Users Guide
Table Of Contents
- Contents
- About this Guide
- The Basic User-Centric Networks
- Understanding Basic Deployment and Configuration Tasks
- Configuring the Controller
- W-7000 Series and W-7200 Series Controller
- Using the LCD Screen
- Configuring a VLAN to Connect to the Network
- Creating, Updating, and Viewing VLANs and Associated IDs
- Creating, Updating, and Deleting VLAN Pools
- Assigning and Configuring the Trunk Port
- Configuring the Default Gateway
- Configuring the Loopback IP Address for the Controller
- Configuring the System Clock
- Installing Licenses
- Connecting the Controller to the Network
- Enabling Wireless Connectivity
- Enabling Wireless Connectivity
- Configuring Your User-Centric Network
- Replacing a Controller
- Transferring Licenses
- Procedure Overview
- Change the VRRP Priorities for a Redundant Master Pair
- Back Up the Flash File System
- Stage the New Controller
- Add Licenses to the New Controller
- Backup Newly Installed Licenses
- Import and Restore Flash Backup
- Restore Licenses
- Reboot the Controller
- Modify the Host Name
- Modify Topology Settings
- Save your Configuration
- Remove the Existing Controller
- Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Managing AP Whitelists
- Managing Whitelists on Master and Local Controllers
- Working in Environments with Multiple Master Controllers
- Replacing a Controller on a Multi-Controller Network
- Configuring Control Plane Security after Upgrading
- Troubleshooting Control Plane Security
- Software Licenses
- Understanding License Terminology
- Working with Licenses
- Centralized Licensing in a Multi-Controller Network
- Using Licenses
- Understanding License Interaction
- License Installation Best Practices and Exceptions
- Installing a License
- Deleting a License
- Moving Licenses
- Resetting the Controller
- Network Configuration Parameters
- Configuring VLANs
- Configuring Ports
- Understanding VLAN Assignments
- VLAN Derivation Priorities for VLAN types
- How a VLAN Obtains an IP Address
- Assigning a Static Address to a VLAN
- Configuring a VLAN to Receive a Dynamic Address
- Configuring Multiple Wired Uplink Interfaces (Active-Standby)
- Enabling the DHCP Client
- Enabling the PPPoE Client
- Default Gateway from DHCP/PPPoE
- Configuring DNS/WINS Server from DHPC/PPPoE
- Configuring Source NAT to Dynamic VLAN Address
- Configuring Source NAT for VLAN Interfaces
- Inter-VLAN Routing
- Configuring Static Routes
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
- Configuring GRE Tunnels
- Configuring GRE Tunnel Groups
- Jumbo Frame Support
- IPv6 Support
- Understanding IPv6 Notation
- Understanding IPv6 Topology
- Enabling IPv6
- Enabling IPv6 Support for Controller and APs
- Filtering an IPv6 Extension Header (EH)
- Configuring a Captive Portal over IPv6
- Working with IPv6 Router Advertisements (RAs)
- RADIUS Over IPv6
- TACACS Over IPv6
- DHCPv6 Server
- Understanding ArubaOS Supported Network Configuration for IPv6 Clients
- Understanding ArubaOS Authentication and Firewall Features that Support IPv6
- Managing IPv6 User Addresses
- Understanding IPv6 Exceptions and Best Practices
- Link Aggregation Control Protocol
- OSPFv2
- Tunneled Nodes
- Authentication Servers
- Understanding Authentication Server Best Practices and Exceptions
- Understanding Servers and Server Groups
- Configuring Authentication Servers
- Configuring a RADIUS Server
- RADIUS Service-Type Attribute
- Enabling Radsec on RADIUS Servers
- Configuring Username and Password for CPPM Authentication
- Configuring an RFC-3576 RADIUS Server
- Configuring an RFC-3576 RADIUS Server with Radsec
- Configuring an LDAP Server
- Configuring a TACACS+ Server
- Configuring a Windows Server
- Managing the Internal Database
