Dell 6.2 Chapte r 5

DellPowerConnect W- Series ArubaOS 6.2 | User Guide ControlPlane Security | 79

Chapte r 5

Control Plan e Security

ArubaOSsupports secure IPsec communications between a controller and campus or remote APs using public-key

self-signedcertificates created by each master controller.The controller certifies its APs by issuing them certificates.

If the master controller has any associated local Dell controllers,t he master controllersends a certificat e to each local

controller,which in turn sends certificates t o their own associated APs. I f a local controlleris unable to co ntact the

master controllerto obtain it s own certificate, it is not be ablet o certify its APs, and those APs can not

communicate with their local controller until master-localcommunicatio n has been reestablished.You create an

initial control plane security configuration when you first configure the controller using the initial setup wizard. The

ArubaOSiniti al setup wizard enables control planesecurity by default, so it is very important that the local controller

is able to communicate with its master controllerwhen it is first provisio ned.

Some AP modeltypes have factory-installed digital certificates. TheseA P modelsuse their factory-installed

certificates for IPsec, and do not need a certificate from the controller. Oncea campus or remote AP is certified,

either througha factory-installed certificate or a certificate from the controller, the AP can failover between local

Dell controllersand still stay connected to the secure network, because each AP has the same master controlleras a

common trust anchor.

Starting with ArubaOS6.2, the controller maintains two separate AP whit elists; onefor campus APs and one for

Remote APs. These whitelists contain records of allcampus APs o rremote APs co nnectedto t henetwork. You can

use a campus or AP whitelist at any time to add anew valid campus or remote AP to the secure network, or revoke

network access to any suspected rogue or unauthorized AP.

NOTE:The control pl ane securityfeature supports IPv4 campus and remote APsonl yDo not enable control plane security on a

controller thattermi natesIPv6 APs.

Whenthe co ntrollersends an AP a certificate, that AP must reboot before it can connect to it s controllerover a

securechannel. If you are enabling control plane security for the first time on a large network, you may experience

severalminutes of interrupted connectivity while each AP receives its certificate and establishes its secure

connection.

Topics in this chapter include:

