User Guide
Copyright Information
Open Source Code
Legal Notice
Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
477
485
490
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Feature Description
What’s New In ArubaOS
About this Guide
Spectrum enhancements
Users using them in a given network
Issued
Spectrum recording information
Fundamentals
WebUI
Related Documents
Conventions
Type Style Description
Page
Understanding Basic Deployment and Configuration Tasks
Basic User-Centric Networks
Deployment Scenario #1 Controller and APs on Same Subnet
APs All on One Subnet Different from Controller Subnets
APs on Multiple Different Subnets from Controllers
Configuring the Controller
Running Initial Setup
Dell W-7200 Series Controller
Using the LCD Screen
Connecting to the Controller after Initial Setup
New Port Numbering Scheme
Displays
Using the LCD and USB Drive
Uploading a Pre-saved Configuration
Upgrading an Image
Configuring a Vlan to Connect to the Network
Disabling LCD Menu Functions
Assigning and Configuring the Trunk Port
Creating, Updating, and Viewing VLANs and Associated IDs
Creating, Updating, and Deleting Vlan Pools
To confirm the port assignments, use the show vlan command
Configuring the Default Gateway
Configuring the Loopback IP Address for the Controller
WebUI
Configuring the System Clock
Enter y to reboot the controller or n to cancel
Controller returns the following messages
Installing Licenses
Enabling Wireless Connectivity
Configuring Your User-Centric Network
Connecting the Controller to the Network
Must explicitly enable Telnet on the controller
Control Plane Security
Control Plane Security Overview
Configuring Control Plane Security
Configure the following control plane security parameters
Parameter Description
CLI
Example
Managing AP Whitelists
Adding APs to the Campus and Remote AP Whitelists
Address as a name
Viewing Whitelist Status
Status Entry
Control Plane Security Campus AP Whitelist status only
Status Entry Description
Command Description
Modifying an AP in the Campus AP Whitelist
Click the Campus AP Whitelist tab
Revoking an AP via the Campus AP Whitelist
Deleting an AP Entry from the Campus AP Whitelist
Purging the Campus AP Whitelist
Campus AP whitelist contains Master switch
Managing Whitelists on Master and Local Controllers
With local Dell
Campus AP Whitelist Synchronization
Viewing and Managing the Master or Local Switch Whitelists
Viewing the Master or Local Switch Whitelist
Data Column Description
Deleting an Entry from the Master or Local Switch Whitelist
Purging the Master or Local Switch Whitelist
Configuring Networks with a Backup Master Controller
Configuring Networks with Clusters of Master Controllers
Working in Environments with Multiple Master Controllers
Click the Cluster Setting tab
Creating a Cluster Root
Viewing Controller Cluster Settings
To view your current cluster configuration via the WebUI
Creating a Cluster Member
Replacing a Controller on a Multi-Controller Network
Replacing Controllers in a Single Master Network
Replacing a Local Controller
Replacing a Master Controllerwith No Backup
Replacing a Redundant Master Controller
Replacing a Local Controller in a Multi-Master Network
Replacing a Cluster Member Controller with no Backup
Replacing Controllers in a Multi-Master Network
Replacing a Redundant Cluster Member Controller
Replacing a Redundant Cluster Root Controller
Identifying Certificate Problems
Configuring Control Plane Security after Upgrading
Troubleshooting Control Plane Security
Manually Certify Campus APs
Verifying Certificates
Disabling Control Plane Security
Verifying Whitelist Synchronization
Supported APs
Rogue APs
Understanding License Terminology
Software Licenses
Working with Licenses
License
Using Licenses
Working with Licenses on a Multiple Controller Network
Basis What Consumes One License
Understanding License Interaction
Controller Total AP Count Campus APs Remote APs
License Installation Best Practices and Exceptions
Installing a License
Enabling a new license on your controller
Obtaining a Software License Key
Requesting a Software License in Email
Locating the System Serial Number
Creating a Software License Key
Moving Licenses
Resetting the Controller
Deleting a License
Applying the Software License Key in the WebUI
Page
You can create and update a single Vlan or bulk VLANs
Configuring VLANs
Network Configuration Parameters
Navigate to the Configuration Network VLANs
Creating a Named Vlan not in a Pool
Navigate to Configuration Network VLANs
Creating Named VLANs
Creating Bulk VLANs In the WebUI
This example assigns a name to an existing Vlan ID
Using the WebUI
Creating a Vlan Pool
This example assigns a Vlan name in a virtual AP
Distinguishing Between Even and Hash Assignment Types
Creating a Vlan Pool
Following example shows how to view Vlan IDs to a Vlan pool
Creating a Vlan Pool Using the CLI
Viewing and Adding Vlan IDs Using the CLI
Updating a Vlan Pool
Adding a Bandwidth Contract to the Vlan
Optimizing Vlan Broadcast and Multicast Traffic
Proxy Arp is disabled for the Interface
Configuring Ports
Using the CLI
Navigate to Configuration Network IP
About Trusted and Untrusted Physical Ports
Configuring Trusted/Untrusted Ports and VLANs
Classifying Traffic as Trusted or Untrusted
About Trusted and Untrusted VLANs
For Port Mode select Trunk
This example
Understanding Vlan Assignments
How a Vlan Obtains an IP Address
Assigning a Static Address to a Vlan
Navigate to the Configuration Network IP IP Interfaces
Configuring a Vlan to Receive a Dynamic Address
Configuring Multiple Wired Uplink Interfaces Active-Standby
Enabling the Dhcp Client
Enabling the PPPoE Client
Select Obtain an IP address with PPPoE
Default Gateway from DHCP/PPPoE
Configuring DNS/WINS Server from DHPC/PPPoE
Select Apply
Configuring Source NAT to Dynamic Vlan Address
Configuring Source NAT for Vlan Interfaces
Example Configuration
Inter-VLAN Routing
Configuring Static Routes
Using the WebUI to restrict Vlan routing
Navigate to the Configuration Network IP IP Interface
Configuring the Loopback IP Address
Modify the IP Address as required Click
Apply
Configuring the Controller IP Address
Configuring GRE Tunnels
Using the CLI
Directing Traffic into the Tunnel
Navigate to the Configuration Network IP GRE Tunnels
Creating a Tunnel Interface
Static Routes
Tunnel Keepalives
WebUI
CLI
Understanding IPv6 Topology
This chapter describes ArubaOS support for IPv6 features
Understanding IPv6 Notation
IPv6 Support
Enabling IPv6
Enabling IPv6 Support for Controller and APs
Features Supported on IPv6 APs?
To Configure Global Unicast Address
Configuring IPv6 Addresses
To Configure Link Local Address
Yes Limited
Configuring IPv6 Static Neighbors
To Configure Loopback Interface Address
To Configure Static IPv6 Routes
Configuring IPv6 Default Gateway and Static IPv6 Routes
To Configure IPv6 Default Gateway
Managing Controller IP Addresses
Configuring Multicast Listener Discovery MLD
To Modify IPv6 MLD Parameters
Debugging an IPv6 Controller
Provisioning an IPv6 AP
Working with IPv6 Router Advertisements RAs
Configuring a Captive Portal over IPv6
Filtering an IPv6 Extension Header EH
To view the EH types denied
Configuring an IPv6 RA on a Vlan
Using WebUI
You can use the WebUI or CLI to configure IPv6 RA on a Vlan
Configuring Optional Parameters for RAs
Using CLI
To configure IPv6 recursive DNS server
Navigate to the ConfigurationNetworkIP
To configure neighbor discovery retransmit time
To configure RA hop-limit
Supported Network Configuration
Viewing IPv6 RA Status
Understanding Authentication
Authentication Method Supported for IPv6 Clients?