- Configuring Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
- Authentication Server Load Balancing
- MAC-based Authentication
- Branch Controller Config for Controllers
- Branch Deployment Features
- WAN Failure (Authentication) Survivability
- Supported Client and Authentication Types
- Administrative Functions
- Enabling Authentication Survivability on a Local Branch Controller
- Configuring the Survival Server Certificate
- Configuring the Lifetime of the Authentication Survivability Cache
- User Credential and Key Reply Attributes Are Saved Automatically
- Expired User Credential and Key Reply Attributes Are Purged Automatically
- About the Survival Server
- Trigger Conditions for Critical Actions
- Authentication for Captive Portal Clients
- Authentication for 802.1X Clients
- Authentication for MAC Address-Based Clients
- Authentication for WISPr Clients
- WAN Health Check
- WAN Optimization through IP Payload Compression
- Interface Bandwidth Contracts
- Integration with a Palo Alto Networks (PAN) Portal
- Branch Controller Routing Features
- Zero-Touch Provisioning
- Using Smart Config to create a Branch Config Group
- PortFast and BPDU Guard
- Preventing WAN Link Failure on Virtual APs
- Branch WAN Dashboard Changes
- 802.1X Authentication
- Understanding 802.1X Authentication
- Configuring 802.1X Authentication
- Enabling 802.1x Supplicant Support on an AP
- Sample Configurations
- Configuring Authentication with an 802.1X RADIUS Server
- Configuring Roles and Policies
- Configuring the RADIUS Authentication Server
- Configuring 802.1X Authentication
- Configuring VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Configuring Authentication with the Controller’s Internal Database
- Configuring the Internal Database
- Configuring 802.1x Authentication
- Configuring VLANs
- Configuring WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Configuring Mixed Authentication Modes
- Performing Advanced Configuration Options for 802.1X
- Application Single Sign-On Using L2 Authentication
- Stateful and WISPr Authentication
- Certificate Revocation
- Captive Portal Authentication
- Understanding Captive Portal
- Configuring Captive Portal in the Base Operating System
- Using Captive Portal with a PEFNG License
- Sample Authentication with Captive Portal
- Configuring Guest VLANs
- Configuring Captive Portal Authentication Profiles
- Enabling Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Creating and Installing an Internal Captive Portal
- Creating Walled Garden Access
- Enabling Captive Portal Enhancements
- Configuring the Redirect-URL
- Configuring the Login URL
- Defining Netdestination Descriptions
- Configuring a Whitelist
- Configuring the Netdestination for a Whitelist:
- Associating a Whitelist to Captive Portal Profile
- Applying a Captive Portal Profile to a User-Role
- Verifying a Whitelist Configuration
- Verifying a Captive Portal Profile Linked to a Whitelist
- Verifying Dynamic ACLs for a Whitelist
- Verifying DNS Resolved IP Addresses for Whitelisted URLs
- Bypassing Captive Portal Landing Page
- Virtual Private Networks
- Planning a VPN Configuration
- Working with VPN Authentication Profiles
- Configuring a Basic VPN for L2TP/IPsec in the WebUI
- Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI
- Configuring a VPN for Smart Card Clients
- Configuring a VPN for Clients with User Passwords
- Configuring Remote Access VPNs for XAuth
- Working with Remote Access VPNs for PPTP
- Working with Site-to-Site VPNs
- Working with VPN Dialer
- Roles and Policies
- Configuring Firewall Policies
- User Roles
- Assigning User Roles
- Understanding Global Firewall Parameters
- Using AppRF 2.0
- ClearPass Policy Manager Integration
- Virtual APs
- Virtual AP Configuration Workflow
- Virtual AP Profiles
