Dell Powerconnect W 3400 Users Manual ArubaOS 6.4.x User Guide

2015-01-05

: Dell Dell-Powerconnect-W-3400-Users-Manual-136628 dell-powerconnect-w-3400-users-manual-136628 dell pdf

Open the PDF directly: View PDF .
Page Count: 1079 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Contents
About this Guide
- What's New In ArubaOS 6.4.x
- What’s New In ArubaOS 6.4.0.0
- Fundamentals
  - WebUI
  - CLI
- Related Documents
- Conventions
- Contacting Dell
The Basic User-Centric Networks
- Understanding Basic Deployment and Configuration Tasks
- Configuring the Controller
  - Running Initial Setup
  - Connecting to the Controller after Initial Setup
- Dell W-7200 Series Controller
  - New Port Numbering Scheme
  - Individual Port Behavior
- Using the LCD Screen
- Configuring a VLAN to Connect to the Network
- Enabling Wireless Connectivity
- Configuring Your User-Centric Network
Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
  - In the WebUI
  - In the CLI
- Managing AP Whitelists
- Managing Whitelists on Master and Local Controllers
  - Campus AP Whitelist Synchronization
  - Viewing and Managing the Master or Local Controller Whitelists
- Working in Environments with Multiple Master Controllers
  - Configuring Networks with a Backup Master Controller
  - Configuring Networks with Clusters of Master Controllers
- Replacing a Controller on a Multi-Controller Network
  - Replacing Controllers in a Single Master Network
  - Replacing Controllers in a Multi-Master Network
- Configuring Control Plane Security after Upgrading
- Troubleshooting Control Plane Security
Software Licenses
- Understanding License Terminology
- Working with Licenses
- Centralized Licensing in a Multi-Controller Network
- Using Licenses
- Understanding License Interaction
- License Installation Best Practices and Exceptions
- Installing a License
- Deleting a License
- Moving Licenses
- Resetting the Controller
Network Configuration Parameters
- Configuring VLANs
- Configuring Ports
- Understanding VLAN Assignments
- Configuring Static Routes
  - In the WebUI
  - In the CLI
- Configuring the Loopback IP Address
  - In the WebUI
  - In the CLI
- Configuring the Controller IP Address
  - Using the CLI
- Configuring GRE Tunnels
- Configuring GRE Tunnel Group
  - Creating a Tunnel Group
    - In the WebUI
    - In the CLI
- Jumbo Frame Support
IPv6 Support
- Understanding IPv6 Notation
- Understanding IPv6 Topology
- Enabling IPv6
- Enabling IPv6 Support for Controller and APs
- Filtering an IPv6 Extension Header (EH)
- Configuring a Captive Portal over IPv6
- Working with IPv6 Router Advertisements (RAs)
  - Configuring an IPv6 RA on a VLAN
    - Using WebUI
    - Using CLI
  - Configuring Optional Parameters for RAs
    - In the WebUI
    - In the CLI
- RADIUS Over IPv6
  - In the CLI
  - In the WebUI
- TACACS Over IPv6
  - In the CLI
  - In the WebUI
- DHCPv6 Server
- Understanding ArubaOS Supported Network Configuration for IPv6 Clients
  - Supported Network Configuration
  - Understanding the Network Connection Sequence for Windows IPv6 Clients
- Understanding ArubaOS Authentication and Firewall Features that Support IPv6
- Managing IPv6 User Addresses
- Understanding IPv6 Exceptions and Best Practices
Link Aggregation Control Protocol (LACP)
- Understanding LACP Best Practices and Exceptions
- Configuring LACP
  - In the CLI
  - In the WebUI
- LACP Sample Configuration
OSPFv2
- Understanding OSPF Deployment Best Practices and Exceptions
- Understanding OSPFv2 by Example using a WLAN Scenario
  - WLAN Topology
  - WLAN Routing Table
- Understanding OSPFv2 by Example using a Branch Office Scenario
  - Branch Office Topology
  - Branch Office Routing Table
- Configuring OSPF
  - Exporting VPN Client Addresses to OSPF
    - In the WebUI
    - In the CLI
- Sample Topology and Configuration
Tunneled Nodes
- Understanding Tunneled Node Configuration
- Configuring a Wired Tunneled Node Client
Authentication Servers
- Understanding Authentication Server Best Practices and Exceptions
- Understanding Servers and Server Groups
- Configuring Authentication Servers
- Managing the Internal Database
- Configuring Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
  - Setting an Authentication Timer
    - Using the WebUI
    - Using the CLI
- Authentication Server Load Balancing
  - Enabling Authentication Server Load Balancing Functionality
MAC-based Authentication
- Configuring MAC-Based Authentication
  - Configuring the MAC Authentication Profile
    - Using the WebUI to configure a MAC authentication profile
    - Using the CLI to configure a MAC authentication profile
- Configuring Clients
  - In the WebUI
  - In the CLI
802.1X Authentication
- Understanding 802.1X Authentication
- Configuring 802.1X Authentication
- Enabling 802.1x Supplicant Support on an AP
  - Prerequisites
  - Provisioning an AP as an 802.1X Supplicant
    - In the WebUI
    - In the CLI
- Sample Configurations
- Performing Advanced Configuration Options for 802.1X
  - Configuring Reauthentication with Unicast Key Rotation
    - In the WebUI
    - In the CLI
- Application Single Sign-On Using L2 Authentication
Stateful and WISPr Authentication
- Working With Stateful Authentication
- Working With WISPr Authentication
- Understanding Stateful Authentication Best Practices
- Configuring Stateful 802.1X Authentication
  - In the WebUI
  - In the CLI
- Configuring Stateful NTLM Authentication
  - In the WebUI
  - In the CLI
- Configuring Stateful Kerberos Authentication
  - In the WebUI
  - In the CLI
- Configuring WISPr Authentication
  - In the WebUI
  - In the CLI
Certificate Revocation
- Understanding OCSP and CRL
  - Configuring a Controller as OCSP and CRL Clients
  - Configuring an OCSP Controller as a Responder
- Configuring the Controller as an OCSP Client
  - In the WebUI
  - In the CLI
- Configuring the Controller as a CRL Client
  - In the WebUI
  - In the CLI
- Configuring the Controller as an OCSP Responder
  - In the WebUI
  - In the CLI
- Certificate Revocation Checking for SSH Pubkey Authentication
Captive Portal Authentication
- Understanding Captive Portal
  - Policy Enforcement Firewall Next Generation (PEFNG) License
  - Controller Server Certificate
- Configuring Captive Portal in the Base Operating System
  - In the WebUI
  - In the CLI
- Using Captive Portal with a PEFNG License
  - Configuring Captive Portal in the WebUI
  - Configuring Captive Portal in the CLI
- Sample Authentication with Captive Portal
- Configuring Guest VLANs
  - In the WebUI
  - In the CLI
- Configuring Captive Portal Authentication Profiles
- Enabling Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Creating and Installing an Internal Captive Portal
- Creating Walled Garden Access
  - In the WebUI
  - In the CLI
- Enabling Captive Portal Enhancements
Virtual Private Networks
- Planning a VPN Configuration
- Working with VPN Authentication Profiles
- Configuring a Basic VPN for L2TP/IPsec in the WebUI
- Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI
- Configuring a VPN for Smart Card Clients
  - Working with Smart Card clients using IKEv2
  - Working with Smart Card Clients using IKEv1
