User Guide
ArubaOS 6.1
Copyright
© 2011 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved.
All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code
subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open
Source Licenses. The Open Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate
other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against
it with respect to infringement of copyright on behalf of those vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information,
refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.
Altering this device (such as painting it) voids the warranty.
www.arubanetworks.com
1344 Crossman Avenue
Sunnyvale, California 94089
Phone: 408.227.4500
Fax: 408.227.4550
ArubaOS 6.1 | User Guide
0510833-03 | June 2011
Contents
About this Guide..................................................................................................................45
Audience..............................................................................................................45
Fundamentals ......................................................................................................45
WebUI ...........................................................................................................45
CLI.................................................................................................................45
Related Documents .............................................................................................46
Conventions.........................................................................................................46
Contacting Support .............................................................................................47
Chapter 1
The Basic User-Centric Networks .......................................................49
Configuring the User-Centric Network ................................................................49
Deployment and Configuration Tasks .................................................................49
Deployment Scenario #1...............................................................................50
Deployment Scenario #2...............................................................................50
Deployment Scenario #3...............................................................................51
Configuring the Controller ...................................................................................52
Running the Initial Setup ...............................................................................53
Connecting to the Controller after Initial Setup.............................................53
Configuring a VLAN for Network Connection......................................................53
Creating and Updating a VLAN.....................................................................54
Viewing Existing VLAN IDs .....................................................................54
Creating, Updating, and Deleting VLAN Pools .............................................55
Adding existing VLAN IDs to a VLAN Pool in the CLI.............................55
Assigning and Configuring the Trunk Port ....................................................55
In the WebUI ...........................................................................................55
In the CLI ................................................................................................56
Configuring the Default Gateway ..................................................................56
In the WebUI ...........................................................................................56
In the CLI ................................................................................................56
Configuring the Loopback for the Controller ................................................56
In the WebUI ..........................................................................................57
In the CLI ................................................................................................57
Configuring the System Clock ......................................................................57
Installing Licenses .........................................................................................57
Connecting the Controller to the Network ....................................................58
Additional Configuration ......................................................................................58
Chapter 2
Network Parameters .............................................................................59
Configuring VLANs ..............................................................................................59
Creating and Updating VLANs ......................................................................59
Using the WebUI.....................................................................................59
Using CLI ................................................................................................60
Create Bulk VLANs using the WebUI ......................................................60
Using CLI ................................................................................................60
Creating, Updating and Deleting VLAN Pools ..............................................60
Creating a VLAN pool using the WebUI .................................................60
Updating a VLAN Pool............................................................................61
Deleting a VLAN Pool .............................................................................61
Create a VLAN Pool using CLI................................................................61
Viewing existing VLAN IDs using CLI .....................................................61
Adding existing VLAN IDs using CLI ......................................................61
Add a Bandwidth Contract to the VLAN .......................................................62
Optimize VLAN Broadcast and Multicast Traffic...........................................62
In the CLI ................................................................................................63
In the WebUI ...........................................................................................63
Configuring Ports.................................................................................................63
Classifying Traffic as Trusted or Untrusted...................................................63
About Trusted and Untrusted Physical Ports .........................................63
About Trusted and Untrusted VLANs .....................................................64
Configuring Trusted/Untrusted Ports and VLANs.........................................64
Using WebUI...........................................................................................64
Using CLI ................................................................................................65
Configure Trusted/Untrusted Ports and VLANs in Trunk Mode....................65
Using the WebUI.....................................................................................65
Using CLI ................................................................................................66
About VLAN Assignments ...................................................................................66
How a VLAN obtains its IP Address..............................................................66
Assigning a Static Address to a VLAN ..........................................................66
Using the WebUI.....................................................................................66
Using CLI.......................................................................................................67
Configuring a VLAN to Receive a Dynamic Address ....................................67
Configuring Multiple Wired Uplink Interfaces (Active-Standby) .............67
Enabling the DHCP Client .............................................................................67
Using the WebUI.....................................................................................67
Using the CLI ..........................................................................................68
Enabling the PPPoE Client............................................................................68
Using the WebUI.....................................................................................68
Using CLI ................................................................................................68
Default Gateway from DHCP/PPPoE............................................................69
Using the WebUI.....................................................................................69
Using CLI ................................................................................................69
Configuring DNS/WINS Server from DHCP/PPPoE......................................69
Using the WebUI ...........................................................................................69
Using CLI ................................................................................................69
Configuring Source NAT to Dynamic VLAN Address....................................69
Using the WebUI.....................................................................................70
Using CLI ................................................................................................70
Configuring Source NAT for VLAN Interfaces ...............................................70
Example Configuration ...........................................................................70
Using the WebUI.....................................................................................71
Using CLI ................................................................................................71
Inter-VLAN Routing .......................................................................................71
Using the WebUI to restrict VLAN routing ..............................................72
Using CLI ................................................................................................72
Configuring Static Routes....................................................................................72
Using the WebUI ...........................................................................................72
Using CLI.......................................................................................................73
Configuring the Loopback IP Address ................................................................73
Using the WebUI ...........................................................................................73
Using CLI.......................................................................................................73
Using the CLI to reboot the controller...........................................................73
Configuring the Controller IP Address.................................................................73
Using CLI.......................................................................................................74
Configuring GRE Tunnels ....................................................................................75
Creating a Tunnel Interface ...........................................................................75
Using the WebUI.....................................................................................75
Using CLI ................................................................................................75
Directing Traffic into the Tunnel ....................................................................75
Static Routes ..........................................................................................76
Firewall Policy .........................................................................................76
Tunnel Keepalives...................................................................................76
Chapter 3
RF Plan....................................................................................................77
Supported Planning.............................................................................................77
Before You Begin ................................................................................................78
Task Overview...............................................................................................78
Planning Requirements .................................................................................78
Launching the RF Plan ........................................................................................80
Campus List Page.........................................................................................80
Building List Pane .........................................................................................81
Building Specifications Overview..................................................................82
Building Dimension Page ..............................................................................83
AP Modeling Parameters Page .....................................................................84
Radio Type..............................................................................................86
Design Model..........................................................................................86
Overlap Factor ........................................................................................86
Users/AP.................................................................................................87
Radio Properties (Desired Rates and HT Support Options) ...................87
AM Modeling Page........................................................................................88
Design Models ........................................................................................89
Monitor Rates .........................................................................................89
Planning Floors Page ....................................................................................90
Zoom ......................................................................................................91
Approximate Coverage Map...................................................................91
Coverage Rate ........................................................................................91
Channel...................................................................................................92
HT Mode .................................................................................................92
Floor Editor Dialog Box...........................................................................92
Area Editor Dialog Box ...........................................................................93
Access Point Editor Dialog Box..............................................................95
AP Plan Page ................................................................................................97
Initialize ...................................................................................................97
Optimize..................................................................................................97
Fix All Suggested AP/AMs......................................................................98
AM Plan Page................................................................................................98
Initialize ...................................................................................................98
Optimize..................................................................................................98
Fix All Suggested AP/AMs......................................................................99
Exporting and Importing Files .......................................................................99
Export Campus.......................................................................................99
Import Campus.....................................................................................100
Export Buildings Page ..........................................................................100
Import Buildings Page ..........................................................................100
Locate .........................................................................................................101
FQLN Mapper .............................................................................................101
Using the FQLN Mapper in the AP Provision Page ...........................................103
Using the WebUI .........................................................................................103
Using CLI.....................................................................................................103
Legacy RF Plan Example...................................................................................104
Sample Building ..........................................................................................104
Create a Building ........................................................................................106
Model the Access Points ...........................................................................107
Model the Air Monitors ...............................................................................107
Add and Edit a Floor ...................................................................................107
Adding the background image and naming the first floor...........................107
Adding the background image and naming the second floor.....................108
Defining Areas .............................................................................................108
Creating a Don’t Care Area ........................................................................108
Creating a Don’t Deploy Area .....................................................................109
Running the AP Plan ..................................................................................109
Running the AM Plan .................................................................................110
Chapter 4
Access Points ......................................................................................111
Basic Functions and Features ...........................................................................111
AP Names and Groups......................................................................................112
Creating an AP group..................................................................................113
In the WebUI .........................................................................................113
Creating an AP group in the CLI...........................................................113
Assigning APs to an AP group ....................................................................113
In the CLI ..............................................................................................114
AP Configuration Profiles ..................................................................................114
Wireless LAN Profiles..................................................................................114
AP Profiles...................................................................................................116
QoS Profiles ................................................................................................117
RF Management Profiles.............................................................................117
Mesh Profiles ..............................................................................................118
Other Profiles ..............................................................................................118
Viewing Profile Errors ..................................................................................118
Profile Hierarchy ................................................................................................119
Deploying APs ...................................................................................................121
Running the RF Plan ...................................................................................121
Ensure APs Can Connect to the Controller.................................................121
Configure Firewall Settings...................................................................121
Enable Controller Discovery .................................................................122
From a DNS Server...............................................................................122
From a DHCP Server ............................................................................122
Using the Aruba Discovery Protocol (ADP) ..........................................123
Ensure APs Can Obtain IP Addresses ........................................................123
Enabling the DHCP server on the controller in the WebUI ...................123
Enable the DHCP server on the controller in the CLI ...........................124
Provisioning APs for Mesh ..........................................................................124
Installing APs on the Network .....................................................................124
Updating the RF Plan ..................................................................................125
Provisioning Installed APs .................................................................................125
Remote AP (RAP) vs Campus AP (CAP) .....................................................125
AP Provisioning Wizard...............................................................................125
Provisioning an Individual AP......................................................................125
Provisioning Multiple APs using a Provisioning Profile ........................128
Assigning Provisioning Profiles ............................................................129
Troubleshooting....................................................................................129
Configuring a Provisioned AP............................................................................129
AP Installation Modes .................................................................................130
In the WebUI .........................................................................................130
In the CLI ..............................................................................................130
Renaming an AP .........................................................................................130
Renaming in the WebUI........................................................................131
Renaming in the CLI .............................................................................131
Optimize APs Over Low-Speed Links.........................................................131
Configuring the Bootstrap Threshold ...................................................132
Prioritizing AP heartbeats .....................................................................134
AP Redundancy ..........................................................................................135
In the WebUI .........................................................................................135
In the CLI ..............................................................................................135
AP Maintenance Mode................................................................................135
In the WebUI .........................................................................................136
In the CLI ..............................................................................................136
Managing AP LEDs .....................................................................................136
Disabling LEDs in the WebUI................................................................136
Enable or Disable LEDs in the CLI........................................................137
Configuring Blinking LEDs in the CLI ...................................................137
Managing RF Interference .................................................................................137
RF Optimization ..........................................................................................137
In the WebUI .........................................................................................137
In the CLI ..............................................................................................138
RF Event Configuration ...............................................................................138
In the WebUI .........................................................................................138
In the CLI ..............................................................................................140
AP Channel Assignments ..................................................................................140
20 MHz and 40 MHz Static Channel Assignments .....................................140
In the WebUI .........................................................................................141
In the CLI ..............................................................................................142
Channel Switch Announcement (CSA)........................................................142
In the WebUI .........................................................................................142
In the CLI ..............................................................................................142
Automatic Channel and Transmit Power Selection ....................................142
AP Console Settings..........................................................................................143
Chapter 5
Virtual APs ............................................................................................145
Virtual AP Profiles ..............................................................................................145
Excluding a virtual AP profile from an AP in the WebUI .......................146
Excluding a virtual AP profile from an AP in the CLI ............................146
Configuring a Virtual AP.....................................................................................146
Configuring the WLAN ................................................................................147
Configuring the User Role...........................................................................148
In the WebUI .........................................................................................148
In the CLI ..............................................................................................148
Configuring Authentication Servers ............................................................148
In the WebUI .........................................................................................148
In the CLI ..............................................................................................149
Configuring Authentication .........................................................................149
In the WebUI .........................................................................................149
In the CLI ..............................................................................................150
Applying the Virtual AP ...............................................................................151
In the WebUI .........................................................................................151
In the CLI ..............................................................................................155
Creating a new SSID Profile........................................................................155
In the WebUI .........................................................................................155
In the CLI ..............................................................................................159
Configuring an SSID for Suite-B cryptography ....................................160
Guest WLAN ...............................................................................................160
Configuring the VLAN .................................................................................160
In the WebUI .........................................................................................160
In the CLI ..............................................................................................161
Configuring the Guest Role.........................................................................161
In the WebUI .........................................................................................161
In the CLI ..............................................................................................161
Configuring the Guest Virtual AP ................................................................161
In the WebUI .........................................................................................162
In the CLI ..............................................................................................162
Enable 802.11k Support .............................................................................162
In the WebUI .........................................................................................162
In the CLI ..............................................................................................164
Example Configuration................................................................................164
Configuring a High-Throughput Virtual AP ........................................................164
In the WebUI ...............................................................................................165
In the CLI.....................................................................................................168
Managing High-throughput Profiles............................................................169
Chapter 6
Adaptive Radio Management (ARM) ..................................................171
ARM Overview ...................................................................................................171
ARM Support for 802.11n ...........................................................................171
Monitoring Your Network with ARM ...........................................................172
Noise and Error Monitoring ..................................................................172
Application Awareness .........................................................................172
ARM Profiles ......................................................................................................172
Creating a New ARM Profile .......................................................................173
Copying an Existing Profile .........................................................................173
Deleting a Profile .........................................................................................174
Configuring ARM Settings...........................................................................174
In the WebUI .........................................................................................174
In the CLI ..............................................................................................178
Assigning an ARM Profile to an AP Group ........................................................179
In the WebUI ...............................................................................................179
In the CLI.....................................................................................................179
Multi-Band ARM and 802.11a/802.11g Traffic..................................................179
Band Steering ....................................................................................................180
Steering Modes ...........................................................................................180
Enabling Band Steering ..............................................................................181
In the WebUI .........................................................................................181
In the CLI ..............................................................................................181
Traffic Shaping ..................................................................................................181
Enabling Traffic Shaping .............................................................................182
In the WebUI .........................................................................................182
In the CLI ..............................................................................................182
Spectrum Load Balancing .................................................................................183
RX Sensitivity Tuning Based Channel Reuse ....................................................183
Non-802.11 Noise Interference Immunity..........................................................184
ARM Metrics ......................................................................................................184
ARM Troubleshooting........................................................................................185
Too many APs on the Same Channel .........................................................185
Wireless Clients Report a Low Signal Level................................................185
Transmission Power Levels Change Too Often ..........................................186
APs Detect Errors but Do Not Change Channels .......................................186
APs Don’t Change Channels Due to Channel Noise ..................................186
Chapter 7
Remote Access Points ........................................................................187
Overview ............................................................................................................187
Configuring the Secure Remote Access Point Service .....................................188
Configure a Public IP Address for the Controller ........................................189
Using the WebUI to create a DMZ address..........................................189
Using CLI ..............................................................................................189
Configure the VPN Server ...........................................................................189
Using the WebUI...................................................................................189
Using CLI ..............................................................................................190
CHAP Authentication Support over PPPoE ................................................190
Configure the Remote AP User Role...........................................................191
Using the WebUI...................................................................................191
Using CLI ..............................................................................................192
Configure VPN Authentication ....................................................................192
Using the WebUI...................................................................................192
Using CLI ..............................................................................................193
Configuring Internal Database for Authentication .......................................193
Using the WebUI...................................................................................193
Configure VPN authentication using the internal database..................195
Add the user to the internal database ..................................................195
Using CLI to configure the internal DB for a RAP user.........................195
Provision the AP..........................................................................................195
Creating a Remote AP Whitelist..................................................................196
Revoking an AP ....................................................................................197
Deploying a Branch Office/Home Office Solution .............................................197
Configuring the branch office AP ................................................................197
Troubleshooting Remote AP .......................................................................198
Local Debugging...................................................................................198
Remote AP Summary ...........................................................................198
Multihoming on remote AP (RAP) .........................................................200
Seamless failover from backup link to primary link on RAP.................200
Remote AP Connectivity.......................................................................201
Remote AP Diagnostics........................................................................201
Enabling Double Encryption ..............................................................................202
Using the WebUI...................................................................................202
Using CLI ..............................................................................................202
Advanced Configuration Options ......................................................................202
Understanding Remote AP Modes of Operation ........................................202
Fallback Mode.............................................................................................204
Backup Configuration Behavior for Wired Ports ..................................205
Configuring the fallback mode ....................................................................205
Using WebUI to configure the AAA profile ...........................................205
Using CLI ..............................................................................................206
Using the WebUI to configure virtual AP profile ...................................206
Using CLI ..............................................................................................207
Configuring the DHCP Server on the Remote AP.......................................207
Using the WebUI...................................................................................208
Using CLI ..............................................................................................208
Advanced Backup Configuration Options ..................................................209
Using the WebUI to configure the session ACL ...................................210
Using the WebUI to configure the AAA profile .....................................210
Using the WebUI to define the backup configuration ..........................211
Using the CLI to configure the session ACL.........................................212
Using the CLI to configure the AAA profile...........................................212
Using the CLI to define the backup configuration................................212
DNS Controller Setting................................................................................212
Specify the DNS name using the WebUI..............................................213
Backup Controller List ................................................................................213
Configuring the LMS and backup LMS IP addresses using WebUI.....214
Configuring the LMS and backup LMS IP addresses using CLI ..........214
Remote AP Failback....................................................................................214
Using the WebUI...................................................................................214
Using the CLI ........................................................................................215
RAP Local Network Access ........................................................................215
Using the WebUI...................................................................................215
Using CLI ..............................................................................................215
Remote AP Authorization Profiles ...............................................................216
Add or Edit a Remote AP Authorization Profile ....................................216
Access Control Lists and Firewall Policies .................................................216
Split Tunneling ............................................................................................216
Configuring Split Tunneling ..................................................................217
Configuring the Session ACL ......................................................................218
Using the WebUI...................................................................................218
Using the CLI ........................................................................................219
Configuring ACL for restricted LD homepage access ................................219
Using CLI ..............................................................................................220
Configuring the AAA Profile and the Virtual AP Profile ...............................220
Using the WebUI...................................................................................220
Using CLI ..............................................................................................221
Configuring split tunneling in the virtual AP profile...............................221
Using the CLI to configure split tunneling in the virtual AP profile .......221
Using the WebUI to list the corporate DNS servers .............................222
Using the CLI to list the corporate DNS servers...................................222
Wi-Fi Multimedia................................................................................................222
Uplink Bandwidth Reservation ..........................................................................222
Bandwidth Reservation for Uplink Voice Traffic ...................................223
Configuring Bandwidth Reservation ...........................................................223
Using the WebUI...................................................................................223
Using CLI ..............................................................................................223
Chapter 8
Secure Enterprise Mesh......................................................................225
Mesh Access Points ..........................................................................................225
Mesh Portals ...............................................................................................226
Mesh Points ................................................................................................226
Mesh Clusters .............................................................................................227
Mesh Links ........................................................................................................227
Link Metrics.................................................................................................228
Optimizing Links..........................................................................................229
Mesh Profiles .....................................................................................................229
Mesh Cluster Profile....................................................................................229
Mesh Radio Profile ......................................................................................230
RF Management (802.11a and 802.11g) Profiles........................................230
Adaptive Radio Management Profiles ..................................................230
High-Throughput Profiles .....................................................................231
Mesh High-Throughput SSID Profile...........................................................231
Wired AP Profile ..........................................................................................231
Mesh Recovery Profile ................................................................................231
Mesh Solutions ..................................................................................................232
Thin AP Services with Wireless Backhaul Deployment...............................232
Point-to-Point Deployment .........................................................................232
Point-to-Multipoint Deployment..................................................................233
High-Availability Deployment ......................................................................233
Before You Begin ..............................................................................................234
Pre-Deployment Considerations.................................................................234
Outdoor-Specific Deployment Considerations ...........................................234
Configuration Considerations .....................................................................235
Post-Deployment Considerations ...............................................................235
Dual-Port AP Considerations ......................................................................235
Mesh Radio Profiles...........................................................................................236
Managing Mesh Profiles In the WebUI........................................................236
Creating a New Profile..........................................................................236
Assigning a Profile to a Mesh AP or AP Group ....................................239
Editing a Profile.....................................................................................239
Deleting a Profile...................................................................................239
Managing Mesh Profiles In the CLI .............................................................239
Creating or Modifying a Profile .............................................................239
Viewing Profile Settings ........................................................................240
Assigning a Profile to an AP Group ......................................................240
Deleting a Mesh Radio Profile ..............................................................241
RF Management (802.11a and 802.11g) Profiles ..............................................241
Managing 802.11a/802.11g Profiles In the WebUI .....................................241
Creating a Profile ..................................................................................241
Assigning an 802.11a/802.11g Profile ..................................................245
Assigning a High-throughput Profile ....................................................246
Assigning an ARM Profile .....................................................................246
Editing an 802.11a/802.11g Profile ......................................................247
Deleting a Profile...................................................................................248
Managing 802.11a/802.11g Profiles In the CLI...........................................248
Creating or Modifying a Profile .............................................................248
Viewing RF Management Settings .......................................................249
Assigning an 802.11a/802.11g Profile ..................................................249
Deleting a Profile...................................................................................249
Mesh High-Throughput SSID Profiles ...............................................................249
Managing Profiles In the WebUI .................................................................249
Creating a Profile ..................................................................................249
Assigning a Profile to an AP Group ......................................................251
Editing a Profile.....................................................................................252
Deleting a Profile...................................................................................252
Managing Profiles In the CLI .......................................................................252
Creating or Modifying a Profile .............................................................252
Assigning a Profile to an AP Group ......................................................253
Viewing High-throughput SSID Settings ..............................................253
Deleting a Profile...................................................................................253
Mesh Cluster Profiles ........................................................................................253
Deployments with Multiple Mesh Cluster Profiles ......................................253
Managing Mesh Cluster Profiles In the WebUI ...........................................254
Creating a Profile ..................................................................................254
Associating a Profile to Mesh APs........................................................256
Editing a Profile.....................................................................................256
Deleting a Mesh Cluster Profile ............................................................257
Managing Mesh Cluster Profiles In the CLI.................................................257
Viewing Mesh Cluster Profile Settings..................................................257
Associating Mesh Cluster Profiles ........................................................258
Excluding a Mesh Cluster Profile from a Mesh Node...........................258
Deleting a Mesh Cluster Profile ............................................................258
Ethernet Ports for Mesh.....................................................................................258
Configure bridging on the Ethernet port .....................................................259
Configuring Ethernet Ports for Secure Jack Operation ..............................259
In the WebUI .........................................................................................260
In the CLI ..............................................................................................260
Extending the Life of a Mesh Network ........................................................260
In the WebUI .........................................................................................261
In the CLI ..............................................................................................261
Provisioning Mesh Nodes..................................................................................261
Outdoor AP Parameters ..............................................................................262
Provisioning Caveats ..................................................................................262
Provisioning Mesh Nodes ...........................................................................263
In the WebUI .........................................................................................263
In the CLI ..............................................................................................263
AP Boot Sequence ............................................................................................264
Mesh Portal .................................................................................................264
Mesh Point ..................................................................................................264
Air Monitoring and Mesh.............................................................................264
Verifying the Network ........................................................................................264
Verification Checklist ............................................................................265
CLI Examples........................................................................................265
Remote Mesh Portals ........................................................................................266
How RMP Works.........................................................................................266
Creating a Remote Mesh Portal In the WebUI ............................................267
Provisioning the AP ..............................................................................267
Defining the Mesh Private VLAN ..........................................................268
Selecting a Mesh Radio Profile.............................................................269
Selecting an RF Management Profile ...................................................269
Adding a Mesh Cluster Profile ..............................................................269
Configuring a DHCP Pool .....................................................................270
Configuring the VLAN ID of the Virtual AP Profile ................................270
Provisioning a Remote Mesh Portal In the CLI ...........................................271
Additional Information .................................................................................271
Chapter 9
Authentication Servers........................................................................273
Important Points to Remember .........................................................................273
Servers and Server Groups ...............................................................................273
Configuring Servers ...........................................................................................274
Configuring a RADIUS Server .....................................................................274
In the WebUI .........................................................................................275
In the CLI ..............................................................................................275
RADIUS Server Authentication Codes..................................................276
RADIUS Server Fully Qualified Domain Names ..........................................276
Set a DNS Query Interval ............................................................................276
In the WebUI .........................................................................................276
In the CLI ..............................................................................................276
Configuring an LDAP Server .......................................................................277
In the WebUI .........................................................................................277
In the CLI ..............................................................................................278
Configuring a TACACS+ Server ..................................................................278
In the WebUI .........................................................................................278
In the CLI ..............................................................................................278
Configuring a Windows Server....................................................................279
In the WebUI .........................................................................................279
In the CLI ..............................................................................................279
Internal Database...............................................................................................279
Configuring the Internal Database ..............................................................279
In the WebUI .........................................................................................280
In the CLI ..............................................................................................280
RAP Static Inner IP Address .......................................................................281
In the WebUI .........................................................................................281
In the CLI ..............................................................................................281
Managing Internal Database Files...............................................................282
Exporting files in the WebUI .................................................................282
Importing files in the WebUI .................................................................282
In the CLI ..............................................................................................282
Internal Database Utilities ...........................................................................282
Deleting All Users .................................................................................282
Repairing the Internal Database ...........................................................283
Server Groups ...................................................................................................283
Configuring Server Groups .........................................................................283
In the WebUI .........................................................................................283
In the CLI ..............................................................................................283
Configuring Server List Order and Fail-Through .........................................283
In the WebUI .........................................................................................284
In the CLI ..............................................................................................284
Configuring Dynamic Server Selection .......................................................284
In the WebUI .........................................................................................285
In the CLI ..............................................................................................286
Configuring Match FQDN Option................................................................286
In the WebUI .........................................................................................286
In the CLI ..............................................................................................286
Trimming Domain Information from Requests ............................................287
In the WebUI .........................................................................................287
In the CLI ..............................................................................................287
Configuring Server-Derivation Rules...........................................................287
In the WebUI .........................................................................................288
In the CLI ..............................................................................................289
Configuring a Role Derivation Rule for the Internal Database ....................289
In the WebUI .........................................................................................289
In the CLI ..............................................................................................289
Assigning Server Groups...................................................................................289
User Authentication.....................................................................................290
Management Authentication .......................................................................290
In the WebUI .........................................................................................290
In the CLI ..............................................................................................290
Accounting ..................................................................................................290
RADIUS Accounting .............................................................................290
In the WebUI .........................................................................................292
In the CLI ..............................................................................................292
TACACS+ Accounting.................................................................................292
Configuring Authentication Timers ....................................................................293
Setting an Authentication Timer..................................................................293
In the WebUI .........................................................................................293
In the CLI ..............................................................................................293
Chapter 10
802.1x Authentication ..........................................................................295
Overview of 802.1x Authentication....................................................................295
Supported EAP Types.................................................................................296
Authentication with a RADIUS Server .........................................................296
Authentication Terminated on Controller ....................................................297
Configuring 802.1x Authentication ....................................................................298
Using the WebUI...................................................................................299
Using the CLI ........................................................................................304
Configuring and Using Certificates with AAA FastConnect ........................304
Using the WebUI...................................................................................305
Using the CLI ........................................................................................305
Configuring User and Machine Authentication ...........................................305
Role Assignment with Machine Authentication Enabled ............................305
Example Configurations ....................................................................................307
Authentication with an 802.1x RADIUS Server ...........................................307
Configuring Roles and Policies ...................................................................308
Creating the student role and policy ....................................................308
Creating the faculty role and policy ......................................................309
Creating the guest role and policy........................................................310
Creating roles and policies for sysadmin and computer ......................311
Creating an alias for the internal network using CLI.............................312
Configuring the RADIUS Authentication Server..........................................312
Using the WebUI...................................................................................312
Using the CLI ........................................................................................313
Configure 802.1x Authentication.................................................................313
Using the WebUI...................................................................................313
Using the CLI ........................................................................................313
Configure VLANs.........................................................................................314
Using the WebUI...................................................................................314
Using the CLI ........................................................................................314
Configuring the WLANs...............................................................................315
Configuring the Guest WLAN......................................................................315
Using the WebUI...................................................................................315
Using the CLI ........................................................................................316
Configuring the Non-Guest WLANs ............................................................316
Using the WebUI...................................................................................316
Using the CLI ........................................................................................317
Authentication with the Controller’s Internal Database...............................317
Configuring the Internal Database ..............................................................317
Using the WebUI...................................................................................317
Using the CLI ........................................................................................318
Configuring a server rule using the WebUI...........................................318
Configuring a server rule using the CLI ................................................318
Configure 802.1x Authentication.................................................................318
Using the WebUI...................................................................................318
Using the CLI ........................................................................................319
Configure VLANs.........................................................................................319
Using the WebUI...................................................................................319
Using the CLI ........................................................................................320
Configuring the WLANs...............................................................................320
Configuring the Guest WLAN......................................................................320
Using the WebUI...................................................................................320
Using the CLI ........................................................................................321
Configuring the Non-Guest WLANs ............................................................321
Using the WebUI...................................................................................321
Using the CLI ........................................................................................322
Mixed Authentication Modes ......................................................................323
Using the CLI ........................................................................................323
Advanced Configuration Options for 802.1x .....................................................323
Configuring reauthentication with Unicast Key Rotation ............................323
Using the WebUI...................................................................................324
Using the CLI ........................................................................................324
Chapter 11
Certificate Revocation.........................................................................325
About OCSP and CRL .......................................................................................325
Controller as OCSP and CRL Clients..........................................................325
Configuring the Controller as an OCSP Client ..................................................326
In the WebUI ...............................................................................................326
In the CLI.....................................................................................................327
Configuring the Controller as a CRL Client .......................................................328
In the WebUI ...............................................................................................328
In the CLI.....................................................................................................328
Configuring the Controller as a OCSP Responder ............................................328
In the WebUI ...............................................................................................328
In the CLI.....................................................................................................329
Chapter 12
Roles and Policies ...............................................................................331
Policies ..............................................................................................................331
Access Control Lists (ACLs)........................................................................332
Creating a Firewall Policy............................................................................332
In the WebUI .........................................................................................334
In the CLI ..............................................................................................334
Creating a Network Service Alias................................................................334
In the WebUI .........................................................................................334
In the CLI ..............................................................................................335
Creating an ACL White List .........................................................................335
Configuring a White List Bandwidth Contract in the WebUI ................335
Configuring the ACL White List in the WebUI ......................................336
Configuring the White List Bandwidth Contract in the CLI...................336
Configuring the ACL White List in the CLI ............................................336
User Roles .........................................................................................................336
Creating a User Role ...................................................................................337
In the WebUI .........................................................................................337
In the CLI ..............................................................................................338
Bandwidth Contracts ..................................................................................338
Configuring a Bandwidth Contract in the WebUI .................................339
Assigning a Bandwidth Contract to a User Role in the WebUI ............339
Configuring and Assigning Bandwidth Contracts in the CLI ................339
Bandwidth Contract Exceptions .................................................................339
Viewing the Current Exceptions List.....................................................340
Configuring Bandwidth Contract Exceptions .......................................340
User Role Assignments .....................................................................................340
User Role in AAA Profile..............................................................................340
In the WebUI .........................................................................................341
In the CLI ..............................................................................................341
User-Derived Roles or VLANs.....................................................................341
Device Identification .............................................................................342
Configuring a User-derived Role or VLAN in the WebUI ......................343
Configure a User-derived Role or VLAN in the CLI ..............................343
User-Derived Role Example .................................................................343
Default Role for Authentication Method......................................................344
In the WebUI .........................................................................................344
In the CLI ..............................................................................................345
Server-Derived Role ....................................................................................345
VSA-Derived Role .......................................................................................345
Global Firewall Parameters................................................................................345
Chapter 13
Dashboard Monitoring ........................................................................351
Performance ......................................................................................................351
Clients ........................................................................................................351
APs..............................................................................................................351
Using Dashboard Histograms .....................................................................352
Usage ................................................................................................................352
Clients ........................................................................................................352
APs..............................................................................................................352
Security..............................................................................................................353
Potential Issues................................................................................................353
WLANs ..............................................................................................................353
Access Points ..................................................................................................354
Clients ...............................................................................................................354
Chapter 14
Stateful and WISPr Authentication.....................................................357
Stateful Authentication Overview ......................................................................357
WISPr Authentication Overview.........................................................................357
Important Points to Remember .........................................................................358
Configuring Stateful 802.1x Authentication.......................................................358
In the WebUI ...............................................................................................358
In the CLI.....................................................................................................359
Configuring Stateful NTLM Authentication........................................................359
In the WebUI ...............................................................................................359
In the CLI.....................................................................................................360
Configuring WISPr Authentication.....................................................................360
In the WebUI ...............................................................................................360
In the CLI.....................................................................................................361
Chapter 15
Captive Portal.......................................................................................363
Captive Portal Overview ....................................................................................363
Policy Enforcement Firewall Next Generation (PEFNG) License ................363
Controller Server Certificate........................................................................364
Captive Portal in the Base ArubaOS .................................................................364
Configuring Captive Portal via the WebUI ..................................................365
Configuring Captive Portal via the CLI........................................................366
Captive Portal with the PEFNG License ............................................................366
Configuring Captive Portal via the WebUI ..................................................368
Configuring Captive Portal via the CLI........................................................369
Example Authentication with Captive Portal .....................................................369
Creating a Guest-logon User Role ..............................................................370
Creating an Auth-guest User Role ..............................................................370
Configuring Policies and Roles in the WebUI .............................................370
Time Range...........................................................................................370
Aliases ..................................................................................................371
Auth-Guest-Access Policy....................................................................372
Block-Internal-Access Policy................................................................373
Drop-and-Log Policy ............................................................................373
Guest-logon Role..................................................................................373
Guest-Logon Role ................................................................................374
Configuring Policies and Roles in the CLI...................................................374
Time Range...........................................................................................374
Aliases ..................................................................................................375
Guest-Logon-Access Policy.................................................................375
Auth-Guest-Access Policy....................................................................375
Block-Internal-Access Policy................................................................375
Drop-and-Log Policy ............................................................................375
Guest-Logon Role ................................................................................375
Auth-Guest Role ...................................................................................375
Configuring Guest VLANs..................................................................................376
In the WebUI ...............................................................................................376
In the CLI.....................................................................................................376
Captive Portal Authentication............................................................................376
Modifying the Initial User Role ....................................................................377
Configuring the AAA Profile ........................................................................377
Configuring the WLAN ................................................................................378
User Account Administration ......................................................................379
Captive Portal Configuration Parameters ...................................................379
Optional Captive Portal Configurations .............................................................381
Per-SSID Captive Portal Page ....................................................................381
Changing the Protocol to HTTP ..................................................................381
Proxy Server Redirect .................................................................................382
Redirecting Clients on Different VLANs ......................................................383
Web Client Configuration with Proxy Script................................................384
Personalizing the Captive Portal Page ..............................................................384
Creating Walled Garden Access........................................................................386
Creating Walled Garden Access .................................................................386
Using the WebUI to create Walled Garden access ..............................387
Using the CLI to create walled garden access.....................................387
Chapter 16
Advanced Security...............................................................................389
Securing Client Traffic .......................................................................................390
Securing Wireless Clients ...........................................................................390
In the WebUI .........................................................................................391
In the CLI ..............................................................................................391
Securing Wired Clients................................................................................392
In the WebUI .........................................................................................392
In the CLI ..............................................................................................393
Securing Wireless Clients Through Non-Aruba APs ...................................393
In the WebUI .........................................................................................394
In the CLI ..............................................................................................394
Securing Clients on an AP Wired Port ........................................................394
In the WebUI .........................................................................................395
In the CLI ..............................................................................................396
Securing Controller-to-Controller Communication............................................396
Configuring Controllers for xSec.................................................................396
In the WebUI .........................................................................................397
In the CLI ..............................................................................................397
Configuring the Odyssey Client on Client Machines .........................................397
Installing the Odyssey Client.......................................................................397
Chapter 17
Virtual Private Networks .....................................................................401
Planning a VPN Configuration ...........................................................................401
Selecting an IKE protocol............................................................................402
Suite-B Encryption Licensing......................................................................402
IKEv2 Clients ...............................................................................................403
Supported VPN AAA Deployments .............................................................403
Certificate Groups .......................................................................................404
VPN Authentication Profiles...............................................................................404
Configuring a Basic VPN for L2TP/IPsec ..........................................................405
In the WebUI ...............................................................................................405
Define Authentication Method and Server Addresses..........................405
Define Address Pools ...........................................................................406
Enable Source NAT ..............................................................................406
Select Certificates.................................................................................406
Define IKEv1 Shared Keys....................................................................407
Configure IKE Policies ..........................................................................407
Set the IPsec Dynamic Map .................................................................408
Finalize your WebUI changes ...............................................................408
Configuring a VPN for L2TP/IPsec with IKEv2 ..................................................409
In the WebUI ...............................................................................................409
Define Authentication Method and Server Addresses..........................410
Define Address Pools ...........................................................................410
Enable Source NAT ..............................................................................410
Select Certificates.................................................................................410
Configure IKE Policies ..........................................................................411
Set the IPsec Dynamic Map .................................................................412
Finalize your WebUI changes ...............................................................412
Configuring a VPN for Smart Card Clients ........................................................413
Smart Card clients using IKEv2 ..................................................................414
Smart Card Clients using IKEv1..................................................................414
Configuring a VPN for Clients with User Passwords.........................................414
In the WebUI ...............................................................................................415
In the CLI.....................................................................................................415
Configuring Remote Access VPNs for XAuth ....................................................416
Configuring VPNs for XAuth Clients using Smart Cards.............................416
Configuring a VPN for XAuth Clients Using a Username/Password...........417
Remote Access VPNs for PPTP ........................................................................418
In the WebUI ...............................................................................................418
In the CLI.....................................................................................................418
Site-to-Site VPNs ..............................................................................................418
Third-Party Devices.....................................................................................419
Site-to-Site VPNs with Dynamic IP Addresses ...........................................419
VPN Topologies ..........................................................................................419
Configuring Site-to-Site VPNs ....................................................................420
In the WebUI .........................................................................................420
In the CLI ..............................................................................................421
Dead Peer Detection ...................................................................................423
Default IKE policies .....................................................................................423
VPN Dialer .........................................................................................................424
Configuring the VPN Dialer .........................................................................424
In the WebUI .........................................................................................424
In the CLI ..............................................................................................425
Assigning a Dialer to a User Role................................................................425
In the WebUI .........................................................................................425
In the CLI ..............................................................................................425
Chapter 18
Virtual Intranet Access ........................................................................427
VIA Connection Manager...................................................................................427
How it Works...............................................................................................427
Installing the VIA Connection Manager.......................................................428
On Microsoft Windows Computers ......................................................428
On Apple MacBooks.............................................................................428
Upgrade Workflow ......................................................................................429
Minimal Upgrade ..................................................................................429
Complete Upgrade ...............................................................................429
VIA Compatibility.........................................................................................429
Configuring the VIA Controller...........................................................................430
Before you Begin.........................................................................................430
Supported Authentication Mechanisms......................................................430
Authentication mechanisms supported in VIA 1.x................................430
Suite B Cryptography Support....................................................................431
Configuring VIA Settings .............................................................................431
Using WebUI to Configure VIA....................................................................432
Enable VPN Server Module ..................................................................432
Create VIA User Roles ..........................................................................432
Create VIA Authentication Profile .........................................................432
Create VIA Connection Profile ..............................................................433
Configure VIA Web Authentication .......................................................436
Associate VIA Connection Profile to User Role ....................................437
Configure VIA Client WLAN Profiles .....................................................437
Re-branding VIA and Downloading the Installer...................................440
Using CLI to Configure VIA .........................................................................441
Create VIA roles ....................................................................................441
Create VIA authentication profiles ........................................................441
Create VIA connection profiles .............................................................441
Configure VIA web authentication ........................................................441
Associate VIA connection profile to user role.......................................441
Configure VIA client WLAN profiles ......................................................442
Customize VIA logo, landing page and downloading installer .............442
Chapter 19
MAC-based Authentication.................................................................443
Configuring MAC-Based Authentication ...........................................................443
Configuring the MAC Authentication Profile ...............................................443
Using the WebUI to configure a MAC authentication profile................444
Using the CLI to configure a MAC authentication profile .....................444
Configuring Clients ............................................................................................444
Using the WebUI to configure clients in the internal database...................444
Using the CLI to configure clients in the internal database ........................445
Chapter 20
Control Plane Security ........................................................................447
Control Plane Security Overview .......................................................................447
Configuring Control Plane Security ...................................................................448
In the WebUI .........................................................................................448
In the CLI ..............................................................................................449
Managing the Campus AP Whitelist ...........................................................449
Viewing Entries in the Campus AP Whitelist.........................................450
Modifying an AP in the Campus AP Whitelist.......................................452
Revoking an AP via the Campus AP Whitelist......................................453
Deleting an AP Entry from the Campus AP Whitelist ...........................453
Purging the Campus AP Whitelist ........................................................454
Whitelists on Master and Local Controllers.......................................................454
Campus AP Whitelist Synchronization........................................................455
Viewing and Managing the Master or Local Switch Whitelists ...................455
Viewing the Master or Local Switch Whitelist.......................................455
Deleting an Entry from the Master or Local Switch Whitelist ...............456
Purging the Master or Local Switch Whitelist.......................................457
Environments with Multiple Master Controllers.................................................457
Configuring Networks with a Backup Master Controller.............................457
Configuring Networks with Clusters of Master Controllers.........................458
Creating a Cluster Root ........................................................................458
Creating a Cluster Member ..................................................................459
Viewing Controller Cluster Settings ......................................................460
Replacing a Controller on a Multi-Controller Network ......................................460
Replacing Controllers in a Single Master Network .....................................460
Replacing a Local Controller ................................................................461
Replacing a Master Controller (With No Backup).................................461
Replacing a Redundant Master Controller ...........................................462
Replacing Controllers in a Multi-Master Network .......................................462
Replacing a Local Controller in a Multi-Master Network......................462
Replacing a Cluster Member Controller (With no Backup)...................462
Replacing a Redundant Cluster Member Controller.............................463
Replacing a Cluster Root Controller with no Backup Controller ..........463
Replacing a Redundant Cluster Root Controller ..................................464
Configuring Control Plane Security after Upgrading .........................................464
Troubleshooting Control Plane Security............................................................465
Certificate Problems....................................................................................465
Verifying Certificates ...................................................................................466
Disabling Control Plane Security.................................................................466
Verify Whitelist Synchronization..................................................................466
Supported APs............................................................................................467
Rogue APs ..................................................................................................467
Chapter 21
Adding Local Controllers ....................................................................469
Moving to a Multi-Controller Environment.........................................................469
Configuring a Preshared Key ......................................................................470
Using the WebUI to configure a Local Controller PSK.........................470
Using the WebUI to configure a Master Controller PSK ......................470
Using the CLI to configure a PSK.........................................................471
Configuring a Controller Certificate.............................................................471
Using the CLI to configure a Local Controller Certificate.....................471
Using the CLI to configure the Master Controller Certificate ...............471
Configuring Local Controllers............................................................................471
Configuring the Local Controller .................................................................472
Using the Initial Setup...........................................................................472
Using the Web UI..................................................................................472
Using the CLI ........................................................................................472
Configuring Layer-2/Layer-3 Settings.........................................................472
Configuring Trusted Ports ...........................................................................473
Configuring Local Controller Settings .........................................................473
Configuring APs ..........................................................................................473
Using the WebUI to configure the LMS IP............................................473
Using the CLI to configure the LMS IP .................................................474
Chapter 22
Remote Nodes .....................................................................................475
Creating Remote Node Profiles.........................................................................475
Adding a New Remote Node Profile ...........................................................476
Defining Remote Node Address Pools .......................................................478
OSPF and Static Routes .............................................................................478
Configuration Examples ..............................................................................479
Create a remote node profile................................................................479
Define VLANs for a remote node profile and assign a wired aaa profile to each VLAN ............................................................................479
Identify the RN interfaces to be used as access ports for each VLAN ..479
Configure each VLAN interface with an internal IP address.................480
Manage and configure the uplink network connection ........................480
Configure the uplink network connection and define a static IPsec route map.......................................................................................480
Configure user roles and passwords for administrative users .............480
Define the server used for name and address resolution.....................480
Define the OSPF settings for the upstream router ...............................480
(Optional) Define SNMP settings ..........................................................481
Specify that the RN use its internal database to authenticate clients ..481
Define NAT settings and identify the interface for outgoing RADIUS packets .................................................................................481
Define DHCP pools for a RN tunnel .....................................................481
Define RN DHCP pools for each VLAN ................................................481
Configuring the Remote Node Whitelist ............................................................483
Adding an RN to the whitelist .....................................................................483
Viewing Remote Node Whitelist Settings....................................................483
Installing the Remote Node at the Remote Site ................................................484
Monitoring and Managing Remote Nodes ........................................................484
Editing a Remote Node Configuration ........................................................485
Monitoring a Remote Node.........................................................................485
In the WebUI .........................................................................................485
In the CLI ..............................................................................................485
RN Troubleshooting ....................................................................................486
Chapter 23
WIP Advanced Features ......................................................................487
TotalWatch ........................................................................................................487
Channel Types and Qualifiers .....................................................................487
Monitoring ...................................................................................................488
Scanning Spectrum.....................................................................................488
Channel Dwell Time ....................................................................................488
Channel Visiting ..........................................................................................489
Age out of Devices ......................................................................................489
TotalWatch Administration ................................................................................489
Configuring Per Radio Settings...................................................................489
Configuring Per AP Setting .........................................................................490
Licensing .....................................................................................................491
Tarpit Shielding..................................................................................................491
Tarpit Shielding Administration..........................................................................491
Configuring Tarpit Shielding........................................................................492
Licensing .....................................................................................................492
Chapter 24
IP Mobility.............................................................................................493
Aruba Mobility Architecture ...............................................................................493
Configuring Mobility Domains ...........................................................................494
Configuring a Mobility Domain....................................................................495
Using the WebUI...................................................................................495
Using the CLI ........................................................................................496
Joining a Mobility Domain...........................................................................496
In the WebUI .........................................................................................496
In the CLI ..............................................................................................496
Example Configuration................................................................................496
Configuring Mobility using the WebUI ..................................................497
Configuring Mobility using the CLI..............................................................498
Tracking Mobile Users.......................................................................................498
Mobile Client Roaming Status ....................................................................498
Viewing mobile client status using the WebUI......................................498
Viewing mobile client status using the CLI ...........................................499
Viewing user roaming status using the CLI ..........................................499
Viewing specific client information using the CLI .................................500
Mobile Client Roaming Locations ...............................................................500
In the WebUI .........................................................................................500
In the CLI ..............................................................................................500
HA Discovery on Association......................................................................500
Setting up mobility association using CLI ............................................500
Advanced Mobility Functions ............................................................................500
Configuring advanced mobility functions using the WebUI .................500
Configuring mobility functions using CLI..............................................503
Proxy Mobile IP ...........................................................................................503
Proxy DHCP ................................................................................................503
Revocations ................................................................................................504
Bridge Mode Mobility ........................................................................................504
Mobility Multicast ..............................................................................................506
Proxy IGMP and Proxy Remote Subscription.............................................506
Inter-controller Mobility ...............................................................................506
Configuring Mobility Multicast Using the WebUI..................................507
Configuring Mobility Multicast Using the CLI .......................................508
Example ................................................................................................508
Chapter 25
VRRP .....................................................................................................509
Redundancy Parameters ...................................................................................509
Configuring the Local Controller for Redundancy ......................................510
In the WebUI .........................................................................................511
In the CLI ..............................................................................................511
Configuring the LMS IP ...............................................................................511
In the WebUI .........................................................................................511
In the CLI ..............................................................................................511
Configuring the Master Controller for Redundancy ....................................512
Configuring Database Synchronization.......................................................513
In the WebUI .........................................................................................513
In the CLI ..............................................................................................514
Incremental Configuration Synchronization ................................................514
In the CLI ..............................................................................................514
Configuring Master-Local Controller Redundancy .....................................514
Chapter 26
RSTP .....................................................................................................517
Migration and Interoperability............................................................................517
Rapid Convergence ...........................................................................................517
Edge Port and Point-to-Point......................................................................518
Configuring RSTP ..............................................................................................519
In the WebUI ...............................................................................................519
In the CLI.....................................................................................................520
Monitoring RSTP .........................................................................................520
Troubleshooting.................................................................................................520
Chapter 27
PVST+....................................................................................................523
Interoperability and Best Practices....................................................................523
Configure using the CLI.....................................................................................523
Configure using the WebUI ...............................................................................524
Chapter 28
600 Series Controller ...........................................................................525
Important Points to Remember .........................................................................525
Internal Access Point (AP) .................................................................................526
USB Cellular Modems .......................................................................................526
Functional Description ................................................................................526
Mode-Switching ..........................................................................................526
USB Modems Commands ..........................................................................526
Uplink Manager ..........................................................................................527
Cellular Profile .............................................................................................528
Dialer Group ................................................................................................529
Configuring a Supported USB Modem .............................................................530
Configuring a New USB Modem .......................................................................531
Configuring the Profile and Modem Driver..................................................531
Configuring the TTY Port ............................................................................533
Testing the TTY Port ...................................................................................534
Selecting the Dialer Profile ..........................................................................534
Linux Support..............................................................................................535
NAS (Network-Attached Storage)......................................................................535
NAS Device Setup.......................................................................................535
Configuring in the CLI .................................................................................536
Managing NAS Devices ..............................................................................537
Mounting and Unmounting Devices ...........................................................537
Print Server ........................................................................................................538
Printer Setup Using the CLI ........................................................................538
Additional Commands for Managing Printers .............................................539
Sample Topology and Configuration.................................................................540
Remote Branch 1—651 Controller..............................................................540
Remote Branch 2—650 Controller..............................................................541
3200 Central Office Controller—Active .......................................................542
3200 Central Office Controller—Backup.....................................................544
Upgrading and Migrating...................................................................................545
Chapter 29
OSPFv2 .................................................................................................547
Important Points to Remember .........................................................................547
WLAN Scenario .................................................................................................547
WLAN Topology ..........................................................................................548
WLAN Routing Table...................................................................................548
Branch Office Scenario......................................................................................549
Branch Office Topology ..............................................................................549
Branch Office Routing Table .......................................................................550
Configuring OSPF..............................................................................................551
Deployment Best Practices ...............................................................................552
Sample Topology and Configuration.................................................................553
Remote Branch 1 ........................................................................................553
Remote Branch 2 ........................................................................................554
3200 Central Office Controller—Active .......................................................555
3200 Central Office Controller—Backup.....................................................557
Chapter 30
Wireless Intrusion Prevention.............................................................559
Reusable Wizard................................................................................................559
Wizard Intrusion Detection..........................................................................560
Wizard Intrusion Protection.........................................................................561
Protection for Infrastructure .................................................................561
Protection for Clients ............................................................................561
Monitoring Dashboard.......................................................................................562
Rogue AP Detection ..........................................................................................563
Classification Terminology ..........................................................................563
Classification Methodology.........................................................................564
Match Methods.....................................................................................564
Match Types .........................................................................................564
Suspected Rogue Confidence Level ....................................................565
AP Classification Rules ...............................................................................565
SSID specification ................................................................................565
SNR specification .................................................................................565
Discovered-AP-Count specification .....................................................566
Example Rules ......................................................................................566
Rule Matching .............................................................................................566
Intrusion Detection ............................................................................................566
Infrastructure Intrusion Detection ...............................................................566
Detect 802.11n 40MHz Intolerance Setting..........................................569
Detect Active 802.11n Greenfield Mode...............................................569
Detect Ad hoc Networks ......................................................................570
Detect Ad hoc Network Using Valid SSID ............................................570
Detect AP Flood Attack ........................................................................570
Detect AP Impersonation......................................................................570
Detect AP Spoofing ..............................................................................570
Detect Bad WEP ...................................................................................570
Detect Beacon Wrong Channel ............................................................570
Detect Client Flood Attack....................................................................570
Detect CTS Rate Anomaly....................................................................570
Detect RTS Rate Anomaly ....................................................................570
Detect Devices with an Invalid MAC OUI .............................................571
Detect Invalid Address Combination ....................................................571
Detect Overflow EAPOL Key ................................................................571
Detect Overflow IE................................................................................571
Detect Malformed Frame-Assoc Request ............................................571
Detect Malformed Frame-Auth .............................................................571
Detect Malformed Frame-HT IE............................................................571
Detect Malformed Frame-Large Duration.............................................571
Detect Misconfigured AP......................................................................572
Detect Windows Bridge........................................................................572
Detect Wireless Bridge .........................................................................572
Detect Broadcast Deauthentication .....................................................572
Detect Broadcast Disassociation .........................................................572
Detect Netstumbler...............................................................................572
Detect Valid SSID Misuse.....................................................................572
Detect Wellenreiter ...............................................................................572
Client Intrusion Detection............................................................................572
Detect Block ACK DoS .........................................................................574
Detect ChopChop Attack .....................................................................575
Detect Disconnect Station Attack ........................................................575
Detect EAP Rate Anomaly ....................................................................575
Detect FATA-Jack Attack Structure .....................................................575
Detect Hotspotter Attack......................................................................575
Detect Meiners Power Save DoS Attack ..............................................575
Detect Omerta Attack ...........................................................................575
Detect Rate Anomalies .........................................................................575
Detect TKIP Replay Attack ...................................................................576
Detect Unencrypted Valid Clients.........................................................576
Detect Valid Client Misassociation .......................................................576
Detect AirJack ......................................................................................576
Detect ASLEAP.....................................................................................576
Detect Null Probe Response ................................................................576
Intrusion Protection ...........................................................................................576
Infrastructure Intrusion Protection ..............................................................577
Protect 40MHz 802.11 High Throughput Devices................................577
Protect 802.11n High Throughput Devices ..........................................577
Protect from Adhoc Networks ..............................................................578
Protect From AP Impersonation ...........................................................578
Protect Misconfigured AP.....................................................................578
Protect SSID .........................................................................................578
Rogue Containment..............................................................................578
Suspected Rogue Containment ...........................................................578
Client Intrusion Protection...........................................................................578
Protect Valid Stations ...........................................................................578
Protect Windows Bridge.......................................................................578
WLAN Management System .............................................................................579
Configuring WMS via the WebUI ................................................................579
Configuring WMS via the CLI......................................................................580
Configuring Local WMS Settings .........................................................580
Managing the WMS Database..............................................................580
Client Blacklisting ..............................................................................................580
Methods of Blacklisting...............................................................................581
Manual Blacklisting .....................................................................................581
Authentication Failure Blacklisting ..............................................................581
Attack Blacklisting.......................................................................................582
Blacklist Duration ........................................................................................583
Removing a Client from Blacklisting ...........................................................583
Chapter 31
Link Aggregation Control Protocol ....................................................585
Important Points to Remember .........................................................................585
Configuring LACP ..............................................................................................585
In the CLI.....................................................................................................585
In the WebUI ...............................................................................................587
Best Practices ...................................................................................................587
Sample Configuration ........................................................................................588
Chapter 32
Automatic Reporting ...........................................................................589
SMTP Requirements..........................................................................................589
Configuring Weekly Automatic Reporting .........................................................589
In the WebUI ...............................................................................................589
In the CLI.....................................................................................................590
Generating and Sending an Individual Report...................................................590
In the WebUI ...............................................................................................591
In the CLI.....................................................................................................591
Viewing Report Status .......................................................................................591
In the WebUI ...............................................................................................591
In the CLI.....................................................................................................591
Chapter 33
Management Access...........................................................................593
Certificate Authentication for WebUI Access ....................................................593
Configuring Certificate Authentication for WebUI Access ..........................593
In the WebUI .........................................................................................593
In the CLI ..............................................................................................594
Public Key Authentication for SSH Access .......................................................594
In the WebUI .........................................................................................594
In the CLI ..............................................................................................595
Radius Server Authentication ............................................................................595
Radius Server Username/Password Authentication ...................................595
In the WebUI .........................................................................................595
In the CLI ..............................................................................................595
RADIUS Server Authentication with VSA ....................................................596
RADIUS Server Authentication with Server-Derivation Rule.......................596
Configuring a Value-of Server-derivation Rule in the WebUI ...............596
In the CLI ..............................................................................................597
Configuring a set-value server-derivation rule in the WebUI................597
In the CLI ..............................................................................................598
Disabling Authentication of Local Management User Accounts.................598
In the WebUI .........................................................................................598
In the CLI ..............................................................................................598
Verifying the configuration ..........................................................................598
Resetting the Admin or Enable Password ..................................................598
Bypassing the Enable Password Prompt....................................................599
Setting an Administrator Session Timeout..................................................600
Setting a CLI Session Timeout .............................................................600
Setting a WebUI Session Timeout........................................................600
Management Password Policy ..........................................................................600
Defining a Management Password Policy ..................................................600
In the WebUI .........................................................................................600
Management Authentication Profile Parameters ........................................602
Managing Certificates........................................................................................603
About Digital Certificates ............................................................................603
Obtaining a Server Certificate .....................................................................604
In the WebUI .........................................................................................604
In the CLI ..............................................................................................605
Obtaining a Client Certificate ......................................................................605
Importing Certificates..................................................................................605
In the WebUI .........................................................................................605
In the CLI ..............................................................................................606
Viewing Certificate Information ...................................................................606
Imported Certificate Locations....................................................................606
Checking CRLs ...........................................................................................606
Configuring SNMP.............................................................................................607
SNMP Parameters for the Controller ..........................................................607
In the WebUI .........................................................................................608
In the CLI ..............................................................................................608
Configuring Logging ..........................................................................................609
In the WebUI .........................................................................................610
In the CLI ..............................................................................................610
Guest Provisioning ............................................................................................611
Configuring the Guest Provisioning Page ...................................................611
In the WebUI .........................................................................................611
Configuring the SMTP Server and Port in the WebUI ..........................614
Configuring an SMTP server and port in the CLI..................................614
Creating Email Messages in the WebUI ...............................................614
Configuring a Guest Provisioning User .......................................................615
In the WebUI .........................................................................................616
In the CLI ..............................................................................................617
Customizing the Guest Access Pass....................................................617
Creating Guest Accounts ............................................................................618
Guest Provisioning User Tasks.............................................................618
Importing Multiple Guest Entries ..........................................................619
Optional Configurations ..............................................................................623
Restricting one Captive Portal Session for each Guest .......................624
Setting the Maximum Time for Guest Accounts...................................624
Managing Files on the Controller.......................................................................624
Transferring ArubaOS Image Files ..............................................................625
In the WebUI .........................................................................................625
In the CLI ..............................................................................................626
Backing Up and Restoring the Flash File System.......................................626
Backup the flash file system in the WebUI ...........................................626
Backup the flash file system in the CLI ................................................626
Restore the flash file system in the WebUI...........................................626
Restore the flash file system using CLI ................................................626
Copying Log Files .......................................................................................626
In the WebUI .........................................................................................626
In the CLI ..............................................................................................627
Copying Other Files ....................................................................................627
In the WebUI .........................................................................................627
In the CLI ..............................................................................................627
Setting the System Clock ..................................................................................627
Manually Setting the Clock .........................................................................627
In the WebUI .........................................................................................627
In the CLI ..............................................................................................628
Clock Synchronization ................................................................................628
In the WebUI .........................................................................................628
In the CLI ..............................................................................................628
Configuring NTP Authentication .................................................................628
In the WebUI .........................................................................................628
In the CLI ..............................................................................................629
Chapter 34
Spectrum Analysis ...............................................................................631
Overview ............................................................................................................631
Spectrum Analysis Clients ..........................................................................634
Hybrid AP Channel Changes ......................................................................635
Hybrid APs Using Mode-Aware ARM .........................................................635
Creating Spectrum Monitors and Hybrid APs ...................................................635
Converting APs to Hybrid APs ....................................................................635
In the WebUI .........................................................................................636
In the CLI ..............................................................................................636
Converting an Individual AP to a Spectrum Monitor...................................636
In the WebUI .........................................................................................637
In the CLI ..............................................................................................637
Converting a Group of APs to Spectrum Monitors .....................................637
In the WebUI .........................................................................................638
In the CLI ..............................................................................................638
Configuring the Spectrum Profile................................................................638
In the WebUI .........................................................................................638
In the CLI ..............................................................................................639
Connecting Spectrum Devices to the Spectrum Analysis Client ......................640
View Connected Spectrum Analysis Devices .............................................641
Disconnecting a Spectrum Device..............................................................642
Configuring the Spectrum Analysis Dashboards...............................................642
Selecting a Spectrum Monitor ....................................................................643
Changing Graphs within a Spectrum View .................................................643
Renaming a Spectrum Analysis Dashboard View.......................................644
Saving a Dashboard View ...........................................................................645
Resizing an Individual Graph ......................................................................645
Customizing Spectrum Analysis Graphs ...........................................................646
Spectrum Analysis Graph Configuration Options .......................................646
Active Devices ......................................................................................646
Active Devices Table ............................................................................648
Active Devices Trend ............................................................................650
Channel Metrics....................................................................................652
Channel Metrics Trend .........................................................................653
Channel Summary Table ......................................................................655
Device Duty Cycle ................................................................................656
Channel Utilization Trend .....................................................................658
Devices vs Channel ..............................................................................659
FFT Duty Cycle .....................................................................................661
Interference Power ...............................................................................663
Quality Spectrogram.............................................................................664
Real-Time FFT ......................................................................................666
Swept Spectrogram..............................................................................667
Recording Spectrum Analysis Data...................................................................670
Creating a Spectrum Analysis Record ........................................................670
Saving the Recording..................................................................................671
Playing a Spectrum Analysis Recording .....................................................671
Non-Wi-Fi Interferers .........................................................................................672
Spectrum Analysis Session Log ........................................................................674
Viewing Spectrum Analysis Data via the CLI.....................................................674
Spectrum Analysis Troubleshooting Tips ..........................................................675
Spectrum Monitors support One Client per Radio .....................................675
Converting a Spectrum Monitor back to an AP or Air Monitor ...................675
Browser Issues............................................................................................675
Loading a Spectrum View ...........................................................................675
Issues with Adobe Flash Player 10.1 ..........................................................676
Spectrum Analysis Syslog Messages .........................................................676
Chapter 35
Software Licenses ...............................................................................677
Terminology .......................................................................................................677
Licenses.............................................................................................................678
License Types .............................................................................................678
Multi-Controller Network ...................................................................................679
License Usage ...................................................................................................679
Interaction..........................................................................................................680
Best Practices ...................................................................................................681
Installing a License ............................................................................................681
Enabling a new license on your controller ..................................................681
Software License Email...............................................................................682
Locating the System Serial Number ...........................................................682
Obtaining a Software License Key ..............................................................682
Creating a software license key............................................................683
Applying the Software License Key in the WebUI.......................................683
Applying the Software License Key in the License Wizard .........................683
Deleting a License .............................................................................................683
Moving Licenses................................................................................................684
Resetting the Controller.....................................................................................684
Chapter 36
IPv6 Support.........................................................................................685
About IPv6 .........................................................................................................685
IPv6 Topology....................................................................................................685
IPv6 Support for Controller and AP ...................................................................686
Configure IPv6 Interface Address ...............................................................688
Using WebUI.........................................................................................688
Using CLI ..............................................................................................689
Configure IPv6 Static Neighbor...................................................................689
Using WebUI.........................................................................................689
Using CLI ..............................................................................................689
Configure IPv6 Default Gateway and Static IPv6 Routes ...........................689
Using WebUI.........................................................................................690
Using CLI ..............................................................................................690
Manage Controller IP Address ....................................................................690
Using WebUI.........................................................................................690
Using CLI ..............................................................................................690
Configure Multicast Listener Discovery (MLD)............................................690
Using WebUI.........................................................................................691
Using CLI ..............................................................................................691
Debug IPv6 Controller.................................................................................692
Using WebUI.........................................................................................692
Using CLI ..............................................................................................692
Provision IPv6 AP........................................................................................692
Using WebUI.........................................................................................692
Using CLI ..............................................................................................693
IPv6 Extension Header (EH) Filtering.................................................................693
Using CLI.....................................................................................................693
Captive Portal over IPv6 ....................................................................................693
Configuring Captive Portal over IPv6..........................................................693
ArubaOS Support for IPv6 Clients.....................................................................693
Enabling IPv6 ..............................................................................................694
Supported Network Configuration ..............................................................694
Network Connection for Windows IPv6 Clients ..........................................694
ArubaOS Features that Support IPv6 ................................................................695
Authentication .............................................................................................695
Firewall Functions .......................................................................................695
Firewall Policies...........................................................................................697
Creating an IPv6 firewall policy ............................................................699
Assigning an IPv6 Policy to a User Role...............................................700
DHCPv6 Passthrough/Relay .......................................................................700
IPv6 User Addresses .........................................................................................700
Viewing or Deleting User Entries.................................................................700
User Roles...................................................................................................700
Viewing Datapath Statistics for IPv6 Sessions ...........................................700
Important Points to Remember .........................................................................701
Chapter 37
Voice and Video ...................................................................................703
Voice and Video License Requirements ............................................................703
Configuring Voice and Video .............................................................................703
Setting up Net Services ..............................................................................703
Using Default Net Services...................................................................704
Creating Custom Net Services .............................................................704
Configuring User Roles ...............................................................................704
Using the Default User Role .................................................................705
Creating or Modifying Voice User Roles...............................................705
Using the User-Derivation Roles ..........................................................707
Configuring Firewall Settings for Voice and Video ALGs ............................708
Using WebUI.........................................................................................708
Using CLI ..............................................................................................708
Additional Video Configurations..................................................................708
Configuring Video over WLAN enhancements .....................................709
Pre-requisites .......................................................................................709
Using CLI ..............................................................................................709
Using the WebUI...................................................................................713
QoS for Voice and Video ...................................................................................717
VoIP Call Admission Control Profile............................................................717
Using the WebUI...................................................................................717
Using CLI ..............................................................................................718
Wi-Fi Multimedia .........................................................................................719
Enabling WMM .....................................................................................719
Configurable WMM AC Mapping..........................................................720
Dynamic WMM Queue Management ...................................................721
WMM Queue Content Enforcement............................................................724
Using the WebUI...................................................................................724
Using CLI ..............................................................................................724
Extended Voice and Video Functionalities ........................................................724
QoS for Microsoft Office OCS and Apple Facetime ...................................724
Microsoft OCS ......................................................................................724
Apple Facetime.....................................................................................724
WPA Fast Handover....................................................................................725
Using the WebUI to enable WPA fast handover...................................725
Using the CLI to enable WPA fast handover ........................................726
Mobile IP Home Agent Assignment ............................................................726
VoIP-Aware ARM Scanning ........................................................................726
Using the WebUI...................................................................................726
Using CLI ..............................................................................................726
Voice-Aware 802.1x ....................................................................................726
Using the WebUI to disable voice awareness for 802.1x .....................727
Using the CLI to disable voice awareness for 802.1x ..........................727
SIP Authentication Tracking........................................................................727
Using the WebUI to configure the SIP client user role .........................727
Using the CLI to configure the SIP client user role...............................727
Real Time Call Quality Analysis...................................................................727
Using the Web UI..................................................................................728
Using CLI ..............................................................................................728
SIP Session Timer .......................................................................................729
Using the WebUI...................................................................................729
Using CLI ..............................................................................................730
Voice and Video Traffic Awareness for Encrypted Signaling Protocols......730
Using the WebUI...................................................................................731
Using the CLI ........................................................................................731
Wi-Fi Edge Detection and Handover for Voice Clients ...............................732
Using the WebUI...................................................................................732
Using CLI ..............................................................................................732
Dial Plan for SIP Calls .................................................................................733
Dial Plan Format ...................................................................................733
Configuring Dial Plans ..........................................................................734
Enhanced 911 Support ...............................................................................736
Voice over Remote Access Point................................................................737
Battery Boost ..............................................................................................737
Using the WebUI...................................................................................737
Using the CLI ........................................................................................738
Advanced Voice Troubleshooting......................................................................738
Viewing Troubleshooting Details on Voice Client Status ............................738
Using the WebUI...................................................................................738
Using CLI ..............................................................................................739
Viewing Troubleshooting Details on Voice Call CDRs ................................740
Using the WebUI...................................................................................740
Using CLI ..............................................................................................741
Enabling Voice Logs....................................................................................741
Using the WebUI...................................................................................741
Using CLI ..............................................................................................742
Viewing Voice Traces ..................................................................................742
Using the WebUI...................................................................................742
Using CLI ..............................................................................................743
Viewing Voice Configurations .....................................................................743
Using CLI ..............................................................................................743
Chapter 38
External Services Interface.................................................................745
Understanding ESI.............................................................................................745
Understanding the ESI Syslog Parser ...............................................................747
ESI Parser Domains ....................................................................................747
Peer Controllers ..........................................................................................748
Syslog Parser Rules ....................................................................................749
Condition Pattern Matching..................................................................749
User Pattern Matching..........................................................................750
ESI Configuration Overview...............................................................................750
Configuring Health-Check Method, Groups, and Servers ..........................751
In the WebUI .........................................................................................751
In the CLI ..............................................................................................751
Defining the ESI Server ...............................................................................751
In the WebUI .........................................................................................752
In the CLI ..............................................................................................752
Defining the ESI Server Group ....................................................................752
In the WebUI .........................................................................................752
In the CLI ..............................................................................................753
Redirection Policies and User Role.............................................................753
In the WebUI .........................................................................................753
In the CLI ..............................................................................................754
ESI Syslog Parser Domains and Rules .......................................................754
Managing Syslog Parser Domains in the WebUI ........................................754
Adding a new syslog parser domain ....................................................754
Deleting an existing syslog parser domain...........................................755
Editing an existing syslog parser domain .............................................755
Managing Syslog Parser Domains in the CLI..............................................755
Adding a new syslog parser domain ....................................................755
Showing ESI syslog parser domain information...................................755
Deleting an existing syslog parser domain...........................................755
Editing an existing syslog parser domain .............................................755
Managing Syslog Parser Rules ...................................................................756
In the WebUI .........................................................................................756
Adding a new parser rule......................................................................756
Deleting a syslog parser rule ................................................................757
Editing an existing syslog parser rule ...................................................757
Testing a Parser Rule............................................................................757
In the CLI ..............................................................................................758
Adding a new parser rule......................................................................758
Showing ESI syslog parser rule information .......................................758
Deleting a syslog parser rule ................................................................758
Editing an existing syslog parser rule ...................................................758
Testing a parser rule .............................................................................758
Monitoring Syslog Parser Statistics ............................................................758
In the WebUI .........................................................................................758
In the CLI ..............................................................................................759
Example Route-mode ESI Topology .................................................................759
ESI server configuration on controller ..................................................759
IP routing configuration on Fortinet gateway .......................................759
Configuring the Example Routed ESI Topology .........................................760
Health-Check Method, Groups, and Servers..............................................760
Defining the Ping Health-Check Method ....................................................760
In the WebUI .........................................................................................760
In the CLI ..............................................................................................761
Defining the ESI Server ...............................................................................761
In the WebUI .........................................................................................761
In the CLI ..............................................................................................761
Defining the ESI Server Group ....................................................................761
In the WebUI .........................................................................................762
In the CLI ..............................................................................................762
Redirection Policies and User Role.............................................................762
In the WebUI .........................................................................................762
In the CLI ..............................................................................................763
Syslog Parser Domain and Rules................................................................763
Add a New Syslog Parser Domain in the WebUI..................................763
Adding a New Parser Rule in the WebUI..............................................764
In the CLI ..............................................................................................764
Example NAT-mode ESI Topology....................................................................765
ESI server configuration on the controller ............................................765
Configuring the Example NAT-mode ESI Topology....................................766
Configuring the NAT-mode ESI Example in the WebUI..............................766
In the WebUI .........................................................................................766
Configuring the ESI Group in the WebUI..............................................767
Configure the ESI Servers in the WebUI...............................................767
Configuring the Redirection Filter in the WebUI ...................................767
Configuring the Example NAT-mode Topology in the CLI..........................768
Configuring a Health-Check Ping .........................................................768
Configuring ESI Servers........................................................................768
Configure an ESI Group, Add the Health-Check Ping and ESI Servers .....768
Using the ESI Group in a Session Access Control List ........................768
CLI Configuration Example 1................................................................769
CLI Configuration Example 2................................................................769
Basic Regular Expression Syntax......................................................................769
Character-Matching Operators ...................................................................770
Regular Expression Repetition Operators...................................................770
Regular Expression Anchors.......................................................................771
References ..................................................................................................771
Chapter 39
External User Management ................................................................773
Overview ............................................................................................................773
Before you Begin.........................................................................................773
How the ArubaOS XML API Works....................................................................773
Using the XML API Server .................................................................................773
Configuring the XML API Server .................................................................774
Associate the XML API Server to AAA profile .............................................774
Set up Captive Portal profile.................................................................776
Associate Captive Portal profile to an initial role ...................................776
Creating an XML API Request ....................................................................776
Monitoring External Captive Portal Usage Statistics ..................................778
XML Request .....................................................................................................778
Adding a User .............................................................................................778
Deleting a User............................................................................................779
Authenticating a User..................................................................................779
Blacklisting a User ......................................................................................779
Querying a User Status ...............................................................................780
XML Response ..................................................................................................780
Default Response Format ...........................................................................780
Response Codes ..................................................................................780
Query Command Response Format ...........................................................781
Sample Code .....................................................................................................782
Using XML API in C Language....................................................................783
Request and Response ........................................................................785
XML API Request Parameters ..............................................................785
XML API Response ................................................................................787
Adding a Client .....................................................................................787
Deleting a Client ...................................................................................788
Authenticating a Client .........................................................................788
Querying Client Information..................................................................790
Blacklisting a Client ..............................................................................791
Chapter 40
Content Security Service ....................................................................793
Redirecting Traffic .............................................................................................793
Administration .............................................................................................793
Controllers...................................................................................................793
HTTP dst-nat to Scanning Server in a Corporate Network ..................793
HTTP dst-nat to any Static IP...............................................................793
RAPs ...........................................................................................................794
HTTP Route dst-nat to Cloud Service ..................................................794
HTTP Route dst-nat to any Static IP ....................................................794
Example Configuration................................................................................794
Verifying and Debugging ...................................................................................794
Appendix A
DHCP with Vendor-Specific Options .................................................795
Windows-Based DHCP Server..........................................................................795
Configuring Option 60.................................................................................796
To configure option 60 on the Windows DHCP server.........................796
Configuring Option 43.................................................................................796
To configure option 43 on the Windows DHCP server.........................796
DHCP Relay Agent Information Option (Option 82)...........................................797
Configuring Option 82.................................................................................798
In the WebUI .........................................................................................798
In the CLI ..............................................................................................798
Linux DHCP Servers ..........................................................................................798
Appendix B
External Firewall Configuration ..........................................................799
Communication Between Aruba Devices ..........................................................799
Network Management Access ..........................................................................800
Virtual Internet Access (VIA) ..............................................................................800
Other Communications......................................................................................800
Appendix C
Behavior and Defaults .........................................................................803
Mode Support....................................................................................................803
Basic System Defaults.......................................................................................804
Network Services ........................................................................................804
Policies ........................................................................................................806
Roles ...........................................................................................................809
Default Management User Roles.......................................................................811
Default Open Ports ............................................................................................814
Appendix D
802.1x Configuration for IAS and Windows Clients..........................817
Configuring Microsoft IAS .................................................................................817
RADIUS Client Configuration ......................................................................817
Remote Access Policies..............................................................................818
Active Directory Database ..........................................................................818
Configuring Policies ....................................................................................818
Configuring RADIUS Attributes ...................................................................820
Configure Management Authentication using IAS.............................................821
Configure the Controller to use IAS Management Authentication ..............822
Verify Communication between the Controller and the RADIUS Server.....824
Windows XP Wireless Client Example Configuration.........................................824
Appendix E
Internal Captive Portal.........................................................................829
Creating a New Internal Web Page ...................................................................829
Basic HTML Example..................................................................................830
Installing a New Captive Portal Page ................................................................831
Displaying Authentication Error Message..........................................................831
Reverting to the Default Captive Portal .............................................................832
Language Customization...................................................................................832
Customizing the Welcome Page .......................................................................835
Customizing the Pop-Up box ............................................................................837
Customizing the Logged Out Box .....................................................................838
Appendix F
Tunneled Nodes ...................................................................................841
Configuration Overview .....................................................................................841
Configuring a Wired Tunneled Node Client .......................................................842
Configuring an Access Port as a Tunneled Node Port ...............................843
Configuring a Trunk Port as a Tunneled Node Port ....................................843
Example Output.................................................................................................844
Appendix G
Pre-requisites ....................................................................................................845
Downloading VIA ...............................................................................................845
Installing VIA ......................................................................................................846
Using VIA ...........................................................................................................846
Connection Details Tab...............................................................................846
Diagnostic Tab ............................................................................................847
Diagnostics Tools .................................................................................847
Settings Tab ................................................................................................847
Troubleshooting ..........................................................................................847
Appendix H
Provisioning RAP at Home..................................................................849
Provision the RAP using a Static IP Address..............................................849
Provision the RAP on a PPPoE Connection................................................850
Using 3G/EVDO USB Modem.....................................................................851
Appendix I
Acronyms and Terms ..........................................................................855
Acronyms...........................................................................................................855
Terms.................................................................................................................861
Index ...................................................................................................................................869
Figures
Figure 1 Enable BCMC Optimization.................................................................................63
Figure 2 IP Address Assignment to VLAN via DHCP or PPPoE ........................................67
Figure 3 Assigning VLAN uplink priority—Active-Standby configuration ..........................68
Figure 4 Example: Source NAT using Controller IP Address ............................................71
Figure 5 Default Inter-VLAN Routing .................................................................................72
Figure 6 Plan>Campus List Window .................................................................................80
Figure 7 Plan>Building List Pane.......................................................................................81
Figure 8 Plan>New Building>Overview Window ...............................................................82
Figure 9 Plan>New Building>Specification Window .........................................................83
Figure 10 Plan>New Building>AP Modeling Parameters Window ......................................84
Figure 11 AM Modeling Page ..............................................................................................89
Figure 12 Coverage Map Example ......................................................................................91
Figure 13 Floor Editor Dialog Box........................................................................................92
Figure 14 Area Editor Dialog Box ........................................................................................93
Figure 15 Access Point Editor .............................................................................................95
Figure 16 AP Planning ........................................................................................................97
Figure 17 AP Groups .........................................................................................................113
Figure 18 AP Specific and AP Group Profile Hierarchies ..................................................119
Figure 19 Other Profile Hierarchies....................................................................................120
Figure 20 APs Connected to Controller.............................................................................124
Figure 21 Virtual AP Configurations Applied to the same AP............................................145
Figure 22 Excluding a Virtual AP Profile from an AP .........................................................146
Figure 23 Remote AP with a Private Network ...................................................................187
Figure 24 Remote AP with Controller on Public Network..................................................187
Figure 25 Remote AP with Controller Behind Firewall.......................................................188
Figure 26 Remote AP in a Multi-Controller Environment...................................................188
Figure 27 CHAP Authentication Using CHAP Secret ........................................................190
Figure 28 Remote AP with Single Controller .....................................................................197
Figure 29 Sample Backup Controller Scenario .................................................................214
Figure 30 Enable Remote AP Local Network Access........................................................215
Figure 31 Sample Split Tunnel Environment .....................................................................217
Figure 32 Enable Restricted Access to LD Homepage .....................................................220
Figure 33 Uplink Bandwidth Reservation ..........................................................................223
Figure 34 Sample Mesh Clusters ......................................................................................227
Figure 35 Sample Wireless Backhaul Deployment............................................................232
Figure 36 Sample Point-to-Point Deployment...................................................................233
Figure 37 Sample Point-to-Multipoint Deployment ...........................................................233
Figure 38 Sample High-Availability Deployment ...............................................................234
Figure 39 Working of RMP ................................................................................................267
Figure 40 Provisioning an AP as a Remote Mesh Portal ...................................................268
Figure 41 Server Group .....................................................................................................274
Figure 42 IP-Address parameter in the local database .....................................................281
Figure 43 IP-Address parameter in the RAP Whitelist.......................................................281
Figure 44 Domain-Based Server Selection Example.........................................................285
Figure 45 802.1x Authentication with RADIUS Server.......................................................296
Figure 46 802.1x Authentication with Termination on Controller ......................................297
Figure 47 Upload a certificate ...........................................................................................326
Figure 48 View certificate details.......................................................................................326
Figure 49 DHCP Option Rule.............................................................................................344
Figure 50 Wireless xSec Client Example ...........................................................................390
Figure 51 Wired xSec Client Example ...............................................................................392
Figure 52 Controller-to-Controller xSec Example .............................................................396
Figure 53 The regedit Window...........................................................................................397
Figure 54 Modifying a regedit Policy .................................................................................398
Figure 55 The Funk Odyssey Client Profile .......................................................................398
Figure 56 Certificate Information .......................................................................................399
Figure 57 Network Profile ..................................................................................................399
Figure 58 Site-to-Site VPN Configuration Components....................................................419
Figure 59 VIA - Associate User Role to VIA Authentication Profile ...................................433
Figure 60 VIA - Creating a new server group for VIA authentication profile......................433
Figure 61 VIA - Enter a name for the server group ............................................................433
Figure 62 VIA - Create VIA Connection Profile ..................................................................434
Figure 63 VIA - Select VIA Authentication Profile ..............................................................437
Figure 64 VIA - Associate VIA Connection Profile to User Role ........................................437
Figure 65 VIA - Create VIA Client WLAN Profile ................................................................438
Figure 66 VIA - Configure the SSID Profile........................................................................438
Figure 67 VIA - Configure VIA Client WLAN Profile ...........................................................438
Figure 68 VIA - Customize VIA logo, Landing Page, and download VIA Installer .............440
Figure 69 Control Plane Security Settings.........................................................................449
Figure 70 Local Switch Whitelist on a Master Controller..................................................455
Figure 71 A Cluster of Master Controllers using Control Plane Security...........................458
Figure 72 Sequence numbers on Master and Local Controllers .......................................467
Figure 73 Remote Nodes in a Network .............................................................................476
Figure 74 Selecting an RN via the WLAN Controllers ......................................................485
Figure 75 Routing of Traffic to Mobile Client within Mobility Domain ...............................494
Figure 76 Example Configuration: Campus-Wide ............................................................497
Figure 77 Bridge Mode Mobility ........................................................................................504
Figure 78 Inter-controller Mobility .....................................................................................507
Figure 79 Redundant Topology: Master-Local Redundancy ............................................515
Figure 80 Configuring RSTP ..............................................................................................519
Figure 81 Monitoring RSTP ...............................................................................................520
Figure 82 Cellular Profile Commands ...............................................................................527
Figure 83 Uplink Commands .............................................................................................527
Figure 84 Connected Cellular Devices .............................................................................527
Figure 85 WebUI Uplink Manager .....................................................................................528
Figure 86 Cellular Profile from the WebUI ........................................................................529
Figure 87 Configuring Dialer Group...................................................................................530
Figure 88 Display supported USB modems ......................................................................530
Figure 89 show usb verbose example (partial) ..................................................................530
Figure 90 show uplink........................................................................................................531
Figure 91 uplink cellular priority.........................................................................................531
Figure 92 show usb command ..........................................................................................531
Figure 93 show usb verbose for profile and driver ............................................................532
Figure 94 cellular profile new_card command...................................................................532
Figure 95
Figure 96
Figure 97
Figure 98
Figure 99
Figure 100
Figure 101
Figure 102
Figure 103
Figure 104
Figure 105
Figure 106
Figure 107
Figure 108
Figure 109
Figure 110
Figure 111
Figure 112
Figure 113
Figure 114
Figure 115
Figure 116
Figure 117
Figure 118
Figure 119
Figure 120
Figure 121
Figure 122
Figure 123
Figure 124
Figure 125
Figure 126
Figure 127
Figure 128
Figure 129
Figure 130
Figure 131
Figure 132
Figure 133
Figure 134
Figure 135
Figure 136
Figure 137
Figure 138
Figure 139
Figure 140
Figure 141
Figure 142
Figure 143
Figure 144
ArubaOS 6.1 | User Guide
Driver options ....................................................................................................532
Driver=(none) ....................................................................................................533
show usb ports 13 command............................................................................533
show usb test command ...................................................................................533
Time out error example. ....................................................................................533
Port I/O error......................................................................................................534
Device Ready State ...........................................................................................534
usb test extended..............................................................................................534
show dialer group example ...............................................................................535
600 Series Sample Topology.............................................................................540
WLAN OSPF Topology ......................................................................................548
Branch Office OSPF Topology ..........................................................................549
General OSPF Configuration ............................................................................551
Add an OSPF Area ............................................................................................551
Edit OSPF VLAN Settings .................................................................................552
Sample OSPF Topology ....................................................................................553
WIP Wizard ........................................................................................................560
WIP Wizard’s Intrusion Detection .....................................................................561
WIP Wizard Intrusion Protection .......................................................................562
WIP Monitoring Dashboard ...............................................................................563
Configuring Automatic Reporting ......................................................................590
Resetting the Password ...................................................................................599
Reconfigure the enable mode password...........................................................599
Guest Provisioning Configuration Page—Guest Fields Tab..............................611
Guest Provisioning Configuration Page—Page Design Tab .............................613
Guest Provisioning Configuration Page—Email Tab .........................................614
Sample Guest Account Email – Sent to Sponsor..............................................615
Customized Guest Account Information Window .............................................617
Creating a Guest Account—Guest Provisioning Page ......................................618
Creating a Guest Account—New Guest Window..............................................618
Creating a Guest Account—Show Details Pop-up Window .............................619
CVS File Format—Guest Entries Information ....................................................620
Importing a CSV file that contains Guest Entries ..............................................620
Displaying the Guest Entries Log File................................................................621
Viewing and Editing Guest Entries in the Log File.............................................622
Viewing Multiple Imported Guest Entries—Guest Provisioning Page ...............622
Printing Guest Account Information ..................................................................623
Viewing a list of Connected Spectrum Monitors ...............................................641
Selecting a Spectrum Monitor...........................................................................643
Replacing a Graph in the Spectrum Analysis Dashboard .................................644
Renaming a Spectrum Dashboard View............................................................644
Save a Spectrum Analysis Dashboard Layout ..................................................645
Resizing a Spectrum Analysis Graph ................................................................645
Viewing Spectrum Analysis Graph Options.......................................................646
Active Devices Graph ........................................................................................647
Active Devices Table .........................................................................................648
Active Devices Trend Graph..............................................................................651
Channel Metrics Graph......................................................................................653
Channel Metrics Trend Chart ............................................................................654
Channel Summary Table ...................................................................................655
Figure 145 Device Duty Cycle ........................................................................657
Figure 146 Channel Utilization Trend ............................................................658
Figure 147 Devices vs Channel .....................................................................660
Figure 148 FFT Duty Cycle ............................................................................662
Figure 149 Interference Power ......................................................................663
Figure 150 Quality Spectrogram ....................................................................665
Figure 151 Real-Time FFT .............................................................................666
Figure 152 Simple Line Graph of FFT Power Data ........................................668
Figure 153 FFT Power Line Graph with Color ...............................................668
Figure 154 FFT Power Spectrogram Sample ................................................668
Figure 155 Swept Spectrogram .....................................................................669
Figure 156 Recording Spectrum Analysis Data .............................................671
Figure 157 Saving Spectrum Analysis Data ..................................................671
Figure 158 Playing a Recording with the Spectrum Playback Tool ..............672
Figure 159 Spectrum Analysis Session Logs ................................................674
Figure 160 Alert Flag ......................................................................................679
Figure 161 IPv6 Topology ..............................................................................686
Figure 162 Supported Network Configuration ...............................................694
Figure 163 Enable IGMP Proxy .....................................................................714
Figure 164 Enable IGMP Snooping ...............................................................714
Figure 165 Enable Wireless Multimedia and Set DSCP Value ......................714
Figure 166 Set ACL to Prioritize Video Traffic ...............................................714
Figure 167 Apply ACL to User Role ...............................................................715
Figure 168 Apply ACL to Port ........................................................................715
Figure 169 Enabling Dynamic Multicast Optimization for Video and Set Threshold .....715
Figure 170 Enable Multicast Rate Optimization ............................................716
Figure 171 Enabling Video Aware Scan ........................................................716
Figure 172 Configuring bandwidth management ..........................................716
Figure 173 Enable Firewall Multicast Shaping ...............................................717
Figure 174 Enable Real Time Analysis ..........................................................728
Figure 175 Enabling SIP Session Timer ........................................................730
Figure 176 Firewall Policies Tab ....................................................................731
Figure 177 Enabling Classify Media ..............................................................731
Figure 178 Configuring Handover for Voice Clients ......................................732
Figure 179 Dialplan Profile ............................................................................734
Figure 180 Dialplan Details ............................................................................734
Figure 181 Select Dialplan Profile .................................................................735
Figure 182 View Dialplan Details ...................................................................735
Figure 183 Enable Voice Logging ..................................................................741
Figure 184 Enable Logging for a Voice Client ...............................................742
Figure 185 ESI-Fortinet Topology ..................................................................746
Figure 186 Load Balancing Groups ...............................................................747
Figure 187 ESI Parser Domains .....................................................................748
Figure 188 ESI Peer Controllers ....................................................................749
Figure 189 Example Route-Mode Topology ..................................................759
Figure 190 Example NAT-Mode Topology ....................................................765
Figure 191 Authentication Script Listing .......................................................783
Figure 192 Adding a client—request and response ......................................787
Figure 193 Authenticating the client—request and response .......................789
Figure 194 Blacklisting a Client—request and response ...............................791
Figure 195 Scope Options Dialog Box ...........................................................797
Figure 196 DHCP Scope Values ....................................................................797
Figure 197 IAS RADIUS Clients .....................................................................817
Figure 198 IAS Remote Access Policies .......................................................819
Figure 199 Policy Configuration Wizard—Authentication Methods ..............819
Figure 200 Policy Configuration Wizard—PEAP Properties ..........................820
Figure 201 RADIUS class Attribute Configuration .........................................820
Figure 202 Example RADIUS Class Attribute for “student” ..........................821
Figure 203 Configuring a RADIUS Server for IAS Management Authentication ...........823
Figure 204 Configuring a Server Group for IAS Management Authentication ..............823
Figure 205 Testing a RADIUS Server ............................................................824
Figure 206 Wireless Networks .......................................................................825
Figure 207 Networks to Access .....................................................................825
Figure 208 Wireless Network Association .....................................................826
Figure 209 Wireless Network Authentication ................................................827
Figure 210 Protected EAP Properties ............................................................827
Figure 211 EAP MSCHAPv2 Properties ........................................................828
Figure 212 Sample Translated Page .............................................................835
Figure 213 Default Welcome Page ................................................................835
Figure 214 Tunneled node configuration operation ......................................842
Figure 215 Login to Download VIA ................................................................846
Figure 216 Downloading VIA set up file after authentication ........................846
Figure 217 Show Advanced Settings ............................................................849
Figure 218 Provision RAP using Static IP ......................................................850
Figure 219 Provision RAP on a PPPoE Connection ......................................851
Figure 220 Provision using a pre-configured USB Modem ...........................852
Figure 221 Provision using a USB Modem with Custom Settings ................852
Tables
Table 1 Typographical Conventions .................................................................46
Table 2 Classifying Trusted and Untrusted Traffic ...........................................64
Table 3 Planning Worksheet - Building Dimensions ........................................79
Table 4 Planning Worksheet - AP Desired Rates (2.4 GHz Radio Properties) .....79
Table 5 Planning Worksheet - AM Desired Rates ............................................79
Table 6 Definition of Campus List Buttons ......................................................80
Table 7 Building List Buttons ...........................................................................81
Table 8 New Building Specifications Parameters ............................................83
Table 9 AP Modeling Parameters ....................................................................84
Table 10 Radio Type Definitions ......................................................................86
Table 11 Design Model Radio Buttons ............................................................86
Table 12 Overlap Factor Values .......................................................................87
Table 13 Radio Properties ................................................................................87
Table 14 AM Modeling Radio Buttons .............................................................89
Table 15 Design Model Radio Buttons ............................................................89
Table 16 Floor Planning Features ....................................................................90
Table 17 AP Property Search .........................................................................102
Table 18 Sample Building ..............................................................................104
Table 19 Create a Building .............................................................................106
Table 20 AP Configuration Function Overview ..............................................111
Table 21 Profile Errors ....................................................................................118
Table 22 AP System Profile Configuration ....................................................132
Table 23 RF Optimization Profile Parameters ................................................137
Table 24 RF Event Profile Parameters ...........................................................139
Table 25 20 MHz and 40 MHz Static Channel Configuration Options ..........141
Table 26 AP Console Commands ..................................................................143
Table 27 Applying WLAN Profiles to AP Groups ...........................................145
Table 28 Profiles for Example Configuration .................................................147
Table 29 AAA Profile Parameters ...................................................................149
Table 30 Virtual AP Profile Parameters ..........................................................151
Table 31 Basic SSID Profile Parameters ........................................................156
Table 32 Advanced SSID Profile Parameters ................................................156
Table 33 802.11k Profile Parameters .............................................................163
Table 34 High-Throughput Radio Profile Configuration Parameters ............166
Table 35 High-Throughput SSID Profile Parameters .....................................167
Table 36 ARM Profile Types ...........................................................................173
Table 37 ARM Profile Configuration Parameters ...........................................175
Table 38 RAP Console Summary Tab Information ........................................198
Table 39 RAP Console Connectivity Tab Information ...................................201
Table 40 Remote AP Modes of Operation and Behavior ...............................203
Table 41 Mesh Link Metric Computation .......................................................228
Table 42 Mesh Radio Profile Configuration Parameters ...............................236
Table 43 802.11a/802.11g RF Management Configuration Parameters .......241
Table 44 Mesh High-Throughput SSID Profile Configuration Parameters ....250
Table 45 Mesh Cluster Profile Configuration Parameters .............................254
Table 46 RADIUS Server Configuration Parameters .....................................274
Table 47 RADIUS Authentication Response Codes ......................................276
Table 48 LDAP Server Configuration Parameters .........................................277
Table 49 TACACS+ Server Configuration Parameters ..................................278
Table 50 Windows Server Configuration Parameters ....................................279
Table 51 Internal Database Configuration Parameters ..................................280
Table 52 Server Rule Configuration Parameters ...........................................288
Table 53 Server Types and Purposes ............................................................289
Table 54 Authentication Timers .....................................................................293
Table 55 802.1x Authentication Profile Basic WebUI Parameters ................299
Table 56 Role Assignment for User and Machine Authentication .................306
Table 57 VLAN Assignment for User and Machine Authentication ...............307
Table 58 Mixed Authentication Modes ..........................................................323
Table 59 Firewall Policy Rule Parameters .....................................................332
Table 60 User Role Parameters .....................................................................337
Table 61 Conditions for a User-Derived Role or VLAN .................................341
Table 62 IPv4 Firewall Parameters ................................................................346
Table 63 WISPr Authentication Profile Parameters .......................................361
Table 64 Captive Portal Authentication Profile Parameters ..........................379
Table 65 Captive Portal login Pages ..............................................................381
Table 66 Ethernet Interface Port/ Wired AP Port Configuration Parameters .....395
Table 67 Suite-B Algorithms Supported by the ACR License .......................402
Table 68 Client Support for Suite-B ...............................................................402
Table 69 VPN Clients Supporting IKEv2 ........................................................403
Table 70 Supported VPN AAA Deployments .................................................403
Table 71 Predefined Authentication Profile settings ......................................404
Table 72 Default IKE Policy Settings .............................................................423
Table 73 VIA Connectivity Behavior ..............................................................428
Table 74 VIA Compatibility Matrix .................................................................429
Table 75 VIA - Authentication Profile Parameters .........................................432
Table 76 VIA - Connection Profile Options ....................................................434
Table 77 Configure VIA client WLAN profile ..................................................439
Table 78 MAC Authentication Profile Configuration Parameters ..................443
Table 79 Control Plane Security Parameters .................................................448
Table 80 Configure Campus AP Whitelist Parameters ..................................450
Table 81 View Campus AP Whitelist Parameters ..........................................450
Table 82 View the Campus AP Whitelist via the CLI .....................................451
Table 83 Control Plane Security Whitelists ....................................................454
Table 84 Master and Local Switch Whitelist Information ..............................456
Table 85 CLI Commands to Display Cluster Settings ...................................460
Table 86 Control Plane Security Upgrade Strategies ....................................465
Table 87 Configuration Commands Available in Remote-Node Profile Mode ....476
Table 88 Remote Node DHCP Address Pool Parameters ............................478
Table 89 RN Provisioning Checklist ..............................................................484
Table 90 Useful RN Show Commands ..........................................................486
Table 91 Frequency to Channel Mapping ......................................................488
Table 92 Example entries ...............................................................................497
Table 93 Client Roaming Status ....................................................................499
Table 94 User Roaming status ......................................................................499
Table 95 IP Mobility Configuration Parameters .............................................500
Table 96 Command Syntax ............................................................................508
Table 97 VRRP Parameters ...........................................................................509
Table 98 VRRP Commands ...........................................................................512
Table 99 Database synchronization commands ...........................................514
Table 100 Incremental Configuration Synchronization Commands ..............514
Table 101 Port State Comparison ..................................................................517
Table 102 Port Role Descriptions ..................................................................518
Table 103 RSTP Default Values .....................................................................519
Table 104 600 Series Controller by the Numbers .........................................525
Table 105 Multi-function Media Eject Button ................................................538
Table 106 AP Classification Definition ...........................................................563
Table 107 Client Classification Definitions ....................................................564
Table 108 Infrastructure Detection Summary ................................................567
Table 109 Client Detection Summary ............................................................573
Table 110 Infrastructure Protection Summary ...............................................577
Table 111 Client Protection Summary ...........................................................578
Table 112 WMS Configuration Parameters ...................................................579
Table 113 PhoneHome Statistics ...................................................................591
Table 114 Management Password Policy Settings .......................................600
Table 115 Allowed Characters in a Management User Password ................601
Table 116 Management Authentication Profile Parameters ..........................602
Table 117 CSR Parameters ............................................................................604
Table 118 Certificate Show Commands ........................................................606
Table 119 Imported Certificate Locations .....................................................606
Table 120 SNMP Parameters for the Controller ............................................607
Table 121 Software Modules .........................................................................609
Table 122 Logging Levels ..............................................................................610
Table 123 Guest Provisioning—Guest Field Descriptions ............................612
Table 124 File Transfer Configuration Parameters ........................................625
Table 125 Device support for spectrum analysis ..........................................631
Table 126 Spectrum Analysis Graphs ...........................................................632
Table 127 Spectrum Profile Parameters ........................................................639
Table 128 Spectrum Device Selection Information .......................................640
Table 129 Active Devices Graph Options ......................................................647
Table 130 Active Devices Table Options .......................................................648
Table 131 Active Devices Trend Options .......................................................651
Table 132 Channel Metrics Options ..............................................................653
Table 133 Channel Metrics Trend Options ....................................................654
Table 134 Channel Summary Table Parameters ...........................................655
Table 135 Device Duty Cycle Options ...........................................................657
Table 136 Channel Utilization Trend Options ................................................659
Table 137 Devices vs Channel Options .........................................................660
Table 138 FFT Duty Cycle Options ................................................................662
Table 139 Interference Power Options ..........................................................664
Table 140 Quality Spectrogram Options .......................................................665
Table 141 Real-Time FFT Options .................................................................667
Table 142 Swept Spectrogram Options .........................................................669
Table 143 Non-Wi-Fi Interferer Types ............................................................673
Table 144 Spectrum Analysis CLI Commands ..............................................674
Table 145 Usage per License .........................................................................680
Table 146 MIPS Controller AP Capacity ........................................................680
Table 147 IPv6 APs Support Matrix ...............................................................687
Table 148 IPv6 Client Authentication .............................................................695
Table 149 IPv6 Firewall Parameters ..............................................................696
Table 150 IPv6 Firewall Policy Rule Parameters ...........................................698
Table 151 Default Voice Net Services and Ports ...........................................704
Table 152 Services for ALGs ..........................................................................705
Table 153 Other Mandatory Services for the ALGs .......................................706
Table 154 VoIP Call Admission Control Configuration Parameters ..............717
Table 155 WMM Access Category to 802.1p Priority Mapping ....................719
Table 156 WMM Access Category to DSCP Mappings ................................720
Table 157 WMM Access Categories and 802.1p Tags ..................................721
Table 158 EDCA Parameters Station and EDCA Parameters AP Profile Settings .....723
Table 159 Ports used by the Apple Facetime Application .............................725
Table 160 Examples of Dial Plans ..................................................................733
Table 161 Character-matching operators in regular expressions .................770
Table 162 Regular expression repetition operators ......................................770
Table 163 Regular expression anchors ..........................................................771
Table 164 XML API Authentication Command ..............................................777
Table 165 Authentication command options .................................................777
Table 166 XML Response Codes ...................................................................780
Table 167 Query Response Code ..................................................................782
Table 168 XML API Request Parameters and Descriptions ..........................785
Table 169 Configure option 60 on the Windows DHCP server .....................796
Table 170 Features not Supported in Each Forwarding Mode .....................803
Table 171 Predefined Network Services ........................................................804
Table 172 Predefined Policies ........................................................................806
Table 173 Predefined Roles ...........................................................................809
Table 174 Predefined Management Roles .....................................................811
Table 175 Default (Trusted) Open Ports .........................................................814
Table 176 Web Page Authentication Variables ..............................................829
Table 177 Provision using Static IP ................................................................850
Table 178 Provision using PPPoE Connection ..............................................851
Table 179 List of acronyms ............................................................................855
Table 180 List of terms ...................................................................................861
About this Guide
This User Guide describes the features supported by ArubaOS and provides instructions and examples for
configuring controllers and Access Points (APs). This chapter covers:
• “Audience” on page 45
• “Fundamentals” on page 45
• “Related Documents” on page 46
• “Conventions” on page 46
• “Contacting Support” on page 47
Audience
This guide is intended for system administrators responsible for configuring and maintaining wireless
networks and assumes you are knowledgeable in Layer 2 and Layer 3 networking technologies.
Fundamentals
Throughout this document, references are made to controllers; controller categories are based on
architecture:
• MIPS Controllers—M3, 3000 Series, 600 Series
• PPC Controllers—200, 800, 2400, and SC1/SC2 Controllers
Configuring your controller and AP is accomplished using either the Web User Interface (WebUI) or the
command line interface (CLI).
WebUI
Each controller supports up to 22 simultaneous WebUI connections. The WebUI is accessible through a
standard Web browser from a remote management console or workstation. The WebUI includes
configuration wizards that step you through easy-to-follow configuration tasks. The wizards are:
- AP Wizard—basic AP configuration
- Controller Wizard—basic controller configuration
- LAN Wizard—creating and configuring new WLAN(s) associated with the "default" ap-group
- License Wizard—installation and activation of software licenses
In addition to the wizards, the WebUI includes a Dashboard monitoring feature that provides enhanced
visibility into your wireless network’s performance and usage. This allows you to easily locate and diagnose
WLAN issues. For details on the WebUI Dashboard, see Chapter 13, “Dashboard Monitoring” on page 351.
CLI
The CLI is a text-based interface accessible from a local console connected to the serial port on the
controller or through a Telnet or Secure Shell (SSH) session.
By default, you access the CLI from the serial port or from an SSH session. You must explicitly enable Telnet on your
controller in order to access the CLI via a Telnet session.
When entering commands remember that:
- commands are not case sensitive
- the space bar will complete your partial keyword
- the backspace key will erase your entry one letter at a time
- the question mark ( ? ) will list available commands and options
Related Documents
The following items are part of the complete documentation for the Aruba user-centric network:
- Aruba Controller Installation Guides
- Aruba Access Point Installation Guides
- ArubaOS Quick Start Guide
- ArubaOS User Guide
- ArubaOS Command Line Reference Guide
- ArubaOS MIB Reference Guide
- Release Notes
Conventions
The following conventions are used throughout this manual to emphasize important concepts:
Table 1 Typographical Conventions (Type Style: Description)

Italics
    This style is used to emphasize important terms and to mark the titles of books.

System items
    This fixed-width font depicts the following:
    - Sample screen output
    - System prompts
    - Filenames, software devices, and specific commands when mentioned in the text

Commands
    In the command examples, this bold font depicts text that you must type exactly as shown.

<Arguments>
    In the command examples, italicized text within angle brackets represents items that you should
    replace with information appropriate to your specific situation. For example:
        # send <text message>
    In this example, you would type "send" at the system prompt exactly as shown, followed by the text
    of the message you wish to send. Do not type the angle brackets.

[Optional]
    In the command examples, items enclosed in brackets are optional. Do not type the brackets.

{Item A | Item B}
    In the command examples, items within curled braces and separated by a vertical bar represent the
    available choices. Enter only one choice. Do not type the braces or bars.
The following informational icons are used throughout this guide:
- Note: indicates helpful suggestions, pertinent information, and important things to remember.
- Caution: indicates a risk of damage to your hardware or loss of data.
- Warning: indicates a risk of personal injury or death.
Contacting Support
Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephones: arubanetworks.com/support-services/aruba-support-program/contact-support/
Software Licensing Site: licensing.arubanetworks.com/login.php
Wireless Security Incident Response Team (WSIRT): arubanetworks.com/support/wsirt.php
Support Emails
Americas and APAC: [email protected]
EMEA: [email protected]
WSIRT Email: [email protected]
Please email details of any security problem found in an Aruba product.
Chapter 1
The Basic User-Centric Networks
This chapter describes how to connect an Aruba controller and Aruba APs to your wired network. After
completing the tasks described in this chapter, see “Access Points” on page 111 for information on
configuring APs.
This chapter describes the following topics:
- "Configuring the User-Centric Network" on page 49
- "Deployment and Configuration Tasks" on page 49
- "Configuring the Controller" on page 52
- "Configuring a VLAN for Network Connection" on page 53
- "Additional Configuration" on page 58
Configuring the User-Centric Network
Configuring your controller and AP is done through either the Web User Interface (WebUI) or the command
line interface (CLI).
- The WebUI is accessible through a standard Web browser from a remote management console or
  workstation. The WebUI includes configuration wizards that step you through easy-to-follow
  configuration tasks. Each wizard has embedded online help. The wizards are:
  - AP Wizard—basic AP configurations including LAN, Remote, LAN Mesh and Remote Mesh
    deployment scenarios
  - Controller Wizard—basic controller configuration including system settings, Control Plane security,
    cluster settings and licenses
  - WLAN/LAN Wizard—creating and configuring new WLANs and LANs associated with the "default"
    ap-group. Includes campus only and remote networking.
  - License Wizard—installation and activation of software licenses (see Chapter 35 on page 677)
  Clicking Cancel from the Wizards returns you to where you launched the wizard. Any configuration changes
  you entered are not saved.
- The command line interface (CLI) allows you to configure and manage controllers. The CLI is accessible
  from a local console connected to the serial port on the controller or through a Telnet or Secure Shell
  (SSH) session from a remote management console or workstation.
  By default, you can only access the CLI from the serial port or from an SSH session. To use the CLI in a
  Telnet session, you must explicitly enable Telnet on the controller.
Deployment and Configuration Tasks
This section describes typical deployment scenarios and the tasks you must perform in connecting an
Aruba controller and Aruba APs to your wired network. For details on performing the tasks mentioned in
these scenarios, refer to the remaining sections within this chapter.
Deployment Scenario #1
[Figure: router is the default gateway for the controller and clients]
In this deployment scenario, the APs and controller are on the same subnetwork and will use IP addresses
assigned to the subnetwork. There are no routers between the APs and the controller. APs can be physically
connected directly to the controller. The uplink port on the controller is connected to a layer-2 switch or
router.
For this scenario, you must perform the following tasks:
1. Run the initial setup wizard.
   - Set the IP address of VLAN 1.
   - Set the default gateway to the IP address of the interface of the upstream router to which you will
     connect the controller.
2. Connect the uplink port on the controller to the switch or router interface. By default, all ports on the
   controller are access ports and will carry traffic for a single VLAN.
3. Deploy APs. The APs will use the Aruba Discovery Protocol (ADP) to locate the controller.
4. Configure the SSID(s) with VLAN 1 as the assigned VLAN for all users.
Deployment Scenario #2
[Figure: Floor 1, Floor 2 and Floor 3 subnets connected to a Data Center; the controller is the default
gateway for clients]
In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on
multiple subnetworks. The controller acts as a router for the wireless subnetworks (the controller is the
default gateway for the wireless clients). The uplink port on the controller is connected to a layer-2 switch
or router; this port is an access port in VLAN 1.
For this scenario, you must perform the following tasks:
1. Run the initial setup wizard.
   - Set the IP address for VLAN 1.
   - Set the default gateway to the IP address of the interface of the upstream router to which you will
     connect the controller.
2. Connect the uplink port on the controller to the switch or router interface.
3. Deploy APs. The APs will use DNS or DHCP to locate the controller.
4. Configure VLANs for the wireless subnetworks on the controller.
5. Configure SSIDs with the VLANs assigned for each wireless subnetwork.
Each wireless client VLAN must be configured on the controller with an IP address. On the uplink switch or router,
you must configure static routes for each client VLAN, with the controller’s VLAN 1 IP address as the next hop.
Deployment Scenario #3
[Figure: Floor 1, Floor 2 and Floor 3 subnets connected to a Data Center; a trunk port carries client
VLANs; the router is the default gateway for the controller and clients]
In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on
multiple subnetworks. There are routers between the APs and the controller. The controller is connected to
a layer-2 switch or router through a trunk port that carries traffic for all wireless client VLANs. An upstream
router functions as the default gateway for the wireless users.
This deployment scenario does not use VLAN 1 to connect to the layer-2 switch or router through the trunk port. The
initial setup prompts you for the IP address and default gateway for VLAN 1; use the default values. In later steps, you
configure the appropriate VLAN to connect to the switch or router as well as the default gateway.
For this scenario, you must perform the following tasks:
1. Run the initial setup.
   - Use the default IP address for VLAN 1. Since VLAN 1 is not used to connect to the layer-2 switch or
     router through the trunk port, you must configure the appropriate VLAN in a later step.
   - Do not specify a default gateway (use the default "none"). In a later step, you configure the default
     gateway.
2. Create a VLAN that has the same VLAN ID as the VLAN on the switch or router to which you will
connect the controller. Add the uplink port on the controller to this VLAN and configure the port as a
trunk port.
3. Add client VLANs to the trunk port.
4. Configure the default gateway on the controller. This gateway is the IP address of the router to which
you will connect the controller.
5. Configure the loopback interface for the controller.
6. Connect the uplink port on the controller to the switch or router interface.
7. Deploy APs. The APs will use DNS or DHCP to locate the controller.
8. Now configure VLANs on the controller for the wireless client subnetworks and configure SSIDs with
the VLANs assigned for each wireless subnetwork.
Configuring the Controller
The tasks in deploying a basic user-centric network fall into two main areas:
- Configuring and connecting the controller to the wired network (described in this section)
- Deploying APs (described later in this section)
To connect the controller to the wired network:
1. Run the initial setup to configure administrative information for the controller.
Initial setup can be done using the browser-based Setup Wizard or by accessing the initial setup dialog
via a serial port connection. Both methods are described in the ArubaOS Quick Start Guide and are
referred to throughout this chapter as “initial setup.”
2. (Deployment #3) Configure a VLAN to connect the controller to your network. You do not need to
perform this step if you are using VLAN 1 to connect the controller to the wired network.
3. (Optional) Configure a loopback address for the controller. You do not need to perform this step if you
are using the VLAN 1 IP address as the controller’s IP address. Disable spanning tree on the controller if
necessary.
4. Configure the system clock.
5. (Optional) Install licenses; refer to Chapter 35, “Software Licenses” on page 677.
6. Connect the ports on the controller to your network.
This section describes the steps in detail.
Running the Initial Setup
When you connect to the controller for the first time using either a serial console or a Web browser, the
initial setup requires you to set the role (master or local) for the controller and passwords for administrator
and configuration access.
Do not connect the controller to your network when running the initial setup. The factory-default controller boots up
with a default IP address and both DHCP server and spanning tree functions are not enabled. Once you have
completed the initial setup, you can use either the CLI or WebUI for further configuration before connecting the
controller to your network.
The initial setup might require that you specify the country code for the country in which the controller will
operate; this sets the regulatory domain for the radio frequencies that the APs use.
You cannot change the country code for controllers designated for certain countries, such as the U.S.
Improper country code assignment can disrupt wireless transmissions. Many countries impose penalties and
sanctions for operators of wireless networks with devices set to improper country codes.
If none of the channels supported by the AP you are provisioning have received regulatory approval by the country
whose country code you selected, the AP will revert to Air Monitor mode.
The initial setup requires that you configure an IP address for the VLAN 1 interface, which you can use to
access and configure the controller remotely via an SSH or WebUI session. Configuring an IP address for
the VLAN 1 interface ensures that there is an IP address and default gateway assigned to the controller upon
completion of the initial setup.
Connecting to the Controller after Initial Setup
After you complete the initial setup, the controller reboots using the new configuration. (See the ArubaOS
Quick Start Guide for information about using the initial setup.) You can then connect to and configure the
controller in several ways using the administrator password you entered during the initial setup:
- You can continue to use the connection to the serial port on the controller to enter the command line
  interface (CLI). (Refer to Chapter 33, "Management Access" for information on how to access the CLI
  and enter configuration commands.)
- You can connect an Ethernet cable from a PC to an Ethernet port on the controller. You can then use
  one of the following access methods:
  - Use the VLAN 1 IP address to start an SSH session where you can enter CLI commands.
  - Enter the VLAN 1 IP address in a browser window to start the WebUI.
  - Use the WebUI Wizards.
This chapter and the user guide in general focus on CLI and standard WebUI configuration examples. However, basic
controller configuration and WLAN/LAN creation can be completed using the alternative wizards from within the
WebUI. If you wish to use a configuration wizard, navigate to Configuration > Wizards, click on the desired wizard,
and follow the embedded help instructions within the wizard.
Configuring a VLAN for Network Connection
You must follow the instructions in this section only if you need to configure a trunk port between the
controller and another layer-2 switch (shown in “Deployment Scenario #3” on page 51).
This section shows how to use both the WebUI and CLI for the following configurations (subsequent steps
show how to use the WebUI only):
- Create a VLAN on the controller and assign it an IP address.
- Optionally, create a VLAN pool. A VLAN pool consists of two or more VLAN IDs which are grouped
  together to efficiently manage multi-controller networks from a single location. For example, policies
  and virtual application configurations map users to different VLANs which may exist at different
  controllers. This creates redundancy where one controller has to back up many other controllers. With
  the VLAN pool feature you can control your configuration globally.
  VLAN pooling should not be used with static IP addresses.
- Assign to the VLAN the port(s) that you will use to connect the controller to the network. (For example,
  the uplink ports connected to a router are usually Gigabit ports.) In the example configurations shown in
  this section, a controller is connected to the network through its Gigabit Ethernet port 1/25.
- Configure the port as a trunk port.
- Configure a default gateway for the controller.
Creating and Updating a VLAN
You can create and update a single VLAN or bulk VLANs using the WebUI or the CLI. See "Creating and
Updating VLANs" on page 59.
In the WebUI configuration windows, clicking the Save Configuration button saves configuration changes so they
are retained after the controller is rebooted. Clicking the Apply button saves changes to the running configuration but
the changes are not retained when the controller is rebooted. A good practice is to use the Apply button to save
changes to the running configuration and, after ensuring that the system operates as desired, click Save
Configuration.
Viewing Existing VLAN IDs
Use the CLI to view VLAN IDs.
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #show vlan
VLAN CONFIGURATION
------------------
VLAN  Description  Ports
----  -----------  -----
1     Default      FE1/0-3 FE1/6 GE1/8
2     VLAN0002     FE1/5
4     VLAN0004     FE1/4
12    VLAN0012     FE1/7
210   VLAN0210
212   VLAN0212
213   VLAN0213
1170  VLAN1170
Creating, Updating, and Deleting VLAN Pools
VLAN pooling should not be used with static IP addresses.
You can create, update, delete a VLAN pool using the WebUI or the CLI. See “Creating, Updating and
Deleting VLAN Pools” on page 60.
Adding existing VLAN IDs to a VLAN Pool in the CLI
Use the CLI to add existing VLAN IDs to a pool.
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #vlan-name mygroup pool
(host) (config) #vlan mygroup 2,4,12
(host) (config) #
To confirm the VLAN pool status and mapping assignments, use the show vlan mapping command:
(host) (config) #show vlan mapping
VLAN Name  Pool Status  VLAN IDs
---------  -----------  --------
mygroup    Enabled      2,4,12
group123   Disabled
Assigning and Configuring the Trunk Port
The following procedures configure a Gigabit Ethernet port as a trunk port.
In the WebUI
1. Navigate to the Configuration > Network > Ports window on the WebUI.
2. In the Port Selection section, click the port that will connect the controller to the network. In this
example, click port 25.
3. For Port Mode, select Trunk.
4. For Native VLAN, select VLAN 5 from the scrolling list, then click the left (<--) arrow.
5. Click Apply.
In the CLI
interface gigabitethernet 1/25
switchport mode trunk
switchport trunk native vlan 5
To confirm the port assignments, use the show vlan command:
(host) (config) #show vlan
VLAN CONFIGURATION
------------------
VLAN  Name      Ports
----  --------  -----
1     Default   Fa1/0-23 Gig1/24
5     VLAN0005  Gig1/25
Configuring the Default Gateway
The following configurations assign a default gateway for the controller.
In the WebUI
1. Navigate to the Configuration > Network > IP > IP Routes window.
2. To add a new static gateway, click the Add button below the static IP address list.
a. In the IP Address field, enter an IP address in dotted-decimal format.
b. In the Cost field, enter a value for the path cost.
c. Click Add.
3. You can define a dynamic gateway using DHCP, PPPOE or a cell uplink interface. In the Dynamic
section, click the DHCP, PPPoE or Cellular checkboxes to select one or more dynamic gateway
options. If you select more than one dynamic gateway type, you must also define a cost for the route to
each gateway. The controller will first attempt to obtain a gateway IP address using the option with the
lowest cost. If the controller is unable to obtain a gateway IP address, it will then attempt to obtain a
gateway IP address using the option with the next-lowest path cost.
4. Click Apply.
In the CLI
ip default-gateway <ipaddr>|{import cell|dhcp|pppoe}|{ipsec <name>} <cost>
Configuring the Loopback for the Controller
You must configure a loopback address if you are not using a VLAN ID address to connect the controller to
the network (see “Deployment Scenario #3” on page 51).
After you configure or modify a loopback address, you must reboot the controller.
If configured, the loopback address is used as the controller's IP address. If you do not configure a loopback
address for the controller, the IP address assigned to the first configured VLAN interface is used as the
controller's IP address. Generally, VLAN 1 is configured first and its address is used as the controller's IP address.
ArubaOS allows the loopback address to be part of the IP address space assigned to a VLAN interface. In
the example topology, the VLAN 5 interface on the controller was previously configured with the IP address
10.3.22.20/24. The loopback IP address in this example is 10.3.22.220.
You configure the loopback address as a host address with a 32-bit netmask. The loopback address should be
routable from all external networks.
Spanning tree protocol (STP) is enabled by default on the controller. STP ensures a single active path
between any two network nodes, thus avoiding bridge loops. Disable STP on the controller if you are not
employing STP in your network.
In the WebUI
1. Navigate to the Configuration > Network > Controller > System Settings window.
2. Enter the IP address under Loopback Interface.
3. On this window, you can also turn off spanning tree. Click No for Spanning Tree Enabled.
4. Click Apply at the bottom of the window (you might need to scroll down the window).
5. At the top of the window, click Save Configuration. Note that you must reboot the controller for the
new IP address to take effect.
6. Navigate to the Maintenance > Controller > Reboot Controller window.
7. Click Continue.
In the CLI
interface loopback ip address 10.3.22.220
no spanning-tree
write memory
reload
The controller returns the following messages:
Do you really want to reset the system(y/n):
Enter y to reboot the controller or n to cancel.
System will now restart!
...
Restarting system.
To verify that the controller is accessible on the network, ping the loopback address from a workstation on
the network.
Configuring the System Clock
You can manually set the clock on the controller, or configure the controller to use a Network Time
Protocol (NTP) server to synchronize its system clock with a central time source. For more information
about setting the controller’s clock, see “Setting the System Clock” on page 627.
Installing Licenses
ArubaOS consists of a base operating system with optional software modules that you can activate by
installing license keys. If you use the Setup Wizard during the initial setup phase, you will have the
opportunity to install software licenses at that time. Refer to Chapter 35, “Software Licenses” on page 677
for detailed information on Licenses.
Connecting the Controller to the Network
Connect the ports on the controller to the appropriately-configured ports on an L2 switch or router. Make
sure that you have the correct cables and that the port LEDs indicate proper connections. Refer to the
Installation Guide for the controller for port LED and cable descriptions.
In many deployment scenarios, an external firewall is situated between various Aruba devices. Appendix B,
“External Firewall Configuration” describes the network ports that must be configured on the external firewall to
allow proper operation of the network.
To verify that the controller is accessible on the network:
- If you are using VLAN 1 to connect the controller to the network ("Deployment Scenario #2" on page 50
  and "Deployment Scenario #3" on page 51), ping the VLAN 1 IP address from a workstation on the
  network.
- If you created and configured a new VLAN ("Deployment Scenario #3" on page 51), ping the IP address
  of the new VLAN from a workstation on the network.
Additional Configuration
Wireless users can connect to the SSID but because you have not yet configured authentication, policies, or
user roles, they will not have access to the network. Other chapters in the ArubaOS User Guide describe
how to build upon this basic deployment to configure user roles, firewall policies, authentication,
authentication servers, and other wireless features.
Chapter 2
Network Parameters
This chapter describes some basic network configuration on the controller. This chapter describes the
following topics:
- "Configuring VLANs" on page 59
- "Configuring Ports" on page 63
- "About VLAN Assignments" on page 66
- "Configuring Static Routes" on page 72
- "Configuring the Loopback IP Address" on page 73
- "Configuring the Controller IP Address" on page 73
- "Configuring GRE Tunnels" on page 75
Configuring VLANs
The controller operates as a layer-2 switch that uses a VLAN as a broadcast domain. As a layer-2 switch, the
controller requires an external router to route traffic between VLANs. The controller can also operate as a
layer-3 switch that can route traffic between VLANs defined on the controller.
You can configure one or more physical ports on the controller to be members of a VLAN. Additionally,
each wireless client association constitutes a connection to a virtual port on the controller, with
membership in a specified VLAN. You can place all authenticated wireless users into a single VLAN or into
different VLANs, depending upon your network. VLANs can exist only inside the controller or they can
extend outside the controller through 802.1q VLAN tagging.
You can optionally configure an IP address and netmask for a VLAN on the controller. The IP address is up
when at least one physical port in the VLAN is up. The VLAN IP address can be used as a gateway by
external devices; packets directed to a VLAN IP address that are not destined for the controller are
forwarded according to the controller’s IP routing table.
Creating and Updating VLANs
You can create and update a single VLAN or bulk VLANs.
Using the WebUI
1. Navigate to the Configuration > Network > VLANs page.
2. Click Add a VLAN to create a new VLAN. (To edit an existing VLAN click Edit for the VLAN entry.) See
“Create a Bulk VLANs using the WebUI” on page 60 to create a range of VLANs.
3. In the VLAN ID field, enter a valid VLAN ID. (Valid values are from 1 to 4094, inclusive).
4. To add physical ports to the VLAN, select Port. To associate the VLAN with specific port-channels,
select Port-Channel.
5. (Optional) Click the Wired AAA Profile drop-down list to assign an AAA profile to a VLAN. This wired
AAA profile enables role-based access for wired clients connected to an untrusted VLAN or port on the
controller.
Note that this profile will only take effect if the VLAN or port on the controller is untrusted. If you do not
assign an wired AAA profile to the VLAN, the global wired AAA profile applies to traffic from untrusted
wired ports.
6. If you selected Port in step 4, select the ports you want to associate with the VLAN from the Port
Selection window.
   -or-
   If you selected Port-Channel in step 4, click the Port-Channel ID drop-down list, select the specific
   channel number you want to associate with the VLAN, then select the ports from the Port Selection
   window.
7. Click Apply.
Using CLI
(host) (config) #vlan <id>
(host) (config) #interface fastethernet|gigabitethernet <slot>/<port>
(host) (config-if) #switchport access vlan <id>
Create a Bulk VLANs using the WebUI
1. To add multiple VLANs at one time, click Add Bulk VLANs.
2. In the VLAN Range pop-up window, enter a range of VLANs you want to create at once. For example, to
add VLAN IDs numbered 200-300 and 302-350, enter 200-300, 302-350.
3. Click OK.
4. To add physical ports to a VLAN, click Edit next to the VLAN you want to configure and click the port in
the Port Selection section.
5. Click Apply.
Using CLI
(host) (config) #vlan
(host) (config) #vlan range 200-300,302-350
Creating, Updating and Deleting VLAN Pools
You can create, update and delete a VLAN pool.
Creating a VLAN pool using the WebUI
The following configurations create a VLAN Pool named mygroup. VLAN IDs 2, 4 and 12 are then assigned
to the VLAN pool mygroup.
1. Navigate to Configuration > Network > VLAN.
2. Select the VLAN Pool tab to open the VLAN Pool window.
3. Click Add.
4. In the VLAN Name field, enter a name that identifies this VLAN pool. Names must be between 1 and 32
characters; spaces are not allowed. The VLAN name can not be modified; choose the name carefully.
5. In the List of VLAN IDs field, enter the VLAN IDs you want to add to this pool. If you know the ID,
   enter each ID separated by a comma. Or, click the drop-down list to view the IDs, then click the <-- arrow
   to add the ID to the pool.
VLAN pooling should not be used with static IP addresses.
6. You must add two or more VLAN IDs to create a pool.
7. When you finish adding all the IDs, click Add.
The VLAN pool along with its assigned IDs appears on the VLAN Pool window. If the pool is valid (it has
two or more IDs assigned to it), its status is enabled. If you create a VLAN pool and add only one or no
VLAN IDs, its status appears as disabled.
8. Click Apply.
9. At the top of the window, click Save Configuration.
Updating a VLAN Pool
1. On the VLAN Pool window, click Modify next to the VLAN name you want to edit.
2. Modify the list of VLAN IDs. Note that you can not modify the VLAN name.
3. Click Update.
4. Click Apply.
5. At the top of the window, click Save Configuration.
Deleting a VLAN Pool
1. On the VLAN Pool window, click Delete next to the VLAN name you want to delete. A prompt appears.
2. Click OK.
3. Click Apply.
4. At the top of the window, click Save Configuration.
Create a VLAN Pool using the CLI
VLAN pooling should not be used with static IP addresses.
The pool option allows you to create a VLAN pool consisting of two or more VLAN IDs.
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #vlan-name mygroup pool
(host) (config) #
Viewing existing VLAN IDs using CLI
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #show vlan
VLAN CONFIGURATION
------------------
VLAN  Description  Ports
----  -----------  -----
1     Default      FE1/0-3 FE1/6 GE1/8
2     VLAN0002     FE1/5
4     VLAN0004     FE1/4
12    VLAN0012     FE1/7
210   VLAN0210
212   VLAN0212
213   VLAN0213
1170  VLAN1170
Adding existing VLAN IDs using CLI
The following example illustrates adding existing VLAN IDs to a VLAN pool:
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #vlan-name mygroup pool
(host) (config) #vlan mygroup 2,4,12
(host) (config) #
To confirm the VLAN pool status and mapping assignments, use the show vlan mapping command:
(host) (config) #show vlan mapping
VLAN Name  Pool Status  VLAN IDs
---------  -----------  --------
mygroup    Enabled      2,4,12
group123   Disabled
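The following Python validator is an added example, not part of the ArubaOS guide: it encodes the rules stated in this chapter for bulk VLAN ranges ("200-300, 302-350"), VLAN pools (two or more existing IDs, names of 1-32 characters without spaces) and the loopback address of page 56 (a /32 host address that may sit inside a VLAN interface's subnet). Function names and the sample values are assumptions; the checks that a pool only references configured VLANs and that the loopback does not reuse a VLAN interface address are this validator's own sanity checks.

```python
# Added example (not ArubaOS code): pre-flight checks for the VLAN, VLAN pool
# and loopback rules described in this chapter. All names are hypothetical.
import ipaddress
import re
from typing import Dict, List, Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4094          # valid VLAN ID range stated on page 59


def parse_vlan_ranges(text: str) -> List[int]:
    """Parse the bulk-VLAN syntax used by the WebUI, e.g. "200-300, 302-350".

    Returns the sorted, de-duplicated list of VLAN IDs. Raises ValueError on a
    malformed token, a descending range, or an ID outside 1-4094.
    """
    ids: Set[int] = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not match:
            raise ValueError(f"malformed VLAN token: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"descending range: {token!r}")
        for vid in (low, high):
            if not VLAN_MIN <= vid <= VLAN_MAX:
                raise ValueError(f"VLAN ID {vid} outside {VLAN_MIN}-{VLAN_MAX}")
        ids.update(range(low, high + 1))
    return sorted(ids)


def vlan_pool_status(name: str, vlan_ids: List[int],
                     existing_vlans: Set[int]) -> str:
    """Return "Enabled" or "Disabled", as the show vlan mapping column would.

    A pool name is 1-32 characters with no spaces (page 60). A pool is valid,
    and therefore Enabled, only when it holds two or more distinct VLAN IDs.
    Requiring each ID to already exist on the controller is this validator's
    own check, mirroring the guide's "add existing VLAN IDs" procedure.
    """
    if not 1 <= len(name) <= 32 or " " in name:
        raise ValueError("pool name must be 1-32 characters with no spaces")
    distinct = set(vlan_ids)
    missing = distinct - existing_vlans
    if missing:
        raise ValueError(f"VLAN IDs not configured on controller: {sorted(missing)}")
    return "Enabled" if len(distinct) >= 2 else "Disabled"


def check_loopback(loopback: str, vlan_interfaces: Dict[int, str]) -> Optional[int]:
    """Check a proposed loopback address against the rules on page 56.

    The loopback is configured as a host address with a 32-bit netmask and may
    lie inside the address space of a VLAN interface (10.3.22.220 inside the
    VLAN 5 interface 10.3.22.20/24 in the guide's example). Returns the VLAN ID
    whose subnet contains it, or None if it is outside every VLAN subnet.
    Rejecting a loopback equal to a VLAN interface address is an added check.
    """
    lb = ipaddress.ip_interface(loopback)
    if lb.network.prefixlen != 32:
        raise ValueError("loopback must be a /32 host address")
    for vid, cidr in vlan_interfaces.items():
        vlan_if = ipaddress.ip_interface(cidr)
        if lb.ip == vlan_if.ip:
            raise ValueError(f"loopback collides with VLAN {vid} interface address")
        if lb.ip in vlan_if.network:
            return vid
    return None


if __name__ == "__main__":
    # Constructed sample values echoing the guide's examples.
    bulk = parse_vlan_ranges("200-300, 302-350")
    print(f"bulk VLAN range expands to {len(bulk)} VLAN IDs")
    configured = {1, 2, 4, 12, 210, 212, 213, 1170}
    print("mygroup:", vlan_pool_status("mygroup", [2, 4, 12], configured))
    print("group123:", vlan_pool_status("group123", [2], configured))
    print("loopback in VLAN:", check_loopback("10.3.22.220/32", {5: "10.3.22.20/24"}))
```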
Add a Bandwidth Contract to the VLAN
Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. ArubaOS includes an internal
exception list to allow broadcast and multicast traffic using the VRRP, LACP, OSPF, PVST and STP
protocols. To remove per-VLAN bandwidth contract limits on an additional broadcast or multicast protocol,
add the MAC address for that broadcast/multicast protocol to the VLAN Bandwidth Contracts MAC
Exception List.
The command in the example below adds the MAC address for CDP (Cisco Discovery Protocol) and VTP
(Virtual Trunking Protocol) to the list of protocols that are not limited by VLAN bandwidth contracts.
(host) (config) #vlan-bwcontract-explist mac 01:00:0C:CC:CC:CC
To show entries in the VLAN bandwidth contracts MAC exception list, use the show vlan-bwcontract-explist [internal] command:
(host) (config) #show vlan-bwcontract-explist internal
VLAN BW Contracts Internal MAC Exception List
---------------------------------------------
MAC address
-----------
01:80:C2:00:00:00
01:00:0C:CC:CC:CD
01:80:C2:00:00:02
01:00:5E:00:82:11
Optimize VLAN Broadcast and Multicast Traffic
Broadcast and Multicast (BCMC) traffic from APs, remote APs, or distributions terminating on the same
VLAN floods all VLAN member ports. This causes critical bandwidth wastage especially when the APs are
connected to L3 cloud where the available bandwidth is limited or expensive. Suppressing the VLAN BCMC
traffic to prevent flooding can result in loss of client connectivity.
To effectively prevent flooding of BCMC traffic on all VLAN member ports, use the bcmc-optimization
parameter under the interface vlan command. This parameter ensures controlled flooding of BCMC
traffic without compromising the client connectivity. By default this option is disabled. You must enable
this parameter for the controlled flooding of BCMC traffic.
The bcmc-optimization parameter has the following exemptions:
• All DHCP traffic will continue to flood VLAN member ports even if the bcmc-optimization parameter
is enabled.
• The controller will do proxy ARP if the target IP entry exists on the controller. If the target IP does not
exist on the controller, ARP requests will be flooded on all VLAN member ports.
You can configure BCMC optimization in CLI and in the WebUI.
In the CLI
(host) (config) #interface vlan 1
(host) (config-subif)#bcmc-optimization
(host) (config-subif)#show interface vlan 1
VLAN1 is up line protocol is up
Hardware is CPU Interface, Interface address is 00:0B:86:61:5B:98 (bia 00:0B:86:61:5B:98)
Description: 802.1Q VLAN
Internet address is 10.17.22.1 255.255.255.0
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled, BCMC Optimization enable
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 12 day 1 hr 4 min 12 sec
link status last changed 12 day 1 hr 2 min 21 sec
Proxy Arp is disabled for the Interface
In the WebUI
1. Navigate to Configuration > Network > IP.
2. In the IP Interfaces tab, click the Edit button of the VLAN for configuring BCMC optimization.
3. Select the Enable BCMC check box to enable BCMC Optimization for the selected VLAN.
Figure 1 Enable BCMC Optimization
Configuring Ports
Both Fast Ethernet and Gigabit Ethernet ports can be set to access or trunk mode. By default, a port is in
access mode and carries traffic only for the VLAN to which it is assigned. In trunk mode, a port can carry
traffic for multiple VLANs.
For a trunk port, specify whether the port will carry traffic for all VLANs configured on the controller or for
specific VLANs. You can also specify the native VLAN for the port. A trunk port uses 802.1q tags to mark
frames for specific VLANs; however, frames on the native VLAN are not tagged.
Classifying Traffic as Trusted or Untrusted
You can classify wired traffic based not only on the incoming physical port and channel configuration but
also on the VLAN associated with the port and channel.
About Trusted and Untrusted Physical Ports
By default, physical ports on the controller are trusted and are typically connected to internal networks
while untrusted ports connect to third-party APs, public areas, or other networks to which access controls
can be applied. When you define a physical port as untrusted, traffic passing through that port needs to go
through a predefined access control list policy.
About Trusted and Untrusted VLANs
You can also classify traffic as trusted or untrusted based on the VLAN interface and port/channel. This
means that wired traffic on the incoming port is trusted only when the port’s associated VLAN is also
trusted, otherwise the traffic is untrusted. When a port and its associated VLANs are untrusted, any
incoming and outgoing traffic must pass through a predefined ACL. For example, this setup is useful if your
company provides wired user guest access and you want guest user traffic to pass through an ACL to
connect to a captive portal.
You can set a range of VLANs as trusted or untrusted in trunk mode. The following table lists the port and
VLAN trusted/untrusted combinations that determine whether traffic is trusted or untrusted. Both the port
and the VLAN have to be configured as trusted for traffic to be considered trusted. If the traffic is classified
as untrusted, then it must pass through the selected session access control list and firewall policies.
Table 2 Classifying Trusted and Untrusted Traffic
Port       VLAN       Traffic Status
Trusted    Trusted    Trusted
Untrusted  Untrusted  Untrusted
Untrusted  Trusted    Untrusted
Trusted    Untrusted  Untrusted
Configuring Trusted/Untrusted Ports and VLANs
You can configure an Ethernet port as an untrusted access port, assign VLANs and make them untrusted,
and designate a policy through which VLAN traffic on this port must pass.
Using WebUI
1. Navigate to the Configuration > Network > Ports window.
2. In the Port Selection section, click the port you want to configure.
3. In the Make Port Trusted section, clear the Trusted check box to make the port untrusted. The
default is trusted (checked).
4. In the Port Mode section, select Access.
5. From the VLAN ID drop-down list select the VLAN ID whose traffic will be carried by this port.
6. In the Enter VLAN(s) section, clear the Trusted check box to make the VLAN untrusted. The default
is trusted (checked).
7. In the VLAN Firewall Policy drop-down list, select the policy through which VLAN traffic must pass.
You can select a policy for both trusted and untrusted VLANs.
8. From the Firewall Policy section, select the policy from the in drop-down list through which inbound
traffic on this port must pass.
9. Select the policy from the out drop-down list through which outbound traffic on this port must pass.
10. To apply a policy to this session’s traffic on this port and VLAN, select the policy from the session
drop-down list.
11. Click Apply.
Using CLI
In this example,
(host) (config) #interface range fastethernet 1/2
(host) (config-if)#switchport mode access
(host) (config-if)#no trusted
(host) (config-if)#switchport access vlan 2
(host) (config-if)#no trusted vlan 2
(host) (config-if)#ip access-group ap-acl session vlan 2
(host) (config-if)#ip access-group validuserethacl in
(host) (config-if)#ip access-group validuserethacl out
(host) (config-if)#ip access-group validuser session
Configure Trusted/Untrusted Ports and VLANs in Trunk Mode
The following procedures configure a range of Ethernet ports as untrusted native trunk ports, assign
VLANs and make them untrusted, and designate a policy through which VLAN traffic on the ports must pass.
Using the WebUI
1. Navigate to the Configuration > Network > Ports window.
2. In the Port Selection section, click the port you want to configure.
3. For Port Mode select Trunk.
4. To specify the native VLAN, select a VLAN from the Native VLAN drop-down list and click the <-arrow.
5. Choose one of the following options to control the type of traffic the port carries:
• Allow All VLANs Except – The port carries traffic for all VLANs except the ones from this drop-down list.
• Allow VLANs – The port carries traffic for all VLANs selected from this drop-down list.
• Remove VLANs – The port does not carry traffic for any VLANs selected from this drop-down list.
6. To designate untrusted VLANs on this port, click Trusted except. In the corresponding VLAN field
enter a range of VLANs that you want to make untrusted. (In this format, for example: 200-300, 401-500
and so on). Only VLANs listed in this range are untrusted. Or, to make only one VLAN untrusted, select a
VLAN from the drop-down menu.
7. To designate trusted VLANs on this port, click Untrusted except. In the corresponding VLAN field
enter a range of VLANs that you want to make trusted. (In this format, for example: 200-300, 401-500 and
so on). Only VLANs listed in this range are trusted. Or, to make only one VLAN trusted, select a VLAN
from the drop-down menu.
8. To remove a VLAN, click the Remove VLANs option and select the VLAN you want to remove from the
drop-down list and click the left arrow to add it to the list.
9. To designate the policy through which VLAN traffic must pass, click New under the Session Firewall
Policy field.
10. Enter the VLAN ID or select it from the associated drop-down list. Then select the policy, through which
the VLAN traffic must pass, from the Policy drop-down list and click Add. Both the selected VLAN and
the policy appear in the Session Firewall Policy field.
11. When you are finished listing VLAN and policies, click Cancel.
12. Click Apply.
Using CLI
(host) (config) #interface fastethernet 2/0
(host) (config-if)#description FE2/
(host) (config-if)#trusted vlan 1-99,101, 104, 106-199, 201-299
(host) (config-range)# switchport mode trunk
(host) (config-if)#switchport trunk native vlan 100
(host) (config-range)# ip access-group
(host) (config-range)# ip access-group test session vlan 2
About VLAN Assignments
A client is assigned to a VLAN by one of several methods, and there is an order of precedence by which
VLANs are assigned. The VLAN assignment methods are (from lowest to highest precedence):
1. The default VLAN is the VLAN configured for the WLAN (see “Virtual AP Profiles” on page 145).
2. Before client authentication, the VLAN can be derived from rules based on client attributes (SSID,
BSSID, client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence
over a rule that derives a user role that may have a VLAN configured for it.
3. After client authentication, the VLAN can be the VLAN configured for a default role for an authentication
method, such as 802.1x or VPN.
4. After client authentication, the VLAN can be derived from attributes returned by the authentication
server (server-derived rule). A rule that derives a specific VLAN takes precedence over a rule that
derives a user role that may have a VLAN configured for it.
5. After client authentication, the VLAN can be derived from Microsoft Tunnel attributes (Tunnel-Type,
Tunnel Medium Type, and Tunnel Private Group ID). All three attributes must be present. This does not
require any server-derived rule.
6. After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS
server authentication. This does not require any server-derived rule. If a VSA is present, it overrides any
previous VLAN assignment.
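The precedence order above, worked through in code as an added example (not ArubaOS code): each of the six sources is evaluated from lowest to highest precedence, a VLAN-deriving rule outranks a role-deriving rule, the Microsoft tunnel attributes count only when all three are present, and a VSA overrides everything. The Client fields, the rule shape and the VSA key name "Aruba-User-Vlan" are assumptions made for the illustration.

```python
"""Model of the ArubaOS VLAN-assignment precedence described above.

Added example, not ArubaOS code. Six sources are evaluated from lowest to highest
precedence; any higher-precedence source that yields a VLAN overrides the earlier
result. The Client fields, the rule shape and the VSA key name "Aruba-User-Vlan"
are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# RFC 2868 / RFC 3580 values for the Microsoft tunnel attributes. The guide only
# requires all three attributes to be present; checking the values as well is an
# added sanity check, not something the guide states.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Client:
    """Client attributes seen before and after authentication (constructed)."""
    ssid: str
    mac: str
    location: str = ""
    encryption: str = ""
    authenticated: bool = False
    default_role_vlan: Optional[int] = None           # VLAN of the auth method's default role
    server_attrs: dict = field(default_factory=dict)  # attributes returned by the auth server


# A rule pairs a predicate over the client with a result that sets a VLAN or a user role.
Rule = tuple[Callable[[Client], bool], dict]


def apply_rules(client: Client, rules: list[Rule], role_vlans: dict[str, int]) -> Optional[int]:
    """Evaluate derivation rules; a rule deriving a VLAN wins over one deriving a role."""
    vlan_from_role = None
    for predicate, result in rules:
        if not predicate(client):
            continue
        if "vlan" in result:
            return result["vlan"]            # explicit VLAN outranks a role-derived VLAN
        if vlan_from_role is None:
            vlan_from_role = role_vlans.get(result["role"])
    return vlan_from_role


def vlan_from_tunnel_attrs(attrs: dict) -> Optional[int]:
    """Microsoft tunnel attributes derive a VLAN only when all three are present."""
    needed = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
    if not all(name in attrs for name in needed):
        return None
    if (attrs["Tunnel-Type"] != TUNNEL_TYPE_VLAN
            or attrs["Tunnel-Medium-Type"] != TUNNEL_MEDIUM_IEEE_802):
        return None
    return int(attrs["Tunnel-Private-Group-ID"])


def resolve_vlan(client: Client, wlan_default_vlan: int, user_rules: list[Rule],
                 server_rules: list[Rule], role_vlans: dict[str, int]) -> tuple[int, str]:
    """Return (vlan, source) by walking the six sources from lowest to highest precedence."""
    vlan, source = wlan_default_vlan, "wlan-default"                       # 1. WLAN default
    derived = apply_rules(client, user_rules, role_vlans)                   # 2. pre-auth rules
    if derived is not None:
        vlan, source = derived, "user-rule"
    if not client.authenticated:
        return vlan, source           # steps 3-6 apply only after authentication
    if client.default_role_vlan is not None:                                # 3. default role
        vlan, source = client.default_role_vlan, "default-role"
    derived = apply_rules(client, server_rules, role_vlans)                 # 4. server-derived
    if derived is not None:
        vlan, source = derived, "server-rule"
    derived = vlan_from_tunnel_attrs(client.server_attrs)                   # 5. tunnel attrs
    if derived is not None:
        vlan, source = derived, "tunnel-attrs"
    if "Aruba-User-Vlan" in client.server_attrs:                            # 6. VSA (assumed key)
        vlan, source = int(client.server_attrs["Aruba-User-Vlan"]), "vsa"
    return vlan, source


# Constructed rule sets: guests land in VLAN 20 before authentication; the auth
# server may hand back a Class attribute that maps to a role whose VLAN is 40.
USER_RULES: list[Rule] = [(lambda c: c.ssid == "guest", {"vlan": 20})]
SERVER_RULES: list[Rule] = [(lambda c: c.server_attrs.get("Class") == "staff", {"role": "employee"})]
ROLE_VLANS = {"employee": 40}


def demo() -> list[tuple[int, str]]:
    """Run the precedence chain over a few constructed clients."""
    guest = Client(ssid="guest", mac="00:11:22:33:44:55")
    tunnel = Client(ssid="corp", mac="00:11:22:33:44:66", authenticated=True, default_role_vlan=30,
                    server_attrs={"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                                  "Tunnel-Private-Group-ID": "50"})
    partial = Client(ssid="corp", mac="00:11:22:33:44:77", authenticated=True, default_role_vlan=30,
                     server_attrs={"Tunnel-Type": 13, "Tunnel-Private-Group-ID": "50"})
    vsa = Client(ssid="corp", mac="00:11:22:33:44:88", authenticated=True, default_role_vlan=30,
                 server_attrs={"Class": "staff", "Aruba-User-Vlan": "60"})
    return [resolve_vlan(c, 10, USER_RULES, SERVER_RULES, ROLE_VLANS)
            for c in (guest, tunnel, partial, vsa)]


if __name__ == "__main__":
    for vlan, source in demo():
        print(f"VLAN {vlan:<3} (from {source})")
```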
How a VLAN obtains its IP Address
A VLAN on the controller obtains its IP address in one of the following ways:
• Manually configured by the network administrator. This is the default method and is described in
“Assigning a Static Address to a VLAN” on page 66. At least one VLAN on the controller must be assigned
a static IP address.
• Dynamically assigned from a Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol
over Ethernet (PPPoE) server.
Assigning a Static Address to a VLAN
You can manually assign a static IP address to a VLAN on the controller. At least one VLAN on the controller
must be assigned a static IP address.
Using the WebUI
1. Navigate to the Configuration > Network > IP > IP Interfaces page on the WebUI. Click Edit for the
VLAN you just added.
2. Select the Use the following IP address option. Enter the IP address and network mask of the VLAN
interface. If required, you can also configure the address of the DHCP server for the VLAN by clicking
Add.
3. Click Apply.
Using CLI
interface vlan <id>
ip address <address> <netmask>
Configuring a VLAN to Receive a Dynamic Address
In a branch office, you can connect a controller to an uplink switch or server that dynamically assigns IP
addresses to connected devices. For example, the controller can be connected to a DSL or cable modem, or
a broadband remote access server (BRAS). Figure 2 shows a branch office where a controller connects to a
cable modem. VLAN 1 has a static IP address, while VLAN 2 has a dynamic IP address assigned via DHCP or
PPPoE from the uplink device.
Figure 2 IP Address Assignment to VLAN via DHCP or PPPoE (diagram: the controller’s VLAN 1 connects to the local network; VLAN 2 connects to the Internet through a cable modem or BRAS)
Configuring Multiple Wired Uplink Interfaces (Active-Standby)
You can assign up to four VLAN interfaces to operate in active-standby topology. An active-standby
topology provides redundancy so that when an active interface fails, the user traffic can failover to the
standby interface.
To allow the controller to obtain a dynamic IP address for a VLAN, enable the DHCP or PPPoE client on the
controller for the VLAN.
The following restrictions apply when enabling the DHCP or PPPoE client on the controller:
• You can enable the DHCP/PPPoE client on multiple uplink VLAN interfaces (up to four) on the controller;
these VLANs cannot be VLAN 1.
• Only one port in the VLAN can be connected to the modem or uplink switch.
• At least one interface in the VLAN must be in the up state before the DHCP/PPPoE client requests an IP
address from the server.
Enabling the DHCP Client
The DHCP server assigns an IP address for a specified amount of time called a lease. The controller
automatically renews the lease before it expires. When you shut down the VLAN, the DHCP lease is
released.
Using the WebUI
1. Navigate to the Configuration > Network > IP > IP Interfaces page.
2. Click Edit for a previously-created VLAN.
3. Select Obtain an IP address from DHCP.
4. Enter a priority value for the VLAN ID in the Uplink Priority field. By default, all wired uplink
interfaces have the same priority. If you want to use an active-standby topology then prioritize each
uplink interfaces by entering a different priority value (1– 4) for each uplink interface.
Figure 3 Assigning VLAN uplink priority—Active-Standby configuration
5. Click Apply.
Using the CLI
In this example, the DHCP client has the client ID name myclient and the interface VLAN 62 has an uplink
priority of 2.
interface vlan 62 ip address dhcp-client client-id myclient
uplink wired vlan 62 priority 3
Enabling the PPPoE Client
To authenticate to the BRAS and request a dynamic IP address, the controller must have the following
configured:
• PPPoE user name and password to connect to the DSL network
• PPPoE service name — either an ISP name or a class of service configured on the PPPoE server
When you shut down the VLAN, the PPPoE session terminates.
Using the WebUI
1. Navigate to the Configuration > Network > IP > IP Interfaces page.
2. Click Edit for a previously-created VLAN.
3. Select Obtain an IP address with PPPoE.
4. Enter the service name, username, and password for the PPPoE session.
5. Enter a priority value for the VLAN ID in the Uplink Priority field. By default, all wired uplink
interfaces have the same priority. If you want to use an active-standby topology then prioritize each
uplink interfaces by entering a different priority value (1– 4) for each uplink interface.
6. Click Apply.
Using CLI
In this example, a PPPoE service name, username and password are assigned. The interface VLAN 14 has an
uplink priority of 3.
interface vlan 14 ip address pppoe
interface vlan 14 ip pppoe-service-name <service_name>
interface vlan 14 ip pppoe-username <username>
interface vlan 14 ip pppoe-password *****
uplink wired vlan 14 priority 3
Default Gateway from DHCP/PPPoE
You can specify that the router IP address obtained from the DHCP or PPPoE server be used as the default
gateway for the controller.
Using the WebUI
1. Navigate to the Configuration > Network > IP > IP Routes page.
2. For Default Gateway, select (Obtain an IP address automatically).
3. Select Apply.
Using CLI
ip default-gateway import
Configuring DNS/WINS Server from DHCP/PPPoE
The DHCP or PPPoE server can also provide the IP address of a DNS server or NetBIOS name server, which
can be passed to wireless clients through the controller’s internal DHCP server.
For example, the following configures the DHCP server on the controller to assign addresses to
authenticated employees; the IP address of the DNS server obtained by the controller via DHCP/PPPoE is
provided to clients along with their IP address.
Using the WebUI
1. Navigate to the Configuration > Network > IP > DHCP Server page.
2. Select Enable DHCP Server.
3. Under Pool Configuration, select Add.
4. For Pool Name, enter employee-pool.
5. For Default Router, enter 10.1.1.254.
6. For DNS Servers, select Import from DHCP/PPPoE.
7. For WINS Servers, select Import from DHCP/PPPoE.
8. For Network, enter 10.1.1.0 for IP Address and 255.255.255.0 for Netmask.
9. Click Done.
Using CLI
ip dhcp pool employee-pool
default-router 10.1.1.254
dns-server import
netbios-name-server import
network 10.1.1.0 255.255.255.0
Configuring Source NAT to Dynamic VLAN Address
When a VLAN interface obtains an IP address through DHCP or PPPoE, a NAT pool (dynamic-srcnat) and a
session ACL (dynamic-session-acl) are automatically created which reference the dynamically-assigned IP
addresses. This allows you to configure policies that map private local addresses to the public address(es)
provided to the DHCP or PPPoE client. Whenever the IP address on the VLAN changes, the dynamic NAT
pool address also changes to match the new address.
For example, the following rules for a guest policy deny traffic to internal network addresses. Traffic to
other (external) destinations are source NATed to the IP address of the DHCP/PPPoE client on the
controller.
Using the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page. Click Add to add the
policy guest.
2. To add a rule, click Add.
a. For Source, select any.
b. For Destination, select network and enter 10.1.0.0 for Host IP and 255.255.0.0 for Mask.
c. For Service, select any.
d. For Action, select reject.
e. Click Add.
3. To add another rule, click Add.
a. Leave Source, Destination, and Service as any.
b. For Action, select src-nat.
c. For NAT Pool, select dynamic-srcnat.
d. Click Add.
4. Click Apply.
Using CLI
ip access-list session guest
any network 10.1.0.0 255.255.0.0 any deny
any any any src-nat pool dynamic-srcnat
Configuring Source NAT for VLAN Interfaces
The example configuration in the previous section illustrates how to configure source NAT using a policy
that is applied to a user role. You can also enable source NAT for a VLAN interface to cause NAT to be
performed on the source address for all traffic that exits the VLAN.
Packets that exit the VLAN are given a source IP address of the “outside” interface, which is determined by
the following:
• If you configure “private” IP addresses for the VLAN, the controller is assumed to be the default gateway
for the subnetwork. Packets that exit the VLAN are given the IP address of the controller for their source
IP address.
• If the controller is forwarding the packets at Layer-3, packets that exit the VLAN are given the IP address
of the next-hop VLAN for their source IP address.
Example Configuration
In the following example, the controller operates within an enterprise network. VLAN 1 is the outside
VLAN. Traffic from VLAN 6 is source NATed using the IP address of the controller. In this example, the IP
address assigned to VLAN 1 is used as the controller’s IP address; thus traffic from VLAN 6 would be source
NATed to 66.1.131.5.
Figure 4 Example: Source NAT using Controller IP Address (diagram: inside, VLAN 6 with private addresses 192.168.2.1/24; outside, VLAN 1 with public addresses 66.1.131.5/24)
Using the WebUI
1. Navigate to the Configuration > Network > VLANs page. Click Add to configure VLAN 6 (VLAN 1 is
configured through the Initial Setup).
a. Enter 6 for the VLAN ID.
b. Click Apply.
2. Navigate to the Configuration > Network > IP > IP Interfaces page.
3. Click Edit for VLAN 6:
a. Select Use the following IP address.
b. Enter 192.168.2.1 for the IP Address and 255.255.255.0 for the Net Mask.
c. Select the Enable source NAT for this VLAN checkbox.
4. Click Apply.
Using CLI
interface vlan 1
ip address 66.1.131.5 255.255.255.0
interface vlan 6
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip default-gateway 66.1.131.1
Inter-VLAN Routing
On the controller, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and
netmask or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the
VLAN interface. The controller, acting as a layer-3 switch, routes traffic between VLANs that are mapped to
IP subnetworks; this forwarding is enabled by default.
In Figure 5, VLAN 200 and VLAN 300 are assigned the IP addresses 2.1.1.1/24 and 3.1.1.1/24, respectively.
Client A in VLAN 200 is able to access server B in VLAN 300 and vice versa, provided that there is no firewall
rule configured on the controller to prevent the flow of traffic between the VLANs.
Figure 5 Default Inter-VLAN Routing (diagram: Client A in VLAN 200 and Server B in VLAN 300, routed through the controller)
You can optionally disable layer-3 traffic forwarding to or from a specified VLAN. When you disable layer-3
forwarding on a VLAN, the following restrictions apply:
• Clients on the restricted VLAN can ping each other, but cannot ping the VLAN interface on the
controller. Forwarding of inter-VLAN traffic is blocked.
• IP mobility does not work when a mobile client roams to the restricted VLAN. You must ensure that a
mobile client on a restricted VLAN is not allowed to roam to a non-restricted VLAN. For example, a
mobile client on a guest VLAN should not be able to roam to a corporate VLAN.
To disable layer-3 forwarding for a VLAN configured on the controller:
Using the WebUI to restrict VLAN routing
1. Navigate to the Configuration > Network > IP > IP Interface page.
2. Click Edit for the VLAN for which routing is to be restricted.
3. Configure the VLAN to either obtain an IP address dynamically (via DHCP or PPPoE) or to use a static
IP address and netmask.
4. Deselect (uncheck) the Enable Inter-VLAN Routing checkbox.
5. Click Apply.
Using CLI
interface vlan <id>
ip address {<ipaddr> <netmask>|dhcp-client|pppoe}
no ip routing
Configuring Static Routes
To configure a static route (such as a default route) on the controller, do the following:
Using the WebUI
1. Navigate to the Configuration > Network > IP > IP Routes page.
2. Click Add to add a static route to a destination network or host. Enter the destination IP address and
network mask (255.255.255.255 for a host route) and the next hop IP address.
3. Click Done to add the entry. Note that the route has not yet been added to the routing table.
4. Click Apply to add this route to the routing table. The message Configuration Updated Successfully
confirms that the route has been added.
Using CLI
ip route <address> <netmask> <next_hop>
Configuring the Loopback IP Address
The loopback IP address is a logical IP interface that is used by the controller to communicate with APs.
The loopback address is used as the controller’s IP address for terminating VPN and GRE tunnels,
originating requests to RADIUS servers and accepting administrative communications. You configure the
loopback address as a host address with a 32-bit netmask. The loopback address is not bound to any
specific interface and is operational at all times. To use this interface, ensure that the IP address is
reachable through one of the VLAN interfaces. It should be routable from all external networks.
You must configure a loopback address if you are not using VLAN1 to connect the controller to the network.
If the loopback interface address is not configured then the first configured VLAN interface address is
selected. Generally, VLAN 1 is the factory default setting and thus becomes the controller IP address.
Using the WebUI
1. Navigate to the Configuration > Network > Controller > System Settings page and locate the
Loopback Interface section.
2. Modify the IP Address as required.
3. Click Apply.
If you are using the loopback IP address to access the WebUI, changing the loopback IP address will result in
loss of connectivity. Aruba recommends that you use one of the VLAN interface IP addresses to access the
WebUI.
4. Navigate to the Maintenance > Controller > Reboot Controller page to reboot the controller to
apply the change of loopback IP address.
5. Click Continue to save the configuration.
6. When prompted that the changes were written successfully to flash, click OK.
7. The controller boots up with the changed loopback IP address.
Using CLI
interface loopback ip address <address>
write memory
Using the CLI to reboot the controller
Enter the following command in Enable mode:
reload
Configuring the Controller IP Address
The Controller IP address is used by the controller to communicate with external devices such as APs.
You can set the Controller IP address to the loopback interface address or to an existing VLAN ID address.
This allows you to force the controller IP address to be a specific VLAN interface or loopback address
across multiple machine reboots. Once you configure an interface to be the controller IP address, that
interface address cannot be deleted until you remove it from the controller IP configuration.
If the controller IP address is not configured then the controller IP defaults to the current loopback
interface address. If the loopback interface address is not configured then the first configured VLAN
interface address is selected. Generally, VLAN 1 is the factory default setting and thus becomes the
controller IP address.
Using the WebUI
1. Navigate to the Configuration > Network > Controller > System Settings page.
2. Locate the Controller IP Details section.
3. Select the address you want to set the Controller IP to from the VLAN ID drop-down menu. This list only
contains VLAN IDs that have statically assigned IP addresses. If a loopback interface IP address has
been previously configured then it will also appear in this list. Dynamically assigned IP addresses (for
example, DHCP/PPPoE) do not display.
4. Click Apply.
Any change in the controller’s IP address requires a reboot.
5. Navigate to the Maintenance > Controller > Reboot Controller page to reboot the controller to
apply the change of controller IP address.
6. Click Continue to save the configuration.
7. When prompted that the changes were written successfully to flash, click OK.
8. The controller boots up with the changed controller IP address of the selected VLAN ID.
Using CLI
(host) (config) #controller-ip [loopback|vlan <VLAN ID>]
Configuring GRE Tunnels
A controller supports generic routing encapsulation (GRE) tunnels between the controller and APs. An AP
opens a GRE tunnel to the controller for each radio interface. On the AP, the other end of the GRE tunnel is
specified by the IP address configured in the variables (in descending order of priority) <master>,
<servername>, and <serverip>. If these variables are left at their default values, the AP uses DNS to look up
aruba-master to discover the IP address of the controller.
The controller also supports GRE tunnels between the controller and other GRE-capable devices. This
section describes how to configure a GRE tunnel to such a device and how to direct traffic into the tunnel.
The controller uses GRE tunnels for communications between master and local controllers; these GRE tunnels
are automatically created and are not subject to the configuration described in this section.
Creating a Tunnel Interface
To create a GRE tunnel on the controller, you need to specify the following:
• Tunnel ID: this can be a number between 1 and 2147483647.
• IP address and netmask for the tunnel.
• Tunnel source: the local endpoint for the tunnel on the controller. This can be one of the following:
    • Loopback address of the controller
    • A specified IP address
    • A specified VLAN
• Tunnel destination: the IP address of the remote endpoint of the tunnel on the other GRE device.
Using the WebUI
1. Navigate to the Configuration > Network > IP > GRE Tunnels page.
2. Click Add.
3. Enter the tunnel ID.
4. Enter the IP address and netmask for the tunnel.
5. Select (check) Enabled to enable the tunnel interface.
6. Select the tunnel source, if it is not the loopback address of the controller. If you select IP Address, enter
the IP address for the tunnel source. If you select VLAN, select the ID of the VLAN.
7. Enter the IP address of the tunnel destination.
8. Click Apply.
Using CLI
interface tunnel <id>
tunnel mode gre <num> <ip>
ip address <ipaddr> <netmask>
no shutdown
tunnel source {<ipaddr>| loopback | vlan <vlan>}
tunnel destination <ipaddr>
Directing Traffic into the Tunnel
You can direct traffic into the tunnel by configuring one of the following:
• Static route, which redirects traffic to the IP address of the tunnel
• Firewall policy (session-based ACL), which redirects traffic to the specified tunnel ID
Static Routes
You can configure a static route that specifies the IP address of a tunnel as the next-hop for traffic for a
specific destination. See “Configuring Static Routes” on page 72 for descriptions of how to configure a static
route.
Firewall Policy
You can configure a firewall policy rule to redirect selected traffic into a tunnel.
Traffic redirected by a firewall policy rule is not forwarded to a tunnel that is “down” (see “Tunnel
Keepalives” on page 76 for more information on how GRE tunnel status is determined). If you have more
than one GRE tunnel configured, you can create multiple firewall policy rules with each rule redirecting the
same traffic to different tunnels. If the tunnel in the first traffic redirect rule is down, then the tunnel in the
subsequent traffic redirect rule is used instead.
WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to create a new firewall policy, or click Edit to edit a specific policy.
3. Click Add to create a new policy rule.
4. Configure the Source, Destination, and Service for the rule.
5. For Action, select redirect to tunnel. Enter the tunnel ID.
6. Configure any additional options, and click Add.
7. Click Apply.
CLI
ip access-list session <name>
<source> <destination> <service> redirect tunnel <id>
Tunnel Keepalives
The controller can determine the status of a GRE tunnel by sending periodic keepalive frames on the tunnel.
If you enable tunnel keepalives, the tunnel is considered to be “down” if there is repeated failure of the
keepalives. If you configured a firewall policy rule to redirect traffic to the tunnel, traffic is not forwarded to
the tunnel until it is “up”. When the tunnel comes up or goes down, an SNMP trap and a logging message are
generated. The remote endpoint of the tunnel does not need to support the keepalive mechanism.
By default, the controller sends keepalive frames at 60-second intervals and retries keepalives up to three
times before the tunnel is considered to be down. You can reconfigure the intervals from the default. For
the interval, specify a value between 1-86400 seconds. For the retries, specify a value between 0-1024.
Using the WebUI
1. Navigate to the Configuration > Network > IP > GRE Tunnels page.
2. Click Edit for the tunnel for which you are enabling tunnel keepalives.
3. Select (check) Enable Heartbeats to enable tunnel keepalives and display the Heartbeat Interval and
Heartbeat Retries fields.
4. Enter values for Heartbeat Interval and Heartbeat Retries.
5. Click Apply.
Using CLI
interface tunnel <id>
tunnel keepalive [<interval> <retries>]
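The keepalive behaviour above, together with the redirect-rule fallback from “Firewall Policy”, as an added example (not ArubaOS code): a tunnel is declared down once keepalives fail more times in a row than the configured retries, comes back up on the next answered keepalive, and a redirect policy uses the first matching rule whose tunnel is up. The Tunnel and RedirectRule shapes, the range checks and the “status unknown until the first answer” start state are assumptions.

```python
"""Model of GRE tunnel keepalives and redirect-rule fallback described above.

Added example, not ArubaOS code. Each tunnel counts consecutive keepalive
failures; after more failures than `retries` it is marked down, and a single
answered keepalive brings it back up. A redirect policy walks its rules in order
and uses the first matching rule whose tunnel is up. Assumptions: the data
shapes below, and that a tunnel starts in the down state until its first answer.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_INTERVAL = 60   # seconds between keepalives (guide default)
DEFAULT_RETRIES = 3     # failed retries tolerated before the tunnel is down (guide default)


@dataclass
class Tunnel:
    tunnel_id: int
    interval: int = DEFAULT_INTERVAL
    retries: int = DEFAULT_RETRIES
    up: bool = False                 # unknown until the first keepalive is answered (assumption)
    failures: int = 0                # consecutive unanswered keepalives
    events: list[str] = field(default_factory=list)   # stands in for the SNMP trap + log message

    def __post_init__(self) -> None:
        # Ranges stated in the guide: interval 1-86400 seconds, retries 0-1024.
        if not 1 <= self.interval <= 86400:
            raise ValueError("keepalive interval must be 1-86400 seconds")
        if not 0 <= self.retries <= 1024:
            raise ValueError("keepalive retries must be 0-1024")

    def keepalive(self, answered: bool) -> bool:
        """Record one keepalive round trip and return the resulting tunnel status."""
        if answered:
            self.failures = 0
            if not self.up:
                self.up = True
                self.events.append(f"tunnel {self.tunnel_id} up")
        else:
            self.failures += 1
            # The first miss plus `retries` retries must all fail before the tunnel is down.
            if self.up and self.failures > self.retries:
                self.up = False
                self.events.append(f"tunnel {self.tunnel_id} down")
        return self.up


@dataclass
class RedirectRule:
    """One 'redirect tunnel <id>' rule of a session ACL, matched on destination prefix."""
    dst_network: str
    tunnel_id: int


def pick_tunnel(rules: list[RedirectRule], tunnels: dict[int, Tunnel], dst_ip: str) -> Optional[int]:
    """Return the tunnel ID of the first matching rule whose tunnel is up, or None."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if dst not in ipaddress.ip_network(rule.dst_network):
            continue
        if tunnels[rule.tunnel_id].up:
            return rule.tunnel_id
        # Tunnel is down: traffic is not forwarded to it, so the next rule is tried.
    return None


def demo() -> list[Optional[int]]:
    """Constructed scenario: two rules send 10.20.0.0/16 to tunnel 1, then tunnel 2."""
    t1, t2 = Tunnel(1), Tunnel(2)
    tunnels = {1: t1, 2: t2}
    rules = [RedirectRule("10.20.0.0/16", 1), RedirectRule("10.20.0.0/16", 2)]
    for t in (t1, t2):
        t.keepalive(True)                     # both tunnels come up
    chosen = [pick_tunnel(rules, tunnels, "10.20.5.9")]
    for _ in range(DEFAULT_RETRIES):          # three misses: tunnel 1 is still up
        t1.keepalive(False)
    chosen.append(pick_tunnel(rules, tunnels, "10.20.5.9"))
    t1.keepalive(False)                       # fourth miss: tunnel 1 declared down
    chosen.append(pick_tunnel(rules, tunnels, "10.20.5.9"))
    chosen.append(pick_tunnel(rules, tunnels, "192.0.2.7"))   # no rule matches
    t1.keepalive(True)                        # one answer restores tunnel 1
    chosen.append(pick_tunnel(rules, tunnels, "10.20.5.9"))
    return chosen


if __name__ == "__main__":
    print(demo())
```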
Chapter 3
RF Plan
RF Plan is a wireless deployment modeling tool that helps you design an efficient Wireless Local Area
Network (WLAN) that optimizes coverage and performance, without complicated WLAN network setup. RF
Plan provides the following critical functionality:
• Defines WLAN coverage.
• Defines WLAN environment security coverage.
• Assesses equipment requirements.
• Optimizes radio resources.
RF Plan provides a view of each floor, allowing you to specify how you want to provide wireless coverage
for each area. RF Plan also generates coverage maps with AP and AM placement.
Unlike other static site survey tools that require administrators to have intricate knowledge of building
materials and other potential radio frequency (RF) hazards, RF Plan calibrates coverage in real-time
through a sophisticated RF calibration algorithm. This real-time calibration lets you characterize the indoor
propagation of RF signals to determine the best channel and transmission power settings for each AP. You
can program the calibration to occur automatically or you can manually launch the calibration at any time
to quickly adapt to changes in your wireless environment.
This chapter discusses the following topics:
• “Supported Planning” on page 77
• “Before You Begin” on page 78
• “Launching the RF Plan” on page 80
• “Using the FQLN Mapper in the AP Provision Page” on page 103
• “Legacy RF Plan Example” on page 104
A Java-based version of the RF Plan tool allows you to input the serial number or MAC address of each AP. For
information about using the Java-based RF Plan tool, see the RF Plan Installation and User Guide.
Supported Planning
All the features included in the WebUI RF Plan tool aid you in planning legacy deployments and
802.11n standard compliant deployments. The term legacy refers to Aruba APs that are not 802.11n
compliant and support 802.11a and/or 802.11b/g networks only.
This WebUI RF Plan supports planning of the following types of deployments:
• Legacy Deployments—The RF Plan allows you to plan for legacy environments. Legacy refers to
Aruba APs that are not 802.11n compliant and support 802.11a and/or 802.11b/g networks only. Planning
for these environments works in the same way as previous versions of RF Plan.
• 802.11n Deployments—The RF Plan now supports planning of network environments that use
Aruba’s AP-12x series of indoor access points, which are 802.11n compliant. RF Plan supports the
planning of these APs in the following capacity: 802.11a/n, 802.11b/g/n, or 802.11a/b/g/n.
• 802.11n Hotspot Deployment within an Existing Legacy Environment—This version of RF Plan
allows you to plan for an 802.11n hotspot deployment within an existing legacy environment. This type
of environment requires that legacy AP/AM locations be fixed at the building level, see “Fix All
Suggested AP/AMs” on page 99. If you set and fix the location of legacy APs prior to planning for the
802.11n APs, the legacy APs will not move when you initialize/optimize the 802.11n AP locations.
• 802.11n Hotspot Deployment and New Legacy Environment—The RF Plan allows you to plan for a
new deployment that uses an 802.11n hotspot and 802.11a and/or 802.11b/g support outside of the
hotspot.
To plan for this type of deployment, start by planning your 802.11n hotspot. When you initialize and
optimize the APs planned for the hotspot, the 802.11n APs are placed within the hotspot area. However,
the same AP type will also be placed outside of the hotspot area with 802.11n support disabled.
RF Plan will deploy APs outside of the hotspot area based on the 802.11a and/or 802.11b/g rates defined
by the system. For the system to define 802.11a and/or 802.11b/g rates, the system looks at the defined
802.11n rate and the distance covered by the defined rate; it then selects corresponding 802.11a and/or
802.11b/g rates based on the distance covered. Since the APs outside of the 802.11n hotspot area utilize
802.11a/b/g rates only, you can deploy legacy APs in their place if desired.
Before You Begin
Review the following steps to create a building model and plan the WLAN for your model.
Task Overview
1. Gather information about your building’s dimensions and floor plan.
2. Determine the level of coverage you want for your APs and AMs.
3. Create a new building and add its dimensions.
4. Enter the parameters of your AP coverage.
5. Enter the parameters of your AM coverage.
6. Add floors to your building and import the floor plans.
7. Define special areas.
8. Generate suggested AP and AM tables by executing the AP/AM Plan features.
Planning Requirements
You should collect the following information before using RF Plan. Having this information readily available
will expedite your planning efforts.
• Building dimensions
• Number of floors
• Distance between floors
• Number of users and number of users per AP
• Radio type(s)
• Overlap Factor
• Desired data rates for APs
• Desired monitoring rates for AMs
• Areas of your building(s) where you do not necessarily want coverage
• Areas of your building(s) where you do not want or cannot deploy an AP or AM
• Areas of your building(s) where you want to deploy an 802.11n Hotspot (Zone)
• Any area where you want to deploy a fixed AP or AM
Use the worksheets (Table 3, Table 4, and Table 5) to collect your information:
Table 3 Planning Worksheet - Building Dimensions
Height:
Width:
Number of Floors:
Number of Users:
Users per AP:
Radio Types:
AP Type:
Overlap Factor:
802.11a Desired Rate:
802.11n (HT) Support:
Use 40 MHz Channel Spacing:
802.11n Desired Rate:
Table 4 Planning Worksheet - AP Desired Rates (2.4 GHz Radio Properties)
802.11b/g Desired Rate:
802.11n (HT) Support:
Use 40 MHz Channel Spacing:
802.11n Desired Rate:
Table 5 Planning Worksheet - AM Desired Rates
802.11b|g:
802.11a:
Don’t Care/Don’t Deploy Areas:
802.11n Hotspot (Zone) Areas:
If 802.11n (HT) support is enabled, the system will automatically define the 802.11a and/or 802.11b/g rate as
applicable. For details, see “Radio Properties (Desired Rates and HT Support Options)” on page 87.
Launching the RF Plan
This section describes how to launch the RF Plan and enter information in RF Plan windows.
To launch RF Plan from the WebUI, click the Plan tab in the WebUI menu bar. When you launch the RF
Plan, the browser window displays the Campus List page.
Campus List Page
The Campus List is the first page you see when you start RF Plan. This list contains a default campus and
any campus you have defined using the RF Plan software.
Figure 6 Plan>Campus List Window
You may add, edit, and delete campuses using this page. You may also import and export campus
information. Table 6 details the buttons on the Campus page.
Table 6 Definition of Campus List Buttons
New Campus: Use this button to create a new campus.
Browse Campus: Use this button to edit existing campuses from the campus list. To edit a campus, select the checkbox next to the campus name, then click Browse Campus. When you edit a campus, you can access other RF Plan pages.
Rename Campus: Use this button to rename an existing campus in the list. To rename a campus, select the checkbox next to the campus name, then click Rename Campus. A dialog box appears into which you enter the new name of the campus. Click OK to accept the new name, or click Cancel to exit this action.
Delete Campuses: Use this button to delete existing campuses in the list. To delete a campus, select the checkbox next to the building ID, then click Delete Campuses. You can only delete empty campuses. If you attempt to delete a campus that contains one or more buildings, an error message appears.
Export: Use this button to export a database file with all the specifications and background images of one or more selected campuses in the list. See “Exporting and Importing Files” on page 99.
Import: Use this button to import database files that define campuses into the RF Plan list. See “Exporting and Importing Files” on page 99.
AP FQLN Mapper: The AP name is a fully-qualified location name (FQLN) in the format APname.floor.building.campus (the APname portion of the FQLN must be unique). The FQLN is not case sensitive and supports a maximum of 249 characters, including spaces. You can use any combination of characters except a new line, carriage return, and non-printable control characters. You can manually set the FQLN for the AP by clicking the AP FQLN Mapper button. Setting the FQLN will reboot the APs. See “FQLN Mapper” on page 101.
Building List Pane
Edit a campus from the building list pane.
Figure 7 Plan>Building List Pane
You can add, edit, and delete buildings using this page. You may also import and export building
information. The buttons on this page are defined in Table 7.
Table 7 Building List Buttons
New Building: Use this button to create a new building. When you add or edit a building, you can access other RF Plan pages.
Edit Building: Use this button to edit existing buildings in the building list. To edit a building, select the checkbox next to the building ID, then click Edit Building. When you add or edit a building, you can access other RF Plan pages.
Delete Buildings: Use this button to delete existing buildings in the building list. To delete a building, select the checkbox next to the building ID, then click Delete Building.
Export: Use this button to export a database file with all the specifications and background images of one or more selected buildings in the building list. See “Exporting and Importing Files” on page 99.
Import: Use this button to import database files that define buildings into the RF Plan building list. See “Exporting and Importing Files” on page 99.
Locate: Use this button to locate Wi-Fi devices in a building. See “Locate” on page 101.
AP FQLN Mapper: The AP name is a fully-qualified location name (FQLN) in the format APname.floor.building.campus (the APname portion of the FQLN must be unique). The FQLN is not case sensitive and supports a maximum of 249 characters, including spaces. You can use any combination of characters except a new line, carriage return, and non-printable control characters. You can manually set the FQLN for the AP by clicking the AP FQLN Mapper button. Setting the FQLN will reboot the APs. See “FQLN Mapper” on page 101.
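The FQLN rules stated for the AP FQLN Mapper in Table 6 and Table 7 (format, length, character set, unique APname, case insensitivity), checked in Python as an added example rather than ArubaOS code. Splitting on the last three dots, so that an APname may itself contain a dot, is an assumption of this example.

```python
"""Validation helpers for Aruba AP fully-qualified location names (FQLNs).

Added example, not ArubaOS code. Rules taken from the guide: the format is
APname.floor.building.campus, the APname portion must be unique, the FQLN is
not case sensitive, it holds at most 249 characters including spaces, and it
may not contain a new line, carriage return or other non-printable control
character. Assumption: the last three dot-separated fields are floor,
building and campus, and everything before them is the APname.
"""
from typing import Dict, List, NamedTuple

FQLN_MAX_LEN = 249


class Fqln(NamedTuple):
    ap_name: str
    floor: str
    building: str
    campus: str


def fqln_errors(fqln: str) -> List[str]:
    """Return every rule the FQLN violates (an empty list means it is valid)."""
    errors: List[str] = []
    if len(fqln) > FQLN_MAX_LEN:
        errors.append(f"length {len(fqln)} exceeds {FQLN_MAX_LEN} characters")
    # New line and carriage return are control characters themselves, so one
    # test covers all three exclusions the guide lists (ASCII 0-31 and DEL).
    bad = sorted({c for c in fqln if ord(c) < 32 or ord(c) == 127})
    if bad:
        errors.append("contains control characters: "
                      + ", ".join(repr(c) for c in bad))
    parts = fqln.rsplit(".", 3)
    if len(parts) != 4 or any(p == "" for p in parts):
        errors.append("expected the form APname.floor.building.campus")
    return errors


def parse_fqln(fqln: str) -> Fqln:
    """Split a valid FQLN into its four parts; raise ValueError otherwise."""
    errors = fqln_errors(fqln)
    if errors:
        raise ValueError("; ".join(errors))
    ap_name, floor, building, campus = fqln.rsplit(".", 3)
    return Fqln(ap_name, floor, building, campus)


def duplicate_ap_names(fqlns: List[str]) -> Dict[str, List[str]]:
    """Group FQLNs whose APname portion collides. Because the FQLN is not case
    sensitive, 'AP-1' and 'ap-1' count as the same name."""
    seen: Dict[str, List[str]] = {}
    for f in fqlns:
        seen.setdefault(parse_fqln(f).ap_name.lower(), []).append(f)
    return {name: group for name, group in seen.items() if len(group) > 1}
```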
Building Specifications Overview
The Building Specification Overview window displays the default values for a building that you are adding
or the current values for a building that you are modifying.
Figure 8 Plan>New Building>Overview Window
The Overview page includes the following:
• Building Dimensions: Your building’s name and dimensions
• Access Point Modeling Parameters
• Air Monitor Modeling Parameters
• Building Dimension button (in the upper right-hand portion of the page). Click on this button to edit
the building dimensions settings.
When you create or edit information for a building, there are several ways you can navigate through RF Plan
windows:
• The navigation pane on the left side of the browser window displays RF Plan pages in the order in which
they should be accessed when you are creating a new building. If you are editing a building, simply click
on the page you want to display or modify.
• A button for the next page appears in the upper right-hand portion of the page. You can click on this
button to display the next page. For example, the Building Dimension button appears in the Building
Specifications Overview page.
• Clicking Apply on editable pages sequences you to the next page. For example, when you click Apply in
the Building Dimensions page, the AP Modeling Parameters page displays.
Building Dimension Page
The Building Dimension page allows you to specify the name and identification for the building and its
dimensions. Table 8 defines the parameters to insert in this window.
Figure 9 Plan>New Building>Specification Window
Table 8 contains the information for you to enter in the Specification window.
Table 8 New Building Specifications Parameters
Campus Name: Select a campus for this building from the drop-down menu.
Building Name: The Building Name is an alphanumeric string up to 64 characters in length.
Width and Length: Enter the rectangular exterior dimensions of the building. The valid range for this field is any integer from 1 to a value corresponding to 1x10,000. If your building has an irregular shape, the width and length should represent the maximum width and length of the overall footprint of the building as seen from above. When width and length are specified, RF Plan creates a rectangular area in the Planning feature pages that represents the overall area covered by the building. You need to import an appropriate background image (see “Floor Editor Dialog Box” on page 92) to aid you in defining areas that do not require coverage or areas in which you do not wish to deploy APs and AMs (see “Area Editor Dialog Box” on page 93).
Inter-Floor Height: This is the distance between floor surfaces in the building. The valid range for this field is any integer from 1 to a value corresponding to 1x10,000. RF Plan uses the inter-floor height to allow APs on one floor to service users on adjacent floors. If you do not want RF Plan to factor adjacent floors, select a high inter-floor height value (for example, 300). Note: This is not the distance from floor to ceiling. Some buildings have a large space between the interior ceilings and the floor above.
Floors: Enter the number of floors in your building here. The valid range for this field is any integer from 1 to 255. A building can have a maximum of 255 floors. You can also configure negative floor IDs. Negative floor IDs let you allocate floors as sub floors, ground floors, basements or other underground floors, or floors where you do not need to deploy APs. Note: In concert, RF Plan 2.0, MMS 2.0, and ArubaOS 3.1 or later support the concept of negative floor IDs. If your controller is running ArubaOS 2.5 or earlier, or you are running RF Plan 1.0.x or MMS 1.0.x, you cannot configure negative floor IDs. You specify a negative integer when modifying an existing floor; you do not configure negative floor settings when adding a building or adding a floor. For more information, see “Level” on page 92.
Unit: Specify the unit of measurement for the dimensions you specified on the page. The choices are feet and meters.
AP Modeling Parameters Page
The AP Modeling Parameters page allows you to specify the information necessary for RF Plan to
determine the appropriate placement of your APs. These settings are on a per-building basis. If you have a
mix of APs, choose the most common one to define the building parameters.
Figure 10 Plan>New Building>AP Modeling Parameters Window
This window allows you to select or control the parameters as defined in Table 9.
Table 9 AP Modeling Parameters
Radio Type: Use this drop-down menu to specify the radio type. See “Radio Type” on page 86.
AP Type: Aruba AP device. Use the drop-down menu to select the device type. The supported APs listed in the drop-down menu are dependent on the selected radio type.
Design Model: Use the Coverage, Capacity, and Custom radio buttons to specify a design model to use in the placement of APs. See “Design Model” on page 86.
Overlap Factor: Use this field and drop-down to specify an overlap factor. See “Overlap Factor” on page 86.
Users: Use this field to specify the number of users on your WLAN. See “Users/AP” on page 87.
Radio Properties (Desired Rates and HT Support Options): Use this drop-down to define 802.11a, 802.11b/g, and 802.11n settings for the 5 GHz and 2.4 GHz frequency bands, including high-throughput, data rates, and 40 MHz channel spacing. See “Radio Properties (Desired Rates and HT Support Options)” on page 87.
APs: Use this field to enter the fixed number of APs to be used in this building’s network (Custom model only).
Radio Type
Use the drop-down radio type menu to specify radio type of your AP. The available types are defined in
Table 10.
Table 10 Radio Type Definitions
802.11a/b/g: Simultaneous use of 802.11b/g and 802.11a.
802.11b/g: 2.4 GHz, Direct Spread Spectrum (DSSS) multiplexing with data rates up to 11 Mbps, combined with Orthogonal Frequency Division Multiplexing/Complementary Code Keying (OFDM/CCK) with data rates up to 54 Mbps.
802.11a: 5 GHz Orthogonal Frequency Division Multiplexing (OFDM) with data rates up to 54 Mbps.
802.11a/b/g + n: Mixed-mode radio type which allows for simultaneous use of 802.11b/g and 802.11n traffic on the 2.4 GHz frequency band, and 802.11a and 802.11n traffic on the 5 GHz frequency band.
802.11b/g + n: Mixed-mode radio type that allows for simultaneous use of 802.11b/g and 802.11n traffic on the 2.4 GHz frequency band.
802.11a + n: Mixed-mode radio type that allows for simultaneous use of 802.11a and 802.11n traffic on the 5 GHz frequency band.
Select the radio type prior to the AP type. The supported APs listed in the AP type drop-down menu are dependent
on the selected radio type.
Design Model
Three radio buttons, defined in Table 11, allow you to control the kind of model used to determine the
number and type of APs.
Table 11 Design Model Radio Buttons
Coverage: Use this option to let RF Plan automatically determine the number of APs based on desired data rates and the configuration of your building. The higher the data rate, the smaller the coverage area, and the more APs that are required. Coverage is the most common type of installation.
Capacity: Use this option to let RF Plan determine the number of APs based on the total number of users, ratio of users to APs, and desired data rates. Capacity-based coverage is useful for high capacity conference or training rooms, where the APs could have a high volume of users.
Custom: Use this option to specify a fixed number of APs. Custom coverage is useful for deployments with a known number of APs or if you have a fixed project budget.
Overlap Factor
The Overlap Factor is the amount of signal area overlap when the APs are operating. Overlap is important if
an AP fails as it allows the network to self-heal with adjacent APs powering up to assume some of the load
from the failed device. Although there may be no holes in coverage in this scenario, there is likely to be a
loss of throughput. Increasing the overlap allows for higher throughputs when an AP has failed and allows
for future capacity as the number of users increases.
You can select a pre-determined value from the drop-down overlap menu or specify a value in the text box
to the left of the drop-down. The following table describes the available options.
Table 12 Overlap Factor Values
100% Low: Use this option for buildings that contain open spaces such as warehouses.
150% Medium: Use this option for most typical office environments with cubicles and sheetrock walls that have higher WLAN user density than warehouses.
200% High: Use this option for dense deployments such as buildings with poor RF coverage characteristics including buildings with thick brick or concrete walls, lots of metal, or excess RF noise (for example, data centers).
Custom: Use this option to enter a custom rate. For most office spaces, 120% works well. When specifying the custom rate, the valid range is 1% to 1000%.
Users/AP
The Users text boxes are active only when the Capacity model is selected.
Enter the number of users you expect to have on your WLAN in the Users text box. Enter the number of
users per AP you expect in the Users/AP text box.
The numbers entered in these two text boxes must be non-zero integers between 1-255 inclusive.
Radio Properties (Desired Rates and HT Support Options)
Define 802.11a, 802.11b/g, and 802.11n settings for the 5 GHz and 2.4 GHz frequency bands, including high-throughput, data rates, and 40 MHz channel spacing.
Table 13 Radio Properties
802.11a Desired Rate: The desired 802.11a rate defines the estimated transmit rate within the WLAN coverage area. The higher the speed, the smaller the coverage area, and the more APs required. The valid values are: 54, 48, 36, 24, 18, 12, 9, 6. This option is only available when 802.11n (HT) support is disabled (unchecked or grayed out). When an 802.11n radio type, such as 802.11a + n or 802.11a/b/g + n, is selected and 802.11n (HT) support is enabled (checked) on the 5 GHz band, the system will automatically define the 802.11a rate. The system looks at the defined 802.11n rate and the distance covered by the defined rate; the system then selects a corresponding 802.11a rate based on the distance covered.
5 GHz 802.11n (HT) Support: High-throughput is available when utilizing the IEEE 802.11n standard and can be enabled on the 5 GHz frequency band when either the 802.11a + n or 802.11a/b/g + n mixed-mode radio type is selected. The 802.11n (high-throughput) draft standard supports MIMO (Multiple Input, Multiple Output) and the option of 40 MHz mode of operation. However, high-throughput can be utilized on a 20 MHz channel or on a 40 MHz channel (bonded channel pair).
5 GHz 802.11n Desired Rate: The desired 802.11n rate defines the estimated transmit rate within the WLAN coverage area. The higher the speed, the smaller the coverage area, and the more APs required. This option is only available when 802.11n (HT) support is enabled (checked). The valid values when using 20 MHz channel spacing: 6.5, 13.0, 19.5, 26.0, 39.0, 52.0, 58.5, 65.0, 78.0, 104.0, 117.0, 130.0. The valid values when using 40 MHz channel spacing: 13.5, 27.0, 40.5, 54.0, 81.0, 108.0, 121.15, 135.0, 162.0, 216.0, 243.0, 270.0.
5 GHz Use 40 MHz Channel Spacing: 40 MHz operation, which supports higher data rates by utilizing two 20 MHz channels as a bonded pair, requires that high-throughput be enabled (checked). 40 MHz mode is most often utilized on the 5 GHz frequency band due to a greater number of available channels. This option is only available when 802.11n (HT) support is enabled (checked).
802.11b/g Desired Rate: The desired 802.11b/g rate defines the estimated transmit rate within the WLAN coverage area. The higher the speed, the smaller the coverage area, and the more APs required. The valid values are: 54, 48, 36, 24, 18, 12, 9, 6, 11, 5.5, 2, 1. This option is only available when 802.11n (HT) support is disabled (unchecked or grayed out). When an 802.11n radio type, such as 802.11g + n or 802.11a/b/g + n, is selected and 802.11n (HT) support is enabled (checked) on the 2.4 GHz band, the system will automatically define the 802.11b/g rate. The system looks at the defined 802.11n rate and the distance covered by the defined rate; the system then selects a corresponding 802.11b/g rate based on the distance covered.
2.4 GHz 802.11n (HT) Support: High-throughput is available when utilizing the IEEE 802.11n standard and can be enabled on the 2.4 GHz frequency band when either the 802.11g + n or 802.11a/b/g + n mixed-mode radio type is selected. The 802.11n (high-throughput) draft standard supports MIMO (Multiple Input, Multiple Output) and the option of 40 MHz mode of operation. However, high-throughput can be utilized on a 20 MHz channel or on a 40 MHz channel (bonded channel pair).
2.4 GHz 802.11n Desired Rate: The desired 802.11n rate defines the estimated transmit rate within the WLAN coverage area. The higher the speed, the smaller the coverage area, and the more APs required. This option is only available when 802.11n (HT) support is enabled (checked). The valid values when using 20 MHz channel spacing: 6.5, 13.0, 19.5, 26.0, 39.0, 52.0, 58.5, 65.0, 78.0, 104.0, 117.0, 130.0. The valid values when using 40 MHz channel spacing: 13.5, 27.0, 40.5, 54.0, 81.0, 108.0, 121.15, 135.0, 162.0, 216.0, 243.0, 270.0.
2.4 GHz Use 40 MHz Channel Spacing: 40 MHz operation, which supports higher data rates by utilizing two 20 MHz channels as a bonded pair, requires that high-throughput be enabled (checked). Due to a limited number of channels on the 2.4 GHz frequency band, 40 MHz mode is most often utilized on the 5 GHz frequency band where a greater number of channels are available. This option is only available when 802.11n (HT) support is enabled (checked).
AM Modeling Page
The AM Modeling page allows you to specify the information necessary for RF Plan to determine the
appropriate placement of your AMs.
AM coverage rates refer to the rate at which an AM captures packets. RF Plan uses that information to determine the
placement of AMs.
Figure 11 AM Modeling Page
Controls on this page allow you to select the following functions, which are described in more detail in this
section:
Table 14 AM Modeling Radio Buttons
Design Model: Use these radio buttons to specify a design model to use in the placement of AMs. See “Design Models” on page 89.
Monitor Rates: Use this drop-down menu to specify the desired monitor rate for the AMs. See “Monitor Rates” on page 89.
AMs: Use this field to manually specify the number of AMs to deploy (Custom Model only).
Design Models
Two radio buttons on the page allow you to specify the model used to determine the number and type of
APs.
Table 15 Design Model Radio Buttons
Coverage: Use this option to let RF Plan automatically determine the number of AMs based on desired monitor rates and the configuration of the building. Desired rate is selectable from 1 to 54 Mbps in the Coverage model.
Custom: Use this option to specify a fixed number of AMs. When the AM Plan portion of RF Plan is executed, RF Plan distributes the AMs evenly.
The monitor rates you select for the AMs should be less than the data rates you selected for the APs. If you set the
rate for the AMs at a value equal to that specified for the corresponding PHY type AP, RF Plan allocates one AM per
AP. If you specify a monitor rate greater than the data rate, RF Plan allocates more than one AM per AP.
Monitor Rates
Use the drop-down menus to select the desired monitor rates for the 2.4 GHz (802.11b/g) and 5 GHz
(802.11a) frequency bands. The available monitor rates that display in drop-down lists will vary: these rates
are dependent on the radio type selected on AP modeling page and they will also be adjusted to
accommodate for 20 MHz vs. 40 MHz channel spacing when 802.11n (HT) support is enabled.
This option is available only when the coverage design model is selected.
Planning Floors Page
The Planning Floors page enables you to see the footprint of your floors.
You can select or adjust the features as described in Table 16:
Table 16 Floor Planning Features
Zoom: Use this drop-down menu or type a zoom factor in the text field to increase or decrease the size of the displayed floor area. See “Zoom” on page 91.
Approximate Coverage Map (select radio type): Use this drop-down to select a particular radio type for which to show estimated coverage. See “Approximate Coverage Map” on page 91.
Coverage Rate: Use this drop-down to modify the coverage areas based on a different data rate. If a map type has not been selected, this option is not applicable (N/A). See “Coverage Rate” on page 91. The available coverage rates are dependent on the map type and HT mode selected.
Channel: Use this drop-down to select a channel value to apply to the selected map. Note: The country code configured on your controller determines the available channel options. If a map type has not been selected, this option is not applicable (N/A). See “Channel” on page 92.
HT Mode: Use this drop-down to select the AP types you want to view on the coverage map. This drop-down determines if the coverage map will display legacy plus HT APs, legacy only APs, or HT only APs. HT stands for high-throughput. High-throughput APs are compliant with the 802.11n standard. Legacy represents APs that are not compliant with the 802.11n standard and are capable of 802.11a and/or 802.11b/g only support. See “HT Mode” on page 92.
Edit Floor: Click on this link to launch the Floor Editor dialog box. See “Floor Editor Dialog Box” on page 92.
New in Areas section: Click on this link to launch the Area Editor dialog box. See “Area Editor Dialog Box” on page 93.
New in Suggested Access Points and Air Monitors section: Click on this link to launch the Suggested Access Point Editor dialog box. See “Access Point Editor Dialog Box” on page 95.
Status in Deployed Access Points and Air Monitors section: The Status column displays the status of each AP for the floor you are viewing within a live network. Up: AP is up (live). The corresponding AP icon on the floor map will display a live AP icon. Down: AP is down. The corresponding AP icon on the floor map will display with a red “X” over the AP icon symbolizing that the AP is down.
Zoom
The Zoom control sets the viewing size of the floor image. It is adjustable in finite views from 10% to 1000%.
You may select a value from the drop-down zoom menu or specify a value in the text box to the left of the
drop-down. When you specify a value, RF Plan adjusts the values in the drop-down to display a set of values
both above and below the value you typed in the text box.
Approximate Coverage Map
Select a radio type from the Coverage drop-down menu to view the approximate coverage area for each of
the APs that RF Plan has deployed in AP Plan or AM Plan. Adjusting the coverage values help you to
understand how the AP coverage works in your building.
You will not see coverage areas displayed here until you have executed either an AP Plan or an AM Plan.
Figure 12 Coverage Map Example
Coverage Rate
Adjusting the coverage rate also affects the size of the coverage areas for AMs. Adjusting the rate values
help you to understand how the coverage works in your proposed building.
The available coverage rates are dependent on the map type and HT mode selected.
Channel
Select a channel from the Channel drop-down menu for transmitting and receiving electromagnetic signals.
Changing the country code causes the valid channel lists to be reset to the defaults for that country.
HT Mode
Select an HT mode from the drop-down menu, which determines if the coverage map will display legacy
plus HT APs, legacy only APs, or HT only APs.
HT stands for high-throughput. High-throughput APs are compliant with the 802.11n standard.
Legacy represents APs that are not compliant with the 802.11n standard and are capable of 802.11a and/or
802.11b/g only support.
When viewing a plan or coverage map utilizing HT compliant APs, data in the 2.4G HT or 5G HT columns will display
in the Suggested or Deployed Access Points and Air Monitors sections as applicable. These columns indicate if the
AP is in 20 MHz or 40 MHz mode of operation. If operating in 40 MHz mode, the secondary channel also displays in this
column.
Floor Editor Dialog Box
The Floor Editor dialog box allows you to modify the floor level, specify the background image, and name
the floor. The Floor Editor is accessible from the Floors Page by clicking on the Edit Floor link.
Figure 13 Floor Editor Dialog Box
Level
When modifying an existing floor, you can configure it with a negative integer to specify a basement or
some other underground floor on which you do not need or want to deploy APs.
In concert, RF Plan 2.0, MMS 2.0, and ArubaOS 3.1 or later support the concept of negative floor IDs. If your
controller is running ArubaOS 2.5 or earlier, or you are running RF Plan 1.0.x or MMS 1.0.x, you cannot configure
negative floor IDs.
To configure a negative floor, specify a negative integer in the Level field. The valid range is -100 to 255;
however, a building can have a maximum of 255 floors.
Naming
You may name the floor anything you choose as long as the name is an alphanumeric string with a
maximum length of 64 characters. The name you specify appears to the right of the Floor Number displayed
above the background image in the Planning view.
Background Images
You can import a background image (floor plan image) into RF Plan for each floor. A background image is
extremely helpful when specifying areas where coverage is not desired or areas where an AP/AM is not to
be physically deployed.
Use the guidelines in this section when importing background images. By becoming familiar with these
guidelines, you can ensure that your graphic file is edited properly for pre- and post-deployment planning.
• Edit the image—Use an appropriate graphics editor to edit the file as needed.
• Scale the image—If the image is not scaled, proportional triangulation and heat map displays can be
incorrect when the plan is deployed.
• Calculate image dimensions—Calculate the image pixels per foot (or meter) against a known
dimension. Use that value to calculate the width and length of the image.
• Leave a border around the image—When creating the image, leave a border around the image to help
triangulate Wi-Fi devices outside of the building.
• Multiple floors—If your building has multiple floors, make sure there is a common anchor point for all
floors; for example, an elevator shaft, a staircase, and so on.
• Larger dimensions—Use larger dimensions only for scaling to more accurately calculate the full
dimensions. For best results, keep final floor images at 2048 x 2048 pixels or smaller.
Select a background image using the Browse button on the Floor Editor dialog box.

File Type and Size
Background images must be JPEG format and may not exceed 2048 X 2048 pixels in size. Attempting to
import a file with a larger pixel footprint than that specified here results in the image not scaling to fit
the image area in the floor display area.
Because background images for your floors are embedded in the XML file that defines your building, you
should strongly consider minimizing the file size of the JPEGs that you use for your backgrounds. You
can minimize the file size by selecting the maximum compression (lowest quality) in most graphics
programs.
The ArubaOS WebUI displays floor plans using Adobe Flash Player, which does not support progressive JPEG
images. If you have a progressive JPEG image you want to use as background image, open the image in an image
editing program and re-save the image with standard/baseline compression.

Image Scaling
Images are scaled (stretched) to fit the display area. The display area aspect ratio is determined by the
building dimensions specified on the Dimension page.
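The file-type, pixel-size and baseline-versus-progressive rules above can be checked before a floor plan is attached, which is worth doing because the image is later embedded in the building XML that you export and import. The following Python script is an added example and is not part of this guide or of RF Plan itself: it walks only the JPEG marker structure (SOI, then the first SOF segment) to report the frame dimensions and whether the file is progressive, and it builds a constructed JPEG prefix so the checks can be exercised without a real image. The 2048 x 2048 limit and the baseline requirement are the ones stated in the text; the marker values are from the JPEG standard.

```python
import struct

MAX_DIM = 2048  # RF Plan limit from the guide: background images may not exceed 2048 x 2048 pixels

# SOF (start of frame) markers that carry the frame dimensions (JPEG standard, Table B.1).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
# Of those, the progressive DCT variants, which the Flash-based floor display cannot render.
PROGRESSIVE_SOF = {0xC2, 0xC6, 0xCA, 0xCE}


def jpeg_frame_info(data):
    """Return (sof_marker, width, height) from the first SOF segment, or None if data is not a JPEG."""
    if len(data) < 4 or data[0:2] != b"\xff\xd8":  # every JPEG starts with the SOI marker
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost marker sync; treat as not a usable JPEG
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length field
            pos += 2
            continue
        if marker in (0xD9, 0xDA):  # EOI or scan data reached before any SOF
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            if pos + 9 > len(data):
                return None
            # SOF layout: length(2) precision(1) height(2) width(2) components(1) ...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return marker, width, height
        pos += 2 + seg_len  # skip APPn, DQT, DHT, COM and similar segments
    return None


def check_background_image(data):
    """Return the problems that would stop RF Plan using this image; an empty list means it is usable."""
    info = jpeg_frame_info(data)
    if info is None:
        return ["not a JPEG file"]
    marker, width, height = info
    problems = []
    if marker in PROGRESSIVE_SOF:
        problems.append("progressive JPEG (re-save with standard/baseline compression)")
    if width > MAX_DIM or height > MAX_DIM:
        problems.append(f"{width}x{height} exceeds {MAX_DIM}x{MAX_DIM}")
    return problems


def make_jpeg_header(sof_marker, width, height):
    """Constructed JPEG prefix (SOI + JFIF APP0 + one SOF + EOI) for testing; not a decodable image."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof = struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x22\x00"  # one component
    return b"\xff\xd8" + app0 + bytes([0xFF, sof_marker]) + sof + b"\xff\xd9"


if __name__ == "__main__":
    for label, blob in (("baseline 1024x768", make_jpeg_header(0xC0, 1024, 768)),
                        ("progressive 1024x768", make_jpeg_header(0xC2, 1024, 768)),
                        ("baseline 4096x2048", make_jpeg_header(0xC0, 4096, 2048))):
        print(label, "->", check_background_image(blob) or "OK")
```

Run it against a real floor-plan file by passing `open(path, "rb").read()` to `check_background_image`; only the header bytes are inspected, so large files are handled quickly.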
Area Editor Dialog Box
The Area Editor dialog box allows you to specify areas on your building floors where you either do not care
about coverage, or where you do not want to place an AP or AM.
Open the Area Editor dialog box by clicking New in the Areas section.
You specify these areas by placing them on top of the background image using the Area Editor.
Figure 14 Area Editor Dialog Box
Naming
Logical name of area, as an alphanumeric string consisting of 1 to 64 characters. Aruba recommends that
you provide a meaningful name to the area to ensure that it is readily identifiable.
Location and Dimensions
Specify absolute coordinates for the lower left corner and upper right corner of the box that represents the
area being defined.
• Begin the measurement with the lower left corner of the rectangular display area that represents your
building’s footprint.
• The coordinates of the upper right-hand corner of the display area are the absolute values of the
dimensions you provided for the building.
Location settings are zero-based. Values range from 0 to (height - 1) and (width - 1). For example, the
coordinates of the upper right corner for a building that measures 200 ft. wide x 400 ft. in length would be
199 and 399.
The unit of measurement displayed as either feet or meters is based on your building settings. See “Building
Dimension Page” on page 83 for details about configuring building parameters.
You may also use the drag and drop feature of the Area Editor to drag your area to where you want it and
resize it by dragging one or more of the handles displayed in the corners of the area.
Area Types
Select one of the area types from the drop-down menu: Don’t Care, Don’t Deploy, or 802.11n Zone.
• Don’t Care: Coverage is not required in the area specified in this dialog box. This specification typically
applies to areas where coverage cannot be guaranteed.
This setting results in the display of an orange rectangle at the associated area in the floor diagram.
• Don’t Deploy: No APs are to be positioned in the area specified in this dialog box.
This setting results in display of a yellow rectangle at the associated area in the floor diagram.
• 802.11n Zone: 802.11n compliant APs are required to be positioned in the area specified in this dialog
box only. When utilizing legacy AP types on the same floor, 802.11n APs can be restricted to a specified
zone, creating an 802.11n hotspot.
This setting results in display of a green rectangle at the associated area in the floor diagram.
When deploying a hotspot on a floor utilizing legacy APs, ensure that the existing AP/AM locations are fixed at the
building level. If existing AP/AM locations are fixed, legacy AP/AMs will not move from their fixed locations during
initialization or optimization. See “Fix All Suggested AP/AMs” on page 98. In this instance, the only APs that will move
during initialization or optimization are the 802.11n APs within the specified hotspot.
You cannot right-click within an existing area to add another area inside of it. For instance, if a Don’t Care
or Don’t Deploy Area needs to overlap with an 802.11n Zone, you must create each of the areas outside of
one another and then move them to the correct position of overlap. You can click and drag the areas to the
appropriate positions of overlap, or you can right-click on the area to modify its location.
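The zero-based coordinate rules from Location and Dimensions, and the note above about areas that must overlap, are easy to get wrong when areas are typed in by hand or assembled outside the editor. The following Python code is an added example, not part of this guide or of RF Plan: it validates an area rectangle against the building dimensions (the largest valid corner being width - 1, length - 1, so 199 and 399 for the 200 x 400 building in the text) and reports which named areas overlap. The area names and coordinates in `EXAMPLE_AREAS` are constructed for illustration.

```python
def area_problems(building_width, building_length, left, bottom, right, top):
    """Return the rules an area rectangle breaks; an empty list means the area fits the floor.

    Coordinates are zero-based whole units (feet or meters, per the building settings) measured
    from the lower left corner of the floor, so the largest valid corner is
    (width - 1, length - 1): 199, 399 for the guide's 200 x 400 building.
    """
    max_x, max_y = building_width - 1, building_length - 1
    problems = []
    corners = (("Left", left), ("Bottom", bottom), ("Right", right), ("Top", top))
    for name, value in corners:
        if not isinstance(value, int) or value < 0:
            problems.append(f"{name}={value!r} must be a non-negative whole number")
    if problems:
        return problems  # do not compare values that are not valid whole units
    if left > right:
        problems.append(f"Left={left} is greater than Right={right}")
    if bottom > top:
        problems.append(f"Bottom={bottom} is greater than Top={top}")
    if right > max_x:
        problems.append(f"Right={right} exceeds width-1={max_x}")
    if top > max_y:
        problems.append(f"Top={top} exceeds length-1={max_y}")
    return problems


def areas_overlap(a, b):
    """True when two (left, bottom, right, top) rectangles share at least one unit cell.

    Corners are inclusive, so two areas that meet on the same column or row overlap there.
    This is the case the guide describes for a Don't Care or Don't Deploy area placed over
    an 802.11n Zone: each area is created separately and then moved into position.
    """
    a_left, a_bottom, a_right, a_top = a
    b_left, b_bottom, b_right, b_top = b
    return not (a_right < b_left or b_right < a_left or a_top < b_bottom or b_top < a_bottom)


def overlapping_pairs(areas):
    """Given {name: (left, bottom, right, top)}, list the name pairs whose rectangles overlap."""
    names = sorted(areas)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if areas_overlap(areas[x], areas[y])]


# Constructed example: the 200 ft x 400 ft building from the text, with three non-overlapping areas.
EXAMPLE_AREAS = {
    "Shipping and Receiving": (0, 0, 59, 79),      # Don't Care
    "Lobby": (140, 0, 199, 39),                    # Don't Deploy
    "Conference hotspot": (100, 200, 160, 260),    # 802.11n Zone
}


if __name__ == "__main__":
    for name, rect in EXAMPLE_AREAS.items():
        print(name, area_problems(200, 400, *rect) or "OK")
    print("overlaps:", overlapping_pairs(EXAMPLE_AREAS))
```

The checks mirror the Left, Bottom, Right and Top fields of the Area Editor, so a rectangle that passes `area_problems` can be entered there without being clipped or rejected.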
Access Point Editor Dialog Box
The Access Point Editor allows you to manually create or modify a suggested AP.
To create an AP, open the Access Point Editor dialog box by clicking New in the Suggested Access Points
and Air Monitors section.
To modify an existing AP, place the cursor over the AP and click it to display the Suggested Access Point
Editor dialog box.
Figure 15 Access Point Editor
Naming
RF Plan automatically names APs using the default convention ap number, where number starts at 1 and
increments by one for each new AP. When you manually create an AP, the new AP is assigned the next
number and is added to the bottom of the suggested AP list.
You may name an AP anything you wish. The name must consist of alphanumeric characters and be 64
characters or less in length.
Fixed
Fixed APs do not move when RF Plan executes the positioning algorithm.
You might typically set a fixed AP when you have a specific room, such as a conference room, in which you want
saturated coverage. You might also want to consider using a fixed AP when you have an area that has an unusually
high user density.
Choose Yes or No from the drop-down menu. Choosing Yes locks the position of the AP as it is shown in the
coordinate boxes of the Access Editor. Choosing No allows RF Plan to move the AP as necessary to achieve
best performance.
Radio Types
The Radio drop-down menu allows you to specify what frequency band the AP uses. You can choose from
one of the following:
• 802.11a/b/g (2.4 GHz and 5 GHz frequency bands)
• 802.11a (5 GHz frequency band)
• 802.11b/g (2.4 GHz frequency band)
802.11n (HT) support features are available on the 2.4 or 5 GHz frequency band. The availability of these options on
these frequency bands is dependent on the radio (frequency band) chosen and whether or not these features were
enabled on the AP modeling page at the building level.
X and Y Coordinates
The physical location of the AP is specified by X-Y coordinates that begin at the lower left corner of the
display area. The numbers you specify in the X and Y text boxes are whole units. The Y-coordinate
increases as a point moves up the display and the X-coordinate increases as it moves from left to right
across the display.
802.11 Types
The 802.11 b/g and 802.11a Type drop-down menus allow you to choose the mode of operation for the AP.
You may choose to set the mode of operation to Access Point or Air Monitor.
802.11 Channels
The 802.11a and 802.11b/g channel drop-down menus allow you to select from the available channels.
The available channels vary depending on the regulatory domain (country) in which the device is being operated.
802.11 Power Levels
The power level drop-down menus allow you to specify the transmission power of the AP. Choices are OFF,
0, 1, 2, 3, and 4. A setting of 4 applies the maximum Effective Isotropic Radiated Power (EIRP) allowed in
the regulatory domain (country) in which you are operating the AP.
802.11n Features
• 802.11n (HT) Support (2.4 or 5 GHz): Specify if 802.11n high-throughput support should be enabled
on this AP.
In order to enable high-throughput on a new AP being added to the plan at the floor level, 802.11n (HT)
support must first be enabled at the building level within the AP modeling parameters. If not, this option
will be grayed out. See “AP Modeling Parameters Page” on page 84 for details about AP modeling
parameters.
• Use 40 MHz Channel (2.4 or 5 GHz): Specify if 802.11n high-throughput support should utilize a 40
MHz channel (bonded channel pair).
In order to select a valid 40 MHz channel for a new AP being added at the floor level, use of 40 MHz
channel spacing must first be enabled at the building level within the AP modeling parameters. If not,
this option will be grayed out. See “AP Modeling Parameters Page” on page 84 for details about AP
modeling parameters.
If high-throughput is enabled and use of a 40 MHz channel pair is not enabled, a 20 MHz channel will be
utilized.
Memo
The Memo text field allows you to enter notes regarding the AP. You can enter a maximum of 256
alphanumeric characters in the Memo field.
AP Plan Page
The AP Plan page uses the information entered in the modeling pages to locate APs in the building(s) you
described. All of the options on the Floors page can also be viewed and configured on the AP Plan page. The
AP Plan page also includes some additional options, such as initializing, optimizing, and fixing AP/AM
locations.
Figure 16 AP Planning
Initialize
Initialize the Algorithm by clicking the Initialize button. This makes an initial placement of the APs and
prepares RF Plan for the task of determining the optimum location for each of the APs. As soon as you click
Initialize you see the AP symbols appear on the floor plan.
Colored circles around the AP symbols on the floor plan indicate the approximate coverage of the
individual AP and the color of the circle represents the channel on which the AP is operating. The circles
appear when you select an approximate coverage value on one of the Floors pages. You may also click an
AP icon and drag it to manually reposition it.
Optimize
Click Optimize to launch the optimizing algorithm. The AP symbols move on the page as RF Plan finds the
optimum location for each.
The process may take several minutes. You may watch the progress on the status bar of your browser. The
algorithm stops when the movement is less than a threshold value calculated based on the number of APs.
The threshold value may be seen in the status bar at the bottom of the browser window.
Viewing the Results
The results of the optimizing algorithm may be viewed two ways: graphically and in a table of suggested APs.
You may obtain information about a specific AP by placing the cursor over its symbol. An information box
appears that contains information regarding location, radio type, high-throughput support, channel(s), and
power.
The Suggested Access Points and Air Monitors table lists the coordinates, power, location, power setting,
high-throughput support, and channel(s) for each of the APs that are shown in the floor plan.
Fix All Suggested AP/AMs
Fix existing AP/AM locations at the building level. If AP/AM locations are fixed, AP/AMs will not move from
their fixed locations during initialization or optimization. Clicking on this button will fix the locations of
existing APs and AMs. You only need to click this button on either the AP or AM Plan page.
Use this feature when planning an environment that utilizes legacy AP/AMs and 802.11n standard AP/AMs. If you set
and fix the location of legacy devices prior to planning for the 802.11n devices, the legacy AP/AMs will not move
when you initialize/optimize the 802.11n AP/AM locations.
AM Plan Page
The AM Plan page uses the information entered in the modeling pages to locate AMs in the building(s) you
described and calculate the optimum placement for the AMs. All of the options on the Floors page can also
be viewed and configured on the AM Plan page. The AM Plan page also includes some additional options,
such as initializing, optimizing, and fixing AP/AM locations.
Initialize
Initialize the Algorithm by clicking Initialize. This makes an initial placement of the AMs and prepares RF
Plan for the task of determining the optimum location for each of the AMs. When you click Initialize, the
AM symbols appear on the floor plan.
Optimize
Click Optimize to launch the optimizing algorithm. The AM symbols move on the page as RF Plan finds the
optimum location for each.
The process may take several minutes. You may watch the progress on the status bar of your browser. The
algorithm stops when the movement is less than a threshold value calculated based on the number of AMs.
The threshold value may be seen in the status bar at the bottom of the browser window.
Viewing the Results
Viewing the results of the AM Plan feature is similar to that for the AP Plan feature.
The results of the optimizing algorithm may be viewed two ways: graphically and in a table of suggested AMs.
You may obtain information about a specific AM by placing the cursor over its symbol. An information box
appears that contains information about the exact location, PHY type, high-throughput support, channel,
power, and so on.
The Suggested Access Points and Air Monitors table lists the coordinates, power, location, power setting,
and channel for each of the AMs that are shown in the floor plan.
Fix All Suggested AP/AMs
Fix existing AP/AM locations at the building level. If AP/AM locations are fixed, AP/AMs will not move from
their fixed locations during initialization or optimization. Clicking on this button will fix the locations of
existing APs and AMs. You only need to click this button on either the AP or AM Plan page.
Use this feature when planning an environment that utilizes legacy AP/AMs and 802.11n standard AP/AMs. If you set
and fix the location of legacy devices prior to planning for the 802.11n devices, the legacy AP/AMs will not move
when you initialize/optimize the 802.11n AP/AM locations.
Exporting and Importing Files
Both the Campus List page and the Building List page have Export and Import buttons, which allow you to
export and import files that define the parameters of your campus and buildings. You can export a file so
that it may be imported into and used to automatically configure a controller. On a controller, you can
import a file that has been exported from another controller or from the standalone version of RF Plan that
runs as a Windows application.
The WebUI version of RF Plan only supports JPEG file formats for background images.
The files that you export and import are XML files and, depending on how many buildings are in your
campus, floors are in your buildings, and how many background images you have for your floors, the XML
files may be quite large. (See “Background Images” on page 92.)
In order for the WebUI RF Plan tool to import and read a standalone plan that incorporates 802.11n standard APs and
was originally created in the Java-based standalone RF Plan tool, the plan must be exported out from the standalone
tool using the Controller WebUI Format (version 3.0).
Export Campus
To export a file that defines the parameters of one or more campuses, including all of its associated
buildings, select the campus(es) to be exported in the Campus List page and then click Export.
After you click the Export button, you are prompted to include the background images.
When exporting a campus file, Aruba recommends that you click OK to export the background images. If
you click Cancel, the exported file does not include the background images. The File Download window
appears.
From the File Download window, click Save to save the file. The Save As dialog box appears. From here,
navigate to the location where you want to save the file and enter the name for the exported file. When
naming your exported file, be sure to give the file the .XML file extension, for example, My_Campus.XML.
Exported campus files include detailed information about the campus and the selected building(s).
Import Campus
You can import only XML files exported from another controller or from the standalone version of RF Plan
that runs as a Windows application.
Importing any other file, including XML files from other applications, may result in unpredictable results.
To import a file that defines the building parameters of one or more campuses, click the Import button in
the Campus List page. The Import Buildings page appears, as described in “Import Buildings Page” on
page 100.
Export Buildings Page
To export a file that defines the parameters of one or more buildings, select the building(s) to be exported
in the Building List page and then click Export.
After you click the Export button, you are prompted to include the background images.
When exporting a building file, Aruba recommends that you click OK to export the background images. If
you click Cancel, the exported file does not include the background images. The File Download window
appears.
From the File Download window, click Save to save the file. The Save As dialog box appears. From here,
navigate to the location where you want to save the file and enter the name for the exported file. When
naming your exported file, be sure to give the file the .XML file extension, for example, My_Building.XML.
Exported building files include the name of the campus to which the building belongs; however, detailed
campus parameters are not included.
Import Buildings Page
You can import only XML files exported from another controller or from the standalone version of RF Plan
that runs as a Windows application.
Importing any other file, including XML files from other applications, may result in unpredictable results.
To import a file that defines the parameters of one or more buildings, click the Import button in the
Building List page.
In the Import Buildings page, click Browse to select the file to be imported, then click the Import button.
Locate
The Locate button on the Building List page allows you to search for APs, AMs, monitored clients, etc. on a
building by building basis. To use this feature, select the building in which you want to search, and click
Locate.
The Target Devices table displays information on each of these devices. To add a device, click Add Device.
To delete a device, click Remove Device. To select a device, click Choose Devices.
FQLN Mapper
Both the Campus List page and the Building List page have the AP FQLN Mapper button, which allows you
to create a fully-qualified location name (FQLN) for the specified AP/AM in the format
APname.Floor.Building.Campus. This format replaces the AP location ID format used in ArubaOS 2.5 and
earlier.
The FQLN is not case sensitive and supports a maximum of 249 characters, including spaces. You can use
any combination of characters except a new line, carriage return, and non-printable control characters.
If the AP was provisioned with ArubaOS 3.1 or later, the FQLN for the AP is automatically set.
You can use the FQLN mapper for multiple purposes, including:
• Searching for deployed APs/AMs
• Configuring the AP name in the form APname.Floor.Building.Campus
• Modifying the location of APs
To use this feature, select one or more campuses from the Campus List page, or one or more buildings from
the Building List page, and click AP FQLN Mapper.
The AP FQLN Mapper page appears. From here, you can search for deployed APs by entering one or more
parameters in the Search fields, view the results in the Search Results table, configure the FQLN, and
modify the location of an AP.
To search for deployed APs, enter information in the Search fields and click Search.
You can perform a search based on one or more of the following AP properties:
Table 17 AP Property Search
Property        Description
AP Name         Logical name of the AP or AM. You can enter a portion of the name to widen the search.
Wired MAC       MAC address of the AP or AM. You can enter a portion of the MAC address to widen the search.
IP Address      IP address of the AP or AM. You can enter a portion of the IP address to widen the search.
FQLN            Fully-qualified location name of the AP, in the form APname.floor.building.campus. You can
                enter a portion of the FQLN to widen the search.
Serial Number   Serial number of the AP. You can enter a portion of the serial number to widen the search.
Status          Current state of the AP, including Up/Down/Any.
Use the drop-down list to the right of the Number of results per page to specify the number of APs to display
in the search results.
After entering the search criteria, you can either click Reset to clear the entries or click Search to search
for APs. If you click Search, the results are displayed in the Search Result table:
You can view the information in ascending or descending order. By default, the display is in ascending
order, based on the AP name (the white arrow indicates the row that is being used to sort the information).
Left-click on a column head to view the information in ascending or descending order (you may need to
click multiple times to get the desired display).
In addition to displaying AP names, wired MAC addresses, serial numbers, IP addresses, FQLNs, and AP
status, the Search Result table displays the AP type and when it was last updated.
From here you can modify the attributes that create the FQLN for the selected AP, using the following drop-down lists:
• Campus—Displays the campus where the AP is deployed. To deploy the AP in a different campus, select
a campus from the drop-down list. The Campus defines the buildings and floors displayed.
This drop-down list only displays the existing campuses that you are managing. To add a new campus, see “Campus
List Page” on page 80.
• Building—Displays the building where the AP is deployed. To deploy the AP in a different building,
select a building from the drop-down list.
This drop-down list only displays the available buildings in the selected campus. To add a
new building, see “Building List Pane” on page 81.
• Floor—Displays the floor where the AP is deployed. To deploy the AP on a different floor, select a floor
from the drop-down list.
This drop-down list only displays the available floors in the selected building. To add a new floor, see “Planning
Floors Page” on page 90.
To submit your changes, click Set FQLN. Setting the FQLN reboots the APs.
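The FQLN rules in this section (the APname.Floor.Building.Campus form, the 249-character limit, the ban on newline, carriage return and other non-printable control characters, and case-insensitive matching) and the partial-value search behaviour of Table 17 can both be expressed in a few functions. The Python below is an added example, not part of this guide or of the controller's own code: it builds and validates an FQLN, compares two FQLNs case-insensitively, and filters a constructed AP inventory the way the Search fields do, returning results in ascending AP-name order as the Search Result table does by default. The records in `SAMPLE_APS` (names, MAC addresses, IPs, serial numbers) are constructed values.

```python
import re

FQLN_MAX_LEN = 249  # maximum length stated in the guide, spaces included
# Newline, carriage return and other non-printable control characters are not permitted.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_fqln(fqln):
    """Return the first rule the FQLN breaks, or None when it is acceptable."""
    if len(fqln) > FQLN_MAX_LEN:
        return f"FQLN is {len(fqln)} characters; the maximum is {FQLN_MAX_LEN}"
    if _CONTROL_CHARS.search(fqln):
        return "FQLN contains a newline, carriage return or other control character"
    return None


def build_fqln(ap_name, floor, building, campus):
    """Join the components into APname.Floor.Building.Campus and reject an invalid result."""
    fqln = ".".join((ap_name, floor, building, campus))
    problem = validate_fqln(fqln)
    if problem is not None:
        raise ValueError(problem)
    return fqln


def same_fqln(a, b):
    """Case-insensitive comparison: the guide states the FQLN is not case sensitive."""
    return a.casefold() == b.casefold()


# Constructed inventory records shaped like the columns of the Search Result table.
SAMPLE_APS = [
    {"ap_name": "ap1", "wired_mac": "02:1a:2b:00:00:01", "ip": "10.1.1.11",
     "fqln": "ap1.Entrance Level.My Building.My Campus", "serial": "SN0000001", "status": "Up"},
    {"ap_name": "ap2", "wired_mac": "02:1a:2b:00:00:02", "ip": "10.1.1.12",
     "fqln": "ap2.Second Level.My Building.My Campus", "serial": "SN0000002", "status": "Up"},
    {"ap_name": "am1", "wired_mac": "02:1a:2b:00:00:03", "ip": "10.1.1.13",
     "fqln": "am1.Entrance Level.My Building.My Campus", "serial": "SN0000003", "status": "Down"},
]

# Properties where entering a portion of the value widens the search (Table 17).
SUBSTRING_FIELDS = ("ap_name", "wired_mac", "ip", "fqln", "serial")


def search_aps(aps, status="Any", **partial):
    """Filter records as the Search fields do: each text property is matched as a case-insensitive
    substring, Status is Up, Down or Any, and results are sorted ascending by AP name."""
    for field in partial:
        if field not in SUBSTRING_FIELDS:
            raise ValueError(f"unknown search property {field!r}")
    hits = []
    for ap in aps:
        if status != "Any" and ap["status"].casefold() != status.casefold():
            continue
        if all(value.casefold() in ap[field].casefold() for field, value in partial.items()):
            hits.append(ap)
    return sorted(hits, key=lambda ap: ap["ap_name"].casefold())


if __name__ == "__main__":
    print(build_fqln("ap3", "Second Level", "My Building", "My Campus"))
    for ap in search_aps(SAMPLE_APS, status="Up", fqln="entrance"):
        print(ap["ap_name"], ap["fqln"])
```

Because `build_fqln` validates the joined string rather than the components, a control character smuggled into any one component (for example a campus name pasted with a trailing newline) is caught before the value reaches the Set FQLN step, which reboots the APs.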
Using the FQLN Mapper in the AP Provision Page
The AP Provision page (available from Configuration > Wireless > AP Installation) allows you to set an
FQLN during the AP provisioning process.
Scroll to the FQLN Mapper near the bottom of the AP Provision page to modify the following attributes that
create the FQLN:
• Campus
• Building
• Floor
The AP name appears in the AP List at the bottom of the page and will be used when provisioning the AP. To
rename an AP, enter the new name in the AP Name field.
If you enable MMS and use the RF Live application to design, plan, and monitor your network and RF environment,
the campus, building, and floor drop-down lists will only show N/A. With MMS enabled, the WebUI RF Plan
application is not available.
To retain the old FQLN value when reprovisioning an AP, do not select the Overwrite FQLN checkbox.
However, if you configure new values for the campus, building, and floor settings, the FQLN value is
changed, even if the Overwrite FQLN checkbox is selected. To remove a previously configured value, you
can select N/A for a specific attribute.
If you provision more than one AP, the selected value for the campus, building, and floor is based on the
first selected AP and applies to all APs. Only the AP name will be different as each AP must have a unique
name.
Using the WebUI
1. Navigate to the Configuration > Wireless > AP Installation page. The list of discovered APs appears
in the page.
2. Select the AP for which you want to set an FQLN, and click Provision.
3. Modify the FQLN attributes:
• In the Provisioning page, scroll to the FQLN Mapper near the bottom of the page and modify the
campus, building, and floor attributes.
• Optionally, if you want to rename an AP, scroll to the AP List at the bottom of the page and enter the
new name in the AP Name field. For more information about AP names, see Chapter 4, “Access
Points”.
4. Click Apply and Reboot.
Using CLI
Reprovisioning the AP causes it to automatically reboot. When configuring the FQLN, you may also
provision other AP settings.
The following example assumes you are not renaming an AP. For more information about AP names, see
Chapter 4, “Access Points”.
provision-ap
read-bootinfo ap-name <name>
copy-provisioning-params ap-name <name>
fqln <name>
reprovision ap-name <name>
Legacy RF Plan Example
This section guides you through the process of creating a building and populating it with legacy APs and
AMs using RF Plan. Ensure you have sample JPEG floor images handy for walking through this planning
example.
Sample Building
Table 18 lists the information to be used in this coverage-based legacy planning example.
Table 18 Sample Building
Building Dimensions
  Height: 100
  Width: 100
  Number of Floors: 2
User Information
  Number of Users: N/A
  Users per AP: N/A
  Radio Types: 802.11a/b/g/n
  AP Type: AP-93
  Overlap Factor: 150% (Medium)
AP Desired Rates (5 GHz Radio Properties)
  802.11a Desired Rate: 48 Mbps
  802.11n (HT) Support: N/A
  Use 40 MHz Channel Spacing: N/A
  802.11n Desired Rate: N/A
AP Desired Rates (2.4 GHz Radio Properties)
  802.11b/g Desired Rate: 48 Mbps
  802.11n (HT) Support: N/A
  Use 40 MHz Channel Spacing: N/A
  802.11n Desired Rate: N/A
AM Desired Rates
  802.11b|g: 24 Mbps
  802.11a: 24 Mbps
Don’t Care/Don’t Deploy Areas
  Shipping & Receiving = Don’t Care
  Lobby = Don’t Deploy
802.11n Hotspot (Zone) Areas
  N/A
Create a Building
In this section you create a building using the information supplied in the planning table.
1. In the Campus List, select New Campus. Enter: My Campus and click OK.
2. In the Campus List, select the checkbox next to My Campus, and click Browse Campus.
3. Click New Building. The Overview page appears.
4. Click Save. A dialog box appears that indicates the new building was saved successfully. Click OK to
close the dialog box.
5. Click Building Dimension. The Specification page appears.
6. Enter the following information in the text boxes.
Table 19 Create a Building
Text Box              Information
Campus Name           My Campus (the name is automatically populated based on what you entered in step 1)
Building Name         My Building
Width                 100
Length                100
Inter Floor Height    20
Units                 Feet
Floors                2
7. Click Save. A dialog box appears that asks if you want to save and reload this building now since the
building name was changed. Click OK to accept.
Another dialog box appears stating that the building was saved successfully. Click OK to close the dialog
box.
8. Click Apply. RF Plan returns you to the Overview page.
Model the Access Points
You now determine how many APs are required to cover your building with a specified data transfer rate
and overlap.
In this example, you use the Coverage Model. The following are assumed about the performance of the
WLAN:
• Radio Types: 802.11a/b/g/n
• AP Type: AP-93
• Overlap factor: Medium (150%)
• 802.11a desired rate: 48 Mbps
• 802.11b desired rate: 48 Mbps
1. From the navigation tree, Click on Modeling:AP under Building Specification. The AP Modeling
Parameters page appears.
2. Select 802.11 a|b|g|n from the Radio Type drop-down menu.
3. Select Medium from the Overlap Factor drop-down menu.
4. Notice that the percentage shown at the left of the drop-down menu changes to 150%.
5. Select 48 from the 802.11 b|g Desired Rate drop-down menu.
6. Select 48 from the 802.11 a Desired Rate drop-down menu.
7. Click Save, then OK.
8. Click Apply. RF Plan moves to the AM Modeling Parameters page.
Model the Air Monitors
You now determine how many AMs are required to provide a specified monitoring rate. In this example you
continue to use the Coverage Model and make the following assumptions:
• 802.11 b|g monitor rate: 24 Mbps
• 802.11 a monitor rate: 24 Mbps
1. Select 24 from the 802.11 b|g Monitor Rate drop-down menu.
2. Select 24 from the 802.11 a Monitor Rate drop-down menu.
3. Click Save, then OK.
4. Click Apply. RF Plan moves to the Planning page.
Add and Edit a Floor
You now add floor plans to your floors. In this section you:
• Add a background image floor plan for each floor
• Name the floors
The information in this section assumes that you have a JPEG file that you can use as a sample background image
when re-creating the steps.
Adding the background image and naming the first floor
1. In the Planning page, click the Edit Floor link at the right of the Floor 1 indicator. The Floor Editor
dialog box appears.
2. Enter: Entrance Level in the Name box of the Floor Editor Dialog.
3. Use the Browse button to locate the background image for the 1st floor.
4. Click Apply.
Adding the background image and naming the second floor
1. Click the Edit Floor link at the right of the Floor 2 indicator.
2. Enter: Second Level in the Name box of the Floor Editor Dialog.
3. Use the Browse button to locate the background image for the 2nd floor.
4. Click Apply.
5. Click Save on the Planning page, then OK.
Defining Areas
Before you advance to the AP and AM Planning pages, define special areas, such as Don’t Care, Don’t
Deploy, or 802.11n Zone. This example includes a Don’t Care and a Don’t Deploy Area.
This example assumes the following:
• We do not care if we have coverage in the Shipping and Receiving Area
• We do not want to deploy APs or AMs in the Lobby Area
Creating a Don’t Care Area
You can zoom in on the floor plan using the Zoom drop-down near the top of the AP Planning page, or type a zoom
value in the text box at the left of the drop-down and press the enter key on your keyboard. For example, enter a
zoom factor of 400.
1. In the Planning page, click the New link in the Areas section under Floor 1 (named Entrance Level).
This opens the Area Editor.
2. Enter: Shipping and Receiving in the Name text box in the Area Editor.
3. Select Don’t Care from the Type drop-down menu box.
4. Click Apply.
Notice that an orange box appears near the center of the floor plan.
5. Use your mouse (or other pointing device) to place the cursor over the box.
Notice that the information you typed in the editor appears in the box. You see the name and type of
area, as well as the coordinates of the lower left corner and upper right corner of the box.
The x = 0 and y = 0 coordinates correspond to the lower left corner of the layout space.
6. Using your mouse, left-click and drag the box to the area of your floor plan that will represent the
shipping and receiving area.
7. To position the Don’t Care box, drag one corner of the box to a corresponding corner and using one of
the corner handles of the box, stretch it to fit.
You can also position the box by entering values in the Left, Bottom, Right, and Top fields.
8. Click Save, then OK.
Creating a Don’t Deploy Area
1. Click the New link in the Areas section under Floor 1 (named Entrance Level) to open the Area
Editor.
2. Enter: Lobby in the Name text box in the Area Editor.
3. Select Don’t Deploy from the Type drop-down menu box.
4. Click Apply.
Notice that a yellow box appears near the center of the floor plan.
5. Use your mouse (or other pointing device) to place the cursor over the box.
Notice that the information you typed in the editor appears in the box. You see the name and type of
area, as well as the coordinates of the lower left corner and upper right corner of the box.
The x = 0 and y = 0 coordinates correspond to the lower left corner of the layout space.
6. Using your mouse, left-click and drag the box to the area of your floor plan that you wish to designate
as the Lobby Area.
7. To position the Don’t Deploy box, drag one corner of the box to a corresponding corner and using one
of the corner handles of the box, stretch it to fit.
You can also position the box by entering values in the Left, Bottom, Right, and Top fields.
8. Click Save, then OK.
Running the AP Plan
In this section you run the algorithm that searches for the best place to put the APs.
1. From the navigation tree, click AP Plan under the Planning section. The AP Planning page appears.
You might want to zoom in on the floor plan. Zoom in using the zoom drop-down near the top of the AP
Planning page, or type a zoom factor in the text box at the left of the drop-down and press the enter key
on your keyboard.
Try entering a zoom factor of 400.
Notice that the number of required APs displays towards the top of the page, which represents the same
value that you saw when you modeled your APs on the AP Modeling Parameters page. Notice that the
APs are not yet displayed on the floor plan.
2. Click Initialize.
You should see the required total number of AP symbols appear on the two floor diagrams. Also notice
that the Suggested Access Points tables below each floor diagram have been populated with information
about the suggested APs for each corresponding floor.
3. Click Optimize.
After you Initialize the APs you must optimize the algorithm. The APs move around on the floor plans as
the algorithm is running.
The algorithm stops when the movement is less than a threshold value calculated based on the number
of APs. The threshold value may be seen in the status bar at the bottom of the browser window.
To see the approximate coverage areas of each of the APs, select an AP type from the Approx. Coverage
drop-down box and select a rate from the Coverage Rate drop-down box.
4. Click Save, then OK.
Running the AM Plan
Running the AM Plan algorithm is similar to running the AP Plan.
1. From the navigation tree, click AM Plan under the Planning section. The AM Planning page appears.
2. Click Initialize then Optimize.
The algorithm stops when the movement is less than a threshold value calculated based on the number
of AMs. The threshold value may be seen in the status bar at the bottom of the browser window.
3. Click Save, then OK.
Chapter 4
Access Points
In ArubaOS, related configuration parameters are grouped into profiles that you can apply as needed to an
AP group or to individual APs. When an AP is first installed on the network and powered on, the AP locates
its host controller and the AP’s designated configuration is “pushed” from the controller to the AP. This
chapter gives an overview of the basic function of each AP profile, and describes the process to install and
configure the APs on your network.
The following topics are included in this chapter:
• “Basic Functions and Features” on page 111
• “AP Configuration Profiles” on page 114
• “Profile Hierarchy” on page 119
• “Deploying APs” on page 121
• “Provisioning Installed APs” on page 125
• “Configuring a Provisioned AP” on page 129
• “Managing RF Interference” on page 137
• “AP Channel Assignments” on page 140
• “AP Console Settings” on page 143
Basic Functions and Features
You configure APs using the WebUI and the CLI on the controller. Table 20 lists the basic configuration
functions and features.
Table 20 AP Configuration Function Overview
Features and Function    Description

Wireless LANs
    A wireless LAN (WLAN) permits wireless clients to connect to the network. An AP broadcasts the
    SSID (which corresponds to a WLAN configured on the controller) to wireless clients. APs
    support multiple SSIDs. WLAN configuration includes the authentication method and the
    authentication servers by which wireless users are validated for access.
    The WebUI includes a WLAN Wizard that provides easy-to-follow steps to configure a new
    WLAN.
    NOTE: All new WLANs are associated with the ap-group named “default”.

AP operation
    An Aruba AP can function as an AP that serves clients, as an air monitor (AM) performing
    network and radio frequency (RF) monitoring, or as a hybrid AP that both serves clients and
    performs spectrum analysis on a single radio channel. You can also specify the regulatory domain
    (the country), which determines the 802.11 transmission spectrum in which the AP will operate.
    Within the regulated transmission spectrum, you can configure 802.11a, 802.11b/g, or 802.11n
    (high-throughput) radio settings.
    Note: The 802.11n features, such as high-throughput and 40 MHz configuration settings, are
    supported on APs that are 802.11n standard compliant.

Quality of Service (QoS)
    Configure Voice over IP call admission control options and bandwidth allocation for 5 GHz
    (802.11a) or 2.4 GHz (802.11b/g) frequency bands of traffic.

RF management
    Configure settings for balancing wireless traffic across APs, detect holes in radio coverage, or
    other metrics that can indicate interference and potential problems on the wireless network.
    Adaptive Radio Management (ARM) is an RF spectrum management technology that allows
    each AP to determine the best 802.11 channel and transmit power settings. ARM provides
    several configurable settings.

Intrusion Detection System
    Configure settings to detect and disable rogue APs, ad-hoc networks, and unauthorized
    devices, and prevent attacks on the network. You can also configure signatures to detect and
    prevent intrusions and attacks.

Mesh
    Configure Aruba APs as mesh nodes to bridge multiple Ethernet LANs or extend wireless
    coverage. A mesh node is either
    • a mesh portal—an AP that uses its wired interface to reach the controller
    • or a mesh point—an AP that establishes a path to the controller via the mesh portal
    Mesh environments use a wireless backhaul to carry traffic between mesh nodes. This allows
    one 802.11 radio to carry traditional WLAN services to clients and one 802.11 radio to carry
    mesh traffic as well as WLAN services. Chapter 8, “Secure Enterprise Mesh” on page 225
    contains more specific information on the Mesh feature.
AP Names and Groups
In the Aruba user-centric network, each AP has a unique name and belongs to an AP group.
Each AP is identified with an automatically-derived name. The default name depends on whether the AP has
been previously configured.
• The AP has not been configured—the name is the AP’s Ethernet MAC address in colon-separated
hexadecimal digits.
• Configured with a previous ArubaOS release—the name is in the format building.floor.location
You can assign a new name (up to 63 characters) to an AP; the new name must be unique within your
network. For example, you can rename an AP to reflect its physical location within your network, such as
“building3-lobby”.
Renaming an AP requires a reboot of the AP before the new name takes effect. Therefore, if you need to do this, there
should be little or no client traffic passing through the AP.
In RF Plan or RF Live, the AP name can be part of a fully-qualified location name (FQLN) in the format
APname.floor.building.campus. The APname portion of the FQLN must be unique.
An AP group is a set of APs to which the same configuration is applied. There is an AP group called
“default” to which all APs discovered by the controller are assigned. By using the “default” AP group, you
can configure features that are applied globally to all APs.
You can create additional AP groups and assign APs to that new group. However, an AP can belong to only
one AP group at a time. For example, you can create an AP group “Victoria” that consists of the APs that are
installed in a company’s location in British Columbia. You can create another AP group “Toronto” that
consists of the APs in Ontario. You can configure the “Toronto” AP group with different information from
the APs in the “Victoria” AP group (see Figure 17).
Figure 17 AP Groups
[Figure: the “default”, “Victoria”, and “Toronto” AP groups. NOTE: An AP can belong to only one AP group
at a time.]
While you can use an AP group to apply a feature to a set of APs, you can also configure a feature or option
for a specific AP by referencing the AP’s name. Any options or values that you configure for a specific AP
will override the same options or values configured for the AP group to which the AP belongs.
The following procedures describe how to create an AP group and, because all discovered APs initially
belong to the AP group named “default”, how to reassign an AP to your newly-created AP group.
Reassigning an AP from an AP group requires a reboot of the AP for the new group assignment to take effect.
Therefore, if you need to do this, there should be little or no client traffic passing through the AP.
Creating an AP group
You can use the WebUI or the CLI to create a new AP group.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration > AP Group page.
2. Click New. Enter the new AP group name and click Add. The new AP group appears in the Profile list.
Creating an AP group in the CLI
Use the following command to create an AP group:
ap-group <group>
When you create an AP group with the CLI, you can specify the virtual AP definitions and configuration
profiles you want applied to the APs in the group.
Assigning APs to an AP group
Although you will assign an AP to an AP group when you first deploy the device, you can assign an AP to a
different AP group at any time.
Once the ap-regroup command is executed, the AP automatically reboots. If the AP is powered off or otherwise not
connected to the network or controller, the executed command is queued until the AP is powered on or reconnected.
Again, the AP will automatically reboot as soon as the command is executed.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Installation page. The list of discovered APs appears
in this page (all discovered APs initially belong to the AP group named “default”).
2. Select the AP you want to reassign, and click Provision. From the Provisioning page, select the AP
group from the drop-down menu.
3. Click Apply and Reboot.
In the CLI
Use the following command to assign a single AP to an existing AP group. Use the WebUI to assign multiple
APs to an AP group at the same time.
ap-regroup {ap-name <name>|serial-num <number>|wired-mac <macaddr>} <group>
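The naming and grouping rules above (default name taken from the wired MAC, new names unique and at most 63 characters, one AP group per AP, AP-specific values overriding group values, and ap-regroup rebooting the AP or queuing until an offline AP reconnects) as a small Python model. This is an added illustration, not ArubaOS code; the MAC addresses, IP addresses and the `lms_ip` setting name are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_GROUP = "default"   # every discovered AP starts in this group
MAX_AP_NAME_LEN = 63


@dataclass
class AccessPoint:
    wired_mac: str                        # colon-separated hex Ethernet MAC
    online: bool = True
    name: Optional[str] = None            # None: the AP has never been configured
    group: str = DEFAULT_GROUP
    overrides: Dict[str, str] = field(default_factory=dict)  # AP-specific values
    pending_group: Optional[str] = None   # ap-regroup queued while the AP was offline
    reboots: int = 0

    def effective_name(self) -> str:
        # A never-configured AP is named by its Ethernet MAC address.
        return self.name if self.name is not None else self.wired_mac


class Controller:
    def __init__(self) -> None:
        self.groups: Dict[str, Dict[str, str]] = {DEFAULT_GROUP: {}}
        self.aps: Dict[str, AccessPoint] = {}  # keyed by wired MAC

    def ap_group(self, group: str, **settings: str) -> None:
        # 'ap-group <group>': create the group, or add settings to an existing one.
        self.groups.setdefault(group, {}).update(settings)

    def discover(self, wired_mac: str, online: bool = True) -> AccessPoint:
        # A newly discovered AP always lands in the 'default' group.
        ap = AccessPoint(wired_mac=wired_mac, online=online)
        self.aps[wired_mac] = ap
        return ap

    def rename(self, wired_mac: str, new_name: str) -> None:
        # New AP names are at most 63 characters and unique within the network.
        if not 0 < len(new_name) <= MAX_AP_NAME_LEN:
            raise ValueError("AP name must be 1 to 63 characters")
        taken = {ap.effective_name() for mac, ap in self.aps.items() if mac != wired_mac}
        if new_name in taken:
            raise ValueError(f"AP name {new_name!r} is already in use")
        ap = self.aps[wired_mac]
        ap.name = new_name
        ap.reboots += 1          # the new name takes effect only after a reboot

    def ap_regroup(self, wired_mac: str, group: str) -> str:
        # 'ap-regroup wired-mac <macaddr> <group>': an AP belongs to exactly one group.
        if group not in self.groups:
            raise KeyError(f"AP group {group!r} does not exist")
        ap = self.aps[wired_mac]
        if not ap.online:
            ap.pending_group = group   # queued until the AP is powered on or reconnected
            return "queued"
        ap.group = group
        ap.reboots += 1                # the AP reboots as soon as the command executes
        return "rebooted"

    def reconnect(self, wired_mac: str) -> str:
        # When the AP comes back, a queued ap-regroup runs (and reboots it) at once.
        ap = self.aps[wired_mac]
        ap.online = True
        if ap.pending_group is None:
            return "no-op"
        pending, ap.pending_group = ap.pending_group, None
        return self.ap_regroup(wired_mac, pending)

    def effective_config(self, wired_mac: str) -> Dict[str, str]:
        # Group-level settings first; values configured for the specific AP override them.
        ap = self.aps[wired_mac]
        merged = dict(self.groups[ap.group])
        merged.update(ap.overrides)
        return merged


def walkthrough() -> dict:
    c = Controller()
    c.ap_group(DEFAULT_GROUP, lms_ip="10.0.0.1")   # 'lms_ip' is a hypothetical setting name
    c.ap_group("Victoria", lms_ip="10.1.0.1")
    c.ap_group("Toronto", lms_ip="10.2.0.1")
    vic = c.discover("00:0b:86:c1:2d:3e")                 # online
    tor = c.discover("00:0b:86:c1:2d:3f", online=False)   # powered off
    default_name = vic.effective_name()
    c.rename(vic.wired_mac, "building3-lobby")
    try:
        c.rename(tor.wired_mac, "building3-lobby")        # duplicate name must be rejected
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    vic.overrides["lms_ip"] = "10.1.0.99"                 # per-AP override beats the group value
    return {
        "default_name": default_name,
        "duplicate_rejected": duplicate_rejected,
        "online_regroup": c.ap_regroup(vic.wired_mac, "Victoria"),
        "offline_regroup": c.ap_regroup(tor.wired_mac, "Toronto"),
        "after_reconnect": c.reconnect(tor.wired_mac),
        "toronto_group": tor.group,
        "victoria_reboots": vic.reboots,
        "victoria_lms_ip": c.effective_config(vic.wired_mac)["lms_ip"],
    }
```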
AP Configuration Profiles
ArubaOS has a predefined version of each profile named “default.” You can use these default profiles or
create new profiles that you can edit as required. You can also change the values of any parameter in a
profile. ArubaOS gives you the flexibility of applying the default versions of profiles in addition to
customizing profiles that are necessary for the AP or AP group to function.
For example, if your wireless network includes a master controller in Boston and a local controller in
Toronto, you may want to segregate the APs into two AP groups: an AP group named “default” for the APs
in Boston, and an AP group named “Toronto” for the APs in Toronto. Now, suppose you wanted the APs in
Boston to boot from the master controller and the APs in Toronto to boot from their local controller. You
would need to create a second instance of the AP system profile, configure that profile to allow the APs to
boot from the local controller, then apply it to the “Toronto” AP group. If no other differences between the
two AP groups are required, both groups could use the same “default” profiles for other configuration
profile types.
Each of the profiles described can be configured via the CLI or the WebUI. To see a full list of profiles
available in ArubaOS, select the Configuration tab in the WebUI and navigate to Advanced Services > All
Profiles. The All Profiles page arranges group configuration profiles into six categories:
• “Wireless LAN Profiles” on page 114
• “AP Profiles” on page 116
• “QoS Profiles” on page 117
• “RF Management Profiles” on page 117
• “Mesh Profiles” on page 118
• “Other Profiles” on page 118
Wireless LAN Profiles
The Wireless LAN collection of profiles configure WLANs in the form of virtual AP profiles. A virtual AP
profile contains an SSID profile which defines the WLAN, the high-throughput SSID profile, and an AAA
profile that defines the authentication for the WLAN.
Unlike other profile types, you can configure and apply multiple instances of virtual AP profiles to an AP
group or to an individual AP.
• 802.11k profile—Manages settings for the 802.11k protocol. The 802.11k protocol allows APs and
clients to dynamically query their radio environment and take appropriate connection actions. For
example: in an 802.11k network, if the AP with the strongest signal reaches its CAC (Call Admission
Control) limits for voice calls, then on-hook voice clients may connect to an underutilized AP with a
weaker signal. You can configure the following options in the 802.11k profile:
  • Enable or disable 802.11k support on the AP
  • Forceful disassociation of on-hook voice clients
  • Measurement mode for beacon reports
For more details, see “Enable 802.11k Support” on page 162.
• SSID profile—Configures network authentication and encryption types. This profile also includes
references to the EDCA (enhanced distributed channel access) Parameters Station Profile, the EDCA
Parameters AP Profile and a High-throughput SSID profile.
Use this profile to configure basic settings such as 802.11 authentication and encryption settings, or
advanced settings such as DTIM (delivery traffic indication message) intervals, 802.11a/802.11g basic
and transmit rates, DHCP settings and WEP keys. The advanced SSID profile settings allow you to deny
broadcast probes and hide the SSID. For details on configuring an SSID profile, see “Creating a new
SSID Profile” on page 155.
Configuring the 802.11a and 802.11g beacon rates should only be used in conjunction with Distributed Antenna
Systems (DAS). Configuring beacon rates during normal operation may cause connectivity problems.
• High-throughput SSID profile—High-throughput APs support additional settings not available in
legacy APs. A High-throughput SSID profile enables/disables high-throughput (802.11n) features with 40
MHz channel usage, and defines values for aggregated MAC protocol data units (MPDUs) and Modulation
and Coding Scheme (MCS) ranges. If you modify a currently provisioned and running high-throughput
SSID profile, your changes take effect immediately; rebooting is not required. For details on configuring
a high-throughput SSID profile, see Table 35 on page 167.
• Virtual AP profile—This profile defines your WLAN by enabling or disabling the bandsteering, fast
roaming and DoS prevention features. It defines radio band, forwarding mode and blacklisting
parameters, and includes references to an AAA Profile, 802.11k Profile, and a High-throughput SSID
profile. You can apply multiple virtual AP profiles to an AP group or to an individual AP; for most other
profiles, you can apply only one instance of the profile to an AP group or AP at a time.
• AAA profile—This defines authentication settings for the WLAN users, including the role for
unauthenticated users, and the different roles that should be assigned to users authenticated via 802.1x,
MAC or SIP authentication. This profile includes references to:
  • MAC Authentication Profile
  • MAC Authentication Server Group
  • 802.1X Authentication Profile
  • 802.1X Authentication Server Group
  • RADIUS Accounting Server Group
For details on configuring an AAA profile, see “AAA Profile Parameters” on page 149.
• XML API server profile—Specifies the IP address of an external XML API server.
• RFC 3576 server—Specifies the IP address of an RFC 3576 RADIUS server.
• MAC authentication profile—Defines parameters for MAC address authentication, including upper- or
lower-case MAC string, the delimiter format in the string, and the maximum number of authentication
failures before a user is blacklisted.
• Captive portal authentication profile—This profile directs clients to a web page that requires them
to enter a username and password before being granted access to the network. This profile defines login
wait times, the URLs for login and welcome pages, and manages the default user role for authenticated
captive portal clients.
You can also set the maximum number of authentication failures allowed per user before that user is
blacklisted. This profile includes a reference to a Server group profile. For complete information on
configuring a Captive portal authentication profile, refer to Chapter 15, “Captive Portal” on page 363.
• 802.1x authentication profile—Defines default user roles for machine or 802.1x authentication, and
parameters for 802.1x termination and failed authentication attempts. For a list of the basic parameters
in the 802.1x authentication profile, refer to Chapter 10, “802.1x Authentication” on page 295.
• RADIUS server profile—Identifies the IP address of a RADIUS server and sets RADIUS server
parameters such as authentication and accounting ports and the maximum allowed number of
authentication retries. For a list of the parameters in the RADIUS profile, refer to “Configuring a RADIUS
Server” on page 274.
• LDAP server profile—Defines an external LDAP authentication server that processes requests from
the controller. This profile specifies the authentication and accounting ports used by the server, as well
as administrator passwords, filters and keys for server access. For a list of the parameters in the LDAP
profile, refer to “Configuring an LDAP Server” on page 277.
• TACACS server profile—Specifies the TCP port used by the server, the timeout period for a
TACACS+ request, and the maximum number of allowed retries per user. For a list of the parameters in
the TACACS profile, refer to “Configuring a TACACS+ Server” on page 278.
• Server group—This profile manages groups of servers for specific types of authentication. Server
Groups identify individual authentication servers and let you create rules for clients based on attributes
returned for the client by the server during authentication. For additional information on configuring
server rules, see “Configuring Server-Derivation Rules” on page 287.
• VPN Authentication profile—This profile identifies the default role for authenticated VPN clients and
also references a server group. It also provides a separate VPN AAA authentication for a terminating
remote AP (default-rap) and a campus AP (default-CAP). If you want to simultaneously deploy various
combinations of a VPN client, RAP-psk, RAP-certs and CAP on the same controller, see Table 70 on page
403.
• Management authentication profile—Enables or disables management authentication, and identifies
the default role for authenticated management clients. This profile also references a server group.
• Wired authentication profile—This profile merely references an AAA profile to be used for wired
authentication.
• Stateful 802.1x authentication Profile—Enables or disables 802.1x authentication for clients on
non-Aruba APs, and defines the default role for those users once they are authenticated. This profile also
references a server group to be used for authentication.
• Stateful NTLM authentication Profile—Monitors the NTLM (NT LAN Manager) authentication
messages between clients and an authentication server. If the client authenticates via an NTLM
authentication server, the controller can recognize that the client has been authenticated and assign that
client a specified user role.
AP Profiles
The AP profiles configure AP operation parameters, radio settings, port operations, regulatory domain, and
SNMP information.
• AP system profile—Defines administrative options for the controller, including the IP addresses of the
local, backup, and master controllers, Real-time Locating Systems (RTLS) server values and the number
of consecutive missed heartbeats on a GRE tunnel before an AP reboots.
• Regulatory domain—Defines the AP’s country code and valid channels for both legacy and
high-throughput 802.11a and 802.11b/g radios.
• Wired AP profile—Determines if 802.11 frames are tunneled to the controller using Generic Routing
Encapsulation (GRE) tunnels, bridged into the local Ethernet LAN, or configured for a combination of
the two (split-mode). In tunnel forwarding mode, the AP handles all 802.11 association requests and
responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the
controller for processing. When a remote AP or campus AP is in bridge mode, the AP handles all 802.11
association requests and responses, encryption/decryption processes, and firewall enforcement. In
split-tunnel mode, 802.11 frames are either tunneled or bridged, depending on the destination (corporate
traffic goes to the controller, and Internet access remains local). For details, see “Ethernet Ports for
Mesh” on page 258.
• Ethernet interface profile—Sets the duplex mode and speed of the AP’s Ethernet link. The
configurable speed is dependent on the port type, and you can define a separate Ethernet Interface
profile for each Ethernet link.
• Ethernet Interface Port/Wired Port Profile—Specifies an AAA profile for users connected to the
wired port on an AP. For details on configuring this profile, see “Securing Clients on an AP Wired Port”
on page 394.
• AP Provisioning profile—Defines a group of provisioning parameters for an AP or AP group.
• AP Authorization Profile—Allows you to assign a provisioned but unauthorized AP to an AP group
with a restricted configuration profile.
• EDCA parameters profile (Station)—Client to AP traffic prioritization parameters, including
Enhanced Distributed Channel Access (EDCA) parameters for background, best-effort, voice and video
queues. For additional information on configuring this profile, see “Using the WebUI to configure EDCA
parameters” on page 722.
• EDCA parameters profile (AP)—AP to client traffic prioritization, including EDCA parameters for
background, best-effort, voice and video queues. For additional information on configuring this profile,
see “Using the WebUI to configure EDCA parameters” on page 722.
QoS Profiles
The QoS profiles configure traffic management and VoIP functions.
• VoIP call admission control profile—Aruba’s Voice Call Admission Control limits the number of
active voice calls per AP by load-balancing or ignoring excess call requests. This profile enables active
load balancing and call admission controls, and sets limits for the numbers of simultaneous Session
Initiation Protocol (SIP), SpectraLink Voice Priority (SVP), Cisco Skinny Client Control Protocol (SCCP),
Vocera or New Office Environment (NOE) calls that can be handled by a single radio. For additional
information on configuring this profile, see “VoIP-Aware ARM Scanning” on page 726.
• Traffic management profile—Specifies the minimum percentage of available bandwidth to be
allocated to a specific SSID when there is congestion on the wireless network, and sets the interval
between bandwidth usage reports.
RF Management Profiles
These profiles configure radio tuning and calibration, AP load balancing, and RSSI metrics.
• 802.11a radio profile—Defines AP radio settings for the 5 GHz frequency band, including the Adaptive
Radio Management (ARM) profile and the high-throughput (802.11n) radio profile.
• 802.11g radio profile—Defines AP radio settings for the 2.4 GHz frequency band, including the
Adaptive Radio Management (ARM) profile and the high-throughput (802.11n) radio profile. Each
802.11a and 802.11b radio profile includes a reference to an Adaptive Radio Management (ARM) profile.
If you want the ARM feature to dynamically select the best channel and transmission power for the
radio, verify that the 802.11a/802.11g radio profile references an active and enabled ARM profile. If you
want to manually select a channel for each AP group, create separate 802.11a and 802.11g profiles for
each AP group and assign a different transmission channel for each profile.
• ARM profile—Defines the Adaptive Radio Management (ARM) settings for scanning, acceptable
coverage levels, transmission power and noise thresholds. In most network environments, ARM does
not need any adjustments from its factory-configured settings. However, if you are using VoIP or have
unusually high security requirements you may want to manually adjust the ARM thresholds. For
complete details on Adaptive Radio Management, refer to Chapter 6, “Adaptive Radio Management
(ARM)” on page 171.
• High-throughput radio profile—Manages high-throughput (802.11n) radio settings for 802.11n-capable
APs. A high-throughput profile determines 40 MHz tolerance settings, and controls whether or
not the APs using this profile will advertise intolerance of 40 MHz operation. (This option is disabled by
default, allowing 40 MHz operation.)
• RF optimization profile—Enables or disables load balancing based on a user-defined number of
clients or degree of AP utilization on an AP. Use this profile to detect coverage holes, radio interference
and STA association failures and configure Received signal strength indication (RSSI) metrics.
• RF event thresholds profile—Defines error event conditions, based on a customizable percentage of
low-speed frames, non-unicast frames, or fragmented, retry or error frames.
• Spectrum Profile—Defines the spectrum band monitored by a spectrum monitor, or the individual
channel monitored by a hybrid AP. For details on the spectrum analysis feature, see “Configuring the
Spectrum Profile” on page 638.
Mesh Profiles
You can provision Aruba APs to operate as mesh points, mesh portals or remote mesh portals. The secure
enterprise mesh environment routes network traffic between APs over wireless hops to join multiple
Ethernet LANs or to extend wireless coverage. The Mesh profiles are:
• Mesh high-throughput SSID profile—Enables or disables high-throughput (802.11n) features and 40
MHz channel usage, and defines values for aggregated MAC protocol data units (MPDUs) and Modulation
and Coding Scheme (MCS) ranges. If none of the APs in your Mesh deployment are 802.11n-capable, you
do not need to configure a mesh high-throughput SSID profile.
• Mesh radio profile—Determines many of the settings used by mesh nodes to establish mesh links and
the path to the mesh portal, including the maximum number of children a mesh node can accept, and
transmit rates for the 802.11a and 802.11g radios.
• Mesh cluster profile—Contains the mesh cluster name (MSSID), authentication methods, security
credentials, and cluster priority.
Other Profiles
These controller profiles set the management password policy, define equipment OUIs, or configure VIA
authentication and connection settings.
• Valid Equipment OUI Profile—Set one or more Aruba OUIs for the controller.
• VIA Authentication Profile—Define an authentication profile for the VIA feature.
• VIA Connection Profile—Define authentication and connection settings profile for the VIA feature.
• VIA Web Authentication—Define a VIA authentication profile to be used for Web authentication.
• VIA Global Configuration—Select whether or not the controller should allow VIA SSL fallback.
• Management Password Policy—Define a policy for creating management passwords.
• Dialplan Profile—Define SIP dial plans on the controller to provide outgoing PSTN calls.
• Spectrum Local Override Profile—Configure an individual AP radio as a spectrum monitor. For
details, see “Converting an Individual AP to a Spectrum Monitor” on page 636.
Viewing Profile Errors
To view the list of profile errors using the CLI, use the show profile-errors command. The WebUI displays
them with a flag icon next to the main horizontal menu (Table 21). Click the flag to view the list of errors.
Table 21 Profile Errors
[Figure: the profile-error flag icon in the WebUI; not reproduced here.]
Profile Hierarchy
ArubaOS WebUI includes several wizards that allow you to configure an AP, controller, WLAN, or License
installation. You can also configure profiles using the WebUI Profile list or via the command line interface.
Best practice is to configure the lowest-level settings first. For example, if you are defining a virtual AP
profile, you should first define a session policy, then define your server group, then create an AAA profile
that references the session policy and your server group.
Figure 18 represents the AP and AP Group profile hierarchy in the WebUI (navigate to Configuration > AP
Configuration).
Figure 18 AP Specific and AP Group Profile Hierarchies
Figure 19 displays how other higher-level configuration profiles reference other profiles. To view the profile
hierarchy for Layer 2 authentication profiles in the WebUI, navigate to Configuration > Authentication
and select the L2 Authentication tab. To view the profile hierarchy for Layer 3 authentication profiles,
navigate to Configuration > Authentication and select the L3 Authentication tab.
Figure 19 Other Profile Hierarchies
Deploying APs
Aruba APs and AMs are designed to require only minimal setup to make them operational in a user-centric
network. Once APs have established communication with the controller, you can apply advanced
configuration to individual APs or groups of APs in the network using the WebUI on the controller.
Deploy APs on your network using the following steps:
1. Run the Java-based RF Plan tool to help position APs and import floorplans for your installation.
2. Prior to installation, configure firewall settings and enable controller discovery so the APs can locate
and identify the controller.
3. Ensure that APs will be able to obtain an IP address once they are connected to the network.
If you are deploying APs in a mesh networking environment, best practice is to define the mesh cluster profile and
mesh radio profiles before you install and provision the AP as a mesh portal or mesh point. Note that this step is
required only if you are configuring a mesh node. For further information on configuring a mesh network, see “Secure
Enterprise Mesh” on page 225.
4. Install the APs by connecting the AP to an Ethernet port on the controller. If Power over Ethernet (PoE) is
not used, connect the AP to a power source.
5. On the controller, provision the installed APs.
The following sections explain each of the above steps.
Running the RF Plan
The Java-based RF Plan tool is an application that allows you to determine AP placement based on your
specified coverage and capacity requirements without impacting the live network. For more information
about using RF Plan, see the RF Plan Installation and User Guide.
Ensure APs Can Connect to the Controller
Before you install APs in a network environment, you must ensure that the APs are able to locate and
connect to the controller. Specifically, you must ensure the following:
 When connected to the network, each AP is assigned a valid IP address.
 APs are able to locate the controller.
In a network with a master and local controllers, an AP will initially connect to the master controller. Alternatively, you
can instruct your AP to download its configuration (and ArubaOS) from a local controller (see Chapter 21, “Adding
Local Controllers” for details).
Configure Firewall Settings
APs use Trivial File Transfer Protocol (TFTP) during their initial boot to grab their software image and
configuration from the controller. After the initial boot, the APs use FTP to grab their software images and
configurations from the controller.
In many deployment scenarios, an external firewall is situated between various Aruba devices. Appendix B,
“External Firewall Configuration” describes the network ports that must be configured on the external
firewall to allow proper operation of the network.
Enable Controller Discovery
An AP can discover the IP address of the controller in the following ways:
 From a DNS server
 From a DHCP server
 Using the Aruba Discovery Protocol (ADP)
At boot time, the AP builds a list of controller IP addresses and then tries these addresses in order until a
controller is reached successfully. The list of controller addresses is constructed as follows:
1. If the master provisioning parameter is set to a DNS name, that name is resolved and all resulting
addresses are put on the list. If master is set to an IP address, that address is put on the list.
2. If the master provisioning parameter is not set and a controller address was received in DHCP Option
43, that address is put on the list.
3. If the master provisioning parameter is not set and no address was received via DHCP option 43, ADP is
used to discover a controller address and that address is put on the list.
4. Controller addresses derived from the server-name and server-ip provisioning parameters and the
default controller name aruba-master are added to the list. Note that if a DNS name resolves to
multiple addresses, all addresses are added to the list.
This list of controller IP addresses provides an enhanced redundancy scheme for controllers that are
located in multiple data centers separated across Layer-3 networks.
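The address-list rules above, as an added example that is not ArubaOS code: a Python model that applies the four rules to constructed provisioning values and a constructed DNS table. The provisioning parameter names master, server-name and server-ip and the default name aruba-master are the guide's; every function name, the ordering within rule 4, and the sample data are assumptions.

```python
"""Model of how an AP builds its ordered list of controller addresses at boot.

Added example, not ArubaOS code. It encodes the four rules from the
"Enable Controller Discovery" section: the provisioning parameter names
(master, server-name, server-ip) and the default name aruba-master are
the guide's; every function name and the sample DNS data are assumptions.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]     # DNS name -> all resolved addresses
Discoverer = Callable[[], Optional[str]]  # ADP query -> one address or None


def _is_ip_address(value: str) -> bool:
    """True for a literal IPv4/IPv6 address, False for a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_controller_list(
    provisioning: Dict[str, Optional[str]],
    dhcp_option43: Optional[str],
    adp_discover: Discoverer,
    resolve: Resolver,
) -> List[str]:
    """Return controller addresses in the order the AP tries them.

    provisioning  - values of the master, server-name and server-ip
                    provisioning parameters (missing or None when unset)
    dhcp_option43 - controller address received in DHCP option 43, if any
    adp_discover  - callable that performs ADP discovery (may return None)
    resolve       - DNS resolver returning every address for a name
    """
    addresses: List[str] = []
    master = provisioning.get("master")

    if master:
        # Rule 1: master is set. A DNS name contributes all of its addresses.
        addresses.extend([master] if _is_ip_address(master) else resolve(master))
    elif dhcp_option43:
        # Rule 2: master unset, so the single option 43 address is used.
        addresses.append(dhcp_option43)
    else:
        # Rule 3: master unset and no option 43, so ADP is attempted.
        found = adp_discover()
        if found:
            addresses.append(found)

    # Rule 4: server-name, server-ip and the default name aruba-master are
    # always appended (the order among these three is an assumption here).
    server_name = provisioning.get("server-name")
    if server_name:
        addresses.extend(resolve(server_name))
    server_ip = provisioning.get("server-ip")
    if server_ip:
        addresses.append(server_ip)
    addresses.extend(resolve("aruba-master"))
    return addresses


# Constructed DNS data standing in for the site's DNS server.
SAMPLE_DNS: Dict[str, List[str]] = {
    "aruba-master": ["10.0.0.1", "10.0.1.1"],   # controllers in two data centres
    "ctrl.example.net": ["192.0.2.10"],
}


def sample_resolve(name: str) -> List[str]:
    """Resolver over the constructed table; unknown names resolve to nothing."""
    return list(SAMPLE_DNS.get(name, []))


def adp_silent() -> Optional[str]:
    """ADP query on a network where no controller answers."""
    return None


def adp_answered() -> Optional[str]:
    """ADP query answered by a controller in the same broadcast domain."""
    return "10.2.0.1"


def main() -> None:
    scenarios = {
        "master is a DNS name": ({"master": "ctrl.example.net"}, "10.5.5.5", adp_answered),
        "master unset, option 43 present": ({}, "10.5.5.5", adp_answered),
        "master unset, no option 43": ({}, None, adp_answered),
        "only the default name resolves": ({}, None, adp_silent),
    }
    for label, (prov, opt43, adp) in scenarios.items():
        print(f"{label}: {build_controller_list(prov, opt43, adp, sample_resolve)}")


if __name__ == "__main__":
    main()
```

Note that in the first scenario the option 43 address is never tried, because an explicit master takes precedence under rule 1.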
From a DNS Server
APs are factory-configured to use the host name aruba-master for the master controller. For the DNS
server to resolve this host name to the IP address of the master controller, you must configure an entry on
the DNS server for the name aruba-master.
For information on how to configure a host name entry on the DNS server, refer to the vendor
documentation for your server.
Aruba recommends using a DNS server to provide APs with the IP address of the master controller because
it involves minimal changes to the network and provides the greatest flexibility in the placement of APs.
When using DNS, the AP can learn multiple IP addresses to associate with a controller. If the primary
controller is unavailable or does not respond, the AP continues through the list of learned IP addresses until
it establishes a connection with an available controller. This takes approximately 3.5 minutes per LMS.
From a DHCP Server
You can configure a DHCP server to provide the master controller’s IP address. You must configure the
DHCP server to send the controller’s IP address using the DHCP vendor-specific attribute option 43. APs
identify themselves with a vendor class identifier set to Aruba AP in their DHCP request. When the DHCP
server responds to the request, it will send the controller’s IP address as the value of option 43.
When using DHCP option 43, the AP accepts only one IP address. If the IP address of the controller
provided by DHCP is not available, the AP can use the other IP addresses provisioned or learned by DNS to
establish a connection.
For more information on how to configure vendor-specific information on a DHCP server, see Appendix A,
“DHCP with Vendor-Specific Options” or refer to the vendor documentation for your server.
Using the Aruba Discovery Protocol (ADP)
ADP is enabled by default on all Aruba APs and controllers. To use ADP, all APs and controllers must be
connected to the same Layer-2 network. If the devices are on different networks, a Layer-3 compatible
discovery mechanism, such as DNS, DHCP, or IGMP forwarding, must be used instead.
With ADP, APs send out periodic multicast and broadcast queries to locate the master controller. You might
need to perform additional network configuration, depending on whether the APs are in the same broadcast
domain as the controller:
 If the APs are in the same broadcast domain as the master controller, the controller automatically
responds to the APs’ queries with its IP address.
 If the APs are not in the same broadcast domain as the master controller, you must enable multicast on
the network (ADP multicast queries are sent to the IP multicast group address 239.0.82.11) for the
controller to respond to the APs’ queries. You also must make sure that all routers are configured to
listen for Internet Group Management Protocol (IGMP) join requests from the controller and can route
these multicast packets.
To verify that ADP and IGMP join options are enabled on the controller, use the following CLI command:
(host) #show adp config
ADP Configuration
-----------------
key        value
---        -----
discovery  enable
igmp-join  enable
If ADP or IGMP join options are not enabled, use the following CLI commands:
(host) (config) #adp discovery enable
(host) (config) #adp igmp-join enable
Ensure APs Can Obtain IP Addresses
Each AP requires a unique IP address on a subnetwork that has connectivity to a controller. Aruba
recommends using the Dynamic Host Configuration Protocol (DHCP) to provide IP addresses for APs; the
DHCP server can be an existing network server or a controller configured as a DHCP server.
You can use an existing DHCP server in the same subnetwork as the AP to provide the AP with its IP
information. You can also configure a device in the same subnetwork to act as a relay agent for a DHCP
server on a different subnetwork. Refer to the vendor documentation for the DHCP Server or relay agent for
information.
If an AP is on the same subnetwork as the master controller, you can configure the controller as a DHCP
server to assign an IP address to the AP. The controller must be the only DHCP server for this subnetwork.
Enabling the DHCP server on the controller in the WebUI
1. Navigate to the Configuration > Network > IP > DHCP Server window.
2. Select the Enable DHCP Server checkbox.
3. In the Pool Configuration section, click Add.
4. Enter information about the subnetwork for which IP addresses are to be assigned. Click Done.
5. If there are addresses that should not be assigned in the subnetwork:
a. Click Add in the Excluded Address Range section.
b. Enter the address range in the Add Excluded Address section.
c. Click Done.
6. Click Apply at the bottom of the window.
Enable the DHCP server on the controller in the CLI
(host)(config)# ip dhcp excluded-address ipaddr ipaddr2
(host)(config)# ip dhcp pool name
  default-router ipaddr
  dns-server ipaddr
  domain-name name
  network ipaddr mask
(host)(config)# service dhcp
Provisioning APs for Mesh
The information in this section applies only if you are configuring and deploying APs in a mesh networking
environment. If you are not, proceed to “Installing APs on the Network” on page 124.
Before you install APs in a mesh networking environment, you must do the following:
 Define and configure the mesh cluster profile and mesh radio profile before configuring an AP to
operate as a mesh node. An AP configured for mesh is also known as a mesh node.
 Provision one of the following mesh roles on the AP:
   Mesh portal—The gateway between the wireless mesh network and the enterprise wired LAN.
   Mesh point—APs that can provide traditional Aruba WLAN services (such as client connectivity,
  intrusion detection system (IDS) capabilities, user roles association, LAN-to-LAN bridging, and
  Quality of Service (QoS) for LAN-to-mesh communication) to clients on one radio and perform mesh
  backhaul/network connectivity on the other radio. Mesh points can also provide LAN-to-LAN
  bridging through their Ethernet interfaces and provide WLAN services on the backhaul radio.
   Remote Mesh Portal—The Remote Mesh Portal feature allows you to configure a remote AP at a
  branch office to operate as a mesh portal for a mesh cluster.
For detailed provisioning guidelines, caveats, and instructions, see Chapter 8, “Secure Enterprise Mesh” on
page 225.
Installing APs on the Network
Use the AP placement map generated by RF Plan to install APs. You can either connect the AP directly to a
port on the controller, or connect the AP to another switch or router that has layer-2 or layer-3 connectivity
to the controller.
If the Ethernet port on the controller is an 802.3af Power over Ethernet (PoE) port, the AP automatically
uses it to power up. If a PoE port is not available, you must get an AC adapter for the AP from Aruba
Networks. For more information, see the Installation Guide for the specific AP.
Once an AP is connected to the network and powered up, it attempts to locate the master controller using
one of the methods described in “Enable Controller Discovery” on page 122.
On the master controller, you can view the APs that have connected to the controller in the WebUI.
Navigate to the Configuration > Wireless > AP Installation window. Figure 20 shows an example of this
window.
Figure 20 APs Connected to Controller
Updating the RF Plan
After installing APs, update the AP placement map in RF Plan. This allows more accurate reconciliation of
location tracking features provided by the user-centric network—for example, locating users, intruders,
rogue APs and other security threats, assets, and sources of RF interference—with the physical
environment.
Provisioning Installed APs
The two most common ways to provision an AP for remote authentication are certificate-based AP
provisioning and provisioning using a pre-shared key. Although both options allow for a simple, secure setup
of your remote network, you should make sure that the procedure you select is supported by your
controller, the AP model type, and the end user’s client software. If you must provision your APs using a
pre-shared key, you need to know which controller models you have that do not support certificate-based
provisioning.
Remote AP (RAP) vs Campus AP (CAP)
Before you provision an AP, you should decide whether you want it to function as a Remote AP (RAP) or a
Campus AP (CAP).
 When the network between the AP and controller is an un-trusted/non-routable network, such as the
Internet, a RAP is recommended; in cases where the AP needs to connect over private links (LAN, WAN,
MPLS), a CAP is recommended. The reason that CAP is not recommended over a non-routable network
is because the IPsec within control plane security is in tunnel mode.
 RAP supports an internal DHCP server; CAP does not.
For both RAPs and CAPs, tunneled SSIDs will be brought down eight (8) seconds after the AP detects that
there is no connectivity to the controller. For CAP bridge-mode SSIDs, the CAP will be brought down after
the keepalive times out (default 3.5 minutes). RAP bridge mode SSIDs are configurable to stay up
indefinitely (always-on / persistent). Backup mode SSID is supported on the RAP only.
AP Provisioning Wizard
The easiest way to provision any remote AP is to use the ArubaOS AP Wizard in the WebUI. This wizard will
walk you through the specific steps required to provision a remote AP (or any other AP type). To access the
AP wizard to provision a remote AP:
1. Select Configuration>Wizards>AP Wizard. The Specify Deployment Scenario window appears.
2. Select the Remote deployment scenario option.
3. The wizard allows you to configure remote APs to be provisioned by a user at a remote location, or
provisioned by a network administrator who will connect those APs directly to the controller as the
wizard is being run.
 Select the User-Provisioned option to provision AP models using certificate-based AP provisioning.
 Select the Administrator-Provisioned option to provision any AP model authenticated using a
Pre-Shared Key (PSK).
4. Click Next to continue to the next window in the Wizard. Continue working your way through the
wizard to complete the provisioning process.
If you do not want to use the provisioning wizard, you can also define certificate-based and PSK
provisioning parameters for a remote AP using the Configuration > Wireless > AP Installation >
Provisioning window in the WebUI.
Provisioning an Individual AP
The following steps describe the process to provision an AP:
1. If you are provisioning a new AP that has never been provisioned before, connect the AP to the
controller according to the instructions included with that AP. If you are reprovisioning existing active APs
as remote APs, this step is not necessary, as the APs are already communicating with the controller.
2. Navigate to the Configuration > Wireless > AP Installation > Provisioning window.
3. Click the checkbox by the AP you want to provision, then click Provision. The Provisioning window
opens.
4. In the AP Parameters section, click the AP Group drop-down list and select the AP group to which
this AP should be assigned.
5. (Optional) Some AP models support an external antenna in addition to their internal antenna. If the AP
you are provisioning supports an external antenna, the Provisioning window displays an additional
Antenna Parameters section. If you want to use an External antenna for the remote AP you are
provisioning, select External Antenna and define settings for that antenna. Otherwise, the remote AP
will use its internal antenna by default.
6. If you are provisioning a remote AP, select Yes for the Remote AP option.
7. (For Remote APs only) In the Remote IP Authentication Method section, select either Pre-shared
key or certificate authentication type.
Certificate-based authentication allows a controller to authenticate an AP using its certificates
instead of a PSK. You can manually provision an individual AP with a full set of provisioning parameters,
or simultaneously provision an entire group of APs by defining a provisioning profile which contains a
smaller set of provisioning parameters that can be applied to the entire AP group. When you manually
provision an individual AP to use certificate-based authentication, you must connect that AP to the
controller before you can define its provisioning settings.
Use Pre-Shared Key (PSK) authentication to provision an individual remote AP or a group of remote
APs using an Internet Key Exchange Pre-Shared Key (IKE PSK). This option requires you to perform the
following additional steps:
a. Enter and confirm the pre-shared key (IKE PSK).
b. In the User credential assignment section, specify if you want to use a Global User Name/password
or a Per AP User Name/Password.
 If you use the Per AP User Names/Passwords option, each RAP is given its own user name and
password.
 If you use the Global User Name/Password option, all selected RAPs are given the same (shared)
user name and password.
c. Enter the user name, and enter and confirm the password. If you want the controller to automatically
generate a user name and password, select Use Automatic Generation, then click Generate by
the User Name and Password fields.
8. (Optional) If your AP will use Point-to-Point Protocol over Ethernet (PPPoE) to authenticate itself to a
service provider, select the PPPoE Parameters checkbox and enter the following PPPoE values:
 Service Name: Either an ISP name or a class of service configured on the PPPoE server.
 User Name: Set the PPPoE User Name for this remote AP.
 Password: Enter and then confirm the PPPoE password for this remote AP.
9. In the Master Discovery section, set the Master IP Address.
 For a campus AP or a remote AP on a private network, enter the controller’s IP address.
 For a remote AP with the controller on a public network, enter the controller’s public IP address.
 For a remote AP with a controller behind a firewall, enter the public address of the NAT device to
which the controller is connected.
10. (Optional) In the IP Settings section, specify a trunk VLAN by entering a VLAN ID from 1-4095,
inclusive. If you configure an uplink VLAN on an AP connected to a port in trunk mode, the AP sends
and receives frames tagged with this VLAN on its Ethernet uplink.
By default, an AP has an uplink VLAN of 0, which disables this feature. Note that if an AP is provisioned
with an uplink VLAN, it must be connected to a trunk mode port or the AP’s frames will be dropped.
11. Under IP Settings, select Obtain IP Address Using DHCP to obtain an IP address for your AP using
DHCP.
or
select Use the Following IP address and enter the appropriate values in the following fields:
 IP address: IP address for the AP, in dotted-decimal format.
 Subnet mask: Subnet mask for the IP, in dotted-decimal format.
 Gateway IP address: The IP address the AP uses to reach other networks.
 DNS IP address: The IP address of the Domain Name Server.
 Domain name: (optional) The default domain name.
12. (Optional) In the FQLN Mapper section, you may click the Campus, Building and Floor drop-down
lists to identify a fully qualified location name (FQLN) for the AP. To clear an existing FQLN, click the
Remove FQLN checkbox.
13. (Optional) If you are provisioning remote AP models AP-70, RAP-5, and RAP-5WN USB, and you want to
configure them to support USB cellular modems, you must complete the fields in the USB settings
section.
14. The AP list section displays current information for the AP you are provisioning or reprovisioning, and
allows you to define additional parameters for your remote AP, such as AP Name, SNMP System
Location and (if you are provisioning a Mesh Point or Portal) the AP’s Mesh role.
15. Click Apply and Reboot. (Reprovisioning the AP causes it to automatically reboot).
Provisioning Multiple APs using a Provisioning Profile
When you create a provisioning profile, you can then apply that profile to an AP group and provision that
entire group of campus or remote APs with the settings in that profile.
By default, an AP group does not have a provisioning profile. Make sure that any provisioning profiles you
create are complete and accurate before you assign that profile to an AP group. If a misconfigured
provisioning profile is assigned to a group of APs, the APs in that group may be automatically provisioned
with erroneous parameters and become lost.
1. Navigate to the Configuration > Wireless > AP Installation > Provisioning window.
2. Next, select the Provisioning Profile tab and enter a provisioning profile name in the text box (next to
the Add button).
3. Click the Add button to add the profile name.
4. Select your new provisioning profile name from the list at the left.
5. (Optional) If you are provisioning a remote AP, select the Remote-AP checkbox.
6. Enter the IP address or the fully qualified domain name of the master controller in the Master IP/FQDN
field.
7. If your AP will use Point-to-Point Protocol over Ethernet (PPPoE) to authenticate itself to a service
provider, select the PPPoE Parameters checkbox and enter the following PPPoE values:
 PPPoE User Name: Set the PPPoE User Name for this remote AP.
 PPPoE Password: Enter and then confirm the PPPoE password for this remote AP.
 PPPoE Service Name: Either an ISP name or a class of service configured on the PPPoE server.
8. (Optional) If you want to use this provisioning profile to provision APs with more than one interface,
you must also configure the USB settings and priority levels for this profile.
9. Click Apply.
Assigning Provisioning Profiles
Once you have defined a provisioning profile, you must assign that profile to an AP group.
1. Navigate to the Configuration>AP configuration window and select the AP group tab.
2. Click the Edit button by the name of the AP group to which you want to assign the provisioning profile.
3. In the profiles list, expand the AP menu, and select Provisioning Profile. The Profile Details window
appears.
4. Click the Provisioning Profile drop-down list and select the name of the provisioning profile you want
to assign to this AP group.
5. Click Apply.
If you are provisioning remote APs, you must also add the remote APs to the RAP whitelist. For details, see
“Remote Access Points” on page 187.
Troubleshooting
After the AP has been provisioned, navigate to the Monitoring>All Access Points window and verify that the
AP has an up status. If an AP on your network does not appear in this table, it may have been classified as an
inactive AP for any of the following reasons:
 The AP is configured with a missing or incorrect VLAN. (For example, the AP is configured to use a
tunneled SSID of VLAN 2 but the controller doesn't have a VLAN 2.)
 The AP has an unknown AP group.
 The AP has a duplicate AP name.
 An AP with an external antenna is not provisioned with external antenna gain settings.
 Both radios on the AP are disabled.
 No virtual APs are defined on the AP.
 The AP has profile errors. For details, access the command-line interface and issue the command show
profile-errors.
 The GRE tunnel between the AP and the controller was blocked by a firewall after the AP became active.
 The AP is temporarily down while it is upgrading its software. The AP will become active again after
upgrading.
Configuring a Provisioned AP
Once the AP has been installed and provisioned, you can use the WebUI or CLI to configure the optional AP
settings described in the following sections:
 “AP Installation Modes” on page 130
 “RF Event Configuration” on page 138
 “20 MHz and 40 MHz Static Channel Assignments” on page 140
 “Automatic Channel and Transmit Power Selection” on page 142
 “Optimize APs Over Low-Speed Links” on page 131
 “AP Redundancy” on page 135
 “Managing AP LEDs” on page 136
AP Installation Modes
By default, all AP models initially ship with an indoor or outdoor installation mode. This means that APs
with an indoor installation mode are normally placed in enclosed, protected environments and those with
an outdoor installation mode are used in outdoor environments and exposed to harsh elements.
In most countries, there are different channels and power that are allowed for indoor and outdoor
operation. You may want to change an AP’s installation mode from indoor to outdoor or vice versa.
In the WebUI
To configure the installation mode for an AP, follow these steps:
1. Navigate to the Configuration > Wireless> AP Installation page. The list of discovered APs is
displayed on this page.
2. Select the AP you want to change.
3. Click Provision to reveal the Provisioning page.
Locate the AP Installation Mode section. By default, the Default mode is selected. This means that
the AP installation type is based on the AP model.
4. Select the Indoor option to change the installation to Indoor mode. Select the Outdoor option to
change the installation to Outdoor mode.
5. Click Apply and Reboot (at the bottom of the page).
In the CLI
This example displays the AP installation mode options and sets the AP to indoor installation mode.
(host) (config) #provision-ap
(host) (AP provisioning) #installation ?
default                 Decide by AP model
indoor                  Indoor installation
outdoor                 Outdoor installation
(host) (AP provisioning) #installation indoor
This example shows basic information details about the configuration of an AP named “MyAP.” The AP
installation mode is indoor.
(host) #show ap details ap-name myAP
AP "MyAP" Basic Information
---------------------------
Item            Value
----            -----
AP IP Address   10.0.0.253
LMS IP Address  10.0.0.1
Group           default
Location Name   N/A
Status          Up; Mesh
Up time         9m:55s
Installation    indoor
Renaming an AP
You can display the status of APs in your database by executing the show ap database long command.
The output will flag an AP that has a duplicate name (N flag).
To clear the AP with the duplicate name (assuming it is no longer connected to your network), use the
command clear gap-db wired-mac.
Renaming in the WebUI
1. Navigate to the Configuration > Wireless> AP Installation page. A list of discovered APs is on this
page.
2. Select the AP you want to rename, and click Provision.
3. On the Provisioning page, scroll to the AP list at the bottom of the page and find the AP you want to
rename.
4. In the AP Name field, enter the new unique name for the AP.
5. Click Apply and Reboot.
Renaming in the CLI
Execute the following command (from enable mode) only on a master controller. Executing the command
causes the AP to automatically reboot.
ap-rename {ap-name <name>|serial-num <number>|wired-mac <macaddr>} <new-name>
If an AP is recognized by the controller but is powered off or not connected to the network or controller
when you execute the command, the request is queued until the AP is powered back on or reconnected.
Optimize APs Over Low-Speed Links
Depending on your deployment scenario, you may have APs or remote APs that connect to a controller
located across low-speed (less than 1 Mbps capacity) or high-latency (greater than 100 ms) links.
With low-speed links, if heartbeat or keep alive packets are not received between the AP and controller
during the defined interval, APs may reboot causing clients to re-associate. You can adjust the bootstrap
threshold and prioritize AP heartbeats to optimize these types of links. In addition, high bandwidth
applications may saturate low-speed links. For example, if you have tunnel-mode SSIDs, use them with
low-bandwidth applications such as barcode scanning, small database lookups, and Telnet to avoid saturating
the link. If you have traffic that will remain local, deploying remote APs and configuring SSIDs as
bridge-mode SSIDs can also prevent link saturation.
With high-latency links, consider the amount and type of client devices accessing the links. Aruba APs
locally process 802.11 probe-requests and probe-responses, but the 802.11 association process requires
interaction with the controller.
When deploying APs across low-speed or high-latency links, Aruba recommends the following best
practices:
 Connect APs and controllers over a link with a capacity of 1 Mbps or greater.
 Maintain a minimum link speed of 64 Kbps per GRE tunnel and per bridge-mode SSID. This is the
minimum speed required for downloading software images.
 Adjust the bootstrap threshold to 30 if the network experiences packet loss. This makes the AP recover
more slowly in the event of a failure, but it will be more tolerant to heartbeat packet loss.
 Prioritize AP heartbeats to prevent losing connectivity with the controller.
 If possible, reduce the number of tunnel-mode SSIDs. Each SSID creates a tunnel to the controller with
its own tunnel keep alive traffic.
 If most of the data traffic will remain local to the site, deploy remote APs in bridging mode. For more
information about remote APs, see Chapter 4, “Access Points”.
 If high-latency links such as transoceanic or satellite links are used in the network, deploy a controller
geographically close to the APs.
 If high latency causes association issues with certain handheld devices or barcode scanners, check the
manufacturer of the device for recent firmware and driver updates.
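To make the bootstrap-threshold trade-off above concrete, here is an added Python model (not ArubaOS code) of the rule the guide gives in Table 22: one heartbeat per second on each GRE tunnel, a rebootstrap after the configured number of consecutive missed heartbeats, and a controller-side tunnel timeout of 1.5 x threshold seconds. The per-second outage traces, the function names and the dataclass are constructed for illustration.

```python
"""Model of the AP bootstrap threshold and the controller's GRE tunnel timeout.

Added example, not ArubaOS code. It applies the rules the guide states in
Table 22: heartbeats go out once per second on each GRE tunnel, the AP
rebootstraps after the configured number of consecutive missed heartbeats,
and the controller tears the tunnel down after 1.5 x threshold seconds of
inactivity. The per-second outage traces are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

HEARTBEAT_INTERVAL_S = 1          # one heartbeat per second per tunnel
DEFAULT_BOOTSTRAP_THRESHOLD = 8   # default value in the AP system profile
LOSSY_LINK_THRESHOLD = 30         # value the guide suggests when packets are lost


@dataclass
class TunnelOutcome:
    rebootstrap_at: Optional[int]   # second at which the AP rebootstraps, or None
    controller_timeout_s: float     # inactivity after which the controller drops the tunnel
    longest_gap_s: int              # longest run of consecutive missed heartbeats


def gre_tunnel_timeout(bootstrap_threshold: int) -> float:
    """Controller-side tunnel timeout: 1.5 x bootstrap-threshold seconds."""
    if not 1 <= bootstrap_threshold <= 65535:
        raise ValueError("bootstrap threshold must be in the range 1-65535")
    return 1.5 * bootstrap_threshold


def evaluate_trace(acks: List[bool], bootstrap_threshold: int) -> TunnelOutcome:
    """Walk a per-second trace of heartbeat results for one GRE tunnel.

    acks[i] is True when the heartbeat sent in second i+1 was answered.
    Only consecutive misses count: an answered heartbeat resets the run,
    and the AP rebootstraps as soon as the run reaches the threshold.
    """
    timeout = gre_tunnel_timeout(bootstrap_threshold)
    missed = 0
    longest = 0
    rebootstrap_at: Optional[int] = None
    for second, answered in enumerate(acks, start=1):
        missed = 0 if answered else missed + 1
        longest = max(longest, missed)
        if missed >= bootstrap_threshold and rebootstrap_at is None:
            rebootstrap_at = second * HEARTBEAT_INTERVAL_S
    return TunnelOutcome(rebootstrap_at, timeout, longest)


def outage_trace(seconds_lost: int, total_s: int = 60, start_s: int = 10) -> List[bool]:
    """Constructed trace: every heartbeat is lost for `seconds_lost` seconds
    beginning at `start_s`; the link is healthy otherwise."""
    return [not (start_s <= s < start_s + seconds_lost) for s in range(1, total_s + 1)]


def intermittent_trace(total_s: int = 60) -> List[bool]:
    """Constructed trace: every second heartbeat lost (50% loss, never consecutive)."""
    return [s % 2 == 1 for s in range(1, total_s + 1)]


def main() -> None:
    for threshold in (DEFAULT_BOOTSTRAP_THRESHOLD, LOSSY_LINK_THRESHOLD):
        for lost in (7, 8, 30):
            outcome = evaluate_trace(outage_trace(lost), threshold)
            print(f"threshold={threshold:2d} outage={lost:2d}s -> "
                  f"rebootstrap at {outcome.rebootstrap_at}, "
                  f"controller timeout {outcome.controller_timeout_s}s")
    flapping = evaluate_trace(intermittent_trace(), DEFAULT_BOOTSTRAP_THRESHOLD)
    print(f"50% non-consecutive loss -> rebootstrap at {flapping.rebootstrap_at}")


if __name__ == "__main__":
    main()
```

The intermittent trace shows why the threshold counts consecutive misses: a link losing every other heartbeat never triggers a rebootstrap, whereas a single 8-second outage does at the default threshold.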
Configuring the Bootstrap Threshold
To configure the bootstrap threshold using the WebUI:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit by the AP group or AP name.
3. Under Profiles, select AP, then AP system profile. The configuration settings displayed in the Profile
Details window are described in Table 22.
Table 22 AP System Profile Configuration
Parameter
Description
LMS IP
In multi-controller networks, this parameter specifies the IP address of the
local management switch (LMS)—the Aruba controller—which is responsible
for terminating user traffic from the APs, and processing and forwarding the
traffic to the wired network. This can be the IP address of the local or master
controller.
When using redundant controllers as the LMS, set this parameter to be the
VRRP IP address to ensure that APs always have an active IP address with
which to terminate sessions.
LMS IPv6
The IPv6 address of the LMS for this AP or group
Backup LMS IP
In multi-controller networks, specifies the IP address of a backup to the IP
address specified with the lms-ip parameter.
Backup LMS IPv6
The IPv6 address of the backup LMS for this AP or group
LMS Preemption
When this parameter is enabled, the AP automatically reverts to the primary
LMS IP address when it becomes available.
LMS Hold-down Period
Time, in seconds, that the primary LMS must be available before an AP returns
to that LMS after failover.
Number of IPSEC retries
Number of times the AP will try to create an IPsec tunnel with the master
controller before the AP will reboot. If you specify a value of 0, the AP will not
reboot if it cannot create the IPsec tunnel. The supported range of values is 0-1000 retries, and the default value is 360 retries.
LED operating mode (11n APs only)
The operating mode for the AP LEDs (AP-120, AP-121, AP-124 and AP-125 only)
RF Band
For APs that support both a and b/g RF bands, RF band in which the AP
should operate:
 g = 2.4 GHz
 a = 5 GHz
Double Encrypt
This parameter applies only to remote APs. Use double encryption for traffic to
and from a wireless client that is connected to a tunneled SSID.
When enabled, all traffic is re-encrypted in the IPsec tunnel. When disabled,
the wireless frame is only encapsulated inside the IPsec tunnel.
All other types of data traffic between the controller and the AP (wired traffic
and traffic from a split-tunneled SSID) are always encrypted in the IPsec
tunnel.
Native VLAN ID
Native VLAN for bridge mode virtual APs (frames on the native VLAN are not
tagged with 802.1q tags).
SAP MTU
MTU, in bytes, on the wired link for the AP.
Bootstrap threshold
Number of consecutive missed heartbeats on a GRE tunnel (heartbeats are
sent once per second on each tunnel) before an AP rebootstraps. On the
controller, the GRE tunnel timeout is 1.5 x bootstrap-threshold; the tunnel is
torn down after this number of seconds of inactivity on the tunnel. The
supported range is 1-65535, and the default value is 8.
Request Retry Interval
Interval, in seconds, between the first and second retries of AP-generated
requests. If the configured interval is less than 30 seconds, the interval for
subsequent retries is increased up to 30 seconds.
Maximum Request Retries
Maximum number of times to retry AP-generated requests, including keepalive
messages. After the maximum number of retries, the AP either tries the IP
address specified by the bkup-lms-ip (if configured) or reboots.
Dump Server
(For debugging purposes.) Specifies the server to receive a core dump
generated when an AP process crashes.
Telnet
Select this checkbox to enable telnet to the AP.
SNMP sysContact
SNMP system contact information.
AeroScout RTLS Server
Enables the AP to send RFID tag information to an AeroScout real-time asset
location (RTLS) server. Specify the IP address and port number of the
AeroScout server to which location reports should be sent.
RF Band for AM mode scanning
Scanning band for multiple RF radios.
Ortronics Walljack
Enable or disable the wall jack on Ortronics DuoWJ APs.
Ortronics LED off Time-out
Enable or disable the LED off timeout feature for Ortronics APs.
Ortronics Low Temp
Temperature (in degrees Celsius) at which to restore configured power on
Ortronics APs.
Ortronics High Temp
Temperature (in degrees Celsius) at which to decrease transmit power on
Ortronics APs.
RTLS Server configuration
Enables the AP to send RFID tag information to an RTLS server. You must
specify the IP address and port number of the server to which location reports
are sent, a shared secret key, and the frequency at which packets are sent to
the server.
Remote-AP DHCP Server VLAN
VLAN ID of the remote AP DHCP server used if the controller is unavailable.
This VLAN enables the DHCP server on the AP (also known as the remote AP
DHCP server VLAN). If you enter the native VLAN ID, the DHCP server is
unavailable.
Remote-AP DHCP Server Id
IP address used as the DHCP server identifier.
Remote-AP DHCP Default Router
IP address for the default DHCP router.
Remote-AP DHCP DNS Server
IP address of the DNS server.
Remote-AP DHCP Pool Start
Configures a DHCP pool for remote APs. This is the first IP address of the
DHCP pool.
Remote-AP DHCP Pool End
Configures a DHCP pool for remote APs. This is the last IP address of the
DHCP pool.
Remote-AP DHCP Pool Netmask
Configures a DHCP pool for remote APs. This is the netmask used for the
DHCP pool.
Remote-AP DHCP Lease Time
The number of days that the assigned IP address is valid for the client. Specify
the lease in <days>. A value of 0 indicates the IP address is always valid; the
lease does not expire.
Remote-AP uplink total bandwidth
This is the total reserved uplink bandwidth (in kilobits per second).
Remote-AP bw reservation 1
Remote-AP bw reservation 2
Remote-AP bw reservation 3
Session ACLs with uplink bandwidth reservation in kilobits per second. You
can specify up to three session ACLs to reserve uplink bandwidth. The sum of
the three uplink bandwidths should not exceed the Remote-AP uplink total
bandwidth.
Heartbeat DSCP
DSCP value of AP heartbeats. The supported range is 0-63, and the default
value is 0.
Session ACL
Session ACL configured with the ip access-list session command.
Note: This parameter requires the PEFNG license.
Corporate DNS Domain
Name of domain that is resolved by corporate DNS servers. Use this
parameter when configuring split tunnel.
Maintenance Mode
Enable or disable AP maintenance mode.
This setting is useful when deploying, maintaining, or upgrading the network.
If enabled, APs stop flooding unnecessary traps and syslog messages to
network management systems or network operations centers when deploying,
maintaining, or upgrading the network. The controller still generates debug
syslog messages if debug logging is enabled.
Remote-AP Local Network Access
Enable or disable local network access across VLANs in a Remote-AP.
4. In the Bootstrap threshold field, enter 30.
5. Click Apply.
To configure the bootstrap threshold using the command-line interface, access the CLI in config mode and
issue the following command:
ap system-profile <profile>
bootstrap-threshold 30
Prioritizing AP heartbeats
To prioritize AP heartbeats using the WebUI:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP, then AP system profile. The configuration settings are displayed in Profile
Details.
4. Under Profile Details:
a. In the Heartbeat DSCP field, enter a value greater than zero.
b. Click Apply.
To prioritize AP heartbeats using the command-line interface, access the CLI in config mode and issue the
following command:
ap system-profile <profile>
heartbeat-dscp <number>
AP Redundancy
In conjunction with the controller redundancy features described in Chapter 25, “VRRP,” the information in
this section describes redundancy for APs. Remote APs also offer redundancy solutions via a backup
configuration, backup controller list, and remote AP failback. For more information relevant to remote APs,
see Chapter 7, “Remote Access Points.”
The AP failback feature allows an AP associated with the backup controller (backup LMS) to fail back to
the primary controller (primary LMS) if it becomes available.
If configured, the AP monitors the primary controller by sending probes every 600 seconds by default. If the
AP successfully contacts the primary controller for the entire hold-down period, it will fail back to the
primary controller. If the AP is unsuccessful, the AP maintains its connection to the backup controller,
restarts the LMS hold-down timer, and continues monitoring the primary controller.
The following example assumes:
 You have not configured the LMS or backup LMS IP addresses
 Default values unless otherwise noted.
In the WebUI
Follow the procedure below to use the AP system profile to configure a redundant controller. For additional
information on AP system profile settings, see Table 22 on page 132.
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP to display the AP profiles.
4. Select the AP system profile you want to modify.
5. Under Profile Details:
a. At the LMS IP field, enter the primary controller IP address.
b. At the Backup LMS IP field, enter the backup controller IP address.
c. Click (select) LMS Preemption. This is disabled by default.
6. Click Apply.
In the CLI
ap system-profile <profile>
lms-ip <ipaddr>
bkup-lms-ip <ipaddr>
lms-preemption
ap-group <group>
ap-system-profile <profile>
ap-name <name>
ap-system-profile <profile>
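The hold-down behaviour described above, modelled in Python as an added illustration (this is not ArubaOS code and not taken from this guide). It assumes the guide's default 600-second probe interval, treats each probe as one step of that length, and uses constructed addresses; the class and function names are the example's own.

```python
"""Simulation of AP failback (LMS preemption) with a hold-down period.

Added example, not ArubaOS code. Assumptions (constructed for the example):
- the AP probes the primary LMS once every probe_interval seconds (600 s default);
- it fails back only once the primary has answered every probe for a full
  lms_hold_down_period;
- any failed probe restarts the hold-down timer, as the guide describes.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

DEFAULT_PROBE_INTERVAL = 600  # seconds; guide default for probing the primary LMS


@dataclass
class ApLmsState:
    lms_ip: str                      # primary LMS (lms-ip)
    bkup_lms_ip: str                 # backup LMS (bkup-lms-ip)
    lms_preemption: bool             # lms-preemption enabled?
    lms_hold_down_period: int        # seconds the primary must stay reachable
    probe_interval: int = DEFAULT_PROBE_INTERVAL
    active_lms: str = field(init=False)
    good_seconds: int = field(default=0, init=False)  # time the primary has answered in a row
    log: List[str] = field(default_factory=list, init=False)

    def __post_init__(self) -> None:
        self.active_lms = self.lms_ip

    def primary_lost(self) -> None:
        """The primary LMS stopped answering: fail over to the backup and start monitoring."""
        self.active_lms = self.bkup_lms_ip
        self.good_seconds = 0
        self.log.append(f"failover -> {self.bkup_lms_ip}")

    def probe_result(self, primary_reachable: bool) -> None:
        """Record the outcome of one probe of the primary LMS."""
        if self.active_lms == self.lms_ip or not self.lms_preemption:
            return  # already on the primary, or preemption is disabled: stay put
        if not primary_reachable:
            self.good_seconds = 0  # a miss restarts the LMS hold-down timer
            self.log.append("probe failed: hold-down timer restarted")
            return
        self.good_seconds += self.probe_interval
        if self.good_seconds >= self.lms_hold_down_period:
            self.active_lms = self.lms_ip  # primary stable for the whole hold-down period
            self.good_seconds = 0
            self.log.append(f"failback -> {self.lms_ip}")


def run_scenario(probes: Iterable[bool], hold_down: int, preemption: bool = True) -> ApLmsState:
    """Fail an AP over to its backup, then feed it a sequence of probe outcomes."""
    ap = ApLmsState("192.0.2.1", "192.0.2.2", preemption, hold_down)  # constructed addresses
    ap.primary_lost()
    for ok in probes:
        ap.probe_result(ok)
    return ap


if __name__ == "__main__":
    ap = run_scenario([True, True, False, True, True, True], hold_down=1800)
    print("\n".join(ap.log))
    print("active LMS:", ap.active_lms)
```

With a 1800-second hold-down, the failed third probe in the scenario above discards the 1200 seconds already accumulated, and the AP returns to the primary only after three further successful probes. Without lms-preemption the AP stays on the backup LMS whatever the probes report, which is the behaviour to expect when the checkbox is left at its default.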
AP Maintenance Mode
You can configure APs to suppress traps and syslog messages related to those APs. Known as AP
maintenance mode, this setting in the AP system profile is particularly useful when deploying, maintaining,
or upgrading the network. If enabled, APs stop flooding unnecessary traps and syslog messages to network
management systems or network operations centers during a deployment or scheduled maintenance. The
controller still generates debug syslog messages if debug logging is enabled. After completing the network
maintenance, disable AP maintenance mode to ensure all traps and syslog messages are sent. AP
maintenance mode is disabled by default.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP to display the AP profiles.
4. Select the AP system profile you want to modify.
5. Under Profile Details, do the following:
 To enable AP maintenance mode, check (select) the Maintenance Mode checkbox.
 To disable AP maintenance mode, clear (deselect) the Maintenance Mode checkbox.
6. Click Apply.
In the CLI
To enable AP maintenance mode:
ap system-profile <profile>
maintenance-mode
To disable AP maintenance mode:
ap system-profile <profile>
no maintenance-mode
To view the maintenance mode status of APs, use the following commands:
show ap config {ap-group <name>|ap-name <name>|essid <name>}
show ap debug system-status {ap-name <name>|bssid <name>| ip-addr <ipaddr>}
On the local controller, you can also view maintenance mode status using the following commands:
show ap active {ap-name <name>|essid <name>|ip-addr <ipaddr>}
show ap database
show ap details {ap-name <name>|bssid <name>|ip-addr <ipaddr>}
Managing AP LEDs
AP LEDs can be configured in two modes: normal and off. In normal mode, the AP LEDs will light as
expected. When the mode is set to off, all of the LEDs on the affected APs are disabled.
Disabling LEDs in the WebUI
An AP system profile’s LED operating mode affects LEDs on all APs using that profile.
This option is available on the AP-120 Series, AP-90 Series, AP-105, and the RAP-5.
1. Navigate to the Configuration > Advanced Services> All Profiles page.
2. Select the AP tab and then select the AP system profiles tab.
3. Select the AP system profile you want to modify.
4. Locate the LED operating mode (AP-120 series only) parameter.
5. From the drop-down list, select off.
6. Click Apply.
Enable or Disable LEDs in the CLI
Use the ap system-profile command to disable LEDs for all APs using a particular system profile.
(host) (config)# ap system-profile <profile-name> led-mode {normal | off}
Configuring Blinking LEDs in the CLI
Use the ap-leds command to make the LEDs on a defined set of APs either blink or display in the currently
configured LED operating mode. Note that if the LED operating mode defined in the AP’s system profile is
set to “off”, then the normal parameter in the ap-leds command will disable the LEDs. If the LED operating
mode in the AP system profile is set to “normal”, then the normal parameter in this command allows the
LEDs to light as usual.
(host) (config)# ap-leds {all | ap-group <ap-group> | ap-name <ap-name> | ip-addr <ip address> | wired-mac <mac address>} {global blink|normal}|{local blink|normal}
Managing RF Interference
RF Optimization
Each AP includes an RF Optimization profile that allows you to configure settings for detecting
interference. The controller detects interference near a wireless client station or AP based on an
increase in the frame retry rate or frame receive error rate.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
 If you selected the AP Group tab, click the Edit button by the AP group name for which you want to
configure the RF Optimization profile.
 If you selected the AP Specific tab, click the Edit button by the AP for which you want to create the
RF Optimization profile.
2. Expand the RF Management menu, then expand the RF Optimization Profile menu.
3. Select the profile you want to edit from the Profile Details window pane.
or
Enter a new RF Optimization profile name in the field at the bottom of the Profile Details window, then
click Add. Next, select that profile name from the profile list to edit its parameters.
4. Configure your RF Optimization radio settings. Table 23 describes the parameters. Click Apply to save
your settings.
Table 23 RF Optimization Profile Parameters
Parameter
Description
Station Handoff Assist
Allows the controller to force a client off an AP when the RSSI drops below a
defined minimum threshold.
Default: Disabled
Detect Association Failure
Enables or disables detection of station association failures.
Default: Disabled
Detect interference
Select this checkbox to enable the interference detection.
Default: Disabled
Interference Threshold
Percentage increase in the frame retry rate or frame receive error rate before
interference monitoring begins on a given channel.
Interference Threshold Exceed Time
Amount of time the frame retry rate or frame receive error rate must exceed the
threshold before interference is reported. Max 360000.
Interference Baseline Time
Time, in seconds, the air monitor should learn the state of the link between the
AP and client to create frame retry rate (FRR) and frame receive error rate
(FRER) baselines.
RSSI Falloff Wait Time
Time, in seconds, to wait with decreasing RSSI before a de-authorization
message is sent to the client.
Maximum value: 8 seconds
Default value: 0 seconds
Low RSSI Threshold
Minimum RSSI above which de-authorization messages should never be sent.
RSSI Check Frequency
Interval, in seconds, to sample RSSI.
In the CLI
Use the following command to configure RF Optimization profiles. The parameters are described in Table 23.
rf optimization-profile <profile>
clone <profile>
detect-association-failure
detect-interference
handoff-assist
interference-baseline <seconds>
interference-exceed-threshold <seconds>
interference-threshold <percent>
low-rssi-threshold <number>
no ...
rssi-check-frequency <number>
rssi-falloff-wait-time <seconds>
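The interference detection these parameters control, as an added Python model (this is not ArubaOS code): it learns a baseline over interference-baseline seconds, treats interference-threshold as a percentage increase over that baseline, and reports only after the rate has stayed above the resulting level for interference-exceed-threshold consecutive seconds. The one-sample-per-second assumption, the constructed frame retry rate series and the function name are the example's own.

```python
"""Baseline-and-threshold interference detection, modelled on the RF Optimization
profile parameters interference-baseline, interference-threshold and
interference-exceed-threshold.

Added example, not ArubaOS code. Model assumptions: the frame retry rate (FRR) is
sampled once per second; the baseline is the mean FRR over the first baseline_secs
samples; interference is reported when the FRR has exceeded the baseline by more than
threshold_pct percent for exceed_secs consecutive seconds, once per such run.
"""
from statistics import mean
from typing import List, Sequence

# Constructed FRR series in percent, one sample per second: three quiet seconds to
# learn from, then a burst, a dip, and a longer burst.
CONSTRUCTED_FRR = [10, 10, 10, 16, 16, 12, 16, 16, 16]


def interference_events(frr_samples: Sequence[float], baseline_secs: int,
                        threshold_pct: float, exceed_secs: int) -> List[int]:
    """Return the sample indices (seconds) at which interference would be reported."""
    if baseline_secs < 1 or exceed_secs < 1 or threshold_pct < 0:
        raise ValueError("baseline and exceed times must be >= 1 s, threshold >= 0 %")
    if len(frr_samples) <= baseline_secs:
        return []  # still learning the baseline; nothing can be reported yet
    baseline = mean(frr_samples[:baseline_secs])
    trigger = baseline * (1 + threshold_pct / 100.0)  # FRR level at which monitoring starts
    events: List[int] = []
    above_for = 0      # consecutive seconds the FRR has been above the trigger level
    reported = False   # already reported for the current run above the trigger
    for t in range(baseline_secs, len(frr_samples)):
        if frr_samples[t] > trigger:
            above_for += 1
            if above_for >= exceed_secs and not reported:
                events.append(t)
                reported = True
        else:
            above_for = 0      # the run is broken; the exceed timer starts again
            reported = False
    return events


if __name__ == "__main__":
    # baseline over 3 s, report after a 50 % increase sustained for 2 s
    print(interference_events(CONSTRUCTED_FRR, baseline_secs=3, threshold_pct=50, exceed_secs=2))
```

Run on the constructed series with a 3-second baseline, a 50% threshold and a 2-second exceed time, the model reports at seconds 4 and 7: the one-second dip at second 5 ends the first run, so the second burst has to satisfy the exceed time again. Raising the threshold to 70% makes the 16% samples fall under the trigger level and nothing is reported, which is the trade-off the threshold and exceed time let you tune.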
RF Event Configuration
An AP’s event threshold profile configures Received Signal Strength Indication (RSSI) metrics, including
high and low watermarks for frame error rates and frame retry rates. When certain RF parameters are
exceeded, these events can signal excessive load on the network, excessive interference, or faulty
equipment.
This profile and many of the detection parameters are disabled (value is 0) by default.
The following procedure details the steps to configure RF Event parameters.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
 If you selected the AP Group tab, click the Edit button by the AP group name for which you want to
configure the RF Event profile.
 If you selected the AP Specific tab, click the Edit button by the AP for which you want to create the
RF Event profile.
2. In the Profiles list, expand the RF Management menu, then expand the RF Event Profile menu.
3. To edit an existing RF Event profile, select the profile you want to edit from the Profile Details window
pane.
-or-
4. To create a new profile, enter a new RF Event profile name in the field at the bottom of the Profile
Details window, then click Add. Next, select that profile name from the profile list to edit its
parameters.
5. Configure your settings as detailed in Table 24 and click Apply to save your settings.
Table 24 RF Event Profile Parameters
Parameter
Description
Detect Frame Rate Anomalies
Enables or disables detection of frame rate anomalies. This feature is disabled
by default.
Bandwidth Rate High Watermark
If bandwidth in an AP exceeds this value, a bandwidth exceeded condition
exists. The value represents the percentage of maximum for a given radio.
(For 802.11b, the maximum bandwidth is 7 Mbps. For 802.11 a and g, the
maximum is 30 Mbps.) The recommended value is 85%.
Bandwidth Rate Low Watermark
After a bandwidth exceeded condition exists, the condition persists until
bandwidth drops below this value. The recommended value is 70%.
Frame Error Rate High Watermark
If the frame error rate (as a percentage of total frames in an AP) exceeds this
value, a frame error rate exceeded condition exists. The recommended value
is 16%.
Frame Error Rate Low Watermark
After a frame error rate exceeded condition exists, the condition persists until
the frame error rate drops below this value. The recommended value is 8%.
Frame Fragmentation Rate High Watermark
If the frame fragmentation rate (as a percentage of total frames in an AP)
exceeds this value, a frame fragmentation rate exceeded condition exists.
The recommended value is 16%.
Frame Fragmentation Rate Low Watermark
After a frame fragmentation rate exceeded condition exists, the condition persists until the frame fragmentation rate drops below this value. The recommended value is 8%.
Frame Low Speed Rate High Watermark
If the rate of low-speed frames (as a percentage of total frames in an AP)
exceeds this value, a low-speed rate exceeded condition exists. This could
indicate a coverage hole. The recommended value is 16%.
Frame Low Speed Rate Low Watermark
After a low-speed rate exceeded condition exists, the condition persists until
the percentage of low-speed frames drops below this value. The recommended value is 8%.
Frame Non Unicast Rate High Watermark
If the non-unicast rate (as a percentage of total frames in an AP) exceeds this
value, a non-unicast rate exceeded condition exists. This value depends
upon the applications used on the network.
Frame Non Unicast Rate Low Watermark
After a non-unicast rate exceeded condition exists, the condition persists
until the non-unicast rate drops below this value.
Frame Receive Error Rate High Watermark
If the frame receive error rate (as a percentage of total frames in an AP)
exceeds this value, a frame receive error rate exceeded condition exists. The
recommended value is 16%.
Frame Receive Error Rate Low Watermark
After a frame receive error rate exceeded condition exists, the condition persists until the frame receive error rate drops below this value. The recommended value is 8%.
Frame Retry Rate High Watermark
If the frame retry rate (as a percentage of total frames in an AP) exceeds this
value, a frame retry rate exceeded condition exists. The recommended value
is 16%.
Frame Retry Rate Low Watermark
After a frame retry rate exceeded condition exists, the condition persists until
the frame retry rate drops below this value. The recommended value is 8%.
In the CLI
Use the following command to configure RF event profiles. The available parameters for this profile are
detailed in Table 24.
rf event-thresholds-profile <profile>
bwr-high-wm <percent>
bwr-low-wm <percent>
clone <profile>
detect-frame-rate-anomalies
fer-high-wm <percent>
fer-low-wm <percent>
ffr-high-wm <percent>
ffr-low-wm <percent>
flsr-high-wm <percent>
flsr-low-wm <percent>
fnur-high-wm <percent>
fnur-low-wm <percent>
frer-high-wm <percent>
frer-low-wm <percent>
frr-high-wm <percent>
frr-low-wm <percent>
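How a high/low watermark pair behaves compared with a single threshold, as an added Python example (not ArubaOS code). The recommended values are the ones quoted in Table 24, keyed by the CLI parameter prefixes above; the constructed sample series and the function names are the example's own.

```python
"""High/low watermark evaluation as used by the RF event thresholds profile.

Added example, not ArubaOS code. A condition is raised when a sampled rate exceeds
the high watermark and is cleared only when the rate drops below the low watermark;
samples that land between the two change nothing. Rates are percentages of total
frames (or of the radio maximum for bwr), as in Table 24.
"""
from typing import Dict, List, Sequence, Tuple

# Recommended (high, low) watermarks quoted in Table 24, keyed by CLI parameter prefix.
RECOMMENDED_WM: Dict[str, Tuple[int, int]] = {
    "frr": (16, 8),   # frame retry rate
    "fer": (16, 8),   # frame error rate
    "ffr": (16, 8),   # frame fragmentation rate
    "flsr": (16, 8),  # frame low-speed rate
    "frer": (16, 8),  # frame receive error rate
    "bwr": (85, 70),  # bandwidth rate
}

# Constructed sample series (percent) that hovers around the high watermark.
CONSTRUCTED_SAMPLES = [5, 12, 17, 14, 17, 14, 9, 7, 3]

Event = Tuple[int, str, float]  # (sample index, "exceeded" or "cleared", value)


def watermark_events(samples: Sequence[float], high_wm: float, low_wm: float) -> List[Event]:
    """Evaluate samples with hysteresis and return the state transitions."""
    if not 0 <= low_wm < high_wm <= 100:
        raise ValueError("require 0 <= low-wm < high-wm <= 100")
    events: List[Event] = []
    exceeded = False
    for i, value in enumerate(samples):
        if not exceeded and value > high_wm:
            exceeded = True                      # condition raised
            events.append((i, "exceeded", value))
        elif exceeded and value < low_wm:
            exceeded = False                     # condition cleared
            events.append((i, "cleared", value))
    return events


def single_threshold_events(samples: Sequence[float], threshold: float) -> List[Event]:
    """The same samples judged against one threshold only, for comparison."""
    events: List[Event] = []
    exceeded = False
    for i, value in enumerate(samples):
        now = value > threshold
        if now != exceeded:
            events.append((i, "exceeded" if now else "cleared", value))
            exceeded = now
    return events


def evaluate(metric: str, samples: Sequence[float]) -> List[Event]:
    """Apply the Table 24 recommended watermarks for a metric such as 'frr'."""
    high, low = RECOMMENDED_WM[metric]
    return watermark_events(samples, high, low)


if __name__ == "__main__":
    print("watermarks:", evaluate("frr", CONSTRUCTED_SAMPLES))
    print("single threshold:", single_threshold_events(CONSTRUCTED_SAMPLES, 16))
```

On the constructed series the watermark pair raises the frame retry condition once at 17% and clears it once at 7%, while a single 16% threshold flaps four times over the same samples. That is why each rate in the profile carries both a high and a low watermark.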
AP Channel Assignments
20 MHz and 40 MHz Static Channel Assignments
With the implementation of the high-throughput IEEE 802.11n standard, 40 MHz channels were added in
addition to the existing 20 MHz channel options. Available 20 MHz and 40 MHz channels are dependent on
the country code entered in the regulatory domain profile.
The following channel configurations are now available in ArubaOS:
 A 20 MHz channel assignment consists of a single 20 MHz channel assignment. This channel assignment
is valid for 802.11a/b/g and for 802.11n 20 MHz mode of operation.
 A 40 MHz channel assignment consists of two 20 MHz channels bonded together (a bonded pair). This
channel assignment is valid for 802.11n 40 MHz mode of operation and is most often utilized on the
5 GHz frequency band.
If high-throughput is disabled, a 40 MHz channel assignment can be configured, but only the primary
channel assignment is utilized. The 20 MHz clients can also associate using this configuration, but only
the primary channel is utilized.
Table 25 20 MHz and 40 MHz Static Channel Configuration Options
WebUI: Channel Text Field, None Radio Button
CLI: channel <num>
Definition: Entering a channel number in the CLI, or entering a channel number in
the WebUI and selecting the None radio button, disables 40 MHz
mode and activates 20 MHz mode for the entered channel.

WebUI: Channel Text Field, Above Radio Button
CLI: channel <num>+
Definition: Entering a channel number with a plus (+) sign in the CLI, or entering a
channel number and selecting the Above radio button in the WebUI,
selects a primary and secondary channel for 40 MHz mode.
The number entered becomes the primary channel and the secondary
channel is determined by increasing the primary channel number by 4.
Example: 157+ represents 157 as the primary channel and 161 as the
secondary channel.

WebUI: Channel Text Field, Below Radio Button
CLI: channel <num>-
Definition: Entering a channel number with a minus (-) sign in the CLI, or entering
a channel number and selecting the Below radio button in the WebUI,
selects a primary and secondary channel for 40 MHz mode.
The number entered becomes the primary channel and the secondary
channel is determined by decreasing the primary channel number by 4.
Example: 157- represents 157 as the primary channel and 153 as the
secondary channel.
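A parser for the channel syntax in Table 25, added here as an example (it is not ArubaOS code). The channel set it validates against is an illustrative assumption of the example; the real list of available channels comes from the country code in the regulatory domain profile.

```python
"""Parser for the static channel syntax of the radio profile: <num>, <num>+ or <num>-.

Added example, not ArubaOS code. It applies the rule from Table 25: no suffix selects
20 MHz mode; '+' bonds the entered primary channel with primary + 4 as the secondary
channel; '-' bonds it with primary - 4. The channel set below is an illustrative
assumption used only to reject pairs whose channels do not exist; the real set comes
from the country code in the regulatory domain profile.
"""
import re
from typing import FrozenSet, Optional, Tuple

# Constructed, illustrative channel numbers (2.4 GHz channels 1-11 and two 5 GHz
# sub-bands). Assumption for the example; the actual list depends on the regulatory domain.
EXAMPLE_CHANNELS: FrozenSet[int] = frozenset(range(1, 12)) | frozenset(
    {36, 40, 44, 48, 149, 153, 157, 161, 165})

_SPEC = re.compile(r"^(\d+)([+-]?)$")

ChannelPlan = Tuple[int, Optional[int], int]  # (primary, secondary or None, width in MHz)


def parse_channel(spec: str, valid: FrozenSet[int] = EXAMPLE_CHANNELS) -> ChannelPlan:
    """Turn '36+', '157-' or '1' into (primary, secondary, width)."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"malformed channel spec {spec!r}")
    primary, suffix = int(m.group(1)), m.group(2)
    if primary not in valid:
        raise ValueError(f"channel {primary} is not available in this regulatory domain")
    if suffix == "":
        return primary, None, 20          # 20 MHz mode; 40 MHz mode disabled
    secondary = primary + 4 if suffix == "+" else primary - 4
    if secondary not in valid:
        raise ValueError(f"cannot bond {spec!r}: secondary channel {secondary} is not available")
    return primary, secondary, 40         # 40 MHz mode (bonded pair)


def format_channel(primary: int, secondary: Optional[int]) -> str:
    """Inverse of parse_channel: the argument for 'channel <num>[+|-]' in the CLI."""
    if secondary is None:
        return str(primary)
    if secondary - primary == 4:
        return f"{primary}+"
    if primary - secondary == 4:
        return f"{primary}-"
    raise ValueError("secondary channel must be exactly 4 channel numbers from the primary")


if __name__ == "__main__":
    for spec in ("36+", "157-", "1"):
        primary, secondary, width = parse_channel(spec)
        print(f"{spec:>5}: primary {primary}, secondary {secondary}, {width} MHz")
```

Given the illustrative channel set, 36+ yields the pair 36/40 and 157- the pair 157/153, matching the examples in the table, while 165+ is rejected because the secondary channel 169 is not in the set; with the real regulatory list the same check catches a bonded pair that the country code does not allow.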
The example in this section illustrates a static channel assignment and assumes that the radio and
regulatory domain profiles being configured were previously created and assigned to an existing AP group
named “ht-corpnet-ap.” These settings also allow for the default ARM profile settings (see “Automatic
Channel and Transmit Power Selection Using ARM” on page 159) and Aruba’s recommended high-throughput channel assignments for the 802.11a and 802.11b/g bands:
1. Enter a valid country code (US) for the “default” regulatory domain profile. This will determine the
available channels.
2. Configure a 40 MHz channel (bonded pair) for an 802.11a (5 GHz) radio profile named “ht-corpnet-a.”
3. Configure a 20 MHz channel for an 802.11g (2.4 GHz) radio profile named “ht-corpnet-g.”
If you want the channel assignments to utilize high-throughput, ensure that high-throughput is enabled within the
radio profile. For details, see “force-disassoc” on page 164.
In the WebUI
1. Navigate to Configuration > Wireless > AP Configuration > AP Group page.
2. Click Edit for the AP group ht-corpnet-ap.
3. Under the Profiles list, select AP to display the AP profiles.
4. Select the Regulatory Domain profile named “default.”
5. Select US - United States from the Country Code drop-down menu.
6. Click Apply.
7. Under the Profiles list, select RF Management to display the radio profiles.
8. Select the 802.11a radio profile named “ht-corpnet-a.”
9. Enter 36 in the Channel text field and select the Above radio button. In this instance, channel 36
becomes the primary channel and the secondary channel is 40.
10. Click Apply.
11. Select the 802.11g radio profile named “ht-corpnet-g.”
12. Enter 1 in the Channel text field and select the None radio button. In this instance, channel 1 is the
assigned 20 MHz channel and 40 MHz mode is disabled. Click Apply.
In the CLI
ap regulatory-domain-profile default
country-code US
rf dot11a-radio-profile ht-corpnet-a
channel 36+
rf dot11g-radio-profile ht-corpnet-g
channel 1
Channel Switch Announcement (CSA)
When an AP changes its channel, existing wireless clients may “time out” while waiting to receive a new
beacon from the AP; the client must begin scanning to discover the new channel on which the AP is
operating. If the disruption is long enough, the client may need to reassociate, reauthenticate, and re-request an IP address. Channel Switch Announcement (CSA), as defined by IEEE 802.11h, enables an AP to
announce that it is switching to a new channel before it begins transmitting on that channel. This allows
clients that support CSA to transition to the new channel with minimal downtime.
When CSA is enabled, the AP does not change to a new channel immediately. Instead, it sends a number of
beacons (the default is 4) which contain the CSA announcement before it switches to the new channel. You
can configure the number of announcements sent before the change.
Clients must support CSA in order to track the channel change without experiencing disruption.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Select RF Management in the Profile list.
4. Select the 802.11a or 802.11g radio profile.
5. Select Enable CSA. You can configure a different value for CSA Count.
6. Click Apply.
In the CLI
rf radio-profile <profile>
csa
csa-count <number>
Automatic Channel and Transmit Power Selection
To allow automatic channel and transmit power selection based on the radio environment, enable Adaptive
Radio Management (ARM). Note that ARM assignments will override the static channel and power
configurations done using the radio profile. For complete information on the Adaptive Radio Management
feature, refer to Chapter 6, “Adaptive Radio Management (ARM)” on page 171.
AP Console Settings
An AP’s provisioning parameters are unique to each AP. These parameters are initially configured on the
controller and then pushed out to the AP and stored on the AP itself. Best practices are to configure an
AP’s provisioning settings using the controller WebUI. If you find it necessary to alter an AP’s
provisioning settings for troubleshooting purposes, you can do so using the controller WebUI and CLI, or
alternatively, through a console connection to the AP itself.
To create a console connection to the AP:
1. Connect a local console to the serial port on the AP. You can connect the AP’s serial port to a terminal or
terminal server using an Ethernet cable, or connect the serial console port to a DB-9 adapter, then
connect the adapter to a laptop using an RS-232 cable. For details on connecting to an AP’s serial
console port, refer to the Installation Guide included with the AP.
2. Establish a console communication to the AP, then power-cycle the AP to reboot it.
3. To access the AP console command prompt, press Enter when the AP displays the message “Hit
<Enter> to stop autoboot.” If the autoboot countdown expires before you can interrupt it, turn the
device off and then back on.
4. Once the AP boot prompt appears, you can issue any of the AP provisioning commands described in the
Table 26. Remember, though these commands may be useful for troubleshooting, they are all optional
and are not necessary for normal AP provisioning.
Table 26 AP Console Commands
Command
Description
setenv ipaddr <ipaddr>
IP address to be assigned to the AP.
setenv netmask <netmaskip>
Netmask to be assigned to the AP.
setenv gatewayip <ipaddr>
IP address of the internet gateway used by the AP.
setenv name <ap name>
Name of the AP.
setenv group <group name>
Name of the AP group to which the AP should belong.
setenv master <ipaddr>
IP address of the AP’s master controller.
setenv serverip <ipaddr>
IP address of the TFTP server from which the AP can download its boot image.
setenv dnsip <ipaddr>
IP address of the DNS server used by the AP.
setenv domainname <domain>
Domain name used by the AP.
Other AP console commands may be available when accessing an AP directly through its console port, but these
commands can cause configuration errors if used improperly and should only be issued under the direct supervision
of Aruba technical support.
5. When you are finished, type Save and then press Enter to save your settings.
The example below configures an AP location and domain name using an AP console connection:
Hit <Enter> to stop autoboot: 0
apboot> <INTERRUPT>
apboot>setenv group corporate2
apboot>setenv domainname mycompany.com
apboot>save
apboot>reboot
To view current AP settings using the AP console, issue the command printenv <name> where <name> is
one of the variable names listed in Table 26, such as ipaddr, dnsip or gatewayip.
apboot> printenv domainname
domainname=mycompany.com
Chapter 5
Virtual APs
APs advertise WLANs to wireless clients by sending out beacons and probe responses that contain the
WLAN’s SSID and supported authentication and data rates. When a wireless client associates to an AP, it
sends traffic to the AP’s Basic Service Set Identifier (BSSID) which is usually the AP’s MAC address.
In the Aruba network, an AP uses a unique BSSID for each WLAN. Thus a physical AP can support multiple
WLANs. The WLAN configuration applied to a BSSID on an AP is called a virtual AP. You can configure and
apply multiple virtual APs to an AP group or to an individual AP by defining one or more virtual AP profiles.
This chapter describes the following topics:
 “Virtual AP Profiles” on page 145
 “Configuring a Virtual AP” on page 146
 “Configuring a High-Throughput Virtual AP” on page 164
Virtual AP Profiles
You can configure virtual AP profiles to provide different network access or services to users on the same
physical network. For example, you can configure a WLAN to provide access to guest users and another
WLAN to provide access to employee users through the same APs. You can also configure a WLAN that
offers open authentication and Captive Portal access with data rates of 1 and 2 Mbps and another WLAN
that requires WPA authentication with data rates of up to 11 Mbps. You can apply both virtual AP
configurations to the same AP or an AP group (see Figure 21).
Figure 21 Virtual AP Configurations Applied to the same AP (figure: one AP carrying a “guest” virtual AP, open system using Captive Portal, and an “employee” virtual AP with WPA2 authentication)
You can apply the same virtual AP profiles to one or more AP groups. For example, there are users in both
Edmonton and Toronto that access the same “Corpnet” WLAN. Note that if your WLAN requires
authentication to an external server, you may want to have users who associate with the APs in Toronto
authenticate with their local servers. In this case, you can configure two slightly different AAA profiles: one
that references authentication servers in Edmonton and the other that references servers in Toronto
(see Table 27).
Table 27 Applying WLAN Profiles to AP Groups
WLAN Profiles    “default” AP Group    “Toronto” AP Group
Virtual AP       “Corpnet-E”           “Corpnet-T”
SSID             “Corpnet”             “Corpnet”
AAA              “E-Servers”           “T-Servers”
When you assign a profile to an individual AP, the values in the profile override the profile assigned to the
AP group to which the AP belongs. The exception is the virtual AP profile. You can apply multiple virtual AP
profiles to individual APs, as well as to AP groups.
You can exclude one or more virtual AP profiles from an individual AP. This prevents a virtual AP, defined
at the AP group level, from being applied to a specific AP. For example, you can apply the virtual AP profile
that corresponds to the “Corpnet” SSID to the “default” AP group. If you do not want the “Corpnet” SSID to
be advertised on the AP in the lobby, you can specify the virtual AP profile that contains the “Corpnet” SSID
configuration be excluded from that AP.
Figure 22 Excluding a Virtual AP Profile from an AP (figure: the “Corpnet” virtual AP profile applied to the “DEFAULT” AP group but not to one AP in that group)
Excluding a virtual AP profile from an AP in the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration > AP Specific page.
2. Do one of the following:
 If the AP you want to exclude is included in the list, click Edit for the AP.
 If the AP does not appear in the list, click New. Either type in the name of the AP, or select the AP
from the drop-down list. Then click Add.
3. Select Wireless LAN under the Profiles list, then select Excluded Virtual AP.
4. Select the name of the virtual AP profile you want to exclude from the drop down menu (under Profile
Details) and click Add. The profile name appears in the Excluded Virtual APs list. You can add
multiple profile names in the same way.
5. To remove a profile name from the Excluded Virtual APs list, select the profile name and click Delete.
6. Click Apply.
Excluding a virtual AP profile from an AP in the CLI
ap-name <name>
  exclude-virtual-ap <profile>
Configuring a Virtual AP
This section includes examples of how to create virtual APs for a specific AP as well as for the “default” AP
group, which includes all APs discovered by the controller. The configuration in this example contains the
following WLANs:
- An 802.11a/b/g SSID called “Corpnet” that uses WPA2 and is available on all APs in the network
- An 802.11a/b/g SSID called “Guest” that uses open system authentication and is only available on the AP
  “building3-lobby” (this AP will support both the “Corpnet” and “Guest” SSIDs)
Each WLAN requires a different SSID profile that maps into a separate virtual AP profile. For the SSID
“Corpnet”, which will use WPA2, you need to configure an AAA profile that includes 802.1x authentication
and an 802.1x authentication server group.
Because all APs discovered by the controller belong to the AP group called “default”, you assign the virtual
AP profile that contains the SSID profile “Corpnet” to the “default” AP group. For the “Guest” SSID, you
configure a new virtual AP profile that you assign to the AP named “building3-lobby”. Table 28 lists the
profiles that you need to modify or create for these examples.
Table 28 Profiles for Example Configuration

AP Group/Name: “default”
  Virtual AP Profile: “corpnet”
    VLAN: 1
    SSID profile: “corpnet”
    AAA profile: “corpnet”
  SSID Profile: “corpnet”
    SSID: Corpnet
    WPA2
  AAA Profile: “corpnet”
    802.1x authentication default role: “employee”
    802.1x authentication server group: “corpnet”
      - Radius1
      - Radius2

AP Group/Name: “building3-lobby”
  Virtual AP Profile: “guest”
    VLAN: 2
    Deny Time Range
    SSID profile: “guest”
    AAA profile: “default-open”
  SSID Profile: “guest”
    SSID: Guest
    Open system
  AAA Profile: “default-open”
    (This is a predefined, read-only AAA profile that specifies open system authentication)
Configuring the WLAN
In this example WLAN, users are validated against a corporate database on a RADIUS authentication server
before they are allowed access to the network. Once validated, users are placed into a specified VLAN
(VLAN 1 in this example) and assigned the user role “employee” that permits access to the corporate
network.
Aruba recommends that you assign a unique name to each virtual AP, SSID, and AAA profile that you modify. In this
example, you use the name “corpnet” to identify each of the profiles.
Follow the steps below to configure the Corpnet WLAN. Each of these steps is described in further detail
later in this document.
1. Configure a policy for the user role employee and configure the user role employee with the specified
policy.
2. Configure RADIUS authentication servers and assign them to the corpnet 802.1x authentication server
group.
3. Configure authentication for the WLAN.
a. Create the corpnet 802.1x authentication profile.
b. Create the AAA profile corpnet and specify the previously-configured employee user role for the
802.1x authentication default role.
c. Specify the previously-configured corpnet 802.1x authentication server group.
4. For the AP group “default”, create and configure the virtual AP corpnet.
a. Create a new virtual AP profile corpnet.
b. Select the previously-configured corpnet AAA profile for this virtual AP.
c. Create a new SSID profile corpnet to configure “Corpnet” for the SSID name and WPA2 for the
authentication.
The following sections describe how to do this using the WebUI and the CLI.
Configuring the User Role
In this example, the employee user role allows unrestricted access to network resources and is granted
only to users who have been successfully authenticated with an external RADIUS server. You can configure
a more restrictive user role by specifying allowed or disallowed source and destination, protocol, and
service for the traffic. For more information about configuring user roles, see “User Roles” on page 336.
In the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to add a new policy. Enter the name of the policy.
Default settings for a policy rule permit all traffic from any source to any destination, but you can make
a rule more restrictive. You can also configure multiple rules; the first rule in a policy that matches the
traffic is applied. Click Add to add a rule. When you are done adding rules, click Apply.
3. Click the User Roles tab. Click Add to add a new user role. Enter the name of the role. Under Firewall
Policies, click Add. In the Choose from Configured Policies drop-down list, select the policy you
previously created. Click Done.
4. Click Apply.
In the CLI
ip access-list session <policy>
  <source> <dest> <service> <action>
user-role employee
  access-list session <policy>
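The CLI above defines a policy as an ordered list of rules, and the WebUI steps note that the first rule matching the traffic is the one applied. The following Python script is an added example written for this guide, not Aruba code: it evaluates a policy with first-match semantics and flags any rule that an earlier, broader rule makes unreachable, which is how a deny placed after the default permit-any rule ends up never firing. The service labels (svc-telnet, svc-http), the user alias and the sample addresses are constructed; treating an unmatched flow as denied is an assumption that follows the implicit deny at the end of a session ACL.

```python
# Added example for this guide, not Aruba code: first-match evaluation of session
# ACL rules in the "<source> <dest> <service> <action>" form quoted above, plus a
# check for rules that an earlier rule shadows. Service names, the "user" alias and
# the addresses below are constructed labels, not looked up in ArubaOS.
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str, str]   # (source, dest, service, action)


def field_matches(pattern: str, value: str) -> bool:
    """'any' matches everything; otherwise the label must match exactly."""
    return pattern == "any" or pattern == value


def evaluate(policy: List[Rule], src: str, dst: str, svc: str) -> Optional[str]:
    """Action of the first rule that matches the flow, or None when no rule
    matches (assumed denied: a session ACL ends in an implicit deny)."""
    for s, d, v, action in policy:
        if field_matches(s, src) and field_matches(d, dst) and field_matches(v, svc):
            return action
    return None


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every flow that `narrow` could match is already matched by `broad`."""
    return all(b == "any" or b == n for b, n in zip(broad[:3], narrow[:3]))


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indexes of rules that can never be the first match because an earlier
    rule covers them; such rules are dead configuration."""
    return [j for j in range(len(policy))
            if any(covers(policy[i], policy[j]) for i in range(j))]


# Constructed policies. The WebUI default rule permits any source to any
# destination; placing it first makes the deny below it unreachable.
PERMISSIVE_FIRST: List[Rule] = [
    ("any", "any", "any", "permit"),
    ("user", "any", "svc-telnet", "deny"),
]
DENY_FIRST: List[Rule] = [
    ("user", "any", "svc-telnet", "deny"),
    ("any", "any", "any", "permit"),
]

if __name__ == "__main__":
    print(evaluate(PERMISSIVE_FIRST, "user", "10.0.0.5", "svc-telnet"))  # permit
    print(evaluate(DENY_FIRST, "user", "10.0.0.5", "svc-telnet"))        # deny
    print(shadowed_rules(PERMISSIVE_FIRST))                              # [1]
    print(shadowed_rules(DENY_FIRST))                                    # []
```

Running shadowed_rules over a policy before applying it catches the ordering mistake at review time rather than after a client reaches a service the role was meant to block.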
Configuring Authentication Servers
This example uses RADIUS servers for the client authentication. You need to specify the hostname and IP
address for each RADIUS server and the shared secret used to authenticate communication between the
server and the controller. After configuring authentication servers, assign them to the corpnet server
group, an ordered list of the servers to be used for 802.1x authentication.
For more information about configuring authentication servers, see “Configuring Servers” on page 274.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Radius Server to display the Radius Server List.
3. Enter the name of the server, and click Add. The server name appears in the list of servers.
4. Select the server name. Enter the IP address and shared secret for the server. Select the Mode checkbox
to activate the authentication server.
5. Click Apply to apply the configuration.
6. Select Server Group on the Servers page.
7. Enter the name of the group, and click Add. The server group name appears in the list of server groups.
8. Select the server group name. Click New to add a server to the group. Under Server Name, select the
server you just configured and click Add.
9. Click Apply to apply the configuration.
In the CLI
aaa authentication-server radius Radius1
  host <ipaddr>
  key <key>
  enable
aaa server-group corpnet
  auth-server Radius1
Configuring Authentication
In this example, you create the 802.1x authentication profile corpnet. The AAA profile configures the
authentication for a WLAN. The AAA profile defines the type of authentication (802.1x in this example), the
authentication server group, and the default user role for authenticated users.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. Select
802.1x Authentication Profile.
a. In the 802.1x Authentication Profile list on the right window pane, enter corpnet in the entry blank at
the bottom of the list, and click Add.
b. Select the corpnet 802.1x authentication profile you just created.
c. You can configure parameters in the Basic or Advanced tabs. These parameters are described in
detail in Table 55. For this example, you use the default values, so click Apply.
2. Select the AAA Profiles tab.
a. Scroll down to the bottom of the AAA Profiles Summary pane, then click Add. An entry blank
appears.
b. Enter corpnet, then click Add.
c. Scroll back up the AAA Profiles Summary pane, and select the corpnet AAA profile you just created.
d. For this example, change the 802.1x Authentication Default Role: select the employee role you
previously configured. You can also configure the other AAA profile parameters (see Table 29).
e. Click Apply.
Table 29 AAA Profile Parameters

Initial role
  Click the Initial Role drop-down list and select a role for unauthenticated users. The default
  role for unauthenticated users is logon.

MAC Authentication Default Role
  Click the MAC Authentication Default Role drop-down list and select the role assigned to the user
  when the device is MAC authenticated. The default role for MAC authentication is the guest user
  role. If derivation rules are present, the role assigned to the client through these rules takes
  precedence over the default role.
  Note: This feature requires the PEFNG license.

802.1X Authentication Default Role
  Click the 802.1X Authentication Default Role drop-down list and select the role assigned to the
  client after 802.1x authentication. The default role for 802.1x authentication is the guest user
  role. If derivation rules are present, the role assigned to the client through these rules takes
  precedence over the default role.
  Note: This feature requires the PEFNG license.

RADIUS Interim Accounting
  When this option is enabled, the RADIUS accounting feature allows the controller to send
  Interim-Update messages with current user statistics to the server at regular intervals. This
  option is disabled by default, allowing the controller to send only start and stop messages to
  the RADIUS accounting server.

User derivation rules
  Click the User derivation rules drop-down list and specify a user attribute profile from which
  the user role or VLAN is derived.

Wired to Wireless Roaming
  Enable this feature to keep users authenticated when they roam from the wired side of the
  network. This feature is enabled by default.

SIP authentication role
  Click the SIP authentication role drop-down list and specify the role assigned to a session
  initiation protocol (SIP) client upon registration.
  Note: This feature requires the PEFNG license.

Device Type Classification
  When you select this option, the controller will parse user-agent strings and attempt to identify
  the type of device connecting to the AP. When device type classification is enabled, the Global
  client table shown in the Monitoring > Network > All WLAN Clients window shows each client’s
  device type, if that client device can be identified.

Enforce DHCP
  When you select this option, clients must obtain an IP address using DHCP before they are allowed
  to associate to an AP. Enable this option when you create a user rule that assigns a specific
  role or VLAN based upon the client device’s type. For details, see “User-Derived Roles or VLANs”
  on page 341.
  Note: If a client is removed from the user table by the “Logon user lifetime” AAA timer, then
  that client will not be able to send traffic until it renews its DHCP lease.
3. Select the 802.1x Authentication Profile under the corpnet AAA profile to reveal the 802.1X
Authentication Profile pane.
a. Click the 802.1X Authentication Profile drop-down list and select corpnet.
b. Click Apply.
4. Select the 802.1x Authentication Server Group under the corpnet AAA profile to reveal the 802.1X
Authentication Server Group pane.
a. Click the 802.1X Authentication Server Group drop-down list and select the corpnet server
group you previously configured.
b. Click Apply.
In the CLI
aaa authentication dot1x corpnet
aaa profile corpnet
  authentication-dot1x corpnet
  dot1x-default-role employee
  dot1x-server-group corpnet
  radius-interim-accounting
Applying the Virtual AP
In this example, you apply the corpnet virtual AP to the “default” AP group which consists of all APs.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration > AP Group page.
2. Click Edit for the “default” AP group.
3. Select Wireless LAN (under Profiles), then select Virtual AP.
4. Select New from the Add a profile drop-down menu. Enter the name for the virtual AP profile (for
example, corpnet), and click Add.
Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID
profile with the default “Aruba-ap” ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile
before you apply the profile.
5. Click the new Virtual AP name in the Profiles list or the Profile Details to display the configuration
parameters defined in Table 30.
6. Verify that Virtual AP enable is selected; select 1 for the VLAN.
7. Click Apply.
Table 30 Virtual AP Profile Parameters

Virtual AP enable
  Select the Virtual AP enable checkbox to enable or disable the virtual AP.

Allowed band
  The band(s) on which to use the virtual AP:
  - a: 802.11a band only (5 GHz).
  - g: 802.11b/g band only (2.4 GHz).
  - all: both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). This is the default setting.

VLAN
  The VLAN(s) into which users are placed in order to obtain an IP address. Click the drop-down
  list to select a configured VLAN, then click the arrow button to associate that VLAN with the
  virtual AP profile.

Forward mode
  This parameter controls whether data is tunneled to the controller using generic routing
  encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination
  thereof depending on the destination (corporate traffic goes to the controller, and Internet
  access remains local). All forwarding modes support band steering, TSPEC/TCLAS enforcement,
  802.11k and station blacklisting.
  Click the drop-down list to select one of the following forward modes:
  - Tunnel: The AP handles all 802.11 association requests and responses, but sends all 802.11
    data packets, action frames and EAPOL frames over a GRE tunnel to the controller for
    processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11
    frames and applies firewall rules to the user traffic as usual. Both remote and campus APs
    can be configured in tunnel mode.
  - Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP
    is in bridge mode, the AP (and not the controller) handles all 802.11 association requests
    and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and
    802.11k action frames are also processed by the AP, which then sends out responses as
    needed.
    An AP in bridge mode does not support captive portal authentication. Both remote and campus
    APs can be configured in bridge mode. Note that you must enable the control plane security
    feature on the controller before you configure campus APs in bridge mode.
  - Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination
    (corporate traffic goes to the controller, and Internet access remains local).
    A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and
    responses, encryption/decryption, and firewall enforcement. The 802.11e and 802.11k action
    frames are also processed by the remote AP, which then sends out responses as needed.
  - Decrypt-Tunnel: Both remote and campus APs can be configured in decrypt-tunnel mode. When an
    AP uses decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames
    from a client and sends the 802.3 frames through the GRE tunnel to the controller, which
    then applies firewall policies to the user traffic. When the controller sends traffic to a
    client, the controller sends 802.3 traffic through the GRE tunnel to the AP, which then
    converts it to encrypted 802.11 and forwards it to the client. This forwarding mode allows
    a network to utilize the encryption/decryption capacity of the AP while reducing the demand
    for processing resources on the controller.
    APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and
    responses, and process all 802.11e and 802.11k action frames. APs using decrypt-tunnel mode
    do have some limitations that are not present for APs in regular tunnel forwarding mode.
    You must enable the control plane security feature on the controller before you configure
    campus APs in decrypt-tunnel forward mode.
  Note: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots 2-4 on
  the controller. Key slot 1 should only be used with Virtual APs in tunnel mode.

Deny time range
  Click the drop-down list and select a configured time range for which the AP will deny access.
  If you have not yet configured a time range, navigate to Configuration > Security > Access
  Control > Time Ranges to define a time range before configuring this setting in the virtual AP
  profile.

Mobile IP
  Enables or disables IP mobility for this virtual AP.
  Default: Enabled

HA Discovery on-association
  If enabled, all clients of a virtual AP will receive mobility service on association.
  Default: Disabled

DoS Prevention
  If enabled, APs ignore deauthentication frames from clients. This prevents a successful
  deauthorization attack from being carried out against the AP. This does not affect third-party
  APs.
  Default: Disabled

Station Blacklisting
  Select the Station Blacklisting checkbox to enable detection of denial of service (DoS) attacks,
  such as ping or SYN floods, that are not spoofed deauthorization attacks.
  Default: Enabled

Blacklist Time
  Number of seconds that a client is quarantined from the network after being blacklisted.
  Default: 3600 seconds (1 hour)

Multicast Optimization for Video
  Enable/Disable dynamic multicast optimization. This parameter is disabled by default, and cannot
  be enabled without the PEFNG license.

Multicast Optimization Threshold
  Maximum number of high-throughput stations in a multicast group beyond which dynamic multicast
  optimization stops.
  Range: 2-255 stations
  Default: 6 stations

Authentication Failure Blacklist Time
  Time, in seconds, a client is blocked if it fails repeated authentication. The default setting
  is 3600 seconds (1 hour). A value of 0 blocks the client indefinitely.

Multi Association
  Enables or disables multi-association for this virtual AP. When enabled, this feature allows a
  station to be associated to multiple APs. If this feature is disabled, when a station moves to a
  new AP it will be de-authorized by the AP to which it was previously connected, deleting station
  context and flushing key caching information.
  Important things to know when using the Multi Association feature:
  - When enabled, the system allows multiple associations per client. If the maximum number of
    clients allowed per AP is limited to a small number, there is a risk of increased association
    failures.
  - If a client has multiple associations, it may not do active scanning before a roaming event,
    which could result in it not being associated to the nearest AP.
  - Multiple associations may result in more frequent roaming.

Strict Compliance
  If enabled, the AP denies client association requests if the AP and client station have no
  common rates defined. Some legacy client stations which are not fully 802.11-compliant may not
  include their configured rates in their association requests. Such non-compliant stations may
  have difficulty associating with APs unless strict compliance is disabled. This parameter is
  disabled by default.

VLAN Mobility
  Enable or disable VLAN (Layer-2) mobility.
  Default: Disabled

Remote-AP Operation
  Configures when the virtual AP operates on a remote AP:
  - always: Permanently enables the virtual AP (Bridge Mode only). No authentication supported.
  - backup: Enables the virtual AP if the remote AP cannot connect to the controller (Bridge Mode
    only). No authentication supported.
  - persistent: Permanently enables the virtual AP after the remote AP initially connects to the
    controller (Bridge Mode only).
  - standard: Enables the virtual AP when the remote AP connects to the controller. Use the
    standard option for tunneled, split-tunneled, and Bridge SSIDs.
  Note: Only open/PSK security mode is allowed for always/backup RAP operation. No authentication
  is supported for always/backup.

Drop Broadcast and Multicast
  Select the Drop Broadcast and Multicast checkbox to filter out broadcast and multicast traffic
  in the air.
  Do not enable this option for virtual APs configured in bridge forwarding mode. This
  configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel
  mode, all packets travel to the controller, so the controller is able to drop all broadcast
  traffic. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays
  local to the AP, and the controller is not able to filter out that broadcast traffic.
  IMPORTANT: If you enable this option, you must also enable the Broadcast-Filter ARP parameter
  in the stateful firewall configuration to prevent ARP requests from being dropped. To enable
  this setting:
  1. Navigate to Configuration > Stateful Firewall.
  2. Click the Global Setting tab.
  3. Select the Broadcast-Filter ARP checkbox.
  4. Click Apply to save your settings before you return to the Virtual AP Profile.
  Note also that although a virtual AP profile can be replicated from a master controller to
  local controllers, stateful firewall settings are not. If you select the Drop Broadcast and
  Multicast option for a Virtual AP Profile on a master controller, you must enable the
  Broadcast-Filter ARP setting on each individual local controller.

Convert Broadcast ARP requests to unicast
  If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client.
  You can check the status of this option using the show ap active and show datapath tunnel
  commands. If enabled, the output will display the letter a in the flags column. This parameter
  is disabled by default.
  Do not enable this option for virtual APs configured in bridge forwarding mode. This
  configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel
  mode, all packets travel to the controller, so the controller is able to convert ARP requests
  directed to the broadcast address into unicast.
  When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to
  the AP, and the controller is not able to convert that broadcast traffic.

Deny inter user traffic
  Select this checkbox to deny traffic between the clients using this virtual AP profile.
  The global firewall settings shown in the Configuration > Advanced Services > Stateful Firewall
  > Global window also include an option to deny all inter-user traffic, regardless of the
  virtual AP profile used by those clients.
  If the global setting to deny inter-user traffic is enabled, all inter-user traffic between
  clients will be denied, regardless of the settings configured in the virtual AP profiles. If
  the setting to deny inter-user traffic is disabled globally but enabled on an individual
  virtual AP, only the traffic between un-trusted users and the clients on that particular
  virtual AP will be blocked.

Band Steering
  ARM’s band steering feature encourages dual-band capable clients to stay on the 5 GHz band on
  dual-band APs. This frees up resources on the 2.4 GHz band for single-band clients like VoIP
  phones.
  Band steering reduces co-channel interference and increases available bandwidth for dual-band
  clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. Dual-band
  802.11n-capable clients may see even greater bandwidth improvements, because the band steering
  feature will automatically select between 40 MHz or 20 MHz channels in 802.11n networks. This
  feature is disabled by default, and must be enabled in a Virtual AP profile.
  The band steering feature supports both campus APs and remote APs that have a virtual AP
  profile set to tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus
  or remote AP has virtual AP profiles configured in bridge or split-tunnel forwarding mode but
  no virtual AP in tunnel mode, those APs will gather information about 5G-capable clients
  independently and will not exchange this information with other APs that also have only bridge
  or split-tunnel virtual APs.

Steering Mode
  Band steering supports the following three band steering modes:
  - Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP will try to
    force 5 GHz-capable clients to use that radio band.
  - Prefer-5GHz (Default): If you configure the AP to use prefer-5GHz band steering mode, the AP
    will try to steer the client to the 5 GHz band (if the client is 5 GHz capable) but will let
    the client connect on the 2.4 GHz band if the client persists in 2.4 GHz association
    attempts.
  - Balance-bands: In this band steering mode, the AP tries to balance the clients across the two
    radios in order to best utilize the available 2.4 GHz bandwidth. This feature takes into
    account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the
    5 GHz channels operate in 40 MHz while the 2.4 GHz band operates in 20 MHz.
In the Profile Details entry for the new virtual AP profile, navigate to the AAA Profile drop-down list and
select the AAA profile you previously configured to reveal the AAA Profile pop-up window. Click Apply to
set the AAA profile and close the pop-up window.
In the CLI
wlan virtual-ap corpnet
  vlan 1
  aaa-profile corpnet
ap-group default
  virtual-ap corpnet
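The procedure above, from the user role through the RADIUS servers and AAA profile to the virtual AP and its SSID profile, is a chain of references by name: a misspelled server-group or profile name is accepted by each command on its own, and the WLAN then fails to authenticate or is never advertised. The following Python script is an added example written for this guide, not Aruba code or an ArubaOS feature. It parses the indented CLI form shown in this chapter and reports every reference that does not resolve, an 802.1x profile with no server group, and RADIUS servers that lack a host or shared secret. The keywords wlan ssid-profile, ssid-profile and essid are assumed from the same CLI family and are not quoted on this page; the sample addresses, the secret value and the two planted defects are constructed.

```python
# Added example for this guide, not Aruba code: cross-check an ArubaOS-style WLAN
# configuration for dangling profile references and incomplete 802.1x chains, using the
# indented CLI form shown in this chapter. "wlan ssid-profile", "ssid-profile" and
# "essid" are assumed keywords not quoted on this page.

# Constructed sample: the "corpnet" WLAN of Table 28 plus two planted defects (Radius2
# was created but never given a host or shared secret; the guest virtual AP names an
# SSID profile that was never created). Addresses and the key value are placeholders.
SAMPLE_CONFIG = """\
aaa authentication-server radius Radius1
  host 10.0.0.11
  key EXAMPLE-SHARED-SECRET
  enable
aaa authentication-server radius Radius2
  enable
aaa server-group corpnet
  auth-server Radius1
  auth-server Radius2
aaa profile corpnet
  authentication-dot1x corpnet
  dot1x-default-role employee
  dot1x-server-group corpnet
wlan ssid-profile corpnet
  essid Corpnet
wlan virtual-ap corpnet
  aaa-profile corpnet
  ssid-profile corpnet
wlan virtual-ap guest
  aaa-profile default-open
  ssid-profile guest
ap-group default
  virtual-ap corpnet
ap-name building3-lobby
  virtual-ap guest
  exclude-virtual-ap corpnet
"""

BUILTIN_AAA = {"default-open"}  # predefined read-only AAA profile named in Table 28
RADIUS = "aaa authentication-server radius"


def parse(text):
    """Map (kind, name) -> sub-command token lists. An unindented line opens a block
    whose last token is the object name; indented lines belong to the open block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            blocks[current].append(raw.split())  # KeyError if no block is open yet
        else:
            tokens = raw.split()
            current = (" ".join(tokens[:-1]), tokens[-1])
            blocks.setdefault(current, [])
    return blocks


def names(b, kind):
    return {n for (k, n) in b if k == kind}


def args(b, kind, name, keyword):
    """First argument of each `keyword` sub-command inside block (kind, name)."""
    return [t[1] for t in b.get((kind, name), []) if t[0] == keyword and len(t) > 1]


def lint(text):
    """Return sorted finding strings; an empty list means every reference resolves."""
    b, out = parse(text), []
    vaps, ssids = names(b, "wlan virtual-ap"), names(b, "wlan ssid-profile")
    aaa = names(b, "aaa profile") | BUILTIN_AAA
    # AP groups and individual APs may only apply or exclude virtual APs that exist.
    for kind in ("ap-group", "ap-name"):
        for ap in names(b, kind):
            for kw in ("virtual-ap", "exclude-virtual-ap"):
                for v in args(b, kind, ap, kw):
                    if v not in vaps:
                        out.append(f"{kind} {ap}: {kw} {v} is not defined")
    # Each virtual AP must map to a defined AAA profile and SSID profile.
    for v in vaps:
        for p in args(b, "wlan virtual-ap", v, "aaa-profile"):
            if p not in aaa:
                out.append(f"virtual-ap {v}: aaa-profile {p} is not defined")
        for s in args(b, "wlan virtual-ap", v, "ssid-profile"):
            if s not in ssids:
                out.append(f"virtual-ap {v}: ssid-profile {s} is not defined")
    # An 802.1x AAA profile needs a server group whose members are RADIUS servers
    # that were given a host and a shared secret (key).
    for p in names(b, "aaa profile"):
        if not args(b, "aaa profile", p, "authentication-dot1x"):
            continue
        groups = args(b, "aaa profile", p, "dot1x-server-group")
        if not groups:
            out.append(f"aaa profile {p}: 802.1x enabled but no dot1x-server-group")
        for g in groups:
            if ("aaa server-group", g) not in b:
                out.append(f"aaa profile {p}: dot1x-server-group {g} is not defined")
                continue
            for m in args(b, "aaa server-group", g, "auth-server"):
                if (RADIUS, m) not in b:
                    out.append(f"aaa server-group {g}: auth-server {m} is not defined")
                    continue
                for needed in ("host", "key"):
                    if not args(b, RADIUS, m, needed):
                        out.append(f"radius server {m}: missing {needed}")
    return sorted(out)


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)) or "no findings")
```

Run against the sample, lint reports the two planted defects (three findings, since Radius2 lacks both host and key); once Radius2 is completed and a guest SSID profile is created, it returns an empty list. The same walk applies to configuration pasted from a controller, provided sub-commands are indented under their parent command as in the CLI listings in this chapter.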
Creating a new SSID Profile
Follow the procedures below to create a new SSID profile and associate that profile to your Virtual AP.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration > AP Group page.
2. Click Edit for the “default” AP group.
3. Select Wireless LAN (under Profiles), then select Virtual AP.
4. Click the new Virtual AP name in the Profiles list.
5. Select New from the SSID Profile drop-down menu in the Profile Details entry for the new virtual AP
profile. This launches an SSID profile pop-up window.
6. Click the Basic tab, and enter the name for the SSID profile (for example, SSIDprofile).
7. Enter a name in the Network Name (SSID) field (for example, Corpnet).
8. Select WPA2 for Network Authentication.
9. Configure other basic SSID profile settings, as described in Table 31.
10. Click the Advanced tab and click SSID Enable to enable the SSID.
11. (Optional) Configure advanced SSID profile settings, as described in Table 32.
12. Click Apply to set the SSID profile and close the pop-up window.
13. Click Apply again at the bottom of the Profile Details window.
Table 31 Basic SSID Profile Parameters

Network Name
  Name that uniquely identifies a wireless network. The network name, or ESSID, can be up to 31
  characters. If the ESSID includes spaces, you must enclose it in quotation marks.

Network Authentication
  The layer-2 authentication to be used on this ESSID to protect access and ensure the privacy of
  the data transmitted to and from the network.
  - None
  - 802.1x/WEP
  - WPA
  - WPA-PSK
  - WPA2
  - WPA2-PSK
  - xSec
  - Mixed
  If you select the Mixed authentication option, a drop-down list will appear in the Network
  Authentication section. Click this drop-down list and select the combination of authentication
  types supported by APs using this SSID profile.

Encryption
  This field shows the default encryption type used on this ESSID. Unselect the default
  encryption type if you do not want encryption, or click the Advanced tab to define a new
  encryption type.

Keys
  If you selected WPA-PSK or WPA2-PSK authentication or a mixed authentication type that supports
  pre-shared keys, enter and confirm the Hex Key or PSK passphrase in the PSK Key/Passphrase and
  Confirm PSK Key/Passphrase fields.
  - To define a hex key, enter a 64-character hexadecimal string.
  - To define a PSK passphrase, enter an ASCII string 8-63 characters in length.
  Next click the Format drop-down list and select Hex or PSK Passphrase to select the format for
  the key or passphrase.
Table 32 Advanced SSID Profile Parameters
156 | Virtual APs
Parameter
Description
SSID Enable
Click this checkbox to enable or disable the SSID.
Encryption
Select one of the following encryption types
xSec
Encryption and tunneling of Layer-2 traffic between the controller and wired or wireless
clients, or between controllers. To use xSec encryption, you must use a RADIUS
authentication server. For clients, you must install the Funk Odyssey client software.
Requires installation of the xSec license. For xSec between controllers, you must install
an xSec license in each controller.
opensystem
No authentication and encryption.
static-wep
WEP with static keys.
dynamic-wep
WEP with dynamic keys.
wpa-tkip
WPA with TKIP encryption and dynamic keys using 802.1x.
wpa-aes
WPA with AES encryption and dynamic keys using 802.1x.
ArubaOS 6.1 | User Guide
Table 32 Advanced SSID Profile Parameters
Parameter
Description
wpa-psk-tkip
WPA with TKIP encryption using a preshared key.
wpa-psk-aes
WPA with AES encryption using a preshared key.
wpa2-aes
WPA2 with AES encryption and dynamic keys using 802.1x.
wpa2-psk-aes
WPA2 with AES encryption using a preshared key.
wpa2-psk-tkip
WPA2 with TKIP encryption using a preshared key.
wpa2-tkip
WPA2 with TKIP encryption and dynamic keys using 802.1x.
wpa2-aes-gcm-128
WPA2 with AES GCM-128 (Suite-b) encryption and dynamic keys
using 802.1X.
Note: This parameter requires the ACR license. For further information on Suite-B
encryption, see “Configuring an SSID for Suite-B cryptography” on page 160.
wpa2-aes-gcm-256
WPA2 with AES GCM-256 (Suite-b) encryption and dynamic keys
using 802.1X.
Note: This parameter requires the ACR license. For further information on Suite-B
encryption, see “Configuring an SSID for Suite-B cryptography” on page 160.
DTIM Interval
Specifies the interval, in milliseconds, between the sending of Delivery Traffic Indication
Messages (DTIMs) in the beacon. This is the maximum number of beacon cycles before
unacknowledged network broadcasts are flushed. When using wireless clients that
employ power management features to sleep, the client must revive at least once during
the DTIM period to receive broadcasts
Station Ageout Time
Time, in seconds, that a client is allowed to remain idle before being aged out.
802.11g Transmit Rates
Select the set of 802.11b/g rates at which the AP is allowed to send data. The actual
transmit rate depends on what the client is able to handle, based on information sent at
the time of association and on the current error/loss rate of the client.
802.11g Basic Rates
Select the set of supported 802.11b/g rates that are advertised in beacon frames and
probe responses.
802.11a Transmit Rates
Select the set of 802.11a rates at which the AP is allowed to send data. The actual
transmit rate depends on what the client is able to handle, based on information sent at
the time of association and on the current error/loss rate of the client.
802.11a Basic Rates
Select the set of supported 802.11a rates, in Mbps, that are advertised in beacon frames
and probe responses.
Max Transmit Attempts
Maximum number of retries allowed for the AP to send a frame.
RTS Threshold
Wireless clients transmitting frames larger than this threshold must issue Request to
Send (RTS) and wait for the AP to respond with Clear to Send (CTS). This helps prevent
mid-air collisions for wireless clients that are not within wireless peer range and cannot
detect when other wireless clients are transmitting.
The default value is 2333 bytes.
Short Preamble
Click this checkbox to enable or disable a short preamble for 802.11b/g radios. Network
performance may be higher when short preamble is enabled. In mixed radio
environments, some 802.11b wireless client stations may experience difficulty
associating with the AP using short preamble. To use only long preamble, disable short
preamble. Legacy client devices that use only long preamble generally can be updated
to support short preamble.
ArubaOS 6.1 | User Guide
Virtual APs | 157
Table 32 Advanced SSID Profile Parameters
Parameter
Description
Max Associations
Maximum number of wireless clients for the AP.
The supported range is 0-256 clients.
Wireless Multimedia (WMM)
Enables or disables WMM, also known as IEEE 802.11e Enhanced Distribution
Coordination Function (EDCF). WMM provides prioritization of specific traffic relative to
other traffic in the network.
Wireless Multimedia UAPSD (WMM-UAPSD) Powersave
Enable Wireless Multimedia (WMM) UAPSD powersave.
WMM TSPEC Min Inactivity Interval
Specify the minimum inactivity time-out threshold of WMM traffic. This setting is useful
in environments where low inactivity interval time-outs are advertised, which may cause
unwanted timeouts.
The supported range is 0-3,600,000 milliseconds, and the default value is 0
milliseconds.
Override DSCP mappings for WMM clients
Override the default DSCP mappings in the SSID profile with the ToS value. This setting
is useful when you want to set a non-default ToS value for a specific traffic.
DSCP mapping for WMM voice AC
DSCP used to map WMM voice traffic.
The supported range is 0-255, and the default is 56.
DSCP mapping for WMM video AC
Select the DSCP used to map WMM video traffic.
The supported range is 0-255, and the default is 40.
DSCP mapping for WMM best-effort AC
Select the DSCP value used to map WMM best-effort traffic.
The supported range is 0-255, and the default is 24.
DSCP mapping for WMM background AC
Select the DSCP used to map WMM background traffic.
The supported range is 0-255, and the default is 8.
Hide SSID
Select this checkbox to enable or disable the hiding of the SSID name in beacon frames.
Note that hiding the SSID does very little to increase security.
Deny_Broadcast Probes
When a client sends a broadcast probe request frame to search for all available SSIDs,
this option controls whether or not the system responds for this SSID. When enabled, no
response is sent and clients have to know the SSID in order to associate to the SSID.
When disabled, a probe response frame is sent for this SSID.
Local Probe Request Threshold (dB)
Enter the SNR threshold below which incoming probe requests will get ignored. The
supported range of values is 0-100 dB. A value of 0 disables this feature.
Disable Probe Retry
Click this checkbox to enable or disable MAC-level retries for probe response frames.
By default this parameter is enabled, which means that MAC-level retries for probe
response frames are disabled.
Battery Boost
Converts multicast traffic to unicast before delivery to the client, thus allowing you to set
a longer DTIM interval. The longer interval keeps associated wireless clients from
activating their radios for multicast indication and delivery, leaving them in power-save
mode longer and thus lengthening battery life.
This parameter requires the PEFNG license.
WEP Key 1
First static WEP key associated with the key index. Can be 10 or 26 hex characters in
length.
WEP Key 2
Second static WEP key associated with the key index. Can be 10 or 26 hex characters in
length.
WEP Key 3
Third Static WEP key associated with the key index. Can be 10 or 26 hex characters in
length.
WEP Key 4
Fourth Static WEP key associated with the key index. Can be 10 or 26 hex characters in
length.
WEP Transmit Key Index
Key index that specifies which static WEP key is to be used. Can be 1, 2, 3, or 4.
WPA Hexkey
WPA pre-shared key (PSK).
WPA Passphrase
WPA passphrase with which to generate a pre-shared key (PSK).
Maximum Transmit Failures
Maximum transmission failures allowed before the client gives up
BC/MC Rate Optimization
Click this checkbox to enable or disable scanning of all active stations currently
associated to an AP to select the lowest transmission rate for broadcast and multicast
frames. This option only applies to broadcast and multicast data frames; 802.11
management frames are transmitted at the lowest configured rate.
Note: Do not enable this parameter unless instructed to do so by your Aruba technical
support representative.
Strict Spectralink Voice Protocol (SVP)
Click this checkbox to enable Strict Spectralink Voice Protocol (SVP).
802.11g Beacon Rate
Click this drop-down list to select the beacon rate for 802.11g (use for Distributed
Antenna System (DAS) only). Using this parameter in normal operation may cause
connectivity problems.
802.11a Beacon Rate
Click this drop-down list to select the beacon rate for 802.11a (use for Distributed
Antenna System (DAS) only). Using this parameter in normal operation may cause
connectivity problems.
Advertise QBSS Load IE
Click this checkbox to enable the AP to advertise the QBSS load element. The element
includes the following parameters that provide information on the traffic situation:
• Station count: The total number of stations associated to the QBSS.
• Channel utilization: The percentage of time (normalized to 255) the channel is
sensed to be busy. The access point uses either the physical or the virtual carrier
sense mechanism to sense a busy channel.
• Available admission capacity: The remaining amount of medium time (measured as
a number of 32 μs/s units) available for a station via explicit admission control.
The QAP uses these parameters to decide whether to accept an admission control
request. A wireless station uses these parameters to choose the appropriate access
points.
Note: Ensure that WMM is enabled for legacy APs to advertise the QBSS load element.
For 802.11n APs, ensure that either WMM or high throughput is enabled.
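The QBSS Load element described above has a fixed layout in IEEE 802.11 (Element ID 11, length 5: station count, channel utilization, available admission capacity). The following added example, which is not part of the ArubaOS guide, decodes that element from a beacon's tagged-parameter area and converts the raw fields into the percentage and μs/s values the table talks about; the beacon bytes are constructed for the example.

```python
"""Decode the 802.11 QBSS Load element advertised when "Advertise QBSS Load IE"
is enabled. Added example, not ArubaOS code.

Layout (IEEE 802.11): Element ID 11, Length 5, then station count (2 octets,
little-endian), channel utilization (1 octet, 0-255), available admission
capacity (2 octets, little-endian, in units of 32 us per second).
"""
import struct
from typing import Optional

QBSS_LOAD_ELEMENT_ID = 11
QBSS_LOAD_LENGTH = 5


def parse_qbss_load(ie: bytes) -> dict:
    """Decode one QBSS Load element (ID + length + 5 body octets).

    Returns the raw fields plus channel utilization as a percentage and the
    admission capacity in microseconds per second. Raises ValueError on a
    malformed element instead of reading past the end of the buffer.
    """
    if len(ie) < 2:
        raise ValueError("element too short for ID/length header")
    eid, length = ie[0], ie[1]
    if eid != QBSS_LOAD_ELEMENT_ID:
        raise ValueError(f"not a QBSS Load element (ID {eid})")
    if length != QBSS_LOAD_LENGTH or len(ie) < 2 + length:
        raise ValueError(f"bad QBSS Load length {length}")
    station_count, util, aac = struct.unpack_from("<HBH", ie, 2)
    return {
        "station_count": station_count,
        "channel_utilization": util,
        "channel_utilization_pct": round(util * 100 / 255, 1),
        "available_admission_capacity": aac,
        "available_admission_capacity_us_per_s": aac * 32,
    }


def find_qbss_load(ies: bytes) -> Optional[dict]:
    """Walk a beacon's tagged-parameter area (ID, length, body, ...) and
    return the parsed QBSS Load element, or None if the AP does not
    advertise one. A truncated trailing element stops the walk."""
    offset = 0
    while offset + 2 <= len(ies):
        eid, length = ies[offset], ies[offset + 1]
        if offset + 2 + length > len(ies):
            break  # truncated element; stop rather than over-read
        if eid == QBSS_LOAD_ELEMENT_ID:
            return parse_qbss_load(ies[offset:offset + 2 + length])
        offset += 2 + length
    return None


# Constructed sample tagged-parameter area: SSID element "Corpnet" (ID 0)
# followed by a QBSS Load element reporting 12 stations, utilization 128/255
# (about 50.2%), and 31250 units x 32 us = 1,000,000 us/s still admissible.
SAMPLE_IES = (
    bytes([0, 7]) + b"Corpnet"
    + bytes([QBSS_LOAD_ELEMENT_ID, QBSS_LOAD_LENGTH])
    + struct.pack("<HBH", 12, 128, 31250)
)

if __name__ == "__main__":
    print(find_qbss_load(SAMPLE_IES))
```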
In the CLI
wlan ssid-profile SSIDprofile
essid Corpnet
opmode wpa2-aes
wlan virtual-ap corpnet
ssid-profile SSIDprofile
ap-group default
virtual-ap corpnet
Configuring an SSID for Suite-B cryptography
Suite-B AES-128-GCM and AES-256-GCM encryption is supported by the ArubaOS hardware, and requires
the ACR license. Note, however, that not all controllers support Suite-B encryption. The table below
describes the controller support for Suite-B encryption in ArubaOS.
Controller     Serial Number Prefix           ACR License Support
600 Series     All serial numbers supported   Yes
3000 Series    AK                             Yes
3000 Series    A                              No
M3 card        FC                             Yes
M3 card        F                              No
To determine the serial number prefix for your controller, issue the CLI command show inventory and
note the prefix before the system serial number. In the example below, the System Serial# is AK0093676,
so the prefix is AK.
(host) #show inventory
Supervisor Card slot : 0
System Serial# : AK0093676
SC Assembly# : 2010052B (Rev:02.01)
SC Serial# : F01629529 (Date:03/29/10)
SC Model# : 3600-US
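As a quick check before planning a Suite-B SSID, the following added example (not ArubaOS code) pulls the System Serial# out of show inventory output and looks the prefix up in the support table above. The table rows are copied from the guide; the controller family is passed in by the caller, the label/colon output layout is assumed to match the example above, and the sample output is constructed.

```python
"""Look up ACR (Suite-B) license support from a controller's serial-number
prefix, using the support table from the ArubaOS 6.1 guide.
Added example, not ArubaOS code.
"""
import re
from typing import Optional

# (controller family, serial prefix or None for "all serial numbers", supported)
ACR_SUPPORT = [
    ("600 Series", None, True),
    ("3000 Series", "AK", True),
    ("3000 Series", "A", False),
    ("M3 card", "FC", True),
    ("M3 card", "F", False),
]

# Assumed layout: one "Label : value" per line, as in the guide's example.
SERIAL_RE = re.compile(r"^\s*System Serial#\s*:\s*(\S+)", re.MULTILINE)


def acr_supported(family: str, serial: str) -> Optional[bool]:
    """Return True/False from the table, or None if the family or prefix is
    not listed. The longest prefix wins, so an AK... serial on a 3000 Series
    is matched against "AK" before the broader "A" row."""
    rows = [r for r in ACR_SUPPORT if r[0] == family]
    if not rows:
        return None
    for _, prefix, supported in sorted(rows, key=lambda r: -len(r[1] or "")):
        if prefix is None or serial.upper().startswith(prefix):
            return supported
    return None


def check_inventory(output: str, family: str) -> dict:
    """Extract the system serial from show inventory text and report
    whether the ACR license is supported for the given controller family."""
    match = SERIAL_RE.search(output)
    if not match:
        raise ValueError("System Serial# not found in show inventory output")
    serial = match.group(1)
    return {
        "serial": serial,
        "family": family,
        "acr_supported": acr_supported(family, serial),
    }


# Constructed sample output mirroring the guide's example (a 3600 controller).
SAMPLE_INVENTORY = """\
(host) #show inventory
Supervisor Card slot : 0
System Serial# : AK0093676
SC Assembly# : 2010052B (Rev:02.01)
SC Serial# : F01629529 (Date:03/29/10)
SC Model# : 3600-US
"""

if __name__ == "__main__":
    print(check_inventory(SAMPLE_INVENTORY, "3000 Series"))
```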
Guest WLAN
To configure Guest WLAN, the following basic steps are required.
• Configure the VLAN for guest users.
• Configure the guest role which only allows HTTP and HTTPS traffic from 9:00 a.m. to 5 p.m. on
weekdays.
• Create and configure the virtual AP profile guest for the AP named “building3-lobby”:
  • Create a new virtual AP profile guest.
  • Select the predefined AAA profile default-open.
  • Create a new SSID profile guest to configure “Guest” for the SSID name and open system for the
authentication.
The following sections describe how to do this using the WebUI and the CLI.
Configuring the VLAN
In this example, users on the “Corpnet” WLAN are placed into VLAN 1, which is the default VLAN
configured on the controller. For guest users, you need to create another VLAN and assign the VLAN
interface an IP address.
In the WebUI
1. Navigate to the Configuration > Network > VLANs page.
2. Click Add to add a VLAN. Enter 2 in the VLAN ID, and click Apply.
3. To assign an IP address and netmask to the VLAN you just created, navigate to the Configuration >
Network > IP > IP Interfaces page. Click Edit for VLAN 2. Enter an IP address and netmask for the
VLAN interface, and then click Apply.
In the CLI
vlan 2
interface vlan 2
ip address <address> <netmask>
Configuring the Guest Role
The guest role allows web (HTTP and HTTPS) access only during normal business hours (9:00 a.m. to 5:00
p.m. Monday through Friday).
In the WebUI
1. Navigate to the Configuration > Security > Access Control > Time Ranges page.
2. Click Add. Enter a name, such as “workhours”. Select Periodic. Click Add. Under Add Periodic Rule,
select Weekday. For Start Time, enter 9:00. For End Time, enter 17:00. Click Done. Click Apply.
3. Select the Policies tab. Click Add. Enter a policy name, such as “restricted”. From the Policy Type
drop-down list, select Session.
4. Click Add.
5. (Optional) By default, firewall policies apply to IPv4 clients only. To configure a firewall policy for IPv6
clients, click the IP Version drop-down list and select IPv6.
6. Click the Service drop-down list, select service, then select svc-http.
7. Click the Time Range drop-down list and select the time range you previously configured.
8. Click Add.
9. Repeat steps 4-8 to add another rule for the svc-https service. Click Apply.
10. Select the User Roles tab. Click Add. Enter guest for Role Name. Under Firewall Policies, click Add.
Select Choose from Configured Policies and select the policy you previously configured. Click Done.
11. Click Apply.
In the CLI
time-range workhours periodic
weekday 09:00 to 17:00
ip access-list session restricted
any any svc-http permit time-range workhours
any any svc-https permit time-range workhours
user-role guest
session-acl restricted
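To see exactly which flows the guest role above lets through, the following added example (not ArubaOS code) models the restricted session ACL with its workhours periodic time range and evaluates sample flows against it. It assumes svc-http is TCP/80 and svc-https is TCP/443, that a rule whose time range is inactive simply does not match, and that a session ACL ends with an implicit deny.

```python
"""Model of the guest role's session ACL: HTTP/HTTPS permitted only during
the 'workhours' periodic time range (weekdays 09:00-17:00), everything else
denied. Added example, not ArubaOS code.
"""
from datetime import datetime
from typing import List, NamedTuple, Optional


class TimeRange(NamedTuple):
    weekdays: frozenset   # 0 = Monday ... 6 = Sunday
    start: str            # "HH:MM", inclusive
    end: str              # "HH:MM", exclusive

    def active(self, when: datetime) -> bool:
        """Zero-padded HH:MM strings compare correctly as text."""
        return (when.weekday() in self.weekdays
                and self.start <= when.strftime("%H:%M") < self.end)


class Rule(NamedTuple):
    proto: str
    port: int
    action: str                  # "permit" or "deny"
    time_range: Optional[TimeRange]


# time-range workhours periodic / weekday 09:00 to 17:00
WORKHOURS = TimeRange(frozenset(range(5)), "09:00", "17:00")

# Assumed service definitions for the two named services in the ACL.
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}

# ip access-list session restricted
RESTRICTED: List[Rule] = [
    Rule(*SERVICES["svc-http"], "permit", WORKHOURS),
    Rule(*SERVICES["svc-https"], "permit", WORKHOURS),
]


def evaluate(acl: List[Rule], proto: str, port: int, when: datetime) -> str:
    """First matching active rule wins; no match falls to the implicit deny."""
    for rule in acl:
        if (rule.proto, rule.port) != (proto, port):
            continue
        if rule.time_range is not None and not rule.time_range.active(when):
            continue  # rule is inactive outside its time range
        return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows: Wednesday 2011-06-15 and Saturday 2011-06-18.
    for when, proto, port in [
        (datetime(2011, 6, 15, 10, 30), "tcp", 443),
        (datetime(2011, 6, 15, 18, 0), "tcp", 443),
        (datetime(2011, 6, 18, 10, 30), "tcp", 80),
        (datetime(2011, 6, 15, 10, 30), "tcp", 22),
    ]:
        print(when, proto, port, "->", evaluate(RESTRICTED, proto, port, when))
```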
Configuring the Guest Virtual AP
In this example, you apply the guest virtual AP profile to a specific AP.
Best practices are to assign a unique name to each virtual AP, SSID, and AAA profile that you modify. In this example,
you use the name guest to identify the virtual AP and SSID profiles.
In the WebUI
1. Navigate to Configuration > Wireless > AP Configuration > AP Specific page.
2. Click New. Either enter the AP name or select an AP from the list of discovered APs. Click Add. The AP
name appears in the list.
3. Click Edit by the AP name to display the profiles that you can configure for the AP.
4. Expand the Wireless LAN profile menu.
5. Select Virtual AP.
a. Click the Add a profile drop down list in the Profile Details window and select NEW.
b. Enter guest, and click Add.
c. Click Apply.
6. Click the guest virtual AP to display profile details.
a. Make sure Virtual AP Enable is selected.
b. Select 2 for the VLAN.
c. Click Apply.
7. Under Profiles, select the AAA profile under the guest virtual AP profile.
a. In the Profile Details, select default-open from the AAA Profile drop-down list.
b. Click Apply.
8. Under Profiles, select the SSID profile under the guest virtual AP profile.
a. Select NEW from the SSID Profile drop-down menu.
b. Enter guest.
c. In the Profile Details, enter Guest for the Network Name.
d. Select None for Network Authentication and Open for Encryption.
e. Click Apply.
In the CLI
wlan ssid-profile guest
opmode opensystem
wlan virtual-ap guest
vap-enable
vlan 2
deny-time-range workhours
ssid-profile guest
aaa-profile default-open
ap-name building3-lobby
virtual-ap guest
Enable 802.11k Support
The 802.11k protocol provides mechanisms for APs and clients to dynamically measure the available radio
resources. In an 802.11k enabled network, APs and clients can send neighbor reports, beacon reports, and
link measurement reports to each other. This allows the APs and clients to take appropriate connection
actions. The following procedure outlines the steps to configure 802.11k parameters.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected the AP Group tab, click the Edit button by the AP group name for which you want to
configure the new 802.11K profile.
• If you selected the AP Specific tab, click the Edit button by the AP for which you want to create the
802.11K profile.
2. In the Profiles list, expand the Wireless LAN menu, then expand the Virtual AP menu.
3. Select the Virtual AP profile for which you want to configure 802.11k settings.
To edit an existing 802.11k profile, click the 802.11K Profile drop-down list in the Profile Details
window pane and select the 802.11k profile you want to edit.
or
To create a new 802.11k Profile, click the 802.11K Profile drop-down list and select New. Enter a new
802.11k profile name in the field to the right of the drop-down list.
You cannot use spaces in profile names.
4. Configure your 802.11k radio settings. Table 33 outlines the parameters you can configure in the 802.11k
profile. Click Apply to save your settings.
Table 33 802.11k Profile Parameters
Parameter
Description
Advertise 802.11K Capability
Select this option to allow Virtual APs using this profile to advertise 802.11K
capability.
Default: Disabled
Forcefully disassociate on-hook voice clients
Select this option to allow the AP to forcefully disassociate on-hook voice
clients (clients that are not on a call) after a period of inactivity. Without the
forced disassociation feature, if an AP has reached its call admission
control limits and an on-hook voice client wants to start a new call, that
client may be denied. If forced disassociation is enabled, those clients can
associate to a neighboring AP that can fulfill their QoS requirements.
Default: Disabled
Measurement Mode for Beacon Reports
Click the Measurement Mode for Beacon Reports drop-down list and
specify one of the following measurement modes:
• active: Enables active beacon measurement mode. In this mode, the
client sends a probe request to the broadcast destination address on all
supported channels, sets a measurement duration timer, and, at the
end of the measurement duration, compiles all received beacons or
probe responses with the requested SSID and BSSID into a
measurement report.
• beacon-table: Enables beacon-table beacon measurement mode. In
this mode, the client measures beacons and returns a report with stored
beacon information for any supported channel with the requested SSID
and BSSID. The client does not perform any additional measurements.
• passive: Enables passive beacon measurement mode. In this mode,
the client sets a measurement duration timer, and, at the end of the
measurement duration, compiles all received beacons or probe
responses with the requested SSID and BSSID into a measurement
report.
Note: If a station doesn't support the selected measurement mode, it
returns a Beacon Measurement Report with the Incapable bit set in the
Measurement Report Mode field.
Default Mode: beacon-table
In the CLI
Use the following command to configure 802.11k profiles. The available parameters for this profile are
described in Table 33.
wlan dot11k <profile>
bcn-measurement-mode {active|beacon-table|passive}
clone <profile>
dot11k-enable
force-disassoc
Example Configuration
The example below follows the suggested order of steps to configure a virtual AP using the command-line
interface.
vlan 60
!
ip access-list session THR-POLICY-NAME-WPA2
user any any permit
!
user-role THR-ROLE-NAME-WPA2
session-acl THR-POLICY-NAME-WPA2
!
aaa authentication dot1x "THR-DOT1X-AUTH-PROFILE-WPA2"
termination enable
!
aaa server-group "THR-DOT1X-SERVER-GROUP-WPA2"
auth-server Internal
!
aaa profile "THR-AAA-PROFILE-WPA2"
authentication-dot1x "THR-DOT1X-AUTH-PROFILE-WPA2"
dot1x-default-role "THR-ROLE-NAME-WPA2"
dot1x-server-group "THR-DOT1X-SERVER-GROUP-WPA2"
!
wlan ssid-profile "THR-SSID-PROFILE-WPA2"
essid "THR-WPA2"
opmode wpa2-aes
!
wlan virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"
ssid-profile "THR-SSID-PROFILE-WPA2"
aaa-profile "THR-AAA-PROFILE-WPA2"
vlan 60
!
ap system-profile "THR-AP-SYSTEM-PROFILE"
lms-ip 1.1.1.1
bkup-lms-ip 2.2.2.2
!
ap-group "THRHQ1-STANDARD"
virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"
ap-system-profile "THR-AP-SYSTEM-PROFILE"
Configuring a High-Throughput Virtual AP
With the implementation of the IEEE 802.11n standard, high-throughput can be configured to operate on
the 5 GHz and/or 2.4 GHz frequency band.
For high-throughput to function on a virtual AP profile for the assigned AP group or specific AP,
high-throughput must be enabled within the assigned ht-ssid-profile and the radio-profile(s) for the desired
frequency band(s).
By default, high-throughput is enabled; however, the examples in this section guide you through manually
creating profiles and enabling high-throughput on the 5 GHz and 2.4 GHz frequency bands to ensure proper
functionality of a virtual AP profile named “ht-vap-corpnet” assigned to an existing AP group named “ht-corpnet-aps.”
For an example of 20 MHz channel versus 40 MHz channel pair configuration, see “20 MHz and 40 MHz Static
Channel Assignments” on page 157.
This example includes the following tasks:
• Create two high-throughput radio profiles named “ht-radioa-corpnet” and “ht-radiog-corpnet.”
• Create and configure a 5 GHz radio profile named “ht-corpnet-a” and assign the high-throughput radio
profile named “ht-radioa-corpnet.”
• Create and configure a 2.4 GHz radio profile named “ht-corpnet-g” and assign the high-throughput radio
profile named “ht-radiog-corpnet.”
• Create and configure a high-throughput SSID profile named “ht-ssid-corpnet.”
• Create an SSID profile named “ht-corpnet” and assign the high-throughput SSID profile named “ht-ssid-corpnet.”
• Create a virtual AP profile named “ht-vap-corpnet” and assign the SSID profile named “ht-corpnet.”
• Assign the required profiles to an existing AP group named “ht-corpnet-ap.”
The following procedures are presented for the WebUI and the CLI.
In the WebUI
1. Navigate to Configuration > Wireless > AP Configuration > AP Group page.
2. Click Edit for the AP group ht-corpnet-ap.
3. Under the Profiles list, select RF Management to display the radio profiles.
4. Select the 802.11a radio profile.
This radio profile represents activity on the 5 GHz frequency band. Since the high-throughput IEEE 802.11n standard
operates on the 5 GHz and/or 2.4 GHz frequency band, high-throughput can be enabled on 802.11a or 802.11g radio
profiles.
a. Select New from the 802.11a radio profile drop-down menu.
b. Enter ht-corpnet-a for the 802.11a radio profile name.
c. Select (check) the High Throughput enable (radio) checkbox to enable high-throughput. By
default, this is enabled (checked).
d. Click Apply.
5. Select the High-throughput Radio Profile under the 802.11a radio profile.
a. Select New from the High-throughput Radio Profile drop-down menu.
b. Enter ht-radioa-corpnet for the high-throughput radio profile name.
c. Configure the high-throughput radio settings (see Table 34 for details) and click Apply.
Table 34 High-Throughput Radio Profile Configuration Parameters
Parameter
Description
40MHz intolerance
This parameter controls whether or not APs using this radio profile will advertise
intolerance of 40 MHz operation. By default, this option is disabled, and 40 MHz
operation is allowed. If you do not want to use 40 MHz operation, select the
40MHz intolerance checkbox to enable this feature.
honor 40MHz intolerance
When enabled, the radio will stop using the 40 MHz channels if the 40 MHz
intolerance indication is received from another AP or station. Uncheck the Honor
40 MHz intolerance checkbox to disable this feature.
Default: Enabled
Legacy station workaround
Select this option to enable interoperability for misbehaving legacy stations. This
option is disabled by default, and should only be enabled under the supervision of
Aruba technical support.
6. Select the 802.11g radio profile.
This radio profile represents activity on the 2.4 GHz frequency band. Since the high-throughput IEEE 802.11n
standard operates on the 5 GHz and/or 2.4 GHz frequency band, high-throughput can be enabled on 802.11a or
802.11g radio profiles.
a. Select New from the 802.11g radio profile drop-down menu.
b. Enter ht-corpnet-g for the 802.11g radio profile name.
c. Select (check) the High Throughput enable (radio) checkbox to enable high-throughput. By
default, this is enabled (checked).
d. Click Apply.
7. Select the High-throughput Radio Profile under the 802.11g radio profile.
a. Select New from the High-throughput Radio Profile drop-down menu.
b. Enter ht-radiog-corpnet for the high-throughput radio profile name.
c. Configure the high-throughput radio settings (see Table 34 for details) and click Apply.
8. Select Wireless LAN, under the Profiles list, to reveal the WLAN profiles.
9. Select the Virtual AP profile.
a. Select New from the Add a Profile drop-down menu.
b. Enter ht-vap-corpnet for the virtual AP profile name.
c. Click Add.
d. Select New from the SSID Profile drop-down menu associated with the “ht-vap-corpnet” virtual AP
profile. The SSID Profile dialog box appears.
e. Enter ht-corpnet for the SSID profile name.
f. Click Apply to create the SSID profile and return to the virtual AP profile page.
g. Click Apply on the virtual AP profile page.
10. Select the ht-vap-corpnet virtual AP profile.
a. Select all from the Allowed band drop-down menu.
b. Click Apply.
11. Select the SSID profile ht-corpnet. The High-throughput SSID profile option will appear below
ht-corpnet in the profiles list.
12. Select the High-throughput SSID Profile.
a. Select New from the High-throughput SSID Profile drop-down menu.
b. Enter ht-ssid-corpnet for the high-throughput SSID profile name.
c. Configure the high-throughput SSID profile settings (see Table 35 for details) and click Apply to
assign it to the SSID profile.
Table 35 High-Throughput SSID Profile Parameters
High throughput enable (SSID)
Enable or disable high-throughput (802.11n) features on this SSID. This
parameter is enabled by default.
40 MHz channel usage
Enable or disable the use of 40 MHz channels. This parameter is enabled by
default.
Low-density Parity Check
If enabled, the AP will advertise Low-density Parity Check (LDPC) support.
LDPC improves data transmission over radio channels with high levels of
background noise.
MPDU Aggregation
Enable or disable MAC protocol data unit (MPDU) aggregation.
High-throughput mesh APs are able to send aggregated MAC protocol data
units (MPDUs), which allow an AP to receive a single block acknowledgment
instead of multiple ACK signals. This option, which is enabled by default,
reduces network traffic overhead by effectively eliminating the need to initiate a
new transfer for every MPDU.
Max transmitted A-MPDU size
Maximum size of a transmitted aggregate MPDU, in bytes.
Range: 1576–65535
Max received A-MPDU size
Maximum size of a received aggregate MPDU, in bytes. Allowed values: 8191,
16383, 32767, 65535.
Min MPDU start spacing
Minimum time between the start of adjacent MPDUs within an aggregate
MPDU, in microseconds. Allowed values: 0 (No restriction on MPDU start
spacing), .25 μsec, .5 μsec, 1 μsec, 2 μsec, 4 μsec.
Supported MCS set
A list of Modulation Coding Scheme (MCS) values or ranges of values to be
supported on this SSID. The MCS you choose determines the channel width
(20MHz vs. 40MHz) and the number of spatial streams used by the mesh node.
The default value is 1–15; the complete set of supported values. To specify a
smaller range of values, enter a hyphen between the lower and upper values.
To specify a series of different values, separate each value with a comma.
Examples:
2–10
1,3,6,9,12
Range: 0–15.
Short guard interval in 20 MHz mode
Enable or disable use of short (400ns) guard interval in 20 MHz mode. This
parameter is enabled by default.
A guard interval is a period of time between transmissions that allows
reflections from the previous data transmission to settle before an AP transmits
data again. An AP identifies any signal content received inside this interval as
unwanted inter-symbol interference, and rejects that data. The 802.11n
standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling
a short guard interval can decrease network overhead by reducing
unnecessary idle time on each AP. Some outdoor deployments may, however,
require a longer guard interval. If the short guard interval does not allow enough
time for reflections to settle in your mesh deployment, inter-symbol interference
values may increase and degrade throughput.
Short guard interval in 40 MHz mode
Enable or disable use of short (400ns) guard interval in 40 MHz mode. This
parameter is enabled by default.
A guard interval is a period of time between transmissions that allows
reflections from the previous data transmission to settle before an AP transmits
data again. An AP identifies any signal content received inside this interval as
unwanted inter-symbol interference, and rejects that data. The 802.11n
standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling
a short guard interval can decrease network overhead by reducing
unnecessary idle time on each AP. Some outdoor deployments may, however,
require a longer guard interval. If the short guard interval does not allow enough
time for reflections to settle in your mesh deployment, inter-symbol interference
values may increase and degrade throughput.
Maximum number of spatial streams usable for STBC reception
Controls the maximum number of spatial streams usable for STBC reception. 0
disables STBC reception, 1 uses STBC for MCS 0-7. Higher MCS values are
not supported. (Supported on the AP-90 series, AP-130 Series, AP-68, AP-175
and AP-105 only. The configured value will be adjusted based on AP
capabilities.)
Maximum number of spatial streams usable for STBC transmission
Controls the maximum number of spatial streams usable for STBC
transmission. 0 disables STBC transmission, 1 uses STBC for MCS 0-7. Higher
MCS values are not supported. (Supported on AP-90 series, AP-175, AP-130
Series and AP-105 only. The configured value will be adjusted based on AP
capabilities.)
Legacy stations
Allow or disallow associations from legacy (non-HT) stations. By default, this
parameter is enabled (legacy stations are allowed).
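The supported-mcs-set syntax from Table 35 (a single value, a hyphenated range such as 2-10, or a comma-separated list such as 1,3,6,9,12, all within 0-15) is easy to get wrong by hand. The following added example, not ArubaOS code, parses and validates a value in that syntax and reports how many spatial streams the chosen 802.11n MCS indexes need; it treats an en dash like a hyphen because the guide prints ranges with one.

```python
"""Parse and validate the 'supported-mcs-set <mcs-list>' syntax described in
the high-throughput SSID profile table. Added example, not ArubaOS code.
"""
from typing import Set

MCS_MIN, MCS_MAX = 0, 15          # range given by the table


def parse_mcs_set(spec: str) -> Set[int]:
    """Expand "1-15", "2-10", "1,3,6,9,12" or "7" into a set of MCS indexes.

    Raises ValueError for empty items, reversed ranges, non-numeric text or
    values outside 0-15, so a typo is caught before it reaches the profile.
    """
    result: Set[int] = set()
    for item in spec.replace("\u2013", "-").split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in MCS list")
        lo, _, hi = item.partition("-")
        lo_i = int(lo)                    # int() rejects "-15", "a-b", etc.
        hi_i = int(hi) if hi else lo_i
        if lo_i > hi_i:
            raise ValueError(f"range {item!r} is reversed")
        for value in (lo_i, hi_i):
            if not MCS_MIN <= value <= MCS_MAX:
                raise ValueError(f"MCS {value} outside {MCS_MIN}-{MCS_MAX}")
        result.update(range(lo_i, hi_i + 1))
    return result


def spatial_streams(mcs: int) -> int:
    """802.11n single-/dual-stream MCS: 0-7 use one stream, 8-15 use two."""
    return mcs // 8 + 1


def required_streams(spec: str) -> int:
    """Highest number of spatial streams any MCS in the set needs; a radio
    with fewer chains cannot use the whole configured set."""
    return max(spatial_streams(m) for m in parse_mcs_set(spec))


if __name__ == "__main__":
    for spec in ("1-15", "2\u201310", "1,3,6,9,12", "0-7"):
        print(spec, sorted(parse_mcs_set(spec)), "streams:", required_streams(spec))
```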
In the CLI
rf ht-radio-profile ht-radioa-corpnet
rf ht-radio-profile ht-radiog-corpnet
rf dot11a-radio-profile ht-corpnet-a
high-throughput-enable
ht-radio-profile ht-radioa-corpnet
rf dot11g-radio-profile ht-corpnet-g
high-throughput-enable
ht-radio-profile ht-radiog-corpnet
wlan ht-ssid-profile ht-ssid-corpnet
high-throughput-enable
wlan ssid-profile ht-corpnet
ht-ssid-profile ht-ssid-corpnet
wlan virtual-ap ht-vap-corpnet
allowed-bands all
ssid-profile ht-corpnet
ap-group ht-corpnet-ap
dot11a-radio-profile ht-corpnet-a
dot11g-radio-profile ht-corpnet-g
virtual-ap ht-vap-corpnet
Managing High-throughput Profiles
Use the following commands to create a high-throughput radio profile or edit an existing profile. For
details, see Table 34.
rf ht-radio-profile <profile>
40MHz-intolerance
clone <profile>
honor-40MHz-intolerance
no
single-chain-legacy
Use the following commands to create a high-throughput SSID profile or edit an existing profile. For details,
see Table 35.
wlan ht-ssid-profile <profile>
40MHz-enable
clone <profile>
high-throughput-enable
ldpc
legacy-stations
max-rx-a-mpdu-size {8191|16383|32767|65535}
max-tx-a-mpdu-size <bytes>
min-mpdu-start-spacing {0|.25|.5|1|2|4|8|16}
mpdu-agg
no...
short-guard-intvl-20MHz
short-guard-intvl-40MHz
STBC-rx-streams
STBC-tx-streams
supported-mcs-set <mcs-list>
Chapter 6
Adaptive Radio Management (ARM)
This document describes how to configure the ARM function to automatically select the best channel and
transmission power settings for each AP on your WLAN. After completing the tasks described in the
following pages, you can continue configuring your APs as described in the Aruba User Guide.
This document includes the following topics:
• “ARM Overview” on page 171
• “ARM Profiles” on page 172
• “Assigning an ARM Profile to an AP Group” on page 179
• “Multi-Band ARM and 802.11a/802.11g Traffic” on page 179
• “Band Steering” on page 180
• “Traffic Shaping” on page 181
• “Spectrum Load Balancing” on page 183
• “RX Sensitivity Tuning Based Channel Reuse” on page 183
• “Non-802.11 Noise Interference Immunity” on page 184
• “ARM Metrics” on page 184
• “ARM Troubleshooting” on page 185
ARM Overview
Aruba's Adaptive Radio Management (ARM) technology maximizes WLAN performance even in the highest
traffic networks by dynamically and intelligently choosing the best 802.11 channel and transmit power for
each Aruba AP in its current RF environment.
Aruba’s ARM technology solves wireless networking challenges such as large deployments, dense
deployments, and installations that must support VoIP or mobile users. Deployments with dozens of users
per access point can cause network contention and interference, but ARM dynamically monitors and
adjusts the network to ensure that all users are allowed ready access. ARM provides the best voice call
quality with voice-aware spectrum scanning and call admission control.
With earlier technologies, network administrators would have to perform a site survey at each location to
discover areas of RF coverage and interference, and then manually configure each AP according to the
results of this survey. Static site surveys can help you choose channel and power assignments for APs, but
these surveys are often time-consuming and expensive, and only reflect the state of the network at a single
point in time. ARM is more efficient than static calibration, and, unlike older technologies, it continually
monitors and adjusts radio resources to provide optimal network performance. Automatic power control
can adjust AP power settings if adjacent APs are added, removed, or moved to a new location within the
network, minimizing interference with other WLAN networks. ARM adjusts only the affected APs, so the
entire network does not require systemic changes.
ARM Support for 802.11n
ArubaOS version 3.3.x or later supports APs with the 802.11n standard, ensuring seamless integration of
802.11n devices into your RF domain. An Aruba AP’s 5 GHz band capacity simplifies the integration of new
APs into your legacy network. You can also replace older APs with newer 802.11n-compliant APs while
reusing your existing cabling and PoE infrastructure.
A high-throughput (802.11n) AP can use a 40 MHz channel pair comprised of two adjacent 20 MHz channels
available in the regulatory domain profile for your country. When ARM is configured for a dual-band AP, it
will dynamically select the primary and secondary channels for these devices. It can, however, continue to
scan all channels in the a+b/g bands to calculate interference and detect rogue APs.
Monitoring Your Network with ARM
When ARM is enabled, an Aruba AP will dynamically scan all 802.11 channels in its regulatory domain at
regular intervals and will report everything it sees to the controller on each channel it scans. (By default,
802.11n-capable APs scan channels in all regulatory domains.) This includes, but is not limited to, data
regarding WLAN coverage, interference, and intrusion detection. You can retrieve this information from the
controller to get a quick health check of your WLAN deployment without having to walk around every part
of a building with a network analyzer. (For additional information on the individual metrics gathered on the
AP’s current assigned RF channel, see “ARM Metrics” on page 184.)
Noise and Error Monitoring
An AP configured with ARM is aware of both 802.11 and non-802.11 noise, and will adjust to a better
channel if it reaches a configured threshold for either noise, MAC errors or PHY errors. The ARM algorithm
is based on what the individual AP hears, so each AP on your WLAN can effectively “self heal” by
compensating for changing scenarios like a broken antenna or blocked signals from neighboring APs.
Additionally, ARM periodically collects information about neighboring APs to help each AP better adapt to
its own changing environment.
Application Awareness
Aruba APs keep a count of the number of data bytes transmitted and received by their radios to calculate
the traffic load. When a WLAN gets very busy and traffic exceeds a predefined threshold, load-aware ARM
dynamically adjusts scanning behavior to maintain uninterrupted data transfer on heavily loaded systems.
ARM-enabled APs will resume their complete monitoring scans when the traffic has dropped to normal
levels. You can also define a firewall policy that pauses ARM scanning when the AP detects critically
important or latency-sensitive traffic from a specified host or network.
ARM’s band steering feature encourages dual-band capable clients to stay on the 5GHz band on dual-band
APs. This frees up resources on the 2.4GHz band for single band clients like VoIP phones.
The ARM “Mode Aware” option is a useful feature for single radio, dual-band WLAN networks with high
density AP deployments. If there is too much AP coverage, those APs can cause interference and negatively
impact your network. Mode aware ARM can turn APs into Air Monitors if necessary, then turn those Air
Monitors back into APs when they detect gaps in coverage. Note that an Air Monitor will not turn back into
an AP if it detects client traffic (or client traffic increases), but will change to an AP only if it detects
coverage holes.
ARM Profiles
You configure ARM by defining ARM profiles, a set of configuration parameters that you can apply as
needed to an AP group or to individual APs. Aruba controllers have one preconfigured ARM profile, called
default. Most network administrators will find that this one default ARM profile is sufficient to manage all
the Aruba APs on their WLAN. Others may want to define multiple profiles to suit their APs’ varying needs.
When managing ARM profiles, you should first consider whether or not all the APs on your WLAN operate
in similar environments and manage similar traffic loads and client types.
If your APs' environment and traffic loads are mostly the same, you can use the default ARM profile to
manage all the APs on your WLAN. If you ever modify the default profile, all APs on the WLAN will be
updated with the new settings. If, however, you have APs on your WLAN that are in different physical environments, or your APs each manage widely varying client loads or traffic types, you should consider defining additional ARM profiles for your AP groups. The following table describes different WLAN environments, and the type of ARM profiles appropriate for each.
Table 36 ARM Profile Types
default profile only:
• A warehouse where the physical environment is nearly the same for all APs, and each AP manages the same number of clients and traffic load.
• A training room, where the clients are evenly spaced throughout the room, have the same security requirements and are using the same amount of network resources.
multiple profiles:
• Universities where APs are in different building types (open auditoriums, small brick classrooms), some APs must support VoIP or video streaming, and mobile clients are constantly moving from one AP coverage area to another.
• Healthcare environments where some APs must balance the network demands of large digital radiology files, secure electronic patient record transfers, diagnostic videos, and collaborative VoIP sessions, while other APs (like those in a lobby or cafeteria) support only lower-priority traffic like Internet browsing.
You assign ARM profiles to AP groups by associating an ARM profile with that AP group’s 802.11a or
802.11g RF management profile. For details on associating an ARM profile with an AP group, see “Assigning
an ARM Profile to an AP Group” on page 179.
There are two ways to create a new ARM profile. You can make an entirely new profile with all default
settings, or you can create a new profile based upon the settings of an existing profile by making a copy of
that other profile.
Creating a New ARM Profile
To create a new ARM profile with all default settings via the WebUI:
1. Select Configuration > All Profiles. The All Profile Management window opens.
2. Select RF Management to expand the RF Management section.
3. Select Adaptive Radio Management (ARM) Profile. Any currently defined ARM profiles appears in
the right pane of the window. If you have not yet created any ARM profiles, this pane displays the
default profile only.
4. To create a new profile with all default settings, enter a name in the entry blank. The name must be 1–63
characters, and can be composed of alphanumeric characters, special characters and spaces. If your
profile name includes a space, it must be enclosed within quotation marks.
5. Click Add.
To create a new ARM profile via the command-line interface, access the CLI in config mode and issue the
following command.
rf arm-profile <profile>
where <profile> is a unique name for the new ARM profile. The name must be 1–63 characters, and can be composed of alphanumeric characters, special characters and spaces. If your profile name includes a space, it must be enclosed within quotation marks.
Copying an Existing Profile
To create a new ARM profile based upon the settings of another existing profile:
1. Follow steps 1–3 in the above procedure to access the Adaptive Radio Management (ARM) profile
window.
2. From the list of profiles, select the profile with the settings you would like to copy.
3. Click Save As.
4. Enter a name for the new profile in the entry blank. The name must be 1–63 characters, and can be
composed of alphanumeric characters, special characters and spaces.
5. Click Apply.
To create a copy of an existing ARM profile via the command-line interface, access the CLI in config mode
and issue the following command.
rf arm-profile <newprofile> clone <profile>
where <newprofile> is a unique name for the new ARM profile, and <profile> is the name of the existing profile whose settings you want to copy. The name must be 1–63 characters, and can be composed of alphanumeric characters, special characters and spaces. If your profile name includes a space, it must be enclosed within quotation marks.
Deleting a Profile
You can only delete unused ARM profiles; the controller will not let you delete an ARM profile that is currently assigned to an AP group.
To delete an ARM profile in the WebUI:
1. Select Configuration > All Profiles. The All Profile Management window opens.
2. Select RF Management to expand the RF Management section.
3. Select Adaptive Radio Management (ARM) Profile.
4. Select the name of the profile you want to delete.
5. Click Delete.
To delete an ARM profile using the CLI, issue the command
no rf arm-profile <profile>
where <profile> is the name of the ARM profile you wish to remove.
Configuring ARM Settings
In most network environments, ARM does not need any adjustments from its factory-configured settings.
However, if you are using VoIP or have unusually high security requirements you may want to manually
adjust the ARM thresholds.
If you plan on using Adaptive Radio Management on an Aruba AP-60 or AP-61 in a network with both 802.11a and 802.11g traffic, Aruba suggests that you enable the Mode Aware ARM feature in that AP's ARM profile, and set the profile's ARM assignment option to multi-band.
In the WebUI
To change an ARM profile:
1. Select Configuration > All Profiles. The All Profile Management window opens.
2. Select RF Management to expand the RF Management section.
3. Select Adaptive Radio Management (ARM) Profile.
4. Select the name of the profile you want to edit. The Adaptive Radio Management (ARM) profile
window opens.
5. Change any of the ARM settings described in the table below, then click Apply to save your changes.
Table 37 ARM Profile Configuration Parameters
Assignment
Activates one of four ARM channel/power assignment modes.
• disable: Disables ARM calibration and reverts APs back to the default channel and power settings specified by the AP's radio profile.
• maintain: APs maintain their current channel and power settings. This setting can be used to maintain AP channel and power levels after ARM has initially selected the best settings.
• multi-band: For single-radio APs, this value computes ARM assignments for both the 5 GHz (802.11a) and 2.4 GHz (802.11b/g) frequency bands.
• single-band: For dual-radio APs, this value enables APs to change transmit power and channels within their same frequency band, and to adapt to changing channel conditions.
Default: single-band
Allowed bands for 40 MHz channels
The specified setting allows ARM to determine if 40 MHz mode of operation is allowed on the 5 GHz or 2.4 GHz frequency band only, on both frequency bands, or on neither frequency band.
Client Aware
If the Client Aware option is enabled, the AP does not change channels if there is an active client
associated to that AP. (Activity is defined by the sta-inactivity-time parameter in the IDS general
profile. By default, a client is considered active if it has sent or received traffic within the last 60
seconds.)
If Client Aware is disabled, the AP may change to a more optimal channel, but this change may
also disrupt current client traffic.
Default: enabled
Min Tx EIRP
Minimum effective isotropic radiated power (EIRP) from 3 to 33 dBm in 3 dBm increments. You
may also specify a special value of 127 dBm for regulatory maximum to disable power
adjustments for environments such as outdoor mesh links. Note that power settings will not
change if the Assignment option is set to disabled or maintain. Higher power level settings may
be constrained by local regulatory requirements and AP capabilities. In the event that an AP is
configured for a Min Tx EIRP setting it cannot support, this value will be reduced to the highest
supported power setting.
Default: 9 dBm
Note: Consider configuring a Min Tx EIRP setting higher than the default value if most of your APs are placed on the ceiling. APs on a ceiling often have good line of sight between them, which will cause ARM to decrease their power to prevent interference. However, if the wireless clients down on the floor do not have such a clear line back to the AP, you could end up with coverage gaps.
Max Tx EIRP
Maximum effective isotropic radiated power (EIRP) from 3 to 33 dBm in 3 dBm increments. You
may also specify a special value of 127 dBm for regulatory maximum. Higher power level settings
may be constrained by local regulatory requirements and AP capabilities. In the event that an AP
is configured for a Max Tx EIRP setting it cannot support, this value will be reduced to the
highest supported power setting.
Default: 127 dBm
Note: Power settings will not change if the Assignment option is set to disabled or maintain.
Multi Band Scan
If enabled, single-radio APs scan for rogue APs across multiple channels. This option requires that Scanning is also enabled.
(The Multi Band Scan option does not apply to APs that have two radios, as these devices already scan across multiple channels. If one of these dual-radio devices is assigned an ARM profile with Multi Band Scan enabled, that device will ignore this setting.)
Default: disabled
Rogue AP Aware
If you have enabled both the Scanning and Rogue AP Aware options, Aruba APs may change channels to contain off-channel rogue APs with active clients. This security feature allows APs to change channels even if the Client Aware setting is enabled.
This setting is disabled by default, and should only be enabled in high-security environments where security requirements are allowed to consume higher levels of network resources. You may prefer to receive Rogue AP alerts via SNMP traps or syslog events.
Default: disabled
Scan Interval
If Scanning is enabled, the Scan Interval defines how often the AP will leave its current channel
to scan other channels in the band.
Off-channel scanning can impact client performance. Typically, the shorter the scan interval, the
higher the impact on performance. If you are deploying a large number of new APs on the
network, you may want to lower the Scan Interval to help those APs find their optimal settings
more quickly. Raise the Scan Interval back to its default setting after the APs are functioning as
desired.
The supported range for this setting is 0–2,147,483,647 seconds.
Default: 10 seconds
Active Scan
When the Active Scan checkbox is selected, an AP initiates active scanning via probe request.
This option elicits more information from nearby APs, but also creates additional management
traffic on the network. Active Scan is disabled by default, and should not be enabled except
under the direct supervision of Aruba Support.
Default: disabled
Scanning
The Scanning checkbox enables or disables AP scanning across multiple channels. Disabling this option also disables the following scanning features:
• Multi Band Scan
• Rogue AP Aware
• VoIP Aware Scan
• Power Save Aware Scan
Do not disable Scanning unless you want to disable ARM and manually configure AP channel and transmission power.
Default: enabled
Scan Time
The amount of time, in milliseconds, an AP will step out of the current channel to scan another channel. The supported range for this setting is 0–2,147,483,647 milliseconds. Aruba recommends a scan time between 50–200 ms.
Default: 110 ms
VoIP Aware Scan
Aruba’s VoIP Call Admission Control (CAC) prevents any single AP from becoming congested
with voice calls. When you enable CAC, you should also enable VoIP Aware Scan in the ARM
profile, so the AP will not attempt to scan a different channel if one of its clients has an active
VoIP call. This option requires that Scanning is also enabled.
Default: disabled
Power Save Aware Scan
If enabled, the AP will not scan a different channel if it has one or more clients that are in power save mode.
Default: disabled
Video Aware Scan
As long as there is at least one video frame every 100 ms, the AP will reject an ARM scanning request. Note that for each radio interface, video frames must be defined in one of two ways:
• Classify the frame as video traffic via a session ACL.
• Enable WMM on the WLAN's SSID profile and define a specific DSCP value as a video stream. Next, create a session ACL to tag the video traffic with that DSCP value.
Ideal Coverage Index
The Aruba coverage index metric is a weighted calculation based on the RF coverage for all Aruba APs and neighboring APs on a specified channel. The Ideal Coverage Index specifies the ideal coverage that an AP should try to achieve on its channel. The denser the AP deployment, the lower this value should be. The range of possible values is 2–20.
Default: 10
For additional information on how the Coverage Index is calculated, see "ARM Metrics" on page 184.
Acceptable Coverage Index
For multi-band implementations, the Acceptable Coverage Index specifies the minimal coverage an AP should achieve on its channel. The denser the AP deployment, the lower this value should be. The range of possible values is 1–6.
Default: 4
Free Channel Index
The Aruba interference index metric measures interference for a specified channel and its surrounding channels. This value is calculated and weighted for all APs on those channels (including third-party APs).
An AP will only move to a new channel if the new channel has a lower interference index value than the current channel. Free Channel Index specifies the required difference between the two interference index values before the AP moves to the new channel. The lower this value, the more likely it is that the AP will move to the new channel. The range of possible values is 10–40.
Default: 25
For additional information on how the interference index is calculated, see "ARM Metrics" on page 184.
Backoff Time
After an AP changes channel or power settings, it waits for the backoff time interval before it asks
for a new channel/power setting. The range of possible values is 120–3600 seconds.
Default: 240 seconds
Error Rate Threshold
The minimum percentage of PHY errors and MAC errors in the channel that will trigger a channel
change.
Default: 50%
Error Rate Wait Time
Minimum time in seconds the error rate has to exceed the Error Rate Threshold before it triggers
a channel change.
Default: 30 seconds
Noise Threshold
Maximum level of noise in the channel that triggers a channel change. The range of possible values is 0–2,147,483,647 dBm, entered as a positive number.
Default: 75 dBm
Noise Wait Time
Minimum time in seconds the noise level has to exceed the Noise Threshold before it triggers a
channel change. The range of possible values is 15–3600 seconds.
Default: 120 seconds
Minimum Scan Time
Minimum number of times a channel must be scanned before it is considered for assignment.
The supported range for this setting is 0–2,147,483,647 scans. Aruba recommends a Minimum
Scan Time between 1–20 scans.
Default: 8 scans
Load Aware Scan Threshold
Load aware ARM preserves network resources during periods of high traffic by temporarily halting ARM scanning if the load for the AP gets too high.
The Load Aware Scan Threshold is the traffic throughput level an AP must reach before it stops scanning. The supported range for this setting is 0–20000000 bytes/second. (Specify 0 to disable this feature.)
Default: 1250000 bytes/second
Mode Aware ARM
If enabled, ARM will turn APs into Air Monitors (AMs) if it detects higher coverage levels than
necessary. This helps avoid higher levels of interference on the WLAN. Although this setting is
disabled by default, you may want to enable this feature if your APs are deployed in close
proximity (e.g. less than 60 feet apart).
Mode aware ARM turns Air Monitors back into APs when they detect gaps in coverage. Note that
an Air Monitor will not turn back into an AP if it detects client traffic (or client traffic increases), but
will change to an AP only if it detects coverage holes.
Default: disabled
Scan Mode
By default, 802.11n-capable APs scan channels within all regulatory domains. To limit the AP
scans to just the regulatory domain for that AP, click the Scan Mode drop-down list and select
reg-domain.
Note: This setting does not apply to APs that do not support 802.11n; these APs will scan their
regulatory domain only.
In the CLI
You must be in config mode to create, modify or delete an ARM profile using the CLI. Specify an existing
ARM profile with the <profile-name> parameter to modify an existing ARM profile, or enter a new name to
create an entirely new profile.
Configuration details and any default values for each of these parameters are described in Table 37 on page
175. If you do not specify a parameter for a new profile, that profile uses the default value for that
parameter. Put the no option before any parameter to remove the current value for that parameter and
return it to its default setting. Enter exit to leave the ARM profile mode.
Use the following command to create or modify an ARM profile:
rf arm-profile <profile>
40MHz-allowed-bands {All|None|a-only|g-only}
acceptable-coverage-index <number>
active-scan (not intended for use)
assignment {disable|maintain|multi-band|single-band}
backoff-time <seconds>
client-aware
clone <profile>
error-rate-threshold <percent>
error-rate-wait-time <seconds>
free-channel-index <number>
ideal-coverage-index <number>
load-aware-scan-threshold <Mbps>
max-tx-power <dBm>
min-scan-time <# of scans>
min-tx-power <dBm>
mode-aware
multi-band-scan
no
noise-threshold <number>
noise-wait-time <seconds>
ps-aware-scan
rogue-ap-aware
scan-interval <seconds>
scan-mode {all-reg-domain|reg-domain}
scan-time <milliseconds>
scanning
voip-aware-scan
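The parameter list above is also the shape in which ARM profiles appear in a controller's running configuration, which makes them easy to audit in bulk rather than one WebUI page at a time. The following Python script is an added example, not part of this guide or of ArubaOS. It parses `rf arm-profile` blocks from a constructed running-config excerpt (assumed layout: the profile header, indented parameter lines using the keywords listed above, `no <parameter>` for a cleared boolean, only non-default values printed, and `!` ending each block) and flags the settings Table 37 cautions about: Scanning disabled, Active Scan enabled, scan-dependent options set while Scanning is off, scan times outside the recommended range, and a Min Tx EIRP above the Max. The profile names in the sample are invented.

```python
"""Audit ARM profiles in an ArubaOS running-config dump.

Added example, not Aruba's code. Assumes the dump prints each profile as
`rf arm-profile "<name>"` followed by indented parameter lines that use the
CLI keywords from the ARM profile command list, `no <param>` for a cleared
boolean, only non-default values shown, and `!` ending a block. Defaults
come from Table 37, so an empty block is audited against factory settings.
"""
import re
from dataclasses import dataclass

# Boolean parameters and their factory defaults (Table 37).
BOOL_DEFAULTS = {
    "scanning": True, "client-aware": True, "rogue-ap-aware": False,
    "active-scan": False, "multi-band-scan": False, "voip-aware-scan": False,
    "ps-aware-scan": False, "mode-aware": False,
}
# Valued parameters and their factory defaults (Table 37).
VALUE_DEFAULTS = {
    "assignment": "single-band", "scan-mode": "all-reg-domain",
    "scan-interval": "10", "scan-time": "110", "min-scan-time": "8",
    "min-tx-power": "9", "max-tx-power": "127", "backoff-time": "240",
}
# Features that Table 37 says are switched off along with Scanning.
NEEDS_SCANNING = ("multi-band-scan", "rogue-ap-aware", "voip-aware-scan", "ps-aware-scan")

PROFILE_RE = re.compile(r'^rf arm-profile\s+"?([^"]+?)"?\s*$')


def parse_arm_profiles(config_text):
    """Return {profile_name: {param: value}} with defaults filled in."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            current = {**BOOL_DEFAULTS, **VALUE_DEFAULTS}
            profiles[m.group(1)] = current
            continue
        if line == "!":
            current = None
            continue
        if current is None or not line:
            continue
        tokens = line.split()
        if tokens[0] == "no" and len(tokens) == 2 and tokens[1] in BOOL_DEFAULTS:
            current[tokens[1]] = False
        elif len(tokens) == 1 and tokens[0] in BOOL_DEFAULTS:
            current[tokens[0]] = True
        elif len(tokens) == 2 and tokens[0] in VALUE_DEFAULTS:
            current[tokens[0]] = tokens[1]
        # Any other keyword is left alone rather than guessed at.
    return profiles


@dataclass
class Finding:
    profile: str
    severity: str  # "high", "medium" or "info"
    message: str


def audit_arm_profiles(profiles):
    """Apply the cautions from Table 37 to each parsed profile."""
    findings = []
    for name, p in profiles.items():
        def add(severity, message, name=name):
            findings.append(Finding(name, severity, message))

        if not p["scanning"]:
            add("high", "scanning disabled: ARM stops monitoring other channels, and Multi Band "
                        "Scan, Rogue AP Aware, VoIP Aware Scan and Power Save Aware Scan go with it")
            for dep in NEEDS_SCANNING:
                if p[dep]:
                    add("medium", f"{dep} is set but has no effect while scanning is disabled")
        if p["active-scan"]:
            add("high", "active-scan enabled: adds probe-request traffic; Table 37 says to use it "
                        "only under Aruba Support supervision")
        scan_time = int(p["scan-time"])
        if not 50 <= scan_time <= 200:
            add("medium", f"scan-time {scan_time} ms is outside the recommended 50-200 ms")
        min_scans = int(p["min-scan-time"])
        if not 1 <= min_scans <= 20:
            add("medium", f"min-scan-time {min_scans} is outside the recommended 1-20 scans")
        lo, hi = int(p["min-tx-power"]), int(p["max-tx-power"])
        if hi != 127 and lo > hi:  # 127 is the special "regulatory maximum" value
            add("high", f"min-tx-power {lo} dBm exceeds max-tx-power {hi} dBm")
        if p["assignment"] in ("disable", "maintain"):
            add("info", f"assignment {p['assignment']}: ARM will not adjust channel or power")
    return findings


# Constructed sample dump; the profile names are invented.
SAMPLE_CONFIG = """\
rf arm-profile "default"
!
rf arm-profile "lab-static"
   no scanning
   rogue-ap-aware
   assignment disable
!
rf arm-profile "secure-floor"
   rogue-ap-aware
   scan-mode reg-domain
   active-scan
   scan-time 400
   min-tx-power 18
   max-tx-power 12
!
"""

if __name__ == "__main__":
    for f in audit_arm_profiles(parse_arm_profiles(SAMPLE_CONFIG)):
        print(f"[{f.severity:6}] {f.profile}: {f.message}")
```

Feed it the output of `show running-config` saved to a file and extend the tables if your controller prints keywords this list does not know; unknown lines are ignored on purpose so the audit never reports a setting it did not actually read.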
Assigning an ARM Profile to an AP Group
Once you have created a new ARM profile, you must assign it to a group of APs before those ARM settings
go into effect. Each AP group has a separate set of configuration settings for its 802.11a radio profile and its
802.11g radio profile. You can assign the same ARM profile to each radio profile, or select different ARM
profiles for each radio.
In the WebUI
To assign an ARM profile to an AP group via the Web User Interface:
1. Select Configuration > AP Configuration.
2. If it is not already selected, click the AP Group tab.
3. Click the Edit button beside the AP group to which you want to assign the new ARM profile.
4. Expand the RF Management section in the left window pane.
5. Select a radio profile for the new ARM profile.
• To assign a new profile to an AP group's 802.11a radio profile, expand the 802.11a radio profile section.
• To assign a new profile to an AP group's 802.11g radio profile, expand the 802.11g radio profile section.
6. Select Adaptive Radio management (ARM) Profile.
7. Click the Adaptive Radio Management (ARM) Profile drop-down list in the right window pane, and
select a new ARM profile.
8. (Optional) Repeat steps 5–7 to select an ARM profile for the other radio profile.
9. Click Apply to save your changes.
You can also assign an ARM profile to an AP group by selecting a radio profile, identifying an AP group
assigned to that radio profile, and then assigning an ARM profile to one of those groups.
1. Select Configuration > All Profiles.
2. Select RF Management and then expand either the 802.11a radio profile or 802.11g radio profile.
3. Select an individual radio profile name to expand that profile.
4. Click Adaptive Radio Management (ARM) Profile, and then use the Adaptive Radio management
(ARM) Profile drop-down list in the right window pane to select a new ARM profile for that radio.
In the CLI
To assign an ARM profile to an AP group via the command-line interface, access the CLI in config mode and
issue the following commands:
rf dot11a-radio-profile <ap_profile>
arm-profile <arm_profile>
and
rf dot11g-radio-profile <ap_profile>
arm-profile <arm_profile>
where <ap_profile> is the name of the 802.11a or 802.11g radio profile that is applied to the AP group, and <arm_profile> is the name of the ARM profile you want to assign to that radio band.
Multi-Band ARM and 802.11a/802.11g Traffic
Aruba recommends using the multi-band ARM assignment and Mode Aware ARM feature for single-radio APs in networks with traffic in the 802.11a and 802.11g bands. This feature allows a single-radio AP to dynamically change its radio band based on current coverage on the configured band. This feature is enabled via the AP's ARM profile.
When you first provision a single-radio AP, it initially operates in the radio band specified in its AP system profile. If the AP finds adequate coverage on multiple channels in its current band of operation, the mode-aware feature allows the AP to temporarily turn itself off and become an AP Air Monitor (APM). In AP Monitor mode, the AP scans all channels across both bands to verify that each channel meets or exceeds its required level of acceptable radio coverage (as defined by the Acceptable Coverage Index in the ARM profile).
If the AP Monitor detects that a channel on the 802.11g band does not have adequate radio coverage, it will convert back to an AP on that 802.11g channel. If the 802.11g band is adequately covered, the AP Monitor will next check the 802.11a band. If a channel on the 802.11a band lacks coverage, the AP Monitor will convert back to an AP on that 802.11a channel.
Band Steering
ARM’s band steering feature encourages dual-band capable clients to stay on the 5GHz band on dual-band
APs. This frees up resources on the 2.4GHz band for single band clients like VoIP phones.
Band steering reduces co-channel interference and increases available bandwidth for dual-band clients,
because there are more channels on the 5GHz band than on the 2.4GHz band. Dual-band 802.11n-capable
clients may see even greater bandwidth improvements, because the band steering feature will automatically
select between 40MHz or 20MHz channels in 802.11n networks. This feature is disabled by default, and must
be enabled in a Virtual AP profile.
The band steering feature supports both campus APs and remote APs that have a virtual AP profile set to
tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus or remote AP has virtual AP
profiles configured in bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, those APs
will gather information about 5G-capable clients independently and will not exchange this information with
other APs that also have bridge or split-tunnel virtual APs only. The band steering feature will not
proactively disconnect clients that are already associated with a radio. All band steering occurs when a
client is trying to associate to a new AP radio.
Best practice is to use either the Band Steering or the Spectrum Load Balancing feature to balance client load across channels, but not both at the same time.
Steering Modes
Band steering supports the following three band steering modes.
• Prefer-5GHz (default): If you configure the AP to use prefer-5GHz band steering mode, the AP will not respond to 2.4 GHz probe requests from a client if all of the following conditions are met:
  - The client has already probed the AP on the 5 GHz band and therefore is known to be capable of sending probes on the 5 GHz band.
  - The client is not currently associated on the 2.4 GHz radio of this AP.
  - The client has sent fewer than 8 probe requests or authentication frames in the last 10 seconds. If the client has sent more probes than that in the last 10 seconds, it will be able to connect using whatever band it prefers.
• Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP will not respond to 2.4 GHz probe requests from a client if all of the following conditions are met:
  - The client has already probed the AP on the 5 GHz band and therefore is known to be capable of sending probes on the 5 GHz band.
  - The client is not currently associated on the 2.4 GHz radio of this AP.
• Balance-bands: In this band steering mode, the AP tries to balance the clients across the two radios in order to best utilize the available 2.4 GHz bandwidth. This mode takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz mode while the 2.4 GHz band operates in 20 MHz mode.
NOTE: The band steering feature in ArubaOS versions 3.3.2.x–3.4.2.x does not support multiple band-steering modes. The band-steering feature in these versions of ArubaOS functions the same way as the default prefer-5GHz steering mode available in ArubaOS 3.4.3.x and later.
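The two rule sets above can be written down exactly, which matters when you test a deployment: prefer-5GHz has a documented escape (a client that keeps probing 2.4 GHz is answered once it has sent 8 probe or authentication frames in 10 seconds), force-5GHz does not, and neither mode ever disconnects a client that is already associated. The following Python model is an added example, not ArubaOS code; it encodes only the conditions listed above for those two modes (balance-bands has no documented rule here and is left out). Two details the text does not state are assumed: the 8-in-10-seconds count covers the 2.4 GHz probe and authentication frames seen before the one being decided, and a client stays marked as 5 GHz capable for the life of its entry. The client MAC address in the scenario is made up.

```python
"""Band steering probe-response decision for prefer-5GHz and force-5GHz.

Added example modelling the documented conditions; not ArubaOS code.
"""
from collections import defaultdict, deque

PROBE_WINDOW_SECONDS = 10   # window for the probe/auth count in prefer-5GHz mode
PROBE_ESCAPE_COUNT = 8      # suppressed only while the client has sent fewer than this many


class BandSteeringRadio:
    """State one AP keeps about clients when deciding whether to answer a 2.4 GHz probe."""

    def __init__(self, mode="prefer-5ghz"):
        if mode not in ("prefer-5ghz", "force-5ghz"):
            raise ValueError("balance-bands has no documented rule here and is not modelled")
        self.mode = mode
        self.seen_on_5ghz = set()                # clients that have probed this AP on 5 GHz
        self.associated_24ghz = set()            # clients currently associated on the 2.4 GHz radio
        self.recent_24ghz = defaultdict(deque)   # client -> timestamps of 2.4 GHz probe/auth frames

    def probe_5ghz(self, client):
        self.seen_on_5ghz.add(client)

    def associate_24ghz(self, client):
        self.associated_24ghz.add(client)

    def _recent_count(self, client, now):
        """Number of 2.4 GHz probe/auth frames from this client inside the window."""
        q = self.recent_24ghz[client]
        while q and now - q[0] > PROBE_WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def probe_24ghz(self, client, now):
        """Return True if the AP answers this 2.4 GHz probe request."""
        prior = self._recent_count(client, now)   # assumption: frames before this one
        self.recent_24ghz[client].append(now)
        if client not in self.seen_on_5ghz:
            return True      # condition 1 fails: not known to be 5 GHz capable
        if client in self.associated_24ghz:
            return True      # condition 2 fails: steering never disconnects an associated client
        if self.mode == "force-5ghz":
            return False     # no escape hatch in force-5GHz mode
        # prefer-5GHz: suppressed only while fewer than 8 probe/auth frames in 10 seconds
        return prior >= PROBE_ESCAPE_COUNT


def simulate_probe_burst(mode, probes=10, interval=0.5, client="aa:bb:cc:00:00:01"):
    """Constructed scenario: a dual-band client probes 5 GHz once, then sends
    `probes` 2.4 GHz probe requests `interval` seconds apart. Returns the
    per-probe answer decisions (True = probe response sent)."""
    radio = BandSteeringRadio(mode)
    radio.probe_5ghz(client)
    return [radio.probe_24ghz(client, i * interval) for i in range(probes)]


if __name__ == "__main__":
    for mode in ("prefer-5ghz", "force-5ghz"):
        answers = simulate_probe_burst(mode)
        print(f"{mode:12} " + "".join("A" if a else "." for a in answers))
```

Run it and the prefer-5GHz row shows eight suppressed probes followed by answers, while the force-5GHz row stays silent; once the 10-second window has passed without probes, suppression resumes. Because the state is per AP (the text notes it is only shared between APs that have a tunnel-mode virtual AP), a client can be steered independently by each AP it probes.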
Enabling Band Steering
Band steering is configured in a virtual AP profile. Use the following procedures to enable or disable Band
Steering using the WebUI or command-line interfaces.
In the WebUI
1. Select Configuration > All Profiles. The All Profile Management window opens.
2. Select Wireless LAN to expand the Wireless LAN section.
3. Select Virtual AP profile to expand the Virtual AP Profile section.
4. Select the name of the Virtual AP profile for which you want to enable band steering.
(To create a new virtual AP profile, enter a name for a new profile in the Profile Details window, then
click Add button. The new profile will appear in the Profiles list. Select that profile to open the Profile
Details pane.)
5. In the Profile Details pane, select Band Steering. to enable this feature, or uncheck the Band
Steering checkbox to disable this feature.
6. Once band steering is enabled, click the steering mode drop-down list and select the desired steering
mode.
7. Click Apply to save your changes.
In the CLI
Use the following commands to enable band steering via the command-line interface. Access the CLI in config mode, then specify an existing virtual AP profile with the <profile> parameter to modify an existing profile, or enter a new name to create an entirely new virtual AP profile.
wlan virtual-ap <profile> band-steering
wlan virtual-ap <profile> steering-mode balance-bands|force-5ghz|prefer-5ghz
To disable band steering, include the no parameter:
wlan virtual-ap <profile> no band-steering
You can also use the command-line interface to configure and apply multiple instances of virtual AP profiles
to an AP group or to an individual AP. Use the following commands to apply a virtual AP profile to an AP
group or an individual AP.
ap-group <name> virtual-ap <profile>
ap-name <name> virtual-ap <profile>
Traffic Shaping
In a mixed-client network, it is possible for slower clients to bring down the performance of the whole
network. To solve this problem and ensure fair access to all clients independent of their WLAN or IP stack
capabilities, an AP can implement the traffic shaping feature. This feature has the following three options:
• default-access: Traffic shaping is disabled, and client performance is dependent on MAC contention resolution. This is the default traffic shaping setting.
• fair-access: Each client gets the same airtime, regardless of client capability and capacity. This option is useful in environments like a training facility or exam hall, where a mix of 802.11a/g, 802.11b and 802.11n clients need equal access to network resources, regardless of their capabilities.
• preferred-access: High-throughput (802.11n) clients do not get penalized because of slower 802.11a/g or 802.11b transmissions that take more air time due to lower rates. Similarly, faster 802.11a/g clients get more access than 802.11b clients.
With this feature, an AP keeps track of all BSSIDs active on a radio, all clients connected to each BSSID, and the 802.11a/g, 802.11b, or 802.11n capabilities of each client. Every sampling period, airtime is allocated to each client, giving it the opportunity to send and receive traffic. The specific amount of airtime given to an individual client is determined by the following factors:
• Client capabilities (802.11a/g, 802.11b or 802.11n)
• Amount of time the client spent receiving data during the last sampling period
• Number of active clients in the last sampling period
• Activity of the current client in the last sampling period
The bw-alloc parameter of a traffic management profile allows you to set a minimum bandwidth to be
allocated to a virtual AP profile when there is congestion on the wireless network. You must set traffic
shaping to fair-access to use this bandwidth allocation value for an individual virtual AP.
Enabling Traffic Shaping
Traffic shaping is configured in a traffic management profile.
In the WebUI
To configure traffic shaping via the WebUI:
1. Select Configuration > All Profiles. The All Profile Management window opens.
2. Select QoS to expand the QoS section.
3. Select Traffic management profile.
4. In the Profiles Details window, select the name of the traffic management profile for which you want
to configure traffic shaping.
(If you do not have any traffic management profiles configured, enter a name for a new profile in the
Profile Details pane, then click Add. Select the new profile from the profiles list.)
5. In the Profile Details pane, click the Station Shaping Policy drop-down list and select either
default-access, fair-access or preferred-access.
6. Click Apply to save your changes.
In the CLI
To enable and configure traffic shaping via the command-line interface, access the CLI in config mode and
issue the following commands:
wlan traffic-management-profile <profile> shaping-policy fair-access|preferred-access
To disable traffic shaping, use the default-access parameter:
wlan traffic-management-profile <profile> shaping-policy default-access
Use the following commands to apply an 802.11a or 802.11g traffic management profile to an AP group or an
individual AP.
ap-group <name> dot11a-traffic-mgmt-profile|dot11g-traffic-mgmt-profile <profile>
ap-name <name> dot11a-traffic-mgmt-profile|dot11g-traffic-mgmt-profile <profile>
182 | Adaptive Radio Management (ARM)
ArubaOS 6.1 | User Guide
Spectrum Load Balancing
The spectrum load balancing feature helps optimize network resources by balancing clients across
channels, regardless of whether the AP or the controller is responding to the wireless clients' probe
requests. The controller uses the ARM neighbor update messages that pass between APs and the controller
to determine the distribution of clients connected to each AP's immediate (one-hop) neighbors. This feature
also takes into account the number of APs visible to the clients in the RF neighborhood and can factor the
client’s perspective on the network into its coverage calculations.
The controller compares whether or not an AP has more clients than its neighboring APs on other channels.
If an AP’s client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a
neighboring Aruba AP on another channel does not have any clients, load balancing will be enabled on that
AP.
When an AP has the spectrum load balancing feature enabled, the AP will send an association response with
error code 17 to new clients trying to associate. If the client receiving the error code tries to associate to the
AP a second time, it will be admitted. If a client is rejected by two APs in a row, it will be admitted by any
AP on its third try. Note that the load balancing feature only affects the association of new clients; this
feature does not reject or attempt to balance clients that are already associated to the AP.
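To make the admission rule above concrete, here is a small Python model of it. This is an added illustration written for this edit, not Aruba's code: it assumes the controller keeps, per client, the set of load-balancing APs that have already rejected that client and a count of rejections in a row, and it uses status code 17 as the page states. Clients that are already associated are never touched.

```python
from collections import defaultdict

STATUS_SUCCESS = 0
STATUS_AP_FULL = 17  # association status code the page says a balancing AP returns


class LoadBalancingDomain:
    """Toy model of the spectrum-load-balancing admission rule (constructed
    illustration, not Aruba's implementation):
      - a balancing AP rejects a client's first association attempt;
      - a second attempt to the same AP is admitted;
      - after two rejections in a row, any AP admits the client.
    Clients that are already associated are never rejected or rebalanced."""

    def __init__(self, balancing_aps):
        self.balancing = set(balancing_aps)           # APs with the feature enabled
        self.rejected_by = defaultdict(set)           # client -> APs that rejected it
        self.rejections_in_a_row = defaultdict(int)   # client -> consecutive rejections
        self.associated = {}                          # client -> AP it is associated to

    def associate(self, client, ap):
        if self.associated.get(client) == ap:
            return STATUS_SUCCESS                     # existing association is left alone
        first_try_here = ap not in self.rejected_by[client]
        if ap in self.balancing and first_try_here and self.rejections_in_a_row[client] < 2:
            self.rejected_by[client].add(ap)
            self.rejections_in_a_row[client] += 1
            return STATUS_AP_FULL
        # Admitted: record the association and reset the rejection history.
        self.associated[client] = ap
        self.rejected_by[client].clear()
        self.rejections_in_a_row[client] = 0
        return STATUS_SUCCESS


def association_trace(domain, client, attempts):
    """Status code returned for each association attempt, in order, e.g. [17, 17, 0]."""
    return [domain.associate(client, ap) for ap in attempts]


if __name__ == "__main__":
    d = LoadBalancingDomain({"ap1", "ap2", "ap3"})
    print(association_trace(d, "aa:bb:cc:00:00:01", ["ap1", "ap1"]))
    print(association_trace(d, "aa:bb:cc:00:00:02", ["ap1", "ap2", "ap3"]))
```

The trace shows the two escape hatches the page describes: retrying the same AP is admitted immediately, and a client bounced by two different APs is admitted wherever it tries next, so load balancing can steer new clients but never lock one out.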
Spectrum load balancing is disabled by default, and can be enabled for 2.4G traffic through an 802.11g
profile or for 5G traffic through an 802.11a RF management profile. The spectrum load balancing feature
also requires that the 802.11a or 802.11g RF management profiles reference an ARM profile with ARM
scanning enabled.
The spectrum load balancing feature available in ArubaOS 3.4.x and later releases completely replaces the
AP load balancing feature available earlier versions of ArubaOS. When you upgrade to ArubaOS 3.4.x or later, you
must manually configure the spectrum load balancing settings, as the AP load balancing feature can no longer be
used, and any previous AP load balancing settings will not be preserved.
For details on modifying 802.11a or 802.11g RF management profiles, refer to “RF Management (802.11a and
802.11g) Profiles” on page 241.
RX Sensitivity Tuning Based Channel Reuse
In some dense deployments, it is possible for APs to hear other APs on the same channel. This creates co-channel interference and reduces the overall utilization of the channel in a given area. Channel reuse
enables dynamic control over the receive (Rx) sensitivity in order to improve spatial reuse of the channel.
The channel reuse feature applies to non-DFS channels only. It is internally disabled for DFS channels and does not
affect DFS radar signature detection.
You can configure the channel reuse feature to operate in one of the following three modes: static,
dynamic or disable. (This feature is disabled by default.)

Static mode: This mode of operation is a coverage-based adaptation of the Clear Channel Assessment
(CCA) thresholds. In the static mode of operation, the CCA threshold is adjusted according to the configured
transmission power level on the AP: as the AP transmit power decreases, the CCA threshold increases,
and vice versa.

Dynamic mode: In this mode, the Clear Channel Assessment (CCA) thresholds are based on channel
loads, and take into account the location of the associated clients. When you set the Channel Reuse
feature to dynamic mode, this feature is automatically enabled when the wireless medium around the AP
is busy more than half the time, and the CCA threshold adjusts to accommodate transmissions
between the AP and its most distant associated client.

Disable mode: This mode does not support the tuning of the CCA Detect Threshold.
The channel reuse mode is configured through an 802.11a or 802.11g RF management profile. For details on
modifying 802.11a or 802.11g RF management profiles, refer to “RF Management (802.11a and 802.11g)
Profiles” on page 241.
Non-802.11 Noise Interference Immunity
When an AP attempts to decode a non-802.11 signal, that attempt can momentarily interrupt its ability to
receive traffic. The noise immunity feature can help improve network performance in environments with a
high level of non-802.11 noise from devices such as Bluetooth headsets, video monitors and cordless
phones.
You can configure the noise immunity feature for any one of the following levels of noise sensitivity. Note
that increasing the level makes the AP slightly “deaf” to its surroundings, causing the AP to lose a small
amount of range.

Level 0: no ANI adaptation.

Level 1: Noise immunity only. This level enables power-based packet detection by controlling the
amount of power increase that makes a radio aware that it has received a packet.

Level 2: Noise and spur immunity. This level also controls the detection of OFDM packets, and is the
default setting for the Noise Immunity feature.

Level 3: Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due
to interference, but may also reduce radio sensitivity. This level is recommended for environments with
a high-level of interference related to 2.4Ghz appliances such as cordless phones.

Level 4: Level 3 settings, and FIR immunity. At this level, the AP adjusts its sensitivity to in-band power,
which can improve performance in environments with high and constant levels of noise interference.

Level 5: The AP completely disables PHY error reporting, improving performance by eliminating the time
the radio would otherwise spend on PHY error processing.
You can manage Non-802.11 Noise Immunity settings through the 802.11g RF management profile. Do not
raise the noise immunity feature’s default setting if the RX Sensitivity Tuning Based Channel Reuse feature
is also enabled. A level-3 to level-5 Noise Immunity setting is not compatible with the Channel Reuse
feature. For details refer to “Mesh Radio Profiles” on page 236.
ARM Metrics
ARM computes coverage and interference metrics for each valid channel and chooses the best performing
channel and transmit power settings for each AP’s RF environment. Each AP gathers other metrics on their
ARM-assigned channel to provide a snapshot of the current RF health state.
The following two metrics help the AP decide which channel and transmit power setting is best.

Coverage Index: The AP uses this metric to measure RF coverage. The coverage index is calculated as
x/y, where “x” is the AP’s weighted calculation of the Signal-to-Noise Ratio (SNR) on all valid APs on a
specified 802.11 channel, and “y” is the weighted calculation of the Aruba APs SNR the neighboring APs
see on that channel.
To view these values for an AP in your current WLAN environment issue the CLI command show ap
arm rf-summary ap-name <ap-name>, where <ap-name> is the name of an AP for which you want to
view information.

Interference Index: The AP uses this metric to measure co-channel and adjacent channel interference.
The Interference Index is calculated as a/b/c/d, where:

Metric value “a” is the channel interference the AP sees on its selected channel.

Metric value “b” is the interference the AP sees on the adjacent channel.

Metric value “c” is the channel interference the AP’s neighbors see on the selected channel.

Metric value “d” is the interference the AP’s neighbors see on the adjacent channel
To manually calculate the total Interference Index for a channel, issue the CLI command show ap arm
rf-summary ap-name <ap-name>, then add the values a+b+c+d.
Each AP also gathers the following additional metrics, which can provide a snapshot of the current RF
health state. View these values for each AP using the CLI command show ap arm rf-summary ip-addr <ap
ip address>.

Amount of Retry frames (measured in %)

Amount of Low-speed frames (measured in %)

Amount of Non-unicast frames (measured in %)

Amount of Fragmented frames (measured in %)

Amount of Bandwidth seen on the channel (measured in kbps)

Amount of PHY errors seen on the channel (measured in %)

Amount of MAC errors seen on the channel (measured in %)

Noise floor value for the specified AP
ARM Troubleshooting
If the APs on your WLAN do not seem to be operating at an optimal channel or power setting, you should
first verify that both the ARM feature and ARM scanning have been enabled. Optimal ARM performance
requires that the APs have IP connectivity to their master controller, as it is the master controller that gives
each AP the global classification information required to keep accurate coverage index values. If ARM is
enabled but does not seem to be working properly, try some of the following troubleshooting tips.
Too many APs on the Same Channel
If many APs are selecting the same RF channel, there may be excessive interference on the other valid
802.11 channels. Issue the CLI commands show ap arm rf-summary ap-name <ap-name> or show ap
arm rf-summary ip-addr <ap ip address> and calculate the Interference index (intf_idx) for all the valid
channels.
An AP will only move to a new channel if the new channel has a lower interference index value than the
current channel. The ARM Free Channel Index parameter specifies the required difference between two
interference index values. If this value is set too high, the AP will not switch channels, even if the
interference is slightly lower on another channel. Lower the Free Channel Index to improve the likelihood
that the AP will switch to a better channel.
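The following Python snippet is an added example that applies the Interference Index arithmetic from "ARM Metrics" and the Free Channel Index rule above to a constructed per-channel table. It is not Aruba's code and the table is not the real layout of show ap arm rf-summary; it only mirrors the fields the page defines (cov-idx as x/y, intf_idx as a/b/c/d), sums a+b+c+d per channel, and reports whether the AP would leave its current channel for a given Free Channel Index. Treating the Free Channel Index as the minimum difference between the current channel's total and the best candidate's total is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample. It mirrors the fields the page describes for
# "show ap arm rf-summary" (cov-idx = x/y, intf_idx = a/b/c/d) but is NOT the
# real command's layout; adapt LINE_RE to the output of your controller.
SAMPLE_RF_SUMMARY = """\
Channel  cov-idx  intf_idx
36       10/8     4/3/2/1
40        9/7     1/1/0/0
44        6/5     9/8/7/6
"""

LINE_RE = re.compile(
    r"^\s*(?P<ch>\d+)\s+(?P<x>\d+)/(?P<y>\d+)\s+"
    r"(?P<a>\d+)/(?P<b>\d+)/(?P<c>\d+)/(?P<d>\d+)\s*$"
)


@dataclass(frozen=True)
class ChannelMetrics:
    channel: int
    cov_x: int                          # AP's own weighted SNR on the channel
    cov_y: int                          # weighted SNR neighbours see from this AP
    intf: Tuple[int, int, int, int]     # (a, b, c, d) as defined on the page

    @property
    def interference_total(self) -> int:
        # The page's manual calculation: a + b + c + d
        return sum(self.intf)


def parse_rf_summary(text: str) -> Dict[int, ChannelMetrics]:
    """Parse the constructed table into per-channel metrics, skipping the header."""
    metrics = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        g = {k: int(v) for k, v in m.groupdict().items()}
        metrics[g["ch"]] = ChannelMetrics(
            g["ch"], g["x"], g["y"], (g["a"], g["b"], g["c"], g["d"])
        )
    return metrics


def rank_channels(metrics: Dict[int, ChannelMetrics]):
    """Channels ordered from least to most total interference."""
    return sorted(metrics, key=lambda ch: metrics[ch].interference_total)


def should_switch(metrics: Dict[int, ChannelMetrics], current: int,
                  free_channel_index: int) -> Optional[int]:
    """Return the channel ARM would move to, or None to stay.

    Assumption: a move happens only when the current channel's total
    interference exceeds the best candidate's by at least free_channel_index."""
    candidates = [ch for ch in metrics if ch != current]
    if not candidates:
        return None
    best = min(candidates, key=lambda ch: metrics[ch].interference_total)
    gap = metrics[current].interference_total - metrics[best].interference_total
    return best if gap >= free_channel_index else None


if __name__ == "__main__":
    m = parse_rf_summary(SAMPLE_RF_SUMMARY)
    for ch in rank_channels(m):
        print(ch, "cov-idx", f"{m[ch].cov_x}/{m[ch].cov_y}",
              "intf total", m[ch].interference_total)
    print("switch from 36 with free-channel-index 5:", should_switch(m, 36, 5))
    print("switch from 36 with free-channel-index 9:", should_switch(m, 36, 9))
```

With the sample data channel 36 totals 10 and channel 40 totals 2, a gap of 8: a Free Channel Index of 5 moves the AP to channel 40, while a Free Channel Index of 9 keeps it on 36 even though 40 is clearly quieter, which is exactly the symptom the troubleshooting tip describes.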
Wireless Clients Report a Low Signal Level
If APs detect strong signals from other APs on the same channel, they may decrease their power levels
accordingly. Issue the CLI commands show ap arm rf-summary ap-name <ap-name> or show ap arm
rf-summary ip-addr <ap ip address> for all APs and check their current coverage index (cov-idx). If the
AP’s coverage index is at or higher than the configured coverage index value, then the APs have correctly
chosen the transmit power setting. To manually increase the minimum power level for the APs using a
specific ARM profile, define a higher minimum value with the command
rf arm-profile <profile> min-tx-power <dBm>.
If wireless clients still report that they see low signal levels for the APs, check that the AP’s antennas are
correctly connected to the AP and correctly placed according to the manufacturer’s installation guide.
Transmission Power Levels Change Too Often
Frequent changes in transmission power levels can indicate an unstable RF environment, but can also
reflect incorrect ARM or AP settings. To slow down the frequency at which the APs change their transmit
power, set the ARM Backoff Time to a higher value. If APs are using external antennas, check the
Configuration > Wireless > AP Installation > Provisioning window to make sure the APs are statically
configured for the correct dBi gain, antenna type, and antenna number. If only one external antenna is
connected to its radio, you must select either antenna number 1 or 2.
APs Detect Errors but Do Not Change Channels
First, ensure that ARM error checking is not disabled. The ARM Error Rate Threshold should be set to a
percentage higher than zero. The suggested configuration value for the ARM Error Rate Threshold is 30–50%.
APs Don’t Change Channels Due to Channel Noise
APs will only change channels due to interference if ARM noise checking is enabled. Check to verify that
the ARM Noise Threshold is set to a value higher than 0 dBm. The suggested setting for this threshold is 75
dBm.
Chapter 7
Remote Access Points
The Secure Remote Access Point Service allows AP users, at remote locations, to connect to an Aruba
controller over the Internet. Since the Internet is involved, data traffic between the controller and the
remote AP is VPN encapsulated. That is, the traffic between the controller and AP is encrypted. Remote AP
operations are supported on all of Aruba’s APs. This chapter discusses the following topics:

“Overview” on page 187

“Configuring the Secure Remote Access Point Service” on page 188

“Deploying a Branch Office/Home Office Solution” on page 197

“Enabling Double Encryption” on page 202

“Advanced Configuration Options” on page 202
Overview
Remote APs connect to a controller using Extended Authentication and Internet Protocol Security (XAuth/
IPSec). AP control and 802.11 data traffic are carried through this tunnel. Secure Remote Access Point
Service extends the corporate office to the remote site. Remote users can use the same features as
corporate office users. For example, voice over IP (VoIP) applications can be extended to remote sites
while the servers and the PBX remain secure in the corporate office.
Secure Remote Access Point Service can also be used to secure control traffic between an AP and the
controller in a corporate environment. In this case, both the AP and controller are in the company’s private
address space.
The remote AP must be configured with the IPSec VPN tunnel termination point. Once the VPN tunnel is
established, the AP bootstraps and becomes operational. The tunnel termination point used by the remote
AP depends upon the AP deployment, as shown in the following scenarios:

Deployment Scenario 1: The remote AP and controller reside in a private network which is used to
secure AP-to-controller communication. (Aruba recommends this deployment when AP-to-controller
communications on a private network need to be secured.) In this scenario, the remote AP uses the
controller’s IP address on the private network to establish the IPSec VPN tunnel.
Figure 23 Remote AP with a Private Network (diagram; labels: Intranet, Corporate Network, Controller's IP Address)

Deployment Scenario 2: The remote AP is on the public network or behind a NAT device and the
controller is on the public network. The remote AP must be configured with the tunnel termination point
which must be a publicly-routable IP address. In this scenario, a routable interface is configured on the
controller in the DMZ. The remote AP uses the controller’s IP address on the public network to establish
the IPSec VPN tunnel.
Figure 24 Remote AP with Controller on Public Network (diagram; labels: Internet, Corporate Network, Controller's IP Address)

Deployment Scenario 3: The remote AP is on the public network or behind a NAT device and the
controller is also behind a NAT device. (Aruba recommends this deployment for remote access.) The
remote AP must be configured with the tunnel termination point, which must be a publicly-routable IP
address. In this scenario, the remote AP uses the public IP address of the corporate firewall. The firewall
forwards traffic to an existing interface on the controller. (The firewall must be configured to pass NAT-T traffic (UDP port 4500) to the controller.)
Figure 25 Remote AP with Controller Behind Firewall (diagram; labels: Internet, Corporate Network, Firewall's IP Address)
In any of the described deployment scenarios, the IPSec VPN tunnel can be terminated on a local controller,
with a master controller located elsewhere in the corporate network (Figure 26). The remote AP must be
able to communicate with the master controller after the IPSec tunnel is established. Make sure that the
L2TP IP pool configured on the local controller (from which the remote AP obtains its address) is reachable
in the network by the master controller.
Figure 26 Remote AP in a Multi-Controller Environment (diagram; labels: Local Controller, Internet, Master Controller, Corporate Network, Firewall's IP Address)
Configuring the Secure Remote Access Point Service
The tasks for configuring an Aruba access point as a Secure Remote Access Point are:

Configure a public IP address for the controller.
You must install one or more AP licenses in the controller. There are several AP licenses available that
support different maximum numbers of APs. The licenses are cumulative; each additional license
installed increases the maximum number of APs supported by the controller.

Configure the VPN server on the controller. The remote AP will be a VPN client to the server.

Provision the AP with IPSec settings, including the username and password for the AP, before you
install it at the remote location.
ArubaOS supports multiple remote AP modes of operation. By default, the remote AP operates in
standard mode. This mode enables the virtual AP when the remote AP connects to the controller. The
information in this section assumes the default mode of operation. For information on remote AP modes
of operation, refer to “Advanced Configuration Options” on page 202.
Configure a Public IP Address for the Controller
The remote AP requires an IP address to which it can connect in order to establish a VPN tunnel to the
controller. This can be either a routable IP address that you configure on the controller, or the address of an
external router or firewall that forwards traffic to the controller. The following procedure describes how to
create a DMZ address on the controller.
Using the WebUI to create a DMZ address
1. Navigate to the Configuration > Network > VLANs page.
2. Click Add to add a VLAN.
3. Enter the VLAN ID.
4. Select the port that belongs to this VLAN.
5. Click Apply.
6. Navigate to the Configuration > Network > IP page.
7. Click Edit for the VLAN you just created.
8. Enter the IP Address and Net Mask fields.
9. Click Apply.
Using CLI
vlan <id>
interface fastethernet <slot>/<port>
switchport access vlan <id>
interface vlan <id>
ip address <ipaddr> <mask>
Configure the NAT Device
Communication between the AP and the controller uses UDP port 4500 (NAT-T). When both the controller
and the AP are behind NAT devices, configure the AP to use the NAT device's public address as its master
address. On the NAT device, enable NAT-T (UDP port 4500 only) and forward all packets that arrive at the
NAT device's public address on UDP port 4500 to the controller, so that the remote AP can boot
successfully.
Configure the VPN Server
This section describes how to configure the IPSec VPN server on the controller. For more details, see
Chapter 17, “Virtual Private Networks” on page 401. The remote AP will be a VPN client that connects to the
VPN server on the controller.
Using the WebUI
1. Navigate to the Configuration > Advanced Services > VPN Services > IPSec page.
2. Select (check) Enable L2TP.
3. Make sure that only PAP (Password Authentication Protocol) is selected for Authentication Protocols.
4. To configure the L2TP IP pool, click Add in the Address Pools section. Configure the L2TP pool from
which the APs will be assigned addresses, then click Done.
The size of the pool should correspond to the maximum number of APs that the controller is licensed to manage.
5. To configure an Internet Security Association and Key Management Protocol (ISAKMP) encrypted
subnet and preshared key, click Add in the IKE Shared Secrets section and configure the preshared
key. Click Done to return to the IPSec page.
6. Click Apply.
Using CLI
vpdn group l2tp
ppp authentication PAP
ip local pool <pool> <start-ipaddr> <end-ipaddr>
crypto isakmp key <key> address <ipaddr> netmask <mask>
CHAP Authentication Support over PPPoE
RAPs can now establish a PPPoE session with a PPPoE server at the ISP side and get authenticated using
the Challenge Handshake Authentication Protocol (CHAP). The PPPoE client running on a RAP is capable
of handling the CHAP authentication requests from the PPPoE server.
The PPPoE client selects either the PAP or the CHAP credentials for the RAP authentication depending upon the
request from the PPPoE server.
You can use the CLI or the WebUI to configure CHAP.
Using the WebUI to configure CHAP
1. Navigate to the Configuration > Wireless > AP Installation page. The list of discovered APs are
displayed on this page.
2. Select the AP you want to configure using CHAP and click Provision button.
3. Enter the CHAP Secret in the text box under Authentication Method.
The CHAP secret can contain any special character except the question mark (?). A space is allowed only when the
secret is enclosed in double quotes (" ").
4. Enter the CHAP Secret again in the Confirm CHAP Secret text box for confirmation.
Figure 27 CHAP Authentication Using CHAP Secret
5. Click Apply and Reboot.
Using the CLI to configure the CHAP
provision-ap pppoe-chap-secret <KEY>
reprovision ap-name <name>
Configure the Remote AP User Role
Once the remote AP has authenticated for the VPN and established an IPSec connection, it is assigned a role.
This is a temporary role, assigned to the AP until it completes the bootstrap process, after which it
inherits the ap-role. The appropriate ACLs need to be enabled to permit traffic from the controller to the AP
and back to facilitate the bootstrap process.
User roles and policies require the PEFNG license. You must install the PEFNG license, as described in Chapter 35,
“Software Licenses” .
To configure the user role, you create a policy that permits the following traffic:

AP control traffic via the Aruba PAPI protocol

GRE tunnel traffic

Layer-2 Tunneling Protocol (L2TP) traffic

TFTP traffic from the remote AP to the controller

FTP traffic from the remote AP to the controller
Then, you create a user role that contains this policy.
Using the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to create a policy.
3. Enter the Policy Name (for example, remote-AP-access).
4. From the Policy Type drop-down list, select IPv4 Session.
5. To create the first rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-papi.
e. Click Add.
6. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-gre.
e. Click Add.
7. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-l2tp.
e. Click Add.
8. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select alias, then select mswitch.
d. For Service, select service, then select svc-tftp.
e. Click Add.
9. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select alias, then select mswitch.
d. For Service, select service, then select svc-ftp.
e. Click Add.
10. Click Apply.
11. Click the User Roles tab.
a. Click Add.
b. Enter the Role Name (for example, RemoteAP).
c. Click Add under Firewall Policies.
d. In the Choose from Configured Policies menu, select the policy you just created.
e. Click Done.
12. Click Apply.
Using CLI
ip access-list session <policy>
any any svc-papi permit
any any svc-gre permit
any any svc-l2tp permit
any alias mswitch svc-tftp permit
any alias mswitch svc-ftp permit
user-role <role>
session-acl <policy>
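The policy above is everything an authenticated but not yet bootstrapped remote AP is allowed to do, so it is worth seeing exactly which flows it lets through. The Python below is an added example, not ArubaOS code: it parses the two session ACLs given in CLI form on this page (the remote-AP-access policy above and the rap_policy from "Configuring Internal Database for Authentication"), evaluates them as an ordered first-match list with an implicit deny for unmatched traffic (an assumption, stated in the code), and compares the two on constructed flows. The protocol/port values behind the svc-* names, the controller address behind the mswitch alias, and the IP addresses used are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed protocol/port for the predefined ArubaOS service names used on the page
# (GRE and ESP are IP protocols 47 and 50 and carry no port).
SERVICES = {"svc-papi": ("udp", 8211), "svc-gre": ("gre", None),
            "svc-l2tp": ("udp", 1701), "svc-tftp": ("udp", 69),
            "svc-ftp": ("tcp", 21), "svc-esp": ("esp", None)}
ALIASES = {"mswitch": [ip_network("192.0.2.10/32")]}  # assumed controller address
IMPLICIT_DEFAULT = "deny"  # assumption: traffic matching no rule is dropped


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src: str       # "any", "alias <name>" or a CIDR
    dst: str
    service: str
    action: str


def parse_policy(cli_text: str) -> List[Rule]:
    """Parse the body of an 'ip access-list session' block into ordered rules."""
    rules = []
    for raw in cli_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "ip":      # blank line or the header line
            continue
        ends = []
        for _ in range(2):                       # source endpoint, then destination
            if tokens[0] == "alias":
                ends.append("alias " + tokens[1])
                tokens = tokens[2:]
            else:
                ends.append(tokens[0])
                tokens = tokens[1:]
        service, action = tokens
        if service not in SERVICES:
            raise ValueError("unknown service " + service)
        rules.append(Rule(ends[0], ends[1], service, action))
    return rules


def _endpoint_matches(spec: str, addr: str) -> bool:
    ip = ip_address(addr)
    if spec == "any":
        return True
    if spec.startswith("alias "):
        return any(ip in net for net in ALIASES[spec.split()[1]])
    return ip in ip_network(spec)


def _service_matches(service: str, flow: Flow) -> bool:
    proto, port = SERVICES[service]
    return flow.proto == proto and (port is None or flow.dport == port)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule decides; otherwise the implicit default applies."""
    for rule in rules:
        if (_endpoint_matches(rule.src, flow.src)
                and _endpoint_matches(rule.dst, flow.dst)
                and _service_matches(rule.service, flow)):
            return rule.action
    return IMPLICIT_DEFAULT


# The two policies exactly as the page's CLI sections give them.
REMOTE_AP_ACCESS = """\
ip access-list session remote-AP-access
any any svc-papi permit
any any svc-gre permit
any any svc-l2tp permit
any alias mswitch svc-tftp permit
any alias mswitch svc-ftp permit
"""
RAP_POLICY = """\
ip access-list session rap_policy
any any svc-papi permit
any any svc-l2tp permit
any any svc-gre permit
any any svc-esp permit
any any svc-tftp permit
any any svc-ftp permit
"""

# Constructed addresses: a RAP, the controller, and an unrelated internal host.
RAP, CONTROLLER, INTERNAL = "198.51.100.20", "192.0.2.10", "10.0.0.5"


def compare_policies(flow: Flow) -> Tuple[str, str]:
    """(verdict under remote-AP-access, verdict under rap_policy) for one flow."""
    return (evaluate(parse_policy(REMOTE_AP_ACCESS), flow),
            evaluate(parse_policy(RAP_POLICY), flow))
```

Run compare_policies on Flow(RAP, INTERNAL, "udp", 69) and the two policies disagree: remote-AP-access denies TFTP to anything but the controller because its rule is scoped to alias mswitch, while rap_policy permits it to any host. Since this role is in force before the AP has bootstrapped, scoping the TFTP and FTP rules to the controller is the version to prefer; an "any any" rule hands whoever holds the AP's IPSec credentials that service against every reachable internal host.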
Configure VPN Authentication
Before you enable VPN authentication, you must configure the authentication server(s) and server group
that the controller will use to validate the remote AP. When you provision the remote AP, you configure
IPSec settings for the AP, including the username and password. This username and password must be
validated by an authentication server before the remote AP is allowed to establish a VPN tunnel to the
controller. The authentication server can be any type of server supported by the controller, including the
controller’s internal database.
For security purposes, Aruba best practice is to assign a unique username and password to each remote AP.
For more information about configuring authentication servers and server groups, refer to Chapter 9,
“Authentication Servers” .
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. In the Profiles list, select the VPN Authentication Profile> default-rap.
3. For Default Role, enter the user role you created previously (for example, RemoteAP).
User roles and policies require the PEFNG and PEFV license. You must install the PEFNG and PEFV license, as
described in Chapter 35, “Software Licenses” .
4. Click Apply.
5. In the Profile list, under VPN Authentication Profile, select Server Group.
6. Select the server group from the drop-down menu.
7. Click Apply.
Using CLI
aaa server-group <group>
auth-server <server>
aaa authentication vpn default-rap
default-role <role>
server-group <group>
Configuring Internal Database for Authentication
You can use the controller’s internal database as an authentication server. To configure the internal
database for a remote AP user, do the following:
1. Configure a public IP address for the controller.
2. Configure the VPN server on the controller.
3. Configure the remote AP user role.
4. Configure VPN authentication using the internal database.
5. Add the user to the internal database.
The information in this section assumes you have configured a public IP address for the controller and the
VPN server. For information about configuring the public IP address, see “Configure a Public IP Address for
the Controller” on page 189. For information about configuring the VPN server, see “Configure the VPN
Server” on page 189.
Using the WebUI
The following procedure illustrates the steps to configure an internal database for a remote AP user. To
configure the user role, you first create a policy that permits the following traffic:

AP control traffic via the Aruba PAPI protocol

GRE tunnel traffic

ESP tunnel traffic

Layer-2 Tunneling Protocol (L2TP) traffic

TFTP traffic

FTP traffic
Then, you create a user role that contains this policy.
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to create a policy.
3. Enter the Policy Name (for example, rap_policy).
4. From the Policy Type drop-down list, select IPv4 Session.
5. To create the first rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-papi.
e. Click Add.
6. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-l2tp.
e. Click Add.
7. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-gre.
e. Click Add.
8. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-esp.
e. Click Add.
9. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-tftp.
e. Click Add.
10. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-ftp.
e. Click Add.
11. Click Apply.
12. Click the User Roles tab.
a. Click Add.
b. Enter the Role Name (for example, rap_role).
c. Click Add under Firewall Policies.
d. In the Choose from Configured Policies menu, select the policy you just created.
e. Click Done.
13. Click Apply.
Configure VPN authentication using the internal database
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. In the Profiles list, select VPN Authentication Profile.
3. For Default Role, enter the user role you created previously (for example, rap_role).
4. Click Apply.
5. In the Profile list, under VPN Authentication Profile, select Server Group.
6. Select the internal server group from the drop-down menu.
7. Click Apply.
Add the user to the internal database
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click Add User in the Users section. The user configuration page displays.
4. Enter the user name and password.
5. Click Enabled to activate this entry on creation.
6. Click Apply to apply the configuration. Note that the configuration does not take effect until you
perform this step.
7. At the Servers page, click Apply.
Using CLI to configure the internal DB for a RAP user
ip access-list session rap_policy
any any svc-papi permit
any any svc-l2tp permit
any any svc-gre permit
any any svc-esp permit
any any svc-tftp permit
any any svc-ftp permit
user-role rap_role
session-acl rap_policy
Configure VPN authentication using the internal database:
aaa authentication vpn
default-role rap_role
server-group internal
Add the user to the internal database:
local-userdb add username rapuser1 password <password>
Provision the AP
You need to configure the VPN client settings on the AP to instruct the AP to use IPSec to connect to the
controller. You can either provision the remote AP yourself before giving it to users, or allow remote users to
provision the AP at home. See Appendix H, “Provisioning RAP at Home” for more information about provisioning a
remote AP at home.
You must provision the AP before you install it at its remote location. To provision the AP, the AP must be
physically connected to the local network or directly connected to the controller. When connected and
powered on, the AP must also be able to obtain an IP address from a DHCP server on the local network or
from the controller.
If your configuration has an internal LMS IP address, remote APs may attempt to switch over to the LMS IP
address, which is not reachable from the Internet. For remote APs, ensure that the LMS IP address in the AP
system profile for the AP group has an externally routable IP address.
Reprovisioning the AP causes it to automatically reboot. The easiest way to provision an AP is to use the
Provisioning page in the WebUI, as described in the following steps:
1. Navigate to the Configuration > Wireless > AP Installation > Provisioning page. Select the remote
AP and click Provision.
2. Under Authentication Method, select IPSec Parameters. Enter the Internet Key Exchange (IKE) PreShared Key (PSK), username, and password.
The username and password you enter must match the username and password configured on the authentication
server for the remote AP
3. Under Master Discovery, set the Master IP Address according to the deployment scenario:
Deployment Scenario   Master IP Address Value
Deployment 1          Controller IP address
Deployment 2          Controller public IP address
Deployment 3          Public address of the NAT device to which the controller is connected
4. Under IP Settings, make sure that Obtain IP Address Using DHCP is selected.
5. Click Apply and Reboot.
Creating a Remote AP Whitelist
The remote AP whitelist is the list of approved APs that can be provisioned on your controller. To create a
remote AP whitelist:
1. Navigate to Configuration > AP Installation (under Wireless) and then click the RAP Whitelist tab
on the right side.
2. Click the New button and provide the following details:

AP MAC Address—Mandatory parameter. Enter the MAC address of the AP.

Username—Enter a username that will be used when the AP is provisioned.

AP Group—Select a group to add the AP.

AP Name—Enter a name for the AP. If an AP name is not entered, the MAC address will be used
instead.

Description—Enter a text description for the AP

IP-Address—Enter an IP address for the AP.
3. Click the Add button to add the remote AP to the whitelist.
Revoking an AP
In some cases, if an AP in the whitelist is retired from active usage, you can set the AP as revoked. This
option restricts the AP from connecting to your controller. To revoke a remote AP:
1. Select an AP from the whitelist by selecting the checkbox.
2. Click the Modify button.
3. Select the checkbox under the Revoked column.
4. Click the Update button.
Deploying a Branch Office/Home Office Solution
In a branch office, the AP is deployed in a separate IP network from the corporate network. Typically, there
are one or two NAT devices between the two networks. Branch office users need access to corporate
resources like printers and servers but traffic to and from these resources must not impact the corporate
head office.
Figure 28 is a graphic representation of a remote AP in a branch or home office with a single controller
providing access to both a corporate WLAN and a branch office WLAN.
Figure 28 Remote AP with Single Controller
Branch office users want continued operation of the branch office WLAN even if the link to the corporate
network goes down. The branch office AP solves these requirements by providing the following capabilities
on the branch office WLAN:
• Local termination of 802.11 management frames, which provides survivability of the branch office
WLAN.
• All 802.1x authenticator functionality is implemented in the AP. The controller is used as a RADIUS
pass-through when the authenticator has to communicate with a RADIUS server (which also supports
survivability).
• 802.11 encryption/decryption is in the AP to provide access to local resources.
• Local bridging of client traffic connected to the WLAN or to an AP 70 enet1 port to provide access to
local resources.
Configuring the branch office AP
• Specify forward mode for the Extended Service Set Identifier (ESSID) in the virtual AP profile
• Specify remote AP operation in the virtual AP profile (by default, the remote AP operates in standard
mode)
• Set how long the AP stays up after connectivity to the controller has gone down in the SSID profile
• Set the VLAN ID in the virtual AP profile
• Set the native VLAN ID in the AP system profile
• Set forward mode for the enet1 port
Remote APs support 802.1q VLAN tagging. Data from the remote AP will be tagged on the wired side.
Troubleshooting Remote AP
The following WebUI options are available to troubleshoot issues with a remote AP:
• Using the local debugging feature
• Viewing the remote AP summary report
• Viewing the remote AP connectivity report
• Using the remote AP diagnostic options
Local Debugging
Local Debugging is a WebUI feature that allows end users to perform diagnostics and view the status of
their remote AP through a wired or wireless client. This feature is useful for troubleshooting connectivity
problems on a remote AP and for performing throughput tests. There are three tabs in the Local Debugging
WebUI window, Summary, Connectivity and Diagnostics. Each tab displays different information for the
AP, but all three tabs include a Generate & save support file link that, when clicked, will automatically
generate a support.tgz file that can be sent to a corporate IT department for additional analysis and
debugging.
Remote AP Summary
The Summary tab has two views: basic and advanced. Click the basic or advanced links at the top of this
tab to toggle between the two views. The table below shows the information displayed for both the basic
and advanced views of the Summary tab.
Table 38 RAP Console Summary Tab Information
Wired Ports Status
Basic view:
• Port: Port numbers of the wired ports on the AP.
• Status: Current status of each port (Connected, Link Down or Disabled).
Advanced view (the Wired Access Ports table displays the following data):
• Port: Port numbers of the wired ports on the AP.
• Status: Current status of each port (Connected, Link Down or Disabled).
• MAC Address: MAC address of the wired port.
• Speed: Speed of the link.
• Duplex Type: Duplex mode of the link, full or half.
• Forwarding mode: Forwarding mode for the port: Bridge, Tunnel or Split Tunnel.
• Users: Number of users accessing each port.
• Rx Packets: Number of packets received on the port.
• Tx packets: Number of packets transmitted via the port.
Wireless SSIDs
Basic view:
• SSID: Name of the SSID.
• Status: SSID Status (up, down, or disabled).
• Band: Radio band available on the SSID.
Advanced view:
• SSID: Name of the SSID.
• Status: SSID Status (up, down, or disabled).
• Band: Radio band available on the SSID.
• Channel: Channel used on the radio band.
• BSSID: BSSID of the wireless SSID.
• Forwarding Mode: Forwarding mode used by the Wireless SSID (Bridge, Tunnel or Split-Tunnel).
• EIRP: Equivalent Isotropic Radiated Power, in dBm.
• Noise floor: The residual background noise detected by an AP. Noise seen by an AP is reported as -dBm. Therefore, a noise floor of -100 dBm is smaller (lower) than a noise floor of -50 dBm.
• Users: Number of users on the radio band.
• Rx Packets: Number of packets received on the BSSID.
• Tx packets: Number of packets transmitted via the BSSID.
Wired Users
Basic view:
• MAC Address: MAC address of the wired user.
• IP address: IP address of the wired user.
Advanced view:
• MAC Address: MAC address of the wired user.
• IP address: IP address of the wired user.
• Port: AP port used by the wired user.
Wireless User
Basic view:
• MAC Address: MAC address of the wireless user.
• IP address: IP address of the wireless user.
Advanced view:
• MAC Address: MAC address of the wireless user.
• IP address: IP address of the wireless user.
• SSID: Name of the SSID.
• BSSID: BSSID of the wireless user.
• Assoc State: Shows if the user is associated or just authorized.
• Auth: Type of authentication: WPA, 802.1x, none, open, or shared.
• Encryption: Encryption type used by the wireless user.
• Band: Radio band used by the wireless client.
• RSSI: The Receive Signal Strength Indicator (RSSI) value displayed here represents signal strength as a signal to noise ratio.
Device Info
Basic view: N/A
Advanced view:
• Type: AP device/model type.
• Name: Name assigned to the AP.
• Wired MAC address: MAC address of the wired port.
• Serial #: AP serial number.
• Tunnel IP address: IP address of the tunnel between the AP and controller.
• Software Version: Software version currently running on the AP.
• Uptime: Amount of time the AP has been active since it was last reset.
• Master: IP address of the master controller.
• lms: IP address of the local controller.
Uplink Info
Basic view: N/A
Advanced view: The Uplink Info table can display some or all of the following information for your remote AP, depending upon whether a link is active and the number of links supported by the AP.
• Active uplink information, including: interface name, port speed, IP address.
• Standby link information, including: name (3G), device connected (yes/no), provisioned (yes/no), IP address, device, user, password.
Multihoming on remote AP (RAP)
A RAP can use an Ethernet link or a USB-based modem as its uplink. These uplinks can be used as a backup link if
the primary link fails. The uplink becomes active based on the order of priority configured on the RAP.
The RAP switches back to the primary link when the primary connection is restored.
For information on provisioning the RAP using the USB-based modem, see Appendix H, “Provisioning RAP at Home” on
page 849.
Seamless failover from backup link to primary link on RAP
RAPs can failover from a backup link to a primary link without much disruption to traffic. Also the failover
is performed only if the controller is reachable via the primary link.
Remote AP Connectivity
The information shown on the Connectivity tab will vary, depending upon the current status of the remote
AP. If a remote AP has been successfully provisioned and connected, it should display some or all of the
information in Table 39.
Table 39 RAP Console Connectivity Tab Information
Uplink status: Shows whether the link is connected or has failed. If the link is connected, the Uplink status
also displays the name of the interface.
IP Information: If the AP has successfully received an IP address, this data row shows the
AP’s IP address, subnet mask, and gateway IP address.
Gateway Connectivity: If successful, this item also shows the percentage of packet loss for data
received from the gateway.
TPM Certificates: If successful, the AP has a Trusted Platform Module (TPM) certificate.
Master Connectivity: Shows if the AP was able to connect to the master controller. This item also
shows the IP address to which the AP attempted to connect, and, if the AP did
connect successfully, the link that was used to connect to that controller.
LMS Connectivity: Shows if the AP was able to connect to a local controller. This item also shows
the IP address to which the AP attempted to connect, and, if the AP did
connect successfully, the link that was used to connect to that controller.
The top of the Connectivity tab has a Refresh link that allows users to refresh the data on their screen.
Additional information at the bottom of this tab shows the date, time and reason the remote AP last
rebooted. The Reboot RAP Now button reboots the remote AP.
Remote AP Diagnostics
Use the Diagnostics tab to view log files, or run diagnostic tests that can help the IT department
troubleshoot errors. The Reboot AP Now button at the bottom of the Diagnostics window reboots the
remote AP.
To run a diagnostic test on a remote AP:
1. Access the RAP console, and click the Diagnostics tab.
2. Click the Test drop-down list and select Ping, Traceroute, NSLookup or Throughput.
The ping and traceroute tests require that you enter a network destination in the form of an IP address
or fully-qualified domain name, and select either bridge or tunnel mode for the test. The NSLookup
diagnostic test requires that you enter a destination only. The throughput test checks the throughput of
the link between the AP and the controller, and does not require any additional test configuration
settings.
3. Click OK to start the test. The results of the test will appear in the Diagnostics window.
To display log files in a separate browser window, click the logs drop-down list at the upper right corner of
the Diagnostics window, and select a log file name. The log files available will vary,
depending upon your remote AP configuration.
Enabling Double Encryption
The double encryption feature applies only for traffic to and from a wireless client that is connected to a
tunneled SSID. When this feature is enabled, all traffic (which is already encrypted using Layer-2
encryption) is re-encrypted in the IPSec tunnel. When this feature is disabled, the wireless frame is only
encapsulated inside the IPSec tunnel.
All other types of data traffic between the controller and the AP (wired traffic and traffic from a split-tunneled SSID) are always encrypted in the IPSec tunnel.
Using the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration > AP Specific page. Click Edit for
the remote AP.
2. Under Profiles, select AP, then select AP system profile.
3. Under Profile Details, select the AP system profile for this AP from the drop-down menu. Select Double
Encrypt. Click Apply.
Using CLI
ap system-profile <profile>
double-encrypt
ap-name <name>
ap-system-profile <profile>
Aruba recommends that double-encryption not be turned on for inter-device communication over untrusted
networks, as doing so is redundant and adds significant processing overhead for APs.
Advanced Configuration Options
This section describes the following features designed to enhance your remote AP configuration:
• “Understanding Remote AP Modes of Operation” on page 202
• “Fallback Mode” on page 204
• “DNS Controller Setting” on page 212
• “Backup Controller List” on page 213
• “Remote AP Failback” on page 214
• “Access Control Lists and Firewall Policies” on page 2161
• “Split Tunneling” on page 216
• “Wi-Fi Multimedia” on page 222
The information in this section assumes you have already configured the remote AP functionality, as described in
“Configuring the Secure Remote Access Point Service” on page 188.
Understanding Remote AP Modes of Operation
Table 40 summarizes the different remote AP modes of operation. You specify both the forward mode
setting (which controls whether 802.11 frames are tunneled to the controller using GRE, bridged to the local
Ethernet LAN, or a combination thereof) and the remote AP mode of operation (when the virtual AP
operates on a remote AP) in the virtual AP profile.
The column on the left of the table lists the remote AP operation settings. The row across the top of the
table lists the forward mode settings. To understand how these settings work in concert, scan the desired
remote AP operation with the forward mode setting and read the information in the appropriate table cell.
The “all” column and row lists features that all remote AP operation and forward mode settings have in
common regardless of other settings. For example, at the intersection of “all” and “bridge,” the description
outlines what happens in bridge mode regardless of the remote AP mode of operation.
802.1x and PSK authentication is supported when you configure the remote AP to operate in bridge or split-tunnel
mode.
Table 40 Remote AP Modes of Operation and Behavior
(Each entry below is one remote AP operation setting; the items under it are the forward mode settings.)
Remote AP operation setting: all
• Forward mode bridge: Management frames on AP. Frames are bridged between wired and wireless interfaces. No frames are tunneled to the controller. Station acquires its IP address locally from an external DHCP server.
• Forward mode split-tunnel: Management frames on AP. Frames are either GRE tunneled to the controller to a trusted tunnel or NATed and bridged on the wired interface according to user role and session ACL. Typically, the station obtains an IP address from a VLAN on the controller. Typically, the AP has ACLs that forward corporate traffic through the tunnel and source NAT the non-corporate traffic to the Internet.
• Forward mode tunnel: Frames are GRE tunneled to the controller to an untrusted tunnel. 100% of station frames are tunneled to the controller.
• Forward mode decrypt-tunnel: Management frames on AP. Frames are always GRE tunneled to the controller.
Remote AP operation setting: always
• Forward mode all: ESSID is always up when the AP is up, regardless of whether the controller is reachable. Supports PSK ESSID only. SSID configuration stored in flash on AP.
• Forward mode bridge: Provides an SSID that is always available for local access.
• Forward mode split-tunnel: Not supported
• Forward mode tunnel: Not supported
• Forward mode decrypt-tunnel: Not supported
Remote AP operation setting: backup
• Forward mode all: ESSID is only up when the controller is unreachable. Supports PSK ESSID only. SSID configuration stored in flash on AP.
• Forward mode bridge: Provides a backup SSID for local access only when the controller is unreachable.
• Forward mode split-tunnel: Not supported
• Forward mode tunnel: Not supported
• Forward mode decrypt-tunnel: Not supported
Remote AP operation setting: persistent
• Forward mode all: ESSID is up when the AP contacts the controller and stays up if connectivity with the controller is disrupted. SSID configuration obtained from the controller. Designed for 802.1x SSIDs.
• Forward mode bridge: Same behavior as standard, described below, except the ESSID stays up if connectivity to the controller is lost.
• Forward mode split-tunnel: Not supported
• Forward mode tunnel: Not supported
• Forward mode decrypt-tunnel: Not supported
Remote AP operation setting: standard
• Forward mode all: ESSID is up only when there is connectivity with the controller. SSID configuration obtained from the controller. Behaves like a classic Aruba branch office AP.
• Forward mode bridge: Provides a bridged ESSID that is configured from the controller and stays up if there is controller connectivity.
• Forward mode split-tunnel: Split tunneling mode.
• Forward mode tunnel: Classic Aruba thin AP operation.
• Forward mode decrypt-tunnel: Decrypt tunnel mode.
Fallback Mode
The fallback mode (also known as backup configuration) operates the remote AP if the master controller
or the configured primary and backup LMS are unreachable. The remote AP saves configuration
information that allows it to operate autonomously using one or more SSIDs in local bridging mode while
supporting open association or encryption with PSKs. You can also use the backup configuration if you
experience network connectivity issues, such as when the WAN link or the central data center becomes
unavailable. With the backup configuration, the remote site does not go down if the WAN link fails or the
data center is unavailable.
You define the backup configuration in the virtual AP profile on the controller. The remote AP checks for
configuration updates each time it establishes a connection with the controller. If the remote AP detects a
change, it downloads the configuration changes.
The following remote AP backup configuration options define when the SSID is advertised (refer to Table
40 for more information):
• Always—Permanently enables the virtual AP. Recommended for bridge SSIDs.
• Backup—Enables the virtual AP if the remote AP cannot connect to the controller. This SSID is
advertised until the controller is reachable. Recommended for bridge SSIDs.
• Persistent—Permanently enables the virtual AP after the remote AP initially connects to the controller.
Recommended for 802.1x SSIDs.
• Standard—Enables the virtual AP when the remote AP connects to the controller. Recommended for
802.1x, tunneled, and split-tunneled SSIDs. This is the default behavior.
While using the backup configuration, the remote AP periodically retries its IPSec tunnel to the controller.
If you configure the remote AP in backup mode, and a connection to the controller is re-established, the
remote AP stops using the backup configuration and immediately brings up the standard remote AP
configuration. If you configure the remote AP in always or persistent mode, the backup configuration
remains active after the IPSec tunnel to the controller has been re-established.
Backup Configuration Behavior for Wired Ports
If the connection between the remote AP and the controller is disconnected, the remote AP will exhibit the
following behavior:
• All access ports on the remote AP, irrespective of their original forwarding mode, will be moved to bridge
forwarding mode.
• Clients will receive an IP address from the remote AP's DHCP server.
• Clients will have complete access to the remote AP's uplink network. You cannot enforce or modify any
access control policies on the clients connected in this mode.
This section describes the following topics:
• “Configuring the fallback mode” on page 205
• “Configuring the DHCP Server on the Remote AP” on page 207
• “Advanced Backup Configuration Options” on page 209
Configuring the fallback mode
To configure the fallback mode, you must:
• Configure the AAA profile.
• Configure the virtual AP profile.
Using WebUI to configure the AAA profile
The AAA profile defines the authentication method and the default user role for unauthenticated users.
802.1x and PSK authentication is supported when configuring bridge or split tunnel mode.
1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary
list, click Add.
2. Enter the AAA profile name, then click Add.
3. Select the AAA profile that you just created:
a. For Initial role, select the appropriate role (for example, “logon”).
b. For 802.1X Authentication Default Role, select the appropriate role (for example, “default”), then
click Apply.
c. Under the AAA profile that you created, locate 802.1x Authentication Server Group, and select the
authentication server group to use (for example “default”), then click Apply.
If you need to create an 802.1x authentication server group, select new from the 802.1X Authentication Server Group
drop-down list, and enter the appropriate parameters.
d. Under the AAA profile that you created, locate 802.1X Authentication Profile, and select the profile to
use (for example, “default”), then click Apply.
If you need to create an 802.1x authentication profile, select new from the 802.1X Authentication Profile drop-down
list, and enter the appropriate parameters.
Using CLI
aaa profile <name>
initial-role <role>
authentication-dot1x <dot1x-profile>
dot1x-default-role <role>
dot1x-server-group <group>
Using the WebUI to configure virtual AP profile
To configure the virtual AP profile:
• Set the remote AP operation to “always,” “backup,” or “persistent.”
• Create and apply the applicable SSID profile.
The SSID profile for the backup configuration in always, backup, or persistent mode must be a bridge
SSID. When configuring the virtual AP profile, specify forward mode as “bridge.”
The SSID profile for the backup configuration in standard mode can be a bridge, tunnel, or split
tunnel SSID. When configuring the virtual AP profile, specify forward mode as “bridge,” “tunnel,” or
“split tunnel.”
When creating a new virtual AP profile in the WebUI, you can also configure the SSID at the same time. For
information about AP profiles, see “AP Configuration Profiles” on page 114.
1. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or
AP Specific tab. Click Edit for the AP group or AP name.
2. Under Profiles, select Wireless LAN, then Virtual AP.
3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu.
Enter the name for the virtual AP profile, and click Add.
Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID
profile with the default ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you
apply the profile.
a. In the Profile Details entry for the new virtual AP profile, go to the AAA Profile drop-down list and
select the previously configured AAA profile (for example, “logon”). The AAA Profile pop-up window
appears.
b. To set the AAA profile and close the pop-up window, click Apply.
c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. The SSID Profile pop-up window displays to allow you to configure the SSID profile.
d. Enter the name for the SSID profile (for example, “backup”).
e. Under Network, enter a name in the Network Name (SSID) field (for example, “backup-psk”).
f. Under Security, select the network authentication and encryption methods (for example, wpa-psk-tkip, with the passphrase “remote123”).
g. To set the SSID profile and close the pop-up window, click Apply.
4. At the bottom of the Profile Details window, click Apply.
5. Click the new virtual AP name in the Profiles list or the Profile Details to display configuration
parameters.
6. Under Profile Details, do the following:
a. Make sure Virtual AP enable is selected.
b. From the VLAN drop-down menu, select the VLAN ID to use for the virtual AP profile.
c. From the Forward mode drop-down menu, select bridge.
d. From the Remote-AP Operation drop-down menu, select always, backup, or persistent. The
default is standard. Click Apply.
Using CLI
wlan ssid-profile <profile>
essid <name>
opmode <method>
wpa-passphrase <string> (if necessary)
wlan virtual-ap <name>
ssid-profile <profile>
vlan <vlan>
forward-mode bridge
aaa-profile <name>
rap-operation {always|backup|persistent}
ap-group <name>
virtual-ap <name>
or
ap-name <name>
virtual-ap <name>
Configuring the DHCP Server on the Remote AP
You can configure the internal DHCP server on the remote AP to provide an IP address for the “backup”
SSID if the controller is unreachable. If configured, the remote AP DHCP server intercepts all DHCP
requests and assigns an IP address from the configured DHCP pool.
To configure the remote AP DHCP server:
• Enter the VLAN ID for the remote AP DHCP VLAN in the AP system profile. This VLAN enables the
DHCP server on the AP (also known as the remote AP DHCP server VLAN). If you enter the native VLAN
ID, the DHCP server is not configured and is unavailable.
• Specify the DHCP IP address pool and netmask. By default, the AP assigns IP addresses from the DHCP
pool 192.168.11.0/24, with an IP address range from 192.168.11.2 through 192.168.11.254. You can
manually define the DHCP IP address pool and netmask based on your network design and IP address
scheme.
• Specify the IP address of the DHCP server, DHCP router, and the DHCP DNS server. By default, the AP
uses IP address 192.168.11.1 for the DHCP server, the DHCP router and the DHCP DNS server.
• Enter the number of days the assigned IP address is valid (also known as the remote AP DHCP lease). By
default, the lease does not expire, which means the IP address is always valid.
• Assign the VLAN ID for the remote AP DHCP VLAN to a virtual AP profile. When a client connects to that
virtual AP profile, the AP assigns the IP address from the DHCP pool.
The following is a high-level description of the steps required to configure the DHCP server on the remote AP. The
steps assume you have already created the virtual AP profile, AAA profile, SSID profile, and other settings for your
remote AP operation (for information about the backup configuration, see “Configuring the fallback mode” on
page 205).
Using the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP to display the AP profiles.
4. Select the AP system profile you want to modify.
5. Under Profile Details:
a. At the LMS IP field, enter the LMS IP address.
b. At the Master controller IP address field, enter the master controller IP address.
c. At the Remote-AP DHCP Server VLAN field, enter the VLAN ID of the backup configuration virtual
AP VLAN.
d. At the Remote-AP DHCP Server ID field, enter the IP address for the DHCP server.
e. At the Remote-AP DHCP Default Router field, enter the IP address for the default DHCP router.
f. At the Remote-AP DHCP DNS Server list, enter an IP address in the field to the right and click Add.
You can add multiple IP addresses the same way. To delete an IP address, select an IP address from
the list and click Delete.
g. Specify the DHCP IP address pool. This configures the pool of IP addresses from which the remote
AP assigns IP addresses.
—At the Remote-AP DHCP Pool Start field, enter the first IP address of the pool.
—At the Remote-AP-DHCP Pool End field, enter the last IP address of the pool.
—At the Remote-AP-DHCP Pool Netmask field, enter the netmask.
h. At the Remote-AP DHCP Lease Time field, specify the amount of time the IP address is valid.
6. Click Apply.
7. Under Profiles, select Wireless LAN, then Virtual AP, then the virtual AP profile you want to
configure.
8. Under Profile Details, at the VLAN drop-list, select the VLAN ID of the remote AP DHCP VLAN, click the
left arrow to move the VLAN ID to the VLAN field, and click Apply.
Using CLI
ap system-profile <name>
lms-ip <ipaddr>
master-ip <ipaddr>
rap-dhcp-default-router <ipaddr>
rap-dhcp-dns-server <ipaddr>
rap-dhcp-lease <days>
rap-dhcp-pool-end <ipaddr>
rap-dhcp-pool-netmask <netmask>
rap-dhcp-pool-start <ipaddr>
rap-dhcp-server-id <ipaddr>
rap-dhcp-server-vlan <vlan>
wlan virtual-ap <name>
ssid-profile <profile>
vlan <vlan>
forward-mode bridge
aaa-profile <name>
rap-operation {always|backup|persistent}
ap-group <name>
ap-system-profile <name>
virtual-ap <name>
or
ap-name <name>
ap-system-profile <name>
virtual-ap <name>
Advanced Backup Configuration Options
You can also use the backup configuration (fallback mode) to allow the remote AP to pass through a
captive portal, such as network access in a hotel, airport, or other public network, to access the corporate
network. For this scenario:
• Define a session ACL for the bridge SSID to source NAT all user traffic, except DHCP. For example, use
any any svc-dhcp permit followed by any any any route src-nat. Apply the session ACL to a remote
AP user role.
• Configure the AAA profile. Make sure the initial role contains the session ACL previously configured.
The AAA profile defines the authentication method and the default user role.
802.1x and PSK authentication is supported when configuring bridge or split tunnel mode.
• Configure the virtual AP profile for the backup configuration.
  • Set the remote AP operation to “always” or “backup.”
  • Create and apply the applicable SSID profile.
  • Configure a bridge SSID for the backup configuration. In the virtual AP profile, specify forward mode
as “bridge.”
For more information about the backup configuration, see “Configuring the fallback mode” on page 205.
• Enter the remote AP DHCP server parameters in the AP system profile. For more information about the
parameters, see “Configuring the DHCP Server on the Remote AP” on page 207.
If you use a local DHCP server to obtain IP addresses, you must define one additional ACL to permit
traffic between clients without source NATing the traffic. Using the previously configured ACL, add
user alias internal-network any permit before any any any route src-nat.
• Connect the remote AP to the available public network (for example, a hotel or airport network).
The remote AP advertises the backup SSID so the wireless client can connect and obtain an IP address
from the available DHCP server.
The client can obtain an IP address from the public network, for example a hotel or airport, or from the DHCP server
on the remote AP.
After obtaining an IP address, the wireless client can connect and access the corporate network and
bring up the configured corporate SSIDs.
The following is a high-level description of what is needed to configure the remote AP to pass through a
captive portal and access the corporate controller. This information assumes you are familiar with
configuring session ACLs, AAA profiles, virtual APs, and AP system profiles and highlights the modified
parameters.
Using the WebUI to configure the session ACL
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to create a new policy.
3. Enter the policy name in the Policy Name field.
4. From the Policy Type drop-down list, select IPv4 Session.
5. To create the first rule:
a. Under Rules, click Add.
b. Under Source, select any.
c. Under Destination, select any.
d. Under Service, select service. In the service drop-down list, select svc-dhcp.
e. Under Action, select permit.
f. Click Add.
6. To create the next rule:
a. Under Rules, click Add.
b. Under Source, select any.
c. Under Destination, select any.
d. Under Service, select any.
e. Under Action, select route, and select the src-nat checkbox.
f. Click Add.
7. Click Apply.
If you use a local DHCP server to obtain IP addresses, you must define one additional ACL to permit traffic between
clients without source NATing the traffic. Add user alias internal-network any permit before any any any route src-nat.
8. Click the User Roles tab.
a. Click Add.
b. Enter the Role Name.
c. Click Add under Firewall Policies.
d. In the Choose from Configured Policies menu, select the policy you just created.
e. Click Done.
Using the WebUI to configure the AAA profile
1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary
list, click Add.
2. Enter the AAA profile name, then click Add.
3. Select the AAA profile that you just created:
a. For Initial role, select the user role you just created.
b. For 802.1X Authentication Default Role, select the appropriate role for your remote AP
configuration, then click Apply.
c. Under the AAA profile that you created, locate 802.1x Authentication Server Group, and select the
authentication server group to use for your remote AP configuration, then click Apply.
If you need to create an 802.1x authentication server group, select new from the 802.1X Authentication Server
Group drop-down list, and enter the appropriate parameters.
d. Under the AAA profile that you created, locate 802.1X Authentication Profile, and select the profile to
use for your remote AP configuration, then click Apply.
Using the WebUI to define the backup configuration
1. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or
AP Specific tab. Click Edit for the AP group or AP name.
2. Under Profiles, select Wireless LAN, then Virtual AP.
3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu.
Enter the name for the virtual AP profile, and click Add.
Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID
profile with the default ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you
apply the profile.
a. In the Profile Details entry for the new virtual AP profile, go to the AAA Profile drop-down list and
select the previously configured AAA profile. The AAA Profile pop-up window appears.
b. To set the AAA profile and close the pop-up window, click Apply.
c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. The SSID Profile pop-up window displays to allow you to configure the SSID profile.
d. Enter the name for the SSID profile.
e. Under Network, enter a name in the Network Name (SSID) field.
f. Under Security, select the network authentication and encryption methods.
g. To set the SSID profile and close the pop-up window, click Apply.
4. At the bottom of the Profile Details window, click Apply.
5. Click the new virtual AP name in the Profiles list or the Profile Details to display configuration
parameters.
6. Under Profile Details, do the following:
a. Make sure Virtual AP enable is selected.
b. From the VLAN drop-down menu, select the VLAN ID to use for the Virtual AP profile.
c. From the Forward mode drop-down menu, select bridge.
d. From the Remote-AP Operation drop-down menu, select always or backup.
e. Click Apply.
7. Under Profiles, select AP, then AP system profile.
8. Under Profile Details, do the following:
a. Select the AP system profile to edit.
b. At the LMS IP field, enter the LMS IP address.
c. At the Master controller IP address field, enter the master controller IP address.
d. Configure the Remote-AP DHCP Server fields.
e. Click Apply.
Using the CLI to configure the session ACL
ip access-list session <policy>
any any svc-dhcp permit
any any any route src-nat
If you use a local DHCP server to obtain IP addresses, you must define one additional ACL to permit traffic
between clients without source NATing the traffic. Add user alias internal-network any permit before
any any any route src-nat.
user-role <role>
session-acl <policy>
Using the CLI to configure the AAA profile
aaa profile <name>
initial-role <role>
You can define other parameters as needed.
Using the CLI to define the backup configuration
wlan ssid-profile <profile>
essid <name>
opmode <method>
wpa-passphrase <string> (if necessary)
wlan virtual-ap <name>
ssid-profile <profile>
vlan <vlan>
forward-mode bridge
aaa-profile <name>
rap-operation {always|backup}
ap system-profile <name>
lms-ip <ipaddr>
master-ip <ipaddr>
rap-dhcp-default-router <ipaddr>
rap-dhcp-dns-server <ipaddr>
rap-dhcp-lease <days>
rap-dhcp-pool-end <ipaddr>
rap-dhcp-pool-netmask <netmask>
rap-dhcp-pool-start <ipaddr>
rap-dhcp-server-id <ipaddr>
rap-dhcp-server-vlan <vlan>
ap-group <name>
virtual-ap <name>
ap-system-profile <name>
or
ap-name <name>
virtual-ap <name>
ap-system-profile <name>
DNS Controller Setting
In addition to specifying IP addresses for controllers, you can also specify the master DNS name for the
controller when provisioning the remote AP. The name must be resolved to an IP address when attempting
to set up the IPSec tunnel. For information on how to configure a host name entry on the DNS server, refer
to the vendor documentation for your server. Aruba recommends using a maximum of 8 IP addresses to
resolve a controller name.
If the remote AP gets multiple IP addresses responding to a host name lookup, the remote AP can use one of
them to establish a connection to the controller. For more detailed information, see the next section
“Backup Controller List” on page 213.
Specifying the name also lets you move or change remote AP concentrators without reprovisioning your
APs. For example, in a DNS load-balancing model, the host name resolves to a different IP address
depending on the location of the user. This allows the remote AP to contact the controller to which it is
geographically closest.
The DNS setting is part of provisioning the AP. The easiest way to provision an AP is to use the Provisioning
page in the WebUI. These instructions assume you are only modifying the controller information in the
Master Discovery section of the Provision page.
Reprovisioning the AP causes it to automatically reboot.
Specify the DNS name using the WebUI
1. Navigate to the Configuration > Wireless > AP Installation > Provisioning page. Select the remote
AP and click Provision.
2. Under Master Discovery enter the master DNS name of the controller.
3. Click Apply and Reboot.
For more information, see “Provision the AP” on page 195.
Backup Controller List
Using DNS, the remote AP receives multiple IP addresses in response to a host name lookup. This list is
known as the backup controller list; remote APs go through it to associate with a controller. If the primary
controller is unavailable or does not respond, the remote AP continues through the list until it finds an
available controller. This provides redundancy and failover protection.
If the remote AP loses connectivity on the IPSec tunnel to the controller, the remote AP establishes
connectivity with a backup controller from the list and automatically reboots. Network connectivity is lost
during this time. As described in the section “Remote AP Failback” on page 214, you can also configure a
remote AP to revert back to the primary controller when it becomes available. To complete this scenario,
you must also configure the LMS IP address and the backup LMS IP address.
For example, assume you have two data centers, data center 1 and data center 2, and each data center has
one master controller in the DMZ. You can provision the remote APs to use the controller in data center 1 as
the primary controller, and the controller in data center 2 as the backup controller. If the remote AP loses
connectivity to the primary, it will attempt to establish connectivity to the backup. You define the LMS
parameters in the AP system profile.
Figure 29 Sample Backup Controller Scenario (data center 1, remote office, data center 2)
Configuring the LMS and backup LMS IP addresses using WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP to display the AP profiles.
4. Select the AP system profile you want to modify.
5. Under Profile Details:
a. At the LMS IP field, enter the primary controller IP address.
b. At the Backup LMS IP field, enter the backup controller IP address.
6. Click Apply.
Configuring the LMS and backup LMS IP addresses using CLI
ap system-profile <profile>
lms-ip <ipaddr>
bkup-lms-ip <ipaddr>
ap-group <group>
ap-system-profile <profile>
ap-name <name>
ap-system-profile <profile>
Remote AP Failback
In conjunction with the backup controller list, you can configure remote APs to revert back (failback) to the
primary controller if it becomes available. If you do not explicitly configure this behavior, the remote AP
will keep its connection with the backup controller until the remote AP, controller, or both have rebooted
or some type of network failure occurs. If any of these events occur, the remote AP will go through the
backup controller list and attempt to connect with the primary controller.
Using the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP to display the AP profiles.
4. Select the AP system profile you want to modify.
5. Under Profile Details:
a. Click (select) LMS Preemption. This is disabled by default.
b. At the LMS Hold-down period field, enter the amount of time the remote AP must wait before
moving back to the primary controller.
6. Click Apply.
Using the CLI
ap system-profile <profile>
lms-preemption
lms-hold-down period <seconds>
RAP Local Network Access
You can enable local network access between the clients (from same or different subnets and VLANs)
connected to a RAP through wired or wireless interfaces in split-tunnel/bridge forwarding modes. This
allows the clients to effectively communicate with each other without routing the traffic via the controller.
You can use CLI or the WebUI to enable the local network access.
Using the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select the AP Group tab. Click Edit for the AP group or AP name.
3. Under Profiles, expand the AP menu, then select AP system profile.
4. To enable remote network access, select the Remote-AP Local Network Access check box.
Figure 30 Enable Remote AP Local Network Access
5. Click Apply.
Using CLI

To enable, enter:
ap system-profile <ap-profile> rap-local-network-access

To disable, enter:
ap system-profile <ap-profile> no rap-local-network-access
See the Aruba Command Line Reference for detailed information on the command options.
Remote AP Authorization Profiles
Remote AP configurations include an authorization profile that specifies which profile settings should be
assigned to a remote AP that has been provisioned but not yet authenticated at the remote site. By default,
these yet-unauthorized APs are put into the temporary AP group authorization-group and assigned the
predefined profile NoAuthApGroup. This configuration allows the user to connect to an unauthorized
remote AP via a wired port and then enter a corporate username and password. Once a valid user has
authorized the AP, the remote AP is marked as authorized on the network. The remote AP then
downloads the configuration assigned to it by its permanent AP group.
Add or Edit a Remote AP Authorization Profile
To create a new authorization profile or edit an existing authorization profile via the WebUI:
1. Select Configuration > All Profiles. The All Profile Management window opens.
2. Select AP to expand the AP profile menu.
3. Select AP Authorization Profile. The Profile Details pane appears and displays the list of existing AP
authorization profiles.

To edit an existing profile, select a profile from the Profile Details pane.

To create a new authorization profile, enter a new profile name in the entry blank on the Profile
Details pane, then click Add.
4. The Profile Details window will display the AP group currently defined for that authorization profile.
To select a new AP group, click the drop-down list and select a different AP group name.
5. Click Apply to save your changes.
To create a new authorization profile or edit an existing authorization profile via the command-line
interface, access the command-line interface in enable mode, and issue the following commands.
ap authorization-profile <profile>
authorization-group <ap-group>
Access Control Lists and Firewall Policies
Remote APs support the following access control lists (ACLs); unless otherwise noted, you apply these
ACLs to user roles:

Standard ACLs—Permit or deny traffic based on the source IP address of the packet.

Ethertype ACLs—Filter traffic based on the Ethertype field in the frame header.

MAC ACLs—Filter traffic on a specific source MAC address or range of MAC addresses.

Firewall policies (session ACLs)—Identify specific characteristics of a data packet passing through
the Aruba controller and take some action based on that identification. You apply these ACLs to user
roles or uplink ports.
To configure firewall policies, you must install the PEFNG license.
For more information about ACLs and firewall policies, see “Configuring the fallback mode” on page 205.
Split Tunneling
The split tunneling feature allows you to optimize traffic flow by directing only corporate traffic back to the
controller, while local application traffic remains local. This ensures that local traffic does not incur the
overhead of the round trip to the controller, which decreases traffic on the WAN link and minimizes latency
for local application traffic. This is useful for sites that have local servers and printers. With split tunneling,
a remote user associates with a single SSID, not multiple SSIDs, to access corporate resources (for
example, a mail server) and local resources (for example, a local printer). The remote AP examines session
ACLs to distinguish between corporate traffic destined for the controller and local traffic.
Figure 31 Sample Split Tunnel Environment (corporate traffic tunneled to the controller; local traffic remains local; remote office with local server)
Figure 31 shows that corporate traffic is GRE tunneled to the controller through a trusted tunnel, and local
traffic is source NATed and bridged on the wired interface based on the configured user role and session
ACL.
Configuring Split Tunneling
To configure split tunneling:

Define a session ACL that forwards only corporate traffic to the controller.

Configure a netdestination for the corporate subnets.

Create rules to permit DHCP and corporate traffic to the corporate controller. When specifying the
action that you want the controller to perform on a packet that matches the specified criteria,
“permit” implies tunneling, which is used for corporate traffic, and “route” implies local bridging,
which is used for local traffic.
You must install the PEFNG license in the controller. For information about user roles and policies,
see Chapter 12, “Roles and Policies”.

Apply the session ACL to a user role.

Configure the AAA profile.
The AAA profile defines the authentication method and the default user role for authenticated users. The
configured user role contains the split ACL.
802.1x and PSK authentication are supported when configuring split tunnel mode.

Configure the virtual AP profile:
When configuring the virtual AP profile, you specify which AP group or AP the profile applies to.

Set the VLAN used for split tunneling. Only one VLAN can be configured for split tunneling; VLAN
pooling is not allowed.

When specifying the use of a split tunnel configuration, use “split-tunnel” forward mode.

Create and apply the applicable SSID profile.
When creating a new virtual AP profile in the WebUI, you can also configure the SSID at the same time. For
information about AP profiles, see “AP Configuration Profiles” on page 114.

Optionally, create a list of network names resolved by corporate DNS servers.
Clients send DNS requests to the corporate DNS server address that they learned from DHCP. If configured
for split tunneling, corporate domains and traffic destined for the corporate network use the corporate DNS server.
For non-corporate domains and local traffic, other DNS servers can be used.
Configuring the Session ACL
First you need to configure the session ACL. By applying this policy, local traffic remains local, and
corporate traffic is forwarded (tunneled) to the controller.
Using the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to create a new policy.
3. Enter the policy name in the Policy Name field.
4. From the Policy Type drop-down list, select Session.
5. From the IP Version drop-down list, select IPv4 or IPv6.
6. To create the first rule:
a. Under Rules, click Add.
b. Under Source, select any.
c. Under Destination, select any.
d. Under Service, select service. In the service drop-down list, select svc-dhcp.
e. Under Action, select permit for IPv4 or captive for IPv6.
f. Click Add.
7. To create the next rule:
a. Under Rules, click Add.
b. Under Source, select any.
c. Under Destination, select alias.
The following steps define an alias representing the corporate network. Once defined, you can use
the alias for other rules and policies. You can also create multiple destinations the same way.
8. Under the alias section, click New. Enter a name in the Destination Name field.
a. Click Add.
b. For Rule Type, select Network.
c. Enter the public IP address of the controller.
d. Enter the Network Mask/Range.
e. Click Add to add the network range.
f. Click Apply. The new alias appears in the Destination menu.
9. Under Destination, select the alias you just created.
10. Under Service, select any.
11. Under Action, select permit for IPv4 or captive for IPv6.
12. Click Add.
13. To create the next rule:
a. Under Rules, click Add.
b. Under Source, select user.
c. Under Destination, select any.
d. Under Service, select any.
e. Under Action, select any and check src-nat.
f. Click Add.
14. Click Apply.
15. Click the User Roles tab.
a. Click Add to create and configure a new user role.
b. Enter the desired name for the role in the Role Name field.
c. Under Firewall Policies, click Add.
d. From the Choose from Configured Policies drop-down menu, select the policy you just
configured.
e. Click Done.
16. Click Apply.
Using the CLI
netdestination <policy>
network <ipaddr> <netmask>
network <ipaddr> <netmask>
ip access-list session <policy>
any any svc-dhcp permit
any alias <name> any permit
user any any route src-nat
user-role <role>
session-acl <policy>
When defining the alias, there are a number of other session ACLs that you can create to define the handling
of local traffic, such as:
ip access-list session <policy>
user alias <name> any redirect 0
user alias <name> any route
user alias <name> any route src-nat
Configuring ACL for restricted LD homepage access
A user in a split or bridge role using a remote AP (RAP) can log on to the local debug (LD) homepage (for
example, http://rapconsole.arubanetworks.com) and perform reboot or reset operations. The LD
homepage provides various information about the RAP and also has a button to reboot the RAP. You can
now restrict a RAP user from resetting or rebooting a RAP by using the new localip keyword in the
user role ACL.
You will require the PEF license to use this feature. See Chapter 35, “Software Licenses” on page 677 for more
information on licensing requirements.
Any user associated to that role can be allowed or denied access to the LD homepage. You can use the
localip keyword in the ACL rule to identify the local IP address on the RAP. The localip keyword
identifies the set of all local IP addresses on the system to which the ACL is applied. The existing keywords
controller and mswitch indicate only the primary IP address on the controller.
Using CLI
Use the localip keyword in the user role ACL.
By default, all users have an ACL entry of type any any deny. This rule restricts access to all users. When
the ACL is configured for a user role, if a user any permit ACL rule is configured, add a deny ACL before
that for localip for restricting the user from accessing the LD homepage.
Example:
ip access-list session logon-control
user localip svc-http deny
user any permit
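Both the split-tunnel session ACL from "Configuring the Session ACL" and the logon-control ACL above are evaluated first match wins, which is why the localip deny has to precede the user any permit rule. The following Python model is an added illustration, not ArubaOS code: it mirrors the page's rule keywords with constructed service ports, a constructed corporate netdestination and constructed client and RAP addresses (the service field is always written explicitly), and shows the action each policy takes on DHCP, corporate, local and LD-homepage traffic, including the result when the deny is placed after the permit.

```python
"""First-match model of the session ACLs in this chapter (added illustration, not ArubaOS code).

Rule syntax: <source> <destination> <service> <action>, with source any|user|localip,
destination any|localip|alias <netdestination>, service any|svc-dhcp|svc-http and action
permit (tunnel to controller) | route | route src-nat (bridge locally) | deny.
Rules are tried top to bottom; first match wins; the implicit last rule is any any any deny.
"""
import ipaddress
from dataclasses import dataclass

# Constructed protocol/port definitions for the two named services the page uses.
SERVICES = {"svc-dhcp": ("udp", 67), "svc-http": ("tcp", 80)}


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "udp" or "tcp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str           # "any", "localip" or a netdestination name
    dst_is_alias: bool
    service: str
    action: str

    @classmethod
    def parse(cls, line: str) -> "Rule":
        tok = line.split()
        if tok[-2:] == ["route", "src-nat"]:
            action, tok = "route src-nat", tok[:-2]
        else:
            action, tok = tok[-1], tok[:-1]
        if tok[1] == "alias":
            return cls(tok[0], tok[2], True, tok[3], action)
        return cls(tok[0], tok[1], False, tok[2], action)


class SessionAcl:
    def __init__(self, rules, aliases=None, local_ips=()):
        self.rules = [Rule.parse(r) for r in rules]
        self.aliases = {name: [ipaddress.ip_network(n) for n in nets]
                        for name, nets in (aliases or {}).items()}
        self.local_ips = {ipaddress.ip_address(a) for a in local_ips}

    def _addr_matches(self, sel, is_alias, addr, is_source):
        ip = ipaddress.ip_address(addr)
        if is_alias:
            return any(ip in net for net in self.aliases[sel])
        if sel == "any":
            return True
        if sel == "localip":  # any local IP address on the RAP itself
            return ip in self.local_ips
        return sel == "user" and is_source  # the role's own user is always the source

    def _service_matches(self, sel, pkt):
        return sel == "any" or SERVICES[sel] == (pkt.proto, pkt.dport)

    def evaluate(self, pkt: Packet) -> str:
        """Return the action of the first matching rule, or the implicit deny."""
        for r in self.rules:
            if (self._addr_matches(r.src, False, pkt.src, True)
                    and self._addr_matches(r.dst, r.dst_is_alias, pkt.dst, False)
                    and self._service_matches(r.service, pkt)):
                return r.action
        return "deny"


# Split-tunnel policy from "Configuring the Session ACL", with a constructed corporate netdestination.
SPLIT_TUNNEL_RULES = ["any any svc-dhcp permit",
                      "any alias corp any permit",
                      "user any any route src-nat"]
CORP_NETS = {"corp": ["10.0.0.0/8"]}  # constructed corporate subnets


def classify_split_tunnel() -> dict:
    """Action taken for DHCP, corporate and local traffic from a client behind the RAP."""
    acl = SessionAcl(SPLIT_TUNNEL_RULES, aliases=CORP_NETS)
    client = "192.168.11.5"  # constructed client address
    return {"dhcp": acl.evaluate(Packet(client, "255.255.255.255", "udp", 67)),   # tunneled
            "corp": acl.evaluate(Packet(client, "10.1.2.3", "tcp", 443)),         # tunneled
            "local": acl.evaluate(Packet(client, "192.168.11.200", "tcp", 9100))}  # bridged, NATed


# "logon-control" policy from "Configuring ACL for restricted LD homepage access".
LD_LOCKDOWN_RULES = ["user localip svc-http deny", "user any any permit"]
RAP_LOCAL_IP = "172.16.11.254"  # constructed local address of the RAP


def ld_homepage_action(rules) -> str:
    """Action for a client HTTP request to the RAP's local IP under the given rule order."""
    acl = SessionAcl(rules, local_ips=[RAP_LOCAL_IP])
    return acl.evaluate(Packet("172.16.11.10", RAP_LOCAL_IP, "tcp", 80))


if __name__ == "__main__":
    print(classify_split_tunnel())
    print("deny first:", ld_homepage_action(LD_LOCKDOWN_RULES))        # deny
    print("deny last: ", ld_homepage_action(LD_LOCKDOWN_RULES[::-1]))  # permit: deny never reached
```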
Using WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to create a new policy.
3. Enter the policy name in the Policy Name field.
4. From the Policy Type drop-down list, select IPv4 Session.
5. To create the first rule:
a. Under Rules, click Add.
b. Under Source, select localip.
c. Under Destination, select any.
d. Under Action, select permit.
e. Click Apply.
Figure 32 Enable Restricted Access to LD Homepage
Configuring the AAA Profile and the Virtual AP Profile
After you configure the session ACL, you define the AAA profile and virtual AP used for split tunneling.
When defining the AAA parameters, specify the previously configured user role that contains the session
ACL used for split tunneling.
Using the WebUI
1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary
list, click Add.
2. Enter the AAA profile name, then click Add.
3. Select the AAA profile that you just created:
a. For 802.1X Authentication Default Role, select the user role you previously configured for split
tunneling, then click Apply.
b. Under the AAA profile that you created, locate 802.1x Authentication Server Group, and select the
authentication server group to use, then click Apply.
If you need to create an authentication server group, select new and enter the appropriate parameters.
Using CLI
aaa profile <name>
authentication-dot1x <dot1x-profile>
dot1x-default-role <role>
dot1x-server-group <group>
Configuring split tunneling in the virtual AP profile
1. Navigate to Configuration > Wireless > AP Configuration page. Select either the AP Group or AP
Specific tab. Click Edit for the applicable AP group name or AP name.
2. Under Profiles, select Wireless LAN, then Virtual AP.
3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu.
Enter the name for the virtual AP profile, and click Add.
Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID
profile with the default ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you
apply the profile.
a. In the Profile Details entry, go to the AAA Profile drop-down list and select the previously configured
AAA profile. The AAA Profile pop-up window appears.
b. To set the AAA profile and close the window, click Apply.
c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. A pop-up window displays to allow you to configure the SSID profile.
d. Enter the name for the SSID profile.
e. Under Network, enter a name in the Network Name (SSID) field.
f. Under Security, select the network authentication and encryption methods.
g. To set the SSID profile and close the window, click Apply.
4. Click Apply at the bottom of the Profile Details window.
5. Click the new virtual AP name in the Profiles list or the Profile Details to display configuration
parameters.
6. Under Profile Details:
a. Make sure Virtual AP enable is selected.
b. From the VLAN drop-down menu, select the VLAN ID for the VLAN to be used for split tunneling.
c. From the Forward mode drop-down menu, select split-tunnel.
d. Click Apply.
Using the CLI to configure split tunneling in the virtual AP profile
wlan ssid-profile <profile>
essid <name>
opmode <method>
wlan virtual-ap <profile>
ssid-profile <name>
forward-mode split-tunnel
vlan <vlan id>
aaa-profile <profile>
ap-group <name>
virtual-ap <profile>
or
ap-name <name>
virtual-ap <profile>
Using the WebUI to list the corporate DNS servers
1. Navigate to Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP, then AP system profile.
4. Under Profile Details:
a. Enter the corporate DNS servers.
b. Click Add.
The DNS name appears in the Corporate DNS Domain list. You can add multiple names the same way.
5. Click Apply.
Using the CLI to list the corporate DNS servers
ap system-profile <profile>
dns-domain <domain name>
Wi-Fi Multimedia
Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless Quality of
Service (QoS) standard. WMM works with 802.11a, b, g, and n physical layer standards. The IEEE 802.11e
standard also defines the mapping between WMM access categories (ACs) and Differentiated Services
Codepoint (DSCP) tags. Remote APs support WMM.
WMM supports four ACs: voice, video, best effort, and background. You apply and configure WMM in the
SSID profile.
When planning your configuration, make sure that intermediate switches or routers do not have conflicting
802.1p or DSCP configurations/mappings. If they do, your traffic may not be prioritized correctly.
For more detailed information about WMM and the applicable configuration commands, see Chapter 37,
“Voice and Video” .
Uplink Bandwidth Reservation
You can reserve and prioritize uplink bandwidth traffic to provide higher QoS for specific applications,
traffic or ports. This is done by applying bandwidth reservation on existing session ACLs. Typically, the
bandwidth reservation is applied for uplink voice traffic.
The following must be noted before you configure bandwidth reservation:

You must know the total bandwidth available.

Bandwidth reservation is applicable only on session ACLs.

Bandwidth reservation on voice traffic ACLs receives higher priority over other reserved traffic.

You can configure up to three unique priorities for bandwidth reservation.

The bandwidth reservation must be specified as an absolute value (kbps).

Priorities for bandwidth reservation are optional; bandwidth reservations without priorities are
treated equally.
Bandwidth Reservation for Uplink Voice Traffic
The voice ACLs are applicable on the voice signalling traffic used to establish a voice call through a firewall.
When a voice ACL is executed, a dynamic session is introduced to allow voice traffic through the firewall.
This prevents the re-use of voice ACLs for bandwidth reservation. However, you can create bandwidth
reservation rules that can be applied on voice signalling traffic and also on ports used for voice data traffic.
This mechanism filters traffic as per the security requirements.
Configuring Bandwidth Reservation
You can configure bandwidth reservation ACLs using CLI or the WebUI.
Using the WebUI
To configure bandwidth reservation:
1. Navigate to Configuration > Advanced Services > All Profiles.
2. Under Profiles, navigate to AP > AP System Profile. You can create a new AP system profile to
configure bandwidth reservation or edit an existing AP system profile. Under the Profile Details page,
specify bandwidth reservation values.
Figure 33 Uplink Bandwidth Reservation
Using CLI
(host) (config)#ap system-profile remotebw
(host) (AP system profile "remotebw") #rap-bw-total 1024
(host) (AP system profile "remotebw") #rap-bw-resv-1 acl voice 128 priority 1
To view bandwidth reservations:
(host) #show datapath rap-bw-resv ap-name remote-ap-1
RAP Uplink BW reservation statistics
------------------------------------
Pos: Acl  Resv  Prio  XmitPkts  XmitByte  Marked  Enqueued  Onqueue  Drops  TokenFin
---------------------------------------------------------------------------------------
1  : 11   200   0     0         0         3       0         0        0      0
2  : 0    0     0     0         0         0       0         0        0      0
3  : 0    0     0     0         0         0       0         0        0      0
4  : 0    0     0     1524      370962    0       1524      0        0      0
Chapter 8
Secure Enterprise Mesh
The Aruba secure enterprise mesh solution is an effective way to expand network coverage for outdoor and
indoor enterprise environments without any wires. Using mesh, you can bridge multiple Ethernet LANs or
you can extend your wireless coverage. As traffic traverses across mesh APs, the mesh network
automatically reconfigures around broken or blocked paths. This self-healing feature provides increased
reliability and redundancy: the network continues to operate if an AP stops functioning or a connection
fails.
Aruba controllers provide centralized configuration and management for APs in a mesh environment; local
mesh APs provide encryption and traffic forwarding for mesh links. This chapter describes the Aruba
secure enterprise mesh architecture, in the following topics:

“Mesh Access Points” on page 225

“Mesh Links” on page 227

“Mesh Profiles” on page 229

“Mesh Solutions” on page 232

“Before You Begin” on page 234

“Mesh Radio Profiles” on page 236

“RF Management (802.11a and 802.11g) Profiles” on page 241

“Mesh High-Throughput SSID Profiles” on page 249

“Mesh Cluster Profiles” on page 253

“Ethernet Ports for Mesh” on page 258

“Provisioning Mesh Nodes” on page 261

“AP Boot Sequence” on page 264

“Verifying the Network” on page 264

“Remote Mesh Portals” on page 266
Aruba strongly recommends staging mesh APs before you deploy them. Identify the physical location of the APs,
configure them for mesh, provision the APs and verify connectivity before physically deploying them in a live network.
For other pre-installation considerations, see “Before You Begin” on page 234.
Mesh Access Points
Mesh APs learn about their environment when they boot up. Mesh APs are either configured as a mesh
portal (MPP), an AP that uses its wired interface to reach the controller, or a mesh point (MP), an AP that
establishes an all-wireless path to the mesh portal. Mesh APs locate and associate with their nearest
neighbor, which provides the best path to the mesh portal. Mesh portals and mesh points are also known as
mesh nodes, a generic term used to describe APs configured for mesh.
Remote Mesh Portal only (not Mesh points) is supported on RAP-5WN. Mesh is not supported on RAP-2WG.
A mesh radio’s bandwidth can be shared between mesh-backhaul traffic and client traffic. You can,
however, configure a radio for mesh services only. If you have a dual-radio AP, a mesh node can be
configured to deliver client services on one radio and both mesh and WLAN services to clients on the other.
If you configure a single-radio AP to deliver mesh services only (by disabling the mesh radio in its 802.11a or
802.11g radio profile) that mesh node will not deliver WLAN services to its clients.
For mesh as well as traditional thin AP deployments, the Aruba controller provides centralized
provisioning, configuration, policy definition, ongoing network management and wireless and security
services. However, unlike the traditional thin AP case, mesh nodes also perform network traffic encryption
and decryption, and packet forwarding over wired and wireless links.
You configure the AP for mesh on the controller using either the WebUI or the CLI. All mesh related
configuration parameters are grouped into mesh profiles that you can apply as needed to an AP group or to
individual APs.
By default, APs operate as thin APs, which means their primary function is to receive and transmit
electromagnetic signals; other WLAN processing is left to the controller. When planning a mesh network,
you manually configure APs to operate in mesh portal or mesh point roles. Unlike a traditional WLAN
environment, local mesh nodes provide encryption and traffic forwarding for mesh links in a mesh
environment. Virtual APs are still applied to non-mesh radios.
Provisioning mesh APs is similar to thin APs; however, there are some key differences. Thin APs establish a
channel to the controller from which they receive the configuration for each radio interface. Mesh nodes, in
contrast, get their radio interfaces up and running before making contact with the controller. This requires a
minimum set of parameters from the AP group and mesh cluster that enables the mesh node to discover a
neighbor to create a mesh link and subsequent channel with the controller. To do this, you must first define
and configure the mesh cluster profile before configuring an AP to operate as a mesh node. This chapter
first describes how to configure the mesh profile, then describes how to configure APs to operate in mesh
mode. If you have already configured a complete mesh profile, continue to “Ethernet Ports for Mesh” or
“Provisioning Mesh Nodes”.
Mesh Portals
The mesh portal (MPP) is the gateway between the wireless mesh network and the enterprise wired LAN.
You configure an Aruba AP to perform the mesh portal role, which uses its wired interface to establish a
link to the wired LAN. You can deploy multiple mesh portals to support redundant mesh paths (mesh links
between neighboring mesh points that establish the best path to the mesh portal) from the wireless mesh
network to the wired LAN.
The mesh portal broadcasts the configured mesh service set identifier (MSSID/mesh cluster name), and
advertises the mesh network service to available mesh points. Neighboring mesh points that have been
provisioned with the same MSSID authenticate to the portal and establish a secure mesh link over which
traffic is forwarded. The authentication process requires secure key negotiation, common to all APs, and
the mesh link is established and secured using Advanced Encryption Standard (AES) encryption. Mesh
portals also propagate channel information, including CSAs.
Mesh Points
The mesh point (MP) is an Aruba AP configured for mesh and assigned the mesh point role. Depending on
the AP model, configuration parameters, and how it was provisioned, the mesh point can perform multiple
tasks. The mesh point provides traditional Aruba WLAN services (such as client connectivity, intrusion
detection system (IDS) capabilities, user role association, LAN-to-LAN bridging, and Quality of Service
(QoS) for LAN-to-mesh communication) to clients and performs mesh backhaul/network connectivity. A
mesh radio can be configured to carry mesh-backhaul traffic only. Additionally, a mesh point can provide
LAN-to-LAN Ethernet bridging by sending tagged/untagged VLAN traffic across a mesh backhaul/network to
a mesh portal.
Mesh points use one of their wireless interfaces to carry traffic and reach the controller. Mesh points are
also aware of potential neighbors and can form new mesh links if the current mesh link is no longer
preferred or available.
A RAP-2WG and RAP-5WN cannot be configured as a Mesh Point AP.
Mesh Clusters
Mesh clusters are similar to an Extended-Service Set (ESS) in a WLAN infrastructure. A mesh cluster is a
logical set of mesh nodes that share the common connection and security parameters required to create
mesh links. Mesh clusters are grouped and defined by a mesh cluster profile, as described in “Mesh Cluster
Profile”.
Mesh clusters may enforce predictability in mesh networking by limiting the amount of concurrent mesh
points, hop counts, and bandwidth used in the mesh network. A mesh cluster can have multiple mesh
portals and mesh points that facilitate wireless communication between wired LANs. Mesh portals in a
mesh cluster do not need to be on the same VLAN. Figure 34 shows two mesh clusters and their relationship
to the controller.
Figure 34 Sample Mesh Clusters [figure: cluster one (mesh portal and mesh point) and cluster two (mesh portal and mesh point), both connected to the controller]
Mesh Links
In simple terms, the mesh link is the data link between a mesh point and its parent. A mesh point uses the
parameters defined in the mesh cluster, specifically the mesh cluster profile, to establish a mesh link with a
neighboring mesh point. The mesh link uses a series of metrics to establish the best path to the mesh portal.
Throughout the rest of this chapter, the term “uplink” is also used to distinguish the active association between a
mesh point and its parent.
The following list describes how mesh links are created.
• Creating the initial mesh link
When creating the initial mesh link, mesh points look for others advertising the same MSSID as the one
contained in their mesh cluster profile. The mesh point scans the channels in its provisioned band of
operation to identify a list of neighbors that match its mesh cluster profile. The mesh point then selects
from the highest priority neighbors based on the least expected path cost.
If no provisioned mesh cluster profile is available, mesh points use the recovery profile to establish an
uplink. If multiple cluster profiles are configured, mesh points search their list of provisioned backup
mesh cluster profiles in order of priority to establish an uplink. If the configured profiles are
unavailable after searching for 5 minutes, the recovery profile is used.
• Moving to a better mesh link
If the existing uplink quality degrades below the configured threshold, and a lower cost or more
preferable uplink is available on the same channel and cluster, the mesh point reselects that link without
re-scanning. In some cases, this invalidates all of the entries that have this mesh point as a next hop to
the destination and triggers new learning of the bridge tables.
• Using a new mesh link if the current mesh link goes down
If an uplink goes down, the affected mesh nodes re-establish a connection with the mesh portal by
rescanning to choose a new path to the mesh portal. If a mesh portal goes down, and a redundant mesh
portal is available, the affected mesh nodes update their forwarding tables to reflect the path to the new
mesh portal.
Link Metrics
Mesh points use the configured algorithm to compute a metric value, or “path cost,” for each potential
uplink and select the one with the lowest value as the optimal path to the mesh portal. Table 41 describes
the components that make up the metric value: node cost, hop count, link cost and 802.11 capacity.
The link metrics indicate the relative cost of a path to the mesh portal. The best path (lowest metric value)
is used to create the uplink.
Table 41 Mesh Link Metric Computation
Node cost: Indicates the amount of traffic expected to traverse the mesh node. The more traffic, the higher
the node cost. When establishing a mesh link, nodes with less traffic take precedence. The node cost is
dependent on the number of children a mesh node supports. It can change as the mesh network topology
changes, for example if new children are added to the network or old children disconnect from the network.
Hop count: Indicates the number of hops it takes the mesh node to get to the mesh portal. The mesh portal
advertises a hop count of 0, while all other mesh nodes advertise a cumulative count based on the parent
mesh node.
Link cost: Represents the quality of the link to an active neighbor. The higher the Received Signal Strength
Indication (RSSI), the better the path to the neighbor and the mesh portal. If the RSSI value is below the
configured threshold, the link cost is penalized to filter marginal links. A less direct, higher quality link may
be preferred over the marginal link. The following factors also affect mesh link metrics:
• High-throughput APs add a high cost penalty for links to non-high-throughput APs.
• Multi-stream high-throughput APs add proportional cost penalties for links to high-throughput APs that
support fewer streams.
802.11 capacity: High-throughput APs can send 802.11 information elements (IEs) in their management
frames, allowing high-throughput mesh nodes to identify other mesh nodes with a high-throughput
capacity. High-throughput mesh points prefer to select other 802.11-capable mesh points in their path to
the mesh portal, but will use a legacy path if no high-throughput path is available.
Path cost: Path cost is calculated by analyzing the other components in this table, and adding the link cost
plus the mesh parent's path cost plus the parent's node cost. Mesh portals typically advertise a path cost of
zero, but high-throughput portals will add an offset penalty if they are connected to a 10/100 Mbps port that
is too slow for the high-throughput link capacity.
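The following Python model of the Table 41 computation is an added example, not code from the ArubaOS guide: it runs the path-cost rule (link cost plus the parent's path cost plus the parent's node cost) over a constructed scan so you can see why a marginal direct link to a portal loses to a stronger two-hop path. The cost weights, the shape of each cost function and the neighbor names are assumptions; Aruba does not publish the exact arithmetic of its link metric algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the Table 41 metric components. The weights and the
# shape of each cost function are ASSUMPTIONS for illustration only; Aruba
# does not publish the exact arithmetic of its link metric algorithm.
LINK_THRESHOLD_RSSI = 12           # Table 42 default "Link Threshold"
MAX_HOP_COUNT = 8                  # Table 42 default "Maximum Hop Count"
MAX_CHILDREN = 64                  # Table 42 default "Maximum Children"
SUBTHRESHOLD_PENALTY = 1000        # assumed: filters marginal (sub-threshold) links
NODE_COST_PER_CHILD = 10           # assumed: more children means more expected traffic
HT_TO_LEGACY_PENALTY = 500         # assumed: high-throughput AP linking to a legacy AP
HT_PORTAL_SLOW_PORT_PENALTY = 200  # assumed: HT portal on a 10/100 Mbps wired port


@dataclass
class Neighbor:
    """A candidate parent as seen in a mesh point's scan results."""
    name: str
    is_portal: bool
    hop_count: int                 # advertised; a mesh portal advertises 0
    children: int                  # children the neighbor currently supports
    path_cost: int                 # path cost the neighbor advertises (ignored for portals)
    high_throughput: bool
    slow_wired_port: bool = False  # HT portal connected to a 10/100 Mbps port


def link_cost(rssi: int, threshold: int = LINK_THRESHOLD_RSSI) -> int:
    """Higher RSSI gives a cheaper link; a sub-threshold link is penalized."""
    cost = max(0, 100 - rssi)      # assumed scale: RSSI 100 -> cost 0
    if rssi < threshold:
        cost += SUBTHRESHOLD_PENALTY
    return cost


def node_cost(n: Neighbor) -> int:
    """Node cost grows with the number of children the parent already serves."""
    return n.children * NODE_COST_PER_CHILD


def advertised_path_cost(n: Neighbor) -> int:
    """Portals advertise 0, except an HT portal behind a slow wired port."""
    if n.is_portal:
        return HT_PORTAL_SLOW_PORT_PENALTY if (n.high_throughput and n.slow_wired_port) else 0
    return n.path_cost


def candidate_cost(n: Neighbor, rssi: int, self_is_ht: bool) -> Optional[int]:
    """Path cost via n = link cost + parent's path cost + parent's node cost.

    Returns None when the neighbor cannot be used at all: the resulting hop
    count would exceed the maximum, or it already serves the maximum children.
    """
    if n.hop_count + 1 > MAX_HOP_COUNT or n.children >= MAX_CHILDREN:
        return None
    cost = link_cost(rssi) + advertised_path_cost(n) + node_cost(n)
    if self_is_ht and not n.high_throughput:
        cost += HT_TO_LEGACY_PENALTY   # an HT node prefers an HT path
    return cost


def select_uplink(scan: Dict[str, int], neighbors: List[Neighbor],
                  self_is_ht: bool = True) -> Optional[Tuple[str, int]]:
    """Pick the eligible neighbor with the lowest path cost as the uplink."""
    best: Optional[Tuple[str, int]] = None
    for n in neighbors:
        if n.name not in scan:
            continue                   # not heard on the provisioned band
        cost = candidate_cost(n, scan[n.name], self_is_ht)
        if cost is None:
            continue
        if best is None or cost < best[1]:
            best = (n.name, cost)
    return best


def example_scenario() -> Tuple[Dict[str, int], List[Neighbor]]:
    """Constructed scan: a marginal direct link to a portal competes with a
    strong link to a one-hop mesh point, a legacy portal and a slow-port portal."""
    neighbors = [
        Neighbor("portal-A", True, 0, 0, 0, True),         # direct, but RSSI 8 is sub-threshold
        Neighbor("mp-B", False, 1, 2, 55, True),           # one hop from portal-A, strong signal
        Neighbor("portal-C", True, 0, 0, 0, False),        # legacy portal, strong signal
        Neighbor("portal-D", True, 0, 0, 0, True, True),   # HT portal on a 10/100 Mbps port
    ]
    scan = {"portal-A": 8, "mp-B": 40, "portal-C": 50, "portal-D": 30}  # constructed RSSI values
    return scan, neighbors


if __name__ == "__main__":
    scan, neighbors = example_scenario()
    for n in neighbors:
        print(f"{n.name:9s} rssi={scan[n.name]:3d} cost={candidate_cost(n, scan[n.name], True)}")
    print("selected uplink:", select_uplink(scan, neighbors))   # ('mp-B', 135)
```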
Optimizing Links
You can configure and optimize operation of the link metric algorithm via the mesh radio profile. These
configurable mesh link trigger thresholds can determine when the uplink or mesh path is dropped and
another is chosen, provide enhanced network reliability, and contain flapping links. Although you can
modify the behavior of the link metric algorithm, Aruba recommends the default values for most
deployments. For information, see “metric algorithm” on page 237.
Mesh Profiles
Mesh profiles help define and bring-up the mesh network. The following sections describe the mesh cluster,
mesh radio, and mesh recovery profiles in more detail.
The complete mesh profile consists of a mesh radio profile, RF management (802.11a and 802.11g) radio
profiles, a high-throughput SSID profile (if your deployment includes 802.11n-capable APs), a mesh cluster
profile, and a read-only recovery profile. The recovery profile is dynamically generated by the master
controller; you do not explicitly configure the recovery profile.
Aruba provides a “default” version of the mesh radio, RF management, high-throughput SSID and cluster
profiles with default values for most parameters. You can use the “default” version of a profile or create a
new instance of a profile which you can then edit as you need. You can change the values of any parameter
in a profile. You have the flexibility of applying the “default” versions of profiles in addition to customizing
profiles that are necessary for the AP or AP group to function.
If you assign a profile to an individual AP, the values in the profile override the profile assigned to the AP
group to which the AP belongs. The exception is the mesh cluster profile—you can apply multiple mesh
cluster profiles to individual APs, as well as to AP groups.
Mesh Cluster Profile
Mesh clusters are grouped and defined by a mesh cluster profile, which provides the framework of the mesh
network. Similar to virtual AP profiles, the mesh cluster profile contains the MSSID (mesh cluster name),
authentication methods, security credentials, and cluster priority required for mesh nodes to associate with
their neighbors and join the cluster. Associated mesh nodes store this information in flash memory.
Although most mesh deployments will require only a single mesh cluster profile, you can configure and
apply multiple mesh cluster profiles to an AP group or an individual AP. If you have multiple cluster
profiles, the mesh portal uses the profile with the highest priority to bring up the mesh network. Mesh
points, in contrast, go through the list of mesh cluster profiles in order of priority to decide which profile to
use to associate themselves with the network. The mesh cluster priority determines the order by which the
mesh cluster profiles are used. This allows you, rather than the link metric algorithm, to explicitly segment
the network by defining multiple cluster profiles.
Aruba provides a “default” version of the mesh cluster profile. You can use the “default” version or create a
new instance of a profile which you can then edit as you need. You can configure a maximum of 16 mesh
cluster profiles on a mesh node. For details about configuring mesh cluster profiles, see “Mesh Cluster
Profiles”.
Mesh Radio Profile
Aruba provides a “default” version of the mesh radio profile. You can use the “default” version or create a
new instance of a profile which you can then edit as you need. The mesh radio profile allows you to specify
the set of rates used to transmit data on the mesh link. For information about configuring mesh radio
profiles, see “Mesh Radio Profiles”.
RF Management (802.11a and 802.11g) Profiles
The two 802.11a and 802.11g RF management profiles for an AP configure its 802.11a (5 GHz) and 802.11b/g
(2.4 GHz) radio settings. Use these profile settings to determine the channel, beacon period, transmit
power, and ARM profile for a mesh AP’s 5 GHz and 2.4 GHz frequency bands. You can either use the
“default” version of each profile, or create a new 802.11a or 802.11g profile which you can then configure as
necessary. Each RF management profile also has a radio-enable parameter that allows you to enable or
disable the AP’s ability to simultaneously carry WLAN client traffic and mesh-backhaul traffic on that radio.
This value is enabled by default. For information about configuring RF Management Radio profiles, see “RF
Management (802.11a and 802.11g) Profiles”.
If you do not want the mesh radios carrying mesh-backhaul traffic to support client traffic, consider using a dedicated
802.11a/802.11g radio profile with the mesh radio disabled: in this scenario, the radio will carry mesh backhaul traffic
but will not support client Virtual APs.
Mesh nodes operating in different cluster profiles can share the same radio profile. Conversely, mesh
portals using the same cluster profile can be assigned different RF Management Radio profiles to achieve
frequency separation (for more information, see “Deployments with Multiple Mesh Cluster Profiles”).
Adaptive Radio Management Profiles
Each 802.11a and 802.11g radio profile references an Adaptive Radio Management (ARM) profile. When you
assign an active ARM profile to a mesh radio, ARM's automatic power-assignment and channel-assignment
features will automatically select the radio channel with the least amount of interference for each mesh
portal, maximizing end user performance. In earlier versions of this software, an AP with a mesh radio
received its beacon period, transmission power and 11a/11g portal channel settings from its mesh radio
profile. Mesh-access AP portals now inherit these radio settings from their dot11a or dot11g radio profiles.
Each ARM-enabled mesh portal monitors defined thresholds for interference, noise, errors, rogue APs and
radar settings, then calculates interference and coverage values and selects the best channel for its radio
band(s). The mesh portal communicates its channel selection to its mesh points via Channel Switch
Announcements (CSAs), and the mesh points will change their channel to match their mesh portal.
Although channel settings can still be defined for a mesh point via that mesh point's 802.11a and 802.11g
radio profiles, these settings will be overridden by any channel changes from the mesh portal. A mesh point
will take the same channel setting as its mesh portal, regardless of its associated clients. If you want to
manually assign channels to mesh portals or mesh points, disable the ARM profile associated with the
802.11a or 802.11g radio profile by setting the ARM profile’s assignment parameter to disable.
Mesh points, unlike mesh portals, do not scan channels. This means that once a mesh point has selected a
mesh portal or an upstream mesh point, it will tune to this channel, form the link, and will not scan again
unless the mesh link gets broken. This provides good mesh link stability, but may adversely affect system
throughput in networks with mesh portals and mesh points. When ARM assigns optimal channels to mesh
portals, those portals use different channels, and once the mesh network has formed and all the mesh
points have selected a portal (or upstream mesh point), those mesh points will not be able to detect other
portals on other channels that could offer better throughput. This type of suboptimal mesh network may
form if, for example, two or three mesh points select the same mesh portal after booting, form the mesh
network, and leave a nearby mesh portal without any mesh points. Again, this will not affect mesh
functionality, but may affect total system throughput. For details about associating an ARM profile with a
mesh AP, see “Assigning an ARM Profile”.
High-Throughput Profiles
Each 802.11a and 802.11g radio profile also references a high-throughput profile that manages an AP or AP
group’s 40 MHz tolerance settings. For information about referencing a high-throughput profile, see
“Assigning a High-throughput Profile”.
Mesh High-Throughput SSID Profile
High-throughput APs support additional settings not available in legacy APs. A mesh high-throughput SSID
profile can enable or disable high-throughput (802.11n) features and 40 MHz channel usage, and define
values for aggregated MAC protocol data units (MPDUs) and Modulation and Coding Scheme (MCS) ranges.
Aruba provides a “default” version of the mesh high-throughput SSID profile. You can use the “default”
version or create a new instance of a profile which you can then edit as you need. High-throughput Mesh
nodes operating in different cluster profiles can share the same high-throughput SSID radio profile. For
information about configuring mesh high-throughput SSID profiles, see “Mesh High-Throughput SSID
Profiles”.
Wired AP Profile
The wired AP profile controls the configuration of the Ethernet port(s) on your AP. You can use the wired
AP profile to configure Ethernet ports for bridging or secure jack operation using the wired AP profile. For
details, see “Ethernet Ports for Mesh” on page 258.
Mesh Recovery Profile
In addition to the “default” and user-defined mesh cluster profiles, mesh nodes also have a recovery profile.
The master controller dynamically generates a recovery profile, and each mesh node provisioned by the
same master controller has the same recovery profile. The recovery profile is based on a pre-shared key
(PSK), and mesh nodes use the recovery profile to establish a link to the controller if the mesh link is
broken and no other mesh cluster profiles are available.
The mesh portal advertises the provisioned cluster profile. If a mesh point is unaware of the active mesh
cluster profile, but is aware of and has the same recovery profile as the mesh portal, the mesh point can use
the recovery profile to connect to the mesh portal.
The mesh point must have the same recovery profile as the parent to which it connects. If you provision the mesh
points with the same master controller, the recovery profiles should match.
To verify that the recovery profile names match, use the following command: show ap mesh debug provisioned-clusters {ap-name <name> | bssid <bssid> | ip-addr <ipaddr>}.
To view the recovery profile on the controller, use the following command: show running-config | include recovery.
If a mesh point connects to a parent using the recovery profile, it may immediately exit recovery if the
parent is actively using one of its provisioned mesh cluster profiles. Once in recovery, a mesh point
periodically exits recovery to see if it can connect using an available provisioned mesh cluster profile. The
recovery profile is read-only; it cannot be modified or deleted.
The recovery profile is stored in the master controllers’ configuration file and is unique to that master
controller. If necessary, you can transfer your configuration to another controller. If you do this, make sure
your new mesh cluster is running and you have re-provisioned the mesh nodes before deleting your
previous configuration. The APs will learn the new recovery profile after they are provisioned with the new
controller. This is also true if you provision a mesh node with one master controller and use it with a
different master controller. In this case, the recovery profile will not work on the mesh node until you re-provision it with the new master controller.
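As an added example (not code from the ArubaOS guide), the following Python model walks the uplink decision described under “Creating the initial mesh link” and in this recovery profile section: provisioned cluster profiles are tried in priority order, the recovery profile is used only after the 5-minute search window, and recovery succeeds only against a parent that the same master controller provisioned. Profile names, MSSIDs, the “priority 1 is highest” convention and the constructed recovery profile name are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PROFILE_SEARCH_TIMEOUT_S = 5 * 60   # page: configured profiles are searched for 5 minutes
MAX_CLUSTER_PROFILES = 16           # page: at most 16 mesh cluster profiles per mesh node


@dataclass(frozen=True)
class ClusterProfile:
    name: str
    mssid: str        # mesh cluster name that the portal beacons
    priority: int     # assumed convention: 1 is the highest priority


@dataclass
class MeshNode:
    name: str
    provisioned: List[ClusterProfile]     # cluster profiles stored in flash at provisioning
    master_controller: str                # master controller that provisioned the node
    advertised_mssids: Set[str] = field(default_factory=set)  # MSSIDs this node beacons

    @property
    def recovery_profile(self) -> str:
        # The recovery profile is generated by the master controller, so two nodes
        # share one only if the same master provisioned both (constructed name).
        return f"recovery-{self.master_controller}"


def validate_provisioning(profiles: List[ClusterProfile]) -> None:
    """Reject a profile set the page says a mesh node cannot hold."""
    if len(profiles) > MAX_CLUSTER_PROFILES:
        raise ValueError(f"at most {MAX_CLUSTER_PROFILES} mesh cluster profiles per node")
    if len({p.name for p in profiles}) != len(profiles):
        raise ValueError("mesh cluster profile names must be unique")


def choose_cluster_profile(point: MeshNode, visible_mssids: Set[str]) -> Optional[ClusterProfile]:
    """Walk the provisioned profiles in priority order; the first whose MSSID is heard wins."""
    validate_provisioning(point.provisioned)
    for profile in sorted(point.provisioned, key=lambda p: p.priority):
        if profile.mssid in visible_mssids:
            return profile
    return None


def establish_uplink(point: MeshNode, parents: List[MeshNode],
                     elapsed_s: int) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (mode, profile name, parent name) for the mesh point's uplink attempt.

    mode is "cluster" (a provisioned profile matched), "searching" (nothing matched
    yet and the 5-minute window is still open), "recovery" (window expired and a
    parent shares the point's recovery profile) or "isolated" (no usable parent).
    """
    visible = {m for parent in parents for m in parent.advertised_mssids}
    profile = choose_cluster_profile(point, visible)
    if profile is not None:
        parent = next(p for p in parents if profile.mssid in p.advertised_mssids)
        return ("cluster", profile.name, parent.name)
    if elapsed_s < PROFILE_SEARCH_TIMEOUT_S:
        return ("searching", None, None)
    for parent in parents:
        if parent.recovery_profile == point.recovery_profile:
            return ("recovery", point.recovery_profile, parent.name)
    return ("isolated", None, None)   # e.g. parent provisioned by a different master


def example_scenario():
    """Constructed nodes: one mesh point with two cluster profiles and four portals."""
    east = ClusterProfile("east-cluster", "mesh-east", 1)
    backup = ClusterProfile("backup-cluster", "mesh-backup", 2)
    point = MeshNode("mp-1", [backup, east], "master-1")
    portal_east = MeshNode("portal-E", [east], "master-1", {"mesh-east"})
    portal_backup = MeshNode("portal-B", [backup], "master-1", {"mesh-backup"})
    portal_other_master = MeshNode("portal-X", [], "master-2", {"mesh-other"})
    portal_same_master = MeshNode("portal-S", [], "master-1", {"mesh-other"})
    return point, portal_east, portal_backup, portal_other_master, portal_same_master


if __name__ == "__main__":
    point, pe, pb, px, ps = example_scenario()
    print(establish_uplink(point, [pb, pe], 0))      # ('cluster', 'east-cluster', 'portal-E')
    print(establish_uplink(point, [px], 60))         # ('searching', None, None)
    print(establish_uplink(point, [px], 300))        # ('isolated', None, None)
    print(establish_uplink(point, [px, ps], 300))    # ('recovery', 'recovery-master-1', 'portal-S')
```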
Mesh Solutions
You can configure the following single-hop and multi-hop solutions:
• Thin AP services with wireless backhaul deployment
• Point-to-point deployment
• Point-to-multipoint deployment
• High-availability deployment
With a thin AP wireless backhaul deployment, mesh provides services and security to remote wireless
clients and sends all control and user traffic to the master controller over a wireless backhaul mesh link.
The remaining deployments allow you to extend your existing wired network by providing a wireless bridge
to connect Ethernet LAN segments. You can use these deployments to bridge Ethernet LANs between
floors, office buildings, campuses, factories, warehouses and other environments where you do not have
access to physical ports or cable to extend the wired network. In these scenarios, a wireless backhaul
carries traffic between the Aruba APs configured as the mesh portal and the mesh point, to the Ethernet
LAN.
Thin AP Services with Wireless Backhaul Deployment
To expand your wireless coverage without bridging Ethernet LAN segments, you can use thin AP services
with a wireless backhaul. In this scenario, the mesh point provides network access for wireless clients and
establishes a mesh path to the mesh portal, which uses its wired interface to connect to the controller. Use
the 802.11g radio for WLAN and controller services and the 802.11a radio for mesh services. Figure 35
shows the wireless backhaul between the mesh portal to the mesh point that services the wireless clients.
Figure 35 Sample Wireless Backhaul Deployment [figure: controller, mesh portal, mesh point]
Point-to-Point Deployment
In this point-to-point scenario, two Ethernet LAN segments are bridged via a wireless connection that
carries both client services traffic and mesh-backhaul traffic between the mesh portal and the mesh point.
This provides communication from one LAN to another. Figure 36 shows a single-hop point-to-point
deployment.
Figure 36 Sample Point-to-Point Deployment [figure: VLAN one and VLAN two bridged between the mesh portal and the mesh point]
Point-to-Multipoint Deployment
In a point-to-multipoint scenario, multiple Ethernet LAN segments are bridged via multiple wireless/mesh
backhauls that carry traffic between the mesh portal and the mesh points. This provides communication
from the local LAN to multiple remote LANs. Figure 37 shows a single-hop point-to-multipoint deployment.
Figure 37 Sample Point-to-Multipoint Deployment [figure: host site with access to the data center and the controller (mesh portal); remote sites with connectivity via the mesh points]
High-Availability Deployment
In this high-availability scenario, multiple Ethernet LAN segments are bridged via multiple wireless
backhauls that carry traffic between the mesh portal and the mesh points. You configure one mesh portal
for each remote LAN that you are bridging with the host LAN. This provides communication from the host
LAN to multiple remote LANs. In the event of a link failure between a mesh point and its mesh portal, the
affected mesh point could create a link to the other mesh portal. Figure 38 shows a sample single-hop
high-availability deployment. The dashed lines represent the current mesh link between the mesh points and
their mesh portals. The diagonal dotted lines represent possible links that could be formed in the event of a
mesh link or mesh portal failure.
Figure 38 Sample High-Availability Deployment [figure: two mesh points and two mesh portals]
Before You Begin
Aruba recommends the following when planning and deploying a mesh solution:
Pre-Deployment Considerations
• Stage the APs before deployment. Identify the location of the APs, configure them for mesh,
provision them and verify connectivity before physically deploying the mesh APs in a live
network.
• Ensure the controller has Layer-2/3 network connectivity to the network segment where the mesh portal
will be installed.
• Keep the AP packaging materials and reuse them to send the APs to the installation location.
• Verify the layout of the physical location to determine the appropriate configuration and placement of
the APs. Use this information to avoid problems that would necessitate a physical recovery.
• Label the AP before sending it to the physical location for installation.
Outdoor-Specific Deployment Considerations
• Provision the AP with the latitude and longitude coordinates of the installation location. This allows you
to more easily identify the AP for inventory and troubleshooting purposes.
• Identify a “radio line of sight” between the antennas for optimum performance. The radio line of sight
involves the area along a link through which the bulk of the radio signal power travels.
• Identify the minimum antenna height required to ensure a reliable mesh link.
• Scan your proposed site to avoid radio interference caused by other radio transmissions using the same
or an adjacent frequency.
• Consider extreme weather conditions known to affect your location, including: temperature, wind
velocity, lightning, rain, snow, and ice.
• Allow for seasonal variations, such as growth of foliage.
For more detailed outdoor deployment information, refer to the Installation Guide that came with your
outdoor AP.
Configuration Considerations
• On dual-radio APs, you can configure only one of the radios for mesh. If you want a dual-radio AP to carry
mesh backhaul traffic and client services traffic on separate radios, Aruba recommends using 802.11a
radios for mesh-backhaul traffic and 802.11g radios for traditional WLAN access.
• If you configure more than one mesh node in the same VLAN, prevent network loops by enabling STP on
the Layer-2 switch used to connect the mesh nodes.
• Mesh nodes learn a maximum of 1024 source MAC addresses; this cannot be changed.
• Place all APs for a specific mesh cluster in the same AP group.
• Create and keep separate mesh cluster profiles for specific mesh clusters. Do not overwrite or delete the
cluster profiles.
• Enable bridging on mesh point Ethernet ports when deploying LAN bridging solutions.
• APs configured as mesh points support secure jack operation on enet0. APs with multiple Ethernet ports
configured as mesh portals support secure jack operation on enet1. If an AP with multiple Ethernet ports
is configured as a mesh point, it supports secure jack operation on enet1 and enet0.
• Mesh networks forward tagged/untagged VLAN traffic, but do not tag traffic. The allowed VLANs are
controlled by the wired AP profile.
Post-Deployment Considerations
• Do not connect mesh point Ethernet ports in such a way that causes a network loop.
• Have a trained professional install the AP. After installation, check to ensure the AP receives power and
boots up, enabling RSSI outputs.
Although the AP is up and operational, it is not connected to the network.
• Align the AP antenna for optimal RSSI.
• Do not delete or modify mesh cluster profiles once you use them to provision mesh nodes. You can
recover the mesh point if the original cluster profile is still available. Aruba recommends creating a new
mesh cluster profile if needed.
• If you create a new mesh cluster profile for an existing deployment, you must re-provision the AP for the
new profile to take effect. If you re-provision mesh nodes that are already operating, re-provision the
most distant (highest hop count) mesh points first followed by the mesh portals. If you re-provision the
mesh portal first, the mesh points may be unable to form a mesh link. Note that re-provisioning the AP
causes it to automatically reboot, which may cause a disruption of service to the network.
Dual-Port AP Considerations
The AP-70, AP-130 Series and AP-120 Series models have two 10/100 Mbps Ethernet ports (enet0 and enet1,
respectively). When using these APs in a mesh environment, note the following Ethernet port requirements:
• If configured as a mesh portal:
  • Connect enet0 to the controller to obtain an IP address. The wired AP profile controls enet1.
  • Only enet1 supports secure jack operation.
• If configured as a mesh point, enet0 and enet1 can be configured using separate wired-port-profiles.
However, the wired-ap-profile for enet0 is also applied to enet1.
Mesh Radio Profiles
The mesh radio profile determines many of the settings used by mesh nodes to establish mesh links and the
path to the mesh portal, including the maximum number of children a mesh node can accept, and transmit
rates for the 802.11a and 802.11g radios. The attributes of the mesh radio profile are applied to a mesh point
upon receiving its configuration from the controller. You can configure multiple radio profiles; however,
you select and deploy only one radio profile per AP group. Radio profiles, including the “default” profile, are
not active until you provision your APs for mesh.
If you modify a currently provisioned and running radio profile, your changes take effect immediately. You
do not reboot the controller or the AP.
Managing Mesh Profiles In the WebUI
Use the following procedures to define and manage mesh radio profiles using the WebUI.
Creating a New Profile
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
  • If you selected the AP Group tab, click the Edit button by the AP group name for which you want to
configure the new mesh radio profile.
  • If you selected the AP Specific tab, click the Edit button by the AP for which you want to create the
mesh radio profile.
2. In the Profiles list, expand the Mesh menu, then select Mesh radio profile.
3. In the Profile Details window pane, click the Mesh radio profile drop-down list and select New.
Enter a new mesh radio profile name in the field to the right of the drop-down list. You cannot use
spaces in radio profile names.
4. Configure your desired mesh radio settings. Table 42 describes the parameters you can configure in the
mesh radio profile.
Table 42 Mesh Radio Profile Configuration Parameters
Mesh radio profile: Select an existing radio profile to modify or create a new radio profile. The radio profile
name can have a maximum of 32 characters.
Default: Mesh radio profile named “default.”
Maximum Children: Indicates the maximum number of children a mesh node can accept.
Default: 64 children. The range is 1–64.
Maximum Hop Count: Indicates the maximum hop count from the mesh portal.
Default: 8 hops. The range is 1–32.
Heartbeat threshold: Indicates the maximum number of heartbeat messages that can be lost between
neighboring mesh nodes.
Default: 10 missed heartbeats. The range is 1–255.
Table 42 Mesh Radio Profile Configuration Parameters (Continued)
Parameter
Link Threshold
Description
Use this setting to optimize operation of the link metric algorithm.
Indicates the minimal RSSI value. If the RSSI value is below this threshold, the link may be
considered a sub-threshold link. A sub-threshold link is one whose average RSSI value falls
below the configured link threshold.
If this occurs, the mesh node may try to find a better link on the same channel and cluster (only
neighbors on the same channel are considered).
Default: 12. The supported threshold is hardware dependent, with a practical range of 10–90.
Reselection mode
Use this setting to optimize operation of the link metric algorithm. The reselection mode
specifies the method a mesh node uses to find a better uplink to create a path to the mesh
portal. Only neighbors on the same channel in the same mesh cluster are considered.
Available options are:
• reselect-anytime—Mesh points using the reselect-anytime reselection mode perform a
single topology readjustment scan within 9 minutes of startup and 4 minutes after a link is
formed. If no better parent is found, the mesh point returns to its original parent. This initial
scan evaluates more distant mesh points before closer mesh points, and incurs a dropout of
5–8 seconds for each mesh point. After the initial startup scan is completed, connected
mesh nodes evaluate mesh links every 30 seconds. If a mesh node finds a better uplink, the
mesh node connects to the new parent to create an improved path to the mesh portal.
• reselect-never—Connected mesh nodes do not evaluate other mesh links to create an
improved path to the mesh portal.
• startup-subthreshold—Mesh points using the startup-subthreshold reselection mode
perform a single topology readjustment scan within 9 minutes of startup and 4 minutes after
a link is formed. If no better parent is found, the mesh point returns to its original parent.
This initial startup scan evaluates more distant mesh points before closer mesh points, and
incurs a dropout of 5–8 seconds for each mesh point. After that time, each mesh node
evaluates alternative links if the existing uplink falls below the configured threshold level (the
link becomes a sub-threshold link). Aruba recommends using this default startup-subthreshold value.
• subthreshold-only—Connected mesh nodes evaluate alternative links only if the existing
uplink becomes a sub-threshold link.
Default: startup-subthreshold.
Note: Starting with ArubaOS 3.4.1, if a mesh point using the startup-subthreshold or
subthreshold-only mode reselects a more distant parent because its original, closer parent
falls below the acceptable threshold, then as long as that mesh point is connected to that more
distant parent, it will seek to reselect a parent at the earlier, shorter distance (or less) with good
link quality. For example, if a mesh point disconnects from a mesh parent 2 hops away and
subsequently reconnects to a mesh parent 3 hops away, then the mesh point will continue to
seek a connection to a mesh parent with both an acceptable link quality and a distance of two
hops or less, even if the more distant parent also has an acceptable link quality.
Metric algorithm
Use this setting to optimize operation of the link metric algorithm.
Specifies the algorithm used by a mesh node to select its parent.
Available options are:
• best-link-rssi—Selects the parent with the strongest RSSI, regardless of the number of
children a potential parent has.
• distributed-tree-rssi—Selects the parent based on link-RSSI and node cost based on the
number of children. This option evenly distributes the mesh points over high quality uplinks.
Low quality uplinks are selected as a last resort.
Note: Aruba recommends using the default value.
Default: distributed-tree-rssi.
Retry Limit
Indicates the number of times a mesh node can re-send a packet.
Default: 4 times. The range is 0–15.
RTS Threshold
Defines the packet size sent by mesh nodes. Mesh nodes transmitting frames larger than this
threshold must issue request to send (RTS) and wait for other mesh nodes to respond with clear
to send (CTS) to begin transmission. This helps prevent mid-air collisions.
Default: 2,333 bytes. The range is 256–2,346.
802.11a Transmit Rates
Indicates the transmit rates for the 802.11a radio.
The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is
unavailable, the AP goes through the list and uses the next highest rate.
To modify transmit rates, do one of the following:
• In the WebUI, deselect (uncheck) a specific rate box to use fewer rates when establishing a
mesh link.
• In the CLI, enter the specific rates to use.
Default: All transmission rates are selected and used. If you do not select 802.11a or 802.11g
transmit rates, all rates are selected by default when you click Apply.
802.11g Transmit Rates
Indicates the transmit rates for the 802.11g radio.
The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is
unavailable, the AP goes through the list and uses the next highest rate.
To modify transmit rates, do one of the following:
• In the WebUI, deselect (uncheck) a specific rate box to use fewer rates when establishing a
mesh link.
• In the CLI, enter the specific rates to use.
Default: All transmission rates are selected and used. If you do not select 802.11a or 802.11g
transmit rates, all rates are selected by default when you click Apply.
Mesh Private VLAN
A VLAN ID for control traffic between a remote mesh portal and mesh nodes. This VLAN ID
must not be used for user traffic.
Range: 0–4094. Default: 0 (disabled).
For further information on configuring a remote mesh portal, see “Remote Mesh Portals” on
page 266.
Allowed VLANs on Mesh Link
(For the internal AP on 651 controllers only): List the VLAN ID numbers of VLANs allowed on the
mesh link.
Mesh Survivability
This feature is currently not supported and should only be enabled under the supervision of
Aruba technical support.
BC/MC Rate Optimization
Broadcast/Multicast Rate Optimization dynamically selects the rate for sending broadcast/
multicast frames on any BSS. This feature determines the optimal rate for sending broadcast
and multicast frames based on the lowest of the unicast rates across all associated clients.
When the Multicast Rate Optimization feature is enabled, the controller scans the list of all
associated stations in that BSS and finds the lowest transmission rate as indicated by the rate
adaptation state for each station. If there are no associated stations in the BSS, it selects the
lowest configured rate as the transmission rate for broadcast and multicast frames.
This feature is enabled by default. Multicast Rate Optimization applies to broadcast and
multicast frames only. 802.11 management frames are not affected by this feature and will be
transmitted at the lowest configured rate. When enabled, this setting dynamically adjusts the
multicast rate to that of the slowest connected mesh child. Multicast frames are not sent if there
are no mesh children.
Note: This feature should only be enabled on a BSS where all associated stations are sending
or receiving unicast data. If there is no unicast data to or from a particular station, then the rate
adaptation state may not accurately reflect the current sustainable transmission rate for that
station. This could result in a higher packet error rate for broadcast/multicast packets at that
station.
Default: Enabled.
5. Click Apply. The profile name appears in the Mesh Radio Profile list with your configured settings.
If you configure this for the AP group, this profile also becomes the selected radio profile used by the
mesh portal for your mesh network.
Assigning a Profile to a Mesh AP or AP Group
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.

• If you selected AP Group, click the Edit button by the AP group to which you want to assign a new
mesh radio profile.
• If you selected AP Specific, click the Edit button by the AP to which you want to assign a new mesh
radio profile.
2. Under the Profiles list, expand the Mesh menu, then select Mesh radio profile.
3. In the Profile Details window pane, click the Mesh radio profile drop-down list and select the desired
mesh radio profile from the list.
4. Click Apply. The profile name appears in the Mesh Radio Profile list with your configured settings. If
you configure this for the AP group, this profile also becomes the selected radio profile used by the mesh
portal for your mesh network.
Editing a Profile
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.

• If you selected the AP Group tab, click the Edit button by the AP group name with the profile you
want to edit.
• If you selected the AP Specific tab, click the Edit button by the AP with the profile you want to edit.
2. In the Profiles list, expand the Mesh menu, then select Mesh radio profile.
3. In the Profile Details window pane, click the Mesh radio profile drop-down list and select the name
of the profile you want to edit.
4. Change the mesh radio settings as desired. Table 42 describes the parameters you can configure in the
mesh radio profile.
5. Click Apply to save your changes.
Deleting a Profile
Use the following procedure to delete an existing mesh radio profile using the WebUI. You can delete a
mesh radio profile only if no other APs or AP groups are using that profile.
1. Navigate to the Configuration > Advanced Services > All Profiles window.
2. Expand the Mesh menu, then select Mesh radio profile. A list of mesh radio profiles appears in the
Profile Details window pane.
3. Click the Delete button by the name of the profile you want to delete.
Managing Mesh Profiles In the CLI
You must be in config mode to create, modify or delete a mesh radio profile using the CLI. Specify an
existing mesh profile with the <profile-name> parameter to modify an existing profile, or enter a new name
to create an entirely new profile.
Creating or Modifying a Profile
Configuration details and any default values for each of these parameters are described in Table 42 on page
236. If you do not specify a parameter for a new profile, that profile uses the default value for that
parameter. Put the no option before any parameter to remove the current value for that parameter and
return it to its default setting. Enter exit to leave the mesh radio profile mode.
ap mesh-radio-profile <profile-name>
a-tx-rates
allowed-vlans
children <children>
clone <source-profile-name>
g-tx-rates [1|2|5|6|9|11|12|18|24|36|48|54]
heartbeat-threshold <count>
hop-count <hop-count>
link-threshold <count>
max-retries <max-retries>
mesh-ht-ssid-profile
mesh-mcast-opt
metric-algorithm {best-link-rssi|distributed-tree-rssi}
mpv <vlan-id>
no
reselection-mode
rts-threshold <rts-threshold>
tx-power <tx-power>
You can also create a new mesh radio profile by copying the settings of an existing profile using the clone
parameter. Using the clone command to create a new profile makes it easier to keep constant attributes in
common within multiple profiles.
ap mesh-radio-profile <profile-name>
clone <source-profile-name>
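The profile semantics described above (a new profile starts from the Table 42 defaults, clone copies another profile's settings, no returns a parameter to its default, exit leaves the profile) can be exercised offline before anything is pushed to a controller. The following Python script is an added example, not ArubaOS code: it parses a constructed ap mesh-radio-profile fragment written in the command syntax listed above and lints the result against the documented ranges and option lists. Two things are this example's own assumptions rather than documented behaviour: the argument syntax for allowed-vlans and a-tx-rates (space-separated integers), and the check that the mesh private VLAN, which must carry control traffic only, does not also appear among the user VLANs allowed on the mesh link.

```python
"""Parse an ArubaOS-style `ap mesh-radio-profile` fragment and lint it against Table 42.

Added example; not ArubaOS code. Argument syntax for `allowed-vlans` and `a-tx-rates`
(space-separated integers) is assumed, not taken from the guide.
"""
import copy
import re

# Defaults documented in Table 42. a-tx-rates has no enumerated list in the guide,
# so it is left empty here, meaning "all rates".
DEFAULTS = {
    "children": 64,
    "hop-count": 8,
    "heartbeat-threshold": 10,
    "link-threshold": 12,
    "max-retries": 4,
    "rts-threshold": 2333,
    "mpv": 0,                               # 0 = mesh private VLAN disabled
    "metric-algorithm": "distributed-tree-rssi",
    "reselection-mode": "startup-subthreshold",
    "mesh-mcast-opt": True,                 # BC/MC rate optimization is enabled by default
    "g-tx-rates": [1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54],
    "a-tx-rates": [],
    "allowed-vlans": [],
}
RANGES = {
    "children": (1, 64),
    "hop-count": (1, 32),
    "heartbeat-threshold": (1, 255),
    "link-threshold": (10, 90),             # practical range; hardware dependent
    "max-retries": (0, 15),
    "rts-threshold": (256, 2346),
    "mpv": (0, 4094),
}
CHOICES = {
    "metric-algorithm": {"best-link-rssi", "distributed-tree-rssi"},
    "reselection-mode": {"reselect-anytime", "reselect-never",
                         "startup-subthreshold", "subthreshold-only"},
}
LIST_PARAMS = {"g-tx-rates", "a-tx-rates", "allowed-vlans"}
G_RATES = set(DEFAULTS["g-tx-rates"])


def parse_profiles(text):
    """Return {profile_name: settings}. A new profile starts from DEFAULTS, `clone` copies
    an existing profile, `no <param>` returns a parameter to its default, `exit` leaves."""
    profiles, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"ap mesh-radio-profile (\S+)", line)
        if m:
            cur = profiles.setdefault(m.group(1), copy.deepcopy(DEFAULTS))
            continue
        if line == "exit":
            cur = None
            continue
        if cur is None:
            raise ValueError(f"setting outside a profile: {line!r}")
        toks = line.split()
        if toks[0] == "no":
            # The on/off flag is the one exception: `no mesh-mcast-opt` turns the feature off.
            cur[toks[1]] = False if toks[1] == "mesh-mcast-opt" else copy.deepcopy(DEFAULTS[toks[1]])
        elif toks[0] == "clone":
            cur.update(copy.deepcopy(profiles[toks[1]]))   # source profile must already exist
        elif toks[0] == "mesh-mcast-opt":
            cur["mesh-mcast-opt"] = True
        elif toks[0] in LIST_PARAMS:
            cur[toks[0]] = [int(t) for t in toks[1:]]
        elif toks[0] in RANGES:
            cur[toks[0]] = int(toks[1])
        elif toks[0] in CHOICES:
            cur[toks[0]] = toks[1]
        else:
            raise ValueError(f"unknown mesh radio parameter: {toks[0]}")
    return profiles


def lint(settings):
    """Return a list of findings for one profile (empty list = clean)."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        if not lo <= settings[key] <= hi:
            findings.append(f"{key} {settings[key]} is outside {lo}-{hi}")
    for key, allowed in CHOICES.items():
        if settings[key] not in allowed:
            findings.append(f"{key} {settings[key]!r} is not one of {sorted(allowed)}")
    bad = [r for r in settings["g-tx-rates"] if r not in G_RATES]
    if bad:
        findings.append(f"g-tx-rates contains unsupported rate(s) {bad}")
    # Assumed rule: the mesh private VLAN is control-plane only, so it must not also be
    # one of the user VLANs allowed across the mesh link.
    if settings["mpv"] and settings["mpv"] in settings["allowed-vlans"]:
        findings.append(f"mesh private VLAN {settings['mpv']} is also an allowed user VLAN on the mesh link")
    return findings


# Constructed sample fragment; not exported from a real controller.
SAMPLE = """
ap mesh-radio-profile campus-outdoor
  children 16
  hop-count 40
  link-threshold 20
  mpv 3999
  allowed-vlans 100 200 3999
  g-tx-rates 6 12 24 7
  reselection-mode subthreshold-only
  exit
ap mesh-radio-profile campus-indoor
  clone campus-outdoor
  no hop-count
  no mpv
  no allowed-vlans
  exit
"""

if __name__ == "__main__":
    for name, settings in parse_profiles(SAMPLE).items():
        print(name, lint(settings) or "clean")
```

On the sample, campus-outdoor produces three findings (hop count 40 above the 1–32 range, an unsupported rate 7 in g-tx-rates, and private VLAN 3999 also listed as an allowed user VLAN). campus-indoor inherits the bad g-tx-rates list through clone, while its no hop-count, no mpv and no allowed-vlans lines return those three parameters to their defaults, leaving one finding.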
Viewing Profile Settings
To view a complete list of mesh radio profiles and their status:
show ap mesh-radio-profile
To view the settings of a specific mesh radio profile:
show ap mesh-radio-profile <name>
Assigning a Profile to an AP Group
To associate a mesh radio profile with an AP group, use the following commands. Note that a mesh radio
profile takes no priority value; priority is a property of the mesh cluster profile, and you must define it when
you add a mesh cluster profile to the AP group.
ap-group <group>
mesh-radio-profile <profile-name>
To associate a mesh radio profile with an individual AP:
ap-name <name>
mesh-radio-profile <profile-name>
The following examples assign the mesh cluster profiles cluster1 and cluster2 to two different AP groups.
In the AP group group1, cluster1 has a priority of 5, and cluster2 has a priority of 10, so cluster1 has the
higher priority. In the AP group group2, cluster1 has a priority of 10, and cluster2 has a priority of 5, so
cluster2 has the higher priority.
ap-group group1
mesh-cluster-profile cluster1 priority 5
mesh-cluster-profile cluster2 priority 10
ap-group group2
mesh-cluster-profile cluster1 priority 10
mesh-cluster-profile cluster2 priority 5
Deleting a Mesh Radio Profile
If no AP or AP group is using a mesh radio profile, you can delete that profile using the no parameter:
no ap mesh-radio-profile <profile-name>
RF Management (802.11a and 802.11g) Profiles
The two 802.11a and 802.11g RF management profiles for an AP configure its 802.11a (5 GHz) and 802.11b/g
(2.4 GHz) radio settings. You can either use the “default” version of each profile, or create a new 802.11a or
802.11g profile using the procedures below. Each RF management radio profile includes a reference to an
Adaptive Radio Management (ARM) profile. If you would like the ARM feature to dynamically select the
best channel and transmission power for the radio, verify that the RF management profile references an
active and enabled ARM profile. When ARM is active, it can be useful to set the Max Tx EIRP parameter in
the ARM profile to 127 (the maximum permissible power level) until ARM has determined the
signal-to-noise ratio on the mesh links.
If you want to manually select a channel for each AP group, create separate 802.11a and 802.11g profiles for
each AP group and assign a different transmission channel for each profile. For example, one AP group
could have an 802.11a profile that uses channel 36 and an 802.11g profile that uses channel 11, and another
AP group could have an 802.11a profile that uses channel 40 and an 802.11g profile that uses channel 9.
Managing 802.11a/802.11g Profiles In the WebUI
Use the following procedures to define and manage 802.11a and 802.11g RF management profiles via the
WebUI.
Creating a Profile
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.

• If you selected AP Group, click the Edit button by the AP group for which you want to create a new
RF management profile.
• If you selected AP Specific, click the Edit button by the AP for which you want to create a new RF
management profile.
2. In the Profiles list, expand the RF Management menu, then select either 802.11a radio profile or
802.11g radio profile.
3. If you selected 802.11a radio profile, click the 802.11a radio profile drop-down list in the Profile
Details window pane and select NEW.
-or-
If you selected 802.11g radio profile, click the 802.11g radio profile drop-down list in the Profile
Details window pane and select NEW.
4. Enter a name for your new 802.11a or 802.11g radio profile.
5. Configure the radio settings described in Table 43, then click Apply to save your settings. The profile
name appears in the Profile list with your configured settings.
Table 43 802.11a/802.11g RF Management Configuration Parameters
Parameter
Description
Radio Enable
Enable transmissions on this radio band.
Mode
Access Point operating mode. Available options are:
• am-mode: Air Monitor mode
• ap-mode: Access Point mode
• spectrum-mode: Spectrum Monitor mode
The default setting is ap-mode.
High throughput enable (Radio)
Enable/Disable high-throughput (802.11n) features on the radio. This option is enabled by
default.
Channel
Transmit channel for this radio. The available channels depend on the regulatory domain
(country). This parameter includes the following channel number configuration options for
20 MHz and 40 MHz modes:
• none: Select this option to disable 40 MHz mode and activate 20 MHz mode for the
entered channel.
• above: When you select this option, the number entered becomes the primary
channel and the secondary channel is determined by increasing the primary channel
number by 4. For example, if you entered 157 into the Channel field and selected the
above option, radios using that profile would select 157 as the primary channel and
161 as the secondary channel.
• below: When you select this option, the number entered becomes the primary
channel and the secondary channel is determined by decreasing the primary channel
number by 4. For example, if you entered 157 into the Channel field and selected the
below option, radios using that profile would select 157 as the primary channel and
153 as the secondary channel.
If you select the Spectrum Monitoring checkbox on this profile page, the AP will operate
as a hybrid AP and scan the selected channel for spectrum analysis data.
Beacon Period
Beacon Period for the AP in msec. The minimum value is 60 msec, and the default value
is 100 msec.
Beacon Regulate
Enable this setting to introduce randomness in the beacon generation so that multiple
APs on the same channel do not send beacons at the same time.
Transmit EIRP
Maximum transmit EIRP in dBm from 0 to 51 in .5 dBm increments, or 127 for regulatory
maximum. Transmit power may be further limited by regulatory domain constraints and
AP capabilities.
Advertise 802.11d and 802.11h Capabilities
Enable the radio to advertise its 802.11d (Country Information) and 802.11h (Transmit
Power Control) capabilities. This option is disabled by default.
TPC power
The transmit power advertised in the TPC IE of beacons and probe responses.
The supported range is 0-51 dBm, and the default value is 15 dBm.
Spectrum load balancing
The Spectrum Load Balancing feature helps optimize network resources by balancing
clients across channels, regardless of whether the AP or the controller is responding to
the wireless clients' probe requests.
If enabled, the controller compares whether or not an AP has more clients than its
neighboring APs on other channels. If an AP’s client load is at or over a predetermined
threshold as compared to its immediate neighbors, or if a neighboring Aruba AP on
another channel does not have any clients, load balancing will be enabled on that AP. This
feature is disabled by default. For details, see “Spectrum Load Balancing”.
Spectrum load balancing mode
The spectrum load balancing mode controls how clients are balanced. Select one of the
following options:
• channel: Channel-based load-balancing balances clients across channels. This is the
default load-balancing mode.
• radio: Radio-based load-balancing balances clients across APs.
Spectrum Load Balancing Interval
Specify how often spectrum load balancing calculations are made (in seconds). The
supported range is 1-2147483647 seconds and the default value is 30 seconds.
Spectrum Load Balancing threshold
If the spectrum load balancing feature is enabled, this parameter controls the percentage
difference in client count between channels that triggers load balancing. The
default value is 20%, meaning that spectrum load balancing is activated when there are
20% more clients on one channel than on another channel used by the AP radio.
Advertised Regulatory Max EIRP
Work around a known issue on Cisco 7921G telephones by specifying a cap for a radio’s
maximum equivalent isotropic radiated power (EIRP). When you enable this parameter,
even if the regulatory approved maximum for a given channel is higher than this EIRP
cap, the AP radio using this profile will advertise only this capped maximum EIRP in its
radio beacons.
The supported range is 1–31 dBm.
Spectrum Load Balancing Domain
Enter a spectrum load balancing domain name to manually create RF neighborhoods.
Use this option to create RF neighborhood information for networks that have disabled
Adaptive Radio Management (ARM) scanning and channel assignment.
• If spectrum load balancing is enabled in an 802.11a or 802.11g radio profile but the
spectrum load balancing domain is not defined, ArubaOS uses the ARM feature to
calculate RF neighborhoods.
• If spectrum load balancing is enabled in an 802.11a or 802.11g radio profile and a
spectrum load balancing domain is also defined, AP radios belonging to the same
spectrum load balancing domain will be considered part of the same RF
neighborhood for load balancing, and will not recognize RF neighborhoods defined by
the ARM feature.
RX Sensitivity Tuning Based Channel Reuse
In some dense deployments, it is possible for APs to hear other APs on the same
channel. This creates co-channel interference and reduces the overall utilization of the
channel in a given area. Channel reuse enables dynamic control over the receive (Rx)
sensitivity in order to improve spatial reuse of the channel.
This feature is disabled by default. To enable this feature, click the RX Sensitivity Tuning
Based Channel Reuse drop-down list and select either static or dynamic. To disable
this feature, click the RX Sensitivity Tuning Based Channel Reuse drop-down list and
select disable. For details on each of these modes, see “RX Sensitivity Tuning Based
Channel Reuse”.
Note: Do not enable the Channel Reuse feature if Non 802.11 Interference Immunity is set
to level 3 or higher. A level-3 to level-5 Noise Immunity setting is not compatible with the
Channel Reuse feature. The channel reuse feature applies to non-DFS channels only. It is
internally disabled for DFS channels and does not affect DFS radar signature detection.
RX Sensitivity Threshold
RX sensitivity tuning based channel reuse threshold, in -dBm.
If the RX Sensitivity Tuning Based Channel Reuse feature is set to static mode, this
parameter manually sets the AP’s Rx sensitivity threshold (in -dBm). The AP will filter
out and ignore weak signals that are below the channel threshold signal strength.
If the value for this parameter is set to zero, the feature will automatically determine an
appropriate threshold.
Non 802.11 Interference Immunity
Set a value for non-802.11 Interference Immunity.
The default setting for this parameter is level 2. When performance drops due to
interference from non-802.11 interferers (such as DECT or Bluetooth devices), the level
can be increased up to level 5 for improved performance. However, increasing the level
makes the AP slightly “deaf” to its surroundings, causing the AP to lose a small amount of
range.
The levels for this parameter are:
• Level 0: no ANI adaptation.
• Level 1: noise immunity only.
• Level 2: noise and spur immunity.
• Level 3: level 2 and weak OFDM immunity.
• Level 4: level 3 and FIR immunity.
• Level 5: disable PHY reporting.
Note: Do not raise the noise immunity feature’s default setting if the RX Sensitivity Tuning
Based Channel Reuse feature is also enabled. A level-3 to level-5 Noise Immunity setting
is not compatible with the Channel Reuse feature.
Enable CSA
Channel Switch Announcements (CSAs), as defined by IEEE 802.11h, enable an AP to
announce that it is switching to a new channel before it begins transmitting on that
channel. This allows clients that support CSA to transition to the new channel with
minimal downtime.
CSA Count
Number of channel switch announcements that must be sent prior to switching to a new
channel. The default CSA count is 4 announcements.
Management Frame Throttle Interval
Averaging interval for rate limiting management frames from this radio, in seconds. A
management frame throttle interval of 0 seconds disables rate limiting.
Management Frame Throttle Limit
Maximum number of management frames that can come in from this radio in each
throttle interval.
ARM/WIDS Override
If selected, this option disables Adaptive Radio Management (ARM) and Wireless IDS
functions and slightly increases packet processing performance. If a radio is configured
to operate in Air Monitor mode, then the ARM/WIDS override functions are always
enabled, regardless of whether or not this check box is selected.
Protection for 802.11b Clients
(For 802.11g RF Management Profiles only) Enable or disable protection for 802.11b
clients. This parameter is enabled by default. Disabling this feature may improve
performance if there are no 802.11b clients on the WLAN.
WARNING: Disabling protection violates the 802.11 standard and may cause
interoperability issues. If this feature is disabled on a WLAN with 802.11b clients, the
802.11b clients will not detect an 802.11g client talking and can potentially transmit at the
same time, thus garbling both frames.
Maximum Distance
Maximum client distance, in meters. This value is used to derive ACK and CTS timeout
times. A value of 0 specifies default settings for this parameter, where timeouts are only
modified for outdoor mesh radios, which use a distance of 16 km.
The upper limit for this parameter varies from 24–58 km, depending on the radio’s band (a/
g) and 20/40 MHz mode. Note that if you configure a value above the supported
maximum, the maximum supported value will be used instead. Values below 600 m will
use default settings.
Spectrum Monitoring
Select this option to convert APs using this radio profile to hybrid APs that continue
to serve clients as an Access Point, but also scan and analyze spectrum analysis data
for a single radio channel. For more details on hybrid APs, see “Spectrum Analysis” on
page 631.
ARM profile
Aruba's proprietary Adaptive Radio Management (ARM) technology maximizes WLAN
performance by dynamically and intelligently choosing the best 802.11 channel and
transmit power for each Aruba AP in its current RF environment.
Every RF management profile references an ARM profile. If you specify an active and
enabled ARM profile, you do not need to manually configure the Channel and Transmit
Power parameters for this 802.11a or 802.11g profile. For details on referencing an ARM
profile, see “Assigning an ARM Profile”.
The Adaptive Radio Management (ARM) profile associated with this 802.11a or 802.11g
radio profile appears beneath the 802.11a/802.11g radio profile name in the profiles list.
To change the ARM profile associated with an 802.11a or 802.11g radio profile, select the
associated ARM profile in the profiles list then click the drop-down list in the Profile
Details section of the page to select a new profile.
High-throughput radio profile
A high-throughput profile manages 40 MHz tolerance settings, and controls whether or
not APs using this profile will advertise intolerance of 40 MHz operation. (This option is
disabled by default, allowing 40 MHz operation.)
A high-throughput profile also determines whether an AP radio using the profile will stop
using the 40 MHz channels if surrounding APs or stations advertise 40 MHz intolerance.
This option is enabled by default. For details on referencing a high-throughput radio
profile, see “Assigning a High-throughput Profile”.
The high-throughput radio profile associated with this 802.11a or 802.11g radio profile
appears beneath the 802.11a/802.11g radio profile name in the profiles list. To change the
high-throughput radio profile associated with an 802.11a or 802.11g radio profile, select
the associated high-throughput radio profile in the profiles list then click the drop-down
list in the Profile Details section of the page to select a new profile.
Spectrum Monitoring Profile
The spectrum monitoring profile defines the spectrum band and device ageout times
used by a spectrum monitor radio.
The spectrum monitoring profile associated with this 802.11a or 802.11g radio profile
appears beneath the 802.11a/802.11g radio profile name in the profiles list. To change the
spectrum monitoring profile associated with an 802.11a or 802.11g radio profile, select
the associated spectrum monitoring profile in the profiles list then click the drop-down list
in the Profile Details section of the page to select a new profile.
AM Scanning Profile
The AM scanning profile associated with this 802.11a or 802.11g radio profile appears
beneath the 802.11a/802.11g radio profile name in the profiles list. To change the AM
scanning profile associated with an 802.11a or 802.11g radio profile, select the
associated AM scanning profile in the profiles list then click the drop-down list in the
Profile Details section of the page to select a new profile.
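Several of the Table 43 entries constrain one another: channel reuse must not be combined with interference immunity level 3 or higher, the above/below options derive the secondary channel from the primary, Transmit EIRP is limited to 0.5 dBm steps or the value 127, Maximum Distance is clamped at both ends, and a spectrum load balancing domain is what supplies RF neighborhood data when ARM scanning is off. The following Python script, an added example rather than ArubaOS code, turns those documented rules into a check you can run against a profile before applying it. The dict keys (tx_eirp, interference_immunity, slb_domain and so on) are this example's own names, not CLI parameters, and the rule that spectrum load balancing needs a domain when ARM scanning is disabled is an inference from the Spectrum Load Balancing Domain description rather than a stated requirement.

```python
"""Pre-deployment checks for an 802.11a/802.11g RF management profile, using the
constraints stated in Table 43.

Added example; not ArubaOS code. The profile is a plain dict whose keys are this
example's own names (tx_eirp, interference_immunity, ...), not CLI parameters.
"""

MODES = {"ap-mode", "am-mode", "spectrum-mode"}
CHANNEL_REUSE = {"disable", "static", "dynamic"}


def bonded_channels(primary, bonding):
    """Primary/secondary 20 MHz channels for the Channel parameter's none/above/below options."""
    if bonding == "none":
        return primary, None
    if bonding == "above":
        return primary, primary + 4
    if bonding == "below":
        return primary, primary - 4
    raise ValueError(f"unknown 40 MHz option {bonding!r}")


def valid_eirp(dbm):
    """Transmit EIRP: 0-51 dBm in 0.5 dBm increments, or 127 for the regulatory maximum."""
    return dbm == 127 or (0 <= dbm <= 51 and (dbm * 2) == int(dbm * 2))


def effective_max_distance(value_m, band_limit_m):
    """Maximum Distance: 0 or anything below 600 m keeps the default timeouts (None here);
    a value above the band's limit is replaced by that limit."""
    if value_m < 600:
        return None
    return min(value_m, band_limit_m)


def lint_rf_profile(p):
    """Return a list of findings; an empty list means every documented check passed."""
    findings = []
    if p["mode"] not in MODES:
        findings.append(f"mode {p['mode']!r} is not one of {sorted(MODES)}")
    if p["beacon_period_ms"] < 60:
        findings.append("beacon period must be at least 60 ms")
    if not valid_eirp(p["tx_eirp"]):
        findings.append(f"transmit EIRP {p['tx_eirp']} is not 0-51 dBm in 0.5 dBm steps or 127")
    if not 0 <= p["tpc_power"] <= 51:
        findings.append("TPC power must be 0-51 dBm")
    if p.get("advertised_max_eirp") is not None and not 1 <= p["advertised_max_eirp"] <= 31:
        findings.append("advertised regulatory max EIRP must be 1-31 dBm")
    if not 0 <= p["interference_immunity"] <= 5:
        findings.append("non-802.11 interference immunity must be level 0-5")
    if p["channel_reuse"] not in CHANNEL_REUSE:
        findings.append(f"channel reuse {p['channel_reuse']!r} is not one of {sorted(CHANNEL_REUSE)}")
    # Cross-parameter rule stated in both table entries: channel reuse conflicts with
    # interference immunity level 3 or higher.
    if p["channel_reuse"] != "disable" and p["interference_immunity"] >= 3:
        findings.append("RX sensitivity tuning based channel reuse is incompatible with "
                        "interference immunity level 3 or higher")
    # Assumption inferred from the domain description: with ARM scanning off and no
    # domain configured, nothing supplies RF neighborhood data for load balancing.
    if p["slb_enabled"] and not p["slb_domain"] and not p["arm_scanning"]:
        findings.append("spectrum load balancing needs a load balancing domain when ARM scanning is disabled")
    try:
        bonded_channels(p["channel"], p["channel_bonding"])
    except ValueError as exc:
        findings.append(str(exc))
    return findings


# Constructed sample profile; not exported from a controller.
SAMPLE_PROFILE = {
    "mode": "ap-mode",
    "channel": 157, "channel_bonding": "above",
    "beacon_period_ms": 100,
    "tx_eirp": 127, "tpc_power": 15, "advertised_max_eirp": None,
    "interference_immunity": 4, "channel_reuse": "dynamic",
    "slb_enabled": True, "slb_domain": "", "arm_scanning": False,
    "max_distance_m": 70000,
}

if __name__ == "__main__":
    print(bonded_channels(SAMPLE_PROFILE["channel"], SAMPLE_PROFILE["channel_bonding"]))
    print(effective_max_distance(SAMPLE_PROFILE["max_distance_m"], 58000))
    for finding in lint_rf_profile(SAMPLE_PROFILE):
        print("finding:", finding)
```

For the sample, bonded_channels returns (157, 161), the 70 km distance is clamped to the 58 km band limit passed in, and the lint reports two findings: immunity level 4 together with dynamic channel reuse, and spectrum load balancing enabled without a domain while ARM scanning is off. Lowering the immunity level to 2 and naming a domain clears both.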
Assigning an 802.11a/802.11g Profile
Use the following procedure to assign an 802.11a or 802.11g RF management profile to an AP group or
individual AP using the WebUI.
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.

• If you selected AP Group, click the Edit button by the AP group name to which you want to assign a
new 802.11a or 802.11g RF management profile.
• If you selected AP Specific, click the Edit button by the AP to which you want to assign a new
802.11a or 802.11g RF management profile.
2. Under the Profiles list, expand the RF management menu.
3. To select a 802.11a radio profile for an AP or AP group, click 802.11a radio profile. In the Profile
Details window pane, click the 802.11a radio profile drop-down list and select the desired profile
from the list
-or-
To select a 802.11g radio profile for an AP or AP group, click 802.11g radio profile. In the Profile
Details window pane, click the 802.11g radio profile drop-down list and select the desired profile from
the list
4. Click Apply. The profile name appears in the Profile list with your configured settings. If you configure
this for the AP group, this profile also becomes the selected 802.11a or 802.11g RF management profile
used by the mesh portal for your mesh network.
Assigning a High-throughput Profile
Each 802.11a or 802.11g RF management radio profile references a high-throughput profile that manages
the AP group’s 40Mhz tolerance settings. By default, an 802.11a profile references a high-throughput profile
named default-a and an 802.11g profile references a high-throughput profile named default-g. If you do
not want to use these default profiles, use the procedure below to reference a different high-throughput
profile for your 802.11a or 802.11g RF management profiles.
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.

• If you selected AP Group, click the Edit button by the AP group name to which you want to assign a
new high-throughput profile.
• If you selected AP Specific, click the Edit button by the AP to which you want to assign a new
high-throughput profile.
2. In the Profiles list, expand the RF Management menu.
3. To reference a new high-throughput profile for an 802.11a RF management profile, expand the 802.11a
radio profile menu, then select High-throughput radio profile.
-or-
To reference a new high-throughput profile for an 802.11g RF management profile, expand the 802.11g
radio profile menu, then select High-throughput radio profile.
4. The Profile Details pane appears and displays information for the currently referenced high-throughput
profile. Use this window pane to select a different high-throughput profile, or to create an
entirely new high-throughput profile for that 802.11a or 802.11g radio.
• To reference a different high-throughput profile, click the High-throughput Radio Profile drop-down
list and select a new profile name from the list. Click Apply to save your changes.
• To create a new high-throughput profile, click the High-throughput Radio Profile drop-down list
and select NEW.
a. Enter a name for the new high-throughput profile.
b. (Optional) Select 40 MHz intolerance if you want to enable 40 MHz intolerance. This
parameter controls whether or not APs using this high-throughput profile will advertise
intolerance of 40 MHz operation. By default, this option is disabled and 40 MHz operation is
allowed.
c. (Optional) Select honor 40 MHz intolerance to allow a radio using this profile to stop using
the 40 MHz channels if the 40 MHz intolerance indication is received from another AP or station.
This option is enabled by default.
d. Click Apply to save your settings.
5. The high-throughput profile name appears in the Profile list with your configured settings.
Assigning an ARM Profile
By default, an 802.11a or 802.11g profile references an ARM profile named default. Most network
administrators will find that this one default ARM profile is sufficient to manage all the Aruba APs on their
WLAN. If, however, you do not want to use this default ARM profile, use the procedure below to reference a
different ARM profile for your 802.11a or 802.11g RF management profiles.
246 | Secure Enterprise Mesh
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected AP Group, click the Edit button by the AP group name to which you want to assign a
new ARM profile.
• If you selected AP Specific, click the Edit button by the AP to which you want to assign a new ARM
profile.
2. Under the Profiles list, expand the RF Management menu.
3. To reference an ARM profile for an 802.11a radio profile, expand the 802.11a radio profile menu.
-or-
To reference an ARM profile for an 802.11g radio profile, expand the 802.11g radio profile menu.
4. The Profile Details pane appears and displays information for the currently referenced ARM profile.
You can now select a different profile, or create an entirely new ARM profile for that 802.11a or 802.11g
radio.
• To reference a different ARM profile, click the Adaptive Radio Management (ARM) Profile drop-down list and select a new profile name from the list. Click Apply to save your changes.
• To create a new ARM profile, click the Adaptive Radio Management (ARM) Profile drop-down
list and select NEW.
a. Enter a name for your new ARM profile.
b. (Optional) If you are not configuring ARM for a mesh node, select 40 MHz intolerance if you
want to enable 40 MHz intolerance. This parameter controls whether or not APs using this profile will advertise intolerance of 40 MHz operation. By default, this option is
disabled and 40 MHz operation is allowed.
c. (Optional) If you are not configuring ARM for a mesh node, select honor 40 MHz intolerance to
allow a radio using this profile to stop using the 40 MHz channels if the 40 MHz intolerance
indication is received from another AP or station. This option is enabled by default.
5. Click Apply to save your settings.
The ARM profile name appears in the Profile list with your configured settings. If you configured this profile
for the AP group, this ARM profile becomes part of the selected 802.11a or 802.11g RF management profile
used by the mesh portal for your mesh network.
Editing an 802.11a/802.11g Profile
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected AP Group, click the Edit button by the AP group name using the 802.11a or 802.11g
RF management profile you want to edit.
• If you selected AP Specific, click the Edit button by the AP using the 802.11a or 802.11g RF
management profile you want to edit.
2. Under the Profiles list, expand the RF menu.
3. To edit an 802.11a radio profile for an AP or AP group, click 802.11a radio profile. In the Profile
Details window pane, click the 802.11a radio profile drop-down list and select the desired profile
from the list.
-or-
To edit an 802.11g radio profile for an AP or AP group, click 802.11g radio profile. In the Profile
Details window pane, click the 802.11g radio profile drop-down list and select the desired profile from
the list.
4. Change the profile settings as desired. Table 43 describes the parameters you can configure in the mesh
802.11a or 802.11g RF management profile.
5. Click Apply to save your changes.
Deleting a Profile
You can delete an 802.11a or 802.11g radio profile only if no APs or AP groups are associated with that
profile. To delete an 802.11a or 802.11g radio profile using the WebUI:
1. Navigate to the Configuration > Advanced Services > All Profiles window.
2. Expand the RF menu, then select 802.11a radio profile or 802.11g radio profile. A list of profiles of
the specified type appears in the Profile Details window pane.
3. Click the Delete button by the name of the profile you want to delete.
Managing 802.11a/802.11g Profiles In the CLI
You must be in config mode to create, modify or delete an 802.11a or 802.11g RF management radio profile
using the CLI. Specify an existing radio profile with the <profile-name> parameter to modify an existing
profile, or enter a new name to create an entirely new profile.
Creating or Modifying a Profile
Configuration details and any default values for each of these parameters are described in Table 43 on page
241. This CLI command also allows you to reference an ARM profile and high-throughput radio profile for
the 802.11a or 802.11g radio. If you do not specify a parameter for a new profile, that profile uses the default
value for that parameter. Put the no option before any parameter to remove the current value for that
parameter and return it to its default setting. Enter exit to leave the 802.11a or 802.11g profile mode.
rf dot11a-radio-profile|dot11g-radio-profile <profile-name>
am-scan-profile
arm-profile
beacon-period
beacon-regulate
cap-reg-eirp
channel
channel-reuse
channel-reuse-threshold
clone
csa
csa-count
disable-arm-wids-function
dot11b-protection (for 802.11g radio profiles only)
dot11h
high-throughput-enable
ht-radio-profile
interference-immunity
maximum-distance
mgmt-frame-throttle-interval
mgmt-frame-throttle-limit
mode {ap-mode|am-mode|spectrum-mode}
no
radio-enable
slb-mode
slb-threshold
slb-update-interval
spectrum-load-bal-domain
spectrum-load-balancing
spectrum-monitoring
spectrum-profile
tpc-power
tx-power
You can also create a new 802.11a or 802.11g RF management profile by copying the settings of an existing
profile using the clone parameter. Using the clone command to create a new profile makes it easier to
keep constant attributes in common within multiple profiles.
rf dot11a-radio-profile <profile-name>
clone <source-profile-name>
rf dot11g-radio-profile <profile-name>
clone <source-profile-name>
Viewing RF Management Settings
To view a complete list of 802.11a or 802.11g RF management profiles and their status:
show rf dot11a-radio-profile|dot11g-radio-profile
To view the settings of a specific RF management profile:
show rf dot11a-radio-profile|dot11g-radio-profile <profile-name>
Assigning an 802.11a/802.11g Profile
To assign an 802.11a or 802.11g RF management profile to an AP group:
ap-group <group> dot11a-radio-profile <profile-name>
-or-
ap-group <group> dot11g-radio-profile <profile-name>
To assign an 802.11a or 802.11g RF management profile to an individual AP:
ap-name <name> dot11a-radio-profile <profile-name>
-or-
ap-name <name> dot11g-radio-profile <profile-name>
Deleting a Profile
If no AP or AP group is using an RF management profile, you can delete that profile using the no parameter:
no rf dot11a-radio-profile <profile-name>
Mesh High-Throughput SSID Profiles
The mesh high-throughput SSID profile defines settings unique to 802.11n-capable, high-throughput APs. If
none of the APs in your mesh deployment are 802.11n-capable APs, you do not need to configure a high-throughput SSID profile.
If you modify a currently provisioned and running high-throughput SSID profile, your changes take effect
immediately. You do not reboot the controller or the AP.
Managing Profiles In the WebUI
Use the following procedures to manage your high-throughput SSID profiles using the WebUI.
Creating a Profile
To create a high-throughput SSID profile:
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected AP Group, click the Edit button by the AP group for which you want to create the
new high-throughput SSID profile.
• If you selected AP Specific, click the Edit button by the AP for which you want to create the new high-throughput SSID profile.
2. In the Profiles list, expand the Mesh menu, then select Mesh High-throughput SSID profile.
3. In the Profile Details window pane, click the Mesh High-throughput SSID profile drop-down list
and select NEW.
4. Enter a name for the new profile.
5. Configure the high-throughput SSID described in Table 44, then click Apply to save your settings. The
profile name appears in the Mesh High-throughput SSID Profile list with your configured settings.
Table 44 Mesh High-Throughput SSID Profile Configuration Parameters

Mesh high-throughput SSID profile
  Enter the name of an existing mesh high-throughput SSID profile to modify that profile, or enter a new
  name to create a new mesh high-throughput profile. The mesh high-throughput profile name can have a
  maximum of 32 characters. To view existing high-throughput SSID profiles, use the command: show ap
  mesh-ht-ssid-profile.

High throughput enable (SSID)
  Enable or disable high-throughput (802.11n) features on this SSID. This parameter is enabled by default.

40 MHz channel usage
  Enable or disable the use of 40 MHz channels. This parameter is enabled by default.

Low-density Parity Check
  If enabled, the AP will advertise Low-density Parity Check (LDPC) support. LDPC improves data
  transmission over radio channels with high levels of background noise.

MPDU Aggregation
  Enable or disable MAC protocol data unit (MPDU) aggregation.
  High-throughput mesh APs are able to send aggregated MAC protocol data units (MPDUs), which allow an
  AP to receive a single block acknowledgment instead of multiple ACK signals. This option, which is
  enabled by default, reduces network traffic overhead by effectively eliminating the need to initiate a
  new transfer for every MPDU.

Max transmitted A-MPDU size
  Maximum size of a transmitted aggregate MPDU, in bytes. Range: 1576–65535.

Max received A-MPDU size
  Maximum size of a received aggregate MPDU, in bytes. Allowed values: 8191, 16383, 32767, 65535.

Min MPDU start spacing
  Minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds. Allowed
  values: 0 (no restriction on MPDU start spacing), .25 μsec, .5 μsec, 1 μsec, 2 μsec, 4 μsec.

Supported MCS set
  A list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this SSID. The
  MCS you choose determines the channel width (20 MHz vs. 40 MHz) and the number of spatial streams used
  by the mesh node. The default value is 1–15; the complete set of supported values. To specify a smaller
  range of values, enter a hyphen between the lower and upper values. To specify a series of different
  values, separate each value with a comma.
  Examples:
  2–10
  1,3,6,9,12
  Range: 0–15.

Short guard interval in 20 MHz mode
  Enable or disable use of the short (400 ns) guard interval for an AP-130 Series AP in 20 MHz mode. This
  parameter is enabled by default.
  A guard interval is a period of time between transmissions that allows reflections from the previous
  data transmission to settle before an AP transmits data again. An AP identifies any signal content
  received inside this interval as unwanted inter-symbol interference, and rejects that data. The 802.11n
  standard specifies two guard intervals: 400 ns (short) and 800 ns (long). Enabling a short guard
  interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor
  deployments may, however, require a longer guard interval. If the short guard interval does not allow
  enough time for reflections to settle in your mesh deployment, inter-symbol interference values may
  increase and degrade throughput.

Short guard interval in 40 MHz mode
  Enable or disable use of the short (400 ns) guard interval in 40 MHz mode. This parameter is enabled by
  default. The guard interval considerations described for 20 MHz mode apply here as well.

Maximum number of spatial streams usable for STBC reception
  Controls the maximum number of spatial streams usable for STBC reception. 0 disables STBC reception, 1
  uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the AP-90 Series, AP-130
  Series, AP-68, AP-175 and AP-105 only. The configured value will be adjusted based on AP capabilities.)

Maximum number of spatial streams usable for STBC transmission
  Controls the maximum number of spatial streams usable for STBC transmission. 0 disables STBC
  transmission, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the AP-90
  Series, AP-175, AP-130 Series and AP-105 only. The configured value will be adjusted based on AP
  capabilities.)

Legacy stations
  Allow or disallow associations from legacy (non-HT) stations. By default, this parameter is enabled
  (legacy stations are allowed).
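The value constraints in Table 44 (MCS indices 0–15, the four allowed receive A-MPDU sizes, the transmit A-MPDU range and the MPDU start-spacing steps) are easy to get wrong when a profile is scripted rather than clicked through the WebUI. The following Python is an added example, not ArubaOS code or an Aruba tool: it expands a supported-mcs-set string into MCS indices, derives the spatial-stream count that set implies, and checks a profile dictionary keyed by the ap mesh-ht-ssid-profile CLI keywords from this chapter. The dictionary layout and the sample profile name mesh-ht-outdoor are assumptions made for the example, and the mixed range-and-list form such as 0-3,8-11 goes beyond the two forms Table 44 shows.

```python
"""Check mesh high-throughput SSID profile values against the Table 44 constraints.

Added example, not ArubaOS code. Keys follow the `ap mesh-ht-ssid-profile` CLI
keywords on the page; the validation logic itself is an assumption for this example.
"""
import re

MCS_MIN, MCS_MAX = 0, 15                        # supported-mcs-set range
RX_AMPDU_ALLOWED = {8191, 16383, 32767, 65535}  # max-rx-a-mpdu-size allowed values
TX_AMPDU_RANGE = (1576, 65535)                  # max-tx-a-mpdu-size range, bytes
MPDU_SPACING_ALLOWED = {0, 0.25, 0.5, 1, 2, 4}  # min-mpdu-start-spacing, microseconds


def parse_mcs_set(spec):
    """Expand a supported-mcs-set string into a sorted list of MCS indices.

    Accepts the two forms in Table 44 ('2-10', '1,3,6,9,12') and, generalising
    slightly, a mix of both ('0-3,8-11'). An en dash is treated as a hyphen so
    values copied from documentation still parse.
    """
    indices = set()
    for part in spec.replace("\u2013", "-").split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError("bad MCS element %r in %r" % (part, spec))
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError("descending MCS range %r" % part)
        if lo < MCS_MIN or hi > MCS_MAX:
            raise ValueError("MCS %r outside %d-%d" % (part, MCS_MIN, MCS_MAX))
        indices.update(range(lo, hi + 1))
    return sorted(indices)


def spatial_streams(indices):
    """Spatial streams the MCS set requires: 802.11n MCS 0-7 use one stream, 8-15 use two."""
    return max(i // 8 + 1 for i in indices)


def validate_ht_profile(params):
    """Return human-readable problems for a profile dict; unknown keys are ignored."""
    problems = []
    name = params.get("name", "")
    if not 1 <= len(name) <= 32:
        problems.append("profile name must be 1-32 characters")
    mcs = params.get("supported-mcs-set")
    if mcs is not None:
        try:
            parse_mcs_set(mcs)
        except ValueError as exc:
            problems.append("supported-mcs-set: %s" % exc)
    rx = params.get("max-rx-a-mpdu-size")
    if rx is not None and rx not in RX_AMPDU_ALLOWED:
        problems.append("max-rx-a-mpdu-size %r not in %s" % (rx, sorted(RX_AMPDU_ALLOWED)))
    tx = params.get("max-tx-a-mpdu-size")
    if tx is not None and not TX_AMPDU_RANGE[0] <= tx <= TX_AMPDU_RANGE[1]:
        problems.append("max-tx-a-mpdu-size %r outside %d-%d" % ((tx,) + TX_AMPDU_RANGE))
    spacing = params.get("min-mpdu-start-spacing")
    if spacing is not None and spacing not in MPDU_SPACING_ALLOWED:
        problems.append("min-mpdu-start-spacing %r not in %s"
                        % (spacing, sorted(MPDU_SPACING_ALLOWED)))
    return problems


if __name__ == "__main__":
    # Constructed sample profile (name and values are assumptions for the example).
    sample = {"name": "mesh-ht-outdoor", "supported-mcs-set": "0-7",
              "max-rx-a-mpdu-size": 65535, "max-tx-a-mpdu-size": 65535,
              "min-mpdu-start-spacing": 0.5}
    print("problems:", validate_ht_profile(sample))
    print("streams:", spatial_streams(parse_mcs_set(sample["supported-mcs-set"])))
```

Run the checks on a profile before pushing it; a non-empty list means the controller would either reject the value or silently fall back to a default, which is the harder failure to notice in a mesh that is already carrying traffic.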
Assigning a Profile to an AP Group
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected AP Group, click the Edit button by the AP group name to which you want to assign a
new high-throughput SSID profile.
• If you selected AP Specific, click the Edit button by the AP to which you want to assign a new high-throughput SSID profile.
2. Under the Profiles list, expand the Mesh menu, then select Mesh High-throughput SSID profile.
3. In the Profile Details window pane, click the Mesh High-throughput SSID profile drop-down list
and select the desired profile from the list.
4. Click Apply. The profile name appears in the Mesh High-throughput SSID Profile list with your
configured settings. If you configure this for the AP group, this profile also becomes the selected high-throughput SSID profile used by the mesh portal for your mesh network.
Editing a Profile
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected the AP Group tab, click the Edit button by the AP group name with the profile you
want to edit.
• If you selected the AP Specific tab, click the Edit button by the AP with the profile you want to edit.
2. In the Profiles list, expand the Mesh menu, then select Mesh High-throughput SSID profile.
3. In the Profile Details window pane, click the Mesh High-throughput SSID profile drop-down list
and select the name of the profile you want to edit.
4. Change the settings as desired. Table 44 describes the parameters you can configure in this profile.
5. Click Apply to save your changes.
Deleting a Profile
You can delete a mesh high-throughput SSID profile only if no APs or AP groups are associated with that
profile.
1. Navigate to the Configuration > Advanced Services > All Profiles window.
2. Expand the Mesh menu, then select Mesh High-throughput SSID profile. A list of high-throughput
SSID profiles appears in the Profile Details window pane.
3. Click the Delete button by the name of the profile you want to delete.
Managing Profiles In the CLI
You must be in config mode to create, modify or delete a mesh high-throughput SSID profile using the CLI.
Specify an existing high-throughput SSID profile with the <profile-name> parameter to modify an existing
profile, or enter a new name to create an entirely new profile.
Creating or Modifying a Profile
Configuration details and any default values for each of these parameters are described in Table 44 on page
250. If you do not specify a parameter for a new profile, that profile uses the default value for that
parameter. Put the no option before any parameter to remove the current value for that parameter and
return it to its default setting. Enter exit to leave the mesh high-throughput SSID profile mode.
ap mesh-ht-ssid-profile <profile-name>
40MHz-enable
clone
high-throughput-enable
legacy-stations
max-rx-a-mpdu-size
max-tx-a-mpdu-size
min-mpdu-start-spacing
mpdu-agg
no
short-guard-intvl-20mhz
short-guard-intvl-40mhz
stbc-rx-streams
stbc-tx-streams
supported-mcs-set
You can also create a new mesh high-throughput SSID profile by copying the settings of an existing profile
using the clone parameter. Using the clone command to create a new profile makes it easier to keep
constant attributes in common within multiple profiles.
ap mesh-ht-ssid-profile <profile-name> clone <source-profile-name>
Assigning a Profile to an AP Group
To associate a mesh high-throughput SSID profile with an AP group:
ap-group <group> mesh-ht-ssid-profile <profile-name>
To associate a mesh high-throughput SSID profile with an individual AP:
ap-name <name> mesh-ht-ssid-profile <profile-name>
Viewing High-throughput SSID Settings
To view a complete list of high-throughput profiles and their status:
show ap mesh-ht-ssid-profile
To view the settings of a specific high-throughput profile:
show ap mesh-ht-ssid-profile <profile-name>
Deleting a Profile
If no AP or AP group is using a mesh high-throughput SSID profile, you can delete that profile using the no
parameter:
no ap mesh-ht-ssid-profile <profile-name>
Mesh Cluster Profiles
The mesh cluster configuration gets pushed from the controller to the mesh portal and the other mesh
points, which allows them to inherit the characteristics of the mesh cluster of which they are a member.
Mesh nodes are grouped according to a mesh cluster profile that contains the MSSID, authentication
methods, security credentials, and cluster priority. Cluster profiles, including the “default” profile, are not
applied until you provision your APs for mesh.
Since the mesh cluster profile provides the framework of the mesh network, you must define and configure
the mesh cluster profile before configuring an AP to operate as a mesh node. You can use either the
“default” cluster profile or create your own. If you find it necessary to define more than one mesh cluster
profile, you must assign priorities to each profile to allow the Mesh AP group to identify the primary and
backup mesh cluster profile(s). The primary mesh cluster profile and each backup mesh cluster profile
must be configured to use the same RF channel. The APs may not provision correctly if they are assigned to
a backup mesh cluster profile with a different RF channel than the primary mesh cluster profile.
If the mesh cluster profile is unavailable, the mesh node can revert to the recovery profile to bring up the
mesh network until the cluster profile is available. You can also exclude one or more mesh cluster profiles
from an individual AP; this prevents a mesh cluster profile defined at the AP group level from being
applied to a specific AP.
Do not delete or modify mesh cluster profiles once you use them to provision mesh nodes. You can recover
the mesh point if the original cluster profile is still available. Aruba recommends creating a new mesh
cluster profile if needed. If you modify any mesh cluster setting, you must reprovision your AP for the
changes to take effect (this also causes the AP to automatically reboot). See “Provisioning Mesh Nodes” for
more information.
Deployments with Multiple Mesh Cluster Profiles
If you configure multiple cluster profiles with different cluster priorities, you manually override the link
metric algorithm because the priority takes precedence over the path cost. In this scenario, the mesh portal
uses the profile with the highest priority to bring up the mesh network. The mesh portal stores and
advertises that one profile to neighboring mesh nodes to build the mesh network. This profile is known as
the “primary” cluster profile. Mesh points, in contrast, go through the list of configured mesh cluster
profiles in order of priority to find the profile being advertised by the mesh portal. Once the primary profile
has been identified, the other profiles are considered “backup” cluster profiles. Use this deployment if you
want to enforce a particular mesh topology rather than allowing the link metric algorithm to determine the
topology.
For this scenario, do the following:
• Configure multiple mesh cluster profiles with different priorities. The primary cluster profile has a lower
priority number, which gives it a higher priority.
• Configure the mesh radio profile.
• Create an AP group for 802.11a radios and 802.11g radios.
• Configure the 802.11a or 802.11g RF management profiles for each AP group.
• If your deployment includes high-throughput APs, configure the mesh high-throughput SSID profile. The
mesh radio profile will use the default high-throughput SSID profile unless you specifically configure the
mesh radio profile to use a different high-throughput SSID profile.
• Create an AP group for each 802.11a channel.
If a mesh link breaks or the primary cluster profile is unavailable, mesh nodes use the highest priority
backup cluster profile to re-establish the uplink or check for parents in the backup profiles. If these profiles
are unavailable, the mesh node can revert to the recovery profile to bring up the mesh network until a
cluster profile is available. For a sample configuration, see “show ap mesh topology”.
Managing Mesh Cluster Profiles In the WebUI
Use the following procedures to define and manage mesh cluster profiles using the WebUI.
Creating a Profile
1. Navigate to the Configuration > Wireless > AP Configuration window. Select the AP Group or AP
Specific tab.
• If you selected AP Group, click the Edit button by the AP group name for which you want to create
the new mesh cluster profile.
• If you selected AP Specific, click the Edit button by the AP for which you want to create the new mesh
cluster profile.
2. In the Profiles list, expand the Mesh menu, then select Mesh Cluster profile.
3. In the Profile Details window pane, click the Add a profile drop-down list and select NEW.
4. Enter a name for the new profile.
5. Configure the mesh cluster settings described in Table 45, then click Apply to save your settings.
Table 45 Mesh Cluster Profile Configuration Parameters

Profile Name
  Name of the mesh cluster profile. The name must be 1–63 characters.
  Default: Mesh cluster profile named “default.”

Cluster Name
  Indicates the mesh cluster name. The name can have a maximum of 32 characters, and is used as the MSSID
  for the mesh cluster. When you first create a new mesh cluster profile, the profile uses the default
  cluster name “Aruba-mesh”. Use the Cluster Name parameter to define a new, unique MSSID before you
  assign APs or AP groups to the mesh cluster profile.
  Note: Each mesh cluster profile should have a unique MSSID. Configure a new MSSID before you apply the
  mesh cluster profile.
  Note: If you want a mesh cluster to use WPA2-PSK-AES encryption, do not use spaces in the mesh cluster
  name, as this may cause errors in mesh points associated with that mesh cluster.
  To view existing mesh cluster profiles, use the CLI command: show ap mesh-cluster-profile.
  A mesh portal chooses the best cluster profile and provisions it for use. A mesh point can have a
  maximum of 16 cluster profiles.
  Default: Mesh cluster named “Aruba-mesh.”

RF Band
  Indicates the band for mesh operation for multiband radios. Select a or g.
  Important: If you create more than one mesh cluster profile for an AP or AP group, each mesh cluster
  profile must use the same band.

Encryption
  Configures the data encryption, which can be either opensystem (no authentication or encryption) or
  wpa2-psk-aes (WPA2 with AES encryption using a preshared key).
  Aruba recommends selecting wpa2-psk-aes and using the wpa-passphrase parameter to select a passphrase.
  Keep the passphrase in a safe place.
  Default: opensystem.

WPA Hexkey
  Configures a WPA pre-shared key. This key must be 64 hexadecimal characters.

WPA Passphrase
  Sets the WPA password that generates the PSK. The passphrase must be between 8 and 63 characters,
  inclusive.

Priority
  Indicates the priority of the cluster profile.
  The mesh cluster priority determines the order by which the mesh cluster profiles are used. This allows
  you, rather than the link metric algorithm, to control the network topology by defining the cluster
  profiles to use if one becomes unavailable.
  Specify the cluster priority when creating a new profile or adding an existing profile to a mesh
  cluster. If more than two mesh cluster profiles are configured, mesh points use the priority numbers to
  identify primary and backup profile(s).
  Note: The lower the number, the higher the priority. Therefore, the profile with the lowest number is
  the primary profile. Each profile must use a unique priority value to ensure a deterministic mesh path.
  Default: 1 for the “default” mesh cluster profile and all user-created cluster profiles. The recovery
  profile has a priority of 255 (this is not a user-configured profile). The range is 1–16.
Associating a Profile to Mesh APs
Use the following procedure to associate a mesh cluster profile to a group of mesh APs or an individual
mesh AP using the WebUI. If you configure multiple cluster profiles with different cluster priorities, you
manually override the link metric algorithm because the priority takes precedence over the path cost. In
this scenario, the mesh portal uses the profile with the highest priority to bring-up the mesh network.
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected AP Group, click the Edit button by the AP group name to which you want to assign a
new mesh cluster profile.
• If you selected AP Specific, click the Edit button by the AP to which you want to assign a new mesh
cluster profile.
2. Under the Profiles list, expand the Mesh menu, then select Mesh Cluster profile.
3. In the Profile Details window pane, click the Mesh Cluster profile drop-down list and select New.
• To add an existing mesh cluster profile to the selected AP group, click the Add a profile drop-down
list and select a profile name from the list.
• To create a new mesh cluster profile for the selected AP group, click the Add a profile drop-down list
and select NEW. Enter a name for the new mesh cluster profile.
4. Click the using priority drop-down list to select a priority for the mesh cluster profile. The lower the
number, the higher the priority.
5. Click Add to add the mesh cluster profile to the AP group.
6. Click Apply. The profile name appears in the mesh cluster profile list with your configured settings. If
you configure this for the AP group, this profile also becomes the mesh cluster profile used by the mesh
portal for your mesh network.
Editing a Profile
If you modify any mesh cluster profile setting, you must reprovision your AP. For example, if you change
the priority of a cluster profile from 5 to 2, you must reprovision the AP before you can assign priority 5 to
another cluster profile. Reprovisioning the AP causes it to automatically reboot. For more information, see
“Provisioning Mesh Nodes”.
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected the AP Group tab, click the Edit button by the AP group name with the profile you
want to edit.
• If you selected the AP Specific tab, click the Edit button by the AP with the profile you want to edit.
2. In the Profiles list, expand the Mesh menu, then select Mesh Cluster profile.
3. In the Profile Details window pane, click the Mesh Cluster profile drop-down list and select the
name of the profile you want to edit.
4. Change the mesh cluster settings as desired. Table 45 describes the parameters you can configure
in the mesh cluster profile.
Note: A mesh cluster profile configured with wpa2-psk-aes encryption must have a defined WPA hexkey or a WPA
passphrase (or both). If you have configured one encryption type but not the other, and want to switch from a
hexkey to a passphrase or vice versa, you must add the new encryption type, click Apply, then remove the
encryption type you no longer want and click Apply again. You cannot delete one encryption type and add a
different type in a single step.
5. Click Apply to save your changes.
Deleting a Mesh Cluster Profile
You can delete a mesh cluster profile only if no APs or AP groups are associated with that profile.
1. Navigate to the Configuration > Advanced Services > All Profiles window.
2. Expand the Mesh menu, then select Mesh Cluster profile. A list of mesh cluster profiles
appears in the Profile Details window pane.
3. Click the Delete button by the name of the profile you want to delete.
Managing Mesh Cluster Profiles In the CLI
You must be in config mode to create, modify or delete a mesh cluster profile using the CLI. Specify an
existing mesh cluster profile with the <profile-name> parameter to modify an existing profile, or enter a
new name to create an entirely new profile.
Configuration details and any default values for each of these parameters are described in Table 45 on page
254. If you do not specify a parameter for a new profile, that profile uses the default value for that
parameter.
Use the no option before any parameter to remove the current value for that parameter and return it to its
default setting. Enter exit to leave the mesh cluster profile mode.
ap mesh-cluster-profile <profile>
clone <profile>
cluster <name>
no ...
opmode [opensystem | wpa2-psk-aes]
rf-band {a | g}
wpa-hexkey <wpa-hexkey>
wpa-passphrase <wpa-passphrase>
The following examples create and configure the mesh cluster profiles cluster1 and cluster2.
ap mesh-cluster-profile cluster1
cluster corporate
opmode wpa2-psk-aes
wpa-passphrase mesh_123
rf-band a
ap mesh-cluster-profile cluster2
cluster corporate
opmode wpa2-psk-aes
wpa-passphrase mesh_123
rf-band a
You can also create a new mesh cluster profile by copying the settings of an existing profile using the clone
parameter. Using the clone command to create a new profile makes it easier to keep constant attributes in
common within multiple profiles.
ap mesh-cluster-profile <profile-name>
clone <source-profile-name>
Viewing Mesh Cluster Profile Settings
To view a complete list of mesh cluster profiles and their status:
show ap mesh-cluster-profile
To view the settings of a specific mesh cluster profile:
show ap mesh-cluster-profile <profile-name>
Associating Mesh Cluster Profiles
The following commands associate a mesh cluster profile to an AP group or an individual AP. For
deployments with multiple mesh clusters, you must also configure the profile’s priority. Remember, the
lower the priority number, the higher the priority. The mesh cluster priority determines the order in which
the mesh cluster profiles are used. This allows you, rather than the link metric algorithm, to control the
network topology by defining which cluster profile to use if another becomes unavailable.
To associate a mesh cluster profile to an AP group in a single-cluster deployment:
ap-group <group> mesh-cluster-profile <profile-name>
To associate a mesh cluster profile to an individual AP in a single-cluster deployment:
ap-name <name> mesh-cluster-profile <profile-name>
To associate a mesh cluster profile to an AP group in a multiple-cluster deployment:
ap-group <group> mesh-cluster-profile <profile-name> priority <priority>
To associate a mesh cluster profile to an individual AP in a multiple-cluster deployment:
ap-name <name> mesh-cluster-profile <profile-name> priority <priority>
Example:
ap-group group1
  mesh-cluster-profile cluster1 priority 5
  mesh-cluster-profile cluster2 priority 10
ap-group group2
  mesh-cluster-profile cluster1 priority 10
  mesh-cluster-profile cluster2 priority 5
  mesh-radio-profile channel2
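The cluster profile examples and the priority rules above, turned into a small Python helper. This is an added example, not ArubaOS code or output: it renders the ap mesh-cluster-profile and ap-group blocks from plain data and checks the points the text makes (opensystem leaves the mesh backhaul unencrypted, a wpa2-psk-aes profile needs a key, priorities in a multi-cluster AP group must be distinct, lower number first). The 8-63 character passphrase and 64 hex digit key bounds are the WPA2-PSK conventions, not something this page states, and the profile and group names other than cluster1/cluster2/corporate are made up.

```python
"""Render and sanity-check ArubaOS mesh cluster profiles and AP-group priorities.

Added example (not ArubaOS code). Profile and group names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MeshClusterProfile:
    name: str
    cluster: str                              # cluster <name> (the mesh cluster ID)
    opmode: str = "wpa2-psk-aes"              # opmode [opensystem | wpa2-psk-aes]
    rf_band: str = "a"                        # rf-band {a | g}
    wpa_passphrase: Optional[str] = None      # wpa-passphrase <wpa-passphrase>
    wpa_hexkey: Optional[str] = None          # wpa-hexkey <wpa-hexkey>

    def render(self) -> str:
        """Emit the CLI block as it would be typed in config mode."""
        lines = [f"ap mesh-cluster-profile {self.name}",
                 f"  cluster {self.cluster}",
                 f"  opmode {self.opmode}",
                 f"  rf-band {self.rf_band}"]
        if self.wpa_passphrase is not None:
            lines.append(f"  wpa-passphrase {self.wpa_passphrase}")
        if self.wpa_hexkey is not None:
            lines.append(f"  wpa-hexkey {self.wpa_hexkey}")
        lines.append("  exit")
        return "\n".join(lines)


def lint_profile(p: MeshClusterProfile) -> List[str]:
    """Return human-readable problems with one profile (empty list = OK)."""
    issues = []
    if p.opmode == "opensystem":
        # opensystem means no encryption on the mesh backhaul at all.
        issues.append(f"{p.name}: opensystem leaves the mesh backhaul unencrypted")
    elif p.opmode == "wpa2-psk-aes":
        if p.wpa_passphrase is None and p.wpa_hexkey is None:
            issues.append(f"{p.name}: wpa2-psk-aes needs a wpa-passphrase or wpa-hexkey")
        # WPA2-PSK convention (assumption, not from this page): 8-63 character
        # passphrase or a 64 hex digit key.
        if p.wpa_passphrase is not None and not 8 <= len(p.wpa_passphrase) <= 63:
            issues.append(f"{p.name}: WPA2 passphrase must be 8-63 characters")
        if p.wpa_hexkey is not None and not (
                len(p.wpa_hexkey) == 64
                and all(c in "0123456789abcdefABCDEF" for c in p.wpa_hexkey)):
            issues.append(f"{p.name}: wpa-hexkey must be 64 hex digits")
    else:
        issues.append(f"{p.name}: unknown opmode {p.opmode!r}")
    if p.rf_band not in ("a", "g"):
        issues.append(f"{p.name}: rf-band must be a or g")
    return issues


def lint_ap_group(group: str, priorities: Dict[str, int],
                  profiles: Dict[str, MeshClusterProfile]) -> List[str]:
    """Check a multi-cluster AP group: every profile exists, priorities are distinct."""
    issues = []
    first_with_prio: Dict[int, str] = {}
    for name, prio in priorities.items():
        if name not in profiles:
            issues.append(f"{group}: references undefined profile {name}")
        if prio in first_with_prio:
            # Equal priorities do not give an unambiguous fallback order.
            issues.append(f"{group}: {name} and {first_with_prio[prio]} share priority {prio}")
        first_with_prio.setdefault(prio, name)
    return issues


def render_ap_group(group: str, priorities: Dict[str, int]) -> str:
    """Emit the ap-group block, highest priority (lowest number) first."""
    lines = [f"ap-group {group}"]
    for name, prio in sorted(priorities.items(), key=lambda kv: kv[1]):
        lines.append(f"  mesh-cluster-profile {name} priority {prio}")
    lines.append("  exit")
    return "\n".join(lines)


if __name__ == "__main__":
    cluster1 = MeshClusterProfile("cluster1", "corporate", wpa_passphrase="mesh_123")
    cluster2 = MeshClusterProfile("cluster2", "corporate", wpa_passphrase="mesh_123")
    profiles = {p.name: p for p in (cluster1, cluster2)}
    for p in profiles.values():
        print(p.render())
        print("\n".join(lint_profile(p)) or f"{p.name}: OK")
    print(render_ap_group("group1", {"cluster1": 5, "cluster2": 10}))
    print(lint_ap_group("group1", {"cluster1": 5, "cluster2": 10}, profiles))
```

Run the linter over the profiles before you paste the rendered blocks into config mode; an opensystem profile is the one finding that should never be waved through on a production backhaul.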
Excluding a Mesh Cluster Profile from a Mesh Node
To exclude a specific mesh cluster profile from an AP:
ap-name <name> exclude-mesh-cluster-profile-ap <profile-name>
Deleting a Mesh Cluster Profile
If no AP or AP group is using a mesh cluster profile, you can delete that profile using the no parameter:
no ap mesh-cluster-profile <profile-name>
Ethernet Ports for Mesh
If you are using mesh to join multiple Ethernet LANs, configure and enable bridging on the mesh point
Ethernet port. This section describes how to configure Ethernet ports for bridging or secure jack operation
using the wired AP profile. The wired AP profile controls the configuration of the Ethernet port(s) on your
AP.
Mesh nodes only support bridge mode and tunnel mode on their wired ports (enet0 or enet1). Split tunnel mode is
not supported. Use bridge mode to configure bridging on the mesh point Ethernet port. Use tunnel mode to
configure secure jack operation on the mesh node Ethernet port.
When configuring the Ethernet ports on the AP-70, AP-130 Series or AP-120 Series, note the following
requirements:
• If the AP is configured as a mesh portal:
  • Connect enet0 to the controller to obtain an IP address. The wired AP profile controls enet1.
  • Only enet1 supports secure jack operation.
• If the AP is configured as a mesh point, the same wired AP profile controls both enet0 and enet1.
Configure bridging on the Ethernet port
Use the following procedure to configure bridging on the Ethernet port via the WebUI.
1. Navigate to the Configuration > Wireless > AP Configuration > AP Group window.
2. Click the Edit button by the AP group name with the wired AP profile you want to edit.
3. Under the Profiles list, expand the AP menu, then select Wired AP profile. The settings for the
currently selected wired AP profile appear.
You can use a different wired AP profile by selecting a profile from the Wired AP profile drop-down
list.
4. Under Profile Details, do the following:
a. Select the Wired AP enable check box. This option is not selected by default.
b. From the Forward mode drop-down list, select bridge.
c. Optionally, from the Switchport mode drop-down list, select access or trunk. These options only
apply to bridge mode configurations.
• Access mode forwards untagged packets received on the port to the controller and they appear on
the configured access mode VLAN. Tagged packets are dropped. All packets received from the
controller and sent via this port are untagged. Define the access mode VLAN in the Access mode
VLAN field.
• Trunk mode contains a list of allowed VLANs. Any packet received on the port that is tagged with
an allowed VLAN is forwarded to the controller. Untagged packets are forwarded to the controller
on the configured Native VLAN. Packets received from the controller and sent out the port remain
tagged unless the tag value in the packet is the Native VLAN, in which case the tag is removed.
Define the Native VLAN in the Trunk mode native VLAN field and the other allowed VLANs in
the Trunk mode allowed VLANs field.
d. Optionally, select Trusted to configure this as a trusted port.
5. Click Apply.
Use the following commands to configure Ethernet port bridging via the CLI.
ap wired-ap-profile <profile>
forward-mode bridge
wired-ap-enable
Optionally, you can configure the following wired AP profile settings:
ap wired-ap-profile <profile>
switchport mode {access | trunk}
switchport access vlan <vlan>
switchport trunk native vlan <vlan>
switchport trunk allowed vlan <vlan>
trusted
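The access and trunk rules from step 4c, written out as a small Python model so the edge cases (a tagged frame arriving on an access port, an untagged frame on a trunk, egress on the native VLAN) can be checked, followed by a renderer for the wired AP profile CLI shown above. This is an added example, not ArubaOS code: the class and function names are mine, as are the assumptions that an access port carries only its own VLAN on egress, that a trunk does not emit VLANs outside its allowed list, and that the allowed-VLAN list is accepted as a comma-separated string.

```python
"""Model of the access/trunk switchport rules for a bridged wired AP port.

Added example, not ArubaOS code. It encodes the bridge-mode forwarding
behaviour described in the text; names and the egress assumptions are mine.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class SwitchPort:
    mode: str                                             # switchport mode {access | trunk}
    access_vlan: int = 1                                  # switchport access vlan <vlan>
    native_vlan: int = 1                                  # switchport trunk native vlan <vlan>
    allowed_vlans: Set[int] = field(default_factory=set)  # switchport trunk allowed vlan <vlan>

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """VLAN on which a frame received on the port reaches the controller; None = dropped."""
        if self.mode == "access":
            # Access mode: untagged frames land on the access VLAN, tagged frames are dropped.
            return self.access_vlan if tag is None else None
        # Trunk mode: untagged frames go to the native VLAN, tagged frames only if allowed.
        if tag is None:
            return self.native_vlan
        return tag if tag in self.allowed_vlans else None

    def egress(self, vlan: int) -> Tuple[bool, Optional[int]]:
        """(forwarded?, tag on the wire) for a frame the controller sends out on <vlan>."""
        if self.mode == "access":
            # Everything sent out an access port is untagged.
            # Assumption: only the access VLAN itself is carried.
            return (vlan == self.access_vlan, None)
        if vlan == self.native_vlan:
            return (True, None)          # native VLAN: tag removed
        if vlan in self.allowed_vlans:
            return (True, vlan)          # other allowed VLANs keep their tag
        return (False, None)             # assumption: VLANs not on the trunk are not sent


def render_wired_ap_profile(name: str, port: SwitchPort, trusted: bool = False) -> str:
    """Emit the wired AP profile CLI for a bridged port.

    The comma-separated allowed-VLAN list is an assumption about accepted syntax.
    """
    lines = [f"ap wired-ap-profile {name}",
             "  forward-mode bridge",
             "  wired-ap-enable",
             f"  switchport mode {port.mode}"]
    if port.mode == "access":
        lines.append(f"  switchport access vlan {port.access_vlan}")
    else:
        lines.append(f"  switchport trunk native vlan {port.native_vlan}")
        lines.append("  switchport trunk allowed vlan "
                     + ",".join(str(v) for v in sorted(port.allowed_vlans)))
    if trusted:
        lines.append("  trusted")
    lines.append("  exit")
    return "\n".join(lines)


if __name__ == "__main__":
    trunk = SwitchPort("trunk", native_vlan=1, allowed_vlans={1, 10, 20})
    print(render_wired_ap_profile("mesh-bridge-trunk", trunk))
    for tag in (None, 10, 30):
        print(f"in  tag={tag}: -> vlan {trunk.ingress(tag)}")
    for vlan in (1, 20, 30):
        print(f"out vlan={vlan}: -> {trunk.egress(vlan)}")
```

Leave trusted off unless every device behind the port is known: a trusted port's traffic is not put through the controller's per-user role and firewall processing, so a bridged mesh point port in a public space should normally stay untrusted.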
Configuring Ethernet Ports for Secure Jack Operation
You can configure the Ethernet port(s) on mesh nodes to operate in tunnel mode. Known as secure jack
operation for mesh, this configuration allows Ethernet frames coming into the specified wired interface to
be generic routing encapsulation (GRE) tunneled to the controller. Likewise, Ethernet frames coming from
the tunnel are bridged to the corresponding wired interface. This allows an Ethernet port on the mesh node
to appear as an Ethernet port on the controller separated by one or more Layer-3 domains. You can also
enable VLAN tagging.
Unlike secure jack on non-mesh APs, any mesh node configured for secure jack uses the mesh link, rather
than enet0, to tunnel the frame to the controller.
When configuring mesh Ethernet ports for secure jack operation, note the following guidelines:
• Mesh points support secure jack on enet0 and enet1.
• Mesh portals only support secure jack on enet1. This function is only applicable to Aruba APs that
support a second Ethernet port and mesh, such as the AP-70, AP-130 Series and AP-120 Series.
You configure secure jack operation in the wired AP profile.
The parameters in the wired AP profile only apply to the wired AP interface to which they are applied. Two wired
interfaces can have different parameter values.
In the WebUI
Use the following procedure to configure secure jack operation using the WebUI.
1. Navigate to the Configuration > Wireless > AP Configuration > AP Group window.
2. Click the Edit button by the AP group with the wired AP profile you want to edit.
3. Under the Profiles list, expand the AP menu, then select Wired AP profile. The settings for the
currently selected wired AP profile appear.
You can use a different wired AP profile by selecting a profile from the Wired AP profile drop-down
list.
4. In the Profile Details window pane, do the following:
a. Select the Wired AP enable check box. This option is not selected by default.
b. From the Forward mode drop-down list, select tunnel.
c. Optionally, select Trusted to configure this as a trusted port.
5. Click Apply to save your settings.
In the CLI
To configure secure jack operation using the command-line interface, access the CLI in config mode and
issue the following commands:
ap wired-ap-profile <profile>
forward-mode tunnel
wired-ap-enable
Optionally, you can configure the following wired AP profile settings:
ap wired-ap-profile <profile>
trusted
Extending the Life of a Mesh Network
To prevent your mesh network from going down if you experience a controller failure, modify the following
settings in the AP system profile(s) used by mesh nodes so that the mesh network is maintained until the
controller is available again. Aruba recommends the default maximum request retries and bootstrap threshold
settings for most mesh networks; modify them only if you must keep your mesh network alive through a
controller outage. The modified settings are not applicable if mesh portals are directly connected to the
controller.
• Maximum request retries—Maximum number of times to retry AP-generated requests. The default is 10
times. If you must modify this setting, Aruba recommends a value of 10,000.
• Bootstrap threshold—Number of consecutive missed heartbeats before the AP rebootstraps.
(Heartbeats are sent once per second.) The default is 9 missed heartbeats. If you must modify this
setting, Aruba recommends a value of 5,000.
When the controller comes back online, the affected mesh nodes (mesh portals and mesh points)
rebootstrap; the mesh link itself is not affected and stays up.
In the WebUI
Use the following procedure to modify the AP system profile via the WebUI.
1. Navigate to the Configuration > Wireless > AP Configuration > AP Group window.
2. Click the Edit button by the AP group with the AP system profile you want to edit.
3. Under Profiles list, expand the AP menu, then select AP system profile. The settings for the currently
selected AP system profile appear in the Profile Details window pane.
4. Make the following changes in the Profile Details window pane.
a. Change the Maximum Request Retries to 10000.
b. Change the Bootstrap threshold to 5000.
5. Click Apply.
In the CLI
To modify the AP system profile via the command-line interface, access the CLI in config mode and issue
the following commands:
ap system-profile <profile>
max-request-retries 10000
bootstrap-threshold 5000
Provisioning Mesh Nodes
Provisioning mesh nodes is similar to thin APs; however, there are some key differences. Thin APs establish
a channel to the controller from which they receive the configuration for each radio interface. Mesh nodes,
in contrast, get their radio interfaces up and running before making contact with the controller. This
requires a minimum set of parameters from the AP group and mesh cluster that enables the mesh node to
discover a neighbor to create a mesh link and subsequent channel with the controller. To do this, you must
first configure mesh cluster profiles for each mesh node prior to deployment. See “Mesh Radio Profiles” for
more information.
On each radio interface, you provision a mode of operation: mesh node or thin AP (access) mode. If you do
not specify mesh, the AP operates in thin AP (access) mode. If you configure mesh, the AP is provisioned
with a minimum of two mesh cluster profiles: the “default” mesh cluster profile and an emergency read-only
recovery profile, as described in the section “Mesh Clusters”. If you create and select multiple mesh cluster
profiles, the AP is provisioned with those as well. If you have a dual-radio AP and configure one radio for
mesh and the other as a thin AP, each radio will be provisioned as configured.
Each radio provisioned in mesh mode can operate in one of two roles: mesh portal or mesh point. You
explicitly configure the role, as described in this section. This allows the AP to know whether it uses the
mesh link (via the mesh point/mesh portal) or an Ethernet link to establish a connection to the controller.
During the provisioning process, a mesh node looks up the mesh cluster profiles associated with its AP
group and AP name and stores that information in flash. If you have multiple cluster profiles, the mesh
portal uses the best profile to bring up the mesh network. Mesh points, in contrast, go through the list of
mesh cluster profiles in order of priority to decide which profile to use to associate themselves with the
network. In addition, when a mesh point is provisioned, the country code is sent to the AP from its AP name
or AP group along with the mesh cluster profiles. Mesh nodes also learn the recovery profile, which is
automatically generated by the master controller. If the other mesh cluster profiles are unavailable, mesh
nodes use the recovery profile to establish a link to the master controller; data forwarding does not take
place over the recovery link.
If you create a new mesh cluster profile for an existing deployment, you must re-provision the AP for the new profile
to take effect. If you re-provision mesh nodes that are already operating, re-provision the most distant (highest hop
count) mesh points first followed by the mesh portals. If you re-provision the mesh portal first, the mesh points may
be unable to form a mesh link. Re-provisioning the AP causes it to automatically reboot. This may cause a disruption
of service to the network.
This section describes the following topics:
• “Outdoor AP Parameters”
• “Provisioning Caveats”
• “Provisioning Mesh Nodes”
Outdoor AP Parameters
If you are using outdoor APs and planning an outdoor mesh deployment, you can enter the following
outdoor parameters when provisioning the AP:
• Latitude and longitude coordinates of the AP. These location identifiers allow you to more easily locate
the AP for inventory and troubleshooting purposes.
• Altitude, in meters, of the AP.
• Antenna bearing to determine horizontal coverage.
• Antenna angle for optimum antenna coverage.
The above parameters apply to all outdoor APs, not just outdoor APs configured for mesh.
Provisioning Caveats
Remember the following when provisioning APs for mesh:
• You must provision the AP before you install it as a mesh node in a mesh deployment. To provision the
AP, it must be physically connected to the local network or directly connected to the controller. When
connected and powered on, the AP must also be able to obtain an IP address from a DHCP server on the
local network or from the controller.
• Make sure the provisioned mesh nodes form a connected mesh network before physically deploying the
APs. For more information, see “Verifying the Network”.
• In multi-controller networks, save your mesh cluster configuration before provisioning the mesh nodes.
To save your configuration in the WebUI, at the top of any window click Save Configuration. To save
your configuration in the CLI, use the command: write memory.
• If the same port on the controller is used to provision APs and provide PoE for mesh nodes, you must
stop traffic from passing through that port after you provision the AP. To stop traffic, shut down
(disable) the port either by using the CLI command interface fastethernet <slot>/<port> shutdown,
or by following the procedure below.
1. Navigate to the Configuration > Network > Ports window.
2. Under Port Selection, click the port to configure.
3. Under Configure Selected Port, deselect (uncheck) Enable Port.
4. Make sure Enable 802.3af Power Over Ethernet is selected.
5. Click Apply.
Provisioning Mesh Nodes
Reprovisioning the AP causes it to automatically reboot. The following procedures describe the process to
provision a mesh portal or mesh point via the WebUI or CLI. (The easiest way to provision a mesh node is to
use the Provisioning window in the WebUI.) To provision a remote mesh portal, see “Remote Mesh Portals”.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Installation > Provisioning window. Select the AP
to provision for mesh and click Provision.
2. In the Master Discovery section, set the Master IP address as the controller IP address.
3. In the IP settings section, select Obtain IP Address Using DHCP.
4. In the AP List section, do the following:
• Configure the Mesh Role:
  • To configure the AP as the mesh portal, select Mesh Portal.
  • To configure the AP as a mesh point, select Mesh Point.
• Configure the Outdoor Parameters, if needed. The following parameters are available only if
configuring an outdoor AP:
  • Latitude coordinates (degrees, minutes, seconds, north or south)
  • Longitude coordinates (degrees, minutes, seconds, east or west)
  • Altitude (in meters)
  • Antenna bearing (horizontal coverage)
  • Antenna tilt angle (optimum coverage)
5. Click Apply and Reboot. After the AP reboots, mesh cluster profiles are extracted from the AP
group and the AP name.
In the CLI
When you use the command-line interface to reprovision a mesh node, you may also provision other AP
settings. To provision a remote mesh portal, see “Remote Mesh Portals”.
Access the CLI in config mode and issue the following commands:
provision-ap
read-bootinfo ap-name <name>
mesh-role {mesh-point|mesh-portal}
reprovision ap-name <name>
If you are provisioning an outdoor AP, you can also configure the following parameters:
provision-ap
read-bootinfo ap-name <name>
mesh-role {mesh-point|mesh-portal|remote-mesh-portal}
a-ant-bearing <bearing>
a-ant-tilt-angle <angle>
g-ant-bearing <bearing>
g-ant-tilt-angle <angle>
altitude <altitude>
latitude <location>
longitude <location>
reprovision ap-name <name>
AP Boot Sequence
The information in this section describes the boot sequence for mesh APs. Depending on their configured
role, the AP performs a slightly different boot sequence.
Mesh Portal
When the mesh portal boots, it recognizes that one radio is configured to operate as a mesh portal. It then
obtains an IP address from a DHCP server on its Ethernet interface, discovers the master controller on that
interface, registers the mesh radio with the controller, and obtains regulatory domain and mesh radio
profiles for each mesh point interface. A mesh virtual AP is created on the mesh portal radio interface, the
regulatory domain and radio profiles are used to bring up the radio on the correct channel, and the
provisioned mesh cluster profile is used to setup the mesh virtual AP with the correct announcements on
beacons and probe responses. The non-mesh radio provisioned for access mode operates as a thin AP radio,
and everything on that interface works as it would on a thin AP radio interface.
If the 802.11a/802.11g radio profile assigned to the mesh radio is enabled, the radio will support both mesh
backhaul and client access Virtual APs. If the mesh radio is to be used exclusively for mesh backhaul traffic,
associate that radio to a dedicated 802.11a/802.11g radio profile with the radio disabled so the mesh radios
will carry backhaul traffic only.
Mesh Point
When the mesh point boots, it scans for neighboring mesh nodes to establish a link to the mesh portal. All of
the mesh nodes that establish the link are in the same mesh cluster. After the link is up, the mesh point uses
DHCP to obtain an IP address and uses the same master controller as its parent. The remaining boot
sequence, if applicable, is similar to that of a thin AP. Remember, the priority of the mesh point is
establishing a link with neighboring mesh nodes, not establishing a control link to the controller.
In a single hop environment, the mesh point establishes a direct link with the mesh portal.
Air Monitoring and Mesh
Each mesh node has an air monitor (AM) process that registers the BSSID and the MAC address of the mesh
node to distinguish it from a thin AP. This allows the WLAN management system (WMS) on the controller
and AMs deployed in your network to distinguish between APs, wireless clients, and mesh nodes. The WMS
tables also identify the mesh nodes.
For all thin APs and mesh nodes, the AM distinguishes mesh node traffic from the other packets it monitors on
the air, and so does not trigger “wireless-bridging” events for packets transmitted between mesh nodes.
Verifying the Network
To view a list of your mesh APs via the WebUI, navigate to one of the following windows:
• Monitoring > Network > All Mesh Nodes
• Monitoring > Controller > Mesh Nodes
To view mesh APs and the mesh topology tree using the command-line interface, access the command-line
interface in enable mode and issue the following commands:
• show ap mesh active
• show ap mesh topology
Verification Checklist
After provisioning the mesh APs, follow the steps below to ensure that the mesh network is up and
operating correctly.
• Issue the command show ap mesh topology to verify all the mesh APs are up and the topology is as
expected. (Wait 10 minutes after startup for the topology to stabilize.)
• Verify each mesh node has the expected RSSI to its neighboring mesh nodes. The mesh topology is
updated periodically, so access the command-line interface and issue the command show ap mesh
neighbors for the current status. If the RSSI is low, verify that the tx-power settings in the mesh node’s
802.11a/802.11g radio profiles are correct, or, if ARM is used, verify the correct minimum tx-power
setting.
• Issue the command show ap mesh debug provisioned-clusters to verify that the mesh clusters are
correctly defined and provisioned (with encryption if desired). Issue the show running-config |
include recovery command to verify that the cluster’s recovery profile matches the controller’s.
• Verify antenna provisioning by issuing the show ap provisioning command and verify installation
parameters for non-default installations (e.g. standard indoor APs deployed outside, or AP-85 and
AP-175 outdoor APs deployed inside). Ensure all APs use the same channel list by issuing the show ap
allowed-channels command.
• If the mesh radio is to be reserved exclusively for mesh backhaul traffic, issue the show ap
profile-usage command to identify the radio’s 802.11a or 802.11g radio profile, then issue the command
show rf dot11a-radio-profile <profile> or show rf dot11g-radio-profile <profile> to verify the
radio is disabled in the profile. Next, use the show ap bss-table command to verify that no access
Virtual APs are up on the mesh radio.
CLI Examples
Use the show ap mesh active command to verify all nodes are present and that EIRP is correct:
(host) # show ap mesh active
Mesh Cluster Name: ad-sw-mesh3400
--------------------------------
Name      Group    IP Address    BSSID              Band/Ch/EIRP/MaxEIRP  MTU   Enet Ports     Mesh Role  Parent    #Children  AP Type  Uptime
----      -----    ----------    -----              --------------------  ---   ----------     ---------  ------    ---------  -------  ------
point-13  default  10.3.129.140  00:1a:1e:25:99:50  802.11a/149+/19/19          Tunnel/Tunnel  Point      portal-9  0          125      1h:20m:52s
point-17  default  10.3.129.31   00:0b:86:38:7a:c0  802.11a/149/23/23           Tunnel         Point      portal-9  0          60       33m:31s
point-18  default  10.3.129.29   00:24:6c:80:db:b8  802.11a/149+/24/24          Tunnel         Point      portal-9  0          105      39m:56s
portal-9  default  10.3.129.53   d8:c7:c8:80:0c:b0  802.11a/149+/21/21    1500  -/Tunnel       Portal     -         3          134      42m:48s
Total APs :4
Use the show ap mesh topology command to verify the cluster topology, RSSI in presence of network
traffic, and Tx and Rx rates.
(host) # show ap mesh topology
Mesh Cluster Name: ad-sw-mesh3400
--------------------------------
Name      Mesh Role   Parent    Path Cost  Node Cost  Link Cost  Hop Count  RSSI  Rate Tx/Rx  Last Update  Uplink Age  #Children
----      ---------   ------    ---------  ---------  ---------  ---------  ----  ----------  -----------  ----------  ---------
point-13  Point (N)   portal-9  3          0          0          1          66    300/300     1m:26s       9m:51s      0
point-17  Point       portal-9  2          0          0          1          46    54/54       7m:30s       32m:49s     0
point-18  Point (N)   portal-9  3          0          0          1          26    180/6       1m:36s       1m:40s      0
portal-9  Portal (N)  -         0          3          0          0          0     -           1m:40s       42m:59s     3
Total APs :4
(R): Recovery AP. (N): 11N Enabled. For Portals 'Uplink Age' equals uptime.
Issue the command show ap mesh neighbors ap-name <name> to verify visibility of other mesh nodes is
as expected:
(host) # show ap mesh neighbors ap-name point-18
Neighbor list:
--------------
MAC          Portal             Channel  Age  Hops  Cost   Relation    Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  AFail  HT-Details       Cluster ID
---          ------             -------  ---  ----  ----   --------    -----  ----  ----------  -----  ------  -----  ----------       ----------
portal-9     Yes                149+     0    0     3.00   P 49m:28s   HL     29    180/120     1      1       0      HT-40MHzsgi-3ss  ad-sw-mesh3400
point-17[p]  d8:c7:c8:80:0c:b0  149      0    1     25.00  N 55m:21s   S      12                0      0       0      Unsupported      ad-sw-mesh3400
point-13[p]  d8:c7:c8:80:0c:b0  149+     0    1     3.00   N 49m:33s   HL     47                3      3       0      HT-40MHzsgi-2ss  ad-sw-mesh3400
Total count :3
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor.
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput;
L = Legacy allowed; a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled
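A parser for the show ap mesh neighbors output above, as an added example (not ArubaOS code) that turns the Relation and Flags legend into the checks an operator runs after provisioning: neighbors with the Auth-failure flag or a Blacklisted relation (a mismatched WPA2 key, or a node that is not yours), nodes in recovery mode (the recovery profile carries no data, as described under Provisioning Mesh Nodes), sub-threshold links, a weak uplink to the parent, and neighbors advertising a different cluster ID. The column layout is the one shown above; the sample output is constructed, its last row is invented to show a failing neighbor, and the assumptions that an empty Rate Tx/Rx or Flags cell prints as "-" and that 25 is a sensible minimum parent RSSI are mine.

```python
"""Parse 'show ap mesh neighbors ap-name <name>' output and flag suspect links.

Added example, not ArubaOS code. Column layout follows the output shown on this
page; SAMPLE_OUTPUT is constructed (the last row is invented to show a failing
neighbor). Assumption: an empty Rate Tx/Rx or Flags cell is printed as "-".
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Relation is printed as the relation letter followed by how long it has
# existed (e.g. "P 49m:28s"), so it occupies two whitespace-separated tokens.
NEIGHBOR_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<portal>\S+)\s+(?P<channel>\d+[+-]?)\s+"
    r"(?P<age>\d+)\s+(?P<hops>\d+)\s+(?P<cost>\d+(?:\.\d+)?)\s+"
    r"(?P<relation>[PCNB])\s+(?P<rel_age>\S+)\s+(?P<flags>\S+)\s+"
    r"(?P<rssi>\d+)\s+(?P<rate>\S+)\s+"
    r"(?P<a_req>\d+)\s+(?P<a_resp>\d+)\s+(?P<a_fail>\d+)\s+"
    r"(?P<ht>\S+)\s+(?P<cluster>\S+)\s*$"
)

# Constructed sample modelled on the page's output; the 00:0b:86:99:aa:bb row is invented.
SAMPLE_OUTPUT = """\
Neighbor list:
--------------
MAC                Portal             Channel Age Hops Cost  Relation    Flags RSSI Rate Tx/Rx A-Req A-Resp AFail HT-Details       Cluster ID
-----------------  -----------------  ------- --- ---- ----- ----------  ----- ---- ---------- ----- ------ ----- ---------------  --------------
portal-9           Yes                149+    0   0    3.00  P 49m:28s   HL    29   180/120    1     1      0     HT-40MHzsgi-3ss  ad-sw-mesh3400
point-17[p]        d8:c7:c8:80:0c:b0  149     0   1    25.00 N 55m:21s   S     12   -          0     0      0     Unsupported      ad-sw-mesh3400
point-13[p]        d8:c7:c8:80:0c:b0  149+    0   1    3.00  N 49m:33s   HL    47   -          3     3      0     HT-40MHzsgi-2ss  ad-sw-mesh3400
00:0b:86:99:aa:bb  No                 149     12  1    40.00 B 2m:10s    F     35   -          4     0      4     Unsupported      other-cluster
Total count :4
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor.
"""


@dataclass
class Neighbor:
    name: str
    relation: str    # P, C, N or B from the Relation legend
    flags: str       # letters from the Flags legend, "" if none
    rssi: int
    a_fail: int      # association failures
    cluster: str


def parse_neighbors(output: str) -> List[Neighbor]:
    """Return one Neighbor per data row; header, separators, totals and legend are skipped."""
    rows = []
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if not m:
            continue
        flags = "" if m["flags"] == "-" else m["flags"]
        rows.append(Neighbor(m["name"], m["relation"], flags,
                             int(m["rssi"]), int(m["a_fail"]), m["cluster"]))
    return rows


def audit_neighbors(output: str, expected_cluster: str,
                    min_uplink_rssi: int = 25) -> List[Tuple[str, str]]:
    """Return (neighbor, problem) pairs that deserve a closer look."""
    findings = []
    for n in parse_neighbors(output):
        if n.relation == "B" or "F" in n.flags or n.a_fail > 0:
            # Wrong wpa-passphrase/wpa-hexkey on one side, or a node that is not ours.
            findings.append((n.name, "auth-failure/blacklisted"))
        if "R" in n.flags:
            # Recovery profile in use: the link is up but forwards no data.
            findings.append((n.name, "recovery-mode"))
        if "S" in n.flags:
            findings.append((n.name, "sub-threshold-link"))
        if n.relation == "P" and n.rssi < min_uplink_rssi:
            findings.append((n.name, "weak-uplink"))
        if n.cluster != expected_cluster:
            findings.append((n.name, "foreign-cluster"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_neighbors(SAMPLE_OUTPUT, "ad-sw-mesh3400"):
        print(f"{name}: {problem}")
```

Feed it the captured output of show ap mesh neighbors for each node after the topology has settled; an auth-failure finding against a neighbor in your own cluster usually means the provisioned key differs between the two nodes, while one in a foreign cluster is simply a node that is not yours.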
Remote Mesh Portals
You can deploy mesh portals to create a hybrid mesh/remote AP environment to extend network coverage
to remote locations; this feature is called remote mesh portal, or RMP. The RMP feature integrates the
functions of a remote AP (RAP) and the Mesh portal. As a RAP, it sets up a VPN tunnel back to the
corporate switch that is used to secure control traffic between the RAP and the switch.
The Remote Mesh Portal feature allows you to configure a remote AP at a branch office to operate as a
mesh portal for a mesh cluster. Other mesh points belonging to that cluster get their IP address and
configuration settings from the main office via an IPsec tunnel between the remote mesh portal and the
main office controller. This feature is useful for deploying an all-wireless branch office or creating a
complete wireless network in locations where there is no wired infrastructure in place.
The RMP configuration requires an AP license. For more information about Aruba software licenses, see
Chapter 35, “Software Licenses” on page 677.
A RAP-2WG cannot be configured as a Remote Mesh Portal AP.
How RMP Works
When a client at the branch office associates to a split-tunnel virtual AP, the client’s DHCP requests are
forwarded over a GRE tunnel (split tunnel) to the corporate network. This communication is done over a
secure VPN tunnel. The IPs are assigned from the corporate pool based on the VLAN tag information, which
determines the corresponding VLAN. The VLAN tag also determines the subnet from which the DHCP address
is assigned.
A mesh point sends the DHCP request with the mesh private VLAN (MPV) parameter. The mesh point learns
the MPV value from the response during the mesh association. When the split tunnel is set up for the RMP
on the controller, the VLAN of the tunnel should be the MPV. A DHCP pool for the MPV should be set up on
the controller. The use of MPV makes it easy for the RMP to decide which requests to forward over the split
tunnel. All requests tagged with the MPV are sent over the split tunnel. Hence the MPV should be different
from any user VLAN that is bridged using the mesh network.
Figure 39 Working of RMP
Creating a Remote Mesh Portal In the WebUI
A remote mesh portal must be provisioned as both a remote access point and a mesh portal. For
instructions on provisioning the remote mesh portal as a remote access point, see “Configuring the Secure
Remote Access Point Service” on page 188.
Wired ports on remote mesh portals can be configured in either bridge or split-tunnel forwarding mode.
There are, however, limitations to the forwarding modes that can be used by other mesh node types. Do not
use bridge or split-tunnel forwarding mode for wired ports on mesh points. Virtual APs on remote mesh
portals and remote mesh points also do not support bridge or split-tunnel forwarding mode.
A remote mesh portal does not support bridge mode Virtual APs or offline Virtual APs.
Provisioning the AP
1. Navigate to the Configuration > Wireless > AP Installation > Provisioning window.
2. Select the AP to provision as a remote mesh portal and click Provision. The Provisioning window
appears.
3. In the Authentication section, select the Remote AP radio button.
4. In the Remote AP Authentication Method section of this window, select either Pre-shared Key or
Certificate. If you selected Pre-Shared Key, enter and confirm the Internet Key Exchange Pre-Shared
Key (IKE PSK).
5. In the Master Discovery section, set the Master IP address as the controller IP address.
6. In the IP settings section, select Obtain IP Address Using DHCP.
7. In the AP List section, click the Mesh Role drop-down list and select Remote Mesh Portal.
Figure 40 Provisioning an AP as a Remote Mesh Portal
Defining the Mesh Private VLAN
Edit the mesh radio profile for the remote mesh portal and choose a new, non-zero tag value for the mesh
private VLAN. Make sure that the mesh private VLAN does not conflict with any local tags assigned in the
mesh network. Once configured, all mesh points come up in that mesh private VLAN. This mesh private
VLAN must not be used as a VLAN for any other virtual AP.
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected the AP Group tab, click the Edit button by the remote mesh portal AP group with the
profile you want to edit.
• If you selected the AP Specific tab, click the Edit button by the remote mesh portal with the profile
you want to edit.
2. In the Profiles list, expand the Mesh menu, then select Mesh radio profile.
3. In the Profile Details window pane, click the Mesh radio profile drop-down list and select the name
of the profile you want to edit.
4. Set the Mesh Private VLAN parameter to define a VLAN ID (0–4094) for control traffic between a
remote mesh point and mesh nodes.
5. Click Apply to save your changes.
Next, assign the remote mesh points with the same mesh cluster profile, 802.11a and 802.11g RF
management profiles, and mesh radio profile as the remote mesh portal. If you have defined an AP group for
all your remote mesh points, you can just assign the required profiles to the remote mesh point AP group.
Otherwise, you must assign the required profiles to each individual remote AP.
Selecting a Mesh Radio Profile
Use the following procedure to select a mesh radio profile for a remote mesh AP or AP group:
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected AP Group, click the Edit button by the AP group to which you want to assign a new
mesh radio profile.
• If you selected AP Specific, click the Edit button by the AP to which you want to assign a new mesh
radio profile.
2. Under the Profiles list, expand the Mesh menu, then select Mesh radio profile.
3. In the Profile Details window pane, click the Mesh radio profile drop-down list and select the desired
mesh radio profile from the list.
4. Click Apply. The profile name appears in the Mesh Radio Profile list with your configured settings. If
you configure this for the AP group, this profile also becomes the selected radio profile used by the mesh
portal for your mesh network.
Selecting an RF Management Profile
Use the following procedure to select an RF management profile for a remote mesh AP or AP group:
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected AP Group, click the Edit button by the AP group name to which you want to assign a
new 802.11a or 802.11g RF management profile.
• If you selected AP Specific, click the Edit button by the AP to which you want to assign a new
802.11a or 802.11g RF management profile.
2. Under the Profiles list, expand the RF management menu.
3. To select an 802.11a radio profile for an AP or AP group, click 802.11a radio profile. In the Profile
Details window pane, click the 802.11a radio profile drop-down list and select the desired profile
from the list.
-or-
To select an 802.11g radio profile for an AP or AP group, click 802.11g radio profile. In the Profile
Details window pane, click the 802.11g radio profile drop-down list and select the desired profile from
the list.
4. Click Apply. The profile name appears in the Profile list with your configured settings. If you configure
this for the AP group, this profile also becomes the selected 802.11a or 802.11g RF management profile
used by the mesh portal for your mesh network.
Adding a Mesh Cluster Profile
Use the following procedure to add a mesh cluster profile to a remote mesh AP or AP group:
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group
or AP Specific tab.
• If you selected AP Group, click the Edit button by the AP group name to which you want to assign a
new mesh cluster profile.
• If you selected AP Specific, click the Edit button by the AP to which you want to assign a new mesh
cluster profile.
2. Under the Profiles list, expand the Mesh menu, then select Mesh Cluster profile.
3. In the Profile Details window pane, click the Mesh Cluster profile drop-down list and select New.
• To add an existing mesh cluster profile to the selected AP group, click the Add a profile drop-down
list and select the profile name from the list.
4. Click the using priority drop-down list to select a priority for the mesh cluster profile. The lower the
number, the higher the priority.
If you configure multiple cluster profiles with different cluster priorities, you manually override the link metric
algorithm because the priority takes precedence over the path cost. In this scenario, the mesh portal uses the profile
with the highest priority to bring up the mesh network.
5. Click Add to add the mesh cluster profile to the AP group.
Configuring a DHCP Pool
In this next step, you must configure a DHCP pool where the DHCP server is on the subnet associated with
the mesh private VLAN. Mesh points will get their IP address from this subnet pool. To complete this task, refer
to the procedure described in “Configuring the DHCP Server on the Remote AP”.
Configuring the VLAN ID of the Virtual AP Profile
The VLAN of this Virtual AP must have the same VLAN ID as the mesh private VLAN.
1. Navigate to Configuration > Wireless > AP Configuration window. Select either the AP Group or
AP Specific tab. Click the Edit button by the applicable AP group name or AP name with the virtual AP
profile you want to configure.
2. Under Profiles, select Wireless LAN, then Virtual AP.
3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu.
Enter the name for the virtual AP profile, and click Add.
Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID
profile with the default “Aruba-ap” ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile
before you apply the profile.
a. In the Profile Details window, click the AAA Profile drop-down list and select the previously
configured AAA profile. The AAA Profile pop-up window appears.
b. To set the AAA profile and close the window, click Apply.
c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. A pop-up window displays to allow you to configure the SSID profile.
d. Enter the name for the SSID profile.
e. Under Network, enter a name in the Network Name (SSID) field.
f. Under Security, select the network authentication and encryption methods.
g. To set the SSID profile and close the window, click Apply.
4. Click Apply at the bottom of the Profile Details window.
5. Click the new virtual AP name in the Profiles list or Profile Details window pane to display the
configuration parameters for this profile.
6. In the Profile Details window:
a. Make sure Virtual AP enable is selected.
b. From the VLAN drop-down menu, select the VLAN ID for the mesh private VLAN.
c. From the Forward mode drop-down menu, select split-tunnel.
d. Click Apply.
Provisioning a Remote Mesh Portal In the CLI
Reprovisioning the AP causes it to automatically reboot. When you use the CLI to reprovision a mesh node,
you may also provision other AP settings.
provision-ap
read-bootinfo ap-name <name>
mesh-role remote-mesh-portal
reprovision ap-name <name>
Additional Information
By default, the data frames the mesh portal receives on its mesh link are forwarded according to the bridge
table entries on the portal. However, frames received on mesh private VLAN (MPV) are treated differently
by the remote mesh portal. These frames are treated the same as frames received on a split SSID and are
routed rather than bridged. Mesh points obtain DHCP addresses from the corporate network, then register
with the controller using these IP addresses. When these mesh points send and receive PAPI control traffic
from the main office controller, it controls these mesh points just as if they were on a local VLAN. PAPI
traffic containing keys and other secret information receives IPsec encryption and decryption when it is
forwarded to the controller through the VPN tunnel.
Not all traffic from a mesh point is sent on the mesh private VLAN. When a mesh point bridges data received
via its Ethernet interface or from clients connected to an access radio VAP, the mesh point does not tag the
frame with the mesh private VLAN tag when it sends the data through the mesh link to the remote mesh portal.
Note that the mesh point may still tag the frame depending on the VLAN of the virtual AP and the native
VLAN specified in the system profile. Care must be taken to assign the MPV value so that it does not clash
with any local tags assigned in the mesh network. In this case, the portal performs the default operation that
is to bridge the frame based on its bridge table.
Traffic destined to the Internet is recognized as such by the remote mesh portal based on ACL rules. This
traffic is NATed on the remote mesh portal’s Ethernet interface.
Chapter 9
Authentication Servers
The ArubaOS software allows you to use an external authentication server or the controller internal user
database to authenticate clients who need to access the wireless network.
Important Points to Remember
• In order for an external authentication server to process requests from the Aruba controller, you must
configure the server to recognize the controller. Refer to the vendor documentation for information on
configuring the authentication server.
• Instructions on how to configure Microsoft’s IAS and Active Directory can be viewed at:
Microsoft’s IAS: http://technet2.microsoft.com/windowsserver/en/technologies/ias.mspx
Active Directory: http://technet2.microsoft.com/windowsserver/en/technologies/featured/ad/default.mspx
This chapter describes the following topics:
• “Servers and Server Groups” on page 273
• “Configuring Servers” on page 274
• “Internal Database” on page 279
• “Server Groups” on page 283
Servers and Server Groups
ArubaOS supports the following external authentication servers:
• RADIUS (Remote Authentication Dial-In User Service)
• LDAP (Lightweight Directory Access Protocol)
• TACACS+ (Terminal Access Controller Access Control System)
• Windows (for stateful NTLM authentication)
Additionally, you can use the controller’s internal database to authenticate users. You create entries in the
database for users and their passwords and default role.
You can create groups of servers for specific types of authentication. For example, you can specify one or
more RADIUS servers to be used for 802.1x authentication. The list of servers in a server group is an
ordered list. This means that the first server in the list is always used unless it is unavailable, in which case
the next server in the list is used. You can configure servers of different types in one group — for example,
you can include the internal database as a backup to a RADIUS server.
Figure 41 graphically represents a server group named “Radii” that consists of two RADIUS servers, Radius-1 and Radius-2. This server group is assigned as the server group for 802.1x authentication.
Figure 41 Server Group (diagram: the 802.1x server group points to server group Radii, which contains RADIUS-1 and RADIUS-2)
Server names are unique. You can configure the same server in multiple server groups. You must configure
the server before you can add it to a server group.
If you are using the controller’s internal database for user authentication, use the predefined “Internal” server group.
You can also include conditions for server-derived user roles or VLANs in the server group configuration.
The server derivation rules apply to all servers in the group.
Configuring Servers
This section describes how to configure RADIUS, LDAP, TACACS+ and Windows external authentication
servers and the internal database on the controller.
Configuring a RADIUS Server
Table 46 describes the parameters you configure for a RADIUS server.
Table 46 RADIUS Server Configuration Parameters
Host: IP address or fully qualified domain name (FQDN) of the authentication server. The maximum
supported FQDN length is 63 characters. Default: N/A
Key: Shared secret between the controller and the authentication server. The maximum length is
128 characters. Default: N/A
Authentication Port: Authentication port on the server. Default: 1812
Accounting Port: Accounting port on the server. Default: 1813
Retransmits: Maximum number of retries sent to the server by the controller before the server is marked
as down. Default: 3
Timeout: Maximum time, in seconds, that the controller waits before timing out the request and
resending it. Default: 5 seconds
NAS ID: Network Access Server (NAS) identifier to use in RADIUS packets. Default: N/A
NAS IP: NAS IP address to send in RADIUS packets. You can configure a “global” NAS IP address that the
controller uses for communications with all RADIUS servers. If you do not configure a server-specific
NAS IP, the global NAS IP is used. To set the global NAS IP in the WebUI, navigate to the Configuration >
Security > Authentication > Advanced page. To set the global NAS IP in the CLI, enter the ip radius
nas-ip ipaddr command. Default: N/A
Source Interface: Enter a VLAN ID. Allows you to use source IP addresses to differentiate RADIUS
requests. Associates a VLAN interface with the RADIUS server to allow the server-specific source
interface to override the global configuration.
• If you associate a Source Interface (by entering a VLAN number) with a configured server, then the
source IP address of the packet will be that interface’s IP address.
• If you do not associate the Source Interface with a configured server (leave the field blank), the IP
address of the global Source Interface will be used.
Use MD5: Use MD5 hash of cleartext password. Default: disabled
Mode: Enables or disables the server. Default: enabled
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Radius Server to display the Radius Server List.
3. To configure a RADIUS server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Enter parameters as described in Table 46. Select the
Mode checkbox to activate the authentication server.
5. Click Apply to apply the configuration.
The configuration does not take effect until you perform this step.
In the CLI
aaa authentication-server radius <name>
host <ipaddr>
key <key>
enable
RADIUS Server Authentication Codes
A configured RADIUS server will return the following standard response codes.
Table 47 RADIUS Authentication Response Codes
0: Authentication OK.
1: Authentication failed—user/password combination not correct.
2: Authentication request timed out—no response from server.
3: Internal authentication error.
4: Bad response from RADIUS server. Verify that the shared secret is correct.
5: No RADIUS authentication server is configured.
6: Challenge from server. (This does not necessarily indicate an error condition.)
RADIUS Server Fully Qualified Domain Names
If you define a RADIUS server using the FQDN of the server rather than its IP address, the controller will
periodically generate a DNS request and cache the IP address returned in the DNS response. To view the IP
address that currently correlates to each RADIUS server FQDN, access the command-line interface in config
mode and issue the following command:
show aaa fqdn-server-names
Set a DNS Query Interval
If you define a RADIUS server using the FQDN of the server rather than its IP address, the controller will
periodically generate a DNS request and cache the IP address returned in the DNS response. By default,
DNS requests are sent every 15 minutes.
You can use either the WebUI or the CLI to configure how often the controller should generate a DNS
request to cache the IP address for a RADIUS server identified via its fully qualified domain name (FQDN).
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Advanced page.
2. In the DNS Query Interval (min) field, enter a new DNS query interval, from 1-1440 minutes, inclusive.
3. Click Apply to save your changes.
In the CLI
aaa dns-query-period <minutes>
Configuring an LDAP Server
Table 48 describes the parameters you configure for an LDAP server.
Table 48 LDAP Server Configuration Parameters
Host: IP address of the LDAP server. Default: N/A
Admin-DN: Distinguished name for the admin user who has read/search privileges across all the entries in
the LDAP database (the user does not need write privileges but should be able to search the database and
read attributes of other users in the database).
Admin Password: Password for the admin user. Default: N/A
Allow Clear-Text: Allows clear-text (unencrypted) communication with the LDAP server. Default: disabled
Authentication Port: Port number used for authentication. Default: 389
Base-DN: Distinguished Name of the node that contains the entire user database. Default: N/A
Filter: A string that is used to search for users in the LDAP database (the default filter string is
“(objectclass=*)”). Default: N/A
Key Attribute: A string that is used to search an LDAP server. For Active Directory, the value is
sAMAccountName. Default: sAMAccountName
Timeout: Timeout period of an LDAP request, in seconds. Default: 20 seconds
Mode: Enables or disables the server. Default: enabled
Preferred Connection Type: Preferred type of connection between the controller and the LDAP server. The
default order of connection type is:
1. ldap-s
2. start-tls
3. clear-text
The controller first tries to contact the LDAP server using the preferred connection type, and only attempts
to use a lower-priority connection type if the first attempt is not successful.
Note: If you select clear-text as the preferred connection type, you must also enable the allow-cleartext
option.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select LDAP Server to display the LDAP Server List.
3. To configure an LDAP server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Enter parameters as described in Table 48. Select the
Mode checkbox to activate the authentication server.
5. Click Apply to apply the configuration.
The configuration does not take effect until you perform this step.
In the CLI
aaa authentication-server ldap <name>
host <ipaddr>
(enter parameters as described in Table 48)
enable
Configuring a TACACS+ Server
Table 49 defines the TACACS+ server parameters.
Table 49 TACACS+ Server Configuration Parameters
Host: IP address of the server. Default: N/A
Key: Shared secret to authenticate communication between the TACACS+ client and server. Default: N/A
TCP Port: TCP port used by the server. Default: 49
Retransmits: Maximum number of times a request is retried. Default: 3
Timeout: Timeout period for TACACS+ requests, in seconds. Default: 20 seconds
Mode: Enables or disables the server. Default: enabled
Session Authorization: Enables or disables session authorization. Session authorization turns on the
optional authorization session for admin users. Default: disabled
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select TACACS Server to display the TACACS Server List.
3. To configure a TACACS+ server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Enter parameters as described in Table 49. Select the
Mode checkbox to activate the authentication server.
5. Click Apply to apply the configuration.
The configuration does not take effect until you perform this step.
In the CLI
The following command configures, enables a TACACS+ server and enables session authorization:
aaa authentication-server tacacs <name>
clone default
host <ipaddr>
key <key>
enable
session-authorization
Configuring a Windows Server
Table 50 defines parameters for a Windows server used for stateful NTLM authentication.
Table 50 Windows Server Configuration Parameters
Host: IP address of the server. Default: N/A
Mode: Enables or disables the server. Default: enabled
Windows Domain: Name of the Windows Domain assigned to the server.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Windows Server to display the Windows Server List.
3. To configure a Windows server, enter the name for the server and click Add.
4. Select the name of the server to configure its parameters. Enter the parameters as described in Table 50.
5. Select the Mode checkbox to activate the authentication server.
6. Click Apply to apply the configuration.
The configuration does not take effect until you perform this step.
In the CLI
aaa authentication-server windows <windows-server-name>
host <ipaddr>
enable
Internal Database
You can create entries in the controller’s internal database to authenticate clients. The internal
database contains a list of clients along with the password and default role for each client. When you
configure the internal database as an authentication server, client information in incoming authentication
requests is checked against the internal database.
Configuring the Internal Database
By default, the internal database in the master controller is used for authentication. You can choose to use
the internal database in a local controller by entering the CLI command aaa authentication-server
internal use-local-switch. If you use the internal database in a local controller, you need to add clients on
the local controller.
Table 51 defines the required and optional parameters used in the internal database.
Table 51 Internal Database Configuration Parameters
User Name: (Required) Enter a user name or select Generate to automatically generate a user name. An
entered username can be up to 64 characters in length.
Password: (Required) Enter a password or select Generate to automatically generate a password string.
An entered password must be a minimum of 6 characters and can be up to 128 characters in length.
Role: Role for the client. In order for this role to be assigned to a client, you need to configure a server
derivation rule, as described in “Configuring Server-Derivation Rules” on page 287. (A user role assigned
through a server-derivation rule takes precedence over the default role configured for an authentication
method.)
E-mail: (Optional) E-mail address of the client.
Enabled: Select this checkbox to enable the user as soon as the user entry is created.
Expiration: Select one of the following options:
• Entry does not expire: No expiration on the user entry.
• Set Expiry time (mins): Enter the number of minutes the user will be authenticated before their user
entry expires.
• Set Expiry Date (mm/dd/yyyy) Expiry Time (hh:mm): To select a specific expiration date and time,
enter the expiration date in mm/dd/yyyy format, and the expiration time in hh:mm format.
Static Inner IP Address (for RAPs only): Assign a static inner IP address to a Remote AP. If this database
entry is not for a remote AP, leave this field empty.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click Add User in the Users section. The user configuration page displays.
4. Enter the information for the client, as described in the table above.
5. Click Enabled to activate this entry on creation.
6. Click Apply to apply the configuration. The configuration does not take effect until you perform this
step.
7. At the Servers page, click Apply.
The Internal DB Maintenance window also includes a Guest User Page feature that allows you to create user entries
for guests only. For details on creating guest users, see “Guest Provisioning User Tasks” on page 618.
In the CLI
Enter the following command in enable mode:
local-userdb add {generate-username|username <name>} {generate-password|password
<password>}
RAP Static Inner IP Address
The RAP static inner IP address feature assigns a static inner IP address to a remote access point (RAP). A
new IP address parameter is added to the existing configuration commands: local-userdb add, local-userdb modify, local-userdb-ap add, and local-userdb-ap modify.
In the WebUI
To view IP address parameter in the local database, navigate to the Configuration > Security >
Authentication > Servers > Internal DB page.
Figure 42 IP-Address parameter in the local database
To view IP-address parameter in the RAP Whitelist, navigate to the Wireless > AP Installation > RAP
Whitelist page.
Figure 43 IP-Address parameter in the RAP Whitelist
You cannot configure the IP-Address parameter using the WebUI.
In the CLI
local-userdb add {generate-username|username <name>} {generate-password|password
<password>} {remote-ip <remote-ip>}
local-userdb modify {username <name>} {remote-ip <remote-ip>}
local-userdb-ap add {mac-address <address>} {ap-group <ap_group>} {remote-ip <remote-ip>}
local-userdb-ap modify {mac-address <address>} {remote-ip <remote-ip>}
The output of show local-userdb command:
(host) #show local-userdb

User Summary
------------
Name   Pwd  Role              E-Mail              Enabled  Expiry  Status  Sponsor-Name  Remote-IP  Grantor-Name
----   ---  ----              ------              -------  ------  ------  ------------  ---------  ------------
John   ***  default-vpn-role  [email protected]  Yes              Active                0.0.0.0    admin
user1  ***  default-vpn-role                      Yes              Active                0.0.0.0    admin
Sam    ***  default-vpn-role                      Yes              Active                0.0.0.0    admin
The output of show local-userdb-ap command:
(host) #show local-userdb-ap

AP-entry Details
----------------
Name     AP-Group  AP-Name          Full-Name  Auth-Uname  Rvok-txt  AP_Auth      Descrp  Date-Added       En   Rem-IP
----     --------  -------          ---------  ----------  --------  -------      ------  ----------       ---  ------
MAC-ADD  CP_TEST   AP-125-Port-2    test                             Provisioned  wq      Fri Nov 27 2009  Yes  0.0.0.0
MAC-ADD  CP_TEST   AP-rap5-port-18  John                             Provisioned  desc    Mon Nov 30 2009  Yes  0.0.0.0
Managing Internal Database Files
ArubaOS allows you to import and export tables of user information to and from the internal database.
These files should not be edited once they are exported. ArubaOS only supports the importing of database
files that were created during the export process. Note that importing a file into the internal database
overwrites and removes all existing entries.
Exporting files in the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click Export in the Internal DB Maintenance section. A popup window opens.
4. Enter the name of the file you want to export.
5. Click OK.
Importing files in the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click Import in the Internal DB Maintenance section. A popup window opens.
4. Enter the name of the file you want to import.
5. Click OK.
In the CLI
Enter the following command in enable mode:
local-userdb export <filename>
local-userdb import <filename>
Internal Database Utilities
The local internal database also includes utilities to clear all users from the database and to restart the
internal database to repair internal errors. Under normal circumstances, neither of these utilities are
necessary.
Deleting All Users
Issue this command to remove users from the internal database after you have moved your user database
from the controller’s internal server to an external server.
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click Delete All Users in the Internal DB Maintenance section. A popup window opens and asks you
to confirm that you want to remove all users.
4. Click OK.
Repairing the Internal Database
Use this utility under the supervision of Aruba technical support to recreate the internal database. This may
clear internal database errors, but will also remove all information from the database. Make sure you export
your current user information before you start the repair procedure.
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click Repair Database in the Internal DB Maintenance section. A popup window opens and asks you
to confirm that you want to recreate the database.
4. Click OK.
Server Groups
You can create groups of servers for specific types of authentication — for example, you can specify one or
more RADIUS servers to be used for 802.1x authentication. You can configure servers of different types in
one group — for example, you can include the internal database as a backup to a RADIUS server.
Configuring Server Groups
Server names are unique. You can configure the same server in more than one server group. The server
must be configured before you can include it in a server group.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click New to add a server to the group.
a. Select a server from the drop-down menu and click Add Server.
b. Repeat the above step to add other servers to the group.
6. Click Apply.
In the CLI
aaa server-group <name>
auth-server <name>
Configuring Server List Order and Fail-Through
The list of servers in a server group is an ordered list. By default, the first server in the list is always used
unless it is unavailable, in which case the next server in the list is used. You can configure the order of
servers in the server group. In the WebUI, use the up or down arrows to order the servers (the top server is
the first server in the list). In the CLI, use the position parameter to specify the relative order of servers in
the list (the lowest value denotes the first server in the list).
As mentioned previously, the first available server in the list is used for authentication. If the server
responds with an authentication failure, there is no further processing for the user or client for which the
authentication request failed. You can optionally enable fail-through authentication for the server group so
that if the first server in the list returns an authentication deny, the controller attempts authentication with
the next server in the ordered list. The controller attempts authentication with each server in the list until
either there is a successful authentication or the list of servers in the group is exhausted. This feature is
useful in environments where there are multiple, independent authentication servers; users may fail
authentication on one server but can be authenticated on another server.
Before enabling fail-through authentication, note the following:
• This feature is not supported for 802.1x authentication with a server group that consists of external
EAP-compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1x
authentication is terminated on the controller (AAA FastConnect).
• Enabling this feature for a large server group list may cause excess processing load on the controller.
Aruba recommends that you use server selection based on domain matching whenever possible (see
“Configuring Dynamic Server Selection” on page 284).
• Certain servers, such as the RSA RADIUS server, lock out the controller if there are multiple
authentication failures. Therefore you should not enable fail-through authentication with these servers.
In the following example, you create a server group ‘corp-serv’ with two LDAP servers (ldap-1 and ldap-2),
each of which contains a subset of the usernames and passwords used in the network. When fail-through
authentication is enabled, users that fail authentication on the first server in the server list should be
authenticated with the second server.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select LDAP Server to display the LDAP Server List.
3. Enter ldap-1 for the server name and click Add.
4. Enter ldap-2 for the server name and click Add.
5. Under the Servers tab, select ldap-1 to configure server parameters. Enter the IP address for the server.
Select the Mode checkbox to activate the authentication server. Click Apply.
6. Repeat step 5 to configure ldap-2.
7. Display the Server Group list: Under the Servers tab, select Server Group.
8. Enter corp-serv as the new server group and click Add.
9. Select corp-serv, under the Server tab, to configure the server group.
10. Select Fail Through.
11. Under Servers, click New to add a server to the group. Select ldap-1 from the drop-down menu and click
Add Server.
12. Repeat step 11 to add ldap-2 to the group.
13. Click Apply.
In the CLI
aaa authentication-server ldap ldap-1
host 10.1.1.234
aaa authentication-server ldap ldap-2
host 10.2.2.234
aaa server-group corp-serv
auth-server ldap-1 position 1
auth-server ldap-2 position 2
allow-fail-through
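The server-list and fail-through behaviour described above, as an added Python model (not ArubaOS code): the server names follow the corp-serv example, while the user tables, the "unavailable server" case and the per-server failure counter (which shows why fail-through matters for servers that lock out a client after repeated failures) are constructed.

```python
"""Model of how an ArubaOS server group walks its ordered server list, with
and without fail-through. Added illustration, not ArubaOS code; the server
names follow the corp-serv example and the user tables are constructed."""
from dataclasses import dataclass


@dataclass
class AuthServer:
    name: str
    users: dict                 # constructed username -> password table
    available: bool = True      # False models a server that never answers
    failures: int = 0           # denies returned so far (lockout concern)

    def authenticate(self, user: str, password: str) -> str:
        """Return "accept", "deny" or "timeout" as the controller sees it."""
        if not self.available:
            return "timeout"
        if self.users.get(user) == password:
            return "accept"
        self.failures += 1
        return "deny"


@dataclass
class ServerGroup:
    name: str
    servers: list               # ordered by position, lowest first
    allow_fail_through: bool = False

    def authenticate(self, user: str, password: str) -> tuple:
        """Walk the ordered list. An unavailable server is always skipped;
        a deny ends processing unless fail-through is enabled."""
        for srv in self.servers:
            result = srv.authenticate(user, password)
            if result == "timeout":
                continue                    # unavailable: try the next server
            if result == "accept":
                return ("accept", srv.name)
            if not self.allow_fail_through:
                return ("deny", srv.name)   # first answering server decides
        return ("deny", None)               # list exhausted (modelled as deny)


def build_corp_serv(fail_through: bool) -> ServerGroup:
    """corp-serv from the text: ldap-1 and ldap-2 each know a subset of users."""
    ldap1 = AuthServer("ldap-1", {"alice": "pw-a"})
    ldap2 = AuthServer("ldap-2", {"bob": "pw-b"})
    return ServerGroup("corp-serv", [ldap1, ldap2], fail_through)


def demo() -> dict:
    """Run the cases the text describes and return the outcomes."""
    out = {}
    g = build_corp_serv(fail_through=False)
    out["no_ft_bob"] = g.authenticate("bob", "pw-b")      # deny from ldap-1 ends it
    g = build_corp_serv(fail_through=True)
    out["ft_bob"] = g.authenticate("bob", "pw-b")         # falls through to ldap-2
    out["ft_unknown"] = g.authenticate("carol", "x")      # every server denies
    out["ft_failures"] = [s.failures for s in g.servers]  # denies spread over servers
    g = build_corp_serv(fail_through=False)
    g.servers[0].available = False
    out["down_bob"] = g.authenticate("bob", "pw-b")       # unavailable is not a deny
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```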
Configuring Dynamic Server Selection
The controller can dynamically select an authentication server from a server group based on the user
information sent by the client in an authentication request. For example, an authentication request can
include client or user information in one of the following formats:
• <domain>\<user> — for example, corpnet.com\darwin
• <user>@<domain> — for example, [email protected]
• host/<pc-name>.<domain> — for example, host/darwin-g.finance.corpnet.com (this format is used with
802.1x machine authentication in Windows environments)
When you configure a server in a server group, you can optionally associate the server with one or more
match rules. A match rule for a server can be one of the following:
• The server is selected if the client/user information contains a specified string.
• The server is selected if the client/user information begins with a specified string.
• The server is selected if the client/user information exactly matches a specified string.
You can configure multiple match rules for the same server. The controller compares the client/user
information with the match rules configured for each server, starting with the first server in the server
group. If a match is found, the controller sends the authentication request to the server with the matching
rule. If no match is found before the end of the server list is reached, an error is returned and no
authentication request for the client/user is sent.
For example, Figure 44 depicts a network consisting of several subdomains in corpnet.com. The server
radius-1 provides 802.1x machine authentication to PC clients in xyz.corpnet.com, sales.corpnet.com, and
hq.corpnet.com. The server radius-2 provides authentication for users in abc.corpnet.com.
Figure 44 Domain-Based Server Selection Example
[Diagram: requests in the forms host/<pc-name>.xyz.corpnet.com, host/<pc-name>.sales.corpnet.com and
host/<pc-name>.hq.corpnet.com are directed to radius-1; requests in the forms abc.corpnet.com\<user> and
<user>@abc.corpnet.com are directed to radius-2.]
You configure the following rules for servers in the corp-serv server group:
• radius-1 will be selected if the client information starts with “host/”.
• radius-2 will be selected if the client information contains “abc.corpnet.com”.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Under the Servers tab, select Server Group to display the Server Group list.
3. Enter corp-serv for the new server group and click Add.
4. Under the Servers tab, select corp-serv to configure the server group.
5. Under Servers, click New to add the radius-1 server to the group. Select radius-1 from the drop-down
menu.
a. For Match Type, select Authstring.
b. For Operator, select starts-with.
c. For Match String, enter host/.
d. Click Add Rule >>.
e. Scroll to the right and click Add Server.
6. Under Servers, click New to add the radius-2 server to the group. Select radius-2 from the drop-down
menu.
a. For Match Type, select Authstring.
b. For Operator, select contains.
c. For Match String, enter abc.corpnet.com.
d. Click Add Rule >>.
e. Scroll to the right and click Add Server.
The last server you added to the server group (radius-2) automatically appears as the first server in the list. In this
example, the order of servers is not important. If you need to reorder the server list, scroll to the right and click the
up or down arrow for the appropriate server.
7. Click Apply.
In the CLI
aaa server-group corp-serv
auth-server radius-1 match-authstring starts-with host/ position 1
auth-server radius-2 match-authstring contains abc.corpnet.com position 2
Configuring Match FQDN Option
You can also use the “match FQDN” option for a server match rule. With a match FQDN rule, the server is
selected if the <domain> portion of the user information in the formats <domain>\<user> or
<user>@<domain> exactly matches a specified string. Note the following caveats when using a match
FQDN rule:
• This rule does not support client information in the host/<pc-name>.<domain> format, so it is not useful
for 802.1x machine authentication.
• The match FQDN option performs matches on only the <domain> portion of the user information sent in
an authentication request. The match-authstring option (described previously) allows you to match all
or a portion of the user information sent in an authentication request.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Under the Servers tab, select Server Group to display the Server Group list.
3. Enter corp-serv for the new server group and click Add.
4. Under the Servers tab, select corp-serv to configure the server group.
5. Under Servers, click New to add the radius-1 server to the group. Select radius-1 from the drop-down
menu.
a. For Match Type, select FQDN.
b. For Match String, enter corpnet.com.
c. Click Add Rule >>.
d. Scroll to the right and click Add Server.
6. Click Apply.
In the CLI
aaa server-group corp-serv
auth-server radius-1 match-fqdn corpnet.com
Trimming Domain Information from Requests
Before the controller forwards an authentication request to a specified server, it can truncate the domain-specific portion of the user information. This is useful when user entries on the authenticating server do not
include domain information. You can specify this option with any server match rule. This option is only
applicable when the user information is sent to the controller in the following formats:
• <domain>\<user> — the <domain>\ portion is truncated
• <user>@<domain> — the @<domain> portion is truncated
This option does not support client information sent in the format host/<pc-name>.<domain>.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click Edit for a configured server or click New to add a server to the group.
  • If editing a configured server, select Trim FQDN, scroll right, and click Update Server.
  • If adding a new server, select a server from the drop-down menu, then select Trim FQDN, scroll right,
  and click Add Server.
6. Click Apply.
In the CLI
aaa server-group corp-serv
auth-server radius-2 match-authstring contains abc.corpnet.com trim-fqdn
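The selection behaviour described in the three preceding sections (match-authstring with contains, starts-with and equals; match-fqdn on the <domain> portion only; trim-fqdn before forwarding), modelled in Python as an added example. This is not ArubaOS code, and the controller's own implementation is not published; the server names, rules and user strings are the guide's. One assumption is mine and is marked in the code: a server configured with no match rules at all is treated as eligible for every request, which the guide does not state.

```python
"""Server selection from a server group by match rules, as the guide describes it."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MatchRule:
    kind: str            # "authstring" (match-authstring) or "fqdn" (match-fqdn)
    operator: str = ""   # authstring only: "contains", "starts-with" or "equals"
    value: str = ""      # the configured match string


@dataclass
class GroupServer:
    name: str
    rules: List[MatchRule] = field(default_factory=list)
    trim_fqdn: bool = False  # strip <domain>\ or @<domain> before forwarding


def split_domain(info: str) -> Optional[Tuple[str, str]]:
    """Return (user, domain) for <domain>\\<user> or <user>@<domain>.

    host/<pc-name>.<domain> (802.1x machine authentication) and bare user
    names carry no <domain> portion in the guide's sense, so return None.
    """
    if info.startswith("host/"):
        return None
    if "\\" in info:
        domain, user = info.split("\\", 1)
        return user, domain
    if "@" in info:
        user, domain = info.rsplit("@", 1)
        return user, domain
    return None


def rule_matches(rule: MatchRule, info: str) -> bool:
    """Evaluate one match rule against the client/user information."""
    if rule.kind == "fqdn":
        # match-fqdn: exact match on the <domain> portion only
        parts = split_domain(info)
        return parts is not None and parts[1] == rule.value
    if rule.kind == "authstring":
        # match-authstring: compare against the whole string the client sent
        if rule.operator == "contains":
            return rule.value in info
        if rule.operator == "starts-with":
            return info.startswith(rule.value)
        if rule.operator == "equals":
            return info == rule.value
    raise ValueError(f"unsupported rule: {rule}")


def select_server(group: List[GroupServer], info: str) -> Optional[Tuple[str, str]]:
    """Walk the group in position order; the first server with a matching rule wins.

    Returns (server name, user information as it will be forwarded), or None
    when no rule matches, which the controller reports as an error without
    sending the request anywhere.
    Assumption (not stated in the guide): a server with no match rules at all
    is eligible for every request.
    """
    for server in group:
        if not server.rules or any(rule_matches(r, info) for r in server.rules):
            forwarded = info
            if server.trim_fqdn:
                parts = split_domain(info)
                if parts is not None:
                    forwarded = parts[0]   # <domain>\ or @<domain> removed
            return server.name, forwarded
    return None


# The guide's corp-serv group: radius-1 for machine auth, radius-2 for abc.corpnet.com users
CORP_SERV = [
    GroupServer("radius-1", [MatchRule("authstring", "starts-with", "host/")]),
    GroupServer("radius-2", [MatchRule("authstring", "contains", "abc.corpnet.com")], trim_fqdn=True),
]

# The match-fqdn variant from the "Configuring Match FQDN Option" section
FQDN_GROUP = [GroupServer("radius-1", [MatchRule("fqdn", value="corpnet.com")])]


if __name__ == "__main__":
    for sample in ("host/darwin-g.finance.corpnet.com", "abc.corpnet.com\\darwin",
                   "darwin@abc.corpnet.com", "darwin@xyz.corpnet.com"):
        print(f"{sample!r:40} -> {select_server(CORP_SERV, sample)}")
    for sample in ("darwin@corpnet.com", "darwin@abc.corpnet.com", "host/darwin-g.corpnet.com"):
        print(f"{sample!r:40} -> {select_server(FQDN_GROUP, sample)}")
```

The run shows the two points the guide makes: a user in xyz.corpnet.com matches neither corp-serv rule and gets no server, and match-fqdn on corpnet.com does not match a subdomain or a host/ machine identity.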
Configuring Server-Derivation Rules
When you configure a server group, you can set the VLAN or role for clients based on attributes returned for
the client by the server during authentication. The server derivation rules apply to all servers in the group.
The user role or VLAN assigned through server derivation rules takes precedence over the default role and
VLAN configured for the authentication method.
The authentication servers must be configured to return the attributes for the clients during authentication. For
instructions on configuring the authentication attributes in a Windows environment using IAS, refer to the
documentation at http://technet2.microsoft.com/windowsserver/en/technologies/ias.mspx.
The server rules are applied based on the first match principle. The first rule that is applicable for the server
and the attribute returned is applied to the client and would be the only rule applied from the server rules.
These rules are applied uniformly across all servers in the server group.
Table 52 describes the server rule parameters you can configure.
Table 52 Server Rule Configuration Parameters
Role or VLAN: The server derivation rules can be for either user role or VLAN assignment. With Role
assignment, a client can be assigned a specific role based on the attributes returned. In case of VLAN
assignment, the client can be placed in a specific VLAN based on the attributes returned.
Attribute: This is the attribute returned by the authentication server that is examined for Operation and
Operand match.
Operation: This is the match method by which the string in Operand is matched with the attribute value
returned by the authentication server.
• contains – The rule is applied if and only if the attribute value contains the string in parameter Operand.
• starts-with – The rule is applied if and only if the attribute value returned starts with the string in
parameter Operand.
• ends-with – The rule is applied if and only if the attribute value returned ends with the string in
parameter Operand.
• equals – The rule is applied if and only if the attribute value returned equals the string in parameter
Operand.
• not-equals – The rule is applied if and only if the attribute value returned is not equal to the string in
parameter Operand.
• value-of – This is a special condition. What this implies is that the role or VLAN is set to the value of the
attribute returned. For this to be successful, the role and the VLAN ID returned as the value of the
attribute selected must be already configured on the controller when the rule is applied.
Operand: This is the string to which the value of the returned attribute is matched.
Value: The user role or the VLAN applied to the client when the rule is matched.
Position: Position of the condition rule. Rules are applied based on the first match principle. 1 is the top.
Default: bottom
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click New to add a server to the group.
a. Select a server from the drop-down menu and click Add.
b. Repeat the above step to add other servers to the group.
6. Under Server Rules, click New to add server derivation rules for assigning a user role or VLAN.
a. Enter the attribute.
b. Select the operation from the drop-down menu.
c. Enter the operand.
d. Select Set VLAN or Set Role from the drop-down menu.
e. Enter the value (either user role or VLAN) to be assigned.
f. Click Add.
g. Repeat the above steps to add other rules for the server group.
7. Click Apply.
In the CLI
aaa server-group <name>
auth-server <name>
set {role|vlan} condition <condition> set-value {<role>|<vlan>}
[position number]
Configuring a Role Derivation Rule for the Internal Database
When you add a user entry in the controller’s internal database, you can optionally specify a user role (see
“Internal Database” on page 279). In order for the role specified in the internal database entry to be assigned
to the authenticated client, you must configure a server derivation rule as shown in the following sections:
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Select the internal server group.
4. Under Server Rules, click New to add a server derivation rule.
a. For Condition, enter Role.
b. Select value-of from the drop-down menu.
c. Select Set Role from the drop-down menu.
d. Click Add.
5. Click Apply.
In the CLI
aaa server-group internal
set role condition Role value-of
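The first-match evaluation of server derivation rules from Table 52, including the value-of condition that the internal-database rule above relies on, as an added Python model. It is not ArubaOS code. The attribute names and rule set in the sample run are constructed; the guide only requires that a value-of result already be configured on the controller, so the choice here to skip such a rule when the returned role or VLAN is unknown (rather than fail the login) is an assumption and is marked as one in the code.

```python
"""First-match evaluation of server derivation rules (Table 52)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DerivationRule:
    target: str          # "role" or "vlan"
    attribute: str       # attribute returned by the authentication server
    operation: str       # contains | starts-with | ends-with | equals | not-equals | value-of
    operand: str = ""    # string compared with the attribute value (unused for value-of)
    value: str = ""      # role or VLAN assigned on match (unused for value-of)


def condition_holds(rule: DerivationRule, attr_value: str) -> bool:
    """Apply the Operation column of Table 52 to one returned attribute value."""
    op, s = rule.operation, rule.operand
    if op == "contains":
        return s in attr_value
    if op == "starts-with":
        return attr_value.startswith(s)
    if op == "ends-with":
        return attr_value.endswith(s)
    if op == "equals":
        return attr_value == s
    if op == "not-equals":
        return attr_value != s
    if op == "value-of":
        return True          # the returned value itself becomes the role/VLAN
    raise ValueError(f"unknown operation {op!r}")


def derive(rules: List[DerivationRule], returned: Dict[str, str],
           known_roles: Set[str], known_vlans: Set[str]) -> Optional[Tuple[str, str]]:
    """Return ("role"|"vlan", value) from the first applicable rule, or None.

    rules are in position order. The first rule whose attribute was returned,
    whose condition holds and whose result is configured on the controller is
    applied; no later rule is considered.
    """
    for rule in rules:
        attr_value = returned.get(rule.attribute)
        if attr_value is None or not condition_holds(rule, attr_value):
            continue
        assigned = attr_value if rule.operation == "value-of" else rule.value
        configured = known_roles if rule.target == "role" else known_vlans
        if assigned not in configured:
            # Assumption: a role/VLAN not configured on the controller cannot be
            # applied, so the rule is skipped and evaluation continues.
            continue
        return rule.target, assigned
    return None


# Constructed rule set; Filter-Id, Tunnel-Private-Group-Id and Class are standard
# RADIUS attribute names used here only as sample returned attributes.
CORP_RULES = [
    DerivationRule("role", "Filter-Id", "equals", operand="employee", value="employee"),
    DerivationRule("vlan", "Tunnel-Private-Group-Id", "value-of"),
    DerivationRule("role", "Class", "contains", operand="guest", value="guest"),
]
# The guide's rule for the internal server group: set role condition Role value-of
INTERNAL_RULES = [DerivationRule("role", "Role", "value-of")]

KNOWN_ROLES = {"employee", "guest", "authenticated"}   # roles configured on the controller
KNOWN_VLANS = {"10", "20"}                             # VLAN IDs configured on the controller


if __name__ == "__main__":
    samples = [
        {"Filter-Id": "employee", "Class": "guest-wifi"},    # first match wins: role employee
        {"Tunnel-Private-Group-Id": "20"},                    # VLAN taken from the attribute
        {"Tunnel-Private-Group-Id": "99", "Class": "guest"},  # VLAN 99 unknown, Class rule applies
    ]
    for attrs in samples:
        print(attrs, "->", derive(CORP_RULES, attrs, KNOWN_ROLES, KNOWN_VLANS))
    print({"Role": "guest"}, "->", derive(INTERNAL_RULES, {"Role": "guest"}, KNOWN_ROLES, KNOWN_VLANS))
```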
Assigning Server Groups
You can create server groups for the following purposes:
• user authentication
• management authentication
• accounting
You can configure all types of servers for user and management authentication (see Table 53). Accounting
is only supported with RADIUS and TACACS+ servers when RADIUS or TACACS+ is used for
authentication.
Table 53 Server Types and Purposes
Purpose                   | RADIUS | TACACS+ | LDAP | Internal Database
User authentication       | Yes    | Yes     | Yes  | Yes
Management authentication | Yes    | Yes     | Yes  | Yes
Accounting                | Yes    | Yes     | No   | No
User Authentication
For information about assigning a server group for user authentication, see the configuration chapter for
the authentication method.
Management Authentication
Users who need to access the controller to monitor, manage, or configure the Aruba user-centric network
can be authenticated with RADIUS, TACACS+, or LDAP servers or the internal database.
Only user record attributes are returned upon a successful authentication. Therefore, to derive a different
management role other than the default mgmt auth role, set the server derivation rule based on the user attributes.
In the WebUI
1. Navigate to the Configuration > Management > Administration page.
2. Under the Management Authentication Servers section, select the Server Group.
3. Click Apply.
In the CLI
aaa authentication mgmt
server-group <group>
Accounting
You can configure accounting for RADIUS and TACACS+ server groups.
RADIUS or TACACS+ accounting is only supported when RADIUS or TACACS+ is used for authentication.
RADIUS Accounting
RADIUS accounting allows user activity and statistics to be reported from the controller to RADIUS
servers. RADIUS accounting works as follows:
1. The controller generates an Accounting Start packet when a user logs in. The code field of the transmitted
RADIUS packet is set to 4 (Accounting-Request). Note that sensitive information, such as user passwords,
is not sent to the accounting server. The RADIUS server sends an acknowledgement of the packet.
2. The controller sends an Accounting Stop packet when a user logs off; the packet information includes
various statistics such as elapsed time, input and output bytes and packets. The RADIUS server sends an
acknowledgement of the packet.
The following is the list of attributes that the controller can send to a RADIUS accounting server:
• Acct-Status-Type: This attribute marks the beginning or end of accounting record for a user. Currently,
possible values include Start and Stop.
• User-Name: Name of user.
• Acct-Session-Id: A unique identifier to facilitate matching of accounting records for a user. It is derived
from the user name, IP address and MAC address. This is set in all accounting packets.
• Acct-Authentic: This indicates how the user was authenticated. Current values are 1 (RADIUS), 2 (Local)
and 3 (LDAP).
• Acct-Session-Time: The elapsed time, in seconds, that the client was logged in to the controller. This is
only sent in Accounting-Request records where the Acct-Status-Type is Stop.
• Acct-Terminate-Cause: Indicates how the session was terminated and is sent in Accounting-Request
records where the Acct-Status-Type is Stop. Possible values are:
  1: User logged off
  4: Idle Timeout
  5: Session Timeout. Maximum session length timer expired.
  7: Admin Reboot: Administrator is ending service, for example prior to rebooting the controller.
• NAS-Identifier: This is set in the RADIUS server configuration.
• NAS-IP-Address: IP address of the master controller. You can configure a “global” NAS IP address: in the
WebUI, navigate to the Configuration > Security > Authentication > Advanced page; in the CLI, use
the ip radius nas-ip command.
• NAS-Port: Physical or virtual port (tunnel) number through which the user traffic is entering the
controller.
• NAS-Port-Type: Type of port used in the connection. This is set to one of the following:
  5: admin login
  15: wired user type
  19: wireless user
• Framed-IP-Address: IP address of the user.
• Calling-Station-ID: MAC address of the user.
• Called-station-ID: MAC address of the controller.
The following attributes are sent in Accounting-Request packets when Acct-Status-Type value is Start:
• Acct-Status-Type
• User-Name
• NAS-IP-Address
• NAS-Port
• NAS-Port-Type
• NAS-Identifier
• Framed-IP-Address
• Calling-Station-ID
• Called-station-ID
• Acct-Session-Id
• Acct-Authentic
The following attributes are sent in Accounting-Request packets when Acct-Status-Type value is Stop:
• Acct-Status-Type
• User-Name
• NAS-IP-Address
• NAS-Port
• NAS-Port-Type
• NAS-Identifier
• Framed-IP-Address
• Calling-Station-ID
• Called-station-ID
• Acct-Session-Id
• Acct-Authentic
• Terminate-Cause
• Acct-Session-Time
The following attributes are sent only in Accounting Stop packets (they are not sent in Accounting Start
packets):
• Acct-Input-Octets
• Acct-Output-Octets
• Acct-Input-Packets
• Acct-Output-Packets
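An added Python example, mine rather than ArubaOS code, that builds and checks an Accounting-Request record of the kind described above: the code field set to 4, the guide's attribute set for a Stop record, and the RFC 2866 Request Authenticator that lets an accounting server reject records that were forged or altered in transit or that came from a sender without the shared secret. Attribute type numbers are the RFC 2865/2866 values; the shared secret, addresses, MAC addresses, session ID and counters in the sample are constructed.

```python
"""Build and verify RADIUS Accounting-Request (code 4) records, RFC 2866 framing."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Tuple, Union
ACCOUNTING_REQUEST = 4

# RFC 2865/2866 type numbers for the attributes the guide lists
ATTR_TYPE = {
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Framed-IP-Address": 8,
    "Called-Station-Id": 30, "Calling-Station-Id": 31, "NAS-Identifier": 32,
    "Acct-Status-Type": 40, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
    "Acct-Session-Id": 44, "Acct-Authentic": 45, "Acct-Session-Time": 46,
    "Acct-Input-Packets": 47, "Acct-Output-Packets": 48, "Acct-Terminate-Cause": 49,
    "NAS-Port-Type": 61,
}
ATTR_NAME = {v: k for k, v in ATTR_TYPE.items()}
ADDRESS_ATTRS = {"NAS-IP-Address", "Framed-IP-Address"}
INTEGER_ATTRS = {"NAS-Port", "NAS-Port-Type", "Acct-Status-Type", "Acct-Authentic", "Acct-Session-Time",
                 "Acct-Terminate-Cause", "Acct-Input-Octets", "Acct-Output-Octets", "Acct-Input-Packets",
                 "Acct-Output-Packets"}


def encode_attr(name: str, value: Union[str, int]) -> bytes:
    """Type-Length-Value; Length counts the two header octets, so payload <= 253."""
    if name in ADDRESS_ATTRS:
        payload = ipaddress.IPv4Address(value).packed
    elif name in INTEGER_ATTRS:
        payload = struct.pack("!I", int(value))
    else:
        payload = str(value).encode("utf-8")
    if len(payload) > 253:
        raise ValueError(f"{name} payload too long for a single attribute")
    return bytes([ATTR_TYPE[name], len(payload) + 2]) + payload


def build_accounting_request(identifier: int, attrs: List[Tuple[str, Union[str, int]]], secret: bytes) -> bytes:
    """Code | Identifier | Length | Request Authenticator | Attributes."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier & 0xFF, 20 + len(body))
    # RFC 2866 section 3: MD5(Code+ID+Length, 16 zero octets, Attributes, Shared Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """The check an accounting server performs before it trusts a record."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes) -> Dict[str, Union[str, int]]:
    """Decode the attribute list; unknown types are kept as attr-<type>."""
    out: Dict[str, Union[str, int]] = {}
    length = struct.unpack("!H", packet[2:4])[0]
    i = 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute")
        payload = packet[i + 2:i + alen]
        name = ATTR_NAME.get(atype, f"attr-{atype}")
        if name in ADDRESS_ATTRS:
            out[name] = str(ipaddress.IPv4Address(payload))
        elif name in INTEGER_ATTRS:
            out[name] = struct.unpack("!I", payload)[0]
        else:
            out[name] = payload.decode("utf-8", errors="replace")
        i += alen
    return out


def sample_stop_record(secret: bytes) -> bytes:
    """Accounting Stop for a wireless user; every value here is constructed."""
    attrs = [
        ("Acct-Status-Type", 2),                      # 2 = Stop (1 = Start)
        ("User-Name", "darwin"),
        ("NAS-IP-Address", "10.1.1.1"),
        ("NAS-Port", 0),
        ("NAS-Port-Type", 19),                        # 19 = wireless user
        ("NAS-Identifier", "aruba-master"),
        ("Framed-IP-Address", "10.20.30.40"),
        ("Calling-Station-Id", "00:11:22:33:44:55"),  # user MAC
        ("Called-Station-Id", "AA:BB:CC:DD:EE:FF"),   # controller MAC
        ("Acct-Session-Id", "darwin-10.20.30.40-001122334455"),
        ("Acct-Authentic", 1),                        # 1 = RADIUS
        ("Acct-Terminate-Cause", 1),                  # 1 = User logged off
        ("Acct-Session-Time", 3600),
        ("Acct-Input-Octets", 12345),
        ("Acct-Output-Octets", 67890),
        ("Acct-Input-Packets", 100),
        ("Acct-Output-Packets", 200),
    ]
    return build_accounting_request(7, attrs, secret)


if __name__ == "__main__":
    pkt = sample_stop_record(b"constructed-shared-secret")
    print(verify_accounting_request(pkt, b"constructed-shared-secret"), parse_attrs(pkt))
```

The authenticator is an MD5 keyed only by the shared secret, so its strength on the wire is entirely that of the secret; it does not encrypt anything, which is why the guide's point that passwords are never placed in accounting records matters.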
You can use either the WebUI or CLI to assign a server group for RADIUS accounting.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. Select AAA Profile, then select the AAA profile instance.
3. (Optional) In the Profile Details pane, select RADIUS Interim Accounting to allow the controller to send
Interim-Update messages with current user statistics to the server at regular intervals. This option is
disabled by default, in which case the controller sends only start and stop messages to the RADIUS
accounting server.
4. In the profile list, scroll down and select the Radius Accounting Server Group for the AAA profile. Select
the server group from the drop-down menu.
You can add additional servers to the group or configure server rules.
5. Click Apply.
In the CLI
aaa profile <profile>
radius-accounting <group>
radius-interim-accounting
TACACS+ Accounting
TACACS+ accounting allows commands issued on the controller to be reported to TACACS+ servers. You
can specify the types of commands that are reported (action, configuration, or show commands) or have all
commands reported.
You can configure TACACS+ accounting only with the CLI:
aaa tacacs-accounting server-group <group> command {action|all|configuration|show} mode
{enable|disable}
Configuring Authentication Timers
Table 54 describes the timers you can configure that apply to all clients and servers. These timers can be left
at their default values for most implementations.
Table 54 Authentication Timers
User Idle Timeout: Maximum period after which a client is considered idle if there is no user traffic from
the client.
The timeout period is reset if there is user traffic. After this timeout period has elapsed, the controller
sends probe packets to the client; if the client responds to the probe, it is considered active and the User
Idle Timeout is reset (an active client that is not initiating new sessions is not removed). If the client does
not respond to the probe, it is removed from the system. If the keyword seconds is not specified, the value
defaults to minutes at the command line.
Range: 1 to 255 minutes (30 to 15300 seconds)
Default: 5 minutes (300 seconds)
Authentication Server Dead Time: Maximum period, in minutes, that the controller considers an
unresponsive authentication server to be “out of service”.
This timer is only applicable if there are two or more authentication servers configured on the controller.
If there is only one authentication server configured, the server is never considered out of service and all
requests are sent to the server.
If one or more backup servers are configured and a server is unresponsive, it is marked as out of service
for the dead time; subsequent requests are sent to the next server on the priority list for the duration of
the dead time. If the server is responsive after the dead time has elapsed, it can take over servicing
requests from a lower-priority server; if the server continues to be unresponsive, it is marked as down for
the dead time.
Range: 0–50
Default: 10 minutes
Logon User Lifetime: Maximum time, in minutes, unauthenticated clients are allowed to remain logged on.
Range: 0–255
Default: 5 minutes
User Interim stats frequency: Set the timeout value for user stats reporting in minutes or seconds. The
supported range is 300-600 seconds, or 5-10 minutes, and the default value is 600 seconds.
Setting an Authentication Timer
To set an authentication timer, complete one of the following procedures:
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Advanced page.
2. Configure the timers as described above.
3. Click Apply before moving on to another page or closing the browser window. Failure to do this results
in loss of configuration and you will have to reconfigure the settings.
In the CLI
aaa timers {dead-time <minutes>|idle-timeout <number>|logon-lifetime <minutes>|stats-timeout <seconds>}
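A Python simulation, added here and not ArubaOS code, of two behaviours this chapter describes for a server group: fail-through from the ldap-1/ldap-2 example at the start of this section, where a user rejected by the first server is tried on the next, and the Authentication Server Dead Time from Table 54, which takes an unresponsive server out of rotation for the dead time and returns it to the head of the priority list afterwards. Server names are the guide's; the backends, credentials and the clock are constructed, and the result returned when every server in a multi-server group is out of service is an assumption of this model.

```python
"""Server-group dispatch: fail-through and the authentication-server dead time."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A backend answers True (accept), False (reject) or None (no response)
Backend = Callable[[str, str], Optional[bool]]


@dataclass
class AuthServer:
    name: str
    backend: Backend
    dead_until: float = 0.0   # minutes; "out of service" while now < dead_until
    contacts: int = 0         # requests actually sent to this server


@dataclass
class ServerGroup:
    servers: List[AuthServer]          # position order, position 1 first
    allow_fail_through: bool = False   # the allow-fail-through option
    dead_time: float = 10.0            # aaa timers dead-time; default 10 minutes


def authenticate(group: ServerGroup, user: str, password: str,
                 now: float) -> Tuple[Optional[bool], Optional[str]]:
    """Return (result, name of the server that gave it); (None, None) if no server answered.

    The dead time only applies when two or more servers are configured; a lone
    server is always tried. With fail-through a rejection moves on to the next
    server; without it the first answer, accept or reject, is final.
    """
    multiple = len(group.servers) > 1
    result: Optional[bool] = None
    via: Optional[str] = None
    for server in group.servers:
        if multiple and now < server.dead_until:
            continue                       # skipped for the rest of its dead time
        server.contacts += 1
        reply = server.backend(user, password)
        if reply is None:
            if multiple:
                server.dead_until = now + group.dead_time
            continue                       # next server on the priority list
        if reply or not group.allow_fail_through:
            return reply, server.name
        result, via = False, server.name   # rejected; fail-through tries the next one
    return result, via


def table_backend(users: Dict[str, str]) -> Backend:
    """A server holding a subset of the accounts (constructed for the sample)."""
    return lambda user, password: users.get(user) == password


def unresponsive(_user: str, _password: str) -> Optional[bool]:
    """A server that never answers, so the controller marks it out of service."""
    return None


if __name__ == "__main__":
    corp = ServerGroup([AuthServer("ldap-1", table_backend({"alice": "pw-a"})),
                        AuthServer("ldap-2", table_backend({"bob": "pw-b"}))],
                       allow_fail_through=True)
    print("bob, fail-through:", authenticate(corp, "bob", "pw-b", now=0.0))
    radius_1 = AuthServer("radius-1", unresponsive)
    group = ServerGroup([radius_1, AuthServer("radius-2", table_backend({"alice": "pw-a"}))])
    for t in (0.0, 5.0, 10.0):
        print(f"t={t}: {authenticate(group, 'alice', 'pw-a', now=t)}, "
              f"radius-1 contacted {radius_1.contacts}x, dead until {radius_1.dead_until}")
```

The sample run shows radius-1 being contacted at t=0, skipped at t=5 while marked down, and retried at t=10 once the dead time has elapsed, at which point it is marked down again because it still does not answer.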
Chapter 10
802.1x Authentication
802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an
authentication framework for WLANs. 802.1x uses the Extensible Authentication Protocol (EAP) to
exchange messages during the authentication process. The authentication protocols that operate inside the
802.1x framework that are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS),
Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to
authenticate the client while also allowing the client to authenticate the network.
This chapter describes the following topics:
• “Overview of 802.1x Authentication” on page 295
• “Configuring 802.1x Authentication” on page 298
• “Example Configurations” on page 307
• “Advanced Configuration Options for 802.1x” on page 323
Other types of authentication not discussed in this chapter can be found in the following sections of this
guide:
• Captive portal authentication: “Captive Portal Authentication” on page 376
• VPN authentication: “Planning a VPN Configuration” on page 401
• MAC authentication: “Configuring MAC-Based Authentication” on page 443
• Stateful 802.1x, stateful NTLM, and WISPr authentication: “Stateful and WISPr Authentication” on
page 357
Overview of 802.1x Authentication
802.1x authentication consists of three components:
• The supplicant, or client, is the device attempting to gain access to the network. You can configure the
Aruba user-centric network to support 802.1x authentication for wired users as well as wireless users.
• The authenticator is the gatekeeper to the network and permits or denies access to the supplicants.
  The Aruba controller acts as the authenticator, relaying information between the authentication server
  and supplicant. The EAP type must be consistent between the authentication server and supplicant and
  is transparent to the controller.
• The authentication server provides a database of information required for authentication and informs
the authenticator to deny or permit access to the supplicant.
The 802.1x authentication server is typically an EAP-compliant Remote Access Dial-In User Service
(RADIUS) server which can authenticate either users (through passwords or certificates) or the client
computer.
An example of an 802.1x authentication server is the Internet Authentication Service (IAS) in Windows
(see http://technet.microsoft.com/en-us/library/cc759077(WS.10).aspx).
In Aruba user-centric networks, you can terminate the 802.1x authentication on the controller. The
controller passes user authentication to its internal database or to a “backend” non-802.1x server. This
feature, also called “AAA FastConnect,” is useful for deployments where an 802.1x EAP-compliant
RADIUS server is not available or required for authentication.
Supported EAP Types
The following is the list of supported EAP types.
• PEAP—Protected EAP (PEAP) is an 802.1x authentication method that uses server-side public key
certificates to authenticate clients with the server. The PEAP authentication creates an encrypted SSL / TLS
tunnel between the client and the authentication server. The exchange of information is encrypted and
stored in the tunnel, ensuring the user credentials are kept secure.
• EAP-GTC—The EAP-GTC (Generic Token Card) type uses a clear-text method to exchange authentication
controls between client and server. Since the authentication mechanism uses one-time tokens
(generated by the card), this method of credential exchange is considered safe. In addition, EAP-GTC is
used in PEAP or TTLS tunnels in wireless environments. EAP-GTC is described in RFC 2284.
• EAP-AKA—The EAP-AKA (Authentication and Key Agreement) authentication mechanism is typically
used in mobile networks that include Universal Mobile Telecommunication Systems (UMTS) and CDMA
2000. This method uses the information stored in the Subscriber Identity Module (SIM) for
authentication. EAP-AKA is described in RFC 4187.
• EAP-FAST—EAP-FAST (Flexible Authentication via Secure Tunneling) is an alternative
authentication method to PEAP. This method uses the Protected Access Credential (PAC) for verifying
clients on the network. EAP-FAST is described in RFC 4851.
• EAP-MD5—The EAP-MD5 method verifies the MD5 hash of a user password for authentication. This
method is commonly used in a trusted network. EAP-MD5 is described in RFC 2284.
• EAP-POTP—EAP type 32 is supported. Complete details are described in RFC 4793.
• EAP-SIM—EAP-SIM (Subscriber Identity Module) uses the Global System for Mobile Communication
(GSM) Subscriber Identity Module (SIM) for authentication and session key distribution. This
authentication mechanism includes network authentication, user anonymity support, result indication,
and a fast re-authentication procedure. Complete details about this authentication mechanism are
described in RFC 4186.
• EAP-TLS—EAP-TLS (Transport Layer Security) uses Public Key Infrastructure (PKI) to set up
authentication with a RADIUS server or any authentication server. This method requires the use of a
client-side certificate for communicating with the authentication server. EAP-TLS is described in
RFC 5216.
• EAP-TLV—The EAP-TLV (type-length-value) method allows you to add additional information in an EAP
message. Often this method is used to provide more information about an EAP message, for example
status information or authorization data. This method is always used after a typical EAP authentication
process.
• EAP-TTLS—The EAP-TTLS (Tunneled Transport Layer Security) method uses server-side certificates to
set up authentication between clients and servers. The actual authentication is, however, performed
using passwords. Complete details about EAP-TTLS are described in RFC 5281.
• LEAP—Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys and mutual
authentication between client and RADIUS server.
• ZLXEAP—This is Zonelabs EAP. For more information, visit http://tools.ietf.org/html/draft-bersani-eap-synthesis-sharedkeymethods-00#page-30.
Authentication with a RADIUS Server
See Table 55 for an overview of the parameters that you need to configure on authentication components
when the authentication server is an 802.1x EAP-compliant RADIUS server.
Figure 45 802.1x Authentication with RADIUS Server
[Diagram of Client (Supplicant), WLAN Switch (Authenticator) and Authentication Server. Labels on the
client: EAP Type, ESSID, Network Authentication, Data Encryption. Labels on the WLAN switch: Server IP,
Shared Secret, Auth Port, Acct Port, ESSID, Network Authentication, Data Encryption. Labels on the
authentication server: EAP Type, Client IP, Shared Secret.]
The supplicant and authentication server must be configured to use the same EAP type. The controller does
not need to know the EAP type used between the supplicant and authentication server.
For the controller to communicate with the authentication server, you must configure the IP address,
authentication port, and accounting port of the server on the controller. The authentication server must be
configured with the IP address of the RADIUS client, which is the controller in this case. Both the controller
and the authentication server must be configured to use the same shared secret.
Additional information on EAP types supported in a Windows environment, Microsoft supplicants, and
authentication server, is available at http://technet.microsoft.com/en-us/library/cc782851(WS.10).aspx.
The client communicates with the controller through a GRE tunnel in order to form an association with an
AP and to authenticate to the network. Therefore, the network authentication and encryption configured
for an ESSID must be the same on both the client and the controller.
Authentication Terminated on Controller
User authentication is performed either via the controller’s internal database or a non-802.1x server. See
“802.1x Authentication Profile Basic WebUI Parameters” on page 299 for an overview of the parameters that
you need to configure on 802.1x authentication components when 802.1x authentication is terminated on
the controller (AAA FastConnect).
Figure 46 802.1x Authentication with Termination on Controller
[Diagram of Client (Supplicant) and WLAN Switch (Authenticator and Authentication Server), with user
authentication via internal database or non-802.1x server. Labels on both the client and the WLAN switch:
EAP Type = EAP-TLS or EAP-PEAP, ESSID, Network Authentication, Data Encryption.]
In this scenario, the supplicant is configured for EAP-Transport Layer Security (TLS) or EAP-Protected EAP
(PEAP).
• EAP-TLS is used with smart card user authentication. A smart card holds a digital certificate which, with
the user-entered personal identification number (PIN), allows the user to be authenticated on the
network. EAP-TLS relies on digital certificates to verify the identities of both the client and server.
EAP-TLS requires that you import server and certification authority (CA) certificates onto the controller
(see “Configuring and Using Certificates with AAA FastConnect” on page 304). The client certificate is
verified on the controller (the client certificate must be signed by a known CA) before the user name is
checked on the authentication server.
• EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following “inner EAP”
methods is used:
  • EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of
  unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time
  token cards such as SecureID and the use of an LDAP or RADIUS server as the user authentication
  server. You can also enable caching of user credentials on the controller as a backup to an external
  authentication server.
  • EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Described in
  RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be used
  as the backend authentication server.
If you are using the controller’s internal database for user authentication, you need to add the names and
passwords of the users to be authenticated. If you are using an LDAP server for user authentication, you
need to configure the LDAP server on the controller, and configure user IDs and passwords. If you are using
a RADIUS server for user authentication, you need to configure the RADIUS server on the controller.
Configuring 802.1x Authentication
On the controller, use the following steps to configure a wireless network that uses 802.1x authentication:
1. Configure the VLANs to which the authenticated users will be assigned. See Chapter 2, “Network
Parameters” on page 59.
2. Configure policies and roles. You can specify a default role for users who are successfully authenticated
using 802.1x. You can also configure server derivation rules to assign a user role based on attributes
returned by the authentication server; server-derived user roles take precedence over default roles. For
more information about policies and roles, see Chapter 12, “Roles and Policies”.
The Policy Enforcement Firewall Virtual Private Network (PEFV) module provides identity-based security for wired and
wireless users and must be installed on the controller. The stateful firewall allows user classification based on user
identity, device type, location and time of day and provides differentiated access for different classes of users. For
information about obtaining and installing licenses, see Chapter 35, “Software Licenses”.
3. Configure the authentication server(s) and server group. The server can be an 802.1x RADIUS server or,
if you are using AAA FastConnect, a non-802.1x server or the controller’s internal database. If you are
using EAP-GTC within a PEAP tunnel, you can configure an LDAP or RADIUS server as the
authentication server (see Chapter 9, “Authentication Servers”). If you are using EAP-TLS, you need to
import server and CA certificates on the controller (see “Configuring and Using Certificates with AAA
FastConnect” on page 304).
4. Configure the AAA profile.
  • Select the 802.1x default user role.
  • Select the server group you previously configured for the 802.1x authentication server group.
5. Configure the 802.1x authentication profile. See “Using the WebUI” on page 318
298 | 802.1x Authentication
ArubaOS 6.1 | User Guide
6. Configure the virtual AP profile for an AP group or for a specific AP:
• Select the AAA profile you previously configured.
• In the SSID profile, configure the WLAN for 802.1x authentication.
For details on how to complete the above steps, see “Example Configurations” on page 307.
Using the WebUI
This section describes how to create and configure a new instance of an 802.1x authentication profile in the
WebUI or the CLI.
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.
2. In the Profiles list, select 802.1x Authentication Profile.
3. Enter a name for the profile, then click Add.
4. Click Apply.
5. In the Profiles list, select the 802.1x authentication profile you just created.
6. The profile details window includes Basic and Advanced tabs for basic and advanced configuration
settings. Click on one or both of these tabs to configure the 802.1x authentication settings. Table 55
describes the parameters you can configure in the 802.1x authentication profile.
Table 55 802.1x Authentication Profile Basic WebUI Parameters

Basic 802.1x Authentication Profile settings

Max authentication failures
  Number of times a user can try to log in with wrong credentials, after which the user is
  blacklisted as a security threat. Set to 0 to disable blacklisting; otherwise enter a non-zero
  integer to blacklist the user after the specified number of failures. Note that the default of 0
  means failed attempts are never rate-limited by blacklisting.
  Default: 0

Enforce Machine Authentication
  (For Windows environments only) Select this option to enforce machine authentication before user
  authentication. If selected, either the Machine Authentication Default Machine Role or the Machine
  Authentication Default User Role is assigned to the user, depending on which authentication is
  successful. This option is disabled by default.
  Note: This option may require a PEFNG or PEFV license (see license descriptions at “License Types”
  on page 678). The Enforce Machine Authentication checkbox is also available on the Advanced
  settings tab.

Machine Authentication: Default Machine Role
  Select the default role to be assigned to the user after completing only machine authentication.
  Default: guest

Machine Authentication: Default User Role
  Select the default role to be assigned to the user after completing only user authentication (machine
  authentication failed).
  Default: guest

Reauthentication
  Select this option to force the client to do an 802.1x re-authentication after the expiration of the
  default timer for re-authentication. The default value of the timer (Reauthentication Interval) is
  24 hours. If the user fails to re-authenticate with valid credentials, the state of the user is cleared.
  If derivation rules are used to classify 802.1x-authenticated users, then the Reauthentication timer
  per role overrides this setting.
  Default: disabled

Termination
  Select this option to terminate 802.1x authentication on the controller.
  Default: disabled
Termination EAP-Type
  The EAP method, either EAP-PEAP or EAP-TLS.
  Default: eap-peap

Termination Inner EAP-Type
  Select one of the following:
  • EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of
    unencrypted usernames and passwords from client to server; within AAA FastConnect they are
    protected only by the outer PEAP tunnel, which the controller terminates before checking the
    credentials against the LDAP or RADIUS server. The main uses for EAP-GTC are one-time token
    cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can
    also enable caching of user credentials on the controller as a backup to an external
    authentication server.
  • EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Described in
    RFC 2759, this EAP method is widely supported by Microsoft clients.
  Default: eap-mschapv2

Enforce Suite-B 128 bit or more security level Authentication
  Configure Suite-B 128 bit or more security level authentication enforcement.

Enforce Suite-B 192 bit security level Authentication
  Configure Suite-B 192 bit security level authentication enforcement.
Advanced 802.1x Authentication Profile settings

Max authentication failures
  Number of times a user can try to log in with wrong credentials, after which the user is blacklisted
  as a security threat. Set to 0 to disable blacklisting; otherwise enter a non-zero integer to
  blacklist the user after the specified number of failures. The range of allowed values is 0-5
  failures, and the default value is 0 failures.
  Note: This option may require a license (see license descriptions at “License Types” on page 678).

Enforce Machine Authentication
  Select the Enforce Machine Authentication option to require machine authentication. This option is
  also available on the Basic settings tab.
  Note: This option may require a license (see license descriptions at “License Types” on page 678).

Machine Authentication: Default Machine Role
  Default role assigned to the user after completing only machine authentication. The default role for
  this setting is the “guest” role.

Machine Authentication Cache Timeout
  The timeout, in hours, for machine authentication. The allowed range of values is 1-1000 hours, and
  the default value is 24 hours.

Blacklist on Machine Authentication Failure
  Select the Blacklist on Machine Authentication Failure checkbox to blacklist a client if machine
  authentication fails. This setting is disabled by default.

Machine Authentication: Default User Role
  Default role assigned to the user after completing only user authentication (machine authentication
  failed). The default role for this setting is the “guest” role.

Interval between Identity Requests
  Interval, in seconds, between identity request retries. The allowed range of values is 1-65535
  seconds, and the default value is 30 seconds.

Quiet Period after Failed Authentication
  The enforced quiet period interval, in seconds, following failed authentication. The allowed range
  of values is 1-65535 seconds, and the default value is 30 seconds.

Reauthentication Interval
  Interval, in seconds, between reauthentication attempts. The allowed range of values for this
  parameter is 60-864000 seconds, and the default value is 86400 seconds (1 day).
Use Server provided Reauthentication Interval
  Select this option to override any user-defined reauthentication interval and use the
  reauthentication period defined by the authentication server.

Multicast Key Rotation Time Interval
  Interval, in seconds, between multicast key rotations. The allowed range of values for this
  parameter is 60-864000 seconds, and the default value is 1800 seconds.

Unicast Key Rotation Time Interval
  Interval, in seconds, between unicast key rotations. The allowed range of values for this
  parameter is 60-864000 seconds, and the default value is 900 seconds.

Authentication Server Retry Interval
  Server group retry interval, in seconds. The allowed range of values for this parameter is
  5-65535 seconds, and the default value is 30 seconds.

Authentication Server Retry Count
  Maximum number of authentication requests that are sent to the server group. The allowed range
  of values for this parameter is 0-3 requests, and the default value is 2 requests.

Framed MTU
  Sets the framed Maximum Transmission Unit (MTU) attribute sent to the authentication server.
  The allowed range of values for this parameter is 500-1500 bytes, and the default value is
  1100 bytes.

Number of times ID-Requests are retried
  Maximum number of times ID requests are sent to the client. The allowed range of values for this
  parameter is 1-10 retries, and the default value is 3 retries.

Maximum Number of Reauthentication Attempts
  Number of times a user can try to log in with wrong credentials after which the user is
  blacklisted as a security threat. Set to 0 to disable blacklisting; otherwise enter a value
  from 0-5 to blacklist the user after the specified number of failures.
  Note: If changed from its default value, this option may require a license (see license
  descriptions at “License Types” on page 678).

Maximum number of times Held State can be bypassed
  Number of consecutive authentication failures which, when reached, causes the controller to stop
  responding to authentication requests from a client while the controller is in a held state after
  the authentication failure. Before this number is reached, the controller responds to
  authentication requests from the client even while it is in its held state.
  (This parameter is applicable when 802.1x authentication is terminated on the controller, also
  known as AAA FastConnect.)
  The allowed range of values for this parameter is 0-3 failures, and the default value is 0.

Dynamic WEP Key Message Retry Count
  Number of times dynamic WEP key messages are retried. The allowed range of values is 1-5
  retries, and the default value is 3 retries.

Dynamic WEP Key Size
  The default dynamic WEP key size is 128 bits. If desired, you can change this parameter to 40
  bits. The dynamic WEP parameters only take effect on SSIDs whose encryption mode uses dynamic
  WEP; WEP is cryptographically broken and should not be used where WPA2 is available.

Interval between WPA/WPA2 Key Messages
  Interval, in milliseconds, between each WPA key exchange. The allowed range of values is
  1000-5000 ms, and the default value is 3000 ms.

Delay between EAP-Success and WPA2 Unicast Key Exchange
  Delay, in milliseconds, between the EAP-Success message and the start of the WPA2 unicast key
  exchange. The allowed range of values is 0-2000 ms, and the default value is 0 ms (no delay).

Time interval after which the PMKSA will be deleted
  The time interval, in hours, after which the PMKSA (Pairwise Master Key Security Association)
  cache entry is deleted. Range: 1-2000. Default: 8 hours.

Delay between WPA/WPA2 Unicast Key and Group Key Exchange
  Interval, in milliseconds, between the unicast and multicast (group) key exchanges. The allowed
  range of values is 0-2000 ms, and the default value is 0 ms (no delay).
WPA/WPA2 Key Message Retry Count
  Number of times WPA/WPA2 key messages are retried. The allowed range of values for this
  parameter is 1-5 retries, and the default value is 3 retries.

Multicast Key Rotation
  Select this checkbox to enable multicast key rotation. This feature is disabled by default.

Unicast Key Rotation
  Select this checkbox to enable unicast key rotation. This feature is disabled by default.

Reauthentication
  Select the Reauthentication checkbox to force the client to do an 802.1x reauthentication after
  the expiration of the default timer for reauthentication. (The default value of the timer is 24
  hours.) If the user fails to reauthenticate with valid credentials, the state of the user is
  cleared. If derivation rules are used to classify 802.1x-authenticated users, then the
  reauthentication timer per role overrides this setting.
  This option is disabled by default.

Opportunistic Key Caching
  By default, the 802.1x authentication profile allows a cached pairwise master key (PMK), derived
  between a client and an associated AP, to be reused when the client roams to a new AP. This
  allows clients faster roaming without a full 802.1x authentication. Uncheck this option to
  disable this feature.
  Note: Make sure that the wireless client (the 802.1x supplicant) supports this feature. If the
  client does not support this feature, the client will attempt to renegotiate the key whenever it
  roams to a new AP. As a result, the key cached on the controller can be out of sync with the key
  used by the client.

Validate PMKID
  This parameter instructs the controller to check the pairwise master key (PMK) ID sent by the
  client. When this option is enabled, the client must send a PMKID in the associate or reassociate
  frame to indicate that it supports OKC or PMK caching; otherwise, full 802.1x authentication
  takes place.
  Note: This feature is optional, since most clients that support OKC and PMK caching do not send
  the PMKID in their association request.

Use Session Key
  Select the Use Session Key option to use the RADIUS session key as the unicast WEP key. This
  option is disabled by default.

Use Static Key
  Select the Use Static Key option to use a static key as the unicast/multicast WEP key. This
  option is disabled by default.

xSec MTU
  Set the maximum transmission unit (MTU) for frames using the xSec protocol. The range of allowed
  values is 1024-1500 bytes, and the default value is 1300 bytes.

Termination
  Select the Termination checkbox to allow 802.1x authentication to terminate on the controller.
  This option is disabled by default.

Termination EAP-Type
  If termination is enabled, click either EAP-PEAP or EAP-TLS to select an Extensible
  Authentication Protocol (EAP) method.

Termination Inner EAP-Type
  If you are using EAP-PEAP as the EAP method, specify one of the following inner EAP types:
  • eap-gtc: Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames
    and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as
    SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable
    caching of user credentials on the controller as a backup to an external authentication server.
  • eap-mschapv2: Described in RFC 2759, this EAP method is widely supported by Microsoft clients.
Enforce Suite-B 128 bit or more security level Authentication
  Configure Suite-B 128 bit or more security level authentication enforcement.

Enforce Suite-B 192 bit security level Authentication
  Configure Suite-B 192 bit security level authentication enforcement.

Token Caching
  If you select EAP-GTC as the inner EAP method, you can select the Token Caching checkbox to
  enable the controller to cache the username and password of each authenticated user. The
  controller continues to reauthenticate users with the remote authentication server; however, if
  the authentication server is not available, the controller will inspect its cached credentials
  to reauthenticate users. During such an outage a user whose credentials were cached is still
  accepted even if the account has since been disabled on the server, until the Token Caching
  Period expires.
  This option is disabled by default.

Token Caching Period
  If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for
  the cached information. The default value is 24 hours.

CA-Certificate
  Click the CA-Certificate drop-down list and select a certificate for client authentication. The
  CA certificate needs to be loaded in the controller before it will appear on this list.

Server-Certificate
  Click the Server-Certificate drop-down list and select a server certificate the controller will
  use to authenticate itself to the client.

TLS Guest Access
  Select TLS Guest Access to enable guest access for EAP-TLS users with valid certificates. This
  option is disabled by default.

TLS Guest Role
  Click the TLS Guest Role drop-down list and select the default user role for EAP-TLS guest users.
  Note: This option may require a license (see license descriptions at “License Types” on page 678).

Ignore EAPOL-START after authentication
  Select Ignore EAPOL-START after authentication to ignore EAPOL-START messages after
  authentication. This option is disabled by default.

Handle EAPOL-Logoff
  Select Handle EAPOL-Logoff to enable handling of EAPOL-LOGOFF messages. This option is disabled
  by default.

Ignore EAP ID during negotiation
  Select Ignore EAP ID during negotiation to ignore EAP IDs during negotiation. This option is
  disabled by default.

WPA-Fast-Handover
  Select this option to enable WPA fast handover on phones that support this feature. WPA fast
  handover is disabled by default.

Disable rekey and reauthentication for clients on call
  This feature disables rekey and reauthentication for VoWLAN clients. It is disabled by default,
  meaning that rekey and reauthentication are enabled.
  Note: This option may require a license (see license descriptions at “License Types” on page 678).

Check certificate common name against AAA server
  If you use client certificates for user authentication, enable this option to verify that the
  certificate's common name exists on the authentication server. This parameter is enabled by
  default in the default-cap and default-rap 802.1x authentication profiles, and disabled by
  default in all other 802.1x authentication profiles.
7. Click Apply.
Using the CLI
The following command configures settings for an 802.1x authentication profile. Individual parameters are
described in Table 55, above.
aaa authentication dot1x {<profile>|countermeasures}
  ca-cert <certificate>
  clear
  clone <profile>
  eapol-logoff
  framed-mtu <mtu>
  heldstate-bypass-counter <number>
  ignore-eap-id-match
  ignore-eapolstart-afterauthentication
  machine-authentication blacklist-on-failure|{cache-timeout <hours>}|enable|
    {machine-default-role <role>}|{user-default-role <role>}
  max-authentication-failures <number>
  max-requests <number>
  multicast-keyrotation
  no ...
  opp-key-caching
  reauth-max <number>
  reauthentication
  server {server-retry <number>|server-retry-period <seconds>}
  server-cert <certificate>
  termination {eap-type <type>}|enable|enable-token-caching|
    {inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period <hours>}
  timer {idrequest_period <seconds>}|{mkey-rotation-period <seconds>}|{quiet-period <seconds>}|
    {reauth-period <seconds>}|{ukey-rotation-period <seconds>}|
    {wpa-groupkey-delay <milliseconds>}|{wpa-key-period <milliseconds>}
  tls-guest-access
  tls-guest-role <role>
  unicast-keyrotation
  use-session-key
  use-static-key
  validate-pmkid
  voice-aware
  wep-key-retries <number>
  wep-key-size {40|128}
  wpa-fast-handover
  wpa-key-retries <number>
  xSec-mtu <mtu>
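The following configuration ties the six steps of “Configuring 802.1x Authentication” together on the CLI, using the parameters from Table 55 and the machine-authentication roles later shown in Table 56. It is an added example, not configuration taken from this guide or supplied by Aruba: the VLAN number, the RADIUS server address, the shared-secret placeholder and every profile, group and AP-group name (rad-srv1, dot1x-grp, dot1x-corp, aaa-corp, corp-aps) are assumptions, and the roles dot1x_user, dot1x_mc and guest are assumed to exist already. Only the ESSID WLAN-01 comes from the page.

```aruba
! Step 1: VLAN for authenticated users (assumed VLAN 60)
vlan 60
!
! Step 3: external 802.1x RADIUS server and server group
! (assumed address; replace the shared-secret placeholder)
aaa authentication-server radius rad-srv1
  host 10.1.1.21
  key <shared-secret>
!
aaa server-group dot1x-grp
  auth-server rad-srv1
!
! Step 5: 802.1x authentication profile. Termination stays disabled so the EAP
! exchange is relayed to the RADIUS server rather than ended on the controller.
! Blacklist after 3 failed attempts (range 0-5; the default 0 never blacklists),
! reauthenticate every 86400 s, and enforce machine authentication with the
! Table 56 roles: machine-only -> dot1x_mc, user-only -> guest.
aaa authentication dot1x dot1x-corp
  max-authentication-failures 3
  reauthentication
  timer reauth-period 86400
  machine-authentication enable
  machine-authentication machine-default-role dot1x_mc
  machine-authentication user-default-role guest
  machine-authentication blacklist-on-failure
!
! Step 4 and step 2: AAA profile binding the 802.1x profile, the server group and
! the default role (dot1x_user) assigned when both machine and user auth pass and
! the server returns no derived role.
aaa profile aaa-corp
  authentication-dot1x dot1x-corp
  dot1x-server-group dot1x-grp
  dot1x-default-role dot1x_user
!
! Step 6: SSID profile using WPA2/AES only (no dynamic WEP, no TKIP), and the
! virtual AP that carries the AAA profile and the VLAN from step 1.
wlan ssid-profile WLAN-01
  essid WLAN-01
  opmode wpa2-aes
!
wlan virtual-ap WLAN-01
  ssid-profile WLAN-01
  aaa-profile aaa-corp
  vlan 60
!
ap-group corp-aps
  virtual-ap WLAN-01
```

After applying, show aaa authentication dot1x dot1x-corp and show aaa profile aaa-corp display the settings that were accepted, and show user-table lists the role actually assigned to each connected client, which is the quickest way to confirm the Table 56 outcome for a given machine and user combination.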
Configuring and Using Certificates with AAA FastConnect
The controller supports 802.1x authentication using digital certificates for AAA FastConnect.
• Server Certificate—A server certificate installed in the controller verifies the authenticity of the
controller for 802.1x authentication. Aruba controllers ship with a demonstration digital certificate.
Until you install a customer-specific server certificate in the controller, this demonstration certificate is
used by default for all secure HTTP connections (such as the WebUI and captive portal) and AAA
FastConnect. This certificate is included primarily for the purposes of feature demonstration and
convenience and is not intended for long-term use in production networks. Users in a production
environment are urged to obtain and install a certificate issued for their site or domain by a well-known
certificate authority (CA). You can generate a Certificate Signing Request (CSR) on the controller to
submit to a CA. For information on how to generate a CSR and how to import the CA-signed certificate
into the controller, see “Managing Certificates” on page 603.
• Client Certificates—Client certificates are verified on the controller (the client certificate must be signed
by a known CA) before the user name is checked on the authentication server. Any certificate that chains
to the selected CA passes this first check, so the CA you import should be one that issues certificates
only to your own clients; the Check certificate common name against AAA server option in Table 55
additionally confirms the certificate identity on the server. To use client certificate authentication for
AAA FastConnect, you need to import the following certificates into the controller (see “Importing
Certificates” on page 605):
  • Controller’s server certificate
  • CA certificate for the CA that signed the client certificates
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.
2. In the Profiles list, select 802.1x Authentication Profile.
3. Select the “default” 802.1x authentication profile from the drop-down menu to display configuration
parameters.
4. In the Basic tab, select Termination.
5. Select the Advanced Tab.
6. In the Server-Certificate field, select the server certificate imported into the controller.
7. In the CA-Certificate field, select the CA certificate imported into the controller.
8. Click Save As. Enter a name for the 802.1x authentication profile.
9. Click Apply.
Using the CLI
aaa authentication dot1x <profile>
termination enable
server-cert <certificate>
ca-cert <certificate>
Configuring User and Machine Authentication
When a Windows device boots, it logs onto the network domain using a machine account. Within the
domain, the device is authenticated before computer group policies and software settings can be executed;
this process is known as machine authentication. Machine authentication ensures that only authorized
devices are allowed on the network.
You can configure 802.1x for both user and machine authentication (select the Enforce Machine
Authentication option described in Table 55 on page 299). This tightens the authentication process further
since both the device and user need to be authenticated.
Role Assignment with Machine Authentication Enabled
When you enable machine authentication, there are two additional roles you can define in the 802.1x
authentication profile:
• Machine authentication default machine role
• Machine authentication default user role
While you can select the same role for both options, you should define the roles as per the policies that need
to be enforced. Also, these roles can be different from the 802.1x authentication default role configured in
the AAA profile.
With machine authentication enabled, the assigned role depends upon the success or failure of the machine
and user authentications. In certain cases, the role that is ultimately assigned to a client can also depend
upon attributes returned by the authentication server or server derivation rules configured on the
controller.
Table 56 describes role assignment based on the results of the machine and user authentications.
Table 56 Role Assignment for User and Machine Authentication

Machine Auth Status: Failed; User Auth Status: Failed
  Description: Both machine authentication and user authentication failed. L2 authentication failed.
  Role Assigned: No role assigned. No access to the network allowed.

Machine Auth Status: Failed; User Auth Status: Passed
  Description: Machine authentication fails (for example, the machine information is not present on the
  server) and user authentication succeeds. Server-derived roles do not apply.
  Role Assigned: Machine authentication default user role configured in the 802.1x authentication profile.

Machine Auth Status: Passed; User Auth Status: Failed
  Description: Machine authentication succeeds and user authentication has not been initiated.
  Server-derived roles do not apply.
  Role Assigned: Machine authentication default machine role configured in the 802.1x authentication
  profile.

Machine Auth Status: Passed; User Auth Status: Passed
  Description: Both machine and user are successfully authenticated. If there are server-derived roles,
  the role assigned via the derivation takes precedence. This is the only case where server-derived roles
  are applied.
  Role Assigned: A role derived from the authentication server takes precedence. Otherwise, the 802.1x
  authentication default role configured in the AAA profile is assigned.
For example, if the following roles are configured:
• 802.1x authentication default role (in AAA profile): dot1x_user
• Machine authentication default machine role (in 802.1x authentication profile): dot1x_mc
• Machine authentication default user role (in 802.1x authentication profile): guest
Role assignments would be as follows:
• If both machine and user authentication succeed, the role is dot1x_user. If there is a server-derived role,
the server-derived role takes precedence.
• If only machine authentication succeeds, the role is dot1x_mc.
• If only user authentication succeeds, the role is guest.
• On failure of both machine and user authentication, the user does not have access to the network.
With machine authentication enabled, the VLAN to which a client is assigned (and from which the client
obtains its IP address) depends upon the success or failure of the machine and user authentications. The
VLAN that is ultimately assigned to a client can also depend upon attributes returned by the authentication
server or server derivation rules configured on the controller (see “About VLAN Assignments” on page 66).
If machine authentication is successful, the client is assigned the VLAN configured in the virtual AP profile.
However, the client can be assigned a derived VLAN upon successful user authentication.
You can optionally assign a VLAN as part of a user role configuration. You should not use VLAN derivation if you
configure user roles with VLAN assignments.
Table 57 describes VLAN assignment based on the results of the machine and user authentications when
VLAN derivation is used.
Table 57 VLAN Assignment for User and Machine Authentication

Machine Auth Status: Failed; User Auth Status: Failed
  Description: Both machine authentication and user authentication failed. L2 authentication failed.
  VLAN Assigned: No VLAN

Machine Auth Status: Failed; User Auth Status: Passed
  Description: Machine authentication fails (for example, the machine information is not present on the
  server) and user authentication succeeds.
  VLAN Assigned: VLAN configured in the virtual AP profile

Machine Auth Status: Passed; User Auth Status: Failed
  Description: Machine authentication succeeds and user authentication has not been initiated.
  VLAN Assigned: VLAN configured in the virtual AP profile

Machine Auth Status: Passed; User Auth Status: Passed
  Description: Both machine and user are successfully authenticated.
  VLAN Assigned: Derived VLAN. Otherwise, VLAN configured in the virtual AP profile.
In bridge mode, the administrator can also associate a VLAN ID with a client's data traffic based on the
authentication credentials.
Example Configurations
The following examples show basic configurations on the controller for:
• “Authentication with an 802.1x RADIUS Server” on page 307
• “Authentication with the Controller’s Internal Database” on page 317
In the following examples:
• Wireless clients associate to the ESSID WLAN-01.
• The following roles allow different network access capabilities:
  • student
  • faculty
  • guest
  • system administrators
The examples show how to configure using the WebUI and CLI commands.
Authentication with an 802.1x RADIUS Server
• An EAP-compliant RADIUS server provides the 802.1x authentication. The RADIUS server administrator
must configure the server to support this authentication. The administrator must also configure the
server to allow communications with the Aruba controller.
• The authentication type is WPA. From the 802.1x authentication exchange, the client and the controller
derive dynamic keys to encrypt data transmitted on the wireless network.
• 802.1x authentication based on PEAP with MS-CHAPv2 provides both computer and user
authentication. If a user attempts to log in without the computer being authenticated first, the user is
placed into a more limited “guest” user role.
Windows domain credentials are used for computer authentication, and the user’s Windows login and
password are used for user authentication. A single user sign-on facilitates both authentication to the
wireless network and access to the Windows server resources.
Appendix D, “802.1x Configuration for IAS and Windows Clients” describes how to configure the Microsoft Internet
Authentication Server and Windows XP wireless client to operate with the controller configuration shown in this
section.
Configuring Roles and Policies
You can create the following policies and user roles for:
• Student
• Faculty
• Guest
• Sysadmin
• Computer
Creating the student role and policy
The student policy prevents students from using telnet, POP3, FTP, SMTP, SNMP, or SSH to the wired
portion of the network. The student policy is mapped to the student user role.
Using the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page. Select Add to add the
student policy.
2. For Policy Name, enter student.
3. For Policy Type, select IPv4 Session.
4. Under Rules, select Add to add rules for the policy.
a. Under Source, select user.
b. Under Destination, select alias.
The following step defines an alias representing all internal network addresses. Once defined, you can use the alias
for other rules and policies.
c. Under the alias selection, click New. For Destination Name, enter “Internal Network”. Click Add to
add a rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range,
enter 255.0.0.0. Click Add to add the network range. Repeat these steps to add the network range
172.16.0.0 255.255.0.0. Click Done. The alias “Internal Network” appears in the Destination menu.
d. Under Destination, select Internal Network.
e. Under Service, select service. In the Service scrolling list, select svc-telnet.
f. Under Action, select drop.
g. Click Add.
5. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select alias. Then select Internal Network.
c. Under Service, select service. In the Service scrolling list, select svc-pop3.
d. Under Action, select drop.
e. Click Add.
6. Repeat steps 4A-E to create rules for the following services: svc-ftp, svc-smtp, svc-snmp, and svc-ssh.
7. Click Apply.
8. Click the User Roles tab. Click Add to create the student role.
9. For Role Name, enter student.
10. Under Firewall Policies, click Add. In Choose from Configured Policies, select the student policy you
previously created. Click Done.
11. Click Apply.
Using the CLI
netdestination "Internal Network"
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.255.0.0
ip access-list session student
  user alias "Internal Network" svc-telnet deny
  user alias "Internal Network" svc-pop3 deny
  user alias "Internal Network" svc-ftp deny
  user alias "Internal Network" svc-smtp deny
  user alias "Internal Network" svc-snmp deny
  user alias "Internal Network" svc-ssh deny
user-role student
  session-acl student
  session-acl allowall
Creating the faculty role and policy
The faculty policy is similar to the student policy, however faculty members are allowed to use POP3 and
SMTP for VPN remote access from home. (Students are not permitted to use VPN remote access.) The
faculty policy is mapped to the faculty user role.
Using the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page. Click Add to add the
faculty policy.
2. For Policy Name, enter faculty.
3. For Policy Type, select IPv4 Session.
4. Under Rules, click Add to add rules for the policy.
a. Under Source, select user.
b. Under Destination, select alias, then select Internal Network.
c. Under Service, select service. In the Service scrolling list, select svc-telnet.
d. Under Action, select drop.
e. Click Add.
f. Repeat steps A-E to create rules for the following services: svc-ftp, svc-snmp, and svc-ssh.
5. Click Apply.
6. Select the User Roles tab. Click Add to create the faculty role.
7. For Role Name, enter faculty.
8. Under Firewall Policies, click Add. In Choose from Configured Policies, select the faculty policy you
previously created. Click Done.
Using the CLI
ip access-list session faculty
  user alias "Internal Network" svc-telnet deny
  user alias "Internal Network" svc-ftp deny
  user alias "Internal Network" svc-snmp deny
  user alias "Internal Network" svc-ssh deny
user-role faculty
  session-acl faculty
  session-acl allowall
Creating the guest role and policy
The guest policy permits only access to the Internet (via HTTP or HTTPS) and only during daytime working
hours. The guest policy is mapped to the guest user role.
Using the WebUI
1. Navigate to the Configuration > Security > Access Control > Time Ranges page to define the time
range “working-hours”. Click Add.
a. For Name, enter working-hours.
b. For Type, select Periodic.
c. Click Add.
d. For Start Day, click Weekday.
e. For Start Time, enter 07:30.
f. For End Time, enter 17:00.
g. Click Done.
h. Click Apply.
2. Click the Policies tab. Click Add to add the guest policy.
3. For Policy Name, enter guest.
4. For Policy Type, select IPv4 Session.
5. Under Rules, click Add to add rules for the policy.
To create rules to permit access to DHCP and DNS servers during working hours:
a. Under Source, select user.
b. Under Destination, select host. In Host IP, enter 10.1.1.25.
c. Under Service, select service. In the Service scrolling list, select svc-dhcp.
d. Under Action, select permit.
e. Under Time Range, select working-hours.
f. Click Add.
g. Repeat steps A-F to create a rule for svc-dns.
To create a rule to deny access to the internal network:
a. Under Source, select user.
b. Under Destination, select alias. Select Internal Network.
c. Under Service, select any.
d. Under Action, select drop.
e. Click Add.
To create rules to permit HTTP and HTTPS access during working hours:
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select service. In the Services scrolling list, select svc-http.
d. Under Action, select permit.
e. Under Time Range, select working-hours.
f. Click Add.
g. Repeat steps A-F for the svc-https service.
To create a rule that denies the user access to all destinations and all services:
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select any.
d. Under Action, select drop.
e. Click Add.
6. Click Apply.
7. Click the User Roles tab. Click Add to create the guest role.
8. For Role Name, enter guest.
9. Under Firewall Policies, click Add. In Choose from Configured Policies, select the guest policy you
previously created. Click Done.
Using the CLI
time-range working-hours periodic
weekday 07:30 to 17:00
ip access-list session guest
user host 10.1.1.25 svc-dhcp permit time-range working-hours
user host 10.1.1.25 svc-dns permit time-range working-hours
user alias “Internal Network” any deny
user any svc-http permit time-range working-hours
user any svc-https permit time-range working-hours
user any any deny
user-role guest
session-acl guest
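How the controller walks the guest policy above is easiest to see by running it against a few flows. The following model is an added example, not code from this guide or from ArubaOS: it transcribes the guest session ACL and the working-hours time range, assumes the protocol and port behind each predefined service alias, and evaluates constructed flows with first-match semantics, where a rule carrying a time range is simply inactive outside that range. The timestamps and destination addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example: a model of how the controller walks a session ACL.
# Rules are evaluated top-down, the first matching rule wins, and a rule
# carrying a time range is only active while the current time falls inside
# that range (inactive rules are skipped, not treated as deny).

# The "Internal Network" alias exactly as the guide's netdestination defines it.
ALIASES = {
    "Internal Network": [ipaddress.ip_network("10.0.0.0/8"),
                         ipaddress.ip_network("172.16.0.0/16")],
}

# Protocol/port assumed for the controller's predefined service aliases.
SERVICES = {
    "svc-dhcp":  ("udp", 67),
    "svc-dns":   ("udp", 53),
    "svc-http":  ("tcp", 80),
    "svc-https": ("tcp", 443),
}


def working_hours(when: datetime) -> bool:
    """time-range working-hours periodic / weekday 07:30 to 17:00"""
    if when.weekday() > 4:                      # Saturday or Sunday
        return False
    minutes = when.hour * 60 + when.minute
    return 7 * 60 + 30 <= minutes < 17 * 60


TIME_RANGES = {"working-hours": working_hours}


@dataclass(frozen=True)
class Rule:
    dest: str                    # "any", "host:<ip>" or "alias:<name>"
    service: str                 # a key of SERVICES, or "any"
    action: str                  # "permit" or "deny"
    time_range: Optional[str] = None

    def dest_matches(self, ip: ipaddress.IPv4Address) -> bool:
        kind, _, value = self.dest.partition(":")
        if kind == "any":
            return True
        if kind == "host":
            return ip == ipaddress.ip_address(value)
        if kind == "alias":
            return any(ip in net for net in ALIASES[value])
        raise ValueError(f"unknown destination {self.dest!r}")

    def service_matches(self, proto: str, port: int) -> bool:
        return self.service == "any" or SERVICES[self.service] == (proto, port)


# "ip access-list session guest", transcribed from the CLI block above.
GUEST_POLICY = [
    Rule("host:10.1.1.25", "svc-dhcp", "permit", "working-hours"),
    Rule("host:10.1.1.25", "svc-dns", "permit", "working-hours"),
    Rule("alias:Internal Network", "any", "deny"),
    Rule("any", "svc-http", "permit", "working-hours"),
    Rule("any", "svc-https", "permit", "working-hours"),
    Rule("any", "any", "deny"),
]


def evaluate(policy, dst: str, proto: str, port: int, when: datetime):
    """Return (action, rule_index) for the first active matching rule.
    No match falls through to deny, the controller's implicit default."""
    ip = ipaddress.ip_address(dst)
    for index, rule in enumerate(policy):
        if rule.time_range and not TIME_RANGES[rule.time_range](when):
            continue                            # rule is inactive right now
        if rule.dest_matches(ip) and rule.service_matches(proto, port):
            return rule.action, index
    return "deny", None


# Constructed sample flows: a Tuesday inside and outside working hours,
# and a documentation address (TEST-NET-2) standing in for the Internet.
TUESDAY_10AM = datetime(2011, 6, 14, 10, 0)
TUESDAY_8PM = datetime(2011, 6, 14, 20, 0)
INTERNET_HOST = "198.51.100.10"


def sample_decisions():
    return {
        "dhcp during hours": evaluate(GUEST_POLICY, "10.1.1.25", "udp", 67, TUESDAY_10AM),
        "dhcp after hours": evaluate(GUEST_POLICY, "10.1.1.25", "udp", 67, TUESDAY_8PM),
        "https to internet": evaluate(GUEST_POLICY, INTERNET_HOST, "tcp", 443, TUESDAY_10AM),
        "http to internal host": evaluate(GUEST_POLICY, "10.1.5.5", "tcp", 80, TUESDAY_10AM),
        "ssh to internet": evaluate(GUEST_POLICY, INTERNET_HOST, "tcp", 22, TUESDAY_10AM),
    }


if __name__ == "__main__":
    for flow, (action, index) in sample_decisions().items():
        print(f"{flow:24s} -> {action} (rule {index})")
```

Two results are worth noticing. The after-hours DHCP request is denied by the Internal Network rule, not by an explicit rule, so guests cannot even obtain an address outside working hours. The HTTP request to an internal host is dropped because the Internal Network deny precedes the svc-http permit; swapping those two rules would expose internal web servers to guests.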
Creating roles and policies for sysadmin and computer
The allowall policy, a predefined policy, allows unrestricted access to the network. The allowall policy
is mapped to both the sysadmin user role and the computer user role.
Using the WebUI to create the sysadmin role
1. Navigate to Configuration > Security > Access Control > User Roles page. Click Add to create the
sysadmin role.
2. For Role Name, enter sysadmin.
3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall
policy. Click Done.
4. Click Apply.
Using the CLI to create the sysadmin role
user-role sysadmin
session-acl allowall
Using the WebUI to create the computer role
1. Navigate to Configuration > Security > Access Control > User Roles page. Click Add to create the
computer role.
2. For Role Name, enter computer.
3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall
policy. Click Done.
4. Click Apply.
Using the CLI to create the computer role
user-role computer
session-acl allowall
Creating an alias for the internal network using CLI
netdestination “Internal Network”
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
Configuring the RADIUS Authentication Server
Configure the RADIUS server IAS1, with IP address 10.1.1.21 and a shared key. The RADIUS server is
configured to send an attribute called Class to the controller; the value of this attribute is set to either
"student", "faculty", or "sysadmin" to identify the user's group. The controller uses the literal value of this
attribute as the role name, so the value returned by the server must match the name of a configured user role.
On the controller, you add the configured server (IAS1) into a server group. For the server group, you
configure the server rule that allows the Class attribute returned by the server to set the user role.
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. In the Servers list, select Radius Server. In the RADIUS Server Instance list, enter IAS1 and click Add.
a. Select IAS1 to display configuration parameters for the RADIUS server.
b. For IP Address, enter 10.1.1.21.
c. For Key, enter |*a^t%183923!. (You must enter the key string twice.)
d. Click Apply.
3. In the Servers list, select Server Group. In the Server Group Instance list, enter IAS and click Add.
a. Select the server group IAS to display configuration parameters for the server group.
b. Under Servers, click New.
c. From the Server Name drop-down menu, select IAS1. Click Add Server.
4. Under Server Rules, click New.
a. For Condition, enter Class.
b. For Attribute, select value-of from the drop-down menu.
c. For Operand, select set role.
d. Click Add.
5. Click Apply.
Using the CLI
aaa authentication-server radius IAS1
host 10.1.1.21
key |*a^t%183923!
aaa server-group IAS
auth-server IAS1
set role condition Class value-of
Configure 802.1x Authentication
An AAA profile specifies the 802.1x authentication profile and 802.1x server group to be used for
authenticating clients for a WLAN. The AAA profile also specifies the default user roles for 802.1x and MAC
authentication.
In the 802.1x authentication profile, configure enforcement of machine authentication before user
authentication. If a user attempts to log in without machine authentication taking place first, the user is
placed in the limited guest role.
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.
2. Select 802.1x Authentication Profile.
a. In the list of instances, enter dot1x, then click Add.
b. Select the profile name you just added.
c. Select Enforce Machine Authentication.
d. For the Machine Authentication: Default Machine Role, select computer.
e. For the Machine Authentication: Default User Role, select guest.
f. Click Apply.
3. Select the AAA Profiles tab.
a. In the AAA Profiles Summary, click Add to add a new profile.
b. Enter aaa_dot1x, then click Add.
c. Select the profile name you just added.
d. For MAC Auth Default Role, select computer.
e. For 802.1x Authentication Default Role, select faculty.
f. Click Apply.
4. In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication Profile.
a. From the drop-down menu, select the dot1x 802.1x authentication profile you configured previously.
b. Click Apply.
5. In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication Server Group.
a. From the drop-down menu, select the IAS server group you created previously.
b. Click Apply.
Using the CLI
aaa authentication dot1x dot1x
machine-authentication enable
machine-authentication machine-default-role computer
machine-authentication user-default-role guest
aaa profile aaa_dot1x
dot1x-default-role faculty
mac-default-role computer
authentication-dot1x dot1x
dot1x-server-group IAS
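The server rule set role condition Class value-of and the machine-authentication defaults above together decide which role a client ends up in. The following is an added example, not controller code: it decodes the attribute section of a constructed RADIUS Access-Accept, applies the value-of rule against the roles configured in this chapter, and combines the result with the Enforce Machine Authentication settings of the dot1x profile. The same derivation applies to the internal database's set role condition Role value-of rule later in this chapter. Two points are this example's assumptions rather than documented behaviour: role names are compared exactly, and a Class value that is not a configured role leaves the client in the profile's default role; confirm both on your controller.

```python
# Added example: RADIUS attribute decoding plus the role derivation that the
# guide configures with "set role condition Class value-of" and the
# machine-authentication defaults of the 802.1x profile.

ATTR_CLASS = 25            # RADIUS Class attribute (RFC 2865)
ATTR_SESSION_TIMEOUT = 27  # included only so the sample packet has >1 attribute


def encode_attribute(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data: bytes):
    """Decode an attribute section into (type, value) pairs. Truncated or
    zero-length TLVs raise instead of being skipped, so a malformed packet
    can never silently drop the attribute that carries the role."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def is_well_formed(data: bytes) -> bool:
    try:
        parse_attributes(data)
        return True
    except ValueError:
        return False


# The user roles this chapter creates.
CONFIGURED_ROLES = {"student", "faculty", "sysadmin", "computer", "guest"}


def role_from_class(attrs, default_role: str) -> str:
    """'set role condition Class value-of': the literal attribute value is the
    role name. Assumption: an unrecognised value falls back to the default role,
    and the first Class attribute wins if the server sends several."""
    for atype, value in attrs:
        if atype == ATTR_CLASS:
            candidate = value.decode("utf-8", errors="replace")
            return candidate if candidate in CONFIGURED_ROLES else default_role
    return default_role


def assign_role(machine_authenticated: bool, user_attrs, *,
                machine_default_role="computer", user_default_role="guest",
                dot1x_default_role="faculty"):
    """Role assignment with Enforce Machine Authentication, using the guide's values:
    machine auth only            -> Default Machine Role (computer)
    user auth, no machine auth   -> Default User Role (guest)
    machine auth then user auth  -> server-derived role, else 802.1x default role"""
    if user_attrs is None:
        # Machine account only. Neither side authenticated is not described by
        # the guide; this model grants no role (None) in that case.
        return machine_default_role if machine_authenticated else None
    if not machine_authenticated:
        return user_default_role
    return role_from_class(user_attrs, dot1x_default_role)


# Constructed Access-Accept attribute sections (not captured traffic).
ACCEPT_FACULTY = (encode_attribute(ATTR_CLASS, b"faculty")
                  + encode_attribute(ATTR_SESSION_TIMEOUT, (3600).to_bytes(4, "big")))
ACCEPT_BAD_CASE = encode_attribute(ATTR_CLASS, b"Sysadmin")
ACCEPT_NO_CLASS = encode_attribute(ATTR_SESSION_TIMEOUT, (3600).to_bytes(4, "big"))


def sample_assignments():
    return {
        "machine then user, Class=faculty": assign_role(True, parse_attributes(ACCEPT_FACULTY)),
        "user without machine auth": assign_role(False, parse_attributes(ACCEPT_FACULTY)),
        "machine account only": assign_role(True, None),
        "Class value not a configured role": assign_role(True, parse_attributes(ACCEPT_BAD_CASE)),
        "no Class attribute": assign_role(True, parse_attributes(ACCEPT_NO_CLASS)),
    }


if __name__ == "__main__":
    for case, role in sample_assignments().items():
        print(f"{case:36s} -> {role}")
```

The "Class value not a configured role" case is the one that bites in practice: a server that returns Sysadmin where the controller has sysadmin silently lands the administrator in the 802.1x default role, which in this chapter is faculty. Check the role the controller actually assigned rather than assuming the server's answer was honoured.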
Configure VLANs
In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to
VLAN 63. VLANs 60 and 61 split users into smaller IP subnetworks, improving performance by decreasing
broadcast traffic. The VLANs are internal to the Aruba controller only and do not extend into other parts of
the wired network. The clients’ default gateway is the Aruba controller, which routes traffic out to the
10.1.1.0 subnetwork.
You configure the VLANs, assign IP addresses to each VLAN, and establish the “helper address” to which
client DHCP requests are forwarded.
Using the WebUI
1. Navigate to the Configuration > Network > VLANs page. Click Add to add VLAN 60.
a. For VLAN ID, enter 60.
b. Click Apply.
c. Repeat steps A and B to add VLANs 61 and 63.
2. To configure IP parameters for the VLANs, navigate to the Configuration > Network > IP > IP
Interfaces page.
a. Click Edit for VLAN 60.
b. For IP Address, enter 10.1.60.1.
c. For Net Mask, enter 255.255.255.0.
d. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
e. Click Apply.
3. In the IP Interfaces page, click Edit for VLAN 61.
a. For IP Address, enter 10.1.61.1.
b. For Net Mask, enter 255.255.255.0.
c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
d. Click Apply.
4. In the IP Interfaces page, click Edit for VLAN 63.
a. For IP Address, enter 10.1.63.1.
b. For Net Mask, enter 255.255.255.0.
c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
d. Click Apply.
5. Select the IP Routes tab.
a. For Default Gateway, enter 10.1.1.254.
b. Click Apply.
Using the CLI
vlan 60
interface vlan 60
ip address 10.1.60.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 61
interface vlan 61
ip address 10.1.61.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 63
interface vlan 63
ip address 10.1.63.1 255.255.255.0
ip helper-address 10.1.1.25
ip default-gateway 10.1.1.254
Configuring the WLANs
In this example, default AP parameters for the entire network are as follows: the default ESSID is WLAN-01
and the encryption mode is TKIP. A second ESSID called "guest" has the encryption mode set to static WEP
with a configured WEP key. Static WEP and TKIP appear here only because this example uses them; both are
cryptographically broken and should not be deployed on a new network. Where clients support it, use WPA2
with AES (opmode wpa2-aes) instead.
In this example, the non-guest clients that associate to an AP are mapped into one of two different user
VLANs. The initial AP to which the client associates determines the VLAN: clients that associate to APs in
the first floor of the building are mapped to VLAN 60 and clients that associate to APs in the second floor of
the building are mapped to VLAN 61. Therefore, the APs in the network are segregated into two AP groups,
named “first-floor” and “second-floor”. (See “Creating an AP group” on page 113 for information about
creating AP groups.) The guest clients are mapped into VLAN 63.
Configuring the Guest WLAN
You create and configure the virtual AP profile “guest” and apply the profile to each AP group. The “guest”
virtual AP profile contains the SSID profile “guest” which configures static WEP with a WEP key.
Using the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, click Edit for first-floor.
3. Under Profiles, select Wireless LAN, then select Virtual AP.
4. To create the guest virtual AP:
a. Select NEW from the Add a profile drop-down menu. Enter guest, and click Add.
b. In the Profile Details entry for the guest virtual AP profile, select NEW from the SSID profile dropdown menu. A pop-up window allows you to configure the SSID profile.
c. For the name for the SSID profile enter guest.
d. For the Network Name for the SSID, enter guest.
e. For Network Authentication, select None.
f. For Encryption, select WEP.
g. Enter the WEP Key.
h. Click Apply to apply the SSID profile to the Virtual AP.
i. Under Profile Details, click Apply.
5. Click on the guest virtual AP name in the Profiles list or in Profile Details to display configuration
parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select 63.
c. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page.
7. In the AP Group list, click Edit for the second-floor.
8. In the Profiles list, select Wireless LAN, then select Virtual AP.
9. Select guest from the Add a profile drop-down menu. Click Add.
10. Click Apply.
Using the CLI
wlan ssid-profile guest
essid guest
wepkey1 aaaaaaaaaa
opmode static-wep
wlan virtual-ap guest
vlan 63
ssid-profile guest
ap-group first-floor
virtual-ap guest
ap-group second-floor
virtual-ap guest
Configuring the Non-Guest WLANs
You create and configure the SSID profile “WLAN-01” with the ESSID “WLAN-01” and WPA TKIP
encryption. You need to create and configure two virtual AP profiles: one with VLAN 60 for the first-floor
AP group and the other with VLAN 61 for the second-floor AP group. Each virtual AP profile references the
SSID profile “WLAN-01” and the previously-configured AAA profile “aaa_dot1x”.
Using the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, click Edit for the first-floor.
3. In the Profiles list, select Wireless LAN, then select Virtual AP.
4. To configure the WLAN-01_first-floor virtual AP:
a. Select NEW from the Add a profile drop-down menu. Enter WLAN-01_first-floor, and click Add.
b. In the Profile Details entry for the WLAN-01_first-floor virtual AP profile, select the aaa_dot1x AAA
profile you previously configured. A pop-up window displays the configured AAA profile parameters.
Click Apply in the pop-up window.
c. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the
SSID profile.
d. Enter WLAN-01 for the name of the SSID profile.
e. For Network Name, enter WLAN-01.
f. For Network Authentication, select WPA.
g. Click Apply in the pop-up window.
h. At the bottom of the Profile Details page, click Apply.
5. Click on the WLAN-01_first-floor virtual AP name in the Profiles list or in Profile Details to display
configuration parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select 60.
c. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page.
7. In the AP Group list, click Edit for the second-floor.
8. In the Profiles list, select Wireless LAN, then select Virtual AP.
9. To configure the WLAN-01_second-floor virtual AP:
a. Select NEW from the Add a profile drop-down menu. Enter WLAN-01_second-floor, and click Add.
b. In the Profile Details entry for the virtual AP profile, select aaa_dot1x from the AAA profile dropdown menu. A pop-up window displays the configured AAA profile parameters. Click Apply in the
pop-up window.
c. From the SSID profile drop-down menu, select WLAN-01. A pop-up window displays the configured
SSID profile parameters. Click Apply in the pop-up window.
d. At the bottom of the Profile Details page, click Apply.
10. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration
parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select 61.
c. Click Apply.
Using the CLI
wlan ssid-profile WLAN-01
essid WLAN-01
opmode wpa-tkip
wlan virtual-ap WLAN-01_first-floor
vlan 60
aaa-profile aaa_dot1x
ssid-profile WLAN-01
wlan virtual-ap WLAN-01_second-floor
vlan 61
aaa-profile aaa_dot1x
ssid-profile WLAN-01
ap-group first-floor
virtual-ap WLAN-01_first-floor
ap-group second-floor
virtual-ap WLAN-01_second-floor
Authentication with the Controller’s Internal Database
In the following example:
• The controller's internal database provides user authentication.
• The authentication type is WPA. From the 802.1x authentication exchange, the client and the controller
derive dynamic keys to encrypt data transmitted on the wireless network.
Configuring the Internal Database
Configure the internal database with the username, password, and role (student, faculty, or sysadmin) for
each user. There is a default internal server group that includes the internal database. For the internal
server group, configure a server derivation rule that assigns the role to the authenticated client.
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. In the Servers list, select Internal DB.
3. Under Users, click Add User to add users.
4. For each user, enter a username and password.
5. Select the Role for each user (if a role is not specified, the default role is guest).
6. Select the expiration time for the user account in the internal database.
7. Click Apply.
Using the CLI
Use the privileged mode in the CLI to configure users in the controller's internal database. The role
keyword sets the role (student, faculty, or sysadmin) that the server rule below assigns to the user.
local-userdb add username <user> password <password> role <role>
Configuring a server rule using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Select the internal server group.
4. Under Server Rules, click New to add a server derivation rule.
a. For Condition, enter Role.
b. Select value-of from the drop-down menu.
c. Select Set Role from the drop-down menu.
d. Click Add.
5. Click Apply.
Configuring a server rule using the CLI
aaa server-group internal
set role condition Role value-of
Configure 802.1x Authentication
An AAA profile specifies the 802.1x authentication profile and 802.1x server group to be used for
authenticating clients for a WLAN. The AAA profile also specifies the default user role for 802.1x
authentication.
For this example, you enable both 802.1x authentication and termination on the controller.
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. In the
profiles list, select 802.1x Authentication Profile.
a. In the Instance list, enter dot1x, then click Add.
b. Select the dot1x profile you just created.
c. Select Termination.
The defaults for EAP Method and Inner EAP Method are EAP-PEAP and EAP-MSCHAPv2, respectively.
d. Click Apply.
2. Select the AAA Profiles tab.
a. In the AAA Profiles Summary, click Add to add a new profile.
b. Enter aaa_dot1x, then click Add.
c. Select the aaa_dot1x profile you just created.
d. For 802.1x Authentication Default Role, select faculty.
e. Click Apply.
3. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x Authentication Profile.
a. Select the dot1x profile from the 802.1x Authentication Profile drop-down menu.
b. Click Apply.
4. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x Authentication Server
Group.
a. Select the internal server group.
b. Click Apply.
Using the CLI
aaa authentication dot1x dot1x
termination enable
aaa profile aaa_dot1x
dot1x-default-role faculty
authentication-dot1x dot1x
dot1x-server-group internal
Configure VLANs
In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to
VLAN 63. VLANs 60 and 61 split users into smaller IP subnetworks, improving performance by decreasing
broadcast traffic. The VLANs are internal to the Aruba controller only and do not extend into other parts of
the wired network. The clients’ default gateway is the Aruba controller, which routes traffic out to the
10.1.1.0 subnetwork.
You configure the VLANs, assign IP addresses to each VLAN, and establish the “helper address” to which
client DHCP requests are forwarded.
Using the WebUI
1. Navigate to the Configuration > Network > VLAN page. Click Add to add VLAN 60.
a. For VLAN ID, enter 60.
b. Click Apply.
c. Repeat steps A and B to add VLANs 61 and 63.
2. To configure IP parameters for the VLANs, navigate to the Configuration > Network > IP > IP
Interfaces page.
a. Click Edit for VLAN 60.
b. For IP Address, enter 10.1.60.1.
c. For Net Mask, enter 255.255.255.0.
d. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
e. Click Apply.
3. In the IP Interfaces page, click Edit for VLAN 61.
a. For IP Address, enter 10.1.61.1.
b. For Net Mask, enter 255.255.255.0.
c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
d. Click Apply.
4. In the IP Interfaces page, click Edit for VLAN 63.
a. For IP Address, enter 10.1.63.1.
b. For Net Mask, enter 255.255.255.0.
c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
d. Click Apply.
5. Select the IP Routes tab.
a. For Default Gateway, enter 10.1.1.254.
b. Click Apply.
Using the CLI
vlan 60
interface vlan 60
ip address 10.1.60.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 61
interface vlan 61
ip address 10.1.61.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 63
interface vlan 63
ip address 10.1.63.1 255.255.255.0
ip helper-address 10.1.1.25
ip default-gateway 10.1.1.254
Configuring the WLANs
In this example, default AP parameters for the entire network are as follows: the default ESSID is WLAN-01
and the encryption mode is TKIP. A second ESSID called “guest” has the encryption mode set to static WEP
with a configured WEP key.
In this example, the non-guest clients that associate to an AP are mapped into one of two different user
VLANs. The initial AP to which the client associates determines the VLAN: clients that associate to APs in
the first floor of the building are mapped to VLAN 60 and clients that associate to APs in the second floor of
the building are mapped to VLAN 61. Therefore, the APs in the network are segregated into two AP groups,
named “first-floor” and “second-floor”. (See “Creating an AP group” on page 113 for information about
creating AP groups.) The guest clients are mapped into VLAN 63.
Configuring the Guest WLAN
You create and configure the virtual AP profile “guest” and apply the profile to each AP group. The “guest”
virtual AP profile contains the SSID profile “guest” which configures static WEP with a WEP key.
Using the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, select first-floor.
3. In the Profiles list, select Wireless LAN then select Virtual AP.
4. To configure the guest virtual AP:
a. Select NEW from the Add a profile drop-down menu. Enter guest for the name of the virtual AP
profile, and click Add.
b. In the Profile Details entry for the guest virtual AP profile, select NEW from the SSID profile dropdown menu. A pop-up window allows you to configure the SSID profile.
c. Enter guest for the name of the SSID profile.
d. Enter guest for the Network Name.
e. For Network Authentication, select None.
f. For Encryption, select WEP.
g. Enter the WEP key.
h. Click Apply.
i. Under Profile Details, click Apply.
5. Click on the guest virtual AP name in the Profiles list or in Profile Details to display configuration
parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select 63.
c. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page.
7. In the AP Group list, select second-floor.
8. In the Profiles list, select Wireless LAN, then select Virtual AP.
9. Select guest from the Add a profile drop-down menu. Click Add.
10. Click Apply.
Using the CLI
wlan ssid-profile guest
essid guest
wepkey1 aaaaaaaaaa
opmode static-wep
wlan virtual-ap guest
vlan 63
ssid-profile guest
ap-group first-floor
virtual-ap guest
ap-group second-floor
virtual-ap guest
Configuring the Non-Guest WLANs
You create and configure the SSID profile “WLAN-01” with the ESSID “WLAN-01” and WPA TKIP
encryption. You need to create and configure two virtual AP profiles: one with VLAN 60 for the first-floor
AP group and the other with VLAN 61 for the second-floor AP group. Each virtual AP profile references the
SSID profile “WLAN-01” and the previously-configured AAA profile “aaa_dot1x”.
Using the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, select first-floor.
3. In the Profiles list, select Wireless LAN, then select Virtual AP.
4. To configure the WLAN-01_first-floor virtual AP:
a. Select NEW from the Add a profile drop-down menu. Enter WLAN-01_first-floor, and click Add.
b. In the Profile Details entry for the WLAN-01_first-floor virtual AP profile, select aaa_dot1x from the
AAA Profile drop-down menu. A pop-up window displays the configured AAA parameters. Click
Apply in the pop-up window.
c. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the
SSID profile.
d. Enter WLAN-01 for the name of the SSID profile.
e. Enter WLAN-01 for the Network Name.
f. Select WPA for Network Authentication.
g. Click Apply in the pop-up window.
h. At the bottom of the Profile Details page, click Apply.
5. Click on the WLAN-01_first-floor virtual AP profile name in the Profiles list or in Profile Details to
display configuration parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select 60.
c. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page.
7. In the AP Group list, select second-floor.
8. In the Profiles list, select Wireless LAN then select Virtual AP.
9. To create the WLAN-01_second-floor virtual AP:
a. Select NEW from the Add a profile drop-down menu. Enter WLAN-01_second-floor, and click Add.
b. In the Profile Details entry for the virtual AP profile, select aaa_dot1x from the AAA Profile dropdown menu. A pop-up window displays the configured AAA profile parameters. Click Apply in the
pop-up window.
c. From the SSID profile drop-down menu, select WLAN-01. A pop-up window displays the configured
SSID profile parameters. Click Apply in the pop-up window.
d. At the bottom of the Profile Details page, click Apply.
10. Click on the WLAN-01_second-floor virtual AP profile name in the Profiles list or in Profile Details to
display configuration parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select 61.
c. Click Apply.
Using the CLI
wlan ssid-profile WLAN-01
essid WLAN-01
opmode wpa-tkip
wlan virtual-ap WLAN-01_first-floor
vlan 60
aaa-profile aaa_dot1x
ssid-profile WLAN-01
wlan virtual-ap WLAN-01_second-floor
vlan 61
aaa-profile aaa_dot1x
ssid-profile WLAN-01
ap-group first-floor
virtual-ap WLAN-01_first-floor
ap-group second-floor
virtual-ap WLAN-01_second-floor
Mixed Authentication Modes
Use the l2-auth-fail-through command to perform mixed authentication, in which a client is first MAC
authenticated and then 802.1x authenticated. When l2-auth-fail-through is enabled in the AAA profile, a
client whose MAC authentication fails is still allowed to attempt 802.1x authentication instead of being
rejected outright.
By default, l2-auth-fail-through is disabled.
Table 58 describes the different authentication possibilities.
Table 58 Mixed Authentication Modes

Authentication  MAC authentication  802.1x authentication  Association     Role Assignment
1               Success             Success                dynamic-wep     802.1x
2               Success             Fail                   No Association  —
3               Success             —                      static-wep      MAC
4               Fail                Success                dynamic-wep     802.1x
5               Fail                Fail                   No Association  —
6               Fail                —                      static-wep      logon
Using the CLI
aaa profile test
l2-auth-fail-through
Advanced Configuration Options for 802.1x
This section describes advanced configuration options for 802.1x authentication.
Configuring reauthentication with Unicast Key Rotation
When reauthentication is enabled, unicast and multicast keys are updated after each reauthentication. It is
a best practice to set the reauthentication, multicast key rotation, and unicast key rotation intervals to at
least 15 minutes. Choose intervals that are mutually prime (pairwise coprime), so that the three timers do not
fire together, and make each key rotation interval shorter than the reauthentication interval. The example
values below (6011, 1867, and 1021 seconds) are all prime numbers, which satisfies both conditions.
Unicast key rotation depends upon both the AP/controller and wireless client behavior. Some wireless NICs
are known to have issues with unicast key rotation.
The following is an example of the parameters you can configure for reauthentication with unicast and
multicast key rotation:
• Reauthentication: Enabled
• Reauthentication Time Interval: 6011 seconds
• Multicast Key Rotation: Enabled
• Multicast Key Rotation Time Interval: 1867 seconds
• Unicast Key Rotation: Enabled
• Unicast Key Rotation Time Interval: 1021 seconds
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.
2. Select 802.1x Authentication Profile, then select the name of the profile you want to configure.
3. Select the Advanced tab. Enter the following values:
• Reauthentication Interval: 6011
• Multicast Key Rotation Time Interval: 1867
• Unicast Key Rotation Time Interval: 1021
• Multicast Key Rotation: (select)
• Unicast Key Rotation: (select)
• Reauthentication: (select)
4. Click Apply.
Using the CLI
aaa authentication dot1x <profile>
reauthentication
timer reauth-period 6011
unicast-keyrotation
timer ukey-rotation-period 1021
multicast-keyrotation
timer mkey-rotation-period 1867
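The timer constraints in this section (at least 15 minutes, pairwise coprime, key rotation shorter than reauthentication) are easy to violate with round numbers such as 3600/1800/900. The following added example, which is not part of the guide, checks a proposed set of timers against those constraints, reports how often two non-coprime timers would fire together, and renders the CLI lines from this section only when the values pass. The findings text and the MIN_INTERVAL constant are this example's own.

```python
from itertools import combinations
from math import gcd

# Added example: validating 802.1x reauthentication and key rotation timers
# against the guidance in this section before committing them to a profile.

MIN_INTERVAL = 15 * 60  # "at least 15 minutes", in seconds


def coincidence_period(a: int, b: int) -> int:
    """Seconds until two periodic timers started together fire in the same
    second again (their least common multiple)."""
    return a * b // gcd(a, b)


def check_timers(reauth_period: int, ukey_period: int, mkey_period: int):
    """Return a list of findings; an empty list means the timers are acceptable."""
    timers = {
        "reauth-period": reauth_period,
        "ukey-rotation-period": ukey_period,
        "mkey-rotation-period": mkey_period,
    }
    findings = []
    # Rule 1: every interval is at least 15 minutes.
    for name, seconds in timers.items():
        if seconds < MIN_INTERVAL:
            findings.append(f"{name}={seconds}s is below the 15-minute minimum")
    # Rule 2: intervals are mutually prime, so the timers never coincide
    # more often than the product of their periods.
    for (n1, s1), (n2, s2) in combinations(timers.items(), 2):
        common = gcd(s1, s2)
        if common != 1:
            findings.append(
                f"{n1} and {n2} share the factor {common}; "
                f"both fire together every {coincidence_period(s1, s2)}s")
    # Rule 3: each key rotation interval is shorter than the reauthentication interval.
    for name in ("ukey-rotation-period", "mkey-rotation-period"):
        if timers[name] >= reauth_period:
            findings.append(
                f"{name}={timers[name]}s is not shorter than reauth-period={reauth_period}s")
    return findings


def dot1x_timer_commands(profile: str, reauth_period: int,
                         ukey_period: int, mkey_period: int):
    """Render the CLI block from this section for a validated set of timers."""
    findings = check_timers(reauth_period, ukey_period, mkey_period)
    if findings:
        raise ValueError("; ".join(findings))
    return [
        f"aaa authentication dot1x {profile}",
        "reauthentication",
        f"timer reauth-period {reauth_period}",
        "unicast-keyrotation",
        f"timer ukey-rotation-period {ukey_period}",
        "multicast-keyrotation",
        f"timer mkey-rotation-period {mkey_period}",
    ]


if __name__ == "__main__":
    print("\n".join(dot1x_timer_commands("dot1x", 6011, 1021, 1867)))
    for finding in check_timers(3600, 1800, 900):
        print("finding:", finding)
```

The guide's values pass cleanly; 3600/1800/900 produce three findings because every pair shares a factor, which means the unicast and multicast rekeys would land in the same second every 30 minutes and both would coincide with reauthentication every hour.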
Chapter 11
Certificate Revocation
The Certificate Revocation feature enables the ArubaOS controller to perform real-time certificate
revocation checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation
using the Certificate Revocation List (CRL) client.
About OCSP and CRL
OCSP (RFC 2560, since superseded by RFC 6960) is a standard protocol with two parties, an OCSP client and
an OCSP responder. The client asks the responder for the revocation status of one specific digital
public-key certificate, so it does not have to download the entire CRL.
CRL is the traditional method of checking certificate validity. A CRL provides a list of certificate serial
numbers that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of
the presented certificate while verifying it. CRLs are limited to 512 entries.
Controller as OCSP and CRL Clients
The ArubaOS controller can act as an OCSP client and issue OCSP queries to remote OCSP responders
located on the intranet or Internet. Because many applications in ArubaOS (such as IKE) use digital
certificates, a revocation protocol such as OCSP is needed.
An entity that relies on the content of a certificate (a relying party) needs to do the checking before
accepting the certificate as being valid. One check verifies that the certificate has not been revoked. The
OCSP client retrieves certificate revocation status from an OCSP responder. The responder may be the CA
(Certificate Authority) that has issued the certificate in question or it may be some other designated entity
which provides the service on behalf of the CA. A revocation checkpoint is a logical profile that is tied to
each CA certificate that the controller has (trusted or intermediate). Also, the user can specify revocation
preferences within each profile.
The OCSP request is not signed by the Aruba OCSP client at this time. However, the OCSP response is
always signed by the responder.
OCSP and CRL configuration and administration are usually performed by the administrator who manages
the web access policy for an organization.
In small networks with no Internet connection, or no connection to an OCSP responder, CRL is the better
option.
Controller as OCSP Responder
The ArubaOS controller can be configured to act as an OCSP responder (server) and respond to OCSP
queries from clients that are trying to obtain revocation status of certificates.
The OCSP responder on the controller listens on HTTP port 8084. This port is not configurable by the
administrator. Although the OCSP responder accepts signed OCSP requests, it does not attempt to verify the
signature before processing the request, so unsigned OCSP requests are supported as well. The responder
therefore does not authenticate its clients; the integrity of each answer rests on the signature the
responder places on the response.
As an OCSP responder, the controller provides revocation status information to ArubaOS applications that
use CRLs. This is useful in small, disconnected networks where clients cannot reach an outside OCSP
server to validate certificates. Typical scenarios are client-to-client or client-to-server
communication where the certificates of either party need to be validated.
Configuring the Controller as an OCSP Client
When OCSP is used as the revocation method, you need to configure the OCSP responder certificate and
the OCSP URL.
In the WebUI
1. Navigate to the Configuration > Management > Certificates > Upload page.
2. Enter a name in the Certificate Name field. This name identifies the certificate you are uploading.
3. Enter the certificate file name in the Certificate Filename field. Use the Browse button to enter the
full pathname.
4. Select the certificate format from the Certificate Format drop-down menu.
5. Select OCSP Responder Cert from the Certificate Type drop-down menu.
A revocation check method (OCSP or CRL) can be chosen independently for every revocation checkpoint. In this
example, we are only describing the OCSP check method.
Once this certificate is uploaded it is maintained in the certificate store for OCSP responder certificates.
These certificates are used for signature verification.
Figure 47 Upload a certificate
6. Click Upload. The certificate appears in the Certificate Lists pane.
7. For detailed information about an uploaded certificate, click View next to the certificate.
Figure 48 View certificate details
8. Select the Revocation Checkpoint tab.
9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to
configure. The Revocation Checkpoint pane displays.
10. In the Revocation Check field, select ocsp from the Method 1 drop-down list as the primary check
method.
11. In the OCSP URL field, enter the URL of the OCSP responder.
12. In the OCSP Responder Cert field, select the OCSP certificate you want to configure from the drop-down menu.
13. Click Apply.
In the CLI
This example configures an OCSP client for the revocation checkpoint CARoot. The OCSP responder
certificate is RootCA-Ocsp_responder, the corresponding OCSP responder service is available at
http://10.4.46.202/ocsp, and the revocation check method is OCSP.
(host) (config) #crypto-local pki rcp CARoot
(host) (RCP-CARoot) #ocsp-responder-cert RootCA-Ocsp_responder
(host) (RCP-CARoot) #ocsp-url http://10.4.46.202/ocsp
(host) (RCP-CARoot) #revocation-check ocsp
The show crypto-local pki OCSPResponderCert CLI command lists the contents of the OCSP Responder
Certificate store.
The show crypto-local pki revocation checkpoint rcp_name CLI command shows the entire configuration
for a given revocation checkpoint.
Configuring the Controller as a CRL Client
CRL is the traditional method of checking certificate validity. When you want to check certificate validity
using a CRL, you need to import the CRL. CRLs can only be imported using the WebUI.
In the WebUI
1. Navigate to the Configuration > Management > Certificates > Upload page.
2. Enter a name in the Certificate Name field. This name identifies the CRL certificate you are uploading.
3. Enter the certificate file name in the Certificate Filename field. Use the Browse button to enter the
full pathname.
4. Select the certificate format from the Certificate Format drop-down menu.
5. Select CRL from the Certificate Type drop-down menu.
A revocation check method (OCSP or CRL) can be chosen independently for every revocation checkpoint. In this
example, we are only describing the CRL check method.
Once this CRL is uploaded it is maintained in the store for CRLs. These CRLs are used for signature
verification.
6. Click Upload. The CRL appears in the Certificate Lists pane. Select CRL from the Group drop-down list
if you want to display only CRLs.
7. For detailed information about an uploaded CRL, click View next to the CRL.
8. Select the Revocation Checkpoint tab.
9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to
configure. The Revocation Checkpoint pane displays.
10. In the Revocation Check field, select crl from the Method 1 drop-down list.
11. In the CRL Location field, enter the CRL you want used for this revocation checkpoint. The CRLs listed
are files that have already been imported onto the controller.
12. Click Apply.
In the CLI
This example configures the controller as a CRL client for the revocation checkpoint ROOTCa-ssh-webui.
The CRL location is crl1 and the revocation check method is crl.
(host) (config) #crypto-local pki rcp ROOTCa-ssh-webui
(host) (RCP-ROOTCa-ssh-webui) #crl-location file crl1
(host) (RCP-ROOTCa-ssh-webui) #revocation-check crl
Configuring the Controller as an OCSP Responder
When configured as an OCSP responder, the controller provides revocation status information to ArubaOS
applications that are using CRLs.
In the WebUI
1. Navigate to the Configuration > Management > Certificates > Upload page.
2. Enter a name in the Certificate Name field. This name identifies the OCSP signer certificate you are
uploading.
3. Enter the certificate file name in the Certificate Filename field. Use the Browse button to enter the
full pathname.
4. Select the certificate format from the Certificate Format drop-down menu.
5. Select OCSP signer cert from the Certificate Type drop-down menu. Once this certificate is
uploaded it is maintained in the certificate store for OCSP signer certificates. These certificates are used
for signature verification.
The OCSP signer cert is used to sign OCSP responses for this revocation check point. The OCSP signer
cert can be the same trusted CA as the check point, a designated OCSP signer certificate issued by the
same CA as the check point or some other local trusted authority.
If you do not specify an OCSP signer cert, OCSP responses are signed using the global OCSP signer
certificate. If that is not present, then an error message is sent out to clients.
The OCSP signer certificate takes precedence over the global OCSP signer certificate because it is checkpoint specific.
6. Click Upload. The certificate appears in the Certificate Lists pane. Select OCSP signer cert from the
Group drop-down list if you want to display only those certificates which are OCSP signer certificates.
7. For detailed information about an uploaded certificate, click View next to the certificate.
8. Select the Revocation Checkpoint tab.
9. Select Enable next to Enable OCSP Responder.
Enable OCSP Responder is a global knob that turns the OCSP responder service on or off on the
controller. The default is disabled (off). Enabling this knob automatically adds the OCSP responder port
(TCP 8084) to the permit list in the CP firewall so this can be accessed from outside the controller.
10. Select the OCSP signer cert from the OCSP Certificates drop-down menu to be used to sign OCSP
responses for this revocation check point.
11. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to
configure. The Revocation Checkpoint pane displays.
12. In the Revocation Check field, optionally select a check method from the Method 1 drop-down list.
Optionally, select a backup check method from the Method 2 drop-down list.
13. Select Enable next to Enable OCSP Responder.
14. Select the OCSP signer cert from the OCSP Signer Cert drop-down menu.
15. In the CRL Location field, enter the CRL you want used for this revocation checkpoint. The CRLs listed
are files that have already been imported onto the controller.
16. Click Apply.
In the CLI
This example configures the controller as an OCSP responder. The OCSP responder service is enabled, the
revocation check point is CAroot, the OCSP signer cert is “oscsp_CA1,” and the CRL file location is
“Sec1-WIN-05PRGNGEKAO-CA-unrevoked.crl.”
(host) (config) #crypto-local pki service-ocsp-responder
(host) (config) #crypto-local pki rcp CAroot
(host) (CAroot) #ocsp-signer-cert oscsp_CA1
(host) (CAroot) #crl-location file Sec1-WIN-05PRGNGEKAO-CA-unrevoked.crl
(host) (CAroot) #enable-ocsp-responder
Chapter 12
Roles and Policies
Every client in an Aruba user-centric network is associated with a user role, which determines the client’s
network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. A
policy is a set of rules that applies to traffic that passes through the Aruba controller. You specify one or
more policies for a user role. Finally, you can assign a user role to clients before or after they authenticate
to the system.
This chapter describes assigning and creating roles and policies using the ArubaOS CLI or WebUI. Roles
and policies can also be configured for WLANs associated with the “default” ap-group via the WLAN Wizard:
Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within the wizard and
refer to the help tab for assistance.
This chapter describes the following topics:
• “Policies” on page 331
• “Creating a Firewall Policy” on page 332
• “Creating a Network Service Alias” on page 334
• “Creating an ACL White List” on page 335
• “User Roles” on page 336
• “User Role Assignments” on page 340
• “Global Firewall Parameters” on page 345
This chapter describes configuring firewall policies and parameters that relate to IPv4 traffic. See Chapter 36, “IPv6
Support” on page 685 for information about configuring IPv6 firewall policies and parameters.
Policies
A firewall policy identifies specific characteristics about a data packet passing through the Aruba controller
and takes some action based on that identification. In an Aruba controller, that action can be a firewall-type
action such as permitting or denying the packet, an administrative action such as logging the packet, or a
quality of service (QoS) action such as setting 802.1p bits or placing the packet into a priority queue. You
can apply firewall policies to user roles to give differential treatment to different users on the same
network, or to physical ports to apply the same policy to all traffic through the port.
Firewall policies differ from access control lists (ACLs) in the following ways:
• Firewall policies are stateful, meaning that they recognize flows in a network and keep track of the state
of sessions. For example, if a firewall policy permits telnet traffic from a client, the policy also
recognizes that inbound traffic associated with that session should be allowed.
• Firewall policies are bi-directional, meaning that they keep track of data connections traveling into or
out of the network. ACLs are normally applied to either traffic inbound to an interface or outbound from
an interface.
• Firewall policies are dynamic, meaning that address information in the policy rules can change as the
policies are applied to users. For example, the alias user in a policy automatically applies to the IP
address assigned to a particular user. ACLs typically require static IP addresses in the rule.
You can apply IPv4 and IPv6 firewall policies to the same user role. See Chapter 36, “IPv6 Support” on page 685
for information about configuring IPv6 firewall policies.
Access Control Lists (ACLs)
Access control lists (ACLs) are a common way of restricting certain types of traffic on a physical port.
ArubaOS provides the following types of ACLs:
• Standard ACLs permit or deny traffic based on the source IP address of the packet. Standard ACLs can
be either named or numbered, with valid numbers in the range of 1-99 and 1300-1399. Standard ACLs use
a bitwise mask to specify the portion of the source IP address to be matched.
• Extended ACLs permit or deny traffic based on source or destination IP address, source or destination
port number, or IP protocol. Extended ACLs can be named or numbered, with valid numbers in the
range 100-199 and 2000-2699.
• MAC ACLs are used to filter traffic on a specific source MAC address or range of MAC addresses.
Optionally, you can mirror packets to a datapath or remote destination for troubleshooting and
debugging purposes. MAC ACLs can be either named or numbered, with valid numbers in the range of
700-799 and 1200-1299.
• Ethertype ACLs are used to filter based on the Ethertype field in the frame header. Optionally, you can
mirror packets to a datapath or remote destination for troubleshooting and debugging purposes.
Ethertype ACLs can be either named or numbered, with valid numbers in the range of 200-299. These
ACLs can be used to permit IP while blocking other non-IP protocols, such as IPX or AppleTalk.
ArubaOS provides both standard and extended ACLs for compatibility with router software from popular
vendors; however, firewall policies provide equivalent or greater function than standard and extended
ACLs and should be used instead.
You can apply MAC and Ethertype ACLs to a user role; however, these ACLs only apply to non-IP traffic
from the user.
Creating a Firewall Policy
This section describes how to configure the rules that constitute a firewall policy. A firewall policy can then
be applied to a user role (until the policy is applied to a user role, it does not have any effect).
Table 59 describes required and optional parameters for a rule.
Table 59 Firewall Policy Rule Parameters

Source (required)
Source of the traffic, which can be one of the following:
• any: Acts as a wildcard and applies to any source address.
• user: This refers to traffic from the wireless client.
• host: This refers to traffic from a specific host. When this option is chosen, you must configure the IP address of the host.
• network: This refers to traffic that has a source IP from a subnet of IP addresses. When this option is chosen, you must configure the IP address and network mask of the subnet.
• alias: This refers to using an alias for a host or network. You configure the alias by navigating to the Configuration > Advanced Services > Stateful Firewall > Destination page.

Destination (required)
Destination of the traffic, which can be configured in the same manner as Source.

Service (required)
Type of traffic, which can be one of the following:
• any: This option specifies that this rule applies to any type of traffic.
• tcp: Using this option, you configure a range of TCP port(s) to match for the rule to be applied.
• udp: Using this option, you configure a range of UDP port(s) to match for the rule to be applied.
• service: Using this option, you use one of the pre-defined services (common protocols such as HTTPS, HTTP, and others) as the protocol to match for the rule to be applied. You can also specify a network service that you configure by navigating to the Configuration > Advanced Services > Stateful Firewall > Network Services page.
• protocol: Using this option, you specify a different layer 4 protocol (other than TCP/UDP) by configuring the IP protocol value.

Action (required)
The action that you want the controller to perform on a packet that matches the specified criteria. This can be one of the following:
• permit: Permits traffic matching this rule.
• drop: Drops packets matching this rule without any notification.
• reject: Drops the packet and sends an ICMP notification to the traffic source.
• src-nat: Performs network address translation (NAT) on packets matching the rule. When this option is selected, you need to select a NAT pool. (If this pool is not configured, you configure a NAT pool by navigating to the Configuration > Advanced > Security > Advanced > NAT Pools page.)
• dst-nat: This option redirects traffic to the configured IP address and destination port. An example of this option is to redirect all HTTP packets to the captive portal port on the Aruba controller as used in the pre-defined policy called “captiveportal”.
• dual-nat: This option performs both source and destination NAT on packets matching the rule.
• redirect to tunnel: This option redirects traffic into a GRE tunnel. This option is used primarily to redirect all guest traffic into a GRE tunnel to a DMZ router/switch.
• redirect to ESI group: This option redirects traffic to the specified ESI server group. You also specify the direction of traffic to be redirected: forward, reverse, or both directions.

Log (optional)
Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.

Mirror (optional)
Mirrors session packets to a datapath or remote destination.

Queue (optional)
The queue in which a packet matching this rule should be placed. Select High for higher priority data, such as voice, and Low for lower priority traffic.

Time Range (optional)
Time range for which this rule is applicable. Configure time ranges on the Configuration > Security > Access Control > Time Ranges page.

Pause ARM Scanning (optional)
Pause ARM scanning while traffic is present. Note that you must enable “VoIP Aware Scanning” in the ARM profile for this feature to work.

Black List (optional)
Automatically blacklists a client that is the source or destination of traffic matching this rule. This option is recommended for rules that indicate a security breach, where the blacklisting option can be used to prevent access to clients that are attempting to breach the security.

White List (optional)
A rule must explicitly permit a traffic session before it is forwarded to the controller. The last rule in the white list denies everything else. Configure white list ACLs on the Configuration > Advanced Services > Stateful Firewall > White List (ACL) page.

TOS (optional)
Value of type of service (TOS) bits to be marked in the IP header of a packet matching this rule when it leaves the controller.

802.1p Priority (optional)
Value of 802.1p priority bits to be marked in the frame of a packet matching this rule when it leaves the controller.
The following example creates a policy ‘web-only’ that allows web (HTTP and HTTPS) access.
In the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page on the WebUI.
2. To configure a firewall policy, select the policy type from the Policies title bar. You can select All, IPv4
Session, IPv6 Session, Ethernet, MAC, Standard or Extended.
3. Click Add to create a new policy.
4. If you selected All in Step 2, then select the type of policy you are adding from the Policy Type drop-down menu.
5. Click Add to add a rule that allows HTTP traffic.
a. Under Service, select service from the drop-down list.
b. Select svc-http from the scrolling list.
c. Click Add.
6. Click Add to add a rule that allows HTTPS traffic.
a. Under Service, select service from the drop-down list.
b. Select svc-https from the scrolling list.
c. Click Add.
Rules can be re-ordered by using the up and down buttons provided for each rule.
7. Click Apply to apply this configuration. The policy is not created until the configuration is applied.
In the CLI
ip access-list session web-only
any any svc-http permit
any any svc-https permit
Creating a Network Service Alias
A network service alias defines a TCP, UDP or IP protocol and a list or range of ports supported by that
service. When you create a network service alias, you can use that alias when specifying the network
service for multiple session ACLs.
In the WebUI
1. Navigate to the Configuration > Advanced Services> Stateful Firewall > Network Services page
on the WebUI.
2. Click Add to create a new alias.
3. Enter a name for the alias in the Service Name field.
4. In the Protocol section, select either TCP or UDP, or select Protocol and enter the IP protocol number
of the protocol for which you want to create an alias.
5. In the Port Type section, specify whether you want to define the port by a contiguous range of ports, or
by a list of non-contiguous port numbers.
• If you selected Range, enter the starting and ending port numbers in the Starting Port and End
Port fields.
• If you selected List, enter a comma-separated list of port numbers.
6. To limit the service alias to a specific application, click the Application Level Gateway (ALG) drop-down list and select one of the following service types:
• dhcp: Service is DHCP
• dns: Service is DNS
• ftp: Service is FTP
• h323: Service is H323
• noe: Service is Alcatel NOE
• rtsp: Service is RTSP
• sccp: Service is SCCP
• sip: Service is SIP
• sips: Service is Secure SIP
• svp: Service is SVP
• tftp: Service is TFTP
• vocera: Service is VOCERA
7. Click Apply to save your changes.
In the CLI
To define a service alias via the command-line interface, access the CLI in config mode and issue the
following command:
netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]} [ALG <service>]
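The following is an added example, not ArubaOS code, that models how the session ACL from “Creating a Firewall Policy” (web-only) and a netservice alias from this section are evaluated: rules are ordered and first-match, a permitted flow is remembered so its reply traffic is allowed (the stateful behaviour described under “Policies”), and an alias defined with a port list or range is matched on destination port. The rule syntax (`<src> <dst> <service> <action>`, with src/dst as any, user or an IP/CIDR) and the implicit drop at the end of the ACL are assumptions of this model; the addresses and the svc-sip-alt alias are constructed.

```python
"""Model of ArubaOS-style session ACL evaluation (added example, not ArubaOS code).

Assumptions: a rule is '<src> <dst> <service> <action>'; src/dst is 'any',
'user' (the client's own address) or an IP/CIDR; a session ACL ends with an
implicit drop. Only destination ports are matched.
"""
import ipaddress

# Constructed pre-defined services, using the svc-http / svc-https names
# that the guide's web-only example relies on.
BUILTIN_SERVICES = {
    "svc-http": ("tcp", frozenset({80})),
    "svc-https": ("tcp", frozenset({443})),
}


def netservice(name, proto, ports):
    """Model of 'netservice <name> tcp|udp {list p,p}|{start [end]}'.
    Returns (name, (proto, portset)) to add to a service table."""
    if ports.startswith("list "):
        portset = frozenset(int(p) for p in ports[5:].split(","))
    else:
        bounds = [int(p) for p in ports.split()]
        portset = frozenset(range(bounds[0], bounds[-1] + 1))
    return name, (proto, portset)


class SessionACL:
    """Ordered rules, first match wins; permitted flows are remembered so the
    reverse direction of that session is also allowed (stateful)."""

    def __init__(self, name, services):
        self.name = name
        self.services = services
        self.rules = []        # (src, dst, service tokens, action)
        self.sessions = set()  # (src, dst, proto, sport, dport) of permitted flows

    def add_rule(self, line):
        tok = line.split()
        if len(tok) < 4 or tok[-1] not in ("permit", "drop", "reject"):
            raise ValueError(f"bad rule: {line!r}")
        self.rules.append((tok[0], tok[1], tok[2:-1], tok[-1]))

    @staticmethod
    def _addr_match(spec, addr, user_ip):
        if spec == "any":
            return True
        if spec == "user":
            return addr == user_ip
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def _svc_match(self, svc, pkt):
        proto, dport = pkt[2], pkt[4]
        if svc == ["any"]:
            return True
        if svc[0] in ("tcp", "udp"):            # 'tcp 5000' or 'tcp 5000 6000'
            lo, hi = int(svc[1]), int(svc[-1])
            return proto == svc[0] and lo <= dport <= hi
        alias_proto, ports = self.services[svc[0]]   # svc-* or netservice alias
        return proto == alias_proto and dport in ports

    def evaluate(self, pkt, user_ip):
        """pkt = (src, dst, proto, sport, dport). Returns the action taken."""
        src, dst, proto, sport, dport = pkt
        if (dst, src, proto, dport, sport) in self.sessions:
            return "permit"    # reply traffic of an established, permitted session
        for rsrc, rdst, svc, action in self.rules:
            if (self._addr_match(rsrc, src, user_ip)
                    and self._addr_match(rdst, dst, user_ip)
                    and self._svc_match(svc, pkt)):
                if action == "permit":
                    self.sessions.add(pkt)
                return action
        return "drop"          # implicit deny at the end of the ACL (assumption)


def demo():
    """web-only plus a constructed SIP alias; returns the decision per flow."""
    services = dict(BUILTIN_SERVICES)
    name, entry = netservice("svc-sip-alt", "udp", "list 5060,5061")  # constructed
    services[name] = entry
    acl = SessionACL("web-only", services)
    acl.add_rule("any any svc-http permit")
    acl.add_rule("any any svc-https permit")
    acl.add_rule("user any svc-sip-alt permit")
    client, server = "10.1.1.20", "203.0.113.10"    # constructed addresses
    return {
        "http": acl.evaluate((client, server, "tcp", 40000, 80), client),
        "https": acl.evaluate((client, server, "tcp", 40001, 443), client),
        "ssh": acl.evaluate((client, server, "tcp", 40002, 22), client),
        # reply to the permitted HTTP session: no rule matches dport 40000,
        # but the session table does
        "http_reply": acl.evaluate((server, client, "tcp", 80, 40000), client),
        "ssh_reply": acl.evaluate((server, client, "tcp", 22, 40002), client),
        "sip_from_client": acl.evaluate((client, server, "udp", 5060, 5061), client),
        # same alias, but the source is not the client ('user'), so no match
        "sip_from_other": acl.evaluate(("10.1.1.99", server, "udp", 5060, 5061), client),
        "udp_5062": acl.evaluate((client, server, "udp", 5060, 5062), client),
    }


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow:16} {action}")
```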
Creating an ACL White List
The ACL White List consists of rules that explicitly permit or deny session traffic from being forwarded to
or blocked from the controller. The white list protects the controller during traffic session processing by
prohibiting traffic from being automatically forwarded to the controller if it was not specifically denied in a
blacklist. The maximum number of entries allowed in the ACL White List is 64. To create an ACL white list,
you must first define a white list bandwidth contract, and then assign it to an ACL.
Configuring a White List Bandwidth Contract in the WebUI
1. Navigate to the Configuration > Advanced Services > Stateful Firewall > White List BW
Contracts page.
2. Click Add to create a new contract.
3. In the White list contract name field, enter the name of a bandwidth contract.
4. The Bandwidth Rate field allows you to define a bandwidth rate in either kbps or Mbps. Enter a rate
value in the Bandwidth Rate field, then click the drop-down list and select either kbps or Mbps.
5. Click Done.
Configuring the ACL White List in the WebUI
1. Navigate to the Configuration > Stateful Firewall> ACL White List page.
2. To add an entry, click the Add button at the bottom of the page. The Add New Protocol section
displays.
3. Click the Action drop-down list and select Permit or Deny. Permit allows session traffic to be
forwarded to the controller while Deny blocks session traffic.
4. In the IP Protocol Number field, enter the number for a protocol used by session traffic.
5. In the Starting Ports field, enter a starting port. This is the first port, in the port range, on which
permitted or denied session traffic is running. Port range: 1–65535.
6. In the End Ports field, enter an ending port. This is the last port, in the port range, on which permitted
or denied session traffic is running. Port range: 1–65535.
7. (Optional) Click the White list Bandwidth Contract drop-down list and specify the name of a
bandwidth contract to apply to the session traffic. For further information on creating Bandwidth
Contracts, see “Configuring a Bandwidth Contract in the WebUI” on page 339.
8. Click Done. The ACL displays on the white list section.
9. To delete an entry, click Delete next to the entry you want to delete.
10. Click Apply to save changes.
Configuring the White List Bandwidth Contract in the CLI
cp-bandwidth-contract <name> {mbits <1..2000>}|{kbits <256..2000000>}
Configuring the ACL White List in the CLI
Use the following CLI command to create ACL White Lists.
(host) (config) #firewall cp {deny|permit} proto <IP protocol number> ports <start port number> <last port number> [bandwidth-contract <name>]
To create a whitelist ACL entry that permits traffic using protocol 6 on ports 5000 through 6000 to be
forwarded to the controller:
(host) (config-fw-cp) #firewall cp permit proto 6 ports 5000 6000
To create a whitelist ACL entry that denies traffic using protocol 2 on port 5000 from being forwarded to the
controller:
(host) (config-fw-cp) #firewall cp deny proto 2 ports 5000 5000
User Roles
This section describes how to create a new user role. When you create a user role, you specify one or more
policies for the role.
Table 60 describes the different parameters you can configure for the user role.
Table 60 User Role Parameters

Firewall Policies (required)
One or more policies that define the privileges of a wireless client in this role. There are three ways to add a firewall policy to a user role:
• Choose from configured policies (see “Creating a Firewall Policy” on page 332): Select a policy from the list of configured policies and click the “Done” button to add the policy to the list of policies in the user role. If this policy is to be applied to this user role only for specific AP groups, you can specify the applicable AP group.
• Create a new policy from a configured policy: This option can be used to create a new policy that is derived from an existing policy.
• Create a new policy: The rules for the policy can be added as explained in “Creating a Firewall Policy” on page 332.

Re-authentication Interval (optional)
Time, in minutes, after which the client is required to reauthenticate. Enter a value between 0-4096. 0 disables reauthentication. Default: 0 (disabled)

Role VLAN ID (optional)
By default, a client is assigned a VLAN on the basis of the ingress VLAN for the client to the controller. You can override this assignment and configure the VLAN ID that is to be assigned to the user role. You configure a VLAN by navigating to the Configuration > Network > VLANs page.

Bandwidth Contract (optional)
You can assign a bandwidth contract to provide an upper limit to upstream or downstream bandwidth utilized by clients in this role. You can select the Per User option to apply the bandwidth contracts on a per-user basis instead of to all clients in the role. For more information, see “Bandwidth Contracts” on page 338.

VPN Dialer (optional)
This assigns a VPN dialer to a user role. For details about VPN dialer, see Chapter 17, “Virtual Private Networks”. Select a dialer from the drop-down list and assign it to the user role. This dialer will be available for download when a client logs in using captive portal and is assigned this role.

L2TP Pool (optional)
This assigns an L2TP pool to the user role. For more details about L2TP pools, see Chapter 17, “Virtual Private Networks”. Select the required L2TP pool from the list to assign to the user role. The inner IP addresses of VPN tunnels using L2TP will be assigned from this pool of IP addresses for clients in this user role.

PPTP Pool (optional)
This assigns a PPTP pool to the user role. For more details about PPTP pools, see Chapter 17, “Virtual Private Networks”. Select the required PPTP pool from the list to assign to the user role. The inner IP addresses of VPN tunnels using PPTP will be assigned from this pool of IP addresses for clients in this user role.

Captive Portal Profile (optional)
This assigns a Captive Portal profile to this role. For more details about Captive Portal profiles, see Chapter 15, “Captive Portal”.

Max Sessions
This configures a maximum number of sessions per user in this role. The default is 65535. You can configure any value between 0-65535.
Creating a User Role
The following example creates the user role ‘web-guest’ and assigns the previously-configured ‘web-only’
policy to this user role.
In the WebUI
1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Click Add to create and configure a new user role.
3. Enter web-guest for Role Name.
4. Under Firewall Policies, click Add. From Choose from Configured Policies, select the ‘web-only’ session
policy from the list. You can click Create to create and configure a new policy.
5. Click Done to add the policy to the user role.
If there are multiple policies for this role, policies can be re-ordered by using the up and down buttons
provided for each policy.
6. You can optionally enter configuration values as described in Table 60.
7. Click Apply to apply this configuration. The role is not created until the configuration is applied.
After assigning the user role (see “User Role Assignments” on page 340), you can click the Show Reference
button to see the profiles that reference this user role.
To delete a user role in the WebUI:
1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Click the Delete button against the role you want to delete.
You cannot delete a user role that is referenced by a profile or by a server-derived role. Deleting a server-referenced role
results in an error. Remove all references to the role and then perform the delete operation.
In the CLI
user-role web-guest
access-list session web-only position 1
After assigning the user role (see “User Role Assignments” on page 340), you can use the show reference
user-role <role> command to see the profiles that reference this user role.
Bandwidth Contracts
You can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to
user roles. You can configure bandwidth contracts, in kilobits per second (Kbps) or megabits per second
(Mbps), for the following types of traffic:
• from the client to the controller (“upstream” traffic)
• from the controller to the client (“downstream” traffic)
You can assign different bandwidth contracts to upstream and downstream traffic for the same user role.
You can also assign a bandwidth contract for only upstream or only downstream traffic for a user role; if
there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.
By default, all users that belong to the same role share a configured bandwidth rate for upstream or
downstream traffic. You can optionally apply a bandwidth contract on a per-user basis; each user who
belongs to the role is allowed the configured bandwidth rate.
For example, if clients are connected to the controller through a DSL line, you may want to restrict the
upstream bandwidth rate allowed for each user to 128 Kbps. Or, you can limit the total downstream
bandwidth used by all users in the ‘guest’ role to 128 Mbps. The following example configures a bandwidth
rate of 128 Kbps and applies it to upstream traffic for the previously-configured ‘web-guest’ user role on a
per-user basis.
Configuring a Bandwidth Contract in the WebUI
In the WebUI, you can first configure a bandwidth contract and then assign it to a user role:
1. Navigate to the Configuration > Advanced Services > Stateful Firewall > BW Contracts page.
2. Click Add to create a new contract.
3. In the Contract Name field, enter BC512_up.
4. The Bandwidth field allows you to define a bandwidth rate in either kbps or Mbps. For this example,
enter 512 in the Bandwidth field, then click the drop-down list and select kbps.
5. Click Done.
Assigning a Bandwidth Contract to a User Role in the WebUI
Now that you have a defined bandwidth contract, you can assign that contract to a user role.
1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Select Edit for the web-guest user role.
3. Under Bandwidth Contract, select BC512_up from the drop-down menu for Upstream.
4. Select Per User.
5. Scroll to the bottom of the page, and click Apply.
You can also configure the user role and create the bandwidth contract from the User Roles page:
1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Select Edit for the web-guest user role.
3. In the Bandwidth Contract section, click the Upstream drop-down list and select Add New. The New
Bandwidth Contract fields appear.
a. In the Name field, enter BC512_up.
b. In the Bandwidth field, enter 512.
c. Click the Bandwidth drop-down list and select kbps.
d. Click Done to add the new contract and assign it to the role. The New Bandwidth Contract section
closes.
4. In the Bandwidth Contract section, select the Per User checkbox.
5. Scroll to the bottom of the page, and click Apply.
Configuring and Assigning Bandwidth Contracts in the CLI
aaa bandwidth-contract BC512_up kbps 512
user-role web-guest
bw-contract BC512_up per-user upstream
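The difference between the default shared contract and the per-user option above, as an added simulation that is not ArubaOS code: one 512 kbps bucket for the whole role versus one 512 kbps bucket per user. The token bucket with a 100 ms burst allowance, the two user names and the offered load are assumptions of this model; the guide does not describe the controller's actual shaper.

```python
"""Added example (not ArubaOS code): shared vs per-user bandwidth contracts.

Models 'aaa bandwidth-contract BC512_up kbps 512' applied to a role either as
one shared bucket (default) or one bucket per user ('per-user'). The token
bucket, its 100 ms burst allowance and the offered load are assumptions.
"""


class TokenBucket:
    """Rate limiter in bytes per second, refilled continuously."""

    def __init__(self, kbps, burst_ms=100):
        self.rate = kbps * 1000 / 8                   # bytes per second
        self.capacity = self.rate * burst_ms / 1000   # burst allowance in bytes
        self.tokens = self.capacity
        self.last = 0.0

    def allow(self, now, nbytes):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class RoleContract:
    """One bucket for the whole role (default) or one bucket per user (per-user)."""

    def __init__(self, kbps, per_user):
        self.kbps, self.per_user, self.buckets = kbps, per_user, {}

    def forward(self, now, user, nbytes):
        key = user if self.per_user else "role"
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(self.kbps)
        return self.buckets[key].allow(now, nbytes)


def simulate(per_user, users=("alice", "bob"), kbps=512, seconds=2, pkt=1500, pps=200):
    """Each user offers pkt*pps bytes/s (constructed load, far above the contract).
    Users take turns in rotating order so neither is favoured by the model.
    Returns the forwarded rate in kbps per user."""
    contract = RoleContract(kbps, per_user)
    delivered = dict.fromkeys(users, 0)
    for i in range(seconds * pps):
        now = i / pps
        order = users[i % len(users):] + users[:i % len(users)]
        for u in order:
            if contract.forward(now, u, pkt):
                delivered[u] += pkt
    return {u: round(delivered[u] * 8 / 1000 / seconds) for u in users}


if __name__ == "__main__":
    print("shared contract :", simulate(per_user=False))   # two users split ~512 kbps
    print("per-user contract:", simulate(per_user=True))   # each user gets ~512 kbps
```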
Bandwidth Contract Exceptions
Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. ArubaOS includes an internal
exception list to allow broadcast and multicast traffic using the VRRP, LACP, OSPF, PVST and STP
protocols. To remove per-vlan bandwidth contract limits on an additional broadcast or multicast protocol,
add the MAC address for that broadcast/multicast protocol to the Vlan Bandwidth Contracts MAC
Exception List.
Viewing the Current Exceptions List
To view the current bandwidth contract exception list, access the command-line interface in enable mode
and issue the command show vlan-bwcontract-explist. To view the preconfigured internal bandwidth
contract exception list, include the optional internal parameter, as shown in the example below:
(host) (config) #show vlan-bwcontract-explist internal
Vlan Bw Contracts Internal Mac Exception List
--------------------------------------------
Mac address
-----------
01:80:C2:00:00:00
01:00:0C:CC:CC:CD
01:80:C2:00:00:02
01:00:5E:00:82:11
Configuring Bandwidth Contract Exceptions
To add the MAC address of a protocol to the exception list for bandwidth contracts, access the command-line interface in config mode and issue the command vlan-bwcontract-explist <mac-addr>.
The following example adds the MAC address for CDP (Cisco Discovery Protocol) and VTP (VLAN Trunking
Protocol) to the list of protocols that are not limited by VLAN bandwidth contracts. Both protocols send to
the same destination multicast address, so one entry covers both.
(host) (config) #vlan-bwcontract-explist mac 01:00:0C:CC:CC:CC
User Role Assignments
A client is assigned a user role by one of several methods. A role assigned by one method may take
precedence over one assigned by a different method. The methods of assigning user roles are, from lowest
to highest precedence:
1. The initial user role or VLAN for unauthenticated clients is configured in the AAA profile for a virtual AP
(see Chapter 4, “Access Points”).
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known
as a user-derived role). You can configure rules that assign a user role to clients that match a certain set
of criteria. For example, you can configure a rule to assign the role “VoIP-Phone” to any client that has a
MAC address that starts with bytes xx:yy:zz. User-derivation rules are executed before client
authentication.
3. The user role can be the default user role configured for an authentication method, such as 802.1x or
VPN. For each authentication method, you can configure a default role for clients who are successfully
authenticated using that method.
4. The user role can be derived from attributes returned by the authentication server and certain client
attributes (this is known as a server-derived role). If the client is authenticated via an authentication
server, the user role for the client can be based on one or more attributes returned by the server during
authentication, or on client attributes such as SSID (even if the attribute is not returned by the server).
Server-derivation rules are executed after client authentication.
5. The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server
authentication. A role derived from an Aruba VSA takes precedence over any other user roles.
The following sections describe the methods of assigning user roles.
User Role in AAA Profile
An AAA profile defines the user role for unauthenticated clients (initial role) as well as the default user role
for MAC and 802.1x authentication. To configure user roles in the AAA profile:
In the WebUI
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. Select the “default” profile or a user-defined AAA profile.
3. Click the Initial Role drop-down list, and select the desired user role for unauthenticated users.
4. Click the 802.1x Authentication Default Role drop-down list and select the desired user role for
users who have completed 802.1x authentication.
5. Click the MAC Authentication Default Role drop-down list and select the desired user role for clients
who have completed MAC authentication.
6. Click Apply.
In the CLI
aaa profile <profile>
initial-role <role>
dot1x-default-role <role>
mac-default-role <role>
For additional information on creating AAA profiles, see “AAA Profile Parameters” on page 149.
User-Derived Roles or VLANs
Attributes derived from the client’s association with an AP can be used to assign the client to a specific role
or VLAN, as user-derivation rules are executed before the client is authenticated.
You configure the user role or VLAN to be assigned to the client by specifying condition rules; when a
condition is met, the specified user role or VLAN is assigned to the client. You can specify more than one
condition rule; the order of rules is important as the first matching condition is applied. You can optionally
add a description of the user rule.
Table 61 describes the conditions for which you can specify a user role or VLAN.
Table 61 Conditions for a User-Derived Role or VLAN
Each entry gives the Rule Type, the Conditions you can select for it, and the Value the condition is
compared against.

BSSID: Assign client to a role or VLAN based upon the BSSID of the AP to which the client is associating.
  Condition: one of contains, ends with, equals, does not equal, starts with
  Value: MAC address (xx:xx:xx:xx:xx:xx)

DHCP-Option: Assign client to a role or VLAN based upon the DHCP signature ID.
  Condition: one of equals, starts with
  Value: DHCP signature ID. Note: This string is not case sensitive.

DHCP-Option-77: Assign client to a role or VLAN based upon the user class identifier (DHCP option 77)
that the client supplies in its DHCP request.
  Condition: equals
  Value: string

Encryption: Assign client to a role or VLAN based upon the encryption type used by the client.
  Condition: one of equals, does not equal
  Value: one of Open (no encryption), WPA/WPA2 AES, WPA-TKIP (static or dynamic), Dynamic WEP,
  WPA/WPA2 AES PSK, Static WEP, xSec

ESSID: Assign client to a role or VLAN based upon the ESSID to which the client is associated.
  Condition: one of contains, ends with, equals, does not equal, starts with, value of (takes no string;
  the attribute value itself is used as the role)
  Value: string

Location: Assign client to a role or VLAN based upon the location of the AP to which the client is
associated.
  Condition: one of equals, does not equal
  Value: string

Macaddr: Assign client to a role or VLAN based upon the MAC address of the client.
  Condition: one of contains, ends with, equals, does not equal, starts with
  Value: MAC address (xx:xx:xx:xx:xx:xx)
Device Identification
The device identification feature allows you to assign a user role or VLAN to a specific device type by
identifying a DHCP option and signature for that device. If you create a user rule with the DHCP-Option
rule type, the first two characters in the Value field must represent the hexadecimal value of the DHCP
option that this rule should match, while the rest of the characters in the Value field indicate the DHCP
signature the rule should match. To create a rule that matches DHCP option 12 (host name), the first two
characters in the Value field must be the hexadecimal value of 12, which is 0C. To create a rule that
matches DHCP option 55, the first two characters in the Value field must be the hexadecimal value of 55,
which is 37.
The following table describes some of the DHCP options that are useful for assigning a user role or VLAN.
DHCP Option values

DHCP Option   Description               Hexadecimal Equivalent
12            Host name                 0C
55            Parameter Request List    37
60            Vendor Class Identifier   3C
81            Client FQDN               51
The device identification features in ArubaOS can also automatically identify different client device types
and operating systems by parsing the User-Agent strings in the client’s HTTP packets. To enable this
feature, select the Device Type Classification option in the AP’s AAA profile. For details, see “Device
Type Classification” on page 150.
Configuring a User-derived Role or VLAN in the WebUI
1. Navigate to the Configuration > Security > Authentication > User Rules page.
2. Click Add to add a new set of derivation rules. Enter a name for the set of rules, and click Add. The
name appears in the User Rules Summary list.
3. In the User Rules Summary list, select the name of the rule set to configure rules.
4. Click Add to add a rule. For Set Type, select Role from the drop-down menu. (Select VLAN instead to
create a derivation rule that sets the VLAN assigned to a client.)
5. Configure the condition for the rule by setting the Rule Type, Condition, Value parameters and optional
description of the rule. See Table 61 for descriptions of these parameters.
6. Select the role assigned to the client when this condition is met.
7. Click Add.
8. You can configure additional rules for this rule set. When you have added rules to the set, use the up or
down arrows in the Actions column to modify the order of the rules. (The first matching rule is applied.)
9. Click Apply.
10. (Optional) If the rule uses the DHCP-Option condition, best practice is to enable the Enforce DHCP
parameter in the AP group’s AAA profile, which requires users to complete a DHCP exchange to obtain
an IP address. For details on configuring this parameter in an AAA profile, see “Configuring
Authentication” on page 149.
Configure a User-derived Role or VLAN in the CLI
aaa derivation-rules user <name>
set role|vlan
condition bssid|dhcp-option|dhcp-option-77|encryption-type|essid|location|macaddr
contains|ends-with|equals|not-equals|starts-with|value-of <string>
set-value <role>
position <number>
See Table 61 for descriptions of these parameters.
User-Derived Role Example
The example rule shown in Figure 49 below sets a user role for clients whose host name (DHCP option 12)
has a value of 6C6170746F70, which is the hexadecimal equivalent of the ASCII string “laptop”. The first
two digits in the Value field are the hexadecimal value of 12 (which is 0C), followed by the specific
signature to be matched.
There are many online tools available for converting ASCII text to a hexadecimal string.
ArubaOS 6.1 | User Guide
Roles and Policies | 343
Figure 49 DHCP Option Rule
To identify the DHCP strings used by an individual device, access the command-line interface in config mode
and issue the following command to include DHCP option values for DHCP-DISCOVER and DHCP-REQUEST frames in the controller’s log files:
logging level debugging network process dhcpd
Now, connect the device you want to identify to the network, and issue the CLI command show log
network. The sample below is an example of the output that may be generated by this command.
(host) (config) #show log network all | include DISCOVER
Feb 26 02:50:34 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:50:42 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:50:42 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:53:03 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: DISCOVER 00:26:c6:52:6b:7c Options 74:01 3d:010026c6526b7c 0c:41525542412d46416c73653232 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc00
...
(host) #show log network all | include REQUEST
Feb 26 02:53:04 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 36:0a0a0a02 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100
Feb 26 02:53:04 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 36:0a0a0a02 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100
Feb 26 02:56:02 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d
Be aware that each device type may not have a unique DHCP fingerprint signature. For example, devices
from different manufacturers may use vendor class identifiers that begin with similar strings. If you create a
DHCP-Option rule that uses the starts-with condition instead of the equals condition, the rule may assign
a role or VLAN to more than one device type.
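The following Python program is an added worked example, not ArubaOS code or output. It takes the two show log network lines shown above (re-joined onto one line each), splits out each <option>:<hex> pair, decodes the options from the DHCP Option values table (12, 55, 60 and 81), and builds the Value field of a DHCP-Option rule the way the Figure 49 example does: two hex digits for the option number followed by the hex of the signature. rule_matches shows the equals versus starts-with caveat against both captured devices (both report the vendor class MSFT 5.0), and cli_rule prints one rule in the order of the CLI syntax listed above. The function names, the rule-set name laptops and the role laptop-role are placeholders chosen for this example.

```python
"""Decode the DHCP option dumps that `show log network` prints and build the
Value field of an ArubaOS DHCP-Option user-derivation rule from them.

Worked example added for this page; it is not ArubaOS code. The two log lines
below are copied from the `show log network` output shown above, re-joined
onto one line each; the option-name table covers the options the page lists.
"""
import re

# DHCP option number -> name, from the "DHCP Option values" table above
OPTION_NAMES = {
    12: "Host name",
    55: "Parameter Request List",
    60: "Vendor Class Identifier",
    81: "Client FQDN",
}

# Copied from the page's log output (DISCOVER on vlan1, REQUEST on vlan10)
DISCOVER_LINE = (
    "Feb 26 02:50:34 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: "
    "DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 "
    "0c:736861626172657368612d39393730 3c:4d53465420352e30 "
    "37:010f03062c2e2f1f21f92b"
)
REQUEST_LINE = (
    "Feb 26 02:53:04 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: "
    "REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c "
    "36:0a0a0a02 0c:41525542412d46416c73653232 "
    "51:00000041525542412d46416c736532322e73757279612e636f6d "
    "3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100"
)

# After the word "Options", each option appears as <two hex digits>:<hex payload>
_OPTION_RE = re.compile(r"\b([0-9a-fA-F]{2}):([0-9a-fA-F]+)\b")


def parse_options(log_line):
    """Return {option_number: payload_bytes} for one DISCOVER/REQUEST line.

    Everything before "Options" (timestamp, client MAC, reqIP) is skipped so
    that colon-separated MAC addresses and times are not mistaken for options.
    """
    _, _, option_text = log_line.partition("Options")
    return {int(num, 16): bytes.fromhex(payload)
            for num, payload in _OPTION_RE.findall(option_text)}


def decode_option(number, payload):
    """Human-readable form of one option payload."""
    if number == 55:
        # Parameter Request List: one byte per requested option number
        return ",".join(str(b) for b in payload)
    if number == 81:
        # Client FQDN (RFC 4702): flags, RCODE1, RCODE2, then the name
        return payload[3:].decode("ascii", "replace")
    return payload.decode("ascii", "replace")


def rule_value(option_number, signature):
    """Value field for a DHCP-Option rule: the option number as two hex digits
    followed by the hex of the signature bytes (12 + "laptop" -> 0C6C6170746F70)."""
    if isinstance(signature, str):
        signature = signature.encode("ascii")
    return f"{option_number:02X}{signature.hex().upper()}"


def rule_matches(value, condition, options):
    """Evaluate a DHCP-Option rule (equals / starts-with) against parsed options.
    Both sides are compared as upper-case hex, so the match is not case sensitive."""
    number, signature = int(value[:2], 16), value[2:].upper()
    if number not in options:
        return False
    observed = options[number].hex().upper()
    if condition == "equals":
        return observed == signature
    if condition == "starts-with":
        return observed.startswith(signature)
    raise ValueError(f"unsupported condition: {condition}")


def cli_rule(rule_set, condition, value, role, position=1):
    """One rule in the order of the CLI syntax listed on this page; rule_set and
    role are names you choose in your own configuration (placeholders here)."""
    return (f"aaa derivation-rules user {rule_set}\n"
            f"  set role condition dhcp-option {condition} {value} "
            f"set-value {role} position {position}")


if __name__ == "__main__":
    for line in (DISCOVER_LINE, REQUEST_LINE):
        for num, payload in sorted(parse_options(line).items()):
            name = OPTION_NAMES.get(num, "other")
            print(f"option {num:3d} ({name}): {decode_option(num, payload)}")
    print(cli_rule("laptops", "equals", rule_value(12, "laptop"), "laptop-role"))
```

Running it prints every decoded option for both captures. A host-name rule built from ARUBA-FAlse22 with the equals condition matches only the vlan10 client, while a starts-with rule on the vendor class MSFT matches both devices, which is the overlap the paragraph above warns about.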
Default Role for Authentication Method
For each authentication method, you can configure a default role for clients who are successfully
authenticated using that method. To configure a default role for an authentication method:
In the WebUI
1. Navigate to the Configuration > Security > Authentication page.
2. To configure the default user role for MAC or 802.1x authentication, select the AAA Profiles tab. Select
the AAA profile. Enter the user role for MAC Authentication Default Role or 802.1x Authentication
Default Role.
3. To configure the default user role for other authentication methods, select the L2 Authentication or
L3 Authentication tab. Select the authentication type (Stateful 802.1x or stateful NTLM for L2
Authentication, Captive Portal or VPN for L3 Authentication), and then select the profile. Enter the user
role for Default Role.
4. Click Apply.
For additional information on configuring captive portal authentication, see “Captive Portal” on page 363.
In the CLI
To configure the default user role for MAC or 802.1x authentication:
aaa profile <profile>
mac-default-role <role>
dot1x-default-role <role>
To configure the default user role for other authentication methods:
aaa authentication captive-portal <profile>
default-role <role>
aaa authentication stateful-dot1x
default-role <role>
aaa authentication stateful-ntlm
default-role <role>
aaa authentication vpn
default-role <role>
Server-Derived Role
If the client is authenticated via an authentication server, the user role for the client can be based on one or
more attributes returned by the server during authentication. You configure the user role to be derived by
specifying condition rules; when a condition is met, the specified user role is assigned to the client. You can
specify more than one condition rule; the order of rules is important as the first matching condition is
applied. You can also define server rules based on client attributes such as ESSID, BSSID, or MAC address,
even though these attributes are not returned by the server.
For information about configuring a server-derived role, see “Configuring Server-Derivation Rules” on
page 287.
VSA-Derived Role
Many Network Access Server (NAS) vendors, including Aruba, use VSAs to provide features not supported
in standard RADIUS attributes. For Aruba systems, VSAs can be employed to provide the user role and
VLAN for RADIUS-authenticated clients; however, the VSAs must be defined on your RADIUS server. This
involves defining the vendor (Aruba) and/or the vendor-specific code (14823), the vendor-assigned attribute
number, the attribute format (such as string or integer), and the attribute value in the RADIUS dictionary
file. VSAs supported on controllers conform to the format recommended in RFC 2865, “Remote
Authentication Dial In User Service (RADIUS)”.
Dictionary files that contain Aruba VSAs are available on the Aruba support website for various RADIUS
servers. Log into the Aruba support website to download a dictionary file from the Tools folder.
Global Firewall Parameters
Table 62 describes optional firewall parameters you can set on the controller for IPv4 traffic. To set these
options in the WebUI, navigate to the Configuration > Advanced Services > Stateful Firewall > Global
Setting page and select or enter values in the IPv4 column. To set these options in the CLI, use the firewall
configuration commands.
See Chapter 36, “IPv6 Support” for information about configuring firewall parameters for IPv6 traffic.
Table 62 IPv4 Firewall Parameters
Each entry gives the Parameter name as shown in the WebUI, followed by its Description and default.

Monitor Ping Attack
  Number of ICMP pings per second which, if exceeded, can indicate a denial of service attack. Valid
  range is 1-255 pings per second. Recommended value is 4.
  Default: No default

Monitor TCP SYN Attack rate
  Number of TCP SYN messages per second which, if exceeded, can indicate a denial of service attack.
  Valid range is 1-255 messages per second. Recommended value is 32.
  Default: No default

Monitor IP Session Attack
  Number of TCP or UDP connection requests per second which, if exceeded, can indicate a denial of
  service attack. Valid range is 1-255 requests per second. Recommended value is 32.
  Default: No default

Monitor/Police CP Attack rate (per sec)
  Rate of a misbehaving user’s inbound traffic which, if exceeded, can indicate a denial of service
  attack. Recommended value is 100 frames per second.

Deny Inter User Bridging
  Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user
  role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2
  traffic. This option can be used to prevent traffic such as AppleTalk or IPX from being forwarded.
  Default: Disabled

Deny Inter User Traffic
  Denies traffic between untrusted users by disallowing both Layer-2 and Layer-3 traffic. This parameter
  does not depend on the Deny Inter User Bridging parameter being enabled or disabled.
  Default: Disabled

Deny All IP Fragments
  Drops all IP fragments.
  Note: Do not enable this option unless instructed to do so by an Aruba representative.
  Default: Disabled

Enforce TCP Handshake Before Allowing Data
  Prevents data from passing between two clients until the three-way TCP handshake has been performed.
  This option should be disabled when you have mobile clients on the network, as enabling it will cause
  mobility to fail. You can enable this option if there are no mobile clients on the network.
  Default: Disabled

Prohibit IP Spoofing
  Enables detection of IP spoofing (where an intruder sends messages using the IP address of a trusted
  client). When this option is enabled, source and destination IP and MAC addresses are checked for each
  ARP request/response. Traffic from a second MAC address using a specific IP address is denied, and the
  entry is not added to the user table. Possible IP spoofing attacks are logged and an SNMP trap is sent.
  Default: Disabled

Prohibit RST Replay Attack
  When enabled, closes a TCP connection in both directions if a TCP RST is received from either
  direction. You should not enable this option unless instructed to do so by an Aruba representative.
  Default: Disabled

Log ICMP Errors
  Enables logging of received ICMP errors. You should not enable this option unless instructed to do so
  by an Aruba representative.
  Default: Disabled

Stateful SIP Processing
  Disables monitoring of exchanges between a voice over IP or voice over WLAN device and a SIP server.
  This option should be enabled only when there is no VoIP or VoWLAN traffic on the network.
  Default: Disabled (stateful SIP processing is enabled)

Allow Tri-session with DNAT
  Allows a three-way session when performing destination NAT. This option should be enabled when the
  controller is not the default gateway for wireless clients and the default gateway is behind the
  controller. This option is typically used for captive portal configuration.
  Default: Disabled

Session Mirror Destination
  Destination (IP address or port) to which mirrored session packets are sent. This option is used only
  for troubleshooting or debugging. A packet can match mirror rules in multiple ACLs, but only a single
  copy is mirrored when it matches more than one ACL.
  You can configure the following:
  • Ethertype to be mirrored, with the Ethertype ACL mirror option.
  • IP flows to be mirrored, with the session ACL mirror option.
  • MAC flows to be mirrored, with the MAC ACL mirror option.
  If you configure both an IP address and a port to receive mirrored packets, the IP address takes
  precedence.
  Default: N/A

Session Idle Timeout (sec)
  Sets the time, in seconds, that a non-TCP session can be idle before it is removed from the session
  table. Specify a value in the range 16-259 seconds. You should not set this option unless instructed to
  do so by an Aruba representative.
  Default: 15 seconds

Disable FTP Server
  Disables the FTP server on the controller. Enabling this option prevents FTP transfers. You should not
  enable this option unless instructed to do so by an Aruba representative.
  Default: Disabled (FTP server is enabled)

GRE Call ID Processing
  Creates a unique state for each PPTP tunnel. You should not enable this option unless instructed to do
  so by an Aruba representative.
  Default: Disabled

Per-packet Logging
  Enables logging of every packet if logging is enabled for the corresponding session rule. Normally, one
  event is logged per session. If you enable this option, each packet in the session is logged. You
  should not enable this option unless instructed to do so by an Aruba representative, as doing so may
  create unnecessary overhead on the controller.
  Default: Disabled (per-session logging is performed)

Broadcast-filter ARP
  Reduces the number of broadcast packets sent to VoIP clients, thereby improving the battery life of
  voice handsets. You can enable this option for voice handsets in conjunction with increasing the DTIM
  interval on clients.
  Default: Disabled

Prohibit ARP Spoofing
  Detects and prohibits ARP spoofing. When this option is enabled, possible ARP spoofing attacks are
  logged and an SNMP trap is sent.
  Default: Disabled

Session VOIP Timeout (sec)
  Sets the idle session timeout for sessions that are marked as voice sessions. If no voice packet
  exchange occurs over a voice session for the specified time, the voice session is removed. Range is
  16-300 seconds.
  Default: 300 seconds

Stateful H.323 Processing
  Disables stateful H.323 processing.
  Default: Enabled

Stateful SCCP Processing
  Disables stateful SCCP processing.
  Default: Disabled

Only allow local subnets in user table
  Adds only IP addresses that belong to a local subnet to the user table.
  Default: Disabled

Session mirror IPSEC
  Configures session mirroring of all frames that are processed by IPsec. Frames are sent to the IP
  address specified by the session-mirror-destination option.
  Note: Use this option for debugging or troubleshooting only.
  Default: Disabled

Multicast automatic shaping
  Enables multicast optimization and provides good streaming quality regardless of the number of VLANs or
  IP IGMP groups in use.
  Default: Disabled

Stateful VOCERA Processing
  Disables stateful VOCERA processing.
  Default: Disabled

Stateful UA Processing
  Disables stateful UA processing.
  Default: Disabled

Enforce bw contracts for broadcast traffic
  Applies bandwidth contracts to local subnet broadcast traffic.

Clear Sessions on Role Update
  If enabled, this setting clears all existing user role sessions after a user or client role is modified.

Enforce TCP Sequence numbers
  Enforces the TCP sequence numbers for all packets.
  Default: Disabled

Enforce WMM Voice Priority Matches Flow Content
  If traffic to or from the user is inconsistent with the associated QoS policy for voice, the traffic is
  reclassified to best effort and data path counters are incremented.
  Default: Disabled

Rate limit CP untrusted ucast traffic (Mbps)
  Specifies the untrusted unicast traffic rate limit. Range is 1-200 Mbps.
  Default: 10 Mbps

Rate limit CP untrusted mcast traffic (Mbps)
  Specifies the untrusted multicast traffic rate limit. Range is 1-200 Mbps.
  Default: 2 Mbps

Rate limit CP trusted ucast traffic (Mbps)
  Specifies the trusted unicast traffic rate limit. Range is 1-200 Mbps.
  Default: 80 Mbps

Rate limit CP trusted mcast traffic (Mbps)
  Specifies the trusted multicast traffic rate limit. Range is 1-200 Mbps.
  Default: 2 Mbps

Rate limit CP route traffic (Mbps)
  Specifies the rate limit for traffic that needs ARP requests. Range is 1-200 Mbps.
  Default: 1 Mbps

Rate limit CP session mirror traffic (Mbps)
  Specifies the rate limit for session-mirrored traffic forwarded to the controller. Range is 1-200 Mbps.
  Default: 1 Mbps

Rate limit CP auth process traffic (Mbps)
  Specifies the rate limit for traffic that is forwarded to the authentication process. Range is
  1-200 Mbps.
  Default: 1 Mbps
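As an added example of the check described under Prohibit IP Spoofing (written for this page; it is not ArubaOS code), the following Python models a user table that learns one MAC address per IP address from ARP requests and responses, denies traffic from a second MAC that uses an already-bound IP without overwriting the binding, and records the log entry and trap the description mentions. The frames are constructed, and the lists log and traps stand in for the controller’s syslog and SNMP trap facilities; the class and function names are placeholders chosen for the example.

```python
"""User-table IP/MAC binding check modelled on the Prohibit IP Spoofing
firewall parameter: the first MAC address seen in ARP for an IP address owns
it; traffic from a second MAC using that IP is denied, the binding is not
overwritten, and the event is logged and a trap is queued.

Added example for this page, not ArubaOS code. Frame records are constructed;
`log` and `traps` are plain lists standing in for syslog and SNMP.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    kind: str  # "arp-request", "arp-reply" or "ip"


@dataclass
class SpoofGuard:
    user_table: dict = field(default_factory=dict)  # ip -> owning MAC (lower-case)
    log: list = field(default_factory=list)
    traps: list = field(default_factory=list)

    def inspect(self, frame):
        """Return "permit" or "deny" for one frame, updating the user table."""
        mac = frame.src_mac.lower()
        owner = self.user_table.get(frame.src_ip)
        if owner is None:
            if frame.kind.startswith("arp"):
                # Learn the binding from the first ARP request/response for this IP
                self.user_table[frame.src_ip] = mac
            return "permit"
        if owner == mac:
            return "permit"
        # A second MAC is claiming an IP that is already bound: deny and do not
        # re-learn, so the legitimate client's entry survives the attempt.
        self.log.append(f"possible IP spoofing: {frame.src_ip} is bound to {owner}, "
                        f"seen from {mac} in {frame.kind}")
        self.traps.append({"ip": frame.src_ip, "bound_mac": owner, "seen_mac": mac})
        return "deny"


def run_demo():
    """Constructed traffic: a legitimate client binds 10.10.10.20, then a second
    station sends a spoofed ARP reply and IP traffic using that address."""
    frames = [
        Frame("00:11:22:33:44:55", "10.10.10.20", "arp-request"),
        Frame("00:11:22:33:44:55", "10.10.10.20", "ip"),
        Frame("DE:AD:BE:EF:00:01", "10.10.10.20", "arp-reply"),    # spoofed
        Frame("de:ad:be:ef:00:01", "10.10.10.20", "ip"),           # spoofed
        Frame("de:ad:be:ef:00:01", "10.10.10.21", "arp-request"),  # its own IP
    ]
    guard = SpoofGuard()
    verdicts = [guard.inspect(f) for f in frames]
    return verdicts, guard


if __name__ == "__main__":
    verdicts, guard = run_demo()
    print(verdicts)
    print(*guard.log, sep="\n")
```

The demo permits the first client, denies both spoofed frames from the second station while leaving the original binding in place, and still permits that station when it uses its own address, which is the behaviour the table entry describes (denied traffic, no new user-table entry, a log line and a trap per event).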
Chapter 13
Dashboard Monitoring
The ArubaOS dashboard monitoring functionality provides enhanced visibility into your wireless network
performance and usage within a controller. This allows you to easily locate and diagnose WLAN issues in
the controller.
The dashboard monitoring is available via the WebUI. To monitor and troubleshoot RF issues in the WLAN,
click the Dashboard tab. The following pages under the Dashboard tab let you view performance and usage
information:
• Performance
• Usage
• Security
• Potential Issues
• WLANs
• Access Points
• Clients
Additionally, you can view the context sensitive help for each field in the Dashboard UI by doing a right
click on the field.
Performance
This page displays the performance details of the wireless clients and APs connected to the controller.
Clients
This section displays the total number of wireless clients connected to the controller. You can view the
distribution of clients in different SNR ranges, associated data rate ranges, and data transfer speed ranges
using the histograms. You can click on the hyperlinked number to view the Clients page. Additionally, you
can view the following client performance details:
• Signal to noise ratio (SNR)
• Phy type
• Client connection speed
• Effective data rate of the clients connected to the controller
To understand histogram information, see “Using Dashboard Histograms” on page 352.
APs
This section displays the following performance details of the APs on the controller:
• To client or from client frame rates
• Overall goodput
• Percentage of frames dropped
• Frame rate distribution of the APs
Additionally, you can view the distribution of the APs in different noise floor ranges, channel utilization
ranges, and non-Wi-Fi interference ranges using the histograms. To understand histogram information, see
“Using Dashboard Histograms” on page 352.
Using Dashboard Histograms
Dashboard histograms are a visual representation of the distribution of the wireless clients, access points,
and radios across different performance parameters in the controller. Histograms help you to quickly
identify any performance issues in the network from the color of the distribution. For example, critical
ranges of the distribution are highlighted in red and the normal ranges are highlighted in green.
You can view the number of clients or APs falling in each range of the distribution with a hyperlink. You can
also perform the following tasks on the histograms to get additional information on the clients and APs in
the distribution:
• View Client or AP details: Click the hyperlinked number to view the details of the clients or APs in a
  pop-up window.
• Sort: Click a column header of the clients or APs table to sort the complete list based on the entries in
  the active column. You can also use the sort icon that appears when you click on a column.
• Filter: Click the filter icon and select the filter criterion on any column to filter the entries.
• Customize column view: Right-click the clients or AP table header and select or deselect the columns to
  view or hide.
• Close pop-up window: Click the close icon to close the client or AP details pop-up window.
Usage
This page displays the usage details of the clients and APs on the controller.
Clients
This section displays the client and WLAN utilization in the controller. You can view the trends of the
following client usage details in the last 15 minutes:
• Number of wireless clients connected to the controller
• Number of active wireless clients
• Number of wireless clients that have low usage
• Number of wireless clients associated per WLAN
Additionally, you can click on the hyperlinked number to view the respective client details on the Clients
page.
APs
This section displays the AP utilization in the controller. You can view the following AP and radio details:
• Number of APs
• Number of APs that are down
• Radios with low usage
• Overall AP usage
You can click on the hyperlinked number to view the respective AP or radio details on the Access Points
or Radios page. Additionally, you can view the trends of the average data bytes transmitted and received by
the AP per second and the usage per WLAN in the last 15 minutes.
Security
This page allows you to monitor the detection and protection of wireless intrusions in your network.
The two top tables—Discovered APs & Clients and Events—contain data as links. When these links are
selected they arrange, filter, and display the appropriate information in the lower table.
The term events in this document refers to security threats, vulnerabilities, attacks (intrusion or Denial of Service) and
other related events.
Potential Issues
This page displays the total number of radios and wireless clients that may have potential issues in the
network. You can right-click the total number to view the trend of the clients and radios with potential
issues in the last 15 minutes. You can also view the number of clients or radios that have a specific
potential issue in each radio band.
The potential issues that a client may have are:
• Low SNR: Clients that have a signal to noise ratio of 30 dB or lower.
• Low speed: Clients that have a connection speed of 36 Mbps or lower.
• Low goodput: Clients that have an average data rate of 24 Mbps or lower.
The potential issues that a radio may have are:
• High noise floor: Radios that have a noise floor of -85 dBm or greater.
• Busy channel: Radios that have a channel utilization of 80% or greater.
• High non-Wi-Fi interference: Radios that have non-Wi-Fi interference of 20% or greater.
• Low goodput: Radios that have an average data rate of 24 Mbps or lower.
• High client association: Radios that have 15 or more clients connected.
You can click on the hyperlinked number to view the details of the respective clients or radios in the bottom
pane of the page. You can perform the following tasks on the details table:
• Sort: Click a column header of the table to sort the complete list based on the entries in the active
  column. You can also use the sort icon that appears when you click on a column.
• View or hide columns: Right-click the table header and select or deselect the columns to view or hide.
WLANs
You can view the WLAN details such as the number of associated APs, radios, and wireless clients as well as
the WLAN usage in the controller. You can also view the details of the associated APs and clients as tables.
You can perform the following tasks on this page:
• Sort: Click a column header of the WLAN table to sort the complete list based on the entries in the
  active column. You can also use the sort icon that appears when you click on a column.
• Filter: Click the filter icon and select the filter criterion on any column of the details table to filter
  the entries.
• Customize column view: Right-click the details table header and select or deselect the columns to view
  or hide. You can also choose one of the following system-defined views, which have the appropriate
  pre-selected columns:
  • Default Columns
  • To/From Client Stats
• View WLAN trends: View the trends of the clients connected in the WLAN and the WLAN usage in the
  last 15 minutes.
• View client summary: Click the hyperlinked client name in the client details table to view the
  Client Summary page. On this page, you can view the client details summary (air quality metrics and
  from- and to-client statistics), the client’s bandwidth usage, the trend of the client frame loss in the
  last 15 minutes, and the frame rate distribution of the client.
• View AP or radio summary: Click the hyperlinked AP name or the radio band in the AP details table to
  view the Access Points page. On this page you can view the summary of the AP details such as air quality
  metrics, from- and to-client statistics, and the number of clients associated with the AP under
  different SNR ranges. Additionally, you can view the details of the associated clients and WLANs.
Access Points
You can view the details of all the radios and APs associated with the controller by selecting the respective
tab. You can also view the trends of the connected wireless clients and the client usage under the 2.4 GHz
and 5 GHz radio bands in the last 15 minutes.
You can perform the following tasks on this page:

Sort: Click a column header of the AP table to sort the complete list based on the entries on the active
column. You can also use the sort icon that appears when you click on a column for sorting.

Filter: Click the filter icon and select the filter criterion on any column of the details table to filter the
entries.

Customize column view: Right-click the details table header and select or deselect the columns to view
or hide. You can also choose one of the following system-defined views, which have the appropriate
pre-selected columns:

Default Columns

Air Quality Metrics

To/From Client Stats

View client details: Click on the number of clients associated with the AP to view the details of the
clients on the Clients page.

View AP or radio summary: Click on the hyperlinked AP name or the radio band on the AP details
table to view the summary of the AP details such as air quality metrics, from and to clients statistics, and
the number of clients associated with the AP under different SNR ranges. Additionally, you can view the
details of the associated clients and WLANs.
Clients
You can view the details of all the wireless clients on the controller. You can also view the trends of the
connected clients and the client usage under the 2.4 GHz and 5 GHz radio bands in the last 15 minutes.
You can perform the following tasks on this page:

Sort: Click a column header of the client table to sort the complete list based on the entries on the active
column. You can also use the sort icon that appears when you click on a column for sorting.

Filter: Click the filter icon and select the filter criterion on any column of the details table to filter the
entries.

Customize column view: Right-click the details table header and select or deselect the columns to view
or hide. You can also choose one of the following system-defined views, which have the appropriate
pre-selected columns:

Default Columns

Air Quality Metrics

To/From Client Stats

View client summary: Click on the hyperlinked client name on the client details table to view the
Client Summary page. In this page, you can view the client details summary (air quality metrics and
from or to clients statistics), bandwidth of the client usage, trend of the client frame loss in the last 15
minutes, and the frame rate distribution of the client.

View AP details: Click on the hyperlinked AP name to view the Access Points page.

View WLAN details: Click on the hyperlinked SSID of the WLAN to view the WLANs page.
Chapter 14
Stateful and WISPr
Authentication
ArubaOS supports stateful 802.1x authentication, stateful NTLM authentication and authentication for
Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.1x
authentication in that the controller does not manage the authentication process directly, but monitors the
authentication messages between a user and an external authentication server, and then assigns a role to
that user based upon the information in those authentication messages. WISPr authentication allows clients
to roam between hotspots using different ISPs.
This chapter describes the following topics:

“Stateful Authentication Overview” on page 357

“WISPr Authentication Overview” on page 357

“Important Points to Remember” on page 358

“Configuring Stateful 802.1x Authentication” on page 358

“Configuring Stateful NTLM Authentication” on page 359

“Configuring WISPr Authentication” on page 360
Stateful Authentication Overview
ArubaOS supports two different types of stateful authentication, stateful 802.1x and stateful NTLM.

Stateful 802.1x authentication: This feature allows the controller to learn the identity and role of a
user connected to a third-party AP, and is useful for authenticating users to networks with APs from
multiple vendors. When an 802.1x-capable access point sends an authentication request to a RADIUS
server, the controller inspects this request and the associated response to learn the authentication state
of the user. It then applies an identity-based user role through the Policy Enforcement Firewall.

Stateful NTLM authentication: NT LAN Manager (NTLM) is a suite of Microsoft authentication and
session security protocols. You can use stateful NTLM authentication to configure a controller to
monitor the NTLM authentication messages between a client and a Windows authentication server. If
the client successfully authenticates via an NTLM authentication server, the controller can recognize
that the client has been authenticated and assign that client a specified user role.
The default Windows authentication method changed from the older NTLM protocol to the newer
Kerberos protocol, starting with Windows 2000. Therefore, stateful NTLM authentication is most useful
for networks with legacy, pre-Windows 2000 clients. Note also that unlike other types of authentication,
all users authenticated via stateful NTLM authentication must be assigned to the user role specified in
the Stateful NTLM Authentication profile. Aruba’s stateful NTLM authentication does not support
placing users in various roles based upon group membership or other role-derivation attributes.
WISPr Authentication Overview
WISPr authentication allows a “smart client” to authenticate on the network when they roam between
Wireless Internet Service Providers, even if the wireless hotspot uses an ISP for which the client may not
have an account.
If you are a hotspot operator using WISPr authentication, and a client that has an account with your ISP
attempts to access the Internet at your hotspot, then your ISP’s WISPr AAA server authenticates that client
directly, and allows the client access on the network. If, however, the client only has an account with a
partner ISP, then your ISP’s WISPr AAA server will forward that client’s credentials to the partner ISP’s
WISPr AAA server for authentication. Once the client has been authenticated on the partner ISP, it will be
authenticated on your hotspot’s own ISP, as per their service agreements. Once your ISP sends an
authentication message to the controller, the controller assigns the default WISPr user role to that client.
ArubaOS supports the following smart clients, which enable client authentication and roaming between
hotspots by embedding iPass Generic Interface Specification (GIS) redirect, proxy, authentication and
logoff messages within HTML messages to the controller.

iPass

Bongo

Trustive

weRoam

AT&T
Important Points to Remember
Before you can configure a stateful authentication feature, you should have defined a user role you want to
assign to the authenticated users, and created a server group that includes a RADIUS authentication server
for stateful 802.1x authentication or a Windows server for stateful NTLM authentication. For details on
performing these tasks, see the following sections of this User Guide:

“Roles and Policies” on page 331

“Configuring a RADIUS Server” on page 274

“Configuring a Windows Server” on page 279

“Server Groups” on page 283
You can use the default stateful NTLM authentication and WISPr authentication profiles to manage the
settings for these features, or you can create additional profiles as desired. Note, however, that unlike most
other types of authentication, stateful 802.1x authentication uses only a single Stateful 802.1x profile. This
profile can be enabled or disabled, but you can not configure more than one instance of a Stateful 802.1x
profile.
Configuring Stateful 802.1x Authentication
When you configure 802.1x authentication for clients on non-Aruba APs, you must specify the group of
RADIUS servers that will perform the user authentication, and select the role to be assigned to those users
who successfully complete authentication. When the user logs off or shuts down the client machine,
ArubaOS will note the deauthentication message from the RADIUS server, and will change the user’s role
from the specified authenticated role back to the logon role. For details on defining a RADIUS server used
for stateful 802.1x authentication, see “Configuring a RADIUS Server” on page 274.
In the WebUI
To configure the Stateful 802.1x Authentication profile via the WebUI:
1. Navigate to the Configuration > Security > Authentication > L2 Authentication window.
2. In the Profiles list, select Stateful 802.1x Authentication Profile.
3. Click the Default Role drop-down list, and select the role that will be assigned to stateful 802.1x
authenticated users.
4. Specify the timeout period for authentication requests, from 1-20 seconds. The default value is 10
seconds.
5. Select the Mode checkbox to enable stateful 802.1x authentication.
In the CLI
Use the following commands to configure stateful 802.1x authentication via the command-line interface.
The first set of commands defines the RADIUS server used for 802.1x authentication, and the second set
assigns that server to a server group. The third set of commands associates that server group with the
stateful 802.1x authentication profile, then sets the authentication role and timeout period.
aaa authentication-server radius <server-name>
acctport <port>
authport <port>
clone <server>
enable
host <ipaddr>
key <psk>
nas-identifier <string>
nas-ip <ipaddr>
retransmit <number>
timeout <seconds>
use-md5
!
aaa server-group group <server-group>
auth-server <server-name>
!
aaa authentication stateful-dot1x
server-group <server-group>
default-role <role>
enable
timeout <seconds>
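The following Python script is an added illustration of the passive model that stateful 802.1x relies on; it is not ArubaOS code, and the packet builders, MAC addresses, user names and shared secret it uses are constructed for the example. It does no sniffing itself: you feed it the RADIUS packets exchanged between the third-party AP and the RADIUS server. The point a practitioner should take from it is the Response Authenticator check (RFC 2865): an Access-Accept that was not computed with the configured RADIUS key (the `key <psk>` above) must not move the client into the authenticated role, because a forged Accept would otherwise be enough to obtain that role.

```python
"""Passive RADIUS observer in the style of stateful 802.1x (added illustration, not ArubaOS code).

The observer never answers packets. It pairs each Access-Request with the
Access-Accept/Access-Reject that carries the same Identifier, verifies the
Response Authenticator with the shared secret, and only then moves the client
(identified by Calling-Station-Id) from the logon role to the default role.
"""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CALLING_STATION_ID = 1, 31   # RFC 2865 attribute types


def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_request(ident, request_authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body


def build_response(code, request_raw, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request_raw[1], 20 + len(body))
    return head + hashlib.md5(head + request_raw[4:20] + body + secret).digest() + body


def parse_packet(raw):
    if len(raw) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match packet size")
    return {"code": code, "ident": ident, "authenticator": raw[4:20], "attrs": decode_attrs(raw[20:])}


class StatefulDot1xObserver:
    def __init__(self, secret, default_role, logon_role="logon"):
        self.secret, self.default_role, self.logon_role = secret, default_role, logon_role
        self.pending = {}   # Identifier -> (client MAC, user name, Request Authenticator)
        self.roles = {}     # client MAC -> current role

    def observe(self, raw):
        """Feed one observed RADIUS packet; returns an event tuple or None."""
        pkt = parse_packet(raw)
        if pkt["code"] == ACCESS_REQUEST:
            attrs = dict(pkt["attrs"])
            mac = attrs.get(ATTR_CALLING_STATION_ID, b"").decode("ascii", "replace")
            user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
            # A production observer keys on (NAS address, Identifier); only the Identifier is used here.
            self.pending[pkt["ident"]] = (mac, user, pkt["authenticator"])
            self.roles.setdefault(mac, self.logon_role)
            return None
        if pkt["code"] not in (ACCESS_ACCEPT, ACCESS_REJECT):
            return None
        req = self.pending.pop(pkt["ident"], None)
        if req is None:
            return None                      # response without a request we saw: ignore
        mac, user, req_auth = req
        expected = hashlib.md5(raw[:4] + req_auth + raw[20:] + self.secret).digest()
        if expected != pkt["authenticator"]:
            return ("spoofed", mac, user)    # forged Accept: the role must not change
        if pkt["code"] == ACCESS_ACCEPT:
            self.roles[mac] = self.default_role
            return ("accept", mac, user)
        self.roles[mac] = self.logon_role
        return ("reject", mac, user)


def demo():
    """Constructed exchange: one genuine Accept, then one Accept forged without the secret."""
    secret, obs = b"s3cret", StatefulDot1xObserver(b"s3cret", default_role="employee")
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")]
    req = build_request(7, bytes(range(16)), attrs)       # constructed; a NAS uses random bytes
    obs.observe(req)
    genuine = obs.observe(build_response(ACCESS_ACCEPT, req, secret))
    req2 = build_request(8, bytes(range(16, 32)), [(ATTR_USER_NAME, b"mallory"),
                                                   (ATTR_CALLING_STATION_ID, b"66-77-88-99-aa-bb")])
    obs.observe(req2)
    forged = obs.observe(build_response(ACCESS_ACCEPT, req2, b"guessed-wrong"))
    return genuine, forged, dict(obs.roles)


if __name__ == "__main__":
    print(demo())
```

Run the script directly: the genuine Accept moves alice into the employee role, while the Accept forged for mallory is reported as spoofed and leaves her in the logon role. An observer that skips the authenticator check would have promoted both.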
Configuring Stateful NTLM Authentication
The Stateful NTLM Authentication profile requires that you specify a server group which includes the
servers performing NTLM authentication, and the role to be assigned to users who are successfully
authenticated. For details on defining a windows server used for NTLM authentication, see “Configuring a
Windows Server” on page 279.
When the user logs off or shuts down the client machine, the user will remain in the authenticated role until
the user ages out, that is, until the user has sent no traffic for the amount of time specified in the User Idle
Timeout setting in the Configuration > Security > Authentication > Advanced page.
In the WebUI
To create and configure a new instance of a stateful NTLM authentication profile via the WebUI:
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. In the Profiles list, expand the Stateful NTLM Authentication Profile.
3. To define settings for an existing profile, click that profile name in the profiles list.
To create and define settings for a new Stateful NTLM Authentication profile, select an existing profile,
then click the Save As button in the right window pane. Enter a name for the new profile in the entry
field at the top of the right window pane.
4. Click the Default Role drop-down list, and select the role to be assigned to all users after they complete
stateful NTLM authentication.
5. Specify the timeout period for authentication requests, from 1-20 seconds. The default value is 10
seconds.
6. Select the Mode checkbox to enable stateful NTLM authentication.
7. Click Apply.
8. In the Profiles list, select the Server Group entry below the Stateful NTLM Authentication profile.
9. Click the Server Group drop-down list and select the group of Windows servers you want to use for
stateful NTLM authentication.
10. Click Apply.
In the CLI
Use the following commands to configure stateful NTLM authentication via the command-line interface.
The first set of commands defines the Windows server used for NTLM authentication, the second set adds
that server to a server group, and the third set of commands associates that server group with the stateful
NTLM authentication profile then defines the profile settings.
aaa authentication-server windows <windows_server_name>
host <ipaddr>
enable
!
aaa server-group group <server-group>
auth-server <windows_server_name>
!
aaa authentication stateful-ntlm
default-role <role>
enable
server-group <server-group>
timeout <seconds>
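As an added illustration (not ArubaOS code) of what monitoring NTLM messages involves, the Python below parses the three NTLMSSP message types as laid out in MS-NLMP and keeps one state machine per connection. The domain and user name are read from the AUTHENTICATE message, but the role is assigned only once the server's verdict on that message is observed, because an AUTHENTICATE message by itself proves nothing about whether the credentials were accepted. The message builders, addresses and names are constructed for the example.

```python
"""NTLMSSP message parser plus a per-connection state tracker (added illustration, not ArubaOS code).

Layouts follow MS-NLMP: NEGOTIATE (type 1), CHALLENGE (type 2) and AUTHENTICATE (type 3).
Seeing an AUTHENTICATE message only shows that a client claimed an identity; the role
is granted only after the server's verdict on that message is seen.
"""
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
FLAG_UNICODE = 0x00000001          # NTLMSSP_NEGOTIATE_UNICODE: payload strings are UTF-16LE


def _buffer(msg, off):
    """Resolve a (Len, MaxLen, BufferOffset) descriptor stored at msg[off:off+8]."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & FLAG_UNICODE else "ascii")


def parse_ntlmssp(msg):
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == NEGOTIATE:
        return {"type": NEGOTIATE, "flags": struct.unpack_from("<I", msg, 12)[0]}
    if mtype == CHALLENGE:
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": CHALLENGE, "flags": flags, "server_challenge": msg[24:32]}
    if mtype == AUTHENTICATE:
        flags = struct.unpack_from("<I", msg, 60)[0]
        nt_response = _buffer(msg, 20)
        return {
            "type": AUTHENTICATE,
            "flags": flags,
            "domain": _text(_buffer(msg, 28), flags),
            "user": _text(_buffer(msg, 36), flags),
            "workstation": _text(_buffer(msg, 44), flags),
            # a 24-byte NtChallengeResponse is NTLMv1; anything longer is NTLMv2
            "ntlm_version": 2 if len(nt_response) > 24 else 1,
        }
    raise ValueError("unknown NTLMSSP message type %d" % mtype)


# Builders for constructed test messages (minimal, Version and MIC fields zeroed).
def build_negotiate(flags=FLAG_UNICODE):
    return SIGNATURE + struct.pack("<I", NEGOTIATE) + struct.pack("<I", flags)


def build_challenge(server_challenge, flags=FLAG_UNICODE):
    empty = struct.pack("<HHI", 0, 0, 48)        # empty TargetName / TargetInfo buffers
    return SIGNATURE + struct.pack("<I", CHALLENGE) + empty + struct.pack("<I", flags) \
        + server_challenge + bytes(8) + empty


def build_authenticate(domain, user, workstation, nt_response, flags=FLAG_UNICODE):
    enc = lambda s: s.encode("utf-16-le")
    payloads = [b"", nt_response, enc(domain), enc(user), enc(workstation), b""]
    descs, payload, off = b"", b"", 88            # 64-byte fixed part + Version(8) + MIC(16)
    for p in payloads:
        descs += struct.pack("<HHI", len(p), len(p), off)
        payload, off = payload + p, off + len(p)
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + descs + struct.pack("<I", flags) \
        + bytes(24) + payload


class StatefulNtlmObserver:
    """Tracks one NEGOTIATE -> CHALLENGE -> AUTHENTICATE exchange per connection."""

    def __init__(self, default_role, logon_role="logon"):
        self.default_role, self.logon_role = default_role, logon_role
        self.conns = {}     # connection id -> {"state", "client", "user"}
        self.roles = {}     # client address -> role

    def observe_ntlm(self, conn_id, client, msg):
        parsed = parse_ntlmssp(msg)
        st = self.conns.setdefault(conn_id, {"state": 0, "client": client, "user": None})
        self.roles.setdefault(client, self.logon_role)
        expected_previous = {NEGOTIATE: 0, CHALLENGE: NEGOTIATE, AUTHENTICATE: CHALLENGE}
        if st["state"] != expected_previous[parsed["type"]]:
            st["state"] = 0                       # out-of-order message: restart the exchange
            return st["state"]
        st["state"] = parsed["type"]
        if parsed["type"] == AUTHENTICATE:
            st["user"] = "%s\\%s" % (parsed["domain"], parsed["user"])
        return st["state"]

    def observe_server_verdict(self, conn_id, success):
        """Apply the server's answer to AUTHENTICATE (for HTTP: a 200 versus another 401)."""
        st = self.conns.pop(conn_id, None)
        if st is None or st["state"] != AUTHENTICATE:
            return None
        if success:
            self.roles[st["client"]] = self.default_role
            return ("authenticated", st["client"], st["user"])
        return ("failed", st["client"], st["user"])
```

The tracker deliberately has no way to derive a role from the user or domain it parses: as the overview notes, every client that passes stateful NTLM gets the single role configured in the profile.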
Configuring WISPr Authentication
A WISPr authentication profile includes parameters to define RADIUS attributes, the default role for
authenticated WISPr users, the maximum number of authentication failures and logon wait times. The WISPr
Location-ID sent from the controller to the WISPr RADIUS server is the concatenation of the ISO Country
Code, E.164 Country Code, E.164 Area Code and SSID/Zone parameters configured in this profile.
The parameters to define WISPr RADIUS attributes are specific to the RADIUS server your ISP uses for
WISPr authentication; contact your ISP to determine these values. You can find a list of ISO and ITU
country and area codes at the ISO and ITU websites (www.iso.org and http://www.itu.int.)
In the WebUI
This section describes how to create and configure a new instance of a WISPr authentication profile in the
WebUI.
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. In the Profiles list, expand the WISPr Authentication Profile.
3. To define settings for an existing profile, click that profile name in the profiles list.
To create and define settings for a new WISPr Authentication profile, select an existing profile, then
click the Save As button in the right window pane. Enter a name for the new profile in the entry field at
the top of the right window pane.
4. Define values for the following parameters
Table 63 WISPr Authentication Profile Parameters
Default Role: Default role assigned to users that complete WISPr authentication.
Logon wait minimum wait: If the controller’s CPU utilization has surpassed the Logon wait CPU utilization
threshold value, this parameter defines the minimum number of seconds a user must wait before retrying a
login attempt. Range: 1–10 seconds. Default: 5 seconds.
Logon wait maximum wait: If the controller’s CPU utilization has surpassed the Logon wait CPU utilization
threshold value, this parameter defines the maximum number of seconds a user must wait before retrying a
login attempt. Range: 1–10 seconds. Default: 10 seconds.
Logon wait CPU utilization threshold: Percentage of CPU utilization at which the minimum and maximum
login wait times are enforced. Range: 1–100%. Default: 60%.
WISPr Location-ID ISO Country Code: The ISO Country Code section of the WISPr Location ID.
WISPr Location-ID E.164 Country Code: The E.164 Country Code section of the WISPr Location ID.
WISPr Location-ID E.164 Area Code: The E.164 Area Code section of the WISPr Location ID.
WISPr Location-ID SSID/Zone: The SSID/Zone section of the WISPr Location ID.
WISPr Operator Name: A name identifying the hotspot operator.
WISPr Location Name: A name identifying the hotspot location. If no name is defined, the parameter uses
the name of the AP to which the user has associated.
5. Click Apply.
6. In the Profiles list, select the Server Group entry below the WISPr Authentication profile.
7. Click the Server Group drop-down list and select the group of RADIUS servers you want to use for
WISPr authentication.
8. Click Apply.
A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To
support Boingo clients, you must also configure the NAS identifier parameter in the RADIUS server profile for the
WISPr server.
In the CLI
Use the following CLI commands to configure WISPr authentication. The first set of commands defines the
RADIUS server used for WISPr authentication, the second set adds that server to a server group, and the
third set of commands associates that server group with the WISPR authentication profile then defines the
profile settings.
aaa authentication-server radius <rad_server_name>
host 172.4.77.214
key qwERtyuIOp
enable
nas-identifier corp_venue1
!
aaa server-group group <server-group>
auth-server <rad_server_name>
!
aaa authentication wispr
default-role <role>
logon-wait {cpu-threshold|maximum-delay|minimum-delay}
server-group <server-group>
wispr-location-id-ac <wispr-location-id-ac>
wispr-location-id-cc <wispr-location-id-cc>
wispr-location-id-isocc <wispr-location-id-isocc>
wispr-location-id-network <wispr-location-id-network>
wispr-location-name-location <wispr-location-name-location>
wispr-location-name-operator-name <wispr-location-name-operator-name>
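The following Python is an added example, not ArubaOS code, of the two WISPr-facing artifacts a hotspot produces: the Location-ID built from the four `wispr-location-id-*` parameters above, and the redirect block a WISPr smart client reads to discover the login URL. It assumes the WISPr 1.0 formats (`isocc=..,cc=..,ac=..,network=..` for the attribute, and the `WISPAccessGatewayParam` XML carried inside an HTML comment); the host names and parameter values are constructed. The client-side parser refuses a LoginURL that is not HTTPS, because the smart client posts the user's credentials to that URL.

```python
"""WISPr Location-ID and smart-client redirect page (added illustration, not ArubaOS code).

Assumptions: the controller formats WISPr-Location-ID as WISPr 1.0 does
(isocc=..,cc=..,ac=..,network=..) and embeds the WISPr redirect XML in an HTML
comment, which is how WISPr 1.0 smart clients discover the LoginURL.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WISPR_XSD = "http://www.acmewisp.com/WISPAccessGatewayParam.xsd"


def wispr_location_id(isocc, cc, ac, network):
    """Concatenate the four profile parameters; reject separators that would corrupt the attribute."""
    for name, value in (("isocc", isocc), ("cc", cc), ("ac", ac), ("network", network)):
        if not value or "," in value or "=" in value:
            raise ValueError("invalid %s value: %r" % (name, value))
    return "isocc=%s,cc=%s,ac=%s,network=%s" % (isocc, cc, ac, network)


def wispr_redirect_html(location_id, location_name, login_url):
    """Hotspot side: the page a smart client receives in answer to its first HTTP request."""
    for value in (location_id, location_name, login_url):
        if "--" in value:                  # would terminate the HTML comment early
            raise ValueError("'--' is not allowed inside the WISPr block")
    xml_text = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xsi:noNamespaceSchemaLocation="%s">\n'
        '<Redirect>\n'
        '<AccessProcedure>1.0</AccessProcedure>\n'
        '<AccessLocation>%s</AccessLocation>\n'
        '<LocationName>%s</LocationName>\n'
        '<LoginURL>%s</LoginURL>\n'
        '<MessageType>100</MessageType>\n'
        '<ResponseCode>0</ResponseCode>\n'
        '</Redirect>\n'
        '</WISPAccessGatewayParam>'
    ) % (WISPR_XSD, escape(location_id), escape(location_name), escape(login_url))
    return "<HTML>\n<!--\n%s\n-->\n</HTML>\n" % xml_text


def parse_wispr_redirect(html_page):
    """Smart-client side: pull the Redirect block out of the comment and sanity-check it."""
    start, end = html_page.find("<!--"), html_page.find("-->")
    if start < 0 or end < start:
        raise ValueError("no WISPr comment block")
    root = ET.fromstring(html_page[start + 4:end].strip().encode("utf-8"))
    redirect = root.find("Redirect")
    if root.tag != "WISPAccessGatewayParam" or redirect is None:
        raise ValueError("not a WISPr redirect")
    fields = {child.tag: (child.text or "") for child in redirect}
    if fields.get("MessageType") != "100" or fields.get("ResponseCode") != "0":
        raise ValueError("unexpected MessageType/ResponseCode")
    if not fields.get("LoginURL", "").lower().startswith("https://"):
        raise ValueError("refusing to post credentials to a non-HTTPS LoginURL")
    return fields


def demo():
    lid = wispr_location_id("US", "1", "408", "corp_venue1")      # constructed values
    page = wispr_redirect_html(lid, "Sunnyvale lobby", "https://portal.example.com/auth/index.html")
    return parse_wispr_redirect(page)


if __name__ == "__main__":
    print(demo())
```

The `network` element is the SSID/Zone parameter, so an SSID containing `,` or `=` would break the attribute on the RADIUS side; the builder rejects it rather than silently producing a Location-ID the ISP cannot parse.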
Chapter 15
Captive Portal
Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a
web page which requires user action before network access is granted. The required action can be simply
viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be
validated against a database of authorized users.
You can also configure captive portal to allow clients to download the Aruba VPN dialer for Microsoft VPN
clients if the VPN is to be terminated on the Aruba controller. For more information about the VPN dialer,
see Chapter 17, “Virtual Private Networks” on page 401.
This chapter describes the following topics:

“Captive Portal Overview” on page 363

“Captive Portal in the Base ArubaOS” on page 364

“Captive Portal with the PEFNG License” on page 366

“Example Authentication with Captive Portal” on page 369

“Configuring Guest VLANs” on page 376

“Captive Portal Authentication” on page 376

“Optional Captive Portal Configurations” on page 381

“Personalizing the Captive Portal Page” on page 384

“Creating Walled Garden Access” on page 386
Captive Portal Overview
You can configure captive portal for guest users, where no authentication is required, or for registered users
who must be authenticated against an external server or the controller’s internal database.
While you can use captive portal to authenticate users, it does not provide for encryption of user data and should not
be used in networks where data security is required. Captive portal is most often used for guest access, access to
open systems (such as public hot spots), or as a way to connect to a VPN.
You can use captive portal for guest and registered users at the same time. The default captive portal web
page provided with ArubaOS displays login prompts for both registered users and guests. (You can
customize the default captive portal page, as described in “Personalizing the Captive Portal Page” on
page 384)
You can also load up to 16 different customized login pages into the controller. The login page displayed is
based on the SSID to which the client associates.
Policy Enforcement Firewall Next Generation (PEFNG) License
You can use captive portal with or without the PEFNG license installed in the controller. The PEFNG
license provides identity-based security to wired and wireless clients through user roles and firewall rules.
You must purchase and install the PEFNG license on the controller to use identity-based security features.
There are differences in how captive portal functions work and how you configure captive portal,
depending on whether the license is installed. Later sections in this chapter describe how to configure
captive portal in the base operating system (without the PEFNG license) and with the license installed.
Controller Server Certificate
The Aruba controller is designed to provide secure services through the use of digital certificates. A server
certificate installed in the controller verifies the authenticity of the controller for captive portal.
Aruba controllers ship with a demonstration digital certificate. Until you install a customer-specific server
certificate in the controller, this demonstration certificate is used by default for all secure HTTP
connections such as captive portal. This certificate is included primarily for the purposes of feature
demonstration and convenience and is not intended for long-term use in production networks. Users in a
production environment are urged to obtain and install a certificate issued for their site or domain by a well-known certificate authority (CA). You can generate a Certificate Signing Request (CSR) on the controller to
submit to a CA. For information on how to generate a CSR and how to import the CA-signed certificate into
the controller, see “Managing Certificates” on page 603 in Chapter 33, “Management Access” .
Once you have imported a server certificate into the controller, you can select the certificate to be used
with captive portal as described in the following sections.
To select a certificate for captive portal using the WebUI:
1. Navigate to the Configuration > Management > General page.
2. Under Captive Portal Certificate, select the name of the imported certificate from the drop-down list.
3. Click Apply.
To select a certificate for captive portal using the command-line interface, access the CLI in config mode
and issue the following commands:
web-server
captive-portal-cert <certificate>
To specify a different server certificate for captive portal with the CLI, use the no command to revert back
to the default certificate before you specify the new certificate:
web-server
captive-portal-cert ServerCert1
no captive-portal-cert
captive-portal-cert ServerCert2
Captive Portal in the Base ArubaOS
The base operating system (ArubaOS without any licenses) allows full network access to all users who
connect to an ESSID, both guest and registered users. In the base operating system, you cannot configure or
customize user roles; this function is only available by installing the PEFNG license. Captive portal allows
you to control or identify who has access to network resources.
When you create a captive portal profile in the base operating system, an implicit user role is automatically
created with same name as the captive portal profile. This implicit user role allows only DNS and DHCP
traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal. You
cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are
allowed full access to their assigned VLAN.
The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal configuration for WLANs associated
with the “default” ap-group: Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within
the wizard and refer to the help tab for assistance.
What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group
and profile names appear inside quotation marks.

Create the Server Group name. In this example, the server group name is “cp-srv”.
If you are configuring captive portal for registered users, configure the server(s) and create the server
group. For more information about configuring authentication servers and server groups, see Chapter 9,
“Authentication Servers” .

Create Captive Portal Authentication Profile. In this example, the profile name is “c-portal”.
Create and configure an instance of the captive portal authentication profile. Creating the captive portal
profile automatically creates an implicit user role and ACL with the same name. Creating the profile “c-portal” creates an implicit user role called “c-portal”. That user role allows only DNS and DHCP traffic
between the client and network and directs all HTTP or HTTPS requests to the captive portal.

Create an AAA Profile. In this example, the profile name is “aaa_c-portal”.
Create and configure an instance of the AAA profile. For the initial role, enter the implicit user role that
was created with the captive portal profile. The initial role in the profile “aaa_c-portal” must be set to “c-portal”.

Create an SSID Profile. In this example, the profile name is “ssid_c-portal”.
Create and configure an instance of the SSID profile, which defines the ESSID (network name) that the
virtual AP advertises.

Create a Virtual AP Profile. In this example, the profile name is “vp_c-portal”.
Create and configure an instance of the virtual AP profile, which you apply to an AP group or AP name.
Specify the AAA profile and the SSID profile you created in the previous steps.
The following sections present the procedure for configuring the captive portal authentication profile, the
AAA profile, and the virtual AP profile using the WebUI or the command line (CLI). Configuring the VLAN
and authentication servers and server groups are described elsewhere in this document.
In ArubaOS 2.5.2 and later 2.5.x releases, captive portal users in the base operating system are placed into the
predefined cpbase initial user role before authentication. The cpbase role is not supported in ArubaOS 3.x. You need
to create new captive portal profiles in the base operating system, as described in this section, which automatically
generates the required policies and roles.
Configuring Captive Portal via the WebUI
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page. Select
Captive Portal Authentication Profile.
a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example,
c-portal), then click Add.
b. Select the captive portal authentication profile you just created.
c. You can enable user login and/or guest login, and configure other captive portal profile parameters as
described in Table 64.
d. Click Apply.
2. To specify authentication servers, select Server Group under the captive portal authentication profile
you just configured.
a. Select the server group (for example, cp-srv) from the drop-down menu.
b. Click Apply.
3. Select the AAA Profiles tab.
a. In the AAA Profiles Summary, click Add to add a new profile. Enter the name of the profile (for
example, aaa_c-portal), then click Add.
b. Select the AAA profile you just created.
c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created
previously.
The Initial Role must be exactly the same as the name of the captive portal authentication profile you created.
d. Click Apply.
4. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or
AP Specific tab. Click Edit for the applicable AP group name or AP name.
5. Under Profiles, select Wireless LAN, then select Virtual AP.
6. To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name
for the virtual AP profile (for example, vp_c-portal), then click Add.
a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously
created from the AAA Profile drop-down menu. A pop-up window displays the configured AAA
profile parameters. Click Apply in the pop-up window.
b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the
SSID profile.
c. Enter the name for the SSID profile (for example, ssid_c-portal).
d. Enter the Network Name for the SSID (for example, c-portal-ap).
e. Click Apply in the pop-up window.
f. At the bottom of the Profile Details page, click Apply.
7. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration
parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select the VLAN to which users are assigned (for example, 20).
c. Click Apply.
Configuring Captive Portal via the CLI
To configure captive portal in the base operating system via the command-line interface, access the CLI in
config mode and issue the following commands:
aaa authentication captive-portal c-portal
server-group cp-srv
aaa profile aaa_c-portal
initial-role c-portal
wlan ssid-profile ssid_c-portal
essid c-portal-ap
wlan virtual-ap vp_c-portal
aaa-profile aaa_c-portal
ssid-profile ssid_c-portal
vlan 20
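To make the role transition described in this section concrete, the Python below is an added model (not ArubaOS code) of the implicit pre-authentication role as a first-match policy, with portal login and logout moving a client between that role and a full-access role. Role names, ports and the user table are constructed for the example; the real controller validates the login against the server group (cp-srv above) rather than a dictionary. Note that DNS is permitted before authentication, so the pre-authentication role is not a complete block on outbound traffic.

```python
"""Captive portal role enforcement modelled as first-match policies (added illustration, not ArubaOS code).

Before authentication the client sits in the initial role, which permits only DNS and DHCP and
redirects HTTP/HTTPS to the portal; after a successful login it moves to the default role.
Role names, ports and the user table are constructed for the example.
"""
import hmac

PORTAL_REDIRECT = "dst-nat captive-portal"

# Policy that mirrors the implicit role the base OS creates for a captive portal profile.
PRE_AUTH_POLICY = [
    ("udp", 53, "permit"),            # DNS
    ("udp", 67, "permit"),            # DHCP
    ("udp", 68, "permit"),
    ("tcp", 80, PORTAL_REDIRECT),     # HTTP  -> captive portal
    ("tcp", 443, PORTAL_REDIRECT),    # HTTPS -> captive portal
    ("any", None, "deny"),            # everything else
]
FULL_ACCESS_POLICY = [("any", None, "permit")]


class CaptivePortalEnforcer:
    def __init__(self, initial_role, default_role, users, guest_logon=False):
        self.initial_role, self.default_role = initial_role, default_role
        self.policies = {initial_role: PRE_AUTH_POLICY, default_role: FULL_ACCESS_POLICY}
        self.users = users            # {username: password}; stands in for the server group
        self.guest_logon = guest_logon
        self.roles = {}               # client MAC -> role

    def role_of(self, mac):
        """A client seen for the first time starts in the initial role."""
        return self.roles.setdefault(mac, self.initial_role)

    def decide(self, mac, proto, dport):
        """First matching rule wins; a packet that matches nothing is denied."""
        for rule_proto, rule_port, action in self.policies[self.role_of(mac)]:
            if rule_proto in ("any", proto) and rule_port in (None, dport):
                return action
        return "deny"

    def login(self, mac, username, password):
        """Registered-user login: validate against the user store, then promote to the default role."""
        stored = self.users.get(username)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        if ok:
            self.roles[mac] = self.default_role
        return ok

    def guest_login(self, mac):
        """Guest login needs no credentials but must be enabled in the profile."""
        if not self.guest_logon:
            return False
        self.roles[mac] = self.default_role
        return True

    def logout(self, mac):
        """Explicit logout or idle-timeout age-out returns the client to the initial role."""
        self.roles[mac] = self.initial_role


if __name__ == "__main__":
    e = CaptivePortalEnforcer("c-portal", "authenticated", {"guest1": "pw"})
    mac = "00-11-22-33-44-55"
    print(e.decide(mac, "tcp", 443), e.decide(mac, "tcp", 22))   # redirected, denied
    print(e.login(mac, "guest1", "pw"), e.decide(mac, "tcp", 22))  # True, permit
```

With the PEFNG license the same structure applies, except that the initial role (for example the predefined logon role with the captiveportal policy) and the default role (for example guest) are roles you configure rather than ones the profile creates for you.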
Captive Portal with the PEFNG License
The PEFNG license provides identity-based security for wired and wireless users. There are two user roles
that are important for captive portal:

Default user role, which you specify in the captive portal authentication profile, is the role granted to
clients upon captive portal authentication. This can be the predefined guest system role.

Initial user role, which you specify in the AAA profile, directs clients who associate to the SSID to
captive portal whenever the user initiates a Web browser connection. This can be the predefined logon
system role.
The captive portal authentication profile specifies the captive portal login page and other configurable
parameters. The initial user role configuration must include the applicable captive portal authentication
profile instance.
MAC-based authentication, if enabled on the controller, takes precedence over captive portal authentication.
The following are the basic tasks for configuring captive portal using role-based access provided by the
Policy Enforcement Firewall software module. Note that you must install the PEFNG license before
proceeding (see Chapter 35, “Software Licenses”).
1. Configure the user role for a default user.
   Create and configure user roles and policies for guest or registered captive portal users. (See Chapter 12,
   “Roles and Policies” for more information about configuring policies and user roles.)
2. Create a server group.
   If you are configuring captive portal for registered users, configure the server(s) and create the server
   group. (See Chapter 9, “Authentication Servers” for more information about configuring authentication
   servers and server groups.)
   If you are using the controller’s internal database for user authentication, use the predefined “Internal”
   server group. You need to configure entries in the internal database, as described in Chapter 9,
   “Authentication Servers”.
3. Create the captive portal authentication profile.
   Create and configure an instance of the captive portal authentication profile. Specify the default user
   role for captive portal users.
4. Configure the initial user role.
   Create and configure the initial user role for captive portal. You need to include the predefined
   captiveportal policy, which directs clients to the captive portal, in the initial user role configuration.
   You also need to specify the captive portal authentication profile instance in the initial user role
   configuration. For example, if you are using the predefined logon system role for the initial role, you
   need to edit the role to specify the captive portal authentication profile instance.
5. Create the AAA profile.
   Create and configure an instance of the AAA profile. Specify the initial user role.
6. Create the SSID profile “ssid_c-portal”.
   Create and configure an instance of the SSID profile for the virtual AP.
7. Create the virtual AP profile “vp_c-portal”.
   Create and configure an instance of the virtual AP profile that you apply to an AP group or AP name.
   Specify the AAA profile and the SSID profile you just created.
The following sections present the WebUI and Command Line (CLI) procedures for configuring the captive
portal authentication profile, initial user role, the AAA profile, and the virtual AP profile. Other chapters
within this document detail the configuration of the user roles and policies, authentication servers, and
server groups.
Configuring Captive Portal via the WebUI
To configure captive portal with PEFNG license via the WebUI:
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. Select Captive Portal Authentication Profile.
a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example,
c-portal), then click Add.
b. Select the captive portal authentication profile you just created.
c. Select the default role (for example, employee) for captive portal users.
d. Enable guest login and/or user login, as well as other parameters (refer to Table 64).
e. Click Apply.
3. To specify the authentication servers, select Server Group under the captive portal authentication
profile you just configured.
a. Select the server group (for example, cp-srv) from the drop-down menu.
b. Click Apply.
4. Select the AAA Profiles tab.
a. In the AAA Profiles Summary, click Add to add a new profile. Enter the name of the profile (for
example, aaa_c-portal), then click Add.
b. Set the Initial role to a role that you will configure with the captive portal authentication profile.
c. Click Apply.
5. Navigate to the Configuration > Security > Access Control page to configure the initial user role to
use captive portal authentication.
a. To edit the predefined logon role, select the System Roles tab, then click Edit for the logon role.
b. To configure a new role, first configure policy rules in the Policies tab, then select the User Roles
tab to add a new user role and assign policies.
c. To specify the captive portal authentication profile, scroll down to the bottom of the page. Select the
profile from the Captive Portal Profile drop-down menu, and click Change.
d. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page to configure the virtual AP
profile.
7. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.
8. Under Profiles, select Wireless LAN, then select Virtual AP.
9. Select NEW from the Add a profile drop-down menu to create a new virtual AP profile. Enter the name
for the virtual AP profile (for example, vp_c-portal), then click Add.
a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously
configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the
pop-up window.
b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the
SSID profile.
c. Enter the name for the SSID profile (for example, ssid_c-portal).
d. Enter the Network Name for the SSID (for example, c-portal-ap).
e. Click Apply in the pop-up window.
f. At the bottom of the Profile Details page, click Apply.
10. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration
parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select the VLAN to which users are assigned (for example, 20).
c. Click Apply.
Configuring Captive Portal via the CLI
To configure captive portal with the PEFNG license via the command-line interface, access the CLI in
config mode and issue the following commands:
aaa authentication captive-portal c-portal
   default-role employee
   server-group cp-srv
user-role logon
   captive-portal c-portal
aaa profile aaa_c-portal
   initial-role logon
wlan ssid-profile ssid_c-portal
   essid c-portal-ap
wlan virtual-ap vp_c-portal
   aaa-profile aaa_c-portal
   ssid-profile ssid_c-portal
   vlan 20
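As an added check that is not part of the ArubaOS guide, the following Python script parses a copy of the CLI configuration above and verifies that the profile chain the task list describes is closed: the virtual AP names an AAA profile, the AAA profile's initial role carries a captive portal authentication profile, and that profile names a default role and a server group. The configuration text and the function names are constructed for this example.

```python
# Constructed copy of this chapter's CLI configuration, used as sample input.
SAMPLE_CONFIG = """\
aaa authentication captive-portal c-portal
   default-role employee
   server-group cp-srv
user-role logon
   captive-portal c-portal
aaa profile aaa_c-portal
   initial-role logon
wlan ssid-profile ssid_c-portal
   essid c-portal-ap
wlan virtual-ap vp_c-portal
   aaa-profile aaa_c-portal
   ssid-profile ssid_c-portal
   vlan 20
"""

def parse_config(text):
    """Map each unindented block header to {sub-command: argument}."""
    blocks, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace() and current is not None:  # sub-command of the open block
            key, _, value = line.strip().partition(" ")
            blocks[current][key] = value
        else:                                           # new block header
            current = line.strip()
            blocks[current] = {}
    return blocks

def check_captive_portal_chain(text, vap_name):
    """Return the chain breaks for one virtual AP; an empty list means it is complete."""
    cfg, problems = parse_config(text), []
    def follow(block, key, next_prefix):
        # Resolve block[key] to the header of the block it names; record a break if absent.
        sub = cfg.get(block)
        if sub is None or key not in sub:
            problems.append(f"{block} is not defined" if sub is None else f"{block} has no {key}")
            return None
        return f"{next_prefix} {sub[key]}".strip()
    vap = f"wlan virtual-ap {vap_name}"
    aaa = follow(vap, "aaa-profile", "aaa profile")          # virtual AP -> AAA profile
    ssid = follow(vap, "ssid-profile", "wlan ssid-profile")  # virtual AP -> SSID profile
    if ssid is not None and ssid not in cfg:
        problems.append(f"{ssid} is not defined")
    role = aaa and follow(aaa, "initial-role", "user-role")  # AAA profile -> initial role
    cp = role and follow(role, "captive-portal", "aaa authentication captive-portal")
    if cp:  # initial role -> captive portal profile, which needs a post-login role and a server group
        follow(cp, "default-role", "")
        follow(cp, "server-group", "")
    return list(dict.fromkeys(problems))  # drop duplicate reports, keep order
```

Running the check against a copy of the running configuration after each change catches the common mistake the text warns about: an initial role (such as the predefined logon role) that was never edited to reference the captive portal authentication profile.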
Example Authentication with Captive Portal
In the following example:
• Guest clients associate to the guestnet SSID, which is an open wireless LAN. Guest clients are placed
  into VLAN 900 and assigned IP addresses by the controller’s internal DHCP server. The user has no
  access to network resources beyond DHCP and DNS until they open a web browser and log in with a
  guest account using captive portal.
• Guest users are given a login and password from guest accounts created in the controller’s internal
  database. The temporary guest accounts are created and administered by the site receptionist.
• Guest users must enter their assigned login and password into the captive portal login before they are
  given access to use web browsers (HTTP and HTTPS), POP3 email clients, and VPN clients (IPsec,
  PPTP, and L2TP) on the Internet, and only during specified working hours. Guest users are prohibited
  from accessing internal networks and resources. All traffic to the Internet is source-NATed.
This example assumes a Policy Enforcement Firewall Next Generation (PEFNG) license is installed in the controller.
In this example, you create two user roles:
• guest-logon is a user role assigned to any client who associates to the guestnet SSID. Normally, any
  client that associates to an SSID is placed into the logon system role. The guest-logon user role is
  more restrictive than the logon role.
• auth-guest is a user role granted to clients who successfully authenticate via the captive portal.
Creating a Guest-logon User Role
The guest-logon user role consists of the following ordered policies:
• captiveportal is a predefined policy that allows captive portal authentication.
• guest-logon-access is a policy that you create with the following rules:
  - Allows DHCP exchanges between the user and the DHCP server during business hours while
    blocking other users from responding to DHCP requests.
  - Allows ICMP exchanges between the user and the controller during business hours.
• block-internal-access is a policy that you create that denies user access to the internal networks.
The guest-logon user role configuration needs to include the name of the captive portal authentication profile
instance. You can modify the user role configuration after you create the captive portal authenti