Users Guide
Table Of Contents
- Contents
- About this Guide
- The Basic User-Centric Networks
- Understanding Basic Deployment and Configuration Tasks
- Configuring the Controller
- W-7000 Series and W-7200 Series Controller
- Using the LCD Screen
- Configuring a VLAN to Connect to the Network
- Creating, Updating, and Viewing VLANs and Associated IDs
- Creating, Updating, and Deleting VLAN Pools
- Assigning and Configuring the Trunk Port
- Configuring the Default Gateway
- Configuring the Loopback IP Address for the Controller
- Configuring the System Clock
- Installing Licenses
- Connecting the Controller to the Network
- Enabling Wireless Connectivity
- Enabling Wireless Connectivity
- Configuring Your User-Centric Network
- Replacing a Controller
- Transferring Licenses
- Procedure Overview
- Change the VRRP Priorities for a Redundant Master Pair
- Back Up the Flash File System
- Stage the New Controller
- Add Licenses to the New Controller
- Backup Newly Installed Licenses
- Import and Restore Flash Backup
- Restore Licenses
- Reboot the Controller
- Modify the Host Name
- Modify Topology Settings
- Save your Configuration
- Remove the Existing Controller
- Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Managing AP Whitelists
- Managing Whitelists on Master and Local Controllers
- Working in Environments with Multiple Master Controllers
- Replacing a Controller on a Multi-Controller Network
- Configuring Control Plane Security after Upgrading
- Troubleshooting Control Plane Security
- Software Licenses
- Understanding License Terminology
- Working with Licenses
- Centralized Licensing in a Multi-Controller Network
- Using Licenses
- Understanding License Interaction
- License Installation Best Practices and Exceptions
- Installing a License
- Deleting a License
- Moving Licenses
- Resetting the Controller
- Network Configuration Parameters
- Configuring VLANs
- Configuring Ports
- Understanding VLAN Assignments
- VLAN Derivation Priorities for VLAN types
- How a VLAN Obtains an IP Address
- Assigning a Static Address to a VLAN
- Configuring a VLAN to Receive a Dynamic Address
- Configuring Multiple Wired Uplink Interfaces (Active-Standby)
- Enabling the DHCP Client
- Enabling the PPPoE Client
- Default Gateway from DHCP/PPPoE
- Configuring DNS/WINS Server from DHPC/PPPoE
- Configuring Source NAT to Dynamic VLAN Address
- Configuring Source NAT for VLAN Interfaces
- Inter-VLAN Routing
- Configuring Static Routes
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
- Configuring GRE Tunnels
- Configuring GRE Tunnel Groups
- Jumbo Frame Support
- IPv6 Support
- Understanding IPv6 Notation
- Understanding IPv6 Topology
- Enabling IPv6
- Enabling IPv6 Support for Controller and APs
- Filtering an IPv6 Extension Header (EH)
- Configuring a Captive Portal over IPv6
- Working with IPv6 Router Advertisements (RAs)
- RADIUS Over IPv6
- TACACS Over IPv6
- DHCPv6 Server
- Understanding ArubaOS Supported Network Configuration for IPv6 Clients
- Understanding ArubaOS Authentication and Firewall Features that Support IPv6
- Managing IPv6 User Addresses
- Understanding IPv6 Exceptions and Best Practices
- Link Aggregation Control Protocol
- OSPFv2
- Tunneled Nodes
- Authentication Servers
- Understanding Authentication Server Best Practices and Exceptions
- Understanding Servers and Server Groups
- Configuring Authentication Servers
- Configuring a RADIUS Server
- RADIUS Service-Type Attribute
- Enabling Radsec on RADIUS Servers
- Configuring Username and Password for CPPM Authentication
- Configuring an RFC-3576 RADIUS Server
- Configuring an RFC-3576 RADIUS Server with Radsec
- Configuring an LDAP Server
- Configuring a TACACS+ Server
- Configuring a Windows Server
- Managing the Internal Database