XSec No not tested MAC-based Yes
Working with Firewall Features
Authentication Description Method
Understanding Firewall Policies
Field Description
Assigning an IPv6 Policy to a User Role
To assign an IPv6 policy using the WebUI
Creating an IPv6 Firewall Policy
For Host IP, enter 2002d81ff9f01000
Managing IPv6 User Addresses
Understanding IPv6 Exceptions and Best Practices
Host config #ipv6 enable
Understanding Lacp Best Practices and Exceptions
Link Aggregation Control Protocol Lacp
Configuring Lacp
Set the port priority
Lacp Sample Configuration
151
Understanding Ospf Deployment Best Practices and Exceptions
OSPFv2
Wlan Routing Table
Understanding OSPFv2 by Example using a Wlan Scenario
Wlan Topology
Below is the routing table for Router
Branch Office Topology
Branch Office Ospf Topology
Routing table of the Central office controller is below
Configuring Ospf
Branch Office Routing Table
Routing table for Router 1 is below
General Ospf Configuration
Select the Add button to add an area see Figure
Sample Topology and Configuration
Remote Branch
Remote Branch
Central Office Controller-Active
Central Office Controller-Backup
OSPFv2 Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide OSPFv2
Understanding Tunneled Node Configuration
Tunneled Nodes
For example
Configuring a Wired Tunneled Node Client
Navigate to ConfigurationAdvanced ServicesWired Access
WebUI
Locate the Wired Access Concentration Configuration section
Configuring an Access Port as a Tunneled Node Port
Configuring a Trunk Port as a Tunneled Node Port
Verify the configuration
Sample Output
On the tunneled node client
Page
Authentication Servers
Understanding Servers and Server Groups
Configuring Servers
Configuring a Radius Server
Describes the parameters you configure for a Radius server
Override the global configuration
Timeout
Default 5 seconds
NAS IP address to send in Radius packets
Radius Server Fully Qualified Domain Names
Configuring an RFC-3576 Radius Server
Radius Server Authentication Codes
Set a DNS Query Interval
Configuring an Ldap Server
Describes the parameters you configure for an Ldap server
Host IP address of the Ldap server Default N/A Admin-DN
Defines the TACACS+ server parameters
Configuring a TACACS+ Server
Enter parameters as described in Table
Type Connection type is Ldap-s Start-tls Clear-text
Configuring a Windows Server
Configuring the Internal Database
Managing the Internal Database
Parameters
Exporting Files in the WebUI
Enter the following command in enable mode
Managing Internal Database Files
Parameters Description
Configuring Server Groups
Working with Internal Database Utilities
Configuring Server Groups
Configuring Server List Order and Fail-Through
Configuring Dynamic Server Selection
Select Fail Through
Click Add Rule
Scroll to the right and click Add Server Click Apply
Configuring Match Fqdn Option
Trimming Domain Information from Requests
Configuring Server-Derivation Rules
Controller when the rule is applied
Default bottom
Top
Navigate to the Configuration Management Administration
User Authentication
Management Authentication
Assigning Server Groups
Accounting
Radius Accounting
Select AAA Profile, then select the AAA profile instance
Configuring Authentication Timers
Timer Description
TACACS+ Accounting
Logon User Lifetime
Setting an Authentication Timer
Default 5 minutes
Range
Configuring the MAC Authentication Profile
Configuring MAC-Based Authentication
MAC-based Authentication
Parameter
Using the CLI to configure a MAC authentication profile
Configuring Clients
Using the WebUI to configure a MAC authentication profile
Disables blacklisting
CLI
Understanding 802.1X Authentication
802.1X Authentication
Configuring Authentication with a Radius Server
Supported EAP Types
Configuring Authentication Terminated on Controller
802.1X Authentication with Radius Server
Configuring 802.1X Authentication
Timer per role overrides this setting
Failures, and the default value is 0 failures
Default User Role Guest role Reauthentication
This option is disabled by default
Count
Interval Seconds, and the default value is 30 seconds
Default value is
Requests
Authentication takes place
Key Exchange Delay between WPA/WPA2
Disable this feature
Option is disabled by default
Disabled by default
For the cached information. The default value is 24 hours
Use to authenticate itself to the client
Negotiation Disabled by default WPA-Fast-Handover
Configuring and Using Certificates with AAA FastConnect
Configuring User and Machine Authentication
Machine User Auth Description Role Assigned Status
Machine Auth User Auth Description Vlan Assigned Status
Authenticated Vlan configured Virtual AP profile
Enabling 802.1x Supplicant Support on an AP
Virtual AP profile
To view the 802.1x authentication details on the controller
Prerequisites
Provisioning an AP as a 802.1X Supplicant
Configuring Roles and Policies
Sample Configurations
Configuring Authentication with an 802.1X Radius Server
Creating the Student Role and Policy
Can use the alias for other rules and policies
Using the WebUI
Creating the Faculty Role and Policy
Creating the Guest Role and Policy
Under Time Range, select working-hours
Creating an Alias for the Internal Network Using the CLI
Configuring the Radius Authentication Server
Creating Roles and Policies for Sysadmin and Computer
Using the WebUI to create the computer role
Configuring 802.1X Authentication
Select Enforce Machine Authentication
Configuring VLANs
Configuring the WLANs
Configuring the Guest Wlan
Navigate to the Configuration Wireless AP Configuration
Configuring the Non-Guest WLANs
AP Group list, click Edit for the first-floor
CLI
Configuring a Server Rule Using the WebUI
Configuring a Server Rule Using the CLI
Select Termination
Configuring WLANs
Configuring the Guest Wlan
Configuring the Non-Guest WLANs
Describes the different authentication possibilities
Configuring Mixed Authentication Modes
Authentication
802.1x Logon
Performing Advanced Configuration Options for
Configuring Reauthentication with Unicast Key Rotation
Working With Stateful Authentication
Stateful and WISPr Authentication
Working With WISPr Authentication
Understanding Stateful Authentication Best Practices
Configuring Stateful 802.1x Authentication
Configuring Stateful Ntlm Authentication
Configuring Stateful Kerberos Authentication
Configuring WISPr Authentication
Profiles list, expand the WISPr Authentication Profile
Dell PowerConnect W-Series ArubaOS 6.2 User Guide 227
Understanding Ocsp and CRL
Configuring a Controller as Ocsp and CRL Clients
Configuring an Ocsp Controller as a Responder
Certificate Revocation
Configuring the Controller as an Ocsp Client
Navigate to the Configuration Management Certificates Upload
Configuring the Controller as a CRL Client
Select the Revocation Checkpoint tab
Configuring the Controller as an Ocsp Responder
Select Enable next to Enable Ocsp Responder
Captive Portal Authentication
Understanding Captive Portal
Policy Enforcement Firewall Next Generation Pefng License
Configuring Captive Portal in the Base Operating System
Navigate to the Configuration Management General
Controller Server Certificate
WebUI
CLI
Using Captive Portal with a Pefng License
Configuring Captive Portal in the WebUI
To configure captive portal with Pefng license via the WebUI
Sample Authentication with Captive Portal
Configuring Captive Portal in the CLI
Creating a Guest User Role
Creating an Auth-guest User Role
Configuring Policies and Roles in the WebUI
Select Add to add the guest-logon-access policy
Creating a Time Range
Creating an Auth-Guest-Access Policy
To configure the auth-guest-access policy via the WebUI
Creating Aliases
Creating an Block-Internal-Access Policy
To create the block-internal-access policy via the WebUI
To create the drop-and-log policy via the WebUI
Creating a Drop-and-Log Policy
Creating a Guest Role
To create a guest role via the WebUI
Defining a Time Range
Configuring Policies and Roles in the CLI
Creating an Auth-Guest Role
To create the guest-logon role via the WebUI
Creating a Block-Internal-Access Policy
Configuring Guest VLANs
Creating a Guest-Logon-Access Policy
Creating a Guest-Logon Role
Configuring Captive Portal Authentication Profiles
Click Add For Vlan ID, enter Click Apply
Configuring the AAA Profile
Modifying the Initial User Role
Configuring the Wlan
Managing User Accounts
Utilization Logon Threshold Default 60% Logon wait
Configuring Captive Portal Configuration Parameters
Unauthenticated that a guest cannot access
Role
Enabling Optional Captive Portal Configurations
Following are optional captive portal configurations