l"ControlP laneSecurity Overview" on page 80

l"ConfiguringControl Plane Security" on page 80

l"ManagingWhitelists on Master and Local Controllers" on page 87

l"Workingin Environments wi th MultipleMaster Controllers" on page 90

l"Replacinga Controlleron a Multi-ControllerNetwork" on page 93

l"ConfiguringControl Plane Security after Upgrading" on page 97

l"TroubleshootingControl Plane Security" on page 97

Contents

Main Copyright Informa tion OpenSource Code Legal Notice Contents Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page About this G uide Whats New In ArubaOS 6 .2 New Featuresin ArubaOS 6.2 Table1: Page Table2: New HardwarePlatforms introducedwit h ArubaOS6.2 Fundamentals WebUI CLI Related Documen ts Conventions Table3: Type Style Description TypographicalConventions Page Chapte r 4 The Basic User-Ce ntric Networks Understanding Ba sic Deployment and Configu ration Tasks Deploymen t Scenario #1: C ontroller and A Ps on Same Sub net Figure 4: Deploymen t Scenario #2: A Ps All on One Sub net Different from C ontroller Subn et Figure 5: Deploymen t Scenario #3: A Ps on Multiple D ifferent Subne tsfro m Controllers Figure 6: Configuring the Contro ller Dell PowerConnectW-SeriesA rubaOSQuick Start Guide chapter Running Initial Se tup Connec ting to the Co ntroller after Initial Setu p Dell W-7200 Series Contro ller New Port N umbering Sc heme Individual Po rt Behavior Using the LCD Scre en Table7: LCD PanelMode: Boot Table9: Table8: Function/MenuOptions Displays Using the LCD and U SB Drive Upgradin g an Image Uploadin g a Pre-saved Configuration Disabling LCD Men u Functions Configuring a VLAN to Conne ct to the Network Creating, Upd ating, and Viewing VLAN sa nd Associated IDs Creating, Up dating, and Deleting VLAN P ools Assigning and C onfiguring the Trunk P ort Configuring the Defau lt Gateway Configuring th e Loopback IP Add ressfor the Co ntroller Configuring th e System Clock Installing Licenses Connec ting the Controller to the Network Installation Guide Enabling Wireless C onnectivity User Guide Configuring Your Us er-Centric Network Page Chapte r 5 Control Plan e Security Control Plane Secu rity Overview Configuring Control P lane Security ControlPlane Security Parameters Table11 : Figure 12: Managing AP Whitelis ts Adding APs to th e Campus a nd Remote AP Whitelists APW hitelist Parameters Table14 : Figure 13: Viewing Wh itelist Status Table15 : Status Entry Description Whitelist status information Status Entry Description AdditionalCampus AP Status Information Table16 : Table17 : Viewt heC ampusAP Whitelistv ia the CLI Modifying an AP in the C ampus AP Whitelist Revoking a n AP via the Campus AP Whitelist Deleting an A P Entry from the Campus AP Whitelist Purging th e Campus A P Whitelist Managing Whiteli sts on Master and Loca l Controllers Table18 : ControllerRole Campus AP Whitelist Master Switch Whitelist Local Switch Whitelist ControlPlane Security Whitelists Campus A P Whitelist Synchro nization Viewing a nd Manag ing the Master o r Local Switch Wh itelists Masterand Local Switch Whitelist Information Table20 : Viewing the Master or Local Swi tch Whitelist Deleting an Entry from the Mast eror Local Sw itch Whitelist Purging the Master or Local Switch Whit elist Working in Enviro nments with Multiple Mas ter Controllers cluster Configuring Netw orks with a Bac kup Master C ontroller mustsynchronize the database from the primary masterto the backupmaster at least once Configuring Netw orks with Clusters of M aster Controllers Creating a Cluster Root Optional Creating a Cluster Member Viewing Controll er Cluster Settings Table22 : CLI Commandsto Dis play Cluster Settings Replacing a Con troller on a Multi-Controller Network Replacin g Controllers in a Single Master N etwork Replacing a Local Controller Replacing a Master Controllerwit h No Backup Replacing a Redundant Master Controller Replacin g Controllers in a Multi-Master Netwo rk Replacing a Local Controller in a Mul ti-Master Network different Replacing a Cluster Member Controller w ith no Backup Replacing a Redundant Cl uster Member Controller Replacing a Cluster Root Control ler with no Backup Controller Replacing a Redundant Cluster Root C ontroller Configuring Contro l Plane Security after Upgrading beforeyou enable the feature Table23 : but did not yet have control plane security enabledbefore the upgrade Automaticallys endCertificates to CampusAPs ManuallyCertify Campus APs Verifying Certificates Disabling Co ntrol Plane Se curity master Verifying Whitelist Syn chronization Page Chapte r 6 Software Licen ses x Understanding License Terminology Working with Licens es Figure 25: Working with Lic enses on a Multiple Contro ller Network Table26 : Using License s License Basis WhatConsumes OneL icense Usageper License Understanding L icense Interaction License Inst allation Best Practices and Exc eptions filename Installing a Licen se Enablinga new license on your controller Requesting a S oftware License in Email Locating the System Serial N umber Obtaining a So ftware License Key Creating a Softw are License Key Applying the So ftware License Key in the WebUI Deleting a License Moving Licens es Resetting the Contro ller Page Chapte r 7 Network Con figuration Paramete rs up virtual port on the controller Configuring VLANs Creating Nam ed VLANs TheVLAN name cannot bemodified so choosethename carefully Creating a Nam ed VLAN not in a Pool Figure 28: Creating a VLAN P ool Figure 29: Distinguishing Bet ween Even and Hash Assignment Types Updating a VLAN Pool Deleting a VLAN Pool Creating a VLAN Pool Using the C LI Viewing and Adding VLAN I Ds Using the CLI Adding a Ba ndwidth Con tract to the VLAN Optimizing VLAN Broa dcast and Mu lticast Traffic Figure 30: Configuring Ports Classifying Traffic a s Trusted or Untruste d About Trusted and Untrusted Physical Ports Table31 : About Trusted and Untrusted VLANs Port VLAN TrafficStatus Configuring T rusted and Untrusted Ports and V LANs in Trunk Mode untrusted trusted untrusted Understanding VLAN As signments server-derivedrule How a V LAN Obtains an IP Ad dress Assigning a Static Ad dress toa V LAN Configuring a V LAN to Receive a Dynamic Ad dress Figure 32: Configuring Multiple Wired Up link Interfaces (Ac tive-Standby) Enabling th e DHCP Client Figure 33: Enabling th e PPPoE Client Default Ga teway from DHC P/PPPoE Configuring DNS/WINS Serve r from DHPC/PPP oE Configuring S ource NAT to Dynam ic VLAN Address Configuring So urce NAT for V LAN Interfaces Example Configuration Figure 34: Inter-VLAN Rou ting Figure 35: Using the WebUI to restrict VLA N routing Configuring Static Rou tes Configuring the Lo opback IP Address Configuring the Co ntroller IP Address Using the CLI <serverip> <servername>, <master> Creating a Tunn el Interface Directing Traffic into the T unnel Static Routes Firewall Policy Tunnel Keepalives Chapte r 8 IPv6 Suppo rt Understanding IPv6 Notation Understanding IPv6 Topology Figure 36: Enabling IPv6 Enabling IPv6 Sup port for Controller and APs Features Supportedon IPv6 APs? Table37 : IPv6 APs SupportMatrix Features Supportedon IPv6 APs? Configuring IPv6 Ad dresses ToConfigure Link Local Address ToConfigure Global Unicast Address ToConfigure Loopback InterfaceAddress Configuring IPv6 Static Neighb ors Configuring IPv6 De fault Gateway a nd Static IPv6 Ro utes ToConfigure IPv6 Default Gateway ToConfigure Static IPv6 Routes Managin g Controller IP A ddresses Configuring Multicast Listener D iscovery (MLD) ToModify IPv 6 MLD Parameters Debugg ing an IPv6 Co ntroller Provisioning a n IPv6 AP Filtering an IPv6 Extension Hea der (EH) Configuring a Cap tive Portal over IPv6 Working with IPv6 Router Advertisem ents (RAs) Configuring a n IPv6R A on a VLAN Using WebUI IPv6 Configuring Optional Para meters for RAs IPv6 Viewing IP v6R A Status Understanding Aru baOS Supported Network Configuration for IPv6 Clients Supporte d Network Configuratio n Understand ing the Netw ork Conne ction Sequ ence for Wind ows IPv6 Clients Understanding Arub aOS Authentication and Firewa ll Features that Support IPv6 IPv6 Client Authentication Table38 : Understanding Authentication AuthenticationMethod Supportedfor IPv6 Clients? Working with Firewall Features Table39 : Authentication Method Description IPv6 FirewallParameters Understand ing Firewall Policie s Table40 : IPv6 FirewallPolicy RuleParameters Creating an IPv6 Firewall Pol icy Assigning an IPv6 Policy to a U serRol e Understand ing DHCPv6 P assthrough/Relay Managing IPv6 User Addresses ArubaOSCommandLi neR eferenceGuide Viewing o r Deleting User E ntries Understand ing User Roles Viewing D atapath Statistics fo r