User Guide Dell Networking W-Series Instant 6.5.1.0-4.3.1.
Copyright Information © Copyright 2016 Hewlett Packard Enterprise Development LP. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners. Open Source Code This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses.
Contents About this Guide 9 Intended Audience 9 Related Documents 9 Conventions 9 Contacting Dell 10 About Instant 11 Instant Overview 11 What is New in this Release 14 Setting up a W-IAP 16 Setting up Instant Network 16 Provisioning a W-IAP 17 Logging in to the Instant UI 19 Accessing the Instant CLI 20 Automatic Retrieval of Configuration 24 Managed Mode Operations 24 Prerequisites 24 Configuring Managed Mode Parameters 25 Verifying the Configuration 26 Instant User In
Configuring Uplink VLAN for a W-IAP 68 Changing the W-IAP Installation Mode 68 Changing USB Port Status 69 Master Election and Virtual Controller 70 Adding a W-IAP to the Network 71 Removing a W-IAP from the Network 72 VLAN Configuration VLAN Pooling 73 Uplink VLAN Monitoring and Detection on Upstream Devices 73 IPv6 Support 74 IPv6 Notation 74 Enabling IPv6 Support for W-IAP Configuration 74 Firewall Support for IPv6 76 Debugging Commands 76 Wireless Network Profiles 77 Configur
Configuring Wired Profile for Guest Access 120 Configuring Internal Captive Portal for Guest Network 122 Configuring External Captive Portal for a Guest Network 125 Configuring Facebook Login 131 Configuring Guest Logon Role and Access Rules for Guest Users 132 Configuring Captive Portal Roles for an SSID 134 Configuring Walled Garden Access 137 Authentication and User Management 139 Managing W-IAP Users 139 Supported Authentication Methods 143 Supported EAP Authentication Frameworks 14
Applying a Time Range Profile to a WLAN SSID 218 Verifying the Configuration 219 Dynamic DNS Registration 221 Enabling Dynamic DNS 221 Configuring Dynamic DNS Updates for Clients 222 Verifying the Configuration 223 VPN Configuration 224 Understanding VPN Features 224 Configuring a Tunnel from a W-IAP to a Mobility Controller 225 Configuring Routing Profiles 236 IAP-VPN Deployment 238 Understanding IAP-VPN Architecture 238 Configuring W-IAP and Controller for IAP-VPN Operations 241
Configuring OpenDNS Credentials 293 Integrating a W-IAP with Palo Alto Networks Firewall 293 Integrating a W-IAP with an XML API Interface 295 CALEA Integration and Lawful Intercept Compliance 298 Cluster Security 304 Overview 304 Enabling Cluster Security 305 Cluster Security Debugging Logs 305 Verifying the Configuration 306 W-IAP Management and Monitoring 307 Managing a W-IAP from W-AirWave 307 Uplink Configuration 318 Uplink Interfaces 318 Uplink Preferences and Switching 323 I
Rebooting the W-IAP 359 Monitoring Devices and Logs 361 Configuring SNMP 361 Configuring a Syslog Server 365 Configuring TFTP Dump Server 366 Running Debug Commands 367 Uplink Bandwidth Monitoring 371 Hotspot Profiles 373 Understanding Hotspot Profiles 373 Configuring Hotspot Profiles 375 Sample Configuration 386 ClearPass Guest Setup 389 Configuring ClearPass Guest 389 Verifying ClearPass Guest Setup 392 Troubleshooting 392 IAP-VPN Deployment Scenarios Scenario 1—IPsec: Single
Chapter 1 About this Guide This User Guide describes the features supported by Dell Networking W-Series Instant Access Point (W-IAP) and provides detailed instructions for setting up and configuring the Instant network. Intended Audience This guide is intended for administrators who configure and use W-IAPs.
Table 1: Typographical Conventions Style Type Description In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example: # send In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets. [Optional] Command examples enclosed in square brackets are optional.
Chapter 2 About Instant This chapter provides the following information: l Instant Overview on page 11 l What is New in this Release on page 14 Instant Overview Instant virtualizes Dell Networking W-Series Mobility Controller capabilities on 802.11-capable access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. Instant is a simple, easy-to-deploy turnkey WLAN solution consisting of one or more W-IAPs.
Table 3: Supported W-IAP Platforms (W-IAP Platform | Minimum Required Instant Software Version)
W-IAP103 | Instant 6.4.0.2-4.1.0.0 or later
W-IAP274/275, W-IAP114/115, W-IAP224/225 | Instant 6.3.1.1-4.0.0.0 or later
W-IAP155/155P | Instant 6.2.1.0-3.3.0.0 or later
W-IAP108/109 | Instant 6.2.0.0-3.2.0.0 or later
Each W-IAP model has a minimum required Instant software version as shown in Table 3.
Table 4: Supported W-IAP Variants (W-IAP Model | W-IAP###US, US only | W-IAP###JP, Japan only | W-IAP###RW, Rest of the World except US/JP)
W-IAP274/275 | Yes | Yes | Yes
W-IAP228 | Yes | Yes | Yes
W-IAP224/225 | Yes | Yes | Yes
W-IAP214/215 | Yes | Yes | Yes
W-IAP205H | Yes | Yes | Yes
W-IAP204/205 | Yes | Yes | Yes
W-IAP155/155P | Yes | Yes | No
W-IAP114/115 | Yes | Yes | Yes
W-IAP108/109 | Yes | Yes | No
W-IAP103 | Yes | Yes | Yes
For information on regulatory domains and the list of countries supported by the
Instant CLI The Instant Command Line Interface (CLI) is a text-based interface that is accessible through a Secure Shell (SSH) session. SSH access requires that you configure an IP address and a default gateway on the W-IAP and connect the W-IAP to your network. This is typically performed when the Instant network on a W-IAP is set up. What is New in this Release The following features are introduced in Instant 6.5.1.0-4.3.1.
Table 6: New Hardware Platforms Feature Description W-IAP304/305 The W-IAP300 Series (W-IAP304/305) wireless access points are equipped with one 10/100/1000Base-T auto-sensing MDI/MDX Ethernet port. This port supports wired network connectivity, in addition to Power over Ethernet (PoE) from IEEE 802.3af and 802.3at compliant power sources. They also have two LEDs that indicate the system and radio status of the device and are equipped with three external antenna connectors.
Chapter 3 Setting up a W-IAP This chapter describes the following procedures: l Setting up Instant Network on page 16 l Provisioning a W-IAP on page 17 l Logging in to the Instant UI on page 19 l Accessing the Instant CLI on page 20 Setting up Instant Network Before installing a W-IAP: l Ensure that you have an Ethernet cable of the required length to connect a W-IAP to the home router. l Ensure that you have one of the following power sources: n IEEE 802.
Assigning a Static IP To assign a static IP to a W-IAP: 1. Connect a terminal, PC, or workstation running a terminal emulation program to the Console port on the W-IAP. 2. Turn on the W-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed. 3. Press the Enter key before the timer expires. The W-IAP enters apboot mode. 4. In apboot mode, execute the following commands to assign a static IP to the W-IAP. Because anyone with console access can interrupt the boot in this way, treat physical access to the console port as equivalent to administrative access to the W-IAP.
Connecting to a Provisioning Wi-Fi Network The W-IAPs boot with factory default configuration and try to provision automatically. If the automatic provisioning is successful, the Instant SSID will not be available. If W-AirWave and Activate are not reachable and the automatic provisioning fails, the Instant SSID becomes available and the users can connect to a provisioning network by using the Instant SSID. To connect to a provisioning Wi-Fi network: 1.
apboot> saveenv
apboot> reset
Provisioning W-IAPs through W-AirWave For information on provisioning W-IAPs through W-AirWave, refer to the W-AirWave Deployment Guide. Logging in to the Instant UI Launch a web browser and enter instant.dell-pcw.com.
Improper country code assignments can disrupt wireless transmissions. Most countries impose penalties and sanctions on operators of wireless networks with devices set to improper country codes. To view the country code information, run the show country-codes command. Specifying Country Code This procedure is applicable only to the W-IAP-RW variants. Skip this step if you are installing the W-IAP in the United States or Japan.
The configure terminal command allows you to enter the basic configuration mode and the command prompt is displayed as follows: (Instant AP)(config)# The Instant CLI allows CLI scripting in several other subcommand modes to allow the users to configure individual interfaces, SSIDs, access rules, and security settings. You can use the question mark (?) to view the commands available in a privileged EXEC mode, configuration mode, or subcommand mode.
Using Sequence-Sensitive Commands The Instant CLI does not support positioning or precedence of sequence-sensitive commands. Therefore, it is recommended that you remove the existing configuration before adding or modifying the configuration details for sequence-sensitive commands. You can either delete an existing profile or remove a specific configuration by using the no… commands.
The loginsession command configures how long a management session (Telnet or SSH) remains active without any user activity. To define a timeout interval: (Instant AP)(config)# loginsession timeout The timeout can be any number of minutes from 5 to 60, or any number of seconds from 1 to 3600. You can also specify a timeout value of 0 to disable CLI session timeouts; the session then never times out, which leaves an idle management session open indefinitely, so avoid 0 on production W-IAPs. Users must log in to the W-IAP again after the session times out. Because Telnet carries credentials and session contents in cleartext, use SSH for management sessions.
Chapter 4 Automatic Retrieval of Configuration This chapter provides the following information: l Managed Mode Operations on page 24 l Prerequisites on page 24 l Configuring Managed Mode Parameters on page 25 l Verifying the Configuration on page 26 Managed Mode Operations W-IAPs support managed mode operations to retrieve the configuration file from a server through the File Transfer Protocol (FTP) or FTP over Secure Sockets Layer (FTPS), and automatically update the W-IAP configuration. Plain FTP transfers the server credentials and the configuration file in cleartext, so use FTPS on any network path you do not fully control.
Configuring Managed Mode Parameters To enable the automatic configuration, perform the steps described in the following table: Table 9: Managed Mode Commands (Steps | Command) 1. Start a CLI session to configure the managed-mode profile for automatic configuration. | (Instant AP)(config)# managed-mode-profile 2. Enable automatic configuration, or specify the user credentials.
Table 9: Managed Mode Commands (continued) 6. Configure the day and time at which the W-IAPs can poll the configuration files from the server. | (Instant AP)(managed-mode-profile)# sync-time day hour min window
Based on the expected frequency of configuration changes and the maintenance window, you can set the configuration synchronization timeline.
l day—Indicates the day; for example, to configure Sunday as the day, specify 01.
If the configuration settings retrieved in the configuration file are incomplete, W-IAPs reboot with the earlier configuration. 27 | Automatic Retrieval of Configuration Dell Networking W-Series Instant 6.5.1.0-4.3.1.
Chapter 5 Instant User Interface This chapter describes the following Instant UI elements: l Login Screen on page 28 l Main Window on page 29 Login Screen The Instant login page allows you to perform the following tasks: l View Instant Network Connectivity summary l View the Instant UI in a specific language l Log in to the Instant UI Viewing Connectivity Summary The login page also displays the connectivity status to the Instant network.
Main Window On logging in to Instant, the Instant UI Main Window is displayed. The following figure shows the Instant main window: Figure 4 Instant Main Window The main window consists of the following elements: l Banner l Search Text Box l Tabs l Links l Views Banner The banner is a horizontal rectangle that appears on the Instant main window. It displays the company name, logo, and the VC's name.
Network Tab This tab displays a list of Wi-Fi networks that are configured in the Instant network. The network names are displayed as links. The expanded view displays the following information about each WLAN SSID: l Name—Name of the network. l Clients—Number of clients that are connected to the network. l Type—Type of network such as Employee, Guest, or Voice. l Band—Band in which the network is broadcast: 2.4 GHz band, 5 GHz band, or both.
Clients Tab This tab displays a list of clients that are connected to the Instant network. The client names are displayed as links. The expanded view displays the following information about each client: l Name—Username of the client or guest users if available. l IP Address—IP address of the client. l MAC Address—MAC address of the client. l OS—Operating system that runs on the client. l ESSID—ESSID to which the client is connected. l Access Point—W-IAP to which the client is connected.
System This link displays the System window. The System window consists of the following tabs: Use the Show/Hide Advanced option of the System window to view or hide the advanced options. l General—Allows you to configure, view, or edit the Name, IP address, NTP Server, and other W-IAP settings for the VC. l Admin—Allows you to configure administrator credentials for access to the VC Management UI. You can also configure W-AirWave in this tab.
l Roles —Use this tab to view the roles defined for all the Networks. The Access Rules part allows you to configure permissions for each role. For more information, see Configuring User Roles on page 195 and Configuring ACL Rules for Network Services on page 178. l Blacklisting—Use this tab to blacklist clients. For more information, see Blacklisting Clients on page 172.
l VPN l IDS l Wired l Services l DHCP Server l Support VPN The VPN window allows you to define communication settings with a Dell controller or a third party VPN concentrator. See VPN Configuration on page 224 for more information. The following figure shows an example of the IPsec configuration options available in the VPN window: Figure 5 VPN Window for IPsec Configuration IDS The IDS window allows you to configure wireless intrusion detection and protection levels.
Figure 6 IDS Window: Intrusion Detection Figure 7 IDS Window: Intrusion Protection For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue W-IAPs on page 328.
Wired The Wired window allows you to configure a wired network profile. See Wired Profiles on page 104 for more information. The following figure shows the Wired window: Figure 8 Wired Window Services The Services window allows you to configure services such as AirGroup, Real Time Location System (RTLS), and OpenDNS. The Services window consists of the following tabs: l AirGroup—Allows you to configure the AirGroup and AirGroup services. For more information, see Configuring AirGroup on page 279.
The following figure shows the default view of the Services window: Figure 9 Services Window: Default View DHCP Server The DHCP Servers window allows you to configure various DHCP modes. The following figure shows the options available in the DHCP Servers window: Figure 10 DHCP Servers Window For more information, see DHCP Configuration on page 207. Support The Support link consists of the following details: l Command—Allows you to select a support command for execution.
l Auto Run—Allows you to configure a schedule for automatic execution of a support command for a specific W-IAP or all W-IAPs. l Filter—Allows you to filter the contents of a command output. l Clear—Clears the command output that is displayed after a command is executed. l Save—Allows you to save the support command logs as an HTML or text file. For more information on support commands, see Running Debug Commands on page 367.
Table 10: Contents of the Info Section in the Instant Main Window
Info section in the Virtual Controller view: displays the following information:
l Name—Displays the VC name.
l Country Code—Displays the Country in which the VC is operating.
l Virtual Controller IP address—Displays the IP address of the VC.
l VC DNS—Displays the DNS IP address configured for the VC.
Info section in the Network view:
Table 10: Contents of the Info Section in the Instant Main Window (continued)
Info section in the Access Point view: displays the following information about the selected W-IAP:
l Clients—Number of clients associated with the W-IAP.
l Type—Displays the model number of the W-IAP.
l Zone—Displays W-IAP zone details.
l CPU Utilization—Displays the CPU utilization in percentage.
l Memory Free—Displays the memory availability of the W-IAP in MB.
l Serial number—Displays the serial number of the W-IAP.
l MAC—Displays the MAC address.
Info section in the Client view:
Table 11: RF Dashboard Icons (Icon number | Name | Description)
1 | Signal | Displays the signal strength of the client. Signal strength is measured in decibels relative to the noise floor (a signal-to-noise ratio), so a higher value is better. Depending on the signal strength of the client, the color of the lines on the Signal icon changes in the following order:
l Green—Signal strength is more than 20 dB.
l Orange—Signal strength is between 15 dB and 20 dB.
l Red—Signal strength is less than 15 dB.
Table 11: RF Dashboard Icons (continued)
4 | Noise | Displays the noise floor details for the W-IAPs. The noise floor is measured in dBm (decibels relative to one milliwatt), so a more negative value means less noise. Depending on the noise floor, the color of the lines on the Noise icon changes in the following order:
l Green—Noise floor is below -87 dBm.
l Orange—Noise floor is between -87 dBm and -80 dBm.
l Red—Noise floor is above -80 dBm.
To view the noise floor graph of a W-IAP, click the Noise icon next to the W-IAP in the Noise column.
The following table describes the RF trends graphs available in the Client view: Table 12: Client View—RF Trends Graphs and Monitoring Procedures Graph Name Signal Description Monitoring Procedure The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels. To monitor the signal strength of the selected client for the last 15 minutes: To see an enlarged view, click the graph.
Table 12: Client View—RF Trends Graphs and Monitoring Procedures (continued) To see the exact speed at a particular time, move the cursor over the graph line. Throughput The Throughput graph shows the throughput of the selected client for the last 15 minutes. l Outgoing traffic—Throughput for the outgoing traffic is displayed in green. It is shown above the median line. l Incoming traffic—Throughput for the incoming traffic is displayed in blue. It is shown below the median line.
The following table describes the graphs displayed in the Network view: Table 13: Network View—Graphs and Monitoring Procedures Graph Name Description Monitoring Procedure Clients The Clients graph shows the number of clients associated with the network for the last 15 minutes. To check the number of clients associated with the network for the last 15 minutes: To see an enlarged view, click the graph.
The following table describes the graphs displayed in the Access Point view: Table 14: Access Point View—Usage Trends and Monitoring Procedures (Graph Name | Description | Monitoring Procedure) Neighboring W-IAPs | The Neighboring W-IAPs graph shows the number of W-IAPs detected by the selected W-IAP: l Valid W-IAPs: A W-IAP that is part of the enterprise providing WLAN service. | To check the neighboring W-IAPs detected by the W-IAP for the last 15 minutes:
Table 14: Access Point View—Usage Trends and Monitoring Procedures Graph Name W-IAP Description To see the free memory of the W-IAP, move the cursor over the graph line. Clients The Clients graph shows the number of clients associated with the selected W-IAP for the last 15 minutes. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the W-IAP for the last 15 minutes.
Mobility information about the client is reset each time it roams from one W-IAP to another. Client Match If Client Match is enabled, the Client Match link provides a graphical representation of the radio map view of a W-IAP and the client distribution on a W-IAP radio. On clicking an access point in the Access Points tab and the Client Match link, a stations map view is displayed and a graph is drawn with real-time data points for the W-IAP radio. If the W-IAP supports dual-band, you can toggle between 2.
The spectrum link displays the following: l Device list—The device list display consists of a device summary table and channel information for active non-Wi-Fi devices currently seen by a spectrum monitor or a hybrid W-IAP radio. l Channel Utilization and Monitoring—This chart provides an overview of channel quality across the spectrum. It shows channel utilization information such as channel quality, availability, and utilization metrics as seen by a spectrum monitor for the 2.
Table 15: Types of Alerts (Type of Alert | Description | Information Displayed)
Client Alerts | Occur when clients are connected to the Instant network. | A Client Alert displays the following information: l Timestamp—Displays the time at which the client alert was recorded.
Active Faults | Occur in the event of a system fault.
Fault History | Displays the historic system faults.
Figure 19 Active Faults Figure 20 Fault History The following table lists the alerts that are generated in the W-IAP network:
Table 16: Alerts List (Code | Description | Details | Corrective Actions)
100101 | Internal error | The W-IAP has encountered an internal error for this client. | Contact the Dell customer support team.
100102 | Unknown SSID in association request | The W-IAP cannot allow this client to associate because the association request received contains an unknown SSID.
100104 | Unsupported 802.11 rate | The W-IAP cannot allow this client to associate because it does not support the 802.11 rate requested by this client. | Check the configuration on the W-IAP to see if the desired rate can be supported; if not, consider replacing the W-IAP with another model that can support the rate.
100410 | Integrity check failure in encrypted message | The W-IAP cannot receive data from this client because the integrity check of the received message (MIC) has failed. | Check the encryption setting on the client and on the W-IAP. Repeated MIC failures from a single client are also what triggers TKIP countermeasures under IEEE 802.11 and can indicate forged or replayed frames rather than a misconfiguration, so investigate bursts of this alert as a possible security event.
100511 | DHCP request timed out | This client did not receive a response to its DHCP request in time.
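As an added example (not part of this guide and not an Instant feature), the following Python snippet shows how an operator could post-process exported client alerts: it tallies alerts per Table 16 code and flags any client that accumulates repeated 100410 integrity-check failures inside a short window. The whitespace-separated record layout and the sample records are constructed for the demonstration, not the format of the Instant alert export; the two-failures-in-60-seconds threshold is borrowed from the TKIP countermeasure rule in IEEE 802.11, not from Instant.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Alert codes and descriptions as given in Table 16 of the guide.
ALERT_CODES = {
    100101: "Internal error",
    100102: "Unknown SSID in association request",
    100104: "Unsupported 802.11 rate",
    100410: "Integrity check failure in encrypted message",
    100511: "DHCP request timed out",
}
MIC_FAILURE = 100410

# Constructed sample records: "<ISO timestamp> <client MAC> <alert code>".
# This layout is the example's own, not the Instant alert export format.
SAMPLE_ALERTS = """\
2016-10-03T10:00:01 00:11:22:33:44:55 100410
2016-10-03T10:00:04 aa:bb:cc:dd:ee:01 100511
2016-10-03T10:00:12 00:11:22:33:44:55 100410
2016-10-03T10:00:15 aa:bb:cc:dd:ee:01 100410
2016-10-03T10:00:31 00:11:22:33:44:55 100410
2016-10-03T10:00:40 aa:bb:cc:dd:ee:02 100104
2016-10-03T10:02:00 aa:bb:cc:dd:ee:02 100410
2016-10-03T10:09:30 aa:bb:cc:dd:ee:02 100410
"""


def parse_alerts(text):
    """Parse records into (timestamp, mac, code) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, code = line.split()
        records.append((datetime.fromisoformat(ts), mac.lower(), int(code)))
    return records


def alerts_by_code(records):
    """Count alerts per code, keyed by the Table 16 description."""
    counts = Counter(code for _, _, code in records)
    return {ALERT_CODES.get(code, f"unknown code {code}"): n for code, n in counts.items()}


def mic_failure_bursts(records, threshold=2, window=timedelta(seconds=60)):
    """Return {mac: largest number of MIC failures seen inside any `window`}
    for clients that reach `threshold`, using a sliding window per client."""
    per_client = defaultdict(list)
    for ts, mac, code in records:
        if code == MIC_FAILURE:
            per_client[mac].append(ts)
    flagged = {}
    for mac, times in per_client.items():
        times.sort()
        best, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[mac] = best
    return flagged


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    print(alerts_by_code(recs))
    print("clients with MIC failure bursts:", mic_failure_bursts(recs))
```

In the constructed sample, only the first client logs three 100410 alerts within 30 seconds and is flagged; the third client logs two MIC failures seven minutes apart, which the window rule treats as isolated misconfiguration rather than a burst.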
n Where—Provides information about the W-IAP that detected the foreign client. Click the Push Pin icon to view the information. The following figure shows an example for the intrusion detection log: Figure 21 Intrusion Detection For more information on the intrusion detection feature, see Intrusion Detection on page 328. AirGroup This AirGroup link provides an overall view of your AirGroup configuration. Click each parameter to view or edit the settings.
Figure 23 Configuration Link W-AirWave Setup W-AirWave is a solution for managing rapidly changing wireless networks. When enabled, W-AirWave allows you to manage the Instant network. For more information on W-AirWave, see Managing a W-IAP from W-AirWave on page 307. The W-AirWave status is displayed below the Virtual Controller section of the Instant main window. If the W-AirWave status is Not Set Up, click the Set Up Now link to configure W-AirWave. The System > Admin window is displayed.
Chapter 6 Initial Configuration Tasks This chapter consists of the following sections: l Configuring System Parameters on page 56 l Changing Password on page 62 Configuring System Parameters This section describes how to configure the system parameters of a W-IAP. To configure system parameters: 1. Select System.
Table 17: System Parameters (Parameter | Description | CLI Configuration)
Name | Name of the W-IAP. | (Instant AP)# name
System location | Physical location of the W-IAP.
Table 17: System Parameters (continued)
Dynamic Proxy | This parameter allows you to enable or disable the dynamic proxy for RADIUS and Terminal Access Controller Access Control System (TACACS) servers. To enable dynamic RADIUS proxy:
l Dynamic RADIUS proxy—When dynamic RADIUS proxy is enabled, the VC network uses the IP address of the VC for communication with external RADIUS servers. The RADIUS server then sees a single NAS address for the whole cluster, so its client entry and shared secret are tied to the VC IP address rather than to every individual W-IAP.
Table 17: System Parameters (continued) NTP helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the W-IAP clock and set the correct time. If no NTP server is configured in the W-IAP network, a W-IAP reboot may lead to variation in time data. By default, the W-IAP tries to connect to pool.ntp.org to synchronize time. Accurate time also matters for certificate validity checks and for correlating W-IAP logs with other systems, so point the W-IAPs at a trusted NTP server reachable from the management network rather than relying on the public pool default.
Table 17: System Parameters (continued) l All—Displays both App and WebCC DPI data. l None—Does not display any AppRF content. URL Visibility | Select Enabled or Disabled from the URL visibility drop-down list. | (Instant AP)(config)# url-visibility Cluster security | Select Enabled to ensure that the control plane messages between access points are secured. This option is disabled by default, which leaves the control-plane traffic between cluster members unprotected; enable it wherever the wired path between W-IAPs is not fully trusted.
Table 17: System Parameters (continued) Auto join mode | The Auto-Join feature allows W-IAPs to automatically discover the VC and join the network. The Auto-Join feature is enabled by default. If the Auto-Join feature is disabled, a link is displayed in the Access Points tab indicating that there are new W-IAPs discovered in the network. Click this link if you want to add these W-IAPs to the network. With Auto-Join enabled, any W-IAP that discovers the VC joins without an administrator approving it; disabling Auto-Join makes each join an explicit administrator action, which is the safer setting once the initial deployment is complete.
Table 17: System Parameters (continued) (Instant AP)(SSID Profile)# deny-inter-user-bridging Deny local routing | If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same W-IAP on different VLANs.
Changing Password You can update your password details by using the Instant UI or the CLI. Change the default administrator password as part of the initial setup, since every factory-reset W-IAP ships with the same default credentials. In the Instant UI To change the admin user password: 1. Navigate to System > Admin. 2. Under Local, provide a new password that you would like the admin users to use. 3. Click OK. In the CLI To change the admin user password:
(Instant AP)(config)# mgmt-user [password]
(Instant AP)(config)# end
(Instant AP)# commit apply
Hashing of Management User Password Starting from Instant 6.5.0.0-4.3.0.
Chapter 7 Customizing W-IAP Settings This chapter describes the procedures for configuring settings that are specific to a W-IAP in the cluster.
For the SSID to be assigned to a W-IAP, the same zone details must be configured on the SSID. For more information on SSID configuration, see Configuring WLAN Settings for an SSID Profile on page 78. In the Instant UI 1. On the Access Points tab, click the W-IAP for which you want to set the zone. The edit link is displayed. 2. Click the edit link. The edit window for modifying W-IAP details is displayed. 3. Specify the W-IAP zone in Zone. 4. Click OK.
Configuring External Antenna If your W-IAP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's Equivalent Isotropically Radiated Power (EIRP) complies with the limit specified by the regulatory authority of the country in which the W-IAP is deployed. EIRP is the radiated power after the antenna gain and any loss on the way to the antenna are taken into account: EIRP (dBm) = transmit power (dBm) + antenna gain (dBi) - cable and connector loss (dB). You can therefore measure or calculate the additional attenuation between the device and the antenna before configuring the antenna gain, and account for it in the gain value you configure.
4. Click OK. In the CLI To configure external antenna for 5 GHz frequency: (Instant AP)# a-external-antenna To configure external antenna for 2.4 GHz frequency: (Instant AP)# g-external-antenna Configuring Radio Profiles for a W-IAP You can configure a radio profile on a W-IAP either manually or by using the Adaptive Radio Management (ARM) feature. ARM is enabled on Instant by default. It automatically assigns appropriate channel and power settings for the W-IAPs.
By default, the channel and power for a W-IAP are optimized dynamically using ARM. You can override ARM on the 2.4 GHz and 5 GHz bands and set the channel and power manually if desired. The following table describes various configuration modes for a W-IAP: Table 20: W-IAP Radio Modes Mode Description Access In Access mode, the W-IAP serves clients, while also monitoring for rogue W-IAPs in the background. If the Access mode is selected, perform the following actions: 1.
You can also set the maximum clients when configuring SSID profiles using the Max Clients Threshold parameter in the Instant UI and max-clients-threshold parameter in the Instant CLI. For more information, see Configuring WLAN Settings for an SSID Profile on page 78. If the maximum clients setting is configured multiple times, using either the configuration mode or Privileged EXEC mode, the latest configuration takes precedence.
2. In the Edit Access Point window, select Installation Type to configure the installation type for the W-IAP you have selected. Note that, by default, the Default mode is selected. This means that the W-IAP installation type is based on the W-IAP model. 3. You can either select the Indoor option to change the installation to Indoor mode or select the Outdoor option to change the installation to Outdoor mode. 4. Click OK.
Master Election and Virtual Controller Instant does not require an external Mobility Controller to regulate and manage the Wi-Fi network. Instead, one W-IAP in every network assumes the role of VC. It coordinates, stores, and distributes the settings required for providing a centralized functionality to regulate and manage the Wi-Fi network. The VC is the single point of configuration and firmware management.
In the Instant UI To provision a W-IAP as a master W-IAP: 1. On the Access Points tab, click the W-IAP to modify. 2. Click the edit link. 3. Select Enabled from the Preferred master drop-down list. This option is disabled by default. Figure 24 W-IAP Settings—Provisioning Master W-IAP 4. Click OK.
Removing a W-IAP from the Network You can remove a W-IAP from the network by using the Instant UI, only if the Auto-Join feature is disabled. In the Instant UI To remove a W-IAP from the network: 1. On the Access Points tab, click the W-IAP to delete. The x icon is displayed beside the W-IAP. 2. Click x to confirm the deletion. The deleted W-IAPs cannot join the Instant network anymore and are not displayed in the Instant UI. However, the master W-IAP details cannot be deleted from the VC database.
Chapter 8 VLAN Configuration This chapter explains the following topics: l VLAN Pooling l Uplink VLAN Monitoring and Detection on Upstream Devices VLAN configuration is required for larger networks with many devices and significant broadcast traffic on a WLAN SSID or wired profile. Based on the network type and its requirements, you can configure the VLANs for a WLAN SSID or wired port profile; placing different classes of traffic (for example employee and guest) in separate VLANs also lets upstream devices enforce policy between them.
Chapter 9 IPv6 Support This chapter includes the following topics: l IPv6 Notation on page 74 l Enabling IPv6 Support for W-IAP Configuration on page 74 l Firewall Support for IPv6 on page 76 l Debugging Commands on page 76 IPv6 Notation IPv6 is the latest version of Internet Protocol (IP) that is suitable for large-scale IP networks. IPv6 supports 128-bit addresses, allowing 2^128 (approximately 3.4×10^38) addresses, while IPv4 supports only 2^32 addresses.
When the IP mode is set to v4-prefer, the W-IAP derives a link-local IPv6 address and attempts to acquire a routable IPv6 address by monitoring Router Advertisement (RA) packets. The W-IAP configures both a Stateless Address Autoconfiguration (SLAAC) address and a DHCPv6 client address. W-IAPs also support IPv6 DNS server addresses and use them for DNS resolution.
SNTP Over IPv6
To view the SNTP configuration:
(Instant AP)# show running-config|include ntp
ntp-server 2001:470:20::121
Firewall Support for IPv6
For a given client, a single ACL is used to firewall both IPv4 and IPv6 rules. A rule any any match any any any permit in the access rule configuration will expand to two different ACL entries:
- any any any P6
- any any any P4
Similarly, if any IPv6 specific rule is added.
Chapter 10 Wireless Network Profiles
This chapter provides the following information:
- Configuring Wireless Network Profiles on page 77
- Configuring Fast Roaming for Wireless Clients on page 97
- Configuring Modulation Rates on a WLAN SSID on page 100
- Disabling Short Preamble for Wireless Client on page 102
- Multi-User-MIMO on page 101
- Management Frame Protection on page 102
- Editing Status of a WLAN SSID Profile on page 102
- Editing a WLAN SSID Profile on page 103
- Deleting a WL
Configuring WLAN Settings for an SSID Profile
You can configure WLAN settings using the Instant UI or the CLI.
In the Instant UI
To configure WLAN settings:
1. On the Network tab of the Instant main window, click the New link. The New WLAN window is displayed. The following figure shows the contents of the WLAN Settings tab:
Figure 26 WLAN Settings Tab
2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
Table 21: WLAN Configuration Parameters
Broadcast filtering: Select any of the following values:
- All—When set to All, the W-IAP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
DTIM interval: The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the W-IAP should deliver the buffered broadcast and multicast frames to associated clients in the powersave mode. The default value is 1, which means the client checks for buffered data on the W-IAP at every beacon.
For more information on WMM traffic and DSCP mapping, see Wi-Fi Multimedia Traffic Management on page 273. For voice traffic and Spectralink Voice Prioritization, configure the following parameters:
- Traffic Specification (TSPEC)—To prioritize time-sensitive traffic such as voice traffic initiated by the client, select the Traffic Specification (TSPEC) check box.
individually for each W-IAP in the cluster.
SSID Encoding: To encode the SSID, select UTF-8. By default, the SSIDs are not encoded.
NOTE: When a wireless SSID is encoded, by default, UTF-8 is added to the access rules that are active on the SSID. However, this does not apply to the access rules that are configured separately for the SSID. UTF-8 is not supported for wired networks.
(Instant AP)(SSID Profile )# max-clients-threshold
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Temporal Diversity and Maximum Retries using CLI
Starting from Instant 6.5.0.0-4.3.0.0, when clients are not responding to 802.11 packets with the temporal-diversity parameter disabled, which is the default setting, W-IAPs can attempt only hardware retries. But if this parameter is enabled when the clients are not responding to 802.
Figure 27 VLAN Tab
2. Select one of the following options for Client IP assignment:
- Virtual Controller assigned—On selecting this option, the client obtains the IP address from the VC.
- Network assigned—On selecting this option, the IP address is obtained from the network.
3. Based on the type of client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table:
Table 22: IP and VLAN Assignment for WLAN SSID Clients
Client IP Assignment: Virtual Controller assigned
Client VLAN Assignment: If Virtual Controller assigned is selected for client IP assignment, the VC creates a private subnet and VLAN on the W-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multisite wireless network.
Enforcing DHCP
Starting from Instant 6.4.3.4-4.2.1.0, you can configure a WLAN SSID profile to enforce DHCP on W-IAP clients. When DHCP is enforced:
- A layer-2 user entry is created when a client associates with a W-IAP.
- The client DHCP state and IP address are tracked.
- When the client obtains an IP address from DHCP, the DHCP state changes to complete.
- If the DHCP state is complete, a layer-3 user entry is created.
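The user-entry lifecycle listed above, modelled as an added example (not Instant's implementation): association creates the layer-2 entry, DHCP progress is tracked, and the layer-3 entry exists only once the DHCP state is complete. The assumption that an admitted frame must also carry the leased address, the class and method names, and the MAC/IP sample values are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UserEntry:
    """Layer-2 user entry created at association; fields tracked while DHCP is enforced."""
    mac: str
    dhcp_state: str = "none"        # none -> discover -> complete
    ip: Optional[str] = None
    layer3: bool = False            # layer-3 entry exists only once dhcp_state is complete


class DhcpEnforcingAp:
    """Model of the user-entry lifecycle on the W-IAP; not Instant's own code."""

    def __init__(self, enforce_dhcp: bool) -> None:
        self.enforce_dhcp = enforce_dhcp
        self.users: Dict[str, UserEntry] = {}

    def associate(self, mac: str) -> None:
        # Association creates the layer-2 entry regardless of the enforcement setting.
        self.users[mac] = UserEntry(mac)

    def dhcp_discover(self, mac: str) -> None:
        if mac in self.users:
            self.users[mac].dhcp_state = "discover"

    def dhcp_ack(self, mac: str, ip: str) -> None:
        # The client obtained an address from DHCP: the state becomes complete and the
        # layer-3 entry is created, bound (assumption) to the leased address.
        user = self.users.get(mac)
        if user is None:
            return
        user.dhcp_state, user.ip, user.layer3 = "complete", ip, True

    def admit_ip_frame(self, mac: str, src_ip: str) -> bool:
        """Whether an IP frame from this client is forwarded.

        With enforcement on, only a client whose layer-3 entry exists and whose source
        address is the leased one is admitted; a client that skipped DHCP and set a
        static address never reaches the complete state and is not forwarded.
        """
        user = self.users.get(mac)
        if user is None:
            return False                      # never associated: no layer-2 entry
        if not self.enforce_dhcp:
            return True                       # enforcement off: static addresses pass
        return user.layer3 and user.ip == src_ip


def run_scenario(enforce_dhcp: bool) -> Dict[str, bool]:
    """Constructed event sequence: one client completes DHCP, one uses a static address."""
    ap = DhcpEnforcingAp(enforce_dhcp)
    dhcp_client, static_client = "00:11:22:33:44:01", "00:11:22:33:44:02"
    ap.associate(dhcp_client)
    ap.associate(static_client)
    ap.dhcp_discover(dhcp_client)
    ap.dhcp_ack(dhcp_client, "192.0.2.10")
    return {
        "dhcp_client_leased_ip": ap.admit_ip_frame(dhcp_client, "192.0.2.10"),
        "dhcp_client_other_ip": ap.admit_ip_frame(dhcp_client, "192.0.2.99"),
        "static_client": ap.admit_ip_frame(static_client, "192.0.2.20"),
        "unknown_client": ap.admit_ip_frame("00:11:22:33:44:ff", "192.0.2.30"),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print(f"enforce_dhcp={mode}: {run_scenario(mode)}")
```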
Figure 28 Security Tab: Enterprise
Figure 29 Security Tab: Personal
Figure 30 Security Tab: Open
2. Based on the security level selected, specify the following parameters:
Table 23: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
Key Management: Click the Enterprise security level, then select any of the following options from the Key management drop-down list:
- WPA-2 Enterprise
- WPA Enterprise
- Both (WPA-2 & WPA)
- Dynamic Wired Equivalent Privacy (WEP) with 802.1X—If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled.
When Termination is enabled, the W-IAP itself acts as an authentication server and terminates the outer layers of the EAP protocol, relaying only the innermost layer to the external RADIUS server. This can also reduce the number of packets exchanged between the W-IAP and the authentication server.
- When Reauth interval is configured on an SSID performing only L3 authentication (captive portal authentication)—When reauthentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through the captive portal to regain access.
authentication will be the same as the server defined for 802.1X authentication. You cannot use the W-IAP's internal database for MAC authentication and an external RADIUS server for 802.1X authentication on the same SSID.
Delimiter character: Specify a character (for example, colon or dash) as a delimiter for the MAC address string.
Upload Certificate: Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates on page 175.
Fast Roaming (Enterprise, Personal, and Open security levels): You can configure the following fast roaming options for the WLAN SSID:
(Instant AP)(SSID Profile )# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile )# radius-interim-accounting-interval
(Instant AP)(SSID Profile )# radius-reauth-interval
(Instant AP)(SSID Profile )# max-authentication-failures
(Instant AP)(SSID Profile )# no okc-disable
(Instant AP)(SSID Profile )# dot11r
(Instant AP)(SSID Profile )# dot11k
(Instant AP)(SSID Profile )# dot11v
(Instant AP)(SSID Pr
You can configure up to 128 access rules for an Employee, Voice, or Guest network using the Instant UI or the CLI.
In the Instant UI
To configure access rules for an Employee or Voice network:
1. In the Access Rules tab, set the slider to any of the following types of access control:
- Unrestricted—Select this option to set unrestricted access to the network.
- Network-based—Set the slider to Network-based to set common rules for all users in a network.
To configure machine and user authentication roles:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-machine-auth
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-unrestricted
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Example
The following example configures access rules f
For information on configuring a native VLAN on a wired profile, see Configuring VLAN for a Wired Profile on page 105.
Configuring Fast Roaming for Wireless Clients
Instant supports the following features that enable fast roaming of clients:
- Opportunistic Key Caching
- Fast BSS Transition (802.11r Roaming)
- Radio Resource Management (802.11k)
- BSS Transition Management (802.11v)
Opportunistic Key Caching
Instant now supports opportunistic key caching (OKC)-based roaming.
4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list. When any of these encryption types is selected, Opportunistic Key Caching (OKC) is enabled by default. 5. Click Next and then click Finish.
Radio Resource Management (802.11k)
The 802.11k standard provides mechanisms for W-IAPs and clients to dynamically measure the available radio resources and enables stations to query and manage their radio resources. In an 802.11k-enabled network, W-IAPs and clients can share radio and link measurement information, neighbor reports, and beacon reports with each other.
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# dot11k
(Instant AP)(config)# end
(Instant AP)# commit apply
To view the beacon report details:
(Instant AP)# show ap dot11k-beacon-report
To view the neighbor details:
(Instant AP)# show ap dot11k-nbrs
Example
(Instant AP)(config)# wlan ssid-profile dot11k-profile
(Instant AP)(SSID Profile "dot11k-profile")# dot11k
(Instant AP)(config)# end
(Instant AP)# commit apply
BSS Transition Management (802.11v)
The 802.
The 802.11 radio profiles support basic modulation and transmission rates. The 802.11g basic modulation rates determine the 802.11b/g rates that are advertised in beacon frames and probe responses, and the 802.11g transmission rates determine the 802.11b/g rates at which the W-IAP can transmit data. For 802.11n clients, you can now configure an HT MCS rate set so that the SSID does not broadcast the disabled MCS rates list. For 802.11ac clients, only 10 MCS rates supported in the 802.
To configure the RTS/CTS threshold:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile "")# rts-threshold
(Instant AP)(SSID Profile "")# end
(Instant AP)# commit apply
To disable RTS/CTS, set the RTS threshold value to 0.
Management Frame Protection
Instant supports the IEEE 802.11w standard, also known as Management Frame Protection (MFP). MFP increases security by providing data confidentiality of management frames. MFP uses 802.
In the CLI
To disable an SSID:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# disable
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To enable an SSID:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# enable
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Editing a WLAN SSID Profile
To edit a WLAN SSID profile:
1. On the Network tab, select the network that you want to edit.
Chapter 11 Wired Profiles
This chapter describes the following procedures:
- Configuring a Wired Profile on page 104
- Assigning a Profile to Ethernet Ports on page 109
- Editing a Wired Profile on page 109
- Deleting a Wired Profile on page 110
- Link Aggregation Control Protocol on page 110
- Understanding Hierarchical Deployment on page 111
Configuring a Wired Profile
The Ethernet ports allow third-party devices such as VoIP phones or printers (which support only wired connections) to connec
information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 109. c. Spanning Tree—Select the Spanning Tree check box to enable Spanning Tree Protocol (STP) on the wired profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on W-IAPs with three or more ports.
- If Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN. You can specify a value within the range of 1–4093.
d. If the Access mode is selected:
- If Client IP Assignment is set to Virtual Controller Assigned, proceed to step 2.
- If Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
2. Click Next.
authentication fail-thru check box is displayed only when both MAC authentication and 802.1X authentication are Enabled.
- Select any of the following options for Authentication server 1:
  - New—On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring an External Server for Authentication on page 151.
In the Instant UI
To configure access rules:
1. On the Access tab, configure the following access rule parameters.
a. Select any of the following types of access control:
- Role-based—Allows the users to obtain access based on the roles assigned to them.
- Unrestricted—Allows the users to obtain unrestricted access on the port.
- Network-based—Allows the users to be authenticated based on access rules specified for a network.
b.
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
To configure machine and user authentication roles:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# set-role-machine-auth
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# set-role-unrestricted
(Instant AP)(wired ap profil
Deleting a Wired Profile
To delete a wired profile:
1. Click the Wired link under More on the Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to delete.
3. Click Delete. The wired profile is deleted.
Link Aggregation Control Protocol
The W-IAP220 Series and W-IAP270 Series access points support the IEEE 802.11ac standard for high-performance WLAN. To support maximum traffic, port aggregation is required as it increases throughput and enhances reliability.
Enabling Static LACP Configuration When W-IAPs connect to switches which have the LACP capability, the LACP feature does not work as expected. To enable a static LACP configuration, new commands are introduced. W-IAPs support the dynamic LACP configuration according to a peer switch. When the peer switch enables LACP configuration, the W-IAPs form the LACP. Users can enable, disable, and remove the static LACP configuration in the W-IAP.
Figure 31 Hierarchical Deployment
Chapter 12 Captive Portal for Guest Access
This chapter provides the following information:
- Understanding Captive Portal on page 113
- Configuring a WLAN SSID for Guest Access on page 114
- Configuring Wired Profile for Guest Access on page 120
- Configuring Internal Captive Portal for Guest Network on page 122
- Configuring External Captive Portal for a Guest Network on page 125
- Configuring Facebook Login on page 131
- Configuring Guest Logon Role and Access Rules for Guest Users on page
- External captive portal—For external captive portal authentication, an external portal on the cloud or on a server outside the enterprise network is used.
Walled Garden
The administrators can also control the resources that the guest users can access and the amount of bandwidth or airtime they can use at any given time. When an external captive portal is used, the administrators can configure a walled garden, which determines access to the URLs requested by the guest users.
Table 24: WLAN Configuration Parameters
Broadcast filtering: Select any of the following values:
- All—When set to All, the W-IAP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
DTIM interval: The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the W-IAP should deliver the buffered broadcast and multicast frames to associated clients in the powersave mode. The default value is 1, which means the client checks for buffered data on the W-IAP at every beacon.
from applications or devices that do not support QoS.
- Video WMM—For video traffic generated from video streaming.
- Voice WMM—For voice traffic generated from the incoming and outgoing voice communication.
Max clients threshold: Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0 to 255. The default value is 64.
SSID Encoding: To encode the SSID, select UTF-8. By default, the SSIDs are not encoded.
Deny inter user bridging: When enabled, the bridging traffic between two clients connected to the same SSID on the same VLAN is disabled.
Table 25: IP and VLAN Assignment for WLAN SSID Clients
Client IP Assignment: Virtual Controller assigned
Client VLAN Assignment: If Virtual Controller assigned is selected for client IP assignment, the VC creates a private subnet and VLAN on the W-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network.
5. Enter the following information.
a. Mode—You can specify any of the following modes:
- Access—Select this mode to allow the port to carry a single VLAN specified as the native VLAN.
- Trunk—Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.
b. Specify any of the following values for Client IP Assignment:
- Virtual Controller Assigned: Select this option to allow the VC to assign IP addresses to the wired clients.
Configuring Internal Captive Portal for Guest Network
For internal captive portal authentication, an internal server is used for hosting the captive portal service. You can configure internal captive portal authentication when adding or editing a guest network created for a wireless or wired profile through the Instant UI or the CLI.
In the Instant UI
1. Navigate to the WLAN wizard or Wired window.
Table 26: Internal Captive Portal Configuration Parameters
- Select New for configuring a new external RADIUS or LDAP server for authentication.
Load balancing: Select Enabled to enable load balancing if two authentication servers are used.
Reauth interval: Select a value to allow the W-IAPs to periodically reauthenticate all associated and authenticated clients.
Accounting interval: Configure an accounting interval in minutes within the range of 0–60, to allow W-IAPs to periodically post accounting information to the RADIUS server.
Encryption: Select Enabled to configure encryption parameters. Select an encryption and configure a passphrase. (Applicable for WLAN SSIDs only.)
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# type
(Instant AP)(wired ap profile )# captive-portal {|} exclude-uplink {3G|4G|Wifi|Ethernet}
(Instant AP)(wired ap profile )# mac-authentication
(Instant AP)(wired ap profile )# auth-server
(Instant AP)(wired ap profile )# radius-reauth-interval
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
To custom
Table 27: Captive Portal Profile Configuration Parameters
Name: Enter a name for the profile.
Type: Select any one of the following types of authentication:
- Radius Authentication—Select this option to enable user authentication against a RADIUS server.
- Authentication Text—Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
In the CLI
To configure an external captive portal profile:
(Instant AP)(config)# wlan external-captive-portal [profile_name]
(Instant AP)(External Captive Portal)# server
(Instant AP)(External Captive Portal)# port
(Instant AP)(External Captive Portal)# url
(Instant AP)(External Captive Portal)# https
(Instant AP)(External Captive Portal)# redirect-url
(Instant AP)(External Captive Portal)# server-fail-through
(Instant AP)(External C
Table 28: External Captive Portal Configuration Parameters
Delimiter character: Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the W-IAP will use the delimiter in the MAC authentication request. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.
In the CLI
To configure security settings for guest users of the WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# essid
(Instant AP)(SSID Profile )# type
(Instant AP)(SSID Profile )# captive-portal{[exclude-uplink ]|external [exclude-uplink | profile [exclude-uplink ]]}
(Instant AP)(SSID Profile )# captive-portal-proxy-server
(Instant AP)(SSID Profile )# blacklist
(In
Configuring External Captive Portal Authentication Using ClearPass Guest You can configure Instant to point to ClearPass Guest as an external captive portal server. With this configuration, the user authentication is performed by matching a string in the server response and that in the RADIUS server (either ClearPass Guest or a different RADIUS server).
When the RADIUS server IP address is configured under Extra Fields in the ClearPass Guest login page, the RADIUS server IP parameter is submitted to the server as part of the HTTP or HTTPS POST data when the guest users initiate an HTTP or HTTPS request. The W-IAP intercepts this information to perform the actual RADIUS authentication with the server IP defined in the POST message. For more information on guest registration customization on ClearPass Guest, refer to the ClearPass Guest User Guide.
(Instant AP)(SSID Profile )# captive-portal {[exclude-uplink ]|external [exclude-uplink |profile [exclude-uplink ]]}
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Example
The following example configures a Facebook account for captive portal authentication:
(Instant AP)(config)# wlan ssid-profile guestNetwork
(Instant AP)(SSID Profile "guestNetwork")# captive-portal facebook
(Instant AP)(SSID Profile "guestNetwork")# end
(Instant AP)# commit apply
You can configure up to 128 access rules for guest user roles through the Instant UI or the CLI.
In the Instant UI
To configure roles and access rules for the guest network:
1. On the Access Rules tab, set the slider to any of the following types of access control:
- Unrestricted—Select this to set unrestricted access to the network.
- Network-based—Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default.
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure machine and user authentication roles:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-machine-auth
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-unrestricted
(Instant AP)(SSID Profile )# end
(Instant AP)# co
2. On the Access tab, move the slider to Role-based access control by using the scroll bar.
3. Select a role or create a new one if required.
4. Click New to add a new rule. The New Rule window is displayed.
5. In the New Rule window, specify the following parameters.
Table 30: Captive Portal Rule Configuration Parameters
External:
- To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and then click OK. Ensure that the welcome text does not exceed 127 characters.
- To change the policy text, click the second square box in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
The client can connect to this SSID after authenticating with username and password. After a successful user login, the captive portal role is assigned to the client.
(Instant AP)(config)# wlan walled-garden
(Instant AP)(Walled Garden)# white-list
(Instant AP)(Walled Garden)# black-list
(Instant AP)(Walled Garden)# end
(Instant AP)# commit apply
Disabling Captive Portal Authentication
To disable captive portal authentication:
1. Select a wireless or wired profile. Depending on the network profile selected, the Edit or Edit Wired Network window is displayed.
Chapter 13 Authentication and User Management
This chapter provides the following information:
- Managing W-IAP Users on page 139
- Supported Authentication Methods on page 143
- Supported EAP Authentication Frameworks on page 145
- Configuring Authentication Servers on page 146
- Understanding Encryption Types on page 160
- Configuring Authentication Survivability on page 161
- Configuring 802.1X Authentication for a Network Profile on page 163
- Enabling 802.
Configuring W-IAP Users The Instant user database consists of a list of guest and employee users. The addition of a user involves specifying the login credentials for a user. The login credentials for these users are provided outside the Instant system. A guest user can be a visitor who is temporarily using the enterprise network to access the Internet.
Edit or Delete User Settings
1. To edit user settings:
a. Select the user you want to modify from the Users list in the table.
b. Click Edit to modify user settings.
c. Click OK.
2. To delete a user:
a. Select the user you want to delete from the Users list in the table.
b. Click Delete.
c. Click OK.
3. To delete all or multiple users at a time:
a. Select multiple users you want to delete from the Users list in the table.
b. Click Delete All.
c. Click OK.
Table 32: Authentication Parameters for Management Users
Type of User | Authentication Options | Steps to Follow
Local administrator | Internal | Select Internal if you want to specify a single set of user credentials. If using an internal authentication server: 1. Specify the Username and Password. 2. Retype the password to confirm.
Local administrator | Authentication server | Select the RADIUS or TACACS authentication servers.
Administrator with Read-Only Access | Internal |
In the CLI
To configure a local admin user:
(Instant AP)(config)# mgmt-user [password]
To configure guest management administrator credentials:
(Instant AP)(config)# mgmt-user [password] guest-mgmt
To configure a user with read-only privilege:
(Instant AP)(config)# mgmt-user [password] read-only
To configure management authentication settings:
(Instant AP)(config)# mgmt-auth-server
(Instant AP)(config)# mgmt-auth-ser
- Captive Portal Authentication
- MAC Authentication with Captive Portal Authentication
- 802.1X Authentication with Captive Portal Role
- WISPr Authentication
802.1X Authentication
802.1X is an IEEE standard that provides an authentication framework for WLANs. The 802.1X standard uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.
Captive Portal Authentication Captive portal authentication is used for authenticating guest users. For more information on captive portal authentication, see Captive Portal for Guest Access on page 113. MAC Authentication with Captive Portal Authentication You can enforce MAC authentication for captive portal clients. For more information on configuring a W-IAP to use MAC authentication with captive portal authentication, see Configuring MAC Authentication with Captive Portal Authentication on page 170.
To use the W-IAP’s internal database for user authentication, add the usernames and passwords of the users to be authenticated. Dell does not recommend the use of LEAP authentication, because it does not provide any resistance to network attacks. Authentication Termination on W-IAP W-IAPs support EAP termination for enterprise WLAN SSIDs. The EAP termination can reduce the number of exchange packets between the W-IAP and the authentication servers.
External RADIUS Server In the external RADIUS server, the IP address of the VC is configured as the NAS IP address. Instant RADIUS is implemented on the VC and this eliminates the need to configure multiple NAS clients for every W-IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server.
- Aruba-AP-Group
- Aruba-AP-IP-Address
- Aruba-AS-Credential-Hash
- Aruba-AS-User-Name
- Aruba-Admin-Path
- Aruba-Admin-Role
- Aruba-AirGroup-Device-Type
- Aruba-AirGroup-Shared-Group
- Aruba-AirGroup-Shared-Role
- Aruba-AirGroup-Shared-User
- Aruba-AirGroup-User-Name
- Aruba-AirGroup-Version
- Aruba-Auth-SurvMethod
- Aruba-Auth-Survivability
- Aruba-CPPM-Role
- Aruba-Calea-Server-Ip
- Aruba-Device-Type
- Aruba-Essid-Name
- Aruba-Framed-IPv6-Address
- Aruba-Location-Id
- Authentication-Type
- CHAP-Challenge
- Callback-Id
- Callback-Number
- Chargeable-User-Identity
- Class
- Connect-Info
- Connect-Rate
- Crypt-Password
- DB-Entry-State
- Digest-Response
- Domain-Name
- EAP-Message
- Error-Cause
- Event-Timestamp
- Exec-Program
- Exec-Program-Wait
- Expiration
- Fall-Through
- Filter-Id
- Framed-AppleTalk-Link
- Framed-AppleTalk-Network
- Framed-AppleTalk-Zone
- Framed-Compression
- Framed-IP-Address
- Framed-IP-Netmask
- Location-Data
- Location-Information
- Login-IP-Host
- Login-IPv6-Host
- Login-LAT-Node
- Login-LAT-Port
- Login-LAT-Service
- Login-Service
- Login-TCP-Port
- Menu
- Message-Auth
- NAS-IPv6-Address
- NAS-Port-Type
- Operator-Name
- Password
- Password-Retry
- Port-Limit
- Prefix
- Prompt
- Rad-Authenticator
- Rad-Code
- Rad-Id
- Rad-Length
- Reply-Message
- Requested-Location-Info
- Revoke-Text
- Server-Group
- Server-Name
- Service-Type
- Sessio
l Tunnel-Private-Group-Id l Tunnel-Server-Auth-Id l Tunnel-Server-Endpoint l Tunnel-Type l User-Category l User-Name l User-Vlan l Vendor-Specific l fw_mode l dhcp-option l dot1x-authentication-type l mac-address l mac-address-and-dhcp-options TACACS Servers You can now configure a TACACS server as the authentication server to authenticate and authorize all types of management users, and account user sessions.
In the Instant UI
To configure an external authentication server:
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A window for specifying details for the new server is displayed.
3. Configure parameters based on the type of server.
• RADIUS—To configure a RADIUS server, specify the attributes described in the following table:
Table 33: RADIUS Server Configuration Parameters
Parameter: Description
Name: Enter a name for the server.
Table 33: RADIUS Server Configuration Parameters (continued)
Parameter: Description
RFC 3576: Select Enabled to allow the W-IAPs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
RFC 5997: Helps to detect the status of the RADIUS server.
Table 34: LDAP Server Configuration Parameters
Parameter: Description
Name: Enter a name for the server.
IP address: Enter the IP address of the LDAP server.
Auth port: Enter the authorization port number of the LDAP server. The default port number is 389.
Table 35: TACACS Configuration Parameters
Parameter: Description
Retry Count: Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3.
Dead time: Specify a dead time in minutes within the range of 1–1440 minutes. The default dead time interval is 5 minutes.
Session authorization: Enables or disables session authorization. When enabled, the optional authorization session is turned on for the admin users.
(Instant AP)(Auth Server )# drp-ip vlan gateway
(Instant AP)(Auth Server )# end
(Instant AP)# commit apply
To enable RadSec:
(Instant AP)(config)# wlan auth-server
(Instant AP)(Auth Server "name")# ip
(Instant AP)(Auth Server "name")# radsec [port ]
(Instant AP)(Auth Server "name")# rfc3576
(Instant AP)(Auth Server "name")# rfc5997 {auth-only|acct-only}
(Instant AP)(Auth Serve
• When the TLS tunnel is established, RADIUS packets go through the tunnel, and the server sends CoA messages over the same tunnel.
• By default, TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization changes.
• Instant supports dynamic CoA (RFC 3576) over RadSec; the RADIUS server uses the existing TLS connection opened by the W-IAP to send the request.
• To open the WLAN wizard, select an existing SSID on the Network tab, and click edit.
• To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.
You can also associate the authentication servers when creating a new WLAN or wired profile.
2. Click the Security tab and select a splash page profile.
3. Select an authentication type.
4. From the Authentication Server 1 drop-down list, select the server name on which RadSec is enabled.
5.
When dynamic RADIUS proxy is enabled, the VC network uses the IP Address of the VC for communication with external RADIUS servers. Ensure that the VC IP Address is set as a NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication on page 151. In case of VPN deployments, the tunnel IP received when establishing a VPN connection is used as the NAS IP.
• To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.
You can also associate the authentication servers when creating a new WLAN or wired profile.
2. Click the Security tab.
3. If you are configuring the authentication server for a WLAN SSID, on the Security tab, move the slider to the Enterprise security level.
4. Ensure that an authentication type is enabled.
5.
WPA and WPA-2
WPA is based on the draft of 802.11i, which allowed users to create more secure WLANs. WPA-2 encompasses the full implementation of the 802.11i standard. WPA-2 is a superset that encompasses the full WPA feature set. The following table summarizes the differences between the two certifications:
Table 37: WPA and WPA-2 Features
Certification: Authentication
WPA:
• PSK
• IEEE 802.1X with Extensible Authentication Protocol (EAP)
WPA-2:
• PSK
• IEEE 802.
Instant supports the following EAP standards for authentication survivability:
• EAP-PEAP: The Protected Extensible Authentication Protocol, also known as Protected EAP or PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. EAP-PEAP supports the MS-CHAPv2 and GTC methods.
• EAP-TLS: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer Security (TLS) protocol.
l For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded on the W-IAP. For more information, see Uploading Certificates on page 175.
2. In the Edit or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. On the Security tab, specify the following parameters for the Enterprise security level:
a. Select any of the following options from the Key management drop-down list.
• WPA-2 Enterprise
• WPA Enterprise
• Both (WPA-2 & WPA)
• Dynamic WEP with 802.1X
4.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 106.
6. Click Next to define access rules, and then click Finish to apply the changes.
7. Assign the profile to an Ethernet port. For more information, see Assigning a Profile to Ethernet Ports on page 109.
In the CLI
To enable 802.
a. Click Upload New Certificate.
b. Specify the URL from where you want to upload the certificates and select the type of certificate.
3. Click OK.
4. To configure 802.1X authentication on uplink ports of a W-IAP, complete the following steps:
a. Go to System > Show advanced options > Uplink.
b. Click AP1X.
c. Select PEAP or TLS as the authentication type.
d. If you want to validate the server credentials using the server certificate, select the Validate Server check box.
In the Instant UI
To enable MAC authentication for a wireless network:
1. On the Network tab, click New to create a new network profile, or select an existing profile for which you want to enable MAC authentication and click edit.
2. In the Edit or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. On the Security tab, select Enabled from the MAC authentication drop-down list for the Personal or the Open security level.
4.
In the Instant UI
To enable MAC authentication for a wired profile:
1. Click the Wired link under More in the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network, or select an existing profile for which you want to enable MAC authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4.
In the Instant UI
To configure both MAC and 802.1X authentication for a wireless network:
1. On the Network tab, click New to create a new network profile, or select an existing profile for which you want to enable MAC and 802.1X authentication and click edit.
2. In the Edit or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. On the Security tab, ensure that the required parameters for MAC authentication and 802.
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile "")# type {|}
(Instant AP)(wired ap profile "")# mac-authentication
(Instant AP)(wired ap profile "")# dot1x
(Instant AP)(wired ap profile "")# l2-auth-failthrough
(Instant AP)(wired ap profile "")# auth-server
(Instant AP)(wired ap profile "")# server-load-balan
(Instant AP)# commit apply
(Instant AP)(wired ap profile )# mac-authentication
(Instant AP)(wired ap profile )# captive-portal
(Instant AP)(wired ap profile )# captive-portal { [exclude-uplink ] | external [Profile ] [exclude-uplink ]}
(Instant AP)(wired ap profile )# set-role-mac-auth
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply

Configuring WISPr Authentication
Instant supports the following smart clients:
• iPass
• Boingo
These smart cl
The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (iso.org and itu.int). A Boingo smart client uses a NAS identifier in the _ format for location identification.
In the CLI
To blacklist a client:
(Instant AP)(config)# blacklist-client
(Instant AP)(config)# end
(Instant AP)# commit apply
To enable blacklisting in the SSID profile:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# blacklisting
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To view the blacklisted clients:
(Instant AP)# show blacklist-client
Blacklisted Clients
-------------------
MAC                Reason  Timestamp
---                ------  ---------
00:1c:b3:09:85:15  use
In the CLI
To dynamically blacklist clients:
(Instant AP)(config)# auth-failure-blacklist-time
(Instant AP)(config)# blacklist-time
(Instant AP)(config)# end
(Instant AP)# commit apply
To enable blacklisting in the SSID profile:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# blacklisting
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To view the blacklisted clients:
(Instant AP)# show blacklist-client config
Blacklist Time :60
Aut
Uploading Certificates
A certificate is a digital file that certifies the identity of an organization or its products. It is also used to establish your credentials for web transactions. It contains the organization name, a serial number, an expiration date, a copy of the certificate holder's public key, and the digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is genuine.
Loading Certificates through Instant CLI
To upload a CA, server, or captive portal certificate:
(Instant AP)# copy tftp {cpserver cert format {p12|pem} | radsec {ca|cert } format pem | system {1xca format {der|pem} | 1xcert format pem}}
To download RadSec certificates:
(Instant AP)# download-cert radsec ftp://192.0.2.7 format pem [psk ]
(Instant AP)# download-cert radsecca ftp://192.0.2.
Figure 38 Server Certificate
4. After you upload the certificate, navigate to Groups, click the Instant Group and then select Basic. The Group name is displayed only if you have entered the Organization name in the Instant UI. For more information, see Configuring Organization String on page 310.
Figure 39 Selecting the Group
The Virtual Controller Certificate section displays the certificates (CA cert and Server).
5. Click Save to apply the changes only to W-AirWave.
Chapter 14 Roles and Policies This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
• For information on configuring access rules based on application and application categories, see Configuring ACL Rules for Application and Application Categories on page 267.
• For information on configuring access rules based on web categories and web reputation, see Configuring Web Policy Enforcement Service on page 270.
In the Instant UI
To configure ACL rules for a user role:
1. Navigate to Security > Roles. The Roles tab contents are displayed.
Table 39: Access Rule Configuration Parameters
Service Category: Description
Network: Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
• any—Access is allowed or denied to all services.
• custom—Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter the appropriate port numbers. If you select the Other option, enter the appropriate ID.
Table 39: Access Rule Configuration Parameters (continued)
Service Category: Description
Blacklist: Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 172.
Classify media: Select the Classify media check box to prioritize video and voice traffic.
Configuring Network Address Translation Rules Network Address Translation (NAT) is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public (the Internet) and the private (local network), which allows translation of private network IP addresses to a public address space.
In the CLI
To configure a source-NAT access rule:
(Instant AP)(config)# wlan access-rule
(Instant AP)(Access Rule "")# rule src-nat [vlan |tunnel]
(Instant AP)(Access Rule "")# end
(Instant AP)# commit apply

Configuring Policy-Based Corporate Access
To allow different forwarding policies for different SSIDs, you can configure policy-based corporate access.
f. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.
g. Click OK.
5. Click Finish.
To view the ALG configuration:
(Instant AP)# show alg
Current ALG
-----------
ALG     Status
---     ------
sccp    Disabled
sip     Enabled
ua      Enabled
vocera  Enabled

Configuring Firewall Settings for Protection from ARP Attacks
You can configure firewall settings to protect the network against attacks using the Instant UI or the CLI.
In the Instant UI
To configure firewall settings:
1. Click the Security link located directly above the Search bar on the Instant main window.
2. Click the Firewall Settings tab.
To view the attack statistics:
(Instant AP)# show attack stats
attack counters
--------------------------------------
Counter                          Value
-------                          -----
arp packet counter               0
drop bad arp packet counter      0
dhcp response packet counter     0
fixed bad dhcp packet counter    0
send arp attack alert counter    0
send dhcp attack alert counter   0
arp poison check counter         0
garp send check counter          0

Configuring Firewall Settings to Disable Auto Topology Rules
By default, the auto topology rules in a W-IAP are enabled.
Managing Inbound Traffic Instant now supports an enhanced inbound firewall by allowing the configuration of firewall rules and management subnets, and restricting corporate access through an uplink switch.
Table 40: Inbound Firewall Rule Configuration Parameters
Parameter: Description
Action: Select any of the following actions:
• Select Allow to allow access to users based on the access rule.
• Select Deny to deny access to users based on the access rule.
• Select Destination-NAT to allow changes to the destination IP address.
• Select Source-NAT to allow changes to the source IP address.
The destination-NAT and source-NAT actions apply only to the network services rules.
Table 40: Inbound Firewall Rule Configuration Parameters (continued)
Parameter: Description
Log: Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports a firewall-based logging function. Firewall logs on the W-IAPs are generated as security logs.
Blacklist: Select the Blacklist check box to blacklist the client when this rule is triggered.
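A first-match evaluator for the access rule model that Tables 39 and 40 describe, as an added Python example that is not Instant code: each rule carries a service (any, or custom TCP/UDP ports, or an Other protocol ID), one of the four actions, and the Log and Blacklist flags, and a triggered Blacklist rule excludes the client for the configured blacklist time. The default-deny for unmatched packets, the blacklist check before rule evaluation, and all sample rules and packets are assumptions constructed for illustration.

```python
"""Added example, not Dell Instant code: first-match evaluation of the
access-rule model in Tables 39 and 40 (service, action, Log, Blacklist).

Assumptions not stated in the guide: a packet matching no rule is denied,
and a blacklisted client is dropped before rule evaluation until its
blacklist time expires. All rules and packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17}  # IP protocol numbers


@dataclass(frozen=True)
class Rule:
    service: str                      # "any", or custom: "tcp", "udp", "other"
    action: str                       # Allow | Deny | Destination-NAT | Source-NAT
    ports: Tuple[int, ...] = ()       # destination ports for tcp/udp rules
    proto_id: Optional[int] = None    # protocol number for "other" rules
    log: bool = False                 # write a security log entry when triggered
    blacklist: bool = False           # blacklist the client when triggered

    def matches(self, proto: int, dport: int) -> bool:
        """Does this rule's service selector cover the packet?"""
        if self.service == "any":
            return True
        if self.service in PROTOCOL_NUMBERS:
            return proto == PROTOCOL_NUMBERS[self.service] and dport in self.ports
        if self.service == "other":
            return proto == self.proto_id
        raise ValueError(f"unknown service {self.service!r}")


@dataclass
class Verdict:
    action: str                       # final action applied to the packet
    rule: Optional[int] = None        # index of the rule that fired, if any
    logged: bool = False


class RuleSet:
    """Ordered access rules plus the blacklist state they produce."""

    def __init__(self, rules: List[Rule], blacklist_time: int = 3600):
        self.rules = list(rules)
        self.blacklist_time = blacklist_time        # seconds (Auth failure blacklist time)
        self.blacklisted_until: Dict[str, int] = {} # client MAC -> expiry time
        self.log: List[tuple] = []                  # security log entries

    def is_blacklisted(self, client_mac: str, now: int) -> bool:
        until = self.blacklisted_until.get(client_mac)
        return until is not None and now < until

    def evaluate(self, client_mac: str, proto: int, dport: int, now: int) -> Verdict:
        """Apply the first matching rule to one packet from client_mac."""
        if self.is_blacklisted(client_mac, now):
            return Verdict("Deny")                  # still blacklisted (assumption)
        for index, rule in enumerate(self.rules):
            if not rule.matches(proto, dport):
                continue
            if rule.log:
                self.log.append((now, client_mac, proto, dport, rule.action))
            if rule.blacklist:
                self.blacklisted_until[client_mac] = now + self.blacklist_time
            return Verdict(rule.action, index, rule.log)
        return Verdict("Deny")                      # no rule matched (assumption)


# Constructed rule set for a guest-style role: web and DNS allowed, telnet
# attempts logged and blacklisted, everything else denied.
GUEST_RULES = RuleSet(
    [
        Rule("tcp", "Allow", ports=(80, 443), log=True),
        Rule("udp", "Allow", ports=(53,)),
        Rule("tcp", "Deny", ports=(23,), log=True, blacklist=True),
        Rule("any", "Deny"),
    ],
    blacklist_time=60,
)


if __name__ == "__main__":
    mac = "00:1c:b3:09:85:15"  # constructed client address
    print(GUEST_RULES.evaluate(mac, 6, 443, now=1000))
    print(GUEST_RULES.evaluate(mac, 6, 23, now=1002))   # triggers blacklist
    print(GUEST_RULES.evaluate(mac, 6, 443, now=1010))  # denied while blacklisted
```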
In the Instant UI
To configure management subnets:
1. Navigate to Security > Inbound Firewall. The Inbound Firewall tab contents are displayed.
Figure 43 Firewall Settings—Management Subnets
2. To add a new management subnet:
• In the Add new management subnet section, enter the subnet address in Subnet.
• Enter the subnet mask in Mask.
• Click Add.
3. To add multiple subnets, repeat step 2.
4. Click OK.
Content Filtering
The content filtering feature allows you to route DNS requests to the OpenDNS platform and create content filtering policies. With content filtering, you can achieve the following:
• Allow all DNS requests to non-corporate domains on a wireless or wired network to be sent to the OpenDNS server. When the OpenDNS credentials are configured, the W-IAP uses these credentials to access OpenDNS and provide enterprise-level content filtering.
In the Instant UI
1. Click the Wired link under More in the Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to modify.
3. Click Edit. The Edit Wired Network window is displayed.
4. In the Wired Settings tab, select Enabled from the Content Filtering drop-down list, and click Next to continue.
4. To set an access policy based on the web category:
a. Under the Service section, select Web category and expand the Web categories drop-down list.
Figure 44 Roles—New Rule
b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
c. From the Action drop-down list, select Allow or Deny as required.
d. Click OK.
5. To filter access based on the security ratings of the website:
a. Select Web reputation under the Service section.
b.
Creating Custom Error Page for Web Access Blocked by AppRF Policies
You can create a list of URLs to which users are redirected when they access blocked websites. You can define an access rule to use these redirect URLs and assign the rule to a user role in the WLAN network. You can create a list of custom URLs and ACL rules for blocked websites either through the Instant UI or the CLI.
Creating a List of Error Page URLs
To create a list of error page URLs:
In the Instant UI
1.
3. In the New Rule window, select the rule type as Redirect Blocked HTTPS. 4. Click OK. 5. Click OK in the Roles tab to save the changes.
Assigning Bandwidth Contracts to User Roles The administrators can manage bandwidth utilization by assigning either maximum bandwidth rates, or bandwidth contracts to user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the W-IAP) or downstream (W-IAP to clients) traffic for a user role. The bandwidth contract will not be applicable to the user traffic on the bridged out (same subnet) destinations.
Configuring Machine and User Authentication Roles
You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine authentication is supported only on Windows devices, so it can be used to distinguish Windows devices from other devices such as iPads. You can create any of the following types of rules:
• Machine Auth only role—This indicates a Windows machine with no user logged in.
RADIUS VSA Attributes
The user role can be derived from Dell Vendor-Specific Attributes (VSA) for RADIUS server authentication. The role derived from a Dell VSA takes precedence over roles defined by other methods.
MAC-Address Attribute
The first three octets in a MAC address are known as the Organizationally Unique Identifier (OUI), and are purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority.
When creating more than one role assignment rule, the first matching rule in the rule list is applied. You can create a role assignment rule by using the Instant UI or the CLI.
In the Instant UI
1. Navigate to the WLAN wizard or the Wired settings window:
• To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
• To configure access rules for a wired profile, go to More > Wired.
(Instant AP)(wired ap profile )# set-role {{equals|not-equal|starts-with|ends-with|contains} |value-of}
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan ssid-profile Profile1
(Instant AP)(SSID Profile "Profile1")# set-role mac-address-and-dhcp-options matches-regular-expression \bring\b Profile1
(Instant AP)(SSID Profile "Profile1")# end
(Instant AP)# commit apply

Understanding VLAN Assignment
You can assign VLANs to a
Figure 46 Configure VSA on a RADIUS Server
VLAN Assignment Based on Derivation Rules
When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes and sets an attribute value in the reply message, the W-IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user.
User Role
If the VSA and VLAN derivation rules do not match, the user VLAN can be derived from a user role.
VLANs Created for an SSID
If the VSA and VLAN derivation rules do not match, and the user role does not contain a VLAN, the user VLAN can be derived from the VLANs configured for an SSID or an Ethernet port profile.
Configuring VLAN Derivation Rules
The VLAN derivation rules allow administrators to assign a VLAN to the W-IAP clients based on the attributes returned by the RADIUS server.
• ends-with—The rule is applied only if the attribute value ends with the string specified in Operand.
5. Enter the string to match the attribute in the String text box.
6. Select the appropriate VLAN ID from the VLAN drop-down list.
7. Click OK.
8. Ensure that the required security and access parameters are configured.
9. Click Finish to apply the changes.
Operator: Description
. : Matches any character. For example, l..k matches lack, lark, link, lock, look, Lync, and so on.
\ : Matches the character that follows the backslash. For example, \192.\.0\.. matches IP address ranges that start with 192.0, such as 192.0.1.1. The expression looks up only the single characters that match.
[] : Matches any one character listed between the brackets. For example, [bc]lock matches block and clock.
\b : Matches the words that begin and end with the given expression.
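The role assignment and VLAN derivation behaviour described above (first matching rule wins; VLAN taken from the VSA, then a derivation rule, then the user role, then the SSID or port VLAN), as an added Python example that is not Instant code: it evaluates set-role style rules with the operators the CLI lists (equals, not-equal, starts-with, ends-with, contains, matches-regular-expression, value-of) against RADIUS reply attributes, including the guide's own \bring\b rule. The VSA name Aruba-User-Vlan and all sample attribute values and rules are assumptions constructed for illustration.

```python
"""Added example, not Dell/Aruba code: first-match evaluation of Instant
role-assignment and VLAN-derivation rules against RADIUS reply attributes.

Operators are the set-role keywords shown in the guide. The VLAN precedence
is the order the guide lists: VSA, then VLAN derivation rule, then the user
role's VLAN, then the SSID/port VLAN. The VSA name Aruba-User-Vlan and all
attribute values below are assumptions constructed for illustration.
"""
import re


def match(operator, value, operand):
    """Apply one set-role operator to an attribute value (all strings)."""
    if operator == "equals":
        return value == operand
    if operator == "not-equal":
        return value != operand
    if operator == "starts-with":
        return value.startswith(operand)
    if operator == "ends-with":
        return value.endswith(operand)
    if operator == "contains":
        return operand in value
    if operator == "matches-regular-expression":
        return re.search(operand, value) is not None
    raise ValueError(f"unknown operator {operator!r}")


def derive(attributes, rules):
    """Return the result of the first matching rule, or None.

    rules: list of (attribute, operator, operand, result). A rule only
    fires when the attribute is present in the reply. For 'value-of' the
    attribute's own value is the result (a role or VLAN named by the server).
    """
    for attribute, operator, operand, result in rules:
        value = attributes.get(attribute)
        if value is None:
            continue
        if operator == "value-of":
            return value
        if match(operator, value, operand):
            return result
    return None


def derive_vlan(attributes, vlan_rules, role_vlan, ssid_vlan):
    """Pick the client VLAN in the guide's order of precedence."""
    vsa = attributes.get("Aruba-User-Vlan")      # assumed VSA name
    if vsa is not None:
        return int(vsa)
    from_rule = derive(attributes, vlan_rules)   # first matching derivation rule
    if from_rule is not None:
        return int(from_rule)
    if role_vlan is not None:                     # VLAN carried by the user role
        return role_vlan
    return ssid_vlan                              # VLAN of the SSID / port profile


# Constructed rule list, in the order an administrator would enter it.
ROLE_RULES = [
    ("User-Name", "ends-with", "@corp.example", "employee"),
    ("mac-address", "starts-with", "00:1c:b3", "printer"),   # OUI match
    # The guide's CLI example: role Profile1 when the MAC-and-DHCP-options
    # string contains the word "ring".
    ("mac-address-and-dhcp-options", "matches-regular-expression",
     r"\bring\b", "Profile1"),
    ("Filter-Id", "value-of", None, None),
]

VLAN_RULES = [
    ("Class", "equals", "finance", "200"),
    ("User-Name", "contains", "contractor", "300"),
]


def assign(attributes, role_vlan=None, ssid_vlan=1):
    """Return (role, vlan) for one authenticated client."""
    role = derive(attributes, ROLE_RULES)
    vlan = derive_vlan(attributes, VLAN_RULES, role_vlan, ssid_vlan)
    return role, vlan


if __name__ == "__main__":
    reply = {"User-Name": "alice@corp.example", "Class": "finance"}
    print(assign(reply))  # ('employee', 200)
```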
Configuring a User Role for VLAN Derivation
This section describes the following procedures:
• Creating a User VLAN Role on page 205
• Assigning User VLAN Roles to a Network Profile on page 205
Creating a User VLAN Role
You can create a user role for VLAN derivation using the Instant UI or the CLI.
In the Instant UI
To configure a user role for VLAN derivation:
1. Click the Security link located directly above the Search bar in the Instant main window.
2. Click the Roles tab.
(Instant AP)# commit apply
Chapter 15 DHCP Configuration
This chapter provides the following information:
• Configuring DHCP Scopes on page 207
• Configuring the Default DHCP Scope for Client IP Assignment on page 214
Configuring DHCP Scopes
The VC supports different modes of Dynamic Host Configuration Protocol (DHCP) address assignment. With each DHCP address assignment mode, various client traffic forwarding modes are associated.
Table 43: Local DHCP Mode Configuration Parameters
Parameter: Description
Name: Enter a name for the DHCP scope.
Type: Select any of the following options:
• Local—On selecting Local, the DHCP server for the local branch network is used for keeping the scope of the subnet local to the W-IAP. In the NAT mode, the traffic is forwarded through the IPsec tunnel or the uplink.
• Local, L2—On selecting Local, L2, the VC acts as a DHCP server and a default gateway in the local network that is used.
(Instant AP)(DHCP Profile )# subnet
(Instant AP)(DHCP Profile )# subnet-mask
(Instant AP)(DHCP Profile )# dns-server
(Instant AP)(DHCP Profile )# domain-name
(Instant AP)(DHCP Profile )# lease-time
(Instant AP)(DHCP Profile )# option
(Instant AP)(DHCP Profile )# end
(Instant AP)# commit apply
To configure a Local, L2 DHCP scope:
(Instan
You can configure distributed DHCP scopes such as Distributed, L2 or Distributed, L3 by using the Instant UI or the CLI.
In the Instant UI
To configure distributed DHCP scopes such as Distributed, L2 or Distributed, L3:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2. To configure a distributed DHCP mode, click New under Distributed DHCP Scopes. The New DHCP Scope window is displayed. The following figure shows the contents of the New DHCP Scope window.
Table 44: Distributed DHCP Mode Configuration Parameters
Parameter: Description
Default router: If Distributed, L2 is selected for the type of DHCP scope, specify the IP address of the default router.
DNS server: If required, specify the IP address of a DNS server.
Domain name: If required, specify the domain name.
Lease time: Specify a lease time for the client in minutes within a range of 2–1440 minutes. The default value is 720 minutes.
(Instant AP)(config)# ip dhcp
(Instant AP)(DHCP Profile )# ip dhcp server-type
(Instant AP)(DHCP Profile )# server-vlan
(Instant AP)(DHCP Profile )# subnet-mask
(Instant AP)(DHCP Profile )# default-router
(Instant AP)(DHCP Profile )# client-count
(Instant AP)(DHCP Profile )# dns-server
Table 45: Centralized DHCP Mode Configuration Parameters
Parameter: Description
Name: Enter a name for the DHCP scope.
Type: Set the type as follows:
• Centralized, L2 for the Centralized, L2 profile
• Centralized, L3 for the Centralized, L3 profile
VLAN: Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.
The following table describes the behavior of the DHCP Relay Agent and Option 82 in the W-IAP.
In the Instant UI
To configure a DHCP pool:
1. Navigate to More > DHCP Server. The DHCP Server tab contents are displayed.
Figure 50 DHCP Servers Window
2. Enter the domain name of the client in the Domain name text box.
3. Enter the IP addresses of the DNS servers separated by a comma (,) in the DNS server(s) text box.
4. Enter the duration of the DHCP lease in the Lease time text box.
DHCP Netmask        :255.255.255.0
DHCP Lease Time(m)  :20
DHCP Domain Name    :example.com
DHCP DNS Server     :192.0.2.1
Chapter 16 Configuring Time-Based Services
This chapter describes time range profiles and the procedure for configuring time-based services. It includes the following topics:
• Time Range Profiles on page 217
• Configuring a Time Range Profile on page 217
• Applying a Time Range Profile to a WLAN SSID on page 218
• Verifying the Configuration on page 219
Time Range Profiles
Starting from Instant 6.4.3.4-4.2.1.
Table 47: Time Range Profile Configuration Parameters
Parameter: Description
Name: Specify a name for the time range profile.
Type: Select the type of time range profile.
• Periodic—When configured, the state of the W-IAP changes based on the time range configured in the profile.
• Absolute—When configured, the state of the W-IAP changes during a specific date / day and time.
• If a time range is disabled, the SSID becomes unavailable for the configured time range. For example, if the configured time range is 14:00–17:00, the SSID is made unavailable from 2 PM to 5 PM on a given day.
4. Click Next and then click Finish.
If the SSID has two time range profiles enabled with an overlapping duration, the time range profile will be executed as per the configuration conditions described earlier in this chapter.
The following command creates a periodic time range profile that executes during the weekend:
(Instant AP)(config)# time-range timep4 periodic weekend 10:20 to 10:30
The following command removes the time range configuration:
(Instant AP)(config)# no time-range testhshs12
Chapter 17 Dynamic DNS Registration
This chapter describes the procedure for configuring Dynamic DNS (DDNS) on W-IAPs and their clients. It includes the following topics:
• Enabling Dynamic DNS on page 221
• Configuring Dynamic DNS Updates for Clients on page 222
• Verifying the Configuration on page 223
Enabling Dynamic DNS
Starting from Instant 6.4.4.4-4.2.3.0, W-IAPs support the dynamic DNS feature, which enables updating the DNS records of the W-IAP and the clients connected to it.
Table 48: Dynamic DNS Configuration Parameters
Parameter: Description (Example)
Key: Configures a Transaction Signature (TSIG) shared secret key to secure the dynamic updates. Example: hmac-sha1:arubaddns:16YuLPdH21rQ6PuK9udsVLtJw3Y=
The following algorithm names are supported:
• hmac-md5 (used by default if algo-name is not specified)
• hmac-sha1
• hmac-sha256
NOTE: When a key is configured, the update is successful only if the W-IAP and DNS server clocks are in sync.
In the Instant UI
To enable DDNS for clients:
1. Navigate to More > DHCP Servers, select the Distributed, L3 DHCP Scope under Distributed DHCP Scopes and click Edit.
2. Select the Dynamic DNS check box.
3. Enter the TSIG shared secret key.
4. Click Next and then click Finish.
Chapter 18 VPN Configuration
This chapter describes the following VPN configuration procedures:
• Understanding VPN Features on page 224
• Configuring a Tunnel from a W-IAP to a Mobility Controller on page 225
• Configuring Routing Profiles on page 236
Understanding VPN Features
As W-IAPs use a VC architecture, the W-IAP network does not require a physical controller to provide the configured WLAN services.
Supported VPN Protocols
Instant supports the following VPN protocols for remote access:
Table 49: VPN Protocols
VPN Protocol: Description
Dell IPsec: IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session. You can configure an IPsec tunnel to ensure that the data flow between the networks is encrypted. However, you can configure a split-tunnel to encrypt only the corporate traffic.
Configuring an IPsec Tunnel
An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from the VC using the Instant UI or the CLI.
In the Instant UI
To configure a tunnel for the IPsec protocol:
1. Click the More > VPN link in the Instant UI. The Tunneling window is displayed.
2. Select Aruba IPSec from the Protocol drop-down list.
3.
6. Click Next to create routing profiles. When the IPsec tunnel configuration is completed, the packets that are sent from and received by a W-IAP are encrypted.
For information on the GRE tunnel configuration on the controller, refer to the ArubaOS 6.5.x.x User Guide.
In the Instant UI
To configure a GRE tunnel:
1. Click the More > VPN link located directly above the Search bar in the Instant UI. The Tunneling window is displayed.
2. Select Manual GRE from the Protocol drop-down list.
3. Specify the following parameters. A sample configuration is shown in Figure 52.
a. Enter an IP address or an FQDN for the main VPN/GRE endpoint in the Host text box.
b.
(Instant AP)(config-tunnel)# tunnel source
(Instant AP)(config-tunnel)# tunnel destination
(Instant AP)(config-tunnel)# trusted
(Instant AP)(config-tunnel)# tunnel vlan

Configuring Aruba GRE Parameters
The Aruba GRE feature uses the IPsec connection between the W-IAP and the controller to send the control information for setting up a GRE tunnel.
Figure 53 Aruba GRE Configuration 6. Click Next to continue.
• If the primary LNS is down, it fails over to the backup LNS. L2TPv3 has one tunnel profile, and under it a primary peer and a backup peer are configured. If the primary tunnel creation fails or if the primary tunnel gets deleted, the backup starts. The following two failover modes are supported:
  • Preemptive: In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary tunnel resumes as the active tunnel.
Figure 55 Tunnel Configuration c. Enter the primary server IP address in the Primary Peer address text box. d. Enter the remote end backup tunnel IP address in the Backup Peer address text box. This entry is optional and is required only when a backup server is configured. e. Enter a port number in the Peer UDP port text box. f. Enter the local UDP port number in the Local UDP port text box. The default value is 1701. g.
b. Enter the tunnel profile name with which the session will be associated. c. Configure the tunnel IP address with the corresponding network mask and VLAN ID. This is required to reach a W-IAP from the corporate network, for example for SNMP polling. d. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set. The cookie is checked on every data packet received for the session, so use an unpredictable value rather than a guessable one. e. Specify the remote end ID. f. If required, enable the default L2-specific sublayer in the L2TPv3 session. g. Click OK. 5. Click Next to continue.
(Instant AP)# commit apply
(Instant AP)(config)# l2tpv3 session test_session
(Instant AP)(L2TPv3 Session Profile "test_session")# cookie len 4 value 12345678
(Instant AP)(L2TPv3 Session Profile "test_session")# l2tpv3 tunnel test_tunnel
(Instant AP)(L2TPv3 Session Profile "test_session")# tunnel-ip 1.1.1.1 mask 255.255.255.
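The cookie configured above (cookie len 4 value 12345678) is what the receiving end uses to reject data packets that carry the right Session ID but were not sent by the real peer. The following Python is an added example written for this guide, not Instant's code or Dell's: it frames an L2TPv3-over-UDP data message (header layout per RFC 3931 section 4.1.2.2 as I recall it: T bit clear, Ver=3, 32-bit Session ID, then the optional 4- or 8-byte cookie), checks the cookie in constant time on receipt, and shows that a packet carrying the wrong cookie is dropped. The session ID 42, the sample frame bytes and the forged cookie are constructed for the example.

```python
"""L2TPv3-over-UDP data path with session cookie validation (added example)."""
import hmac
import os
import struct
from typing import Dict, Optional

L2TPV3_UDP_PORT = 1701          # default Local/Peer UDP port in the procedure above
VALID_COOKIE_LENGTHS = (0, 4, 8)


def generate_cookie(length: int = 8) -> bytes:
    """Return an unpredictable cookie; RFC 3931 allows 0, 4 or 8 bytes."""
    if length not in VALID_COOKIE_LENGTHS:
        raise ValueError("cookie length must be 0, 4 or 8 bytes")
    return os.urandom(length)


def build_data_header(session_id: int, cookie: bytes) -> bytes:
    """16 bits with T=0 (data) and Ver=3 in the low nibble, 16 reserved bits,
    32-bit Session ID, then the cookie (assumed RFC 3931 UDP data header)."""
    if len(cookie) not in VALID_COOKIE_LENGTHS:
        raise ValueError("cookie length must be 0, 4 or 8 bytes")
    if not 0 <= session_id <= 0xFFFFFFFF:
        raise ValueError("session id must fit in 32 bits")
    return struct.pack("!HHI", 0x0003, 0, session_id) + cookie


def encapsulate(session_id: int, cookie: bytes, payload: bytes) -> bytes:
    """Wrap a layer-2 frame for transmission on the L2TPv3 session."""
    return build_data_header(session_id, cookie) + payload


def decapsulate(packet: bytes, sessions: Dict[int, bytes]) -> Optional[bytes]:
    """Return the inner frame, or None if the packet fails any check.
    `sessions` maps a local Session ID to the cookie configured for it."""
    if len(packet) < 8:
        return None
    flags_ver, _reserved, session_id = struct.unpack("!HHI", packet[:8])
    if flags_ver & 0x8000:                 # T bit set: control message, not data
        return None
    if (flags_ver & 0x000F) != 3:          # only L2TPv3
        return None
    cookie = sessions.get(session_id)
    if cookie is None:                     # unknown session: drop silently
        return None
    end = 8 + len(cookie)
    if len(packet) < end:                  # truncated cookie
        return None
    # Constant-time comparison so the check does not leak cookie bytes
    if not hmac.compare_digest(packet[8:end], cookie):
        return None
    return packet[end:]


def demo() -> bool:
    """The page's 4-byte sample cookie accepted, a forged cookie rejected."""
    page_cookie = bytes.fromhex("12345678")      # sample value from the CLI example
    sessions = {0x2A: page_cookie}               # assumed local session id 42
    frame = b"\x00\x01\x02\x03constructed-frame"
    good = encapsulate(0x2A, page_cookie, frame)
    forged = encapsulate(0x2A, bytes.fromhex("deadbeef"), frame)
    return decapsulate(good, sessions) == frame and decapsulate(forged, sessions) is None


if __name__ == "__main__":
    print("cookie check ok:", demo())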
Tunnel 858508253, from 10.13.11.29 to 10.13.11.157:
state: ESTABLISHED
created at: Jul 2 04:58:25 2013
administrative name: 'test_tunnel' (primary)
created by admin: YES, tunnel mode: LAC, persist: YES
local host name: Instant-C4:42:98
peer tunnel id: 1842732147, host name: aruba1600pop636635.hsbtst2.
use tiebreaker: OFF
peer profile: NOT SET
session profile: NOT SET
trace flags: PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
To view L2TPv3 system statistics:
(Instant AP)# show l2tpv3 system statistics
L2TP counters:
Total messages sent: 99, received: 194, retransmitted: 0
illegal: 0, unsupported: 0, ignored AVPs: 0, vendor AVPs: 0
Setup failures: tunnels: 0, sessions: 0
Resource failures: control frames: 0, peers: 0 tunnels: 0, sessions: 0
Limit exceeded errors: tunnels: 0, sessions: 0
Frame errors:
Figure 57 Tunneling— Routing 3. Update the following parameters: l Destination—Specify the destination network that is reachable through the VPN tunnel. This defines the IP address or subnet that must be reached through the IPsec tunnel; traffic to that IP address or subnet is forwarded through the tunnel. l Netmask—Specify the subnet mask of the destination. l Gateway—Specify the gateway to which the traffic must be routed.
Chapter 19 IAP-VPN Deployment This section provides the following information: l Understanding IAP-VPN Architecture on page 238 l Configuring W-IAP and Controller for IAP-VPN Operations on page 241 Understanding IAP-VPN Architecture The IAP-VPN architecture includes the following two components: l W-IAPs at branch sites l Controller at the datacenter The master W-IAP at the branch site acts as the VPN endpoint and the controller at the datacenter acts as the VPN concentrator.
l Branches—The number of IAP-VPN branches that can be terminated on a given controller platform. l Routes—The number of L3 routes supported on the controller. l L3 mode and NAT mode users—The number of trusted users supported on the controller. There is no scale impact on the controller; they are limited only by the number of clients supported per W-IAP. l L2 mode users—The number of L2 mode users is limited to 128,000 for W-7220 or W-7240 controllers and 64,000 on the other platforms.
Distributed, L2 Mode In this mode, the W-IAP assigns an IP address from the configured subnet and forwards traffic to both corporate and non-corporate destinations. Clients receive the corporate IP with VC as the DHCP server. The default gateway for the client still resides in the datacenter and hence this mode is an L2 extension of corporate VLAN to remote site. Either the controller or an upstream router can be the gateway for the clients.
DHCP Scope and VPN Forwarding Modes Mapping The following table provides a summary of the DHCP scope and VPN forwarding modes mapping:
Table 51: DHCP Scope and VPN Forwarding Modes Matrix
Option                      | Local | Local, L2                            | Local, L3 | Centralized, L2               | Centralized, L3                                             | Distributed, L2 | Distributed, L3
DHCP server                 | VC    | VC                                   | VC        | DHCP server in the datacenter | DHCP server in the datacenter; the VC acts as a relay agent | VC              | VC
Default gateway for clients | VC    | Default gateway in the local network | VC        | Controller or a
2. Configuring Routing Profiles 3. Configuring DHCP Profiles 4. Configuring an SSID or Wired Port 5. Enabling Dynamic RADIUS Proxy 6. Configuring Enterprise Domains Defining the VPN Host Settings The VPN endpoint on which a master W-IAP terminates its VPN tunnel is considered the host. A master W-IAP in a W-IAP network can be configured with a primary and a backup host to provide VPN redundancy. You can define VPN host settings through More > VPN > Controller in the UI.
l Centralized, L3 For more information on configuring DHCP profiles, see Configuring DHCP Scopes on page 207. A Centralized, L2 or Distributed, L2 VLAN or subnet cannot be used to serve W-IAPs in a hierarchical mode of deployment. Ensure that the physical IP of the W-IAPs connecting to the master W-IAP in hierarchical mode of deployment is not on a VLAN or subnet that is in Centralized, L2 or Distributed, L2 mode of operation.
For IAP-VPN operations, ensure that the following configuration and verification procedures are completed on the controller: l OSPF Configuration l VPN Configuration l Branch-ID Allocation l Branch Status Verification This section describes the configuration procedures for the controller to realize generic use cases. For information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 394. ArubaOS 6.3 or later is recommended on controllers that terminate IAP-VPN tunnels.
Area ID   LS Type      Link ID        Adv Router
0.0.0.15  ROUTER       10.15.148.12   10.15.148.12
0.0.0.15  NETWORK      10.15.148.12   10.15.148.12
0.0.0.15  NSSA         12.12.2.0      9.9.9.9
0.0.0.15  NSSA         12.12.12.0     9.9.9.9
0.0.0.15  NSSA         12.12.12.32    9.9.9.9
0.0.0.15  NSSA         50.40.40.0     9.9.9.9
0.0.0.15  NSSA         51.41.41.128   9.9.9.9
0.0.0.15  NSSA         53.43.43.32    9.9.9.9
0.0.0.15  NSSA         54.44.44.16    9.9.
N/A       AS_EXTERNAL  12.12.2.0
N/A       AS_EXTERNAL  12.12.12.0
N/A       AS_EXTERNAL  12.12.12.32
N/A       AS_EXTERNAL  50.40.40.0
N/A       AS_EXTERNAL  51.41.41.128
N/A       AS_EXTERNAL  53.43.43.32
N/A       AS_EXTERNAL  54.44.44.16
(the remaining columns of the AS_EXTERNAL rows are truncated in the source)
If you are using the Windows 2003 server, perform the following steps to configure the external whitelist database on it. Equivalent steps exist for Windows Server 2008 and other RADIUS servers. 1. Add the MAC addresses of all the W-IAPs in the Active Directory of the RADIUS server: a. Open the Active Directory Users and Computers window, add a new user, and specify the MAC address (without the colon delimiter) of the W-IAP as both the username and the password. Because both credentials are the W-IAP MAC address, this whitelist proves only that the MAC address was registered; it is not a strong credential, so protect the RADIUS exchange with a strong shared secret. b.
l Ensures that a branch is allocated the same subnet or range of IP addresses irrespective of which W-IAP in the branch becomes the master in the W-IAP cluster Branch Status Verification To view the details of the branch information connected to the controller, execute the show iap table command.
Table 52: Branch Details
Assigned Vlan: Displays the VLAN ID assigned to the branch.
Key: Displays the key for the branch, which is unique to each branch.
Bid(Subnet Name): Displays the Branch ID (BID) of the subnet. In the example above, the controller displays bid-per-subnet-per-branch, i.e., for the "LA" branch, BID "2" for the ip-range "10.15.205.0-10.15.205.250" with a client count per branch of "5". If a branch has multiple subnets, it can have multiple BIDs.
Chapter 20 Adaptive Radio Management This chapter provides the following information: l ARM Overview on page 249 l Configuring ARM Features on a W-IAP on page 250 l Configuring Radio Settings on page 256 ARM Overview Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in networks with the highest traffic by dynamically and intelligently choosing the best 802.11 channel and transmitting power for each W-IAP in its current RF environment.
Configuring ARM Features on a W-IAP This section describes the following procedures for configuring ARM features: l Band Steering on page 250 l Airtime Fairness Mode on page 251 l Client Match on page 251 l Access Point Control on page 253 Band Steering The band steering feature assigns the dual-band capable clients to the 5 GHz band on dual-band W-IAPs.
Airtime Fairness Mode The airtime fairness feature provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system, thus delivering uniform performance to all clients. This feature prevents the clients from monopolizing resources. You can configure airtime fairness mode parameters through the Instant UI or the CLI. In the Instant UI 1.
When the client match feature is enabled on a W-IAP, the W-IAP measures the RF health of its associated clients. In the current release, the client match feature is supported only within a W-IAP cluster.
Table 55: Client Match Configuration Parameters
Client match: Select Enabled to enable the Client match feature on W-IAPs. When enabled, the client count is balanced among all the channels in the same band. For more information, see ARM Overview on page 249. By default, the client match feature is disabled. NOTE: When client match is enabled, ensure that Scanning is enabled.
CM calculating interval: Specify the interval at which client match calculations run.
Table 56: Access Point Control—Configuration Parameters Parameter Description Customize Valid Channels Select this check box to customize valid channels for 2.4 GHz and 5 GHz. By default, the W-IAP uses valid channels as defined by the Country Code (regulatory domain). On selecting the Customize Valid Channels check box, a list of valid channels for both 2.4 GHz and 5 GHz are displayed. The valid channel customization feature is disabled by default.
3. Click OK.
5.0 GHz Channels
Channel  Status
36       enable
40       enable
44       enable
48       enable
52       enable
56       enable
60       enable
64       enable
149      enable
153      enable
157      enable
161      enable
165      enable
36+      enable
44+      enable
52+      disable
60+      disable
149+     enable
157+     enable
36E      enable
52E      enable
149E     enable
Client Match for Access Points in a Zone When Client match is enabled, the decision to move a client from the home W-IAP to a target W-IAP is made at the radio level.
2. Click Show advanced options. The advanced options are displayed. 3. Click the Radio tab. 4. Under 2.4 GHz or 5 GHz, or both, configure the following parameters.
Table 57: Radio Configuration Parameters
Legacy only: Select Enabled to run the radio in non-802.11n mode. This option is set to Disabled by default.
802.11d / 802.11h: Select Enabled to allow the radio to advertise its 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities.
Table 57: Radio Configuration Parameters Parameter Description Background spectrum monitoring Select Enabled to allow the W-IAPs in access mode to continue with normal access service to clients, while performing additional function of monitoring RF interference (from both neighboring W-IAPs and non Wi-Fi sources such as, microwaves and cordless phones) on the channel they are currently serving clients.
(Instant AP)(RF dot11a Radio Profile)# end
(Instant AP)# commit apply
To view the radio configuration:
(Instant AP)# show radio config
2.4 GHz:
Legacy Mode:enable
Beacon Interval:100
802.11d/802.11h:enable
Interference Immunity Level:2
Channel Switch Announcement Count:0
MAX Distance:600
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
5.0 GHz:
Legacy Mode:enable
Beacon Interval:100
802.11d/802.
By default, the ARM is triggered to scan all the channels every 10 seconds, and select the best channel for transmission. But when the W-IAP is in a new environment, ARM is triggered to perform frequent scanning of the non-DFS channels every 200 milliseconds, and select the best available channel for transmission. The apfrequent-scan command is introduced in the CLI to enable the W-IAPs to trigger frequent scanning of transmission signals on a radio profile.
Chapter 21 Deep Packet Inspection and Application Visibility This chapter provides the following information: l Deep Packet Inspection on page 261 l Enabling Application Visibility on page 261 l Application Visibility on page 262 l Enabling URL Visibility on page 267 l Configuring ACL Rules for Application and Application Categories on page 267 l Configuring Web Policy Enforcement Service on page 270 Deep Packet Inspection AppRF is Dell's custom-built Layer 7 firewall capability.
Application Visibility The AppRF graphs are based on Deep Packet Inspection (DPI) application and Web Policy Enforcement (WPE) service, which provide application traffic summary for the client devices associated with a W-IAP. The AppRF link above the activity panel of the dashboard is displayed only if AppRF visibility is enabled in the System window.
Figure 60 Application Categories List: Client View Figure 61 Application Categories Chart: W-IAP View Applications Chart The applications chart displays details on the client traffic towards the applications. By clicking the rectangular area, you can view the following graphs, and toggle between the chart and list views. Dell Networking W-Series Instant 6.5.1.0-4.3.1.
Figure 62 Applications Chart: Client View Figure 63 Applications List: Client View
Figure 64 Application Chart: Access Point View Web Categories Charts The web categories chart displays details about the client traffic to the web categories. By clicking the rectangle area, you can view the following graphs, and toggle between the chart and list views. Figure 65 Web Categories Chart: Client View Figure 66 Web Categories List: Client View
Figure 67 Web Categories Chart: Access Point View Web Reputation Charts The web reputation chart displays details about the client traffic to the URLs that are assigned security ratings. By clicking in the rectangle area, you can view the following graphs, and toggle between the chart and list views. Figure 68 Web Reputation Chart: Client View Figure 69 Web Reputation List: Client View
Figure 70 Web Reputation Chart: W-IAP View Enabling URL Visibility Enabling URL visibility allows the W-IAP to extract the full URL information of the HTTP and HTTPS sessions and periodically log them on the ALE server. For HTTPS sessions, only the server name visible in the TLS handshake can be observed; the path and query are encrypted. Full URL visibility for HTTP sessions fed to ALE is exposed through Northbound APIs and is used by URL analytical engines for advanced client URL data mining and analysis. You can enable URL visibility by using the Instant UI or the CLI: In the Instant UI To enable URL visibility: 1.
3. In the Access rules section, click New to add a new rule. The New Rule window is displayed. 4. Ensure that the rule type is set to Access Control. 5. To configure access to applications or application category, select a service category from the following list: l Application l Application category 6.
Table 58: Access Rule Configuration Parameters Service Category Description 1. Select the Application Throttling check box. 2. Specify the downstream and upstream rates in Kbps. Action Select any of following actions: l Select Allow to allow access to users based on the access rule. l Select Deny to deny access to users based on the access rule. l Select Destination-NAT to allow changes to destination IP address. l Select Source-NAT to allow changes to the source IP address.
Table 58: Access Rule Configuration Parameters Service Category Description Disable scanning Select Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of the Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings on page 256. DSCP tag Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0–63.
Figure 71 Web Policy Enforcement b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option. c. From the Action drop-down list, select Allow or Deny as required. d. Click OK. 5. To filter access based on the security ratings of the website: a. Select Web reputation under Service. b. Move the slider to the required security rating level.
l DSCP tag
l 802.1p priority
8. Click OK on the Roles tab to save the changes to the role for which you defined ACL rules.
In the CLI To control access based on web categories and security ratings:
(Instant AP)(config)# wlan access-rule
(Instant AP)(Access Rule "")# rule webcategory {permit | deny}[]
(Instant AP)(Access Rule "")# rule webreputation {permit | deny}[
Chapter 22 Voice and Video This chapter explains the steps required to configure voice and video services on a W-IAP for Voice over IP (VoIP) devices, Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H323, SCCP, Vocera, and Alcatel NOE phones, clients running Microsoft OCS, and Apple devices running the Facetime application.
Configuring WMM for Wireless Clients You can configure WMM for wireless clients by using the UI or the CLI. In the Instant UI To configure the WMM for wireless clients: 1. Navigate to the WLAN wizard. a. Click Networks > New or b. Click Networks, and select the WLAN SSID > edit. 2. Click Show advanced options under WLAN Settings. 3. Specify a percentage value for the following WMM access categories in the corresponding Share text box.
Table 60: WMM AC-DSCP Mapping
DSCP Value  WMM Access Category
32          Video
40          Video
48          Voice
56          Voice
When WMM AC mappings are customized, all received packets are matched against the entries in the mapping table and prioritized accordingly. The mapping table covers both upstream (client to W-IAP) and downstream (W-IAP to client) traffic. You can configure different WMM to DSCP mapping values for each WMM AC when configuring an SSID profile by using the Instant UI or the CLI.
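The rows of Table 60 follow the standard WMM rule that the three high-order DSCP bits become the 802.11 user priority, which then selects the access category. The following Python is an added example written for this guide (not Instant's code or Dell's) that implements that default rule, layers the per-SSID overrides described above on top of it, and reads the DSCP out of a constructed IPv4 header. It also shows why customizing matters: DSCP 46 (EF, the usual voice marking) lands in the Video category under the plain rule, and because upstream DSCP is set by the client, any mapping that trusts client marks lets a client claim the Voice queue for itself.

```python
"""DSCP to WMM access category mapping with per-SSID overrides (added example)."""
import struct
from typing import Dict, Optional

AC_BACKGROUND = "Background"
AC_BEST_EFFORT = "Best effort"
AC_VIDEO = "Video"
AC_VOICE = "Voice"

# 802.11 user priority (UP) -> access category, per the WMM specification
UP_TO_AC = {
    1: AC_BACKGROUND, 2: AC_BACKGROUND,
    0: AC_BEST_EFFORT, 3: AC_BEST_EFFORT,
    4: AC_VIDEO, 5: AC_VIDEO,
    6: AC_VOICE, 7: AC_VOICE,
}


def default_ac_for_dscp(dscp: int) -> str:
    """Default rule: the three high-order DSCP bits are the 802.11 UP."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return UP_TO_AC[dscp >> 3]


class WmmDscpMap:
    """Per-SSID mapping: explicit DSCP overrides, default rule otherwise."""

    def __init__(self, overrides: Optional[Dict[int, str]] = None) -> None:
        self.overrides: Dict[int, str] = {}
        for dscp, ac in (overrides or {}).items():
            if not 0 <= dscp <= 63:
                raise ValueError(f"bad DSCP {dscp}")
            if ac not in UP_TO_AC.values():
                raise ValueError(f"unknown access category {ac!r}")
            self.overrides[dscp] = ac

    def classify(self, dscp: int) -> str:
        return self.overrides.get(dscp) or default_ac_for_dscp(dscp)

    def classify_ipv4(self, packet: bytes) -> str:
        """DSCP is the upper six bits of the IPv4 TOS byte (offset 1)."""
        if len(packet) < 20 or packet[0] >> 4 != 4:
            raise ValueError("not an IPv4 packet")
        return self.classify(packet[1] >> 2)


def table_60_rows(mapping: WmmDscpMap) -> Dict[int, str]:
    """The four DSCP values listed in Table 60 under the given mapping."""
    return {d: mapping.classify(d) for d in (32, 40, 48, 56)}


def make_ipv4_header(dscp: int, total_length: int = 40) -> bytes:
    """Constructed minimal IPv4 header (no options) carrying the given DSCP;
    addresses are sample values, protocol 17 (UDP), checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, total_length, 0, 0,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


if __name__ == "__main__":
    default = WmmDscpMap()
    print(table_60_rows(default))
    custom = WmmDscpMap({46: AC_VOICE})      # move EF-marked traffic to Voice
    print(default.classify(46), custom.classify_ipv4(make_ipv4_header(46)))
```

Only override values you have decided to trust; leaving the default rule in place for everything else keeps a client that marks its bulk traffic with DSCP 56 from being served ahead of real calls only if the upstream mapping is combined with an ACL that re-marks untrusted traffic.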
Configuring WMM U-APSD To extend the battery life and enable power saving on WLAN clients, W-IAPs support Unscheduled Automatic Power Save Delivery (U-APSD) for the clients that support WMM. The U-APSD or the WMM Power Save feature is enabled by default on all SSIDs. When configured, U-APSD enables a client station to retrieve the unicast QoS traffic buffered in the W-IAP by sending trigger frames.
STUN Based Media Classification STUN-based media classification requires ACLs that permit the signaling sessions without the classify-media flag, and it requires an implicit deny firewall rule for User Datagram Protocol (UDP) to be in effect. All other traffic that should be allowed in the network must be explicitly permitted with ACL rules. The W-IAP automatically opens firewall sessions for voice and video calls made from Skype for Business and Apple FaceTime.
The WLSXIAPVOICECLIENTLOCATIONUPDATE trap contains the following information:
Table 61: SNMP Trap Details for VoIP Calls
wlsxTrapVcIpAddress: IP address of the VoIP client.
wlsxTrapVcMacAddress: MAC address of the VoIP client.
wlsxTrapAPMacAddress: MAC address of the W-IAP that generated the trap.
wlsxTrapAPName: Name of the W-IAP that generated the trap.
Chapter 23 Services This chapter provides information on how to configure the following services on a W-IAP: l Configuring AirGroup on page 279 l Configuring a W-IAP for RTLS Support on page 288 l Configuring a W-IAP for Analytics and Location Engine Support on page 289 l Managing BLE Beacons on page 290 l Clarity Live on page 291 l Cluster Security on page 304 l Configuring OpenDNS Credentials on page 293 l Integrating a W-IAP with Palo Alto Networks Firewall on page 293 l Integrating a W
The following figure illustrates how AirGroup enables personal sharing of Apple devices: Figure 72 AirGroup Enables Personal Device Sharing AirGroup is not supported on 3G and PPPoE uplinks. Multicast DNS and Bonjour® Services Bonjour is the trade name for the zero configuration implementation introduced by Apple. It is supported by most of the Apple product lines, including the Mac OS X operating system, iPhone, iPod Touch, iPad, Apple TV, and AirPort Express.
Figure 73 Bonjour Services and AirGroup Architecture For a list of supported Bonjour services, see AirGroup Services on page 283. DLNA UPnP Support In addition to the mDNS protocol, W-IAPs now support Universal Plug and Play (UPnP), and DLNA-enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network. DLNA also provides the ability to share data between the Windows or Android-based multimedia devices.
The following figure illustrates DLNA UPnP Services and AirGroup Architecture. Figure 74 DLNA UPnP Services and AirGroup Architecture For a list of supported DLNA services, see AirGroup Services on page 283. AirGroup Features AirGroup supports the following features: l Sends unicast responses to mDNS or DLNA queries and reduces the traffic footprint. l Ensures cross-VLAN visibility and availability of AirGroup devices and services. l Allows or blocks AirGroup services for all users.
The following figure shows an example of a higher-education environment with shared, local, and personal services available to mobile devices. Figure 75 AirGroup in a Higher-Education Environment When AirGroup discovers a new device, it interacts with ClearPass Policy Manager to obtain the shared attributes such as shared location and role. However, the current versions of W-IAPs do not support the enforcement of shared location policy. AirGroup Services AirGroup supports zero configuration services.
For more information on configuring AirGroup services, see Configuring AirGroup and AirGroup Services on a W-IAP on page 285. AirGroup Components AirGroup leverages key elements of the Dell solution portfolio including operating system software for Instant, ClearPass Policy Manager, and the VLAN-based or role-based filtering options offered by the AirGroup services. The components that make up the AirGroup solution include the Instant, ClearPass Policy Manager, and ClearPass Guest.
ClearPass Policy Manager and ClearPass Guest Features ClearPass Policy Manager and ClearPass Guest support the following features: l Registration portal for WLAN users to register their personal devices. l Registration portal for WLAN administrators to register shared devices. l Operator-defined personal AirGroup to specify a list of other users who can share devices with the operator. l Administrator-defined username, user role, and location attributes for shared devices.
7. Ensure that the required AirGroup services are selected. To add any service, click New and add. To allow all services, select allowall. If a custom service is added, you can add a corresponding service ID by clicking New under Service ID. If a W-IAP is upgraded to the current release with the Bonjour check box enabled, ensure that the corresponding Bonjour services are selected. Instant supports the use of up to 6 custom services. 8.
(Instant AP)(airgroup-service)# id
(Instant AP)(airgroup-service)# description
(Instant AP)(airgroup-service)# disallow-role
(Instant AP)(airgroup-service)# disallow-vlan
(Instant AP)(airgroup-service)# end
(Instant AP)# commit apply
To verify the AirGroup configuration status:
(Instant AP)# show airgroup status
Configuring AirGroup and ClearPass Policy Manager Interface in Instant Configure the Instant and ClearPass Policy Manager interface to allow an AirGr
Configuring a W-IAP for RTLS Support Instant supports the real-time tracking of devices when integrated with the AMP or a third-party Real Time Location Server such as Aeroscout Real Time Location Server. With the help of the RTLS, the devices can be monitored in real time or through history. You can configure RTLS by using the Instant UI or the CLI. In the Instant UI To configure Aruba RTLS: 1. Click the More > Services link on the Instant main window. 2. In the Services section, click the RTLS tab. 3.
(Instant AP)# commit apply To configure Aeroscout RTLS: (Instant AP)(config)# aeroscout-rtls include-unassoc-sta (Instant AP)(config)# end (Instant AP)# commit apply Configuring a W-IAP for Analytics and Location Engine Support The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it, and share it through a standard API.
Figure 78 Services Window—ALE Integration 4. In the Server text box, specify the ALE server name or IP address. 5. In the Report interval text box, specify the reporting interval within the range of 6–60 seconds. The W-IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds. 6. Click OK.
You can configure BLE operation modes and enable the BLE Beacon Management feature by using the Instant UI or the CLI. In the Instant UI Configuring BLE mode: 1. Click More > Services. 2. Click the RTLS tab. The tab details are displayed. 3. To manage the BLE devices using BMC, select Manage BLE Beacons. 4. Enter the authorization token. The authorization token is a text string of 1–255 characters that is carried in an HTTPS header when communicating with the BMC; it authorizes access to the BMC, so treat it as a credential.
Inline Monitoring This functionality of Clarity Live helps diagnose client connectivity issues. It gives network administrators and engineers information about the exact stage at which client connectivity fails, or data showing where the DHCP or RADIUS server is slow. The W-IAP collects all information related to user transitions, such as association, authentication, and DHCP, and sends these records to a management server such as W-AirWave.
(Instant AP)(config)# clarity
(Instant AP)(clarity)# inline-auth-stats
(Instant AP)(clarity)# inline-dhcp-stats
(Instant AP)(clarity)# inline-dns-stats
(Instant AP)(clarity)# inline-sta-stats
(Instant AP)(clarity)# end
(Instant AP)# commit apply
Verify Clarity Configuration on W-IAP The following command is used to view the status of the Inline Monitoring events:
(Instant AP)# show clarity config
The following command is used to view the history of the authentication events:
(Instant AP)# show clarity hi
Integration with Instant The functionality provided by the PAN firewall based on user ID requires the collection of information from the network. The W-IAP maintains network information (such as the IP address to user mapping) for its clients and can provide the information required for user ID on the PAN firewall. Before sending the user-ID mapping information to the PAN firewall, the W-IAP must retrieve an API key, which is then used to authenticate all API calls.
Figure 79 Services Window: Network Integration Tab 3. Select the Enable check box to enable PAN firewall. 4. Provide the user credentials of the PAN firewall administrator in the Username and Password text boxes. Use a dedicated administrator account limited to the User-ID API rather than a full superuser, because these credentials are stored in the W-IAP configuration. 5. Enter the PAN firewall IP address. 6. Enter the port number within the range of 1–65,535. The default port is 443. 7. Specify the static Client Domain to be mapped to the client User IDs that do not have a domain name of their own. 8. Click OK.
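The exchange the steps above configure is, on the firewall side, the PAN-OS XML API: a keygen request that trades the administrator credentials for an API key, followed by User-ID updates that map each client IP address to a user name. The following Python is an added example written for this guide from my understanding of the PAN-OS XML API (the uid-message format and the type=keygen and type=user-id endpoints); it is not Instant's implementation. It builds the keygen URL, parses a constructed keygen reply, applies the static Client Domain from step 7 to users that carry no domain, and assembles the login/logout update. The firewall address 192.0.2.10, the key string and the client entries are constructed for the example; no network call is made.

```python
"""PAN-OS User-ID mapping update as sent by an IP-to-user source (added example)."""
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlencode

# Constructed stand-in for the firewall's keygen reply
KEYGEN_SAMPLE = (
    '<response status="success"><result>'
    '<key>constructed-api-key-0001</key>'
    '</result></response>'
)


def keygen_url(host: str, port: int, username: str, password: str) -> str:
    """Key retrieval endpoint. Use HTTPS only; the credentials travel in the
    request, so the account should be one limited to the User-ID role."""
    query = urlencode({"type": "keygen", "user": username, "password": password})
    return f"https://{host}:{port}/api/?{query}"


def parse_keygen_response(xml_text: str) -> str:
    """Extract <key> from <response status="success"><result><key>...</key>."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg") or "unknown error"
        raise RuntimeError(f"keygen failed: {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response has no key")
    return key


def try_parse_key(xml_text: str) -> Optional[str]:
    """None instead of an exception, for callers that retry later."""
    try:
        return parse_keygen_response(xml_text)
    except (RuntimeError, ET.ParseError):
        return None


def qualified_user(user: str, client_domain: str) -> str:
    """Step 7 above: clients with no domain of their own get the static one."""
    if "\\" in user or "@" in user:
        return user
    return f"{client_domain}\\{user}"


def build_uid_message(logins: Iterable[Tuple[str, str]],
                      logouts: Iterable[Tuple[str, str]],
                      client_domain: str, timeout_minutes: int = 60) -> bytes:
    """<uid-message> with login entries (user, ip) and logout entries."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login_list = list(logins)
    if login_list:
        login = ET.SubElement(payload, "login")
        for user, ip in login_list:
            ET.SubElement(login, "entry", name=qualified_user(user, client_domain),
                          ip=ip, timeout=str(timeout_minutes))
    logout_list = list(logouts)
    if logout_list:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logout_list:
            ET.SubElement(logout, "entry", name=qualified_user(user, client_domain), ip=ip)
    return ET.tostring(root, encoding="utf-8")


def userid_post_url(host: str, port: int, api_key: str) -> str:
    """The update is POSTed as form field `cmd` to this URL."""
    return f"https://{host}:{port}/api/?" + urlencode({"type": "user-id", "key": api_key})


def mapped_entries(message: bytes) -> List[Tuple[str, str, str]]:
    """Parse a uid-message back into (action, user, ip); used to verify output."""
    root = ET.fromstring(message)
    out: List[Tuple[str, str, str]] = []
    for action in ("login", "logout"):
        for entry in root.findall(f"./payload/{action}/entry"):
            out.append((action, entry.get("name", ""), entry.get("ip", "")))
    return out


if __name__ == "__main__":
    key = parse_keygen_response(KEYGEN_SAMPLE)
    msg = build_uid_message([("alice", "10.20.30.40")], [("corp\\bob", "10.20.30.41")], "corp")
    print(userid_post_url("192.0.2.10", 443, key))
    print(msg.decode())
```

The API key is as sensitive as the administrator password it was derived from: it authenticates every later update, and a stolen key lets anyone rewrite the firewall's idea of which user sits behind which IP address.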
Integration with Instant The XML API interface allows you to send specific XML commands to a W-IAP from an external server. These XML commands can be used to customize W-IAP client entries. You can use the XML API interface to add, delete, authenticate, query, or blacklist a user or a client. The user authentication is supported only for users authenticated by captive portal authentication and not for the dot1x-authentication users.
https://
l virtualcontroller-ip: The IP address of the VC that will receive the XML API request
l command.xml: The XML request that contains the XML API command.
The format of the XML API request is:
xml= Value ...
Parameter, Description, Range / Defaults
password: The password of the user for authentication. Range / Defaults: none.
session_timeout: The role is changed to the pre-authentication role after the session timeout. Range / Defaults: none.
authentication: The method used to authenticate the message and the sender: MD5, SHA-1, or clear text. This option is ignored if no shared secret is configured and is mandatory if one is configured. Because the XML API can add, authenticate, and blacklist clients, configure a shared secret so that requests are authenticated, and prefer SHA-1 to MD5 or clear text.
Figure 80 IAP to CALEA Server Traffic Flow from W-IAP to CALEA Server through VPN You can also deploy the CALEA server with the controller and configure an additional IPsec tunnel for corporate access. When CALEA server is configured with the controller, the client traffic is replicated by the slave W-IAP and client data is encapsulated by GRE on slave, and routed to the master W-IAP. The master W-IAP sends the IPsec client traffic to the controller.
Figure 81 W-IAP to CALEA Server through VPN Ensure that IPsec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN. For more information on configuring IPsec, see Configuring an IPsec Tunnel on page 226. Client Traffic Replication Client traffic is replicated in the following ways: l Through RADIUS VSA—In this method, the client traffic is replicated by using the RADIUS VSA to assign clients to a CALEA-related user role.
In the Instant UI To configure a CALEA profile: 1. Click More > Services link on the Instant main window. 2. In the Services section, click CALEA. The CALEA tab details are displayed. 3. Specify the following parameters: l IP address—Specify the IP address of the CALEA server. l Encapsulation type—Select the encapsulation type. The current release of Instant supports GRE only. l GRE type—Specify the GRE type. l MTU—Specify a size for the maximum transmission unit (MTU) within the range of 68–1500.
3. On the Access tab, select the role for which you want create the access rule. 4. Under Access Rules, click New. 5. In the New Rule window that is displayed, select CALEA. 6. Click OK. 7. Create a role assignment rule if required. 8. Click Finish.
(Instant AP)(SSID Profile "Calea-Test")# auth-server server1
(Instant AP)(SSID Profile "Calea-Test")# set-role
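The CALEA profile above replicates client traffic into GRE (the only encapsulation this release supports) with a configurable GRE type and an MTU of 68 to 1500 bytes. The following Python is an added example written for this guide, not Instant's code or Dell's: it frames a replicated client frame in an RFC 2784 GRE header (C bit, version 0, protocol type), computes and verifies the optional RFC 1071 checksum, rejects corrupted or wrong-version packets, and refuses frames that would exceed the tunnel MTU once the 20-byte outer IPv4 header (assumed, no options) is added. The Ethernet frame bytes are constructed; 0x6558 is the protocol type for carrying a whole Ethernet frame and 0x0800 for an IPv4 packet.

```python
"""GRE framing for replicated client traffic with MTU enforcement (added example)."""
import struct
from typing import Optional, Tuple

GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_TEB = 0x6558     # transparent Ethernet bridging: whole client frame inside
OUTER_IPV4_HEADER = 20     # assumed: no IP options on the outer header


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fits_mtu(inner: bytes, mtu: int, checksum: bool = True) -> bool:
    """Outer IPv4 header + GRE header + inner frame must not exceed the MTU."""
    return OUTER_IPV4_HEADER + (8 if checksum else 4) + len(inner) <= mtu


def gre_encapsulate(inner: bytes, gre_type: int, mtu: int, checksum: bool = True) -> bytes:
    """Wrap `inner` in an RFC 2784 GRE header. `gre_type` is the 16-bit
    protocol type field (the profile's "GRE type")."""
    if not 68 <= mtu <= 1500:
        raise ValueError("MTU must be within 68-1500")      # range from the page
    if not fits_mtu(inner, mtu, checksum):
        raise ValueError("replicated frame exceeds tunnel MTU; drop or pre-fragment")
    flags = 0x8000 if checksum else 0x0000                  # C bit set; version bits 0
    if not checksum:
        return struct.pack("!HH", flags, gre_type) + inner
    # Checksum covers the GRE header (with the field zeroed) and the payload
    base = struct.pack("!HHHH", flags, gre_type, 0, 0) + inner
    csum = internet_checksum(base)
    return struct.pack("!HHHH", flags, gre_type, csum, 0) + inner


def gre_decapsulate(packet: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (protocol type, inner frame), or None if malformed or corrupted."""
    if len(packet) < 4:
        return None
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:                    # version must be 0 for RFC 2784 GRE
        return None
    if flags & 0x8000:
        # Re-summing over the stored checksum yields 0 only if it was correct
        if len(packet) < 8 or internet_checksum(packet) != 0:
            return None
        return proto, packet[8:]
    return proto, packet[4:]


if __name__ == "__main__":
    frame = bytes.fromhex("ffffffffffff00115500aabb0800") + b"\x45\x00" + b"\x00" * 18
    pkt = gre_encapsulate(frame, GRE_PROTO_TEB, 1500)
    print(pkt[:8].hex(), gre_decapsulate(pkt) == (GRE_PROTO_TEB, frame))
```

The checksum catches corruption, not tampering, and plain GRE carries the replicated frames in clear text; that is why the page requires the IPsec tunnel when this traffic has to cross the Internet to the ISP or CALEA server.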
Chapter 24 Cluster Security This chapter describes cluster security and the procedure for configuring cluster security DTLS for secure communication. It includes the following topics: l Overview on page 304 l Enabling Cluster Security on page 305 l Cluster Security Debugging Logs on page 305 l on page 306 Overview Cluster security is a communication protocol that secures control plane messages between Instant access points.
Enabling Cluster Security You can enable cluster security using the Instant UI or the CLI. Ensure that the following prerequisites are satisfied: Prerequisites 1. An NTP server must be reachable: if the Internet is reachable, pool.ntp.org is used by default; otherwise, a static NTP server must be configured. Correct time is needed because the DTLS certificate validity checks depend on it. 2. UDP port 4434 must be permitted. In the Instant UI To enable cluster security: 1. Navigate to System > General . 2. Select Enabled from the Cluster security drop-down list. 3. Click OK.
mcap—The module capture module is used to log messages sent and received to the socket. Set log-level to debug to log only control messages. Set log-level to debug1 to log control and data messages.
Chapter 25 W-IAP Management and Monitoring

This chapter provides information on managing and monitoring W-IAPs from the W-AirWave management server.

Managing a W-IAP from W-AirWave

W-AirWave is a powerful and easy-to-use network operations platform that manages Dell wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers.
In the W-AirWave User Interface (UI), you can select either Manage Read/Write or Monitor-only+Firmware Upgrades as management modes. When the W-AirWave Management level is set to Manage Read/Write, the Instant UI is in read-only mode. When the W-AirWave Management level is set to Monitor-only+Firmware Upgrades, the Instant UI changes to the read-write mode. With the latest version of W-AirWave, a new option in the AMP is available to put the W-IAP in config-only mode.
Wireless Intrusion Detection System (WIDS) Event Reporting to W-AirWave W-AirWave supports Wireless Intrusion Detection System (WIDS) Event Reporting, which is provided by Instant. This includes WIDS classification integration with the Rogue Access Point Detection Software (RAPIDS) module. RAPIDS is a powerful and easy-to-use tool for automatic detection of unauthorized wireless devices. It supports multiple methods of rogue detection and uses authorized wireless W-IAPs to report other devices within range.
The following example shows how to configure the port number of the AMP server:

24:de:c6:cf:63:60 (config) # ams-ip 10.65.182.15:65535
24:de:c6:cf:63:60 (config) # end
24:de:c6:cf:63:60# commit apply

Configuring Organization String

The Organization string is a set of colon-separated strings created by the W-AirWave administrator to accurately represent the deployment of each W-IAP. This string is defined by the installation personnel on the site.
Configuring for W-AirWave Discovery Through DHCP

W-AirWave can be discovered through the DHCP server. You can configure this only if W-AirWave was not configured earlier or if you have deleted the previous configuration. On the DHCP server, the format for option 60 is “InstantAP”, and the two formats for option 43 are “,,” and “,”.
Figure 84 Instant and DHCP options for W-AirWave: Set Predefined Options

3. Select DHCP Standard Options in the Option class drop-down list and then click Add.
4. Enter the following information:
   - Name—Instant
   - Data Type—String
   - Code—60
   - Description—Instant AP

312 | W-IAP Management and Monitoring Dell Networking W-Series Instant 6.5.1.0-4.3.1.
Figure 85 Instant and DHCP options for W-AirWave: Predefined Options and Values

5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.)
6. Right-click Server Options and select the configuration options.
Figure 86 Instant and DHCP options for W-AirWave: Server Options

7. Select 060 Dell Instant AP in the Server Options window and enter DellInstantAP in the String value text box.

Figure 87 Instant and DHCP options for W-AirWave—060 W-IAP in Server Options

8. Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII text box:
   - airwave-orgn, airwave-ip, airwave-key; for example: Dell,192.0.2.20, 12344567
   - airwave-orgn, airwave-domain; for example: Dell, dell.support.
Figure 88 Instant and DHCP options for—043 Vendor-Specific Info

This creates DHCP options 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.

Figure 89 Instant and DHCP options for W-AirWave: Scope Options
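The two option 43 value formats described above, built and parsed as DHCP option bytes. This is an added example and not Dell's or W-AirWave's code; the code/length/value option encoding follows RFC 2132, and the sample values are the ones the guide uses.

```python
"""Build and check DHCP options 60 and 43 for W-AirWave discovery.

Added example, not part of the Dell user guide or the Instant firmware.
"""
import ipaddress
from typing import Dict, Optional

OPT_VENDOR_CLASS = 60          # DHCP option 60, vendor class identifier
OPT_VENDOR_INFO = 43           # DHCP option 43, vendor-specific information
OPT_PAD, OPT_END = 0, 255
VENDOR_CLASS = "DellInstantAP"  # string value the guide enters for option 060


def encode_option(code: int, payload: bytes) -> bytes:
    """Code / length / value encoding of a single DHCP option (RFC 2132)."""
    if not 0 < len(payload) <= 255:
        raise ValueError("option payload must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def airwave_option43_text(orgn: str, ip: Optional[str] = None,
                          key: Optional[str] = None,
                          domain: Optional[str] = None) -> str:
    """ASCII value for option 43 in one of the two formats the guide lists:
    'airwave-orgn,airwave-ip,airwave-key' or 'airwave-orgn,airwave-domain'."""
    if "," in orgn:
        raise ValueError("organization string must not contain a comma")
    if domain is not None and ip is None and key is None:
        return f"{orgn},{domain}"
    if ip is not None and key is not None and domain is None:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        return f"{orgn},{ip},{key}"
    raise ValueError("give either ip and key, or domain")


def build_discovery_options(orgn: str, **kw) -> bytes:
    """Options 60 and 43 back to back, terminated by the End option."""
    text = airwave_option43_text(orgn, **kw)
    return (encode_option(OPT_VENDOR_CLASS, VENDOR_CLASS.encode("ascii"))
            + encode_option(OPT_VENDOR_INFO, text.encode("ascii"))
            + bytes([OPT_END]))


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs; returns {code: payload}. Skips Pad, stops at End,
    and refuses options whose declared length runs past the buffer."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def classify_option43(payload: bytes) -> Dict[str, str]:
    """Split an option 43 value into the fields the guide names. Whitespace
    around fields, as in the guide's 'Dell,192.0.2.20, 12344567', is tolerated."""
    fields = [f.strip() for f in payload.decode("ascii").split(",")]
    if len(fields) == 3:
        ipaddress.ip_address(fields[1])
        return {"airwave-orgn": fields[0], "airwave-ip": fields[1],
                "airwave-key": fields[2]}
    if len(fields) == 2:
        return {"airwave-orgn": fields[0], "airwave-domain": fields[1]}
    raise ValueError("option 43 value is neither orgn,ip,key nor orgn,domain")


def extract_airwave_settings(blob: bytes) -> Optional[Dict[str, str]]:
    """Classified option 43 fields from an option blob, or None if absent."""
    opts = parse_options(blob)
    if OPT_VENDOR_INFO not in opts:
        return None
    return classify_option43(opts[OPT_VENDOR_INFO])
```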
Alternate Method for Defining Vendor-Specific DHCP Options This section describes how to add vendor-specific DHCP options for W-IAPs in a network that already uses DHCP options 60 and 43 for other services. Some networks use DHCP standard options 60 and 43 to provide the DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options 60 and 43 cannot be used for W-IAPs.
Figure 91 W-AirWave—New Group

Figure 92 W-AirWave—Monitor
Chapter 26 Uplink Configuration

This chapter provides the following information:
- Uplink Interfaces on page 318
- Uplink Preferences and Switching on page 323

Uplink Interfaces

Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate Instant network. The 3G/4G USB modems and the Wi-Fi uplink can be used to extend the connectivity to places where an Ethernet uplink cannot be configured.
Figure 94 Uplink Status

Ethernet uplink supports the following types of configuration in this Instant release.
- PPPoE
- DHCP
- Static IP

You can use PPPoE for your uplink connectivity in both W-IAP and IAP-VPN deployments. PPPoE is supported only in a single W-IAP deployment. Uplink redundancy with the PPPoE link is not supported. When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections.
   d. Enter a password for the PPPoE connection and confirm the password in the Password and Retype text boxes.
4. Select a value from the Local interface drop-down list to set a local interface for the PPPoE uplink connections. The selected DHCP scope will be used as a local interface on the PPPoE interface and the Local, L3 DHCP gateway IP address as its local IP address.
Configuring Cellular Uplink Profiles

You can configure 3G or 4G uplinks by using the Instant UI or the CLI.

In the Instant UI

To configure 3G/4G uplinks:
1. Click the System link on the Instant main window.
2. In the System window, click the show advanced settings link.
3. Click the Uplink tab.
4. To configure a 3G or 4G uplink, select the Country and ISP.
5. Click OK.
6. Reboot the W-IAP for changes to take effect.
To unlock a PIN with the PUK code provided by the operator:

(Instant AP)# pin-puk

To renew the PIN:

(Instant AP)# pin-renew

Wi-Fi Uplink

The Wi-Fi uplink is supported on all the W-IAP models, except for the 802.11ac W-IAP models (W-IAP-2xx Series access points). However, only the master W-IAP uses this uplink. The Wi-Fi uplink can connect to open, PSK-CCMP, and PSK-TKIP SSIDs.
- For single-radio W-IAPs, the radio serves wireless clients and the Wi-Fi uplink.
10. Navigate to System > General > Show Advanced Options view and set the Extended SSID parameter to Disabled.
11. Reboot the W-IAP to apply the changes. After the W-IAP reboot, the Wi-Fi and mesh links are automatically enabled.
- When no uplink is enforced and preemption is not enabled, and if the current uplink fails, the W-IAP tries to find an available uplink based on the priority configured. The uplink with the highest priority is used as the primary uplink. For example, if Wi-Fi-sta has the highest priority, it is used as the primary uplink.
- When no uplink is enforced and preemption is enabled, and if the current uplink fails, the W-IAP tries to find an available uplink based on the priority configured.
- When preemption is disabled and the current uplink goes down, the W-IAP tries to find an available uplink based on the uplink priority configuration.
- When preemption is enabled and the current uplink is active, the W-IAP periodically tries to use a higher-priority uplink, and switches to a higher-priority uplink even if the current uplink is active.

You can enable uplink preemption by using the Instant UI or the CLI.

In the Instant UI

To enable uplink preemption:
1.
When the uplink switchover based on Internet availability is enabled, the W-IAP continuously sends Internet Control Message Protocol (ICMP) packets to some well-known Internet servers. If the request times out due to a bad uplink connection or an uplink interface failure, and the public Internet is not reachable from the current uplink, the W-IAP switches to a different connection. You can set preferences for uplink switching by using the Instant UI and the CLI.
Viewing Uplink Status and Configuration

To view the uplink status:

(Instant AP)# show uplink status
Uplink preemption          :enable
Uplink preemption interval :600
Uplink enforce             :none
Ethernet uplink eth0       :DHCP
Uplink Table
------------
Type      State   Priority  In Use
----      -----   --------  ------
eth0      UP      2         Yes
Wifi-sta  INIT    1         No
3G/4G     INIT    3         No
Internet failover          :enable
Internet failover IP       :192.2.0.
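The preemption and failover rules from the Uplink Preferences section, applied to the `show uplink status` output above. This is an added example, not Dell's code: it assumes that a lower Priority number means a higher-priority uplink (consistent with the sample, where Wifi-sta carries priority 1), that only uplinks in state UP are usable, and that an enforced uplink is reported as printed in the Uplink enforce field.

```python
"""Parse `show uplink status` and decide which uplink the W-IAP should use.

Added example, not Dell's code. Assumptions: lower Priority number = higher
priority; only state UP counts as available; Uplink enforce other than
'none' is returned verbatim.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the output shown above, with the truncated failover IP
# completed with an RFC 5737 documentation address.
SAMPLE_OUTPUT = """\
(Instant AP)# show uplink status
Uplink preemption          :enable
Uplink preemption interval :600
Uplink enforce             :none
Ethernet uplink eth0       :DHCP
Uplink Table
------------
Type      State   Priority  In Use
----      -----   --------  ------
eth0      UP      2         Yes
Wifi-sta  INIT    1         No
3G/4G     INIT    3         No
Internet failover          :enable
Internet failover IP       :192.0.2.1
"""

KV_RE = re.compile(r"^([A-Za-z][^:]*?)\s*:(.*)$")
ROW_RE = re.compile(r"^(\S+)\s+(UP|DOWN|INIT)\s+(\d+)\s+(Yes|No)\s*$")


@dataclass
class Uplink:
    kind: str        # eth0, Wifi-sta, 3G/4G
    state: str       # UP, DOWN, INIT
    priority: int    # lower number = higher priority (assumption)
    in_use: bool


@dataclass
class UplinkStatus:
    preemption: bool
    preemption_interval: int
    enforce: str
    uplinks: List[Uplink]
    internet_failover: bool
    failover_ip: str


def parse_uplink_status(text: str) -> UplinkStatus:
    """Turn the key:value header lines and the Uplink Table rows into a status object."""
    kv, uplinks = {}, []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            uplinks.append(Uplink(row.group(1), row.group(2),
                                  int(row.group(3)), row.group(4) == "Yes"))
            continue
        m = KV_RE.match(line)
        if m:
            kv[m.group(1).strip()] = m.group(2).strip()
    return UplinkStatus(
        preemption=kv.get("Uplink preemption") == "enable",
        preemption_interval=int(kv.get("Uplink preemption interval", 0)),
        enforce=kv.get("Uplink enforce", "none"),
        uplinks=uplinks,
        internet_failover=kv.get("Internet failover") == "enable",
        failover_ip=kv.get("Internet failover IP", ""),
    )


def current_uplink(status: UplinkStatus) -> Optional[str]:
    return next((u.kind for u in status.uplinks if u.in_use), None)


def select_uplink(status: UplinkStatus, internet_reachable: bool = True) -> Optional[str]:
    """Uplink the W-IAP should be on, following the rules on this page:
    1. an enforced uplink wins outright;
    2. if the current uplink is not UP, or Internet failover is enabled and the
       ICMP check failed, move to the best available alternative;
    3. with preemption enabled, move to a higher-priority UP uplink even while
       the current one is healthy;
    4. otherwise stay on the current uplink."""
    if status.enforce != "none":
        return status.enforce
    current = current_uplink(status)
    cur = next((u for u in status.uplinks if u.kind == current), None)
    candidates = sorted((u for u in status.uplinks if u.state == "UP"),
                        key=lambda u: u.priority)
    link_down = cur is None or cur.state != "UP"
    internet_down = status.internet_failover and not internet_reachable
    if link_down or internet_down:
        alternatives = [u for u in candidates if u.kind != current]
        if alternatives:
            return alternatives[0].kind
        return None if link_down else current   # nothing better is available
    if status.preemption and candidates and candidates[0].priority < cur.priority:
        return candidates[0].kind
    return current
```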
Chapter 27 Intrusion Detection The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized W-IAPs and clients. It also logs information about the unauthorized W-IAPs and clients, and generates reports based on the logged information. The IDS feature in the Instant network enables you to detect rogue W-IAPs, interfering W-IAPs, and other devices that can potentially disrupt network operations.
- Windows 7
- Windows Vista
- Windows Server
- Windows XP
- Windows ME
- OS-X
- iPhone
- iOS
- Android
- Blackberry
- Linux

Configuring Wireless Intrusion Protection and Detection Levels

WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Instant network, WIP can be configured on the W-IAP.
Figure 96 Wireless Intrusion Detection

The following table describes the detection policies enabled in the Infrastructure Detection Custom settings text box:

Table 67: Infrastructure Detection Policies
Detection Level / Detection Policy
Off: Rogue Classification
Low:
- Detect W-IAP Spoofing
- Detect Windows Bridge
- IDS Signature—Deauthentication Broadcast
- IDS Signature—Deassociation Broadcast
- Detect ad hoc networks using VALID SSID—Valid SSID list is autoconfigured based on Instant W-IAP con
Table 67: Infrastructure Detection Policies
Detection Level / Detection Policy
- Detect W-IAP Flood Attack
- Detect Client Flood Attack
- Detect Bad WEP
- Detect CTS Rate Anomaly
- Detect RTS Rate Anomaly
- Detect Invalid Address Combination
- Detect Malformed Frame—HT IE
- Detect Malformed Frame—Association Request
- Detect Malformed Frame—Auth
- Detect Overflow IE
- Detect Overflow EAPOL Key
- Detect Beacon Wrong Channel
- Detect devices with invalid MAC OUI

The following table de
Figure 97 Wireless Intrusion Protection

The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings text box:

Table 69: Infrastructure Protection Policies
Protection Level / Protection Policy
Off: All protection policies are disabled
Low:
- Protect SSID—Valid SSID list should be autoderived from Instant configuration
- Rogue Containment
- Protect from ad hoc Networks
- Protect W-IAP Impersonation
High:

The following table describes the de
Containment Methods

You can enable wired and wireless containment to prevent unauthorized stations from connecting to your Instant network. Instant supports the following types of containment mechanisms:
- Wired containment—When enabled, W-IAPs generate ARP packets on the wired network to contain wireless attacks.
  - wired-containment-ap-adj-mac—Enables wired containment of Rogue W-IAPs whose wired interface MAC address is offset by one from its BSSID.
Configuring IDS

The IDS policy for W-IAPs can be created using the CLI.
Chapter 28 Mesh W-IAP Configuration

This chapter provides the following information:
- Mesh Network Overview on page 335
- Setting up Instant Mesh Network on page 336
- Configuring Wired Bridging on Ethernet 0 for Mesh Point on page 336

Mesh Network Overview

The Dell Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires.
The mesh portal broadcasts a mesh services set identifier (MSSID/ mesh cluster name) to advertise the mesh network service to other mesh points in that Instant network. This is not configurable and is transparent to the user. The mesh points authenticate to the mesh portal and establish a link that is secured using Advanced Encryption Standard (AES) encryption. The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network.
In the Instant UI

To configure Ethernet bridging:
1. On the Access Points tab, click the W-IAP to modify.
2. Click the edit link.
3. Click the Uplink tab.
4. Select Enable from the Eth0 Bridging drop-down list.
5. Click OK.
6. Reboot the W-IAP.

In the CLI

To configure Ethernet bridging:

(Instant AP)# enet0-bridging

Make the necessary changes to the wired profile when eth0 is used as the downlink port. For more information, see Configuring a Wired Profile on page 104.
Chapter 29 Mobility and Client Management

This chapter provides the following information:
- Layer-3 Mobility Overview on page 338
- Configuring L3-Mobility on page 339

Layer-3 Mobility Overview

W-IAPs form a single Instant network when they are in the same Layer-2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead.
When a client first connects to an Instant network, a message is sent to all configured VC IP addresses to see if this is an L3 roamed client. On receiving an acknowledgement from any of the configured VC IP addresses, the client is identified as an L3 roamed client. If the W-IAP has no GRE tunnel to this home network, a new tunnel is formed to a W-IAP (home W-IAP) from the client's home network. Each foreign W-IAP has only one home W-IAP per Instant network to avoid duplication of broadcast traffic.
Figure 100 L3 Mobility Window

4. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled.
5. Click New in the Virtual Controller IP Addresses section, add the IP address of a VC that is part of the mobility domain, and click OK.
6. Repeat Steps 2 to 5 to add the IP addresses of all VCs that form the L3 mobility domain.
7. Click New in the Subnets section and specify the following:
   a. Enter the client subnet in the IP address text box.
   b.
Chapter 30 Spectrum Monitor

This chapter provides the following information:
- Understanding Spectrum Data on page 341
- Configuring Spectrum Monitors and Hybrid W-IAPs on page 347

Understanding Spectrum Data

Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference.
To view the device list, click Spectrum in the dashboard. The following figure shows an example of the device list details.

Figure 101 Device List

Table 71 shows the device details that are displayed:

Table 71: Device Summary and Channel Information
Column / Description
Type: Device type.
Table 71: Device Summary and Channel Information
Column / Description
Duty-cycle: Device duty cycle. This value represents the percent of time the device broadcasts a signal.
Add-time: Time at which the device was first detected.
Update-time: Time at which the device’s status was updated.
Table 72: Non-Wi-Fi Interferer Types
Non Wi-Fi Interferer / Description
Frequency Hopper (Xbox): The Microsoft Xbox device uses a frequency hopping protocol in the 2.4 GHz band. These devices are classified as Frequency Hopper (Xbox).
Frequency Hopper (Other): When the classifier detects a frequency hopper that does not fall into any of the prior categories, it is classified as Frequency Hopper (Other). Some examples include IEEE 802.
Figure 102 Channel Details

Channel Details Information shows the information that you can view in the Channel Details graph.

Table 73: Channel Details Information
Column / Description
Channel: An 802.11a or 802.11g radio channel.
Quality(%): Current relative quality of the channel.
Utilization(%): The percentage of the channel being used.
Wi-Fi (%): The percentage of the channel currently being used by Wi-Fi devices.
Type: Device type.
Channel Metrics

The channel metrics graph displays channel quality, availability, and utilization metrics as seen by a spectrum monitor or hybrid W-IAP. You can view the channel utilization data based on 2 GHz and 5 GHz radio channels. The graph shows the percentage of each channel that is currently being used by Wi-Fi devices, and the percentage of each channel being used by non-Wi-Fi devices and 802.11 adjacent channel interference (ACI).
Spectrum Alerts

When a new non-Wi-Fi device is found, an alert is reported to the VC. The spectrum alert messages include the device ID, device type, IP address of the spectrum monitor or hybrid W-IAP, and the timestamp. The VC reports the detailed device information to AMP.

Configuring Spectrum Monitors and Hybrid W-IAPs

A W-IAP can be provisioned to function as a spectrum monitor or as a hybrid W-IAP.
You can configure a W-IAP to function as a stand-alone spectrum monitor by using the Instant UI or the CLI.

In the Instant UI

To convert a W-IAP to a spectrum monitor:
1. In the Access Points tab, click the W-IAP that you want to convert to a spectrum monitor.
2. Click the edit link.
3. Click the Radio tab.
4. From the Access Mode drop-down list, select Spectrum Monitor.
5. Click OK.
6. Reboot the W-IAP for the changes to take effect.
7.
Chapter 31 W-IAP Maintenance

This section provides information on the following procedures:
- Upgrading a W-IAP on page 349
- Backing up and Restoring W-IAP Configuration Data on page 352
- Converting a W-IAP to a Remote AP and Campus AP on page 353
- Resetting a Remote AP or Campus AP to a W-IAP on page 359
- Rebooting the W-IAP on page 359

Upgrading a W-IAP

While upgrading a W-IAP, you can use the image check feature to allow the W-IAP to find new software image versions available on a cloud-ba
Figure 105 Proxy Configuration Window

2. Enter the HTTP proxy server IP address in the Server text box.
3. Enter the port number in the Port text box.
4. If you do not want the HTTP proxy to be applied for a particular host, click New to enter the IP address or domain name of that host in the Exceptions section.

In the CLI

To configure the HTTP proxy settings:

(Instant AP)(config)# proxy server 192.0.2.1 8080
(Instant AP)(config)# proxy exception 192.0.2.
- Upgrade successful—Displayed when the upgrade is successful.
- Upgrade failed—Displayed when the upgrade fails.

If the upgrade fails and an error message is displayed, retry upgrading the W-IAP.

Upgrading to a New Version Manually

If the Automatic Image Check feature is disabled, you can obtain an image file from a local file system or from a TFTP or HTTP URL. To manually check for a new firmware image version and obtain an image file:
1. Navigate to Maintenance > Firmware.
2.
Backing up and Restoring W-IAP Configuration Data

You can back up the W-IAP configuration data and restore the configuration when required.

Viewing Current Configuration

To view the current configuration on the W-IAP:
- In the UI, navigate to Maintenance > Configuration > Current Configuration.
- In the CLI, enter the following command at the command prompt:

(Instant AP)# show running-config

Backing up Configuration Data

To back up the W-IAP configuration data:
1.
Converting a W-IAP to a Remote AP and Campus AP

This section provides the following information:
- Regulatory Domain Restrictions for W-IAP to RAP or CAP Conversion on page 353
- Converting a W-IAP to a Remote AP on page 355
- Converting a W-IAP to a Campus AP on page 357
- Converting a W-IAP to Stand-Alone Mode on page 358
- Converting a W-IAP using CLI on page 359

Regulatory Domain Restrictions for W-IAP to RAP or CAP Conversion

You can provision a W-IAP as a Campus AP or a Remote AP in a contro
Table 75: W-IAP-to-ArubaOS Conversion
W-IAP Variant: W-IAP205H, W-IAP21x, W-IAP205, W-IAP274/275, W-IAP103H, W-IAP114/115, W-IAP228
W-IAP Regulatory Domain / Controller Regulatory Domain / ArubaOS release
US Unrestricted US Y X X RW X Y Y JP X Y X US Y X X RW X Y Y JP X Y X US Y X X RW X Y Y JP X Y X US Y X X RW X Y Y JP X Y X US Y X X RW X Y Y JP X Y X US Y X X RW X Y Y JP X Y X US Y X X RW X Y Y JP
Table 75: W-IAP-to-ArubaOS Conversion
W-IAP Variant: W-IAP11x and W-IAP228, W-IAP228, All other W-IAPs
W-IAP Regulatory Domain / Controller Regulatory Domain / ArubaOS release
US Unrestricted US Y X X RW X X X JP X Y X US Y X X RW/JP X X X US Y X X Unrestricted X Y X JP X Y X
ArubaOS release: ArubaOS 6.3.1.0, ArubaOS 6.3.1.1, and ArubaOS 6.3.1.2; ArubaOS 6.3.0; Versions prior to ArubaOS 6.3.0, ArubaOS 6.3.x.x, ArubaOS 6.4, and ArubaOS 6.4.x.
A W-IAP can be converted to a Campus AP and Remote AP only if the controller is running ArubaOS 6.1.4 or later versions. The following table describes the supported W-IAP platforms and the minimum ArubaOS version required for the Campus AP or Remote AP conversion.

Table 76: W-IAP Platforms and Minimum ArubaOS Versions for W-IAP-to-Remote AP Conversion
W-IAP Platform / ArubaOS Release / Instant Release
W-IAP314/315: ArubaOS 6.5.0.0 or later versions / Instant 4.3.0 or later versions
W-IAP324/325: ArubaOS 6.4.4.
Figure 106 Maintenance—Convert Tab

3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the host name (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address. Ensure that the Mobility Controller IP address is reachable by the W-IAPs.
5. Click Convert Now to complete the conversion.
Figure 107 Converting a W-IAP to Campus AP

3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the host name, Fully Qualified Domain Name (FQDN), or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local administrator to obtain these details.
5. Click Convert Now to complete the conversion.
4. Select the Access Point from the Access Point to Convert drop-down list.
5. Click Convert Now to complete the conversion. The W-IAP now operates in the stand-alone mode.
Figure 109 Rebooting the W-IAP

3. In the W-IAP list, select the W-IAP that you want to reboot and click Reboot selected Access Point. To reboot all the W-IAPs in the network, click Reboot All.
4. The Confirm Reboot for AP message is displayed. Click Reboot Now to proceed. The Reboot in Progress message is displayed indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete.
Chapter 32 Monitoring Devices and Logs

This chapter describes the following topics:
- Configuring SNMP on page 361
- Configuring a Syslog Server on page 365
- Configuring TFTP Dump Server on page 366
- Running Debug Commands on page 367
- Uplink Bandwidth Monitoring on page 371

Configuring SNMP

This section provides the following information:
- SNMP Parameters for W-IAP on page 361
- Configuring SNMP on page 362
- Configuring SNMP Traps on page 364

SNMP Parameters for W-IAP

Instant supports
Table 77: SNMP Parameters for W-IAP
Parameter / Description
Authentication protocol password: If messages sent on behalf of this user can be authenticated, a (private) authentication key is used with the authentication protocol. This is a string password for MD5 or SHA based on the conditions mentioned above.
Privacy protocol: An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol that is used.
3. Click New under the Community Strings for SNMPv1 and SNMPv2 box.
4. Enter the string in the New Community String text box.
5. Click OK.
6. To delete a community string, select the string, and click Delete.

Creating Community Strings for SNMPv3 Using Instant UI

To create community strings for SNMPv3:
1. Click the System link on the Instant main window.
2. In the System window that is displayed, click the Monitoring tab.
3. Click New under the Users for SNMPV3 box.

Figure 111 SNMPv3 User

4.
Engine ID:D8C7C8C44298
Community Strings
-----------------
Name
----
SNMPv3 Users
------------
Name  Authentication Type  Encryption Type
----  -------------------  ---------------
SNMP Trap Hosts
---------------
IP Address  Version  Name  Port  Inform
----------  -------  ----  ----  ------

Configuring SNMP Traps

Instant supports the configuration of external trap receivers. Only the W-IAP acting as the VC generates traps. The traps for the W-IAP cluster are generated with the VC IP as the source IP, if a VC IP is configured.
Configuring a Syslog Server

You can specify a syslog server for sending syslog messages to external servers by using the Instant UI or the CLI.

In the Instant UI

To configure a Syslog server and Syslog facility levels:
1. In the Instant main window, click the System link.
2. Click Show advanced options to display the advanced options.
3. Click the Monitoring tab.

Figure 112 Syslog Server

4. In the Syslog server text box, enter the IP address of the server to which you want to send system logs.
- Wireless—Log about radio.

The following table describes the logging levels in order of severity, from the most to the least severe.

Table 78: Logging Levels
Logging Level / Description
Emergency: Panic conditions that occur when the system becomes unusable.
Alert: Any condition requiring immediate attention and correction.
Critical: Any critical conditions such as a hard drive error.
Errors: Error conditions.
Warning: Warning messages.
In the Instant UI

To configure a TFTP server:
1. In the Instant main window, click the System link.
2. Click Show advanced options to display the advanced options.
3. Click the Monitoring tab.
4. Enter the IP address of the TFTP server in the TFTP Dump Server text box.
5. Click OK.

In the CLI

To configure a TFTP server:

(Instant AP)(config)# tftp-dump-server
(Instant AP)(config)# end
(Instant AP)# commit apply

Running Debug Commands

To run the debugging commands from the UI:
1.
AP commands:
- ARM Channels
- ARM Configuration
- ARM History
- ARM Neighbors
- ARM RF Summary
- ARM Scan Times
- ARP Table
- Association Table
- Authentication Frames
- Auth-Survivability Cache
- Auth-Survivability Debug Log
- BSSID Table
- Captive Portal Domains
- Captive Portal Auto White List
- Client Match Status
- Client Match History
- Client Match Action
- Client
AP commands (continued): Log AP-Debug Log Conversion Log Driver Log Kernel Log Network Log PPPd Log Rapper Log Rapper Counter Log Rapper Brief Log Sapd Log Security Log System Log Tunnel Status Management Log Upgrade Log User-Debug Log User Log VPN Tunnel Log Wireless Management Frames Memory Allocation State Dumps Memory Utilization Mesh Counters
AP and VC commands:
- Wired User Table
- Checksum
- Spectrum AP table
- Spectrum channel table
- Spectrum channel metrics
- Spectrum channel summary
- Spectrum client table
- Spectrum device duty cycle
- Spectrum non-wifi device history
- Spectrum non-wifi device table
- Spectrum non-wifi device log
- Spectrum number of device
- Spectrum interference-power table
- Spectr
VC commands:
- Uplink Management Configuration: show uplink config
- WISPr Configuration: show wispr config
- XML API Server Information: show xml-api-server
- rfc3576-radius statistics: show ap debug rfc3576-radius-statistics

Use the support commands under the supervision of Dell technical support.

Uplink Bandwidth Monitoring

A W-IAP uses Iperf3 as a TCP or UDP client to run a speed test and measure the bandwidth on an uplink.
--------
Type               Value
----               -----
VC package         0
RSSI package       0
APPRF package      0
URLv package       0
STATE package      0
STAT package       0
UPLINK BW package  0
Total              0
Chapter 33 Hotspot Profiles

This chapter contains the following topics:
- Understanding Hotspot Profiles on page 373
- Configuring Hotspot Profiles on page 375
- Sample Configuration on page 386

In the current release, Instant supports the hotspot profile configuration only through the CLI.

Understanding Hotspot Profiles

Hotspot 2.0 (Passpoint Release 1) is a Wi-Fi Alliance specification based on the 802.
A W-IAP can include its SP Organization Identifier (OI) indicating the identity of the SP in beacons and probe responses to clients. When a client recognizes a W-IAP's OI, it attempts to associate to that W-IAP using the security credentials corresponding to that SP. If the client does not recognize the AP’s OI, the client sends a Generic Advertisement Service (GAS) query to the W-IAP to request more information about the network before associating.
NAI Realm List

A Network Access Identifier (NAI) Realm profile identifies and describes a NAI realm to which the clients can connect. The NAI realm settings on a W-IAP act as an advertisement profile to determine the NAI realm elements that must be included as part of a GAS Response frame.

Configuring Hotspot Profiles

To configure a hotspot profile, perform the following steps:
1. Create the required ANQP and H2QP advertisement profiles.
2. Create a hotspot profile.
3.
You can specify any of the following EAP methods for the nai-realm-eap-method command:
- identity—To use the EAP Identity type. The associated numeric value is 1.
- notification—To allow the hotspot realm to use EAP Notification messages for authentication. The associated numeric value is 2.
- one-time-password—To use authentication with a single-use password. The associated numeric value is 5.
- generic-token-card—To use EAP Generic Token Card (EAP-GTC). The associated numeric value is 6.
Table 79: NAI Realm Profile Configuration Parameters
Authentication ID / Authentication Value
eap-inner-auth: Uses EAP inner authentication type. The associated numeric value is 3.
The following authentication values apply:
- reserved—The associated numeric value is 0.
- pap—The associated numeric value is 1.
- chap—The associated numeric value is 2.
- mschap—The associated numeric value is 3.
- mschapv2—The associated numeric value is 4.
You can specify any of the following venue groups and the corresponding venue types:

Table 80: Venue Types
Venue Group / Associated Venue Type Value
unspecified (the associated numeric value is 0): —
assembly (the associated numeric value is 1):
- unspecified—The associated numeric value is 0.
- arena—The associated numeric value is 1.
- stadium—The associated numeric value is 2.
- passenger-terminal—The associated numeric value is 3.
- amphitheater—The associated numeric value is 4.
Table 80: Venue Types
Venue Group / Associated Venue Type Value
(the associated numeric value is 5):
- hospital—The associated numeric value is 1.
- long-term-care—The associated numeric value is 2.
- alc-drug-rehab—The associated numeric value is 3.
- group-home—The associated numeric value is 4.
- prison-or-jail—The associated numeric value is 5.
mercantile (the associated numeric value is 6):
- unspecified—The associated numeric value is 0.
- retail-store—The associated numeric value is 1.
Configuring a Network Authentication Profile

You can configure a network authentication profile to define the authentication type used by the hotspot network.
Configuring an IP Address Availability Profile

You can configure the available IP address types to send information on IP address availability as an ANQP IE in a GAS query response.
(Instant AP)(operator-class )# op-class
(Instant AP)(operator-class )# enable
(Instant AP)(operator-class )# end
(Instant AP)# commit apply

Configuring a WAN Metrics Profile

You can configure a WAN metrics profile to define information about access network characteristics such as link status and metrics.
(Instant AP)(Hotspot2.0 )# enable
(Instant AP)(Hotspot2.0 )# end
(Instant AP)# commit apply

The hotspot profile configuration parameters are described in the following table:

Table 81: Hotspot Profile Configuration Parameters

Parameter: access-network-type
Description: Specify any of the following 802.11u network types.
- private: This network is accessible for authorized users only. For example, home networks or enterprise networks that require user authentication.
Table 81: Hotspot Profile Configuration Parameters (continued)

Parameter: group-frame-block
Description: Enable this parameter if you want to stop the W-IAP from forwarding downstream group-addressed frames.

Parameter: hessid
Description: Specify a Homogenous Extended Service Set Identifier (HESSID) in hexadecimal format, with the octets separated by colons.

Parameter: internet
Description: Specify this parameter to allow the W-IAP to send an Information Element (IE) indicating that the network allows Internet access.
Associating an Advertisement Profile to a Hotspot Profile
To associate a hotspot profile with an advertisement profile:
(Instant AP)(config)# hotspot hs-profile
(Instant AP)(Hotspot2.0 )# advertisement-protocol
(Instant AP)(Hotspot2.0 )# advertisement-profile anqp-3gpp
(Instant AP)(Hotspot2.0 )# advertisement-profile anqp-domain-name
(Instant AP)(Hotspot2.
Sample Configuration
Step 1: Creating ANQP and H2QP Advertisement Profiles
(Instant AP)# configure terminal
(Instant AP)(config)# hotspot anqp-nai-realm-profile nr1
(Instant AP)(nai-realm "nr1")# nai-realm-name name1
(Instant AP)(nai-realm "nr1")# nai-realm-encoding utf8
(Instant AP)(nai-realm "nr1")# nai-realm-eap-method eap-sim
(Instant AP)(nai-realm "nr1")# nai-realm-auth-id-1 non-eap-inner-auth
(Instant AP)(nai-realm "nr1")# nai-realm-auth-value-1 mschapv2
(Instant AP)(nai-realm "nr1")# nai-ho
(Instant AP)(config)# hotspot h2qp-oper-class-profile
(Instant AP)(operator-class )# op-class
(Instant AP)(operator-class )# enable
(Instant AP)(operator-class )# exit
(Instant AP)(config)# hotspot h2qp-wan-metrics-profile
(Instant AP)(WAN-metrics )# at-capacity
(Instant AP)(WAN-metrics )# downlink-load
(Instant AP)(WAN-metrics )# downlink-speed
(Instant AP)(WAN-metrics )# lo
(Instant AP)(SSID Profile "ssidProfile1")#
ClearPass Guest Setup
This chapter consists of the following topics:
Configuring ClearPass Guest on page 389
Verifying ClearPass Guest Setup on page 392
Troubleshooting on page 392

Configuring ClearPass Guest
To configure ClearPass Guest:
1. From the ClearPass Guest UI, navigate to Administration > AirGroup Services.
2. Click Configure AirGroup Services.
Figure 113 Configure AirGroup Services
3. Click Add a new controller.
4. Update the parameters with appropriate values.

Figure 114 Configuration > Identity > Local Users Selection
2. Click Add User.
3. Create an AirGroup Administrator by entering the required values.
Figure 115 Create an AirGroup Administrator
4. Click Add.
5. Now click Add User to create an AirGroup Operator.
Figure 116 Create an AirGroup Operator
6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
Figure 117 Local Users UI Screen
7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in.
8. After logging in, click Create Device.
Figure 118 Create a Device
The Register Shared Device page is displayed.
Figure 119 ClearPass Guest- Register Shared Device
For this test, add your AppleTV device name and MAC address but leave all other boxes empty.
9. Click Register Shared Device.

Verifying ClearPass Guest Setup
To verify the setup:
1. Disconnect your AppleTV and OSX Mountain Lion/iOS 6 devices if they were previously connected to the wireless network.

Problem: Limiting devices has no effect.
Solution: Ensure IPv6 is disabled.

Problem: Apple Macintosh running Mountain Lion can use AirPlay but iOS devices cannot.
Solution: Ensure IPv6 is disabled.
Chapter 35 IAP-VPN Deployment Scenarios This section describes the most common IAP-VPN deployment models and provides information to carry out the necessary configuration procedures. The examples in this section refer to more than one DHCP profile and wired port configuration in addition to wireless SSID configuration. All these are optional. In most networks, a single DHCP profile and wireless SSID configuration referring to a DHCP profile is sufficient.
Scenario 1—IPsec: Single Datacenter Deployment with No Redundancy
This scenario includes the following configuration elements:
1. Single VPN primary configuration using IPsec.
2. Split-tunneling of client traffic.
3. Split-tunneling of DNS traffic from clients.
4. Distributed, L3 and Centralized, L2 mode DHCP.
5. RADIUS server within corporate network and authentication survivability for branch survivability.
6. Wired and wireless users in L2 and L3 modes, respectively.
7.
Table 84: W-IAP Configuration for Scenario 1—IPsec: Single Datacenter Deployment with No Redundancy

Configuration Steps | CLI Commands | UI Procedure

1. Configure the primary host for VPN with the Public VRRP IP address of the controller.
CLI:
(Instant AP)(config)# vpn primary
UI: See Configuring an IPsec Tunnel

2. Configure a routing profile to tunnel all 10.0.0.0/8 subnet traffic to controller.
CLI:
(Instant AP)(config)# routing-profile
(Instant AP)(routing-profile)# route 10.0.0.

Table 84 (continued)

CLI (continued):
(Instant AP)(Auth Server "server2")# acctport 1813
(Instant AP)(Auth Server "server2")# key "presharedkey"

6. Configure wired port and wireless SSIDs using the authentication servers. Configure wired ports to operate in L2 mode and associate Centralized, L2 mode VLAN 20 to the wired port profile.

Table 84 (continued)

CLI (continued):
(Instant AP)(Access Rule "wireless-ssid")# rule any any match any any any permit

NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the W-IAP cluster.
Scenario 2—IPsec: Single Datacenter with Multiple Controllers for Redundancy
This scenario includes the following configuration elements:
- A VRRP instance between the master/standby-master pair, which is configured as the primary VPN IP address.
- Tunneling of all traffic to datacenter.
- Exception route to bypass tunneling of RADIUS and W-AirWave traffic, which are locally reachable in the branch and the Internet, respectively.
- All client DNS queries are tunneled to the controller.
- 10.2.2.0/24 is a branch-owned subnet, which needs to override the global routing profile.
- 199.127.104.32 is used as an example IP address of the W-AirWave server in the Internet.

W-IAP Configuration
The following table provides information on the configuration steps performed through the CLI with example values. For information on the UI procedures, see the topics referenced in the UI Procedure column.
Table 85: W-IAP Configuration for Scenario 2—IPsec: Single Datacenter with Multiple Controllers for Redundancy

Configuration Steps | CLI Commands | UI Procedure

CLI (continued):
(Instant AP)(DHCP Profile "l3-dhcp")# client-count 200

NOTE: The IP range configuration on each branch will be the same. Each W-IAP will derive a smaller subnet based on the client count scope using the Branch ID (BID) allocated by the controller.

6. Create authentication servers for user authentication. The example in the next column assumes 802.

Table 85 (continued)

CLI (continued):
(Instant AP)(SSID Profile "guest")# auth-server server1
(Instant AP)(SSID Profile "guest")# auth-server server2
(Instant AP)(SSID Profile "guest")# captive-portal internal

NOTE: This example uses the internal captive portal with an external authentication server. You can also use an external captive portal instead.
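As an added example (not code from the Instant guide), the following Python models how the routing profiles in Scenarios 1 and 2 decide which traffic enters the IPsec tunnel: the broad tunnel route is overridden by the more specific branch-owned subnet and exception routes, so RADIUS and W-AirWave traffic stays out of the tunnel. The route tables, the "tunnel"/"bypass" action labels and the RADIUS host address are constructed here for illustration and are not Instant CLI syntax.

```python
"""Split-tunnel route decision for an IAP-VPN routing profile (added example).

Models the routing-profile behaviour described in Scenarios 1 and 2 as a
longest-prefix-match lookup. Route tables and action labels are constructed
for illustration; they are not Instant CLI syntax.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str      # destination in CIDR notation
    action: str      # "tunnel" (IPsec to controller) or "bypass" (local / NAT)
    note: str = ""   # free-text reason, for audit output


def resolve(routes: Iterable[Route], dst: str) -> Optional[Route]:
    """Return the most specific route matching dst, or None if nothing matches.

    The longest prefix wins, which is what lets a /24 branch-owned subnet or a
    /32 exception route override a /8 or default tunnel route.
    """
    addr = ip_address(dst)
    best = None
    for r in routes:
        net = ip_network(r.prefix, strict=False)
        if addr in net and (
            best is None or net.prefixlen > ip_network(best.prefix, strict=False).prefixlen
        ):
            best = r
    return best


def decide(routes: Iterable[Route], dst: str) -> str:
    """Map a destination to its action; unmatched traffic is handled locally."""
    r = resolve(routes, dst)
    return r.action if r else "bypass"


def audit(routes: Iterable[Route], expectations: dict) -> list:
    """Return the destinations whose resolved action differs from the operator's intent."""
    routes = list(routes)
    return [d for d, want in expectations.items() if decide(routes, d) != want]


# Scenario 1: tunnel only the 10.0.0.0/8 corporate subnet; everything else stays local.
SCENARIO1 = [Route("10.0.0.0/8", "tunnel", "corporate network via controller")]

# Scenario 2: tunnel all traffic, except the branch-owned 10.2.2.0/24 (where the
# RADIUS server lives) and the W-AirWave server at 199.127.104.32 on the Internet.
SCENARIO2 = [
    Route("0.0.0.0/0", "tunnel", "default: all traffic to the datacenter"),
    Route("10.2.2.0/24", "bypass", "branch-owned subnet overrides the global profile"),
    Route("199.127.104.32/32", "bypass", "W-AirWave reachable on the Internet"),
]

if __name__ == "__main__":
    # 10.2.2.10 is a constructed RADIUS host address inside the branch-owned subnet.
    for dst in ("10.16.5.9", "8.8.8.8", "10.2.2.10", "199.127.104.32"):
        print(f"scenario1 {dst:16} -> {decide(SCENARIO1, dst)}")
        print(f"scenario2 {dst:16} -> {decide(SCENARIO2, dst)}")
    # Check that RADIUS and W-AirWave are not dragged into the tunnel in Scenario 2.
    intent = {"10.2.2.10": "bypass", "199.127.104.32": "bypass", "10.16.5.9": "tunnel"}
    print("mismatches:", audit(SCENARIO2, intent))
```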
Scenario 3—IPsec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy
This scenario includes the following configuration elements:
- Multiple controller deployment model with controllers in different data centers operating as primary/backup VPN with Fast Failover and preemption enabled.
- Split-tunneling of traffic.
- Split-tunneling of client DNS traffic.
- Two Distributed, L3 mode DHCPs, one each for employees and contractors; and one Local mode DHCP server.
- 10.40.0.0/16 subnet is reserved for L3 mode, used by the Contractor SSID.
- 172.16.20.0/24 subnet is used for NAT mode, used for the wired network.
- Client count in each branch is 200.
- Contractors are only permitted to reach the 10.16.0.0/16 network.

W-IAP Configuration
This section provides information on configuration steps performed through the CLI and the UI.

Table 86: W-IAP Configuration for Scenario 3—IPsec: Multiple Datacenter Deployment

Configuration Steps | CLI Commands | UI Procedure

1.

Table 86 (continued)

CLI (continued):
(Instant AP)(DHCP profile "l3-dhcp")# domain-name corpdomain.com
(Instant AP)(DHCP profile "l3-dhcp")# client-count 200
Local profile with VLAN 20:
(Instant AP)(config)# ip dhcp local
(Instant AP)(DHCP profile "local")# Local
(Instant AP)(DHCP profile "local")#
(Instant AP)(DHCP profile "local")# 172.16.20.1
(Instant AP)(DHCP profile "local")# 255.255.255.

Table 86 (continued)

CLI (continued):
(Instant AP)(wired-port-profile "wired-port")# auth-server server2
(Instant AP)(wired-port-profile "wired-port")# dot1x
(Instant AP)(wired-port-profile "wired-port")# exit
(Instant AP)(config)# enet1-port-profile wired-port

Configure a wireless SSID to operate in L3 mode for employees and associate Distributed, L3 mode VLAN 30 to the WLAN SSID profile.

Table 86 (continued)

... 10.16.0.0/16 network; the source address of all other traffic is translated and the global routing profile definition is bypassed.
Scenario 4—GRE: Single Datacenter Deployment with No Redundancy
This scenario includes the following configuration elements:
- Single VPN primary configuration using GRE:
  - Aruba GRE, which does not require any configuration on the Dell Networking W-Series Mobility Controller that acts as a GRE endpoint.
  - Manual GRE, which requires GRE tunnels to be explicitly configured on the GRE endpoint, which can be a Dell Networking W-Series Mobility Controller or any device that supports GRE termination.

W-IAP Configuration
This section provides information on configuration steps performed by using the CLI and the UI.

Table 87: W-IAP Configuration for Scenario—GRE: Single Datacenter Deployment with No Redundancy

Configuration Steps | CLI Commands | UI Procedure

1. Configure Aruba GRE or manual GRE
CLI: Aruba GRE configuration
UI: See Configuring Aruba GRE Parameters
- Aruba GRE uses an IPsec tunnel to facilitate controller configuration and requires VPN to be configured.

Table 87 (continued)

5. Create authentication servers for user authentication. The example in the next column assumes 802.1X SSID.
CLI:
(Instant AP)(config)# wlan auth-server server1
(Instant AP)(Auth Server "server1")# ip 10.2.2.

Table 87 (continued)

CLI (continued):
(Instant AP)(SSID Profile "wireless-ssid")# auth-survivability

7. Create access rule for wired and wireless authentication.
Table 88: List of Terms

802.11: An evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.

802.11a: Provides specifications for wireless systems. Networks using 802.11a operate at radio frequencies in the 5 GHz band.

ad-hoc network: A LAN or other small network, especially one with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in some close proximity to the rest of the network.

band: A specified range of frequencies of electromagnetic radiation.

hotspot: A WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hot spot, contact it, and get connected through its network to reach the Internet and their own company remotely with a secure connection. Increasingly, public places, such as airports, hotels, and coffee shops are providing free wireless access for customers.

W-CDMA: Officially known as IMT-2000 direct spread; ITU standard derived from Code-Division Multiple Access (CDMA). Wideband code-division multiple access (W-CDMA) is a third-generation (3G) mobile wireless technology that promises much higher data speeds to mobile and portable wireless devices than commonly offered in today's market.

Wi-Fi: A term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard.
Acronyms and Abbreviations The following table lists the acronyms and abbreviations used in Aruba documents.
Table 89: List of Acronyms and Abbreviations

ANSI: American National Standards Institute
AP: Access Point
API: Application Programming Interface
ARM: Adaptive Radio Management
ARP: Address Resolution Protocol
AVF: AntiVirus Firewall
BCMC: Broadcast-Multicast
BGP: Border Gateway Protocol
BLE: Bluetooth Low Energy
BMC: Beacon Management Console
BPDU: Bridge Protocol Data Unit
BRAS: Broadband Remote Access Server
BRE: Basic Regular Expression
BSS: Basic Service
CHAP: Challenge Handshake Authentication Protocol
CIDR: Classless Inter-Domain Routing
CLI: Command-Line Interface
CN: Common Name
CoA: Change of Authorization
CoS: Class of Service
CPE: Customer Premises Equipment
CPsec: Control Plane Security
CPU: Central Processing Unit
CRC: Cyclic Redundancy Check
CRL: Certificate Revocation List
CSA: Channel Switch Announcement
CSMA/CA: Carrier Sense Multiple Access / Collisio
DFS: Dynamic Frequency Selection
DFT: Discrete Fourier Transform
DHCP: Dynamic Host Configuration Protocol
DLNA: Digital Living Network Alliance
DMO: Dynamic Multicast Optimization
DN: Distinguished Name
DNS: Domain Name System
DOCSIS: Data over Cable Service Interface Specification
DoS: Denial of Service
DPD: Dead Peer Detection
DPI: Deep Packet Inspection
DR: Designated Router
DRT: Downloadable Regulatory Table
EAP-MSCHAP, EAP-MSCHAPv2: EAP-Microsoft Challenge Handshake Authentication Protocol
EAPoL: EAP over LAN
EAPoUDP: EAP over UDP
EAP-PEAP: EAP-Protected EAP
EAP-PWD: EAP-Password
EAP-TLS: EAP-Transport Layer Security
EAP-TTLS: EAP-Tunneled Transport Layer Security
ECC: Elliptical Curve Cryptography
ECDSA: Elliptic Curve Digital Signature Algorithm
EIGRP: Enhanced Interior Gateway Routing Protocol
EIRP: Effective Isotropic
FRR: Frame Retry Rate
FSPL: Free Space Path Loss
FTP: File Transfer Protocol
GBps: Gigabytes per second
Gbps: Gigabits per second
GHz: Gigahertz
GIS: Generic Interface Specification
GMT: Greenwich Mean Time
GPP: Guest Provisioning Page
GPS: Global Positioning System
GRE: Generic Routing Encapsulation
GUI: Graphical User Interface
GVRP: GARP or Generic VLAN Registration Protocol
H2QP: Hotspot 2.
IEEE: Institute of Electrical and Electronics Engineers
IGMP: Internet Group Management Protocol
IGP: Interior Gateway Protocol
IGRP: Interior Gateway Routing Protocol
IKE PSK: Internet Key Exchange Pre-shared Key
IoT: Internet of Things
IP: Internet Protocol
IPM: Intelligent Power Monitoring
IPS: Intrusion Prevention System
IPsec: IP Security
ISAKMP: Internet Security Association and Key Management Protocol
ISP: In
LEEF: Long Event Extended Format
LI: Lawful Interception
LLDP: Link Layer Discovery Protocol
LLDP-MED: LLDP–Media Endpoint Discovery
LMS: Local Management Switch
LNS: L2TP Network Server
LTE: Long Term Evolution
MAB: MAC Authentication Bypass
MAC: Media Access Control
MAM: Mobile Application Management
MBps: Megabytes per second
Mbps: Megabits per second
MCS: Modulation and Coding Scheme
MD5: Message Digest 5
MDM:
MSS: Maximum Segment Size
MSSID: Mesh Service Set Identifier
MSTP: Multiple Spanning Tree Protocol
MTU: Maximum Transmission Unit
MU-MIMO: Multi-User Multiple-Input Multiple-Output
MVRP: Multiple VLAN Registration Protocol
NAC: Network Access Control
NAD: Network Access Device
NAK: Negative Acknowledgment Code
NAP: Network Access Protection
NAS: Network Access Server; Network-attached Storage
NAT: Network Address Tra
OKC: Opportunistic Key Caching
OS: Operating System
OSPF: Open Shortest Path First
OUI: Organizationally Unique Identifier
OVA: Open Virtual Appliance
OVF: Open Virtualization Format
PAC: Protected Access Credential
PAP: Password Authentication Protocol
PAPI: Proprietary Access Protocol Interface
PCI: Peripheral Component Interconnect
PDU: Power Distribution Unit
PEAP: Protected Extensible Authentication Protocol
P
PPPoE: PPP over Ethernet
PPTP: PPP Tunneling Protocol
PRNG: Pseudo-Random Number Generator
PSK: Pre-Shared Key
PSU: Power Supply Unit
PVST: Per VLAN Spanning Tree
QoS: Quality of Service
RA: Router Advertisement
RADAR: Radio Detection and Ranging
RADIUS: Remote Authentication Dial-In User Service
RAM: Random Access Memory
RAP: Remote AP
RAPIDS: Rogue Access Point and Intrusion Detection System
RARP: Reverse ARP
R
RTLS: Real-Time Location Systems
RTP: Real-Time Transport Protocol
RTS: Request to Send
RTSP: Real Time Streaming Protocol
RVI: Routed VLAN Interface
RW, RoW: Rest of World
SA: Security Association
SAML: Security Assertion Markup Language
SAN: Subject Alternative Name
SCB: Station Control Block
SCEP: Simple Certificate Enrollment Protocol
SCP: Secure Copy Protocol
SCSI: Small Computer System Interface
SDN: Software D
SMB: Small and Medium Business
SMB: Server Message Block
SMS: Short Message Service
SMTP: Simple Mail Transport Protocol
SNIR: Signal-to-Noise-Plus-Interference Ratio
SNMP: Simple Network Management Protocol
SNR: Signal-to-Noise Ratio
SNTP: Simple Network Time Protocol
SOAP: Simple Object Access Protocol
SoC: System on a Chip
SoH: Statement of Health
SSH: Secure Shell
SSID: Service Set Identifier
SSL: Secure Socke
TIM: Traffic Indication Map
TKIP: Temporal Key Integrity Protocol
TLS: Transport Layer Security
TLV: Type-length-value
ToS: Type of Service
TPC: Transmit Power Control
TPM: Trusted Platform Module
TSF: Timing Synchronization Function
TSPEC: Traffic Specification
TTL: Time to Live
TTLS: Tunneled Transport Layer Security
TXOP: Transmission Opportunity
U-APSD: Unscheduled Automatic Power Save Delivery
UCC: Unified Co
VBR: Virtual Beacon Report
VHT: Very High Throughput
VIA: Virtual Intranet Access
VIP: Virtual IP Address
VLAN: Virtual Local Area Network
VM: Virtual Machine
VoIP: Voice over IP
VoWLAN: Voice over Wireless Local Area Network
VPN: Virtual Private Network
VRD: Validated Reference Design
VRF: Visual RF
VRRP: Virtual Router Redundancy Protocol
VSA: Vendor-Specific Attributes
VTP: VLAN Trunking Protocol
WAN: Wide Are
WMM: Wi-Fi Multimedia
WMS: WLAN Management System
WPA: Wi-Fi Protected Access
WSDL: Web Service Description Language
WWW: World Wide Web
WZC: Wireless Zero Configuration
XAuth: Extended Authentication
XML: Extensible Markup Language
XML-RPC: XML Remote Procedure Call
ZTP: Zero Touch Provisioning

Glossary
The following table lists the terms and their definitions used in this document.
Table 90: List of Terms

802.11g: Offers transmission over relatively short distances at up to 54 Mbps, compared with the 11 Mbps theoretical maximum of 802.11b. 802.11g operates in the 2.4 GHz band and employs orthogonal frequency division multiplexing (OFDM), the modulation scheme used in 802.11a, to obtain higher data speed. Computers or terminals set up for 802.11g can fall back to speeds of 11 Mbps, so that 802.11b and 802.11g devices can be compatible within a single network.

802.

DNS Server: A Domain Name System (DNS) server functions as a phonebook for the Internet and Internet users. It converts human readable computer hostnames into IP addresses and vice-versa. A DNS server stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records.

(continued) The choice of endspan or midspan depends on the capabilities of the switch to which the W-IAP is connected. Typically, if a switch is in place and does not support PoE, midspan power injectors are used.

PPPoE: Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the Internet typically used with DSL services where the client connects to the DSL modem.

WEP: Wired equivalent privacy (WEP) is a security protocol specified in 802.11b, designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN.