Cluster Security. Aruba Instant 6.5.2.0, RAP-155, IAP-207, RAP-108, IAP-305, Instant
Chapter 24
Cluster Security
This chapter describes cluster security and the procedure for configuring cluster security DTLS for secure communication. It includes the following topics:
- Overview on page 307
- Enabling Cluster Security on page 308
- Cluster Security Debugging Logs on page 309
- Verifying the Configuration on page 309
Overview
Cluster security is a communication protocol that secures control plane messages between Instant access points. Control plane messages such as configuration, cluster join, and other messages distributed between the devices in a cluster are secured using this protocol. Cluster security operates on UDP port 4434 and uses the DTLS protocol to secure messages.
Cluster Security Using DTLS
Cluster security provides secure communication using Datagram Transport Layer Security (DTLS). A DTLS connection is established between the IAPs communicating with each other in the cluster. The advantages of using DTLS for cluster security include:
- Mutual authentication between the IAPs in a cluster using device certificates.
- Peer MAC address validation against the AP whitelist, which can be enabled in the configuration.
- Control plane messages between cluster members are transmitted securely over the established DTLS connection.
If auto-join is enabled, backward compatibility and recovery of IAPs are allowed on ARUBA UDP port 8211. Only the messages required for image synchronization and cluster security DTLS state synchronization are allowed on this port.
If auto-join is disabled, the MAC address of a peer IAP is verified against the AP whitelist during device certificate validation.
Locked Mode Slave IAP
A slave IAP with a non-factory-default configuration in which DTLS is enabled is considered to be in locked mode of operation. Such slave IAPs cannot join an existing non-DTLS cluster, because backward compatibility and recovery are not allowed. This is done for security reasons.
To recover a slave IAP in locked mode, do one of the following:
- Execute the disable-cluster-security-dtls action command on the slave IAP.
- Factory reset the slave IAP.
Auto-Join Disabled Mode
A cluster with DTLS enabled and auto-join disabled is the most secure mode of operation. In this mode, the cluster communicates only using DTLS, and backward compatibility and recovery are denied. This is done for security reasons.
Aruba Instant 6.5.2.0 | User Guide Cluster Security | 307
In this mode, a new slave IAP with DTLS disabled or running a software version prior to Instant 6.5.1.0-4.3.1.0 will not be able to join the cluster even if the MAC address of the slave IAP is added to the allowed AP whitelist.
To recover the slave IAP:
1. Enable Auto join mode.
2. Wait for the new slave IAP to join the cluster. The MAC address of the IAP is automatically added to the allowed AP whitelist.
3. Disable Auto join mode.
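The join rules spread across the Overview, Locked Mode Slave IAP, and Auto-Join Disabled Mode sections can be written down as one decision function, which makes it easier to reason about which combination of cluster settings and peer state admits a device and over which port. The Python below is an added example written for this page; it is not Aruba code, and the IAP exposes no such API. The ClusterPolicy/Candidate data model, the function names, and the way a peer's DTLS capability is derived (DTLS enabled and software at or above Instant 6.5.1.0-4.3.1.0) are assumptions made for illustration; the rules themselves are the ones stated in the text.

```python
"""Cluster admission rules from the Cluster Security chapter, as a decision
function.  Added example, not Aruba's code: the data model and function names
are assumptions; the rules come from the chapter text."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Lowest Instant release the text says can join a DTLS-only cluster.
MIN_DTLS_VERSION = "6.5.1.0-4.3.1.0"
DTLS_PORT = 4434     # cluster security (DTLS) port
LEGACY_PORT = 8211   # ARUBA UDP port used for backward compatibility and recovery


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '6.5.1.0-4.3.1.0' into a comparable tuple (6, 5, 1, 0, 4, 3, 1, 0)."""
    return tuple(int(p) for p in ver.replace("-", ".").split("."))


@dataclass
class ClusterPolicy:
    dtls_enabled: bool
    auto_join_enabled: bool
    whitelist: set = field(default_factory=set)  # allowed AP MAC addresses


@dataclass
class Candidate:
    mac: str
    version: str
    dtls_enabled: bool
    factory_default: bool   # True while the slave still runs factory-default config
    cert_valid: bool = True  # result of device-certificate mutual authentication


@dataclass
class Decision:
    admitted: bool
    port: Optional[int]
    reason: str


def evaluate_join(policy: ClusterPolicy, peer: Candidate) -> Decision:
    """Decide whether `peer` may join a cluster governed by `policy`."""
    mac = peer.mac.lower()
    dtls_capable = (peer.dtls_enabled
                    and parse_version(peer.version) >= parse_version(MIN_DTLS_VERSION))

    if not policy.dtls_enabled:
        # Locked mode: a slave with non-factory-default config and DTLS enabled
        # cannot join a non-DTLS cluster (recovery is the action command or a reset).
        if peer.dtls_enabled and not peer.factory_default:
            return Decision(False, None, "locked mode: DTLS slave cannot join non-DTLS cluster")
        return Decision(True, LEGACY_PORT, "non-DTLS cluster")

    if dtls_capable:
        if not peer.cert_valid:
            return Decision(False, None, "device certificate validation failed")
        if not policy.auto_join_enabled and mac not in policy.whitelist:
            # With auto-join disabled the peer MAC is checked against the whitelist.
            return Decision(False, None, "auto-join disabled and MAC not in AP whitelist")
        if policy.auto_join_enabled:
            policy.whitelist.add(mac)  # joined MAC is added to the whitelist automatically
        return Decision(True, DTLS_PORT, "DTLS connection with mutual authentication")

    # Peer cannot use DTLS (disabled or running software older than the minimum).
    if policy.auto_join_enabled:
        policy.whitelist.add(mac)
        return Decision(True, LEGACY_PORT,
                        "backward compatibility over UDP 8211: image sync and DTLS state sync only")
    return Decision(False, None,
                    "auto-join disabled: DTLS-only cluster, legacy join denied even if whitelisted")
```

The function mutates the whitelist only on the auto-join paths, mirroring the recovery procedure above: enable auto-join, let the device join and be whitelisted, then disable auto-join again to return to the DTLS-only mode.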
Enabling Cluster Security
You can enable cluster security using the Instant UI or the CLI. Ensure that the following prerequisites are satisfied:
Prerequisites
1. An NTP server must be reachable. If the internet is reachable, pool.ntp.org is used by default; otherwise, a static NTP server needs to be configured.
2. UDP port 4434 should be permitted.
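Prerequisite 1 matters because the DTLS mutual authentication described in the Overview relies on device certificates, and certificate validity periods are only meaningful on a device with a correct clock. The script below is an added example, not part of the Aruba guide and not something the IAP runs itself: it checks from an admin host that the NTP server the APs will use answers and that the host's own clock is close to it, using a plain SNTP (RFC 4330) exchange. The function names, the max_offset threshold, and the constructed_reply() helper used for offline testing are this example's own choices.

```python
"""SNTP reachability and clock-offset check for the NTP prerequisite.
Added example, not Aruba code.  Requires UDP/123 egress from the admin host."""
import socket
import struct
import time

NTP_PORT = 123
NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def ntp_to_unix(secs: int, frac: int) -> float:
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return secs - NTP_UNIX_DELTA + frac / 2 ** 32


def build_sntp_request() -> bytes:
    # LI=0, VN=4, Mode=3 (client) packed into the first byte; the other 47 bytes are zero.
    return bytes([0x23]) + bytes(47)


def parse_sntp_response(data: bytes, t1: float, t4: float) -> dict:
    """Parse a 48-byte server reply.  t1/t4 are the client's send and receive times
    (Unix).  Offset is computed as in RFC 4330: ((t2 - t1) + (t3 - t4)) / 2."""
    if len(data) < 48:
        raise ValueError("short NTP reply")
    mode = data[0] & 0x07
    stratum = data[1]
    if mode != 4 or stratum == 0:
        # Mode 4 is a server reply; stratum 0 is a Kiss-o'-Death or unsynchronised server.
        raise ValueError(f"unusable reply (mode={mode}, stratum={stratum})")
    t2 = ntp_to_unix(*struct.unpack("!II", data[32:40]))  # receive timestamp
    t3 = ntp_to_unix(*struct.unpack("!II", data[40:48]))  # transmit timestamp
    return {
        "stratum": stratum,
        "server_time": t3,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,
        "round_trip": (t4 - t1) - (t3 - t2),
    }


def check_ntp_prerequisite(server: str = "pool.ntp.org", timeout: float = 3.0,
                           max_offset: float = 5.0) -> dict:
    """Query the server and return the parsed reply; raise if it is unreachable
    or if the local clock differs from it by more than max_offset seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_sntp_request(), (server, NTP_PORT))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    result = parse_sntp_response(data, t1, t4)
    if abs(result["offset"]) > max_offset:
        raise RuntimeError(f"clock offset {result['offset']:.3f}s exceeds {max_offset}s")
    return result


def constructed_reply(t2: float, t3: float) -> bytes:
    """Build a server reply with chosen receive/transmit times (constructed test input)."""
    def ts(t: float) -> bytes:
        secs = int(t) + NTP_UNIX_DELTA
        frac = int((t - int(t)) * 2 ** 32)
        return struct.pack("!II", secs, frac)
    header = bytes([0x24, 2, 6, 0xEC])  # LI=0 VN=4 Mode=4, stratum 2, poll 6, precision
    header += bytes(12)                  # root delay, root dispersion, reference id
    # reference, originate, receive, transmit timestamps
    return header + ts(t2 - 1) + ts(0) + ts(t2) + ts(t3)


if __name__ == "__main__":
    print(check_ntp_prerequisite())
```

Run it against the static NTP server you intend to configure on the APs rather than only against pool.ntp.org; a server that answers but reports stratum 0 is rejected, because an unsynchronised source would not help certificate validation either.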
In the Instant UI
To enable cluster security:
1. Navigate to System > General.
2. Select Enabled from the Cluster security drop-down list.
3. Click OK.
Reboot all the IAPs in the swarm for the configuration to take effect.
In the CLI:
To enable cluster security:
(Instant AP)(config)# cluster-security
(Instant AP)(cluster-security)# dtls
(Instant AP)(cluster-security)# end
(Instant AP)# commit apply
To disable cluster security DTLS:
(Instant AP)(config)# cluster-security
(Instant AP)(cluster-security)# no dtls
(Instant AP)(cluster-security)# end
(Instant AP)# commit apply
To change per module logging level of cluster security:
(Instant AP)# cluster-security logging module <module_name> log-level <level>
To set individual log level for each module:
(Instant AP)# cluster-security logging module <module_name> log-level-individual <level>
After enabling or disabling the cluster security option, ensure that the Config Sync Status is TRUE in the output of the show summary command, before rebooting the cluster.
Cluster security is not supported for L3 mobility.
Cluster Security Debugging Logs
Cluster security logging is organized into modules based on functionality. The following core modules are the most useful and should be used for debugging:
- peer: logs connection initiation, renegotiation, collision, and active connection updates. Set the log-level to debug while debugging any issue.
- conn: logs connection creation, establishment, data transfer, and maintenance updates. Set the log-level to debug when debugging DTLS connection issues.
- mcap: the module capture module logs messages sent to and received from the socket. Set the log-level to debug to log only control messages, or to debug1 to log both control and data messages.
The following command can be used to set per module logging level:
(Instant AP)# cluster-security logging module <module_name> log-level <level>
Once the log-level is set, logs can be viewed using:
(Instant AP)# show log papi-handler
Verifying the Configuration
The following show commands can be used to view the cluster security configuration:
To view the current cluster security configuration and running state:
(Instant AP)# show cluster-security
To view the cluster security statistics:
(Instant AP)# show cluster-security stats
To view the cluster security connection table:
(Instant AP)# show cluster-security connections
To view the cluster security peers:
(Instant AP)# show cluster-security peers
To view the message handler process logs:
(Instant AP)# show log papi-handler <count>