IPv6 Sessions Page Chapte r 9 Link Aggre gation Control P rotocol (LACP) Understanding L ACP Best Practices and Exceptio ns Configuring LACP passive LACP Sample Config uration Page Chapte r 10 OSPFv2 Understanding OSP F Deployment Best Practices an d Exceptions Understanding OSPFv 2 by Example usi ng a WLAN Scenario WLAN Topo logy WLAN Routing T able Understanding OSPF v2 by Example using a Branch Office S cenario Branch Office T opology Figure 41: Branch Office R outing Table View the branch office controllerrouting table using the show ip route command: Configuring OSPF Page Sample Topology and Configuration Figure 45: Remote Bra nch 1 Remote Bra nch 2 W-3200 Central Office C ontrollerActive W-3200 Central Office C ontrollerBack up Page Page Chapte r 11 Tunneled Nodes Understanding Tunneled Node Configuration Figure 46: Configuring a Wired Tunn eled Node Client Configuring an Acce ssP ort as a Tunn eled Node Port Configuring a T runk Port as a Tunneled N ode Port Sample Output Use the Ont het unnelednode client: Page Chapte r 12 Authentic ation Servers groups Understanding Authentication ServerBest Practices and Exceptions Understanding S ervers and Server Groups Configuring Servers RADIUS Server ConfigurationParameters Table48 : Configuring a R ADIUS Server ipaddr RADIUS Server Authenticat ion Codes Table49 : Code Description RADIUS Authentication ResponseCodes RADIUS S erver Fully Qualified Do main Name s Set a DN S Query Interval Configuring an RFC-3576 RAD IUS Server 503: SessionNot Found Configuring a n LDAP Server Table50 : LDAPS erverConfigurationParameters Configuring a T ACACS+ Server Table51 : TACACS+ Server ConfigurationParameters Configuring a Win dows Server Table52 : WindowsServer ConfigurationParameters InternalDatabase ConfigurationParameters Table53 : Managing the Internal Database Configuring the Interna l Database Parameters Description Managin g Internal Data base Files Exporting Files in the WebUI Importing Files in t he WebUI Exporting and Importing Fil es in the CLI groups Configuring Serve r Groups Configuring Server Group s Configuring Server List Order an d Fail-Through fail-through Configuring Dyna mic Server Sele ction contains exactly begins Figure 54: Configuring M atch FQDN Option exactly Trimming Dom ain Information from Req uests Configuring S erver-Derivation Rules Table55 : ServerRule ConfigurationParameters Configuring a R ole Derivation Rule for the Interna lDa tabase Assigning Serv er Groups Table56 : User Guide Rolesand Policies RADIUS TACACS+ LDAP InternalDatabase Accounting RADIUS Accounting Page start stop AuthenticationTimers TACACS + Accounting Configuring Authent ication Timers Table57 : Timer Description Setting an Au thentication Timer Chapte r 13 MAC-based A uthentication MAC AuthenticationProfile ConfigurationParameters Table58 : Configuring MAC-Based Au thentication Configuring Clients Page Chapte r 14 802.1X Authentication Dell controller authenticator supplicant SupportedEAP Types Configuring A uthentication with a RA DIUS Server Figure 59: Configuring A uthentication Term inated on Controller Figure 60: Configuring 802 .1X Authentication Table61 : 802.1xAuthentication ProfileBasic WebUIParameters Page Page Page Configuring and Using Certificates with A AA FastConne ct Configuring User a nd Machin e Authentica tion machineauthentication Table62 : Working with Ro leA ssignment with Machine Au thentication Ena bled Machine Auth Enabling 802 .1x Supplicant Support on an AP Prerequisites Provisioning a n AP as a 802.1X Su pplicant Sample Configurat ions Configuring A uthentication with an 802.1X RAD IUS Server Configuring Role s and Policies Creating the Student Role and P olicy Page Creating the Faculty Role and Pol icy Using the WebUI Creating the Guest Role and Pol icy svc-dns svc-https Creating Roles and Policies f orS ysadmin and Computer Using the WebUIto create the computer role Creating an Alias for the I nternal Network Using the CLI Configuring th e RADIUS Authen tication Server Configuring 802.1X Auth entication Configuring V LANs Configuring th e WLANs Configuring the Gue stW LAN Configuring the Non-Gue st WLANs Page Configuring Authentic ation with the C ontrollers Internal Da tabase Configuring the Interna l Database Configuring a Server Rule Using the WebUI Configuring a Server Rule Using the CLI Configuring 802.1x Auth entication Configuring V LANs Configuring W LANs Configuring the Gue stW LAN Configuring the Non-G uest WLANs Configuring M ixed Authenticatio n Modes Table64 : Authentication 1 2 3 4 5 6 MixedAuthentication Modes Performing Advan ced Configuration Options f or 802.1X Configuring Reauthe ntication with U nicast Key Rota tion Chapte r 15 Stateful an d WISPr Authe ntication Working With Stateful Au thentication Working With WISPr Authe ntication partner logoff authentication proxy Configuring Statefu l NTLM Authentication Configuring Statefu l Kerberos Authentication Configuring WISPr Auth entication Table65 : WISPr AuthenticationProfile Parameters Page Chapte r 16 Certificate Revoc ation revocation checkpoint Understanding OCSP a nd CRL Configuring a C ontroller as OCS P and CRL C lients Configuring the Co ntroller as an OCSP Client Figure 66: Figure 67: Configuring the Co ntroller as a CRL Client Configuring the Co ntroller as an OCSP Respond er Page Chapte r 17 Captive Po rtal Authentication Understanding Ca ptive Portal Policy Enfo rcement Firewall Ne xt Generatio n (PEFNG) License chapter Configuring Captiv e Portal in the Base Operating Sys tem Page Page Using Captive Po rtal with a PEFNG License Configuring Ca ptive Portal in the W ebUI Configuring Captive Portal in the CLI Sample Authentica tion with Captive Portal logon Creating a Gue stU ser Role Creating a n Auth-guest U ser Role Configuring Po licies and Role s in the WebU I Creating a Time Range Creating Aliases Creating an Auth-Guest-Access Policy Creating an Block-Internal-Access Poli cy Creating a Drop-and-Log Policy Creating a Guest Role Creating an Auth-Guest Role Configuring Po licies and Role s in the CLI Defining a Time Range Creating Aliases Creating a Guest-Logon-Access Policy Creating an Auth-Guest-Access Policy Configuring Gues t VLANs Configuring Captiv e Portal Authentication Profiles Modifying the Initial User Role Configuring th e AAA Profile Configuring th e WLAN Managing UserAccounts Configuring Captive Po rtal Configuration Parameters Table6 8 describes configuration parameterso n the WebUI Captive Portal Authentication profile page. Table68 : CaptivePortal Authentication ProfileP arameters Enabling Optiona l Captive Portal Configurations The followingare opt ional captive portal configurations: Uploadin g Captive Porta l Pages by SS ID Association Table69 : Forcaptive portal wi th role-basedaccess only Entity Engineering Business Faculty CaptivePortal login Pages Configuring R edirection to a Proxy Server captive-portal-profile Redirecting Clients on Differen t VLANs Web Clien t Configuration with Pro xy Script Personalizing the Ca ptive Portal Page Page Creating and Inst alling an Internal Captive Portal Creating a New Interna l Web Page Variable Description Table70 : WebPage Authentication Variables Username Example Password Example FQDN Example Basic HTML Example Installing a Ne w Captive Portal P age Displaying Au thentication E rror Messages Reverting to th e Default Cap tive Portal Configuring Lo calization Page Page Figure 71: Customizing the We lcome Page Figure 72: Customizing the Po p-Up box Customizing th e Logged Ou t Box Creating Walled Garden Acc ess Enabling Captive Portal Enhancements Configuring th e Redirect-URL Configuring th e Login URL Defining Netd estination Descriptions Configuring a W hitelist Configuring the Netdesti nation for a Whitelist: Associating a Whiteli st to Captive Portal Profile Applying a Captive Portal Prof ile to a User-Role Verifying a Whitelist Configurat ion Use the followingco mmandsto verify t hewhit elist alias: Verifying a Captive Portal P rofile Linked to a Whitelist Use the followingco mmandsto verify t heCapti ve Portal profilelinked to the whitelist: Verifying Dynamic ACLs for a Whit elist Verifying DNS Resolved IP Addresses for Whit elisted URLs Use the followingco mmandto verify the D NSresolved IP addresses for the whitelisted URLs: Example: Chapte r 18 Virtual Private Ne tworks Planning a VPN Co nfiguration Selecting a n IKE protocol Understand ing Suite-B Encryption Lice nsing Table73 : IKE Policies Suite-Bfor IPs ectunnels Suite-BAlgorithms Supportedby the ACR License Working w ith IKEv2 Clients Windows 7 Client StrongSwan4.3 Client VIA Client VPN Clients SupportingIKEv2 Understand