User Guide
Open Source Code
Copyright Information
Legal Notice
Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
485
477
490
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Contents
Contents Dell PowerConnect W-Series ArubaOS 6.2 User Guide
What’s New In ArubaOS
Feature Description
About this Guide
Users using them in a given network
Issued
Spectrum enhancements
Spectrum recording information
Fundamentals
WebUI
Conventions
Related Documents
Type Style Description
Page
Basic User-Centric Networks
Understanding Basic Deployment and Configuration Tasks
Deployment Scenario #1 Controller and APs on Same Subnet
APs All on One Subnet Different from Controller Subnets
APs on Multiple Different Subnets from Controllers
Configuring the Controller
Running Initial Setup
Using the LCD Screen
Connecting to the Controller after Initial Setup
Dell W-7200 Series Controller
New Port Numbering Scheme
Displays
Uploading a Pre-saved Configuration
Using the LCD and USB Drive
Upgrading an Image
Configuring a Vlan to Connect to the Network
Disabling LCD Menu Functions
Creating, Updating, and Viewing VLANs and Associated IDs
Assigning and Configuring the Trunk Port
Creating, Updating, and Deleting Vlan Pools
Configuring the Default Gateway
Configuring the Loopback IP Address for the Controller
To confirm the port assignments, use the show vlan command
WebUI
Enter y to reboot the controller or n to cancel
Configuring the System Clock
Controller returns the following messages
Enabling Wireless Connectivity
Configuring Your User-Centric Network
Installing Licenses
Connecting the Controller to the Network
Must explicitly enable Telnet on the controller
Control Plane Security
Configuring Control Plane Security
Configure the following control plane security parameters
Control Plane Security Overview
Parameter Description
CLI
Example
Managing AP Whitelists
Adding APs to the Campus and Remote AP Whitelists
Viewing Whitelist Status
Status Entry
Address as a name
Control Plane Security Campus AP Whitelist status only
Status Entry Description
Modifying an AP in the Campus AP Whitelist
Command Description
Click the Campus AP Whitelist tab
Deleting an AP Entry from the Campus AP Whitelist
Revoking an AP via the Campus AP Whitelist
Purging the Campus AP Whitelist
Managing Whitelists on Master and Local Controllers
Campus AP whitelist contains Master switch
With local Dell
Viewing and Managing the Master or Local Switch Whitelists
Viewing the Master or Local Switch Whitelist
Campus AP Whitelist Synchronization
Data Column Description
Deleting an Entry from the Master or Local Switch Whitelist
Configuring Networks with a Backup Master Controller
Configuring Networks with Clusters of Master Controllers
Purging the Master or Local Switch Whitelist
Working in Environments with Multiple Master Controllers
Click the Cluster Setting tab
Creating a Cluster Root
To view your current cluster configuration via the WebUI
Viewing Controller Cluster Settings
Creating a Cluster Member
Replacing Controllers in a Single Master Network
Replacing a Controller on a Multi-Controller Network
Replacing a Local Controller
Replacing a Master Controllerwith No Backup
Replacing a Redundant Master Controller
Replacing a Cluster Member Controller with no Backup
Replacing Controllers in a Multi-Master Network
Replacing a Local Controller in a Multi-Master Network
Replacing a Redundant Cluster Member Controller
Replacing a Redundant Cluster Root Controller
Configuring Control Plane Security after Upgrading
Troubleshooting Control Plane Security
Identifying Certificate Problems
Manually Certify Campus APs
Disabling Control Plane Security
Verifying Certificates
Verifying Whitelist Synchronization
Supported APs
Rogue APs
Understanding License Terminology
Software Licenses
Working with Licenses
Using Licenses
Working with Licenses on a Multiple Controller Network
License
Basis What Consumes One License
Understanding License Interaction
Controller Total AP Count Campus APs Remote APs
Installing a License
License Installation Best Practices and Exceptions
Enabling a new license on your controller
Requesting a Software License in Email
Locating the System Serial Number
Obtaining a Software License Key
Creating a Software License Key
Resetting the Controller
Deleting a License
Moving Licenses
Applying the Software License Key in the WebUI
Page
Configuring VLANs
Network Configuration Parameters
You can create and update a single Vlan or bulk VLANs
Navigate to the Configuration Network VLANs
Navigate to Configuration Network VLANs
Creating Named VLANs
Creating a Named Vlan not in a Pool
Creating Bulk VLANs In the WebUI
Using the WebUI
Creating a Vlan Pool
This example assigns a name to an existing Vlan ID
This example assigns a Vlan name in a virtual AP
Distinguishing Between Even and Hash Assignment Types
Creating a Vlan Pool
Creating a Vlan Pool Using the CLI
Viewing and Adding Vlan IDs Using the CLI
Following example shows how to view Vlan IDs to a Vlan pool
Updating a Vlan Pool
Adding a Bandwidth Contract to the Vlan
Optimizing Vlan Broadcast and Multicast Traffic
Configuring Ports
Using the CLI
Proxy Arp is disabled for the Interface
Navigate to Configuration Network IP
Configuring Trusted/Untrusted Ports and VLANs
Classifying Traffic as Trusted or Untrusted
About Trusted and Untrusted Physical Ports
About Trusted and Untrusted VLANs
For Port Mode select Trunk
This example
How a Vlan Obtains an IP Address
Understanding Vlan Assignments
Assigning a Static Address to a Vlan
Configuring a Vlan to Receive a Dynamic Address
Configuring Multiple Wired Uplink Interfaces Active-Standby
Navigate to the Configuration Network IP IP Interfaces
Enabling the Dhcp Client
Enabling the PPPoE Client
Select Obtain an IP address with PPPoE
Configuring DNS/WINS Server from DHPC/PPPoE
Default Gateway from DHCP/PPPoE
Select Apply
Configuring Source NAT to Dynamic Vlan Address
Configuring Source NAT for Vlan Interfaces
Example Configuration
Inter-VLAN Routing
Using the WebUI to restrict Vlan routing
Configuring Static Routes
Navigate to the Configuration Network IP IP Interface
Modify the IP Address as required Click
Configuring the Loopback IP Address
Apply
Configuring GRE Tunnels
Configuring the Controller IP Address
Using the CLI
Navigate to the Configuration Network IP GRE Tunnels
Creating a Tunnel Interface
Directing Traffic into the Tunnel
Static Routes
WebUI
Tunnel Keepalives
CLI
This chapter describes ArubaOS support for IPv6 features
Understanding IPv6 Notation
Understanding IPv6 Topology
IPv6 Support
Enabling IPv6
Enabling IPv6 Support for Controller and APs
Features Supported on IPv6 APs?
Configuring IPv6 Addresses
To Configure Link Local Address
To Configure Global Unicast Address
Yes Limited
Configuring IPv6 Static Neighbors
To Configure Loopback Interface Address
Configuring IPv6 Default Gateway and Static IPv6 Routes
To Configure IPv6 Default Gateway
To Configure Static IPv6 Routes
Managing Controller IP Addresses
Configuring Multicast Listener Discovery MLD
To Modify IPv6 MLD Parameters
Debugging an IPv6 Controller
Provisioning an IPv6 AP
Configuring a Captive Portal over IPv6
Filtering an IPv6 Extension Header EH
Working with IPv6 Router Advertisements RAs
To view the EH types denied
Using WebUI
Configuring an IPv6 RA on a Vlan
You can use the WebUI or CLI to configure IPv6 RA on a Vlan
Configuring Optional Parameters for RAs
Using CLI
Navigate to the ConfigurationNetworkIP
To configure neighbor discovery retransmit time
To configure IPv6 recursive DNS server
To configure RA hop-limit
Supported Network Configuration
Viewing IPv6 RA Status
Authentication Method Supported for IPv6 Clients?