- Configuring a VPN for Clients with User Passwords
  - In the WebUI
  - In the CLI
- Configuring Remote Access VPNs for XAuth
  - Configuring VPNs for XAuth Clients using Smart Cards
  - Configuring a VPN for XAuth Clients Using a Username and Password
- Working with Remote Access VPNs for PPTP
  - In the WebUI
  - In the CLI
- Working with Site-to-Site VPNs
- Working with VPN Dialer
  - Configuring VPN Dialer
    - In the WebUI
    - In the CLI
  - Assigning a Dialer to a User Role
    - In the WebUI
    - In the CLI
Roles and Policies
- Configuring Firewall Policies
- User Roles
  - In the WebUI
  - In the CLI
- Assigning User Roles
- Understanding Global Firewall Parameters
- Using AppRF 2.0
ClearPass Policy Manager Integration
- Introduction
- Important Points to Remember
- Enabling Downloadable Role on a Controller
  - Using the WebUI
  - Using the CLI
- Sample Configuration
  - CPPM Server Configuration
  - Controller Configuration
Virtual APs
- Virtual AP Profiles
- Virtual AP Configuration Workflow
  - Using the WebUI
  - Using the CLI
- Radio Resource Management (802.11k)
- BSS Transition Management (802.11v)
  - Frame Types
  - 802.11k and 802.11v clients
- Fast BSS Transition ( 802.11r)
- SSID Profiles
  - SSID Profile Overview
  - Configuring the SSID Profile
    - In the WebUI
    - In the CLI
- WLAN Authentication
  - Configuring an AAA Profile in the WebUI
  - Configuring an AAA Profile in the CLI
- High-Throughput Virtual APs
- Guest WLANs
Adaptive Radio Management (ARM)
- ARM Feature Overviews
- Configuring ARM Settings
- ARM Troubleshooting
- Understanding ARM
  - ARM Support for 802.11n
  - Monitoring Your Network with ARM
- Client Match
- ARM Coverage and Interference Metrics
- Configuring ARM Profiles
- Assigning an ARM Profile to an AP Group
  - In the WebUI
  - In the CLI
- Using Multi-Band ARM for 802.11a/802.11g Traffic
- Band Steering
  - Steering Modes
  - Enabling Band Steering
    - In the WebUI
    - In the CLI
- Enabling Traffic Shaping
  - Enabling Traffic Shaping
    - In the WebUI
    - In the CLI
  - Enabling or Disabling the Hard Limit Parameter in Traffic Management Profile
    - Using the WebUI
    - Using the CLI
- Spectrum Load Balancing
- Reusing Channels to Control RX Sensitivity Tuning
- Configuring Non-802.11 Noise Interference Immunity
- Troubleshooting ARM
Wireless Intrusion Prevention
- Working with the Reusable Wizard
  - Understanding Wizard Intrusion Detection
  - Understanding Wizard Intrusion Protection
    - Protecting Your Infrastructure
    - Protecting Your Clients
- Monitoring the Dashboard
- Detecting Rogue APs
- Working with Intrusion Detection
  - Understanding Infrastructure Intrusion Detection
  - Understanding Client Intrusion Detection
- Configuring Intrusion Protection
  - Understanding Infrastructure Intrusion Protection
  - Understanding Client Intrusion Protection
    - Protecting Valid Stations
    - Protecting Windows Bridge
- Configuring the WLAN Management System (WMS)
  - In the WebUI
  - In the CLI
    - Configuring Local WMS Settings
    - Managing the WMS Database
- Understanding Client Blacklisting
- Working with WIP Advanced Features
- Configuring TotalWatch
- Administering TotalWatch
- Tarpit Shielding Overview
- Configuring Tarpit Shielding
  - EnablingTarpit Shielding
  - Understanding Tarpit Shielding Licensing CLI Commands
Access Points (APs)
- Basic Functions and Features
- Naming and Grouping APs
  - Creating an AP group
    - In the WebUI
    - In the CLI
  - Assigning APs to an AP Group
    - In the WebUI
    - In the CLI
- Understanding AP Configuration Profiles
- Before you Deploy an AP
  - Mesh AP Preconfiguration
  - Remote AP Preconfiguration
- Enable Controller Discovery
- Enable DHCP to Provide APs with IP Addresses
  - In the WebUI
  - In the CLI
- AP Provisioning Profiles
  - Defining an AP Provisioning Profile
  - Assigning Provisioning Profiles
- Configuring Installed APs
- Optional AP Configuration Settings
- RF Management
- Optimizing APs Over Low-Speed Links
  - Configuring the Bootstrap Threshold
  - Prioritizing AP heartbeats
- Configuring AP Channel Assignments
- Managing AP Console Settings
- Link Aggregation Support on W-AP220 Series and W-AP270 Series
- Service Tag
  - In the WebUI
  - In the CLI
Secure Enterprise Mesh
- Mesh Overview Information
- Mesh Configuration Procedures
- Understanding Mesh Access Points
- Understanding Mesh Links
  - Link Metrics
  - Optimizing Links
- Understanding Mesh Profiles
- Understanding Remote Mesh Portals (RMPs)
- Understanding the AP Boot Sequence
- Mesh Deployment Solutions
- Mesh Deployment Planning
- Configuring Mesh Cluster Profiles
  - Managing Mesh Cluster Profiles in the WebUI
  - Managing Mesh Cluster Profiles in the CLI
- Creating and Editing Mesh Radio Profiles
- Creating and Editing Mesh High-Throughput SSID Profiles
  - Managing Mesh High-Throughput SSID Profiles in the WebUI
  - Managing Mesh High-Throughput SSID Profiles in the CLI
- Configuring Ethernet Ports for Mesh
- Provisioning Mesh Nodes
  - Provisioning Caveats
  - Provisioning Mesh Nodes
    - In the WebUI
    - In the CLI
- Verifying Your Mesh Network
  - Verification Checklist
  - CLI Examples
- Configuring Remote Mesh Portals (RMPs)
  - Creating a Remote Mesh Portal In the WebUI
  - Provisioning a Remote Mesh Portal In the CLI
Increasing Network Uptime Through Redundancy and VRRP
- High Availability
  - Pre-Deployment Information
  - Configuration Procedures
- VRRP-Based Redundancy
- High Availability Deployment Models
- Client State Synchronization
  - Feature Guidelines and Limitations
- High Availability Inter-Controller Heartbeats
- High Availability Extended Controller Capacity
- Configuring High Availability
  - Pre-Deployment Information
  - Configuring High Availability
    - In the WebUI
    - In the CLI
- Migrating from VRRP or Backup-LMS Redundancy
  - Configuring a Master Controller for Redundancy and High Availability:
    - Migrating from VRRP Redundancy
    - Migrating from Backup-LMS Redundancy
- Configuring VRRP Redundancy
RSTP
- Understanding RSTP Migration and Interoperability
- Working with Rapid Convergence
  - Edge Port and Point-to-Point
- Configuring RSTP
- Troubleshooting RSTP
PVST+
- Understanding PVST+ Interoperability and Best Practices
- Enabling PVST+ in the CLI
- Enabling PVST+ in the WebUI
Link Layer Discovery Protocol
- Important Points to Remember
- LLDP Overview
  - Default LLDP Configuration
- Configuring LLDP
- Monitoring LLDP Configuration
IP Mobility
- Understanding Dell Mobility Architecture
- Configuring Mobility Domains
- Tracking Mobile Users
- Configuring Advanced Mobility Functions
- Understanding Bridge Mode Mobility Deployments
- Enabling Mobility Multicast
Palo Alto Networks Firewall Integration
- Limitations
- Preconfiguration on the PAN Firewall
  - User-ID Support
  - Device-Type Based Policy Support
- Configuring PAN Firewall Integration
External Firewall Configuration
- Understanding Firewall Port Configuration Among Dell Devices
- Enabling Network Access
- Ports Used for Virtual Internet Access (VIA)
- Configuring Ports to Allow Other Traffic Types
Remote Access Points
- About Remote Access Points
