Managing Certificates, About Digital Certificates

Parameter	Description
no-access	No commands are accessible for this role

read-only	Read-only role

no access	Negates any configured parameter.

Server Group	Name of the group of servers used to authenticate administrative users. See the CLI command aaa-
	server-group, in the CLI Command Reference Guide for more information.

Managing Certificates

The controller is designed to provide secure services through the use of digital certificates. Certificates provide security when authenticating users and computers and eliminate the need for less secure password-based authentication.

There is a default server certificate installed in the controller to demonstrate the authentication of the controller for captive portal and WebUI management access. However, this certificate does not guarantee security in production networks. Dellstrongly recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted Certificate Authority (CA). This section describes how to generate a Certificate Signing Request (CSR) to submit to a CA and how to import the signed certificate received from the CA into the controller.

The controller supports client authentication using digital certificates for specific user-centric network services, such as AAA FastConnect, VPN (see Virtual Private Networks on page 271), and WebUI and SSH management access. Each service can employ different sets of client and server certificates.

During certificate-based authentication, the controller provides its server certificate to the client for authentication. After validating the controller’s server certificate, the client presents its own certificate to the controller for authentication. To validate the client certificate, the controller checks the certificate revocation list (CRL) maintained by the CA that issued the client certificate. After validating the client’s certificate, the controller can check the user name in the certificate with the configured authentication server (this action is optional and configurable).

About Digital Certificates

Clients and the servers to which they connect may hold authentication certificates that validate their identities. When a client connects to a server for the first time, or the first time since its previous certificate has expired or been revoked, the server requests that the client transmit its authentication certificate. The client’s certificate is then verified against the CA which issued it. Clients can also request and verify the server’s authentication certificate. For some applications, such as 802.1x authentication, clients do not need to validate the server certificate for the authentication to function.

Digital certificates are issued by a CA which can be either a commercial, third-party company or a private CA controlled by your organization. The CA is trusted to authenticate the owner of the certificate before issuing a certificate. A CA-signed certificate guarantees the identity of the certificate holder. This is done by comparing the digital signature on a client or server certificate to the signature on the certificate for the CA. When CA-signed certificates are used to authenticate clients, the controller checks the validity of client certificates using certificate revocation lists (CRLs) maintained by the CA that issued the certificate.

Digital certificates employ public key infrastructure (PKI), which requires a private-public key pair. A digital certificate is associated with a private key, known only to the certificate owner, and a public key. A certificate

Dell PowerConnect W-Series ArubaOS 6.2 User Guide

Management Access 635

Page 635

Image 635

Dell 6.2 manual Managing Certificates, About Digital Certificates

6.2 specifications

Dell 6.2 is an advanced enterprise solution that caters to the needs of businesses seeking robust performance and efficiency. As a part of Dell's commitment to innovation, the 6.2 series combines cutting-edge technologies and features that enhance productivity and deliver reliable computing experiences.

One of the standout features of the Dell 6.2 is its impressive processing power. Equipped with the latest Intel processors, it offers exceptional speed and multitasking capabilities. This allows businesses to run demanding applications effortlessly, making it ideal for data-intensive tasks such as data analysis, software development, and virtualization. The series also supports substantial RAM configurations, enabling users to manage extensive workloads without experiencing slowdowns.

In terms of storage, the Dell 6.2 line includes advanced SSD options that significantly boost data access speeds compared to traditional hard drives. This rapid access to information is vital for businesses that require quick retrieval of large datasets. Furthermore, the devices support RAID configurations, which enhances data redundancy and security, protecting critical business information from loss.

Connectivity is another critical aspect of the Dell 6.2 series. It includes multiple USB ports, HDMI outputs, and high-speed Ethernet options, ensuring that users can easily connect to various peripherals and networks. The integration of Wi-Fi 6 technology enables faster wireless connections, resulting in improved internet speeds and bandwidth efficiency, which is crucial in today’s increasingly connected workplaces.

Dell has also prioritized security in the 6.2 series. It features enhanced biometric authentication and advanced encryption methods, safeguarding sensitive data from unauthorized access. Additionally, the system's BIOS protection and automatic updates provide an added layer of security, ensuring that the device remains safe from emerging threats.

The design of the Dell 6.2 is not only sleek and modern but also built for durability. Its robust chassis is engineered to withstand the rigors of daily use, making it suitable for various business environments. This durability ensures that the investment in Dell 6.2 will last for years while maintaining performance integrity.

In summary, the Dell 6.2 series embodies a blend of speed, storage efficiency, connectivity, and security, making it a top choice for enterprises looking to enhance their computing capabilities. With its modern features and durable design, Dell 6.2 is positioned as a reliable partner in driving business success.