Understanding Authentication
XSec No not tested MAC-based Yes
Working with Firewall Features
Authentication Description Method
Understanding Firewall Policies
Field Description
To assign an IPv6 policy using the WebUI
Creating an IPv6 Firewall Policy
Assigning an IPv6 Policy to a User Role
For Host IP, enter 2002d81ff9f01000
Managing IPv6 User Addresses
Understanding IPv6 Exceptions and Best Practices
Host config #ipv6 enable
Understanding Lacp Best Practices and Exceptions
Link Aggregation Control Protocol Lacp
Configuring Lacp
Set the port priority
Lacp Sample Configuration
151
Understanding Ospf Deployment Best Practices and Exceptions
OSPFv2
Understanding OSPFv2 by Example using a Wlan Scenario
Wlan Topology
Wlan Routing Table
Below is the routing table for Router
Branch Office Topology
Branch Office Ospf Topology
Configuring Ospf
Branch Office Routing Table
Routing table of the Central office controller is below
Routing table for Router 1 is below
General Ospf Configuration
Select the Add button to add an area see Figure
Sample Topology and Configuration
Remote Branch
Remote Branch
Central Office Controller-Active
Central Office Controller-Backup
OSPFv2 Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Dell PowerConnect W-Series ArubaOS 6.2 User Guide OSPFv2
Understanding Tunneled Node Configuration
Tunneled Nodes
Configuring a Wired Tunneled Node Client
Navigate to ConfigurationAdvanced ServicesWired Access
For example
WebUI
Configuring an Access Port as a Tunneled Node Port
Configuring a Trunk Port as a Tunneled Node Port
Locate the Wired Access Concentration Configuration section
Verify the configuration
Sample Output
On the tunneled node client
Page
Authentication Servers
Understanding Servers and Server Groups
Configuring a Radius Server
Configuring Servers
Describes the parameters you configure for a Radius server
Timeout
Default 5 seconds
Override the global configuration
NAS IP address to send in Radius packets
Configuring an RFC-3576 Radius Server
Radius Server Authentication Codes
Radius Server Fully Qualified Domain Names
Set a DNS Query Interval
Describes the parameters you configure for an Ldap server
Configuring an Ldap Server
Host IP address of the Ldap server Default N/A Admin-DN
Configuring a TACACS+ Server
Enter parameters as described in Table
Defines the TACACS+ server parameters
Type Connection type is Ldap-s Start-tls Clear-text
Configuring a Windows Server
Managing the Internal Database
Configuring the Internal Database
Parameters
Enter the following command in enable mode
Managing Internal Database Files
Exporting Files in the WebUI
Parameters Description
Configuring Server Groups
Working with Internal Database Utilities
Configuring Server Groups
Configuring Server List Order and Fail-Through
Configuring Dynamic Server Selection
Select Fail Through
Click Add Rule
Scroll to the right and click Add Server Click Apply
Configuring Match Fqdn Option
Trimming Domain Information from Requests
Configuring Server-Derivation Rules
Default bottom
Controller when the rule is applied
Top
User Authentication
Management Authentication
Navigate to the Configuration Management Administration
Assigning Server Groups
Accounting
Radius Accounting
Select AAA Profile, then select the AAA profile instance
Timer Description
Configuring Authentication Timers
TACACS+ Accounting
Setting an Authentication Timer
Default 5 minutes
Logon User Lifetime
Range
Configuring MAC-Based Authentication
MAC-based Authentication
Configuring the MAC Authentication Profile
Parameter
Configuring Clients
Using the WebUI to configure a MAC authentication profile
Using the CLI to configure a MAC authentication profile
Disables blacklisting
CLI
Understanding 802.1X Authentication
802.1X Authentication
Configuring Authentication with a Radius Server
Supported EAP Types
Configuring Authentication Terminated on Controller
802.1X Authentication with Radius Server
Configuring 802.1X Authentication
Failures, and the default value is 0 failures
Default User Role Guest role Reauthentication
Timer per role overrides this setting
This option is disabled by default
Interval Seconds, and the default value is 30 seconds
Default value is
Count
Requests
Key Exchange Delay between WPA/WPA2
Disable this feature
Authentication takes place
Option is disabled by default
For the cached information. The default value is 24 hours
Use to authenticate itself to the client
Disabled by default
Negotiation Disabled by default WPA-Fast-Handover
Configuring and Using Certificates with AAA FastConnect
Configuring User and Machine Authentication
Machine User Auth Description Role Assigned Status
Authenticated Vlan configured Virtual AP profile
Enabling 802.1x Supplicant Support on an AP
Machine Auth User Auth Description Vlan Assigned Status
Virtual AP profile
Prerequisites
To view the 802.1x authentication details on the controller
Provisioning an AP as a 802.1X Supplicant
Sample Configurations
Configuring Authentication with an 802.1X Radius Server
Configuring Roles and Policies
Creating the Student Role and Policy
Can use the alias for other rules and policies
Creating the Faculty Role and Policy
Using the WebUI
Creating the Guest Role and Policy
Under Time Range, select working-hours
Configuring the Radius Authentication Server
Creating Roles and Policies for Sysadmin and Computer
Creating an Alias for the Internal Network Using the CLI
Using the WebUI to create the computer role
Configuring 802.1X Authentication
Select Enforce Machine Authentication
Configuring VLANs
Configuring the Guest Wlan
Configuring the WLANs
Navigate to the Configuration Wireless AP Configuration
Configuring the Non-Guest WLANs
AP Group list, click Edit for the first-floor
CLI
Configuring a Server Rule Using the WebUI
Configuring a Server Rule Using the CLI
Select Termination
Configuring WLANs
Configuring the Guest Wlan
Configuring the Non-Guest WLANs
Configuring Mixed Authentication Modes
Authentication
Describes the different authentication possibilities
802.1x Logon
Performing Advanced Configuration Options for
Configuring Reauthentication with Unicast Key Rotation
Working With Stateful Authentication
Stateful and WISPr Authentication
Understanding Stateful Authentication Best Practices
Working With WISPr Authentication
Configuring Stateful 802.1x Authentication
Configuring Stateful Ntlm Authentication
Configuring Stateful Kerberos Authentication
Configuring WISPr Authentication
Profiles list, expand the WISPr Authentication Profile
Dell PowerConnect W-Series ArubaOS 6.2 User Guide 227
Configuring a Controller as Ocsp and CRL Clients
Configuring an Ocsp Controller as a Responder
Understanding Ocsp and CRL
Certificate Revocation
Configuring the Controller as an Ocsp Client
Navigate to the Configuration Management Certificates Upload
Configuring the Controller as a CRL Client
Select the Revocation Checkpoint tab
Configuring the Controller as an Ocsp Responder
Select Enable next to Enable Ocsp Responder
Captive Portal Authentication
Understanding Captive Portal
Configuring Captive Portal in the Base Operating System
Navigate to the Configuration Management General
Policy Enforcement Firewall Next Generation Pefng License
Controller Server Certificate
WebUI
CLI
Using Captive Portal with a Pefng License
Configuring Captive Portal in the WebUI
To configure captive portal with Pefng license via the WebUI
Configuring Captive Portal in the CLI
Sample Authentication with Captive Portal
Creating a Guest User Role
Configuring Policies and Roles in the WebUI
Select Add to add the guest-logon-access policy
Creating an Auth-guest User Role
Creating a Time Range
To configure the auth-guest-access policy via the WebUI
Creating an Auth-Guest-Access Policy
Creating Aliases
Creating an Block-Internal-Access Policy
To create the block-internal-access policy via the WebUI
Creating a Drop-and-Log Policy
Creating a Guest Role
To create the drop-and-log policy via the WebUI
To create a guest role via the WebUI
Configuring Policies and Roles in the CLI
Creating an Auth-Guest Role
Defining a Time Range
To create the guest-logon role via the WebUI
Configuring Guest VLANs
Creating a Guest-Logon-Access Policy
Creating a Block-Internal-Access Policy
Creating a Guest-Logon Role
Configuring Captive Portal Authentication Profiles
Click Add For Vlan ID, enter Click Apply
Configuring the AAA Profile
Modifying the Initial User Role
Configuring the Wlan
Managing User Accounts
Configuring Captive Portal Configuration Parameters
Unauthenticated that a guest cannot access
Utilization Logon Threshold Default 60% Logon wait
Role
Enabling Optional Captive Portal Configurations
Following are optional captive portal configurations
Uploading Captive Portal Pages by Ssid Association
Changing the Protocol to Http
Entity Engineering Business Faculty
Specify the fac-logon user
L3 Authentication
Configuring Redirection to a Proxy Server
Security Access Control Policies
Redirecting Clients on Different VLANs
For captive portal with role-based access
For captive portal with Pefng license
Web Client Configuration with Proxy Script
Personalizing the Captive Portal
To customize the page background
Select the Your Custom Background
Creating and Installing an Internal Captive Portal
Creating a New Internal Web
Password Example
Username Example
Fqdn Example
Variable
Displaying Authentication Error Messages
Installing a New Captive Portal
Basic Html Example
Reverting to the Default Captive Portal
Configuring Localization
This should be replaced with a link like the following
Insert javascript to handle error cases
This should be replaced with a link like this
Div id=errorbox style=display none /div
Customizing the Welcome
Sample Translated
Customizing the Pop-Up box
Customizing the Logged Out Box
Creating Walled Garden Access
Navigate to Advanced Services Stateful Firewall Destination
Configuring the Login URL
Configuring the Redirect-URL
Enabling Captive Portal Enhancements
Configuring a Whitelist
Configuring the Netdestination for a Whitelist
Defining Netdestination Descriptions
Associating a Whitelist to Captive Portal Profile
Verifying a Whitelist Configuration
Use the following commands to verify the whitelist alias
Verifying a Captive Portal Profile Linked to a Whitelist
Verifying Dynamic ACLs for a Whitelist
Verifying DNS Resolved IP Addresses for Whitelisted URLs
TOS
Example
Planning a VPN Configuration
Virtual Private Networks
Selecting an IKE protocol
Understanding Suite-B Encryption Licensing
IKE Policies Suite-B for IPsec tunnels
384 Suite-B certificates ECDSA-256, ECDSA-384
Working with IKEv2 Clients
Understanding Supported VPN AAA Deployments
Working with VPN Authentication Profiles
Parameter Default Default-rap Default-cap
Working with Certificate Groups
VPN Client
Configuring a Basic VPN for L2TP/IPsec in the WebUI
Defining Authentication Method and Server Addresses
Navigate to Configuration IP NAT Pools
Defining Address Pools
Enabling Source NAT
Configuring IKE Policies
Defining IKEv1 Shared Keys
Setting the IPsec Dynamic Map
Finalizing WebUI changes
Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI
Enable authentication methods for IKEv1 clients
Configure source NAT
Create address pools
Defining Address Pools
PRF-HMAC-MD5 PRF-HMAC-SHA1 PRF-HMAC-SHA256
PRF-HMAC-SHA384
Configuring a VPN for Smart Card Clients
Working with Smart Card clients using IKEv2
Enable authentication methods for IKEv2 clients
Define IKEv2 Policies
Working with Smart Card Clients using IKEv1
Configuring a VPN for Clients with User Passwords
Select Enable L2TP
Configuring VPNs for XAuth Clients using Smart Cards
Configuring Remote Access VPNs for XAuth
Click Add User
Certificates or Common Name as it appears on the certificate
Working with Remote Access VPNs for Pptp
Working with Site-to-Site VPNs
Working with Third-Party Devices
Working with Site-to-Site VPNs with Dynamic IP Addresses
Configuring Site-to-Site VPNs
Understanding VPN Topologies
Show crypto-local pki servercert certname subject
For certificate authentication
Click Doneto activate the changes Click Apply
For preshared key authentication
Detecting Dead Peers
For the Pre-shared-key
For the Pre-shared-key for All FQDNs
Understanding Default IKE policies
Working with VPN Dialer
Configuring VPN Dialer
Assigning a Dialer to a User Role
Host config #user-role role dialer name
Configuring Firewall Policies
Roles and Policies
Support for Desktop Virtualization Protocols
Working With Access Control Lists ACLs
Creating a Firewall Policy
IP address of the host
Configure the NAT pool in the controller
This can be one of the following
When it leaves the controller
Queue in which a packet matching this rule should be placed
Pause ARM
White List
Creating a Network Service Alias
Creating an ACL White List
Configuring the ACL White List in the WebUI
Configuring the White List Bandwidth Contract in the CLI
Configuring the ACL White List in the CLI
Use the following CLI command to create ACL White Lists
Creating User Roles
Bandwidth Contracts
Creating a User Role
Click the Delete button against the role you want to delete
Configuring a Bandwidth Contract in the WebUI
Configuring and Assigning Bandwidth Contracts in the CLI
Bandwidth Contract Exceptions
Assigning a Bandwidth Contract to a User Role in the WebUI
Configuring Bandwidth Contract Exceptions
Assigning User Roles
Assigning User Roles in AAA Profiles
Viewing the Current Exceptions List
Working with User-Derived VLANs
Rule Type Condition Value
Equals String
Dhcp server
Understanding Device Identification
Configuring a User-derived Vlan in the WebUI
Dhcp Option Description Hexadecimal Equivalent
User-Derived Role Example
Configuring a User-derived Role or Vlan in the CLI
See for descriptions of these parameters
Navigate to the Configuration Security Authentication
Configuring a Default Role for Authentication Method
Controller’s log files
Configuring a Server-Derived Role
Configuring a VSA-Derived Role
Understanding Global Firewall Parameters
Monitor TCP SYN Attack rate
Or disabled
Log Icmp Errors
Default Disabled stateful SIP processing is enabled
Portal configuration
Session Idle Timeout sec
Default 15 seconds
Disable FTP Server
Default Disabled FTP server is enabled
Session-tunnel FIB Enable session,tunnel based forwarding
Mbps Default 1 Mbps Rate limit CP auth process traffic
Mbps Is 1-200 Mbps Default 1 Mbps
Session mirror Ipsec
Page
Wlan Profiles Default AP Group Toronto AP Group
Configuring Virtual AP Profiles
Virtual APs
Excluding a Virtual AP Profile From an AP in the WebUI
Configuring a Virtual AP
Excluding a Virtual AP Profile From an AP in the CLI
Configuring the User Role
Building3-lobby Guest
Deny Time Range
Ssid profile guest
Configuring Authentication
Configuring Authentication Servers
Done
Users. The default role for unauthenticated users is logon
MAC Authentication Default Role
Wired to Wireless Roaming
Side of the network. This feature is enabled by default
Click Edit for the default AP group
Select Wireless LAN under Profiles, then select Virtual AP
Applying the Virtual AP
Enforce Dhcp
Forward mode
Can be configured in tunnel mode
Campus APs in decrypt-tunnel forward mode
Enforcement, 802.11k and station blacklisting
Enable this setting
Click the Global Setting tab
Setting on each individual local controller
Band Steering
Default 6 stations
Default 3600 seconds 1 hour
Authentication Failure
APs. Default Disabled
Creating a new Ssid Profile
Select Wireless LAN underProfiles, then select Virtual AP
XSec license in each controller
Keys
Dtim Interval
Other wireless clients are transmitting
Default value is 2333 bytes
Powersave WMM Tspec Min
Period to receive broadcasts
Frames is disabled
Battery Boost
Lengthening battery life
At the lowest configured rate
Configuring an Ssid for Suite-B Cryptography
Configuring a Vlan
Configuring a Guest Wlan
Configuring a Guest Role
Configuring a Guest Virtual AP
Select Virtual AP
To enable bSec Ssid using bSec-128 or bSec-256
Sample Configuration
Enabling bSec Ssid Support
Enabling 802.11k Support
Measurement Mode for Beacon Reports
Measurement Report Mode field
Default Mode beacon-table
Advertise 802.11K Capability
Handover Trigger Feature Settings Profile
Handover of Voice Clients’ feature
Beacon Report Request Settings Profile
TSM Report Request Settings Profile
Working with Radio Resource Management Information Elements
Working with Beacon Report Requests
Con when Measurement Mode is set to Active-Channel Report
Measurement Mode for
Range from 0 to 255. The default value is
Randomization Interval
Gered. When the triggered option is selected,
Request frame. The default value is enabled
Working with a Traffic Stream Measurement Report
Number of repetitions
Configuring a High-Throughput Virtual AP
Range 0, 65535. The default value is
Range 0, 255. The default value is
Bin 0 Range
Select the 802.11a radio profile
40MHz intolerance
Select the 802.11g radio profile
Maximum number of spatial
Capabilities
Streams usable for Stbc
Transmission
Mode Is enabled by default
Short guard interval in 20 MHz
Short guard interval in 40 MHz
Supported MCS set
Managing High-Throughput Profiles
Understanding ARM
Adaptive Radio Management ARM
Configuring ARM Scanning
ARM Support for 802.11n
Monitoring Your Network with ARM
Understanding ARM Application Awareness
Configuring ARM Profiles
Creating a New ARM Profile
ARM Profiles Example Wlan Description
Select RF Management to expand the RF Management section
Configuring ARM Settings
Copying an Existing Profile
Deleting a Profile
Select Adaptive Radio Management ARM Profile
Setting Description
That Scanning is also enabled
Power Save
Aware Scan Mode Default disabled Video Aware
Default 8 scans
Default 9 dBm
Scan That Scanning is also enabled
Enabled, that device will ignore this setting
Client Aware setting is disabled
Default 240 seconds
Error Rate
Threshold Change Default 50% Error Rate Wait
Time Channel change Default 30 seconds Noise Threshold
Default 1250000 Bps
Mode Aware
Load Aware
Scanning if the load for the AP gets too high
Select Configuration AP Configuration
Assigning an ARM Profile to an AP Group
Enabling Band Steering
Using Multi-Band ARM for 802.11a/802.11g Traffic
Steering Modes
To disable band steering, include the no parameter
Select Wireless LAN to expand the Wireless LAN section
Enabling Band Steering
To configure traffic shaping via the WebUI
Enabling Traffic Shaping
Enabling Traffic Shaping
Select QoS to expand the QoS section
To disable traffic shaping, use the default-accessparameter
Enabling Spectrum Load Balancing
Reusing Channels to Control RX Sensitivity Tuning
Configuring Non-802.11 for Noise Interference Immunity
ARM Metrics
Troubleshooting ARM
Wireless Clients Report a Low Signal Level
Transmission Power Levels Change Too Often
Too many APs on the Same Channel
APs Detect Errors but Do Not Change Channels
APs Don’t Change Channels Due to Channel Noise
Working with the Reusable Wizard
Wireless Intrusion Prevention
This chapter contains the following sections
Protection features for Wlan clients
Understanding Wizard Intrusion Detection
Protecting Your Infrastructure
Understanding Wizard Intrusion Protection
Protecting Your Clients
Monitoring the Dashboard
WIP Wizard Intrusion Protection
Detecting Rogue APs
Understanding Classification Terminology
Understanding Classification Methodology
Classification Description
Understanding Match Types
Understanding Match Methods
Understanding Suspected Rogue Confidence Level
Understanding AP Classification Rules
Understanding Rule Matching
Working with Intrusion Detection
Feature Command Trap Syslog ID
Understanding Infrastructure Intrusion Detection
Ids impersonation-profile WlsxAPSpoofingDetected 126069
Detect-bad-wep WlsxStaRepeatWEPIVViolation 126016
Ids impersonation-profile
126086
Require-wpa WlsxChannelMisconfiguration 127028
Ids unauthorized-device-profile WlsxWirelessBridge 126036
Detect-wireless-bridge Wireless-bridge-quiet-time
Detect-malformed-large-duration Detected
Detecting an 802.11n 40MHz Intolerance Setting
Detecting Active 802.11n Greenfield Mode
Detecting an Ad hoc Network Using a Valid Ssid
Detecting Ad hoc Networks
Detecting Bad WEP Initialization
Detecting a Beacon Frame Spoofing Attack
Detecting a Client Flood Attack
Detecting an RTS Rate Anomaly
Detecting a Misconfigured AP
Detecting a Wireless Bridge
Detecting Broadcast Deauthentication
Detecting Malformed Frame-Auth
Understanding Client Intrusion Detection
Detecting Wellenreiter
Ids dos-profile WlsxPowerSaveDoSAttack 126109
Detect-power-save-dos-attack
Detect-hotspotter-attack Hotspotter-quiet-time
Ids dos-profile WlsxOmertaAttack 126071
Detecting a Meiners Power Save DoS Attack
Detecting a Block ACK DoS
Detecting a ChopChop Attack
Detecting a Disconnect Station Attack
Detecting an Omerta Attack
Detecting Rate Anomalies
Detecting a Tkip Replay Attack
Detecting Unencrypted Valid Clients
Configuring Intrusion Protection
Understanding Infrastructure Intrusion Protection
Understanding Client Intrusion Protection
Configuring the Wlan Management System WMS
Navigate to the Configuration Advanced Services Wireless
Protecting Valid Stations
Protecting Windows Bridge
Configuring Local WMS Settings
Not configured
Managing the WMS Database
Station Ageout Interval
Methods of Blacklisting
Understanding Client Blacklisting
Blacklisting Manually
Blacklisting by Authentication Failure
Enter a value in the Max Authentication failures field
Enabling Attack Blacklisting
Captive portal
Working with WIP Advanced Features
Setting Blacklist Duration
Removing a Client from Blacklisting
Profiles list, expand the IDS menu, then select IDS profile
Configuring TotalWatch
Understanding TotalWatch Channel Types and Qualifiers
Understanding TotalWatch Monitoring Features
Understanding TotalWatch Scanning Spectrum Features
Understanding TotalWatch Channel Dwell Time
Frequency Channel
Administering TotalWatch
Configuring Per Radio Settings
Configuring Per AP Setting
Understanding TotalWatch Channel Visiting
DOS
Configuring Tarpit Shielding
Understanding Tarpit Shielding Licensing CLI Commands
Working with Tarpit Shielding
Licensing
Basic Functions and Features
Access Points APs
Function
Following topics are included in this chapter
Naming and Grouping APs
Use the following command to create an AP group
Creating an AP group
Assigning APs to an AP Group
You can use the WebUI or the CLI to create a new AP group
Working with Wireless LAN Profiles
Understanding AP Configuration Profiles
Click Apply and Reboot
Page
Page
Working with AP Profiles
Working with QoS Profiles
Working with RF Management Profiles
Provisioning Mesh Profiles
Profile Hierarchy
Viewing Profile Errors
Other Profiles
AP Specific and AP Group Profile Hierarchies
Other Profile Hierarchies
Configuring Firewall Settings
Deploying APs
Running the RF Plan
Verifying that APs Can Connect to the Controller
Configuring Dhcp Server Communication with APs
Configuring DNS Resolution
Enabling Controller Discovery
Navigate to the Configuration Network IP Dhcp Server window
Using the Aruba Discovery Protocol ADP
Verifying that APs Are Receiving IP Addresses
Provisioning APs for Mesh
Provisioning 802.11n APs for Single-Chain Transmission
AP Model Freqency Band Antenna Port
AP92 4GHz or 5GHz
Installing APs on the Network
AP Model Freqency Band
5GHz
AP134 4GHz or 5GHz
Provisioning Installed APs
Updating the RF Plan
Designation an AP as Remote RAP versus Campus CAP
Working with the AP Provisioning Wizard
Provisioning an Individual AP
AP Provisioning Window
Page
LMS or backup LMS values
Provisioning Multiple APs using a Provisioning Profile
AP is associated
Assigning Provisioning Profiles
AP Installation Modes
Configuring a Provisioned AP
Troubleshooting
Clear gap-db wired-mac
Renaming an AP
To configure the bootstrap threshold using the WebUI
Configuring the Bootstrap Threshold
Optimize APs Over Low-Speed Links
RF Band for AM Mode scanning
Configuring split-tunnel forwarding
Backup LMS IP
LMS IPv6 Backup LMS IPv6 LMS Preemption
Bootstrap threshold
From a wireless client that is connected to a tunneled Ssid
Wireless frame is only encapsulated inside the IPsec tunnel
When an AP process crashes
Prioritizing AP heartbeats
AP Maintenance Mode
AP Redundancy
To enable AP maintenance mode
Energy Efficient Ethernet
Managing AP LEDs
AP130 Series only
RF Management
802.11a and 802.11g RF Management Profiles
Managing 802.11a/802.11g Profiles Using the WebUI
Enable CSA
Creating or Editing a Profile
Radio
Level 5 disable PHY reporting
Reuse feature
Balancing mode Select one of the following options
MHz and 40 MHz modes
Load-balancing mode
Channel. The default CSA count is 4 announcements
Balancing threshold
Radio Management ARM scanning and channel assignment
RX Sensitivity Tuning
RX sensitivity tuning based channel reuse threshold, in dBm
Signal strength
Default, allowing 40 MHz operation
Assigning an 802.11a/802.11g Profile
Assigning a High-throughput Profile
Profile Spectrum monitor radio
AM Scanning Profile
Assigning an ARM Profile
Deleting a Profile
Managing 802.11a/802.11g Profiles Using the CLI
Creating or Modifying a Profile
Viewing RF Management Settings
To view the settings of a specific RF management profile
RF Optimization
Assigning a 802.11a/802.11g Profile
RF Event Configuration
Default value 0 seconds
Is sent to the client
Maximum value 8 seconds
Frame Error Rate High
Frame Error Rate Low
Detect Frame Rate Anomalies
Recommended value is 85%
Configuring AP Channel Assignments
Select the Regulatory Domain profile named default
Frame Retry Rate High
Frame Retry Rate Low
Channel Switch Announcement CSA
Managing AP Console Settings
Automatic Channel and Transmit Power Selection
IP address of the DNS server used by the AP
IP address of the AP’s master controller
Domain name used by the AP