Entity Engineering Business Faculty
Uploading Captive Portal Pages by Ssid Association
Changing the Protocol to Http
Specify the fac-logon user
Configuring Redirection to a Proxy Server
L3 Authentication
Security Access Control Policies
For captive portal with role-based access
Redirecting Clients on Different VLANs
For captive portal with Pefng license
Web Client Configuration with Proxy Script
Personalizing the Captive Portal
To customize the page background
Select the Your Custom Background
Creating and Installing an Internal Captive Portal
Creating a New Internal Web
Fqdn Example
Password Example
Username Example
Variable
Installing a New Captive Portal
Displaying Authentication Error Messages
Basic Html Example
Reverting to the Default Captive Portal
Configuring Localization
Insert javascript to handle error cases
This should be replaced with a link like the following
This should be replaced with a link like this
Div id=errorbox style=display none /div
Customizing the Welcome
Sample Translated
Customizing the Pop-Up box
Customizing the Logged Out Box
Creating Walled Garden Access
Navigate to Advanced Services Stateful Firewall Destination
Configuring the Redirect-URL
Configuring the Login URL
Enabling Captive Portal Enhancements
Defining Netdestination Descriptions
Configuring a Whitelist
Configuring the Netdestination for a Whitelist
Associating a Whitelist to Captive Portal Profile
Verifying a Captive Portal Profile Linked to a Whitelist
Verifying a Whitelist Configuration
Use the following commands to verify the whitelist alias
Verifying Dynamic ACLs for a Whitelist
Verifying DNS Resolved IP Addresses for Whitelisted URLs
TOS
Example
Planning a VPN Configuration
Virtual Private Networks
IKE Policies Suite-B for IPsec tunnels
Selecting an IKE protocol
Understanding Suite-B Encryption Licensing
384 Suite-B certificates ECDSA-256, ECDSA-384
Working with IKEv2 Clients
Understanding Supported VPN AAA Deployments
Working with Certificate Groups
Working with VPN Authentication Profiles
Parameter Default Default-rap Default-cap
VPN Client
Configuring a Basic VPN for L2TP/IPsec in the WebUI
Defining Address Pools
Defining Authentication Method and Server Addresses
Navigate to Configuration IP NAT Pools
Enabling Source NAT
Configuring IKE Policies
Defining IKEv1 Shared Keys
Setting the IPsec Dynamic Map
Finalizing WebUI changes
Configure source NAT
Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI
Enable authentication methods for IKEv1 clients
Create address pools
Defining Address Pools
PRF-HMAC-MD5 PRF-HMAC-SHA1 PRF-HMAC-SHA256
PRF-HMAC-SHA384
Enable authentication methods for IKEv2 clients
Configuring a VPN for Smart Card Clients
Working with Smart Card clients using IKEv2
Define IKEv2 Policies
Configuring a VPN for Clients with User Passwords
Working with Smart Card Clients using IKEv1
Select Enable L2TP
Configuring Remote Access VPNs for XAuth
Configuring VPNs for XAuth Clients using Smart Cards
Click Add User
Certificates or Common Name as it appears on the certificate
Working with Remote Access VPNs for Pptp
Working with Site-to-Site VPNs
Working with Third-Party Devices
Configuring Site-to-Site VPNs
Working with Site-to-Site VPNs with Dynamic IP Addresses
Understanding VPN Topologies
Show crypto-local pki servercert certname subject
For certificate authentication
Click Doneto activate the changes Click Apply
For the Pre-shared-key
For preshared key authentication
Detecting Dead Peers
For the Pre-shared-key for All FQDNs
Understanding Default IKE policies
Working with VPN Dialer
Configuring VPN Dialer
Assigning a Dialer to a User Role
Host config #user-role role dialer name
Configuring Firewall Policies
Roles and Policies
Working With Access Control Lists ACLs
Support for Desktop Virtualization Protocols
Creating a Firewall Policy
Configure the NAT pool in the controller
IP address of the host
This can be one of the following
Pause ARM
When it leaves the controller
Queue in which a packet matching this rule should be placed
White List
Creating a Network Service Alias
Creating an ACL White List
Configuring the ACL White List in the CLI
Configuring the ACL White List in the WebUI
Configuring the White List Bandwidth Contract in the CLI
Use the following CLI command to create ACL White Lists
Creating User Roles
Creating a User Role
Bandwidth Contracts
Click the Delete button against the role you want to delete
Bandwidth Contract Exceptions
Configuring a Bandwidth Contract in the WebUI
Configuring and Assigning Bandwidth Contracts in the CLI
Assigning a Bandwidth Contract to a User Role in the WebUI
Assigning User Roles in AAA Profiles
Configuring Bandwidth Contract Exceptions
Assigning User Roles
Viewing the Current Exceptions List
Equals String
Working with User-Derived VLANs
Rule Type Condition Value
Dhcp server
Configuring a User-derived Vlan in the WebUI
Understanding Device Identification
Dhcp Option Description Hexadecimal Equivalent
Configuring a User-derived Role or Vlan in the CLI
User-Derived Role Example
See for descriptions of these parameters
Configuring a Default Role for Authentication Method
Navigate to the Configuration Security Authentication
Controller’s log files
Understanding Global Firewall Parameters
Configuring a Server-Derived Role
Configuring a VSA-Derived Role
Monitor TCP SYN Attack rate
Default Disabled stateful SIP processing is enabled
Or disabled
Log Icmp Errors
Portal configuration
Disable FTP Server
Session Idle Timeout sec
Default 15 seconds
Default Disabled FTP server is enabled
Mbps Is 1-200 Mbps Default 1 Mbps
Session-tunnel FIB Enable session,tunnel based forwarding
Mbps Default 1 Mbps Rate limit CP auth process traffic
Session mirror Ipsec
Page
Configuring Virtual AP Profiles
Wlan Profiles Default AP Group Toronto AP Group
Virtual APs
Configuring a Virtual AP
Excluding a Virtual AP Profile From an AP in the WebUI
Excluding a Virtual AP Profile From an AP in the CLI
Deny Time Range
Configuring the User Role
Building3-lobby Guest
Ssid profile guest
Configuring Authentication Servers
Configuring Authentication
Done
Wired to Wireless Roaming
Users. The default role for unauthenticated users is logon
MAC Authentication Default Role
Side of the network. This feature is enabled by default
Applying the Virtual AP
Click Edit for the default AP group
Select Wireless LAN under Profiles, then select Virtual AP
Enforce Dhcp
Campus APs in decrypt-tunnel forward mode
Forward mode
Can be configured in tunnel mode
Enforcement, 802.11k and station blacklisting
Setting on each individual local controller
Enable this setting
Click the Global Setting tab
Band Steering
Authentication Failure
Default 6 stations
Default 3600 seconds 1 hour
APs. Default Disabled
Creating a new Ssid Profile
Select Wireless LAN underProfiles, then select Virtual AP
Keys
XSec license in each controller
Dtim Interval
Powersave WMM Tspec Min
Other wireless clients are transmitting
Default value is 2333 bytes
Period to receive broadcasts
Lengthening battery life
Frames is disabled
Battery Boost
At the lowest configured rate
Configuring an Ssid for Suite-B Cryptography
Configuring a Guest Wlan
Configuring a Vlan
Configuring a Guest Role
Configuring a Guest Virtual AP
Select Virtual AP
Sample Configuration
To enable bSec Ssid using bSec-128 or bSec-256
Enabling bSec Ssid Support
Enabling 802.11k Support
Default Mode beacon-table
Measurement Mode for Beacon Reports
Measurement Report Mode field
Advertise 802.11K Capability
Beacon Report Request Settings Profile
Handover Trigger Feature Settings Profile
Handover of Voice Clients’ feature
TSM Report Request Settings Profile
Working with Radio Resource Management Information Elements
Working with Beacon Report Requests
Range from 0 to 255. The default value is
Con when Measurement Mode is set to Active-Channel Report
Measurement Mode for
Randomization Interval
Working with a Traffic Stream Measurement Report
Gered. When the triggered option is selected,
Request frame. The default value is enabled
Number of repetitions
Range 0, 255. The default value is
Configuring a High-Throughput Virtual AP
Range 0, 65535. The default value is
Bin 0 Range
Select the 802.11a radio profile
40MHz intolerance
Select the 802.11g radio profile
Streams usable for Stbc
Maximum number of spatial
Capabilities
Transmission
Short guard interval in 40 MHz
Mode Is enabled by default
Short guard interval in 20 MHz
Supported MCS set
Managing High-Throughput Profiles
Understanding ARM
Adaptive Radio Management ARM
Monitoring Your Network with ARM
Configuring ARM Scanning
ARM Support for 802.11n