Contents

User Guide Legal Notice Copyright InformationOpen Source Code Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents 490 477485 Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide About this Guide Feature DescriptionWhat’s New In ArubaOS Spectrum recording information Users using them in a given networkIssued Spectrum enhancements WebUI Fundamentals Type Style Description Related DocumentsConventions Page Deployment Scenario #1 Controller and APs on Same Subnet Understanding Basic Deployment and Configuration TasksBasic User-Centric Networks APs All on One Subnet Different from Controller Subnets APs on Multiple Different Subnets from Controllers Running Initial Setup Configuring the Controller New Port Numbering Scheme Using the LCD ScreenConnecting to the Controller after Initial Setup Dell W-7200 Series Controller Displays Upgrading an Image Using the LCD and USB DriveUploading a Pre-saved Configuration Disabling LCD Menu Functions Configuring a Vlan to Connect to the Network Creating, Updating, and Deleting Vlan Pools Assigning and Configuring the Trunk PortCreating, Updating, and Viewing VLANs and Associated IDs WebUI Configuring the Default GatewayConfiguring the Loopback IP Address for the Controller To confirm the port assignments, use the show vlan command Controller returns the following messages Configuring the System ClockEnter y to reboot the controller or n to cancel Connecting the Controller to the Network Enabling Wireless ConnectivityConfiguring Your User-Centric Network Installing Licenses Must explicitly enable Telnet on the controller Control Plane Security Parameter Description Configuring Control Plane SecurityConfigure the following control plane security parameters Control Plane Security Overview Example CLI Adding APs to the Campus and Remote AP Whitelists Managing AP Whitelists Control Plane Security Campus AP Whitelist status only Viewing Whitelist StatusStatus Entry Address as a name Status Entry Description Click the Campus AP Whitelist tab Command DescriptionModifying an AP in the Campus AP Whitelist Purging the Campus AP Whitelist Revoking an AP via the Campus AP WhitelistDeleting an AP Entry from the Campus AP Whitelist With local Dell Campus AP whitelist contains Master switchManaging Whitelists on Master and Local Controllers Data Column Description Viewing and Managing the Master or Local Switch WhitelistsViewing the Master or Local Switch Whitelist Campus AP Whitelist Synchronization Deleting an Entry from the Master or Local Switch Whitelist Working in Environments with Multiple Master Controllers Configuring Networks with a Backup Master ControllerConfiguring Networks with Clusters of Master Controllers Purging the Master or Local Switch Whitelist Creating a Cluster Root Click the Cluster Setting tab Creating a Cluster Member Viewing Controller Cluster SettingsTo view your current cluster configuration via the WebUI Replacing a Local Controller Replacing a Controller on a Multi-Controller NetworkReplacing Controllers in a Single Master Network Replacing a Redundant Master Controller Replacing a Master Controllerwith No Backup Replacing a Redundant Cluster Member Controller Replacing a Cluster Member Controller with no BackupReplacing Controllers in a Multi-Master Network Replacing a Local Controller in a Multi-Master Network Replacing a Redundant Cluster Root Controller Manually Certify Campus APs Configuring Control Plane Security after UpgradingTroubleshooting Control Plane Security Identifying Certificate Problems Verifying Whitelist Synchronization Verifying CertificatesDisabling Control Plane Security Rogue APs Supported APs Software Licenses Understanding License Terminology Working with Licenses Basis What Consumes One License Using LicensesWorking with Licenses on a Multiple Controller Network License Controller Total AP Count Campus APs Remote APs Understanding License Interaction Enabling a new license on your controller License Installation Best Practices and ExceptionsInstalling a License Creating a Software License Key Requesting a Software License in EmailLocating the System Serial Number Obtaining a Software License Key Applying the Software License Key in the WebUI Resetting the ControllerDeleting a License Moving LicensesPage Navigate to the Configuration Network VLANs Configuring VLANsNetwork Configuration Parameters You can create and update a single Vlan or bulk VLANs Creating Bulk VLANs In the WebUI Navigate to Configuration Network VLANsCreating Named VLANs Creating a Named Vlan not in a Pool This example assigns a Vlan name in a virtual AP Using the WebUICreating a Vlan Pool This example assigns a name to an existing Vlan ID Creating a Vlan Pool Distinguishing Between Even and Hash Assignment Types Updating a Vlan Pool Creating a Vlan Pool Using the CLIViewing and Adding Vlan IDs Using the CLI Following example shows how to view Vlan IDs to a Vlan pool Optimizing Vlan Broadcast and Multicast Traffic Adding a Bandwidth Contract to the Vlan Navigate to Configuration Network IP Configuring PortsUsing the CLI Proxy Arp is disabled for the Interface About Trusted and Untrusted VLANs Configuring Trusted/Untrusted Ports and VLANsClassifying Traffic as Trusted or Untrusted About Trusted and Untrusted Physical Ports This example For Port Mode select Trunk Assigning a Static Address to a Vlan Understanding Vlan AssignmentsHow a Vlan Obtains an IP Address Enabling the Dhcp Client Configuring a Vlan to Receive a Dynamic AddressConfiguring Multiple Wired Uplink Interfaces Active-Standby Navigate to the Configuration Network IP IP Interfaces Select Obtain an IP address with PPPoE Enabling the PPPoE Client Select Apply Default Gateway from DHCP/PPPoEConfiguring DNS/WINS Server from DHPC/PPPoE Configuring Source NAT for Vlan Interfaces Configuring Source NAT to Dynamic Vlan Address Inter-VLAN Routing Example Configuration Navigate to the Configuration Network IP IP Interface Configuring Static RoutesUsing the WebUI to restrict Vlan routing Apply Configuring the Loopback IP AddressModify the IP Address as required Click Using the CLI Configuring the Controller IP AddressConfiguring GRE Tunnels Static Routes Navigate to the Configuration Network IP GRE TunnelsCreating a Tunnel Interface Directing Traffic into the Tunnel CLI Tunnel KeepalivesWebUI IPv6 Support This chapter describes ArubaOS support for IPv6 featuresUnderstanding IPv6 Notation Understanding IPv6 Topology Enabling IPv6 Support for Controller and APs Enabling IPv6 Features Supported on IPv6 APs? Yes Limited Configuring IPv6 AddressesTo Configure Link Local Address To Configure Global Unicast Address To Configure Loopback Interface Address Configuring IPv6 Static Neighbors Managing Controller IP Addresses Configuring IPv6 Default Gateway and Static IPv6 RoutesTo Configure IPv6 Default Gateway To Configure Static IPv6 Routes To Modify IPv6 MLD Parameters Configuring Multicast Listener Discovery MLD Provisioning an IPv6 AP Debugging an IPv6 Controller To view the EH types denied Configuring a Captive Portal over IPv6Filtering an IPv6 Extension Header EH Working with IPv6 Router Advertisements RAs You can use the WebUI or CLI to configure IPv6 RA on a Vlan Configuring an IPv6 RA on a VlanUsing WebUI Using CLI Configuring Optional Parameters for RAs To configure RA hop-limit Navigate to the ConfigurationNetworkIPTo configure neighbor discovery retransmit time To configure IPv6 recursive DNS server Viewing IPv6 RA Status Supported Network Configuration XSec No not tested MAC-based Yes Understanding AuthenticationAuthentication Method Supported for IPv6 Clients? Authentication Description Method Working with Firewall Features Understanding Firewall Policies Field Description For Host IP, enter 2002d81ff9f01000 To assign an IPv6 policy using the WebUICreating an IPv6 Firewall Policy Assigning an IPv6 Policy to a User Role Understanding IPv6 Exceptions and Best Practices Managing IPv6 User Addresses Host config #ipv6 enable Link Aggregation Control Protocol Lacp Understanding Lacp Best Practices and Exceptions Set the port priority Configuring Lacp Lacp Sample Configuration 151 OSPFv2 Understanding Ospf Deployment Best Practices and Exceptions Below is the routing table for Router Understanding OSPFv2 by Example using a Wlan ScenarioWlan Topology Wlan Routing Table Branch Office Ospf Topology Branch Office Topology Routing table for Router 1 is below Configuring OspfBranch Office Routing Table Routing table of the Central office controller is below Select the Add button to add an area see Figure General Ospf Configuration Remote Branch Sample Topology and Configuration Remote Branch Central Office Controller-Active Central Office Controller-Backup OSPFv2 Dell PowerConnect W-Series ArubaOS 6.2 User Guide Dell PowerConnect W-Series ArubaOS 6.2 User Guide OSPFv2 Tunneled Nodes Understanding Tunneled Node Configuration WebUI Configuring a Wired Tunneled Node ClientNavigate to ConfigurationAdvanced ServicesWired Access For example Verify the configuration Configuring an Access Port as a Tunneled Node PortConfiguring a Trunk Port as a Tunneled Node Port Locate the Wired Access Concentration Configuration section On the tunneled node client Sample OutputPage Understanding Servers and Server Groups Authentication Servers Describes the parameters you configure for a Radius server Configuring ServersConfiguring a Radius Server NAS IP address to send in Radius packets TimeoutDefault 5 seconds Override the global configuration Set a DNS Query Interval Configuring an RFC-3576 Radius ServerRadius Server Authentication Codes Radius Server