Users Guide
190 | Secure Enterprise Mesh | Dell PowerConnect ArubaOS 5.0 | User Guide
You configure the AP for mesh on the controller using either the WebUI or the CLI. All mesh-related
configuration parameters are grouped into mesh profiles that you can apply as needed to an AP group or to
individual APs.
By default, APs operate as thin APs, which means their primary function is to receive and transmit
electromagnetic signals; other WLAN processing is left to the controller. When planning a mesh network, you
manually configure APs to operate in mesh portal or mesh point roles. Unlike a traditional WLAN environment,
local mesh nodes provide encryption and traffic forwarding for mesh links in a mesh environment. Virtual APs are
still applied to non-mesh radios.
Provisioning mesh APs is similar to provisioning thin APs; however, there are some key differences. Thin APs establish a
channel to the controller from which they receive the configuration for each radio interface. Mesh nodes, in
contrast, get their radio interfaces up and running before making contact with the controller. This requires a
minimum set of parameters from the AP group and mesh cluster that enables the mesh node to discover a
neighbor to create a mesh link and subsequent channel with the controller. To do this, you must first define and
configure the mesh cluster profile before configuring an AP to operate as a mesh node. This chapter first describes
how to configure the mesh profile, then describes how to configure APs to operate in mesh mode. If you have
already configured a complete mesh profile, continue to “Ethernet Ports for Mesh” on page 219 or “Provisioning
Mesh Nodes” on page 222.
Mesh Portals
The mesh portal (MPP) is the gateway between the wireless mesh network and the enterprise wired LAN. You
configure a Dell AP to perform the mesh portal role, which uses its wired interface to establish a link to the wired
LAN. You can deploy multiple mesh portals to support redundant mesh paths (mesh links between neighboring
mesh points that establish the best path to the mesh portal) from the wireless mesh network to the wired LAN.
The mesh portal broadcasts the configured mesh service set identifier (MSSID/mesh cluster name), and
advertises the mesh network service to available mesh points. Neighboring mesh points that have been
provisioned with the same MSSID authenticate to the portal and establish a secure mesh link over which traffic is
forwarded. The authentication process requires secure key negotiation, common to all APs, and the mesh link is
established and secured using Advanced Encryption Standard (AES) encryption. Mesh portals also propagate
channel information, including CSAs.
Mesh Points
The mesh point (MP) is a Dell AP configured for mesh and assigned the mesh point role. Depending on the AP
model, configuration parameters, and how it was provisioned, the mesh point can perform multiple tasks. The
mesh point provides traditional Dell WLAN services (such as client connectivity, intrusion detection system
capabilities, user role association, LAN-to-LAN bridging, and Quality of Service (QoS) for LAN-to-mesh
communication) to clients and performs mesh backhaul/network connectivity. A mesh radio can be configured to
carry mesh-backhaul traffic only. Additionally, a mesh point can provide LAN-to-LAN Ethernet bridging by
sending tagged/untagged VLAN traffic across a mesh backhaul/network to a mesh portal.
Mesh points use one of their wireless interfaces to carry traffic and reach the controller. Mesh points are also
aware of potential neighbors and can form new mesh links if the current mesh link is no longer preferred or
available.
Mesh Clusters
Mesh clusters are similar to an Extended Service Set (ESS) in a WLAN infrastructure. A mesh cluster is a logical
set of mesh nodes that share the common connection and security parameters required to create mesh links.
Mesh clusters are grouped and defined by a mesh cluster profile, as described in “Mesh Cluster Profile” on
page 193.
Mesh clusters may enforce predictability in mesh networking by limiting the number of concurrent mesh points,
hop counts, and bandwidth used in the mesh network. A mesh cluster can have multiple mesh portals and mesh