- Changing a Virtual AP Forwarding Mode
- Radio Resource Management (802.11k)
- BSS Transition Management (802.11v)
- Fast BSS Transition ( 802.11r)
- SSID Profiles
- WLAN Authentication
- High-Throughput Virtual APs
- Guest WLANs
- Changing a Virtual AP Forwarding Mode
- Adaptive Radio Management
- ARM Feature Overviews
- Configuring ARM Settings
- ARM Troubleshooting
- Understanding ARM
- Client Match
- ARM Coverage and Interference Metrics
- Configuring ARM Profiles
- Assigning an ARM Profile to an AP Group
- Using Multi-Band ARM for 802.11a/802.11g Traffic
- Band Steering
- Enabling Traffic Shaping
- Spectrum Load Balancing
- Reusing Channels to Control RX Sensitivity Tuning
- Configuring Non-802.11 Noise Interference Immunity
- Troubleshooting ARM
- Wireless Intrusion Prevention
- Working with the Reusable Wizard
- Monitoring the Dashboard
- Detecting Rogue APs
- Working with Intrusion Detection
- Understanding Infrastructure Intrusion Detection
- Detecting an 802.11n 40MHz Intolerance Setting
- Detecting Active 802.11n Greenfield Mode
- Detecting Ad hoc Networks
- Detecting an Ad hoc Network Using a Valid SSID
- Detecting an AP Flood Attack
- Detecting AP Impersonation
- Detecting AP Spoofing
- Detecting Bad WEP Initialization
- Detecting a Beacon Frame Spoofing Attack
- Detecting a Client Flood Attack
- Detecting a CTS Rate Anomaly
- Detecting an RTS Rate Anomaly
- Detecting Devices with an Invalid MAC OUI
- Detecting an Invalid Address Combination
- Detecting an Overflow EAPOL Key
- Detecting Overflow IE Tags
- Detecting a Malformed Frame-Assoc Request
- Detecting Malformed Frame-Auth
- Detecting a Malformed Frame-HT IE
- Detecting a Malformed Frame-Large Duration
- Detecting a Misconfigured AP
- Detecting a Windows Bridge
- Detecting a Wireless Bridge
- Detecting Broadcast Deauthentication
- Detecting Broadcast Disassociation
- Detecting Netstumbler
- Detecting Valid SSID Misuse
- Detecting Wellenreiter
- Understanding Client Intrusion Detection
- Detecting a Block ACK DoS
- Detecting a ChopChop Attack
- Detecting a Disconnect Station Attack
- Detecting an EAP Rate Anomaly
- Detecting a FATA-Jack Attack Structure
- Detecting a Hotspotter Attack
- Detecting a Meiners Power Save DoS Attack
- Detecting an Omerta Attack
- Detecting Rate Anomalies
- Detecting a TKIP Replay Attack
- Detecting Unencrypted Valid Clients
- Detecting a Valid Client Misassociation
- Detecting an AirJack Attack
- Detecting ASLEAP
- Detecting a Null Probe Response
- Understanding Infrastructure Intrusion Detection
- Configuring Intrusion Protection
- Understanding Infrastructure Intrusion Protection
- Protecting 40MHz 802.11 High Throughput Devices
- Protecting 802.11n High Throughput Devices
- Protecting Against Adhoc Networks
- Protecting Against AP Impersonation
- Protecting Against Misconfigured APs
- Protecting Against Wireless Hosted Networks
- Protecting SSIDs
- Protecting Against Rogue Containment
- Protecting Against Suspected Rogue Containment
- Protection against Wired Rogue APs
- Understanding Client Intrusion Protection
- Warning Message for Containment Features
- Understanding Infrastructure Intrusion Protection
- Configuring the WLAN Management System (WMS)
- Understanding Client Blacklisting
- Working with WIP Advanced Features
- Configuring TotalWatch
- Administering TotalWatch
- Tarpit Shielding Overview
- Configuring Tarpit Shielding
- Access Points
- Basic Functions and Features
- Naming and Grouping APs
- Understanding AP Configuration Profiles
- Before you Deploy an AP
- Enable Controller Discovery
- Enable DHCP to Provide APs with IP Addresses
- AP Provisioning Profiles
- Configuring Installed APs
- Optional AP Configuration Settings
- RF Management
- Optimizing APs Over Low-Speed Links
- AP Scanning Optimization