Fully Qualified Domain Names Host IP address of the Ldap server Default N/A Admin-DN Configuring an Ldap ServerDescribes the parameters you configure for an Ldap server Type Connection type is Ldap-s Start-tls Clear-text Configuring a TACACS+ ServerEnter parameters as described in Table Defines the TACACS+ server parameters Configuring a Windows Server Parameters Configuring the Internal DatabaseManaging the Internal Database Parameters Description Enter the following command in enable modeManaging Internal Database Files Exporting Files in the WebUI Working with Internal Database Utilities Configuring Server Groups Configuring Server List Order and Fail-Through Configuring Server Groups Select Fail Through Configuring Dynamic Server Selection Scroll to the right and click Add Server Click Apply Click Add Rule Trimming Domain Information from Requests Configuring Match Fqdn Option Configuring Server-Derivation Rules Top Controller when the rule is appliedDefault bottom Assigning Server Groups User AuthenticationManagement Authentication Navigate to the Configuration Management Administration Radius Accounting Accounting Select AAA Profile, then select the AAA profile instance TACACS+ Accounting Configuring Authentication TimersTimer Description Range Setting an Authentication TimerDefault 5 minutes Logon User Lifetime Parameter Configuring MAC-Based AuthenticationMAC-based Authentication Configuring the MAC Authentication Profile Disables blacklisting Configuring ClientsUsing the WebUI to configure a MAC authentication profile Using the CLI to configure a MAC authentication profile CLI 802.1X Authentication Understanding 802.1X Authentication Supported EAP Types Configuring Authentication with a Radius Server 802.1X Authentication with Radius Server Configuring Authentication Terminated on Controller Configuring 802.1X Authentication This option is disabled by default Failures, and the default value is 0 failuresDefault User Role Guest role Reauthentication Timer per role overrides this setting Requests Interval Seconds, and the default value is 30 secondsDefault value is Count Option is disabled by default Key Exchange Delay between WPA/WPA2Disable this feature Authentication takes place Negotiation Disabled by default WPA-Fast-Handover For the cached information. The default value is 24 hoursUse to authenticate itself to the client Disabled by default Configuring and Using Certificates with AAA FastConnect Machine User Auth Description Role Assigned Status Configuring User and Machine Authentication Virtual AP profile Authenticated Vlan configured Virtual AP profileEnabling 802.1x Supplicant Support on an AP Machine Auth User Auth Description Vlan Assigned Status Provisioning an AP as a 802.1X Supplicant To view the 802.1x authentication details on the controllerPrerequisites Creating the Student Role and Policy Sample ConfigurationsConfiguring Authentication with an 802.1X Radius Server Configuring Roles and Policies Can use the alias for other rules and policies Creating the Guest Role and Policy Using the WebUICreating the Faculty Role and Policy Under Time Range, select working-hours Using the WebUI to create the computer role Configuring the Radius Authentication ServerCreating Roles and Policies for Sysadmin and Computer Creating an Alias for the Internal Network Using the CLI Select Enforce Machine Authentication Configuring 802.1X Authentication Configuring VLANs Navigate to the Configuration Wireless AP Configuration Configuring the WLANsConfiguring the Guest Wlan AP Group list, click Edit for the first-floor Configuring the Non-Guest WLANs CLI Configuring a Server Rule Using the CLI Configuring a Server Rule Using the WebUI Select Termination Configuring WLANs Configuring the Guest Wlan Configuring the Non-Guest WLANs 802.1x Logon Configuring Mixed Authentication ModesAuthentication Describes the different authentication possibilities Configuring Reauthentication with Unicast Key Rotation Performing Advanced Configuration Options for Stateful and WISPr Authentication Working With Stateful Authentication Configuring Stateful 802.1x Authentication Working With WISPr AuthenticationUnderstanding Stateful Authentication Best Practices Configuring Stateful Ntlm Authentication Configuring Stateful Kerberos Authentication Configuring WISPr Authentication Profiles list, expand the WISPr Authentication Profile Dell PowerConnect W-Series ArubaOS 6.2 User Guide 227 Certificate Revocation Configuring a Controller as Ocsp and CRL ClientsConfiguring an Ocsp Controller as a Responder Understanding Ocsp and CRL Navigate to the Configuration Management Certificates Upload Configuring the Controller as an Ocsp Client Select the Revocation Checkpoint tab Configuring the Controller as a CRL Client Configuring the Controller as an Ocsp Responder Select Enable next to Enable Ocsp Responder Understanding Captive Portal Captive Portal Authentication Controller Server Certificate Configuring Captive Portal in the Base Operating SystemNavigate to the Configuration Management General Policy Enforcement Firewall Next Generation Pefng License WebUI CLI Using Captive Portal with a Pefng License To configure captive portal with Pefng license via the WebUI Configuring Captive Portal in the WebUI Creating a Guest User Role Sample Authentication with Captive PortalConfiguring Captive Portal in the CLI Creating a Time Range Configuring Policies and Roles in the WebUISelect Add to add the guest-logon-access policy Creating an Auth-guest User Role Creating Aliases Creating an Auth-Guest-Access PolicyTo configure the auth-guest-access policy via the WebUI To create the block-internal-access policy via the WebUI Creating an Block-Internal-Access Policy To create a guest role via the WebUI Creating a Drop-and-Log PolicyCreating a Guest Role To create the drop-and-log policy via the WebUI To create the guest-logon role via the WebUI Configuring Policies and Roles in the CLICreating an Auth-Guest Role Defining a Time Range Creating a Guest-Logon Role Configuring Guest VLANsCreating a Guest-Logon-Access Policy Creating a Block-Internal-Access Policy Click Add For Vlan ID, enter Click Apply Configuring Captive Portal Authentication Profiles Modifying the Initial User Role Configuring the AAA Profile Managing User Accounts Configuring the Wlan Role Configuring Captive Portal Configuration ParametersUnauthenticated that a guest cannot access Utilization Logon Threshold Default 60% Logon wait Following are optional captive portal configurations Enabling Optional Captive Portal Configurations Specify the fac-logon user Uploading Captive Portal Pages by Ssid AssociationChanging the Protocol to Http Entity Engineering Business Faculty Security Access Control Policies Configuring Redirection to a Proxy ServerL3 Authentication For captive portal with Pefng license For captive portal with role-based accessRedirecting Clients on Different VLANs Personalizing the Captive Portal Web Client Configuration with Proxy Script Select the Your Custom Background To customize the page background Creating a New Internal Web Creating and Installing an Internal Captive Portal Variable Password ExampleUsername Example Fqdn Example Basic Html Example Installing a New Captive PortalDisplaying Authentication Error Messages Configuring Localization Reverting to the Default Captive Portal This should be replaced with a link like this Insert javascript to handle error casesThis should be replaced with a link like the following Div id=errorbox style=display none /div Sample Translated Customizing the Welcome Customizing the Pop-Up box Customizing the Logged Out Box Navigate to Advanced Services Stateful Firewall Destination Creating Walled Garden Access Enabling Captive Portal Enhancements Configuring the Redirect-URLConfiguring the Login URL Associating a Whitelist to Captive Portal Profile Configuring a WhitelistConfiguring the Netdestination for a Whitelist Defining Netdestination Descriptions Verifying Dynamic ACLs for a Whitelist Verifying a Whitelist ConfigurationUse the following commands to verify the whitelist alias Verifying a Captive Portal Profile Linked to a Whitelist TOS Verifying DNS Resolved IP Addresses for Whitelisted URLs Example Virtual Private Networks Planning a VPN Configuration 384 Suite-B certificates ECDSA-256, ECDSA-384 Selecting an IKE protocolUnderstanding Suite-B Encryption Licensing IKE Policies Suite-B for IPsec tunnels Understanding Supported VPN AAA Deployments Working with IKEv2 Clients VPN Client Working with VPN Authentication ProfilesParameter Default Default-rap Default-cap Working with Certificate Groups Configuring a Basic VPN for L2TP/IPsec in the WebUI Enabling Source NAT Defining Authentication Method and Server AddressesNavigate to Configuration IP NAT Pools Defining Address Pools Defining IKEv1 Shared Keys Configuring IKE Policies Finalizing WebUI changes Setting the IPsec Dynamic Map Create address pools Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUIEnable authentication methods for IKEv1 clients Configure source NAT Defining Address Pools PRF-HMAC-MD5 PRF-HMAC-SHA1 PRF-HMAC-SHA256 PRF-HMAC-SHA384 Define IKEv2 Policies Configuring a VPN for Smart Card ClientsWorking with Smart Card clients using IKEv2 Enable authentication methods for IKEv2 clients Select Enable L2TP Configuring a VPN for Clients with User PasswordsWorking with Smart Card Clients using IKEv1 Click Add User Configuring Remote Access VPNs for XAuthConfiguring VPNs for XAuth Clients using Smart Cards Certificates or Common Name as it appears on the certificate Working with Remote