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
- Enabling Remote AP Advanced Configuration Options
- Understanding Split Tunneling
- Understanding Bridge
- Provisioning Wi-Fi Multimedia
- Reserving Uplink Bandwidth
  - Understanding Bandwidth Reservation for Uplink Voice Traffic
  - Configuring Bandwidth Reservation
    - In the WebUI
    - In the CLI
- Provisioning 4G USB Modems on Remote Access Points
- Provisioning RAPs at Home
  - Prerequisites
  - Provisioning RAP Using Zero Touch Provisioning
- Configuring W-IAP3WN and W-IAP3WNP Access Points
  - Using the WebUI
  - Using the CLI
- Converting an IAP to RAP or CAP
  - Converting IAP to RAP
  - Converting an IAP to CAP
- Enabling Bandwidth Contract Support for RAPs
  - Configuring Bandwidth Contracts for RAP
Virtual Intranet Access
- Understanding VIA Connection Manager
- Configuring the VIA Controller
- Downloading VIA
Spectrum Analysis
- Understanding Spectrum Analysis
- Creating Spectrum Monitors and Hybrid APs
- Connecting Spectrum Devices to the Spectrum Analysis Client
  - View Connected Spectrum Analysis Devices
  - Disconnecting a Spectrum Device
- Configuring the Spectrum Analysis Dashboards
- Customizing Spectrum Analysis Graphs
  - Spectrum Analysis Graph Configuration Options
- Working with Non-Wi-Fi Interferers
- Understanding the Spectrum Analysis Session Log
- Viewing Spectrum Analysis Data
- Recording Spectrum Analysis Data
- Troubleshooting Spectrum Analysis
Dashboard Monitoring
- Performance
- Usage
- Security
- Potential Issues
- WLANs
- Access Points
- Clients
- Firewall
- AppRF
  - All Traffic
  - Web Content Classification
- AirGroup
- UCC
  - Chart View
  - Details View
Management Access
- Configuring Certificate Authentication for WebUI Access
  - In the WebUI
  - In the CLI
- Secure Shell (SSH)
- Enabling Public Key Authentication
  - In the WebUI
  - In the CLI
- Enabling RADIUS Server Authentication
- Connecting to an AirWave Server
- Custom Certificate Support for RAP
  - Suite-B Support for ECDSA Certificate
- Implementing a Specific Management Password Policy
  - Defining a Management Password Policy
    - In the WebUI
  - Management Authentication Profile Parameters
- Configuring AP Image Preload
  - Enable and Configure AP Image Preload
    - In the WebUI
    - In the CLI
  - View AP Preload Status
- Configuring Centralized Image Upgrades
  - Configuring Centralized Image Upgrades
    - Using the WebUI
    - In the CLI
  - Viewing Controller Upgrade Statistics
- Managing Certificates
- Configuring SNMP
  - SNMP Parameters for the Controller
    - In the WebUI
    - In the CLI
- Enabling Capacity Alerts
- Configuring Logging
  - In the WebUI
  - In the CLI
- Enabling Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- ClearPass Profiling with IF-MAP
  - In the WebUI
  - In the CLI
- Whitelist Synchronization
  - In the WebUI
  - In the CLI
- Downloadable Regulatory Table
802.11u Hotspots
- Hotspot 2.0 Pre-Deployment Information
- Hotspot Profile Configuration Tasks
- Hotspot 2.0 Overview
- Configuring Hotspot 2.0 Profiles
  - In the WebUI
  - In the CLI
- Configuring Hotspot Advertisement Profiles
  - Configuring an Advertisement Profile
    - In the WebUI
    - In the CLI
  - Associating the Advertisement Profile to a Hotspot 2.0 Profile
    - In the WebUI
    - In the CLI
- Configuring ANQP Venue Name Profiles
- Configuring ANQP Network Authentication Profiles
  - In the WebUI
  - In the CLI
- Configuring ANQP Domain Name Profiles
  - In the WebUI
  - In the CLI
- Configuring ANQP IP Address Availability Profiles
  - In the WebUI
  - In the CLI
- Configuring ANQP NAI Realm Profiles
  - In the WebUI
  - In the CLI
- Configuring ANQP Roaming Consortium Profiles
  - In the WebUI
  - In the CLI
- Configuring ANQP 3GPP Cellular Network Profiles
  - In the WebUI
  - In the CLI
- Configuring H2QP Connection Capability Profiles
  - In the WebUI
  - In the CLI
- Configuring H2QP Operator Friendly Name Profiles
  - In the WebUI
  - In the CLI
- Configuring H2QP Operating Class Indication Profiles
  - In the WebUI
  - In the CLI
- Configuring H2QP WAN Metrics Profiles
  - In the WebUI
  - In the CLI
Adding Local Controllers
- Configuring Local Controllers
- Moving to a Multi-Controller Environment
  - Configuring a Preshared Key
  - Configuring a Controller Certificate
    - Using the CLI to configure a Local Controller Certificate
    - Using the CLI to configure the Master Controller Certificate
Advanced Security
- Securing Client Traffic
- Securing Controller-to-Controller Communication
  - Configuring Controllers for xSec
    - In the WebUI
    - In the CLI
- Configuring the Odyssey Client on Client Machines
  - Installing the Odyssey Client
Voice and Video
- Voice and Video License Requirements
- Configuring Voice and Video
- Working with QoS for Voice and Video
- Unified Communication and Collaboration
- Understanding Extended Voice and Video Features
- Advanced Voice Troubleshooting
AirGroup
- Zero Configuration Networking
- AirGroup Solution
- AirGroup Deployment Models
  - Integrated Deployment Model
  - AirGroup with ClearPass Policy Manager
- Features Supported in AirGroup
- ClearPass Policy Manager and ClearPass Guest Features
- Best Practices and Limitations
- Integrated Deployment Model
  - Master-Local Controller Synchronization
  - Configuring an AirGroup Integrated Deployment Model
- Controller Dashboard Monitoring
- Configuring the AirGroup-CPPM Interface
- AirGroup mDNS Static Records
  - Important Points to Remember
  - Creating mDNS Static Records on a Controller
    - Group mDNS Static Records
    - Individual Static mDNS Records
- Troubleshooting and Log Messages
Instant AP VPN Support
- Overview
- VPN Configuration
- Viewing Branch Status
  - Example
W-600 Series Controllers
- Connecting with a USB Cellular Modems
- Configuring a Supported USB Modem
- Configuring a New USB Modem
External Services Interface
- Sample ESI Topology
- Understanding the ESI Syslog Parser
- Configuring ESI
- Sample Route-mode ESI Topology
- Sample NAT-mode ESI Topology
- Understanding Basic Regular Expression (BRE) Syntax
External User Management
- Overview
  - Before you Begin
- Working with the ArubaOS XML API Works
- Creating an XML Request
- XML Response
  - Default Response Format
    - Response Codes
  - Query Command Response Format
- Using the XML API Server
- Sample Code
  - Using XML API in C Language
Behavior and Defaults
- Understanding Mode Support
- Understanding Basic System Defaults
- Understanding Default Management User Roles
- Understanding Default Open Ports
DHCP with Vendor-Specific Options
- Configuring a Windows-Based DHCP Server
  - Configuring Option 60
    - To configure option 60 on the Windows DHCP server
  - Configuring Option 43
    - To configure option 43 on the Windows DHCP server:
- Enabling DHCP Relay Agent Information Option (Option 82)
  - Configuring Option 82
    - In the WebUI
    - In the CLI
- Enabling Linux DHCP Servers
802.1X Configuration for IAS and Windows Clients
- Configuring Microsoft IAS
- Configuring Management Authentication using IAS
- Window XP Wireless Client Sample Configuration
Acronyms and Terms
- Acronyms
- Terms