Understanding Mesh Access Points
Secure Enterprise Mesh
Mesh Portals
Mesh Points
Understanding Mesh Links
Mesh Clusters
Optimizing Links
Link Metrics
Component Description
Understanding Mesh Profiles
Mesh Cluster Profile
Mesh Radio Profile
RF Management 802.11a and 802.11g Profiles
Adaptive Radio Management Profiles
Mesh High-Throughput Ssid Profile
High-Throughput Profiles
Wired AP Profile
Understanding Mesh Solutions
Mesh Recovery Profile
Point-to-Point Deployment
Thin AP Services with Wireless Backhaul Deployment
Point-to-Multipoint Deployment
High-Availability Deployment
Sample Point-to-Multipoint Deployment
Task Overview
Planning a Wlan According to Your Specifications
Collecting Required Information
Building Dimensions
AP Desired Rates 2.4 GHz Radio Properties
Working with Mesh Radio Profiles
Managing Mesh Profiles In the WebUI
Creating a New Profile
AM Desired Rates
Threshold Nodes Default 10 missed heartbeats. The range is
Indicates the transmit rates for the 802.11a radio
Rates
AP goes through the list and uses the next highest rate
Range 0-4094. Default 0 disabled
Default distributed-tree-rssi
Recommends using this default startup-subthresholdvalue
Used for user traffic
Default 2,333 bytes. The range is 256- 2,346
Assigning a Profile to a Mesh AP or AP Group
Editing a Profile
Link quality
To view the settings of a specific mesh radio profile
Viewing Profile Settings
Managing Mesh Profiles In the CLI
Working with Mesh High Throughput Ssid Profiles
Managing Profiles In the WebUI
Assigning a Profile to an AP Group
Deleting a Mesh Radio Profile
Temporal Diversity Enable
Enabled legacy stations are allowed
Configured value adjusts based on AP capabilities
Launch then software retries
Mode Enabled by default
Μsec, 2 µsec, 4 µsec
Degrade throughput
Different values, separate each value with a comma
Managing Profiles In the CLI
Viewing High-throughput Ssid Settings
To view the settings of a specific high-throughput profile
Understanding Mesh Cluster Profiles
Deployments with Multiple Mesh Cluster Profiles
Managing Mesh Cluster Profiles In the WebUI
Associating a Profile to Mesh APs
Managing Mesh Cluster Profiles In the CLI
Deleting a Mesh Cluster Profile
To view the settings of a specific mesh cluster profile
Viewing Mesh Cluster Profile Settings
Associating Mesh Cluster Profiles
Configuring Ethernet Ports for Mesh
Configuring Bridging on the Ethernet Port
Excluding a Mesh Cluster Profile from a Mesh Node
To exclude a specific mesh cluster profile from an AP
Configuring Ethernet Ports for Secure Jack Operation
Extending the Life of a Mesh Network
Provisioning Mesh Nodes
Outdoor AP Parameters
Under Port Selection, click the port to configure
IP settings section, select Obtain IP Address Using Dhcp
Provisioning Caveats
Provisioning Mesh Nodes
Booting the Mesh Portal
Understanding the AP Boot Sequence
Booting the Mesh Point
Verifying the Network
Verification Checklist
Air Monitoring and Mesh
Configuring Remote Mesh Portals RMPs
CLI Examples
How RMP Works
Creating a Remote Mesh Portal In the WebUI
Provisioning the AP
Defining the Mesh Private Vlan
Selecting an RF Management Profile
Selecting a Mesh Radio Profile
Adding a Mesh Cluster Profile
Configuring the Vlan ID of the Virtual AP Profile
Configuring a Dhcp Pool
Profile Details window
Provisioning a Remote Mesh Portal In the CLI
Additional Information
Configuring Redundancy Parameters
Configuring the Local Controller for Redundancy
Configuring the Master Controller for Redundancy
Configuring the LMS IP
On the master controller
Command Explanation
Enter the master-redundancy context
Router ID of the Vrrp instance
Controllers. Specify a key of up to 64 characters
Configuring Database Synchronization
This config mode command includes RF plan data when
Enabling Incremental Configuration Synchronization CLI Only
Configuring Master-Local Controller Redundancy
Redundant Topology Master-Local Redundancy
Vrrp Dell PowerConnect W-Series ArubaOS 6.2 User Guide
Understanding Rstp Migration and Interoperability
Disabled Discarding Blocking
Working with Rapid Convergence
Rstp 802.1w Description Port Role
Feature Default Value/Range
Configuring Rstp
Edge Port and Point-to-Point
Troubleshooting Rstp
Change the default configurations via the command line
Monitoring Rstp
Port Fast
Dell PowerConnect W-Series ArubaOS 6.2 User Guide Rstp
Understanding PVST+ Interoperability and Best Practices
Enabling PVST+ in the CLI
From the WebUI, add a Vlan instance and enable PVST+
Enabling PVST+ in the WebUI
Understanding Dell Mobility Architecture
IP Mobility
Configuring Mobility Domains
Enable mobility disabled by default
On a master controller
On all Dell controllers in the mobility domain
Configuring a Mobility Domain
Navigate to the Configuration Advanced Services IP Mobility
Example Configuration
Joining a Mobility Domain
Configuring Mobility using the WebUI
Subnetwork Mask
Home Agent Address or Vrip
On controller a the master controller
Configuring Mobility using the CLI
Viewing mobile client status using the WebUI
Viewing mobile client status using the CLI
Tracking Mobile Users
Viewing user roaming status using the CLI
Viewing specific client information using the CLI
Roaming Description Status Type
Status Type Description
Configuring Advanced Mobility Functions
Setting up mobility association Using the CLI
Mobile Client Roaming Locations
HA Discovery on Association
Is 0-5000 visitors. The default setting is 5000 visitors
Default setting is 3 attempts
Seconds. The default setting is 5000 seconds
Enable standalone AP
Click Apply after setting the parameter
Proxy Mobile IP
Proxy Dhcp
Understanding Bridge Mode Mobility Deployments
Revocations
Working with Proxy Igmp and Proxy Remote Subscription
Enabling Mobility Multicast
Working with Inter controller Mobility
Configuring Mobility Multicast
Inter-controller Mobility
Enable Igmp proxy on the FastEthernet Ieee 802.3 interface
Enable Igmp snooping
Example
Start at 0 from the left-most position
Understanding Firewall Port Configuration Among Dell Devices
External Firewall Configuration
Ports Used for Virtual Internet Access VIA
Enabling Network Access
Configuring Ports to Allow Other Traffic Types
Page
About Remote Access Points
Remote Access Points
Remote AP with a Private Network
Configuring the Secure Remote Access Point Service
Configure a Public IP Address for the Controller
Using the WebUI to create a DMZ address
Configure the NAT Device
Configure the VPN Server
Chap Authentication Support over PPPoE
Using the WebUI to configure Chap
You can use the CLI or the WebUI to configure Chap
Using the CLI to configure the Chap
Configuring Certificate RAP
Creating a Remote AP Whitelist
Configuring PSK RAP
Using WebUI
Using CLI
RAP Static Inner IP Address
Provision the AP
IP-Address parameter in the local database
Deploying a Branch Office/Home Office Solution
Deployment Scenario Master IP Address Value
Configuring the Branch Office AP
Troubleshooting Remote AP
Provisioning the Branch Office AP
Local Debugging
Basic View Information Advanced View Information Name
Multihoming on remote AP RAP
Seamless failover from backup link to primary link on RAP
Remote AP Connectivity
Remote AP Diagnostics
Enabling Remote AP Advanced Configuration Options
Data Description
Remote Oper Forward Mode Setting Ation
Understanding Remote AP Modes of Operation
Working in Fallback Mode
Only Ssid configuration Stored in flash on
Essid is up when Same behavior as Not supported AP contacts
SSIDs
Backup Configuration Behavior for Wired Ports
Configuring Fallback Mode
Configuring the AAA Profile for Fallback Mode in the WebUI
Configuring the AAA Profile for Fallback Mode in the CLI
Configuring the Dhcp Server on the Remote AP
Using the WebUI
Configuring Advanced Backup Options
Configuring the Session ACL in the WebUI
Configuring the AAA Profile in the WebUI
Defining the Backup Configuration in the WebUI
Configuring the Session ACL in the CLI
Configure the Remote-AP Dhcp Server fields
Route src-nat
Specifying the DNS Controller Setting
Using the CLI to configure the AAA profile
Defining the Backup Configuration in the CLI
You can define other parameters as needed
Backup Controller List
Configuring Remote AP Failback
Configuring the LMS and backup LMS IP addresses in the CLI
Enabling RAP Local Network Access
Configuring Remote AP Authorization Profiles
To enable, enter
To disable, enter
Adding or Editing a Remote AP Authorization Profile
Working with Access Control Lists and Firewall Policies
Understanding Split Tunneling
Configuring Split Tunneling
Sample Split Tunnel Environment
