Behavior and Defaults. Aruba M3MK1, 7024, 7240, 620, 7280, 650, 3200; ArubaOS 6.5.3.x User Guide
Chapter 45
Behavior and Defaults
Topics in this chapter include:
- Understanding Mode Support on page 1097
- Understanding Basic System Defaults on page 1099
- Understanding Default Management User Roles on page 1107
- Understanding Default Open Ports on page 1110
Understanding Mode Support
Most ArubaOS features are supported in all forwarding modes. However, some features are not supported in one or more forwarding modes. Campus APs do not support split-tunnel forwarding mode, and decrypt-tunnel forwarding mode does not support TKIP countermeasure management on campus APs or remote APs.
Table 273 describes the features that are not supported in each forwarding mode.
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1097
Table 273: Features not Supported in Each Forwarding Mode

Forwarding mode: Split Tunnel Mode on Remote APs
Features not supported:
  AirGroup
  AppRF
  Bandwidth based CAC
  Broadcast-filter
  DHCP Fingerprinting
  Dynamic Multicast Optimization
  IGMP Proxy Mobility
  Layer-2 Mobility
  Layer-3 Mobility
  Mobile IP
  Named VLAN
  Station blacklist by ACL action
  TKIP countermeasure management
  Video over Mesh
  VLAN pooling
  Voice over Mesh
  WebCC

Forwarding mode: Bridge Mode on Campus APs or Remote APs
Features not supported:
  AirGroup
  AppRF
  Automatic Voice Flow Classification
  Bandwidth based CAC
  Broadcast filter
  Captive Portal
  DHCP enforcement
  DHCP fingerprint
  Dynamic Multicast Optimization
  Firewall – Alcatel NOE Support
  Firewall – SIP / SCCP / RTP / RTSP Voice Support
  H.323 ALG
  IGMP Proxy Mobility
  Layer 3 Mobility
  Lync SDN API
  Management: Voice client statistics
  Management: Voice client troubleshooting
  Management: Voice-specific views
  Mobile IP
  Named VLAN
  NOE ALG
  Power save: Drop wireless multicast traffic
  Power save: Proxy ARP (global)
  Power save: Proxy ARP (per-SSID)
  Power save: Wireless battery boost
  RADIUS CoA
  Rate Limiting for broadcast / multicast
  SCCP ALG
  SIP ALG
  SIP: CAC enforcement enhancements
  SIP: Delay measurement
  SIP: Phone number awareness
  SIP: R-Value computation
  SIP: SIP authentication tracking
  Station blacklist
  Station blacklist by an ACL action
  SVP ALG
  TKIP countermeasure management
  Video over Mesh
  Vocera ALG
  Voice over Mesh
  Voice protocol monitoring / reporting
  WebCC
  XML-API
Understanding Basic System Defaults
The default administrator user name is admin, and the default password is also admin. Change this password before the controller is placed on a production network. The ArubaOS software includes several predefined network services, firewall policies, and roles.
Network Services
Table 274 lists the predefined network services and their protocols and ports.
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1099
Table 274: Predefined Network Services

Name              Protocol  Port(s)
svc-pop3          tcp       110
svc-adp           udp       8200
svc-noe           udp       32512
svc-noe-oxo       udp       5000
svc-dns           udp       53
svc-msrpc-tcp     tcp       135 139
svc-rtsp          tcp       554
svc-http          tcp       80
svc-vocera        udp       5002
svc-nterm         tcp       1026 1028
svc-sip-udp       udp       5060
svc-papi          udp       8211
svc-ftp           tcp       21
svc-natt          udp       4500
svc-svp           119       0
svc-dhcp          udp       67 68
svc-snmp-trap     udp       162
svc-smb-tcp       tcp       445
svc-https         tcp       443
svc-ike           udp       500
svc-l2tp          udp       1701
svc-syslog        udp       514
svc-pptp          tcp       1723
svc-telnet        tcp       23
svc-sccp          tcp       2000
svc-tftp          udp       69
svc-sip-tcp       tcp       5060
svc-kerberos      udp       88
svc-gre           gre       0
svc-smtp          tcp       25
svc-smb-udp       udp       445
svc-esp           esp       0
svc-bootp         udp       67 69
svc-snmp          udp       161
svc-icmp          icmp      0
svc-ntp           udp       123
svc-msrpc-udp     udp       135 139
svc-ssh           tcp       22
svc-h323-tcp      tcp       1720
svc-h323-udp      udp       1718 1719
svc-http-proxy1   tcp       3128
svc-http-proxy2   tcp       8080
svc-http-proxy3   tcp       8888
svc-sips          tcp       5061
svc-v6-dhcp       udp       546 547
svc-v6-icmp       icmp      0
any               any       0

Policies
The following are predefined policies.

Table 275: Predefined Policies

ip access-list session allowall
  any any any permit
  Description: An "allow all" firewall rule that permits all traffic.

ip access-list session control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-papi permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
  Description: Controls traffic. Apply to untrusted wired ports in order to allow Aruba APs to boot up.
  NOTE: In most cases wired ports should be made "trusted" when attached to an internal network.

ip access-list session captiveportal
  user alias mswitch svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
  Description: Enables Captive Portal authentication.
  1. Any HTTPS traffic destined for the controller is NATed to port 8081, where the captive portal server answers.
  2. All HTTP traffic to any destination is NATed to the controller on port 8080, where an HTTP redirect is issued.
  3. All HTTPS traffic to any destination is NATed to the controller on port 8081, where an HTTP redirect is issued.
  4. All HTTP proxy traffic is NATed to the controller on port 8088.
  NOTE: For captive portal to work properly, DNS must also be permitted. This is normally done in the "logon-control" firewall rule.

ip access-list session cplogout
  user alias mswitch svc-https dst-nat 8081
  Description: Used to enable the captive portal "logout" window. If the user attempts to connect to the controller on the standard HTTPS port (443), the client is NATed to port 8081, where the captive portal server answers. If this rule is not present, a wireless client may be able to access the controller's administrative interface.

ip access-list session vpnlogon
  any any svc-ike permit
  any any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
  Description: This policy permits VPN sessions to be established to any destination. IPsec (IKE, ESP, and L2TP) and PPTP (PPTP and GRE) are supported.

ip access-list session ap-acl
  any any udp 5000
  any any udp 5555
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  Description: This is a policy for internal use and should not be modified. It permits APs to boot up and communicate with the controller.

ip access-list session validuser
  any any any permit
  Description: This firewall rule controls which users will be added to the user-table of the controller through untrusted interfaces. Only IP addresses permitted by this ACL are admitted to the system for further processing. If a client device attempts to use an IP address that is denied by this rule, the client device is ignored by the controller and given no network access. You can use this rule to restrict foreign IP addresses from being added to the user-table. This policy should not be applied to any user role; it is an internal system policy.

ip access-list session vocera-acl
  any any svc-vocera permit queue high
  Description: Use for Vocera VoIP devices to automatically permit and prioritize Vocera traffic.

ip access-list session icmp-acl
  any any svc-icmp permit
  Description: Permits all ICMP traffic.

ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
  Description: Use for SIP VoIP devices to automatically permit and prioritize all SIP control and data traffic.

ip access-list session https-acl
  any any svc-https permit
  Description: Permits all HTTPS traffic.

ip access-list session dns-acl
  any any svc-dns permit
  Description: Permits all DNS traffic.

ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  Description: The default pre-authentication policy that should be used by all wireless clients. Prohibits the client from acting as a DHCP server. Permits all ICMP, DNS, and DHCP. Also permits IPsec NAT-T (UDP 4500); remove NAT-T if it is not needed.

ip access-list session srcnat
  user any any src-nat
  Description: This policy can be used to source-NAT all traffic. Because no NAT pool is specified, traffic that matches this policy is source-NATed to the IP address of the controller.

ip access-list session skinny-acl
  any any svc-sccp permit queue high
  Description: Use for Cisco Skinny VoIP devices to automatically permit and prioritize VoIP traffic.

ip access-list session tftp-acl
  any any svc-tftp permit
  Description: Permits all TFTP traffic.

ip access-list session guest
  (no rules)
  Description: This policy is not used.

ip access-list session dhcp-acl
  any any svc-dhcp permit
  Description: Permits all DHCP traffic. If DHCP is not allowed, clients will not be able to request or renew IP addresses.

ip access-list session http-acl
  any any svc-http permit
  Description: Permits all HTTP traffic.

ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 224.0.1.116 any permit
  Description: Use for Spectralink VoIP devices to automatically permit and prioritize Spectralink Voice Protocol (SVP).

ip access-list session noe-acl
  any any svc-noe permit queue high
  Description: Use for Alcatel NOE VoIP devices to automatically permit and prioritize NOE traffic.

ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
  Description: Use for H.323 VoIP devices to automatically permit and prioritize H.323 traffic.

ipv6 access-list session v6-control
  user any udp 68 deny
  any any svc-v6-icmp permit
  any any svc-v6-dhcp permit
  any any svc-dns permit
  any any svc-tftp permit
  Description: Provides equivalent functionality to the "control" policy, but for IPv6 clients.

ipv6 access-list session v6-icmp-acl
  any any svc-v6-icmp permit
  Description: Permits all ICMPv6 traffic.

ipv6 access-list session v6-https-acl
  any any svc-https permit
  Description: Permits all IPv6 HTTPS traffic.

ipv6 access-list session v6-dhcp-acl
  any any svc-v6-dhcp permit
  Description: Permits all IPv6 DHCP traffic.

ipv6 access-list session v6-dns-acl
  any any svc-dns permit
  Description: Permits all IPv6 DNS traffic.

ipv6 access-list session v6-allowall
  any any any permit
  Description: Permits all IPv6 traffic.

ipv6 access-list session v6-http-acl
  any any svc-http permit
  Description: Permits all IPv6 HTTP traffic.

ipv6 access-list session v6-tftp-acl
  any any svc-tftp permit
  Description: Permits all IPv6 TFTP traffic.

ipv6 access-list session v6-logon-control
  user any udp 68 deny
  any any svc-v6-icmp permit
  any any svc-v6-dhcp permit
  any any svc-dns permit
  Description: Provides equivalent functionality to the "logon-control" policy, but for IPv6 clients.
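To make the first-match semantics of these policies concrete, here is an added example in Python (not code from the ArubaOS guide or from Aruba): a small parser for the rule syntax printed in Table 275 and an evaluator that walks a role's ACLs in order, using a subset of the services from Table 274. The controller address 10.0.0.1 standing in for the mswitch alias, the implicit deny for traffic that matches no rule, and the sample packets are assumptions of the example. It evaluates the logon role as listed in Table 276 (the IPv6 ACL omitted) beside the same role with vpnlogon removed, which is the hardening the role descriptions recommend when VPN pass-through is not needed.

```python
# Added example, not code from the ArubaOS guide: a small evaluator for the
# session-ACL syntax printed in Table 275, to show first-match semantics and
# how a role's ordered ACL list decides what a pre-authentication client may do.
from dataclasses import dataclass

# Subset of Table 274: service name -> (protocol, destination ports)
SERVICES = {
    "svc-icmp": ("icmp", set()),
    "svc-dns": ("udp", {53}),
    "svc-dhcp": ("udp", {67, 68}),
    "svc-natt": ("udp", {4500}),
    "svc-http": ("tcp", {80}),
    "svc-https": ("tcp", {443}),
    "svc-http-proxy1": ("tcp", {3128}),
    "svc-http-proxy2": ("tcp", {8080}),
    "svc-http-proxy3": ("tcp", {8888}),
    "svc-ike": ("udp", {500}),
    "svc-esp": ("esp", set()),
    "svc-l2tp": ("udp", {1701}),
    "svc-pptp": ("tcp", {1723}),
    "svc-gre": ("gre", set()),
    "any": ("any", set()),
}

# Hypothetical controller address standing in for the built-in 'mswitch' alias.
ALIASES = {"mswitch": {"10.0.0.1"}}


@dataclass
class Packet:
    """A client-originated packet: the 'user' side is always the source."""
    dst: str
    proto: str
    dport: int = 0


def parse_rule(line):
    """Parse one rule as printed in Table 275: src dst service action [arg]."""
    tok = line.split()
    src, tok = tok[0], tok[1:]
    if tok[0] in ("alias", "host"):          # 'alias mswitch' / 'host 224.0.1.116'
        dst, tok = (tok[0], tok[1]), tok[2:]
    else:
        dst, tok = (tok[0], None), tok[1:]
    if tok[0] in ("tcp", "udp"):             # literal service such as 'udp 68'
        svc, tok = (tok[0], {int(tok[1])}), tok[2:]
    else:
        svc, tok = SERVICES[tok[0]], tok[1:]
    action = tok[0]
    arg = tok[1] if len(tok) > 1 and tok[1] != "queue" else None
    return {"src": src, "dst": dst, "svc": svc, "action": action, "arg": arg}


def parse_acl(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


def matches(rule, pkt):
    kind, value = rule["dst"]
    if kind == "alias":
        dst_ok = pkt.dst in ALIASES[value]
    elif kind == "host":
        dst_ok = pkt.dst == value
    else:                                    # 'any' ('user' as a destination is not modelled)
        dst_ok = kind == "any"
    proto, ports = rule["svc"]
    svc_ok = proto == "any" or (proto == pkt.proto and (not ports or pkt.dport in ports))
    return dst_ok and svc_ok


def evaluate(role, pkt):
    """Walk the role's ACLs in order; the first matching rule wins.
    Traffic that matches nothing is denied (assumed implicit deny)."""
    for acl in role:
        for rule in acl:
            if matches(rule, pkt):
                return rule["action"], rule["arg"]
    return "deny", None


# Rules copied from Table 275
LOGON_CONTROL = parse_acl("""
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
""")
CAPTIVEPORTAL = parse_acl("""
user alias mswitch svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
""")
VPNLOGON = parse_acl("""
any any svc-ike permit
any any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
""")

# 'logon' role as listed in Table 276 (IPv6 ACL omitted), and the same role
# with VPN pass-through removed, as the guide recommends when it is not needed.
LOGON_ROLE = [LOGON_CONTROL, CAPTIVEPORTAL, VPNLOGON]
HARDENED_LOGON_ROLE = [LOGON_CONTROL, CAPTIVEPORTAL]

if __name__ == "__main__":
    for pkt in (Packet("8.8.8.8", "udp", 53), Packet("93.184.216.34", "tcp", 80),
                Packet("10.0.0.1", "tcp", 443), Packet("10.0.0.99", "udp", 68),
                Packet("203.0.113.5", "udp", 500)):
        print(pkt, evaluate(LOGON_ROLE, pkt), evaluate(HARDENED_LOGON_ROLE, pkt))
```

Because logon-control is listed before captiveportal, DNS and DHCP are permitted before any HTTP rule is reached (the DNS requirement noted under the captiveportal policy), a client sending to UDP 68 is denied before anything else matches, and IKE to an arbitrary host is permitted only while vpnlogon remains in the role.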
Validuser and Logon-control ACLs
Default firewall rules in both the validuser and logon-control ACLs prevent malicious users from spoofing source IP addresses: a packet whose source address falls in one of the reserved ranges below is dropped by the default firewall rule in the validuser ACL.
A client with a correct source address can still send traffic to the networks below as a destination. To deny that traffic, the default firewall rule added to the logon-control ACL denies traffic to the reserved addresses from users in the logon role.
The following networks can be blocked by the default firewall rules in both the validuser and logon-control ACLs:
- Packets whose source address is the broadcast address (source address == 255.255.255.255)
- Packets whose source address is a multicast address (source address = 224.0.0.0 – 239.255.255.255)
- Packets whose source address is a loopback address (127.0.0.1 through 127.255.255.254)
- Packets whose source or destination address is a link-local address (169.254.0.0/16)
- Packets whose source or destination address is "reserved for future use" as specified in RFC 5735 for IPv4 (240.0.0.0/4)
- Packets whose source or destination address is the IPv6 "unspecified address" (::/128) or an address "reserved for future definition and use" (addresses other than 2000::/3) as specified in RFC 3513. The check for the IPv6 unspecified address (::/128) is performed in the datapath and the packet is dropped. This is the default behavior; you can view the resulting logs by enabling the firewall enable-per-packet-logging configuration.
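The reserved-address checks above, as an added example in Python that is not code from the ArubaOS guide or from Aruba: one classifier that applies each rule to a (source, destination) pair and reports why the packet would be dropped, run over constructed sample traffic. It models only accept/drop, not which of the two ACLs performs the drop; it treats loopback as 127.0.0.0/8 rather than the exact 127.0.0.1–127.255.255.254 range, and it follows the guide's IPv6 wording literally (anything outside 2000::/3 is dropped), so those two choices are assumptions of the example.

```python
# Added example, not code from the ArubaOS guide: the reserved-address checks
# this section attributes to the default validuser and logon-control rules,
# written as one classifier so each boundary can be exercised offline.
# spoof_check() returns the reason a packet would be dropped, or None if it passes.
import ipaddress

V4_BROADCAST = ipaddress.ip_address("255.255.255.255")
V4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")      # 224.0.0.0 - 239.255.255.255
V4_LOOPBACK = ipaddress.ip_network("127.0.0.0/8")       # guide: 127.0.0.1 - 127.255.255.254
V4_LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
V4_RESERVED = ipaddress.ip_network("240.0.0.0/4")       # RFC 5735 "reserved for future use"
V6_UNSPECIFIED = ipaddress.ip_address("::")
V6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def spoof_check(src, dst):
    """Apply the source/destination rules in the order the guide lists them."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        return "address family mismatch"
    if s.version == 4:
        if s == V4_BROADCAST:
            return "broadcast source"
        if s in V4_MULTICAST:
            return "multicast source"
        if s in V4_LOOPBACK:
            return "loopback source"
        if s in V4_LINK_LOCAL or d in V4_LINK_LOCAL:
            return "link-local address"
        if s in V4_RESERVED or d in V4_RESERVED:
            return "reserved (240.0.0.0/4) address"
        return None
    # IPv6: '::' and anything outside 2000::/3 is dropped, as the guide words it
    for a in (s, d):
        if a == V6_UNSPECIFIED:
            return "unspecified (::) address"
        if a not in V6_GLOBAL_UNICAST:
            return "address outside 2000::/3"
    return None


def filter_packets(packets):
    """Run the check over (src, dst) pairs; return the pairs that pass and one
    drop line per rejected packet, in the spirit of per-packet firewall logging."""
    kept, log = [], []
    for src, dst in packets:
        reason = spoof_check(src, dst)
        if reason:
            log.append(f"drop {src} -> {dst}: {reason}")
        else:
            kept.append((src, dst))
    return kept, log


# Constructed sample traffic (not captured from a real controller)
SAMPLE = [
    ("10.1.20.15", "10.1.1.1"),             # ordinary client to gateway
    ("255.255.255.255", "10.1.1.1"),        # spoofed broadcast source
    ("239.255.255.250", "10.1.1.1"),        # multicast used as a source
    ("127.0.0.1", "10.1.1.1"),              # loopback source
    ("10.1.20.15", "169.254.169.254"),      # link-local destination
    ("10.1.20.15", "240.0.0.1"),            # reserved destination
    ("2001:db8::10", "2001:db8::1"),        # global unicast IPv6, passes
    ("::", "2001:db8::1"),                  # unspecified source
]

if __name__ == "__main__":
    kept, log = filter_packets(SAMPLE)
    print("\n".join(log))
    print("kept:", kept)
```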
Roles
The following are predefined roles.
If you upgrade from a previous ArubaOS release, your existing configuration may have additional or different predefined roles. The information in this section only describes the predefined roles for this release.
Table 276: Predefined Roles

Role: system-role ap-role
  ACLs: session-acl control; session-acl ap-acl
  Description: This is an internal role and should not be edited.
  Can this role be deleted? No

Role: system-role stateful-dot1x
  ACLs: none
  Description: This is an internal role used for Stateful 802.1X. It should not be edited.
  Can this role be deleted? No

Role: system-role sys-ap-role
  ACLs: none
  Description: This is a limited role applied to Aruba APs to allow the AP to boot up and terminate on the controller.
  Can this role be deleted? No

Role: user-role authenticated
  ACLs: session-acl allowall; ipv6 session-acl v6-allowall
  Description: This is a default role that can be used for authenticated users. It permits all IPv4 and IPv6 traffic for users who are part of this role.
  Can this role be deleted? No

Role: user-role cpbase
  ACLs: none
  Description: This is a role for cpbase.
  Can this role be deleted? Yes

Role: user-role default-iap-userrole
  ACLs: none
  Description: This is the default user role for IAPs. It is applied to the GRE tunnel between the IAP and the controller, and therefore also to all CL2 users created on the controller.
  Can this role be deleted? No

Role: user-role default-via-role
  ACLs: none
  Description: This is the default user role for VIA users. It is referenced as the default in the default VIA Authentication profile.
  Can this role be deleted? No

Role: user-role default-vpn-role
  ACLs: session-acl allowall; ipv6 session-acl v6-allowall
  Description: This is the default role used for VPN-connected clients. It is referenced in the default "aaa authentication vpn" profile.
  Can this role be deleted? No

Role: user-role denyall
  ACLs: none
  Description: This role blocks all traffic to and from the user.
  Can this role be deleted? Yes

Role: user-role guest
  ACLs: session-acl http-acl; session-acl https-acl; session-acl dhcp-acl; session-acl icmp-acl; session-acl dns-acl; ipv6 session-acl v6-http-acl; ipv6 session-acl v6-https-acl; ipv6 session-acl v6-dhcp-acl; ipv6 session-acl v6-icmp-acl; ipv6 session-acl v6-dns-acl
  Description: This is a default role for guest users. It permits only HTTP, HTTPS, DHCP, ICMP, and DNS for the guest user. To increase security, a "deny" rule for internal network destinations could be added at the beginning.
  Can this role be deleted? No

Role: user-role guest-logon
  ACLs: captive-portal default; session-acl logon-control; session-acl captiveportal
  Description: This role is used as the pre-authentication role for guest SSIDs. It allows control traffic such as DNS, DHCP, and ICMP, and also enables captive portal.
  Can this role be deleted? No

Role: user-role <ssid>-guest-logon
  ACLs: captive-portal default; session-acl logon-control; session-acl captiveportal
  Description: This role is only generated when creating a new WLAN using the WLAN Wizard. The WLAN Wizard creates this role when captive portal is enabled. This is the initial role that a guest is placed in prior to captive portal authentication. By using a different guest logon role for each SSID, it is possible to enable multiple captive portal profiles with different customization.
  Can this role be deleted? Yes

Role: user-role logon
  ACLs: session-acl logon-control; session-acl captiveportal; session-acl vpnlogon; ipv6 session-acl v6-logon-control
  Description: This is a user role that is normally applied to a user prior to authentication. This applies to wired users and non-802.1X wireless users. The role allows certain control protocols such as DNS, DHCP, and ICMP, and also enables captive portal and VPN termination/pass-through. The logon role should be edited to provide only the required services to a pre-authenticated user. For example, VPN pass-through should be disabled if it is not needed.
  Can this role be deleted? No

Role: user-role <ssid>-logon
  ACLs: session-acl control; session-acl captiveportal; session-acl vpnlogon
  Description: This role is only generated when creating a new WLAN using the WLAN Wizard. The WLAN Wizard creates this role when captive portal is enabled and a PEFNG license is installed. This is the initial role that a client is placed in prior to captive portal authentication. By using a different logon role for each SSID, it is possible to enable multiple captive portal profiles with different customization.
  Can this role be deleted? Yes

Role: user-role <ssid>-captiveportal-profile
  ACLs: implicit (see description)
  Description: When you use the WLAN Wizard without a PEFNG license installed and configure an Internal or Guest WLAN with captive portal enabled, the controller creates an implicit user role with the same name as the captive portal profile, <ssid>-captiveportal-profile. This implicit user role allows only DNS and DHCP traffic between the client and the network and directs all HTTP or HTTPS requests to the captive portal. You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN. Once the WLAN configuration is pushed to the controller, the WLAN Wizard associates the new role with the initial user role that you specify in the AAA profile. This role is not visible to the user in the WLAN Wizard.
  Can this role be deleted? Yes

Role: user-role voice
  ACLs: session-acl sip-acl; session-acl noe-acl; session-acl svp-acl; session-acl vocera-acl; session-acl skinny-acl; session-acl h323-acl; session-acl dhcp-acl; session-acl tftp-acl; session-acl dns-acl; session-acl icmp-acl
  Description: This role can be applied to voice devices in order to automatically permit and prioritize all VoIP protocols.
  Can this role be deleted? Yes
Understanding Default Management User Roles
The ArubaOS software includes predefined management user roles.
If you upgrade from a previous ArubaOS release, your existing configuration may have different management roles.
The information in this section only describes the predefined management roles for this release.
Table 277: Predefined Management Roles

root
  This role permits access to all management functions (commands and operations) on the controller.

read-only
  This role permits access to CLI show commands or WebUI monitoring pages only.

guest-provisioning
  This role permits access to configuring guest users in the controller's internal database only. This user only has access via the WebUI to create guest accounts; there is no CLI access. Guest-provisioning tasks include creating or generating the user name and password for a guest account as well as configuring when the account expires.

location-api-mgmt
  This role permits access to location API information. It can log in to the CLI but cannot run any CLI commands, and it does not permit access to the WebUI.
  Using a third-party location appliance, you can gather information about the location of 802.11 stations. To log in to the controller using a third-party location appliance, enter: http[s]://<ipaddress>[:port]/screens/wms/wms.login
  You are prompted to enter your username and password (for example, the username and password associated with the location API management role). Once authenticated, you can use an API call to request location information from the controller, for example: http[s]://<ipaddress>[:port]/screens/wms/wms.cgi?opcode=wlm-getspot&campus-name=<campus id>&building-name=<building id>&mac=<client1>,<client2>...

network-operations
  This role permits the WebUI Monitoring pages listed below. Under each page are the CLI commands whose reports that page shows.
  Monitoring > Network > All Access Points; Monitoring > Network > All Wired Access Points:
    DB:opcode=monitor-summary
    DB:opcode=cr-load
    DB:opcode=wlm-search&class=probes&start
    DB:opcode=wlm-search&class=amii
    DB:opcode=monitor-get-all-gps&status=any
    show ap-group
    show vlan status
  Monitoring > Controller > Controller Summary:
    show switches
    show switches summary
  Monitoring > Controller > Air Monitors:
    show wlan-ap start *
  Monitoring > Controller > Clients:
    show ip mobile host
    show ip mobile trail {<ipaddr> | <macaddr>}
    show ap essid
    show esi servers
    show esi ping
    show esi parser stats
    show private port status *
    show vlan
    show port stats
    show spanning-tree interface fastethernet <slot>/<module>/<port>
    show interface fastethernet <slot>/<module>/<port> counters
    clear counters fastethernet <slot>/<module>/<port>
    show snmp trap-queue <page>
  Monitoring > Controller > Clients > Packet Capture; Monitoring > Controller > Clients > Locate; Monitoring > Controller > Clients > Debug:
    aaa user debug mac
  Monitoring > Controller > Clients > Disconnect:
    stm kick-off-sta <macaddr>
    aaa user logout <ipaddr>
  Monitoring > Controller > Clients > Blacklist:
    stm add-blacklist-client <macaddr>
    aaa user delete {<ipaddr> | all | mac <macaddr> | name <username> | role <role>}
  Monitoring > Controller > Blacklist Clients:
    stm remove-blacklist-client <macaddr>
  Monitoring > Controller > External Services Interface:
    show esi groups
    show esi servers
    show esi ping
    show esi parser stats
  Monitoring > Controller > Ports:
    show model-switch-internal *
    show slots
    show private port status *
    show vlan
  Monitoring > Controller > Inventory:
    show keys
  Monitoring > WLAN:
    DB:opcode=get-permissions
    show switches summary
  Monitoring > Voice:
    show ap association voip-only
    show ap active voip-only
    show voice call-counters
    show voice client status
    DB:opcode=cr-load
    show switches
    show voice call-quality
    show voice call-density
    show voice call-cdrs
    show voice call-perf

standard
  This role has root privileges but cannot make changes to the management users. The purpose of this role is to prevent an externally authenticated management user from changing the local accounts.
Understanding Default Open Ports
By default, Aruba controllers and access points treat ports as untrusted. However, certain ports are open by default only on the trusted side of the network. These open ports are listed in Table 278.

Table 278: Default (Trusted) Open Ports

Port 17, TCP, controller
  Used for certain types of VPN clients that accept a banner (QOTD). During normal operation, this port only accepts a connection and immediately closes it.
Port 21, TCP, controller
  FTP.
Port 22, TCP, controller
  SSH.
Port 23, TCP, AP and controller
  Telnet is disabled by default, but the port is still open.
Port 53, UDP, controller
  Internal domain.
Port 67, UDP, AP (and controller if a DHCP server is configured)
  DHCP server.
Port 68, UDP, AP (and controller if a DHCP server is configured)
  DHCP client.
Port 69, UDP, controller
  TFTP.
Port 80, TCP, AP and controller
  Used for remote packet capture where the capture is saved on the access point. Provides access to the WebUI on the controller.
Port 123, UDP, controller
  NTP.
Port 161, UDP, AP and controller
  SNMP. Disabled by default.
Port 443, TCP, controller
  Used internally for captive portal authentication (HTTPS) and is exposed to wireless users. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well known CA such as Verisign. Self-signed certificates are open to man-in-the-middle attacks and should only be used for testing.
  Required for VIA: during the initializing phase, VIA uses HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 443 on your network to allow VIA to perform these checks.
Port 500, UDP, controller
  ISAKMP.
Port 514, UDP, controller
  Syslog.
Port 1144, RTLS, access points
  Open only when the RTLS feature is enabled.
Port 1701, UDP, controller
  L2TP.
Port 1723, TCP, controller
  PPTP.
Port 2300, TCP, controller
  Internal terminal server opened by the telnet soe command.
Port 3306, TCP, controller
  Remote wired MAC lookup.
Ports 4343 and 443, TCP, controller
  HTTPS. Both port 4343 and port 443 are supported. If port 4343 is used, it redirects to port 443. If port 443 is used, the connection continues on that port. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well known CA such as Verisign. Self-signed certificates are open to man-in-the-middle attacks and should only be used for testing.
Port 4500, UDP, controller
  sae-urn (IPsec NAT-T). Required for VIA: during the initializing phase, VIA uses HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 4500 on your network to allow VIA to perform these checks.
Port 8080, TCP, controller
  Used internally for captive portal authentication (HTTP proxy). This port is not exposed to wireless users.
Port 8081, TCP, controller
  Used internally for captive portal authentication (HTTPS). Not exposed to wireless users. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well known CA such as Verisign. Self-signed certificates are open to man-in-the-middle attacks and should only be used for testing.
Port 8082, TCP, controller
  Used internally for single sign-on authentication (HTTP). Not exposed to wireless users.
Port 8083, TCP, controller
  Used internally for single sign-on authentication (HTTPS). Not exposed to wireless users.
Port 8088, TCP, controller
  For internal use.
Port 8200, UDP, controller
  The Aruba Discovery Protocol (ADP).
Port 8211, UDP, controller
  For internal use.
Port 8888, TCP, controller
  Used for HTTP access.
advertisement
Related manuals
advertisement
Table of contents
- 3 Contents
- 16 Revision History
- 17 About this Guide
- 17 What's New In ArubaOS 6.5.x
- 29 Fundamentals
- 30 Related Documents
- 31 Conventions
- 32 Contacting Support
- 33 The Basic User-Centric Networks
- 33 Understanding Basic Deployment and Configuration Tasks
- 36 Controller Configuration Workflow
- 37 Connect the Controller to the Network
- 38 7000 Series and 7200 Series Controllers
- 40 Using the LCD Screen
- 43 Configuring a VLAN to Connect to the Network
- 46 Enabling Wireless Connectivity
- 47 Enabling Wireless Connectivity
- 47 Configuring Your User-Centric Network
- 47 Replacing a Controller
- 54 Control Plane Security
- 55 Control Plane Security Overview
- 55 Configuring Control Plane Security
- 57 Managing AP Whitelists
- 64 Managing Whitelists on Master and Local Controllers
- 68 Working in Environments with Multiple Master Controllers
- 71 Replacing a Controller on a Multi-Controller Network
- 75 Configuring Control Plane Security after Upgrading
- 76 Troubleshooting Control Plane Security
- 78 Software Licenses
- 78 Getting Started with ArubaOS Licenses
- 78 License Types and Usage
- 81 Licensing Best Practices and Limitations
- 82 Centralized Licensing Overview
- 88 Configuring Centralized Licensing
- 90 Installing a License
- 92 Deleting a License
- 93 Monitoring and Managing Centralized Licenses
- 96 Network Configuration Parameters
- 96 Campus WLAN Workflow
- 97 Understanding VLAN Assignments
- 105 Configuring VLANs
- 109 Configuring Ports
- 112 Configuring Static Routes
- 112 Configuring the Loopback IP Address
- 113 Configuring the Controller IP Address
- 114 Configuring GRE Tunnels
- 123 Configuring GRE Tunnel Groups
- 126 Jumbo Frame Support
- 129 IPv6 Support
- 129 Understanding IPv6 Notation
- 129 Understanding IPv6 Topology
- 130 Enabling IPv6
- 130 Enabling IPv6 Support for Controller and APs
- 138 Filtering an IPv6 Extension Header (EH)
- 138 Configuring a Captive Portal over IPv6
- 139 Working with IPv6 Router Advertisements (RAs)
- 143 RADIUS Over IPv6
- 144 TACACS Over IPv6
- 145 DHCPv6 Server
- 147 Understanding ArubaOS Supported Network Configuration for IPv6 Clients
- 148 Understanding ArubaOS Authentication and Firewall Features that Support IPv6
- 153 Managing IPv6 User Addresses
- 154 Understanding IPv6 Exceptions and Best Practices
- 156 Link Aggregation Control Protocol
- 156 Understanding LACP Best Practices and Exceptions
- 157 Configuring LACP
- 159 LACP Sample Configuration
- 160 OSPFv2
- 160 Understanding OSPF Deployment Best Practices and Exceptions
- 161 Understanding OSPFv2 by Example using a WLAN Scenario
- 162 Understanding OSPFv2 by Example using a Branch Scenario
- 164 Configuring OSPF
- 165 Sample Topology and Configuration
- 176 Tunneled Nodes
- 176 Understanding Tunneled Node Configuration
- 177 Configuring a Wired Tunneled Node Client
- 179 Authentication Servers
- 179 Understanding Authentication Server Best Practices and Exceptions
- 179 Understanding Servers and Server Groups
- 180 Configuring Authentication Servers
- 198 Managing the Internal Database
- 201 Configuring Server Groups
- 207 Assigning Server Groups
- 212 Configuring Authentication Timers
- 213 Authentication Server Load Balancing
- 214 MAC-based Authentication
- 214 Configuring MAC-Based Authentication
- 215 Configuring Clients
- 217 Branch Controller Config for Cloud Services Controllers
- 218 Branch Deployment Features
- 219 Scalable Site-to-Site VPN Tunnels
- 219 Layer-3 Redundancy for Branch Controller Masters
- 220 WAN Failure (Authentication) Survivability
- 226 WAN Health Check
- 226 WAN Optimization through IP Payload Compression
- 227 Interface Bandwidth Contracts
- 228 Branch Integration with a Palo Alto Networks (PAN) Portal
- 231 Branch Controller Routing Features
- 232 Cloud Management
- 232 Zero-Touch Provisioning
- 239 Using Smart Config to create a Branch Config Group
- 260 PortFast and BPDU Guard
- 262 Preventing WAN Link Failure on Virtual APs
- 263 Branch WAN Dashboard
- 265 802.1X Authentication
- 265 Understanding 802.1X Authentication
- 268 Configuring 802.1X Authentication
- 276 Enabling 802.1X Supplicant Support on an AP
- 277 Sample Configurations
- 293 Performing Advanced Configuration Options for 802.1X
- 294 Application Single Sign-On Using L2 Authentication
- 296 Device Name as User Name for Non-802.1X Authentication
- 297 Stateful and WISPr Authentication
- 297 Working With Stateful Authentication
- 298 Working With WISPr Authentication
- 298 Understanding Stateful Authentication Best Practices
- 298 Configuring Stateful 802.1X Authentication
- 299 Configuring Stateful NTLM Authentication
- 300 Configuring Stateful Kerberos Authentication
- 301 Configuring WISPr Authentication
- 304 Certificate Revocation
- 304 Understanding OCSP and CRL
- 305 Configuring the Controller as an OCSP Client
- 307 Configuring the Controller as a CRL Client
- 308 Configuring the Controller as an OCSP Responder
- 309 Certificate Revocation Checking for SSH Pubkey Authentication
- 310 OCSP Configuration for VIA
- 312 Captive Portal Authentication
- 312 Understanding Captive Portal
- 313 Configuring Captive Portal in the Base Operating System
- 315 Using Captive Portal with a PEFNG License
- 318 Sample Authentication with Captive Portal
- 324 Configuring Guest VLANs
- 325 Configuring Captive Portal Authentication Profiles
- 330 Enabling Optional Captive Portal Configurations
- 333 Personalizing the Captive Portal Page
- 336 Creating and Installing an Internal Captive Portal
- 346 Creating Walled Garden Access
- 347 Enabling Captive Portal Enhancements
- 351 Netdestination for AAAA Records
- 352 Virtual Private Networks
- 352 Planning a VPN Configuration
- 356 Working with VPN Authentication Profiles
- 358 Configuring a Basic VPN for L2TP/IPsec
- 362 Configuring a VPN for L2TP/IPsec with IKEv2
- 367 Configuring a VPN for Smart Card Clients
- 368 Configuring a VPN for Clients with User Passwords
- 369 Configuring Remote Access VPNs for XAuth
- 370 Working with Remote Access VPNs for PPTP
- 371 Working with Site-to-Site VPNs
- 379 Working with VPN Dialer
- 381 Roles and Policies
- 381 Configuring Firewall Policies
- 391 User Roles
- 393 Assigning User Roles
- 399 Understanding Global Firewall Parameters
- 403 Using AppRF 2.0
- 408 ClearPass Policy Manager Integration
- 408 Introduction
- 408 Important Points to Remember
- 409 Enabling Downloadable Role on a Controller
- 409 Sample Configuration
- 417 Virtual APs
- 417 Virtual AP Configuration Workflow
- 418 Virtual AP Profiles
- 426 Changing a Virtual AP Forwarding Mode
- 427 Radio Resource Management (802.11k)
- 434 BSS Transition Management (802.11v)
- 434 Fast BSS Transition (802.11r)
- 436 SSID Profiles
- 443 WLAN Authentication
- 446 High-Throughput Virtual APs
- 451 Guest WLANs
- 454 Changing a Virtual AP Forwarding Mode
- 455 Adaptive Radio Management
- 455 Understanding ARM
- 457 Client Match
- 459 ARM Coverage and Interference Metrics
- 460 Configuring ARM Profiles
- 470 Assigning an ARM Profile to an AP Group
- 470 Using Multi-Band ARM for 802.11a/802.11g Traffic
- 471 Band Steering
- 472 Dynamic Bandwidth Switch
- 473 Enabling Traffic Shaping
- 475 Traffic Steering
- 476 Spectrum Load Balancing
- 476 Reusing Channels to Control RX Sensitivity Tuning
- 477 Configuring Non-802.11 Noise Interference Immunity
- 477 Troubleshooting ARM
- 479 Wireless Intrusion Prevention
- 479 Working with the Reusable Wizard
- 482 Monitoring the Dashboard
- 483 Detecting Rogue APs
- 486 Working with Intrusion Detection
- 498 Configuring Intrusion Protection
- 502 Configuring the WLAN Management System
- 505 Understanding Client Blacklisting
- 508 Working with WIP Advanced Features
- 508 Configuring TotalWatch
- 510 Administering TotalWatch
- 511 Tarpit Shielding Overview
- 512 Configuring Tarpit Shielding
- 513 Access Points
- 513 Important Points to Remember
- 514 AP Discovery Logic
- 527 Basic Functions and Features
- 528 Naming and Grouping APs
- 530 Understanding AP Configuration Profiles
- 537 Before you Deploy an AP
- 537 Enable Controller Discovery
- 538 Enable DHCP to Provide APs with IP Addresses
- 539 AP Provisioning Profiles
- 542 Configuring Installed APs
- 547 Optional AP Configuration Settings
- 563 RF Management
- 577 Optimizing APs Over Low-Speed Links
- 585 AP Scanning Optimization
- 587 Channel Group Scanning
- 588 Configuring AP Channel Assignments
- 590 Managing AP Console Settings
- 593 Link Aggregation Support on 220 Series, 270 Series, 320 Series, and 330 Series
- 596 Recording Consolidated AP-Provisioned Information
- 598 Intelligent Power Monitoring
- 600 Secure Enterprise Mesh
- 600 Mesh Overview Information
- 600 Mesh Configuration Procedures
- 600 Understanding Mesh Access Points
- 602 Understanding Mesh Links
- 604 Understanding Mesh Profiles
- 608 Understanding Remote Mesh Portals (RMPs)
- 609 Understanding the AP Boot Sequence
- 610 Mesh Deployment Solutions
- 612 Mesh Deployment Planning
- 614 Configuring Mesh Cluster Profiles
- 618 Creating and Editing Mesh Radio Profiles
- 623 Creating and Editing Mesh High-Throughput SSID Profiles
- 629 Configuring Ethernet Ports for Mesh
- 631 Provisioning Mesh Nodes
- 633 Verifying Your Mesh Network
- 635 Configuring Remote Mesh Portals (RMPs)
- 638 Increasing Network Uptime Through Redundancy and VRRP
- 638 High Availability
- 638 VRRP-Based Redundancy
- 639 High Availability Deployment Models
- 641 Client State Synchronization
- 642 High Availability Inter-Controller Heartbeats
- 642 High Availability Extended Controller Capacity
- 643 Configuring High Availability
- 645 High Availability Alerting
- 646 Migrating from VRRP or Backup-LMS Redundancy
- 648 Configuring VRRP Redundancy
- 656 RSTP
- 656 Understanding RSTP Migration and Interoperability
- 656 Working with Rapid Convergence
- 657 Configuring RSTP
- 659 Troubleshooting RSTP
- 660 PVST+
- 660 Understanding PVST+ Interoperability and Best Practices
- 660 Enabling PVST+ in the CLI
- 661 Enabling PVST+ in the WebUI
- 662 Link Layer Discovery Protocol
- 662 Important Points to Remember
- 662 LLDP Overview
- 663 Configuring LLDP
- 664 Monitoring LLDP Configuration
- 668 IP Mobility
- 668 Understanding Aruba Mobility Architecture
- 669 Configuring Mobility Domains
- 673 Tracking Mobile Users
- 675 Configuring Advanced Mobility Functions
- 684 Understanding Bridge Mode Mobility Deployments
- 684 Enabling Mobility Multicast
- 689 External Firewall Configuration
- 689 Understanding Firewall Port Configuration Among Aruba Devices
- 690 Enabling Network Access
- 690 Ports Used for Virtual Intranet Access (VIA)
- 692 Configuring Ports to Allow Other Traffic Types
- 693 PAPI Enhanced Security
- 693 Interoperability
- 693 Configuring PAPI Enhanced Security
- 694 Verifying PAPI Enhanced Security
- 695 Palo Alto Networks Firewall Integration
- 695 Limitation
- 695 Preconfiguration on the PAN Firewall
- 697 Configuring PAN Firewall Integration
- 701 Remote Access Points
- 701 About Remote Access Points
- 703 Configuring the Secure Remote Access Point Service
- 709 Deploying a Branch/Home Office Solution
- 714 Enabling Remote AP Advanced Configuration Options
- 728 Understanding Split Tunneling
- 734 Understanding Bridge
- 739 Provisioning Wi-Fi Multimedia
- 739 Reserving Uplink Bandwidth
- 740 Provisioning 4G USB Modems on Remote Access Points
- 742 Provisioning RAPs at Home
- 745 Configuring RAP-3WN and RAP-3WNP Access Points
- 746 Converting an IAP to RAP or CAP
- 747 Enabling Bandwidth Contract Support for RAPs
- 750 RAP TFTP Image Upgrade
- 753 Virtual Intranet Access
- 754 Spectrum Analysis
- 754 Understanding Spectrum Analysis
- 759 Creating Spectrum Monitors and Hybrid APs
- 761 Connecting Spectrum Devices to the Spectrum Analysis Client
- 764 Configuring the Spectrum Analysis Dashboards
- 767 Customizing Spectrum Analysis Graphs
- 793 Working with Non-Wi-Fi Interferers
- 795 Understanding the Spectrum Analysis Session Log
- 795 Viewing Spectrum Analysis Data
- 796 Recording Spectrum Analysis Data
- 799 Troubleshooting Spectrum Analysis
- 801 Dashboard Monitoring
- 801 WAN
- 802 Performance
- 803 Usage
- 804 Potential Issues
- 804 Traffic Analysis
- 826 AirGroup
- 827 Security
- 827 UCC
- 829 Controller
- 831 WLANs
- 832 Access Points
- 832 Clients
- 833 Firewall
- 839 Automatic Reporting (PhoneHome)
- 839 Pre-Deployment Information
- 839 Configuration Procedures
- 839 Sending Reports to Activate vs. SMTP Servers
- 840 Configuring PhoneHome Automatic Reporting
- 841 Sending an Individual Report
- 842 Viewing Report Status
- 843 PhoneHome-Lite
- 844 Management Access
- 844 Configuring Certificate Authentication for WebUI Access
- 845 Secure Shell (SSH)
- 846 WebUI Session Timer
- 847 Enabling RADIUS Server Authentication
- 853 Connecting to an AirWave Server
- 856 Custom Certificate Support for RAP
- 858 Implementing a Specific Management Password Policy
- 860 Configuring AP Image Preload
- 863 Configuring Centralized Image Upgrades
- 865 Managing Certificates
- 871 Configuring SNMP
- 873 Enabling Capacity Alerts
- 874 Configuring Logging
- 878 Enabling Guest Provisioning
- 894 Managing Files on the Controller
- 897 Setting the System Clock
- 899 ClearPass Profiling with IF-MAP
- 900 Whitelist Synchronization
- 901 Downloadable Regulatory Table
- 904 802.11u Hotspots
- 904 Hotspot Profile Configuration Tasks
- 904 Hotspot 2.0 Overview
- 907 Configuring Hotspot 2.0 Profiles
- 911 Configuring Hotspot Advertisement Profiles
- 913 Configuring ANQP Venue Name Profiles
- 915 Configuring ANQP Network Authentication Profiles
- 916 Configuring ANQP Domain Name Profiles
- 917 Configuring ANQP IP Address Availability Profiles
- 918 Configuring ANQP NAI Realm Profiles
- 921 Configuring ANQP Roaming Consortium Profiles
- 921 Configuring ANQP 3GPP Cellular Network Profiles
- 922 Configuring H2QP Connection Capability Profiles
- 924 Configuring H2QP Operator Friendly Name Profiles
- 925 Configuring H2QP Operating Class Indication Profiles
- 926 Configuring H2QP WAN Metrics Profiles
- 927 Configuring H2QP OSU Provider List Profiles
- 930 Adding Local Controllers
- 930 Moving to a Multi-Controller Environment
- 933 Configuring Local Controllers
- 935 Uplink Monitoring and Management
- 937 Voice and Video
- 937 Voice and Video License Requirements
- 937 Configuring Voice and Video
- 946 Working with QoS for Voice and Video
- 955 Unified Communication and Collaboration
- 974 Understanding Extended Voice and Video Features
- 998 Advanced Voice Troubleshooting
- 1004 AirGroup
- 1004 Zero Configuration Networking
- 1004 AirGroup Solution
- 1008 AirGroup Integrated Deployment Model
- 1009 Features Supported in AirGroup
- 1014 ClearPass Policy Manager and ClearPass Guest Features
- 1014 Auto-association and Controller-based Policy
- 1016 Best Practices and Limitations
- 1020 Integrated Deployment Model
- 1028 Controller Dashboard Monitoring
- 1031 Configuring the AirGroup-CPPM Interface
- 1038 Bluetooth-Based Discovery and AirGroup
- 1039 AirGroup mDNS Static Records
- 1041 mDNS AP VLAN Aggregation
- 1043 mDNS Multicast Response Propagation
- 1045 Troubleshooting and Log Messages
- 1048 Instant AP VPN Support
- 1048 Overview
- 1053 VPN Configuration
- 1054 Viewing Branch Status
- 1056 External Services Interface
- 1056 Sample ESI Topology
- 1058 Understanding the ESI Syslog Parser
- 1060 Configuring ESI
- 1067 Sample Route-Mode ESI Topology
- 1072 Sample NAT-mode ESI Topology
- 1077 Understanding Basic Regular Expression (BRE) Syntax
- 1080 External User Management
- 1080 Overview
- 1080 How the ArubaOS XML API Works
- 1080 Creating an XML Request
- 1083 XML Response
- 1086 Using the XML API Server
- 1091 Sample Scripts
- 1097 Behavior and Defaults
- 1097 Understanding Mode Support
- 1099 Understanding Basic System Defaults
- 1107 Understanding Default Management User Roles
- 1110 Understanding Default Open Ports
- 1113 DHCP with Vendor-Specific Options
- 1113 Configuring a Windows-Based DHCP Server
- 1116 Enabling DHCP Relay Agent Information Option (Option-82)
- 1118 Enabling Linux DHCP Servers
- 1120 802.1X Configuration for IAS and Windows Clients
- 1120 Configuring Microsoft IAS
- 1122 Configuring Management Authentication using IAS
- 1124 Windows XP Wireless Client Sample Configuration
- 1127 Glossary of Terms