Understanding ARM Application Awareness
ARM Profiles Example Wlan Description
Configuring ARM Profiles
Creating a New ARM Profile
Select RF Management to expand the RF Management section
Deleting a Profile
Configuring ARM Settings
Copying an Existing Profile
Select Adaptive Radio Management ARM Profile
Setting Description
Aware Scan Mode Default disabled Video Aware
That Scanning is also enabled
Power Save
Default 8 scans
Enabled, that device will ignore this setting
Default 9 dBm
Scan That Scanning is also enabled
Client Aware setting is disabled
Threshold Change Default 50% Error Rate Wait
Default 240 seconds
Error Rate
Time Channel change Default 30 seconds Noise Threshold
Load Aware
Default 1250000 Bps
Mode Aware
Scanning if the load for the AP gets too high
Select Configuration AP Configuration
Assigning an ARM Profile to an AP Group
Using Multi-Band ARM for 802.11a/802.11g Traffic
Enabling Band Steering
Steering Modes
Select Wireless LAN to expand the Wireless LAN section
To disable band steering, include the no parameter
Enabling Band Steering
Enabling Traffic Shaping
To configure traffic shaping via the WebUI
Enabling Traffic Shaping
Select QoS to expand the QoS section
To disable traffic shaping, use the default-accessparameter
Enabling Spectrum Load Balancing
Reusing Channels to Control RX Sensitivity Tuning
Configuring Non-802.11 for Noise Interference Immunity
ARM Metrics
Transmission Power Levels Change Too Often
Troubleshooting ARM
Wireless Clients Report a Low Signal Level
Too many APs on the Same Channel
APs Detect Errors but Do Not Change Channels
APs Don’t Change Channels Due to Channel Noise
Wireless Intrusion Prevention
Working with the Reusable Wizard
This chapter contains the following sections
Protection features for Wlan clients
Understanding Wizard Intrusion Detection
Understanding Wizard Intrusion Protection
Protecting Your Infrastructure
Protecting Your Clients
Monitoring the Dashboard
WIP Wizard Intrusion Protection
Understanding Classification Methodology
Detecting Rogue APs
Understanding Classification Terminology
Classification Description
Understanding Match Methods
Understanding Match Types
Understanding Suspected Rogue Confidence Level
Understanding AP Classification Rules
Understanding Rule Matching
Feature Command Trap Syslog ID
Working with Intrusion Detection
Understanding Infrastructure Intrusion Detection
Ids impersonation-profile
Ids impersonation-profile WlsxAPSpoofingDetected 126069
Detect-bad-wep WlsxStaRepeatWEPIVViolation 126016
126086
Detect-wireless-bridge Wireless-bridge-quiet-time
Require-wpa WlsxChannelMisconfiguration 127028
Ids unauthorized-device-profile WlsxWirelessBridge 126036
Detect-malformed-large-duration Detected
Detecting an Ad hoc Network Using a Valid Ssid
Detecting an 802.11n 40MHz Intolerance Setting
Detecting Active 802.11n Greenfield Mode
Detecting Ad hoc Networks
Detecting a Client Flood Attack
Detecting Bad WEP Initialization
Detecting a Beacon Frame Spoofing Attack
Detecting an RTS Rate Anomaly
Detecting Broadcast Deauthentication
Detecting a Misconfigured AP
Detecting a Wireless Bridge
Detecting Malformed Frame-Auth
Understanding Client Intrusion Detection
Detecting Wellenreiter
Detect-hotspotter-attack Hotspotter-quiet-time
Ids dos-profile WlsxPowerSaveDoSAttack 126109
Detect-power-save-dos-attack
Ids dos-profile WlsxOmertaAttack 126071
Detecting a ChopChop Attack
Detecting a Meiners Power Save DoS Attack
Detecting a Block ACK DoS
Detecting a Disconnect Station Attack
Detecting a Tkip Replay Attack
Detecting an Omerta Attack
Detecting Rate Anomalies
Detecting Unencrypted Valid Clients
Configuring Intrusion Protection
Understanding Infrastructure Intrusion Protection
Understanding Client Intrusion Protection
Protecting Valid Stations
Configuring the Wlan Management System WMS
Navigate to the Configuration Advanced Services Wireless
Protecting Windows Bridge
Managing the WMS Database
Configuring Local WMS Settings
Not configured
Station Ageout Interval
Understanding Client Blacklisting
Methods of Blacklisting
Blacklisting Manually
Enabling Attack Blacklisting
Blacklisting by Authentication Failure
Enter a value in the Max Authentication failures field
Captive portal
Removing a Client from Blacklisting
Working with WIP Advanced Features
Setting Blacklist Duration
Profiles list, expand the IDS menu, then select IDS profile
Configuring TotalWatch
Understanding TotalWatch Channel Types and Qualifiers
Understanding TotalWatch Channel Dwell Time
Understanding TotalWatch Monitoring Features
Understanding TotalWatch Scanning Spectrum Features
Frequency Channel
Configuring Per AP Setting
Administering TotalWatch
Configuring Per Radio Settings
Understanding TotalWatch Channel Visiting
DOS
Working with Tarpit Shielding
Configuring Tarpit Shielding
Understanding Tarpit Shielding Licensing CLI Commands
Licensing
Function
Basic Functions and Features
Access Points APs
Following topics are included in this chapter
Naming and Grouping APs
Assigning APs to an AP Group
Use the following command to create an AP group
Creating an AP group
You can use the WebUI or the CLI to create a new AP group
Understanding AP Configuration Profiles
Working with Wireless LAN Profiles
Click Apply and Reboot
Page
Page
Working with AP Profiles
Working with QoS Profiles
Working with RF Management Profiles
Provisioning Mesh Profiles
Viewing Profile Errors
Profile Hierarchy
Other Profiles
AP Specific and AP Group Profile Hierarchies
Other Profile Hierarchies
Running the RF Plan
Configuring Firewall Settings
Deploying APs
Verifying that APs Can Connect to the Controller
Configuring DNS Resolution
Configuring Dhcp Server Communication with APs
Enabling Controller Discovery
Using the Aruba Discovery Protocol ADP
Navigate to the Configuration Network IP Dhcp Server window
Verifying that APs Are Receiving IP Addresses
AP Model Freqency Band Antenna Port
Provisioning APs for Mesh
Provisioning 802.11n APs for Single-Chain Transmission
AP92 4GHz or 5GHz
5GHz
Installing APs on the Network
AP Model Freqency Band
AP134 4GHz or 5GHz
Designation an AP as Remote RAP versus Campus CAP
Provisioning Installed APs
Updating the RF Plan
Working with the AP Provisioning Wizard
Provisioning an Individual AP
AP Provisioning Window
Page
Provisioning Multiple APs using a Provisioning Profile
LMS or backup LMS values
AP is associated
Assigning Provisioning Profiles
Configuring a Provisioned AP
AP Installation Modes
Troubleshooting
Clear gap-db wired-mac
Renaming an AP
Configuring the Bootstrap Threshold
To configure the bootstrap threshold using the WebUI
Optimize APs Over Low-Speed Links
Backup LMS IP
RF Band for AM Mode scanning
Configuring split-tunnel forwarding
LMS IPv6 Backup LMS IPv6 LMS Preemption
Wireless frame is only encapsulated inside the IPsec tunnel
Bootstrap threshold
From a wireless client that is connected to a tunneled Ssid
When an AP process crashes
Prioritizing AP heartbeats
AP Maintenance Mode
AP Redundancy
To enable AP maintenance mode
Energy Efficient Ethernet
Managing AP LEDs
AP130 Series only
RF Management
802.11a and 802.11g RF Management Profiles
Creating or Editing a Profile
Managing 802.11a/802.11g Profiles Using the WebUI
Enable CSA
Radio
Balancing mode Select one of the following options
Level 5 disable PHY reporting
Reuse feature
MHz and 40 MHz modes
Balancing threshold
Load-balancing mode
Channel. The default CSA count is 4 announcements
Radio Management ARM scanning and channel assignment
Signal strength
RX Sensitivity Tuning
RX sensitivity tuning based channel reuse threshold, in dBm
Default, allowing 40 MHz operation
Profile Spectrum monitor radio
Assigning an 802.11a/802.11g Profile
Assigning a High-throughput Profile
AM Scanning Profile
Assigning an ARM Profile
Managing 802.11a/802.11g Profiles Using the CLI
Deleting a Profile
Creating or Modifying a Profile
RF Optimization
Viewing RF Management Settings
To view the settings of a specific RF management profile
Assigning a 802.11a/802.11g Profile
Is sent to the client
RF Event Configuration
Default value 0 seconds
Maximum value 8 seconds
Detect Frame Rate Anomalies
Frame Error Rate High
Frame Error Rate Low
Recommended value is 85%
Frame Retry Rate High
Configuring AP Channel Assignments
Select the Regulatory Domain profile named default
Frame Retry Rate Low
Channel Switch Announcement CSA
Managing AP Console Settings
Automatic Channel and Transmit Power Selection
IP address of the AP’s master controller
IP address of the DNS server used by the AP
Domain name used by the AP
Understanding Mesh Access Points