Configuring the Session ACL Allowing Tunneling
Configuring an ACL to Restrict Local Debug Homepage Access
Configuring the AAA Profile for Tunneling
Enable Restricted Access to LD Homepage
Configuring the Tunneling Virtual AP Profile
Inthe CLI
Navigate to Configuration Wireless AP Configuration
Provisioning Wi-Fi Multimedia
Defining Corporate DNS Servers
Configuring Bandwidth Reservation
To configure bandwidth reservation
Navigate to Configuration Advanced Services All Profiles
Reserving Uplink Bandwidth
Provisioning 4G USB Modems on Remote Access Points
Navigate to Configuration Wireless AP Installation
4G USB Modem Provisioning Best Practices and Exceptions
Provisioning RAP for USB Modems
RAP 3G/4G Backhaul Link Quality Monitoring
Configuring W-IAP3WN Access Points
Pantech
Converting IAP to RAP
Converting an IAP to RAP or CAP
Converting an IAP to CAP
Configuring Bandwidth Contracts for RAP
Enabling Bandwidth Contract Support for RAPs
Defining Bandwidth Contracts
Applying Contracts
Verifying Contracts on AP
Verifying Contracts Applied to Users
Following is a sample output for a per-user configuration
Verifying Bandwidth Contracts During Data Transfer
Page
Understanding VIA Connection Manager
Virtual Intranet Access
How it Works
Installing the VIA Connection Manager
On Microsoft Windows Computers
On Apple MacBooks
User action / environment VIA’s behavior
Configuring the VIA Controller
Upgrade Workflow
Minimal Upgrade
Complete Upgrade
Supported Authentication Mechanisms
Authentication mechanisms supported in VIA
Other authentication methods
Before you Begin
Configuring VIA Settings
Suite-B
Using the WebUI to Configure VIA
Enable VPN Server Module
Create VIA Authentication Profile
Create VIA User Roles
Enter a name for the server group
Create VIA Connection Profile
To create VIA connection profile
Configuration Option Description
To the support email-address for troubleshooting
List of all IKEv2 authentication methods
Default None
Client Auto-Login
Enable Supplicant
Enable Fips Module
VIA Authentication Name\username instead of just username
Use Windows Credentials
Configure VIA Web Authentication
To configure VIA web authentication profile
Configure VIA Client Wlan Profiles
To configure a VIA client Wlan profile
Associate VIA Connection Profile to User Role
To associate a VIA connection profile to a user role
Option Description
Cryptobinding TLV
Servers or trusted certification authorities
Mschapv2-use-windows-credentials
Download VIA Installer and Version File
Rebranding VIA and Downloading the Installer
To download the VIA installer and version file
Using the CLI to Configure VIA
Create VIA authentication profiles
Create VIA roles
Create VIA connection profiles
Customize VIA logo, landing page and downloading installer
Downloading VIA
Pre-requisites
Requires the following Microsoft KB on the end-user systems
Login to Download VIA
Downloading VIA
Using VIA
Installing VIA
Connection Details Tab
Diagnostic Tab
Troubleshooting
Settings Tab
Understanding Spectrum Analysis
Spectrum Analysis
Device
AP104 Yes
Hybrid AP?
Device Configurable as a
Graph Title
Graph Title Description Update Interval
Spectrum Analysis Clients
Spectrogram
Real-Time FFT
Swept
Creating Spectrum Monitors and Hybrid APs
Hybrid APs Using Mode-Aware ARM
Hybrid AP Channel Changes
Converting APs to Hybrid APs
Converting an Individual AP to a Spectrum Monitor
Converting a Group of APs to Spectrum Monitors
Select AP to expand the AP profiles section
Connecting Spectrum Devices to the Spectrum Analysis Client
Disconnecting a Spectrum Device
View Connected Spectrum Analysis Devices
Table Column Description
To manually disconnect a spectrum monitor or hybrid AP
Selecting a Spectrum Monitor
Configuring the Spectrum Analysis Dashboards
Click the Spectrum Dashboards tab
Changing Graphs within a Spectrum View
Click theSpectrum Dashboards tab
Saving a Dashboard View
Renaming a Spectrum Analysis Dashboard View
Select Rename
Customizing Spectrum Analysis Graphs
Resizing an Individual Graph
Spectrum Analysis Graph Configuration Options
Active Devices
Channel Range
Show
Service set identifier of the device’s 802.11 wireless LAN
Active Devices Table
Device Type
Column may display any of the following values
Select the button by the symbol
Radio band or channel
Column heading
Select the button by the Less than drop down list
Active Devices Trend
Detects on the radio channel
Center Frequency
MHz
Wi-Fi data as non-Wi-Fi data
Channel Metrics
Show lines for these
Select one of the following device types
Channel Metrics Graph
Radio band displayed in this graph
Channel Metrics Trend
Drop-down list and select one of the following options
Minutes
Hour
Unselect the checkbox to hide that information
Channel Summary Table
Monitor
Device Duty Cycle
Band Radio band displayed in this graph
Numbering Identify a channel numbering scheme for the graph
Channel Utilization Trend
Following device types
As non-Wi-Fi data
Devices vs Channel
Intervals
Uncheck the checkbox by that channel number
Devices vs Channel Options
FFT Duty Cycle
FFT Duty Cycle
Interference Power
Interference Power Options
Quality Spectrogram
Device types
Real-Time FFT
Data
Axis
Frequencies for the graph
Frequency Center of the x-axis of this chart Span
Swept Spectrogram
Center
Right field, and the higher value in the left field
Simple Line Graph of FFT Power Data
Swept Spectrogram Options
Working with Non-Wi-Fi Interferers
Non-Wi-Fi Description Interferer
Device vs Channel Interference Power
Understanding the Spectrum Analysis Session Log
Viewing Spectrum Analysis Data
Creating a Spectrum Analysis Record
Recording Spectrum Analysis Data
To record spectrum analysis data for later analysis
Saving the Recording
Playing a Spectrum Analysis Recording
Playing a Recording in the Spectrum Dashboard
To save the recording file
Click the Recording View/Play link at the top of the window
Playing a Recording Using the RFPlayback Tool
Click Load File For Playback
Troubleshooting Spectrum Analysis
Troubleshooting Browser Issues
Converting a Spectrum Monitor Back to an AP or Air Monitor
Loading a Spectrum View
Playing a Recording in the RFPlayback Tool
Understanding Spectrum Analysis Syslog Messages
Understanding Device Ageout Times
Hopper Seconds
Age Out Generic Fixed Frequency
Age Out Generic Frequency Hopper
Monitoring Performance
Dashboard Monitoring
Clients
APs
Using Dashboard Histograms
Monitoring Usage
Monitoring Security
Monitoring Potential Issues
Monitoring WLANs
Monitoring Access Points
Monitoring Clients
To disable this setting, include the no parameter
Monitoring Firewalls
Element View
Element
Column
Element Description
Bytes Tx Bytes Rx Bytes
Details View
Element Tab
Element Summary View
User Bytes Packets Device Destination
Usage Breakdown
Application
Aggregated Sessions
Usage Breakdown
Source IP
Column Description
Destination Alias
Configuring Certificate Authentication for WebUI Access
Management Access
Enabling Public Key Authentication for SSH Access
Enabling Radius Server Authentication
Select the client certificate Click Apply
Configuring Radius Server Authentication with VSA
Configuring a set-value server-derivation rule
Verifying the configuration
Disabling Authentication of Local Management User Accounts
Resetting the Admin or Enable Password
Bypassing the Enable Password Prompt
User admin Password
Implementing a Specific Management Password Policy
Setting an Administrator Session Timeout
Defining a Management Password Policy
Configure the settings described in Table
Allowed Characters Disallowed Characters
Management Authentication Profile Parameters
Allowed Characters
Colon
Period Pipe Plus sign + Tilde ~ Comma Accent mark `
Managing Certificates
About Digital Certificates
Navigate to the Configuration Management Certificates CSR
Obtaining a Server Certificate
Parameter Description Range
Enter the following information
Run the following command
Obtaining a Client Certificate
Importing Certificates
PKCS7 encrypted PKCS12 encrypted
Use the following command to import CSR certificates
Viewing Certificate Information
Imported Certificate Locations
Location Description
Checking CRLs
Configuring Snmp
Snmp Parameters for the Controller
Configuring Logging
Category/Subcategory Description
Logging Level Description
Category/Subcategory
802.1x messages Radius Radius user messages
Configuring the Guest Fields
Configuring the Guest Provisioning
Enabling Guest Provisioning
Guest Field
Guestcategory
Configuring the Page Design
Guest Field Description
Provisioning page for the sponsor information
Fields that follow
Configuring Email Messages