- Channel Group Scanning
- Configuring AP Channel Assignments
- Managing AP Console Settings
- Link Aggregation Support on W-AP220 Series and W-AP270 Series
- Service Tag
- Secure Enterprise Mesh
- Mesh Overview Information
- Mesh Configuration Procedures
- Understanding Mesh Access Points
- Understanding Mesh Links
- Understanding Mesh Profiles
- Understanding Remote Mesh Portals (RMPs)
- Understanding the AP Boot Sequence
- Mesh Deployment Solutions
- Mesh Deployment Planning
- Configuring Mesh Cluster Profiles
- Creating and Editing Mesh Radio Profiles
- Creating and Editing Mesh High-Throughput SSID Profiles
- Configuring Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- Verifying Your Mesh Network
- Configuring Remote Mesh Portals (RMPs)
- Creating a Remote Mesh Portal In the WebUI
- Step 1: Provision the AP
- Step 2: Define the Mesh Private VLAN in the Mesh Radio Profile
- Step 3: Assign the Mesh Radio Profile to a Remote Mesh AP
- Step 4: Assign an RF Management Profile to a Remote Mesh AP
- Step 5: Assign a Mesh Cluster Profile
- Step 6: Configuring a DHCP Pool
- Step 7: Configuring the VLAN ID of the Virtual AP Profile
- Provisioning a Remote Mesh Portal In the CLI
- Creating a Remote Mesh Portal In the WebUI
- Increasing Network Uptime Through Redundancy and VRRP
- High Availability
- VRRP-Based Redundancy
- High Availability Deployment Models
- Client State Synchronization
- High Availability Inter-Controller Heartbeats
- High Availability Extended Controller Capacity
- Configuring High Availability
- Migrating from VRRP or Backup-LMS Redundancy
- Configuring VRRP Redundancy
- RSTP
- PVST+
- Link Layer Discovery Protocol
- IP Mobility
- External Firewall Configuration
- Palo Alto Networks Firewall Integration
- Remote Access Points
- About Remote Access Points
- Configuring the Secure Remote Access Point Service
- Deploying a Branch/Home Office Solution
- Enabling Remote AP Advanced Configuration Options
- Understanding Remote AP Modes of Operation
- Working in Fallback Mode
- Configuring Fallback Mode
- Configuring the DHCP Server on the Remote AP
- Configuring Advanced Backup Options
- Specifying the DNS Controller Setting
- Backup Controller List
- Configuring Remote AP Failback
- Enabling RAP Local Network Access
- Configuring Remote AP Authorization Profiles
- Working with Access Control Lists and Firewall Policies
- Understanding Split Tunneling
- Understanding Bridge
- Provisioning Wi-Fi Multimedia
- Reserving Uplink Bandwidth
- Provisioning 4G USB Modems on Remote Access Points
- Provisioning RAPs at Home
- Configuring W-IAP3WN and W-IAP3WNP Access Points
- Converting an IAP to RAP or CAP
- Enabling Bandwidth Contract Support for RAPs
- Virtual Intranet Access
- Spectrum Analysis
- Understanding Spectrum Analysis
- Creating Spectrum Monitors and Hybrid APs
- Connecting Spectrum Devices to the Spectrum Analysis Client
- Configuring the Spectrum Analysis Dashboards
- Customizing Spectrum Analysis Graphs
- Working with Non-Wi-Fi Interferers
- Understanding the Spectrum Analysis Session Log
- Viewing Spectrum Analysis Data
- Recording Spectrum Analysis Data
- Troubleshooting Spectrum Analysis
- Verifying Spectrum Monitors Support for One Client per Radio
- Converting a Spectrum Monitor Back to an AP or Air Monitor
- Troubleshooting Browser Issues
- Loading a Spectrum View
- Troubleshooting Issues with Adobe Flash Player 10.1 or Later
- Understanding Spectrum Analysis Syslog Messages
- Playing a Recording in the RFPlayback Tool
- Dashboard Monitoring
- Management Access
- Configuring Certificate Authentication for WebUI Access
- Secure Shell (SSH)
- Enabling Public Key Authentication
- Enabling RADIUS Server Authentication
- Configuring RADIUS Server Username and Password Authentication