- Configuring Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
- Authentication Server Load Balancing
- MAC-based Authentication
- Branch Controller Config for Controllers
- Branch Deployment Features
- WAN Failure (Authentication) Survivability
- Supported Client and Authentication Types
- Administrative Functions
- Enabling Authentication Survivability on a Local Branch Controller
- Configuring the Survival Server Certificate
- Configuring the Lifetime of the Authentication Survivability Cache
- User Credential and Key Reply Attributes Are Saved Automatically
- Expired User Credential and Key Reply Attributes Are Purged Automatically
- About the Survival Server
- Trigger Conditions for Critical Actions
- Authentication for Captive Portal Clients
- Authentication for 802.1X Clients
- Authentication for MAC Address-Based Clients
- Authentication for WISPr Clients
- WAN Health Check
- WAN Optimization through IP Payload Compression
- Interface Bandwidth Contracts
- Integration with a Palo Alto Networks (PAN) Portal
- Branch Controller Routing Features
- Zero-Touch Provisioning
- Using Smart Config to create a Branch Config Group
- PortFast and BPDU Guard
- Preventing WAN Link Failure on Virtual APs
- Branch WAN Dashboard Changes
- 802.1X Authentication
- Understanding 802.1X Authentication
- Configuring 802.1X Authentication
- Enabling 802.1x Supplicant Support on an AP
- Sample Configurations
- Configuring Authentication with an 802.1X RADIUS Server
- Configuring Roles and Policies
- Configuring the RADIUS Authentication Server
- Configuring 802.1X Authentication
- Configuring VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Configuring Authentication with the Controller’s Internal Database
- Configuring the Internal Database
- Configuring 802.1x Authentication
- Configuring VLANs
- Configuring WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Configuring Mixed Authentication Modes
- Performing Advanced Configuration Options for 802.1X
- Application Single Sign-On Using L2 Authentication
- Stateful and WISPr Authentication
- Certificate Revocation
- Captive Portal Authentication
- Understanding Captive Portal
- Configuring Captive Portal in the Base Operating System
- Using Captive Portal with a PEFNG License
- Sample Authentication with Captive Portal
- Configuring Guest VLANs
- Configuring Captive Portal Authentication Profiles
- Enabling Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Creating and Installing an Internal Captive Portal
- Creating Walled Garden Access
- Enabling Captive Portal Enhancements
- Configuring the Redirect-URL
- Configuring the Login URL
- Defining Netdestination Descriptions
- Configuring a Whitelist
- Configuring the Netdestination for a Whitelist:
- Associating a Whitelist to Captive Portal Profile
- Applying a Captive Portal Profile to a User-Role
- Verifying a Whitelist Configuration
- Verifying a Captive Portal Profile Linked to a Whitelist
- Verifying Dynamic ACLs for a Whitelist
- Verifying DNS Resolved IP Addresses for Whitelisted URLs
- Bypassing Captive Portal Landing Page
- Virtual Private Networks
- Planning a VPN Configuration
- Working with VPN Authentication Profiles
- Configuring a Basic VPN for L2TP/IPsec in the WebUI
- Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI
- Configuring a VPN for Smart Card Clients
- Configuring a VPN for Clients with User Passwords
- Configuring Remote Access VPNs for XAuth
- Working with Remote Access VPNs for PPTP
- Working with Site-to-Site VPNs
- Working with VPN Dialer
- Roles and Policies
- Configuring Firewall Policies
- User Roles
- Assigning User Roles
- Understanding Global Firewall Parameters
- Using AppRF 2.0
- ClearPass Policy Manager Integration
- Virtual APs
- Virtual AP Configuration Workflow