Secure Enterprise Mesh
Mesh Portals
Mesh Points
Understanding Mesh Links
Mesh Clusters
Link Metrics
Optimizing Links
Component Description
Mesh Radio Profile
Understanding Mesh Profiles
Mesh Cluster Profile
RF Management 802.11a and 802.11g Profiles
Mesh High-Throughput Ssid Profile
Adaptive Radio Management Profiles
High-Throughput Profiles
Understanding Mesh Solutions
Wired AP Profile
Mesh Recovery Profile
Thin AP Services with Wireless Backhaul Deployment
Point-to-Point Deployment
Point-to-Multipoint Deployment
High-Availability Deployment
Sample Point-to-Multipoint Deployment
Planning a Wlan According to Your Specifications
Task Overview
Collecting Required Information
Building Dimensions
AP Desired Rates 2.4 GHz Radio Properties
Creating a New Profile
Working with Mesh Radio Profiles
Managing Mesh Profiles In the WebUI
AM Desired Rates
Rates
Threshold Nodes Default 10 missed heartbeats. The range is
Indicates the transmit rates for the 802.11a radio
AP goes through the list and uses the next highest rate
Recommends using this default startup-subthresholdvalue
Range 0-4094. Default 0 disabled
Default distributed-tree-rssi
Used for user traffic
Editing a Profile
Default 2,333 bytes. The range is 256- 2,346
Assigning a Profile to a Mesh AP or AP Group
Link quality
Viewing Profile Settings
To view the settings of a specific mesh radio profile
Managing Mesh Profiles In the CLI
Assigning a Profile to an AP Group
Working with Mesh High Throughput Ssid Profiles
Managing Profiles In the WebUI
Deleting a Mesh Radio Profile
Configured value adjusts based on AP capabilities
Temporal Diversity Enable
Enabled legacy stations are allowed
Launch then software retries
Degrade throughput
Mode Enabled by default
Μsec, 2 µsec, 4 µsec
Different values, separate each value with a comma
Managing Profiles In the CLI
Understanding Mesh Cluster Profiles
Viewing High-throughput Ssid Settings
To view the settings of a specific high-throughput profile
Deployments with Multiple Mesh Cluster Profiles
Managing Mesh Cluster Profiles In the WebUI
Associating a Profile to Mesh APs
Managing Mesh Cluster Profiles In the CLI
Deleting a Mesh Cluster Profile
Viewing Mesh Cluster Profile Settings
To view the settings of a specific mesh cluster profile
Associating Mesh Cluster Profiles
Excluding a Mesh Cluster Profile from a Mesh Node
Configuring Ethernet Ports for Mesh
Configuring Bridging on the Ethernet Port
To exclude a specific mesh cluster profile from an AP
Configuring Ethernet Ports for Secure Jack Operation
Extending the Life of a Mesh Network
Provisioning Mesh Nodes
Outdoor AP Parameters
Provisioning Caveats
Under Port Selection, click the port to configure
IP settings section, select Obtain IP Address Using Dhcp
Provisioning Mesh Nodes
Understanding the AP Boot Sequence
Booting the Mesh Portal
Booting the Mesh Point
Verification Checklist
Verifying the Network
Air Monitoring and Mesh
Configuring Remote Mesh Portals RMPs
CLI Examples
How RMP Works
Creating a Remote Mesh Portal In the WebUI
Provisioning the AP
Defining the Mesh Private Vlan
Selecting a Mesh Radio Profile
Selecting an RF Management Profile
Adding a Mesh Cluster Profile
Configuring a Dhcp Pool
Configuring the Vlan ID of the Virtual AP Profile
Profile Details window
Provisioning a Remote Mesh Portal In the CLI
Additional Information
Configuring Redundancy Parameters
Configuring the Local Controller for Redundancy
Configuring the LMS IP
Configuring the Master Controller for Redundancy
On the master controller
Router ID of the Vrrp instance
Command Explanation
Enter the master-redundancy context
Controllers. Specify a key of up to 64 characters
Configuring Database Synchronization
This config mode command includes RF plan data when
Enabling Incremental Configuration Synchronization CLI Only
Configuring Master-Local Controller Redundancy
Redundant Topology Master-Local Redundancy
Vrrp Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Disabled Discarding Blocking
Understanding Rstp Migration and Interoperability
Working with Rapid Convergence
Rstp 802.1w Description Port Role
Configuring Rstp
Feature Default Value/Range
Edge Port and Point-to-Point
Monitoring Rstp
Troubleshooting Rstp
Change the default configurations via the command line
Port Fast
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Rstp
Understanding PVST+ Interoperability and Best Practices
Enabling PVST+ in the CLI
From the WebUI, add a Vlan instance and enable PVST+
Enabling PVST+ in the WebUI
Understanding Dell Mobility Architecture
IP Mobility
On a master controller
Configuring Mobility Domains
Enable mobility disabled by default
On all Dell controllers in the mobility domain
Configuring a Mobility Domain
Example Configuration
Navigate to the Configuration Advanced Services IP Mobility
Joining a Mobility Domain
Home Agent Address or Vrip
Configuring Mobility using the WebUI
Subnetwork Mask
On controller a the master controller
Viewing mobile client status using the CLI
Configuring Mobility using the CLI
Viewing mobile client status using the WebUI
Tracking Mobile Users
Roaming Description Status Type
Viewing user roaming status using the CLI
Viewing specific client information using the CLI
Status Type Description
Mobile Client Roaming Locations
Configuring Advanced Mobility Functions
Setting up mobility association Using the CLI
HA Discovery on Association
Seconds. The default setting is 5000 seconds
Is 0-5000 visitors. The default setting is 5000 visitors
Default setting is 3 attempts
Enable standalone AP
Click Apply after setting the parameter
Proxy Mobile IP
Proxy Dhcp
Understanding Bridge Mode Mobility Deployments
Revocations
Enabling Mobility Multicast
Working with Proxy Igmp and Proxy Remote Subscription
Working with Inter controller Mobility
Configuring Mobility Multicast
Inter-controller Mobility
Example
Enable Igmp proxy on the FastEthernet Ieee 802.3 interface
Enable Igmp snooping
Start at 0 from the left-most position
Understanding Firewall Port Configuration Among Dell Devices
External Firewall Configuration
Enabling Network Access
Ports Used for Virtual Internet Access VIA
Configuring Ports to Allow Other Traffic Types
Page
About Remote Access Points
Remote Access Points
Remote AP with a Private Network
Using the WebUI to create a DMZ address
Configuring the Secure Remote Access Point Service
Configure a Public IP Address for the Controller
Configure the NAT Device
Using the WebUI to configure Chap
Configure the VPN Server
Chap Authentication Support over PPPoE
You can use the CLI or the WebUI to configure Chap
Configuring Certificate RAP
Using the CLI to configure the Chap
Creating a Remote AP Whitelist
Using CLI
Configuring PSK RAP
Using WebUI
RAP Static Inner IP Address
Provision the AP
IP-Address parameter in the local database
Deploying a Branch Office/Home Office Solution
Deployment Scenario Master IP Address Value
Provisioning the Branch Office AP
Configuring the Branch Office AP
Troubleshooting Remote AP
Local Debugging
Basic View Information Advanced View Information Name
Seamless failover from backup link to primary link on RAP
Multihoming on remote AP RAP
Remote AP Connectivity
Enabling Remote AP Advanced Configuration Options
Remote AP Diagnostics
Data Description
Remote Oper Forward Mode Setting Ation
Understanding Remote AP Modes of Operation
Essid is up when Same behavior as Not supported AP contacts
Working in Fallback Mode
Only Ssid configuration Stored in flash on
SSIDs
Configuring Fallback Mode
Backup Configuration Behavior for Wired Ports
Configuring the AAA Profile for Fallback Mode in the WebUI
Configuring the AAA Profile for Fallback Mode in the CLI
Configuring the Dhcp Server on the Remote AP
Using the WebUI
Configuring Advanced Backup Options
Configuring the Session ACL in the WebUI
Configuring the AAA Profile in the WebUI
Configure the Remote-AP Dhcp Server fields
Defining the Backup Configuration in the WebUI
Configuring the Session ACL in the CLI
Route src-nat
Defining the Backup Configuration in the CLI
Specifying the DNS Controller Setting
Using the CLI to configure the AAA profile
You can define other parameters as needed
Backup Controller List
Configuring Remote AP Failback
Configuring the LMS and backup LMS IP addresses in the CLI
To enable, enter
Enabling RAP Local Network Access
Configuring Remote AP Authorization Profiles
To disable, enter
Working with Access Control Lists and Firewall Policies
Adding or Editing a Remote AP Authorization Profile
Understanding Split Tunneling
Configuring Split Tunneling
Sample Split Tunnel Environment
Configuring the Session ACL Allowing Tunneling
