IAP Management and Monitoring. Aruba Instant 6.5.2.0, RAP-155, IAP-207, RAP-108, IAP-305, Instant

Chapter 25

IAP Management and Monitoring

This chapter provides information on provisioning, managing, and monitoring IAPs from the following management servers:

- Managing an IAP from AirWave

- Managing IAP from Aruba Central

Managing an IAP from AirWave

AirWave is a powerful platform and easy-to-use network operations system that manages Aruba wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers. With its easy-to-use interface, AirWave provides real-time monitoring, proactive alerts, historical reporting, as well as fast and efficient troubleshooting. It also offers tools that manage RF coverage, strengthen wireless security, and demonstrate regulatory compliance.

AirWave can be used to provision, manage, and monitor a multi-site deployment of Instant networks. For example, if you have 100 retail offices that require Instant to provide WLAN connectivity at each office, AirWave can be used to provision all 100 offices from a central site. AirWave also provides the administrator with the ability to monitor these geographically dispersed Instant networks using an AirWave server depending on the scalability recommendations for AirWave.

The IAPs communicate with AirWave using the HTTPS protocol. This allows an AirWave server to be deployed in the cloud across a NAT device, such as a router.

The AirWave features available in the Instant network are described in the following sections:

Image Management

AirWave allows you to manage firmware updates on WLAN devices by defining a minimum acceptable firmware version for each make and model of a device. It remotely distributes the firmware image to the WLAN devices that require updates, and it schedules the firmware updates such that updating is completed without requiring you to manually monitor the devices.

The following models can be used to upgrade the firmware:

- Automatic—In this model, the VC periodically checks for newer updates from a configured URL and automatically initiates upgrade of the network.

- Manual—In this model, the user can manually start a firmware upgrade for each VC or set the desired firmware preference per group of devices.

Resetting an IAP

A VC is added to the AirWave database in either management mode or monitor mode, based on the AirWave configuration.

An IAP device can be reset through AirWave in the Managed mode:

1. In the Modify Devices section, select the check box beside each IAP device that you want to reset to factory default.

2. From the Change Device Group Folder drop-down list, select Factory Reset selected devices.

3. Click the Factory Reset tab.

Aruba Instant 6.5.2.0 | User Guide IAP Management and Monitoring | 310

On resetting the IAP device from AirWave, all the configuration values will be set to default except for the per-ap-settings and VC Key value.

IAP and Client Monitoring

AirWave allows you to find any IAP or client on the wireless network and to see real-time monitoring views. These monitoring views can be used to aggregate critical information and high-end monitoring information.

In the AirWave User Interface (UI), you can select either Manage Read/Write or Monitor-only+Firmware Upgrades as management modes. When the AirWave Management level is set to Manage Read/Write, the Instant UI is in read-only mode. When the AirWave Management level is set to Monitor-only+Firmware Upgrades, the Instant UI changes to the read-write mode.

With the latest version of AirWave, a new option in the AMP is available to put the IAP in config-only mode. In this mode, the IAP will receive the firmware upgrades and configurations, but will not send any statistics for monitoring. The load is reduced on IAP and AirWave and this assists in scaling AirWave effectively.

Template-Based Configuration

AirWave automatically creates a configuration template based on any of the existing IAPs, and it applies that template across the network as shown in the following figure. It audits every device on an ongoing basis to ensure that configurations never vary from the enterprise policies. It alerts you whenever a violation is detected and automatically repairs the incorrectly configured devices.

Figure 83 Template-Based Configuration

Trending Reports

AirWave saves up to 14 months of actionable information, including network performance data and user roaming patterns, so you can analyze how network usage and performance trends have changed over time. It also provides detailed capacity reports with which you can plan the capacity and appropriate strategies for your organization.

Intrusion Detection System (IDS)

AirWave provides advanced, rules-based rogue classification. It automatically detects rogue IAPs irrespective of their location in the network and prevents authorized IAPs from being detected as rogue IAPs. It tracks and correlates the IDS events to provide a complete picture of network security.

Wireless Intrusion Detection System (WIDS) Event Reporting to AirWave

AirWave supports Wireless Intrusion Detection System (WIDS) Event Reporting, which is provided by Instant. This includes WIDS classification integration with the Rogue Access Point Detection Software (RAPIDS) module.

RAPIDS is a powerful and easy-to-use tool for automatic detection of unauthorized wireless devices. It supports multiple methods of rogue detection and uses authorized wireless IAPs to report other devices within range.

The WIDS report cites the number of IDS events for devices that have experienced the most instances in the prior 24 hours and provides links to support additional analysis or configuration in response.

RF Visualization Support for Instant

AirWave supports RF visualization for Instant. The VisualRF module provides a real-time picture of the actual radio environment of your wireless network and the ability to plan the wireless coverage of new sites. VisualRF uses sophisticated RF fingerprinting to accurately display coverage patterns and calculate the location of every Instant device in range. VisualRF provides graphical access to floor plans, client location, and RF visualization for floors, buildings, and campuses that host your network.

Figure 84 Adding an IAP in VisualRF

PSK-Based and Certificate-Based Authentication

The PSK-Based and Certificate-Based Authentication are determined by the AMP configuration field.

For a PSK-based authentication, the AMS-IP and PSK must be configured in the IAP. The VC attempts to use the login message to initiate a connection.

For a Certificate-based authentication, the AMS-IP and the PSK or just the AMS hostname must be configured in the IAP. The IAP sends a login message to the AMP. The AMP responds with a randomly generated string. The IAP signs the string with its private key and certificate, and sends it back to the AMP. The AMP verifies if the certificate and signature are valid.

A VC is approved based on the status of the Whitelist database:

- When Whitelist is enabled, the AMP verifies if the MAC address and serial number in the login message of the VC and the whitelist database match. If they match, a VC is created and approved. If they do not match, no VC is created.

- When Whitelist is disabled, the VC is created based on the following conditions:

  - Presence of other VCs with the same organization string and PSK in the AMP.

  - Approval of at least one of the VCs in the AMP.

Configurable Port for IAP and AirWave Management Server Communication

You can now customize the port number of the AMP server through the server_host:server_port format, for example, amp.aruba.com:4343.

The following example shows how to configure the port number of the AMP server:

24:de:c6:cf:63:60 (config) # ams-ip 10.65.182.15:65535

24:de:c6:cf:63:60 (config) # end

24:de:c6:cf:63:60# commit apply

Configuring Organization String

The Organization string is a set of colon-separated strings created by the AirWave administrator to accurately represent the deployment of each IAP. This string is defined by the installation personnel on the site.

You can use any of the following strings:

- AMP Role—"Org Admin" (initially disabled)

- AMP User—"Org Admin" (assigned to the role "Org Admin")

- Folder—"Org" (under the Top folder in AMP)

- Configuration Group—"Org"

You can also assign additional strings to create a hierarchy of subfolders under the folder named "Org". For example:

- subfolder1 for a folder under the "Org" folder

- subfolder2 for a folder under subfolder1

Shared Key

The Shared Secret key is an optional key used by the administrator to manually authorize the first VC for an organization. Any string is acceptable.

The AirWave administrator can use a shared key to manually authorize the first Virtual Controller for an organization. Any string is acceptable, but this string must be the same for all devices in your organization.

The AirWave administrator sends the shared secret key, Organization String and the AirWave IP address to the on-site installer setting up the VC and other Instant devices on the network. The AirWave administrator then manually authorizes the Virtual Controller shared secret key when it appears in the APs/Devices > New list.

After the VC has been validated, other Instant devices using that shared key will automatically be sent to the AirWave server, and appear in the APs/Devices > New list.

Configuring AirWave Information

You can configure AirWave information by using the Instant UI or the CLI.

In the Instant UI

To configure AirWave information:

1. Click the AirWave Set Up Now link of the main window. The System window is displayed with the AirWave parameters on the Admin tab.

2. Enter the name of your organization in the Organization name text box. The name defined for the organization is displayed under the Groups tab in the AirWave UI.

3. Enter the IP address or domain name of the AirWave server in the AirWave server text box.

4. Enter the IP address or domain name of a backup AirWave server in the AirWave backup server text box.

The backup server provides connectivity when the primary server is down. If the IAP cannot send data to the primary server, the VC switches to the backup server automatically.

5. Enter the shared key in the Shared key text box and reconfirm. This shared key is used for configuring the first IAP in the Instant network.

6. Click OK.

In the CLI

To configure AirWave information:

(Instant AP)(config)# organization <name>

(Instant AP)(config)# ams-ip <IP-address or domain name>

(Instant AP)(config)# ams-backup-ip <IP-address or domain name>

(Instant AP)(config)# ams-key <key>

(Instant AP)(config)# end

(Instant AP)# commit apply

Configuring for AirWave Discovery Through DHCP

AirWave can be discovered through the DHCP server. You can configure this only if AirWave was not configured earlier or if you have deleted the previous configuration.

On the DHCP server, the format for option 60 is “InstantAP”, and the two formats for option 43 are “<organization>,<ams-ip>,<ams-key>” and “<organization>,<ams-domain>”.

If you use the <organization>,<ams-ip>,<ams-key> format, the PSK-based authentication is used to access the AMP server.

If you use the <organization>,<ams-domain> format, the IAP resolves the domain name into two IP addresses—AirWave Primary and AirWave Backup.

For option 43, when you choose to enter the domain name, the IP address and key are not available.
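
As an added example (not part of the Aruba guide or of any Aruba software), the following Python code parses the two option 43 formats described above, splits the colon-separated organization string into its folder hierarchy, and flags values that do not fit the format or that expose the shared key. MIN_KEY_LEN, the finding names, and the third sample value are assumptions made for illustration.

```python
"""Audit DHCP option 43 strings used for AirWave discovery by Instant APs."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MIN_KEY_LEN = 12  # assumption: local policy threshold, not a value from the guide

FINDINGS = {
    "key-in-dhcp": "shared key is carried in the DHCP option 43 value in cleartext",
    "short-key": f"shared key is shorter than {MIN_KEY_LEN} characters",
    "ip-expected": "three-field format is <organization>,<ams-ip>,<ams-key>",
    "domain-expected": "two-field format is <organization>,<ams-domain>",
}


@dataclass
class Option43:
    organization: str          # full colon-separated organization string
    folders: List[str]         # top folder/group first, then subfolders
    server: str                # <ams-ip> or <ams-domain>
    shared_key: Optional[str]  # present only in the three-field format
    findings: List[str] = field(default_factory=list)

    @property
    def psk_based(self) -> bool:
        """The guide states the three-field format selects PSK-based auth."""
        return self.shared_key is not None


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_option43(value: str) -> Option43:
    """Parse one option 43 ASCII value and attach audit findings."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError("expected 2 or 3 non-empty comma-separated fields")
    organization, server = parts[0], parts[1]
    folders = [f.strip() for f in organization.split(":")]
    if not all(folders):
        raise ValueError("empty element in organization string")
    key = parts[2] if len(parts) == 3 else None
    opt = Option43(organization, folders, server, key)
    if key is not None:
        opt.findings.append("key-in-dhcp")
        if len(key) < MIN_KEY_LEN:
            opt.findings.append("short-key")
        if not is_ip(server):
            opt.findings.append("ip-expected")
    elif is_ip(server):
        opt.findings.append("domain-expected")
    return opt


if __name__ == "__main__":
    samples = [
        "Aruba,192.0.2.20, 12344567",  # example value from the guide
        "Aruba, aruba.support.com",    # example value from the guide
        "Retail:East:Store4,198.51.100.7,n0t-a-real-key-0001",  # constructed
    ]
    for s in samples:
        o = parse_option43(s)
        print(o.folders, o.server, "psk" if o.psk_based else "no key", o.findings)
```

Because the three-field format places the shared key in the option value, restrict it to scopes that serve only Instant devices, as the per-scope method later in this chapter does.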

Enabling DNS-Based Discovery of the Provisioning AMP Server

IAPs can now automatically discover the provisioning AMP server if the DHCP option 43 and Activate cannot perform zero-touch provisioning (ZTP) and transfer the AirWave configuration to the IAP.

When a domain option xxx is included in the DHCP configuration, the IAP will search the DNS server records for aruba-airwave.xxx. When there is no domain option, the IAP will search only the server records for aruba-airwave.

To enable IAPs to automatically discover the AMP server, create a DNS record for aruba-airwave.xxx or aruba-airwave in the DNS server. To use this feature on the AirWave side, enable certificate-based login. For information on how to enable certificate-based login, see PSK-Based and Certificate-Based Authentication on page 312.

Standard DHCP Options 60 and 43 on Windows Server 2008

In networks that are not using DHCP options 60 and 43, it is easy to use the standard DHCP options 60 and 43 for an IAP or AP. For APs, these options can be used to indicate the master controller or the local controller. For IAPs, these options can be used to define the AirWave IP, group, password, and domain name.

1. From a server running Windows Server 2008, navigate to Server Manager > Roles > DHCP server > domain > DHCP Server > IPv4.

2. Right-click IPv4 and select Set Predefined Options.

Figure 85 Instant and DHCP options for AirWave: Set Predefined Options

3. Select DHCP Standard Options in the Option class drop-down list and then click Add.

4. Enter the following information:

- Name—Instant

- Data Type—String

- Code—60

- Description—Instant AP

Figure 86 Instant and DHCP options for AirWave: Predefined Options and Values

5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.)

6. Right-click Server Options and select the configuration options.

Figure 87 Instant and DHCP options for AirWave: Server Options

7. Select 060 Aruba Instant AP in the Server Options window and enter ArubaInstantAP in the String value text box.

Figure 88 Instant and DHCP options for AirWave—060 IAP in Server Options

8. Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII text box:

- airwave-orgn, airwave-ip, airwave-key; for example: Aruba,192.0.2.20, 12344567

- airwave-orgn, airwave-domain; for example: Aruba, aruba.support.com

Figure 89 Instant and DHCP options for AirWave—043 Vendor-Specific Info

This creates DHCP options 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.

Figure 90 Instant and DHCP options for AirWave: Scope Options

Alternate Method for Defining Vendor-Specific DHCP Options

This section describes how to add vendor-specific DHCP options for IAPs in a network that already uses DHCP options 60 and 43 for other services. Some networks use DHCP standard options 60 and 43 to provide the DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options 60 and 43 cannot be used for IAPs.

This method describes how to set up a DHCP server to send option 43 with AirWave information to the IAP. This section assumes that option 43 is sent per scope, because option 60 is being shared by other devices as well.

The DHCP scope must be specific to Instant, and the PXE devices that use options 60 and 43 must not connect to the subnet defined by this scope. This is because you can specify only one option 43 for a scope, and if other devices that use option 43 connect to this subnet, they are presented with the information specific to the IAP.

1. In Windows Server 2008, navigate to Server Manager > Roles > DHCP Server > Domain DHCP Server > IPv4.

2. Select a scope [subnet]. Scope [10.169.145.0]145 is selected in the example shown in the figure below.

3. Right-click and select Advanced, and then specify the following options:

- Vendor class—DHCP Standard Options

- User class—Default User Class

- Available options—Select 043 Vendor-Specific Info

- String Value—ArubaInstantAP, tme-store4, 10.169.240.8, Aruba123 (which is the IAP description, organization string, AirWave IP address or domain name, Pre-shared key, for AirWave)

Figure 91 Vendor-Specific DHCP options

Upon completion, the IAP shows up as a new device in AirWave, and a new group called tme-store4 is created.

Navigate to APs/Devices > New > Group to view this group.

Figure 92 AirWave—New Group

Figure 93 AirWave—Monitor

For more information on provisioning, managing, and monitoring the IAPs from AirWave, refer to the AirWave Aruba Instant Deployment Guide.

Managing IAP from Aruba Central

Aruba Central uses a secure HTTPS connection and provides a strong mutual authentication mechanism using certificates for all communication with IAPs. These certificates ensure the highest level of protection.

Provisioning an IAP using Central

Accessing Central

After you subscribe and register an IAP, log in to the Central dashboard to manage your IAP using the following URL: http://www.arubanetworks.com/iap-motd

The Central UI is categorized into the following sections:

1. Monitoring

2. Configuration

3. Reporting

4. Maintenance

These sections are layered under groups. The configuration details of the IAPs are defined at a group level.

IAP Provisioning

Obtaining Cloud Activation Key

The IAPs obtain the cloud activation key from the Aruba Activate server in the following scenarios:

- During reboot, if the VC has the Central URL stored, it will connect directly to Central using the activation key obtained from the Aruba Activate server. If there is no URL stored, the VC tries to establish a connection with the Activate server every 5 minutes, until a successful SSL connection is established and the activation key is obtained.

- If the IAP VC has a Central URL stored, but fails to establish a connection to Central in three attempts, the VC reconnects to the Activate server to obtain a new activation key.

The cloud activation key obtained from the Activate server is valid for 10 days. To obtain a new activation key, IAPs reconnect to the Activate server after the initially assigned key expires.

Managing Subscriptions

Aruba Central maintains a subscription list for the IAPs. If an IAP is not included in this list, Central identifies it as an unauthorized IAP and prevents it from joining the network. The service providers use Aruba Central to track the subscription of each IAP based on its serial number and MAC address.

The following types of subscription status are listed for the IAPs:

- Active—Central allows the IAP to join the network.

- Expired—Central denies the IAP from joining the network.

If the status of a master IAP changes from active to expired, the VC is set to factory defaults and it reboots.

If the status of a slave IAP changes from active to expired, the VC sets the slave IAP to factory defaults and reboots the IAP.

Slave IAPs can connect to Aruba Central through WebSocket.

- Unknown—Central does not allow the IAP to join the network. However, it gives an option to retry the connection.

The list maintained by Aruba Central is different from the list maintained by the end users. Therefore, Central can prevent an IAP from joining the network when the subscription expires, even if the IAP is present in the subscription list maintained by the end user.

The subscription list is dynamic and gets updated each time an IAP is included in Central.

Firmware Management

For a multiclass IAP network, ensure that the IAP can download software images from the Aruba Cloud-Based Image Service. You may also need to configure HTTP proxy settings on the IAP if they are required for Internet access in your network. For more information about image upgrade and HTTP proxy configuration, see sections Image Management Using Cloud Server on page 355 and Configuring HTTP Proxy on an IAP on page 355.

IAP Configuration

Any IAP joining a group inherits the configuration defined for the group. After you create a group, navigate to the Wireless Configuration section and create a new SSID. Aruba Central supports zero-touch provisioning, which allows the network administrators to configure the IAPs even before the hardware arrives.

After you turn on the IAP and connect to the uplink port, the IAP is displayed under the default group in the Aruba Central UI. You can choose to move the IAP to a different group that you created. The configuration defined in this group is automatically applied to the IAP.

WebSocket Connection

WebSocket is a protocol based on which the VCs and the slave IAPs can establish and maintain a connection with Central cloud services. The Central cloud services comprise cloud management, supportability (debug commands), presence analytics, and AppRF.

Instant 6.4.3.1-4.2.0.0 introduces WebSocket support. It is more efficient than HTTP because Central does not depend on a client request to respond to an IAP. When a WebSocket connection is established, all the access points including VCs and slaves can communicate with the cloud server at any time. VCs can communicate with the cloud management. Slave IAPs can communicate with application level components such as supportability, presence analytics, and AppRF.

A new WebSocket capable IAP connects to cloud through HTTPS post. If a server supports WebSocket, it will send an HTTP redirect message to the IAP. The IAP closes the existing HTTPS connection and connects to the cloud server through WebSocket. If the server does not support WebSocket, it will ignore the header and IAPs will continue using HTTPS and XML to communicate with the cloud server.