Access VPNs for Pptp Working with Third-Party Devices Working with Site-to-Site VPNs Understanding VPN Topologies Configuring Site-to-Site VPNsWorking with Site-to-Site VPNs with Dynamic IP Addresses Show crypto-local pki servercert certname subject Click Doneto activate the changes Click Apply For certificate authentication For the Pre-shared-key for All FQDNs For preshared key authenticationDetecting Dead Peers For the Pre-shared-key Working with VPN Dialer Understanding Default IKE policies Assigning a Dialer to a User Role Configuring VPN Dialer Host config #user-role role dialer name Roles and Policies Configuring Firewall Policies Creating a Firewall Policy Working With Access Control Lists ACLsSupport for Desktop Virtualization Protocols This can be one of the following Configure the NAT pool in the controllerIP address of the host White List When it leaves the controllerQueue in which a packet matching this rule should be placed Pause ARM Creating an ACL White List Creating a Network Service Alias Use the following CLI command to create ACL White Lists Configuring the ACL White List in the WebUIConfiguring the White List Bandwidth Contract in the CLI Configuring the ACL White List in the CLI Creating User Roles Click the Delete button against the role you want to delete Creating a User RoleBandwidth Contracts Assigning a Bandwidth Contract to a User Role in the WebUI Configuring a Bandwidth Contract in the WebUIConfiguring and Assigning Bandwidth Contracts in the CLI Bandwidth Contract Exceptions Viewing the Current Exceptions List Configuring Bandwidth Contract ExceptionsAssigning User Roles Assigning User Roles in AAA Profiles Dhcp server Working with User-Derived VLANsRule Type Condition Value Equals String Dhcp Option Description Hexadecimal Equivalent Configuring a User-derived Vlan in the WebUIUnderstanding Device Identification See for descriptions of these parameters Configuring a User-derived Role or Vlan in the CLIUser-Derived Role Example Controller’s log files Configuring a Default Role for Authentication MethodNavigate to the Configuration Security Authentication Monitor TCP SYN Attack rate Configuring a Server-Derived RoleConfiguring a VSA-Derived Role Understanding Global Firewall Parameters Portal configuration Or disabledLog Icmp Errors Default Disabled stateful SIP processing is enabled Default Disabled FTP server is enabled Session Idle Timeout secDefault 15 seconds Disable FTP Server Session mirror Ipsec Session-tunnel FIB Enable session,tunnel based forwardingMbps Default 1 Mbps Rate limit CP auth process traffic Mbps Is 1-200 Mbps Default 1 MbpsPage Virtual APs Configuring Virtual AP ProfilesWlan Profiles Default AP Group Toronto AP Group Excluding a Virtual AP Profile From an AP in the CLI Configuring a Virtual APExcluding a Virtual AP Profile From an AP in the WebUI Ssid profile guest Configuring the User RoleBuilding3-lobby Guest Deny Time Range Done Configuring Authentication ServersConfiguring Authentication Side of the network. This feature is enabled by default Users. The default role for unauthenticated users is logonMAC Authentication Default Role Wired to Wireless Roaming Enforce Dhcp Click Edit for the default AP groupSelect Wireless LAN under Profiles, then select Virtual AP Applying the Virtual AP Enforcement, 802.11k and station blacklisting Forward modeCan be configured in tunnel mode Campus APs in decrypt-tunnel forward mode Band Steering Enable this settingClick the Global Setting tab Setting on each individual local controller APs. Default Disabled Default 6 stationsDefault 3600 seconds 1 hour Authentication Failure Creating a new Ssid Profile Select Wireless LAN underProfiles, then select Virtual AP Dtim Interval KeysXSec license in each controller Period to receive broadcasts Other wireless clients are transmittingDefault value is 2333 bytes Powersave WMM Tspec Min At the lowest configured rate Frames is disabledBattery Boost Lengthening battery life Configuring an Ssid for Suite-B Cryptography Configuring a Guest Role Configuring a Guest WlanConfiguring a Vlan Select Virtual AP Configuring a Guest Virtual AP Enabling bSec Ssid Support Sample ConfigurationTo enable bSec Ssid using bSec-128 or bSec-256 Enabling 802.11k Support Advertise 802.11K Capability Measurement Mode for Beacon ReportsMeasurement Report Mode field Default Mode beacon-table TSM Report Request Settings Profile Handover Trigger Feature Settings ProfileHandover of Voice Clients’ feature Beacon Report Request Settings Profile Working with Radio Resource Management Information Elements Working with Beacon Report Requests Randomization Interval Con when Measurement Mode is set to Active-Channel ReportMeasurement Mode for Range from 0 to 255. The default value is Number of repetitions Gered. When the triggered option is selected,Request frame. The default value is enabled Working with a Traffic Stream Measurement Report Bin 0 Range Configuring a High-Throughput Virtual APRange 0, 65535. The default value is Range 0, 255. The default value is 40MHz intolerance Select the 802.11a radio profile Select the 802.11g radio profile Transmission Maximum number of spatialCapabilities Streams usable for Stbc Supported MCS set Mode Is enabled by defaultShort guard interval in 20 MHz Short guard interval in 40 MHz Managing High-Throughput Profiles Adaptive Radio Management ARM Understanding ARM Understanding ARM Application Awareness Configuring ARM ScanningARM Support for 802.11n Monitoring Your Network with ARM Select RF Management to expand the RF Management section Configuring ARM ProfilesCreating a New ARM Profile ARM Profiles Example Wlan Description Select Adaptive Radio Management ARM Profile Configuring ARM SettingsCopying an Existing Profile Deleting a Profile Setting Description Default 8 scans That Scanning is also enabledPower Save Aware Scan Mode Default disabled Video Aware Client Aware setting is disabled Default 9 dBmScan That Scanning is also enabled Enabled, that device will ignore this setting Time Channel change Default 30 seconds Noise Threshold Default 240 secondsError Rate Threshold Change Default 50% Error Rate Wait Scanning if the load for the AP gets too high Default 1250000 BpsMode Aware Load Aware Assigning an ARM Profile to an AP Group Select Configuration AP Configuration Steering Modes Using Multi-Band ARM for 802.11a/802.11g TrafficEnabling Band Steering Enabling Band Steering Select Wireless LAN to expand the Wireless LAN sectionTo disable band steering, include the no parameter Select QoS to expand the QoS section To configure traffic shaping via the WebUIEnabling Traffic Shaping Enabling Traffic Shaping Enabling Spectrum Load Balancing To disable traffic shaping, use the default-accessparameter Configuring Non-802.11 for Noise Interference Immunity Reusing Channels to Control RX Sensitivity Tuning ARM Metrics Too many APs on the Same Channel Troubleshooting ARMWireless Clients Report a Low Signal Level Transmission Power Levels Change Too Often APs Don’t Change Channels Due to Channel Noise APs Detect Errors but Do Not Change Channels This chapter contains the following sections Wireless Intrusion PreventionWorking with the Reusable Wizard Understanding Wizard Intrusion Detection Protection features for Wlan clients Protecting Your Clients Understanding Wizard Intrusion ProtectionProtecting Your Infrastructure WIP Wizard Intrusion Protection Monitoring the Dashboard Classification Description Detecting Rogue APsUnderstanding Classification Terminology Understanding Classification Methodology Understanding Suspected Rogue Confidence Level Understanding Match MethodsUnderstanding Match Types Understanding Rule Matching Understanding AP Classification Rules Understanding Infrastructure Intrusion Detection Feature Command Trap Syslog IDWorking with Intrusion Detection 126086 Ids impersonation-profile WlsxAPSpoofingDetected 126069Detect-bad-wep WlsxStaRepeatWEPIVViolation 126016 Ids impersonation-profile Detect-malformed-large-duration Detected Require-wpa WlsxChannelMisconfiguration 127028Ids unauthorized-device-profile WlsxWirelessBridge 126036 Detect-wireless-bridge Wireless-bridge-quiet-time Detecting Ad hoc Networks Detecting an 802.11n 40MHz Intolerance SettingDetecting Active 802.11n Greenfield Mode Detecting an Ad hoc Network Using a Valid Ssid Detecting an RTS Rate Anomaly Detecting Bad WEP InitializationDetecting a Beacon Frame Spoofing Attack Detecting a Client Flood Attack Detecting Malformed Frame-Auth Detecting a Misconfigured APDetecting a Wireless Bridge Detecting Broadcast Deauthentication Detecting Wellenreiter Understanding Client Intrusion Detection Ids dos-profile WlsxOmertaAttack 126071 Ids dos-profile WlsxPowerSaveDoSAttack 126109Detect-power-save-dos-attack Detect-hotspotter-attack Hotspotter-quiet-time Detecting a Disconnect Station Attack Detecting a Meiners Power Save DoS AttackDetecting a Block ACK DoS Detecting a ChopChop Attack Detecting Unencrypted Valid Clients Detecting an Omerta AttackDetecting Rate Anomalies Detecting a Tkip Replay Attack Understanding Infrastructure Intrusion Protection Configuring Intrusion Protection Understanding Client Intrusion Protection Protecting Windows Bridge Configuring the Wlan Management System WMSNavigate to the Configuration Advanced Services Wireless Protecting Valid Stations Station Ageout Interval Configuring Local WMS SettingsNot configured Managing the WMS Database Blacklisting Manually Understanding Client BlacklistingMethods of Blacklisting Captive portal Blacklisting by Authentication FailureEnter a value in the Max Authentication