- Virtual AP Profiles
- Changing a Virtual AP Forwarding Mode
- Radio Resource Management (802.11k)
- BSS Transition Management (802.11v)
- Fast BSS Transition ( 802.11r)
- SSID Profiles
- WLAN Authentication
- High-Throughput Virtual APs
- Guest WLANs
- Changing a Virtual AP Forwarding Mode
- Adaptive Radio Management
- ARM Feature Overviews
- Configuring ARM Settings
- ARM Troubleshooting
- Understanding ARM
- Client Match
- ARM Coverage and Interference Metrics
- Configuring ARM Profiles
- Assigning an ARM Profile to an AP Group
- Using Multi-Band ARM for 802.11a/802.11g Traffic
- Band Steering
- Enabling Traffic Shaping
- Spectrum Load Balancing
- Reusing Channels to Control RX Sensitivity Tuning
- Configuring Non-802.11 Noise Interference Immunity
- Troubleshooting ARM
- Wireless Intrusion Prevention
- Working with the Reusable Wizard
- Monitoring the Dashboard
- Detecting Rogue APs
- Working with Intrusion Detection
- Understanding Infrastructure Intrusion Detection
- Detecting an 802.11n 40MHz Intolerance Setting
- Detecting Active 802.11n Greenfield Mode
- Detecting Ad hoc Networks
- Detecting an Ad hoc Network Using a Valid SSID
- Detecting an AP Flood Attack
- Detecting AP Impersonation
- Detecting AP Spoofing
- Detecting Bad WEP Initialization
- Detecting a Beacon Frame Spoofing Attack
- Detecting a Client Flood Attack
- Detecting a CTS Rate Anomaly
- Detecting an RTS Rate Anomaly
- Detecting Devices with an Invalid MAC OUI
- Detecting an Invalid Address Combination
- Detecting an Overflow EAPOL Key
- Detecting Overflow IE Tags
- Detecting a Malformed Frame-Assoc Request
- Detecting Malformed Frame-Auth
- Detecting a Malformed Frame-HT IE
- Detecting a Malformed Frame-Large Duration
- Detecting a Misconfigured AP
- Detecting a Windows Bridge
- Detecting a Wireless Bridge
- Detecting Broadcast Deauthentication
- Detecting Broadcast Disassociation
- Detecting Netstumbler
- Detecting Valid SSID Misuse
- Detecting Wellenreiter
- Understanding Client Intrusion Detection
- Detecting a Block ACK DoS
- Detecting a ChopChop Attack
- Detecting a Disconnect Station Attack
- Detecting an EAP Rate Anomaly
- Detecting a FATA-Jack Attack Structure
- Detecting a Hotspotter Attack
- Detecting a Meiners Power Save DoS Attack
- Detecting an Omerta Attack
- Detecting Rate Anomalies
- Detecting a TKIP Replay Attack
- Detecting Unencrypted Valid Clients
- Detecting a Valid Client Misassociation
- Detecting an AirJack Attack
- Detecting ASLEAP
- Detecting a Null Probe Response
- Understanding Infrastructure Intrusion Detection
- Configuring Intrusion Protection
- Understanding Infrastructure Intrusion Protection
- Protecting 40MHz 802.11 High Throughput Devices
- Protecting 802.11n High Throughput Devices
- Protecting Against Adhoc Networks
- Protecting Against AP Impersonation
- Protecting Against Misconfigured APs
- Protecting Against Wireless Hosted Networks
- Protecting SSIDs
- Protecting Against Rogue Containment
- Protecting Against Suspected Rogue Containment
- Protection against Wired Rogue APs
- Understanding Client Intrusion Protection
- Warning Message for Containment Features
- Understanding Infrastructure Intrusion Protection
- Configuring the WLAN Management System (WMS)
- Understanding Client Blacklisting
- Working with WIP Advanced Features
- Configuring TotalWatch
- Administering TotalWatch
- Tarpit Shielding Overview
- Configuring Tarpit Shielding
- Access Points
- Basic Functions and Features
- Naming and Grouping APs
- Understanding AP Configuration Profiles
- Before you Deploy an AP
- Enable Controller Discovery
- Enable DHCP to Provide APs with IP Addresses
- AP Provisioning Profiles
- Configuring Installed APs
- Optional AP Configuration Settings
- RF Management