Configuring an ACL to Restrict Local Debug Homepage Access
Configuring the AAA Profile for Tunneling
Enable Restricted Access to LD Homepage
Configuring the Tunneling Virtual AP Profile
Inthe CLI
Provisioning Wi-Fi Multimedia
Navigate to Configuration Wireless AP Configuration
Defining Corporate DNS Servers
Navigate to Configuration Advanced Services All Profiles
Configuring Bandwidth Reservation
To configure bandwidth reservation
Reserving Uplink Bandwidth
4G USB Modem Provisioning Best Practices and Exceptions
Provisioning 4G USB Modems on Remote Access Points
Navigate to Configuration Wireless AP Installation
Provisioning RAP for USB Modems
RAP 3G/4G Backhaul Link Quality Monitoring
Configuring W-IAP3WN Access Points
Pantech
Converting an IAP to RAP or CAP
Converting IAP to RAP
Converting an IAP to CAP
Defining Bandwidth Contracts
Configuring Bandwidth Contracts for RAP
Enabling Bandwidth Contract Support for RAPs
Applying Contracts
Verifying Contracts on AP
Verifying Contracts Applied to Users
Following is a sample output for a per-user configuration
Verifying Bandwidth Contracts During Data Transfer
Page
Virtual Intranet Access
Understanding VIA Connection Manager
How it Works
On Apple MacBooks
Installing the VIA Connection Manager
On Microsoft Windows Computers
User action / environment VIA’s behavior
Minimal Upgrade
Configuring the VIA Controller
Upgrade Workflow
Complete Upgrade
Other authentication methods
Supported Authentication Mechanisms
Authentication mechanisms supported in VIA
Before you Begin
Configuring VIA Settings
Suite-B
Create VIA Authentication Profile
Using the WebUI to Configure VIA
Enable VPN Server Module
Create VIA User Roles
Create VIA Connection Profile
Enter a name for the server group
To create VIA connection profile
Configuration Option Description
Default None
To the support email-address for troubleshooting
List of all IKEv2 authentication methods
Client Auto-Login
VIA Authentication Name\username instead of just username
Enable Supplicant
Enable Fips Module
Use Windows Credentials
Configure VIA Web Authentication
To configure VIA web authentication profile
Associate VIA Connection Profile to User Role
Configure VIA Client Wlan Profiles
To configure a VIA client Wlan profile
To associate a VIA connection profile to a user role
Servers or trusted certification authorities
Option Description
Cryptobinding TLV
Mschapv2-use-windows-credentials
Rebranding VIA and Downloading the Installer
Download VIA Installer and Version File
To download the VIA installer and version file
Create VIA roles
Using the CLI to Configure VIA
Create VIA authentication profiles
Create VIA connection profiles
Pre-requisites
Customize VIA logo, landing page and downloading installer
Downloading VIA
Requires the following Microsoft KB on the end-user systems
Login to Download VIA
Downloading VIA
Installing VIA
Using VIA
Connection Details Tab
Troubleshooting
Diagnostic Tab
Settings Tab
Device
Understanding Spectrum Analysis
Spectrum Analysis
AP104 Yes
Device Configurable as a
Hybrid AP?
Graph Title
Graph Title Description Update Interval
Real-Time FFT
Spectrum Analysis Clients
Spectrogram
Swept
Hybrid APs Using Mode-Aware ARM
Creating Spectrum Monitors and Hybrid APs
Hybrid AP Channel Changes
Converting APs to Hybrid APs
Converting an Individual AP to a Spectrum Monitor
Converting a Group of APs to Spectrum Monitors
Select AP to expand the AP profiles section
Connecting Spectrum Devices to the Spectrum Analysis Client
Table Column Description
Disconnecting a Spectrum Device
View Connected Spectrum Analysis Devices
To manually disconnect a spectrum monitor or hybrid AP
Configuring the Spectrum Analysis Dashboards
Selecting a Spectrum Monitor
Click the Spectrum Dashboards tab
Changing Graphs within a Spectrum View
Click theSpectrum Dashboards tab
Renaming a Spectrum Analysis Dashboard View
Saving a Dashboard View
Select Rename
Customizing Spectrum Analysis Graphs
Resizing an Individual Graph
Spectrum Analysis Graph Configuration Options
Active Devices
Channel Range
Show
Device Type
Service set identifier of the device’s 802.11 wireless LAN
Active Devices Table
Column may display any of the following values
Column heading
Select the button by the symbol
Radio band or channel
Select the button by the Less than drop down list
Center Frequency
Active Devices Trend
Detects on the radio channel
MHz
Show lines for these
Wi-Fi data as non-Wi-Fi data
Channel Metrics
Select one of the following device types
Channel Metrics Graph
Radio band displayed in this graph
Channel Metrics Trend
Hour
Drop-down list and select one of the following options
Minutes
Unselect the checkbox to hide that information
Channel Summary Table
Monitor
Device Duty Cycle
Band Radio band displayed in this graph
Channel Utilization Trend
Numbering Identify a channel numbering scheme for the graph
Following device types
Intervals
As non-Wi-Fi data
Devices vs Channel
Uncheck the checkbox by that channel number
Devices vs Channel Options
FFT Duty Cycle
FFT Duty Cycle
Interference Power
Interference Power Options
Quality Spectrogram
Device types
Real-Time FFT
Data
Axis
Frequencies for the graph
Center
Frequency Center of the x-axis of this chart Span
Swept Spectrogram
Right field, and the higher value in the left field
Simple Line Graph of FFT Power Data
Swept Spectrogram Options
Working with Non-Wi-Fi Interferers
Non-Wi-Fi Description Interferer
Device vs Channel Interference Power
Understanding the Spectrum Analysis Session Log
Viewing Spectrum Analysis Data
Recording Spectrum Analysis Data
Creating a Spectrum Analysis Record
To record spectrum analysis data for later analysis
Playing a Recording in the Spectrum Dashboard
Saving the Recording
Playing a Spectrum Analysis Recording
To save the recording file
Playing a Recording Using the RFPlayback Tool
Click the Recording View/Play link at the top of the window
Click Load File For Playback
Converting a Spectrum Monitor Back to an AP or Air Monitor
Troubleshooting Spectrum Analysis
Troubleshooting Browser Issues
Loading a Spectrum View
Understanding Spectrum Analysis Syslog Messages
Playing a Recording in the RFPlayback Tool
Understanding Device Ageout Times
Age Out Generic Fixed Frequency
Hopper Seconds
Age Out Generic Frequency Hopper
Clients
Monitoring Performance
Dashboard Monitoring
APs
Using Dashboard Histograms
Monitoring Usage
Monitoring Potential Issues
Monitoring Security
Monitoring WLANs
Monitoring Access Points
Monitoring Clients
Element View
To disable this setting, include the no parameter
Monitoring Firewalls
Element
Element Description
Column
Bytes Tx Bytes Rx Bytes
Element Summary View
Details View
Element Tab
User Bytes Packets Device Destination
Usage Breakdown
Application
Aggregated Sessions
Usage Breakdown
Column Description
Source IP
Destination Alias
Configuring Certificate Authentication for WebUI Access
Management Access
Enabling Public Key Authentication for SSH Access
Enabling Radius Server Authentication
Select the client certificate Click Apply
Configuring Radius Server Authentication with VSA
Configuring a set-value server-derivation rule
Disabling Authentication of Local Management User Accounts
Verifying the configuration
Resetting the Admin or Enable Password
Bypassing the Enable Password Prompt
User admin Password
Defining a Management Password Policy
Implementing a Specific Management Password Policy
Setting an Administrator Session Timeout
Configure the settings described in Table
Allowed Characters Disallowed Characters
Colon
Management Authentication Profile Parameters
Allowed Characters
Period Pipe Plus sign + Tilde ~ Comma Accent mark `
Managing Certificates
About Digital Certificates
Parameter Description Range
Navigate to the Configuration Management Certificates CSR
Obtaining a Server Certificate
Enter the following information
Importing Certificates
Run the following command
Obtaining a Client Certificate
PKCS7 encrypted PKCS12 encrypted
Imported Certificate Locations
Use the following command to import CSR certificates
Viewing Certificate Information
Location Description
Configuring Snmp
Checking CRLs
Snmp Parameters for the Controller
Configuring Logging
Category/Subcategory Description
Category/Subcategory
Logging Level Description
802.1x messages Radius Radius user messages
Configuring the Guest Provisioning
Configuring the Guest Fields
Enabling Guest Provisioning
Guest Field
Guestcategory
Provisioning page for the sponsor information
Configuring the Page Design
Guest Field Description
Fields that follow
Configuring the Smtp Server and Port in the WebUI