failures field Enabling Attack Blacklisting Profiles list, expand the IDS menu, then select IDS profile Working with WIP Advanced FeaturesSetting Blacklist Duration Removing a Client from Blacklisting Understanding TotalWatch Channel Types and Qualifiers Configuring TotalWatch Frequency Channel Understanding TotalWatch Monitoring FeaturesUnderstanding TotalWatch Scanning Spectrum Features Understanding TotalWatch Channel Dwell Time Understanding TotalWatch Channel Visiting Administering TotalWatchConfiguring Per Radio Settings Configuring Per AP Setting DOS Licensing Configuring Tarpit ShieldingUnderstanding Tarpit Shielding Licensing CLI Commands Working with Tarpit Shielding Following topics are included in this chapter Basic Functions and FeaturesAccess Points APs Function Naming and Grouping APs You can use the WebUI or the CLI to create a new AP group Use the following command to create an AP groupCreating an AP group Assigning APs to an AP Group Click Apply and Reboot Understanding AP Configuration ProfilesWorking with Wireless LAN Profiles Page Page Working with QoS Profiles Working with AP Profiles Provisioning Mesh Profiles Working with RF Management Profiles Other Profiles Viewing Profile ErrorsProfile Hierarchy AP Specific and AP Group Profile Hierarchies Other Profile Hierarchies Verifying that APs Can Connect to the Controller Configuring Firewall SettingsDeploying APs Running the RF Plan Enabling Controller Discovery Configuring DNS ResolutionConfiguring Dhcp Server Communication with APs Verifying that APs Are Receiving IP Addresses Using the Aruba Discovery Protocol ADPNavigate to the Configuration Network IP Dhcp Server window AP92 4GHz or 5GHz Provisioning APs for MeshProvisioning 802.11n APs for Single-Chain Transmission AP Model Freqency Band Antenna Port AP134 4GHz or 5GHz Installing APs on the NetworkAP Model Freqency Band 5GHz Working with the AP Provisioning Wizard Provisioning Installed APsUpdating the RF Plan Designation an AP as Remote RAP versus Campus CAP Provisioning an Individual AP AP Provisioning Window Page AP is associated Provisioning Multiple APs using a Provisioning ProfileLMS or backup LMS values Assigning Provisioning Profiles Troubleshooting Configuring a Provisioned APAP Installation Modes Renaming an AP Clear gap-db wired-mac Optimize APs Over Low-Speed Links Configuring the Bootstrap ThresholdTo configure the bootstrap threshold using the WebUI LMS IPv6 Backup LMS IPv6 LMS Preemption RF Band for AM Mode scanningConfiguring split-tunnel forwarding Backup LMS IP When an AP process crashes Bootstrap thresholdFrom a wireless client that is connected to a tunneled Ssid Wireless frame is only encapsulated inside the IPsec tunnel Prioritizing AP heartbeats AP Redundancy AP Maintenance Mode Energy Efficient Ethernet To enable AP maintenance mode AP130 Series only Managing AP LEDs 802.11a and 802.11g RF Management Profiles RF Management Radio Managing 802.11a/802.11g Profiles Using the WebUIEnable CSA Creating or Editing a Profile MHz and 40 MHz modes Level 5 disable PHY reportingReuse feature Balancing mode Select one of the following options Radio Management ARM scanning and channel assignment Load-balancing modeChannel. The default CSA count is 4 announcements Balancing threshold Default, allowing 40 MHz operation RX Sensitivity TuningRX sensitivity tuning based channel reuse threshold, in dBm Signal strength AM Scanning Profile Assigning an 802.11a/802.11g ProfileAssigning a High-throughput Profile Profile Spectrum monitor radio Assigning an ARM Profile Creating or Modifying a Profile Managing 802.11a/802.11g Profiles Using the CLIDeleting a Profile Assigning a 802.11a/802.11g Profile Viewing RF Management SettingsTo view the settings of a specific RF management profile RF Optimization Maximum value 8 seconds RF Event ConfigurationDefault value 0 seconds Is sent to the client Recommended value is 85% Frame Error Rate HighFrame Error Rate Low Detect Frame Rate Anomalies Frame Retry Rate Low Configuring AP Channel AssignmentsSelect the Regulatory Domain profile named default Frame Retry Rate High Channel Switch Announcement CSA Automatic Channel and Transmit Power Selection Managing AP Console Settings Domain name used by the AP IP address of the AP’s master controllerIP address of the DNS server used by the AP Secure Enterprise Mesh Understanding Mesh Access Points Mesh Points Mesh Portals Mesh Clusters Understanding Mesh Links Component Description Link MetricsOptimizing Links RF Management 802.11a and 802.11g Profiles Understanding Mesh ProfilesMesh Cluster Profile Mesh Radio Profile High-Throughput Profiles Mesh High-Throughput Ssid ProfileAdaptive Radio Management Profiles Mesh Recovery Profile Understanding Mesh SolutionsWired AP Profile Point-to-Multipoint Deployment Thin AP Services with Wireless Backhaul DeploymentPoint-to-Point Deployment Sample Point-to-Multipoint Deployment High-Availability Deployment Collecting Required Information Planning a Wlan According to Your SpecificationsTask Overview AP Desired Rates 2.4 GHz Radio Properties Building Dimensions AM Desired Rates Working with Mesh Radio ProfilesManaging Mesh Profiles In the WebUI Creating a New Profile AP goes through the list and uses the next highest rate Threshold Nodes Default 10 missed heartbeats. The range isIndicates the transmit rates for the 802.11a radio Rates Used for user traffic Range 0-4094. Default 0 disabledDefault distributed-tree-rssi Recommends using this default startup-subthresholdvalue Link quality Default 2,333 bytes. The range is 256- 2,346Assigning a Profile to a Mesh AP or AP Group Editing a Profile Managing Mesh Profiles In the CLI Viewing Profile SettingsTo view the settings of a specific mesh radio profile Deleting a Mesh Radio Profile Working with Mesh High Throughput Ssid ProfilesManaging Profiles In the WebUI Assigning a Profile to an AP Group Launch then software retries Temporal Diversity EnableEnabled legacy stations are allowed Configured value adjusts based on AP capabilities Different values, separate each value with a comma Mode Enabled by defaultΜsec, 2 µsec, 4 µsec Degrade throughput Managing Profiles In the CLI Deployments with Multiple Mesh Cluster Profiles Viewing High-throughput Ssid SettingsTo view the settings of a specific high-throughput profile Understanding Mesh Cluster Profiles Managing Mesh Cluster Profiles In the WebUI Associating a Profile to Mesh APs Deleting a Mesh Cluster Profile Managing Mesh Cluster Profiles In the CLI Associating Mesh Cluster Profiles Viewing Mesh Cluster Profile SettingsTo view the settings of a specific mesh cluster profile To exclude a specific mesh cluster profile from an AP Configuring Ethernet Ports for MeshConfiguring Bridging on the Ethernet Port Excluding a Mesh Cluster Profile from a Mesh Node Configuring Ethernet Ports for Secure Jack Operation Extending the Life of a Mesh Network Outdoor AP Parameters Provisioning Mesh Nodes Provisioning Mesh Nodes Under Port Selection, click the port to configureIP settings section, select Obtain IP Address Using Dhcp Provisioning Caveats Booting the Mesh Point Understanding the AP Boot SequenceBooting the Mesh Portal Air Monitoring and Mesh Verification ChecklistVerifying the Network CLI Examples Configuring Remote Mesh Portals RMPs Creating a Remote Mesh Portal In the WebUI How RMP Works Defining the Mesh Private Vlan Provisioning the AP Adding a Mesh Cluster Profile Selecting a Mesh Radio ProfileSelecting an RF Management Profile Profile Details window Configuring a Dhcp PoolConfiguring the Vlan ID of the Virtual AP Profile Additional Information Provisioning a Remote Mesh Portal In the CLI Configuring Redundancy Parameters Configuring the Local Controller for Redundancy On the master controller Configuring the LMS IPConfiguring the Master Controller for Redundancy Controllers. Specify a key of up to 64 characters Command ExplanationEnter the master-redundancy context Router ID of the Vrrp instance This config mode command includes RF plan data when Configuring Database Synchronization Configuring Master-Local Controller Redundancy Enabling Incremental Configuration Synchronization CLI Only Redundant Topology Master-Local Redundancy Vrrp Dell PowerConnect W-Series ArubaOS 6.2 User Guide Working with Rapid Convergence Disabled Discarding BlockingUnderstanding Rstp Migration and Interoperability Rstp 802.1w Description Port Role Edge Port and Point-to-Point Configuring RstpFeature Default Value/Range Port Fast Troubleshooting RstpChange the default configurations via the command line Monitoring Rstp Dell PowerConnect W-Series ArubaOS 6.2 User Guide Rstp Enabling PVST+ in the CLI Understanding PVST+ Interoperability and Best Practices Enabling PVST+ in the WebUI From the WebUI, add a Vlan instance and enable PVST+ IP Mobility Understanding Dell Mobility Architecture On all Dell controllers in the mobility domain Configuring Mobility DomainsEnable mobility disabled by default On a master controller Configuring a Mobility Domain Joining a Mobility Domain Example ConfigurationNavigate to the Configuration Advanced Services IP Mobility On controller a the master controller Configuring Mobility using the WebUISubnetwork Mask Home Agent Address or Vrip Tracking Mobile Users Configuring Mobility using the CLIViewing mobile client status using the WebUI Viewing mobile client status using the CLI Status Type Description Viewing user roaming status using the CLIViewing specific client information using the CLI Roaming Description Status Type HA Discovery on Association Configuring Advanced Mobility FunctionsSetting up