Configuring the Smtp Server and Port in the WebUI
Navigate to the Configuration Management SMTPpage
Click Apply and then Save Configuration
Configuring an Smtp server and port in the CLI
Creating Email Messages in the WebUI
Configuring a Guest Provisioning User
Username and Password Authentication Method
Static Authentication Method
Management Users section, click Add
Customizing the Guest Access Pass
Smart Card Authentication Method
Username and Password Method
Click Apply and Save Configuration
Creating Guest Accounts
Customized Guest Account Information Window
Guest Provisioning User Tasks
Creating a Guest Account-New Guest Window
Importing Multiple Guest Entries
Creating Multiple Guest Entries in a CSV File
Importing the CSV File into the Database
CVS File Format-Guest Entries Information
Importing a CSV file that contains Guest Entries
Displaying the Guest Entries Log File
Restricting one Captive Portal Session for each Guest
Optional Configurations
Printing Guest Account Information
Setting the Maximum Time for Guest Accounts
Using the WebUI to set the maximum time for guest accounts
Using the CLI to set the maximum time for guest accounts
Managing Files on the Controller
Server Type Configuration
Navigate to the Maintenance Controller Image Management
Transferring ArubaOS Image Files
Username to log into server
Backing Up and Restoring the Flash File System
Copying Log Files
Setting the System Clock
Manually Setting the Clock
Navigate to the Configuration Management Clock
Copying Other Files
Configuring NTP Authentication
Clock Synchronization
Timestamps in CLI Output
Enabling Capacity Alerts
Threshold Description
Examples
Sent. The default threshold for this parameter is 80%
User-capacity
Using the Initial Setup
Configuring Local Controllers
Adding Local Controllers
Configuring Layer-2/Layer-3 Settings
Configuring Trusted Ports
Configuring Local Controller Settings
Using the Web UI
Configuring APs
Using the WebUI to configure the LMS IP
Using the CLI to configure the LMS IP
Moving to a Multi-Controller Environment
Configuring a Preshared Key
Configuring a Controller Certificate
Using the WebUI to configure a Local Controller PSK
Using the WebUI to configure a Master Controller PSK
Using the CLI to configure a PSK
Using the CLI to configure the Master Controller Certificate
Securing Client Traffic
Advanced Security
Securing Wireless Clients
Wireless xSec Client Example
Securing Wired Clients
Navigate to the Configuration Advanced Services Wired Access
Securing Wireless Clients Through Non-Dell APs
Securing Clients on an AP Wired Port
Time to wait for authentication to
Succeed
Securing Controller-to-Controller Communication
Configuring Controllers for xSec
For Controller
Configuring the Odyssey Client on Client Machines
Installing the Odyssey Client
Modifying a regedit Policy
Certificate Information
Page
Configuring Voice and Video
Setting up Net Services
Using Default Net Services
Voice and Video License Requirements
Configuring User Roles
Creating Custom Net Services
Using the Default User Role
Net Service Name Protocol Port
Using the WebUI to configure user roles
Service Name
Navigate to the Configuration Security Access Control
Creating or Modifying Voice User Roles
Using the CLI to configure a user role
Click Done Click Apply
Using the User-Derivation Roles
Using the WebUI to derive the role based on Ssid
Using the CLI to derive the role based on Ssid
Using the WebUI to derive the role based on MAC OUI
Additional Video Configurations
Configuring Firewall Settings for Voice and Video ALGs
Configuring Video over Wlan enhancements
To enable Igmp snooping
Pre-requisites
Configure multicast rate optimization for video traffic
To add the ACL to a user role
Configure and apply a bandwidth management profile
Set a bandwidth percentage for the following categories
Enable multicast shaping on the firewall
Enable Igmp Proxy
Enable Igmp Snooping
Configure multicast rate optimization for the video traffic
Configure ARM scanning for video traffic
Working with QoS for Voice and Video
Configure and apply bandwidth management profile
This step is optional
Understanding VoIP Call Admission Control Profile
To enable call admission control in this profile
Understanding Wi-Fi Multimedia
Voip Tspec Enforcement
Configuring WMM AC Mapping
Priority 802.1p Priority WMM Access Category
Enabling WMM
Lowest Background Best effort Video Voice Highest
Using the WebUI to map between WMM AC and Dscp
Dscp Decimal Value WMM Access Category
Background Best effort Video Voice
Configuring Dscp Priorities
Using the CLI to map between WMM AC and Dscp
Enhanced Distributed Channel Access
Configuring Dynamic WMM Queue Management
WMM Access Category Description 802.1p Tag
Using the WebUI to configure Edca parameters
Disables this option
1. a value of 4 computes to 2 4-1 = 15. Possible values are
Microseconds, enter 94 3008/32. Possible values are
Using the CLI to configure Edca parameters
Enabling WMM Queue Content Enforcement
To associate the Edca profile instance to a Ssid profile
Understanding Extended Voice and Video Features
Microsoft OCS
Apple Facetime
Port Packet Type
Enabling Mobile IP Home Agent Assignment
Enabling WPA Fast Handover
Scanning for VoIP-Aware ARM
Configuring SIP Authentication Tracking
Disabling Voice-Aware
To configure Real Time analysis on voice calls
Enabling Real Time Call Quality Analysis
Web UI
Viewing Real Time Call Quality Reports
Enabling SIP Session Timer
SIP session timer is implemented in the SIP ALG as per RFC
To view the SIP settings on the controller
To configure the session timer and the timeout value
Click the Policies tab
Enabling Wi-Fi Edge Detection and Handover for Voice Clients
Select the Classify Media check box
Expand Handover Trigger under Wireless Lan
Click the Apply button to save the configuration
Working with Dial Plan for SIP Calls
Understanding Dial Plan Format
Configuring Dial Plans
Action Description
Dialplan Profile
Dialplan Profile displays the dial plan details
Enabling Enhanced 911 Support
To create a voice dial plan profile
To associate the dial plan with SIP ALG
To view the SIP dial plan profile
Working with Voice over Remote Access Point
Understanding Battery Boost
Enabling Lldp
Configure the Lldp profile parameters as desired then click
Lldp PDUs. The AP will send all optional TLVs by default
Lldp PDUs. The AP will send all 802.1 TLVs by default
Lldp PDUs. The AP will send all 803.2 TLVs by default
Show the power support capabilities of the AP interface
LLDP-MED Profile Configuration Parameters
Apply to save your settings
Advanced Voice Troubleshooting
Viewing Troubleshooting Details on Voice Client Status
Connected
Viewing Troubleshooting Details on Voice Call CDRs
To view the details of a completed call based on the CDR Id
Enabling Voice Logs
Navigate to the Configuration Management Logging
Enabling Logging for a Specific Client
To view the voice signaling message traces
Viewing Voice Traces
To set the voice logging level to debugging
To debug voice logs for a specific client
Viewing Voice Configurations
To view the voice configuration details on your controller
SIP settings Value Parameter
L2/L3 network mode support
Overview
Instant AP VPN Support
Termination of Instant AP VPN tunnels
VPN Configuration
Whitelist DB Configuration
Controller Whitelist DB
External Whitelist DB
VPN Local Pool Configuration
VPN Profile Configuration
Viewing Branch Status
Radius proxy for VPN connected IAPs
Output of this command includes the following parameters
Understanding W-600 Series Best Practices and Exceptions
Series Controllers
Controller
USB Ports
Switching Modes
Connecting with a USB Cellular Modems
Finding USB Modem Commands
Uplink Manager
Cellular Profile
Dialer Group
Cellular Profile from the WebUI
Configuring a Supported USB Modem
Verify the modem is registered with the Uplink Manager
Configuring the Profile and Modem Driver
Configuring a New USB Modem
If you get entries similar to the example below
Configuring the TTY Port
Driver=none
Testing the TTY Port
Selecting the Dialer Profile
NAS Device Setup
Setting Up NAS Network-Attached Storage Devices
Linux Support
Managing NAS Devices
Configuring in the CLI
View list of shares in a disk
NAS Media Green-solid Press and hold media
Mounting and Unmounting Devices
Controller wake-up Green-solid Button
Connecting to a Print Server
Printer Setup Using the CLI
Additional Commands for Managing Printers
To view a list of printers mounted on the controller, type
Series Sample Topology and Configuration
Remote Branch 1-W-650 Controller
Remote Branch 2-W-650 Controller