- Configuring RADIUS Server Authentication with VSA
- Configuring RADIUS Server Authentication with Server Derivation Rule
- Configuring a set-value server-derivation rule
- Disabling Authentication of Local Management User Accounts
- Verifying the configuration
- Resetting the Admin or Enable Password
- Bypassing the Enable Password Prompt
- Setting an Administrator Session Timeout
- Connecting to an W-AirWave Server
- Custom Certificate Support for RAP
- Implementing a Specific Management Password Policy
- Configuring AP Image Preload
- Configuring Centralized Image Upgrades
- Managing Certificates
- Configuring SNMP
- Enabling Capacity Alerts
- Configuring Logging
- Enabling Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- ClearPass Profiling with IF-MAP
- Whitelist Synchronization
- Downloadable Regulatory Table
- 802.11u Hotspots
- Hotspot 2.0 Pre-Deployment Information
- Hotspot Profile Configuration Tasks
- Hotspot 2.0 Overview
- Configuring Hotspot 2.0 Profiles
- Configuring Hotspot Advertisement Profiles
- Configuring ANQP Venue Name Profiles
- Configuring ANQP Network Authentication Profiles
- Configuring ANQP Domain Name Profiles
- Configuring ANQP IP Address Availability Profiles
- Configuring ANQP NAI Realm Profiles
- Configuring ANQP Roaming Consortium Profiles
- Configuring ANQP 3GPP Cellular Network Profiles
- Configuring H2QP Connection Capability Profiles
- Configuring H2QP Operator Friendly Name Profiles
- Configuring H2QP Operating Class Indication Profiles
- Configuring H2QP WAN Metrics Profiles
- Adding Local Controllers
- Advanced Security
- Securing Client Traffic
- Securing Controller-to-Controller Communication
- Configuring the Odyssey Client on Client Machines
- Voice and Video
- Voice and Video License Requirements
- Configuring Voice and Video
- Working with QoS for Voice and Video
- Unified Communication and Collaboration
- Understanding Extended Voice and Video Features
- Understanding QoS for Microsoft Lync and Apple Facetime
- Enabling WPA Fast Handover
- Enabling Mobile IP Home Agent Assignment
- Scanning for VoIP-Aware ARM
- Disabling Voice-Aware 802.1x
- Configuring SIP Authentication Tracking
- Enabling Real Time Call Quality Analysis
- Enabling SIP Session Timer
- Enabling Wi-Fi Edge Detection and Handover for Voice Clients
- Working with Dial Plan for SIP Calls
- Enabling Enhanced 911 Support
- Working with Voice over Remote Access Point
- Understanding Battery Boost
- Enabling LLDP
- Advanced Voice Troubleshooting
- AirGroup
- Zero Configuration Networking
- AirGroup Solution
- AirGroup Deployment Models
- Features Supported in AirGroup
- ClearPass Policy Manager and ClearPass Guest Features
- Auto-association and Controller-based Policy
- Best Practices and Limitations
- Integrated Deployment Model
- Master-Local Controller Synchronization
- Configuring an AirGroup Integrated Deployment Model
- Enabling or Disabling AirGroup Global Setting
- Enabling or Disabling mDNS and DLNA
- Viewing AirGroup Global Setting on Controller
- Defining an AirGroup Service
- Enabling the allowall Service
- Enabling or Disabling an AirGroup Service
- Viewing AirGroup Service Status
- Viewing Blocked Services
- Viewing AirGroup Service Details
- Configuring an AirGroup Domain
- Viewing an AirGroup Domain
- Configuring an AirGroup active-domain
- Viewing an AirGroup active-domains
- Viewing AirGroup VLAN Table
- Viewing AirGroup Multi-Controller Table
- Controller Dashboard Monitoring
- Configuring the AirGroup-CPPM Interface
- Bluetooth-Based Discovery and AirGroup
- AirGroup mDNS Static Records
- mDNS AP VLAN Aggregation
- mDNS Multicast Response Propagation
- Troubleshooting and Log Messages
- Instant AP VPN Support
- W-600 Series Controllers
- External Services Interface
- Sample ESI Topology