- Optimizing APs Over Low-Speed Links
- AP Scanning Optimization
- Channel Group Scanning
- Configuring AP Channel Assignments
- Managing AP Console Settings
- Link Aggregation Support on W-AP220 Series and W-AP270 Series
- Service Tag
- Secure Enterprise Mesh
- Mesh Overview Information
- Mesh Configuration Procedures
- Understanding Mesh Access Points
- Understanding Mesh Links
- Understanding Mesh Profiles
- Understanding Remote Mesh Portals (RMPs)
- Understanding the AP Boot Sequence
- Mesh Deployment Solutions
- Mesh Deployment Planning
- Configuring Mesh Cluster Profiles
- Creating and Editing Mesh Radio Profiles
- Creating and Editing Mesh High-Throughput SSID Profiles
- Configuring Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- Verifying Your Mesh Network
- Configuring Remote Mesh Portals (RMPs)
- Creating a Remote Mesh Portal In the WebUI
- Step 1: Provision the AP
- Step 2: Define the Mesh Private VLAN in the Mesh Radio Profile
- Step 3: Assign the Mesh Radio Profile to a Remote Mesh AP
- Step 4: Assign an RF Management Profile to a Remote Mesh AP
- Step 5: Assign a Mesh Cluster Profile
- Step 6: Configuring a DHCP Pool
- Step 7: Configuring the VLAN ID of the Virtual AP Profile
- Provisioning a Remote Mesh Portal In the CLI
- Creating a Remote Mesh Portal In the WebUI
- Increasing Network Uptime Through Redundancy and VRRP
- High Availability
- VRRP-Based Redundancy
- High Availability Deployment Models
- Client State Synchronization
- High Availability Inter-Controller Heartbeats
- High Availability Extended Controller Capacity
- Configuring High Availability
- Migrating from VRRP or Backup-LMS Redundancy
- Configuring VRRP Redundancy
- RSTP
- PVST+
- Link Layer Discovery Protocol
- IP Mobility
- External Firewall Configuration
- Palo Alto Networks Firewall Integration
- Remote Access Points
- About Remote Access Points
- Configuring the Secure Remote Access Point Service
- Deploying a Branch/Home Office Solution
- Enabling Remote AP Advanced Configuration Options
- Understanding Remote AP Modes of Operation
- Working in Fallback Mode
- Configuring Fallback Mode
- Configuring the DHCP Server on the Remote AP
- Configuring Advanced Backup Options
- Specifying the DNS Controller Setting
- Backup Controller List
- Configuring Remote AP Failback
- Enabling RAP Local Network Access
- Configuring Remote AP Authorization Profiles
- Working with Access Control Lists and Firewall Policies
- Understanding Split Tunneling
- Understanding Bridge
- Provisioning Wi-Fi Multimedia
- Reserving Uplink Bandwidth
- Provisioning 4G USB Modems on Remote Access Points
- Provisioning RAPs at Home
- Configuring W-IAP3WN and W-IAP3WNP Access Points
- Converting an IAP to RAP or CAP
- Enabling Bandwidth Contract Support for RAPs
- Virtual Intranet Access
- Spectrum Analysis
- Understanding Spectrum Analysis
- Creating Spectrum Monitors and Hybrid APs
- Connecting Spectrum Devices to the Spectrum Analysis Client
- Configuring the Spectrum Analysis Dashboards
- Customizing Spectrum Analysis Graphs
- Working with Non-Wi-Fi Interferers
- Understanding the Spectrum Analysis Session Log
- Viewing Spectrum Analysis Data
- Recording Spectrum Analysis Data
- Troubleshooting Spectrum Analysis
- Verifying Spectrum Monitors Support for One Client per Radio
- Converting a Spectrum Monitor Back to an AP or Air Monitor
- Troubleshooting Browser Issues
- Loading a Spectrum View
- Troubleshooting Issues with Adobe Flash Player 10.1 or Later
- Understanding Spectrum Analysis Syslog Messages
- Playing a Recording in the RFPlayback Tool
- Dashboard Monitoring
- Management Access
- Configuring Certificate Authentication for WebUI Access
- Secure Shell (SSH)
- Enabling Public Key Authentication
- Enabling RADIUS Server Authentication
