Dell PowerConnect W-AirWave 7.
Copyright © 2011 Dell PowerConnect W Networks, Inc. Dell PowerConnect W Networks trademarks include Dell PowerConnect W Networks®, Dell PowerConnect W Wireless Networks®, the registered Dell PowerConnect W the Mobile Edge Company logo, and Dell PowerConnect W Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA.
Contents

Preface
Document Audience and Organization
Note, Caution, and Warning Icons
Contacting Support

General Profiles Guidelines
General Controller Procedures and Guidelines
Using Controllers in Dell PowerConnect W Configuration
Pushing Device Configurations to Controllers

Profiles > IDS > General
Profiles > IDS > Signature Matching
Profiles > IDS > Signature Matching > Signature
Profiles > IDS > Denial of Service

Overview of IP Mobility Domains
Advanced Services > IP Mobility
Advanced Services > IP Mobility > Mobility Domain
Advanced Services > VPN Services
Preface

Document Audience and Organization

This configuration guide is intended for wireless network administrators and helpdesk personnel who deploy ArubaOS on the network and wish to manage it with Dell PowerConnect W-AirWave 7.4. Dell PowerConnect W-AirWave 7.4 versions 6.3 and later support Dell PowerConnect Configuration.

NOTE: Dell PowerConnect W-Series AirWave Wireless Management Suite (AWMS), AirWave, and AirWave Management Platform (AMP) refer to the same product set and are used interchangeably.
Contacting Support

Table 2 Web Support
Main Website | dell.com
Support Website | support.dell.com
Documentation Website | support.dell.com/manuals
Chapter 1 Dell PowerConnect W Configuration in AirWave

Introduction

ArubaOS (AOS) is the operating system, software suite, and application engine that operates Dell PowerConnect W-Series mobility controllers and centralizes control over the entire mobile environment. The AOS wizards, command-line interface (CLI), and the AOS WebUI are the primary means used to configure and deploy AOS. For a complete description of AOS, refer to the Dell PowerConnect W-Series ArubaOS User Guide at support.dell.
Configuration changes are pushed to the controller via SSH with no reboot required. AMP only supports configuration of the settings which a master controller would push to the standby / local controllers (global features). AMP supports all master, master-standby, and master-local deployments. All settings for Profiles, Dell PowerConnect W AP Groups, Servers and Roles are supported, as is the AOS WLAN Wizard.
Groups > Dell PowerConnect W Config Page With Global Configuration Enabled—the way this page displays depends on whether global or group configuration is enabled in AMP Setup > General > Device Configuration: If global configuration is enabled, the Groups > Dell PowerConnect W Config page manages Dell PowerConnect W AP group and other controller-wide settings defined on the Device Setup > Dell PowerConnect W Configuration page.
Groups > Dell PowerConnect W Config Page With Global Configuration Enabled

When Use Global Dell PowerConnect W Configuration is enabled in AMP Setup > General, the focused submenu page displays and edits all configured Dell PowerConnect W AP groups, with the following factors:

Dell PowerConnect W AP Groups must be defined from the Device Setup > Dell PowerConnect W Configuration page before they are visible on the Groups > Dell PowerConnect W Config page.
Figure 4 Groups > Dell PowerConnect W Config with Group-Level Configuration

Dell PowerConnect W Configuration Sections in the Tree View

Whether you are using global or group configuration, the Dell PowerConnect W Configuration tree view page supports several sections, as follows:
Dell PowerConnect W AP Groups Section
AP Overrides Section
WLANs Section
Profiles Section
Security Section
Local Config Section
Advanced Services Section

NOTE: Only Dell PowerConnect W AP Groups, AP Ove
You can import a controller configuration file from AOS for Dell PowerConnect W AP Group deployment in AirWave.
WLAN profiles contain several diverse settings including SSIDs, referenced Dell PowerConnect W AP Groups, Traffic Management profiles, and device Folders.
Figure 7 Dell PowerConnect W Configuration > Security Navigation

The following general guidelines apply to Security profiles in Dell PowerConnect W configuration:
Roles can have multiple policies; each policy can have numerous roles.
Server groups are comprised of servers and rules.
Security rules apply in Dell PowerConnect W Configuration in the same way as deployed in AOS.

For additional information about Security, refer to “Security” on page 126.
For additional information about IP Mobility and VPN Services, refer to “Advanced Services” on page 149.

APs/Devices > List Page

This page supports devices in all of AirWave. This page supports controller reboot, controller re-provisioning, and changing Dell PowerConnect W AP groups. Select Modify Devices to configure thin AP settings.
Figure 11 APs/Devices > Manage Page Illustration (Partial Display)

APs/Devices > Monitor Page

Used in conjunction with the Manage page, the Monitor page enables review of device-level settings.
Additional Concepts and Components of Dell PowerConnect W Configuration

Dell PowerConnect W Configuration emphasizes the following components and network management concepts.
Save, Save and Apply, and Revert Buttons

Several Add or Detail pages in Dell PowerConnect W Configuration include the Save, Save and Apply, and Revert buttons. These buttons function as follows:

Save—This button saves a configuration but does not apply it, allowing you to return to complete or apply the configuration at a later time. If you use this button, you may see the following alert on other Dell PowerConnect W Configuration pages.
Dell PowerConnect W Configuration includes several settings or functions that are dependent on special licenses. The user interface conveys that a special license is required for any such setting, function, or profile. AirWave does not push such configurations when a license related to those configurations is unavailable. For details on the licenses required by a specific version of AOS, refer to the Dell PowerConnect W-AirWave User Guide on support.dell.com/manuals for that release.
If the page reports a device mismatch, the page will display an Import button that allows you to import the Dell PowerConnect W-Series controller settings from a Dell PowerConnect W-Series controller that has already been configured. To import the complete configuration from the controller (including any unreferenced profiles) select the Include unreferenced profiles checkbox.
Figure 15 Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups > Add/Edit Details Page (Partial View)

The following section of this configuration guide provides additional information about configuring Dell PowerConnect W AP Groups:
“General Dell PowerConnect W AP Groups Procedures and Guidelines” on page 27

8. Add or edit WLANs in Dell PowerConnect W Configuration as required.
a. Navigate to the Dell PowerConnect W Configuration > WLANs page.
“General Profiles Guidelines” on page 28

10. Provision multiple Dell PowerConnect W AP Groups on one or more controllers by putting the controllers into an AMP group and configuring that group to use the selected Dell PowerConnect W AP Groups. With global configuration enabled, configure such Dell PowerConnect W AP Groups settings on the Group > Dell PowerConnect W Config page. With group configuration, use the Dell PowerConnect W AP Groups.
Figure 17 APs/Devices > Audit Page Illustration (Partial Display)

Figure 18 APs/Devices > Mismatched Page Illustration

After initial AOS deployment with the Dell PowerConnect W-Series Configuration feature, you can make additional configurations or continue with maintenance tasks, such as the following examples:

Once Dell PowerConnect W-Series Configuration is deployed in AirWave, you can perform debugging with Telnet/SSH.
access this file from the System > Status page. For additional information, refer to the Dell PowerConnect W-AirWave 7.4 User Guide on support.dell.com/manuals. To resolve communication issues, review the credentials on the APs/Devices > Manage page. Mismatches can occur when importing profiles because AirWave deletes orphaned profiles, even if following a new import.
Chapter 2 Using Dell PowerConnect W Configuration in Daily Operations

Introduction

This chapter presents common tasks or concepts after initial setup of Dell PowerConnect W Configuration is complete, as described in the section “Setting Up Initial Dell PowerConnect W Configuration” on page 21.
Selecting Dell PowerConnect W AP Groups

To select Dell PowerConnect W AP Groups, navigate to the Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups page. This page is central to defining Dell PowerConnect W AP Groups, to viewing the AMP groups with which a Dell PowerConnect W AP Group is associated, changing or deleting Dell PowerConnect W AP Groups, and assigning AP devices to a Dell PowerConnect W AP Group.
Group or WLAN setup. In the latter case, AirWave takes you to profile setup on separate pages, then returns to the Dell PowerConnect W AP Group or WLAN setup. For complete Profiles inventory and field descriptions, refer to “Profiles” on page 50 in the Appendix.
Supporting APs with Dell PowerConnect W Configuration

AP Overrides Guidelines

The AP Override component of Dell PowerConnect W Configuration operates with the following principles:

AP devices function within groups that define operational parameters for groups of APs. This is standard across all of Dell PowerConnect W-AirWave 7.4.
AP Overrides allows you to change some parameters of any given AP without having to remove that AP from the configuration group in which it operates.
4. On the APs/Devices > List page, you can specify the Group and Folder to which a device belongs. Click Modify Devices to change more than one device, or click the Wrench icon associated with any specific device to make changes. The APs/Devices > Manage page appears.
5. In the Settings section of the APs/Devices > Manage page, select the new Dell PowerConnect W AP Group to assign to the device. Change or adjust any additional settings as desired.
6.
9. Click Modify Devices.
10. Select the APs you want to re-group.
11. In the field that states Move to Dell PowerConnect W AP Group below the list of the devices, select the appropriate group and click Move.
Additional factors for visibility are as follows:

Administrative and Management users in AirWave can view the Dell PowerConnect W Configuration page and the APs/Devices > Manage pages.
Administrative users are enabled to view all configurations.
Management users have access to all profiles and Dell PowerConnect W AP groups for their respective folders.
a. At least one user must have administrative privileges, but several additional users may be required with fewer rights and less visibility to support Dell PowerConnect W Configuration without access to the most sensitive information, such as SSIDs or other security-related data.
b. Navigate to the AMP Setup > Roles page, and click Add New Role to create a new role with appropriate rights, or click the pencil (manage) icon next to an existing role to adjust rights as required.
Appendix A Configuration Reference

Introduction

This appendix describes the pages, field-level settings, and interdependencies of Dell PowerConnect W Configuration profiles. Additional information is available as follows:

Dell PowerConnect W Configuration components are summarized in “Additional Concepts and Components of Dell PowerConnect W Configuration” on page 19.
For procedures that use several of these components, refer to earlier chapters in this document.
The Dell PowerConnect W AP Groups page displays the following information for every group currently configured:

Table 1 Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups Page
Column | Description
Name | Displays the name of the Dell PowerConnect W AP Group. Select the pencil icon next to any group to edit.
(Used by) Group | Displays the AirWave device groups that define this Dell PowerConnect W AP Group.
Table 2 Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups Details, Settings and Default Values (Continued)
Field | Default | Description
802.11a Radio Profile | 5_am | Defines AP radio settings for the 5 GHz frequency band, including the Adaptive Radio Management (ARM) profile and the high-throughput (802.11n) radio profile. Select the pencil icon next to this field to edit or create additional profile settings in the RF > 802.11a/g Radio page of Dell PowerConnect W Configuration.
802.
Table 2 Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups Details, Settings and Default Values (Continued)
Field | Default | Description
AP System Profile | default | Defines administrative options for the controller, including the IP addresses of the local, backup, and master controllers, Real-time Locating Systems (RTLS) server values and the number of consecutive missed heartbeats on a GRE tunnel before an AP reboots traps.
Table 2 Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups Details, Settings and Default Values (Continued)
Field | Default | Description
Mesh Cluster Profiles | Add New Mesh Cluster Profile | Select to display a new Mesh Cluster Profile section to this page. This section has two fields, as follows:
  Mesh Cluster Profile—Drop-down menu displays all supported profiles. Select one from the menu.
  Priority (1-16)—Type in the priority number for this profile.
Table 4 AP Overrides Add or Edit Page Fields (Continued)
Field | Default | Description
WLANs | WLANs | This section lists the WLANs currently defined in Dell PowerConnect W Configuration by default. You can display selected WLANs or all WLANs. Select one or more WLANs for which AP Override is to apply.
Excluded WLANs | Excluded WLANs | This section displays WLANs currently defined by default. This section can display selected WLANs or all WLANs.
Table 4 AP Overrides Add or Edit Page Fields (Continued)
Field | Default | Description
Wired AP Profile | default | Controls whether 802.11 frames are tunneled to the controller using Generic Routing Encapsulation (GRE) tunnels, bridged into the local Ethernet LAN (for remote APs), or configured for a combination of the two (split-mode). This profile also configures the switching mode characteristics for the port, and sets the port as either trusted or untrusted.
Table 4 AP Overrides Add or Edit Page Fields (Continued)
Field | Default | Description
802.11g Traffic Management Profile | default | Specify the minimum percentage of available bandwidth to be allocated to a specific SSID when there is congestion on the wireless network, and sets the interval between bandwidth usage reports. This setting pertains specifically to 802.11g. Refer to “Profiles > QoS > Traffic Management” on page 104.
802.
Table 4 AP Overrides Add or Edit Page Fields (Continued)
Field | Default | Description
Excluded Mesh Cluster Profiles | Excluded Mesh Cluster Profiles | If required, select one or more Mesh Cluster profiles from this field. This field can display all Mesh Cluster profiles or can display only selected Mesh Cluster profiles. For additional information about Mesh Cluster profiles, refer to “Profiles > QoS” on page 104.
Table 5 Dell PowerConnect W Configuration > WLANs Page Fields and Descriptions (Continued)
Field | Description
Dell PowerConnect W AP Group | Lists the Dell PowerConnect W AP Group or Groups that use the associated WLAN.
AP Override | Lists any AP Override configurations for specific APs on the WLAN and in the respective Dell PowerConnect W AP Groups.
Traffic Management | Lists Traffic Management profiles that are currently configured and deployed on the WLAN.
Folder | Lists the folder for the WLAN.
The alternate way to create or edit WLANs is from the Advanced page. Refer to “WLANs > Advanced” on page 45.

WLANs > Advanced

From the Dell PowerConnect W Configuration > WLANs page, click Add to create a new WLAN, or click the pencil icon to edit an existing WLAN, then click Advanced. The Advanced page allows you to configure many more sophisticated settings when creating or editing WLANs. Table 7 describes the fields for this page.
Table 7 WLANs > Advanced Page Fields (Continued)
Field | Default | Description
Mobile IP | Yes | Enable or disable mobile IP functions. This setting specifies whether the controller is the home agent for a client. When enabled, this setting detects when a mobile client has moved to a foreign network and determines the home agent for a roaming client.
HA Discovery on Association | No | Enable or disable HA discovery on Association.
Table 7 WLANs > Advanced Page Fields (Continued)
Field | Default | Description
Remote AP Operation | Standard | Define the rights for remote APs in this WLAN. Options are as follows:
  standard
  persistent
  backup
  always
  Remote APs connect to a controller using Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPSec). AP control and 802.11 data traffic are carried through this tunnel. Secure Remote Access Point Service extends the corporate office to the remote site.
Profiles

Understanding Dell PowerConnect W Configuration Profiles

In AOS, related configuration parameters are grouped into a profile that you can apply as needed to an AP group or to individual APs. This section lists each category of AP profiles that you can configure and then apply to an AP group or to an individual AP. Note that some profiles reference other profiles. For example, a virtual AP profile references SSID and AAA profiles, while an AAA profile can reference an 802.
2. From the navigation pane, you can configure the following profile types:

AAA Profile—The AAA profile defines the authentication method and the default user role for unauthenticated users. This profile type references additional profiles. Refer to “Profiles > AAA” on page 49.
802.1x Auth—Manages settings for the 802.11k protocol. In a 802.
2. Select the Add button to create a new AAA profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 8.

Table 8 Profiles > AAA > New AAA Profile Settings
Field | Default | Description
Folder | Top | Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
Name | Blank | Enter the name of the AAA profile.
Table 8 Profiles > AAA > New AAA Profile Settings (Continued)
Field | Default | Description
SIP Authentication Role | None | Select the role to function for SIP authentication. The controller supports the stateful tracking of session initiation protocol (SIP) authentication between a SIP client and a SIP registry server. Upon successful registration, a user role is assigned to the SIP client. Select the add icon to create a new role, or click the pencil icon to edit an existing role.
In Dell PowerConnect W user-centric networks, you can terminate the 802.1x authentication on the controller. The controller passes user authentication to its internal database or to a “backend” non-802.1x server. This feature, also called “AAA FastConnect,” is useful for deployments where an 802.1x EAP-compliant RADIUS server is not available or required for authentication.

Perform these steps to configure an 802.1X Auth profile.
1. Select Profiles > AAA > 802.1x Auth in the navigation pane.
Table 9 Profiles > AAA > 802.1x Auth Profile Settings (Continued)
Field | Default | Description
Blacklist on Machine Authentication Failure | No | Define whether the user is blacklisted upon authentication failure. This setting requires a policy enforcement firewall license.
Machine Authentication: Default User Role | ap-role | Select the default role to be assigned to the user after completing 802.1x authentication. This setting requires a policy enforcement firewall license.
Table 9 Profiles > AAA > 802.1x Auth Profile Settings (Continued)
Field | Default | Description
Dynamic WEP Key Message Retry Count (1-3) | 1 | Define the number of times that failed authentication with a WEP key should be allowed to retry authentication. The range is from 0 to 3 attempts. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak implementations that are still used by many legacy devices.
Table 9 Profiles > AAA > 802.1x Auth Profile Settings (Continued)
Field | Default | Description
Termination EAP-Type PEAP 0 Specify EAP-PEAP termination. 802.1x authentication based on PEAP with MS-CHAPv2 provides both computer and user authentication. If a user attempts to log in without the computer being authenticated first, the user is placed into a more limited “guest” user role.
Table 9 Profiles > AAA > 802.1x Auth Profile Settings (Continued)
Field | Default | Description
Disable Rekey and Reauthentication for Clients on Call | No | Although reauthentication and rekey timers are configurable on a per-SSID basis, an 802.1x transaction during a call can affect voice quality. If a client is on a call, 802.1x reauthentication and rekey are disabled by default until the call is completed. You disable or re-enable the “voice aware” feature in the 802.1x authentication profile.
Table 10 Profiles > AAA > Advanced Authentication Profile Settings (Continued)
Field | Default | Description
Dead Time for down Authentication Server (0-60 min) | 10 minutes | Maximum period, in minutes, that the controller considers an unresponsive authentication server to be “out of service”. This timer is only applicable if there are two or more authentication servers configured on the controller.
Table 11 Profiles > AAA > Captive Portal Auth Profile Settings (Continued)
Field | Default | Description
Server Group | default | Enter the name of the internal VPN authentication server group, or the server group that performs 802.1x authentication.
Default Role | default | Role assigned to the Captive Portal user upon login. When both user and guest logon are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.
Table 11 Profiles > AAA > Captive Portal Auth Profile Settings (Continued)
Field | Default | Description
Add switch IP address in redirection URL | No | Sends the switch IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the ‘switchip’ variable in the URL.
Allow Only One Active User Session | No | Allows only one active user session at a time.
Table 12 Profiles > AAA > IPv6 Extension Header Profile Settings
Field | Default | Description
Denied Extension Header Filter Items
Match IPv6 Header Type (0-255) | hop-by-hop | Specify one of the following EH types:
  authentication: Matches the IPv6 authentication header
  dest-option: Matches the IPv6 destination-option header
  esp: Matches the IPv6 encapsulation security payload header
  fragment: Matches the IPv6 fragment header
  hop-by-hop: Matches the IPv6 hop-by-hop header
  mobility: Matches the IPv6
3. Select Add or Save. The added or edited MAC Auth profile appears on the Profiles > AAA page, and on the MAC Auth details page.

Profiles > AAA > VPN Connection

A VIA connection profile contains settings required by VIA to establish a secure connection to the controller. You can configure multiple VIA connection profiles. A VIA connection profile is always associated to a user role and all users belonging to that role will use the configured settings.
Table 14 Profiles > AAA > VPN Connection Profile Settings (Continued)
Field | Default | Description
Allow user to save passwords | Yes | Enable or disable users to save passwords entered in VIA.
Enable split tunneling | No | Enable or disable split tunneling. If enabled, all traffic to the VIA tunneled networks will go through the controller and the rest is just bridged directly on the client. If disabled, all traffic will flow through the controller.
Table 14 Profiles > AAA > VPN Connection Profile Settings (Continued)
Field | Default | Description
VIA Authentication Profile | | Select a VIA Authentication Profile to reference. Refer to “Profiles > AAA > VPN Connection > VIA Auth” on page 63.
VIA Client WLAN Profile | | Select a VIA Client WLAN Profile to reference. Refer to “Profiles > AAA > VPN Connection > VIA Client WLAN” on page 63.
VIA Controller | | Enter the Hostname/IP address, internal IP address, and description of the VIA Controller.

3.
Table 16 Profiles > AAA > VIA Client WLAN Profile Settings
Field | Default | Description
Folder | Top | Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
Name | Blank | Enter the name of the VIA Client WLAN profile.
General Settings
EAP-PEAP EAP-PEAP options Select the following options, if the EAP type is PEAP (Protected EAP):
  validate-server-certificate: Select this option to validate server certificates.
Table 16 Profiles > AAA > VIA Client WLAN Profile Settings (Continued)
Field | Default | Description
Enable IEEE 802.1x authentication for this network | Yes | Select this option to enable 802.1x authentication for this network.
Authenticate as computer when computer info is available | Yes | Select this option to authenticate as a computer when computer information is available.
Connect even if this WLAN is not broadcasting | No | Whether to connect even if this WLAN is not broadcasting.
Table 17 Profiles > AAA > Stateful 802.1X Profile Settings (Continued)
Field | Default | Description
Referenced Profiles
Server Group | | Select the AAA authentication server group. Select the pencil icon to edit an existing server group or click the add icon to create a new server group.
Other Settings
Default Role | ap-role | The user role to be associated with this authentication profile.
Timeout (1-20 sec) | 10 | Maximum time, in seconds, that the server waits before timing out the request.
Perform these steps to configure a Combined VPN Auth profile.
1. Select Profiles > AAA > Combined VPN Auth in the navigation pane.
2. Select the Add button to create a new VPN Auth profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 19:

Table 19 Dell PowerConnect W Configuration > Profiles > AAA > VPN Auth Profile Settings
Field | Default | Description
Folder | Top | Set the folder with which the profile is associated.
Table 20 Profiles > AAA > Management Auth Profile Settings (Continued)
Field | Default | Description
Referenced Profiles
Server Group | | Select the AAA authentication server group. Select the pencil icon to edit an existing server group or click the add icon to create a new server group.
Other Settings
Default Role | root | The role to be associated with this authentication profile:
  guest-provisioning: Allows the user to create guest accounts.
  location-api-mgmt: Permits access to location API information.
Table 21 Profiles > AAA > Stateful NTLM Auth Profile Settings (Continued)
Field | Default | Description
Name | Blank | Enter the name of the profile.
Timeout | 10 | Set the aging out or timeout period, which is the amount of time for which the user sends no traffic. The user’s role remains authenticated unless this period of time is exceeded.
Server Group | default | Select a server from the drop-down menu. You can edit servers with the Pencil icon or add additional servers with the Add icon.
Table 22 Profiles > AAA > WISPr Auth Profile Settings (Continued)
Field | Default | Description
Default Role | guest | Select the default role assigned to users that complete WISPr authentication.
Max Authentication Failures | 0 | Number of times a user can try to log in with wrong credentials, after which the user will be blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise enter a non-zero integer to blacklist the user after the specified number of failures.
Figure 23 Profiles > AP in Dell PowerConnect W Configuration

2. From the navigation pane, you can configure the following profile types. The following AP profiles configure AP operation parameters, regulatory domain, SNMP information, and more:

Authorization—Allows you to assign authorization settings to a provisioned but unauthorized AP to an AP group with a restricted configuration profile. Refer to “Profiles > AP > Authorization” on page 71.
2. Select the Add button to create a new profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 23:

Table 23 Profiles > AP > Authorization Profile Settings
Field | Default | Description
Folder | Top | Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
Name | Blank | Enter the name of the profile.
None Designates the profile to reference.
2. Select the Add button to create a new System profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 25:

Table 25 Profiles > AP > Provisioning Profile Settings
Field | Default | Description
Folder | Top | Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
Name | Blank | Enter the name of the profile.
No Whether the AP you are provisioning is a remote AP.
Profiles > AP > Regulatory Domain

This profile type defines an AP’s country code and valid channels for both legacy and high-throughput 802.11a and 802.11b/g radios. With the implementation of the high-throughput IEEE 802.11n draft standard, 40 MHz channels were added in addition to the existing 20 MHz channel options. Available 20 MHz and 40 MHz channels are dependent on the country code entered in the regulatory domain profile.
3. Select Add or Save. The added or edited Regulatory Domain profile appears on the Regulatory Domain Profiles page.

Profiles > AP > SNMP

Dell PowerConnect W-Series controllers and APs support versions 1, 2c, and 3 of Simple Network Management Protocol (SNMP) for reporting purposes only. In other words, SNMP cannot be used for setting values in a system in the current AOS version.

Perform these steps to configure an SNMP profile.
1. Select Profiles > AP > SNMP in the navigation pane.
2.
Table 28 Profiles > AP > SNMP > SNMP User Settings (Continued)
Field | Default | Description
User Name | Blank | Actual name of the network user to be supported by this SNMP profile in Dell PowerConnect W Configuration
Authentication Profile | none | Select a protocol from the drop-down menu. Options are as follows:
  none—Uses no authentication type for the user being defined.
  md5—Sets the MD5 hashing algorithm for the user that hashes a cleartext password.
Table 29 Profiles > AP > System Profile Settings (Continued) Field Default Description LMS IP In multi-controller networks, this parameter specifies the IP address of the local management switch (LMS)—the Dell PowerConnect W-Series controller— which is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network. This can be the IP address of the local or master controller.
Table 29 Profiles > AP > System Profile Settings (Continued) Field Default Description Bootstrap Threshold (165535) 8 Enter a threshold value from 0 to 65,535. Adjust the bootstrap threshold to 30 if the network experiences packet loss. This makes the AP recover more slowly in the event of a failure, but it will be more tolerant to heartbeat packet loss.
Table 29 Profiles > AP > System Profile Settings (Continued) Field Default Description Remote-AP DHCP Server ID Specify the IP address of the remote-AP DHCP server. Remote-AP DHCP Default Router Specify the IP address of the remote-AP DHCP default router. This field requires a remote AP license. This field requires a remote access points license, when used. Remote-AP DHCP DNS Server Enter the IP address or addresses of one or more remote-AP DHCP DNS servers.
3. Select Add or Save. The added or edited System profile appears on the System profiles list page. Profiles > AP > Wired Port APs with multiple wired Ethernet ports include a wired port profile that can enable or disable the wired port, define an AAA profile for wired port devices, and associate the port with an ethernet link profile that defines its speed and duplex values. Perform these steps to configure a Wired Port profile. 1. Select Profiles > AP > Wired Port in the navigation pane.
Perform these steps to configure a Wired profile. 1. Select Profiles > AP > Wired in the navigation pane. This page summarizes the current profiles of this type. 2. Select the Add button to create a new Wired profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 31: Table 31 Profiles > AP > Wired Profile Settings Field Default Description Folder Top Set the folder with which the profile is associated.
Profiles > IDS

The IDS profiles configure the AP’s Intrusion Detection System features, which detect and disable rogue APs and other devices that can potentially disrupt network operations. An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network. An AP is considered to be an interfering AP if it is seen in the RF environment but is not connected to the wired network.
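The classification rule above, written out as an added Python example (it is not code from this guide or from the product): an AP is rogue only if it is both unauthorized and seen on the wired side, and interfering if it is unauthorized but seen only over the air. The MAC addresses are constructed samples, the label "valid" for an authorized AP is this example's own, and treating a wired MAC within `max_offset` of the BSSID as the same device is an assumption.

```python
def mac_to_int(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def seen_on_wire(bssid, wired_macs, max_offset=0):
    """True if a MAC learned on the wired side is within max_offset of the BSSID.

    max_offset=0 is an exact match. max_offset=1 also matches devices whose
    wired interface MAC is one above or below the radio BSSID (an assumption
    of this example, not a documented product algorithm).
    """
    target = mac_to_int(bssid)
    return any(abs(mac_to_int(m) - target) <= max_offset for m in wired_macs)


def classify_ap(bssid, authorized_bssids, wired_macs, max_offset=0):
    """Return 'valid', 'rogue' or 'interfering' for one observed BSSID."""
    authorized = {mac_to_int(m) for m in authorized_bssids}
    if mac_to_int(bssid) in authorized:
        return "valid"                      # authorized: neither rogue nor interfering
    if seen_on_wire(bssid, wired_macs, max_offset):
        return "rogue"                      # unauthorized AND on the wired side
    return "interfering"                    # unauthorized, seen in the RF environment only


def survey(observed, authorized, wired, max_offset=0):
    """Classify every observed BSSID; returns {bssid: classification}."""
    return {b: classify_ap(b, authorized, wired, max_offset) for b in observed}


# Constructed sample data (locally administered addresses, not real devices).
AUTHORIZED = ["02:00:00:00:00:10"]
WIRED = ["02:00:00:00:00:10", "02:00:00:AA:BB:01", "02:00:00:CC:DD:0F"]
OBSERVED = [
    "02:00:00:00:00:10",   # the authorized AP
    "02:00:00:AA:BB:01",   # unauthorized, same MAC on wire and air
    "02:00:00:CC:DD:10",   # unauthorized, wired MAC is BSSID minus one
    "02:00:00:EE:FF:20",   # unauthorized, never seen on the wire
]

if __name__ == "__main__":
    for offset in (0, 1):
        print(f"max_offset={offset}")
        for bssid, verdict in survey(OBSERVED, AUTHORIZED, WIRED, offset).items():
            print(f"  {bssid}  {verdict}")
```

With exact matching the third AP is reported as interfering even though it is plugged into the network; allowing an offset of one reclassifies it as rogue.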
Table 32 Profiles > IDS > General Profile Settings (Continued) Field Default Description Other Settings and AP SNMP User Profiles IDS Unauthorized Device Profile default Select the IDS Unauthorized Device Profile from the drop-down menu. This profile is referenced by the overriding IDS profile currently being configured. The drop-down menu contains any profiles that you have configured. To create a new profile of this type, click the add icon.
Profiles > IDS > General Perform these steps to configure a General IDS profile. 1. Select Profiles > IDS > General in the navigation pane. The list of current IDS profiles appears on this page. 2. Select the Add button to create a new General profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 33: Table 33 Profiles > IDS > General Profile Settings Field Default Description Folder Top Set the folder with which the profile is associated.
Table 33 Profiles > IDS > General Profile Settings (Continued) Field Default Description Wired Containment of AP's Adj MACs No Enable/disable wired containment of MACs offset by one from APs BSSID. NOTE: This setting requires a minimum of AOS 6.0.0.0. Monitored Device Stats Update Interval (0-36000 sec) 0 Time interval, in seconds, for AP to update the switch with stats for monitored devices. Minimum is 60.
Table 34 Profiles > IDS > Signature Matching Profile Settings (Continued)
Field Default Description
Signature Profiles Select Signature Profiles Select from signature options as follows:
AirJack
ASLEAP
Deauth-Broadcast
default
Disassoc-Broadcast
Netstumbler Generic
Netstumbler Version 3.3.0x
Null-Probe-Response
Wellenreiter

3. Select Add or Save. The added or edited Signature Matching profile appears on the IDS > Signature Matching profiles page.
client from the Dell PowerConnect W system. When a client is blacklisted in the Dell PowerConnect W system, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is blacklisted, a de-authentication message is sent to force the client to disconnect. While blacklisted, the client cannot associate with another SSID in the network. Table 36 summarizes the predefined IDS Denial of Service profiles.
2. Select the Add button to create a new Signature Matching profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 37: Table 37 Profiles > IDS > Denial of Service Profile Settings Field Default Description Folder Top Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Name Blank Enter the name of the profile.
Table 37 Profiles > IDS > Denial of Service Profile Settings (Continued)
Field | Default | Description
Detect AP Flood Attack | No | Enables or disables the detection of flooding with fake AP beacons to confuse legitimate users and to increase the amount of processing needed on client operating systems.
AP Flood Threshold | 50 | Sets the number of Fake AP beacons that must be received within the Flood Increase Time to trigger an alarm.
Association frames
Disassociation frames
Deauthentication frames
Probe Request frames
Probe Response frames
Authentication frames

A channel threshold applies to an entire channel, while a node threshold applies to a particular client MAC address. Dell PowerConnect W provides predefined default IDS rate thresholds profiles for each of these types of frames. Default values depend upon the frame type.
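The difference between a channel threshold and a node threshold, shown as an added Python example (not the product's detection code): a sliding-window counter is kept per frame type for each channel and for each source MAC, and an alarm fires when either count exceeds its threshold. The threshold numbers, the one-second window, the frame tuples and the quiet time that suppresses repeat alarms (modelled on the quiet-time settings that appear elsewhere in this guide) are all assumptions of the example.

```python
from collections import defaultdict, deque, namedtuple

# Per-frame-type profile: frames allowed per window on a whole channel and
# from a single source MAC. Constructed values, not the product defaults.
RateProfile = namedtuple("RateProfile", "channel_threshold node_threshold")

PROFILES = {
    "deauth": RateProfile(channel_threshold=6, node_threshold=3),
    "probe-req": RateProfile(channel_threshold=50, node_threshold=20),
}


class RateThresholdDetector:
    def __init__(self, profiles, window=1.0, quiet_time=10.0):
        self.profiles = profiles
        self.window = window              # seconds over which frames are counted
        self.quiet_time = quiet_time      # seconds before an identical alarm may repeat
        self._seen = defaultdict(deque)   # counter key -> recent timestamps
        self._last_alarm = {}             # counter key -> time of the last alarm

    def _exceeded(self, key, ts, threshold):
        times = self._seen[key]
        times.append(ts)
        while times and times[0] <= ts - self.window:
            times.popleft()               # drop frames that left the window
        if len(times) <= threshold:
            return False
        last = self._last_alarm.get(key)
        if last is not None and ts - last < self.quiet_time:
            return False                  # identical alarm still in quiet time
        self._last_alarm[key] = ts
        return True

    def observe(self, ts, channel, src_mac, frame_type):
        """Feed one frame; returns the alarms it triggers (possibly none)."""
        profile = self.profiles.get(frame_type)
        if profile is None:
            return []                     # no rate profile for this frame type
        alarms = []
        if self._exceeded(("channel", frame_type, channel), ts,
                          profile.channel_threshold):
            alarms.append(("channel", frame_type, channel, ts))
        if self._exceeded(("node", frame_type, src_mac), ts,
                          profile.node_threshold):
            alarms.append(("node", frame_type, src_mac, ts))
        return alarms


def build_sample_frames():
    """Constructed capture: (timestamp, channel, source MAC, frame type)."""
    frames = []
    # One station sends a burst of five deauthentication frames on channel 6.
    frames += [(round(i * 0.1, 1), 6, "02:00:00:00:00:0a", "deauth")
               for i in range(5)]
    # Ordinary probe requests from another station, well under its thresholds.
    frames += [(round(1.0 + i * 0.1, 1), 6, "02:00:00:00:00:0b", "probe-req")
               for i in range(10)]
    # Seven different stations send one deauth each on channel 11.
    frames += [(round(5.0 + i * 0.1, 1), 11, f"02:00:00:00:01:{i:02x}", "deauth")
               for i in range(7)]
    # The first station bursts again after the quiet time has elapsed.
    frames += [(round(20.0 + i * 0.1, 1), 6, "02:00:00:00:00:0a", "deauth")
               for i in range(4)]
    # A frame type without a profile is ignored.
    frames.append((21.0, 6, "02:00:00:00:00:0c", "beacon"))
    return sorted(frames)


def run(frames, profiles=PROFILES):
    detector = RateThresholdDetector(profiles, window=1.0, quiet_time=10.0)
    alarms = []
    for ts, channel, mac, frame_type in frames:
        alarms.extend(detector.observe(ts, channel, mac, frame_type))
    return alarms


if __name__ == "__main__":
    for alarm in run(build_sample_frames()):
        print(alarm)
```

The channel 11 burst never trips a node threshold because no single MAC sends more than one frame; only the channel counter sees it.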
2. Select the Add button to create a new Impersonation profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 39: Table 39 Profiles > IDS > Impersonation Settings Field Default Description Folder Top Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Name Blank Enter the name of the impersonation profile.
3. Select Add or Save. The added or edited Impersonation profile appears on the Profiles > IDS > Impersonation page. Profiles > IDS > Unauthorized Device Unauthorized device detection includes the ability to detect and disable rogue APs and other devices that can potentially disrupt network operations. The most important IDS functionality offered in the Dell PowerConnect W system is the ability to classify an AP as either a rogue AP or an interfering AP.
Table 40 Profiles > IDS > Unauthorized Devices Profile Settings (Continued)
Field | Default | Description
Adhoc Network Detection Quiet Time (60-360000 sec) | 900 | Set the time, in seconds, that must elapse after an adhoc network detection alarm has been triggered before another identical alarm may be triggered.
Wireless Bridge Detection Quiet Time (60-360000 sec) | 900 | Set the time, in seconds, that must elapse after a wired bridging alarm has been triggered before another identical alarm may be triggered.
Table 40 Profiles > IDS > Unauthorized Devices Profile Settings (Continued)
Field | Default | Description
Detect Bad WEP | No | Enable or disable detection of WEP initialization vectors that are known to be weak. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak implementations that are still used by many legacy devices.
Detect Misconfigured AP | No | Enable or disable detection of misconfigured APs.
Profiles > Mesh

Mesh profiles help define and bring up the mesh network. This section describes the mesh radio and mesh cluster profiles in more detail.

Cluster—Mesh clusters are grouped and defined by a mesh cluster profile, which provides the framework of the mesh network.
Table 41 Profiles > Mesh > Cluster Profile Settings (Continued) Field Default Description Cluster Name aruba-mesh Enter the mesh cluster name. The name can have a maximum of 32 characters, which is used as the MSSID. When you create a new cluster profile, it is a member of the “arubamesh” cluster. NOTE: Each mesh cluster profile should have a unique MSSID. Configure a new MSSID before you apply the mesh cluster profile. To view existing mesh cluster profiles, use the drop-down menu.
Table 42 Profiles > Mesh > Radio Profile Settings (Continued) Field Default Description Link Threshold (1-255) 12 Use this setting to optimize operation of the link metric algorithm. Indicates the minimal RSSI value. If the RSSI value is below this threshold, the link may be considered a subthreshold link. A sub-threshold link is one whose average RSSI value falls below the configured link threshold.
Table 42 Profiles > Mesh > Radio Profile Settings (Continued) Field Default Description RTS Threshold (256-2346 bytes) 2333 Define the packet size sent by mesh nodes. Mesh nodes transmitting frames larger than this threshold must issue request to send (RTS) and wait for other mesh nodes to respond with clear to send (CTS) to begin transmission. This helps prevent mid-air collisions. The supported range is from 256 to 2346 bytes. 802.
Table 43 Mesh > Radio > Mesh HT SSID Profile Settings (Continued)
Field | Default | Description
Low-density Parity Check | | If enabled, the AP will advertise Low-density Parity Check (LDPC) support. LDPC improves data transmission over radio channels with high levels of background noise. Requires a minimum version of 6.1.0.0.
MPDU Aggregation | | Enable or disable MAC protocol data unit (MPDU) aggregation.
Table 43 Mesh > Radio > Mesh HT SSID Profile Settings (Continued)
Field | Default | Description
Maximum Number of Spatial Streams Usable for STBC Transmission | | Controls the maximum number of spatial streams usable for STBC transmission. 0 disables STBC transmission, 1 uses STBC for MCS 0-7. Higher MCS values are not supported.
Maximum Number of Spatial Streams Usable for STBC Reception | | Controls the maximum number of spatial streams usable for STBC reception.
Table 44 Profiles > Mobility Switch > IGMP Snooping Profile Settings (Continued)
Field | Default | Description
Last-member-query-interval (125 sec) | 1 | Specify the IGMP query interval in response to host leave message.
Enable Fast Leave | No | Enables or disables fast leave. You can enable this setting to improve bandwidth management.
Enable Igmp Snooping Proxy | No | Enable or disable the IGMP Snooping proxy.
Table 45 Profiles > Mobility Switch > Ethernet Link Profile Settings (Continued)
Field | Default | Description
Duplex | Auto | Sets the duplex to one of the following parameters: Auto—Configures auto mode. full—Configures full duplex mode. half—Configures half duplex mode.
Speed (Mbps) | Auto | Sets the speed to one of the following parameters: Auto—Negotiates bandwidth dynamically between 10 and 1000/10000. 10—10 Mbps. 100—100 Mbps. 10m_100m—10 to 100 Mbps. 1000—1 Gbps. 10000—10 Gbps.
Table 46 Profiles > Mobility Switch > Port Switching Profile Settings (Continued)
Field | Default | Description
Enable Broadcast Traffic Rate Limit | Yes | Enables storm control for broadcast.
Enable Multicast Traffic Rate Limit | No | Enables storm control for multicast.
Enable Unicast Rate Limit | Yes | Enables storm control for unicast.
Switchport Mode | Access | Specify whether the port is an access port connected to an end device or a trunk port for uplink connectivity.
Table 47 Profiles > Mobility Switch > VLAN Profile Settings (Continued) Field Default Description VLAN IGMP Snooping profile None Select the VLAN IGMP Snooping profile to reference. Refer to “Profiles > Mobility Switch > IGMP Snooping” on page 100. Other Settings Description Specify a description/name for the VLAN. Mac Aging Time in Minutes (1-44640) 5 Specify the MAC aging time in minutes. Static MAC Items MAC Adds the specified MAC address to the MAC address table.
Table 48 Profiles > QoS > Traffic Management Profile Settings (Continued) Field Default Description Name Blank Name of the threshold profile. Report Interval 5 Set the time in minutes between the bandwidth usage report. The supported range is from 1 to 9,999,999 minutes.
Table 49 Profiles > QoS > VoIP Call Admission Control Profile Settings (Continued) Field Default Description VoIP Call Admission Control No Enable or disable VoIP Call Admission Control in this profile. VoIP Active Load Balancing No Enable or disable load balancing in this profile. VoIP Vocera Call Capacity (0-255) 20 Specify the bandwidth allocation to Vocera voice calls when Admission Control is enabled.
Table 49 Profiles > QoS > VoIP Call Admission Control Profile Settings (Continued) Field Default Description VoIP TSPEC Enforcement No A WMM client can send a Traffic Specification (TSPEC) signaling request to the AP before sending traffic of a specific AC type, such as voice. You can configure the controller so that the TSPEC signaling request from a client is ignored if the underlying voice call is not active; this feature is disabled by default.
Table 50 Profiles > QoS > WMM Traffic Management Profile Settings (Continued) Field Default Description Name Blank Enter the name of the profile. Enable Shaping Policy No Enable or disable Quality of Service with the WMM Traffic Management profile. Define the percentage of QoS for each type of service to be supported in WMM. NOTE: If you enable this profile with Yes, ensure that the four percentage values you specify immediately below this field do not exceed 100%.
intolerance of 40 MHz operation. (This option is disabled by default, allowing 40 MHz operation.) Refer to “Profiles > RF > 802.11a/g Radio > HT Radio” on page 116. Spectrum—Defines AP radio settings for spectrum analysis on specific Dell PowerConnect W AP models that can examine the RF environment in which the Wi-Fi network is operating, identify interference, and classify its sources. Refer to “Profiles > RF > 802.11a/g Radio > Spectrum” on page 117.
Table 51 Profiles > RF > 802.11a/g Profile Settings (Continued)
Field | Default | Description
AM Scanning Profile | | Select a profile to define settings for Air Monitor Scanning. Select the pencil icon to edit an existing AM Scanning profile, or click the plus sign to create a new AM Scanning profile.
High-throughput Radio Profile | Default-a | Select a high-throughput (HT) profile from the drop-down menu to define HT settings for your 802.11a/g radio profile.
Table 51 Profiles > RF > 802.11a/g Profile Settings (Continued) Field Default Description Spectrum Load Balancing No The Spectrum Load Balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the controller is responding to the wireless clients' probe requests. If enabled, the controller compares whether or not an AP has more clients than its neighboring APs on other channels.
Table 51 Profiles > RF > 802.11a/g Profile Settings (Continued) Field Default Description Non 802.11 Interference Immunity Level 2 When an AP attempts to decode a non-802.11 signal, that attempt can momentarily interrupt its ability to receive traffic. The noise immunity feature can help improve network performance in environments with a high level of non-802.11 noise from devices such as Bluetooth headsets, video monitors and cordless phones.
Profiles > RF > 802.11a/g Radio > AM Scanning Air Monitor (AM) devices establish and monitor RF activity on the network. This profile depends on the controller having a minimum version of 6.0.0.0. Perform these steps to create or edit an Air Monitor Scanning profile. 1. Select Profiles > RF > 802.11a/g Radio > AM Scanning in the navigation pane. 2. Select the Add button to create a new AM Scanning profile, or click the pencil icon to edit an existing profile.
Indoor mesh portals can take advantage of this feature to adjust power settings according to their ARM profiles, but outdoor mesh portals will continue to run at configured power level to maximize their range. NOTE: Do not delete or modify mesh cluster profiles once you use them to provision mesh nodes. You can recover the mesh point if the original cluster profile is still available. Creating a new mesh cluster profile is recommended if needed.
Table 53 Profiles > RF > 802.11a/g Radio > ARM Profile Settings (Continued)
Field | Default | Description
Multi Band Scan | Yes | If enabled, single radio channel APs scan for rogue APs across multiple channels. This option requires that Scanning is also enabled. The Multi Band Scan option does not apply to APs that have two radios as these devices already scan across multiple channels.
Table 53 Profiles > RF > 802.11a/g Radio > ARM Profile Settings (Continued) Field Default Description Free Channel Index 25 The Dell PowerConnect W Interference index metric measures interference for a specified channel and its surrounding channels. This value is calculated and weighted for all APs on those channels (including 3rd-party APs). An AP will only move to a new channel if the new channel has a lower interference index value than the current channel.
2. Select the Add button to create a new HT Radio profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 54: Table 54 Profiles > RF > HT Radio Profile Settings Field Default Description Folder Top Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Name Blank Enter the name of the profile.
Table 55 Profiles > RF > Spectrum Profile Settings (Continued)
Field | Default | Description
WIFI | 600 seconds | Define the ageout time for Wi-Fi devices.
Generic Interferer | 30 seconds | Define the ageout time for generic devices.
Microwave | 15 seconds | Define the ageout time for microwave ovens.
Microwave (Inverter type) | 15 seconds | Define the ageout time for inverter microwave ovens.
Video Device | 60 seconds | Define the ageout time for video devices.
Table 56 Profiles > RF > Event Thresholds Profile Settings (Continued)
Field | Default | Description
Bandwidth Rate High Watermark | 0 | Sets a high percentage watermark for bandwidth rate. When exceeded, this threshold triggers a high-watermark-exceeded alert. Defining 0% disables this function.
Bandwidth Rate Low Watermark | 0 | Sets a low percentage watermark for bandwidth rate. When exceeded, this threshold triggers a low-watermark-exceeded alert. Defining 0% disables this function.
Profiles > RF > Optimization The RF Optimization profile enables or disables load balancing based on a user-defined number of clients or degree of AP utilization on an AP. Use this profile to detect coverage holes, radio interference and STA association failures and configure Received signal strength indication (RSSI) metrics. Perform these steps to create or edit Optimization profiles. 1. Select Profiles > RF > Optimization in the navigation pane. This page summarizes the current cluster profiles. 2.
Table 57 Profiles > RF > Optimization Profile Settings (Continued) Field Default Description Hole Good RSSI Threshold (0-65,535) 20 Set the amount of time in seconds during which Received Signal Strength Indication (RSSI) is to check coverage holes. NOTE: This setting requires a Wireless Intrusion Protection license. Hole Good Station Ageout (sec) 30 Set the amount of time in seconds that an AP is unseen by any probes before it is deleted from the database. Enter 0 to disable ageout.
SSID—Configures network authentication and encryption types. The SSID profile defines SSID settings and references additional EDCA and HT profiles. Refer to “Profiles > SSID” on page 122. EDCA AP—AP to client traffic prioritization, including EDCA parameters for background, best-effort, voice and video queues. Refer to “Profiles > SSID > EDCA AP” on page 126.
Table 58 Profiles > SSID Profile Settings (Continued) Field Default Description EDCA Parameters AP Profile None The drop-down menu allows you to select any EDCA AP profile that has already been configured. The referenced EDCA AP profile defines several settings that are used in the SSID profile. Select the Plus sign to create a new EDCA AP profile, as required. For additional information about this profile type, refer to “Profiles > SSID > EDCA AP” on page 126.
Table 58 Profiles > SSID Profile Settings (Continued) Field Default Description 802.11g Transmit Rates All selected Specify the total transmit rates for the 802.11g radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate. All transmission rates are selected and used. If you do not select 802.11a or 802.11g transmit rates, all rates are selected by default when you click Apply. 802.
Table 58 Profiles > SSID Profile Settings (Continued) Field Default Description DSCP Mapping for WMM BestEffort AC Specify DSCP mapping for wireless multimedia best effort admission control. The supported range is 0 to 63. DSCP Mapping for WMM Background AC Specify DSCP mapping for wireless multimedia background admission control. The supported range is 0 to 63. 902il Compatibility Mode No Enable or disable support for NEC 902il compatibility.
Table 58 Profiles > SSID Profile Settings (Continued) Field Default Description 802.11g Beacon Rate Sets the beacon rate for 802.11a (use for Distributed Antenna System (DAS) only). CAUTION: Using this parameter in normal operation may cause connectivity problems. 802.11a Beacon Rate Sets the beacon rate for 802.11g (use for Distributed Antenna System (DAS) only). CAUTION: Using this parameter in normal operation may cause connectivity problems.
arbitrary inter-frame space number (AIFSN)
minimum and maximum contention window (CW) size

For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity to transmit (TXOP). Frames with the highest priority AC are more likely to get TXOP as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values).
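The backoff rule above, worked through as an added Python example (not part of this guide): it computes the exact odds of each queue winning one contention round and then simulates repeated rounds. The two parameter sets reuse the AIFSN and contention-window exponents shown in this guide's EDCA AP and EDCA Station tables; putting them in the same contest under the names "high" and "low", the relation CW = 2^exponent - 1 slots, and the widening of CW after a tie are assumptions of this simplified model.

```python
import random
from fractions import Fraction
from itertools import product

# name -> (AIFSN, minimum CW exponent, maximum CW exponent)
ACS = {
    "high": (2, 3, 4),    # small AIFSN and CW: tends to draw a short backoff
    "low": (7, 4, 10),    # large AIFSN and CW: tends to draw a long backoff
}


def cw_slots(exponent):
    """Contention window in slots for a given exponent: CW = 2**exponent - 1."""
    return 2 ** exponent - 1


def win_probabilities(acs):
    """Exact odds for one round with every AC at its minimum CW.

    Returns (wins, collision): wins[name] is the probability that name draws
    the strictly lowest backoff; collision is the probability of a tie.
    """
    names = list(acs)
    ranges = [range(cw_slots(acs[n][1]) + 1) for n in names]
    wins = dict.fromkeys(names, 0)
    collisions = total = 0
    for draws in product(*ranges):            # every equally likely outcome
        backoffs = [acs[n][0] + r for n, r in zip(names, draws)]
        low = min(backoffs)
        total += 1
        if backoffs.count(low) > 1:
            collisions += 1
        else:
            wins[names[backoffs.index(low)]] += 1
    return ({n: Fraction(w, total) for n, w in wins.items()},
            Fraction(collisions, total))


def simulate(acs, rounds=10000, seed=1):
    """Repeat the contest; a tie widens the tied ACs' CW up to their maximum."""
    rng = random.Random(seed)
    ecw = {n: p[1] for n, p in acs.items()}   # current CW exponent per AC
    wins = dict.fromkeys(acs, 0)
    collisions = 0
    for _ in range(rounds):
        backoff = {n: acs[n][0] + rng.randint(0, cw_slots(ecw[n])) for n in acs}
        low = min(backoff.values())
        tied = [n for n, b in backoff.items() if b == low]
        if len(tied) == 1:
            wins[tied[0]] += 1                # lowest backoff gets the TXOP
            ecw[tied[0]] = acs[tied[0]][1]    # success: back to the minimum CW
        else:
            collisions += 1
            for n in tied:
                ecw[n] = min(ecw[n] + 1, acs[n][2])
    return wins, collisions


if __name__ == "__main__":
    odds, tie = win_probabilities(ACS)
    for name, p in odds.items():
        print(f"{name}: {p} ({float(p):.3f})")
    print(f"tie: {tie} ({float(tie):.3f})")
    print(simulate(ACS))
```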
Table 60 Dell PowerConnect W Configuration > Profiles > SSID > EDCA AP Profile Settings (Continued) Field Default Description Arbitrary Inter-frame Space Number 7 Minimum Contention Window (Exponent) 4 Maximum Contention Window (Exponent) 10 WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol’s Distributed Coordination Function (DCF).
Table 60 Dell PowerConnect W Configuration > Profiles > SSID > EDCA AP Profile Settings (Continued) Field Default Description Transmission Opportunity Slots in 32 μsec Units 47 For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity to transmit (TXOP).
1. Select Profiles > SSID > EDCA Station in the navigation pane. 2. Select the Add button to create a new EDCA Station profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 34: Table 62 Profiles > SSID > EDCA Station Profile Settings Field Default Description Folder Top Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Name Blank Name of the EDCA STA profile.
Table 62 Profiles > SSID > EDCA Station Profile Settings (Continued) Field Default Description Arbitrary Inter-frame Space Number 2 Minimum Contention Window (Exponent) 3 Maximum Contention Window (Exponent) 4 WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol’s Distributed Coordination Function (DCF).
The mesh high-throughput SSID profile defines settings unique to 802.11n-capable, high-throughput APs. If none of the APs in your mesh deployment are 802.11n-capable APs, you do not need to configure a high-throughput SSID profile. If you modify a currently provisioned and running high-throughput SSID profile, your changes take effect immediately. You do not reboot the controller or the AP. Perform these steps to create or edit HT SSID profiles.

1. Select Profiles > SSID > HT SSID in the navigation pane.
2.
Table 63 Profiles > SSID > HT SSID Profile Settings (Continued) Field Default Description Short Guard Interval in 40 MHz Mode Yes Enable or disable use of short (400ns) guard interval in 40 MHz mode. A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The 802.
Table 64 Profiles > SSID > 802.11K Profile Settings (Continued) Field Default Description Measurement Mode for Beacon Reports beacon-table Select the Measurement Mode for Beacon Reports drop-down menu and specify one of the following measurement modes: active—Enables active beacon measurement mode.
Figure 25 Security Components in Dell PowerConnect W Configuration

This section describes the profiles, pages, parameters and default settings for all Security components in Dell PowerConnect W Configuration, as follows:
Security > User Roles
Security > User Roles > BW Contracts
Security > User Roles > VPN Dialers
Security > Policies
Security > Policies > Destinations
Security > Policies > Services
Security > Server Groups
Security > Server Groups > LDAP
Security
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a user-derived role). You can configure rules that assign a user role to clients that match a certain set of criteria. For example, you can configure a rule to assign the role “VoIP-Phone” to any client that has a MAC address that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication. 3.
The Security > User Roles > Add New User Role page contains the following fields, as described in Table 66: Table 66 Security > User Roles > Add New User Role Fields and Descriptions Field Default Description Folder Top Set the folder with which the User Role is associated. The drop-down menu displays all folders available for association with the profile. Name Blank Enter the name of the user role.
Table 66 Security > User Roles > Add New User Role Fields and Descriptions (Continued) Field Default Description Policy Allowdiskservices Select the policy to apply to this user role. Once any policy is selected, you can edit the policy by clicking the pencil icon. You can create a new policy by clicking the add icon. Refer to “Security > Policies” on page 141. Dell PowerConnect W AP Group None Select the Dell PowerConnect W AP group in which this policy and user role will apply.
Select Add to complete the configuration of the BW Contract profile, or click Save to complete the editing of an existing profile. The new BW contract appears on the Security > User Roles page. Security > User Roles > VPN Dialers The VPN dialer can be downloaded using Captive Portal. For the user role assigned through Captive Portal, configure the dialer by the name used to identify the dialer.
Table 68 Security > User Roles > Add VPN Dialer Fields and Descriptions (Continued)
Field | Default | Description
Enable SecurID New and Next Pin Mode | No | Use this setting to enable or disable SecurID PIN modes. The SecurID authentication scheme authenticates the user on an RSA ACE/Server.
Table 68 Security > User Roles > Add VPN Dialer Fields and Descriptions (Continued)
Field | Default | Description
IPSEC Encryption | 168-bit 3DES | Specify the type of IPSEC encryption to support for the VPN. Options are as follows: Encapsulating Security Payload (ESP) with 168-bit 3DES; ESP with 56-bit DES.
IPSEC Hash Algorithm | SHA | Set the IKE Hash Algorithm to either SHA or MD5, to match the IKE policy for IKE Hash Algorithm.
Table 69 Security > Policies > Add New Policy Fields and Descriptions (Continued)
Field | Default | Description
Service Type | any | Type of traffic, which can be one of the following: any: This option specifies that this rule applies to any type of traffic. tcp: Using this option, configure a range of TCP port(s) to match for the rule to be applied. udp: Using this option, configure a range of UDP port(s) to match for the rule to be applied.
Security > Policies > Destinations The Security > Policies > Destinations page lists the destination names currently configured, with the Policy that uses the destination and the folder. To create a new destination to be referenced by a security policy, click the Add New Net Destination button. To edit an existing policy, click the pencil icon.
Table 71 Security > Policies > Services Fields and Descriptions (Continued) Field Default Description Protocol TCP Specify the protocol that is to support the security policy service being configured. The service options are: TCP UDP IP The remaining fields on this page change according to which protocol you have selected.
AAA Captive Portal Auth Management Auth Stateful 802.1X Auth TACACS Accounting VPN Auth Folder The list of servers in a server group is an ordered list. By default, the first server in the list is always used unless it is unavailable, in which case the next server in the list is used. You can configure the order of servers in the server group. In the Web UI, use the up or down arrows to order the servers (the top server is the first server in the list).
Adding a New Server Group The server group is assigned to the server group for 802.1x authentication. To create a new server group, click the Add button, or to edit an existing group, click the pencil icon next to that group. The Add New Server Group page appears, and contains the following fields, as described in Table 72: Table 72 Security > Server Groups > Add or Edit Server Group Fields and Descriptions Field Default Description Folder Top Set the folder with which the server is associated.
Table 72 Security > Server Groups > Add or Edit Server Group Fields and Descriptions (Continued) Field Default Description Field to set role Specify whether the server group rule is a role or a VLAN. The Role/VLAN field at the bottom of the page changes in response to your selection here. Attribute ARAPFeatures From the drop-down menu, click the attribute that defines the server group rule being configured. Many options are supported.
Table 73 Security > Server Groups > Add LDAP Server Fields and Descriptions (Continued)
Field | Default | Description
Filter | (objectclass=*) | Select the filter that should be applied to any search of the user in the LDAP database.
Key Attribute | sAMAccountName | Enter the attribute that should be used as a key in search for the LDAP server. For Active Directory, the value is sAMAccountName.
Timeout (1030 sec) | 20 | Define the timeout period of an LDAP request, in seconds.
Table 74 Security > Server Groups > RADIUS (Continued)
Field | Default | Description
NAS ID | | Set the Network Access Server (NAS) identifier to use in RADIUS packets.
NAS IP | | Set the NAS IP address to send in RADIUS packets. You can configure a “global” NAS IP address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IP, the global NAS IP is used.
Use MD5 | No | Enable or disable the use of MD5 hashing for cleartext passwords.
Table 75 Security > Server Groups > TACACS (Continued)
Field | Default | Description
Enable | Yes | Enable or disable the TACACS server.
Session Authorization | No | Enables or disables session authorization. Session authorization turns on the optional authorization session for admin users.

Select Add to complete the configuration of the TACACS Server, or click Save to complete the editing of an existing server. The new server appears on the Security > Server Groups > TACACS page.
Table 76 Security > Server Groups > Add Internal Server Fields and Descriptions (Continued)

Field | Default | Description
Expire User | No | Specify whether to expire the guest user after a period of time. If you click Yes, a new field appears with instructions about the date and time in which the guest user is expired from the internal server.

Select Add to complete the configuration of the Internal Server, or click Save to complete the editing of an existing server.
Select Add to create a new RFC3576 server, or click the pencil icon next to an existing server to edit it. The Security > Server Groups > Add RFC 3576 Server page contains the following fields, as described in Table 78.

Table 78 Security > Server Groups > Add RFC 3576 Server Fields and Descriptions

Field | Default | Description
Folder | Top | Set the folder with which the server is associated. The drop-down menu displays all folders available for association with the server group.
have all commands reported as desired. Dell PowerConnect W Configuration supports TACACS Accounting servers that can be referenced by server groups. To view currently configured TACACS Accounting profiles and where they are used, navigate to the Security > TACACS Accounting page. Select Add to create a new TACACS Accounting profile, or click the pencil icon to edit an existing profile.
To create a new time range profile, click the Add New Time Range button, or click the pencil icon next to an existing time range profile to adjust settings. The Security > Time Range > Add/Edit New Time Range page contains the following fields, as described in Table 81:

Table 81 Security > Time Range > Add/Edit Time Range Fields and Descriptions

Field | Default | Description
General Settings
Folder | Top | Set the folder with which the profile is associated.
Table 82 Security > User Rules > Add/Edit User Rules Fields and Descriptions (Continued)

Field | Default | Description
Rule Type | bssid | Select one of the following options from the drop-down menu. Your selection in this field changes an ensuing field that must be completed, as follows:
    bssid—Selecting this option displays the BSSID field below. Specify the BSSID in text.
    dhcp-option-77—Selecting this option displays the DHCP Option 77 field below. Enter this information in text.
Table 83 Local Config > SNMP Management Profile Settings (Continued)

Field | Description
Enable Trap Generation | Enables generation of SNMP traps to configured SNMP trap receivers.
Engine ID | Sets the SNMP server engine ID as a hexadecimal number. 24 character maximum.
Inform Queue Length (100-350) | Specify the length for the SNMP inform queue. Default is 250.
Always use the controller's IP address as source address | Set whether to use the IP address of the controller as the trap source.
supports advanced services such as IP Mobility and VPN services. Future AirWave versions will support additional advanced services. For additional information about IP Mobility domains, VPN services, and additional architecture or concepts, refer to your version of the Dell PowerConnect W-Series ArubaOS User Guide.

Overview of IP Mobility Domains

Dell PowerConnect W’s layer-3 mobility solution is based on the Mobile IP protocol standard, as described in RFC 3344, “IP Mobility Support for IPv4”.
controllers. You can also configure a mobility domain that contains multiple master controllers; you need to configure the mobility domain on each master controller.

Table 84 Controllers in a Mobility Domain

On a master controller: | On all controllers in the mobility domain:
Configure the mobility domain, including the entries in the home agent table (HAT). | Enable mobility (disabled by default). Join a specified mobility domain (not required for “default” mobility domain).
Table 85 Advanced Services > IP Mobility, Add/Edit Fields and Descriptions (Continued)

Field | Default | Description
Replay Protection Time Value (0300 sec) | 7 | Define the time period over which message replay is to be detected. Message replay detects if a message that is intended for a client has been intercepted and replayed. This setting defines how long replay detection is to monitor for replay.
Table 85 Advanced Services > IP Mobility, Add/Edit Fields and Descriptions (Continued)

Field | Default | Description
Mobility Host Entry Lifetime When Mobility Cannot Be Provided (3060000 sec) | 120 | Define how long host entries in the IP mobility domain are to be maintained when they are without mobility.
Maximum Number of BOOTP Packets Per Transaction (0-65534) | 25 | Define the maximum number of BOOTP packets that can be supported for a given transaction in proxy DHCP.
Configure the HAT with a list of every subnetwork, mask, VLAN ID, VRRP IP, and home agent IP address in the mobility domain. Include an entry for every home agent and user VLAN to which an IP subnetwork maps. If there is more than one controller in the mobility domain providing service for the same user VLAN, you must configure an entry for the VLAN for each controller. Best practice is to use the same VRRP IP used by the AP.
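The HAT completeness rule above lends itself to an automated check before a configuration is pushed. The following is an added example, not code from this guide or from AirWave; the `HatEntry` layout, the `served` inventory format, and all addresses are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# One HAT row with the fields the guide lists. The tuple layout is an
# assumption of this example, not an AirWave export format.
HatEntry = namedtuple("HatEntry", "subnet mask vlan vrrp_ip home_agent")

def check_hat(hat, served):
    """Compare configured HAT rows with what each controller serves.

    served maps home agent IP -> {vlan_id: "subnet/prefix"} (hypothetical
    inventory). Returns a sorted list of (finding, home_agent, vlan) tuples.
    """
    findings, seen = [], set()
    for e in hat:
        key = (e.home_agent, e.vlan)
        if key in seen:
            findings.append(("duplicate", *key))
        seen.add(key)
        try:
            # Strict parsing rejects a subnet with host bits set for its mask.
            net = ipaddress.ip_network(f"{e.subnet}/{e.mask}")
        except ValueError:
            findings.append(("bad-subnet-or-mask", *key))
            continue
        expected = served.get(e.home_agent, {}).get(e.vlan)
        if expected is None:
            findings.append(("not-served", *key))
        elif ipaddress.ip_network(expected) != net:
            findings.append(("subnet-mismatch", *key))
    # Every controller serving a user VLAN needs its own row for that VLAN.
    for agent, vlans in served.items():
        for vlan in vlans:
            if (agent, vlan) not in seen:
                findings.append(("missing", agent, vlan))
    return sorted(findings)

# Constructed sample: two controllers serve user VLAN 10; only one has a row,
# and the VLAN 20 row carries a host address instead of the subnetwork.
SERVED = {
    "192.0.2.1": {10: "10.1.10.0/24", 20: "10.1.20.0/24"},
    "192.0.2.2": {10: "10.1.10.0/24"},
}
HAT = [
    HatEntry("10.1.10.0", "255.255.255.0", 10, "192.0.2.10", "192.0.2.1"),
    HatEntry("10.1.20.5", "255.255.255.0", 20, "192.0.2.10", "192.0.2.1"),
]

if __name__ == "__main__":
    for finding in check_hat(HAT, SERVED):
        print(finding)
```

A `missing` finding corresponds to the case the guide calls out: a second controller serves the same user VLAN but has no HAT entry of its own.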
Remote access VPNs allow hosts, such as telecommuters or traveling employees, to connect to private networks such as a corporate network over the Internet. Each host must run VPN client software that encapsulates and encrypts traffic and sends it to a VPN gateway at the destination network.
Select Add to create the VPN Services profile, or click Save to change an existing profile. The new VPN Service profile appears on the VPN Services page.

Advanced Services > VPN Services > IKE

Navigate to Advanced Services > VPN Services > IKE from the navigation pane. This page displays all Internet Key Exchange (IKE) profiles currently available for VPN Services. IKE is a part of the IPSEC protocol suite, supporting security for VPNs with a shared session secret that produces security keys.
Table 89 Advanced Services > VPN Services > IKE > IKE Policy Fields and Descriptions (Continued)

Field | Default | Description
Priority | Blank | Enter the priority number of this IKE policy.
Other Settings
Encryption | | From the drop-down menu, select the encryption type to be supported in the IKE policy: DES, 3DES, AES128, AES192, AES256.
Hash Algorithm | | Select the hash algorithm for this IKE policy.
Computer-level authentication with a preshared key to create the IPSec security associations (SAs) to protect the L2TP-encapsulated data.

User-level authentication through a PPP-based authentication protocol using passwords, SecurID, digital certificates, or smart cards after successful creation of the SAs.

Navigate to Advanced Services > VPN Services > L2TP from the navigation page. This page lists all L2TP profiles that are currently available.
The Advanced Services > VPN Services > PPTP Add/Edit Details page contains the following fields, as described in Table 91:

Table 91 Advanced Services > VPN Services > PPTP Add/Edit Details Fields and Descriptions

Field | Default | Description
Folder | Top | Set the folder with which the PPTP profile is associated. The menu displays all folders available for association with the PPTP profile.
Name | Blank | Enter the name of the PPTP profile.
Enable PPTP | Yes | Enable or disable this PPTP profile.
Select Add to create a new IPSEC profile, or click the pencil icon next to an existing profile to modify settings. The Add/Edit Details page contains the following fields, as described in Table 92:

Table 92 Advanced Services > VPN Services > IPSEC Add/Edit Fields and Descriptions

Field | Default | Description
Folder | Top | Set the folder with which the IPSEC profile is associated. The drop-down menu displays all folders available for association with the IPSEC profile.
Table 93 Advanced Services > VPN Services > IPSEC > Dynamic Map Add/Edit Fields and Descriptions (Continued)

Field | Default | Description
Other Settings
Priority | | Specify the priority in which this Dynamic Map should be processed in relation to additional Dynamic Maps that may be configured and used by IPSEC profiles.
Diffie-Hellman Group | | Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is used within IKE to securely establish session keys.
Select Add to create the new Transform Set, or click Save if editing an existing Transform Set. The Transform Set is available for reference by Dynamic Maps in support of IPSEC profiles and VPN services.

Groups > Dell PowerConnect W Config Page and Section Information

With Global Dell PowerConnect W Configuration enabled in AMP Setup > General, create Dell PowerConnect W AP Groups with the Device Setup > Dell PowerConnect W Configuration page, as described earlier in this document.