Dell Networking W-Series

ArubaOS 6.4.x

User Guide

0511633-01v1 | August 2014 Dell Networking W-Series ArubaOS 6.4.x | User Guide

Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management

System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.

Originated in the USA. All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code

subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open

Source code used can be found at this site:

arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to

terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or

corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that

might be taken against it with respect to infringement of copyright on behalf of those vendors.

Dell Networking W-Series ArubaOS 6.4.x| User Guide Contents | 3

Contents

Contents 3

About this Guide 85

What's New In ArubaOS 6.4.x 85

What’s New In ArubaOS 6.4.0.0 89

Fundamentals 91

WebUI 91

CLI 91

Related Documents

The following guides are part of the complete documentation for the Dell user-centric network:

lDell Networking W-SeriesController Installation Guides

lDell Networking W-Series Access Point Installation Guides

lDell Networking W-Series ArubaOS Quick Start Guide

lDell Networking W-Series ArubaOS User Guide

lDell Networking W-Series ArubaOS Command Line Reference Guide

lDell Networking W-Series ArubaOS MIB Reference Guide

lDell Networking W-Series ArubaOS Release Notes

Conventions

The following conventions are used throughout this document to emphasize important concepts:

Type Style Description

Italics

This style is used to emphasize important terms and to mark the titles of books.

System items This fixed-width font depicts the following:

lSample screen output

lSystem prompts

lFilenames, software devices, and specific commands when mentioned in the text

Commands In the command examples, this bold font depicts text that you must type exactly as

shown.

Arguments

> In the command examples, italicized text within angle brackets represents items that

you should replace with information appropriate to your specific situation. For example:

#send <text message>

In this example, you would type “send” at the system prompt exactly as shown, followed

by the text of the message you wish to send. Do not type the angle brackets.

[Optional] Command examples enclosed in brackets are optional. Do not type the brackets.

{Item A |

Item B}

In the command examples, items within curled braces and separated by a vertical bar

represent the available choices. Enter only one choice. Do not type the braces or bars.

Table 6:

Typographical Conventions

The following informational icons are used throughout this guide:

Indicates helpful suggestions, pertinent information, and important things to remember.

Indicates a risk of damage to your hardware or loss of data.

Indicates a risk of personal injury or death.

Contacting Dell

Web Site Support

Main Website dell.com

Contact Information dell.com/contactdell

Support Website dell.com/support

Documentation Website dell.com/support/manuals

Table 7: Contact Information

Dell Networking W-Series ArubaOS 6.4.x | User Guide About this Guide | 93

Dell Networking W-Series ArubaOS 6.4.x| User Guide The Basic User-Centric Networks | 94

Chapter 1

The Basic User-Centric Networks

This chapter describes how to connect a Dell controller and Dell AP to your wired network. After completing the

tasks described in this chapter, see Access Points (APs) on page 485 for information on configuring APs.

This chapter describes the following topics:

lConfiguring Your User-Centric Network on page 106

lUnderstanding Basic Deployment and Configuration Tasks on page 94

lConfiguring the Controller on page 97

lConfiguring a VLAN to Connect to the Network on page 102

lEnabling Wireless Connectivity on page 105

Understanding Basic Deployment and Configuration Tasks

This section describes typical deployment scenarios and the tasks you must perform while connecting to a Dell

controller and Dell AP to your wired network. For details on performing the tasks mentioned in these scenarios,

refer to the other procedures within the Basic User-Centric Networks section of this document.

Deployment Scenario #1: Controller and APs on Same Subnet

Figure 1 Controller and APs on Same Subnet

In this deployment scenario, the APs and controller are on the same subnetwork and will use IP addresses

assigned to the subnetwork. The router is the default gateway for the controller and clients.There are no

routers between the APs and the controller. APs can be physically connected directly to the controller. The

uplink port on the controller is connected to a layer-2 switch or router.

For this scenario, you must perform the following tasks:

1. Run the initial setup wizard.

lSet the IP address of VLAN 1.

lSet the default gateway to the IP address of the interface of the upstream router to which you will

connect the controller.

2. Connect the uplink port on the controller to the switch or router interface. By default, all ports on the

controller are access ports and will carry traffic for a single VLAN.

3. Deploy APs. The APs will use the Aruba Discovery Protocol (ADP) to locate the controller.

4. Configure the SSID(s) with VLAN 1 as the assigned VLAN for all users.

95 | The Basic User-Centric Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

Deployment Scenario #2: APs All on One Subnet Different from Controller Subnet

Figure 2 APs All on One Subnet Different from Controller Subnets

In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on

multiple subnetworks. The controller acts as a router for the wireless subnetworks (the controller is the default

gateway for the wireless clients). The uplink port on the controller is connected to a layer-2 switch or router;

this port is an access port in VLAN 1.

For this scenario, you must perform the following tasks:

1. Run the initial setup wizard.

lSet the IP address for VLAN 1.

lSet the default gateway to the IP address of the interface of the upstream router to which you will

connect the controller.

2. Connect the uplink port on the controller to the switch or router interface.

3. Deploy APs. The APs will use DNS or DHCP to locate the controller.

4. Configure VLANs for the wireless subnetworks on the controller.

5. Configure SSIDs with the VLANs assigned for each wireless subnetwork.

Each wireless client VLAN must be configured on the controller with an IP address. On the uplink switch or router, you

must configure static routes for each client VLAN, with the controller’s VLAN 1 IP address as the next hop.

Deployment Scenario #3: APs on Multiple Different Subnets from Controllers

Figure 3 APs on Multiple Different Subnets from Controllers

In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on

multiple subnetworks. There are routers between the APs and the controller. The controller is connected to a

layer-2 switch or router through a trunk port that carries traffic for all wireless client VLANs. An upstream

router functions as the default gateway for the wireless users.

Dell Networking W-Series ArubaOS 6.4.x | User Guide The Basic User-Centric Networks | 96

97 | The Basic User-Centric Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

This deployment scenario does not use VLAN 1 to connect to the layer-2 switch or router through the trunk port. The

initial setup prompts you for the IP address and default gateway for VLAN 1; use the default values. In later steps, you

configure the appropriate VLAN to connect to the switch or router as well as the default gateway.

For this scenario, you must perform the following tasks:

1. Run the initial setup.

lUse the default IP address for VLAN 1. Since VLAN 1 is not used to connect to the layer-2 switch or router

through the trunk port, you must configure the appropriate VLAN in a later step.

lDo not specify a default gateway (use the default “none”). In a later step, you configure the default

gateway.

2. Create a VLAN that has the same VLAN ID as the VLAN on the switch or router to which you will connect the

controller. Add the uplink port on the controller to this VLAN and configure the port as a trunk port.

3. Add client VLANs to the trunk port.

4. Configure the default gateway on the controller. This gateway is the IP address of the router to which you

will connect the controller.

5. Configure the loopback interface for the controller.

6. Connect the uplink port on the controller to the switch or router interface.

7. Deploy APs. The APs will use DNS or DHCP to locate the controller.

8. Now configure VLANs on the controller for the wireless client subnetworks and configure SSIDs with the

VLANs assigned for each wireless subnetwork.

Configuring the Controller

The tasks in deploying a basic user-centric network fall into two main areas:

lConfiguring and connecting the controller to the wired network (described in this section)

lDeploying APs (described later in this section)

To connect the controller to the wired network:

1. Run the initial setup to configure administrative information for the controller.

Initial setup can be done using the browser-based Setup Wizard or by accessing the initial setup dialog via a

serial port connection. Both methods are described in the Dell Networking W-Series ArubaOS Quick Start

Guide and are referred to throughout this chapter as “initial setup.”

2. (Deployment #3) Configure a VLAN to connect the controller to your network. You do not need to perform

this step if you are using VLAN 1 to connect the controller to the wired network.

3. (Optional) Configure a loopback address for the controller. You do not need to perform this step if you are

using the VLAN 1 IP address as the controller’s IP address. Disable spanning tree on the controller if

necessary.

4. Configure the system clock.

5. (Optional) Install licenses; refer to Software Licenses on page 130.

6. Connect the ports on the controller to your network.

This section describes the steps in detail.

Running Initial Setup

When you connect to the controller for the first time using either a serial console or a Web browser, the initial

setup requires you to set the role (master or local) for the controller and passwords for administrator and

configuration access.

Do not connect the controller to your network when running the initial setup. The factory-default controller boots up

with a default IP address and both DHCP server and spanning tree functions are not enabled. Once you have

completed the initial setup, you can use either the CLI or WebUI for further configuration before connecting the

controller to your network.