- Understanding the ESI Syslog Parser
- Configuring ESI
- Sample Route-Mode ESI Topology
- ESI server configuration on controller
- IP routing configuration on Fortinet gateway
- Configuring the Example Routed ESI Topology
- Health-Check Method, Groups, and Servers
- Defining the Ping Health-Check Method
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- Syslog Parser Domain and Rules
- Sample NAT-mode ESI Topology
- Understanding Basic Regular Expression (BRE) Syntax
- External User Management
- Behavior and Defaults
- DHCP with Vendor-Specific Options
- 802.1X Configuration for IAS and Windows Clients
- Acronyms and Terms
Understanding Match Types
l Eth-Wired-MAC: The MAC addresses of wired devices learned by an AP on its Ethernet interface.
l GW-Wired-MAC: The collection of Gateway MACs of all APs across the master and local controllers.
l AP-Wired-MAC: The MAC addresses of wired devices learned by monitoring traffic out of other valid and
rogue APs.
l Config-Wired-MAC: The MAC addresses that are configured by the user, typically that of well-known
servers in the network.
l Manual: User-triggered classification.
l External-Wired-MAC: The MAC address matched a set of known wired devices that are maintained in an
external database.
l Mobility-Manager: The classification was determined by the mobility manager, AMP.
l Classification-off: AP is classified as rogue because classification has been disabled, causing all non-
authorized APs to be classified as rogue.
l Propagated-Wired-MAC: The MAC addresses of wired devices learned by a different AP than the one that
uses it for classifying a rogue.
l Base-BSSID-Override: The classification was derived from another BSSID, which belongs to the same AP
that supports multiple BSSIDs on the radio interface.
l AP-Rule: A user-defined AP classification rule has matched.
l System-Wired-MAC: The MAC addresses of wired devices learned at the controller.
l System-Gateway-MAC: The Gateway MAC addresses learned at the controller.
Understanding Suspected Rogue Confidence Level
A suspected rogue AP is a potential threat to the WLAN infrastructure. A suspected rogue AP has a confidence
level associated with it. An AP can be marked as a suspected rogue if it is determined to be a potential threat on
the wired network, or if it matches a user-defined classification rule.
The suspected-rogue classification mechanisms are:
l Each mechanism that causes a suspected-rogue classification is assigned a confidence level increment of
20%.
l AP classification rules have a configured confidence level.
l When a mechanism matches a previously unmatched mechanism, the confidence level increment
associated with that mechanism is added to the current confidence level (the confidence level starts at
zero).
l The confidence level is capped at 100%.
l If your controller reboots, your suspected-rogue APs are not checked against any new rules that were
configured after the reboot. Without this restriction, all the mechanisms that classified your APs as
suspected-rogues may trigger again, causing the confidence level to surpass its cap of 100%. You can
explicitly mark an AP as “interfering” to trigger all new rules to match against it.
Understanding AP Classification Rules
AP classification rule configuration is performed only on a master controller. If AMP is enabled via the
mobility-manager command, then processing of the AP classification rules is disabled on the master
controller. A rule is identified by its ASCII character string name (32 characters maximum). The AP classification
rules have one of the following specifications:
l SSID of the AP
l SNR of the AP
l Discovered-AP-Count or the number of APs that can see the AP
Dell Networking W-Series ArubaOS 6.4.x | User Guide Wireless Intrusion Prevention | 538