Configuring Email Messages
Navigate to the Configuration Management SMTPpage
Configuring an Smtp server and port in the CLI
Click Apply and then Save Configuration
Creating Email Messages in the WebUI
Static Authentication Method
Configuring a Guest Provisioning User
Username and Password Authentication Method
Management Users section, click Add
Username and Password Method
Customizing the Guest Access Pass
Smart Card Authentication Method
Click Apply and Save Configuration
Creating Guest Accounts
Customized Guest Account Information Window
Guest Provisioning User Tasks
Creating a Guest Account-New Guest Window
Importing Multiple Guest Entries
Creating Multiple Guest Entries in a CSV File
Importing the CSV File into the Database
CVS File Format-Guest Entries Information
Importing a CSV file that contains Guest Entries
Displaying the Guest Entries Log File
Optional Configurations
Restricting one Captive Portal Session for each Guest
Printing Guest Account Information
Using the CLI to set the maximum time for guest accounts
Setting the Maximum Time for Guest Accounts
Using the WebUI to set the maximum time for guest accounts
Managing Files on the Controller
Transferring ArubaOS Image Files
Server Type Configuration
Navigate to the Maintenance Controller Image Management
Username to log into server
Backing Up and Restoring the Flash File System
Copying Log Files
Navigate to the Configuration Management Clock
Setting the System Clock
Manually Setting the Clock
Copying Other Files
Configuring NTP Authentication
Clock Synchronization
Enabling Capacity Alerts
Timestamps in CLI Output
Threshold Description
Sent. The default threshold for this parameter is 80%
Examples
User-capacity
Configuring Local Controllers
Using the Initial Setup
Adding Local Controllers
Configuring Local Controller Settings
Configuring Layer-2/Layer-3 Settings
Configuring Trusted Ports
Using the Web UI
Using the CLI to configure the LMS IP
Configuring APs
Using the WebUI to configure the LMS IP
Moving to a Multi-Controller Environment
Configuring a Preshared Key
Using the WebUI to configure a Master Controller PSK
Configuring a Controller Certificate
Using the WebUI to configure a Local Controller PSK
Using the CLI to configure a PSK
Using the CLI to configure the Master Controller Certificate
Securing Client Traffic
Advanced Security
Securing Wireless Clients
Wireless xSec Client Example
Securing Wired Clients
Navigate to the Configuration Advanced Services Wired Access
Securing Wireless Clients Through Non-Dell APs
Securing Clients on an AP Wired Port
Time to wait for authentication to
Succeed
Configuring Controllers for xSec
Securing Controller-to-Controller Communication
For Controller
Configuring the Odyssey Client on Client Machines
Installing the Odyssey Client
Modifying a regedit Policy
Certificate Information
Page
Using Default Net Services
Configuring Voice and Video
Setting up Net Services
Voice and Video License Requirements
Using the Default User Role
Configuring User Roles
Creating Custom Net Services
Net Service Name Protocol Port
Navigate to the Configuration Security Access Control
Using the WebUI to configure user roles
Service Name
Creating or Modifying Voice User Roles
Using the CLI to configure a user role
Click Done Click Apply
Using the CLI to derive the role based on Ssid
Using the User-Derivation Roles
Using the WebUI to derive the role based on Ssid
Using the WebUI to derive the role based on MAC OUI
Configuring Firewall Settings for Voice and Video ALGs
Additional Video Configurations
Configuring Video over Wlan enhancements
To enable Igmp snooping
Pre-requisites
Configure multicast rate optimization for video traffic
To add the ACL to a user role
Configure and apply a bandwidth management profile
Set a bandwidth percentage for the following categories
Enable multicast shaping on the firewall
Enable Igmp Proxy
Enable Igmp Snooping
Configure multicast rate optimization for the video traffic
Configure ARM scanning for video traffic
Configure and apply bandwidth management profile
Working with QoS for Voice and Video
This step is optional
Understanding VoIP Call Admission Control Profile
Understanding Wi-Fi Multimedia
To enable call admission control in this profile
Voip Tspec Enforcement
Enabling WMM
Configuring WMM AC Mapping
Priority 802.1p Priority WMM Access Category
Lowest Background Best effort Video Voice Highest
Dscp Decimal Value WMM Access Category
Using the WebUI to map between WMM AC and Dscp
Background Best effort Video Voice
Configuring Dscp Priorities
Using the CLI to map between WMM AC and Dscp
Configuring Dynamic WMM Queue Management
Enhanced Distributed Channel Access
WMM Access Category Description 802.1p Tag
1. a value of 4 computes to 2 4-1 = 15. Possible values are
Using the WebUI to configure Edca parameters
Disables this option
Microseconds, enter 94 3008/32. Possible values are
Enabling WMM Queue Content Enforcement
Using the CLI to configure Edca parameters
To associate the Edca profile instance to a Ssid profile
Apple Facetime
Understanding Extended Voice and Video Features
Microsoft OCS
Port Packet Type
Enabling WPA Fast Handover
Enabling Mobile IP Home Agent Assignment
Scanning for VoIP-Aware ARM
Configuring SIP Authentication Tracking
Disabling Voice-Aware
Web UI
To configure Real Time analysis on voice calls
Enabling Real Time Call Quality Analysis
Viewing Real Time Call Quality Reports
Enabling SIP Session Timer
SIP session timer is implemented in the SIP ALG as per RFC
To configure the session timer and the timeout value
To view the SIP settings on the controller
Click the Policies tab
Enabling Wi-Fi Edge Detection and Handover for Voice Clients
Select the Classify Media check box
Working with Dial Plan for SIP Calls
Expand Handover Trigger under Wireless Lan
Click the Apply button to save the configuration
Understanding Dial Plan Format
Configuring Dial Plans
Action Description
Dialplan Profile
Dialplan Profile displays the dial plan details
To associate the dial plan with SIP ALG
Enabling Enhanced 911 Support
To create a voice dial plan profile
To view the SIP dial plan profile
Working with Voice over Remote Access Point
Understanding Battery Boost
Enabling Lldp
Configure the Lldp profile parameters as desired then click
Lldp PDUs. The AP will send all 803.2 TLVs by default
Lldp PDUs. The AP will send all optional TLVs by default
Lldp PDUs. The AP will send all 802.1 TLVs by default
Show the power support capabilities of the AP interface
LLDP-MED Profile Configuration Parameters
Apply to save your settings
Advanced Voice Troubleshooting
Viewing Troubleshooting Details on Voice Client Status
Connected
Viewing Troubleshooting Details on Voice Call CDRs
To view the details of a completed call based on the CDR Id
Navigate to the Configuration Management Logging
Enabling Voice Logs
Enabling Logging for a Specific Client
To set the voice logging level to debugging
To view the voice signaling message traces
Viewing Voice Traces
To debug voice logs for a specific client
Viewing Voice Configurations
To view the voice configuration details on your controller
SIP settings Value Parameter
Instant AP VPN Support
L2/L3 network mode support
Overview
Termination of Instant AP VPN tunnels
Controller Whitelist DB
VPN Configuration
Whitelist DB Configuration
External Whitelist DB
Viewing Branch Status
VPN Local Pool Configuration
VPN Profile Configuration
Radius proxy for VPN connected IAPs
Output of this command includes the following parameters
Controller
Understanding W-600 Series Best Practices and Exceptions
Series Controllers
USB Ports
Connecting with a USB Cellular Modems
Switching Modes
Finding USB Modem Commands
Uplink Manager
Cellular Profile
Dialer Group
Cellular Profile from the WebUI
Configuring a Supported USB Modem
Verify the modem is registered with the Uplink Manager
Configuring a New USB Modem
Configuring the Profile and Modem Driver
If you get entries similar to the example below
Configuring the TTY Port
Driver=none
Testing the TTY Port
Selecting the Dialer Profile
Setting Up NAS Network-Attached Storage Devices
NAS Device Setup
Linux Support
Configuring in the CLI
Managing NAS Devices
View list of shares in a disk
Mounting and Unmounting Devices
NAS Media Green-solid Press and hold media
Controller wake-up Green-solid Button
Additional Commands for Managing Printers
Connecting to a Print Server
Printer Setup Using the CLI
To view a list of printers mounted on the controller, type
Series Sample Topology and Configuration
Remote Branch 1-W-650 Controller
Remote Branch 2-W-650 Controller