Central Office Controller-Active
Central Office Controller-Backup
Page
External Services Interface
Sample ESI Topology
ESI-Fortinet Topology
Understanding the ESI Syslog Parser
ESI Parser Domains
Peer Controllers
Syslog Parser Rules
Condition Pattern Matching
Configuring ESI
User Pattern Matching
Defining the ESI Server
Configuring Health-Check Method, Groups, and Servers
Enter a Profile Name
To configure an ESI server group on the controller
Defining the ESI Server Group
Server Name
Enter a Group Name
Redirection Policies and User Role
ESI Syslog Parser Domains and Rules
Managing Syslog Parser Domains in the WebUI
Adding a new syslog parser domain
Deleting an existing syslog parser domain
Use these CLI commands to manage syslog parser domains
Managing Syslog Parser Domains in the CLI
Managing Syslog Parser Rules
Editing an existing syslog parser domain
Deleting a syslog parser rule
Adding a new parser rule
Editing an existing syslog parser rule
Testing a Parser Rule
Use these CLI commands to manage syslog parser rules
Monitoring Syslog Parser Statistics
Sample Route-mode ESI Topology
Showing ESI syslog parser rule information
ESI server configuration on controller
Configuring the Example Routed ESI Topology
IP routing configuration on Fortinet gateway
Health-Check Method, Groups, and Servers
Defining the Ping Health-Check Method
Trusted IP Address. Enter Untrusted IP Address. Enter
Enter a Group Name. Enter fortinet
Redirection Policies and User Role
Syslog Parser Domain and Rules
Add a New Syslog Parser Domain in the WebUI
Adding a New Parser Rule in the WebUI
To add a new syslog parser domain for the routed example
Sample NAT-mode ESI Topology
Example NAT-Mode Topology
ESI server configuration on the controller
Configuring the Example NAT-mode ESI Topology
Configuring the NAT-mode ESI Example in the WebUI
Configuring the ESI Group in the WebUI
Profile Name. This example uses externalcpping
Configuring the Example NAT-mode Topology in the CLI
Configure the ESI Servers in the WebUI
Configuring the Redirection Filter in the WebUI
Policy Name. This example uses cpredirectacl
Configuring a Health-Check Ping
Configuring ESI Servers
Using the ESI Group in a Session Access Control List
CLI Configuration Example
Understanding Basic Regular Expression BRE Syntax
Character-Matching Operators
Regular Expression Anchors
Regular Expression Repetition Operators
Description Sample Result
References
Working with the ArubaOS XML API Works
External User Management
Authenticating a User
Creating an XML Request
Adding a User
Deleting a User
Default Response Format
Format of a default XML response from the controller is
XML Response
Blacklisting a User
Response Codes
Code Reason message
Query Command Response Format
Code Reason message Description
Using the XML API Server
Configuring the XML API Server
Verify the XML API server configuration
Associating the XML API Server to a AAA profile
Vlan
Set up Captive Portal profile
Associating the Captive Portal Profile to an Initial Role
Authentication Command Description
Options Description Range / Defaults
This command deletes the user from the controller
Dell controllers configuration
Monitoring External Captive Portal Usage Statistics
Using XML API in C Language
Sample Code
Page
Page
Understanding XML API Request Parameters
Understanding Request and Response
List all parameter that you can use in a request
This command will add a client on your network
Understanding XMl API Response
Adding a Client
Response from the controller
View the updated details of the client on the controller
Authenticating a Client
Deleting a Client
Sending the authentication command
Status of the client before authentication
Status of the client after authentication
Querying for Client Details
Blacklisting a Client
Blacklisting a Client-request and response
Supported Planning
RF Plan
Configuration Considerations
Planning Deployment
Pre-Deployment Considerations
Outdoor-Specific Deployment Considerations
Post-Deployment Considerations
Dual-Port AP Considerations
Campus List
Launching the RF Plan
Buttons Description
Buttons
Building List Pane
Edit a campus from the building list pane
Building Specifications Overview
Building Dimension
AP Modeling Parameters
Radio Type
Overlap Factor
Design Model
Radio Description Button
Users/AP
Radio Properties Desired Rates and HT Support Options
Overlap Description Factor
Radio Property Description
Number of available channels
AM Modeling
Valid values are 54, 48, 36, 24, 18, 12, 9, 6, 11, 5.5, 2
Planning Floors
Design Models
Monitor Rates
Radio Button Description
You can select or adjust the features as described in Table
Zoom
Approximate Coverage Map
Floor Editor Dialog Box
Level
Naming
Area Editor Dialog Box
Background Images
Location and Dimensions
Area Types
Access Point Editor Dialog Box
Fixed
Power Levels
802.11n Features
Radio Types
Y Coordinates
AP Plan
Initialize
Optimize
Memo
Fix All Suggested AP/AMs
AM Plan
Viewing the Results
Exporting and Importing Files
Import Campus
Export Campus
Export Buildings
Locate
Import Buildings
Fqln Mapper
Property Description
Using the Fqln Mapper in the AP Provision
Search Results
Using the WebUI
RF Plan Example
Sample Building
Height
Create a Building
Model the Access Points
Text Box
Information
Campus Name
Model the Air Monitors
Add and Edit a Floor
Adding the background image and naming the first floor
Adding the background image and naming the second floor
Creating a Don’t Deploy Area
Running the AP Plan
Running the AM Plan
Click Initialize
Click Optimize
Click Initialize then Optimize
Behavior and Defaults
Understanding Mode Support
Forwarding Mode Feature Not Supported
Network Services
Understanding Basic System Defaults
Name Protocol
Name Protocol Ports
Predefined Policy Description
Policies
Following are predefined policies
Used to enable the captive portal logout
Access the controllers administrative
Be modified. It permits APs to boot up
Network access. You can use this rule to
Permits all DNS traffic
NAT-T UDP 4500. Remove NAT-T if not
Needed
This policy can be used to source-NAT all
Predefined Role Description
Roles
Following are predefined roles
Enables captive portal
Should be disabled if it is not needed
Beginning
Profiles with different customization
Predefined Role Permissions
Understanding Default Management User Roles
ArubaOS software includes predefined management user roles
Show aaa state configuration
Show aaa authentication-server all
Show switches summary
Show wlan-ap-count type access-points
Monitoring Controller Clients Packet CaptureMonitoring
Understanding Default Open Ports
Port Protocol Where Used Description Number
Controller Remote wired MAC lookup 4343
Testing
Port is not exposed to wireless users
Exposed to wireless users
Configuring a Windows-Based Dhcp Server
Configuring Option
To configure option 60 on the Windows Dhcp server
Dhcp with Vendor-Specific Options
To configure option 43 on the Windows Dhcp server
Field Information
Scope Options Dialog Box
Enabling Dhcp Relay Agent Information Option Option
Navigate to Configuration Network IP IP Interfaces
Enabling Linux Dhcp Servers
Range 10.200.10.200
802.1X Configuration for IAS and Windows Clients
Configuring Microsoft IAS
Radius Client Configuration
Configuring Policies
Remote Access Policies
Active Directory Database
IAS Remote Access Policies
Click Configure to select additional properties
Policy Configuration Wizard-Authentication Methods
Configuring Radius Attributes
Radius class Attribute Configuration
Creating a Remote Policy
Configuring Management Authentication using IAS
Next, create a remote policy for your new Radius client
Defining Properties for Remote Policy
Creating a User Entry in Windows Active Directory
Configuring a Server Group for IAS Management Authentication
Navigate to DiagnosticsAAA Test Server
Window XP Wireless Client Sample Configuration
Click Begin Test
Wireless Networks
Networks to Access
Wireless Network Association
Wireless Network Authentication
Protected EAP Properties
EAP MSCHAPv2 Properties
Acronyms
Acronyms and Terms
Acronym
Definition
DoS
Acronym
MSCHAPv2
PoE
PPPoE
QoS
RoW
VoFI VoIP
Terms
Term
WISPr
XAuth
Term
Term Definition
Encryption authentication
Fixed wireless
Shops are providing free wireless access for customers
IR wireless
Optical wireless
Hills, mountains, and large human-made structures
Input, multiple output
Near field communicationNFC
Access W-CDMA
Wi-Fi
Facilities offer public access to Wi-Fi networks
Standards for broadband wireless access BWA networks. WiMAX
Wireless service provider
Wired LAN
Kilometers
Yagi antenna