mobility association Using the CLI Mobile Client Roaming Locations Enable standalone AP Is 0-5000 visitors. The default setting is 5000 visitorsDefault setting is 3 attempts Seconds. The default setting is 5000 seconds Click Apply after setting the parameter Proxy Dhcp Proxy Mobile IP Revocations Understanding Bridge Mode Mobility Deployments Working with Inter controller Mobility Enabling Mobility MulticastWorking with Proxy Igmp and Proxy Remote Subscription Inter-controller Mobility Configuring Mobility Multicast Start at 0 from the left-most position Enable Igmp proxy on the FastEthernet Ieee 802.3 interfaceEnable Igmp snooping Example External Firewall Configuration Understanding Firewall Port Configuration Among Dell Devices Configuring Ports to Allow Other Traffic Types Enabling Network AccessPorts Used for Virtual Internet Access VIA Page Remote Access Points About Remote Access Points Remote AP with a Private Network Configure the NAT Device Configuring the Secure Remote Access Point ServiceConfigure a Public IP Address for the Controller Using the WebUI to create a DMZ address You can use the CLI or the WebUI to configure Chap Configure the VPN ServerChap Authentication Support over PPPoE Using the WebUI to configure Chap Creating a Remote AP Whitelist Configuring Certificate RAPUsing the CLI to configure the Chap RAP Static Inner IP Address Configuring PSK RAPUsing WebUI Using CLI IP-Address parameter in the local database Provision the AP Deployment Scenario Master IP Address Value Deploying a Branch Office/Home Office Solution Local Debugging Configuring the Branch Office APTroubleshooting Remote AP Provisioning the Branch Office AP Basic View Information Advanced View Information Name Remote AP Connectivity Seamless failover from backup link to primary link on RAPMultihoming on remote AP RAP Data Description Enabling Remote AP Advanced Configuration OptionsRemote AP Diagnostics Understanding Remote AP Modes of Operation Remote Oper Forward Mode Setting Ation SSIDs Working in Fallback ModeOnly Ssid configuration Stored in flash on Essid is up when Same behavior as Not supported AP contacts Configuring the AAA Profile for Fallback Mode in the WebUI Configuring Fallback ModeBackup Configuration Behavior for Wired Ports Configuring the AAA Profile for Fallback Mode in the CLI Configuring the Dhcp Server on the Remote AP Using the WebUI Configuring the Session ACL in the WebUI Configuring Advanced Backup Options Configuring the AAA Profile in the WebUI Route src-nat Defining the Backup Configuration in the WebUIConfiguring the Session ACL in the CLI Configure the Remote-AP Dhcp Server fields You can define other parameters as needed Specifying the DNS Controller SettingUsing the CLI to configure the AAA profile Defining the Backup Configuration in the CLI Backup Controller List Configuring the LMS and backup LMS IP addresses in the CLI Configuring Remote AP Failback To disable, enter Enabling RAP Local Network AccessConfiguring Remote AP Authorization Profiles To enable, enter Understanding Split Tunneling Working with Access Control Lists and Firewall PoliciesAdding or Editing a Remote AP Authorization Profile Sample Split Tunnel Environment Configuring Split Tunneling Configuring the Session ACL Allowing Tunneling Configuring an ACL to Restrict Local Debug Homepage Access Enable Restricted Access to LD Homepage Configuring the AAA Profile for Tunneling Inthe CLI Configuring the Tunneling Virtual AP Profile Defining Corporate DNS Servers Provisioning Wi-Fi MultimediaNavigate to Configuration Wireless AP Configuration Reserving Uplink Bandwidth Configuring Bandwidth ReservationTo configure bandwidth reservation Navigate to Configuration Advanced Services All Profiles Provisioning RAP for USB Modems Provisioning 4G USB Modems on Remote Access PointsNavigate to Configuration Wireless AP Installation 4G USB Modem Provisioning Best Practices and Exceptions RAP 3G/4G Backhaul Link Quality Monitoring Pantech Configuring W-IAP3WN Access Points Converting an IAP to CAP Converting an IAP to RAP or CAPConverting IAP to RAP Applying Contracts Configuring Bandwidth Contracts for RAPEnabling Bandwidth Contract Support for RAPs Defining Bandwidth Contracts Verifying Contracts Applied to Users Verifying Contracts on AP Verifying Bandwidth Contracts During Data Transfer Following is a sample output for a per-user configurationPage How it Works Virtual Intranet AccessUnderstanding VIA Connection Manager User action / environment VIA’s behavior Installing the VIA Connection ManagerOn Microsoft Windows Computers On Apple MacBooks Complete Upgrade Configuring the VIA ControllerUpgrade Workflow Minimal Upgrade Before you Begin Supported Authentication MechanismsAuthentication mechanisms supported in VIA Other authentication methods Suite-B Configuring VIA Settings Create VIA User Roles Using the WebUI to Configure VIAEnable VPN Server Module Create VIA Authentication Profile To create VIA connection profile Create VIA Connection ProfileEnter a name for the server group Configuration Option Description Client Auto-Login To the support email-address for troubleshootingList of all IKEv2 authentication methods Default None Use Windows Credentials Enable SupplicantEnable Fips Module VIA Authentication Name\username instead of just username To configure VIA web authentication profile Configure VIA Web Authentication To associate a VIA connection profile to a user role Configure VIA Client Wlan ProfilesTo configure a VIA client Wlan profile Associate VIA Connection Profile to User Role Mschapv2-use-windows-credentials Option DescriptionCryptobinding TLV Servers or trusted certification authorities To download the VIA installer and version file Rebranding VIA and Downloading the InstallerDownload VIA Installer and Version File Create VIA connection profiles Using the CLI to Configure VIACreate VIA authentication profiles Create VIA roles Requires the following Microsoft KB on the end-user systems Customize VIA logo, landing page and downloading installerDownloading VIA Pre-requisites Downloading VIA Login to Download VIA Connection Details Tab Installing VIAUsing VIA Settings Tab TroubleshootingDiagnostic Tab AP104 Yes Understanding Spectrum AnalysisSpectrum Analysis Device Graph Title Device Configurable as aHybrid AP? Graph Title Description Update Interval Swept Spectrum Analysis ClientsSpectrogram Real-Time FFT Hybrid AP Channel Changes Hybrid APs Using Mode-Aware ARMCreating Spectrum Monitors and Hybrid APs Converting an Individual AP to a Spectrum Monitor Converting APs to Hybrid APs Select AP to expand the AP profiles section Converting a Group of APs to Spectrum Monitors Connecting Spectrum Devices to the Spectrum Analysis Client To manually disconnect a spectrum monitor or hybrid AP Disconnecting a Spectrum DeviceView Connected Spectrum Analysis Devices Table Column Description Click the Spectrum Dashboards tab Configuring the Spectrum Analysis DashboardsSelecting a Spectrum Monitor Click theSpectrum Dashboards tab Changing Graphs within a Spectrum View Select Rename Renaming a Spectrum Analysis Dashboard ViewSaving a Dashboard View Resizing an Individual Graph Customizing Spectrum Analysis Graphs Active Devices Spectrum Analysis Graph Configuration Options Show Channel Range Column may display any of the following values Service set identifier of the device’s 802.11 wireless LANActive Devices Table Device Type Select the button by the Less than drop down list Select the button by the symbolRadio band or channel Column heading MHz Active Devices TrendDetects on the radio channel Center Frequency Select one of the following device types Wi-Fi data as non-Wi-Fi dataChannel Metrics Show lines for these Radio band displayed in this graph Channel Metrics Graph Channel Metrics Trend Unselect the checkbox to hide that information Drop-down list and select one of the following optionsMinutes Hour Monitor Channel Summary Table Band Radio band displayed in this graph Device Duty Cycle Following device types Channel Utilization TrendNumbering Identify a channel numbering scheme for the graph Uncheck the checkbox by that channel number As non-Wi-Fi dataDevices vs Channel Intervals Devices vs Channel Options FFT Duty Cycle FFT Duty Cycle Interference Power Interference Power Options Device types Quality Spectrogram Data Real-Time FFT Frequencies for the graph Axis Right field, and the higher value in the left field Frequency Center of the x-axis of this chart SpanSwept Spectrogram Center Simple Line Graph of FFT Power Data Swept Spectrogram Options Working with Non-Wi-Fi Interferers Device vs Channel Interference Power Non-Wi-Fi Description Interferer Viewing Spectrum Analysis Data Understanding the Spectrum Analysis Session Log To record spectrum analysis data for later analysis Recording Spectrum Analysis DataCreating a Spectrum Analysis Record To save the recording file Saving the RecordingPlaying a Spectrum Analysis Recording Playing a Recording in the Spectrum Dashboard Click Load File For Playback Playing a Recording Using the RFPlayback ToolClick the Recording View/Play link at the top of the window Loading a Spectrum View Troubleshooting Spectrum AnalysisTroubleshooting Browser Issues Converting a Spectrum Monitor Back to an AP or Air Monitor Understanding Device Ageout Times Understanding Spectrum Analysis Syslog MessagesPlaying a Recording in the RFPlayback Tool Age Out Generic Frequency Hopper Age Out Generic Fixed FrequencyHopper Seconds APs Monitoring PerformanceDashboard Monitoring Clients Monitoring Usage Using Dashboard Histograms Monitoring WLANs