Central Office Controller-Active
Central Office Controller-Backup
Page
External Services Interface
Sample ESI Topology
ESI-Fortinet Topology
Understanding the ESI Syslog Parser
ESI Parser Domains
Peer Controllers
Syslog Parser Rules
Configuring ESI
Condition Pattern Matching
User Pattern Matching
Configuring Health-Check Method, Groups, and Servers
Defining the ESI Server
Enter a Profile Name
Server Name
To configure an ESI server group on the controller
Defining the ESI Server Group
Enter a Group Name
Redirection Policies and User Role
Adding a new syslog parser domain
ESI Syslog Parser Domains and Rules
Managing Syslog Parser Domains in the WebUI
Deleting an existing syslog parser domain
Managing Syslog Parser Rules
Use these CLI commands to manage syslog parser domains
Managing Syslog Parser Domains in the CLI
Editing an existing syslog parser domain
Adding a new parser rule
Deleting a syslog parser rule
Editing an existing syslog parser rule
Testing a Parser Rule
Use these CLI commands to manage syslog parser rules
Sample Route-mode ESI Topology
Monitoring Syslog Parser Statistics
Showing ESI syslog parser rule information
Configuring the Example Routed ESI Topology
ESI server configuration on controller
IP routing configuration on Fortinet gateway
Health-Check Method, Groups, and Servers
Defining the Ping Health-Check Method
Trusted IP Address. Enter Untrusted IP Address. Enter
Enter a Group Name. Enter fortinet
Redirection Policies and User Role
Adding a New Parser Rule in the WebUI
Syslog Parser Domain and Rules
Add a New Syslog Parser Domain in the WebUI
To add a new syslog parser domain for the routed example
Sample NAT-mode ESI Topology
Example NAT-Mode Topology
ESI server configuration on the controller
Configuring the ESI Group in the WebUI
Configuring the Example NAT-mode ESI Topology
Configuring the NAT-mode ESI Example in the WebUI
Profile Name. This example uses externalcpping
Configuring the Redirection Filter in the WebUI
Configuring the Example NAT-mode Topology in the CLI
Configure the ESI Servers in the WebUI
Policy Name. This example uses cpredirectacl
Using the ESI Group in a Session Access Control List
Configuring a Health-Check Ping
Configuring ESI Servers
CLI Configuration Example
Understanding Basic Regular Expression BRE Syntax
Character-Matching Operators
Regular Expression Repetition Operators
Regular Expression Anchors
Description Sample Result
References
Working with the ArubaOS XML API Works
External User Management
Adding a User
Authenticating a User
Creating an XML Request
Deleting a User
XML Response
Default Response Format
Format of a default XML response from the controller is
Blacklisting a User
Response Codes
Code Reason message
Query Command Response Format
Code Reason message Description
Verify the XML API server configuration
Using the XML API Server
Configuring the XML API Server
Associating the XML API Server to a AAA profile
Vlan
Set up Captive Portal profile
Associating the Captive Portal Profile to an Initial Role
This command deletes the user from the controller
Authentication Command Description
Options Description Range / Defaults
Dell controllers configuration
Monitoring External Captive Portal Usage Statistics
Using XML API in C Language
Sample Code
Page
Page
Understanding Request and Response
Understanding XML API Request Parameters
List all parameter that you can use in a request
Adding a Client
This command will add a client on your network
Understanding XMl API Response
Response from the controller
Authenticating a Client
View the updated details of the client on the controller
Deleting a Client
Status of the client before authentication
Sending the authentication command
Status of the client after authentication
Querying for Client Details
Blacklisting a Client
Blacklisting a Client-request and response
Supported Planning
RF Plan
Pre-Deployment Considerations
Configuration Considerations
Planning Deployment
Outdoor-Specific Deployment Considerations
Post-Deployment Considerations
Dual-Port AP Considerations
Launching the RF Plan
Campus List
Buttons Description
Building List Pane
Buttons
Edit a campus from the building list pane
Building Specifications Overview
Building Dimension
AP Modeling Parameters
Radio Type
Design Model
Overlap Factor
Radio Description Button
Overlap Description Factor
Users/AP
Radio Properties Desired Rates and HT Support Options
Radio Property Description
AM Modeling
Number of available channels
Valid values are 54, 48, 36, 24, 18, 12, 9, 6, 11, 5.5, 2
Monitor Rates
Planning Floors
Design Models
Radio Button Description
You can select or adjust the features as described in Table
Zoom
Level
Approximate Coverage Map
Floor Editor Dialog Box
Naming
Area Editor Dialog Box
Background Images
Location and Dimensions
Area Types
Access Point Editor Dialog Box
Fixed
Radio Types
Power Levels
802.11n Features
Y Coordinates
Optimize
AP Plan
Initialize
Memo
AM Plan
Fix All Suggested AP/AMs
Viewing the Results
Exporting and Importing Files
Export Campus
Import Campus
Export Buildings
Locate
Import Buildings
Fqln Mapper
Property Description
Using the Fqln Mapper in the AP Provision
Search Results
Sample Building
Using the WebUI
RF Plan Example
Height
Create a Building
Information
Model the Access Points
Text Box
Campus Name
Adding the background image and naming the first floor
Model the Air Monitors
Add and Edit a Floor
Adding the background image and naming the second floor
Creating a Don’t Deploy Area
Running the AP Plan
Click Optimize
Running the AM Plan
Click Initialize
Click Initialize then Optimize
Understanding Mode Support
Behavior and Defaults
Forwarding Mode Feature Not Supported
Understanding Basic System Defaults
Network Services
Name Protocol
Name Protocol Ports
Policies
Predefined Policy Description
Following are predefined policies
Be modified. It permits APs to boot up
Used to enable the captive portal logout
Access the controllers administrative
Network access. You can use this rule to
Needed
Permits all DNS traffic
NAT-T UDP 4500. Remove NAT-T if not
This policy can be used to source-NAT all
Roles
Predefined Role Description
Following are predefined roles
Beginning
Enables captive portal
Should be disabled if it is not needed
Profiles with different customization
Understanding Default Management User Roles
Predefined Role Permissions
ArubaOS software includes predefined management user roles
Show switches summary
Show aaa state configuration
Show aaa authentication-server all
Show wlan-ap-count type access-points
Monitoring Controller Clients Packet CaptureMonitoring
Understanding Default Open Ports
Port Protocol Where Used Description Number
Port is not exposed to wireless users
Controller Remote wired MAC lookup 4343
Testing
Exposed to wireless users
To configure option 60 on the Windows Dhcp server
Configuring a Windows-Based Dhcp Server
Configuring Option
Dhcp with Vendor-Specific Options
To configure option 43 on the Windows Dhcp server
Field Information
Scope Options Dialog Box
Navigate to Configuration Network IP IP Interfaces
Enabling Dhcp Relay Agent Information Option Option
Enabling Linux Dhcp Servers
Range 10.200.10.200
Configuring Microsoft IAS
802.1X Configuration for IAS and Windows Clients
Radius Client Configuration
Remote Access Policies
Configuring Policies
Active Directory Database
IAS Remote Access Policies
Click Configure to select additional properties
Policy Configuration Wizard-Authentication Methods
Configuring Radius Attributes
Radius class Attribute Configuration
Configuring Management Authentication using IAS
Creating a Remote Policy
Next, create a remote policy for your new Radius client
Defining Properties for Remote Policy
Creating a User Entry in Windows Active Directory
Configuring a Server Group for IAS Management Authentication
Window XP Wireless Client Sample Configuration
Navigate to DiagnosticsAAA Test Server
Click Begin Test
Wireless Networks
Networks to Access
Wireless Network Association
Wireless Network Authentication
Protected EAP Properties
EAP MSCHAPv2 Properties
Acronym
Acronyms
Acronyms and Terms
Definition
DoS
Acronym
MSCHAPv2
QoS
PoE
PPPoE
RoW
VoFI VoIP
WISPr
Terms
Term
XAuth
Term
Term Definition
Shops are providing free wireless access for customers
Encryption authentication
Fixed wireless
IR wireless
Input, multiple output
Optical wireless
Hills, mountains, and large human-made structures
Near field communicationNFC
Facilities offer public access to Wi-Fi networks
Access W-CDMA
Wi-Fi
Standards for broadband wireless access BWA networks. WiMAX
Kilometers
Wireless service provider
Wired LAN
Yagi antenna