The initial setup might require that you specify the country code for the country in which the controller will

operate; this sets the regulatory domain for the radio frequencies that the APs use.

You cannot change the country code for controllers designated for certain countries, such as the U.S. Improper

country code assignment can disrupt wireless transmissions. Many countries impose penalties and sanctions for

operators of wireless networks with devices set to improper country codes. If none of the channels supported by the

AP you are provisioning have received regulatory approval by the country whose country code you selected, the AP

will revert to Air Monitor mode.

The initial setup requires that you configure an IP address for the VLAN 1 interface, which you can use to access

and configure the controller remotely via an SSH or WebUI session. Configuring an IP address for the VLAN 1

interface ensures that there is an IP address and default gateway assigned to the controller upon completion

of the initial setup.

Connecting to the Controller after Initial Setup

After you complete the initial setup, the controller reboots using the new configuration. (See the Dell

Networking W-Series ArubaOS Quick Start Guide for information about using the initial setup.) You can then

connect to and configure the controller in several ways using the administrator password you entered during

the initial setup:

lYou can continue to use the connection to the serial port on the controller to enter the command line

interface (CLI). (Refer to Management Access on page 778 for information on how to access the CLI and

enter configuration commands.)

lYou can connect an Ethernet cable from a PC to an Ethernet port on the controller. You can then use one of

the following access methods:

nUse the VLAN 1 IP address to start an SSH session where you can enter CLI commands.

nEnter the VLAN 1 IP address in a browser window to start the WebUI.

nWebUi Wizards.

This chapter and the user guide in general focus on CLI and standard WebUI configuration examples. However, basic

controller configuration and WLAN/LAN creation can be completed using the alternative wizards from within the

WebUI. If you wish to use a configuration wizard, navigate to Configuration > Wizards, click on the desired wizard,

and follow the imbedded help instructions within the wizard.

Dell W-7200 Series Controller

The Dell W-7200 Series controller is a new controller platform that was introduced in conjunction with ArubaOS

6.2. This controller provides new functionality and improved capabilities over previous Dell controllers.

However, the W-7200 Series controller also introduces some changes that you must keep in mind when adding

it to your network.

New Port Numbering Scheme

The W-7200 Series controller uses a different port numbering scheme from previous controllers. All other

controller platforms use a slot/port numbering scheme. The W-7200 Series controller uses slot/module/port

Dell Networking W-Series ArubaOS 6.4.x | User Guide The Basic User-Centric Networks | 98

99 | The Basic User-Centric Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

instead.

It is important to consider this when migrating an older controller to the W-7200 Series. If you load a

configuration from a non-W-7200 controller, that controller will not have network connectivity because any

interface configuration will not be recognized. For information about migrating to a W-7200 Series controller,

see the Dell Networking W-Series ArubaOS 6.2 Release Notes.

Individual Port Behavior

The first two ports on the W-7200 Series controller, 0/0/0 and 0/0/1 are combination ports and can be used for

management, HA, and I/O. Ports 0/0/2 through 0/0/5 can only be used for I/O.

Using the LCD Screen

Some controllers are equipped with an LCD panel that displays a variety of information about the controller’s

status and provides a menu that allows for basic operations such as initial setup and reboot. The LCD panel

displays two lines of text with a maximum of 16 characters on each line. When using the LCD panel, the active

line is indicated by an arrow next to the first letter.

The LCD panel is operated using the two navigation buttons to the left of the screen.

lMenu: Allows you to navigate through the menus of the LCD panel.

lEnter: Confirms and executes the action currently displayed on the LCD panel.

The LCD has four modes:

lBoot: Displays the boot up status.

lLED Mode: Displays the mode that the STATUS LED is in.

lStatus: Displays the status of different components of the controller, including Power Supplies and

ArubaOS version.

lMaintenance: Allows you to execute some basic operations of the controller such as uploading an image or

rebooting the system.

Table 8: LCD Panel Mode: Boot

Function/Menu

Options Displays

Displays boot status "Booting ArubaOS...

Table 9: LCD Panel Mode: LED Mode

Function/Menu

Options Displays

Administrative LED MODE: ADM - displays whether the port is administratively enabled or dis-

abled.

Duplex LED MODE: DPX - displays the duplex mode of the port.

Speed LED MODE: SPD - displays the speed of the port.

Exit Idle Mode EXIT IDLE MENU

Table 10: LCD Panel Mode: Status

Function/Menu

Options Displays

ArubaOS Version ArubaOS X.X.X.X

PSU Status Displays status of the power supply unit.

PSU 0: [OK | FAILED | MISSING]

PSU 1: [OK | FAILED | MISSING]

Fan Tray Displays fan tray status.

FAN STATUS: [OK | ERROR | MISSING]

FAN TEMP: [OK | HIGH | SHUTDOWN]

Exit Status Menu EXIT STATUS

Table 11: LCD Panel Mode: Maintenance

Function/Menu

Options Displays

Upgrade Image Upgrade the software image on the selected partition from a predefined loc-

ation on the attached USB flash device.

Partition [0 | 1] Upgrade Image [no | yes]

Upload Config Uploads the controller’s current configuration to a predefined location on the

attached USB flash device.

Upload Config [no | yes]

Factory Default Allows you to return the controller to the factory default settings.

Factory Default [no | yes]

Media Eject Completes the reading or writing of the attached USB device.

Media Eject [no | yes]

System Reboot Allows you to reboot the controller.

Reboot [no | yes]

System Halt Allows you to halt the controller.

Halt [no | yes]

Exit Maintenance Menu EXIT MAINTENANCE

Using the LCD and USB Drive

You can upgrade your image or upload your pre-saved configuration by using your USB drive and your LCD

commands.

Dell Networking W-Series ArubaOS 6.4.x | User Guide The Basic User-Centric Networks | 100

101 | The Basic User-Centric Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

Upgrading an Image

1. Copy a new controller image onto your USB drive into a directory named /Dellimage.

2. Insert your USB drive into the controller’s USB slot. Wait for 30 seconds for the controller to mount the

USB.

3. Navigate to Upgrage Image in the LCD’s Maintenance menu. Select partition and confirm the upgrade (Y/N)

and then wait for controller to copy the image from USB to the system partition.

4. Execute a system reboot either from the LCD menu or from the command line to complete the upgrade.

Uploading a Pre-saved Configuration

1. Copy your pre-saved configuration and name the copied file Dell_usb.cfg.

2. Move your pre-saved configuration file onto your USB drive into a directory named /Dellimage.

3. Insert your USB drive into the controller’s USB slot. Wait for 30 seconds for the controller to mount the

USB.

4. Navigate to the Upload Config in the LCD’s Maintenance menu. Confirm the upload (Y/N) and then wait for

the upload to complete.

5. Execute a system reboot either from the LCD menu or from the command line to reload from the uploaded

configuration.

For detailed upgrade and upload instruction, see the Upgrade Chapter in the Release Notes.

Disabling LCD Menu Functions

For security purpose, you can disable all LCD menu functions by disabling the entire menu functionality using

the following command:

(host) (config) #lcd-menu

(host) (lcd-menu) #disable menu

To prevent inadvertent menu changes, you can disable LCD individual menu function using the following

commands:

(host) (lcd-menu) #disable menu maintenance ?

factory-default Disable factory default menu

media-eject Disable media eject menu on LCD

system-halt Disable system halt menu on LCD

system-reboot Disable system reboot menu on LCD

upgrade-image Disable image upgrade menu on LCD

upload-config Disable config upload menu on LCD

To display the current LCD functionality from the command line, use the following command:

(host) (config) #show lcd-menu

lcd-menu

--------

Parameter Value

--------- -----

menu maintenance upgrade-image partition0 enabled

menu maintenance upgrade-image partition1 enabled

menu maintenance upgrade-image enabled

menu maintenance upload-config enabled

menu maintenance factory-default enabled

menu maintenance media-eject enabled

menu maintenance reload-system enabled

menu maintenance halt-system enabled

menu maintenance enabled

menu enabled

Configuring a VLAN to Connect to the Network

You must follow the instructions in this section only if you need to configure a trunk port between the

controller and another layer-2 switch (shown in Deployment Scenario #3: APs on Multiple Different Subnets

from Controllers on page 96).