Monitoring Potential IssuesMonitoring Security Monitoring Clients Monitoring Access Points Element To disable this setting, include the no parameterMonitoring Firewalls Element View Bytes Tx Bytes Rx Bytes Element DescriptionColumn User Bytes Packets Device Destination Details ViewElement Tab Element Summary View Application Usage Breakdown Usage Breakdown Aggregated Sessions Destination Alias Column DescriptionSource IP Management Access Configuring Certificate Authentication for WebUI Access Enabling Public Key Authentication for SSH Access Select the client certificate Click Apply Enabling Radius Server Authentication Configuring Radius Server Authentication with VSA Configuring a set-value server-derivation rule Resetting the Admin or Enable Password Disabling Authentication of Local Management User AccountsVerifying the configuration User admin Password Bypassing the Enable Password Prompt Configure the settings described in Table Implementing a Specific Management Password PolicySetting an Administrator Session Timeout Defining a Management Password Policy Allowed Characters Disallowed Characters Period Pipe Plus sign + Tilde ~ Comma Accent mark ` Management Authentication Profile ParametersAllowed Characters Colon About Digital Certificates Managing Certificates Enter the following information Navigate to the Configuration Management Certificates CSRObtaining a Server Certificate Parameter Description Range PKCS7 encrypted PKCS12 encrypted Run the following commandObtaining a Client Certificate Importing Certificates Location Description Use the following command to import CSR certificatesViewing Certificate Information Imported Certificate Locations Snmp Parameters for the Controller Configuring SnmpChecking CRLs Configuring Logging Category/Subcategory Description 802.1x messages Radius Radius user messages Category/SubcategoryLogging Level Description Enabling Guest Provisioning Configuring the Guest ProvisioningConfiguring the Guest Fields Guestcategory Guest Field Fields that follow Configuring the Page DesignGuest Field Description Provisioning page for the sponsor information Navigate to the Configuration Management SMTPpage Configuring the Smtp Server and Port in the WebUIConfiguring Email Messages Creating Email Messages in the WebUI Configuring an Smtp server and port in the CLIClick Apply and then Save Configuration Management Users section, click Add Configuring a Guest Provisioning UserUsername and Password Authentication Method Static Authentication Method Click Apply and Save Configuration Customizing the Guest Access PassSmart Card Authentication Method Username and Password Method Customized Guest Account Information Window Creating Guest Accounts Creating a Guest Account-New Guest Window Guest Provisioning User Tasks Creating Multiple Guest Entries in a CSV File Importing Multiple Guest Entries CVS File Format-Guest Entries Information Importing the CSV File into the Database Importing a CSV file that contains Guest Entries Displaying the Guest Entries Log File Printing Guest Account Information Optional ConfigurationsRestricting one Captive Portal Session for each Guest Managing Files on the Controller Setting the Maximum Time for Guest AccountsUsing the WebUI to set the maximum time for guest accounts Using the CLI to set the maximum time for guest accounts Username to log into server Server Type ConfigurationNavigate to the Maintenance Controller Image Management Transferring ArubaOS Image Files Copying Log Files Backing Up and Restoring the Flash File System Copying Other Files Setting the System ClockManually Setting the Clock Navigate to the Configuration Management Clock Clock Synchronization Configuring NTP Authentication Threshold Description Enabling Capacity AlertsTimestamps in CLI Output User-capacity Sent. The default threshold for this parameter is 80%Examples Adding Local Controllers Configuring Local ControllersUsing the Initial Setup Using the Web UI Configuring Layer-2/Layer-3 SettingsConfiguring Trusted Ports Configuring Local Controller Settings Moving to a Multi-Controller Environment Configuring APsUsing the WebUI to configure the LMS IP Using the CLI to configure the LMS IP Configuring a Preshared Key Using the CLI to configure a PSK Configuring a Controller CertificateUsing the WebUI to configure a Local Controller PSK Using the WebUI to configure a Master Controller PSK Using the CLI to configure the Master Controller Certificate Advanced Security Securing Client Traffic Wireless xSec Client Example Securing Wireless Clients Securing Wired Clients Navigate to the Configuration Advanced Services Wired Access Securing Wireless Clients Through Non-Dell APs Securing Clients on an AP Wired Port Succeed Time to wait for authentication to For Controller Configuring Controllers for xSecSecuring Controller-to-Controller Communication Installing the Odyssey Client Configuring the Odyssey Client on Client Machines Modifying a regedit Policy Certificate Information Page Voice and Video License Requirements Configuring Voice and VideoSetting up Net Services Using Default Net Services Net Service Name Protocol Port Configuring User RolesCreating Custom Net Services Using the Default User Role Creating or Modifying Voice User Roles Using the WebUI to configure user rolesService Name Navigate to the Configuration Security Access Control Click Done Click Apply Using the CLI to configure a user role Using the WebUI to derive the role based on MAC OUI Using the User-Derivation RolesUsing the WebUI to derive the role based on Ssid Using the CLI to derive the role based on Ssid Configuring Video over Wlan enhancements Configuring Firewall Settings for Voice and Video ALGsAdditional Video Configurations Pre-requisites To enable Igmp snooping To add the ACL to a user role Configure multicast rate optimization for video traffic Set a bandwidth percentage for the following categories Configure and apply a bandwidth management profile Enable Igmp Proxy Enable multicast shaping on the firewall Enable Igmp Snooping Configure ARM scanning for video traffic Configure multicast rate optimization for the video traffic This step is optional Configure and apply bandwidth management profileWorking with QoS for Voice and Video Understanding VoIP Call Admission Control Profile Voip Tspec Enforcement Understanding Wi-Fi MultimediaTo enable call admission control in this profile Lowest Background Best effort Video Voice Highest Configuring WMM AC MappingPriority 802.1p Priority WMM Access Category Enabling WMM Background Best effort Video Voice Dscp Decimal Value WMM Access CategoryUsing the WebUI to map between WMM AC and Dscp Using the CLI to map between WMM AC and Dscp Configuring Dscp Priorities WMM Access Category Description 802.1p Tag Configuring Dynamic WMM Queue ManagementEnhanced Distributed Channel Access Microseconds, enter 94 3008/32. Possible values are Using the WebUI to configure Edca parametersDisables this option 1. a value of 4 computes to 2 4-1 = 15. Possible values are To associate the Edca profile instance to a Ssid profile Enabling WMM Queue Content EnforcementUsing the CLI to configure Edca parameters Port Packet Type Understanding Extended Voice and Video FeaturesMicrosoft OCS Apple Facetime Scanning for VoIP-Aware ARM Enabling WPA Fast HandoverEnabling Mobile IP Home Agent Assignment Disabling Voice-Aware Configuring SIP Authentication Tracking Viewing Real Time Call Quality Reports To configure Real Time analysis on voice callsEnabling Real Time Call Quality Analysis Web UI SIP session timer is implemented in the SIP ALG as per RFC Enabling SIP Session Timer Click the Policies tab To configure the session timer and the timeout valueTo view the SIP settings on the controller Select the Classify Media check box Enabling Wi-Fi Edge Detection and Handover for Voice Clients Understanding Dial Plan Format Expand Handover Trigger under Wireless LanClick the Apply button to save the configuration Working with Dial Plan for SIP Calls Action Description Configuring Dial Plans Dialplan Profile displays the dial plan details Dialplan Profile To view the SIP dial plan profile Enabling Enhanced 911 SupportTo create a voice dial plan profile To associate the dial plan with SIP ALG Working with Voice over Remote Access Point Enabling Lldp Understanding Battery Boost Configure the Lldp profile parameters as desired then click Show the power support capabilities of the AP interface Lldp PDUs. The AP will send all optional TLVs by defaultLldp PDUs. The AP will send all 802.1 TLVs by default Lldp PDUs. The AP will send all 803.2 TLVs by default LLDP-MED Profile Configuration Parameters Apply to save your settings Viewing Troubleshooting Details on Voice Client Status Advanced Voice Troubleshooting Connected To view the details of a completed call based on the CDR Id Viewing Troubleshooting Details on Voice Call CDRs Enabling Logging for a Specific Client Navigate to the Configuration Management LoggingEnabling Voice Logs To debug voice logs for a specific client To view the voice signaling message tracesViewing Voice Traces To set the voice logging level to debugging To view the voice configuration details on your controller Viewing Voice Configurations SIP settings Value Parameter Termination of Instant AP VPN tunnels L2/L3 network mode supportOverview Instant AP VPN Support External Whitelist DB VPN ConfigurationWhitelist DB Configuration Controller Whitelist DB Radius proxy for VPN connected IAPs VPN Local Pool ConfigurationVPN Profile Configuration Viewing Branch Status Output of this command includes the following