- Configuring RADIUS Server Username and Password Authentication
- Configuring RADIUS Server Authentication with VSA
- Configuring RADIUS Server Authentication with Server Derivation Rule
- Configuring a set-value server-derivation rule
- Disabling Authentication of Local Management User Accounts
- Verifying the configuration
- Resetting the Admin or Enable Password
- Bypassing the Enable Password Prompt
- Setting an Administrator Session Timeout
- Connecting to an W-AirWave Server
- Custom Certificate Support for RAP
- Implementing a Specific Management Password Policy
- Configuring AP Image Preload
- Configuring Centralized Image Upgrades
- Managing Certificates
- Configuring SNMP
- Enabling Capacity Alerts
- Configuring Logging
- Enabling Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- ClearPass Profiling with IF-MAP
- Whitelist Synchronization
- Downloadable Regulatory Table
- 802.11u Hotspots
- Hotspot 2.0 Pre-Deployment Information
- Hotspot Profile Configuration Tasks
- Hotspot 2.0 Overview
- Configuring Hotspot 2.0 Profiles
- Configuring Hotspot Advertisement Profiles
- Configuring ANQP Venue Name Profiles
- Configuring ANQP Network Authentication Profiles
- Configuring ANQP Domain Name Profiles
- Configuring ANQP IP Address Availability Profiles
- Configuring ANQP NAI Realm Profiles
- Configuring ANQP Roaming Consortium Profiles
- Configuring ANQP 3GPP Cellular Network Profiles
- Configuring H2QP Connection Capability Profiles
- Configuring H2QP Operator Friendly Name Profiles
- Configuring H2QP Operating Class Indication Profiles
- Configuring H2QP WAN Metrics Profiles
- Adding Local Controllers
- Advanced Security
- Securing Client Traffic
- Securing Controller-to-Controller Communication
- Configuring the Odyssey Client on Client Machines
- Voice and Video
- Voice and Video License Requirements
- Configuring Voice and Video
- Working with QoS for Voice and Video
- Unified Communication and Collaboration
- Understanding Extended Voice and Video Features
- Understanding QoS for Microsoft Lync and Apple Facetime
- Enabling WPA Fast Handover
- Enabling Mobile IP Home Agent Assignment
- Scanning for VoIP-Aware ARM
- Disabling Voice-Aware 802.1x
- Configuring SIP Authentication Tracking
- Enabling Real Time Call Quality Analysis
- Enabling SIP Session Timer
- Enabling Wi-Fi Edge Detection and Handover for Voice Clients
- Working with Dial Plan for SIP Calls
- Enabling Enhanced 911 Support
- Working with Voice over Remote Access Point
- Understanding Battery Boost
- Enabling LLDP
- Advanced Voice Troubleshooting
- AirGroup
- Zero Configuration Networking
- AirGroup Solution
- AirGroup Deployment Models
- Features Supported in AirGroup
- ClearPass Policy Manager and ClearPass Guest Features
- Auto-association and Controller-based Policy
- Best Practices and Limitations
- Integrated Deployment Model
- Master-Local Controller Synchronization
- Configuring an AirGroup Integrated Deployment Model
- Enabling or Disabling AirGroup Global Setting
- Enabling or Disabling mDNS and DLNA
- Viewing AirGroup Global Setting on Controller
- Defining an AirGroup Service
- Enabling the allowall Service
- Enabling or Disabling an AirGroup Service
- Viewing AirGroup Service Status
- Viewing Blocked Services
- Viewing AirGroup Service Details
- Configuring an AirGroup Domain
- Viewing an AirGroup Domain
- Configuring an AirGroup active-domain
- Viewing an AirGroup active-domains
- Viewing AirGroup VLAN Table
- Viewing AirGroup Multi-Controller Table
- Controller Dashboard Monitoring
- Configuring the AirGroup-CPPM Interface
- Bluetooth-Based Discovery and AirGroup
- AirGroup mDNS Static Records
- mDNS AP VLAN Aggregation
- mDNS Multicast Response Propagation
- Troubleshooting and Log Messages