ing Supported VP N AAA Deploymen ts Local-db. Working with VPN Auth entication Profiles Parameter default default-rap default-cap PredefinedAuthenticationProfile settings Configuring a Ba sic VPN for L2TP/IPsec in the WebUI Defining Authenti cation Method and Server Addresses Defining Address Pools Enabling Source NAT Selecting Certifi cates Defining IKEv1 Shared Keys Configuring IKE Polici es Setting the IPsec Dynam ic Map Finalizing WebUI changes ForIKEv1 Configuring a VPN f or L2TP/IPsec with IKEv 2 in the WebUI Defining Authenti cation Method and Server Addresses Defining Address Pools Enabling Source NAT Selecting Certifi cates Configuring IKE Polici es Setting the IPsec Dynam ic Map Finalizing WebUI changes Configuring a VPN f or Smart Card Clients Working w ith Smart Card c lients using IKEv2 Working w ith Smart Card C lients using IKEv1 Configuring a VPN f or Clients with User Pass words enable Configuring Rem ote Access VPNs for XAuth Configuring VPN s for XAuth Clien ts using Smart Ca rds Page Configuring a V PN for XAuth Clients Using a Usernam e and Password Working with Rem ote Access VPNs for PPTP Working with Site-to-Site VPNs Working w ith Third-Party Device s Working with Site-to-S iteV PNs with Dynamic IP Addresses initiator responder Understanding VPN Topologies Figure 78: initiator responder Page Detecting De ad Peers Understand ing Default IKE policies Table79 : Policy Name Policy Number IKE Version Working with VPN Dial er Configuring V PN Dialer Thisoption is not recommendedfor security reasons guest Assigning a Dialer to a User Ro le mydialer Page Chapte r 19 Roles and Po licies user dynamic bi-directional Working W ith Access Con trol Lists(AC Ls) from Support fo r Desktop Virtualizatio n Protocols Creating a Firewall Policy Table80 : FirewallPolicy Rule Parameters Page Creating a Netw ork Service Alias Creating a n ACL White List Configuring the ACL White Li st in the WebUI Configuring the White List Bandwidth Contract in the CLI Configuring the ACL White Li st in the CLI Creating User Roles Table81 : UserRole Parameters Creating a User Role Bandwid th Contracts per-ap-group per-user bandwidthcontracts BandwidthContract Exceptions Viewing the Current Excepti onsLi st Configuring Bandwidth C ontract Exceptions server-derivedrole xx:yy:zz Assigning Use r Roles Assigning Use r Roles in AAA P rofiles Working with User-De rived VLANs Table82 : RuleType Condition Value Conditionsfor a User-DerivedR oleor VLAN Understanding Device Identif ication DHCP Option Description HexadecimalEquivalent Configuring a User-derived VLAN in the WebUI Configuring a User-derived Role or VLAN in the CLI User-Derived Role Example laptop Figure 83: Configuring a Default R ole for Authen tication Metho d Configuring a S erver-Derived Role Configuring a V SA-Derived Role Table84 : Understanding Glo bal Firewall Parameters IPv4 FirewallParameters Page Page Page Page Chapte r 20 Virtual APs Table85 : virtual AP. Configuring Virtual AP Pro files Configuring a Virtual AP AP Group/Name VirtualAP Profile SSID Profile AAA Profile Configuring th e WLAN Configuring the U ser Role Configuring A uthentication Servers Configuring A uthentication Table87 : AAA ProfileParameters Applying the Virtua l AP Table88 : VirtualAP Profile Parameters Page Page Creating a ne w SSID Profile Table89 : SSID Profile Parameters Page Page Page Configuring an SSID for Suit e-B Cryptography Configuring a G uest WLAN Configuring a V LAN Configuring a G uest Role svc-https Configuring a Guest Virtual AP Enabling b Sec SSID Suppo rt Sample Configuration Enabling 802.11k Supp ort Table90 : 802.11kProfile Parameters on-hook Page Working with Radio Resource Management Inf ormation Elements RRM IEParameters Table91 : Working with Beacon Report Requests Table92 : BeaconReport Request Settings Page Working with a Traffic St ream Measurement Report Table93 : TSMReport Request Settings Configuring a High-T hroughput Virtual AP Table94 : High-ThroughputRadio Profile ConfigurationParameters Page Table95 : High-ThroughputSSID ProfileParameters Page Managing High-ThroughputProfiles Chapte r 21 Adaptive R adio Manag ement (ARM) Dell PowerConnectW-SeriesA rubaOS6 .2 User Guide Understanding ARM ARM Sup port for 802.11n Monitoring Y our Network w ith ARM Configuring ARM Scanning Configuring ARM Profiles Table96 : ARM Profiles ExampleWLAN Description ARM ProfileTypes Creating a Ne w ARM Profile Copying an E xisting Profile Deleting a Profile Configuring ARM S ettings Table97 : ARM ProfileC onfigurationParameters Page notbe enabl ed Page Page Assigning an ARM Profile to a n APGro up Using Multi-Band ARM for 802.11a /802.11g Traffic Enabling Band Steerin g (Default) but no virtual AP in tunnel mode Steering Mod es Enabling B and Steering Enabling Traffic Sha ping Enabling T raffic Shaping Table98 : TrafficManagementP rofileParameters Enabling Spectrum Load Balancing Reusing Chann els to Control RX Sensitivity Tun ing static, dynamicor disable Configuring Non-80 2.11 for Noise Interferenc e Immunity ARM Metrics a+b+c+d. Troubleshootin g ARM Too ma ny APs on the Same Cha nnel cov-idx Wireless Clients Re port a Low Sign al Level Transmission Po wer Levels Chan ge Too O ften Page Chapte r 22 Wireless Intrusion P revention Dell PowerConnect W-SeriesArubaOS 6.2 Command Line InterfaceGuide Working with the Reusa ble Wizard Figure 99: Understand ing Wizard Intrusion Detection Figure 100: Understand ing Wizard Intrusion Protection Protecting Your Infrastructure Protecting Your Client s Figure 101: Monitoring the Dashb oard Figure 102: Detecting Rogue APs Understand ing Classification Terminolo gy Table10 4: Table10 3: Classification Description Understanding Match Methods Understanding Match Types Understanding Suspected Rogue Confidence Level Understand ing AP Classification Rules Understanding SSID specifi cation Understanding SNR specificat ion Understanding Discovered-AP-Count specificat ion Sample Rules Working with Intrusion De tection Understand ing Infrastructure Intrusion Detec tion InfrastructureDetection Summary Table10 5: Page Page Page Page Page Detecting Wellenreit er Understand ing Client Intrusion Dete ction ClientDetect ionSummary Table10 6: valid-client Page Detecting a Block ACK DoS Detecting a ChopChop Att ack Detecting a Disconnect St ation Attack Detecting an EAP Rate Anom aly Detecting a FATA-Jack Attack St ructure Detecting an Omerta At tack Detecting Rate Anomal ies valid packetcapture Detecting a TKIP Replay A ttack Configuring Intrusio n Protection InfrastructureProtection Summary Table10 7: interface. Understand ing Infrastructure Intrusion Protec tion Understand ing Client Intrusion Protec tion Table10 8: ClientProtection Summary WMS ConfigurationParameters Table10 9: Configuring the WLAN Ma nagement System (WM S) Configuring Local WMS Settings Managing the WMS Database Understanding Cl ient Blacklisting Methods o f Blacklisting Blacklisting Man ually Blacklisting b y Authentication Failure Enabling A ttack Blacklisting Setting Blac klist Duration Removing a Clie nt from Blacklisting Working with WIP Advan ced Features Configuring TotalWa tch monitor scan Understanding TotalWatchChannel Types and Qualifiers Understand ing TotalWatch Mon itoring Features Understanding TotalWatchScanning Spectrum Features stays Table11 0: Frequency Channel Administering Tota lWatch Configuring Per R adio Settings Configuring Per A P Setting Page Licensing Working with Tarpit Sh ielding Command Line ReferenceGuide see deauth confused Chapte r 23 Access Po ints (APs) APC onfigurationFunctionOverview Table11 1: Basic Functions a nd Features Naming and Grouping APs AP group APname APname.floor.building.campus building.floor.location Creating an A P group Assigning AP s to an AP G roup Understanding AP Co nfiguration Profiles Working w ith Wireless LAN Profiles on-hook Page Page Working with AP P rofiles Working with Qo S Profiles Working w ith RF Manage ment Profiles Provisioning Mesh P rofiles Other Profiles Viewing Profile Erro rs flag Profile Hierarchy Page Page Deploying APs Running the RF Plan RFPlan Installation and User Guide Verifying that A Ps Can Con nect to the Contro ller Configuring Firewall Set tings Enabling Controller Di scovery Configuring DNS Resoluti on Configuring DHCP Server Communicat ion with APs Using the Aruba Discovery Protocol (ADP) Verifying that A Ps Are Rece iving IP Addresses Provisioning A Ps for Mesh Provisioning 802.11n AP s for Single-Chain Tran smission Table11 6: AP Model Freqency Band AntennaPort AntennaInterfaces for Single-ChainMode Installing APs o n the Netwo rk Figure 117: Updating the RF P lan Provisioning