This section shows how to use both the WebUI and CLI for the following configurations (subsequent steps

show how to use the WebUI only):

lCreate a VLAN on the controller and assign it an IP address.

lOptionally, create a VLAN pool. A VLAN pool consists of two more VLAN IDs which are grouped together to

efficiently manage multi-controller networks from a single location. For example, policies and virtual

application configurations map users to different VLANs which may exist at different controllers. This

creates redundancy where one controller has to back up many other controllers. With the VLAN pool

feature you can control your configuration globally.

VLAN pooling should not be used with static IP addresses.

lAssign to the VLAN the ports that you will use to connect the controller to the network. (For example, the

uplink ports connected to a router are usually Gigabit ports.) In the example configurations shown in this

section, a controller is connected to the network through its Gigabit Ethernet port 1/25.

lConfigure the port as a trunk port.

lConfigure a default gateway for the controller.

Creating, Updating, and Viewing VLANs and Associated IDs

You can create and update a single VLAN or bulk VLANS using the WebUI or the CLI. See Configuring VLANs on

page 148.

In the WebUI configuration windows, clicking the Save Configuration button saves configuration changes so they

are retained after the controller is rebooted. Clicking the Apply button saves changes to the running configuration

but the changes are not retained when the controller is rebooted. A good practice is to use the Apply button to save

changes to the running configuration and, after ensuring that the system operates as desired, click Save

Configuration.

You can view VLAN IDs in the CLI.

(host) #configure terminal

Enter Configuration commands, one per line. End with CNTL/Z

(host) (config) #show vlan

VLAN CONFIGURATION

------------------

VLAN Description Ports

---- ----------- -----

1 Default FE1/0-3 FE1/6 GE1/8

2 VLAN0002

4 VLAN0004

12 VLAN0012

210 VLAN0210

212 VLAN0212 FE1/5

213 VLAN0213 FE1/4

1170 VLAN1170 FE1/7

Dell Networking W-Series ArubaOS 6.4.x | User Guide The Basic User-Centric Networks | 102

103 | The Basic User-Centric Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

Creating, Updating, and Deleting VLAN Pools

VLAN pooling should not be used with static IP addresses.

You can create, update, and delete a VLAN pool using the WebUI or the CLI. See Creating a VLAN Pool on page

149.

Use the CLI to add existing VLAN IDS to a pool.

(host) #configure terminal

Enter Configuration commands, one per line. End with CNTL/Z

(host) (config) #vlan-name mygroup pool

(host) (config) #vlan mygroup 2,4,12

(host) (config) #

To confirm the VLAN pool status and mappings assignments, use the show vlan mapping command:

(host) (config) #show vlan mapping

VLAN Name Pool Status VLAN IDs

--------- ----------- --------

mygroup Enabled 2,4,12

group123 Disabled

Assigning and Configuring the Trunk Port

The following procedures configures a Gigabit Ethernet port as trunk port.

In the WebUI

1. Navigate to the Configuration > Network > Ports window on the WebUI.

2. In the Port Selection section, click the port that will connect the controller to the network. In this example,

click port 25.

3. For Port Mode, select Trunk.

4. For Native VLAN, select VLAN 5 from the scrolling list, then click the left (<--) arrow.

5. Click Apply.

In the CLI

interface gigabitethernet 1/25

switchport mode trunk

switchport trunk native vlan 5

To confirm the port assignments, use the show vlan command:

(host) (config) #show vlan

VLAN CONFIGURATION

------------------

VLAN Name Ports

---- ---- -----

1 Default Fa1/0-23 Gig1/24

5 VLAN0005 Gig1/25

Configuring the Default Gateway

The following configurations assign a default gateway for the controller.

In the WebUI

1. Navigate to the Configuration > Network > IP > IP Routes window.

2. To add a new static gateway, click the Add button below the static IP address list.

a. In the IP Address field, enter an IP address in dotted-decimal format.

b. In the Cost field, enter a value for the path cost.

c. Click Add.

3. You can define a dynamic gateway using DHCP, PPPOE or a cell uplink interface. In the Dynamic section,

click the DHCP,PPPoE or Cellular checkboxes to select one or more dynamic gateway options. If you select

more than one dynamic gateway type, you must also define a cost for the route to each gateway. The

controller will first attempt to obtain a gateway IP address using the option with the lowest cost. If the

controller is unable to obtain a gateway IP address, it will then attempt to obtain a gateway IP address using

the option with the next-lowest path cost.

4. Click Apply.

In the CLI

ip default-gateway <ipaddr>|{import cell|dhcp|pppoe}|{ipsec <name>} <cost>

Configuring the Loopback IP Address for the Controller

You must configure a loopback address if you are not using a VLAN ID address to connect the controller to the

network (see Deployment Scenario #3: APs on Multiple Different Subnets from Controllers on page 96).

After you configure or modify a loopback address, you must reboot the controller.

If configured, the loopback address is used as the controller’s IP address. If you do not configure a loopback

address for the controller, the IP address assigned to the first configured VLAN interface IP address. Generally,

VLAN 1 is configured first and is used as the controller’s IP address.

ArubaOS allows the loopback address to be part of the IP address space assigned to a VLAN interface. In the

example topology, the VLAN 5 interface on the controller was previously configured with the IP address

10.3.22.20/24. The loopback IP address in this example is 10.3.22.220.

You configure the loopback address as a host address with a 32-bit netmask. The loopback address should be

routable from all external networks.

Spanning tree protocol (STP) is enabled by default on the controller. STP ensures a single active path between

any two network nodes, thus avoiding bridge loops. Disable STP on the controller if you are not employing STP

in your network.

In the WebUI

1. Navigate to the Configuration > Network > Controller > System Settings window.

2. Enter the IP address under Loopback Interface.

3. On this window, you can also turn off spanning tree. Click No for Spanning Tree Enabled.

4. Click Apply at the bottom of the window (you might need to scroll down the window).

5. At the top of the window, click Save Configuration.

You must reboot the controller for the new IP address to take effect.

6. Navigate to the Maintenance > Controller > Reboot Controller window.

Dell Networking W-Series ArubaOS 6.4.x | User Guide The Basic User-Centric Networks | 104

105 | The Basic User-Centric Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

7. Click Continue.

In the CLI

interface loopback ip address 10.3.22.220

no spanning-tree

write memory

reload

The controller returns the following messages:

Do you really want to reset the system(y/n):

Enter yto reboot the controller or nto cancel.

System will now restart!

...

Restarting system.

To verify that the controller is accessible on the network, ping the loopback address from a workstation on the

network.

Configuring the System Clock

You can manually set the clock on the controller, or configure the controller to use a Network Time Protocol

(NTP) server to synchronize its system clock with a central time source. For more information about setting the

controller’s clock, see Setting the System Clock on page 824.

Installing Licenses

ArubaOS consists of a base operating system with optional software modules that you can activate by

installing license keys. If you use the Setup Wizard during the initial setup phase, you will have the opportunity

to install software licenses at that time. Refer to Software Licenses on page 130 for detailed information on

Licenses.

Connecting the Controller to the Network

Connect the ports on the controller to the appropriately-configured ports on an L2 switch or router. Make sure

that you have the correct cables and that the port LEDs indicate proper connections. Refer to the Installation

Guide for the controller for port LED and cable descriptions.

In many deployment scenarios, an external firewall is situated between various Dell devices. External Firewall

Configuration on page 626 describes the network ports that must be configured on the external firewall to allow

proper operation of the network.