parameters USB Ports Understanding W-600 Series Best Practices and ExceptionsSeries Controllers Controller Finding USB Modem Commands Connecting with a USB Cellular ModemsSwitching Modes Cellular Profile Uplink Manager Cellular Profile from the WebUI Dialer Group Verify the modem is registered with the Uplink Manager Configuring a Supported USB Modem If you get entries similar to the example below Configuring a New USB ModemConfiguring the Profile and Modem Driver Driver=none Configuring the TTY Port Selecting the Dialer Profile Testing the TTY Port Linux Support Setting Up NAS Network-Attached Storage DevicesNAS Device Setup View list of shares in a disk Configuring in the CLIManaging NAS Devices Controller wake-up Green-solid Button Mounting and Unmounting DevicesNAS Media Green-solid Press and hold media To view a list of printers mounted on the controller, type Connecting to a Print ServerPrinter Setup Using the CLI Additional Commands for Managing Printers Remote Branch 1-W-650 Controller Series Sample Topology and Configuration Remote Branch 2-W-650 Controller Central Office Controller-Active Central Office Controller-Backup Page Sample ESI Topology External Services Interface ESI-Fortinet Topology ESI Parser Domains Understanding the ESI Syslog Parser Syslog Parser Rules Peer Controllers User Pattern Matching Configuring ESICondition Pattern Matching Enter a Profile Name Configuring Health-Check Method, Groups, and ServersDefining the ESI Server Enter a Group Name To configure an ESI server group on the controllerDefining the ESI Server Group Server Name Redirection Policies and User Role Deleting an existing syslog parser domain ESI Syslog Parser Domains and RulesManaging Syslog Parser Domains in the WebUI Adding a new syslog parser domain Editing an existing syslog parser domain Use these CLI commands to manage syslog parser domainsManaging Syslog Parser Domains in the CLI Managing Syslog Parser Rules Editing an existing syslog parser rule Adding a new parser ruleDeleting a syslog parser rule Use these CLI commands to manage syslog parser rules Testing a Parser Rule Showing ESI syslog parser rule information Sample Route-mode ESI TopologyMonitoring Syslog Parser Statistics IP routing configuration on Fortinet gateway Configuring the Example Routed ESI TopologyESI server configuration on controller Defining the Ping Health-Check Method Health-Check Method, Groups, and Servers Enter a Group Name. Enter fortinet Trusted IP Address. Enter Untrusted IP Address. Enter Redirection Policies and User Role To add a new syslog parser domain for the routed example Syslog Parser Domain and RulesAdd a New Syslog Parser Domain in the WebUI Adding a New Parser Rule in the WebUI Example NAT-Mode Topology Sample NAT-mode ESI Topology ESI server configuration on the controller Profile Name. This example uses externalcpping Configuring the Example NAT-mode ESI TopologyConfiguring the NAT-mode ESI Example in the WebUI Configuring the ESI Group in the WebUI Policy Name. This example uses cpredirectacl Configuring the Example NAT-mode Topology in the CLIConfigure the ESI Servers in the WebUI Configuring the Redirection Filter in the WebUI CLI Configuration Example Configuring a Health-Check PingConfiguring ESI Servers Using the ESI Group in a Session Access Control List Character-Matching Operators Understanding Basic Regular Expression BRE Syntax Description Sample Result Regular Expression Repetition OperatorsRegular Expression Anchors References External User Management Working with the ArubaOS XML API Works Deleting a User Authenticating a UserCreating an XML Request Adding a User Blacklisting a User Default Response FormatFormat of a default XML response from the controller is XML Response Code Reason message Response Codes Code Reason message Description Query Command Response Format Associating the XML API Server to a AAA profile Using the XML API ServerConfiguring the XML API Server Verify the XML API server configuration Vlan Associating the Captive Portal Profile to an Initial Role Set up Captive Portal profile Dell controllers configuration Authentication Command DescriptionOptions Description Range / Defaults This command deletes the user from the controller Monitoring External Captive Portal Usage Statistics Sample Code Using XML API in C LanguagePage Page List all parameter that you can use in a request Understanding Request and ResponseUnderstanding XML API Request Parameters Response from the controller This command will add a client on your networkUnderstanding XMl API Response Adding a Client Deleting a Client Authenticating a ClientView the updated details of the client on the controller Status of the client after authentication Status of the client before authenticationSending the authentication command Querying for Client Details Blacklisting a Client-request and response Blacklisting a Client RF Plan Supported Planning Outdoor-Specific Deployment Considerations Configuration ConsiderationsPlanning Deployment Pre-Deployment Considerations Dual-Port AP Considerations Post-Deployment Considerations Buttons Description Launching the RF PlanCampus List Edit a campus from the building list pane Building List PaneButtons Building Dimension Building Specifications Overview AP Modeling Parameters Radio Type Radio Description Button Design ModelOverlap Factor Radio Property Description Users/APRadio Properties Desired Rates and HT Support Options Overlap Description Factor Valid values are 54, 48, 36, 24, 18, 12, 9, 6, 11, 5.5, 2 AM ModelingNumber of available channels Radio Button Description Planning FloorsDesign Models Monitor Rates Zoom You can select or adjust the features as described in Table Naming Approximate Coverage MapFloor Editor Dialog Box Level Background Images Area Editor Dialog Box Area Types Location and Dimensions Fixed Access Point Editor Dialog Box Y Coordinates Power Levels802.11n Features Radio Types Memo AP PlanInitialize Optimize Viewing the Results AM PlanFix All Suggested AP/AMs Exporting and Importing Files Export Buildings Export CampusImport Campus Import Buildings Locate Property Description Fqln Mapper Search Results Using the Fqln Mapper in the AP Provision Height Using the WebUIRF Plan Example Sample Building Create a Building Campus Name Model the Access PointsText Box Information Adding the background image and naming the second floor Model the Air MonitorsAdd and Edit a Floor Adding the background image and naming the first floor Running the AP Plan Creating a Don’t Deploy Area Click Initialize then Optimize Running the AM PlanClick Initialize Click Optimize Forwarding Mode Feature Not Supported Understanding Mode SupportBehavior and Defaults Name Protocol Understanding Basic System DefaultsNetwork Services Name Protocol Ports Following are predefined policies PoliciesPredefined Policy Description Network access. You can use this rule to Used to enable the captive portal logoutAccess the controllers administrative Be modified. It permits APs to boot up This policy can be used to source-NAT all Permits all DNS trafficNAT-T UDP 4500. Remove NAT-T if not Needed Following are predefined roles RolesPredefined Role Description Profiles with different customization Enables captive portalShould be disabled if it is not needed Beginning ArubaOS software includes predefined management user roles Understanding Default Management User RolesPredefined Role Permissions Show wlan-ap-count type access-points Show aaa state configurationShow aaa authentication-server all Show switches summary Monitoring Controller Clients Packet CaptureMonitoring Port Protocol Where Used Description Number Understanding Default Open Ports Exposed to wireless users Controller Remote wired MAC lookup 4343Testing Port is not exposed to wireless users Dhcp with Vendor-Specific Options Configuring a Windows-Based Dhcp ServerConfiguring Option To configure option 60 on the Windows Dhcp server Field Information To configure option 43 on the Windows Dhcp server Scope Options Dialog Box Enabling Linux Dhcp Servers Navigate to Configuration Network IP IP InterfacesEnabling Dhcp Relay Agent Information Option Option Range 10.200.10.200 Radius Client Configuration Configuring Microsoft IAS802.1X Configuration for IAS and Windows Clients Active Directory Database Remote Access PoliciesConfiguring Policies Click Configure to select additional properties IAS Remote Access Policies Policy Configuration Wizard-Authentication Methods Radius class Attribute Configuration Configuring Radius Attributes Next, create a remote policy for your new Radius client Configuring Management Authentication using IASCreating a Remote Policy Creating a User Entry in Windows Active Directory Defining Properties for Remote Policy Configuring a Server Group for IAS Management Authentication Click Begin Test Window XP Wireless Client Sample ConfigurationNavigate to DiagnosticsAAA Test Server Wireless Networks Networks to Access Wireless Network Association Wireless Network Authentication Protected EAP Properties EAP MSCHAPv2 Properties Definition AcronymsAcronyms and Terms Acronym DoS Acronym MSCHAPv2 RoW PoEPPPoE QoS VoFI VoIP XAuth TermsTerm WISPr Term Term Definition IR wireless Encryption authenticationFixed wireless Shops are providing free wireless access for customers Near field communicationNFC Optical wirelessHills, mountains, and large human-made structures Input, multiple output Standards for broadband wireless access BWA networks. WiMAX Access W-CDMAWi-Fi Facilities offer public access to Wi-Fi networks Yagi antenna Wireless service providerWired LAN Kilometers