Ins talled APs Designation an A P as Remote (RAP) ve rsus Campus (CAP ) Working with the AP P rovisioning Wizard Provisioning a n Individual AP Figure 118: Page Provisioning Multiple AP susi ng a Provisioning Profile Table11 9: APP rovisioningProfile parameters Assigning Provisioning Profil es Troubleshooting doesnot Configuring a Provis ioned AP AP Installation Mod es Renamin g an AP Optimize APs O ver Low-Speed Links Configuring the Bootstrap Threshold Table12 0: APS ystem Profile Configuration backup Page Prioritizing AP heartbeats AP Redundancy AP MaintenanceMode EnergyEfficient Ethernet EthernetInterface Link ProfileP arameters Table12 1: Managin g AP LEDs RF Management 802.11a and 802.11g RF Managemen tPro files Managin g 802.11a/802.11gP rofiles Using the We bUI Creating or Editing a Profil e Table12 2: 802.11a/802.11gRF Management ConfigurationParameters Page isalso Page Assigning an 802.11a/802.11g Profile Assigning a High-throughput Profil e Assigning an ARM Profile Managin g 802.11a/802.11gP rofiles Using the CLI Viewing RF Management Set tings Assigning a 802.11a/802.11g Profile RF Optimization Table12 3: RFOptimization Profile Parameters RF Event Co nfiguration Table12 4: RFE vent ThresholdsProfile Parameters Configuring AP Chan nel Assignments Channe l Switch Ann ouncemen t (CSA) Automatic Channel an d Transmit Powe r Selection Managing AP Cons ole Settings Table12 5: Hit <Enter>t o stop autoboot. APC onsoleCommands Page Chapte r 24 Secure En terprise Mesh Understanding Me sh Access Points Mesh Portals Mesh Points Mesh Clusters Figure 126: Understanding Me sh Links Link Metrics Table12 7: Component Description MeshLink Metric Computation Optimizing Links Understanding Me sh Profiles Mesh Cluster P rofile Mesh Radio Pro file RF Manag ement (802.11a and 802.11g) Pro files Adaptive Radio Management Profi les Mesh High -Throughpu t SSID Profile Wired AP Profile Mesh Rec overy Profile Understanding Me sh Solutions Thin AP Service s with Wireless Back haul Deploym ent Figure 128: Point-to-Poin t Deployment Figure 129: Point-to-Multipo int Deployment High-Availab ilityDe ployment Figure 131: Planning a WLAN Ac cording to Your Specificati ons Task Overview Collecting Re quired Information Table13 2: PlanningWorksheet - BuildingDimensions Table13 3: AP Desired Rates (2.4 GHz Radio Properties) PlanningWorksheet - AP Desired Rates (2.4 GHz Radio Properties) Working with Mesh Rad io Profiles one Managin g Mesh Profiles In the W ebUI Creating a New Profile Table13 5: MeshRadio Profile ConfigurationParameters Page Assigning a Profile to a Mesh AP or AP Group Managin g Mesh Profiles In the C LI Viewing Profile Set tings Deleting a Mesh Radio Profil e Working with Mes h High Throughput SSID Profiles Managin g Profiles In the W ebUI Creating a Profile Table13 6: MeshHigh-ThroughputSSID Profile ConfigurationParameters Page Managin g Profiles In the C LI Viewing High-throughput SSI D Settings Understanding M esh Cluster Profiles Deploymen ts with Multiple Mesh Cluster Profiles Managin g Mesh Cluster P rofiles In the Web UI Creating a Profile MeshCluster Profile ConfigurationParameters Table13 7: Associating a Profile t o MeshA Ps Deleting a Mesh Cluster Profil e Managin g Mesh Cluster P rofiles In the CLI Viewing Mesh Cluster Profil e Settings Associating Mesh Cluster Profil es Excluding a Mesh Cluster Profile f rom a MeshN ode Deleting a Mesh Cluster Profil e Configuring Ethe rnet Ports for Mesh Configuring Bridg ing on the E thernet Port Configuring Ethe rnet Ports for Sec ure Jack O peration Extendin g the Life of a Me sh Network Provisioning Mes h Nodes Outdoor A P Parameters Provisioning Cave ats Provisioning Mesh No des Understanding the AP Boot Sequence Booting the Me sh Portal Booting the Me sh Point Air Monitoring and Mesh Verifying the Network Ift hemesh-radio is to bereservedexclusively for meshbackhaul tr affic, Verification Checkli st CLI Examples Configuring Remot e Mesh Portals (RMPs) How RMP Wo rks Figure 138: Creating a Rem ote Mesh Porta l In the WebUI Provisioning the AP Figure 139: Defining the Mesh Private VLAN Selecting a Mesh Radio Profil e Selecting an RF Management Profil e Adding a Mesh Cluster Profile Configuring a DHCP Pool Configuring the VLAN ID of the Virtual AP Profile Provisioning a Rem ote Mesh Portal In the CLI Additiona l Information Chapte r 25 VRRP VRRP Parameters Table14 0: Configuring Redundancy Parameters Configuring the Local Controller forRedundancy backup Configuring th e LMS IP Configuring the Master Con troller for Redund ancy initially-preferred master. VRRP Commands Command Explanation Table14 1: Command Explanation aruba-master Table14 2: Configuring D atabase Synchron ization Databasesynchronizationc ommands Enabling Incre mental Configu ration Synchro nization (CLIOnly) Table14 3: IncrementalConfigurationSynchronizationC ommands Configuring Master-Local Controller Redundancy Figure 144: Page Chapte r 26 RSTP PortState C omparison Table14 5: Understanding RS TP Migration and Interoperability STP (802.1d) In addition to port state changes,RSTP introduces port roles for allt heinterfaces (see Table 146). Table14 6: Port Role Description PortRole Descriptions Configuring RSTP Table14 8: Figure 147: Feature DefaultValue/Range RSTP DefaultValues Troubleshooting RSTP Page Chapte r 27 PVST+ Understanding PV ST+ Interoperability and Best Prac tices Enabling PVST+ in the CL I Enabling PVST+ in the We bUI Chapte r 28 IP Mobility foreignagent homeagent care-ofaddress Configuring Mobility Do mains Tasks to Configurea Mobility Domain Table15 1: active On a master controller: On all Dell controllersin the mobility domain: Configuring a Mo bility Domain Joining a Mob ilityD omain Example C onfiguration Figure 152: Configuring Mobility usi ng the WebUI Table15 3: Subnetwork Mask VLAN ID Home AgentAddress orVRIP Exampleentries Configuring Mob ilityu sing the CLI Tracking Mobile Use rs Mobile Clien t Roaming S tatus Viewing mobile cl ient status using the WebUI Viewing mobile cl ient status using the CLI Roaming Status Type Description Viewing user roaming status usi ng the CLI Roaming status can be one of the following: Status Type Description UserRoaming status Viewing specific cl ient information using the C LI Configuring Advan ced Mobility Functions Page 4. Click A pplyafter setti ngt he parameter. Proxy Mob ile IP proxy mobileIP module proxy DHCPmodule Proxy DHC P Revocations Understanding Bridg e Mode Mobility Deployments Figure 157: Enabling Mobility M ulticast Working w ith Proxy IGMP a nd Proxy Re mote Subscriptio n Working w ith Inter controller Mo bility Figure 158: Configuring Mob ilityM ulticast Table15 9: CommandSyntax Example Chapte r 29 External Firew all Configuration Understanding F irewall Port Configuration Among De ll Devices Enabling Network Acce ss Ports Used for Virtua l Internet Access (VIA) Configuring Ports to Allo w Other Traffic Types Page Chapte r 30 Remote A ccess Points About Remote Acc ess Points Figure 160: Figure 161: Figure 162: Figure 163: Configuring the Sec ure Remote Access Point Serv ice Configure a Public IP A ddress for the Co ntroller Using the WebUI to create a DMZ address Configurethe NAT Device Configure the VPN Server CHAP Au thentication S upport over PP PoE Using the WebUIto configure CHAP Figure 164: Using the CLI to configurethe CHAP Configuring C ertificate RAP Using WebUI Creating a Remote AP Whitel ist Configuring P SK RAP Add the user to the internal database Using WebUI Using CLI RAP Static In ner IP Address Provision the AP DeploymentScenario Master IP Address Value Deploying a Branch Offic e/Home Office Solution Figure 167: Provisioning the Bra nch Office AP Configuring th e Branch Office AP Troublesho oting Remote AP Local Debugging Remote AP Summary Summary Table Name Basic View Information AdvancedView Information RAP ConsoleSummary Tab Information Table16 8: Disabled Split Tunnel Multihoming on remote AP ( RAP) Seamless failover from backup l ink to primary link on RAP Remote AP Connectivit y Data Description Table16 9: Enabling Remo te AP Advanced Configuration Option s Understand ing Remote AP Mode s of Operation Table17 0: Remote AP Oper- ation Setting Forward Mode Setting RemoteAP Modes of Operationand Behavior Working in Fallbac k Mode Backup Configuration Behavior for Wired Ports Configuring Fa llback Mode Configuring the AAA Profi le for Fallback Mode in the WebUI Configuring the AAA Profi le for Fallback Mode in the CLI Configuring the Virtual AP Prof ile for Fallback Mode in the WebUI Configuring the Virtual AP Profile for Fallback Mode in t he CLI Configuring th e DHCP Server on the Remo te