To verify that the controller is accessible on the network:

lIf you are using VLAN 1 to connect the controller to the network (Deployment Scenario #2: APs All on One

Subnet Different from Controller Subnet on page 95 and Deployment Scenario #3: APs on Multiple

Different Subnets from Controllers on page 96), ping the VLAN 1 IP address from a workstation on the

network.

lIf you created and configured a new VLAN (Deployment Scenario #3: APs on Multiple Different Subnets

from Controllers on page 96), ping the IP address of the new VLAN from a workstation on the network.

Enabling Wireless Connectivity

Wireless users can connect to the SSID but because you have not yet configured authentication, policies, or

user roles, they will not have access to the network. Other chapters in the Dell Networking W-Series ArubaOS

User Guide describe how to build upon this basic deployment to configure user roles, firewall policies,

authentication, authentication servers, and other wireless features.

Configuring Your User-Centric Network

Configuring your controller and AP is done through either the Web User Interface (WebUI) or the command

line interface (CLI).

lWebUI is accessible through a standard Web browser from a remote management console or workstation.

The WebUI includes configuration wizards that step you through easy-to-follow configuration tasks. Each

wizard has embedded online help. The wizards are:

nAP Wizard—basic AP configurations including LAN, Remote, LAN Mesh and Remote Mesh deployment

scenarios

nController Wizard—basic controller configuration including system settings, Control Plane security,

cluster settings and licenses

nWLAN/LAN Wizard—creating and configuring new WLANs and LANs associated with the “default” ap-

group. Includes campus only and remote networking.

nLicense Wizard—installation and activation of software licenses (see Software Licenses on page 130)

Clicking Cancel from the Wizards return you to where you launched the wizard. Any configuration changes you

entered are not saved.

lThe command line interface (CLI) allows you to configure and manage controllers. The CLI is accessible from

a local console connected to the serial port on the controller or through a Telnet or Secure Shell (SSH)

session from a remote management console or workstation.

By default, you can only access the CLI from the serial port or from an SSH session. To use the CLI in a Telnet

session, you must explicitly enable Telnet on the controller.

Dell Networking W-Series ArubaOS 6.4.x | User Guide The Basic User-Centric Networks | 106

Dell Networking W-Series ArubaOS 6.4.x| User Guide Control Plane Security | 107

Chapter 2

Control Plane Security

ArubaOS supports secure IPsec communications between a controller and campus or remote APs using public-

key self-signed certificates created by each master controller. The controller certifies its APs by issuing them

certificates. If the master controller has any associated local controllers, the master controller sends a

certificate to each local controller, which in turn sends certificates to their own associated APs. If a local

controller is unable to contact the master controller to obtain its own certificate, it is not be able to certify its

APs, and those APs can not communicate with their local controller until master-local communication has been

reestablished. You create an initial control plane security configuration when you first configure the controller

using the initial setup wizard. The ArubaOS initial setup wizard enables control plane security by default, so it is

very important that the local controller be able to communicate with its master controller when it is first

provisioned.

Some AP model types have factory-installed digital certificates. These AP models use their factory-installed

certificates for IPsec, and do not need a certificate from the controller. Once a campus or remote AP is certified,

either through a factory-installed certificate or a certificate from the controller, the AP can failover between

local controllers and still stay connected to the secure network, because each AP has the same master

controller as a common trust anchor.

Starting with ArubaOS 6.2, the controller maintains two separate AP whitelists; one for campus APs and one for

Remote APs. These whitelists contain records of all campus APs or remote APs connected to the network. You

can use a campus or AP whitelist at any time to add a new valid campus or remote AP to the secure network, or

revoke network access to any suspected rogue or unauthorized APs.

The control plane security feature supports IPv4 campus and remote APs only. Do not enable control plane security

on a controller that terminates IPv6 APs.

When the controller sends an AP a certificate, that AP must reboot before it can connect to its controller over a

secure channel. If you are enabling control plane security for the first time on a large network, you may

experience several minutes of interrupted connectivity while each AP receives its certificate and establishes its

secure connection.

Topics in this chapter include:

lControl Plane Security Overview on page 107

lConfiguring Control Plane Security on page 108

lManaging Whitelists on Master and Local Controllers on page 117

lWorking in Environments with Multiple Master Controllers on page 120

lReplacing a Controller on a Multi-Controller Network on page 123

lConfiguring Control Plane Security after Upgrading on page 127

lTroubleshooting Control Plane Security on page 128

Control Plane Security Overview

Controllers using control plane security only send certificates to APs that you have identified as valid APs on

the network. If you want closer control over each AP that is certified, you can manually add individual campus

and remote APs to the secure network by adding each AP's information to the whitelists when you first run the

108 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

initial setup wizard. If you are confident that all APs currently on your network are valid APs, then you can use

the initial setup wizard to configure automatic certificate provisioning to send certificates from the controller to

each campus or remote AP, or to all campus and remote APs within specific ranges of IP addresses.

The default automatic certificate provisioning setting requires that you manually enter each campus AP’s

information into the campus AP whitelist, and each remote AP's information into the remote AP whitelist. If

you change the default automatic certificate provisioning values to let the controller send certificates to all APs

on the network, that new setting ensures that all valid APs receive a certificate, but also increases the chance

that you will certify a rogue or unwanted AP. If you configure the controller to send certificates to only those

APs within a range of IP addresses, there is a smaller chance that a rogue AP receives a certificate, but any valid

AP with an IP address outside the specified address ranges will not receive a certificate, and can not

communicate with the controller (except to obtain a certificate). Consider both options carefully before you

complete the control plane security portion of the initial setup wizard. If your controller has a publicly

accessible interface, you should identify the APs on the network by IP address range. This prevents the

controller from sending certificates to external or rogue campus APs that may attempt to access your

controller through that publicly accessible interface.

Configuring Control Plane Security

When you initially deploy the controller, you create your initial control plane security configuration using the

initial setup wizard. These settings can be changed at any time using the WebUI or the command-line

interfaces.

If you are configuring control plane security for the first time after upgrading from ArubaOS 5.0 or earlier, see

Configuring Control Plane Security after Upgrading on page 127 for details on enabling this feature using the WebUI

or CLI.

In the WebUI

1. Access the WebUI of a standalone or master controller, and navigate to Configuration > Network >

Controller.

2. Select the Control Plane Security tab.

3. Configure the following control plane security parameters:

Parameter Description

Control Plane

Security

Select enable or disable to turn the control plane security feature on or off. This

feature is enabled by default.

Auto Cert

Provisioning

When you enable the control plane security feature, you can select this checkbox to

turn on automatic certificate provisioning. When you enable this feature, the

controller attempts to send certificates to all associated campus APs. Auto

certificate provisioning is disabled by default.

NOTE: If you do not want to enable automatic certificate provisioning the first time

you enable control plane security on the controller, you must identify the valid APs

on your network by adding those to the campus AP whitelist. For details, see Viewing

and Managing the Master or Local Controller Whitelists on page 118.

After you have enabled automatic certificate provisioning, you must select either

Auto Cert Allow all or Addresses Allowed for Auto Cert.

Addresses allowed

for Auto Cert

The Addresses Allowed for Auto Cert section allows you to specify whether

certificates are sent to all associated APs, or just APs within one or more specific IP

address ranges. If your controller has a publicly accessible interface, you should

identify your campus and Remote APs by IP address range. This prevents the

controller from sending certificates to external or rogue campus APs that may

attempt to access your controller through that interface.

Select All to allow all associated campus and remote APs to receive automatic

certificate provisioning. This parameter is enabled by default.

Select Addresses Allowed for Auto Cert to send certificates to a group of campus

or remote APs within a range of IP addresses. In the two fields below, enter the start

and end IP addresses, then click Add. Repeat this procedure to add additional IP

ranges to the list of allowed addresses. If you enable both control plane security and

auto certificate provisioning, all APs in the address list receives automatic certificate

provisioning.

Remove a range of IP addresses from the list of allowed addresses by selecting the

IP address range from the list and clicking Delete.