- Instant AP VPN Support
- W-600 Series Controllers
- External Services Interface
- Sample ESI Topology
- Understanding the ESI Syslog Parser
- Configuring ESI
- Sample Route-Mode ESI Topology
- ESI server configuration on controller
- IP routing configuration on Fortinet gateway
- Configuring the Example Routed ESI Topology
- Health-Check Method, Groups, and Servers
- Defining the Ping Health-Check Method
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- Syslog Parser Domain and Rules
- Sample NAT-mode ESI Topology
- Understanding Basic Regular Expression (BRE) Syntax
- External User Management
- Behavior and Defaults
- DHCP with Vendor-Specific Options
- 802.1X Configuration for IAS and Windows Clients
- Acronyms and Terms
559 | Wireless Intrusion Prevention Dell Networking W-Series ArubaOS 6.4.x| User Guide
Blacklisting by Authentication Failure
You can configure a maximum authentication failure threshold for each of the following authentication
methods:
l 802.1x
l MAC
l Captive portal
l VPN
When a client exceeds the configured threshold for one of the above methods, the client is automatically
blacklisted by the controller, an event is logged, and an SNMP trap is sent. By default, the maximum
authentication failure threshold is set to 0 for the above authentication methods, which means that there is no
limit to the number of times a client can attempt to authenticate.
With 802.1x authentication, you can also configure blacklisting of clients who fail machine authentication.
When clients are blacklisted because they exceed the authentication failure threshold, they are blacklisted
indefinitely by default. You can configure the duration of the blacklisting; see Setting Blacklist Duration on page
560.
To set the authentication failure threshold via the WebUI:
1. Navigate to the Configuration > Security > Authentication > Profiles page.
2. In the Profiles list, select the appropriate authentication profile, then select the profile instance.
3. Enter a value in the Max Authentication failures field.
4. Click Apply.
To set the authentication failure threshold via the command-line interface, access the CLI in config mode and
issue the following commands:
aaa authentication {captive-portal|dot1x|mac|vpn} <profile>
max-authentication-failures <number>
Enabling Attack Blacklisting
There are two types of automatic client blacklisting that can be enabled: blacklisting due to spoofed
deauthentication, or blacklisting due to other types of DoS attacks.
Automatic blacklisting for DoS attacks other than spoofed deauthentication is enabled by default. You can
disable this blacklisting on a per-SSID basis in the virtual AP profile.
Man in the middle (MITM) attacks begin with an intruder impersonating a valid enterprise AP. If an AP needs to
reboot, it sends deauthentication packets to connected clients to enable them to disconnect and reassociate
with another AP. An intruder or attacker can spoof deauthentication packets, forcing clients to disconnect from
the network and reassociate with the attacker’s AP. A valid enterprise client associates to the intruder’s AP,
while the intruder then associates to the enterprise AP. Communication between the network and the client
flows through the intruder (the man in the middle), thus allowing the intruder the ability to add, delete, or
modify data. When this type of attack is identified by the Dell system, the client can be blacklisted, blocking the
MITM attack. You can enable this blacklisting ability in the IDS DoS profile (this is disabled by default).
To enable spoofed deauth detection and blacklisting via the WebUI:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. In the Profiles list, expand the IDS menu, then select IDS profile.
4. Select the IDS DOS profile.