AP Page Configuring Advanced Backup Options Configuring the Session ACL in t he WebUI Configuring the AAA Profi le in the WebUI Defining the Backup Confi guration in the WebUI Configuring the Session ACLin the CLI Using the CLI to confi guret he AAA profile Defining the Backup Confi guration in the CLI Specifying th e DNS Con troller Setting Backup Controller List Figure 171: Configuring the LMS and backup LMS IP addresses in the WebUI Configuring the LMS and backup LMS IP addresses in the CLI Configuring R emote AP Failback Enabling RAP Local Ne twork Access Figure 172: Dell PowerConnectW-Series ArubaOS CommandLine ReferenceGuide Configuring R emote AP Authorization P rofiles Adding or Editing a Remote A P Authorization Profile Understanding Split Tunneling Figure 173: Configuring Split Tunn eling Configuring the Session A CL Allowing Tu nneling Configuring an ACL to R estrict Local Deb ug Homep age Acce ss Figure 174: Configuring the AAA Profile fo r Tunneling start stop Inthe CLI Configuring the T unneling V irtual AP Profile Defining Co rporate DNS Servers Provisioning Wi-F i Multimedia Reserving Uplink Ban dwidth Understand ing Bandw idth Reservation fo r Uplink Voice Traffic Configuring B andwidth Reservation Figure 175: Provisioning 4 G USB Modems on Remote Acce ss Points 4G USB Mo dem Provisioning BestP ractices and E xceptions Provisioning R AP for USB Mo dems none RAP 3G/4G B ackhaul Link Quality Monitoring Configuring W-IAP3WN Access Po ints Dell PowerConnectW-SeriesW-IAP3WN Installation Guide Converting an IAP to RAP or CAP Converting IAP to RA P Converting an IA P to CAP Enabling Bandw idth Contract Support for RAPs Configuring Bandwidth C ontracts for RAP Defining Bandwidt h Contracts Applying Contracts ApplyingContracts Per-Role Verifying Contracts on AP The followingexample displays the bandwidth contracts o n AP for per-role configuration: Verifying Contracts Appli ed to Users The followingis a sample output for a per-user configuration: Verifying Bandwidth Cont racts During Data Transfer The followingis a sample output for a per-user configuration: Page Chapte r 31 Virtual Intrane t Access Understanding VIA Connection Manager How it Works User action/ environment VIAs behavior Installing the VIA Con nection Manag er On Microsoft Windows Computers On Apple MacBooks Upgrade W orkflow Minimal Upgrade Configuring the VIA C ontroller Before you Beg in SupportedAuthentication Mechanisms Authentication m echanisms supported in VIA 1.x Authentication m echanisms supported in VIA 2.x Other authenticationmethods: Configuring V IA Settings https://<server-IP-address>/via Internal Using the W ebUI to Config ure VIA Enable VPN Server Module AuthenticationProfiles Table17 8: Create VIA User Roles Create VIA Connection Profil e Figure 182: VIA - ConnectionProfile Options Table18 3: Down Up Up Down Page Configure VIA Web Authenti cation Down Up Figure 184: Associate VIA Connection Prof ile to User Role Edit Role Controller Profiles Figure 185: Configure VIA Client WLAN Profil es Figure 187: Figure 188: Table18 9: Option Description ConfigureVIA client WLAN profile Rebranding VIA and Downloading t he Installer You can re-brandthe VIA client and the VI A download page with your custom logo and HTML page. Figure 190: DownloadVIA Installer and Version File Customize VIA Logo Using the C LIto Configure VIA Create VIA roles Create VIA authenticat ion profiles Create VIA connection profil es Configure VIA web authent ication Downloading VIA Pre-requisites 1206 (ERROR_BAD_PROFILE) Downloa ding VIA https://115.52.100.10/via Figure 191: Figure 192: Installing VIA ansetup.msior ansetup64.msi Using VIA Connection Details Tab Diagnostic Tab Troubleshooting Chapte r 32 Spectrum A nalysis DeviceS upportfor Spectrum Analysis Table19 3: hybrid AP Device Configurableas a SpectrumMonitor? Configurableas a Hybrid AP? SpectrumAnalysis Graphs Table19 4: Page Spectrum Analysis Clients Hybrid AP C hannel Cha nges Hybrid APs Usin g Mode-Awa re ARM AM Creating Spectrum Mo nitors and Hybrid APs Converting A Ps to Hybrid APs Converting a n Individual AP to a Spectrum Monitor mode Converting a Grou p of APs to Sp ectrum Monito rs Connecting Spectru m Devices to the Spectrum Analysis Client SpectrumDevice Selection Information Table19 5: TableColumn Description View Con nected Sp ectrum Ana lysisDe vices Figure 196: Disconne cting a Spectrum De vice Configuring the Spec trum Analysis Dashboards View 2 View 3 View 1 Selecting a S pectrum Monitor Changin g Graphs within a Spectrum V iew Figure 198: Renamin g a Spec trum Analysis Dashbo ard View Figure 199: Saving a Dashb oard View Figure 200: Resizing an Individual Graph Customizing Spect rum Analysis Graphs Figure 202: Spectrum Analysis Graph Con figuration Optio ns Active Devices Figure 203: Table20 4: Active Devices GraphOptions Active Devices Table Figure 205: Active Devices Table Options Table20 6: Page Active Devices Trend Figure 207: Table20 8: , or , Channel Metrics channel availability Figure 209: ChannelMetrics Options Table21 0: Channel Metrics Trend Figure 211: ChannelMetrics TrendOptions Table21 2: Channel Summary Table Figure 213: Table21 4: ChannelSummary TableParameters Device Duty Cycle Figure 215: DeviceD uty Cycle Options Table21 6: Channel Utilizat ion Trend Figure 217: Table21 8: ChannelUtilization TrendOptions Devices vs Channel Figure 219: Table22 0: Devices vs ChannelOptions FFT Duty Cycle Figure 221: Table22 2: FFTDuty CycleOptions Interference Power Figure 223: InterferencePowerOptions Table22 4: Quality Spectrogram Figure 225: Table22 6: QualitySpectrogramOptions Real-Time FFT Figure 227: Table22 8: Real-TimeFFT Options Swept Spectrogram Page Page Ifthis chart is configured to show averageor m aximum FFT values, Ifthis chart is configured to show theFFT duty cycle Working with Non-Wi-Fi In terferers Non-Wi-Fi Interferer Description Non-Wi-FiInterfererTypes Table23 4: Bluetooth GenericInterferer Understanding the S pectrum Analysis Session Lo g Figure 235: Table23 6: Viewing Spectrum An alysis Data SpectrumAnalysis CLI Commands Recording Spectrum Analysis Data Creating a Spectrum An alysis Record Figure 237: Saving the Rec ording Figure 238: Playing a S pectrum An alysisR ecording Playing a Recording in the Spectrum D ashboard play Playing a Recording Using the RFPlayback Tool play http://get.adobe.com/air/ Figure 239: Troubleshootin g Spectrum Analysis Verifying Spe ctrum Monitors Su pport for One Client per R adio Converting a Spectrum Monitor Ba ck to an AP or Air Monitor Troublesho oting Browser Issue s Loading a Sp ectrum View Troublesho oting Issues with A dobe Flash Pla yer 10.1o r Later Understand ing Spectru m Analysis Syslog Messag es Playing a Reco rding in the RFPlayback T ool Understand ing Device Ag eout Times Table24 0: SpectrumProfile Parameters Chapte r 33 Dashboa rd Monitoring Monitoring Performan ce Clients APs Monitoring Usage Clients APs Monitoring Security Monitoring Potentia l Issues Monitoring WLANs Monitoring Access Po ints Monitoring Clients Monitoring Firewall s Element V iew Table24 1: Element Description ElementView Figure 242: Table24 3: TableView Fields Details View Element Tab Element Summary View Usage Breakdown Page Figure 2d Table24 7: AggregatedSessionsFields Chapte r 34 Management Access Configuring Certific ate Authentication for WebUI Acce ss Enabling Public Key Au thentication for SSH Access Enabling RADIUS Serv er Authentication Configuring RADIUS S erver Username a nd Password A uthentication Configuring RAD IUS Server Auth entication with V SA Configuring RAD IUS Server Auth entication with S erver Derivation Ru le Configuring a se t-value server-derivation rule Disabling Authentication of Local Management UserAccounts Verifying the con figuration Resetting the Adm in or Enable Passwo rd Figure 248: Resettingthe Passw ord Bypassing the En able Password Prompt Setting an Adm inistrator Session Time out Implementing a Sp ecific Management Passw ord Policy ManagementPasswordPolicy Settings Table25 0: Defining a Man agement Pa ssword Policy Allowed Characters Disallowed Characters Table25 1: AllowedCharacters in a ManagementUser Password Allowed Characters Disallowed Characters In the CLI Manage ment Authen tication Profile Pa rameters Table2 52 describes configuration parameterso n the ManagementAuthenticati on profilepage. Managing Certificat es strongly About Dig ital Certificates Obtaining a Se rver Certificate Table25 3: Parameter Description Range CSR Parameters Obtaining a Client Certificate Importing Certifica tes Use the following commandt o import CSR certificates: The followingexample imports a server