Aruba Central
Copyright Information
© Copyright 2015 Hewlett Packard Enterprise Development LP.
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett-Packard Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:
Hewlett-Packard Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA
Please specify the product and version for which you are requesting source code. You may also request a copy of this source code free of charge at [email protected].
Revision 1 | November 2015 Aruba Central | User Guide
Contents
About this Document
Aruba Central Overview
Supported Mobility Access Switches
Supported ArubaOS Firmware Versions
Setting up Customer Accounts
Binding Devices to Your License
Creating Additional Customer Accounts
Central User Interface
Other UI Elements and Functions
Device Configuration and Group Management
Initial Configuration of Devices
Importing Existing Configuration from a Device
Configuring System Parameters for IAP Network
Modifying AP Administrator Credentials
Monitoring
Wireless Configuration
Configuring ARM-Assigned Radio Profiles
Manually Configuring Radio Profiles
Removing an IAP from the Network
Configuring a WLAN SSID Profile for Employee and Voice Networks
Configuring Captive Portal Profiles for Guest Access
Configuring Captive Portal Profiles for Guest Network
Disabling Captive Portal Authentication
Configuring Walled Garden Access
Configuring Profiles for Wired Network
Configuring ARM and RF Parameters
Monitoring the Network with ARM
Configuring Authentication and Security Parameters
Supported Authentication Methods
Supported Authentication Servers
Configuring External Servers for Authentication
Configuring Dynamic RADIUS Proxy Parameters
Configuring 802.1X Authentication for a Network Profile
Configuring MAC Authentication for a Network Profile
Configuring MAC Authentication with 802.1X Authentication
Configuring MAC Authentication with Captive Portal Authentication
Configuring WISPr Authentication
Configuring the View-only Administrator Credentials
Configuring Guest Management Interface Administrator Credentials
Blacklisting Clients Dynamically
Configuring Roles and Policies for User Access Control
Configuring Firewall and Access Rules
Configuring Access Rules for Network Services
Configuring Network Address Translation Rules
Configuring Firewall Settings for Protection from ARP Attacks
Configuring Management Subnets
Configuring Restricted Access to Corporate Network
Assigning Bandwidth Contracts to User Roles
Understanding Role Assignment Rule
Creating a Role Derivation Rule
Configuring VLAN Derivation Rules
Using Advanced Expressions in Role and VLAN Derivation Rules
Configuring a User Role for VLAN Derivation
Assigning User VLAN Roles to a Network Profile
Configuring Intrusion Detection System
Detecting and Classifying Rogue APs
Configuring Wireless Intrusion Protection and Detection Levels
Configuring a Tunnel from an IAP to Aruba Mobility Controller
Enabling Automatic Configuration of GRE Tunnel
Manually Configuring a GRE Tunnel
Configuring DHCP and Client IP Assignment Modes
Configuring Distributed DHCP Scopes
Configuring Centralized DHCP Scope
Configuring Local and Local, L3 DHCP Scopes
Configuring DHCP Server for Client IP Assignment
Configuring an IAP for RTLS Support
Configuring an IAP for Analytics and Location Engine Support
Enabling ALE Support on an IAP
Configuring OpenDNS Credentials
CALEA Integration and Lawful Intercept Compliance
Configuring an IAP for CALEA Integration
Configuring an IAP for Bonjour Support
Configuring Bonjour Support and Bonjour Support Services
Integrating an IAP with Palo Alto Networks Firewall
Configuring IAP for PAN Integration
Uplink Preferences and Switching
Switching Uplinks Based on the Internet Availability
Mobility and Client Management
Configuring L3 Mobility Domain
Configuring Enterprise Domains
Configuring Community String for SNMP
AppRF
Deep Packet Inspection with AppRF
Configuring ACL Rules for Application and Application Categories
Configuring Web Policy Enforcement
Guest Management
Creating Apps for Social Login
Configuring a Splash Page Profile
Customizing a Splash Page Design
Previewing and Modifying a Splash Page
Associating a Splash Page Profile to an SSID
Mobility Access Switch Configuration
Mobility Access Switch Overview
Configuring a Mobility Access Switch
Zero Touch Provisioning through Central
Setting the Admin or Enable Mode Password
Managing Reports
Firmware and Subscription Maintenance
Upgrading IAP or Mobility Access Switch
Automatically Upgrading a Device to a New Firmware Version
Manually Upgrading a Device to a New Firmware Version
Clearing IAP Configuration Using Groups
Resetting an IAP through Console
Adding Another Subscription Key
Terminology
Chapter 1
About this Document
This user guide describes the features supported by Aruba Central and provides detailed instructions to set up and configure Instant Access Points (IAPs) and a Mobility Access Switch.
Intended Audience
This guide is intended for system administrators who configure and monitor their wireless network using Central.
Related Documents
In addition to this document, the Central product documentation includes the following documents:
- Aruba Central Getting Started Guide
- Aruba Central Online Help
- Aruba Central Release Notes
Conventions
The following conventions are used throughout this guide to emphasize important concepts:
Table 1: Typographical Conventions
Type Style      Description
Italics         This style is used to emphasize important terms and to mark the titles of books.
System items    This fixed-width font depicts the following:
                - Sample screen output
                - System prompts
The following informational icons are used throughout this guide:
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.
Contacting Aruba Networks
Table 2: Contact Information
Main Site                                    http://www.arubanetworks.com/
Support Site                                 https://support.arubanetworks.com/
Airheads Social Forums and Knowledge Base    http://community.arubanetworks.com/
North American Telephone                     1-800-943-4526 (Toll Free)
International Telephone                      1-408-754-1200
                                             http://www.arubanetworks.com/support-services/contactsupport/
Software Licensing Site                      https://licensing.arubanetworks.com/
End-of-life Information                      http://www.arubanetworks.com/support-services/end-of-life/
Security Incident Response Team (SIRT)       http://www.arubanetworks.com/support-services/securitybulletins/
Support Email Addresses
Americas, EMEA, and APAC
Security Incident Response Team (SIRT)       [email protected]
Chapter 2
Aruba Central Overview
Aruba Central is a cloud-based platform that enables you to manage your Aruba wireless network. Designed as a software-as-a-service (SAAS) subscription, Central provides a standard web-based interface that allows you to configure and monitor multiple Aruba Wi-Fi networks from anywhere, provided you have an Internet connection.
You can upgrade your IAP to the latest version from a remote location.
The key features of Central are:
- Streamlined management of devices
- Dashboard view of network and client health
- Easy grouping of devices
- Centralized configuration and firmware updates
- Guest Wi-Fi access configuration
- Reporting
- Remote troubleshooting and client information
Supported IAPs
The current release of Central supports the following IAP platforms:
- IAP-277
- IAP-228
- IAP-205H
- IAP-103 Series
- IAP-114/115
- IAP-204/205
- IAP-214/215
- IAP-274/275
- IAP-224/225
- RAP-3WN/3WNP
- RAP-108/109
- RAP-155/155P
- IAP-134/135
- IAP-105
- IAP-175P/175AC
Supported IAP Versions
The current release of Central supports only the following IAP firmware versions:
- 6.3.1.8-4.0.0.8
- 6.3.1.8-4.0.0.11
- 6.4.2.0-4.1.1.9 or later
- 6.4.2.3-4.1.2.3
- 6.4.3.1-4.2.0.1 or later
Supported Mobility Access Switches
The following Mobility Access Switch models are supported in the current release of Central:
- S1500-12P
- S1200-24P
- S2500-24P
- S3500-24T
Supported ArubaOS Firmware Versions
The current release of Central supports the following ArubaOS software versions for the Mobility Access Switches:
- 7.3.2.6
- 7.4.0.3
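Before a device is bound to a license (Chapter 3), it is worth confirming that its firmware is on the supported lists above, since an unsupported release will not be managed correctly. The Python below is an added example written for this edit, not code from the guide or from Aruba: it encodes the two version lists exactly as printed here, and reads "or later" as any later patch on the same Instant branch (4.1.1.x for the 4.1.1.9 entry, 4.2.0.x for the 4.2.0.1 entry). That reading is an assumption of the example; it is consistent with 6.4.2.3-4.1.2.3 being listed separately rather than being covered by the 4.1.1.9 entry. The sample inventory and its device names are constructed.

```python
from typing import Dict, List, Tuple

# Supported versions as listed in this chapter. An ArubaOS-Instant version
# string has the form <base>-<instant>, e.g. "6.4.2.0-4.1.1.9". The bool marks
# entries the guide qualifies with "or later"; this example reads that as
# "this Instant release or a later patch on the same 4.x.y branch" (an
# assumption of this example, not a statement from the guide).
SUPPORTED_IAP: List[Tuple[str, bool]] = [
    ("6.3.1.8-4.0.0.8", False),
    ("6.3.1.8-4.0.0.11", False),
    ("6.4.2.0-4.1.1.9", True),
    ("6.4.2.3-4.1.2.3", False),
    ("6.4.3.1-4.2.0.1", True),
]
SUPPORTED_ARUBAOS: List[str] = ["7.3.2.6", "7.4.0.3"]


def parse_dotted(text: str) -> Tuple[int, ...]:
    """Turn '4.1.1.9' into (4, 1, 1, 9); reject anything that is not digits and dots."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version component: {text!r}")
    return tuple(int(p) for p in parts)


def parse_iap_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Split an Instant version string into (base, instant) numeric tuples."""
    base, sep, instant = text.strip().partition("-")
    if not sep:
        raise ValueError(f"expected <base>-<instant>, got {text!r}")
    return parse_dotted(base), parse_dotted(instant)


def iap_version_supported(text: str) -> bool:
    """True if the IAP firmware string is covered by SUPPORTED_IAP."""
    try:
        base, instant = parse_iap_version(text)
    except ValueError:
        return False  # an unparseable string is treated as unsupported, never as a pass
    for entry, or_later in SUPPORTED_IAP:
        e_base, e_instant = parse_iap_version(entry)
        if not or_later:
            if (base, instant) == (e_base, e_instant):
                return True
        # "or later": same Instant branch (first three numbers) and not older.
        elif instant[:3] == e_instant[:3] and instant >= e_instant:
            return True
    return False


def arubaos_version_supported(text: str) -> bool:
    """Mobility Access Switch firmware is listed as exact versions only."""
    try:
        return parse_dotted(text) in [parse_dotted(v) for v in SUPPORTED_ARUBAOS]
    except ValueError:
        return False


def unsupported_devices(inventory: List[Dict[str, str]]) -> List[str]:
    """Names of inventory entries whose firmware is not on the supported lists.
    Each entry is {"name": ..., "type": "iap" | "switch", "version": ...}."""
    checks = {"iap": iap_version_supported, "switch": arubaos_version_supported}
    flagged = []
    for dev in inventory:
        check = checks.get(dev.get("type", ""))
        if check is None or not check(dev.get("version", "")):
            flagged.append(dev["name"])
    return flagged


# Constructed sample inventory (device names and versions are made up).
SAMPLE_INVENTORY = [
    {"name": "iap-lobby-01", "type": "iap", "version": "6.4.2.6-4.1.1.12"},
    {"name": "iap-lobby-02", "type": "iap", "version": "6.4.2.0-4.1.1.8"},
    {"name": "sw-floor3", "type": "switch", "version": "7.4.0.3"},
    {"name": "sw-floor4", "type": "switch", "version": "7.4.1.0"},
]

if __name__ == "__main__":
    for name in unsupported_devices(SAMPLE_INVENTORY):
        print(f"{name}: firmware not on the supported list, upgrade before binding")
```

Feeding the output of `show version` through a check like this before onboarding catches both an older patch on a supported branch (iap-lobby-02) and a switch release that simply is not listed (sw-floor4); anything that fails to parse is reported as unsupported rather than silently accepted.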
Accessing Central UI
You can access Central using a standard web browser from a remote management console or workstation and launch it using any of the following browsers:
Table 3: Browser Compatibility Matrix
Browser              Versions                 Operating System
Google Chrome        39.0.2171.65 or later    Windows and Mac OS
Mozilla Firefox      34.0.5 or later          Windows and Mac OS
Internet Explorer    11                       Windows
Internet Explorer    10                       Windows
Safari               8                        Mac OS
Safari               7                        Mac OS
Safari               5.1.7                    Windows
To view the Central UI, ensure that JavaScript is enabled on the web browser.
Subscription and Licenses
Central feature availability is based on the following license terms:
- If you have purchased only the IAP license, only the information related to the IAPs and the wireless configuration pages are available in the Central UI.
- If you have purchased only the Mobility Access Switch license, only the information related to the Mobility Access Switches and the Mobility Access Switch configuration pages are available in the Central UI.
- If you have purchased both the IAP and the Mobility Access Switch licenses, both the IAP and Mobility Access Switch configuration pages are available in the Central UI.
Chapter 3
Setting up Customer Accounts
Central offers a 90-day evaluation license for customers who want to try the Aruba cloud solution for managing their Wi-Fi networks. When you create an account with Central, an evaluation license is automatically assigned, unless you have a paid subscription.
Signing up for Aruba Central
To sign up as a customer for Central:
1. Go to http://www.arubanetworks.com/products/sme/eval/.
2. Enter your email address and click Continue.
   - If you are signing up for Central for the first time, the registration page is displayed. Complete the registration process (see step 3 through step 8).
   - If you are an existing customer and your email address is already in the Central database, and you have verified your email address, the Central login page is displayed.
   - If your email address already exists in the Central database and you have not verified your email address, click Resend Verification Email and verify your email address by clicking the Activate Your Account link.
   - If you are an existing Aruba customer with SSO login credentials and you are signing up for Central for the first time:
     - Validate your account by providing your SSO password. On successful authentication, the registration page is displayed. Complete the registration process to gain access to Central (see step 3 through step 8).
     - If you have forgotten your SSO password, click Forgot Password and complete the steps to retrieve your password.
     - To sign up again, click Try Signing up again and complete the steps to sign up for a Central account.
3. On the Registration page, enter first name, last name, and address details. If you are a new user, enter the password. For registered users and those with SSO login credentials, the Password field is disabled.
4. Select the country. If you select United States or Canada as the country, the Need Instant AP dropdown list is displayed. By selecting Yes, you can sign up for the Instant AP evaluation.
5. Select the I agree to the Terms and Conditions check box.
6. Click Sign Up. On successfully completing the registration, a verification email is sent to your email address.
7. Access your email account and click the Activate Your Account link. If the email verification is successful, the Log in to Aruba Central button is displayed.
8. Click Log in to Aruba Central and provide your registered user name and password. If an account has multiple customers configured, the accounts selection page is displayed.
9. Select an account to access the Central dashboard.
Binding Devices to Your License
To bind devices to your license:
1. After you successfully log in to Central, a welcome message is displayed in the Central UI. To bind devices to your license, click Manage Your License. The Device Management pane is displayed. To view the subscription key details before binding devices, click Subscription Keys.
The evaluation subscription key allows you to add only five IAP devices and two Aruba Mobility Access Switches.
For an evaluation subscription, the devices are not automatically synchronized. Therefore, the user must manually add the devices from the Device Management page by clicking Add Devices.
If you have a paid subscription and the devices are not synchronized for more than 24 hours, contact Aruba Networks customer support and, if required, manually add the devices.
For IAPs that dynamically form a cluster, the users must add the master IAP from the Device Management page every time a slave IAP joins the cluster, so that the slave IAP details are synchronized.
To manually add the devices:
1. Click Add Devices. The Manually Add Devices window is displayed.
2. Enter the cloud activation key.
   - To obtain the cloud activation key for IAPs, execute the show version command at the IAP CLI or click Maintenance > About in the IAP UI.
   - To obtain the Media Access Control (MAC) address and cloud activation key for Mobility Access Switches, execute the show inventory | include HW and show version commands on the Mobility Access Switch CLI. You can also view the cloud activation key in the Maintenance > About tab of the switch UI.
   The activation key is enabled only if the Mobility Access Switch has access to the Internet.
3. Click Add Devices.
4. To assign a license to the device, select the device and click Assign License(s).
Adding User Accounts
To add user accounts to your license:
1. Click Maintenance > User Management.
2. On the User Management pane, click Add User. The Create User window is displayed.
3. Enter the email address of the user in the USERNAME text box.
4. From the User Scope drop-down list, select the group to which you want to assign the user.
5. Select the user access level that you want to assign to the user from the Access Level drop-down list. Central supports the following types of users:
   - Admin—The Admin users have full access to all the groups and have special rights to create or update user details, groups, and to provision devices.
   - Read/Write—The users with read/write privileges can access the groups or devices assigned by the Admin user. The users with Read/Write privileges can perform operations that can change the behavior of devices or groups such as modifying the configuration of a device, deleting a device and so on.
   - Read only—The users with read-only privileges can access the groups or devices assigned by the Admin user and view details of the groups and devices.
   - Guest operator—The guest operators have access to guest management operations only. These users can add guest users and configure splash page profiles.
   A user cannot have different access rights for different groups.
6. Click Save. When the user account is successfully created:
   - New users will receive a welcome email with the registration link. Complete the registration steps described in step 7 through step 11.
   - Users with an existing Central account will receive an email invite with a link to the Central portal. Click the link to access the Central UI.
   If the user has not received the registration email, click Resend Invite Email in the User Management pane to resend the invite.
7. To register, click the Register Your Account link. The Sign up with Aruba Central page is displayed.
8. Enter the password, first name, last name, and address details.
9. Select a country and state.
10. Select the I agree to the Terms and Conditions check box.
11. Click Sign Up. On successful completion of registration, the user account is created.
12. Log in to Central with the registered credentials.
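The four access levels in step 5 form a small role model: one level per user, applied uniformly to every group in the user's scope, with Admin unscoped. The Python below is an added example written for this edit, not code from the guide or from Aruba. It encodes the capabilities exactly as the step describes them, checks a request against a user's level and scope, and picks the lowest level that covers a set of needed actions so that accounts are not provisioned above what their job requires. The level ordering, the decision to treat guest-management actions as group scoped like every other action, and the sample accounts are all assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Set


class AccessLevel(Enum):
    ADMIN = "Admin"
    READ_WRITE = "Read/Write"
    READ_ONLY = "Read only"
    GUEST_OPERATOR = "Guest operator"


class Action(Enum):
    VIEW = "view group and device details"
    MODIFY = "modify device or group configuration, delete a device"
    MANAGE_USERS = "create or update users and groups, provision devices"
    GUEST_MANAGEMENT = "add guest users, configure splash page profiles"


# Capabilities per access level, taken from the descriptions in step 5.
PERMISSIONS = {
    AccessLevel.ADMIN: {Action.VIEW, Action.MODIFY, Action.MANAGE_USERS, Action.GUEST_MANAGEMENT},
    AccessLevel.READ_WRITE: {Action.VIEW, Action.MODIFY},
    AccessLevel.READ_ONLY: {Action.VIEW},
    AccessLevel.GUEST_OPERATOR: {Action.GUEST_MANAGEMENT},
}

# Levels from least to most privileged. This ordering is the example's own
# choice; the guide does not rank the levels.
LEVELS_BY_PRIVILEGE = [AccessLevel.READ_ONLY, AccessLevel.GUEST_OPERATOR,
                       AccessLevel.READ_WRITE, AccessLevel.ADMIN]


@dataclass(frozen=True)
class User:
    username: str
    level: AccessLevel
    # Groups assigned by an Admin (the "User Scope"). Admin users are not
    # scoped: the guide says they have access to all groups.
    groups: FrozenSet[str] = frozenset()


def is_authorized(user: User, action: Action, group: Optional[str]) -> bool:
    """Decide whether `user` may perform `action` on `group`.

    One access level applies to every group in the user's scope (a user
    cannot have different access rights for different groups). Treating
    guest-management actions as group scoped is an assumption of this example."""
    if action not in PERMISSIONS[user.level]:
        return False
    if user.level is AccessLevel.ADMIN:
        return True
    return group is not None and group in user.groups


def least_privilege_level(required: Set[Action]) -> AccessLevel:
    """Return the lowest access level whose capabilities cover `required`."""
    for level in LEVELS_BY_PRIVILEGE:
        if required <= PERMISSIONS[level]:
            return level
    raise ValueError("no single access level covers the requested actions")


# Constructed sample accounts (not from the guide).
ALICE = User("alice@example.com", AccessLevel.ADMIN)
BOB = User("bob@example.com", AccessLevel.READ_WRITE, frozenset({"branch-east"}))
CAROL = User("carol@example.com", AccessLevel.READ_ONLY, frozenset({"hq"}))
DAVE = User("dave@example.com", AccessLevel.GUEST_OPERATOR, frozenset({"guest-wifi"}))

if __name__ == "__main__":
    print(is_authorized(BOB, Action.MODIFY, "hq"))            # False: hq is outside Bob's scope
    print(least_privilege_level({Action.VIEW}).value)         # Read only
    print(least_privilege_level({Action.VIEW, Action.GUEST_MANAGEMENT}).value)  # Admin
```

The last call shows the cost of the "one level per user" rule: someone who needs both read access to device details and guest management can only get it as an Admin, so that combination is better split across two accounts than granted with one over-privileged one.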
Creating Additional Customer Accounts
If you want to manage Wi-Fi networks in multiple regions, you can create additional customer accounts. Central allows you to create up to five customer accounts.
To create an additional customer account:
1. Click the Settings icon next to your user name on the main pane. Click Switch Customer. The customer account selection page is displayed.
2. Click the + icon to add a new account. The Sign up with Aruba Central page is displayed.
3. Enter your address, and select the country and state.
4. Enter the city and ZIP code details.
5. Select the I agree to the Terms and Conditions check box.
6. Click Sign Up. The customer account is added.
7. Repeat the procedure to add another customer account.
To log in with a different customer account, click Switch Customer and click the account that you want to access.
Chapter 4
Central User Interface
This chapter describes the following topics:
- Main Window
- Other UI Elements and Functions
Main Window
After you log in to Central, the Monitoring > Overview data pane is displayed. See Figure 1.
Figure 1: Central Main Pane
The main window consists of the following elements:
- Search
- Filter Icon
- Tabs
- Notifications
- Help
- Data Pane
- Support
- Feedback
- Other UI Elements and Functions
Search
The Search box allows administrators to search for an IAP, Mobility Access Switch, client, or a network. When you enter a text string in the Search box, the search function suggests matching keywords and allows you to automatically complete the search text entry.
Filter Icon
The Filter icon next to the search box allows you to filter devices based on the labels. If the devices are attached to a label:
1. Click the Filter icon.
2. Enter the label based on which you want to filter the devices.
3. Click Apply Search. The Monitoring dashboard views (Monitoring > Access Points and Monitoring > Switches) are filtered based on the specified label.
Although devices can be filtered and monitored based on the label classification, the configuration changes can be applied only at the group level. For more information on groups and labels, see Groups and Labels under Other UI Elements and Functions.
Tabs
The left pane lists the following Central function tabs:
- Monitoring
- Wireless Configuration
- Switch Configuration
- Guest Management
- Reports
- Maintenance
- Documentation
By default, each tab appears in a compressed view. Click the tabs to expand or collapse the tab view.
Monitoring
The Monitoring tab allows you to monitor IAPs and the clients associated to these IAPs. It includes the following options for detailed dashboard views:
- Overview—Displays the profile, status, activity, and diagnostics details such as total number of IAPs and clients, number of IAPs that are down, and throughput to and from the client.
- Access Points—Provides details of the IAPs connected to Central.
- AppRF—Provides a summary of client traffic to applications, application categories, websites category, and website reputation score.
- Switches—Provides details of the Mobility Access Switches connected to Central.
- Clients—Provides details of the clients associated with the IAP.
- WIDS—The Wireless Intrusion Detection System (WIDS) monitors the presence of unauthorized IAPs and clients.
- Event Log—Logs information about unauthorized IAPs and clients, and generates reports based on the information gathered.
- Notifications—Displays the unacknowledged notifications count at the top right corner of the Central UI.
Wireless Configuration
The Wireless Configuration tab allows you to configure APs, wireless or wired network, intrusion detection and prevention, Radio Frequency (RF) settings, security settings, Dynamic Host Configuration Protocol (DHCP) profiles, services, and system parameters.
Switch Configuration
The Switch Configuration tab allows you to configure switches, add VLANs and DHCP pools, modify ports, and view system parameters.
Guest Management
The Guest Management tab allows you to configure splash page profiles for guest wireless network and guest visitor accounts.
Reports
The Reports tab allows you to generate network reports, security reports, and PCI compliance reports. You can also export reports and send them to an email account.
Maintenance
The Maintenance tab allows you to maintain the network and configure user credentials. It also allows you to:
- View the current firmware version of the devices and provides options to upgrade to the latest firmware version.
- View the license information such as license name, start and end dates, license capacity, and the options to add or remove the Central software license.
- Create and manage labels.
- Configure user credentials to access the Central UI.
Documentation
The Documentation tab provides links to the latest versions of all the Central documents such as User Guide, Getting Started Guide, and What's New.
Notifications
The Notifications icon displays the number of unacknowledged notifications at the top right corner of the Central UI.
Help
Click the Help icon to view a short description or definition of selected terms and fields in a pane or dialog box.
To view the online help:
1. Click the (?) at the top right corner of the Central main window. The data pane items are displayed in light green color.
2. Move your cursor over a data pane item to view the help text.
To disable the help mode, click (?) again.
Data Pane
Displays detailed information of the tabs and the selected features. The following figure displays the data pane for the Guest Management > Splash Page pane.
Figure 2: Data Pane Example
Support
You can reach Aruba support for troubleshooting Central by clicking the Support link at the right edge of Central.
Feedback
Using the Feedback tab, you can provide feedback and comments for the Central UI.
Other UI Elements and Functions
Central UI also includes the following UI features:
- Labels
- Variables
- Groups
- Overrides
Labels
Labels are tags that can be used to filter devices for monitoring and reporting purposes. A device can have multiple labels. For example, consider an IAP labeled as Building 25 and Lobby. These tags identify the location of the IAP within the enterprise campus and the building. The IAPs in other buildings can also be tagged as Lobby to enable all the IAPs in the lobbies of all these buildings in the campus. To filter and monitor IAPs in the lobbies of all the campus buildings, you can tag all the IAPs in a lobby with the label Lobby. Labels can also be used to determine the ownership, departments, and functions of the devices.
Variables
Variables are device parameters that can be configured. Variables cannot inherit their values from the default group. These user-defined parameters are specific to a device, for example, Virtual Controller name, IP address, and VLAN.
Groups
A group consists of devices provisioned in the network. You can create multiple groups and attach devices to these groups. Central defines a group as a subset of the devices on the wireless LAN, ranging in size from one device to hundreds of devices that share some common configuration settings. For example, if one or several VCs are grouped together with a cluster of IAPs, you can configure the IAPs associated with each VC as a single unit from the Central UI. These configuration parameters are assigned with the same default value. You can quickly configure a number of IAPs using a group. The group configuration is shared across all devices. For more information on groups, see Managing Groups in the Device Configuration and Group Management chapter.
Overrides
The devices in a group share the same configuration settings. The configuration changes applied at the group level take precedence. However, the configuration changes applied at the device level can be preserved as well. For more information on overrides, see Managing Overrides in the Device Configuration and Group Management chapter.
Chapter 5
Device Configuration and Group Management
This chapter describes the following topics:
- Communication Ports on page 26
- Initial Configuration of Devices on page 26
- Configuring System Parameters for IAP Network on page 28
- Modifying AP Administrator Credentials on page 30
Communication Ports
Most of the communication between devices on the remote site and the Central server in the cloud happens through HTTPS (TCP 443). However, you may need to configure the following ports:
- TCP port 443 for configuration and management.
- TCP port 80 for IAP and Switch image upgrade.
- UDP port 123 for the NTP server, so that a factory-default IAP can configure its timezone when it comes up.
- TCP port 2083 for RADIUS authentication for guest management. If it is blocked, the HTTPS protocol is used.
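A site firewall that only permits web traffic will satisfy the first two ports above and silently break the others, so it helps to check an egress rule base against this list before a device is deployed. The Python below is an added example written for this edit, not code from the guide or from Aruba: it models a first-match egress policy with an implicit deny, evaluates each flow the section lists, and reports the documented fallback for TCP 2083 separately from a hard block. First-match evaluation, the choice to model Central as the destination for the TCP flows and a separate NTP host for UDP 123, the placeholder addresses (203.0.113.10, 198.51.100.7) and the branch policy are all constructed for the example; the guide gives a hostname for Central, not an address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Flows listed in this section: (protocol, port, destination role, purpose,
# documented fallback). Modelling Central as the destination of the TCP flows
# and a separate NTP host for UDP 123 is an assumption of this example.
REQUIRED_EGRESS = [
    ("tcp", 443, "central", "configuration and management", None),
    ("tcp", 80, "central", "IAP and switch image upgrade", None),
    ("udp", 123, "ntp", "time sync for a factory-default IAP", None),
    ("tcp", 2083, "central", "RADIUS authentication for guest management", ("tcp", 443)),
]


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: str                        # "tcp", "udp" or "any"
    dst: str                          # destination prefix, e.g. "0.0.0.0/0"
    ports: Optional[Tuple[int, int]]  # inclusive range, or None for any port

    def matches(self, proto: str, dst_ip: str, port: int) -> bool:
        if self.proto not in ("any", proto):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        return self.ports is None or self.ports[0] <= port <= self.ports[1]


def evaluate(policy: List[Rule], proto: str, dst_ip: str, port: int,
             default: str = "deny") -> str:
    """First-match evaluation with an implicit default verdict (deny here)."""
    for rule in policy:
        if rule.matches(proto, dst_ip, port):
            return rule.action
    return default


def audit_central_egress(policy: List[Rule],
                         destinations: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Classify each required flow as 'ok', 'fallback' (blocked, but the
    documented HTTPS fallback is open) or 'blocked'."""
    findings = []
    for proto, port, role, _purpose, fallback in REQUIRED_EGRESS:
        dst = destinations[role]
        if evaluate(policy, proto, dst, port) == "allow":
            status = "ok"
        elif fallback and evaluate(policy, fallback[0], dst, fallback[1]) == "allow":
            status = "fallback"
        else:
            status = "blocked"
        findings.append((proto, port, status))
    return findings


# Constructed sample: placeholder addresses from the documentation ranges, and
# a branch firewall that allows web traffic out but NTP only to an internal pool.
DESTINATIONS = {"central": "203.0.113.10", "ntp": "198.51.100.7"}
BRANCH_POLICY = [
    Rule("allow", "tcp", "0.0.0.0/0", (80, 80)),
    Rule("allow", "tcp", "0.0.0.0/0", (443, 443)),
    Rule("allow", "udp", "192.0.2.0/24", (123, 123)),   # NTP permitted to the internal pool only
    Rule("deny", "any", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for proto, port, status in audit_central_egress(BRANCH_POLICY, DESTINATIONS):
        print(f"{proto}/{port}: {status}")
```

For this policy the audit reports TCP 443 and 80 as open, UDP 123 as blocked (a factory-default IAP reaching for a public NTP pool will not get time, and the timezone step in this section fails), and TCP 2083 as falling back to HTTPS. Swapping in the real rule base and the resolved addresses turns this into a pre-deployment check.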
Initial Configuration of Devices
Before connecting to Central:
- If an IAP is shipped with factory default settings, Central applies the default configuration parameters on the IAP when it connects to Central. The user can change the values in the default group and the IAP automatically inherits these values. If the user assigns the IAP to a group in the Device Management pane, the group configuration is applied to the IAP.
- If the IAP is operational in subscriber networks, the configuration parameters of the IAP were already changed from factory default settings. When the IAP connects to Central, no configuration is required.
Importing Existing Configuration from a Device
When a preconfigured device is included in Central, it is initially listed under the unprovisioned group.
To import a configuration:
1. Go to https://portal.central.arubanetworks.com and log in with your user credentials.
2. Ensure that the IAP or Mobility Access Switch is connected to the wired network.
3. Click an IAP or Mobility Access Switch. The Import to New Group and Overwrite Existing Config options are displayed.
4. To create a new group, click the Import to New Group tab and then click Save. To overwrite an existing configuration, click Overwrite Existing Config.
5. Click Save. Central deletes the existing configuration and applies the group configuration.
Pending Configuration
If a Virtual Controller configuration is not synchronized with the Central configuration, a pending configuration icon is displayed. This implies that there are some pending configurations, which are not applied to the Virtual Controller.
Click the Pending Configuration icon to view the configurations that are not synchronized and click Resolve. The entire configuration is re-applied to the Virtual Controller.
Managing Groups
Central allows some configuration settings to be managed efficiently at the group level, while others are managed at an individual device level. Central defines a group as a subset of the devices on the wireless LAN, ranging in size from one device to hundreds of devices that share some common configuration settings. When a group is configured, all devices within a group share the same basic configuration settings.
Creating a Group
To create a group:
1. Click the icon next to All Groups on the left pane.
2. Click (+) to create a new group. The Create New Group pane appears.
3. Enter a name for the group in Enter Group Name.
4. Select the device that you want to assign to the new group, for example virtual controller or switch.
5. Click Next.
6. Enter the default device password for the newly created group in the Password text box.
7. To reconfirm the password, re-enter the default device password in the Retype Password text box.
8. Click Save.
Editing or Deleting a Group
To edit or delete a group:
1. Click the icon next to All Groups in the left pane.
2. Click the edit icon to edit a group. The Manage Group pane appears.
3. To delete a group, select a group from the Groups list and click Delete.
4. To create a clone of an existing group:
   a. Select a group from the Groups list.
   b. Click Clone.
   c. Enter the name of the group in the Enter Group Name text box.
   d. Click Save.
5. To move a device from one group to another group:
   a. Select a group from Groups.
   b. Select the device to move.
   c. Click Move.
   d. Select the group to which you want to assign the device.
   e. Click Save.
Managing Overrides
Devices in Central can be configured at the group level as they share the same basic configuration settings. However, you can also apply configuration changes at the device level. If the device configuration differs from the configuration applied at the group level, an Override icon is displayed for this device. For example, the configuration changes to AAA server, SNMP read-only/read-write community string, syslog server, and SSID or network profiles at the device can be marked as overrides. When a device has overrides and its configuration is modified at the group level, the overrides are automatically preserved. You can also resolve the overrides and remove the configuration changes applied at the device level.
To resolve overrides:
1. Click the Override icon displayed next to the device. The Overrides window is displayed.
2. Click Resolve all Overrides to resolve configuration differences.
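The override semantics above (group value by default, device value where one has been set, device values surviving a later group change, and "Resolve all Overrides" discarding them) are easy to misread, and the settings the section names as typical overrides (AAA server, SNMP community, syslog server) are exactly the ones a reviewer wants to see drift on. The Python below is an added example written for this edit, not code from the guide or from Aruba; it implements those semantics over flat key/value configurations and produces a drift report for the security-relevant keys. The configuration keys, group values and device names are constructed, and flat dictionaries stand in for Central's real configuration model.

```python
from typing import Any, Dict, List, Tuple

Config = Dict[str, Any]


def find_overrides(group_cfg: Config, device_cfg: Config) -> Config:
    """Keys where the device's configuration differs from its group; these are
    the settings Central marks with the Override icon."""
    return {k: v for k, v in device_cfg.items() if group_cfg.get(k) != v}


def effective_config(group_cfg: Config, overrides: Config) -> Config:
    """Group settings with the device-level overrides layered on top."""
    merged = dict(group_cfg)
    merged.update(overrides)
    return merged


def apply_group_change(group_cfg: Config, change: Config,
                       overrides: Config) -> Tuple[Config, Config]:
    """Push a change at group level. Overrides are preserved, so a device keeps
    its own value for any key it overrides even when the group value changes.
    Returns (new group config, device's effective config)."""
    new_group = dict(group_cfg)
    new_group.update(change)
    return new_group, effective_config(new_group, overrides)


def resolve_overrides(group_cfg: Config) -> Tuple[Config, Config]:
    """'Resolve all Overrides': drop the device-level changes and return the
    device to the group configuration. Returns (device config, overrides)."""
    return dict(group_cfg), {}


def drift_report(group_cfg: Config, devices: Dict[str, Config],
                 watch: Tuple[str, ...] = ("aaa_server", "snmp_ro_community",
                                           "syslog_server")) -> List[str]:
    """One line per device override on a watched key. The default watch list is
    the set of settings this section names as typical overrides."""
    lines = []
    for name, cfg in devices.items():
        for key, value in sorted(find_overrides(group_cfg, cfg).items()):
            if key in watch:
                lines.append(f"{name}: {key} overridden "
                             f"(group={group_cfg.get(key)!r}, device={value!r})")
    return lines


# Constructed sample group and devices (keys and values are made up).
GROUP = {
    "aaa_server": "10.0.0.20",
    "snmp_ro_community": "branch-ro",
    "syslog_server": "10.0.0.50",
    "ntp_server": "pool.ntp.org",
}
DEVICES = {
    "iap-lobby-01": dict(GROUP),
    "iap-lobby-02": {**GROUP, "syslog_server": "192.0.2.99", "snmp_ro_community": "public"},
}

if __name__ == "__main__":
    for line in drift_report(GROUP, DEVICES):
        print(line)
    overrides = find_overrides(GROUP, DEVICES["iap-lobby-02"])
    _, effective = apply_group_change(GROUP, {"syslog_server": "10.0.0.51"}, overrides)
    print(effective["syslog_server"])  # still 192.0.2.99: the override survived the group change
```

The second half of the `__main__` block is the case that surprises people: moving the group's syslog server does not bring iap-lobby-02 back into line, because its override is preserved. Only resolving the overrides does that, which is why a periodic drift report over the watched keys is worth keeping.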
Configuring System Parameters for IAP Network
To configure system parameters:
1. Select Wireless Configuration > System. The System details are displayed.
2. Click General and configure the following parameters:
Table 4: System Parameters
Parameter / Description
Name
  To change the name of an IAP:
  1. Click Edit Values. The Edit VC Name pane is displayed.
  2. Click the edit icon.
  3. Modify the name.
  4. Click Save.
Virtual Controller IP
  You can specify a single static IP address to manage a multi-AP Central network. This IP address is automatically provisioned on a shadow interface on the IAP that takes the role of a VC. The AP sends three Address Resolution Protocol (ARP) messages with the static IP address and its MAC address to update the network ARP cache.
  To configure the VC name and IP address:
  1. Click Edit Values next to Virtual Controller IP. The Edit IP Address pane is displayed.
  2. Click the edit icon.
  3. Enter the IP address in IP Addresses.
  4. Click Save.
Timezone
  To configure a timezone, select a timezone from the Timezone drop-down list.
  If the selected timezone supports DST, the UI displays the "The selected country observes Daylight Savings Time" message.
Preferred Band
  Assign a preferred band by selecting an appropriate option from the Preferred Band drop-down list.
  NOTE: Reboot the IAP after modifying the radio profile for changes to take effect.
NTP Server
  To facilitate communication between the various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
  - Trace and track security gaps, network usage, and troubleshoot network issues.
  - Validate certificates.
  - Map an event on one network element to a corresponding event on another.
  - Maintain accurate time for billing services and similar.
  The Network Time Protocol (NTP) helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the IAP clock to set the correct time. If no NTP server is configured in the IAP network, an IAP reboot may lead to variation in time data.
  By default, the IAP tries to connect to pool.ntp.org to synchronize time. The NTP server can also be provisioned through DHCP option 42. If an NTP server is configured, it takes precedence over the value provisioned through DHCP option 42. The NTP server provisioned through DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42.
  To configure an NTP server, enter the IP address or the URL (domain name) of the NTP server, and reboot the AP to apply the configuration changes.
Virtual Controller Netmask
Virtual Controller Gateway
Virtual Controller VLAN
  NOTE: The IP configured for the VC can be in the same subnet as the IAP or in a different subnet. Ensure that you configure the VC VLAN, gateway, and subnet mask details only if the VC IP is in a different subnet.
  NOTE: Ensure that the VC VLAN is not the same as the native VLAN of the IAP.
Dynamic CPU Utilization
  IAPs perform various functions such as wired and wireless client connectivity and traffic flows, wireless security, network management, and location tracking. If an AP is overloaded, prioritize the platform resources across the different functions. Typically, the IAPs manage resources automatically in real time. However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified.
  To configure dynamic CPU management, select any of the following options from Dynamic CPU Utilization:
  - Automatic—When selected, CPU management is enabled or disabled automatically during run-time. This decision is based on real-time load calculations that take into account all the different functions that the CPU needs to perform. This is the default and recommended option.
  - Always Disabled in all APs—When selected, this setting disables CPU management on all APs, typically for small networks. This setting protects user experience.
  - Always Enabled in all APs—When selected, the client and network management functions are protected. This setting helps in large networks with high client density.
Auto Join Mode
  The auto join mode feature allows IAPs to automatically discover the VC and join the network. The Auto Join Mode feature is enabled by default.
  If the auto join mode feature is disabled, a New link is displayed in the Access Points tab. Click this link to add IAPs to the network. If this feature is disabled, the inactive IAPs are displayed in red.
Terminal Access
  When terminal access is enabled, you can access the IAP CLI.
Telnet Server
  When Telnet access is enabled, you can start a Telnet session with the IAP CLI.
LED Display
  To enable or disable the LED display for all IAPs in a cluster, select Enabled or Disabled respectively.
  NOTE: The LED display is always in the Enabled mode during the IAP reboot.
Extended SSID
  Extended SSID is enabled by default in the factory default settings of IAPs. This disables mesh in the factory default settings.
Deny Inter-user Bridging
  If you have security and traffic management policies defined in upstream devices, you can disable bridging of traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can connect to the Internet but cannot communicate with each other, and the bridged traffic between the clients is sent to the upstream device to make the forwarding decision.
  To disable inter-user bridging, select Enabled.
Deny Local Routing
  If you have security and traffic management policies defined in upstream devices, you can disable routing of traffic between two clients connected to the same IAP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routed traffic between the clients is sent to the upstream device to make the forwarding decision.
  To disable local routing, select Enabled.
Dynamic RADIUS Proxy
  When enabled, the virtual controller network uses the IP address of the virtual controller for communication with external RADIUS servers. You must set the virtual controller IP address as a NAS client in the RADIUS server if Dynamic RADIUS proxy is enabled.
MAS Integration
  Enables the LLDP protocol for Mobility Access Switch integration. With this protocol, IAPs can instruct the Mobility Access Switch to turn off ports where rogue access points are connected, as well as take actions such as increasing PoE priority and automatically configuring VLANs on ports where IAPs are connected.
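The NTP precedence rule described for the NTP Server parameter (configured server, then DHCP option 42, then the pool.ntp.org default), as an added example that is not from this guide or from Aruba. It decodes DHCP option 42 as it is carried on the wire (a list of 4-byte IPv4 addresses, per RFC 2132) and then applies the precedence. The function names, the Python representation of the settings, and the sample option payload are assumptions made for illustration.

```python
"""Added example (not Aruba code): NTP source selection as the guide describes it,
plus a decoder for the raw value of DHCP option 42 (NTP Servers, RFC 2132)."""
import ipaddress
from typing import List, Optional, Tuple

DEFAULT_NTP_SERVER = "pool.ntp.org"   # factory default named in the guide


def parse_dhcp_option_42(payload: bytes) -> List[str]:
    """Decode the value field of DHCP option 42.

    RFC 2132 defines the value as one or more IPv4 addresses, 4 bytes each,
    listed in order of preference, so the length must be a non-zero multiple of 4.
    """
    if len(payload) == 0 or len(payload) % 4 != 0:
        raise ValueError("option 42 length must be a non-zero multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, len(payload), 4)]


def select_ntp_server(configured: Optional[str],
                      option42_payload: Optional[bytes]) -> Tuple[str, str]:
    """Return (server, source) using the guide's precedence.

    1. An explicitly configured server always wins.
    2. Otherwise the first server provisioned through DHCP option 42 is used.
    3. Otherwise the default pool.ntp.org is used (also when option 42 is malformed).
    """
    if configured is not None and configured.strip():
        return configured.strip(), "configured"
    if option42_payload:
        try:
            servers = parse_dhcp_option_42(option42_payload)
        except ValueError:
            servers = []          # a malformed option behaves as if it were absent
        if servers:
            return servers[0], "dhcp-option-42"
    return DEFAULT_NTP_SERVER, "default"


if __name__ == "__main__":
    # Constructed sample: a DHCP lease carrying two NTP servers in option 42.
    sample_option42 = bytes([192, 0, 2, 10, 192, 0, 2, 11])
    print(parse_dhcp_option_42(sample_option42))          # ['192.0.2.10', '192.0.2.11']
    print(select_ntp_server("ntp.example.com", sample_option42))  # configured wins
    print(select_ntp_server(None, sample_option42))       # falls back to option 42
    print(select_ntp_server("", None))                    # falls back to the default
```

The guide notes that accurate time is what certificate validation depends on; because DHCP option 42 is unauthenticated, the second outcome above is the one an operator would want to notice when the IAP's time source matters to TLS validation.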
Modifying AP Administrator Credentials
To change the AP administrator password:
1. Select Wireless Configuration > System. The Configuration-System details are displayed.
2. Click Admin under Local and provide the new password that you would like the admin users to use.
3. Click OK.
Chapter 6
Monitoring
The Monitoring tab displays the monitoring dashboard for Central. The tab includes the following:
- Overview
- Access Points
- AppRF
- Switches
- Clients
- WIDS
- Event Log
- Notifications
Overview
The Overview pane displays the summary of the networks, clients, and the geographical location of the devices.
Table 5: Overview Pane
Parameter / Description
Access Points count
  Displays the total number of IAPs.
Clients count
  Displays the total number of clients connected to an IAP over a specified period.
Switches
  Displays the geographical location of the Mobility Access Switch.
Alerts count
  Displays the total number of IAPs or clients that have alerts.
Throughput graph
  Displays the aggregate incoming and outgoing data traffic of all IAPs over a specified period.
Clients graph
  Displays the number of clients connected to an IAP over a specified period.
Wireless Data Usage graph
  Displays the aggregate incoming and outgoing traffic for all APs per SSID over a specified period.
Wireless Client graph
  Displays the number of clients connected to APs per SSID over a specified period.
Map
  Displays the geographic location of the IAPs, clients, and alerts.
Top 5 Switches By Usage
  Displays the top five switches that are most used on the network.
TOP 5 APs By Usage
  Displays the list of the top five IAPs that are most used on the network.
TOP 5 Clients By Usage
  Displays the list of the top five clients utilizing the maximum bandwidth over the network.
Clients Type
  Displays the different types of clients connected to the network.
WLANs
  Displays the list of SSIDs configured.
Quick Links
  Displays the links to the most frequently used pages in Central.
You can view the Throughput, Clients, Wireless Data Usage, and Wireless Clients graphs for a specific time frame (3 hours, 1 day, 1 week, 1 month, and 3 months) by clicking 3H, 1D, 1W, 1M, or 3M.
Access Points
The Access Points pane displays the status and location of the IAPs.
Table 6: Access Points Pane
Parameter / Description
Flagged AP
  Displays the IAPs that are experiencing potential issues with utilization, noise, and so on. The Flagged AP table includes the following columns:
  - Access Point
  - Util(%)
  - Noise(dBm)
  - Errors
  - Clients
  - Memory
  - CPU
Access Point
  Displays the geographic location of the IAPs. The ACCESS POINT table consists of the following columns:
  - Name
  - Location
  - Group
  - Status
  - Clients
  - Uptime
  - Labels
Utilization icon
  Displays the radio utilization rate of the IAPs. Depending on the percentage of utilization, the color of the lines on the Utilization icon changes from Green > Orange > Red.
  - Green—Utilization is less than 50 percent.
  - Orange—Utilization is between 50 and 75 percent.
  - Red—Utilization is more than 75 percent.
Clients
  Displays the number of clients connected to an IAP over a specified period.
Throughput
  Displays a graph with aggregate statistics of the incoming and outgoing data traffic of all IAPs over a specified period.
Wireless Data Usage
  Displays a graph with the aggregate incoming and outgoing traffic for all access points per SSID over a specified period.
Wireless Clients
  Displays the number of clients connected to access points per SSID over a specified period.
Map
  Displays the geographic location of the IAPs.
You can view the Throughput, Clients, Wireless Data Usage, and Wireless Clients graphs for a specific time frame (3 hours, 1 day, 1 week, 1 month, and 3 months) by clicking 3H, 1D, 1W, 1M, or 3M.
AP Details
To view the details of an IAP, select Monitoring > Access Points and click the IAP for which you want to view the details under Access Points or Flagged AP. The AP Details pane is displayed.
Table 7: AP Details Pane
Parameter / Description
Device Status
  Displays the current status of the IAP.
Connected Clients
  Displays the number of clients that are connected to this IAP.
Uplink Type
  Displays the type of uplink used.
Alerts
  Displays the alerts generated for this IAP.
General IAP details
  The AP DETAILS pane displays the following generic information about the IAP:
  - AP Name
  - Serial Number
  - MAC Address
  - IP Address
  - Mode
  - Mesh Role
  - Uptime
  - VC Name
  - AP Model Type
  - Firmware Version
  - CPU Utilization
  - Device Memory Used
  - Device Memory Type
  - Group Name
GRAPH
  Select a parameter from the list to view its corresponding graphs:
  - Number of Connected Clients
  - Throughput
  - RF Channel Utilization
  - Number of Neighboring Clients
  - Noise Floor
  - Errors/Retries/Drops Statistics
Map
  Displays the geographical location of the IAP.
Apps
  When the AppRF service is enabled, the Apps graph displays the applications used by the clients connected to the IAP.
App Categories
  If the AppRF service is enabled, the App Categories graph displays the application categories that are accessed by the clients connected to the IAP.
Web Categories
  When the AppRF service is enabled, the Web Categories graph displays the web categories accessed by the clients connected to the IAP.
Web Reputation
  When the AppRF service is enabled, the Web Reputation graph displays the web reputation score for the websites accessed by the clients connected to the IAP.
Wired Interface
  Displays information about the wired interfaces configured on the IAP.
Wireless Interface
  Displays information about the wireless interfaces configured on the IAP.
Clients
  Displays information about the IAP clients.
Event Log
  Displays the list of events associated with an IAP.
To reboot the IAP from Central, select the Monitoring > Access Points > Access Points pane and click the AP. On the Access Points > AP Details pane, select the AP to reboot, and click the Reboot AP button.
Remote Console System
To access the AP through the remote console, click Console Access on the Monitoring > Access Points > AP Details pane.
AppRF
The AppRF pane displays the traffic summary for IAPs and client devices. The AppRF graphs are based on the Deep Packet Inspection (DPI) application and Web Policy Enforcement service, which provides the application traffic summary for the client devices associated with an IAP.
For more information, see Application Visibility on page 128.
Switches
The Switches pane displays the status and location of the Mobility Access Switches.
Table 8: Switches Pane
Parameter / Description
Flagged Switches
  Displays the switches that may experience potential issues with power consumption, fan speed, and so on. This table displays the details in the following columns:
  - Name
  - Temp. (°C)
  - PoE Consumption (W)
  - CPU
Switches
  Displays the geographic location of the switches on the Google Location Service. This table displays the following information:
  - Name
  - Location
  - Group
  - Status
  - Clients
  - IP Address
  - AVG Usage
  - Uptime
  - Labels
  - Uplink Ports
Switch Details
To view the details of a Mobility Access Switch, select the Monitoring > Switches pane and click the Mobility Access Switch for which you want to view the details under Switches or Flagged Switches. The Switch Details pane is displayed.
Table 9: Switch Details Pane
Parameter / Description
Switch Status
  Displays the status of the Mobility Access Switch as Up or Down.
Connected Clients
  Displays the total number of clients connected to the Mobility Access Switch.
Management IP
  Displays the management IP address of the Mobility Access Switch.
Switch Uptime
  Displays the uptime of the Mobility Access Switch in Days:Hours:Minutes format.
Switch Name
  Displays the name of the Mobility Access Switch.
Serial Number
  Displays the serial number of the Mobility Access Switch.
MAC Address
  Displays the MAC address of the Mobility Access Switch.
Public IP
  Displays the public IP address of the Mobility Access Switch.
Default Gateway
  Displays the default gateway IP address of the Mobility Access Switch.
Group Name
  Displays the group name to which the Mobility Access Switch belongs.
Firmware Version
  Displays the firmware version of the Mobility Access Switch.
Switch Model Type
  Displays the model number of the Mobility Access Switch.
PoE Consumption
  Displays the PoE power drawn from the Mobility Access Switch in watts (W).
Temperature
  Displays the temperature of the Mobility Access Switch in Celsius.
Fan Speed
  Displays the fan speed of the Mobility Access Switch in rotations per minute (RPM).
Label
  Click the + button and enter the name of the label for the Mobility Access Switch in the text box. To delete a label, click the X button next to the label name.
Alerts
  Displays the number of alerts generated for this Mobility Access Switch.
Map
  Displays the geographical location of the Mobility Access Switch.
Switch Dashboard
  Displays the ports of the Mobility Access Switch that are Up and Down.
Uplink Stats
  Displays the uplink statistics for a specific site.
Ports
  Displays the following port details of the Mobility Access Switch:
  - Port#
  - Oper Stat
  - PoE
  - Type
  - Mode
  - Tx Usage
  - Rx Usage
  - Trusted
Event Log
  Displays the list of events associated with the Mobility Access Switch.
To reboot the Mobility Access Switch from Central, click Reboot Switch in the Monitoring > Switches > Switch Details pane.
Remote Console System pane
On the Switch Details pane, click Console Access to view the remote console for the Mobility Access Switch.
To access the Remote Console window through Internet Explorer 11, ensure that the URL is added under Tools > Compatibility View Settings in Internet Explorer 11.
Monitor and Managed Mode
Before a Mobility Access Switch is connected to Central, the switch is in Monitored mode. In the monitored mode, the Mobility Access Switch has configurations that can be modified only through the switch console.
When a Mobility Access Switch is connected to Central for the first time, the switch is in the managed mode. In managed mode, you can configure the Mobility Access Switch features only through Central.
To change the Mobility Access Switch from monitored to managed mode:
1. Select the Monitoring > Switches pane.
2. Select Managed from the drop-down list next to the Console Access text box.
3. Click Continue.
If a switch is in the monitored mode, the configuration changes at the group or device level are not applied to the switch. When any configuration is modified at the group or device level for the switches in the monitored mode, the following error is displayed:
Configuration cannot be pushed to device as device is monitoring mode.
Clients
The Clients pane displays a list of clients that are connected to the network. The client names are displayed as links.
Table 10: Clients Pane
Parameter / Description
Flagged Wireless Clients
  Displays the details of the flagged clients and the indicators that determine whether clients are flagged:
  - MAC Address
  - IP Address
  - Speed
  - SNR
  The Speed and SNR indicate the data transfer speed and signal-to-noise ratio details based on which a client is flagged.
Clients
  Displays the geographic location of the IAPs. This table displays the following information:
  - MAC Address
  - IP Address
  - Username
  - Host Name
  - Device Type
  - Connected To
  - SSID
  - Connection
  - Labels
Throughput graph
  Displays the aggregate incoming and outgoing data traffic of all clients over a specified period.
Device Type graph
  Displays the type of the client device.
Map
  Displays the geographic location of the clients.
Central does not provide details of the wired clients under the Monitoring > Clients page if the ports are trusted. The Mobility Access Switch details are provided only if the ports are untrusted.
Client Details
To view the details of a client, select Monitoring > Clients and click the client for which you want to view the details under Access Points or Flagged AP. The Client Details pane is displayed.
Table 11: Client Details Pane
Parameter / Description
Port
  Displays the port (switch port) to which the client is connected.
Signal
  Signal strength of the client device in dB as measured by the access point.
Speed
  Connection speed of the client.
SNR
  Signal-to-Noise Ratio of the client device.
AP/SSID
  SSID to which the client is connected.
Alerts
  Number of alerts generated for this client. Alerts are generated due to abnormal client activity, low throughput, low signal quality, and so on.
SSIDs
  SSID broadcast by the IAP.
User Name
  User name of the client.
User Role
  User role configured in an IAP cluster.
Channel
  Channel broadcast by the client.
Band/Radio
  Radio band of the IAP on which the client is operating.
Manufacturer
  Name of the device manufacturer.
Connection Rate
  Rate at which a wireless connection is established.
Device Type
  Operating system of the client device.
Signal Strength
  Signal strength of the client as detected by the IAP.
Inbound
  Data flowing from the client.
Outbound
  Data flowing from the IAP to the client.
Throughput
  Incoming and outgoing throughput traffic for a client during a specific time range.
Usage
  Incoming and outgoing data usage for a client in units of bytes for a specific duration.
Map
  Geographical location of the client.
Apps
  When the AppRF service is enabled, the Apps graph displays the applications used by the client device.
App Categories
  If the AppRF service is enabled, the App Categories graph displays the application categories accessed by the client device.
Web Categories
  When the AppRF service is enabled, the Web Categories graph displays the web categories accessed by the client device.
Web Reputation
  When the AppRF service is enabled, the Web Reputation graph displays the web reputation score for the websites accessed by the client device.
Mobility Trail
  Details and time stamp of the IAP and client association.
Event Log
  List of events applicable to the client.
Alerts
  Alerts generated for the client, if any.
WIDS
The WIDS pane provides a summary of the rogue IAPs, interfering IAPs, and the total number of wireless attacks detected on an AP and client device for a specified period.
Table 12: WIDS Pane
Parameter / Description
AP Type
  Displays the distribution of foreign IAP types detected by the system.
IDS Attack Detected
  Displays the distribution of IDS attacks detected by the system.
Map
  Displays the geographic locations on which rogue APs, interfering APs, and IDS attacks are detected.
WIDS Events
  Displays a list of the WIDS events. The WIDS event table includes the following columns:
  - Date/Time
  - Level
  - Description
  - Type
  - Detecting AP
  - Virtual Controller
  - Radio
  - Station MAC
Event Log
The Event Log pane displays the details of the events that occur in the network.
Table 13: Event Log Pane
Parameter / Description
Date/Time
  Displays the system date and time at which the event occurred.
Hostname
  Displays the host name of the device.
MAC Address
  Displays the MAC address of the device.
Description
  Displays the description of the event that occurred.
Device Type
  Displays the type of device. For example, AP.
Level
  Displays the severity level of the event that occurred.
Event Type
  Displays the type of event. The event types are categorized as Security, Infrastructure detection, Network, Client detection, and Environment.
Search icon
  Allows you to search for a particular event.
Notifications
The Notifications pane displays all types of notification alerts that are detected and unacknowledged by Central.
Table 14: Notifications Pane
Parameter / Description
Notifications
  Displays all types of notification alerts.
Acknowledge All
  Acknowledges all the notifications in one click.
Setting Notification Alerts
To configure a notification alert:
1. At the top right corner of the main pane, click the Notifications icon > Settings icon. The Notification Settings pane is displayed.
2. Select a notification type from the Type drop-down list.
3. Select an event type from the Event drop-down list.
4. Select a group type from the Group drop-down list.
5. To receive email notifications, select the check box and enter the email address.
6. Click Save.
Chapter 7
Wireless Configuration
This chapter describes the following topics:
- Configuring Networks on page 45
- Configuring ARM and RF Parameters on page 62
- Configuring Authentication and Security Parameters on page 69
- Configuring Roles and Policies for User Access Control on page 80
- Configuring Intrusion Detection System on page 91
- Configuring VPN Networks on page 95
- Configuring DHCP and Client IP Assignment Modes on page 100
- Configuring Services on page 106
- Configuring Uplinks on page 113
- Mobility and Client Management on page 122
- Enterprise Domains on page 124
Configuring APs
This section describes the procedures for configuring settings that are specific to an IAP in the cluster:
- Modifying IAP Parameters on page 42
- Configuring Radio Profiles on page 43
- Configuring External Antenna on page 44
- Configuring Uplink VLAN on page 45
- Assigning a Static IP Address on page 45
- Removing an IAP from the Network on page 45
Modifying IAP Parameters
To customize the parameters of an IAP:
1. Select Wireless Configuration > Access Points and click the IAP that you want to customize.
2. Click Edit. The Edit pane for modifying the IAP details is displayed.
3. Under Basic Info, you can modify the name of the IAP by entering the name in the Name box. You can specify a name of up to 32 ASCII characters.
4. Specify a zone for the IAP. When a zone is configured for an IAP and the same zone details are configured on an SSID, the SSID can be broadcast only by the IAPs in that specific zone. Only one zone can be configured on an SSID, and an IAP can belong to only one zone.
5. To provision the IAP as a master IAP, set Preferred Master to Enabled.
6. Select the Get IP Address from DHCP Server option to receive an IP address from the DHCP server or .
7. Click Save Settings and reboot the IAP.
Configuring Radio Profiles
You can configure a radio profile on an IAP either manually or by using the Adaptive Radio Management (ARM) feature.
ARM is enabled on Central by default. It automatically assigns appropriate channel and power settings for the IAPs. For more information on ARM, see Configuring ARM and RF Parameters on page 62.
Configuring ARM-Assigned Radio Profiles
To enable ARM-assigned radio profiles:
1. In the Access Points tab, click the IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying the IAP details is displayed.
3. Click the Radio tab. The Radio details are displayed.
4. Ensure that an appropriate mode is selected.
5. Select the Adaptive radio management assigned option under the bands that are applicable to the IAP configuration.
6. Click Save Settings.
Manually Configuring Radio Profiles
When radio settings are assigned manually by the administrator, ARM is disabled.
To manually configure radio settings:
1. In the Configuration > Access Points > Basic Info page, click the IAP for which you want to enable ARM. The edit link is displayed.
2. Click the edit link.
3. Click the Radio tab.
4. Ensure that an appropriate mode is selected.
By default, the channel and power for an IAP are optimized dynamically using Adaptive Radio Management (ARM). You can override ARM on the 2.4 GHz and 5 GHz bands and set the channel and power manually if desired.
The following table describes the various configuration modes for an IAP:
Table 15: IAP Radio Modes
Mode / Description
Access
  In the Access mode, the IAP serves clients, while also monitoring for rogue IAPs in the background.
Monitor
  In the Monitor mode, the IAP acts as a dedicated monitor, scanning all channels for rogue IAPs and clients.
Spectrum Monitor
  In the Spectrum Monitor mode, the IAP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from neighboring IAPs or from non-Wi-Fi devices such as microwaves and cordless phones.
In the Monitor and Spectrum Monitor modes, the IAPs do not provide access services to clients.
5. After the Access mode is selected:
   a. Select Administrator assigned in the 2.4 GHz and 5 GHz band sections.
   b. Select the appropriate channel number from the Channel drop-down list for both the 2.4 GHz and 5 GHz band sections.
   c. Enter the appropriate transmit power value in the Transmit power text box in the 2.4 GHz and 5 GHz band sections.
6. Click Save Settings.
Configuring External Antenna
If your IAP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's Equivalent Isotropically Radiated Power (EIRP) is in compliance with the limit specified by the regulatory authority of the country in which the IAP is deployed. You can also measure or calculate additional attenuation between the device and the antenna before configuring the antenna gain. To know if your IAP device supports external antenna connectors, see the Installation Guide that is shipped along with the IAP device.
EIRP and Antenna Gain
The following formula can be used to calculate the EIRP-limit-related RF power based on the selected antennas (antenna gain) and feeder (coaxial cable loss):
EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)
The following table describes this formula:
Table 16: Formula Variable Definitions
Formula Element / Description
EIRP
  Limit specific for each country of deployment
Tx RF Power
  RF power measured at the RF connector of the unit
GA
  Antenna gain
FL
  Feeder loss
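The formula in Table 16 solved for the quantity an administrator actually sets, as an added example that is not from this guide or from Aruba: since EIRP = Tx RF Power + GA - FL, the largest transmit power that stays within a limit is Tx RF Power = EIRP limit - GA + FL, and any additional attenuation measured between the device and the antenna is simply added to FL. The function names and the limit, gain and loss figures in the demo are constructed for illustration; real limits come from the regulatory authority of the country of deployment.

```python
"""Added example (not Aruba code): the guide's EIRP relation,
EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB), as a per-band compliance check."""
from typing import Dict


def eirp_dbm(tx_rf_power_dbm: float, ga_db: float, fl_db: float) -> float:
    """EIRP exactly as the guide's formula defines it."""
    return tx_rf_power_dbm + ga_db - fl_db


def max_tx_rf_power_dbm(eirp_limit_dbm: float, ga_db: float, fl_db: float) -> float:
    """The formula solved for Tx RF Power: the largest setting that still meets the limit."""
    return eirp_limit_dbm - ga_db + fl_db


def check_band(tx_rf_power_dbm: float, ga_db: float, fl_db: float,
               eirp_limit_dbm: float) -> Dict[str, float]:
    """Compliance report for one band. fl_db should include any extra attenuation
    measured between the IAP and the antenna, as the guide suggests."""
    eirp = eirp_dbm(tx_rf_power_dbm, ga_db, fl_db)
    return {
        "eirp_dbm": eirp,
        "margin_db": eirp_limit_dbm - eirp,      # negative means the limit is exceeded
        "compliant": eirp <= eirp_limit_dbm,
        "max_tx_rf_power_dbm": max_tx_rf_power_dbm(eirp_limit_dbm, ga_db, fl_db),
    }


def check_radio(config: Dict[str, Dict[str, float]]) -> Dict[str, Dict[str, float]]:
    """Run check_band for every band; each band's values are the check_band keyword arguments."""
    return {band: check_band(**values) for band, values in config.items()}


if __name__ == "__main__":
    # Constructed figures for illustration only, not regulatory values.
    demo = {
        "2.4 GHz": {"tx_rf_power_dbm": 25, "ga_db": 10, "fl_db": 3, "eirp_limit_dbm": 36},
        "5 GHz":   {"tx_rf_power_dbm": 30, "ga_db": 10, "fl_db": 3, "eirp_limit_dbm": 36},
    }
    for band, report in check_radio(demo).items():
        print(band, report)
```

With the constructed 2.4 GHz figures the radiated power is 32 dBm, 4 dB under the limit, and the highest compliant transmit power setting is 29 dBm; the 5 GHz row shows the non-compliant case, where the report's negative margin is the amount by which the transmit power must be reduced.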
Configuring Antenna Gain
To configure antenna gain for IAPs with external connectors:
1. Select Configuration > Access Points > Basic Info, select the access point to configure, and then click Edit.
2. Select Radio and select External Antenna to configure the antenna gain value. This option is available only for access points that support external antennas.
3. Enter the antenna gain values in dBm for the 2.4 GHz and 5 GHz bands.
4. Click Save Settings.
Configuring Uplink VLAN
Central supports a management VLAN for the uplink traffic on an IAP. You can configure an uplink VLAN when an IAP needs to be managed from a non-native VLAN. After an IAP is provisioned with the uplink management VLAN, all management traffic sent from the IAP is tagged with the management VLAN.
Ensure that the native VLAN of the IAP and its uplink VLAN are not the same.
To configure the uplink management VLAN on an IAP:
1. Select Wireless Configuration > Access Points and click the IAP to modify.
2. Click Edit. The Edit pane for modifying the IAP details is displayed.
3. Click Uplink and specify the VLAN in Uplink Management VLAN.
4. Select Enable from the Eth0 Bridging list to configure Ethernet bridging.
5. Click Save Settings.
6. Reboot the IAP.
Adding an IAP
To add an IAP to Central, assign an IP address and a license.
After an IAP is connected to the network, if the Auto Join Mode feature is enabled, the IAP inherits the configuration from the VC and is listed in the Access Points tab.
Assigning a Static IP Address
You can either specify a static IP address or allow the IAP to obtain an IP address from a DHCP server. By default, the IAPs obtain an IP address from a DHCP server.
To specify a static IP address for the IAP:
1. Select Wireless Configuration > Access Points and click the IAP to modify.
2. Click Edit. The edit pane for modifying the IAP details is displayed.
3. Under Basic Info, select Static to specify a static IP address. The following fields are displayed:
   a. Enter the new IP address for the IAP in the IP Address text box.
   b. Enter the subnet mask of the network in the Netmask text box.
   c. Enter the IP address of the default gateway in the Default Gateway text box.
   d. Enter the IP address of the Domain Name System (DNS) server in the DNS Server text box.
   e. Enter the domain name in the Domain Name text box.
4. Click Save Settings and reboot the IAP.
Removing an IAP from the Network
To remove an IAP from the network:
1. In the Maintenance tab, select the IAP to remove. The Unassign button is displayed at the bottom of the page.
2. Click Unassign to confirm the deletion.
Configuring Networks
This section describes the following procedures:
- Configuring a WLAN SSID Profile for Employee and Voice Networks on page 46
- Configuring Captive Portal Profiles for Guest Access on page 52
- Configuring Profiles for Wired Network on page 60
- Editing a Network Profile on page 62
- Deleting a Network Profile on page 62
Configuring a WLAN SSID Profile for Employee and Voice Networks
Central supports the following types of wireless networks:
- Employee network—An Employee network is a classic Wi-Fi network. This network type is used by the employees in an organization and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The employee network is selected by default during a network profile configuration.
- Voice network—The Voice network type allows you to configure a network profile for devices that provide only voice services, such as handsets or applications that require voice traffic prioritization.
- Guest network—The Guest wireless network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The VC assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network. However, you can specify the encryption settings when configuring a guest network.
When a client is associated to the voice network, all data traffic is marked and placed into the high priority queue in QoS (Quality of Service).
You can configure up to six wireless networks. By enabling Extended SSID (Wireless Configuration > System > General), you can create up to 16 networks.
To configure a new wireless network profile, complete the following procedures:
1. Configuring WLAN Settings
2. Configuring VLAN Settings
3. Configuring Security Settings
4. Configuring Access Rules for a Network
Configuring WLAN Settings
To configure WLAN settings:
1. Select Wireless Configuration > Networks and then click Create New. The Create a New Network pane is displayed.
2. From the Type list, select Wireless.
3. Enter a name that is used to identify the network in the Name (SSID) box.
4. Based on the type of network profile, select any of the following options under Primary Usage:
- Employee
- Voice
- Guest
5. Click Show Advanced Options. The advanced options for configuration are displayed. Specify the following parameters as required.
Table 17: WLAN Configuration Parameters

Broadcast Filtering: Select any of the following values:
- All—The IAP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
- ARP—The IAP drops broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients.
- Disabled—All broadcast and multicast traffic is forwarded to the wireless interfaces.

DTIM Interval: The DTIM Interval indicates the Delivery Traffic Indication Message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the IAP delivers the buffered broadcast and multicast frames to the associated clients in power save mode. The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You can also configure a higher DTIM value for power saving.

Multicast Transmission Optimization: Select Enabled if you want the IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of the unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent up to a rate of 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and that for 5 GHz is 6 Mbps. This option is disabled by default.

Dynamic Multicast Optimization: Select Enabled to allow the IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video, while preserving the bandwidth available to the nonvideo clients.
NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

DMO Channel Utilization Threshold: Specify a value to set a threshold for DMO channel utilization. With DMO, the IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeded, the IAP sends multicast traffic over the wireless link.

Transmission Rates: Specify the following parameters:
- 2.4 GHz—If the 2.4 GHz band is configured on the IAP, specify the minimum and maximum transmission rates. The default minimum transmission rate is 1 Mbps and the default maximum transmission rate is 54 Mbps.
- 5 GHz—If the 5 GHz band is configured on the IAP, specify the minimum and maximum transmission rates. The default minimum transmission rate is 6 Mbps and the default maximum transmission rate is 54 Mbps.

Zone: Specify the zone for the SSID. When the zone parameter is configured in the SSID profile and the same zone is defined on the IAP, the SSID is broadcast by that IAP.
- If an SSID belongs to a zone, all IAPs in this zone can broadcast this SSID.
- If no IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
- If an SSID does not belong to any zone, all IAPs can broadcast this SSID.

Bandwidth Limits: Under Bandwidth Limits:
- Airtime—Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
- Each Radio—Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients.
WMM: Configure the following options for Wi-Fi Multimedia (WMM) traffic management. WMM supports voice, video, best effort, and background access categories. You can allocate a higher bandwidth for voice and video traffic than for other types of traffic based on the network profile. Specify a percentage value for the following parameters:
- Background WMM Share—Allocates bandwidth for background traffic such as file downloads or print jobs.
- Best Effort WMM Share—Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS.
- Video WMM Share—Allocates bandwidth for video traffic generated from video streaming.
- Voice WMM Share—Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication.
In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort WMM Share and Voice WMM Share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.

Content Filtering: Select Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network.

Band: Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.

Inactivity Timeout: Specify an interval for session timeout. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. You can specify a value within the range of 60–3600 seconds. The default value is 1000 seconds.

Hide SSID: Select this checkbox if you do not want the SSID (network name) to be visible to users.

Disable SSID: Select this checkbox if you want to disable the SSID. When selected, the SSID is disabled but is not removed from the network. By default, all SSIDs are enabled.

Can be used without uplink: Select this checkbox if you do not want the SSID profile to use the uplink.

Max Clients Threshold: Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0–255. The default value is 64.

Local Probe Request Threshold: Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls the system response for this network profile and ignores probe requests if required. You can specify a Received Signal Strength Indication (RSSI) value within the range of 0–100 dB.
6. Click Next to configure VLAN settings.
Configuring VLAN Settings
To configure VLAN settings for an SSID:
1. In the VLAN tab, select any of the following options for Client IP Assignment:
- Virtual Controller Assigned—On selecting this option, the client obtains the IP address from the VC. The VC creates a private subnet and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP and Client IP Assignment Modes on page 100.
- Network Assigned—Select this option to obtain the IP address from the network.
2. If Network Assigned is selected, specify any of the following options for Client VLAN Assignment:
- Default—On selecting this option, the client obtains the IP address in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Static—On selecting this option, you need to specify a single VLAN, a comma separated list of VLANs, or a range of VLANs for all clients on this network. If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.
- Dynamic—On selecting this option, you can assign the VLANs dynamically from a DHCP server. To create VLAN assignment rules:
  a. Click New to assign the user to a VLAN. The New VLAN Assignment Rule pane is displayed.
  b. Enter the following information:
  - Attribute—Select an attribute returned by the RADIUS server during authentication.
  - Operator—Select an operator for matching the string.
  - String—Enter the string to match.
  - VLAN—Enter the VLAN to be assigned.
3. Click Next to configure security settings for the employee network.
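The three Client VLAN Assignment modes above, modelled in an added example that is not Aruba's code: Static entries are expanded into a VLAN list (with pooling when more than one VLAN is given), and Dynamic rules match attributes returned by the RADIUS server to a VLAN. The operator set, first-match-wins evaluation, the hash-based pool choice and the sample attributes are assumptions; the guide does not list them.

```python
import hashlib
from dataclasses import dataclass

MAX_VLAN = 4094


def parse_static_vlans(spec):
    """Expand a Static entry ('20', '10,20,30', '100-103', or a mix) into a VLAN list."""
    vlans = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not (1 <= lo <= hi <= MAX_VLAN):
                raise ValueError("bad VLAN range: %r" % part)
            vlans.extend(range(lo, hi + 1))
        else:
            vlan = int(part)
            if not 1 <= vlan <= MAX_VLAN:
                raise ValueError("bad VLAN id: %r" % part)
            vlans.append(vlan)
    if not vlans:
        raise ValueError("empty VLAN specification")
    return vlans


def pool_vlan(pool, client_mac):
    """VLAN pooling: pick one VLAN of the pool per client. The guide says the
    assignment is random; a stable hash of the client MAC is used here (assumed)
    so a client lands in the same VLAN each time it associates."""
    digest = hashlib.sha256(client_mac.lower().encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


@dataclass(frozen=True)
class VlanRule:
    attribute: str  # RADIUS attribute returned during authentication
    operator: str   # one of OPERATORS (assumed set of operators)
    string: str     # string to match
    vlan: int       # VLAN assigned on match


OPERATORS = {
    "equals": lambda value, s: value == s,
    "contains": lambda value, s: s in value,
    "starts-with": lambda value, s: value.startswith(s),
    "ends-with": lambda value, s: value.endswith(s),
}


def match_rule(rule, radius_attrs):
    """A rule matches only if the attribute was returned and the operator holds."""
    value = radius_attrs.get(rule.attribute)
    if value is None:
        return False
    return OPERATORS[rule.operator](str(value), rule.string)


def dynamic_vlan(rules, radius_attrs, default_vlan):
    """Evaluate rules in order; the first match wins (assumed); otherwise default_vlan."""
    for rule in rules:
        if match_rule(rule, radius_attrs):
            return rule.vlan
    return default_vlan


# Constructed sample rules using standard RADIUS attribute names.
SAMPLE_RULES = [
    VlanRule("Filter-Id", "equals", "finance", 110),
    VlanRule("Tunnel-Private-Group-Id", "starts-with", "contractor", 120),
]


def assign_vlan(mode, radius_attrs=None, static_spec=None, client_mac=None, native_vlan=1):
    """Apply one Client VLAN Assignment mode: Default, Static or Dynamic."""
    if mode == "Default":
        return native_vlan
    if mode == "Static":
        pool = parse_static_vlans(static_spec)
        return pool[0] if len(pool) == 1 else pool_vlan(pool, client_mac)
    if mode == "Dynamic":
        return dynamic_vlan(SAMPLE_RULES, radius_attrs or {}, native_vlan)
    raise ValueError("unknown mode: %r" % mode)
```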
Configuring Security Settings
To configure security settings for an employee or voice network:
1. In Security, specify any of the following for Security Level:
- Enterprise—On selecting the Enterprise security level, the authentication options applicable to the enterprise network are displayed.
- Personal—On selecting the Personal security level, the authentication options applicable to the personalized network are displayed.
- Open—On selecting the Open security level, the authentication options applicable to an open network are displayed.
The default security setting for a network profile is Personal.
2. Based on the security level specified, specify the following parameters:
Table 18: WLAN Security Settings

Key Management: For the Enterprise security level, select any of the following options from Key Management:
- WPA-2 Enterprise
- Both (WPA-2 & WPA)
- WPA Enterprise
- Dynamic WEP with 802.1X—If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled. This is required for old printers that use dynamic WEP through Lightweight Extensible Authentication Protocol (LEAP) authentication. The Session Key for LEAP feature is Disabled by default.
NOTE: When the WPA-2 Enterprise and Both (WPA-2 & WPA) encryption types are selected and the 802.1X authentication method is configured, Opportunistic Key Caching (OKC) is enabled by default. If OKC is enabled, a cached Pairwise Master Key (PMK) is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1X authentication. OKC roaming can be configured only for the Enterprise security level.
For the Personal security level, select an encryption key from Key Management. For WPA-2 Personal, WPA Personal, and Both (WPA-2 & WPA) keys, specify the following parameters:
- Passphrase Format: Select a passphrase format. The available options are 8-63 alphanumeric characters and 64 hexadecimal characters.
- Enter a passphrase in Passphrase and reconfirm.
For Static WEP, specify the following parameters:
- Select an appropriate value for WEP Key Size from the WEP key size list. You can specify 64-bit or 128-bit.
- Select an appropriate value for the Tx key from Tx Key.
- Enter an appropriate WEP Key and reconfirm.

Fast Roaming: Enable the following fast roaming features as per your requirement:
- 802.11r—To enable 802.11r roaming, select 802.11r. Selecting this enables fast BSS transition. The fast BSS transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster.
- 802.11k—To enable 802.11k roaming, select 802.11k. The 802.11k protocol enables IAPs and clients to dynamically measure the available radio resources. When 802.11k is enabled, IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
- 802.11v—To enable 802.11v based BSS transition, select 802.11v. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as it roams.

Termination: To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set Termination to Enabled. Enabling Termination can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the IAP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the IAP acts as a relay for this exchange. When Termination is enabled, the IAP acts as an authentication server and terminates the outer layers of the EAP and relays only the innermost layer to the external RADIUS server.
NOTE: If you are using LDAP for authentication, ensure that AP termination is configured to support EAP.
Authentication Server 1 and Authentication Server 2: Select an authentication server from Authentication Server or select New to create a new server. For information on configuring external servers, see Configuring External Servers for Authentication on page 72. To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS server. Click Users to add the users. If an external server is selected, you can also configure another authentication server.

Load Balancing: Set this to Enabled if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers on page 72.

Reauth Interval: Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients. If the re-authentication interval is configured:
- On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client gets a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.
- On an SSID performing both L2 and L3 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
- On an SSID performing only L3 authentication (captive portal authentication): When re-authentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through the captive portal to regain access.

Blacklisting: To enable blacklisting of the clients with a specific number of authentication failures, select Enabled from Blacklisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in the Max Authentication Failures field are dynamically blacklisted.

Accounting: To enable accounting, select Enabled from Accounting. On setting this option to Enabled, APs post accounting information to the RADIUS server at the specified Accounting Interval.

Authentication Survivability: To enable authentication survivability, set Authentication Survivability to Enabled. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours; the default value is 24 hours.
MAC Authentication: To enable MAC address based authentication for the Personal and Open security levels, set MAC Authentication to Enabled. For the Enterprise security level, the following options are available:
- Perform MAC Authentication Before 802.1X—Select this to use 802.1X authentication only when the MAC authentication is successful.
- MAC Authentication Fail-Thru—On selecting this, the 802.1X authentication is attempted when the MAC authentication fails.

Delimiter Character: Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

Uppercase Support: Set to Enabled to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

3. Click Next to configure access rules.
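How the Delimiter Character and Uppercase Support settings shape the MAC string sent in a MAC authentication request, as an added example that is not Aruba's code: the same client MAC is rendered under each setting, and a plain string comparison against a user database (the assumed behaviour of a RADIUS or internal server) shows why the stored entry must use the exact same format. The accepted input forms, the sample database and the printer MAC are constructed for this example.

```python
import re

# Separators tolerated in the learned MAC: colon, dash, or Cisco-style dot (assumed).
_SEPARATORS = re.compile(r"[:\-.]")


def normalize_mac(raw):
    """Strip separators and return the 12 hex digits in lowercase; reject anything else."""
    digits = _SEPARATORS.sub("", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % raw)
    return digits.lower()


def mac_auth_identity(raw, delimiter=None, uppercase=False):
    """Build the MAC string the IAP places in the MAC authentication request:
    no delimiter -> xxxxxxxxxxxx; delimiter ':' -> xx:xx:xx:xx:xx:xx;
    Uppercase Support enabled -> hex digits in uppercase."""
    digits = normalize_mac(raw)
    if delimiter is not None:
        if len(delimiter) != 1 or delimiter.isalnum():
            raise ValueError("delimiter must be a single non-alphanumeric character")
        digits = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits.upper() if uppercase else digits


def lookup_mac_entry(user_database, identity):
    """The server compares the identity as an exact string (assumed): an entry
    stored as '00:11:22:aa:bb:cc' never matches a request sent as '001122aabbcc'."""
    return identity in user_database


def expected_entry_for(raw, delimiter=None, uppercase=False):
    """Provisioning helper: the exact string to store for a client so that it
    matches what the IAP will send under the same delimiter/uppercase settings."""
    return mac_auth_identity(raw, delimiter, uppercase)


# Constructed sample database: one printer provisioned with a colon delimiter, lowercase.
SAMPLE_DB = {"00:11:22:aa:bb:cc"}
PRINTER_MAC = "0011.22AA.BBCC"  # constructed; the same client, learned in dotted form


def printer_authenticates(delimiter, uppercase):
    """Does the sample printer pass MAC authentication under these IAP settings?"""
    identity = mac_auth_identity(PRINTER_MAC, delimiter, uppercase)
    return lookup_mac_entry(SAMPLE_DB, identity)
```

A mismatch between the IAP format and the stored entry shows up as repeated authentication failures, which count toward Max Authentication Failures when Blacklisting is enabled.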
Configuring Access Rules
You can configure up to 64 access rules for a wireless network profile. To configure access rules for an employee or voice network:
1. In Access Rules, select any of the following types of access control:
- Unrestricted—Select this to set unrestricted access to the network.
- Network-based—Select Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an access rule:
  a. Click the (+) icon.
  b. Select appropriate options in the New Rule pane.
  c. Click OK.
- Role based—Select Role based to enable access based on user roles. For role-based access control:
  - Create a user role if required.
  - Create access rules for a specific user role. You can also configure an access rule to enforce captive portal authentication for an SSID that is configured to use the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID on page 57.
  - Create a role assignment rule.
2. Click Finish.
Configuring Captive Portal Profiles for Guest Access
Central supports the captive portal authentication method, in which a web page is presented to guest users when they try to access the Internet in hotels, conference centers, or Wi-Fi hotspots. The web page also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well.
The Central captive portal solution consists of the following:
- The captive portal web login page hosted by an internal or external server.
- The RADIUS authentication or user authentication against the internal database of the AP.
- The SSID broadcast by the IAP.
With Central, administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network.
Administrators can also create guest accounts and customize the captive portal page with an organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal web page prompts the user to authenticate with a user name and password.
Types of Captive Portal
Central supports the following types of captive portal authentication:
- Internal Captive portal—An internal server is used for hosting the captive portal service. It supports the following types of authentication:
  - Internal Authenticated—When Internal Authenticated is enabled, a guest user who is preprovisioned in the user database has to provide authentication details.
  - Internal Acknowledged—When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
- External Captive portal—For external captive portal authentication, an external portal on the cloud or on a server outside the enterprise network is used.
Configuring Captive Portal Profiles for Guest Network
For information on how to create and assign a captive portal profile, see the following sections:
- Configuring Captive Portal Profiles for Guest Network on page 53
- Configuring Internal Captive Portal for Guest Network on page 54
- Configuring External Captive Portal for a Guest Network on page 55
- Configuring Guest Logon Role and Access Rules for Guest Users on page 57
- Configuring Captive Portal Roles for an SSID on page 57
Configuring a WLAN SSID for Guest Access
To create an SSID for guest access:
1. Select Wireless Configuration > Networks and then click Create New. The Create a New Network data pane is displayed.
2. Select a type of network from Type.
3. Enter a name that uniquely identifies a wireless network in Name (SSID).
4. Select the Primary Usage as Guest.
5. Click the Show Advanced Options link. The advanced options for configuration are displayed.
6. If configuring a wireless guest profile, set the required WLAN configuration parameters described in
7. Click Next to configure VLAN settings. The VLAN details are displayed.
8. Select any of the following options for Client IP Assignment:
- Virtual Controller Assigned—On selecting this option, the client obtains the IP address from the VC. The VC creates a private subnet and VLAN on the IAP for the wireless clients. The NAT for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP and Client IP Assignment Modes on page 100.
- Network Assigned—Select this option to obtain the IP address from the network.
9. If Network Assigned is selected, specify any of the following options for Client VLAN Assignment:
- Default—On selecting this option, the client obtains the IP address in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Static—On selecting this option, you need to specify a single VLAN, a comma separated list of VLANs, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
- Dynamic—On selecting this option, you can assign the VLANs dynamically from a DHCP server. To create VLAN assignment rules:
  a. Click New to assign the user to a VLAN. The New VLAN Assignment Rule data pane is displayed.
  b. Enter the following information:
  - ATTRIBUTE—Select an attribute returned by the RADIUS server during authentication.
  - OPERATOR—Select an operator for matching the string.
  - STRING—Enter the string to match.
  - VLAN—Enter the VLAN to be assigned.
10. Click Next to configure internal or external captive portal profiles.
Configuring Internal Captive Portal for Guest Network
To configure an internal captive portal profile:
1. In the Security tab, assign values for the configuration parameters:
Table 19: Internal Captive Portal Configuration Parameters

Splash Page Type: Select any of the following:
- Internal - Authenticated—When Internal Authenticated is enabled, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
- Internal - Acknowledged—When Internal Acknowledged is enabled, the guest users are required to accept the terms and conditions to access the Internet.

MAC Authentication: Select Enabled to enable MAC authentication.

WISPr: Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication on page 78.
NOTE: WISPr authentication is applicable only for Internal-Authenticated splash pages and is not applicable for wired profiles. This is applicable for WLAN SSIDs only.

Authentication Server 1 and Authentication Server 2: Select any one of the following:
- A server from the list of servers, if the server is already configured.
- Internal Server, to authenticate user credentials at run time.
- New, to configure a new external RADIUS server for authentication.
Load Balancing: Select Enabled to enable load balancing if two authentication servers are used.

Reauth Interval: Select a value to allow the APs to periodically reauthenticate all associated and authenticated clients.

Blacklisting: If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Accounting Mode: Select an accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client disconnects. This is applicable for WLAN SSIDs only.

Disable If Uplink Type Is: To exclude an uplink, select an uplink type.

Encryption: Select Enabled to configure encryption parameters. This is applicable for WLAN SSIDs only.

Splash Page Design: Under Splash Page Visuals, use the editor to specify text and colors for the initial page that is displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type (Internal - Authenticated or Internal - Acknowledged) for which you are customizing the splash page design. Perform the following steps to customize the splash page design.
- To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
- To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome Text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
- To change the policy text, click the second square in the splash page, enter the required text in the Policy Text box, and click OK. Ensure that the policy text does not exceed 255 characters.
- To upload a custom logo, click Upload, browse to the image file, and click upload image. Ensure that the image file size does not exceed 16 KB.
- To redirect users to another URL, specify a URL in Redirect URL.
- To preview the captive portal page, click Preview splash page.
NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.

2. Click Next.
Configuring External Captive Portal for a Guest Network
You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles in the Security > External Captive Portal data pane and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile under the Security tab of the WLAN wizard or a Wired Network pane. You can configure up to eight external captive portal profiles.
When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.
To configure an external captive portal profile:
1. Select Wireless Configuration > Security > External Captive Portal.
2. Click New. The New pop-up pane is displayed.
3. Specify values for the following parameters:
Table 20: External Captive Portal Profile Configuration Parameters

Name: Enter a name for the profile.

Type: Select any one of the following types of authentication:
- Radius Authentication—Select this option to enable user authentication against a RADIUS server.
- Authentication Text—Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

IP or Hostname: Enter the IP address or the hostname of the external splash page server.

URL: Enter the URL of the external captive portal server.

Port: Enter the port number that is used for communicating with the external captive portal server.

Use HTTPS: Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

Captive Portal Failure: This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to allow access to the network.

Automatic URL Whitelisting: On enabling this for the external captive portal authentication, the URLs that unauthenticated users are allowed to access are automatically whitelisted.

Auth Text: If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.

Redirect URL: Specify a redirect URL if you want to redirect the users to another URL.

4. Click Save.
Configuring Guest Logon Role and Access Rules for Guest Users
To configure access rules for a guest network:
1. Select Wireless Configuration > Networks and then click Create New. The Create a New Network pane is displayed.
2. For Type, select Wireless.
3. Enter a name that is used to identify the network in the Name (SSID) box.
4. Select Guest under Primary Usage and click Next.
5. In the Access tab, select any of the following types of access control:
• Unrestricted — Select this to set unrestricted access to the network.
• Network Based — Select Network Based to set common rules for all users in a network. By default, the Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule:
a. Click the (+) icon and select appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
b. Click Save.
• Role Based — Select Role Based to enable access based on user roles. For role-based access control:
1. Create a user role:
a. Click New in the Role pane.
b. Enter a name for the new role and click OK.
2. Create access rules for a specific user role:
a. Click the (+) icon and select appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
b. Click Save.
3. Create a role assignment rule:
a. Under Role Assignment Rule, click New. The New Role Assignment Rule pane is displayed.
b. Select appropriate options in the Attribute, Operator, String, and Role fields.
c. Click Save.
6. Click Finish.
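As an added example (illustrative Python written for this page, not Aruba Central's own code), the following models how the Role Based access control configured in step 5 is applied to a client: role assignment rules (Attribute, Operator, String, Role) are matched against client attributes to pick a role, and that role's access rules (Rule Type, Service, Action, Destination) are then checked against each flow, with the default Allow any to all destinations rule as the fallback. The attribute names, the operator names (equals, contains, starts-with), first-match evaluation order, and the sample policy and addresses are assumptions of this example.

```python
"""Role-based access control as configured in step 5 (illustrative code).

Two stages, mirroring the UI: role assignment rules (Attribute, Operator,
String, Role) pick a role for the client, then that role's access rules
(Rule Type, Service, Action, Destination) are checked against each flow.
Assumptions: first matching rule wins, and the operator and attribute names
are this example's, not the product's.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class RoleAssignmentRule:
    attribute: str   # client attribute to test, e.g. "ssid" or "mac" (assumed names)
    operator: str    # "equals", "contains" or "starts-with" (assumed operator set)
    string: str      # value compared against the attribute
    role: str        # role granted when the rule matches

    def matches(self, client: dict) -> bool:
        value = str(client.get(self.attribute, ""))
        if self.operator == "equals":
            return value == self.string
        if self.operator == "contains":
            return self.string in value
        if self.operator == "starts-with":
            return value.startswith(self.string)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class AccessRule:
    rule_type: str    # "access-control" here; the page also has "captive-portal"
    service: str      # "any" or a service name such as "dns" or "http"
    action: str       # "allow" or "deny"
    destination: str  # "any" or a CIDR network

    def matches(self, service: str, dst_ip: str) -> bool:
        if self.service != "any" and self.service != service:
            return False
        if self.destination == "any":
            return True
        return ip_address(dst_ip) in ip_network(self.destination)


# The rule the page says is enabled by default: "Allow any to all destinations".
DEFAULT_RULE = AccessRule("access-control", "any", "allow", "any")

# Constructed sample policy (not from the page). Guests may use DNS and HTTP on
# the Internet but nothing on the private 10.0.0.0/8 range; the deny rule for
# that range is listed first so it wins over the broader allow rules.
GUEST_RULES = [
    AccessRule("access-control", "any", "deny", "10.0.0.0/8"),
    AccessRule("access-control", "dns", "allow", "any"),
    AccessRule("access-control", "http", "allow", "any"),
    AccessRule("access-control", "any", "deny", "any"),
]
ROLE_RULES: Dict[str, List[AccessRule]] = {
    "Guest": GUEST_RULES,
    "Employee": [],  # no explicit rules: falls through to DEFAULT_RULE
}
ASSIGNMENT_RULES = [
    RoleAssignmentRule("ssid", "equals", "Corp-WiFi", "Employee"),
    # 02:00:00 is a locally administered, constructed prefix used only as sample data.
    RoleAssignmentRule("mac", "starts-with", "02:00:00", "Employee"),
]


def assign_role(client: dict, rules: List[RoleAssignmentRule], default_role: str) -> str:
    """First matching role assignment rule wins; otherwise the network's default role."""
    for rule in rules:
        if rule.matches(client):
            return rule.role
    return default_role


def evaluate(role_rules: Dict[str, List[AccessRule]], role: str, service: str, dst_ip: str) -> str:
    """Return 'allow' or 'deny' for one flow under the given role's rule list."""
    for rule in role_rules.get(role, []) + [DEFAULT_RULE]:
        if rule.matches(service, dst_ip):
            return rule.action
    return DEFAULT_RULE.action  # not reached: DEFAULT_RULE matches every flow


def decide(client: dict, service: str, dst_ip: str, default_role: str = "Guest") -> str:
    """Full path: assign a role, then evaluate the flow under that role."""
    role = assign_role(client, ASSIGNMENT_RULES, default_role)
    return evaluate(ROLE_RULES, role, service, dst_ip)


if __name__ == "__main__":
    guest = {"ssid": "Guest-WiFi", "mac": "aa:bb:cc:dd:ee:ff"}
    print(decide(guest, "http", "10.1.2.3"))      # deny: private range
    print(decide(guest, "http", "203.0.113.10"))  # allow: Internet HTTP
```

The point to take from the sample policy is ordering: because the default rule allows everything, a role that should be restricted needs its deny rules listed before any broad allow rule, and a final deny-any if the role is meant to be allow-listed rather than deny-listed.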
Configuring Captive Portal Roles for an SSID
You can configure an access rule to enforce captive portal authentication for SSIDs with 802.1X authentication enabled. You can configure rules that provide access to an external or an internal captive portal, so that some of the clients using this SSID can derive the captive portal role.
The following conditions apply to the 802.1X and captive portal authentication configuration:
• If captive portal settings are not configured for a user role, the captive portal settings configured for an SSID are applied to the client's profile.
• If captive portal settings are not configured for an SSID, the captive portal settings configured for a user role are applied to the client's profile.
• If captive portal settings are configured for both the SSID and the user role, the captive portal settings configured for the user role are applied to the client's profile.
To create a captive portal role for the Internal-acknowledged and External Authentication Text splash page types:
1. Select an SSID profile from Wireless Configuration > Networks, and click Edit.
2. Click Access, select Role based, and select an existing role or create a new one.
3. Click (+ Add Rule). The Add Rules data pane is displayed.
4. In the Add Rules data pane, specify the following parameters.
Table 21: Access Rule Configuration Parameters
Rule Type: Select Captive Portal from the drop down.
Splash Page Type (Internal / External): Select any of the following attributes:
• Select Internal to configure a rule for internal captive portal authentication.
• Select External to configure a rule for external captive portal authentication.
If Internal is selected as the splash page type:
• Under Splash Page Visuals, use the editor to specify text and colors for the initial page that will be displayed to users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type configured.
• To change the welcome text, enter the required text in Welcome Text, and click Save. Ensure that the welcome text does not exceed 127 characters.
• To change the policy text, enter the required text in Policy Text, and click Save. Ensure that the policy text does not exceed 255 characters.
• To change the color of the splash page, click the box corresponding to Body Background Color and select the required color from the palette.
• To redirect the guest users, specify the URL in Redirect URL.
• To preview the captive portal page, click Preview Splash Page.
If External is selected, perform the following steps:
• Select a profile from Captive Portal Profile.
• If you want to edit the profile, click Edit and update the following parameters:
  ◦ Type — Select either RADIUS Authentication (to enable user authentication against a RADIUS server) or Authentication Text (to specify the authentication text to be returned by the external server after a successful user authentication).
  ◦ IP OR Hostname — Enter the IP address or the hostname of the external splash page server.
  ◦ URL — Enter the URL for the external splash page server.
  ◦ Port — Enter the port number for communicating with the external splash page server.
  ◦ Captive Portal Failure — This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access the Internet when the external captive portal server is not available.
  ◦ Automatic URL Whitelisting — Select Enabled or Disabled to enable or disable automatic whitelisting of URLs. On selecting this for the external captive portal authentication, the URLs allowed for the unauthenticated users to access are automatically whitelisted. Automatic URL whitelisting is disabled by default.
  ◦ Auth TEXT — Indicates the authentication text returned by the external server after a successful user authentication.
  ◦ Redirect URL — Specify a redirect URL to redirect the users to another URL.
5. Click Save. The enforce captive portal rule is created and listed as an access rule.
6. Click Save Settings.
The client can connect to this SSID after authenticating with a user name and password. After the user logs in successfully, the captive portal role is assigned to the client.
Disabling Captive Portal Authentication
To disable captive portal authentication, perform the following steps:
1. Select Wireless Configuration > Networks.
2. Select the network profile for which captive portal needs to be disabled and then click Edit. The Networks > Configuration <profile-name> pane is displayed.
3. Select Security and select None from Splash Page Type.
4. Click Save Settings.
Configuring Walled Garden Access
Administrators can also control the resources that the guest users can access and the amount of bandwidth or air time they can use at any given time. When an external captive portal is used, administrators can configure a walled garden, which determines access to the URLs requested by the guest users. For example, in a hotel environment, the unauthenticated users are allowed to access a designated login page (for example, a hotel website) and all its contents. Users who do not sign up for the Internet service can view only the allowed websites (typically hotel property websites).
Administrators can allow or block access to specific URLs by creating a whitelist and a blacklist. When users attempt to access other websites, which are not in the whitelist of the walled garden profile, users are redirected to the login page. If the requested URL is on the blacklist, it is blocked. If it appears on neither list, the request is redirected to the external captive portal.
To create walled garden access:
1. Select Wireless Configuration > Security > Walled Garden. The Walled Garden details are displayed.
2. Click Blacklist: n Whitelist: n. The Walled Garden data pane is displayed.
3. To allow users to access a specific domain, click New and enter the domain name or URL in the Whitelist data pane. This allows access to a domain while the user remains unauthenticated. Specify a POSIX regular expression (regex(7)). For example:
• yahoo.com matches various domains such as news.yahoo.com, travel.yahoo.com and finance.yahoo.com
• www.apple.com/library/test is a subset of the www.apple.com site corresponding to the path /library/test/*
• favicon.ico allows access to /favicon.ico from all domains.
4. To deny users access to a domain, click New and enter the domain name or URL in the Blacklist data pane. This prevents the unauthenticated users from viewing specific websites. When a URL specified in the blacklist is accessed by an unauthenticated user, the IAP sends an HTTP 403 response to the client with a simple error message.
If the requested URL does not appear on the blacklist or the whitelist, the request is redirected to the external captive portal.
5. Select the domain name/URL and click Edit to modify it, or click Delete to remove the entry from the list.
6. Click OK to apply the changes.
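The walled garden decision described in steps 3 and 4, as an added example (illustrative Python written for this page, not the IAP's implementation): each request from an unauthenticated client is checked against the blacklist (HTTP 403), then the whitelist (reachable without authentication), and otherwise redirected to the external captive portal. Entries are applied as regular expressions searched anywhere in the host and path, which is why the page's yahoo.com entry also matches news.yahoo.com. Checking the blacklist before the whitelist, using Python's re module in place of POSIX regex(7), and the badsite.example blacklist entry are assumptions of this example.

```python
"""Walled garden decision for an unauthenticated guest request (illustrative).

Whitelist and blacklist entries are regular expressions searched against the
requested host and path, so the page's entry "yahoo.com" also matches
news.yahoo.com. Assumptions: the blacklist is checked before the whitelist,
and Python's re module stands in for POSIX regex(7).
"""
import re
from urllib.parse import urlsplit

BLOCK = "block-403"                      # page: IAP answers HTTP 403
ALLOW = "allow"                          # page: reachable while unauthenticated
REDIRECT = "redirect-to-captive-portal"  # page: neither list matched

# Constructed sample lists. The whitelist entries are the page's own examples;
# badsite.example is a sample blacklist entry, not a real site.
WHITELIST = ["yahoo.com", "www.apple.com/library/test", "favicon.ico"]
BLACKLIST = ["badsite.example"]


def request_target(url: str) -> str:
    """Normalise a requested URL to 'host/path' so an entry such as
    'www.apple.com/library/test' can match across the host/path boundary."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host + path


def _matches(patterns, target: str) -> bool:
    return any(re.search(pattern, target) for pattern in patterns)


def walled_garden_decision(url: str, whitelist=WHITELIST, blacklist=BLACKLIST) -> str:
    """Return BLOCK, ALLOW or REDIRECT for one unauthenticated request."""
    target = request_target(url)
    if _matches(blacklist, target):
        return BLOCK
    if _matches(whitelist, target):
        return ALLOW
    return REDIRECT


if __name__ == "__main__":
    for sample in ["http://news.yahoo.com/world",
                   "https://www.apple.com/library/test/index.html",
                   "http://www.apple.com/store",
                   "http://badsite.example/"]:
        print(sample, "->", walled_garden_decision(sample))
```

Because entries are unanchored and an unescaped dot matches any character, an entry like yahoo.com matches any host or path that merely contains that text, not only that domain and its subdomains. When an entry is meant to cover one domain, anchor and escape it (for example (^|\.)yahoo\.com/), and review the whitelist with the same care as a firewall rule: everything it matches is reachable before the user has authenticated.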
Configuring Profiles for Wired Network
The Ethernet ports allow third-party devices such as VoIP phones or printers (which support only wired connections) to connect to the wireless network. You can also configure an Access Control List (ACL) for additional security on the Ethernet downlink.
To configure wired settings:
1. Select Wireless Configuration > Networks and then click Create New. The Create a New Network data pane is displayed.
2. Select Wired for Type.
3. In the Basic Info pane, enter the following information:
a. Name — Specify a name for the profile.
b. Primary Usage — Select Employee or Guest.
c. Speed/Duplex — Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
d. PoE — Set PoE to Enabled to enable Power over Ethernet.
e. Admin Status — Ensure that an appropriate value is selected. The Admin Status indicates if the port is up or down.
f. Content Filtering — To ensure that all DNS requests to non-corporate domains on this wired network are sent to OpenDNS, select Enabled for Content Filtering.
g. Uplink — Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled as the Uplink port.
h. Spanning Tree — Select the Spanning Tree check box to enable Spanning Tree Protocol (STP) on the wired profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on IAPs with three or more ports. By default, Spanning Tree is disabled on wired profiles.
4. Click Next. The VLANs pane details are displayed.
5. On the VLANs pane, configure VLANs for the wired network:
a. Mode — Specify any of the following modes:
• Access — Select this mode to allow the port to carry a single VLAN specified as the native VLAN.
• Trunk — Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.
b. Specify any of the following values for Client IP Assignment:
• Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client.
• Network Assigned: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
c. If the Trunk mode is selected:
• Specify the Allowed VLAN: enter a list of comma-separated digits or ranges, such as 1,2,5 or 1-4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
• If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as the Native VLAN. You can specify a value within the range of 1-4093.
d. If the Access mode is selected:
• If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 6.
• If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
6. Click Next. The Security pane details are displayed.
7. On the Security pane, select the security options as per your requirement:
• MAC Authentication — To enable MAC authentication, select Enabled. MAC authentication is disabled by default.
• 802.1X Authentication — To enable 802.1X authentication, select Enabled.
• MAC Authentication Fail-Through — To enable authentication fail-through, select Enabled. When this feature is enabled, 802.1X authentication is attempted when MAC authentication fails. The MAC Authentication Fail-Through check box is displayed only when both MAC Authentication and 802.1X Authentication are Enabled.
• Select any of the following options for Authentication Server 1:
  ◦ New — On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring External Servers for Authentication.
  ◦ Internal Server — If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users.
• Reauth Interval — Specify the interval at which all associated and authenticated clients must be reauthenticated.
• Load Balancing — Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers on page 72.
8. Click Next. The Access pane is displayed.
9. On the Access pane, configure the access rule parameters.
a. Select any of the following types of access control:
• Role-based — Allows the users to obtain access based on the roles assigned to them.
• Unrestricted — Allows the users to obtain unrestricted access on the port.
• Network-based — Allows the users to be authenticated based on access rules specified for a network.
b. If the Role-based access control is selected:
• Under Role, select an existing role for which you want to apply the access rules, or click New and add the required role. To add a new access rule, click Add Rule under Access Rules For Selected Roles.
The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted.
• Configure role assignment rules. To add a new role assignment rule, click New under Role Assignment Rules. Under New Role Assignment Rule:
a. Select an attribute.
b. Specify an operator condition.
c. Select a role.
d. Click Save.
10. Click Next. The Network Assignment pane is displayed.
11. On the Network Assignment pane, assign wired profiles to Ethernet ports:
a. Select a profile from the 0/0 drop down list.
b. Select the profile from the 0/1 drop down list.
c. If the IAP supports E2, E3 and E4 ports, assign profiles to these ports by selecting a profile from the 0/2, 0/3, and 0/4 drop-down lists respectively.
12. Click Finish.
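As an added example (illustrative Python written for this page, not Aruba Central's own code), the following parses the Allowed VLAN field from step 5c and checks a wired profile's VLAN settings against the rules the VLANs pane states: Trunk mode needs a valid Allowed VLAN list (comma-separated IDs or ranges, or all), Native VLAN is required with Network Assigned and must lie within 1-4093, and Access mode with Network Assigned needs an Access VLAN. The function and field names are this example's, and applying the 1-4093 range to Access VLAN as well is an assumption.

```python
"""Wired profile VLAN settings check for the VLANs pane (illustrative).

Implements the constraints stated in step 5: Allowed VLAN is a comma-separated
list of IDs or ranges (1,2,5 or 1-4) or "all"; Native VLAN is required with
Network Assigned in Trunk mode and lies in 1-4093; Access VLAN is required with
Network Assigned in Access mode. Applying the 1-4093 range to Access VLAN as
well is an assumption of this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Union

VLAN_MIN, VLAN_MAX = 1, 4093  # range the page gives for Native VLAN


def parse_allowed_vlans(text: str) -> Union[str, Set[int]]:
    """Return "all" or the set of VLAN IDs named by the Allowed VLAN field."""
    text = text.strip().lower()
    if text == "all":
        return "all"
    vlans: Set[int] = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in Allowed VLAN list")
        lo, _, hi = item.partition("-")  # "5" -> ("5", "", ""), "1-4" -> ("1", "-", "4")
        low = int(lo)
        high = int(hi) if hi else low
        if low > high:
            raise ValueError(f"range {item!r} is reversed")
        for v in (low, high):
            if not VLAN_MIN <= v <= VLAN_MAX:
                raise ValueError(f"VLAN {v} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(low, high + 1))
    return vlans


@dataclass
class WiredVlanConfig:
    mode: str                          # "Access" or "Trunk"
    client_ip_assignment: str          # "Virtual Controller Assigned" or "Network Assigned"
    allowed_vlan: str = ""             # Trunk mode only
    native_vlan: Optional[int] = None  # Trunk mode with Network Assigned
    access_vlan: Optional[int] = None  # Access mode with Network Assigned


def validate_wired_vlans(cfg: WiredVlanConfig) -> List[str]:
    """Return the list of problems found; an empty list means the profile is consistent."""
    problems: List[str] = []
    network_assigned = cfg.client_ip_assignment == "Network Assigned"
    if cfg.mode == "Trunk":
        try:
            parse_allowed_vlans(cfg.allowed_vlan)
        except ValueError as err:
            problems.append(f"Allowed VLAN: {err}")
        if network_assigned:
            if cfg.native_vlan is None:
                problems.append("Native VLAN is required with Network Assigned")
            elif not VLAN_MIN <= cfg.native_vlan <= VLAN_MAX:
                problems.append(f"Native VLAN {cfg.native_vlan} is outside {VLAN_MIN}-{VLAN_MAX}")
    elif cfg.mode == "Access":
        if network_assigned:
            if cfg.access_vlan is None:
                problems.append("Access VLAN is required with Network Assigned")
            elif not VLAN_MIN <= cfg.access_vlan <= VLAN_MAX:
                problems.append(f"Access VLAN {cfg.access_vlan} is outside {VLAN_MIN}-{VLAN_MAX}")
    else:
        problems.append(f"unknown mode {cfg.mode!r}")
    return problems


if __name__ == "__main__":
    trunk = WiredVlanConfig("Trunk", "Network Assigned", "10-12,20", native_vlan=10)
    print(parse_allowed_vlans(trunk.allowed_vlan), validate_wired_vlans(trunk))
```

A check like this is worth running before a profile is pushed to ports: a trunk that carries all with an untagged native VLAN exposes every VLAN on a downlink port, so reviewing the parsed set rather than the raw string makes the exposure explicit.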
Editing a Network Profile
To edit a network profile:
1. In the Wireless Configuration > Networks tab, select the network that you want to edit.
2. Click the Edit icon under the Actions column. The network details are displayed.
3. Modify the profile.
4. Click Save Settings to save the changes.
Deleting a Network Profile
To delete a network profile:
1. In the Wireless Configuration > Networks tab, click the network that you want to delete.
2. Click the Delete icon under the Actions column. A delete confirmation pane is displayed.
3. Click OK.
Configuring ARM and RF Parameters
This section provides the following information:
• Configuring ARM Features on page 65
• Configuring Radio Settings on page 67
ARM Overview
ARM is a radio frequency management technology that optimizes WLAN performance even in networks with the highest traffic by dynamically and intelligently choosing the best 802.11 channel and transmit power for each IAP in its current RF environment. ARM works with all standard clients, across all operating systems, while remaining in compliance with the IEEE 802.11 standards. It does not require any proprietary client software to achieve its performance goals. ARM ensures low-latency roaming, consistently high performance, and maximum client compatibility in a multi-channel environment. By ensuring the fair distribution of available Wi-Fi bandwidth to mobile devices, ARM ensures that data, voice, and video applications have sufficient network resources at all times. ARM allows mixed 802.11a, b, g, n, and ac client types to interoperate at the highest performance levels.
Channel or Power Assignment
The channel or power assignment feature automatically assigns channel and power settings for all the IAPs in the network according to changes in the RF environment. This feature automates many setup tasks during network installation and the ongoing operations when RF conditions change.
Voice Aware Scanning
The Voice Aware Scanning feature prevents an IAP supporting an active voice call from scanning for other channels in the RF spectrum and allows an IAP to resume scanning when there are no active voice calls. This significantly improves the voice quality when a call is in progress and simultaneously delivers the automated RF management functions. By default, this feature is enabled.
Load Aware Scanning
The Load Aware Scanning feature dynamically adjusts scanning behavior to maintain uninterrupted data transfer on resource-intensive systems when the network traffic exceeds a predefined threshold. The IAPs resume complete monitoring scans when the traffic drops to normal levels. By default, this feature is enabled.
Band Steering Mode
The Band Steering feature assigns dual-band capable clients to the 5 GHz band on dual-band IAPs. This feature reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. For more information, see
Client Match
The Client Match feature continually monitors the RF neighborhood of the client to provide ongoing client band steering and load balancing, and enhanced IAP reassignment for roaming mobile clients. This feature supersedes the legacy band steering and spectrum load balancing features, which, unlike Client Match, do not trigger IAP changes for clients already associated to an IAP.
When Client Match is enabled on 802.11n-capable IAPs, the Client Match feature overrides any settings configured for the legacy band steering, station hand-off assist or load balancing features. The 802.11ac-capable IAPs do not support the legacy band steering, station hand-off or load balancing settings, so these IAPs must be managed using Client Match.
When the Client Match feature is enabled on an IAP, the IAP measures the RF health of its associated clients. If one of the three mismatch conditions described below is met, clients are moved from one IAP to another for better performance and client experience. The Client Match feature is supported only within an IAP cluster.
The following client or IAP mismatch conditions are managed by the Client Match feature:
• Dynamic Load Balancing — Client Match balances clients across IAPs on different channels, based upon the client load on the IAPs and the SNR levels the client detects from an underutilized IAP. If an IAP radio can support additional clients, the IAP participates in Client Match load balancing and clients can be directed to that IAP radio, subject to predefined SNR thresholds.
• Sticky Clients — The Client Match feature also helps mobile clients that tend to stay associated to an IAP despite low signal levels. IAPs using Client Match continually monitor the client's RSSI as it roams between IAPs, and move the client to an IAP when a better radio match can be found. This prevents mobile clients from remaining associated to an AP with less than ideal RSSI, which can cause poor connectivity and reduce performance for other clients associated with that IAP.
• Band Steering — IAPs using the Client Match feature monitor the RSSI for clients that advertise a dual-band capability. If a client is currently associated to a 2.4 GHz radio and the AP detects that the client has a good RSSI from the 5 GHz radio, the controller attempts to steer the client to the 5 GHz radio, as long as the 5 GHz RSSI is not significantly worse than the 2.4 GHz RSSI, and the IAP retains a suitable distribution of clients on each of its radios.
By default, the Client Match feature is disabled. For information on Client Match configuration on an IAP, see Configuring ARM Features on page 65.
Spectrum load balancing is integrated with the Client Match feature. Client Match allows the APs in a cluster to be divided into several logical AP RF neighborhoods called domains, which share the same clients. The VC determines the distribution of clients and balances client load across channels, regardless of whether the AP is responding to the wireless probe requests of the client.
Airtime Fairness Mode
The Airtime Fairness feature provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system, thus delivering uniform performance to all clients. This feature prevents the clients from monopolizing resources.
AP Control
The following AP control features are supported:
• Customize Valid Channels — You can customize Valid 5 GHz channels and Valid 2.4 GHz channels for 20 MHz and 40 MHz channels in the IAP. Administrators can configure the ARM channels in the channel width window. The valid channels automatically appear in the static channel assignment data pane.
• Minimum Transmit Power — This indicates the minimum EIRP from 3 to 33 dBm in 3 dBm increments. You may also specify a special value of 127 dBm for regulatory maximum to disable power adjustments for environments such as outdoor mesh links. A higher power level setting may be constrained by the local regulatory requirements and AP capabilities. If the minimum transmission EIRP setting configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
• Maximum Transmit Power — This indicates the maximum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. Higher power level settings may be constrained by local regulatory requirements and AP capabilities. If the maximum transmission EIRP configured on an AP is not supported by the AP model, the value is reduced to the highest supported power setting. The default value for maximum transmit power is 127 dBm.
• Client Match — When Enabled, ARM does not change channels for the APs with active clients, except for high priority events such as radar or excessive noise. This feature must be enabled in most deployments for a stable WLAN. If the Client Match mode is Disabled, the IAP may change to a more optimal channel, which may disrupt current client traffic for a while. The Client Match option is Enabled by default.
When the Client Match ARM is disabled, channels can be changed even when clients are active on a BSSID.
• Scanning — When ARM is enabled, the IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and reports to the IAP. This scanning report includes WLAN coverage, interference, and intrusion detection data.
• Wide Channel Bands — This feature allows administrators to configure 40 MHz channels in the 2.4 GHz and 5.0 GHz bands. 40 MHz channels are essentially two adjacent 20 MHz channels that are bonded together. A 40 MHz channel effectively doubles the frequency bandwidth available for data transmission.
Monitoring the Network with ARM
When ARM is enabled, an IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and sends reports on network (WLAN) coverage, interference, and intrusion detection to a VC.
ARM Metrics
ARM computes coverage and interference metrics for each valid channel, and chooses the best performing channel and transmit power settings for each IAP RF environment. Each IAP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state.
Configuring ARM Features
To configure ARM features such as band steering, spectrum load balancing, and airtime fairness mode:
1. Select Wireless Configuration > RF > ARM. The ARM details are displayed.
2. Configure the following parameters for Band Steering Mode:
Table 22: Band Steering Mode Configuration Parameters
Prefer 5 GHz: Select this option to use band steering in the 5 GHz mode. On selecting this, the IAP steers the client to the 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts 2.4 GHz association.
Force 5 GHz: Select this option to enforce 5 GHz band steering mode on the IAPs.
Balance Bands: Select this option to allow the IAP to balance the clients across the two radios to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz, while the 2.4 GHz band operates in 20 MHz.
Disable: Select this option to allow the clients to select the band to use.
3. For AIRTIME FAIRNESS MODE, specify any of the following values:
Table 23: Airtime Fairness Mode Configuration Parameters
Default Access: Select this option to provide access based on client requests. When AIRTIME FAIRNESS is set to default access, per-user and per-SSID bandwidth limits are not enforced.
Fair Access: Select this option to allocate airtime evenly across all the clients.
Preferred Access: Select this option to set a preference where 11n clients are assigned more airtime than 11a/11g. The 11a/11g clients get more airtime than 11b. The ratio is 16:4:1.
4. For additional options, specify the following parameters:
Table 24: Additional ARM Configuration Parameters
Client Match: Select Enabled to enable the Client Match feature on APs. When enabled, the client count is balanced among all the channels in the same band. When Client Match is enabled, ensure that scanning is enabled.
CM Calculating Interval: Specify a value for the calculating interval of Client Match. The value specified for CM Calculating Interval determines the interval at which Client Match is calculated. The interval is specified in seconds and the default value is 30 seconds. You can specify a value within the range of 10-600.
CM Neighbor Matching %: Specify a value for CM Neighbor Matching %. This number is the least similarity percentage for an AP to be considered in the same virtual RF neighborhood of Client Match. You can specify a percentage value within the range of 20-100. The default value is 75%.
CM Threshold: Specify a value for CM Threshold. This number is the acceptable client count difference among all the channels of Client Match. When the client load on an AP reaches or exceeds the threshold in comparison, Client Match is enabled on that AP. You can specify a value within the range of 1-20. The default value is 2.
SLB Mode: Select a mode from SLB Mode. The SLB mode determines the balancing strategy for Client Match. The following options are available:
• Channel
• Radio
• Channel + Radio
5. For Access Point Control, specify the following parameters:
Table 25: AP Control Configuration Parameters
Customize Valid Channels: Select this to customize valid channels for 2.4 GHz and 5 GHz. By default, the AP uses the valid channels as defined by the Country Code (regulatory domain). On selecting Customize Valid Channels, a list of valid channels for both 2.4 GHz and 5 GHz is displayed. The valid channel customization feature is disabled by default.
Minimum Transmit Power: Specify the minimum transmission power. The value specified for Minimum Transmit Power indicates the minimum EIRP from 3 to 33 dBm in 3 dBm increments. If the minimum transmission EIRP setting configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
Maximum Transmit Power: Specify the maximum transmission power. The value specified for Maximum Transmit Power indicates the maximum EIRP from 3 to 33 dBm in 3 dBm increments. If the maximum transmission EIRP configured on an AP is not supported by the AP model, the value is reduced to the highest supported power setting. The default value for maximum transmit power is Max, which is set as 127 dBm.
Client Aware: Select Enabled to allow ARM to control channel assignments for the IAPs with active clients. When the Client Match mode is set to Disabled, an IAP may change to a more optimal channel, which disrupts current client traffic. The Client Aware option is Enabled by default.
Scanning: Select Enabled so that the IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and reports to the IAP. This scanning report includes WLAN coverage, interference, and intrusion detection data.
NOTE: For Client Match configuration, ensure that scanning is enabled.
Wide Channel Bands: Select a band to allow the APs to be placed in 40 MHz (wide band) channels. The WIDE Channel Band allows administrators to configure 40 MHz channels in the 2.4 GHz and 5.0 GHz bands. 40 MHz channels are two adjacent 20 MHz channels that are bonded together. A 40 MHz channel effectively doubles the frequency bandwidth available for data transmission. For high performance, you can select 5 GHz. If the AP density is low, enable it in the 2.4 GHz band.
80 MHz Support: Enables or disables the use of 80 MHz channels on APs. This feature allows ARM to assign 80 MHz channels on APs with 5 GHz radios, which support very high throughput. This setting is enabled by default.
NOTE: Only the APs that support 802.11ac can be configured with 80 MHz channels.
6. Click Save and reboot the IAP.
7. Click Save Settings.
Configuring Radio Settings
To configure 2.4 GHz and 5 GHz radio settings for an IAP:
1. Select Wireless Configuration > RF > Radio. The Radio details are displayed.
2. Under 2.4 GHz, 5 GHz, or both, configure the following parameters.
Table 26:
Radio Configuration Parameters
Data pane item Description
Legacy Only
Select
Enabled
to run the radio in non-802.11n mode. This option is set to
Disabled
by default.
802.11d / 802.11h
Select
Enabled
to allow the radio to advertise its 802.11d (Country
Information) and 802.11h (Transmit Power Control) capabilities. This option is set to
Disabled
by default.
Beacon Interval
Enter the beacon period for the IAP in milliseconds. This indicates how often the 802.11 beacon management frames are transmitted by the AP. You can specify a value within the range of 60-500. The default value is 100 milliseconds.
Interference Immunity Level
Select to increase the immunity level to improve performance in high-interference environments. The default immunity level is 2.
- Level 0 — no ANI adaptation.
- Level 1 — Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
- Level 2 — Noise and spur immunity. This level also controls the detection of OFDM packets, and is the default setting for the Noise Immunity feature.
- Level 3 — Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high level of interference related to 2.4 GHz appliances such as cordless phones.
- Level 4 — Level 3 settings and FIR immunity. At this level, the AP adjusts its sensitivity to in-band power, which can improve performance in environments with high and constant levels of noise interference.
- Level 5 — The AP completely disables PHY error reporting, improving performance by eliminating the time the IAP spends on PHY processing.
NOTE: Increasing the immunity level makes the AP lose a small amount of range.
Channel Switch Announcement Count
Specify the count to indicate the number of channel switching announcements that are sent before switching to a new channel. This allows associated clients to recover gracefully from a channel change.
Background Spectrum Monitoring
Select Enabled to allow the APs in access mode to continue with normal access service to clients, while performing the additional function of monitoring RF interference (from both neighboring APs and non-Wi-Fi sources such as microwaves and cordless phones) on the channel on which they are currently serving clients.
3. Click Save Settings.
Configuring Authentication and Security Parameters
This section provides the following information:
Supported Authentication Methods on page 69
Supported Authentication Servers on page 70
Configuring External Servers for Authentication on page 72
Configuring Dynamic RADIUS Proxy Parameters on page 75
Configuring 802.1X Authentication for a Network Profile on page 76
Configuring MAC Authentication for a Network Profile on page 77
Configuring MAC Authentication with 802.1X Authentication on page 77
Configuring MAC Authentication with Captive Portal Authentication on page 77
Configuring WISPr Authentication on page 78
Blacklisting Clients on page 79
Supported Authentication Methods
Authentication is a process of identifying a user through a valid username and password. Clients can also be authenticated based on their MAC addresses.
The following authentication methods are supported in Central:
- 802.1X authentication — 802.1X is a method for authenticating the identity of a user before providing network access to the user. Remote Authentication Dial In User Service (RADIUS) is a protocol that provides centralized authentication, authorization, and accounting management. For authentication purposes, the wireless client can associate to a network access server (NAS) or RADIUS client such as a wireless IAP. The wireless client can pass data traffic only after successful 802.1X authentication. For more information on configuring an IAP to use 802.1X authentication, see Configuring 802.1X Authentication for a Network Profile on page 76.
- MAC authentication — Media Access Control (MAC) authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks and networks that require stringent security settings. For more information on configuring an IAP to use MAC authentication, see Configuring MAC Authentication for a Network Profile on page 77.
- MAC authentication with 802.1X authentication — This authentication method has the following features:
  - MAC authentication precedes 802.1X authentication - Administrators can enable MAC authentication for 802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role.
  - MAC authentication only role - Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
  - L2 authentication fall-through - Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, 802.1X authentication is allowed even if MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default.
  For more information on configuring an IAP to use MAC + 802.1X authentication, see Configuring MAC Authentication with 802.1X Authentication on page 77.
- Captive Portal — Captive portal authentication is used for authenticating guest users. For more information on Captive Portal authentication, see Configuring Captive Portal Profiles for Guest Access on page 52.
- MAC authentication with Captive Portal authentication — This authentication method has the following features:
  - If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
  - If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
  - If the captive portal splash page type is none, MAC authentication is disabled.
  - You can configure the mac-auth-only role when MAC authentication is enabled with captive portal authentication.
  For more information on configuring an IAP to use MAC and Captive Portal authentication, see Configuring MAC Authentication with Captive Portal Authentication on page 77.
- 802.1X authentication with Captive Portal authentication — This authentication mechanism allows you to configure different Captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the Captive portal role. You can configure rules to indicate access to an external or internal Captive portal, or none. For more information on configuring Captive portal roles for an SSID with 802.1X authentication, see Configuring Captive Portal Roles for an SSID on page 57.
- WISPr authentication — Wireless Internet Service Provider roaming (WISPr) authentication allows a smart client to authenticate on the network when it roams between wireless Internet service providers, even if the wireless hotspot uses an Internet Service Provider (ISP) with whom the client may not have an account.
  If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on your hotspot's own ISP as per their service agreements. The IAP assigns the default WISPr user role to the client when your ISP sends an authentication message to the IAP. For more information on WISPr authentication, see Configuring WISPr Authentication on page 78.
Supported Authentication Servers
Based on the security requirements, you can configure internal or external RADIUS servers. This section describes the types of authentication servers and authentication termination that can be configured for a network profile:
External RADIUS server
In the external RADIUS server, the IP address of the VC is configured as the NAS IP address. Central RADIUS is implemented on the VC, and this eliminates the need to configure multiple NAS clients for every IAP on the RADIUS server for client authentication. Central RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and users are allowed or denied access to the network depending on the response from the RADIUS server.
When you enable an external RADIUS server for the network, the client on the IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet.
Central supports the following external authentication servers:
- RADIUS
- LDAP
To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs and passwords.
To use a RADIUS server for user authentication, configure the RADIUS server on the VC.
RADIUS Server Authentication with VSA
An external RADIUS server authenticates network users and returns to the IAP the Vendor-Specific Attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
Internal RADIUS Server
Each IAP runs a local instance of a free RADIUS server. When you enable the internal RADIUS server option for the network, the client on the IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens and replies to the RADIUS packet.
The following authentication methods are supported in the Central network:
- EAP-TLS — The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and Certification Authority (CA) certificates installed on the IAP. The client certificate is verified on the VC (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
- EAP-TTLS (MSCHAPv2) — The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
- EAP-PEAP (MSCHAPv2) — The Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. The PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. Exchange of information is encrypted and stored in the tunnel, ensuring the user credentials are kept secure.
- LEAP — Lightweight Extensible Authentication Protocol (LEAP) uses dynamic Wired Equivalent Privacy (WEP) keys for authentication between the client and authentication server.
To use the internal database of an AP for user authentication, add the names and passwords of the users to be authenticated.
Aruba does not recommend the use of LEAP authentication because it does not provide any resistance to network attacks.
Authentication Termination on IAP
Central allows EAP termination for PEAP-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against an LDAP server and an external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server.
This allows the users to run PEAP-GTC termination with their username and password to a local Microsoft Active Directory server with LDAP authentication.
- EAP-GTC — This EAP method permits the transfer of unencrypted usernames and passwords from client to server. EAP-GTC is mainly used for one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP to an external authentication server for user data backup.
- EAP-MSCHAPv2 — This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.
Dynamic Load Balancing between Authentication Servers
You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and enables the IAPs to perform load balancing of authentication requests destined to authentication servers such as RADIUS or LDAP.
Load balancing in the IAP is performed based on the outstanding authentication sessions. If there are no outstanding sessions and the rate of authentication is low, only the primary server is used. The secondary server is used only if there are outstanding authentication sessions on the primary server. With this, load balancing can be performed across RADIUS servers of asymmetric capacity without the need to obtain inputs about the server capabilities from the administrators.
Configuring External Servers for Authentication
You can configure an external RADIUS, TACACS, or LDAP server for user authentication. To configure a server:
1. Select Wireless Configuration > Security > Authentication Servers.
2. To create a new server, click New. A pane for specifying details for the new server is displayed.
3. Configure any of the following types of server:
RADIUS Server — To configure a RADIUS server, specify the attributes described in the following table:
Table 27: RADIUS Server Configuration Parameters
Data pane item: Description
Name: Enter the name of the new external RADIUS server.
IP Address: Enter the IP address of the external RADIUS server.
Auth Port: Enter the authorization port number of the external RADIUS server. The default port number is 1812.
Accounting Port: Enter the accounting port number. This port is used for sending accounting records to the RADIUS server. The default port number is 1813.
Shared Key: Enter a shared key for communicating with the external RADIUS server.
Retype Shared Key: Re-enter the shared key.
Timeout: Specify a timeout value in seconds. The value determines the timeout for one RADIUS request. The IAP retries to send the request several times (as configured in the Retry Count) before the user is disconnected. For example, if the Timeout is 5 seconds and the Retry Count is 3, the user is disconnected after 20 seconds. The default value is 5 seconds.
Retry Count: Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group. The default value is 3 requests.
RFC 3576: Select Enabled to allow the APs to process RFC 3576-compliant CoA and disconnect messages from the RADIUS server. Disconnect messages terminate the user session immediately, whereas the CoA messages modify session authorization attributes such as data filters.
NAS IP Address: Enter the VC IP address. The NAS IP address is the VC IP address that is sent in data packets.
NOTE: If you do not enter the IP address, the VC IP address is used by default when Dynamic RADIUS Proxy (DRP) is enabled.
NAS Identifier: Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
Dead Time: Specify a dead time for the authentication server in minutes. When two or more authentication servers are configured on the IAP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is marked as unavailable.
Dynamic RADIUS Proxy Parameters: Specify the following dynamic RADIUS proxy parameters:
- DRP IP — IP address to be used as source IP for RADIUS packets.
- DRP MASK — Subnet mask of the DRP IP address.
- DRP VLAN — VLAN in which the RADIUS packets are sent.
- DRP GATEWAY — Gateway IP address of the DRP VLAN.
For more information on dynamic RADIUS proxy parameters and the configuration procedure, see Configuring Dynamic RADIUS Proxy Parameters on page 75.
LDAP Server — To configure an LDAP server, specify the attributes described in the following table:
Table 28: LDAP Server Configuration Parameters
Data pane item: Description
Name: Enter the name of the LDAP server.
IP Address: Enter the IP address of the LDAP server.
Auth Port: Enter the authorization port number of the LDAP server. The default port number is 389.
Admin-DN: Enter a distinguished name for the admin user with read/search privileges across all the entries in the LDAP database (the admin user need not have write privileges, but must be able to search the database and read attributes of other users in the database).
Admin Password: Enter a password for the admin.
Retype Admin Password: Retype the password for the admin.
Base-DN: Enter a distinguished name for the node that contains the entire user database.
Filter: Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
Key Attribute: Specify the attribute to use as a key while searching the LDAP server. For Active Directory, the value is sAMAccountName.
Timeout: Enter a value between 1 and 30 seconds. The default value is 5.
Retry Count: Enter a value between 1 and 5. The default value is 3.
TACACS — To configure a TACACS server, specify the attributes described in the following table:
Table 29: TACACS Server Configuration Parameters
Data pane item: Description
Name: Enter the name of the server.
IP Address: Enter the IP address of the server.
Shared Key: Enter the secret key of your choice to authenticate communication between the TACACS client and server.
Retype Key: Re-enter the secret key you have specified as the Shared Key.
Auth Port: Enter the TCP port used by the server. The default port number is 49.
Timeout: Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds.
Retry Count: Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3.
CoA — To configure a CoA, select CoA only. The RADIUS server is automatically selected.
Table 30: CoA Configuration Parameters
Data pane item: Description
Name: Enter the name of the server.
IP Address: Enter the IP address of the server.
BONJOUR Support CoA Port: Enter a port number for sending Bonjour support CoA on a different port than the standard CoA port. The default value is 5999.
Shared Key: Enter a shared key for communicating with the external RADIUS server.
Retype Key: Re-enter the shared key.
4. Click Save Server.
To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile.
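The following is an added Python model (not Aruba Central code) of how the Timeout, Retry Count and Dead Time settings in Table 27 combine with the primary/backup behaviour described under Dynamic Load Balancing between Authentication Servers; the class and method names are assumptions, the dead time value is constructed, and the 5 s / 3 retries / 20 s figures are the guide's own example.

```python
"""Timeout, Retry Count, Dead Time and primary/backup selection for the
RADIUS servers an IAP is configured with. Added illustration; the names
and the dead_time value below are assumptions, not Aruba defaults."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RadiusServer:
    name: str
    timeout: int = 5          # seconds per request, Table 27 default
    retry_count: int = 3      # 1..5, Table 27 default
    dead_time: int = 5        # minutes; constructed value, the guide states no default
    outstanding: int = 0      # authentication sessions currently in flight
    dead_until: float = 0.0   # epoch seconds; the server is skipped until this time

    def __post_init__(self) -> None:
        # Table 27 bounds the retry count to 1..5
        if not 1 <= self.retry_count <= 5:
            raise ValueError("Retry Count must be between 1 and 5")
        if self.timeout < 1:
            raise ValueError("Timeout must be at least 1 second")

    def disconnect_after(self) -> int:
        """Seconds until the client is disconnected when the server never answers:
        the first request plus Retry Count retries, each waiting one Timeout.
        Guide example: Timeout 5 s, Retry Count 3 -> 5 * (1 + 3) = 20 s."""
        return self.timeout * (1 + self.retry_count)

    def is_alive(self, now: float) -> bool:
        return now >= self.dead_until

    def mark_dead(self, now: float) -> None:
        """Dead Time: send nothing to this server for dead_time minutes."""
        self.dead_until = now + self.dead_time * 60


class ServerGroup:
    """Primary/backup RADIUS pair. The backup is used only while the primary
    has outstanding sessions (or is in its dead time), which is how the guide
    describes the IAP balancing across servers of unequal capacity."""

    def __init__(self, primary: RadiusServer, backup: RadiusServer) -> None:
        self.primary = primary
        self.backup = backup

    def select(self, now: float) -> Optional[RadiusServer]:
        primary_ok = self.primary.is_alive(now)
        if primary_ok and self.primary.outstanding == 0:
            return self.primary       # idle primary: no balancing needed
        if self.backup.is_alive(now):
            return self.backup        # primary busy or dead: spill to backup
        if primary_ok:
            return self.primary       # backup dead: queue on the busy primary
        return None                   # both servers are in their dead time

    def begin_auth(self, now: float) -> Optional[RadiusServer]:
        """Pick a server for a new Access-Request and count it as outstanding."""
        server = self.select(now)
        if server is not None:
            server.outstanding += 1
        return server

    def complete_auth(self, server: RadiusServer, responded: bool, now: float) -> str:
        """Close a session. No response within timeout * (1 + retries) means the
        client is disconnected and the server enters its dead time."""
        server.outstanding -= 1
        if responded:
            return "answered"
        server.mark_dead(now)
        return f"disconnected after {server.disconnect_after()}s"
```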
Configuring Dynamic RADIUS Proxy Parameters
The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS-based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, enable the dynamic RADIUS proxy feature.
For the AP clients to authenticate to the RADIUS servers through a different IP address and VLAN, complete the following steps:
1. Enable dynamic RADIUS proxy.
2. Configure the dynamic RADIUS proxy IP, VLAN, netmask, and gateway for each authentication server.
After completing the above steps, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.
Enabling Dynamic RADIUS Proxy
To enable dynamic RADIUS proxy:
1. Select Wireless Configuration > System. The System data pane is displayed.
2. In General, select Enabled from Dynamic RADIUS Proxy.
3. Click Save Settings.
When dynamic RADIUS proxy is enabled, ensure that a static VC IP is configured. For more information on configuring the VC IP address, see Configuring System Parameters for IAP Network on page 28.
When dynamic RADIUS proxy is enabled, the VC network uses the IP address of the VC for communication with external RADIUS servers. Ensure that the VC IP address is set as the NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see Configuring External Servers for Authentication on page 72.
Configuring DRP Parameters
To configure DRP parameters for the authentication server:
1. Select Wireless Configuration > Security > Authentication Servers.
2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 27.
3. Ensure that the following dynamic RADIUS proxy parameters are configured:
- DRP IP — IP address to be used as source IP for RADIUS packets.
- DRP MASK — Subnet mask of the DRP IP address.
- DRP VLAN — VLAN in which the RADIUS packets are sent.
- DRP GATEWAY — Gateway IP address of the DRP VLAN.
4. Click Save Server.
Configuring 802.1X Authentication for a Network Profile
The Central network supports internal RADIUS server and external RADIUS server for 802.1X authentication.
The steps involved in 802.1X authentication are as follows:
1. The NAS requests authentication credentials from a wireless client.
2. The wireless client sends authentication credentials to the NAS.
3. The NAS sends these credentials to a RADIUS server.
4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its database. The RADIUS server sends an Access-Accept message to the NAS. If the RADIUS server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The NAS forwards this message to the client and the client must re-authenticate with appropriate credentials.
5. After the client is authenticated, the RADIUS server forwards the encryption key to the NAS. The encryption key is used for encrypting or decrypting traffic sent to and from the client.
The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS.
To configure 802.1X authentication for a wireless network profile:
1. Select Wireless Configuration > Networks, select an existing profile for which you want to enable 802.1X authentication, and click Edit.
2. In Edit <profile-name>, ensure that all required WLAN and VLAN attributes are defined, and then click the Security tab.
3. In Security, for the Enterprise security level, select the preferred option from Key Management.
4. To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set Termination to Enabled.
For 802.1X authorization, by default, the client conducts an EAP exchange with the RADIUS server, and the AP acts as a relay for this exchange. When Termination is enabled, the IAP itself acts as an authentication server, terminates the outer layers of the EAP protocol, and only relays the innermost layer to the external RADIUS server.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings on page 49.
6. Click the Access tab to define access rules.
7. Click Save Settings.
Configuring MAC Authentication for a Network Profile
MAC authentication can be used alone or it can be combined with other forms of authentication such as WEP authentication. However, it is recommended that you do not use MAC-based authentication.
To configure MAC authentication for a wireless profile:
1. Select Wireless Configuration > Network, select an existing profile for which you want to enable MAC authentication, and click Edit.
2. In Edit <profile-name>, ensure that all required WLAN and VLAN attributes are defined, and then click the Security tab.
3. In Security, for MAC Authentication, select Enabled for the Personal or Open security level.
4. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings on page 49.
5. Click the Access tab to define access rules.
6. Click Save Settings.
Configuring MAC Authentication with 802.1X Authentication
To configure MAC authentication with 802.1X authentication for a wireless network profile:
1. Select Wireless Configuration > Network, select an existing profile for which you want to enable MAC and 802.1X authentication, and click Edit.
2. Click Security. Ensure that the required parameters for MAC Authentication and 802.1X authentication are configured.
3. Select Perform MAC Authentication Before 802.1X to use 802.1X authentication only when the MAC authentication is successful.
4. Select MAC Authentication Fail Through to use 802.1X authentication even when the MAC authentication fails.
5. Click the Access tab to define access rules.
6. Click Save Settings.
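The following is an added Python illustration (not Aruba Central code) of the role a client ends up with when a profile performs MAC authentication before 802.1X, as described under Supported Authentication Methods and controlled by the Perform MAC Authentication Before 802.1X and MAC Authentication Fail Through settings above; the MAC list, role names and function names are assumptions.

```python
"""Role assignment for MAC authentication combined with 802.1X. Added
illustration; the allowed MAC list, role names and helper names are
constructed for the example, the setting semantics follow the guide."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

DENY_ALL_ROLE = "deny-all"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so "AA-BB-CC-DD-EE-FF" and
    "aabb.ccdd.eeff" compare equal to "aa:bb:cc:dd:ee:ff"; malformed
    input raises instead of silently failing the list lookup."""
    digits = "".join(ch for ch in mac.lower() if ch not in ":-.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class MacDot1xPolicy:
    allowed_macs: FrozenSet[str]              # the manually defined MAC list
    fail_through: bool = False                # MAC Authentication Fail Through (l2-authentication-fallthrough)
    mac_auth_only_role: Optional[str] = None  # mac-auth-only role, or None to fall back to deny-all


@dataclass(frozen=True)
class Decision:
    role: str
    mac_ok: bool
    dot1x_attempted: bool


def assign_role(policy: MacDot1xPolicy, mac: str,
                run_dot1x: Callable[[], bool], dot1x_role: str) -> Decision:
    """run_dot1x performs the 802.1X exchange and returns its result; it is
    invoked only when the guide says 802.1X is attempted."""
    mac_ok = normalize_mac(mac) in policy.allowed_macs
    if not mac_ok and not policy.fail_through:
        # MAC authentication failed and fall-through is off: 802.1X does not trigger
        return Decision(DENY_ALL_ROLE, mac_ok, False)
    if run_dot1x():
        # successful 802.1X overwrites any mac-auth-only role with the final role
        return Decision(dot1x_role, mac_ok, True)
    if mac_ok and policy.mac_auth_only_role:
        # MAC succeeded but 802.1X failed: the mac-auth-only role applies
        return Decision(policy.mac_auth_only_role, mac_ok, True)
    # 802.1X failed and there is no mac-auth-only role (or MAC failed too)
    return Decision(DENY_ALL_ROLE, mac_ok, True)
```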
Configuring MAC Authentication with Captive Portal Authentication
This authentication method has the following features:
- If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
- If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
- If the captive portal splash page type is none, MAC authentication is disabled.
- MAC authentication only role — You can use the WLAN wizard to configure the mac-auth-only role in the role-based access rule configuration section when MAC authentication is enabled with captive portal authentication.
To configure MAC authentication with captive portal authentication for a network profile:
1. Select an existing wireless profile for which you want to enable MAC with captive portal authentication. Depending on the network profile selected, the Edit <WLAN-Profile> data pane is displayed.
2. In Access, specify the following parameters for a network with Role Based rules:
a. Select Enforce Machine Authentication when MAC authentication is enabled for captive portal. If the MAC authentication fails, the captive portal authentication role is assigned to the client.
b. For a wireless network profile, select Enforce MAC Auth Only Role when MAC authentication is enabled for captive portal. After successful MAC authentication, the MAC auth only role is assigned to the client.
3. Click Next and then click Save Settings.
Configuring WISPr Authentication
Central supports the following smart clients:
- iPass
- Boingo
These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the IAP.
WISPr authentication is supported only for the Internal - Authenticated and External - RADIUS Server captive portal authentication. Select the Internal - Authenticated or the External - RADIUS Server option from the Splash page type list to configure WISPr authentication for a WLAN profile.
To configure WISPr authentication:
1. Select Wireless Configuration > System.
2. Select WISPr. The WISPr details are displayed.
3. Enter the ISO Country Code for the WISPr Location ID in the ISO Country Code box.
4. Enter the E.164 Area Code for the WISPr Location ID in the E.164 Area Code box.
5. Enter the operator name of the Hotspot in the Operator Name box.
6. Enter the E.164 Country Code for the WISPr Location ID in the E.164 Country Code box.
7. Enter the SSID/Zone section for the WISPr Location ID in the SSID/Zone box.
8. Enter the name of the Hotspot location in the Location Name box. If no name is defined, the name of the IAP to which the user is associated is used.
9. Click Save Settings to apply the changes.
The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (www.iso.org and http://www.itu.int).
A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.
Managing IAP Users
IAP users are classified as follows:
- Administrator — A user who creates SSIDs, wired profiles, and DHCP server configuration parameters, and manages the local user database. Administrators can access the virtual controller management UI.
- Administrator with view-only access — The Central UI is displayed in the view-only mode for these users.
- Guest users — Visiting users who temporarily use the enterprise network to access the Internet.
Configuring the View-only Administrator Credentials
To assign the view-only privilege to an admin user:
1. Select Wireless Configuration > System. The System pane details are displayed.
2. Select Admin. The Admin pane details are displayed.
3. Under View Only:
a. Specify a Username and Password.
b. Confirm the password. Ensure that default passwords such as admin, admin123, admins, aruba123, aruba@123, and admin@123 are not set as the password.
4. Click Save Settings. When a user logs in with these credentials, the Central UI is displayed in the view-only mode.
Configuring Guest Management Interface Administrator Credentials
To configure guest administrator credentials:
1. Select Wireless Configuration > System. The System pane details are displayed.
2. Select Admin. The Admin pane details are displayed.
3. Under Guest Registration Only:
a. Specify a Username and Password.
b. Confirm the password.
4. Click Save Settings. When a user logs in with these credentials, the guest management interface is displayed.
Blacklisting Clients
The client blacklisting denies connection to the blacklisted clients. When a client is blacklisted, it is not allowed to associate with an IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force client disconnection.
This section describes the following procedures:
- Blacklisting Clients Manually on page 79
- Blacklisting Clients Dynamically on page 79
Blacklisting Clients Manually
Manual blacklisting adds the MAC address of a client to the blacklist. These clients are added to a permanent blacklist and are not allowed to connect to the network unless they are removed from the blacklist.
To add a client to the blacklist manually:
1. Select Wireless Configuration > Security > Blacklisting.
2. Click New and enter the MAC address of the client to be blacklisted in Enter A New MAC Address.
3. Click Ok. The Blacklisted Since field displays the time at which the current blacklisting started for the client.
To delete a client from the manual blacklist, select the MAC address of the client under Manual Blacklisting, and then click Delete.
Blacklisting Clients Dynamically
Clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process.
When a client takes time to authenticate and exceeds the configured failure threshold, it is automatically blacklisted by an IAP.
In session-firewall-based blacklisting, an Access Control List (ACL) rule automates blacklisting. When the ACL rule is triggered, it sends out blacklist information and the client is blacklisted.
To configure the blacklisting duration:
1. Select Wireless Configuration > Security > Blacklisting.
2. Under Dynamic Blacklisting:
a. For Auth Failure Blacklist Time, enter the duration after which the clients that exceed the authentication failure threshold must be blacklisted.
b. For PEF Rule Blacklist Time, enter the duration after which the clients can be blacklisted due to an ACL rule trigger.
You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted. For more information on configuring maximum authentication failure attempts, see
l l l l
Configuring Roles and Policies for User Access Control
This section provides the following information:
- Configuring Firewall and Access Rules on page 80
- Managing Inbound Traffic on page 85
- Configuring User Roles on page 85
- Configuring Derivation Rules on page 86
Configuring Firewall and Access Rules
This section describes the following topics:
- Firewall and ACL Rules on page 80
- Configuring Access Rules for Network Services on page 81
- Configuring Network Address Translation Rules on page 82
- Configuring ALG protocols on page 84
Firewall and ACL Rules
The Central firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using the Central firewall, you can enforce network access policies that define who may access the network, which areas of the network users may reach, and the performance thresholds of various applications.
Central supports a role-based stateful firewall. The firewall recognizes flows in the network and keeps track of the state of each session. Packets are handled according to the first rule that matches them, so rule order matters: a later rule is never reached by traffic that an earlier rule already permits or denies. Firewall logs on the IAPs are generated as syslog messages. The Central firewall also supports Application Layer Gateway (ALG) functions for the SIP, Vocera, Alcatel NOE, and Cisco Skinny protocols.
ACL Rules
You can use Access Control List (ACL) rules to permit or deny data packets passing through the IAP. You can also limit the packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, and on the source or destination IP address.
You can create access rules to allow or block data packets that match the criteria defined in the rule, for either inbound or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the outbound network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall.
IAP clients are associated with user roles, which determine the client's network privileges and the frequency at which the client re-authenticates. Central supports the following types of ACLs:
- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on source or destination IP address, or source or destination port number.
You can configure up to 64 access control rules for a firewall policy.
Configuring Access Rules for Network Services
This section describes the procedure for configuring ACLs to control access to network services. For information on:
- Configuring access rules based on application and application categories, see Application and Application Categories on page 136.
- Configuring access rules based on web categories and web reputation, see
To configure access rules:
1. Select Wireless Configuration > Security, and then click Roles. The Roles pane is displayed.
You can also configure access rules for a wired or wireless network profile in the Wireless Configuration > Networks > Create a New Network > Access pane.
2. Select the role or network profile for which you want to assign the ACL rules.
3. Under Access Rules For Selected Roles, click + Add Rule to add a new rule. The new rule window is displayed.
4. In the new rule window, specify the following parameters:
Table 31: Access Rule Configuration Parameters

Rule Type
Select a rule type from the list, for example Access Control.

Service
Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:
- any — Access is allowed or denied to all services.
- custom — Available options are TCP, UDP, and Other. If you select TCP or UDP, enter the appropriate port numbers. If you select Other, enter the appropriate protocol ID.
NOTE: A rule for TCP does not cover UDP on the same port number, or vice versa. If a service uses the same port on both TCP and UDP, configure a separate access rule for each protocol.

Action
Select one of the following:
- Allow — Allows access to users based on the access rule.
- Deny — Denies access to users based on the access rule.
- Destination-NAT — Allows changes to the destination IP address.
- Source-NAT — Allows changes to the source IP address.

Destination
Select a destination option. You can allow or deny access to any of the following destinations based on your requirements:
- To all destinations — Access is allowed or denied to all destinations.
- To a particular server — Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
- Except to a particular server — Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- To a network — Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask of the destination network.
- Except to a network — Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- To a Domain Name — Access is allowed or denied to the specified domain. After selecting this option, specify the domain name in the Domain Name text box.

Log
Select Log to create a log entry when this rule is triggered. The Central firewall supports firewall-based logging; firewall logs on the IAPs are generated as security logs.

Blacklist
Select Blacklist to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the BLACKLISTING tab of the Security window. For more information, see Blacklisting Clients on page 79.

Classify Media
Select Classify Media to prioritize video and voice traffic. When enabled, packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
- Video: Priority 5 (Critical)
- Voice: Priority 6 (Internetwork Control)

Disable Scanning
Select Disable Scanning to disable ARM scanning when this rule is triggered. This setting applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings on page 67.

DSCP Tag
Select DSCP Tag to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63.

802.1 priority
Select 802.1 priority to specify an 802.1p priority. Specify a value between 0 and 7.

5. Click Save.
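The semantics described above (the first matching rule wins, TCP and UDP are separate services, the "Except to a network" destination, at most 64 rules) are easy to get wrong when rules are entered one at a time in the UI. The following Python script is an added example, not Aruba code and not part of this guide: it models an access rule list with those semantics so that a planned policy can be evaluated against sample flows and checked for rules that an earlier rule makes unreachable. The role, addresses and rule list are constructed for illustration, and the default-deny result when no rule matches is an assumption of the model, not something the guide states.

```python
"""First-match evaluation of access rules, plus a check for unreachable rules.

Added example, not Aruba code: a model of the rule semantics described in
the guide (first matching rule wins; TCP and UDP are separate services;
destination options including the "except" variants; at most 64 rules).
Addresses and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_RULES = 64  # limit per firewall policy stated in the guide


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "any", "tcp" or "udp"
    port: Optional[int] = None    # None = any port of that protocol
    dest: str = "all"             # all, server, except-server, network, except-network
    target: Optional[str] = None  # IP address or CIDR for the server/network options
    log: bool = False


def service_matches(rule: Rule, proto: str, port: int) -> bool:
    """A TCP rule never matches UDP traffic on the same port, and vice versa."""
    if rule.proto == "any":
        return True
    return rule.proto == proto and rule.port in (None, port)


def dest_matches(rule: Rule, dst_ip: str) -> bool:
    if rule.dest == "all":
        return True
    inside = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.target, strict=False)
    if rule.dest in ("server", "network"):
        return inside
    if rule.dest in ("except-server", "except-network"):
        return not inside
    raise ValueError(f"unknown destination option {rule.dest!r}")


def evaluate(rules: List[Rule], proto: str, port: int, dst_ip: str) -> str:
    """Action of the first rule matching the flow. Assumption: no match means deny."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceed the limit of {MAX_RULES}")
    for rule in rules:
        if service_matches(rule, proto, port) and dest_matches(rule, dst_ip):
            return rule.action
    return "deny"


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match: an earlier rule with destination
    'all' and an equal or broader service already catches every such flow."""
    unreachable = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            broader = earlier.proto == "any" or (
                earlier.proto == rule.proto and earlier.port in (None, rule.port))
            if broader and earlier.dest == "all":
                unreachable.append(i)
                break
    return unreachable


# Constructed policy for an "employee" role; comments give the intent of each rule.
EMPLOYEE_RULES = [
    Rule("deny", "tcp", 23, "all", log=True),                     # 0 block Telnet
    Rule("allow", "udp", 53, "server", "10.0.0.53"),               # 1 DNS to the corporate resolver
    Rule("deny", "udp", 53, "all", log=True),                      # 2 ...and to no other resolver
    Rule("allow", "tcp", 443, "except-network", "10.0.100.0/24"),  # 3 HTTPS anywhere except the management VLAN
    Rule("deny", "any", None, "network", "10.0.100.0/24"),         # 4 nothing else to the management VLAN
    Rule("allow", "any", None, "all"),                             # 5 everything else
    Rule("deny", "tcp", 22, "all"),                                # 6 intended SSH block, never reached
]

if __name__ == "__main__":
    for proto, port, dst in [("tcp", 23, "10.0.0.5"), ("udp", 23, "10.0.0.5"),
                             ("udp", 53, "8.8.8.8"), ("tcp", 443, "10.0.100.20"),
                             ("tcp", 22, "10.0.0.5")]:
        print(f"{proto}/{port} -> {dst}: {evaluate(EMPLOYEE_RULES, proto, port, dst)}")
    print("unreachable rules:", shadowed(EMPLOYEE_RULES))
```

Running the script shows two things worth checking before a policy is entered in the UI: the Telnet deny on TCP 23 does not stop UDP traffic to port 23 (it reaches the allow-all rule), and rule 6 is reported as unreachable because rule 5 already allows any service to any destination. Moving the SSH deny above the allow-all rule fixes the second problem; the script only reports it.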
Configuring Network Address Translation Rules
Network Address Translation (NAT) is the process of modifying network address information as packets pass through a routing device. The routing device acts as an intermediary between the public network (the Internet) and the private local network, translating private network IP addresses into a public address space.
Central supports NAT so that a routing device can use its translation tables to map private addresses to a single public IP address. Packets are sent from that address and appear to originate from the routing device; packets addressed back to it have their destination address translated to the private address recorded in the translation tables.
Configuring a Source NAT Access Rule
The Source NAT action in access rules allows you to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, client traffic on an SSID in L3 mode access that is destined for the corporate network is sent into the tunnel. When an access rule is configured with the Source NAT action, you can specify the service, protocol, or destination to which source NAT is applied instead.
You can also configure source-based routing to allow client traffic on one SSID to reach the Internet through the corporate network, while another SSID is used as an alternate uplink.
To configure a source NAT access rule:
1. Select Wireless Configuration > Networks, and then click Create New. The Create A New Network pane is displayed.
2. For Type, select Wireless.
3. Enter a name that is used to identify the network in the Name (SSID) box.
4. Based on the type of network profile, select one of the following options under Primary Usage:
- Employee
- Voice
- Guest
5. Click Next to go to the Access pane.
6. To configure access rules for the network, select Network Based. To configure access rules for user roles, select Role Based.
7. To create a new rule for the network, click (+). To create an access rule for a user role, select the user role and then click New. The new rule window is displayed.
8. In the new rule window, select Access Control from the Rule Type list.
9. Select Source-NAT from the Action list to allow changes to the source IP address.
10. Select a service from the list of available services.
11. Select the required option from the Destination list.
12. If required, enable other parameters such as Log, Blacklist, Classify Media, Disable Scanning, DSCP Tag, and 802.1 priority.
13. Click Save.
Configuring Source-based Routing
To allow different forwarding policies for different SSIDs, you can configure source-based routing. The source-based routing configuration overrides the routing profile configuration and allows any destination or service to be given direct access to the Internet (bypassing the VPN tunnel) based on the ACL rule definition.
When source-based routing is enabled, the VC performs source NAT using its uplink IP address.
To configure source-based routing:
1. Ensure that an L3 subnet with the netmask, gateway, VLAN, and IP address is configured. For more information on configuring an L3 subnet, see Configuring L3 Mobility Domain on page 123.
2. Ensure that the source IP address is associated with the IP address configured for the L3 subnet.
3. Create an access rule for the SSID profile with the Source NAT action as described in
Configuring a Destination NAT Access Rule
Central supports configuration of a destination NAT rule, which can be used to redirect traffic to a specified IP address and destination port. Destination-NAT configuration is supported only in bridge mode without VPN.
To configure a destination NAT access rule:
1. Select Wireless Configuration > Networks, and then click Create New. The Create A New Network pane is displayed.
2. For Type, select Wireless.
3. Enter a name that is used to identify the network in the Name (SSID) box.
4. Based on the type of network profile, select one of the following options under Primary Usage:
- Employee
- Voice
- Guest
5. Click Next to go to the Access pane.
6. To configure access rules for the network, select Network Based. To configure access rules for user roles, select Role Based.
7. To create a new rule for the network, click (+). To create an access rule for a user role, select the user role and then click New. The new rule window is displayed.
8. In the new rule window, select Access Control from the Rule Type list.
9. Select Destination-NAT from the Action list to allow changes to the destination IP address.
10. Specify the IP address and port details.
11. Select a service from the list of available services.
12. Select the required option from the Destination list.
13. If required, enable other parameters such as Log, Blacklist, Classify Media, Disable Scanning, DSCP Tag, and 802.1 priority.
14. Click Save.
Configuring ALG protocols
To configure protocols for ALG:
1. Select Wireless Configuration > Security.
2. Click Firewall Settings. The Firewall Settings pane contents are displayed.
3. Under Application Layer Gateway (ALG) Algorithms, select Enabled against the corresponding protocol to enable the SIP, VOCERA, ALCATEL NOE, and CISCO SKINNY protocols.
4. Click Save Settings.
When the ALG for a protocol is set to Disabled, the change does not take effect until the existing user sessions have expired. Reboot the IAP and the client, or wait a few minutes for the change to take effect.
Configuring Firewall Settings for Protection from ARP Attacks
To configure firewall settings:
1. Select Wireless Configuration > Security.
2. Click Firewall Settings. The Firewall Settings pane contents are displayed.
3. To configure protection against these attacks, select the following radio buttons:
- Select Drop Bad ARP as Enabled so that the IAP drops fake ARP packets.
- Select Fix Malformed DHCP as Enabled so that the IAP fixes malformed DHCP packets.
- Select ARP poison check as Enabled so that the IAP triggers an alert notifying the user about ARP poisoning that may have been caused by rogue APs.
4. Click Save Settings.
Managing Inbound Traffic
Central supports an enhanced inbound firewall that allows the configuration of management subnets and the restriction of corporate access through an uplink switch.
To allow flexibility in firewall configuration, Central supports the following features:
- Configurable management subnets
- Restricted corporate access
Configuring Management Subnets
You can configure subnets to ensure that IAP management is carried out only from these subnets. When management subnets are configured, Telnet, SSH, and UI access is restricted to these subnets only. Before you save the list, check that the subnet you administer the IAPs from is included; once the setting is applied, management access from any subnet not in the list, including your own, is blocked.
To configure management subnets:
1. Select Wireless Configuration > Security > Firewall Settings. The Firewall Settings pane contents are displayed.
2. To add a new management subnet:
- Enter the subnet address in Subnet.
- Enter the subnet mask in Mask.
- Click Add.
3. To add multiple subnets, repeat step 2.
4. Click Save Settings.
Configuring Restricted Access to Corporate Network
You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of the master IAP, including for clients connected to a slave IAP.
To configure restricted corporate access:
1. Select Wireless Configuration > Security > Firewall Settings. The Firewall Settings pane contents are displayed.
2. Select Enabled from the Restrict Corporate Access list.
3. Click Save Settings.
Configuring User Roles
Every client in the Central network is associated with a user role, which determines the client's network privileges, the frequency of re-authentication, and the applicable bandwidth contracts. The user role configuration on an IAP involves the following procedures:
- Creating a User Role on page 85
- Assigning Bandwidth Contracts to User Roles on page 86
Creating a User Role
To create a user role:
1. Select Wireless Configuration > Security. The Security pane is displayed.
2. Click Roles. The Roles pane contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.
You can also create a user role when configuring a wireless profile. For more information, see Configuring Access Rules on page 52.
Assigning Bandwidth Contracts to User Roles
Administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. A bandwidth contract, configured in Kbps, can be assigned to upstream (client to IAP) or downstream (IAP to client) traffic for a user role. The bandwidth contract does not apply to user traffic to bridged-out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps.
By default, all users that belong to the same role share the configured bandwidth rate for upstream or downstream traffic; the assigned bandwidth is served to and shared among all users of the role. You can instead assign bandwidth per user to give every user a specific rate within the range of 1 to 65535 Kbps. If no bandwidth contract is specified for a traffic direction, unlimited bandwidth is allowed in that direction.
To assign bandwidth contracts to a user role:
1. Select Wireless Configuration > Security. The Security pane contents are displayed.
2. Click Roles. The Roles pane contents are displayed.
3. Create a new role or select an existing role.
4. Under Access Rules For Selected Roles, click (+).
5. Select Bandwidth Contract under Rule-Type.
6. Specify the downstream and upstream rates in Kbps. If the assignment is specific to each user, select Peruser.
7. Click Save.
8. Associate the user role to a WLAN SSID or wired profile.
You can also create a user role and assign bandwidth contracts while
Configuring Derivation Rules
Central allows you to configure role and VLAN derivation rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.
Understanding Role Assignment Rule
When an SSID or wired profile is created, a default role is assigned to the clients connecting to that SSID or wired profile. You can assign a user role to the clients connecting to an SSID by any of the following methods. The role assigned by some methods takes precedence over the roles assigned by others.
RADIUS VSA Attributes
The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication.
The role derived from an Aruba VSA takes precedence over roles defined by other methods.
MAC-address Attribute
The first three octets of a MAC address are known as the Organizationally Unique Identifier (OUI) and are purchased from the Institute of Electrical and Electronics Engineers (IEEE) Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the "assignee") globally and effectively reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee.
IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign a desired role to users who have completed 802.1X authentication and MAC authentication. The user role can be derived from the user attributes after a client associates with an AP. You can configure rules that assign a user role to clients that match MAC address based criteria. For example, you can assign a voice role to any client with a MAC address starting with a0:a1:a2.
Roles based on Client Authentication
The user role can be the default user role configured for an authentication method, such as 802.1X authentication. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method.
DHCP Option and DHCP Fingerprinting
DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on the operating system type, a role can be assigned to the device. A fingerprint is the hexadecimal option code followed by the hexadecimal bytes of the option value: 37 is option 55 (the parameter request list) and 3C is option 60 (the vendor class identifier). Because the client composes these options, a fingerprint identifies the operating system the client claims to run; it does not authenticate the device.
For example, to create a role assignment rule with the DHCP option, select equals from the Operator list and enter 370103060F77FC in the String text box. Since 370103060F77FC is the fingerprint for Apple iOS devices such as iPad and iPhone, the IAP assigns Apple iOS devices to the role that you choose.
Table 32: DHCP Fingerprint

Device                                DHCP option   DHCP fingerprint
Apple iOS                             Option 55     370103060F77FC
Android                               Option 60     3C64686370636420342E302E3135
Blackberry                            Option 60     3C426C61636B4265727279
Windows 7/Vista Desktop               Option 55     37010f03062c2e2f1f2179f92b
Windows XP (SP3, Home, Professional)  Option 55     37010f03062c2e2f1f21f92b
Windows Mobile                        Option 60     3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone                       Option 55     370103060f2c2e2f
Apple Mac OSX                         Option 55     370103060f775ffc2c2e2f
Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
When creating more than one role assignment rule, the first matching rule in the rule list is applied.
To create a role assignment rule:
1. Select Wireless Configuration > Networks > Create New to create a new network profile.
2. Under Access, select Role Based.
3. Under Role Assignment Rules, click New. In New Role Assignment Rule, define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
4. Select the attribute that the rule matches against from the Attribute list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 71.
5. Select the operator from the Operator list. The following operators are supported:
- contains — The rule is applied only if the attribute value contains the string specified in Operand.
- Is the role — The rule is applied if the attribute value is the role.
- equals — The rule is applied only if the attribute value is equal to the string specified in Operand.
- not-equals — The rule is applied only if the attribute value is not equal to the string specified in Operand.
- starts-with — The rule is applied only if the attribute value starts with the string specified in Operand.
- ends-with — The rule is applied only if the attribute value ends with the string specified in Operand.
- matches-regular-expression — The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only to WLAN clients.
6. Enter the string to match in the String box.
7. Select the appropriate role from the Role list.
8. Click Save.
Understanding VLAN Assignment
You can assign VLANs to a client based on the following configuration conditions:
- The default VLAN configured for the WLAN can be assigned to a client.
- If VLANs are configured for a WLAN SSID or an Ethernet port profile, the VLAN for the client can be derived from the rules configured for these profiles before authentication.
- If a rule derives a specific VLAN, it is prioritized over the user roles that may have a VLAN configured.
- The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication.
- After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS server authentication.
- The DHCP-based VLANs can be derived for Captive Portal authentication.
Configuring VLAN Derivation Rules
Users are assigned to a VLAN based on the attributes returned by the RADIUS server after they authenticate.
To configure VLAN derivation rules for an SSID profile:
1. Select Wireless Configuration > Networks, and then click Create New. The Create A New Network pane is displayed.
2. For Type, select Wireless.
3. Enter a name that is used to identify the network in the Name (SSID) box.
4. Based on the type of network profile, select one of the following options under Primary Usage:
- Employee
- Voice
- Guest
5. Click Next to configure VLAN settings.
6. Select Dynamic under Client VLAN Assignment.
7. Click New to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
8. Select an attribute from the Attribute list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 71.
9. Select an operator from the Operator list. The following operators are supported:
- contains — The rule is applied only if the attribute value contains the string specified in Operand.
- equals — The rule is applied only if the attribute value is equal to the string specified in Operand.
- not-equals — The rule is applied only if the attribute value is not equal to the string specified in Operand.
- starts-with — The rule is applied only if the attribute value starts with the string specified in Operand.
- ends-with — The rule is applied only if the attribute value ends with the string specified in Operand.
- matches-regular-expression — The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only to WLAN clients.
10. Enter the string to match in the String field.
11. Select the appropriate VLAN ID from VLAN.
12. Ensure that all other required parameters are configured.
13. Click Save to apply the changes.
Using Advanced Expressions in Role and VLAN Derivation Rules
For complex role and VLAN derivation policies based on device DHCP fingerprints, you can use a regular expression to match against the combined string of the MAC address and the DHCP options. The combined string is formed by concatenating the hexadecimal representation of the MAC address and all of the DHCP options sent by a particular device. A regular expression is a pattern description language that can be used to perform advanced pattern matching on this string.
If the combined device fingerprint string matches the specified regular expression, the role or VLAN is set for the WLAN client.
The following table lists some of the most commonly used regular expression operators, which can be used in user role and user VLAN derivation rules:
Table 33: Advanced Expressions In Derivation Rules

Operator   Description
.          Matches any single character. For example, l..k matches lack, lark, link, lock, and look.
\          Matches the character that follows the backslash literally, so that . and other operators can be matched as plain characters. For example, 192\.0\. matches the text 192.0. in addresses such as 192.0.1.1, whereas 192.0. would also match 192a0b.
[ ]        Matches any one of the characters listed between the brackets. For example, [bc]lock matches block and clock.
\b         Matches a word boundary. For example, \bdown matches down and downlink, but not shutdown.
\B         Matches a position inside a word, that is, not a word boundary. For example, \Bvice matches services, devices, serviceID, and deviceID.
^          Matches the start of the string. For example, ^bcd matches bcde and bcdf, but not abcd.
[^ ]       Matches any one character that is not listed between the brackets. For example, [^u]link matches downlink, but not uplink.
?          Matches the preceding element zero or one time. For example, colou?r matches color and colour.
$          Matches the end of the string. For example, link$ matches uplink and downlink, but not linkdown.
*          Matches the preceding element zero or more times. For example, eth* matches et, eth, and ethhh.
+          Matches the preceding element one or more times. For example, aa+ matches aa and aaa, but not a.
( )        Groups a sub-expression so that it can be repeated or used in an alternative. For example, (192)* matches any number of repetitions of 192.
|          Matches the pattern on either side of the vertical bar. You can use this operator to construct a series of alternatives.
\<         Matches the beginning of a word. For example, \<wire matches wired and wireless.
\>         Matches the end of a word. For example, list\> matches blacklist and whitelist.
{n}        Where n is an integer: matches the preceding element exactly n times. For example, a{2} matches aa, but not a.
{n,}       Where n is an integer: matches the preceding element n or more times. For example, a{2,} matches aa and aaa, but not a.
For information on how to use regular expressions in role and VLAN derivation rules, see the following topics:
- Configuring VLAN Derivation Rules on page 88
- Creating a Role Derivation Rule on page 87
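The fingerprints in Table 32, the role assignment rule procedure and the regular expression operators above come together in the following Python script, added here as an example; it is not Aruba code and not part of this guide. It builds option 55 and option 60 fingerprint strings from constructed DHCP options, forms the combined MAC + options string that the mac-address-and-dhcp-options attribute matches against, and evaluates a rule list in first-match order with the listed operators. The rule list, MAC addresses, role names and sample clients are constructed for illustration. Two details the guide does not specify are assumptions of the model: that a dhcp-option rule is tested against each option the client sent, and that the options are concatenated in the order the client sent them.

```python
"""Device fingerprints and first-match derivation rules.

Added example, not Aruba code. Builds the fingerprint strings described in the
guide (hex option code, then the option's bytes, e.g. 370103060F77FC for an iOS
parameter request list), forms the combined MAC + options string matched by
mac-address-and-dhcp-options rules, and applies rules with the listed operators,
first match wins. Sample clients and rules are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Table 32 fingerprints, normalised to upper-case hex.
KNOWN_FINGERPRINTS = {
    "370103060F77FC": "Apple iOS",
    "3C64686370636420342E302E3135": "Android",
    "3C426C61636B4265727279": "Blackberry",
    "37010F03062C2E2F1F2179F92B": "Windows 7/Vista Desktop",
    "37010F03062C2E2F1F21F92B": "Windows XP",
    "3C4D6963726F736F66742057696E646F777320434500": "Windows Mobile",
    "370103060F2C2E2F": "Windows 7 Phone",
    "370103060F775FFC2C2E2F": "Apple Mac OSX",
}


def option_fingerprint(code: int, value: bytes) -> str:
    """Hex option code followed by the option's value bytes (no length byte)."""
    return f"{code:02X}{value.hex().upper()}"


def identify_os(options: dict[int, bytes]) -> str:
    """Look each option the client sent up in Table 32; 'unknown' if none is listed."""
    for code, value in options.items():
        name = KNOWN_FINGERPRINTS.get(option_fingerprint(code, value))
        if name:
            return name
    return "unknown"


def normalise_mac(mac: str) -> str:
    """Lower-case colon-separated form, the way the guide writes a0:a1:a2."""
    digits = mac.replace(":", "").replace("-", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def combined_string(mac: str, options: dict[int, bytes]) -> str:
    """MAC hex followed by every option fingerprint: the value that
    mac-address-and-dhcp-options rules are matched against. Assumption: options
    appear in the order the client sent them (the dict's insertion order here)."""
    mac_hex = normalise_mac(mac).replace(":", "").upper()
    return mac_hex + "".join(option_fingerprint(c, v) for c, v in options.items())


@dataclass(frozen=True)
class RoleRule:
    attribute: str  # mac-address, dhcp-option or mac-address-and-dhcp-options
    operator: str   # a key of OPERATORS
    operand: str    # the String entered in the rule
    role: str


OPERATORS = {
    "contains": lambda value, s: s in value,
    "equals": lambda value, s: value == s,
    "not-equals": lambda value, s: value != s,
    "starts-with": lambda value, s: value.startswith(s),
    "ends-with": lambda value, s: value.endswith(s),
    "matches-regular-expression": lambda value, s: re.search(s, value) is not None,
}


def candidate_values(attribute: str, mac: str, options: dict[int, bytes]) -> list[str]:
    """Values a rule is tested against. Assumption: a dhcp-option rule is tested
    against each option the client sent and matches if any of them matches."""
    if attribute == "mac-address":
        return [normalise_mac(mac)]
    if attribute == "dhcp-option":
        return [option_fingerprint(c, v) for c, v in options.items()]
    if attribute == "mac-address-and-dhcp-options":
        return [combined_string(mac, options)]
    raise ValueError(f"attribute {attribute!r} is not modelled by this example")


def derive_role(rules: list[RoleRule], mac: str, options: dict[int, bytes], default_role: str) -> str:
    """First matching rule wins; otherwise the profile's default role applies."""
    for rule in rules:
        if rule.operator == "matches-regular-expression" and rule.attribute != "mac-address-and-dhcp-options":
            raise ValueError("matches-regular-expression is only available with mac-address-and-dhcp-options")
        test = OPERATORS[rule.operator]
        if any(test(value, rule.operand) for value in candidate_values(rule.attribute, mac, options)):
            return rule.role
    return default_role


# Constructed rule list; the role names are illustrative.
RULES = [
    RoleRule("dhcp-option", "equals", "370103060F77FC", "ios-byod"),
    RoleRule("mac-address", "starts-with", "a0:a1:a2", "voice"),
    RoleRule("mac-address-and-dhcp-options", "matches-regular-expression",
             r"^[0-9A-F]{12}3C426C61636B4265727279", "blackberry"),
]

# Constructed DHCP options for three sample clients (not captured traffic).
IPHONE = {55: bytes([1, 3, 6, 15, 119, 252])}       # iOS parameter request list from Table 32
HANDSET = {55: bytes([1, 3, 6])}                     # a request list Table 32 does not know
BLACKBERRY = {60: b"BlackBerry", 55: bytes([1, 3, 6, 15])}
```

With these inputs, derive_role(RULES, "a0:a1:a2:10:20:30", IPHONE, "employee") returns ios-byod from the first rule even though the MAC prefix also matches the second rule; the unknown handset at a0:a1:a2:99:88:77 falls through to the MAC rule and gets voice; the BlackBerry at 00:11:22:33:44:55 is matched only by the regular expression on the combined string; and a Windows 7 request list matches no rule and keeps the default role. A client can send any option 55 or option 60 value, so these rules classify devices; they do not authenticate them.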
Configuring a User Role for VLAN Derivation
This section describes the following procedures:
- Creating a User VLAN Role on page 91
- Assigning User VLAN Roles to a Network Profile on page 91
Creating a User VLAN Role
To configure a user role for VLAN derivation:
1. Select Wireless Configuration > Security.
2. Click Roles. The Roles pane contents are displayed.
3. Under Role, click New.
4. Enter a name for the new role and click OK.
5. Under Access Rules For Selected Roles, click (+).
6. Select VLAN Assignment as the Rule Type.
7. Enter the ID of the VLAN in the VLAN ID box.
8. Click Save.
Assigning User VLAN Roles to a Network Profile
To assign a user VLAN role:
1. Select Wireless Configuration > Networks > Create New > Access.
2. Select Role Based.
3. Click New under Role Assignment Rules and configure the following parameters:
   a. Select an attribute from the Attribute list.
   b. Select an operator from the Operator list.
   c. Enter the string in the String box.
   d. Select the role to be assigned from the Role box.
   e. Click Save.
Configuring Intrusion Detection System
The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized IAPs and clients. It also logs information about the unauthorized IAPs and clients, and generates reports based on the logged information.
The IDS feature in the Central network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
This chapter describes the following procedures:
- Detecting and Classifying Rogue APs on page 91
- Configuring Wireless Intrusion Protection and Detection Levels on page 92
Detecting and Classifying Rogue APs
A rogue AP is an unauthorized AP plugged into the wired side of the network.
An interfering AP is an AP seen in the RF environment that is not connected to the wired network. While an interfering AP can potentially cause RF interference, it is not considered a direct security threat because it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.
The built-in IDS scans for APs that are not controlled by the VC. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or on your network.
OS Fingerprinting
The OS fingerprinting feature identifies the operating system of a client. This has the following advantages:
- Identifying rogue clients — Helps to identify clients that are running forbidden operating systems.
- Identifying outdated operating systems — Helps to locate outdated and unexpected operating systems in the company network.
- Locating and patching vulnerable operating systems — Assists in locating and patching specific operating system versions on the network that have known vulnerabilities, thereby securing the company network.
OS fingerprinting is enabled in the Central network by default. The following operating systems are identified by Central:
- Windows 7
- Windows Vista
- Windows Server
- Windows XP
- Windows ME
- OS X
- iPhone iOS
- Android
- Blackberry
- Linux
Configuring Wireless Intrusion Protection and Detection Levels
WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats.
Like most other security-related features of the Central network, the WIP can be configured on the IAP.
You can configure the following options:
- Infrastructure Detection Policies — Specifies the policy for detecting wireless attacks on APs.
- Client Detection Policies — Specifies the policy for detecting wireless attacks on clients.
- Infrastructure Protection Policies — Specifies the policy for protecting APs from wireless attacks.
- Client Protection Policies — Specifies the policy for protecting clients from wireless attacks.
- Containment Methods — Prevents unauthorized stations from connecting to your Central network.
Each of these options contains several default levels that enable different sets of policies. An administrator can customize these levels by enabling or disabling individual policies as required.
The detection levels can be configured using the IDS pane. The following levels of detection can be configured in the WIP Detection page:
- Off
- Low
- Medium
- High
The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field.
Table 34: Infrastructure Detection Policies
Detection level: Detection policies
Off: Rogue Classification
Low:
- Detect AP Spoofing
- Detect Windows Bridge
- IDS Signature — Deauthentication Broadcast
- IDS Signature — Deassociation Broadcast
Medium:
- Detect Adhoc networks using VALID SSID — Valid SSID list is auto-configured based on AP configuration
- Detect Malformed Frame — Large Duration
High:
- Detect AP Impersonation
- Detect Adhoc Networks
- Detect Valid SSID Misuse
- Detect Wireless Bridge
- Detect 802.11 40MHz intolerance settings
- Detect Active 802.11n Greenfield Mode
- Detect AP Flood Attack
- Detect Client Flood Attack
- Detect Bad WEP
- Detect CTS Rate Anomaly
- Detect RTS Rate Anomaly
- Detect Invalid Address Combination
- Detect Malformed Frame — HT IE
- Detect Malformed Frame — Association Request
- Detect Malformed Frame — Auth
- Detect Overflow IE
- Detect Overflow EAPOL Key
- Detect Beacon Wrong Channel
- Detect devices with invalid MAC OUI
The following table describes the detection policies enabled in the Client Detection Custom settings field.
Table 35: Client Detection Policies
Detection level: Detection policies
Off: All detection policies are disabled.
Low:
- Detect Valid Station Misassociation
Medium:
- Detect Disconnect Station Attack
- Detect Omerta Attack
- Detect FATA-Jack Attack
- Detect Block ACK DOS
- Detect Hotspotter Attack
- Detect unencrypted Valid Client
- Detect Power Save DOS Attack
High:
- Detect EAP Rate Anomaly
- Detect Rate Anomaly
- Detect Chop Chop Attack
- Detect TKIP Replay Attack
- IDS Signature — Air Jack
- IDS Signature — ASLEAP
The following levels of protection can be configured in the WIP Protection page:
- Off
- Low
- High
The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.
Table 36: Infrastructure Protection Policies
Protection level: Protection policies
Off: All protection policies are disabled.
Low:
- Protect SSID — Valid SSID list is auto derived from AP configuration
- Rogue Containment
High:
- Protect from Adhoc Networks
- Protect AP Impersonation
The following table describes the protection policies that are enabled in the Client Protection Custom settings field.
Table 37: Client Protection Policies
Protection level: Protection policies
Off: All protection policies are disabled.
Low: Protect Valid Station
High: Protect Windows Bridge
Containment methods
You can enable wired and wireless containments to prevent unauthorized stations from connecting to your Central network.
Central supports the following types of containment mechanisms:
- Wired containment — When enabled, IAPs generate ARP packets on the wired network to contain wireless attacks.
- Wireless containment — When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified AP.
  - None — Disables all the containment mechanisms.
  - Deauthenticate only — With deauthentication containment, the AP or client is contained by disrupting the client association on the wireless interface.
  - Tarpit containment — With tarpit containment, the AP is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the AP being contained.
The Federal Communications Commission (FCC) and some third parties have alleged that under certain circumstances, the use of containment functionality violates 47 U.S.C. §333. Before using any containment functionality, ensure that your intended use is allowed under the applicable rules, regulations, and policies. Aruba is not liable for any claims, sanctions, or other direct, indirect, special, consequential or incidental damages related to your use of containment functionality.
Configuring VPN Networks
This section describes the following VPN configuration procedures:
- Understanding VPN Features on page 95
- Configuring a Tunnel from an IAP to Aruba mobility controller on page 96
- Configuring Routing Profiles on page 100
Understanding VPN Features
As IAPs use a Virtual Controller architecture, the IAP network does not require a physical controller to provide the configured WLAN services. However, a physical controller is required for terminating Virtual Private Networks (VPN) tunnels from the IAP networks at branch locations or datacenters, where the Aruba controller acts as a VPN concentrator.
When the VPN is configured, the IAP acting as the Virtual Controller creates a VPN tunnel to the Aruba mobility controller in your corporate office. The controller acts as a VPN end-point and does not supply the IAP with any configuration.
The VPN features are recommended for:
- Enterprises with many branches that do not have a dedicated VPN connection to the corporate office.
- Branch offices that require multiple APs.
- Individuals working from home, connecting to the VPN.
Supported VPN Protocols
IAPs support the following VPN protocols for remote access:
Table 38: VPN Protocols
VPN Protocol: Description
Aruba IPsec: IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session.
You can configure an IPsec tunnel to ensure that the data flow between the networks is encrypted. However, you can configure a split-tunnel to encrypt only the corporate traffic.
When IPsec is configured, ensure that you add the IAP MAC addresses to the whitelist database stored on the controller or an external server. IPsec supports Local, L2, and L3 modes of IAP-VPN operations.
NOTE: The IAPs support IPsec only with Aruba Controllers.
Layer-2 (L2) GRE: Generic Routing Encapsulation (GRE) is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an end-point. IAPs support the configuration of an L2 GRE (Ethernet over GRE) tunnel with an Aruba Controller to encapsulate the packets sent and received by the IAP.
You can use the GRE configuration for L2 deployments when there is no encryption requirement between the IAP and controller for client traffic.
IAPs support two types of GRE configuration:
- Manual GRE — The manual GRE configuration sends unencrypted client traffic with an additional GRE header and does not support failover. When manual GRE is configured on the IAP, ensure that the GRE tunnel settings are enabled on the controller.
- Aruba GRE — With Aruba GRE, no configuration on the controller is required except for adding the IAP MAC addresses to the whitelist database stored on the controller or an external server. Aruba GRE reduces manual configuration when Per-AP tunnel configuration is required and supports failover between two GRE end-points.
NOTE: IAPs support manual and Aruba GRE configuration only for L2 mode of operations. Aruba GRE configuration is supported only with Aruba Controllers.
L2TP: The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows an IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to an L2TP Network Server (LNS). In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with the IAP get their IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel.
Configuring a Tunnel from an IAP to Aruba mobility controller
IAP supports the configuration of tunneling protocols such as Generic Routing Encapsulation (GRE), IPsec, and L2TPv3. This section describes the procedure for configuring VPN host settings on an IAP to enable communication with a controller in a remote location:
- Configuring IPSec Tunnel on page 97
- Enabling Automatic Configuration of GRE Tunnel on page 97
- Manually Configuring a GRE Tunnel on page 98
- Configuring an L2TPv3 Tunnel on page 99
Configuring IPSec Tunnel
An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPSec tunnel to the controller secures corporate data. You can configure an IPSec tunnel from the Virtual Controller using Central.
To configure a tunnel using the IPSec Protocol:
1. Click the Wireless Configuration > VPN link in Central.
2. Click Controller. Select Aruba IPSec from the Protocol drop-down list.
3. Enter the IP address or fully qualified domain name (FQDN) for the main VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you specify the primary and backup host details, the other fields are displayed.
5. Specify the following parameters.
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional.
b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
c. To allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately, select Enabled from the Fast failover drop-down list. When fast failover is enabled and the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
d. Specify a value in seconds for Secs between test packets. Based on the configured frequency, the IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the IAP sends one packet to the controller every 5 seconds.
e. Enter a value for Max allowed test packet loss to define the number of lost packets after which the IAP can determine that the VPN connection is unavailable. The default value is 2.
f. To disconnect all wired and wireless users when the system switches during a VPN tunnel transition from primary to backup or from backup to primary, set Reconnect user on failover to Enabled.
g. To configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect time on failover within a range of 30-900 seconds. By default, the reconnection duration is set to 60 seconds. The Reconnect time on failover field is displayed only when Reconnect user on failover is enabled.
6. When the IPsec tunnel configuration is completed, the packets that are sent from and received by an IAP are encrypted.
Enabling Automatic Configuration of GRE Tunnel
GRE is an Aruba proprietary tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a controller and the IAPs. The automatic GRE feature uses the IPSec connection between the IAP and controller to send the control information for setting up a GRE tunnel. When automatic GRE configuration is enabled, a single IPSec tunnel between the IAP cluster and the controller and one or several GRE tunnels are created based on the Per-AP tunnel configuration on the IAP. When this feature is enabled on the IAP, no manual configuration is required on the controller to create the GRE tunnel.
You can configure an IAP to automatically set up a GRE tunnel from the IAP to the controller by using Central.
1. Click Wireless Configuration > VPN.
2. Click Controller. Select Aruba GRE from the Protocol drop-down list.
3. Enter the IP address or FQDN for the main VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in .
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional.
b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
c. To allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately, select Enabled or Disabled from the Fast failover drop-down list. If the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
d. To disconnect all wired and wireless users when the system switches during a VPN tunnel transition from primary to backup or from backup to primary, set Reconnect user on failover to Enabled.
e. To configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect time on failover within the range of 30-900 seconds. By default, the reconnection duration is set to 60 seconds.
f. Specify a value in seconds for Secs between test packets. Based on the configured frequency, the IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the IAP sends one packet to the controller every 5 seconds.
g. Enter a value for Max allowed test packet loss to define the number of lost packets after which the IAP can determine that the VPN connection is unavailable. The default value is 2.
h. Select Enabled or Disabled from the Per-AP tunnel drop-down list. The administrator can enable this option to create a GRE tunnel from each IAP to the VPN/GRE endpoint rather than only from the master IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the IAP itself and need not be forwarded through the master IAP.
6. Click Next to continue.
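The tunnel health-check and failover parameters shared by the IPSec and Aruba GRE procedures above (Secs between test packets, Max allowed test packet loss, Preemption, Hold time, Reconnect user on failover, Reconnect time on failover), modelled as an added example that is not Aruba code. How the IAP counts losses, the "consecutive losses exceed the maximum" threshold and the sample outage are this example's own assumptions.

```python
"""Added example, not Aruba code: a model of the tunnel health check and
primary/backup failover parameters from the IPSec and Aruba GRE procedures.
Probe handling and the loss threshold are this example's own interpretation."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TunnelSettings:
    """Fields mirror the Central VPN page; defaults are those the guide states."""
    secs_between_test_packets: int = 5
    max_allowed_test_packet_loss: int = 2
    preemption: bool = True
    hold_time: int = 600                  # seconds; used only when preemption is on
    reconnect_user_on_failover: bool = False
    reconnect_time_on_failover: int = 60  # seconds; valid range 30-900


@dataclass
class FailoverEvent:
    time: int                                # seconds since monitoring started
    new_active: str                          # "primary" or "backup"
    reason: str
    users_disconnected_until: Optional[int]  # set only with reconnect-on-failover


class TunnelMonitor:
    """Counts consecutive unanswered test packets per host and decides which
    tunnel carries traffic. One tick() is one test packet sent to each host."""

    def __init__(self, settings: TunnelSettings) -> None:
        self.s = settings
        self.active = "primary"
        self.lost = {"primary": 0, "backup": 0}
        self.primary_up_since: Optional[int] = None
        self.events: List[FailoverEvent] = []

    def _down(self, host: str) -> bool:
        # Assumption: a host is unavailable once consecutive losses exceed
        # 'Max allowed test packet loss' (3 losses with the default of 2).
        return self.lost[host] > self.s.max_allowed_test_packet_loss

    def _switch(self, to: str, now: int, reason: str) -> None:
        until = None
        if self.s.reconnect_user_on_failover:
            until = now + self.s.reconnect_time_on_failover
        self.active = to
        self.primary_up_since = None
        self.events.append(FailoverEvent(now, to, reason, until))

    def tick(self, now: int, primary_reply: bool, backup_reply: bool) -> str:
        for host, reply in (("primary", primary_reply), ("backup", backup_reply)):
            self.lost[host] = 0 if reply else self.lost[host] + 1
        if self.active == "primary":
            if self._down("primary") and not self._down("backup"):
                self._switch("backup", now, "primary unreachable")
        elif not primary_reply:
            self.primary_up_since = None          # hold time restarts on any loss
        else:
            if self.primary_up_since is None:
                self.primary_up_since = now
            if self.s.preemption and now - self.primary_up_since >= self.s.hold_time:
                self._switch("primary", now, "hold time elapsed")
            elif self._down("backup"):
                self._switch("primary", now, "backup unreachable")
        return self.active


def run_scenario(settings: TunnelSettings,
                 replies: List[Tuple[bool, bool]]) -> List[FailoverEvent]:
    """Feed one (primary answered, backup answered) pair per test interval."""
    mon = TunnelMonitor(settings)
    for i, (p, b) in enumerate(replies):
        mon.tick(i * settings.secs_between_test_packets, p, b)
    return mon.events


def primary_outage(probes: int, down_from: int, down_to: int) -> List[Tuple[bool, bool]]:
    """Constructed sample: the primary stops answering for probes
    down_from..down_to-1 while the backup answers throughout."""
    return [(not (down_from <= i < down_to), True) for i in range(probes)]


if __name__ == "__main__":
    # Defaults: the 3rd consecutive loss at t=20 s triggers failover; the primary
    # answers again at t=55 s and traffic returns to it once the 600 s hold time elapses.
    for e in run_scenario(TunnelSettings(), primary_outage(140, 2, 11)):
        print(f"t={e.time:4d}s -> {e.new_active} ({e.reason})")
```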
Manually Configuring a GRE Tunnel
You can also manually configure a GRE tunnel by configuring the GRE tunnel parameters on the IAP and controller. This procedure describes the steps involved in the manual configuration of a GRE tunnel from the Virtual Controller by using Central.
During the manual GRE setup, you can use either the Virtual Controller IP or the IAP IP to create the GRE tunnel at the controller side, depending on the following IAP settings:
- If a Virtual Controller IP is configured and Per-AP tunnel is disabled, the Virtual Controller IP is used to create the GRE tunnel.
- If a Virtual Controller IP is not configured or Per-AP tunnel is enabled, the IAP IP is used to create the GRE tunnel.
1. Click Wireless Configuration > VPN.
2. Click Controller. Select Manual GRE from the Protocol drop-down list.
3. Specify the following parameters.
a. Enter an IP address or the FQDN for the main VPN/GRE endpoint.
b. Enter a value for the GRE type parameter.
c. Select Enabled or Disabled from the Per-AP tunnel drop-down list. The administrator can enable this option to create a GRE tunnel from each IAP to the VPN/GRE endpoint rather than only from the master IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the IAP itself and need not be forwarded through the master IAP. By default, the Per-AP tunnel option is disabled.
4. When the GRE tunnel configuration is completed on both the IAP and controller, the packets sent from and received by an IAP are encapsulated, but not encrypted.
Configuring an L2TPv3 Tunnel
The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows an IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to an L2TP Network Server (LNS). In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with the IAP get their IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel. In this release, L2TPv3 supports the following:
- Central supports tunnel and session configuration, and uses Control Message Authentication (RFC 3931) for tunnel and session establishment. Each L2TPv3 tunnel supports one data connection, and this connection is termed an L2TPv3 session.
- Each IAP supports tunneling over UDP only.
- If the primary LNS is down, it fails over to the backup LNS. L2TPv3 has one tunnel profile and, under it, one primary peer and a backup peer are configured. If the primary tunnel creation fails or if the primary tunnel gets deleted, the backup starts. The following two failover modes are supported:
  - Preemptive: In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary tunnel resumes as the active tunnel. If you configure the tunnel to be preemptive, when the primary tunnel goes down it starts the persistence timer, which tries to bring up the primary tunnel.
  - Non-Preemptive: In this mode, when the backup tunnel is established after the primary tunnel goes down, it does not make the primary tunnel active again.
You can configure an L2TPv3 tunnel by using Central.
1. Click Wireless Configuration > VPN.
2. Click Controller.
3. Select L2TPv3 from the Protocol drop-down list.
4. Configure the tunnel profile:
a. Click New and enter the profile name to be used for tunnel creation.
b. Enter the primary server IP address.
c. Enter the remote end backup tunnel IP address. This is an optional field and is required only when a backup server is configured.
d. Enter the remote end UDP port number. The default value is 1701.
e. Enter the interval at which the hello packets are sent through the tunnel. The default value is 60 seconds.
f. Select the message digest, MD5 or SHA, used for message authentication.
g. Enter a shared key for the message digest. This key should match the tunnel end point shared key.
h. If required, select the failover mode as Primary or Backup (when the backup server is available).
i. Specify a value for the tunnel MTU if required. The default value is 1460.
j. Click Save.
5. Configure the session profile:
a. Enter the session name to be used for session creation.
b. Enter the tunnel profile name with which the session will be associated.
c. Configure the tunnel IP address with the corresponding network mask and VLAN ID. This is required to reach an AP from a corporate network, for example, for SNMP polling.
d. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set.
e. Click Save.
Configuring Routing Profiles
Central can terminate a single VPN connection on an Aruba mobility controller. The routing profile defines the corporate subnets which need to be tunneled through IPSec.
You can configure routing profiles to specify a policy based on routing into the VPN tunnel using Central.
1. Click Routing.
2. Click New. The route parameters to configure are displayed.
3. Update the following parameters:
- Destination — Specify the destination network that is reachable through the VPN tunnel. This defines the IP or subnet that must be reached through the IPsec tunnel. Traffic to the IP or subnet defined here will be forwarded through the IPsec tunnel.
- Netmask — Specify the subnet mask of the destination defined for Destination.
- Gateway — Specify the gateway to which traffic must be routed. This IP address must be the controller IP address on which the VPN connection is terminated. If you have a primary and backup host, configure two routes with the same destination and netmask, but ensure that the gateway is the primary controller IP for one route and the backup controller IP for the second route.
4. Click OK.
5. Click Finish.
Configuring DHCP and Client IP Assignment Modes
This section provides the following information:
- Configuring DHCP Scopes on page 100
- Configuring DHCP Server for Client IP Assignment on page 105
Configuring DHCP Scopes
The VC supports different modes of DHCP address assignment. With each DHCP address assignment mode, various client traffic forwarding modes are associated.
Configuring Distributed DHCP Scopes
Central allows you to configure the DHCP address assignment for the branches connected to the corporate network through VPN. You can configure the range of DHCP IP addresses used in the branches and the number of client addresses allowed per branch. You can also specify the IP addresses that must be excluded from those assigned to clients, so that they are assigned statically.
Central supports the following distributed DHCP scopes:
- Distributed, L2 — In this mode, the VC acts as the DHCP server, but the default gateway is in the data center. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC controls a scope that is a subset of the complete IP address range for the subnet distributed across all the branches. This DHCP assignment mode is used with the L2 forwarding mode.
- Distributed, L3 — In this mode, the VC acts as the DHCP server and the default gateway. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC is configured with a unique subnet and a corresponding scope.
To configure distributed DHCP scopes such as Distributed, L2 or Distributed, L3:
1. Select Wireless Configuration > DHCP.
2. To configure a distributed DHCP mode, click New under Distributed DHCP Scopes. The New DHCP Scope pane is displayed.
3. Based on the type of distributed DHCP scope, configure the following parameters:
Table 39: Distributed DHCP Scope Configuration Parameters
Data pane item: Description
Name: Enter a name for the DHCP scope.
Type: Select any of the following options:
- Distributed, L2 — On selecting Distributed, L2, the VC acts as the DHCP server but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.
- Distributed, L3 — On selecting Distributed, L3, the VC acts as both DHCP server and default gateway. Traffic is routed into the VPN tunnel.
VLAN: Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.
Netmask: If Distributed, L2 is selected for the type of DHCP scope, specify the subnet mask. The subnet mask and the network determine the size of the subnet.
Default Router: If Distributed, L2 is selected for the type of DHCP scope, specify the IP address of the default router.
DNS Server: If required, specify the IP address of a DNS server.
Domain Name: If required, specify the domain name.
Lease Time: Specify a lease time for the client in minutes.
IP Address Range: Specify a range of IP addresses to use. To add another range, click the + icon. You can specify up to four different ranges of IP addresses.
- For Distributed, L2 mode, ensure that all IP ranges are in the same subnet as the default router. On specifying the IP address ranges, a subnet validation is performed to ensure that the specified ranges of IP addresses are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count.
- For Distributed, L3 mode, you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count.
NOTE: You can allocate multiple branch IDs (BID) per subnet. The IAP generates a subnet name from the DHCP IP configuration, which the controller can use as a subnet identifier. If static subnets are configured in each branch, all of them are assigned BID 0, which is mapped directly to the configured static subnet.
Option: Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. For example, 176, 242, 161, and so on. To add multiple DHCP options, click the + icon. You can add up to eight DHCP options.
4. Click Next.
5. Specify the number of clients to use per branch. The client count configured for a branch determines the use of IP addresses from the IP address range defined for a DHCP scope. For example, if 20 IP addresses are available in an IP address range configured for a DHCP scope and a client count of 9 is configured, only a few IP addresses (in this example, 9) from this range will be used and allocated to a branch. The IAP does not allow the administrators to assign the remaining IP addresses to another branch, even if a lower value is configured for the client count.
6. Click Next. The Static IP tab is displayed. Specify the number of first and last IP addresses to reserve in the subnet.
7. Click Finish.
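The range validation and per-branch block split described for the IP Address Range item and the client-count step above, as an added example that is not part of the guide or Aruba's code. The exact block layout, the treatment of leftover addresses and the L3 subnet sizing are this example's own interpretation of the description; the ranges and router address are constructed.

```python
"""Added example, not Aruba code: validation and per-branch splitting of a
Distributed DHCP scope's address ranges as the guide describes them. The exact
block layout and L3 subnet sizing are this example's interpretation."""
from __future__ import annotations

import ipaddress
from typing import List, Tuple

IPRange = Tuple[str, str]  # (first address, last address) of one configured range


def validate_l2_ranges(ranges: List[IPRange], default_router: str,
                       netmask: str) -> ipaddress.IPv4Network:
    """Distributed, L2: every configured range must lie in the same subnet as the
    default router and subnet mask (the 'subnet validation' in Table 39)."""
    subnet = ipaddress.ip_network(f"{default_router}/{netmask}", strict=False)
    for first, last in ranges:
        for addr in (first, last):
            if ipaddress.ip_address(addr) not in subnet:
                raise ValueError(f"{addr} is outside the default router subnet {subnet}")
    return subnet


def branch_blocks(ranges: List[IPRange], client_count: int) -> Tuple[List[IPRange], int]:
    """Split each range into consecutive blocks of client_count addresses, one block
    per branch. Returns (blocks, leftover): a partial block at the end of a range is
    not handed to another branch, which is how the guide describes the leftover."""
    if client_count < 1:
        raise ValueError("client count must be at least 1")
    blocks: List[IPRange] = []
    leftover = 0
    for first, last in ranges:
        a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if b < a:
            raise ValueError(f"range {first}-{last} is reversed")
        size = b - a + 1
        for start in range(a, a + (size // client_count) * client_count, client_count):
            blocks.append((str(ipaddress.ip_address(start)),
                           str(ipaddress.ip_address(start + client_count - 1))))
        leftover += size % client_count
    return blocks, leftover


def l3_subnet_prefix(client_count: int) -> int:
    """Distributed, L3 (assumption): smallest prefix whose usable host addresses
    cover the clients plus the VC's gateway address (network and broadcast excluded)."""
    needed = client_count + 1
    prefix = 30
    while (2 ** (32 - prefix)) - 2 < needed:
        prefix -= 1
    return prefix


if __name__ == "__main__":
    # Constructed scope: the guide's step-5 case of 20 addresses and 9 clients.
    ranges = [("10.20.30.10", "10.20.30.29")]
    validate_l2_ranges(ranges, default_router="10.20.30.1", netmask="255.255.255.0")
    blocks, leftover = branch_blocks(ranges, client_count=9)
    print(blocks, leftover)       # two branch blocks, two addresses left unused
    print(l3_subnet_prefix(9))    # a /28 holds 9 clients plus the VC gateway
```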
Configuring Centralized DHCP Scope
The centralized DHCP scope supports L2 and L3 clients.
When a centralized DHCP scope is configured:
- The Virtual Controller does not assign an IP address to the client and the DHCP traffic is directly forwarded to the DHCP server.
- For L2 clients, the Virtual Controller bridges the DHCP traffic to the controller over the VPN/GRE tunnel. The IP address is obtained from the DHCP server behind the controller serving the VLAN/GRE of the client. This DHCP assignment mode also allows you to add the DHCP option 82 to the DHCP traffic forwarded to the controller.
- For L3 clients, the Virtual Controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located behind the controller in the corporate network and reachable through the IPSec tunnel. The centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
To configure a centralized DHCP scope:
1. Select Wireless Configuration > DHCP.
2. To configure Centralized DHCP scopes, click New under Centralized DHCP Scopes. The New DHCP Scope data pane is displayed.
3. Based on the type of DHCP scope, configure the following parameters:
Table 40: DHCP Mode Configuration Parameters
Data pane item: Description
Name: Enter a name for the DHCP scope.
VLAN: Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.
DHCP Relay: Select Enabled to allow the IAPs to intercept the broadcast packets and relay DHCP requests.
Helper Address: Enter the IP address of the DHCP server.
VLAN IP: Specify the VLAN IP address of the DHCP relay server.
VLAN Mask: Specify the VLAN subnet mask of the DHCP relay server.
Option 82: This option is available only if Centralized is selected. Select Alcatel to enable DHCP Option 82 to allow clients to send DHCP packets with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format. The ALU format for the Option 82 string consists of the following:
- Remote Circuit ID; X AP-MAC; SSID; SSID-Type
- Remote Agent; X IDUE-MAC
4. Click OK.
The Option 82 is specific to Alcatel and is not configurable in this version of Central.
The following table describes the behavior of the DHCP Relay Agent and Option 82 in the IAP.
Table 41: DHCP Relay And Option 82
DHCP relay | Option 82 | Behavior
Enabled | Enabled | DHCP packet relayed with the ALU-specific Option 82 string
Enabled | Disabled | DHCP packet relayed without the ALU-specific Option 82 string
Disabled | Enabled | DHCP packet not relayed, but broadcast with the ALU-specific Option 82 string
Disabled | Disabled | DHCP packet not relayed, but broadcast without the ALU-specific Option 82 string
Configuring Local and Local, L3 DHCP Scopes
You can configure Local and Local, L3 DHCP scopes.
- Local — In this mode, the VC acts as both the DHCP server and default gateway. The configured subnet and the corresponding DHCP scope are independent of subnets configured in other IAP clusters. The VC assigns an IP address from a local subnet and forwards traffic to both corporate and non-corporate destinations. The network address is translated appropriately and the packet is forwarded through the IPSec tunnel or through the uplink. This DHCP assignment mode is used for the NAT forwarding mode.
- Local, L2 — In this mode, the VC acts as a DHCP server and the gateway is located outside the IAP.
- Local, L3 — In this mode, the VC acts as a DHCP server and default gateway, and assigns an IP address from the local subnet. The IAP routes the packets sent by clients on its uplink. This DHCP assignment mode is used with the L3 forwarding mode.
To configure a new DHCP scope:
1. Select Wireless Configuration > DHCP. The DHCP Server data pane is displayed.
2. Click Local DHCP Scopes > New. The New DHCP Scope pane is displayed.
3. Based on the type of DHCP scope, configure the following parameters:
Table 42: Local DHCP Configuration Parameters
Data pane item: Description
Name: Enter a name for the DHCP scope.
Type: Select any of the following options:
- Local — On selecting Local, the DHCP server for the local branch network is used for keeping the scope of the subnet local to the IAP. In the NAT mode, the traffic is forwarded through the uplink.
- Local, L2 — On selecting Local, L2, the VC acts as a DHCP server and a default gateway in the local network is used.
- Local, L3 — On selecting Local, L3, the VC acts as a DHCP server and gateway.
VLAN: Enter the VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.
Network: Specify the network to use.
Netmask: Specify the subnet mask. The subnet mask and the network determine the size of the subnet.
Excluded Address: Specify a range of IP addresses to exclude. You can add up to two exclusion ranges. Based on the size of the subnet and the value configured for Excluded address, the IP addresses either before or after the defined range are excluded.
Default Router: Enter the IP address of the default router.
DNS Server: Enter the IP address of a DNS server.
Aruba Central | User Guide Wireless Configuration |
104
Table 42:
Local DHCP Configuration Parameters
Data pane item Description
Domain Name Enter the domain name.
Lease Time
Option
Enter a lease time for the client in minutes.
Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. To add multiple
DHCP options, click the (
+
) icon.
4. Click
OK
.
Configuring DHCP Server for Client IP Assignment
The DHCP server is a built-in server, used for networks in which clients are assigned IP addresses by the VC. You can customize the DHCP pool subnet and address range to provide simultaneous access to more clients. The largest address pool supported is 2048. The default size of the IP address pool is 512.
When the DHCP server is configured and the Client IP assignment parameter for an SSID profile is set to Virtual Controller Assigned, the Virtual Controller assigns the IP addresses to the WLAN or wired clients. By default, the IAP automatically determines a suitable DHCP pool for Virtual Controller Assigned networks.
The IAP typically selects the 172.31.98.0/23 subnet. If the IP address of the IAP is within the 172.31.98.0/23 subnet, the IAP selects the 10.254.98.0/23 subnet. However, this mechanism does not avoid all possible conflicts with the wired network. If your wired network uses either 172.31.98.0/23 or 10.254.98.0/23, and you experience problems with the Virtual Controller Assigned networks after upgrading to Aruba Central, manually configure the DHCP pool by following the steps described in this section.
To configure a domain name, DNS server, and DHCP server for client IP assignment:
1. Select Wireless Configuration > System > DHCP. The DHCP details are displayed.
2. Enter the domain name of the client in Domain Name.
3. Enter the IP addresses of the DNS servers, separated by commas, in DNS Server.
4. Enter the duration of the DHCP lease in Lease Time.
5. Select Minutes, Hours, or Days for the lease time from the list next to Lease Time. The default lease time is 0.
6. Enter the network in the Network box.
7. Enter the mask in the Mask box.
To provide simultaneous access to more than 512 clients, use the Network and Mask fields to specify a larger range. While the network (or prefix) is the common part of the address range, the mask (suffix) specifies how long the variable part of the address range is.
8. Click Save Settings to apply the changes.
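The two sizing and overlap caveats above (a pool of at most 2048 addresses, and an automatically chosen 172.31.98.0/23 or 10.254.98.0/23 that may still collide with the wired network) are easy to check before touching the form. The following is an added example, not Aruba Central code: the pool limits and the two auto-selected subnets are the values this guide states, while the wired subnets, scope addresses and exclusion ranges passed in are constructed sample input. It also applies the Excluded Address rule from Table 42 to count what a Local DHCP scope would actually hand out.

```python
"""DHCP pool planning helper for the Virtual Controller Assigned pool and the
Local DHCP scope form described in this section.

Added example, not Aruba Central code. Pool limits and the two auto-selected
subnets come from the guide; every other value is constructed sample input.
"""
import ipaddress

DEFAULT_POOL_SIZE = 512   # default IP address pool size (from the guide)
MAX_POOL_SIZE = 2048      # largest supported pool (from the guide)

# Subnets the IAP picks automatically for Virtual Controller Assigned networks.
PRIMARY_AUTO_POOL = ipaddress.ip_network("172.31.98.0/23")
FALLBACK_AUTO_POOL = ipaddress.ip_network("10.254.98.0/23")


def auto_pool_for(iap_address):
    """Reproduce the selection rule: 172.31.98.0/23 unless the IAP's own
    address already lies in that subnet, in which case 10.254.98.0/23."""
    if ipaddress.ip_address(iap_address) in PRIMARY_AUTO_POOL:
        return FALLBACK_AUTO_POOL
    return PRIMARY_AUTO_POOL


def wired_conflicts(wired_subnets, pool):
    """Return the wired subnets that overlap `pool`. The automatic rule only
    avoids the IAP's own subnet, so this is the check the administrator has
    to make before trusting the automatic pool."""
    return [net for net in map(ipaddress.ip_network, wired_subnets)
            if net.overlaps(pool)]


def check_scope(network, netmask, excluded_ranges=()):
    """Validate a Network/Netmask entry plus up to two Excluded Address
    ranges, as on the Local DHCP scope form.

    Returns (assignable_addresses, problems). Network and broadcast
    addresses are never assignable; exclusions must lie inside the subnet.
    """
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    problems = []
    if len(excluded_ranges) > 2:
        problems.append("only two exclusion ranges are supported")
    first_host = int(net.network_address) + 1
    last_host = int(net.broadcast_address) - 1
    excluded = set()
    for start, end in excluded_ranges[:2]:
        lo = int(ipaddress.ip_address(start))
        hi = int(ipaddress.ip_address(end))
        if (lo > hi or ipaddress.ip_address(lo) not in net
                or ipaddress.ip_address(hi) not in net):
            problems.append(f"exclusion {start}-{end} is not inside {net}")
            continue
        # Only host addresses count; a range may touch network/broadcast.
        excluded.update(range(max(lo, first_host), min(hi, last_host) + 1))
    assignable = (last_host - first_host + 1) - len(excluded)
    if assignable > MAX_POOL_SIZE:
        problems.append(
            f"{assignable} assignable addresses exceed the {MAX_POOL_SIZE} maximum")
    return assignable, problems


if __name__ == "__main__":
    # Constructed wired subnets for a site whose IAP sits at 10.0.0.5.
    pool = auto_pool_for("10.0.0.5")
    print("automatic pool:", pool, "conflicts:",
          wired_conflicts(["172.31.98.0/24", "192.168.1.0/24"], pool))
    print("manual /21 scope:", check_scope("10.10.0.0", "255.255.248.0"))
```

Run it as a script to see the automatic pool and its conflicts for the constructed site, or call check_scope with the Network and Mask you intend to enter: a /21 yields 2046 assignable addresses and stays within the 2048 limit, a /20 does not.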
Configuring Services
This section provides the following:
- Configuring an IAP for RTLS Support on page 106
- Configuring an IAP for Analytics and Location Engine Support on page 106
- Configuring OpenDNS Credentials on page 107
- CALEA Integration and Lawful Intercept Compliance on page 107
- Configuring an IAP for Bonjour Support on page 109
- Integrating an IAP with Palo Alto Networks Firewall on page 112
- Enabling AppRF Service on page 113
Configuring an IAP for RTLS Support
Central supports the real-time tracking of devices when integrated with a third-party RTLS such as Aeroscout. With the help of the RTLS, the devices can be monitored in real time or through history.
To configure a third-party RTLS such as Aeroscout:
1. Select Wireless Configuration > Services > RTLS.
2. Select Aeroscout to send the RFID tag information to an Aeroscout RTLS.
3. Specify the IP address and port number of the Aeroscout server to which location reports must be sent.
4. Select Include Unassociated Stations to send reports on the stations that are not associated to any IAP to the Aeroscout RTLS server.
5. Click Save Settings.
To configure a third-party RTLS such as Aeroscout:
1. Select the Aeroscout check box to send the RFID tag information to an AeroScout RTLS.
2. Specify the IP address and port number of the AeroScout server to which location reports must be sent.
3. Select the Include unassociated stations check box to send reports on the stations that are not associated to any IAP to the Aeroscout RTLS server.
4. Click OK.
Configuring an IAP for Analytics and Location Engine Support
The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it, and share it through a standard API. The client information gathered by ALE can be used for analyzing a client's Internet behavior for business purposes such as shopping preferences.
ALE includes a location engine that calculates the associated and unassociated device location every 30 seconds by default. For every device on the network, ALE provides the following information through the Northbound API:
- Client user name
- IP address
- MAC address
- Device type
- Application firewall data, showing the destinations and applications used by associated devices
- Current location
- Historical location
ALE requires the AP placement data to be able to calculate the location of the devices in a network.
ALE with Central
Central supports the Analytics and Location Engine (ALE). The ALE server acts as a primary interface to all third-party applications, and the IAP sends client information and all status information to the ALE server.
To integrate an IAP with ALE, the ALE server address must be configured on the IAP. If the ALE server is configured with a host name, the Virtual Controller performs mutual certificate-based authentication with the ALE server before sending any information.
Enabling ALE support on an IAP
To configure an IAP for ALE support:
1. Click Wireless Configuration > Services. The Services pane is displayed.
2. Click the RTLS tab. The tab details are displayed.
3. Select Analytics & Location Engine.
4. Specify the ALE server name or IP address.
5. Specify the reporting interval within the range of 6–60 seconds. The IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds.
6. Click OK.
Configuring OpenDNS Credentials
Central uses the OpenDNS credentials to provide enterprise-level content filtering.
To configure OpenDNS credentials:
1. Select Wireless Configuration > Services > OpenDNS. The OpenDNS details are displayed.
2. Enter the Username and Password.
3. Click Save Settings.
CALEA Integration and Lawful Intercept Compliance
Lawful Intercept (LI) allows the Law Enforcement Agencies (LEA) to perform an authorized electronic surveillance. Depending on the country of operation, the service providers (SPs) are required to support LI in their respective networks.
In the United States, SPs are required to ensure LI compliance based on Communications Assistance for Law Enforcement Act (CALEA) specifications.
Central supports CALEA integration in hierarchical and flat topologies, mesh IAP networks, and wired and wireless networks.
Enable this feature only if lawful interception is authorized by a law enforcement agency.
CALEA Server Integration
To support CALEA integration and ensure LI compliance, you can configure the IAPs to replicate a specific or selected client traffic and send it to a remote CALEA server.
Traffic Flow from AP to CALEA Server
You can configure an IAP to send GRE encapsulated packets to the CALEA server and replicate client traffic within the GRE tunnel. Each IAP sends GRE encapsulated packets only for its associated or connected clients.
The following figure illustrates the traffic flow from the IAP to the CALEA server.
Figure 3 AP To CALEA Server
Traffic Flow from IAP to CALEA Server through VPN
You can also deploy the CALEA server with the controller and configure an additional IPSec tunnel for corporate access. When the CALEA server is configured with the controller, the client traffic is replicated by the slave IAP, encapsulated in GRE on the slave, and routed to the master IAP. The master IAP sends the IPsec client traffic to the controller. The controller handles the IPSec client traffic while the GRE data is routed to the CALEA server. The following figure illustrates the traffic flow from the IAP to the CALEA server through VPN.
Figure 4 AP To CALEA Server Through VPN
Ensure that the IPSec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN. For more information on configuring IPSec, see Configuring IPSec Tunnel on page 97.
Client Traffic Replication
Client traffic is replicated in the following ways:
- Through RADIUS VSA—In this method, the client traffic is replicated by using the RADIUS VSA to assign clients to a CALEA-related user role. To enable role assignment to clients, you need to create a user role and a CALEA access rule, and then assign the CALEA rule to the user role. Whenever a client that is configured to use a CALEA rule connects, a replication role is assigned.
- Through Change of Authorization (CoA)—In this method, a user session can start without replication. When the network administrator triggers a CoA from the RADIUS server, the user session is replicated. The replication is stopped when the user disconnects or by sending a CoA to change the replication role.
As the client information is shared between multiple IAPs in a cluster, the replication rules persist when clients roam within the cluster.
Configuring an IAP for CALEA Integration
To enable CALEA server integration, perform the following steps:
Creating a CALEA Profile
You can create a CALEA profile by using Central.
1. Click Configuration > Services of the Central main window.
2. Click CALEA. The CALEA tab details are displayed.
3. Specify the following parameters:
- IP address — Specify the IP address of the CALEA server.
- Encapsulation type — Specify the encapsulation type. The current release of Central supports GRE only.
- GRE type — Specify the GRE type.
- MTU — Specify a size for the maximum transmission unit (MTU) within the range of 68–1500. After GRE encapsulation, if the packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1500.
4. Click OK.
Creating an Access Rule for CALEA
You can create an access rule for CALEA by using Central.
1. To add the CALEA access rule to an existing profile, select an existing wireless (Networks tab > edit) or wired (More > Wired > Edit) profile. To add the access rule to a new profile, click New under the Networks tab and create a WLAN profile, or click More > Wired > New and create a wired port profile.
2. In the Access tab, select the role for which you want to create the access rule.
3. Under Access Rules, click New. The New Rule window is displayed.
4. Select CALEA.
5. Click OK.
6. Create a role assignment rule if required.
7. Click Finish.
Configuring an IAP for Bonjour Support
This section provides the following information:
- Bonjour support Overview on page 109
- Bonjour support with Central on page 110
- Configuring Bonjour support and Bonjour support Services on page 111
Bonjour support Overview
Bonjour support is a zero-configuration networking protocol that enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home.
Bonjour can be installed on computers running Microsoft Windows and is supported by the new network-capable printers. Bonjour uses multicast DNS (mDNS) to locate devices and the services offered by these devices. The Bonjour support solution supports both wired and wireless devices. Wired devices that support Bonjour services are part of Bonjour support when connected to a VLAN that is terminated on the VC.
The distributed Bonjour support architecture allows each IAP to handle Bonjour queries and responses without overloading a VC. This results in a scalable Bonjour support solution.
Figure 5 shows a sample Bonjour support architecture. In this scenario, IAP1 discovers the AirPrint printer (P1) and IAP3 discovers the Apple TV (TV1). IAP1 advertises information about P1 to the other IAPs on the LAN. Similarly, IAP3 advertises information about TV1 to IAP1 and IAP2. This type of distributed architecture allows any IAP to respond to its connected devices locally. In this example, the iPad obtains a direct response from AP2 about the other Bonjour-enabled services in the network.
Figure 5 Bonjour Support Architecture
Bonjour support with Central
Bonjour support capabilities are available in Aruba WLANs where Wi-Fi data is transmitted via IAPs. Bonjour support is available on an Aruba WLAN that is managed by Central.
- The Bonjour support administrator assigns the Bonjour support operator role to an end user, which authorizes the user to register their device, such as an Apple TV.
- Central maintains information for all mDNS services.
- Central responds to device queries based on contextual data such as user role, username, and location.
Bonjour support Solution
In large universities and enterprise networks, it is common for Bonjour-capable devices to connect to the network across VLANs. As a result, user devices such as an iPad on a specific VLAN cannot discover an Apple TV that resides on another VLAN. As the addresses used by the protocol are link-scope multicast addresses, each query or advertisement can only be forwarded on its respective VLAN.
Broadcast and multicast traffic are usually filtered out from a wireless LAN network to preserve airtime and battery life. This inhibits the performance of Bonjour services as they rely on multicast traffic. Aruba addresses this mDNS challenge with Bonjour support technology.
Bonjour support leverages key elements from the Aruba portfolio, including operating system software for Central. Bonjour support maintains seamless connectivity between clients and services across VLANs and SSIDs. The mDNS packet traffic is minimized, thereby preserving valuable wired network bandwidth and WLAN airtime.
The following list summarizes the filtering options that are integrated with Central deployment models:
- Allow mDNS to propagate across subnets/VLANs
- Limit multicast mDNS traffic on the network
- VLAN-based mDNS service policy enforcement
- User-role-based mDNS service policy enforcement
Bonjour support also enables context awareness for services across the network:
- Bonjour support is aware of personal devices. For example, an Apple TV in a dorm room can be associated with the student who owns it.
- Bonjour support is aware of shared resources. For example, an Apple TV in a meeting room or a printer in a supply room that is available to certain users, such as the marketing department. Or, in a classroom, teachers can use AirPlay to wirelessly project a laptop screen onto an HDTV monitor using an Apple TV.
- When configured with Central, Bonjour support enables a client to perform a location-based discovery. For example, when a client roams from one Central cluster to another, it can discover devices available in the new cluster to which the client is currently connected.
Bonjour support provides the following features:
- Send unicast responses to mDNS queries and reduce the mDNS traffic footprint.
- Ensure cross-VLAN visibility and availability of mDNS devices and services.
- Allow or block mDNS services for all users.
- Allow or block mDNS services based on user roles.
- Allow or block mDNS services based on VLANs.
Bonjour supports zero-configuration services. The services are preconfigured and are available as part of the factory default configuration. The administrator can also enable or disable any or all services.
The following services are available for IAP clients:
- AirPlay — Apple AirPlay allows wireless streaming of music, video, and slideshows from your iOS device to Apple TV and other devices that support the AirPlay feature.
- AirPrint — Apple AirPrint allows you to print from an iPad, iPhone, or iPod Touch directly to any AirPrint-compatible printer.
- iTunes — The iTunes service is used by iTunes Wi-Fi sync and iTunes home-sharing applications across all Apple devices.
- RemoteMgmt — Use this service for remote login, remote management, and FTP utilities on Apple devices.
- Sharing — Applications such as disk sharing and file sharing use the service IDs that are part of this service on one or more Apple devices.
- Chat — The iChat (Instant Messenger) application on Apple devices uses this service.
Configuring Bonjour support and Bonjour support Services
To enable Bonjour support and its services:
1. Select Wireless Configuration > Services > Bonjour support.
2. Select ENABLE Bonjour support. The Bonjour support configuration parameters are displayed.
3. Select Enable Guest Bonjour support Multicast to allow the users to use Bonjour support services enabled in a guest VLAN. However, the Bonjour support devices are visible in the guest VLAN and Bonjour support does not discover or enforce policies in the guest VLAN.
4. Select Enable Bonjour Support Across Mobility Domains to enable inter-cluster mobility. Central supports two types of assignment modes:
- Intra Cluster (check box cleared) - The IAP does not share the mDNS database information with the other clusters.
- Inter Cluster (check box selected) - The IAP shares the mDNS database information with the other clusters. The DNS records in the VC can be shared with all the VCs configured for L3 Mobility.
5. Select the required Bonjour support services. To allow all services, select Allow all.
6. Based on the services configured, you can block any user roles and VLANs from accessing a Bonjour support service. The user roles and VLANs marked as disallowed are prevented from accessing the corresponding Bonjour support service. You can create a list of disallowed user roles and VLANs for all Bonjour support services configured on the IAP. For example, if the AirPlay service is selected, the Edit links for the AirPlay Disallowed Roles and AirPlay Disallowed VLANS are displayed. Similarly, if the Sharing service is selected, the Edit links for the Sharing Disallowed Roles and Sharing Disallowed VLANS are displayed.
- To block user roles from accessing a Bonjour support service, click the corresponding Edit link and select the user roles for which you want to restrict access. By default, a Bonjour support service is accessible by all user roles configured in your IAP cluster.
- To block VLANs from accessing a Bonjour support service, click the corresponding Edit link and select the VLANs to exclude. By default, the Bonjour support services are accessible by users or devices in all VLANs configured in your IAP cluster.
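The overview explained that Bonjour discovery rides on link-scope mDNS, and the procedure above ends with per-service Disallowed Roles and Disallowed VLANs lists. The following added example, which is not Central's implementation, ties the two together: it parses the question of an mDNS query (constructed inline as sample input), maps the DNS-SD service type to one of the six service names in this section, and evaluates the role and VLAN policy the way the Edit links describe. The mapping from service types such as _airplay._tcp to service names, and the policy itself, are assumptions made for the example.

```python
"""Per-service Bonjour policy check driven by a parsed mDNS query.

Added example, not Central's implementation. The query bytes are constructed
sample input; the service-type mapping and the policy below are assumptions
that mirror the Disallowed Roles / Disallowed VLANs lists in this section.
"""
import struct

# Assumed DNS-SD service types behind each Bonjour service name in the guide.
SERVICE_TYPES = {
    "_airplay._tcp.local": "AirPlay",
    "_raop._tcp.local": "AirPlay",
    "_ipp._tcp.local": "AirPrint",
    "_daap._tcp.local": "iTunes",
    "_ssh._tcp.local": "RemoteMgmt",
    "_afpovertcp._tcp.local": "Sharing",
    "_smb._tcp.local": "Sharing",
    "_presence._tcp.local": "Chat",
}


def build_mdns_query(name):
    """Constructed sample input: one PTR question (QTYPE 12, QCLASS IN) for
    `name`, preceded by the 12-byte DNS header."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 12, 1)


def parse_mdns_question(packet):
    """Return (qname, qtype) of the first question. A query's QNAME is never
    compressed, so pointer labels are rejected rather than followed."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype


def service_for(qname):
    """Map 'Meeting Room._airplay._tcp.local' or '_airplay._tcp.local' to a
    service name; None if the type is not one the policy knows."""
    labels = qname.split(".")
    for i, label in enumerate(labels):
        if label.startswith("_"):
            return SERVICE_TYPES.get(".".join(labels[i:]))
    return None


# Constructed policy: selected services plus per-service disallowed roles
# and VLANs, as they would be entered through the Edit links.
POLICY = {
    "allow_all": False,
    "services": {"AirPlay", "AirPrint", "Sharing"},
    "disallowed_roles": {"AirPlay": {"guest"}, "Sharing": {"guest", "contractor"}},
    "disallowed_vlans": {"AirPlay": {100}},
}


def decide(packet, user_role, vlan, policy=POLICY):
    """Return ('allow' | 'block', reason) for a client's query given its
    user role and VLAN."""
    qname, _qtype = parse_mdns_question(packet)
    service = service_for(qname)
    if service is None:
        return "block", f"unknown service type in {qname}"
    if not policy["allow_all"] and service not in policy["services"]:
        return "block", f"{service} is not an enabled service"
    if user_role in policy["disallowed_roles"].get(service, set()):
        return "block", f"role {user_role} is disallowed for {service}"
    if vlan in policy["disallowed_vlans"].get(service, set()):
        return "block", f"VLAN {vlan} is disallowed for {service}"
    return "allow", service
```

Feed decide a captured query, the querying client's role and its VLAN; the order of checks (service selected, then role, then VLAN) is the same order the procedure configures them in, so the reason string tells you which of the three settings produced a block.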
Integrating an IAP with Palo Alto Networks Firewall
Palo Alto Networks (PAN) next-generation firewall offers contextual security for all users for safe enabling of applications. A simple firewall that looks no further than IP addresses or TCP port numbers provides only a subset of the enhanced security required for enterprises to secure their networks. In the context of businesses using social networking sites, legacy firewalls are not able to differentiate valid authorized users from casual social networking users.
The Palo Alto next-generation firewall is based on user ID, which provides many methods for connecting to sources of identity information and associating them with firewall policy rules. For example, it provides an option to gather user information from an Active Directory or LDAP server.
Integration with Central
The functionality provided by the PAN firewall based on user ID requires the collection of information from the network. The IAP maintains the network information (such as IP address mapping) and user information for its clients in the network and can provide the required information for the user ID feature on the PAN firewall. Before sending the user-ID mapping information to the PAN firewall, the IAP must retrieve an API key that is used for authentication for all APIs.
IAP and PAN firewall integration can be seamless with the XML API that is available with PAN-OS 5.0 or later.
To integrate an IAP with PAN user ID, a global profile is added. This profile can be configured on an IAP with PAN firewall information such as IP address, port, user name, password, and firewall enabled or disabled status.
The IAP sends messages to PAN based on the type of authentication and client status:
- After a client completes the authentication and is assigned an IP address, the IAP sends the login message.
- After a client is disconnected or disassociated from the IAP, the IAP sends a logout message.
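What the two messages above carry is easiest to see in the User-ID XML API form a PAN-OS firewall accepts. The following is an added example, not Aruba's implementation of the integration: the message layout (uid-message, payload, login or logout, entry) and the two request shapes (keygen to obtain the API key, user-id to deliver an update) follow the PAN-OS XML API; the firewall host, user name, IP address and API key are constructed placeholders. Nothing is sent; the functions build and parse the messages so you can verify what an integration emits.

```python
"""User-ID login/logout messages for the PAN-OS XML API, as an integration
like the one described in this section would send them.

Added example, not Aruba's implementation. Message layout and request shapes
follow the PAN-OS XML API; host, user, IP address and key are placeholders.
"""
import xml.etree.ElementTree as ET


def uid_message(event, user, ip, timeout_minutes=None):
    """Build one User-ID update. `event` is 'login' (client authenticated and
    holding an IP address) or 'logout' (client disconnected or disassociated)."""
    if event not in ("login", "logout"):
        raise ValueError(f"unsupported event {event!r}")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    section = ET.SubElement(ET.SubElement(root, "payload"), event)
    entry = ET.SubElement(section, "entry", name=user, ip=ip)
    if event == "login" and timeout_minutes is not None:
        # Timeout bounds how long a stale mapping survives if no logout arrives.
        entry.set("timeout", str(int(timeout_minutes)))
    return ET.tostring(root, encoding="unicode")


def keygen_request(host, username, password, port=443):
    """Request that retrieves the API key, performed once before any update.
    Returns (url, form_fields) to be sent as an HTTPS POST."""
    return (f"https://{host}:{port}/api/",
            {"type": "keygen", "user": username, "password": password})


def userid_request(host, api_key, message_xml, port=443):
    """Request carrying one User-ID update, authenticated with the API key."""
    return (f"https://{host}:{port}/api/",
            {"type": "user-id", "key": api_key, "cmd": message_xml})


def parse_uid_message(xml_text):
    """Inverse of uid_message: a list of (event, user, ip, timeout) tuples,
    useful for checking what an integration actually emitted."""
    root = ET.fromstring(xml_text)
    if root.tag != "uid-message":
        raise ValueError("not a uid-message")
    out = []
    for section in root.find("payload"):
        for entry in section.findall("entry"):
            out.append((section.tag, entry.get("name"),
                        entry.get("ip"), entry.get("timeout")))
    return out


if __name__ == "__main__":
    # Constructed client: corp\alice authenticated and given 10.1.20.7.
    login = uid_message("login", "corp\\alice", "10.1.20.7", timeout_minutes=20)
    print(userid_request("fw.example.test", "API-KEY-PLACEHOLDER", login))
    print(parse_uid_message(uid_message("logout", "corp\\alice", "10.1.20.7")))
```

The key retrieved through keygen_request is the credential that authorizes every later user-id update, which is why step 4 of the procedure below asks for the firewall administrator's credentials; treat that key as you would the administrator password.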
Configuring IAP for PAN integration
To configure an IAP for PAN firewall integration:
1. Select Wireless Configuration > Services. The Services pane is displayed.
2. Click Network Integration. The PAN firewall configuration options are displayed.
3. Select Enable to enable the PAN firewall.
4. Specify the User Name and Password. Ensure that you provide the user credentials of the PAN firewall administrator.
5. Enter the PAN firewall IP Address.
6. Enter the port number within the range of 1–65535. The default port is 443.
7. Click Save Settings.
Enabling AppRF Service
To view the AppRF statistics for the clients associated with an IAP, you must enable the AppRF service.
To enable AppRF:
1. Navigate to Wireless Configuration > Services.
2. Click APP RF and then select the Enable DPI check box.
Configuring Uplinks
This section provides the following information:
- Uplink Interfaces
- Uplink Preferences and Switching on page 120
Uplink Interfaces
Central supports 3G and 4G USB modems and the Wi-Fi uplink to provide access to the corporate network.
The following figure illustrates a scenario in which the IAPs join the Virtual Controller as slave IAPs through a wired or mesh Wi-Fi uplink:
Figure 6 Uplink Types
The following types of uplinks are supported on Central:
- 3G/4G Uplink
- Wi-Fi uplink
- Ethernet Uplink
3G/4G Uplink
Central supports the use of 3G/4G USB modems to provide the Internet backhaul to Central. The 3G/4G USB modems can be used to extend client connectivity to places where an Ethernet uplink cannot be configured. This enables the RAPs to automatically choose the available network in a specific region.
Types of Modems
Central supports the following three types of 3G modems:
- True Auto Detect — Modems of this type can be used only in one country and for a specific ISP. The parameters are configured automatically and hence no configuration is necessary.
- Auto-detect + ISP/country — Modems of this type require the user to specify the Country and ISP. The same modem is used for different ISPs with different parameters configured for each of them.
- No Auto-detect — Modems of this type are used only if they share the same Device-ID, Country, and ISP details. You need to configure different parameters for each of them. These modems work with Central when the appropriate parameters are configured.
The following table lists the types of supported 3G modems:
Table 43: List Of Supported 3G Modems
Modem Type                 Supported 3G Modems
True Auto Detect
- USBConnect 881 (Sierra 881U)
- Quicksilver (Globetrotter ICON 322)
- UM100C (UTstarcom)
- Icon 452
- Aircard 250U (Sierra)
- USB 598 (Sierra)
- U300 (Franklin wireless)
- U301 (Franklin wireless)
- USB U760 for Virgin (Novatel)
- USB U720 (Novatel/Qualcomm)
- UM175 (Pantech)
- UM150 (Pantech)
- UMW190 (Pantech)
- SXC-1080 (Qualcomm)
- Globetrotter ICON 225
- UMG181
- NTT DoCoMo L-05A (LG FOMA L05A)
- NTT DoCoMo L-02A
- ZTE WCDMA Technologies MSM (MF668?)
- Fivespot (ZTE)
- c-motech CNU-600
- ZTE AC2736
- SEC-8089 (EpiValley)
- Nokia CS-10
- NTT DoCoMo L-08C (LG)
- NTT DoCoMo L-02C (LG)
- Novatel MC545
- Huawei E220 for Movistar in Spain
- Huawei E180 for Movistar in Spain
- ZTE-MF820
- Huawei E173s-1
- Sierra 320
- Longcheer WM72
- U600 (3G mode)
Auto-detect + ISP/country
- Sierra USB-306 (HK CLS/1010 (HK))
- Sierra 306/308 (Telstra (Aus))
- Sierra 503 PCIe (Telstra (Aus))
- Sierra 312 (Telstra (Aus))
- Aircard USB 308 (AT&T's Shockwave)
- Compass 597 (Sierra) (Sprint)
- U597 (Sierra) (Verizon)
- Tstick C597 (Sierra) (Telecom (NZ))
- Ovation U727 (Novatel) (Sprint)
- USB U727 (Novatel) (Verizon)
- USB U760 (Novatel) (Sprint)
- USB U760 (Novatel) (Verizon)
- Novatel MiFi 2200 (Verizon Mifi 2200)
- Huawei E272, E170, E220 (ATT)
- Huawei E169, E180, E220, E272 (Vodafone/SmarTone (HK))
- Huawei E160 (O2 (UK))
- Huawei E160 (SFR (France))
- Huawei E220 (NZ and JP)
- Huawei E176G (Telstra (Aus))
- Huawei E1553, E176 (3/HUTCH (Aus))
- Huawei K4505 (Vodafone/SmarTone (HK))
- Huawei K4505 (Vodafone (UK))
- ZTE MF656 (Netcom (Norway))
- ZTE MF636 (HK CSL/1010)
- ZTE MF633/MF636 (Telstra (Aus))
- ZTE MF637 (Orange in Israel)
- Huawei E180, E1692, E1762 (Optus (Aus))
- Huawei E1731 (Airtel-3G (India))
- Huawei E3765 (Vodafone (Aus))
- Huawei E3765 (T-Mobile (Germany))
- Huawei E1552 (SingTel)
- Huawei E1750 (T-Mobile (Germany))
- UGM 1831 (TMobile)
- Huawei D33HW (EMOBILE (Japan))
- Huawei GD01 (EMOBILE (Japan))
- Huawei EC150 (Reliance NetConnect+ (India))
- KDDI DATA07 (Huawei) (KDDI (Japan))
- Huawei E353 (China Unicom)
- Huawei EC167 (China Telecom)
- Huawei E367 (Vodafone (UK))
- Huawei E352s-5 (T-Mobile (Germany))
No auto-detect
- Huawei D41HW
- ZTE AC2726
Table 44: 4G Supported Modem
Modem Type                 Supported 4G Modem
True Auto Detect
- Pantech UML290
- Ether-lte
When the UML290 runs in auto-detect mode, the modem can switch from the 4G network to the 3G network or vice versa based on the signal strength. To configure the UML290 for the 3G network only, manually set the USB type to pantech-3g. To configure the UML290 for the 4G network only, manually set the 4G USB type to pantech-lte.
Configuring Cellular Uplink Profiles
You can configure 3G or 4G uplinks using Central.
1. Click the System link at the upper right corner of the Central main window. The System window is displayed.
2. In the System window, click the show advanced settings link. The advanced options are displayed.
3. Click the Uplink tab and perform any of the following steps:
- To configure a 3G or 4G uplink automatically, select the Country and ISP. The parameters are automatically populated.
- To configure a 3G or 4G uplink manually, perform the following steps:
  a. Obtain the modem configuration parameters from the local IT administrator or the modem manufacturer.
  b. Enter the 3G/4G modem driver type:
     - For 3G — Enter the type of 3G modem in the USB type text box.
     - For 4G — Enter the type of 4G modem in the 4G USB type text box.
  c. Enter the device ID of the modem in the USB dev text box.
  d. Enter the TTY port of the modem in the USB tty text box.
  e. Enter the parameter to initialize the modem in the USB init text box.
  f. Enter the parameter to dial the cell tower in the USB dial text box.
  g. Enter the username used to dial the ISP in the USB user text box.
  h. Enter the password used to dial the ISP in the USB password text box.
  i. Enter the parameter used to switch a modem from the storage mode to modem mode in the USB mode switch text box.
4. To configure 3G/4G network switching, provide the driver type for the 3G modem in the USB type text box and the driver type for the 4G modem in the 4G USB type text box.
5. Click OK.
6. Reboot the IAP for the changes to take effect.
Wi-Fi uplink
The Wi-Fi uplink is supported for all IAP models except 802.11ac APs. Only the master IAP uses the Wi-Fi uplink. The Wi-Fi uplink can connect to open, PSK-CCMP, and PSK-TKIP SSIDs.
- For single-radio IAPs, the radio serves wireless clients and the Wi-Fi uplink.
- For dual-radio IAPs, both radios can be used to serve clients but only one of them can be used for the Wi-Fi uplink.
When the Wi-Fi uplink is in use, the client IP is assigned by the internal DHCP server.
Configuring a Wi-Fi Uplink Profile
The following configuration conditions apply to the Wi-Fi uplink:
- To bind or unbind the Wi-Fi uplink on the 5 GHz band, reboot the IAP.
- If the Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.
To provision an IAP with Wi-Fi uplink, complete the following steps:
1. If you are configuring a Wi-Fi uplink after restoring factory settings on an IAP, connect the IAP to an Ethernet cable to allow the IAP to get the IP address. Otherwise, go to step 2.
2. Select Wireless Configuration > System. The System details are displayed.
3. Select Uplink and, under WiFi, enter the name of the wireless network that is used for the Wi-Fi uplink in the Name (SSID) box.
4. From Management, select the type of key for uplink encryption and authentication. If the uplink wireless router uses mixed encryption, WPA-2 is recommended for the Wi-Fi uplink.
5. From Band, select the band in which the VC currently operates. The following options are available:
- 2.4 GHz (default)
- 5 GHz
6. From Passphrase Format, select a passphrase format. The following options are available:
- 8 - 63 alphanumeric characters
- 64 hexadecimal characters
Ensure that the hexadecimal password string is exactly 64 digits in length.
7. Enter a pre-shared key (PSK) passphrase in Passphrase and click OK.
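The two passphrase formats in step 6 are not two encodings of the same thing: an 8 to 63 character passphrase is stretched with PBKDF2 over the SSID to produce the 256-bit pairwise master key, whereas a 64-hex-digit value is that key entered directly, which is why it must be exactly 64 digits. The following added example, not Central code, validates an entry against the two options and performs the derivation; the SSID and passphrases are constructed. The passphrase branch accepts any printable ASCII, which is what the 802.11 derivation allows, while the UI label says alphanumeric.

```python
"""Passphrase-format validation and PMK derivation for the two Passphrase
Format options of the Wi-Fi uplink profile.

Added example, not Central code. SSID and passphrases are constructed; the
derivation is the WPA2-Personal rule (PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes).
"""
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def passphrase_format(value):
    """Return 'hex' or 'passphrase' for a valid entry, matching the two UI
    options; raise ValueError for anything else."""
    if HEX64.match(value):
        return "hex"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"
    raise ValueError("need 8-63 printable ASCII characters or exactly 64 hex digits")


def pairwise_master_key(ssid, value):
    """WPA2-Personal PMK. A 64-hex-digit value is the 256-bit key itself; a
    passphrase is stretched with the SSID as salt, so the same passphrase
    yields a different key on every SSID."""
    if passphrase_format(value) == "hex":
        return bytes.fromhex(value)
    return hashlib.pbkdf2_hmac("sha1", value.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def uplink_key_summary(ssid, value):
    """What the IAP would install for an uplink profile: format and key hex."""
    return passphrase_format(value), pairwise_master_key(ssid, value).hex()


if __name__ == "__main__":
    # Constructed uplink SSID and passphrase.
    print(uplink_key_summary("uplink-router", "correct horse battery staple"))
```

Because the SSID is the salt, re-entering the same passphrase after the upstream router's SSID changes gives a different key, whereas a 64-hex-digit entry stays valid on any SSID.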
Ethernet Uplink
The Ethernet 0 port on an IAP is enabled as an uplink port by default.
Ethernet uplink supports the following:
- PPPoE
- DHCP
- Static IP
You can use PPPoE for your uplink connectivity in a single-AP deployment. Uplink redundancy with the PPPoE link is not supported.
When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections. The IAP can establish a PPPoE session with a PPPoE server at the ISP and get authenticated using PAP or CHAP. Depending upon the request from the PPPoE server, either the PAP or the CHAP credentials are used for authentication. After configuring PPPoE, reboot the IAP for the configuration to take effect. The PPPoE connection is dialed after the AP comes up. The PPPoE configuration is checked during IAP boot and, if the configuration is correct, Ethernet is used for the uplink connection.
When PPPoE is used, do not configure Dynamic RADIUS Proxy and the IP address of the VC. An SSID created with the default VLAN is not supported with a PPPoE uplink.
You can also configure an alternate Ethernet uplink to enable uplink failover when an Ethernet port fails.
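The PPPoE server decides whether the IAP authenticates with PAP or CHAP, and the difference matters for what crosses the access link: PAP sends the credentials themselves, CHAP sends only a one-way hash of the secret over a server-chosen challenge (RFC 1994). The following added example, not Aruba code, simulates both ends of a CHAP exchange and a PAP exchange so the wire bytes can be compared; the secret and challenge are constructed, and the 34-character secret limit is the one the procedure below states.

```python
"""CHAP challenge/response (RFC 1994) versus PAP for PPPoE authentication,
showing what leaves the IAP on the wire in each case.

Added example, not Aruba code. Secret and challenge values are constructed.
"""
import hashlib
import hmac
import os

CHAP_SECRET_MAX = 34   # limit the guide states for the CHAP secret


def chap_response(identifier, secret, challenge):
    """Response-Value = MD5(Identifier || secret || Challenge-Value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier is one octet")
    if len(secret) > CHAP_SECRET_MAX:
        raise ValueError(f"CHAP secret longer than {CHAP_SECRET_MAX} characters")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Server side: recompute from the shared secret and compare in
    constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret, identifier=1, challenge=None):
    """Simulate both ends. Returns (authenticated, wire_bytes), where
    wire_bytes is what a passive observer of the link sees: the identifier,
    the server's challenge and the client's response, never the secret."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(identifier, secret, challenge)
    wire = bytes([identifier]) + challenge + response
    return chap_verify(identifier, secret, challenge, response), wire


def pap_exchange(username, password):
    """PAP for contrast: the credentials themselves are the wire bytes."""
    return True, username + b"\x00" + password


if __name__ == "__main__":
    # Constructed CHAP secret; the challenge is random per exchange.
    ok, wire = chap_exchange(b"chap-secret-placeholder")
    print("CHAP authenticated:", ok, "secret on wire:", b"placeholder" in wire)
    ok, wire = pap_exchange(b"user", b"pap-password-placeholder")
    print("PAP authenticated:", ok, "password on wire:", b"placeholder" in wire)
```

A fresh challenge per session is what stops a captured CHAP response from being replayed; the secret itself is still shared with the ISP's server, so it should be as strong as the 34-character limit allows.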
Configuring PPPoE uplink profile
To configure PPPoE settings:
1. Select Wireless Configuration > System. The System details are displayed.
2. Select Uplink and perform the following steps in the PPPoE pane:
  a. Enter the PPPoE service name provided by your service provider in Service Name.
  b. In the Chap Secret and Retype CHAP Secret fields, enter the secret key used for CHAP authentication. You can use a maximum of 34 characters for the CHAP secret key.
  c. Enter the user name for the PPPoE connection in the USER field.
  d. In the Password and Retype Password fields, enter a password for the PPPoE connection and confirm it.
3. To set a local interface for the PPPoE uplink connections, select a value from Local Interface. The selected DHCP scope is used as a local interface on the PPPoE interface, with the Local, L3 DHCP gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE interface and allocates the entire Local, L3 DHCP subnet to the clients.
The options in Local Interface are displayed only if a Local, L3 DHCP scope is configured on the IAP.
4. Click Save Settings.
5. Reboot the IAP.
Uplink Preferences and Switching
This topic describes the following procedures:
- Setting an uplink priority on page 121
- Enabling uplink pre-emption on page 121
Enforcing Uplinks
The following configuration conditions apply to uplink enforcement:
- When an uplink is enforced, the IAP uses the specified uplink regardless of the uplink pre-emption configuration and the current uplink status.
- When an uplink is enforced, multiple Ethernet ports are configured, and uplink is enabled on the wired profiles, the IAP tries to find an alternate Ethernet link based on the priority configured.
- When no uplink is enforced and pre-emption is not enabled, and the current uplink fails, the IAP tries to find an available uplink based on the priority configured.
- When no uplink is enforced and pre-emption is enabled, and the current uplink fails, the IAP tries to find an available uplink based on the priority configured. If the current uplink is active, the IAP periodically tries to use a higher priority uplink and switches to the higher priority uplink even if the current uplink is active.
To enforce a specific uplink on an IAP:
1. Select Wireless Configuration > System > Uplink. The Uplink details are displayed.
2. Under Management, select the type of uplink from Enforce Uplink. If Ethernet uplink is selected, the Port field is displayed.
3. Specify the Ethernet interface port number.
4. Click OK. The selected uplink is enforced on the IAP.
Setting an uplink priority
To set an uplink priority:
1. Select Wireless Configuration > System > Uplink. The Uplink details are displayed.
2. Under Uplink Priority List, select the uplink, and increase or decrease the priority. By default, the Eth0 uplink is set as a high priority uplink.
3. Click OK. The selected uplink is prioritized over other uplinks.
Enabling uplink pre-emption
The following configuration conditions apply to uplink pre-emption:
- Pre-emption can be enabled only when no uplink is enforced.
- When pre-emption is disabled and the current uplink fails, the IAP tries to find an available uplink based on the uplink priority configuration.
- When pre-emption is enabled and the current uplink is active, the IAP periodically tries to use a higher priority uplink, and switches to a higher priority uplink even if the current uplink is active.
To enable uplink pre-emption:
1. Select Wireless Configuration > System > Uplink. The Uplink details are displayed.
2. Under Management, ensure that Enforce Uplink is set to None.
3. From Pre-Emption, select Enabled.
4. Click OK.
Switching Uplinks based on the Internet Availability
You can configure Central to switch uplinks based on the Internet availability.
When uplink switchover based on Internet availability is enabled, the IAP continuously sends ICMP packets to some well-known Internet servers. If the request times out because of a bad uplink connection or an uplink interface failure, and the Internet is not reachable from the current uplink, the IAP switches to a different connection.
To configure uplink switching:
1. Select Wireless Configuration > System > Uplink. The Uplink details are displayed.
2. Under Management, configure Internet Failover. To configure uplink switching based on Internet availability, perform the following steps:
a. Select Enabled from Internet Failover.
b. Specify values for Failover Internet Packet Send Frequency, Failover Internet Packet Lost Count, and Internet Check Count.
c. Click OK.
When Internet failover is enabled, the IAP ignores the VPN status, even if uplink switching based on VPN status is enabled.
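The following Python example is added here and is not Aruba's code; it models the uplink selection rules listed under Enforcing Uplinks, Setting an uplink priority and Enabling uplink pre-emption, together with an Internet-reachability check in the spirit of Internet Failover. The class and function names are this example's own. The guide names Failover Internet Packet Lost Count and Internet Check Count without defining them, so the window semantics used here (declare the uplink unusable when at least lost_count of the last check_count probes went unanswered) are an assumption, and the send frequency is not modelled.

```python
# Added example, not Aruba's code: models the uplink selection rules described
# above (Enforce Uplink, Uplink Priority List, Pre-Emption) and a sliding-window
# Internet-reachability check for Internet Failover.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Uplinks:
    priority: List[str]                 # uplink names, highest priority first (Eth0 is the default top entry)
    link_up: Dict[str, bool]            # uplink name -> physical link is up
    enforce: Optional[str] = None       # Enforce Uplink setting; None means no uplink is enforced
    preemption: bool = False            # Pre-Emption setting (meaningful only when enforce is None)
    current: Optional[str] = None       # uplink currently in use


def choose_uplink(u: Uplinks) -> Optional[str]:
    """Return the uplink the IAP should use, following the enforcement and pre-emption rules."""
    if u.enforce is not None:
        # Enforced: used regardless of pre-emption and of whether the link is up.
        return u.enforce
    current_ok = u.current is not None and u.link_up.get(u.current, False)
    if current_ok and not u.preemption:
        # No enforcement and no pre-emption: stay on the working uplink, fail over only when it drops.
        return u.current
    # Current uplink failed, or pre-emption is on: take the highest-priority link that is up.
    for name in u.priority:
        if u.link_up.get(name, False):
            return name
    return None


@dataclass
class InternetCheck:
    """Sliding window over ICMP probe results.

    Assumed semantics (the guide names the parameters but does not define them):
    the current uplink is declared unusable when at least lost_count of the most
    recent check_count probes received no reply.
    """
    lost_count: int
    check_count: int
    results: List[bool] = field(default_factory=list)

    def record(self, replied: bool) -> bool:
        """Record one probe result; return True when the IAP should switch uplink."""
        self.results.append(replied)
        self.results = self.results[-self.check_count:]
        return self.results.count(False) >= self.lost_count
```

With pre-emption off, a working lower-priority uplink is kept even when Eth0 comes back, which is the stable choice for links that flap; with pre-emption on, the function returns the higher-priority link as soon as it is up.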
Mobility and Client Management
This section provides the following information:
- Layer-3 Mobility Overview on page 122
- Configuring L3 Mobility Domain on page 123
Layer-3 Mobility Overview
IAPs form a single Central network when they are in the same Layer-2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client must be allowed to roam away from the Central network to which it first connected (home network) to another network supporting the same WLAN access parameters (foreign network) and continue its existing sessions.
Layer-3 (L3) mobility allows a client to roam without losing its IP address and sessions. If WLAN access parameters are the same across these networks, clients connected to IAPs in a given Central network can roam to IAPs in a foreign Central network and continue their existing sessions using their IP addresses. You can configure a list of Virtual Controller IP addresses across which L3 mobility is supported.
The Aruba Central Layer-3 mobility solution defines a Mobility Domain as a set of networks, with the same WLAN access parameters, across which client roaming is supported. The Central network to which the client first connects is called its home network. When the client roams to a foreign network, an IAP in the home network (home IAP) anchors all traffic to or from this client. The IAP to which the client is connected in the foreign network (foreign IAP) tunnels all client traffic to or from the home IAP through a GRE tunnel.
Figure 7 Traffic Routing
When a client first connects to a Central network, a message is sent to all configured VC IP addresses to see if this is an L3 roamed client. On receiving an acknowledgment from any of the configured VC IP addresses, the client is identified as an L3 roamed client. If the IAP has no GRE tunnel to this home network, a new tunnel is formed to an IAP (home IAP) from the home network of the client.
Each foreign IAP has only one home IAP per Central network to avoid duplication of broadcast traffic. Separate GRE tunnels are created for each foreign IAP / home IAP pair. If a peer IAP is a foreign IAP for one client and a home IAP for another, two separate GRE tunnels are used to handle L3 roaming traffic between these IAPs.
If client subnet discovery fails on association for any reason, the foreign IAP identifies the client's subnet when it sends out the first L3 packet. If the subnet is not a local subnet and belongs to another network, the client is treated as an L3 roamed client and all its traffic is forwarded to the home network through a GRE tunnel.
Configuring L3 Mobility Domain
To configure a mobility domain, you have to specify the list of all Central networks that form the mobility domain. To allow clients to roam seamlessly among all the APs, specify the VC IP for each foreign subnet. You may include the local Central or VC IP address, so that the same configuration can be used across all Central networks in the mobility domain.
It is recommended that you configure all client subnets in the mobility domain. When client subnets are configured:
- If a client is from a local subnet, it is identified as a local client. When a local client starts using the IP address, the L3 roaming is terminated.
- If the client is from a foreign subnet, it is identified as a foreign client. When a foreign client starts using the IP address, the L3 roaming is set up.
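The following Python example is added here and is not Aruba's code. It shows how the client subnet list just described decides whether a client is local or foreign (and therefore whether its traffic is tunnelled to a home VC), and how the one-home-IAP-per-foreign-IAP rule from the overview combines with the round robin policy of Home Agent Load Balancing described below. The subnet entries mirror the fields of the Subnets table (IP address, subnet mask, VLAN ID, Virtual Controller IP); all addresses and IAP names are constructed, and the class names are this example's own.

```python
# Added example, not Aruba's code: classifies a roaming client's IP against the
# configured mobility-domain subnets and assigns home IAPs the way the guide
# describes (one home IAP per foreign IAP, optionally round robin).
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MobilitySubnet:
    network: str      # client subnet and mask from the Subnets table, e.g. "10.2.0.0/16"
    vlan_id: int      # VLAN ID of this subnet in its home network
    home_vc: str      # Virtual Controller IP of the home network


class MobilityDomain:
    def __init__(self, local_vc: str, subnets: List[MobilitySubnet]):
        self.local_vc = local_vc
        self.subnets = [(ipaddress.ip_network(s.network), s) for s in subnets]

    def lookup(self, client_ip: str) -> Optional[MobilitySubnet]:
        """Longest-prefix match, so a narrower subnet overrides an enclosing one."""
        ip = ipaddress.ip_address(client_ip)
        best = None
        for net, sub in self.subnets:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sub)
        return best[1] if best else None

    def classify(self, client_ip: str) -> dict:
        sub = self.lookup(client_ip)
        if sub is None:
            # Not in any configured subnet: left to first-L3-packet discovery.
            return {"kind": "unknown", "home_vc": None, "tunnel": False}
        if sub.home_vc == self.local_vc:
            # Local client: no roaming state, any existing L3 roaming is terminated.
            return {"kind": "local", "home_vc": self.local_vc, "tunnel": False}
        # Foreign client: traffic goes through a GRE tunnel to an IAP in the home network.
        return {"kind": "foreign", "home_vc": sub.home_vc, "tunnel": True}


class HomeAgentAssigner:
    """Picks the home IAP for each foreign IAP in one home network. Without load
    balancing every foreign IAP gets the first IAP; with it, assignments rotate."""

    def __init__(self, home_iaps: List[str], load_balance: bool):
        self.home_iaps = list(home_iaps)
        self.load_balance = load_balance
        self.assigned: Dict[str, str] = {}
        self._next = 0

    def home_iap_for(self, foreign_iap: str) -> str:
        if foreign_iap not in self.assigned:      # one home IAP per foreign IAP, kept sticky
            idx = self._next % len(self.home_iaps) if self.load_balance else 0
            self.assigned[foreign_iap] = self.home_iaps[idx]
            if self.load_balance:
                self._next += 1
        return self.assigned[foreign_iap]
```

Including the local VC's own subnets in the list, as the guide recommends, is what lets the same configuration be pushed to every network in the domain: each VC recognises its own subnets as local by comparing the entry's VC IP with its own.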
Home agent load balancing
Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the VC assigns the home AP for roamed clients by using a round robin policy. With this policy, the load for the APs acting as Home Agents for roamed clients is uniformly distributed across the IAP cluster.
Configuring L3 mobility domain
To configure L3 mobility domain:
1. Select Wireless Configuration > System. The System details are displayed.
2. Select L3 Mobility. The L3 Mobility details are displayed.
3. From Home Agent Load Balancing, select Enabled. By default, home agent load balancing is disabled.
4. Click New in Virtual Controller IP Addresses, add the IP address of a VC that is part of the mobility domain, and click OK.
5. Repeat Step 4 to add the IP addresses of all VCs that form the L3 mobility domain.
6. Click New in Subnets and specify the following:
a. Enter the client subnet in the IP Address box.
b. Enter the mask in the Subnet Mask box.
c. Enter the VLAN ID in the home network in the VLAN ID box.
d. Enter the home VC IP address for this subnet in the Virtual Controller IP box.
7. Click OK.
Enterprise Domains
The enterprise domain names list displays the DNS domain names that are valid on the enterprise network.
This list is used to determine how client DNS requests are routed. When Content Filtering is enabled, the DNS requests of the clients are verified, and the domain names that do not match the names in the list are sent to the openDNS server.
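The following Python example is added here and is not Aruba's code; it shows the routing decision the paragraph describes, with the one check that matters when matching a query name against a domain list: comparing whole labels, so that a name which merely ends in the same characters as a listed domain is not treated as enterprise traffic. The function names and the "default" result for the content-filtering-off case (which the guide does not describe) are this example's own.

```python
# Added example, not Aruba's code: decides where a client DNS query is sent when
# Content Filtering is enabled, based on the enterprise domain names list.
from typing import Iterable


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Corp.Example.COM.' equals 'corp.example.com'."""
    return name.strip().rstrip(".").lower()


def is_enterprise_name(qname: str, enterprise_domains: Iterable[str]) -> bool:
    """True if qname is a listed domain or a subdomain of one.

    The comparison is on whole labels: 'notexample.com' must not match the
    listed 'example.com', and 'example.com.other.test' must not match either.
    """
    q = normalize(qname)
    for dom in enterprise_domains:
        d = normalize(dom)
        if d and (q == d or q.endswith("." + d)):
            return True
    return False


def route_dns_query(qname: str, enterprise_domains: Iterable[str], content_filtering: bool) -> str:
    """Return 'internal' (enterprise resolver), 'opendns' (OpenDNS server) or
    'default' (content filtering off; the guide does not describe that path)."""
    if not content_filtering:
        return "default"
    return "internal" if is_enterprise_name(qname, enterprise_domains) else "opendns"
```

The consequence for the list you maintain in the UI is that an entry such as example.com covers every host under it, so only the apex names of the enterprise zones need to be listed.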
Configuring Enterprise Domains
To configure an enterprise domain:
1. Select Wireless Configuration > System, and click Enterprise Domains. The Enterprise Domains details are displayed.
2. Click New and enter a name in New Domain Name.
3. Click OK.
To remove a domain, select the domain and click Delete.
You can also configure an enterprise domain using Central:
4. Select System > General, and click Enterprise Domains. The Enterprise Domain details are displayed.
5. Click New and enter a New Domain Name.
6. Click OK to apply the changes.
To delete a domain, select the domain and click Delete to remove the domain name from the list.
SNMP and Logging
This section provides the following information:
- Configuring a Syslog Server on page 126
- Configuring TFTP Dump Server on page 127
Configuring SNMP
This section provides the following information:
- SNMP parameters for IAP on page 125
- Configuring Community String for SNMP on page 125
- Configuring SNMP Traps on page 126
SNMP parameters for IAP
Central supports SNMPv1, SNMPv2c, and SNMPv3 for reporting purposes only. An IAP cannot use SNMP to set values in an Aruba system.
You can configure the following parameters for an IAP:
Table 45: SNMP Parameters
Parameter: Description
Community Strings for SNMPv1 and SNMPv2: An SNMP community string is a text string that acts as a password, and is used to authenticate messages sent between the Virtual Controller and the SNMP agent.
If you are using SNMPv3 to obtain values from the IAP, you can configure the following parameters:
Name: A string representing the name of the user.
Authentication Protocol: An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol used. This can take one of two values:
- MD5: HMAC-MD5-96 Digest Authentication Protocol
- SHA: HMAC-SHA-96 Digest Authentication Protocol
Authentication protocol password: If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. This is a string password for MD5 or SHA depending on the choice above.
Privacy protocol: An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol which is used. This takes the value DES (CBC-DES Symmetric Encryption).
Privacy protocol password: If messages sent on behalf of this user can be encrypted/decrypted with DES, the (private) privacy key for use with the privacy protocol.
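The following Python example is added here and is not Aruba's code. It shows what the authentication protocol password in Table 45 becomes on the wire: SNMPv3 (RFC 3414) never sends the password, but stretches it into a key, localizes that key with the agent's engine ID (the SNMP Engine ID configured under SNMP Traps) and uses the result for HMAC-MD5-96 or HMAC-SHA-96, the two choices the table offers. The function names are this example's own; the password and engine ID in the test are the published RFC 3414 test vector, and the message bytes are constructed.

```python
# Added example, not Aruba's code: RFC 3414 password-to-key with engine-ID
# localization, and the 96-bit HMAC tag used by the MD5 and SHA choices above.
import hashlib
import hmac

HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}   # the two protocols Table 45 offers


def localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: cycle the password to 1 MiB, hash it (Ku), then localize it to
    one agent as H(Ku || engineID || Ku). The same password therefore gives a
    different key on every engine ID, so one compromised agent key does not
    reveal the key of another agent sharing the password."""
    if not password:
        raise ValueError("empty password")
    h = HASHES[algo]
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    ku = h(stretched).digest()
    return h(ku + engine_id + ku).digest()


def auth_params(key: bytes, message: bytes, algo: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 bytes of the HMAC are carried in
    msgAuthenticationParameters."""
    return hmac.new(key, message, HASHES[algo]).digest()[:12]


def verify_auth(key: bytes, message: bytes, received: bytes, algo: str) -> bool:
    """Check an incoming message's 12-byte tag in constant time."""
    return hmac.compare_digest(auth_params(key, message, algo), received)
```

Because the key is bound to the engine ID, a trap receiver that knows the user's password still has to know the sending agent's engine ID before it can verify the trap; this is why the engine ID must be consistent between the access point and the receiver.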
Configuring Community String for SNMP
This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings using Central.
Creating Community strings for SNMPv1 and SNMPv2 using Central
To create community strings for SNMPv1 and SNMPv2:
1. Click the System link at the top right corner of the Central main window. The system window is displayed.
2. Click the Monitoring tab.
3. Click New.
4. Enter the string in the New Community String text box.
5. Click OK.
6. To delete a community string, select the string, and click Delete.
Creating community strings for SNMPv3 using Central
To create community strings for SNMPv3:
1. Click the System link at the top right corner of the Central main window. The system window is displayed.
2. Click the Monitoring tab. The SNMP configuration parameters are displayed in the Monitoring tab.
3. Click New in the Users for SNMPV3 box. A window for specifying SNMPv3 user information is displayed.
4. Enter the name of the user in the Name text box.
5. Select the type of authentication protocol from the Auth protocol drop-down list.
6. Enter the authentication password in the Password text box and retype the password in the Retype text box.
7. Select the type of privacy protocol from the Privacy protocol drop-down list.
8. Enter the privacy protocol password in the Password text box and retype the password in the Retype text box.
9. Click OK.
10. To edit the details for a particular user, select the user and click Edit.
11. To delete a particular user, select the user and click Delete.
Configuring SNMP Traps
Central supports the configuration of external trap receivers. Only the IAP acting as the Virtual Controller generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X.
To configure SNMP traps using Central:
1. Select System > SNMP. The SNMP window is displayed.
2. Under SNMP Traps, enter a name in the SNMP Engine ID text box. It indicates the name of the SNMP agent on the access point. The SNMPv3 agent has an engine ID that uniquely identifies the agent in the device and is unique to that internal network.
3. Click New and update the following fields:
- IP Address: Enter the IP address of the new SNMP trap receiver.
- Version: Select the SNMP version (v1, v2c, or v3) from the drop-down list. The version specifies the format of traps generated by the access point.
- Community/Username: Specify the community string for SNMPv1 and SNMPv2c traps and a username for SNMPv3 traps.
- Port: Enter the port to which the traps are sent. The default value is 162.
- Inform: When enabled, traps are sent as SNMP INFORM messages. It is applicable to SNMPv3 only. The default value is Yes.
4. Click OK to view the trap receiver information in the SNMP Trap Receivers window.
Configuring a Syslog Server
To specify a syslog server for sending syslog messages to an external server:
1. Select Wireless Configuration > System. The System details are displayed.
2. Select the Logging tab.
3. In the Syslog Server box, enter the IP address of the server to which you want to send system logs.
4. Select the required values to configure Syslog Facility Levels. Syslog facility is an information field associated with a syslog message. It identifies the application or operating system component that generates a log message. The following facilities are supported by syslog:
- AP-Debug: Detailed log about the AP device.
- Network: Log about change of network, for example, when a new IAP is added to a network.
- Security: Log about network security, for example, when a client connects using a wrong password.
- System: Log about configuration and system status.
- User: Important logs about clients.
- User-Debug: Detailed log about clients.
- Wireless: Log about radio.
The following table describes the logging levels in order of severity, from the most severe to the least.
Table 46: Logging Levels
Logging level: Description
Emergency: Panic conditions that occur when the system becomes unusable.
Alert: Any condition requiring immediate attention and correction.
Critical: Any critical condition such as a hard drive error.
Error: Error conditions.
Warning: Warning messages.
Notice: Significant events of a non-critical nature. The default value for all syslog facilities.
Information: Messages of general interest to system users.
Debug: Messages containing information useful for debugging.
5. Click Save Settings.
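The following Python example is added here and is not Aruba's code. On the receiving side, the severity order of Table 46 is what a syslog collector uses to decide which IAP messages to keep: each line starts with a priority value that encodes facility and severity (RFC 3164, PRI = facility * 8 + severity), and the table's level names map onto severity 0 (Emergency) through 7 (Debug). The sample lines are constructed to look like IAP messages and are not captured from a device; the function names are this example's own.

```python
# Added example, not Aruba's code: parses the RFC 3164 <PRI> prefix of syslog lines
# and filters them with the severity order in Table 46 (Emergency is most severe).
import re
from typing import List, Optional

LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Information", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def severity_rank(level: str) -> int:
    """0 for Emergency up to 7 for Debug, i.e. a lower rank means more severe."""
    return LEVELS.index(level)


def parse_pri(line: str) -> Optional[dict]:
    """Split <PRI> into facility and severity (PRI = facility * 8 + severity)."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:               # facility 23, severity 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return {"facility": facility, "severity": severity, "level": LEVELS[severity], "msg": m.group(2)}


def select(lines: List[str], threshold: str = "Notice") -> List[dict]:
    """Keep records at the threshold level or more severe; Notice is the guide's default."""
    keep = []
    for line in lines:
        rec = parse_pri(line)
        if rec is not None and severity_rank(rec["level"]) <= severity_rank(threshold):
            keep.append(rec)
    return keep


# Constructed sample lines in the shape an IAP might send; not captured from a device.
SAMPLE_LINES = [
    "<13>Nov 10 12:00:01 iap-lobby user: client 00:11:22:33:44:55 associated",       # 1*8+5 -> Notice
    "<12>Nov 10 12:00:02 iap-lobby security: client 00:11:22:33:44:55 auth failed",  # 1*8+4 -> Warning
    "<15>Nov 10 12:00:03 iap-lobby ap-debug: scanning channel 36",                   # 1*8+7 -> Debug
    "<131>Nov 10 12:00:04 iap-lobby system: configuration write failed",            # 16*8+3 -> Error
    "line without a PRI header",
]
```

Raising the threshold from Notice to Warning on the collector drops the association notice but keeps the authentication failure and the configuration error, which is the usual split between audit detail and events that need a response.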
Configuring TFTP Dump Server
To configure a TFTP server for storing core dump files:
1. Select Wireless Configuration > System > Logging.
2. Enter the IP address of the TFTP server in the TFTP Dump Server box.
3. Click Save Settings.
Chapter 8
AppRF
This chapter provides the following information:
- Deep Packet Inspection with AppRF on page 128
- Application Visibility on page 128
- Configuring ACL Rules for Application and Application Categories on page 136
- Configuring Web Policy Enforcement on page 137
Deep Packet Inspection with AppRF
AppRF is a custom-built Layer 7 firewall capability supported for IAPs managed by Central. It consists of onboard deep packet inspection and a cloud-based Web Policy Enforcement service that allows you to create firewall policies based on application type.
IAPs with DPI capability analyze data packets to identify applications in use and allow you to create access rules to determine client access to applications, application categories, web categories and website URLs based on security ratings. You can also define traffic shaping policies such as bandwidth control and QoS per application for client roles. For example, you can block bandwidth monopolizing applications on a guest role within an enterprise.
The Deep Packet Inspection feature is supported on IAP running 6.4.3.x-4.1.x.x or later releases. The AppRF feature is not supported on IAP-104/105, and IAP-134/135 devices.
Application Visibility
The Central UI now includes the AppRF option under the Monitoring tab. On clicking AppRF, a dashboard that provides a summary of client traffic to applications and application categories is displayed. You can analyze the client traffic flow using the graphs displayed in the AppRF dashboard. To view the graphs on the AppRF pane, ensure that the
Application Visibility is supported for IAPs running 6.4.3.1-4.2.0.0 or later releases.
If the AppRF service is enabled before upgrading to the latest version of Central, ensure that you re-enable the AppRF service after the upgrade, to enable AppRF monitoring.
Central supports AppRF monitoring, DPI configuration, and web filtering for IAP-103, RAP-108/109, IAP-114/115, RAP-155, IAP-224/225, IAP-274/275, IAP-228, and IAP-277 devices. The IAP-104/105, IAP-134/135, RAP3WNP, and IAP-175 devices support only web filtering.
AppRF Dashboard
The AppRF dashboard displays application information in the following two tabs:
- Overview: Provides a summary of client traffic to applications, application categories, website categories, and web reputation.
- Analyze: Provides a detailed view of client traffic per application, application category, website category, web reputation, SSID, device type, and user roles.
Both the AppRF > Overview and AppRF > Analyze panes include the Configuration link. Click the Configuration link to create or modify the DPI ACL rules for applications, application categories, websites, and web categories based on the security score for a specific network profile. For more information on configuring DPI access rules, see Configuring ACL Rules for Application and Application Categories.
You can view the client traffic to the Applications, Application Categories, Website Categories, and Web Reputation graphs for a specific time frame (3 Hours, 1 Day, 1 Week, 1 Month, 3 Months) by clicking 1H, 3H, 1D, 1M, or 3M. By default, the graphs display real-time client traffic data or the usage trend in the last three hours.
The application (Apps) and Web Categories graphs are also displayed in the
and
AppRF data is updated every 30th minute of the hour. The data population on the AppRF dashboard may be delayed by an hour when compared to the AppRF data displayed in the
and
panes.
The Central UI also allows you to generate network summary reports with AppRF data. For more information, see Generating a Report on page 159.
Overview
The Overview pane includes the following sections:
- Overview: Presents four different graph areas with data graphs on all client traffic flowing to applications (Apps), application categories (App Categories), web categories, and website reputation.
- TOP 5 CLIENTS: Displays the MAC address and traffic usage in bits per second (bps) of the top 5 clients that use the highest bandwidth. Clicking on a MAC address in the list provides the client details.
The following figure provides a view of the Overview pane:
Figure 8 AppRF—Overview Pane
App Categories Chart
The App Categories chart displays details on the client traffic towards the application categories. When the cursor is placed on the chart, the app category and the percentage of client traffic flowing to that app category are displayed. The legend below the chart displays the list of application categories to which client traffic flow is detected. On clicking an app category in the legend, the chart hides that app category and displays data for the remaining app categories.
Apps Chart
The Apps chart displays details on the client traffic flow to specific applications. When the cursor is placed on the chart, the application and the percentage of traffic to that application are displayed. The legend below the chart displays the list of applications to which client traffic flow is detected. On selecting an app from the legend, the chart hides that app and displays data for the remaining apps.
Figure 9 Apps Chart
Web Categories Chart
The Web Categories chart displays details of the client traffic to web categories. When the cursor is placed on the chart, the web category and the percentage of traffic to that web category are displayed. The legend below the chart displays the list of website categories to which client traffic flow is detected. On selecting a web category from the legend, the chart hides that web category and displays data for the remaining web categories.
Figure 10 Web Categories Chart
Web Reputation Charts
The Web Reputation chart displays details of the client traffic flow to the URLs that are assigned a web reputation score. When the cursor is placed on the chart, the web reputation type and percentage of traffic to the web reputation is displayed. On selecting a web reputation type from the legend, the chart hides the web reputation type and displays data for the remaining web reputation types.
Figure 11 Web Reputation Chart
Analyze
The Analyze pane allows you to analyze the client traffic to applications, application categories, web categories, web reputation score, SSID, device type, and user roles.
The Analyze pane consists of the App Categories, Apps, Web Categories, Web Reputation, SSID, Device Type, and User Roles widgets.
The SSID, Device Type, and User Role widgets are not displayed by default. These can be displayed by selecting them from the Display drop-down list.
All widgets provide the following view options:
- List view: Displays data usage for applications, application categories, web categories, and web reputation in list format.
- Chart view: Presents the data usage information for applications, application categories, web categories, and web reputation in graphical format. Place the cursor on the chart to view the data usage details.
- Full screen: Displays the data in full screen mode.
The following figure shows the contents of the Analyze pane.
Figure 12 Analyze Tab Dashboard
Filter
To filter the network traffic, ensure that you are in the list view. If you want to add multiple filters from different widgets, do not use the full screen mode. To add filters, click the line items in each widget and notice that the data in surrounding widgets change.
The following figure shows the data without filters and the data with filters on:
Figure 13 Data Without Filter And With Filter
The filtered categories are displayed as filters above the widgets. To remove a filter, click the filter or click X next to the filtered category.
Details—Apps
Clicking on Details in the Apps widget displays a list of all applications and the client traffic to all these applications.
Table 47: Details—Apps
Parameter: Description
Category: Name of the application.
Total Usage: The total usage of the application bandwidth.
Usage(%): Percentage of client traffic to an application.
#SSID: Number of SSIDs through which the clients access an application.
Clicking on an application from the list in the Details table displays the MAC addresses of the top 10 users and the total bandwidth used by each user for the selected application in the last three hours (3H) or one day (1D). By default, the details are displayed for the last 3 hours.
Details—Web Categories
Clicking on Details in the Web Categories widget displays a table that shows the details of the client traffic to all web categories in the last three hours (3H) or one day (1D). By default, the details are displayed for the last 3 hours (3H).
Table 48: Details—Web Categories
Parameter: Description
Category: Name of the web category.
Total Usage: The total bandwidth used by clients accessing the web category.
Usage(%): Percentage of client traffic to the web category.
#SSID: Number of SSIDs used for accessing the web category.
Clicking on a web category from the list in the Details table provides details of the top 10 users and the destination IP addresses of the web category.
Table 49: Web Category Users
Parameter: Description
Users: MAC address of the client using the web category.
Total Usage: Total bandwidth used by the user device for this web category.
Table 50: Web Category Destination IP(s) Table
Parameter: Description
Destination IP(s): Destination IP address of the web category.
Total Usage: Total traffic to the destination IP address.
Configuring ACL Rules for Application and Application Categories
This section describes the procedure for configuring access rules based on application and application categories to allow deep packet inspection of client traffic.
For information on configuring access rules based on web categories and web reputation, see Policy Enforcement on page 137.
To configure ACL rules for a user role:
1. Select Wireless Configuration > Security > Roles.
2. Select the role for which you want to configure access rules.
3. Under Access Rules For Selected Roles, click (+) to add a new rule. The new rule window is displayed.
4. Under Rule Type, select Access Control.
5. To configure access to applications or application categories, select a service category from the following list:
- Application category
- Application
6. Based on the selected service category, configure the following parameters:
Table 51: Access Rule Configuration Parameters
Service category: Description
Application Category: Select the application categories to which you want to allow or deny access.
Application: Select the applications to which you want to allow or deny access.
Application Throttling: Application throttling allows you to set a bandwidth limit for an application and application categories. For example, you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix, or assign a low bandwidth to high risk sites. To specify a bandwidth limit:
1. Select the Application Throttling check box.
2. Specify the Downstream and Upstream rates in Kbps.
Action: Select one of the following actions:
- Select Allow to allow access to users based on the access rule.
- Select Deny to deny access to users based on the access rule.
Log: Select this check box if you want a log entry to be created when this rule is triggered. Central supports firewall based logging. Firewall logs on the IAPs are generated as security logs.
Blacklist: Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 79.
Disable Scanning: Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings on page 67.
DSCP Tag: Select this check box to add a Differentiated Services Code Point (DSCP) tag to the rule. DSCP is an L3 mechanism for classifying and managing network traffic and providing quality of service (QoS) on the network. To assign a higher priority, specify a higher value.
802.1 priority: Select this check box to enable 802.1 priority. 802.1p is an L2 protocol for traffic prioritization to manage quality of service (QoS) on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.
7. Click Save.
Configuring Web Policy Enforcement
You can configure web policy enforcement on an AP to block certain categories of websites based on your organization specifications by defining ACL rules.
To configure web policy enforcement:
1. Select Wireless Configuration > Security > ROLES.
2. Select the role for which you want to configure access rules.
3. Under Access Rules For Selected Roles, click (+) to add a new rule. The new rule window is displayed.
4. Under Rule Type, select Access Control.
5. To set an access policy based on web categories:
   a. Under Service, select Web Category.
   b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
   c. Under Action, select Allow or Deny.
   d. Click Save.
6. To filter access based on the security ratings of the website:
   a. Select Web Reputation under Service.
   b. Move the slider to select a specific web reputation value, either to deny access to websites with a reputation value lower than or equal to the configured value, or to permit access to websites with a reputation value higher than or equal to the configured value. The following options are available:
      - Trustworthy (WRI >81) — These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.
      - Low Risk (WRI 61-80) — These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.
      - Moderate (WRI 41-60) — These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads.
      - Suspicious (WRI 21-40) — These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.
      - High Risk (WRI <20) — These are high risk sites. There is a high probability that the user will be exposed to malicious links or payloads.
   c. Under Action, select Allow or Deny as required.
7. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high risk sites.
8. If required, select the following check boxes:
   - Log — Select this check box if you want a log entry to be created when this rule is triggered. Central supports firewall based logging. Firewall logs on the IAPs are generated as security logs.
   - Blacklist — Select this check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth Failure Blacklist Time on the Blacklisting pane of the Security window. For more information, see Blacklisting Clients on page 79.
   - Disable Scanning — Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings on page 67.
   - DSCP Tag — Select this check box to add a Differentiated Services Code Point (DSCP) tag to the rule. DSCP is an L3 mechanism for classifying and managing network traffic and providing quality of service (QoS) on the network. To assign a higher priority, specify a higher value.
   - 802.1 priority — Select this check box to enable 802.1 priority. 802.1p is an L2 protocol for traffic prioritization to manage quality of service (QoS) on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.
9. Click Save to save the rules.
10. Click Save Settings in the Roles pane to save the changes to the role for which you defined ACL rules.
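The following Python model, added here as an illustration and not Aruba Central or Instant AP code, encodes what steps 6 to 8 above configure: the WRI bands as the guide lists them, the slider semantics (a Deny rule matches sites whose score is lower than or equal to the configured value, an Allow rule matches sites whose score is higher than or equal to it), and the Log, Blacklist and Application Throttling options. First-match rule ordering, the default action, the log line layout and the sample role are this example's assumptions; the guide's bands leave the scores 20 and 81 unassigned, and the classifier reports them as "Unrated" rather than guessing.

```python
"""Model of the web-reputation access rule described in the procedure above.
Added illustration, not Aruba Central or Instant AP code. WRI bands come from
step 6b; rule ordering, default action and the log format are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (low, high, label) from step 6b. ">81" and "<20" leave 81 and 20 outside every
# band, so classify_wri() reports those two scores as "Unrated".
WRI_BANDS: Tuple[Tuple[int, int, str], ...] = (
    (82, 100, "Trustworthy"),
    (61, 80, "Low Risk"),
    (41, 60, "Moderate"),
    (21, 40, "Suspicious"),
    (0, 19, "High Risk"),
)


def classify_wri(score: int) -> str:
    """Map a Web Reputation Index score (0-100) to the guide's band label."""
    if not 0 <= score <= 100:
        raise ValueError(f"WRI score must be 0-100, got {score}")
    for low, high, label in WRI_BANDS:
        if low <= score <= high:
            return label
    return "Unrated"


@dataclass(frozen=True)
class WebReputationRule:
    action: str                       # "Allow" or "Deny" (step 6c)
    threshold: int                    # slider value (step 6b)
    log: bool = False                 # Log check box (step 8)
    blacklist: bool = False           # Blacklist check box (step 8)
    throttle_kbps: Optional[Tuple[int, int]] = None  # (downstream, upstream), step 7

    def matches(self, score: int) -> bool:
        # Step 6b: Deny covers scores <= threshold, Allow covers scores >= threshold.
        if self.action == "Deny":
            return score <= self.threshold
        if self.action == "Allow":
            return score >= self.threshold
        raise ValueError(f"unknown action {self.action!r}")


@dataclass(frozen=True)
class Decision:
    action: str
    band: str
    logged: bool
    blacklist_client: bool
    throttle_kbps: Optional[Tuple[int, int]]


def evaluate(rules: List[WebReputationRule], score: int,
             default_action: str = "Allow") -> Decision:
    """Apply a role's rules to a site score. The first matching rule wins (assumed
    ACL ordering); default_action applies when no rule matches."""
    band = classify_wri(score)
    for rule in rules:
        if rule.matches(score):
            return Decision(rule.action, band, rule.log, rule.blacklist, rule.throttle_kbps)
    return Decision(default_action, band, False, False, None)


def security_log_line(client_mac: str, url_host: str, score: int,
                      decision: Decision) -> Optional[str]:
    """Constructed log layout (not the IAP's real syslog format), emitted only when
    the matching rule had Log selected."""
    if not decision.logged:
        return None
    return (f"web-reputation action={decision.action} band={decision.band} "
            f"wri={score} client={client_mac} host={url_host}")


# Constructed example role: trusted sites pass unthrottled, suspicious and
# high-risk sites are denied and logged, everything in between is allowed at a
# reduced rate.
EXAMPLE_RULES = [
    WebReputationRule("Allow", 82),
    WebReputationRule("Deny", 40, log=True),
    WebReputationRule("Allow", 41, throttle_kbps=(512, 256)),
]
```

The order of the rules matters: placing the unthrottled Allow for trusted sites first keeps the throttled catch-all from applying to them, which mirrors how the ACL rows under Access Rules For Selected Roles are read top down.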
In mixed versions of the groups, the application rule update is supported only at the VC level and not at the group level.
If you have a group with multiple IAPs running 6.2.1.0-4.0 and if you upgrade one or more VC to 6.2.1.0-4.1, you can configure application rules at the VC level, but not at the group level. To use application rules at the group level, create a new group and move IAPs running 6.2.1.0-4.1 to the newly created group. If application rules are configured in this group, ensure that the IAPs with versions lower than 6.2.1.0-4.1 are not moved to that group.
Chapter 9
Guest Management
This chapter describes the following topics:
- Creating Apps for Social Login on page 140
- Configuring a Splash Page Profile on page 146
- Configuring Visitor Accounts on page 151
Guest User Access
The guest management feature allows guest users to connect to the network and at the same time, allows the administrator to control guest user access to the network.
Central allows administrators to create a splash page profile for guest users. Guest users can access the Internet by providing either the credentials configured by the guest operators or their respective social networking login credentials. For example, you can create a splash page that displays a corporate logo, color scheme and the terms of service, and enable logging in from a social networking service such as Facebook, Google+, Twitter, and LinkedIn.
Businesses can also pair their network with the Facebook Wi-Fi service, so that the users logging into Wi-Fi hotspots are presented with a business page before gaining access to the network.
To enable logging in using Facebook, Google+, Twitter, and LinkedIn credentials, ensure that you create an application (app) on the social networking service provider site and enable authentication for that app. The social networking service provider will then issue a client ID and client secret key that are required for configuring guest profiles based on social logins.
Guest operators can also create guest user accounts. For example, a network administrator can create a guest operator account for a receptionist. The receptionist creates user accounts for guests who require temporary access to the wireless network. Guest operators can create and set an expiration time for user accounts. For example, the expiration time can be set to 1 day.
Creating Apps for Social Login
The following topics describe the procedures for creating applications to enable the social login feature:
- Creating a Facebook App on page 140
- Creating a Google App on page 142
- Creating a Twitter App on page 144
- Creating a LinkedIn App on page 145
Creating a Facebook App
Before creating a Facebook App, ensure that you have a valid Facebook account and you are registered as a Facebook developer with that account.
To create an app:
1. Visit the Facebook app setup URL at https://developers.facebook.com/apps.
2. From My Apps, select Add a New App.
3. Select Website as the type of app.
Figure 14: App Creation
4. In the subsequent pane, enter a name for the application. For example, SampleNetworks.
5. Click Create New Facebook App ID.
6. On the Create a new App ID pop-up pane:
   a. Select No for Is this a test version of another app?.
   b. Select Business from the Category drop-down list.
Figure 15: App ID Creation
7. Click Create App ID.
8. In the subsequent pane, enter the URL of your main site as shown in the following figure. For example, www.examplenetworks.com. You can also enter the URL of your mobile site if required.
Figure 16: Website Details
9. Click Skip to Developer Dashboard under Next Steps. The app ID and app secret key are displayed.
10. Note the app ID and app secret key. The app ID and secret key are required for configuring Facebook login in the Central UI.
Figure 17: App Settings
11. On the left pane, click Settings.
12. Add a contact email address.
13. Click the Advanced tab. Ensure that Native or desktop app is set to NO.
14. Set the restrictions for accessing the application.
15. Under Client Token, ensure that Client OAuth Login is set to YES.
16. Under Valid OAuth redirect URIs, enter the OAuth reply URL that is generated dynamically for the Facebook login. For more information on the OAuth reply URL, see the help tip for Facebook on the Guest Management > Splash Page pane of the Central UI.
Figure 18: OAuth Settings
   Ensure that the URL is an HTTPS URL with a domain name and not the IP address. For example, https://example1.cloudguest.examplenetworks.com/oauth/reply.
17. Click Save Changes.
Creating a Google App
Before creating a Google app for Google+ based login, ensure that you have a valid Google+ account.
To create a Google+ app:
1. Access the Google Developer site at https://code.google.com/apis/console.
2. Create a project if not already created.
3. Under APIs and auth:
   a. Click Consent screen. In the subsequent pane, provide your Email Address and product name, and then click Save.
Figure 19: Google App Creation
   b. Click APIs. The list of APIs is displayed. On the APIs pane, set Admin SDK and Google+ API to ON.
Figure 20: SDK Settings
   c. Click Credentials. In the subsequent pane, click Create new Client ID.
   d. Ensure that the Web application option is selected.
   e. Under AUTHORIZED JAVASCRIPT ORIGINS, enter the base URL with the FQDN of the cloud guest instance that will be hosting the captive portal. For example, https://%hostname%/.
   f. Under AUTHORIZED REDIRECT URIS, enter the cloud server OAuth reply URL that is generated dynamically for the Google+ login. For more information on the OAuth reply URL, see the help tip for Google+ on the Guest Management > Splash Page pane of the Central UI.
Figure 21: Client ID Generation
   Ensure that the URL is an HTTPS URL with a domain name and not the IP address. For example, https://example1.cloudguest.examplenetworks.com/oauth/reply.
   g. Click Create Client ID. The client ID and client secret key are generated.
   h. Note the client ID and client secret key. The client ID and client secret key are required for configuring Google+ login in the Central UI.
Creating a Twitter App
Before creating a Twitter app, ensure that you have a valid Twitter account.
To create a Twitter app:
1. Visit the Twitter app setup URL at https://apps.twitter.com.
2. Click Create New App. The Create an application web page is displayed.
3. Enter the application name, description, and website address.
4. For Callback URL, enter the cloud server OAuth reply URL that is generated dynamically for the Twitter login. For more information on the OAuth reply URL, see the help tip for Twitter on the Guest Management > Splash Page pane of the Central UI.
   Ensure that the URL is an HTTPS URL with a domain name and not the IP address. For example, https://exa.example.com/oauth/reply.
Figure 22: Twitter App Creation
5. Select Allow this application to be used to Sign in with Twitter.
6. Select Yes, I agree to accept the Developer Agreement terms.
7. Click Create a Twitter application. The consumer key (API key) and consumer secret (API secret) are displayed.
8. Note the API key and secret key. The API key and API secret key are required for configuring Twitter login in the Central UI.
Creating a LinkedIn App
Before creating a LinkedIn app, ensure that you have a valid LinkedIn account.
To create a LinkedIn app:
1. Visit the LinkedIn app setup URL at https://developer.linkedin.com.
2. Click My Apps. You will be redirected to https://www.linkedin.com/secure/developer.
3. Click Add New Application. The Add New Application web page is displayed.
4. Enter your company name, application name, description, website URL, application use, contact information and other required fields.
5. For OAuth 2.0 Redirect URLs, enter the cloud server OAuth reply URL that is generated dynamically for the LinkedIn login. For more information on the OAuth redirect URL, see the help tip for LinkedIn on the Guest Management > Splash Page pane of the Central UI.
   Ensure that the URL is an HTTPS URL with a domain name and not the IP address. For example, https://example1.cloudguest.examplenetworks.com/oauth/reply.
Figure 23: LinkedIn App Creation
6. Accept the terms of agreement.
7. Click Add Application. The API and secret keys are displayed.
8. Note the API and secret key details. The API ID and secret key are required for configuring LinkedIn login in the Central UI.
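All four app procedures above (Facebook, Google+, Twitter and LinkedIn) require the OAuth reply URL registered with the provider to be an HTTPS URL that names a domain rather than an IP address. The following Python check, added here as an illustration and not Aruba Central or provider code, applies those two requirements to a candidate URL before it is pasted into a provider console. Rejecting a URL without a host or with a fragment follows the OAuth 2.0 redirection-endpoint rules (RFC 6749, section 3.1.2); requiring a dot in the host name and the exact-match comparison are this example's assumptions, and the sample URLs are constructed.

```python
"""Checks for the OAuth reply (redirect) URL registered with a social login
provider. Added illustration, not Aruba Central or provider code. HTTPS and
domain-name requirements are the guide's; host-present and no-fragment come from
RFC 6749 section 3.1.2; the dotted-host rule and exact matching are assumptions."""
import ipaddress
from typing import Dict, Tuple
from urllib.parse import urlsplit


def validate_oauth_reply_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate reply URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme must be https, got {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "URL has no host component"
    try:
        ipaddress.ip_address(host)          # accepts IPv4 and bracketed IPv6 literals
    except ValueError:
        pass                                # not an IP literal, which is what the guide requires
    else:
        return False, f"host must be a domain name, not the IP address {host}"
    if "." not in host:
        return False, f"host {host!r} is not a fully qualified domain name"
    if parts.fragment:
        return False, "reply URL must not carry a fragment"
    return True, "ok"


def registered_uri_matches(registered: str, presented: str) -> bool:
    """Exact comparison as an authorization server performs it: scheme and host are
    case-insensitive (RFC 3986); port, path and query must match exactly, so a
    trailing slash or a different path case is a mismatch."""
    r, p = urlsplit(registered), urlsplit(presented)
    return (
        r.scheme.lower() == p.scheme.lower()
        and (r.hostname or "").lower() == (p.hostname or "").lower()
        and r.port == p.port
        and r.path == p.path
        and r.query == p.query
    )


# Constructed candidates: the guide's example plus the mistakes the check rejects.
CANDIDATES = [
    "https://example1.cloudguest.examplenetworks.com/oauth/reply",
    "http://example1.cloudguest.examplenetworks.com/oauth/reply",   # not HTTPS
    "https://192.0.2.10/oauth/reply",                                # IPv4 literal
    "https://[2001:db8::1]/oauth/reply",                             # IPv6 literal
    "https://exa.example.com/oauth/reply#state",                     # fragment
]


def check_candidates() -> Dict[str, bool]:
    """Run every constructed candidate through the validator."""
    return {url: validate_oauth_reply_url(url)[0] for url in CANDIDATES}
```

Because providers match the presented reply URL against the registered one exactly, copy the dynamically generated URL from the Splash Page help tip verbatim; a stray trailing slash is enough for the login to fail.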
Configuring a Splash Page Profile
This topic describes the following procedures:
- Adding a Splash Page Profile on page 146
- Customizing a Splash Page Design on page 149
- Associating a Splash Page Profile to an SSID on page 150
Adding a Splash Page Profile
To create a splash page profile:
1. Select Guest Management > Splash Page and then click Add Profile. The Create a Splash Page pane is displayed.
2. On the Configuration pane, configure the parameters described in the following table:
Table 52: Splash Page Configuration
Name
  Enter a unique name to identify the splash profile.
Type
  Configure any of the following authentication methods to provide secure network access to the guest users and visitors:
  - Anonymous
  - Authenticated
  - Facebook WiFi
Anonymous
  Configure the Anonymous login method if you want to allow guest users to log in to the Splash page without providing any credentials.
Authenticated
  Configure authentication and authorization attributes, and login credentials that enable users to access the Internet as guests. You can configure an authentication method based on sponsored access and social networking login profiles.
  The Username/Password based authentication method allows pre-configured visitors to obtain access to the wireless connection and the Internet. The visitors or guest users can register themselves by using the splash page when trying to access the network. The password is delivered to the users through print, SMS or email depending on the options selected during registration.
  To allow the guest users to register by themselves:
  1. Select the Self-Registration check box.
  2. Select the Verification Required check box if the guest user account must be verified.
  3. Specify a verification criterion to allow the self-registered users to verify through email or phone. If verification through email is configured and Send Verification Link is selected, a verification link is sent to the email address of the user. The guest users can click the link to obtain access to the Internet.
  4. Specify the duration, within the range of 1-60 minutes, during which the users can access free Wi-Fi to verify the link. The users can log in to the network for the specified duration and click the verification link to obtain access to the Internet.
  By default, the expiration date for the accounts of self-registered guest users is set to infinite during registration. The administrator or the guest operator can set the expiration date after registration.
  Social Login — Use this option to allow guest users to use their existing login credentials from social networking profiles such as Facebook, Twitter, Google+, or LinkedIn and sign into a third-party website. When a social login based profile is configured, a new login account to access the guest network or third-party websites is not required.
  - Facebook — Allows guest users to use their Facebook credentials to log in to the splash page. To enable Facebook integration, you must create a Facebook app and obtain the app ID and secret key. For more information on app creation, see Creating a Facebook App. Enter the app ID and secret key for client ID and client secret respectively to complete the integration.
  - Twitter — Allows guest users to use their Twitter credentials to log in to the splash page. To enable Twitter integration, you must create a Twitter app and obtain the app ID and secret key. For more information, see Creating a Twitter App. Enter the app ID and secret key for client ID and client secret respectively to complete the integration.
  - Google+ — Allows guest users to use their Google+ credentials to log in to the splash page. To enable Google+ integration, you must create a Google app and obtain the app ID and secret key. For more information, see Creating a Google App. Enter the app ID and secret key for client ID and client secret respectively to complete the integration.
  - LinkedIn — Allows guest users to use their LinkedIn credentials to log in to the splash page. To enable LinkedIn integration, you must create a LinkedIn app and obtain the app ID and secret key. For more information, see Creating a LinkedIn App. Enter the app ID and secret key for client ID and client secret respectively to complete the integration.
Facebook WiFi
  Select the Facebook WiFi option if you want to enable network access through the free Wi-Fi service offered by Facebook. Click Configure to pair your network with a Facebook business page and allow guest users to log in from Wi-Fi hotspots using their Facebook credentials.
  Guest users can provide their location on Facebook to connect to free Wi-Fi, either by manually adding their location or by selecting a setting that automatically adds their location whenever they visit. When this option is enabled, the Wi-Fi users are presented with a specific Facebook page to access the Internet.
  For more information on the Facebook Wi-Fi service, see Setting up Facebook Wi-Fi for Your Business at https://www.facebook.com/help/126760650808045.
Authentication Success Behaviour
  If the Anonymous or Authenticated option is selected as the guest user authentication method, specify a method for redirecting the users after a successful authentication. Select one of the following options:
  - Redirect to Original URL — When selected, upon successful authentication, the user is redirected to the URL that was originally requested.
  - Redirect URL — Specify a redirect URL if you want to override the original request of users and redirect them to another URL.
Authentication Failure Message
  If the Authenticated option is selected as the guest user authentication method, enter the authentication failure message text string returned by the server when the user authentication fails.
Session Timeout
  Enter the maximum time in Day(s):Hour(s):Minute(s) format for which a client session remains active. The default value is 0:8:00. When the session expires, the users must re-authenticate.
  If MAC caching is enabled, the users are allowed or denied access based on the MAC address of the connecting device.
Share This Profile
  Select this check box if you want to allow the users to share the Splash Page profile. The Splash Page profiles under All Groups can be shared across all the groups.
Simultaneous Login Limit
  To set a limit for the simultaneous logins from the same user for authenticated Splash Page profiles, select a value from the Simultaneous Login Limit drop-down list.
5. Click Next. The Customization pane appears. See Customizing a Splash Page Design on page 149.
You can edit or delete a splash page profile by clicking the respective icons in the Splash Page Profile pane.
Customizing a Splash Page Design
To customize a splash page design, on the Guest Management > Splash Page > Create A Splash Page > Customization pane, configure the parameters described in the following table:
Table 53: Splash Page Customization
Theme
  Select a template from the list. The theme template determines the look and feel of the splash page.
Background Color
  To change the color of the splash page, select the required color from the Background Color palette.
Primary Color
  Select the primary color of the splash page.
Font Color
  Select the font color of the splash page.
Logo
  To upload a logo, click Browse, and browse to the image file.
Background Image
  Click Browse to upload a background image.
Welcome Text
  Enter the welcome text to be displayed on the splash page.
Terms & Conditions
  Enter the terms and conditions to be displayed on the splash page.
  Specify an acceptance criterion for the terms and conditions by selecting one of the following options from the Display "I Accept" Checkbox list:
  - No, Accept by default
  - Yes, Display Checkbox
  If the I ACCEPT check box must be displayed on the Splash page, select the display format for terms and conditions.
6. Click Preview to preview the customized splash page or click Finish.
Previewing and Modifying a Splash Page Profile
To preview a splash page profile:
1. Select Guest Management > Splash Page. A list of Splash Page profiles is displayed.
2. Click the preview icon next to the profile you want to preview. The Splash Page is displayed in a new window. To preview the Splash Page, ensure that the pop-up blocker is disabled.
To modify a splash page profile, click the edit icon next to the profile in the list of profiles displayed in the Splash Page Profiles pane.
To delete a profile, select the profile and click the delete icon next to the profile.
Associating a Splash Page Profile to an SSID
To associate a splash page profile with an SSID:
1. Select Wireless Configuration > Networks and then click Create New. The Create a New Network pane is displayed.
2. For Type, select Wireless.
3. Enter a name that is used to identify the network in the Name(SSID) box.
4. For Primary Usage, select Guest and click Next.
5. In the VLANs tab, if required, configure a VLAN assignment mode, and then click Next.
6. In the Security tab:
   a. Select Cloud Guest from the Splash Page Type list.
   b. Select the splash page profile name from the Guest Captive Portal Profile list and click Next.
7. In the Access tab, if required, modify or create access rules, and then click Finish.
Configuring Visitor Accounts
The Visitors pane displays information on the session and account details of the visitors who access the splash page.
Adding a Visitor
To add a new visitor:
1. Select Guest Management > Visitors and then click Add Visitor. The Add Visitor pane is displayed.
2. Configure the parameters described in the following table:
Table 54: Adding Visitors
Name
  Enter a unique name to identify the visitor.
Company
  Enter the company name of the visitor.
Email
  Enter the email ID of the visitor.
Phone
  Enter the phone number of the visitor.
Password
  Click Generate. The automatically generated password is displayed in the PASSWORD text box. Select Send Access Code to send the access code by email or SMS.
Valid Till
  Specify the duration after which the visitor account expires, in Day(s):Hour(s):Minute(s) format. To allow users to access the network for an unlimited period of time, select Unlimited.
Enable
  Select this check box to activate the user account.
3. Click Save.
4. Click Save and Print to print the details of the visitor.
You can export the details of the visitors to an Excel sheet by clicking Export All.
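Both the Session Timeout field of the splash page profile (Table 52, default 0:8:00) and the Valid Till field of a visitor account (Table 54, which also accepts Unlimited) take a Day(s):Hour(s):Minute(s) duration. The following Python helpers, added here as an illustration and not Aruba Central code, parse that format, compute a visitor account's expiry from its creation time and the Enable check box, and decide when a session has outlived its timeout and must re-authenticate. Timestamps are ISO 8601 strings; the limits of 23 hours and 59 minutes per field are this example's assumption, as are the sample values.

```python
"""Helpers for the Day(s):Hour(s):Minute(s) durations used by Session Timeout
(Table 52) and Valid Till (Table 54). Added illustration, not Aruba Central code.
Field limits (hours <= 23, minutes <= 59) are this example's assumption."""
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_SESSION_TIMEOUT = "0:8:00"   # the guide's default of eight hours


def parse_dhm(value: str) -> timedelta:
    """Parse 'D:H:M' into a timedelta; raises ValueError on malformed input."""
    parts = value.strip().split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected Day(s):Hour(s):Minute(s), got {value!r}")
    days, hours, minutes = (int(p) for p in parts)
    if hours > 23 or minutes > 59:
        raise ValueError(f"hours must be 0-23 and minutes 0-59 in {value!r}")
    return timedelta(days=days, hours=hours, minutes=minutes)


def is_valid_dhm(value: str) -> bool:
    """Validate a duration string without raising."""
    try:
        parse_dhm(value)
    except ValueError:
        return False
    return True


def dhm_minutes(value: str) -> int:
    """Total minutes represented by a D:H:M string."""
    return int(parse_dhm(value).total_seconds() // 60)


def parse_valid_till(value: str) -> Optional[timedelta]:
    """Valid Till is either a D:H:M duration or the literal Unlimited (None here)."""
    if value.strip().lower() == "unlimited":
        return None
    return parse_dhm(value)


def account_expiry(created_iso: str, valid_till: str) -> Optional[str]:
    """ISO timestamp at which an account created at created_iso expires, or None
    for an Unlimited account."""
    duration = parse_valid_till(valid_till)
    if duration is None:
        return None
    return (datetime.fromisoformat(created_iso) + duration).isoformat()


def account_active(created_iso: str, valid_till: str, now_iso: str,
                   enabled: bool = True) -> bool:
    """Mirror the Enable check box and Valid Till field: an account is usable only
    while enabled and, unless Unlimited, before its expiry."""
    if not enabled:
        return False
    expiry = account_expiry(created_iso, valid_till)
    return expiry is None or datetime.fromisoformat(now_iso) < datetime.fromisoformat(expiry)


def session_must_reauth(login_iso: str, now_iso: str,
                        session_timeout: str = DEFAULT_SESSION_TIMEOUT) -> bool:
    """True once a session has reached the configured Session Timeout, at which
    point the guide says the user must re-authenticate."""
    elapsed = datetime.fromisoformat(now_iso) - datetime.fromisoformat(login_iso)
    return elapsed >= parse_dhm(session_timeout)
```

Treating Unlimited as None rather than as a very large duration keeps the distinction visible in reports: an account with no expiry is a deliberate choice by the guest operator and is worth reviewing separately from accounts that simply have a long lifetime.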
The following table displays the session details of the visitor:
Table 55: Visitors Session Pane
Visitors
  Displays the name of the visitor.
Login Type
  Displays the login type of the client (Anonymous, Username/Password, Self-Registration, Facebook Wi-Fi).
Browser
  Displays the type of browser with which the client is connected.
MAC Address
  Displays the MAC address of the connected client device.
Device Type
  Displays the type of the device.
OS Name
  Displays the OS on the client device.
Login Time
  Displays the login time of the client.
Session Time (Secs)
  Displays the duration for which the client is connected.
The following table displays the account details of a visitor:
Table 56: Visitor Accounts Pane
Name
  Displays the name of the visitor.
Email
  Displays the email ID of the visitor.
Company
  Displays the company name of the visitor.
Status
  Indicates if the user account is in active or inactive state.
Created
  Displays the date and time at which the visitor account was created.
Expired
  Displays the date and time at which the visitor account expired.
Actions
  Allows you to edit or delete a specific visitor account.
Chapter 10
Mobility Access Switch configuration
This chapter provides the following information:
- Mobility Access Switch Overview on page 153
- Configuring a Mobility Access Switch on page 153
- Configuring DHCP Pools on page 156
- Setting the Admin or Enable mode password on page 157
Mobility Access Switch Overview
The ArubaOS Mobility Access Switch enables secure, role-based network access for wired users and devices, independent of their location or application. The Mobility Access Switch operates as a wired access point when deployed with an Aruba Mobility Controller.
As a wired access point, users and their devices are authenticated and assigned a unique role by the Mobility Controller. These roles are applied irrespective of whether the user is a Wi-Fi client or is connected to a port on the Mobility Access Switch. The use of the Mobility Access Switch allows an enterprise workforce to have consistent and secure access to network resources based on the type of users, client devices, and connection method used.
Central supports S3500, S2500, and S1500 Mobility Access Switch models.
For more information on the Mobility Access Switch, see the ArubaOS 7.4 User Guide.
Configuring a Mobility Access Switch
You can export configurations from an existing Mobility Access Switch to a new Mobility Access Switch within the same group. In this case, the new configuration of the Mobility Access Switch overwrites the existing configuration (including the device override).
You can configure the parameters of the Mobility Access Switch in the Switch Configuration > Switches page of the Central UI. By default, these parameters have the values configured using the Mobility Access Switch. To configure the parameters using Central, click on the text boxes below the corresponding field names.
The following table describes the parameters that can be configured using Central:
Table 57: Switches Pane
MAC Address
  Displays the MAC address of the Mobility Access Switch.
Hostname
  Enter the name of the host.
IP Assignment
  Provide the method of IP assignment as Static or DHCP.
IP Address
  Enter the IP address for static IP assignment.
Netmask
  Enter the netmask for static IP assignment.
Default Gateway
  Enter the default gateway for static IP assignment.
Clicking on the MAC address of a Mobility Access Switch displays the Switch Details page.
Zero Touch Provisioning through Central
If you have subscribed to Aruba Central:
1. Go to https://portal.central.arubanetworks.com and log in with your user credentials.
2. Connect your Mobility Access Switch to the wired network.
3. Select the Maintenance > Device Management page of the Central UI. The UI displays a list of available Mobility Access Switches only if Aruba can correlate the Mobility Access Switch hardware information with the Central subscription. If the Mobility Access Switches are not listed, you need to manually add the Mobility Access Switch.
4. To manually add the Mobility Access Switch:
   a. Click Add Devices.
   b. Enter the MAC address in the Mac Address text box.
   c. Enter the cloud activation key in the Cloud Activation Key text box.
You can get the cloud activation key from the Maintenance tab of the Mobility Access Switch.
You can use the show inventory | include HW command on the Mobility Access Switch to retrieve the MAC address. Use the show version command to view the cloud activation key. The activation key is enabled only if the Mobility Access Switch has Internet access. If you have interrupted the ZTP process using the console or quick-setup, you must apply an IP address (static or DHCP), routing information, and name-servers for the Mobility Access Switch to connect to Activate to enable the activation key.
Configuring Ports
This section describes how to configure the ports of the Mobility Access Switch by using the Central UI.
To configure the port:
1. Select the Switch Configuration > Ports page of the Central UI.
2. Select the port number and click Edit to configure the port parameters.
3. From the Port Mode list, select the mode as Access or Trunk.
   a. For Access mode, specify a value in the Access VLAN text box.
   b. For Trunk mode, specify appropriate values in the Native VLAN and Allowed VLAN text boxes.
4. From the PoE list, select the PoE state as Enabled or Disabled.
5. From the Speed/Duplex list, select one of the following values:
   - Auto
   - 10 Mbps
   - 100 Mbps
   - 1 Gbps
6. Select the admin status as Up or Down from the Admin Status list.
7. Click Save.
Configuring VLANs
Mobility Access Switches support the following types of VLANs:
- MAC-based VLANs — In the case of untrusted interfaces, you can associate a client to a VLAN based on the source MAC of the packet. Based on the MAC, you can assign a role to the user after authentication.
- Port-based VLANs — In the case of trusted interfaces, all untagged traffic is assigned a VLAN based on the incoming port.
- Tag-based VLANs — In the case of trusted interfaces, all tagged traffic is assigned a VLAN based on the incoming tag.
- Voice VLANs — You can use voice VLANs to separate voice traffic from data traffic when the voice and data traffic are carried over the same Ethernet link.
Creating VLANs
By default, all the ports in the Mobility Access Switches are assigned to VLAN 1. You can create VLANs and assign ports to these VLANs.
To configure a VLAN:
1. Select the Switch Configuration page and select a group from the Groups page.
2. Click the VLANs tab and click New.
3. Specify the VLAN ID in the ID text box.
4. Provide the description for the VLAN in the Description text box.
5. Enter the IP address for the VLAN in the IP Address text box.
6. Enter the netmask for the VLAN in the Netmask text box.
7. Select the Source NAT check box to enable NAT.
8. Click Update.
9. Click Save Settings.
Editing VLANs
To edit a VLAN:
1. Select the Switch Configuration page and select a group from the Groups page.
2. Click the VLANs tab and click the edit button in the Actions column of the VLANs table.
3. Edit the required fields. The VLAN ID field is grayed out and cannot be modified.
4. Click Update.
5. Click Save Settings.
Deleting VLANs
To delete a VLAN:
1. Select the Switch Configuration page and select a group from the Groups page.
2. Click the VLANs tab and select the VLAN to delete.
3. Click Delete.
4. Click Save Settings.
Configuring DHCP Pools
Select the Enable DHCP service check box to activate this service.
Creating a DHCP Pool
To configure a new DHCP pool:
1. Select the Switch Configuration page and select a group from the Groups page.
2. Click the DHCP Pools tab and click New.
3. Specify the DHCP pool name in the Name text box.
4. Enter the IP address for the DHCP pool in the Network text box.
5. Enter the netmask for the DHCP pool in the Netmask text box.
6. Enter the default router for the DHCP pool in the Default Router text box.
7. Enter the DNS server for the DHCP pool in the DNS Server text box. You can click + to add multiple DNS servers.
8. Enter the WINS server for the DHCP pool in the WINS Server text box. You can click + to add multiple WINS servers.
9. Specify the lease time for the DHCP pool in days-hours-minutes format in the Lease Time text box.
10. Enter the IP address range to exclude from the DHCP pool in the Exclude Address Range text box. You can click + to exclude multiple IP address ranges.
11. Enter the Code and select the Type from the drop-down list in the Option text box.
12. Enter the value for the DHCP pool in the Value text box. You can click + to set multiple values for the DHCP pool.
13. Click ADD.
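The pool fields entered in steps 4 to 10 above (network, netmask, default router, DNS and WINS servers, lease time in days-hours-minutes, excluded address ranges) have consistency rules that the text boxes do not enforce for you. The following Python check, added here as an illustration and not Aruba Central or ArubaOS code, validates a pool definition before it is typed in: the network and netmask must form a valid subnet, the default router and server addresses must be real IPv4 addresses, excluded ranges must be ordered and lie inside the pool, and the lease must be positive. Requiring the default router to be covered by an excluded range, so the switch never leases its own gateway address, is this example's recommendation rather than a rule stated by the guide; the sample pools are constructed.

```python
"""Consistency checks for a DHCP pool definition. Added illustration, not Aruba
Central or ArubaOS code. Field names mirror the steps above; sample values are
constructed. The router-must-be-excluded rule is this example's recommendation."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DhcpPool:
    name: str                      # step 3
    network: str                   # step 4
    netmask: str                   # step 5
    default_router: str            # step 6
    dns_servers: List[str] = field(default_factory=list)    # step 7
    wins_servers: List[str] = field(default_factory=list)   # step 8
    lease_time: str = "1-0-0"      # step 9, days-hours-minutes
    exclude_ranges: List[Tuple[str, str]] = field(default_factory=list)  # step 10


def lease_minutes(lease: str) -> int:
    """Convert the days-hours-minutes field to minutes; raises on malformed input."""
    parts = lease.split("-")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"lease time must be days-hours-minutes, got {lease!r}")
    days, hours, minutes = (int(p) for p in parts)
    return days * 1440 + hours * 60 + minutes


def validate_pool(pool: DhcpPool) -> List[str]:
    """Return a list of problems; an empty list means the pool is consistent."""
    problems: List[str] = []
    try:
        net = ipaddress.IPv4Network((pool.network, pool.netmask), strict=True)
    except ValueError as exc:
        return [f"network/netmask invalid: {exc}"]

    try:
        router = ipaddress.IPv4Address(pool.default_router)
    except ValueError:
        return [f"default router {pool.default_router!r} is not an IPv4 address"]
    if router not in net:
        problems.append(f"default router {router} is not in {net}")
    elif router in (net.network_address, net.broadcast_address):
        problems.append(f"default router {router} is the network or broadcast address")

    for label, servers in (("DNS", pool.dns_servers), ("WINS", pool.wins_servers)):
        for server in servers:
            try:
                ipaddress.IPv4Address(server)
            except ValueError:
                problems.append(f"{label} server {server!r} is not an IPv4 address")

    router_excluded = False
    for lo, hi in pool.exclude_ranges:
        try:
            first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        except ValueError:
            problems.append(f"exclude range {lo}-{hi} is not a pair of IPv4 addresses")
            continue
        if first > last:
            problems.append(f"exclude range {lo}-{hi} is reversed")
            continue
        if first not in net or last not in net:
            problems.append(f"exclude range {lo}-{hi} lies outside {net}")
            continue
        if first <= router <= last:
            router_excluded = True
    if router in net and not router_excluded:
        problems.append(f"default router {router} is leasable: add it to an exclude range")

    try:
        if lease_minutes(pool.lease_time) <= 0:
            problems.append("lease time must be greater than zero")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed pool definitions: one consistent, one with several mistakes.
GOOD_POOL = DhcpPool(
    name="office-lan", network="192.0.2.0", netmask="255.255.255.0",
    default_router="192.0.2.1", dns_servers=["192.0.2.53"], lease_time="1-0-0",
    exclude_ranges=[("192.0.2.1", "192.0.2.10")],
)
BAD_POOL = DhcpPool(
    name="broken", network="192.0.2.0", netmask="255.255.255.0",
    default_router="198.51.100.1", dns_servers=["dns.example"], lease_time="0-0-0",
    exclude_ranges=[("192.0.2.50", "192.0.2.40")],
)
```

Running validate_pool on a definition before entering it avoids the quiet failure mode where the switch hands out its own gateway address or an address in a range meant for static hosts.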
Editing DHCP Pools
To edit a DHCP pool:
1. Select the Switch Configuration page and select a group from the Groups page.
2. Click the DHCP Pools tab.
3. Click in the Actions column of the corresponding DHCP pool to modify any field of the DHCP pool.
4. Click Save.
Deleting DHCP Pools
To delete a DHCP pool:
1. Select the Switch Configuration page and select a group from the Groups page.
2. Click the DHCP Pools tab.
3. Click in the Actions column of the corresponding DHCP pool that you choose to delete.
4. Click Yes when the Do you want to delete <DHCP Pool Name>? screen is displayed.
Setting the Admin or Enable mode password
This section describes how to configure a password for the administrator user account (admin) and enable mode on the Mobility Access Switch.
To configure the password:
1. Select the Switch Configuration > System page and perform the following steps:
   a. Enter the password for admin in the Admin Password text box.
   b. Confirm the password for admin in the Confirm Password text box.
   c. Enter the password for enable mode in the Enable Mode Password text box.
   d. Confirm the password for admin in the Enable Mode Password text box.
2. Click Save Settings.
Creating a Name Server
To configure a name server:
1. Select the Switch Configuration page and select a group from the Groups page.
2. Click the Systems tab.
3. Enter the IP address of the name server, obtained from the DNS server, in the Name Server text box.
4. Click Save Settings.
Aruba Central | User Guide Mobility Access Switch configuration |
157
Chapter 11
Managing Reports
The Reports pane displays the summary of the reports generated for networks, security, and PCI Compliance.
Reports Pane
The following table describes the parameters displayed for each generated report.
Table 58: Reporting Pane
Parameter | Description
Title | Displays the title of the generated report.
Date Run | Displays the date on which the report was generated.
Saved By | Indicates the login name of the user who generated the report.
Status | Displays the current status of the generated report.
Actions | Allows you to either export the report locally or send it to an email address.
Scheduled Type | Indicates when the report is triggered.
Generating a Report
To create a report:
1. Select Reports > Network or Security or PCI Compliance, and then click Create New Report. The Create New Report page is displayed.
2. Enter the name of the report in Name.
3. Select the period for which you want to view the report from Time Span.
4. Select Now from Run Report to generate the report for the current period.
5. Select how often you want to generate the report by choosing One Time, Daily Interval, Weekly Interval, Monthly Interval, or Yearly Interval from REPEAT.
6. If you are creating a network summary report, the Include App RF check box is displayed. To include AppRF data in the network summary report, select the Include App RF check box.
7. If you are creating a PCI Compliance report, specify the Cardholder Data Environment (CDE) subnets or CDE SSIDs for which you want to generate the report. You can also run the report on all SSIDs.
8. Select a group from Device Groups. If no group is selected, the report is generated for all groups.
9. To send the report through email, select Email Report, enter the email address, and then click Create.
Deleting a Report
To delete a report:
1. Select Reports > Network or Security or PCI Compliance, and then select the report that you want to delete.
2. Click Delete.
Downloading a Report
To download a report, click the download icon next to the report.
Emailing a Report
To email a report, click the email icon next to the report.
Contents of a Report
The following table lists the parameters included in the reports generated from the Network, Security, and PCI Compliance pages.
Table 59: Report Parameters
Report Type | Parameters Displayed
Network Summary Report | Displays the following parameters:
  • Number of APs
  • AP Model
  • Top Ten Wireless Clients By Usage
  • Top Ten APs By Usage
  • Total Usage By SSID
  • Device Types
  • Wireless Clients
  • Wireless Data Usage
  • Top Ten Applications By Usage
  • Top 10 Web Categories By Usage
  • Top 10 Users (includes Application and Web Category drop-down lists)
  • Top Destinations For Top Web Categories
  • Switches
  • Switch Model
  • Top Ten Switches By Usage
  • Top Ten Ports By Usage
  • Wired Uplink Stats
  NOTE: The report in PDF format does not display the Application and Web Category drop-down lists for filtering the report by application and web category. Instead, it displays reports for the applications and web categories in which client traffic flow is detected.
Security Report | Displays the following parameters:
  • Rogue APs
  • Total Rogue APs Detected
  • Wireless Intrusions
  • Total Wireless Intrusions
PCI Compliance | Displays the PCI Compliance result as Fail or Pass.
Chapter 12
Firmware and Subscription Maintenance
The Maintenance tab displays the maintenance pane for Central. The maintenance pane consists of the following:
• Firmware
• Subscription Keys
• Label Management
• Device Management
• User Management
Firmware
The Firmware tab provides an overview of the latest supported firmware version for the device, details of the device, and the option to upgrade the device.
Table 60: Firmware Maintenance
Name | Description
Recommended Firmware Version | Displays the latest firmware version available on the public firmware server.
Virtual Controllers | Displays the following information:
  • VC Name—Name of the VC
  • APs—Number of APs associated with the VC
  • Location—Location of the IAP device
  • Firmware Version—The firmware version on the IAP
  • Status—The upgrade status of the IAP
Switches | Displays the following information:
  • Hostname—Host name of the switch
  • MAC Address—MAC address of the switch
  • Location—Location of the device
  • Firmware Version—The firmware version on the switch
  • Status—The upgrade status of the switch
Upgrade Firmware | Allows you to upgrade the device firmware to the latest supported version. For more information, see Upgrading IAP or Mobility Access Switch on page 163.
Search Filter | Allows you to define filter criteria for searching devices based on host name, MAC address, location, firmware version, and the current upgrade status of the device.
Upgrading IAP or Mobility Access Switch
You can upgrade an IAP or Mobility Access Switch either manually or by using the automatic image check feature.
Automatically Upgrading a Device to a New Firmware Version
To check for a new version on the image server in the cloud:
1. Go to Maintenance > Firmware. The Firmware window is displayed.
2. Select a virtual controller or a Mobility Access Switch.
3. Click Upgrade Firmware, select the Automatic button, and then click Upgrade.
The IAP or the Mobility Access Switch downloads the image from the server, saves it to flash, and reboots.
Depending on the progress and success of the upgrade, one of the following messages is displayed:
• Upgrading — While the image upgrade is in progress.
• Upgrade failed — When the upgrade fails.
If the upgrade fails, retry upgrading your device.
Manually Upgrading a Device to a New Firmware Version
To manually upgrade to a new firmware image version:
1. Select Maintenance > Firmware. The Firmware pane is displayed.
2. Click Upgrade Firmware.
3. Select the Manual radio button and perform the following steps:
   • Select one of the following from the TYPE list:
     - release — Select a firmware to upgrade from the Select a firmware version list. The available release firmware images are listed.
     - beta — Select a firmware to upgrade from the Select a firmware version list. The available beta firmware images are listed.
     - custom build — Enter the custom build in the Firmware Version text box. To upgrade using a custom build, contact Aruba Support for the firmware version.
4. Click Upgrade to upgrade your device to the newer version.
For upgrading a Mobility Access Switch, click the Reboot button that appears after the upgrade. You can upgrade your device now or later by selecting the appropriate option in the When? field.
To check for a new version on the image server in the cloud:
1. Select Maintenance > Firmware. The Firmware pane is displayed.
2. Select Virtual Controllers or Mobility Access Switches.
3. Click Upgrade Firmware, select the Automatic radio button, and then click Upgrade.
The IAP downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
• Upgrading—While the image upgrade is in progress.
• Upgrade failed—When the upgrade fails.
If the upgrade fails, retry upgrading your device.
After upgrading a Mobility Access Switch, click Reboot. You can upgrade your device now or later by selecting the appropriate option in the When? field.
Resetting an IAP
You can reset the system configuration of an IAP by erasing the existing configuration on the IAP. To erase the existing configuration on an IAP, perform any of the following procedures:
Clearing IAP Configuration Using Groups
To reset an IAP using groups:
1. Create a new group and ensure that the group has no additional configuration.
2. Move the IAP that you want to reset under the new group. After the IAP is moved to the new group, the configuration on the IAP is erased and the default group configuration is pushed to the IAP. However, in this procedure only the system configuration is cleared; the Per AP Settings on the IAP are retained.
Resetting an IAP through the Console
To reset an IAP from the IAP console:
1. Log in to the IAP console. To access the IAP console, select Monitoring > Access Points. From the Access Points table in the Access Points pane, click the IAP to which you want to connect. The Access Points > AP Details page is displayed.
2. Click Console Access.
3. Execute the write erase all command at the command prompt.
4. Reboot the IAP. With this procedure, the complete configuration, including the Per AP Settings on the IAP, is reset.
After the reboot, the IAP is moved to the default group and is no longer present in the group to which it was previously attached.
For information on resetting an IAP to the factory default configuration by using the reset button on the device, see the Aruba Instant User Guide.
Subscription Keys
The Subscription Keys tab provides details of the licenses assigned to a device.
Table 61: Subscription Keys Pane
Name | Description
Name | Displays the name of the license.
Type | Displays the SKU of the license:
  • For AP: SUB1-CNP-IAP-1 and so on
  • For Switch: SUB1-CNP-MAS-1 and so on
Start Date | Displays when the license was assigned to your device.
End Date | Displays the license expiry date.
Capacity | Displays the maximum capacity of the license.
APs Used | Displays the number of IAPs that use a license.
Search icon | Click this icon to perform a search based on the specified keyword under each column.
Adding Another Subscription Key
When a subscription is extended or renewed, a new subscription key is assigned and sent to the user. To activate the subscription key:
1. Click Maintenance > Subscription Keys. The Subscription Keys pane is displayed.
2. Click Add Another Subscription Key and enter the subscription ID.
3. Click Activate. The subscription key is added to the list.
Users with an evaluation subscription receive subscription expiry notifications 30 days, 15 days, and 1 day before the subscription expires, and on day 1 after the subscription expires. Users with paid subscriptions receive subscription expiry notifications 90, 60, 30, 15, and 1 day before expiry, and two notifications per day on day 1 and day 2 after the subscription expires.
If the licenses have expired or are about to expire within 24 hours, a license expiry notification message is displayed in a pop-up window when the customer logs in to Central.
Label Management
Labels are tags that filter devices for monitoring and reporting purposes. A device can be assigned multiple labels. For example, an AP can be labeled as Building 25 and Lobby. These labels can be used to tag the device to a location, or to specific owners or departments.
The devices can also be classified using Groups. The group classification can be used for role-based access to a device, while labels can be used for tagging a device to a location or region. However, if a device is already assigned to a group and also has a label associated with it, it is classified using both the group and the labels.
The Label Management tab in the Central UI allows you to create labels, and to edit and remove the labels assigned to a device. You can also filter devices based on labels and customize the Monitoring dashboard views.
For more information on filtering devices based on labels, see .
This section describes the following procedures:
• Creating a Label
• Assigning a Device to a Label
• Detaching a Device from a Label
• Editing or Deleting a Label
Creating a Label
To create a label:
1. Click Maintenance > Label Management. The Label Management pane is displayed.
2. Click Create a New Label.
3. Enter a name for the label.
4. Click Create. The new label is added to the All Labels table.
Assigning a Device to a Label
To assign a device to a label:
1. To assign a label to an AP, select the AP from the list of APs displayed on the Monitoring > Access Points pane.
2. To assign a label to a switch, select the switch from the list of switches displayed on the Monitoring > Switches pane.
3. Click the edit icon in the Labels column. The Edit Label screen is displayed.
4. To assign the device to a label, enter the label name and then click Add.
Detaching a Device from a Label
To detach a device from a label:
1. Click Maintenance > Label Management. The Label Management pane is displayed.
2. Select the label to which the device is associated. The devices assigned to the label are displayed.
3. Select the device and click Unassign Devices. The device is removed from the list of devices assigned to the label.
4. Click OK.
Editing or Deleting a Label
To edit or delete a label:
1. Click Maintenance > Label Management. The Label Management pane is displayed.
2. Select the label to edit or delete.
3. To edit the label, click the edit icon in the Actions column. Edit the label and click Update.
4. To delete the label, click the delete icon in the Actions column. To view the devices attached to the label before deleting it, click View Devices. Click Delete to remove the label.
Device Management
The Device Management pane displays details of the devices managed by Central.
The following table describes the contents of the Device Management pane.
Table 62: Device Management Pane
Name | Description
Serial Number | Serial number of the IAP or the Mobility Access Switch.
MAC Address | MAC address of the IAP or the Mobility Access Switch.
Subscription Key | Subscription keys for the IAP or the Mobility Access Switch.
Type | Type of the device.
Group | The pre-assigned or pre-provisioned group to which the IAP or the Mobility Access Switch is assigned. To assign a device to a group, see Assigning Devices to a Group.
Location | Displays the location of the IAP or the Mobility Access Switch.
Add Devices | Allows you to manually add devices to the Central network.
Typically, Central automatically retrieves the list of devices licensed to a customer account. If devices are not synchronized for more than 24 hours, contact the Aruba customer support team and, if required, manually add the devices.
Adding Devices
To add devices to Central:
1. In the Device Management pane, click Add Devices. The Manually Add Devices window is displayed.
2. Provide the following information for the device:
   • Cloud Activation Key
   • MAC Address
3. Click Add Devices.
Assigning Devices to a Group
To assign devices to a group:
1. In the Device Management pane, select the device to assign to a group. To assign all unassigned devices at once, select the unassigned devices from a group.
2. Click Assign Group. The Assign Group pane is displayed.
3. Select the group to which you want to assign your device by using the scroll bar.
4. Click Assign.
5. To assign the device to a new group:
   a. Enter the name of the group in the text box and click (+). The newly created group is displayed in the list of available groups.
   b. Select the newly created group and click Assign.
Assigning Licenses to Devices
To assign a license to a device:
1. In the Device Management pane, select the device and click Assign License(s). The Assign License window is displayed.
2. Click Assign.
User Management
The User Management pane provides details of each user, such as username, user scope, and access level, and allows you to add, edit, or delete users.
Aruba Central User Roles
Central supports three types of users:
• Admin user—Admin users have full access to all the groups and have special rights to create or update user details and groups, and to provision devices.
• Read/Write user—These users have read/write access to the groups and devices assigned to them by the Admin user. Read/Write users can perform operations that change the behavior of devices or groups, such as modifying the configuration of a device, deleting a device, and so on.
• Guest operator—Guest operator users have access to guest management operations only. These users can add guest users and configure splash page profiles.
A user cannot have different access rights for different groups.
Adding a User
To add a new user account:
1. Click Maintenance > User Management.
2. On the User Management page, click Add User. The Create User window is displayed.
3. Enter the name of the user in the Username text box.
4. Select the name of the group from the User Scope drop-down list.
5. Select a user role from the Access Level drop-down list.
6. Click Save. An email invite with a registration link is sent to the user. For more information on registering, see Adding User Accounts on page 19. If the user has not received the email invite, click Resend Invite to resend the invitation.
Terminology
Acronyms and Abbreviations
The following table lists the abbreviations used in this user guide.
Table 63: Acronyms And Abbreviations
Abbreviation | Expansion
ARM | Adaptive Radio Management
ARP | Address Resolution Protocol
BSS | Basic Server Set
BSSID | Basic Server Set Identifier
CA | Certification Authority
CLI | Command Line Interface
DHCP | Dynamic Host Configuration Protocol
DMZ | Demilitarized Zone
DNS | Domain Name System
EAP-TLS | Extensible Authentication Protocol-Transport Layer Security
EAP-TTLS | Extensible Authentication Protocol-Tunneled Transport Layer Security
IAP | Access Point
IDS | Intrusion Detection System
IEEE | Institute of Electrical and Electronics Engineers
ISP | Internet Service Provider
LEAP | Lightweight Extensible Authentication Protocol
MX | Mail Exchanger
MAC | Media Access Control
NAS | Network Access Server
NAT | Network Address Translation
NS | Name Server
NTP | Network Time Protocol
PEAP | Protected Extensible Authentication Protocol
PEM | Privacy Enhanced Mail
PoE | Power over Ethernet
RADIUS | Remote Authentication Dial In User Service
VC | Virtual Controller
VSA | Vendor-Specific Attributes
WLAN | Wireless Local Area Network
Glossary
The following table lists the terms used in this guide and their definitions.
Table 64: Terms And Definitions
Term | Definition
802.11 | An evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.
802.11a | Provides specifications for wireless systems. Networks using 802.11a operate at radio frequencies in the 5 GHz band. The specification uses a modulation scheme known as orthogonal frequency-division multiplexing (OFDM) that is especially well suited to use in office settings. The maximum data transfer rate is 54 Mbps.
802.11b | WLAN standard often called Wi-Fi; backward compatible with 802.11. Instead of the phase-shift keying (PSK) modulation method historically used in 802.11 standards, 802.11b uses complementary code keying (CCK), which allows higher data speeds and is less susceptible to multipath-propagation interference. 802.11b operates in the 2.4 GHz band and the maximum data transfer rate is 11 Mbps.
802.11g | Offers transmission over relatively short distances at up to 54 Mbps, compared with the 11 Mbps theoretical maximum of 802.11b. 802.11g operates in the 2.4 GHz band and employs orthogonal frequency division multiplexing (OFDM), the modulation scheme used in 802.11a, to obtain higher data speed. Computers or terminals set up for 802.11g can fall back to speeds of 11 Mbps, so that 802.11b and 802.11g devices can be compatible within a single network.
802.11n | Wireless networking standard that improves network throughput over the two previous standards, 802.11a and 802.11g, with a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps through the use of four spatial streams at a channel width of 40 MHz. 802.11n operates in the 2.4 and 5.0 GHz bands.
AP | An access point (AP) connects users to other users within the network and can also serve as the point of interconnection between the WLAN and a fixed wire network. The number of access points a WLAN needs is determined by the number of users and the size of the network.
access point mapping | The act of locating and possibly exploiting connections to WLANs while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of antenna which can be mounted on top of or positioned inside the car. Because a WLAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources.
ad-hoc network | A LAN or other small network, especially one with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in close proximity to the rest of the network.
band | A specified range of frequencies of electromagnetic radiation.
DHCP | The Dynamic Host Configuration Protocol (DHCP) is an autoconfiguration protocol used on IP networks. Computers or any network peripherals that are connected to IP networks must be configured before they can communicate with other computers on the network. DHCP allows a computer to be configured automatically, eliminating the need for a network administrator. DHCP also provides a central database to keep track of computers connected to the network. This database helps prevent any two computers from being configured with the same IP address.
DNS Server | A Domain Name System (DNS) server functions as a phonebook for the Internet and Internet users. It converts human-readable computer hostnames into IP addresses and vice versa. A DNS server stores several records for a domain name, such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The address 'A' record is the most important record stored in a DNS server, because it provides the required IP address for a network peripheral or element.
DST | Daylight saving time (DST), also known as summer time, is the practice of advancing clocks so that evenings have more daylight and mornings have less. Typically, clocks are adjusted forward one hour near the start of spring and adjusted backward in autumn.
EAP | Extensible authentication protocol (EAP) refers to the authentication protocol in wireless networks that expands on methods used by the point-to-point protocol (PPP), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.
fixed wireless | Wireless devices or systems in fixed locations such as homes and offices. Fixed wireless devices usually derive their electrical power from the utility mains, unlike mobile wireless or portable wireless devices, which tend to be battery-powered. Although mobile and portable systems can be used in fixed locations, efficiency and bandwidth are compromised compared with fixed systems.
frequency allocation | Use of radio frequency spectrum regulated by governments.
frequency spectrum | Part of the electromagnetic spectrum.
hotspot | A WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hot spot, contact it, and get connected through its network to reach the Internet and their own company remotely with a secure connection. Increasingly, public places such as airports, hotels, and coffee shops are providing free wireless access for customers.
IEEE 802.11 standards | The IEEE 802.11 is a set of standards that are categorized based on the radio wave frequency and the data transfer rate.
POE | Power over Ethernet (PoE) is a method of delivering power on the same physical Ethernet wire used for data communication. Power for devices is provided in one of the following two ways:
  • Endspan—The switch to which the AP is connected supplies the power.
  • Midspan—A device that sits between the switch and the APs supplies the power.
  The choice of endspan or midspan depends on the capabilities of the switch to which the IAP is connected. Typically, if a switch is already in place and does not support PoE, midspan power injectors are used.
PPPoE | Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the Internet typically used with DSL services, where the client connects to the DSL modem.
QoS | Quality of Service (QoS) refers to the capability of a network to provide better service to specific network traffic over various technologies.
RF | Radio Frequency (RF) refers to the portion of the electromagnetic spectrum in which electromagnetic waves are generated by feeding alternating current to an antenna.
VPN | A Virtual Private Network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN ensures privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). Data is encrypted at the sending end and decrypted at the receiving end.
W-CDMA | Officially known as IMT-2000 direct spread; ITU standard derived from Code-Division Multiple Access (CDMA). Wideband code-division multiple access (W-CDMA) is a third-generation (3G) mobile wireless technology that promises much higher data speeds to mobile and portable wireless devices than commonly offered in today's market.
Wi-Fi | A term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard. Wi-Fi has gained acceptance in many businesses, agencies, schools, and homes as an alternative to a wired LAN. Many airports, hotels, and fast-food facilities offer public access to Wi-Fi networks.
WEP | Wired equivalent privacy (WEP) is a security protocol specified in 802.11b, designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. Data encryption protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms such as password protection, end-to-end encryption, virtual private networks (VPNs), and authentication can be put in place to ensure privacy.
wireless | Describes telecommunications in which electromagnetic waves (rather than some form of wire) carry the signal over part or all of the communication path.
wireless network | In a Wireless LAN (WLAN), laptops, desktops, PDAs, and other computer peripherals are connected to each other without any network cables. These network elements or clients use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards.
WISP | Wireless ISP (WISP) refers to an Internet service provider (ISP) that allows subscribers to connect to a server at designated hot spots (access points) using a wireless connection such as Wi-Fi. This type of ISP offers broadband service and allows subscriber computers, called stations, to access the Internet and the Web from anywhere within the zone of coverage provided by the server antenna, usually a region with a radius of several kilometers.
wireless service provider | A company that offers transmission services to users of wireless devices through radio frequency (RF) signals rather than through end-to-end wire communication.
WLAN | Wireless local area network (WLAN) is a Local Area Network (LAN) that the users access through a wireless connection.
- 107 Enabling ALE support on an IAP
- 107 Configuring OpenDNS Credentials
- 107 CALEA Integration and Lawful Intercept Compliance
- 107 CALEA Server Integration
- 108 Client Traffic Replication
- 109 Configuring an IAP for CALEA Integration
- 109 Creating a CALEA Profile
- 109 Configuring an IAP for Bonjour Support
- 109 Bonjour Support Overview
- 110 Bonjour Support with Central
- 111 Configuring Bonjour Support and Bonjour Services
- 112 Integrating an IAP with Palo Alto Networks Firewall
- 112 Integration with Central
- 112 Configuring IAP for PAN integration
- 113 Enabling AppRF Service
- 113 Configuring Uplinks
- 113 Uplink Interfaces
- 114 3G/4G Uplink
- 119 Wi-Fi uplink
- 119 Ethernet Uplink
- 120 Uplink Preferences and Switching
- 121 Enforcing Uplinks
- 121 Setting an uplink priority
- 121 Enabling uplink pre-emption
- 121 Switching Uplinks based on the Internet Availability
- 122 Mobility and Client Management
- 122 Layer-3 Mobility Overview
- 123 Configuring L3 Mobility Domain
- 123 Home agent load balancing
- 124 Configuring L3 mobility domain
- 124 Enterprise Domains
- 124 Configuring Enterprise Domains
- 124 SNMP and Logging
- 125 Configuring SNMP
- 125 SNMP parameters for IAP
- 125 Configuring Community String for SNMP
- 126 Configuring SNMP Traps
- 126 Configuring a Syslog Server
- 127 Configuring TFTP Dump Server
- 128 AppRF
- 128 Deep Packet Inspection with AppRF
- 128 Application Visibility
- 128 AppRF Dashboard
- 129 Overview
- 133 Analyze
- 136 Configuring ACL Rules for Application and Application Categories
- 137 Configuring Web Policy Enforcement
- 140 Guest Management
- 140 Guest User Access
- 140 Creating Apps for Social Login
- 140 Creating a Facebook App
- 142 Creating a Google App
- 144 Creating a Twitter App
- 145 Creating a LinkedIn App
- 146 Configuring a Splash Page Profile
- 146 Adding a Splash Page Profile
- 149 Customizing a Splash Page Design
- 150 Previewing and Modifying a Splash Page
- 150 Associating a Splash Page Profile to an SSID
- 151 Configuring Visitor Accounts
- 151 Adding a visitor
- 153 Mobility Access Switch configuration
- 153 Mobility Access Switch Overview
- 153 Configuring a Mobility Access Switch
- 154 Zero Touch Provisioning through Central
- 154 Configuring Ports
- 155 Configuring VLANs
- 155 Creating VLANs
- 155 Editing VLANs
- 156 Deleting VLANs
- 156 Configuring DHCP Pools
- 156 Creating a DHCP Pool
- 156 Editing DHCP Pools
- 156 Deleting DHCP Pools
- 157 Setting the Admin or Enable mode password
- 157 Creating a Name Server
- 159 Managing Reports
- 159 Reports Pane
- 159 Generating a Report
- 160 Deleting a Report
- 160 Downloading a Report
- 160 Emailing a Report
- 161 Contents of a Report
- 162 Firmware and Subscription Maintenance
- 162 Firmware
- 163 Upgrading IAP or Mobility Access Switch
- 163 Automatically upgrading a device to a new firmware version
- 163 Manually Upgrading a Device to a New Firmware Version
- 164 Resetting an IAP
- 164 Clearing IAP Configuration Using Groups
- 164 Resetting an IAP through Console
- 164 Subscription Keys
- 165 Adding Another Subscription Key
- 165 Label Management
- 166 Device Management
- 167 Adding Devices
- 167 Assigning Devices to a Group
- 167 Assigning Licenses to Devices
- 167 User Management
- 168 Aruba Central User Roles
- 168 Adding a User
- 169 Terminology
- 169 Acronyms and Abbreviations
- 170 Glossary