certificate named cert_20 in DER format: Viewing Ce rtificate Information ImportedCertificate Locations Table25 5: Table25 4: CertificateShow C ommands Configuring SNMP Table25 6: SNMP Pa rameters for the C ontroller SNMP Parametersfor the Controller Configuring Logg ing Category/Subcategory Description Table25 7: SoftwareModules Category/Subcategory Description Table25 8: LoggingLev el Description LoggingLevels Enabling Guest P rovisioning Configuring the G uest Provisioning Pa ge Configuringthe Guest Fields Page Guest Field Description Configuringthe Page Design Figure 261: ConfiguringEmail Messages Configuring the SMTP Server and Port in the WebUI Configuring an SMTP server and port in the CLI Creating Email Messages in the WebUI Figure 262: Figure 263: Configuring a G uest Provisioning Use r Username andPass word AuthenticationMethod StaticAuthentication Method Smart Card AuthenticationMethod Username andPass word Method Customizing the Guest Access Pass Figure 264: Creating G uest Accoun ts Figure 265: Guest Provisioning User Tasks Figure 266: Figure 267: Importing Multipl e Guest Entries CreatingMultiple Guest Entries in a CSV File Figure 268: Importingthe CSV File into the Database Page Page Figure 272: PrintingGuest Account Information Figure 273: Optional C onfigurations Restricting one Captive Portal Session for each Guest Using the CLI to restrict one CaptivePortal sess ionfor each guest Setting the Maximum Time f orG uest Accounts Using the WebUIto s etthe maximum time for guest accounts Managing Files o n the Controller Server Type Configuration Table27 4: FileTransfer ConfigurationParameters Transferring Arub aOS Image Files Backing U p and Restoring the Flash File System Backup the Flash File System i n the WebUI Backup the Flash File System i n the CLI Restore the Flash File System i n the WebUI Restore the Flash File System i n the CLI Setting the System C lock Manually S etting the Cloc k Clock Sync hronization Configuring N TP Authentication Timestamps in CLI Ou tput Enabling Capaci ty Alerts CapacityAlert Thresholds Table27 5: wlsxThresholdCleared wlsxThresholdExceeded Examples Chapte r 35 Adding Lo cal Controllers Configuring Loc al Controllers Using the Initi al Setup Using the Web UI Configuring Layer-2/Layer-3 Se ttings Configuring T rusted Ports Configuring Loca l Controller Setting s Configuring A Ps Using the WebUI to confi guret he LMSI P Moving to a Mu lti-Controller Environment Configuring a P reshared Key Using the WebUI to confi gurea Local Controller PSK Using the WebUI to confi gurea Master Cont roller PSK Using the CLI to confi gurea PSK Master Controller Configuring a Contro ller Certificate Using the CLI to confi gurea Local Controller Certificat e Using the CLI to confi guret he Master Controller Certificate Chapte r 36 Advance d Security Securing Client Traff ic Securing Wireless Clie nts Figure 276: Securing Wire d Clients Figure 277: Securing Wireless Clients Th rough Non -Dell APs Securing C lientso n an AP Wired Port Table27 8: EthernetInterface Port/ Wired AP Port ConfigurationParameters Securing Controlle r-to-Controller Communication Figure 279: Configuring Co ntrollers for xSec Configuring the Ody ssey Client on Client Machin es Installing the O dyssey Client Figure 280: Page Page Page Chapte r 37 Voice and V ideo Voice and Video Lic ense Requirements Configuring Voice an d Video Setting up Net S ervices Configuring User R oles Using the Default User Rol e Creating or Modifying Voice User Roles Using the WebUIto configure user roles Table28 6: ALG Service Name Servicesfor ALGs Table28 7: control ACL Service Name OtherMandatoryServices f orthe ALGs Using the CLI to configurea user role Using the User-Derivation Roles Using the WebUIto derive the role based on SSID Using the CLI to derive ther olebased on SSID Using the WebUIto derive the role based on MAC OUI Using the CLI to derive ther olebased on MAC OUI Configuring Firew allS ettings for Voice and Video A LGs Additiona l Video Config urations Configuring Video over WLAN enhancements Pre-requisites authenticated a. To add the ACL to a user role: This exampleuses t he userrole, b. To add the ACL to a port: 4. Co nfiguredynamic multicast optimization for video traffic o n a virtual AP profile. 8. Configureand apply a bandwidth management profile. a. Enable a bandwidth shaping policy so that the allocated bandwidth share is appropriately used. b. Set a bandwidth percentagefor the following categories: Figure 288: Figure 289: Figure 290: Figure 291: Figure 292: Figure 293: Figure 294: Figure 295: Figure 296: Working with QoS fo r Voice and Video Understand ing VoIP Ca ll Admission Control P rofile VoIPC all AdmissionC ontrolConfigurationP arameters Table29 9: 5. Click Apply to save your settings. Understand ing Wi-Fi Multimedia Priority 802.1p Priority WMM Access Category Table30 0: WMMA ccess Category to 802.1pPriority Mapping Enabling WMM Configuring WMM AC Mapping Table30 1: DSCP DecimalValue WMM Access Category WMMA ccess Category to DSCP Mappings Using the WebUIto map between WMM AC and DSCP Using the CLI to map betweenWMM AC and DSCP Configuring DSCP Prioriti es Configuring Dynamic WMM Queue Management EnhancedDistributed ChannelAccess Table30 2: WMM Access Category Description 802.1p Tag WMMA ccess Categories and802.1p Tags Using the WebUIto configure EDCA parameters EDCA ParametersStation andED CA ParametersAP Profile Settings Table30 3: 5. Click Apply. Using the CLI to configureEDCA parameters EnablingWMM Queue Content Enforcement Understanding Extended Voice and Video Features Understand ing QoS for M icrosoft Office OCS and App le Facetime Table30 4: Microsoft OCS Apple Facetime Enabling WPA Fast Han dover Enabling Mobile IP H ome Agent A ssignment Scannin g for VoIP-Awa re ARM Disabling Voic e-Aware 802.1x Configuring S IP Authentication Tra cking Enabling Real Time Ca ll Quality Analysis In the Web UI Figure 305: ViewingReal Time Call Quality Reports Enabling S IP Session Timer section8.0, Proxy Behaviour Figure 306: Enabling V oice and Video Traffic Aw areness for Encrypted Signa ling Protocols Figure 307: Figure 308: Enabling Wi-Fi Edg e Detection a nd Hand over for Voice C lients Working w ith Dial Plan for SIP Calls Understanding Dial Plan Format DialplanPattern Action Description Table30 9: Examplesof Dial Plans Configuring Dial Pl ans Figure 310: Figure 311: Dialplan Profile Profile Figure 312: EnablingEnhanced 911 Support Working w ith Voice over R emote Acc ess Point Understand ing Battery Boo st Enabling LLDP Figure 314: Table31 5: LLDPProfile ConfigurationParameters Page Figure 316: Table31 7: LLDP-MEDProfile ConfigurationParameters 13.Apply to save yo urset tings. Advanced Voice Troubleshooting Viewing T roubleshooting Deta ilso n Voice C lient Status To view the details of a voice client based on its MAC address: Viewing T roubleshooting De tails on Voice Call C DRs EnablingVoice Logs Figure 318: EnablingLogging for a SpecificClient Figure 319: Viewing Vo ice Traces Viewing Vo ice Configurations To view the voice configuration details o n your controller: Page Chapte r 38 Instant AP V PN Support Dell PowerConnectW-Series InstantAccess PointU serGuide PowerConnect W-Series Instant AccessPoint User Guide Overview VPN Configuration Whitelist DB Co nfiguration Controller Whiteli st DB External Whitelist DB VPN Loca l Pool Configu ration Viewing Branch Status Example The output of this command includes the followingparameters: Table32 0: IAP TableParameters Chapte r 39 W-600 Series Controllers Table32 1: Controller USB Ports Maximum ExternalAPs RemoteAPs 600Series Controllerby the Numbers Connecting with a USB Cellular Modem s How it Works Figure 323: mode-switch Switching Mo des UplinkManager Figure 325: Cellular Profile Dialer Group Configuring a Sup ported USB Modem Figure 328: Connected Figure 329: Figure 330: Configuring a New USB M odem Configuring th e Profile and Modem D river Figure 332: Figure 333: Figure 334: Configuring th e TTY Port Figure 335: Figure 336: Figure 337: Figure 338: Testing the TTY P ort Figure 339: Figure 340: Selecting th e Dialer Profile Figure 341: Setting Up NAS (Network-Attach ed Storage) Devices NAS Device Se tup Configuring in th e CLI disk name mode filesystempath Managin g NAS Devices Mounting a nd Unmounting De vices Table34 2: InitialState LED State Action Status LED Function LED Action Completed Multi-functionMediaE ject Button Connecting to a Prin t Server Printer Setup Using the C LI configmode Additiona l Commands fo r Managing P rinters W-600 Series Samp le Topology and Configuration Remote Bra nch 1W-650 C ontroller Remote Bra nch 2W-650 C ontroller W-3200 Central Office C ontrollerActive W-3200 Central Office C ontrollerBack up Page Chapte r 40 External S ervices Interface Sample ESI Topology Figure 343: Figure 344: Understanding th e ESI Syslog Parser ESI Parser D omains Figure 345: Peer Con trollers Figure 346: peers Syslog Parser R ules Condition Pattern Matchi ng Configuring ESI Configuring He alth-Check Me thod, Groups, a nd Servers Defining th e ESI Server Defining th e ESI Server Grou p Redirection Po licies and User R ole ESI Syslog P arser Domains an d Rules Managin g Syslog Parser D omains in the W ebUI Adding a new syslog parser domain Deleting an existi ng syslog parserdom ain Editing an existing sysl og parserdomai n Managin g Syslog Parser D omains in the C LI Adding a new syslog parser domain Showing ESI syslog parser domain inf ormation Deleting an existi ng syslog parserdom ain Editing an existing sysl og parserdomai n Adding a new parser rule Deleting a syslog parser rule Editing an existing sysl og parserrule Testing a Parser Rule Adding a new parser rule Showing ESI syslog parser rule informat ion: Deleting a syslog parser rule: Editing an existing sysl og parserrule Sample Route-m ode ESI Topology Figure 347: ESI server configuration on controller server servergroups Configuring the Example Routed ESI Topology Health-Che ck Method , Groups, and S ervers Defining the Pin g Health-Check Me thod Defining th e ESI Server Defining th e ESI Server Grou p Redirection Policies an d User Role Syslog Parser D omain and Rules Add a New Syslog Parser Domain in the WebUI Adding a New Parser Rule in the WebUI Sample NAT-mode E SI Topology Figure 348: Figure 349: ESI server configuration on the controll er Configuring the Exa mple NAT-mod e ESI Topo logy Configuring th e NAT-mode ESI Exa mple in the WebUI Configuring the ESI Group in t he WebUI Configure the ESI Servers in the WebUI Configuring the Redirecti on Filter in the WebUI Configuring th e Example NAT-mo de Topology in the CLI Configuring a Health-Check Ping Configuring ESI Servers Configure an ESI Group, Add the Heal th-Check Ping and ESI Servers Using the ESI Group in a Session Access Cont rol List CLI Configuration Exampl e 1 Understanding Ba sic Regular Expression (BRE) S yntax Characte r-Matching Operators Table35 0: Character-matchingoperatorsinregular expressions substitute Regular E xpression Rep etition Operators Regularexpressionrepetition operators RegularExpression Anchors . That command uses the syntax: Table35 2: References This implementation is based, in part, on the following resources: Chapte r 41 ExternalUser Management C Overview Before you Beg in Creating an XML Reque st Adding a Use r Deleting a User Authentic ating a User Blacklisting a User XML Response Default Re sponse Format In which, contain the Ok string. If the requestw as a failure,the result tag will contain the Error string. in the request. Response Codes The followingresponse codes are returned if the XML request returnan the Error string. XMLResponse Codes Table35 3: Code Reasonm essage Description Query Com mand Respo nse Format Table35 4: ResponseCode Description QueryResponse Code Using the XML API Serv er Configuring the X ML API Server Associating th e XML API Se rver to a AAA p rofile Page The followingexample illustrates using the default-xml-apiAAA profile. Yourc ontrolleris now ready to receive API calls fromyour XML API server. Set up Captive Portal profi le Associating the Capti veP ortal Profile to an Initi al Role Creating a n XML API Re quest Table35 5: Table35 6: AuthenticationCommand Description XMLAPI AuthenticationCommand Monitoring E xternal Captive Portal Usa ge Statistics Sample Code C The examplescript i s written in the Using XML A PI in C Langu age Figure 357: Page Page Understanding Request and Response XMLAPI RequestParametersand Descriptions Table35 8: Understanding XML API Request Parameters The Table35 8list all parametert hat you can use in a request. Understanding XMl API Response Adding a Client This command will add a client on your network. Figure 359: The commandssends the following information in the authentication request to the controller: Deleting a Client Authenticating a Cl ient Status of theclient before authentication Sendingthe authenticationcommand Figure 360: Status of theclient after authentication Querying for Client D etails Blacklisting a Cl ient Figure 361: Responsefrom the controller Chapte r 42 RF Plan Supported Planning Planning Deploym ent Pre-Deploym ent Consideratio ns Installation Guide Outdoor-Sp ecific Deploym ent Consideratio ns Configura tion Considerations Post-Deployme nt Consideration s Dual-Port AP Consid erations Launching the RF Plan Campus List Pa ge Definitionof Campus List Buttons Table36 3: Figure 362: Building List Pa ne Edit a campus from the building list pane. Table36 5: Figure 364: BuildingList Buttons Building S pecifications Ove rview Figure 366: Building Dime nsion Page Figure 367: Table36 8: AP Mode ling Parame ters Page Figure 369: This window allows you to select o r control the parametersas defined in Table 370. RadioType Definitions Table37 1: Radio Type Design Model Table37 2: Table37 3: Radio Button Description DesignModel Radio Buttons Users/AP RadioProperties Table37 4: Radio Properties (Desired Rates and HT Support Opt ions) RadioProperty Description AM Modelin g Page Figure 375: RadioButton Description Table37 6: Table37 7: Planning Floo rs Page Figure 378: You can select or adjust the features as described in Table 379: Table37 9: FloorPlanningFeatures Zoom Approximate Coverage Map Floor Editor Dialog B ox BackgroundImages Area Editor Dialog Box Figure 382: Naming Locationand Dimensions Area Types Figure 383: Access Point Editor Di alog Box Figure 384: Naming Fixed Page Memo AP Plan Pag e approximatecoverage Figure 386: Initialize Optimize AM Plan Pag e Initialize Optimize Viewingthe Results Figure 389: Exporting a nd Importing Files Export Campus Figure 391: My_Campus.XML .XML Import Campus Locate FQLN Mapper APname.Floor.Building.Campus APP ropertySearch Table39 5: Figure 394: Using the FQLN Mapper in th e APPro vision Page Using the WebU I Using the CLI SampleBuilding Table39 7: RF Plan Example Sample Bu ilding Create a Buildin g TextBox Information Table39 8: Createa Building Model the A ccess Points Model the Air Monitors Add an d Edit a Floor Adding the b ackground imag e and naming the first floor Adding thebackground image and naming the second floor Defining Area s Creating a D ont Deploy A rea Running th e AP Plan Running th e AM Plan Chapte r 43 Behavior a nd Defaults Featuresnot Supportedin Each ForwardingMode Table39 9: Understanding Mode Support Understanding Bas ic System Defaults PredefinedNetwork Services Table40 0: Network Service s Table4 00 lists the predefined networkservices and their protoco lsand ports. Page Policies The followingare predefined policies. PredefinedPolicies Table40 1: Page Page Roles The followingare predefined roles. Table40 2: PredefinedRole Description PredefinedRoles Page Understanding Default Management User Roles The ArubaOSsoftware includes predefined management user roles. Table40 3: PredefinedManagementRoles Page Page Understanding De fault Open Ports Default(Trusted) OpenPorts Table40 4: Port Number Protocol WhereUs ed Description Chapte r 44 DHCP with Ven dor-Specific Option s Configuring a Windo ws-Based DHCP Server Configuring O ption 60 To configure option 60 on the Windows DH CP server Configuring O ption 43 To configure option 43 on the Windows DH CP server: Page Enabling DHCP Relay Age nt Information Option (Option 82 ) Configuring O ption 82 Enabling Linux DHCP Se rvers Page Chapte r 45 802.1X Configuration for IAS an d Windows Clien ts Step-by-StepGuide for Setting Up SecureWireless Access in a Test Lab Configuring Micros oft IAS RADIUS C lient Configuratio n Remote A ccess Policies Active Directo ry Database Configuring P olicies Figure 409: Page Configuring R ADIUS Attributes Figure 412: Figure 413: Configuring Mana gement Authentication usin g IAS Creating a Rem ote Policy Defining P roperties for Remo te Policy Creating a Use r Entry in Windows A ctive Directory Configure the C ontroller to use IAS Man agement A uthentication Figure 414: Figure 415: Verify Commun ication between the Co ntroller and the RADIUS Se rver Figure 416: Window XP Wireless Client Sample Config uration Page Figure 418: Figure 419: Figure 420: Page Page Appendix A Acronyms an d Terms Listof acronyms Table42 3: Acronyms Page Page Page Page Page Terms The followingt ablelist s the terms and their definitions used in this guide. Table42 4: Listof terms