Number of AP

Whitelist Entries

This parameter is the total number of APs in the remote AP and campus AP

Whitelists. This number is also a link to a combined whitelist that displays all campus

and remote AP entries.

Table 12: Control Plane Security Parameters

4. Click Apply .

The master controller generates its self-signed certificate and begins distributing certificates to campus APs and

any local controllers on the network over a clear channel. After all APs have received a certificate and have

connected to the network using a secure channel, access the Control Plane Security window and turn off

auto certificate provisioning if that feature was enabled. This prevents the controller from issuing a certificate

to any rogue APs that may appear on your network at a later time.

Figure 4 Control Plane Security Settings

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 109

110 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

In the CLI

Use the commands below to configure control plane security via the command line interface on a standalone

or master controller. Descriptions of the individual parameters are listed in Table 12, above.

control-plane-security

auto-cert-allow-all

auto-cert-allowed-addrs <ipaddress-start> <ipaddress-end>

auto-cert-prov

cpsec-enable

Example:

(host)(config) # control-plane-security

auto-cert-prov

no auto-cert-allow-all

auto-cert-allowed-addrs 10.21.18.10 10.21.10.90

View the current control plane security settings using the following command:

show control-plane-security

Managing AP Whitelists

Campus and Remote APs appear as valid APs in the campus and Remote AP whitelists when you manually

enter their information into the whitelists via the controller’s CLI or WebUI, or after the controller sends the AP

a certificate via automatic certificate provisioning, and the AP connects to its controller via a secure tunnel. Any

APs not approved or certified on the network are also included in the whitelists, but these APs appear in an

unapproved state.

Use the whitelists to grant valid APs secure access to the network, or to revoke access from suspected rogue

APs. When you revoke or remove an AP from the campus or remote AP whitelist on a controller that uses

control plane security, that AP is not able to communicate with the controller again, except to obtain a new

certificate.

If you manually add APs to the whitelists (rather than automatically adding the APs via the automatic certificate

provisioning feature), make sure that the whitelists have been synchronized to all other controllers on the network

before enabling control plane security.

Adding APs to the Campus and Remote AP Whitelists

You can add an AP to the campus AP or remote AP whitelists via the WebUI or command-line interface. To add

an entry via the WebUI, use the following procedure:

1. Access the WebUI, and navigate to Configuration > Wireless > AP Installation.

2. Click the Whitelist tab.

3. Select the whitelist to which you want to add the AP. The Whitelist tab displays status information for the

Campus AP Whitelist by default. To add a remote AP to the Remote AP whitelist, click the blue Remote AP

link at the top of the table before you proceed to step 4 on page 111.

Figure 5 Control Plane Security Settings

4. Click Entries in the upper right corner of the whitelist status window.

5. Click New.

6. Define the following parameters for each AP you want to add to the whitelist.

Parameter Description

Campus AP whitelist configuration parameters

AP MAC Address MAC address of a campus AP that supports secure communications to and

from its controller.

Description (Optional) A brief description of the campus AP.

Remote AP whitelist configuration parameters

AP MAC Address MAC address of the remote AP, in colon-separated octets.

User Name Name of the end user who provisions and uses the remote AP.

AP Group Name of the AP group to which the remote AP is assigned.

AP Name Name of the remote AP. If you not specify a name, the AP uses its MAC

address as a name (Optional).

Description A brief description to help you identify the AP (Optional).

IP-Address The static inner IP address to be assigned to the remote APs.

Table 13: AP Whitelist Parameters

7. Click Add .

8. Click Apply.

To add an AP to the Campus AP whitelist via the command-line interface, issue the command

whitelist-db cpsec add mac-address <macaddr> description <description>

To add an AP to the Remote AP whitelist via the command-line interface, issue the command

whitelist-db rap add mac-address <macaddr> ap-group <ap-group> [ap-name <ap-name>]

[description <description>] [full-name <name>] remote-ip <inner-ip-adr>

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 111

112 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

Viewing Whitelist Status

The WebUI can display either a table of entries in the selected whitelist, or a general nstatus summary for that

whitelist. The whitelist status pages show the current status each entry in the whitelist, and, for controllers in a

master/local controller topology, information for whitelist synchronization between controllers. This

information is updated automatically as the status of each entry changes.

The Wireless > AP Installation > Whitelist tab displays status information for the campus AP Whitelist by

default. To view status information for entries in the remote AP whitelist, click the blue Remote AP link on this

tab.

The following table describes the status information types available on the Whitelist status page.

Status Entry Description

Control Plane Security

(Campus AP Whitelist status

only)

Shows if control plane security has been enabled or disabled on the

controller. This status entry is also a link to the control plane security

configuration tab.

Number of Entries Total number of entries in the selected whitelist.

Approved Entries Number of entries that have been approved by the controller.

Unapproved Entries Number of entries that have not been approved by the controller

Certified Entries AP has an approved certificate from the controller.

Certified Hold Entries Shows if the controller thinks the AP has been certified with a factory

certificate yet the AP requests to be certified again. Because this is not a

normal condition, the AP is not approved as secure until a network

administrator manually changes the status of the AP to verify that it is not

compromised.

NOTE: If an AP is in this state due to connectivity problems, then the AP

recovers and is taken out of this hold state as soon as connectivity is

restored.

Revoked Entries Number of AP entries that have been manually revoked.

Marked For Deletion Entries Number of APs that have been marked for deletion, but that have not been

removed from the whitelist.

Table 14: Whitelist status information

The Remote AP whitelist entries page displays only the information you manually configure. The entries in the

campus AP whitelist include both user-defined settings and additional AP information that is updated as the

status of the AP changes.

Parameter Description

Cert Type The type of certificate used by the AP.

lswitch-cert: The AP is using a certificate signed by the controller.

lfactory-cert: The AP is using a factory-installed certificate.

State The Campus AP Whitelist reports one of the following states for each

campus AP:

lunapproved-no-cert: The AP has no certificate and is not approved.

lunapproved-factory-cert: The AP has a preinstalled certificate that

was not approved.

lapproved-ready-for-cert: The AP has been approved as a valid

campus AP and is ready to receive a certificate.

lcertified-factory-cert: The AP is already has a factory certificate. If an

AP has the factory-cert certificate type and is in the certified-factory-

cert state, then that campus AP is not reissued a new certificate if you

enable automatic certificate provisioning.

lcertified-switch-cert: The AP has an approved certificate from the

controller.

lcertified-hold-factory-cert: An AP is put in this state when the

controller thinks the AP has been certified with a factory certificate but

the AP requests to be certified again. Because this is not a normal

condition, the AP is not approved as a secure AP until a network

administrator manually changes the status of the AP to verify that it is

not compromised.

NOTE: If an AP is in this state due to connectivity problems, then the AP

recovers and leaves this hold state as soon as connectivity is restored.

lcertified-hold-switch-cert: An AP is put in this state when the

controller thinks the AP has been certified with a controller certificate

but the AP requests to be certified again. Because this is not a normal

condition, the AP is not approved as a secure AP until a network

administrator manually changes the status of the AP to verify that it is

not compromised.

NOTE: If an AP is in this state due to connectivity problems, then the AP

recovers and is taken out of this hold state as soon as connectivity is

restored.

Revoked Shows if the AP’s secure status has been revoked.

Revoked Text An optional, brief statement describing why the AP was revoked.

Last Update Time and date of the last AP status update.

Table 15: Additional Campus AP Status Information

To view information about the remote and campus AP whitelists using the command-line interface, use the

commands described in Table 16.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 113

114 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

Command Description

show whitelist-db cpsec

[mac-address <macaddr>]

Shows detailed information for each AP in the whitelist,

including the AP’s MAC address, approved state,

certificate type, and description. Include the optional mac-

address <macaddr> parameters to view data for a

single entry.

show whitelist-db cpsec-status The command gives aggregate information for the

numbers of APs in each of the following categories:

lTotal entries

lApproved entries

lUnapproved entries

lCertified entries

lCertified hold entries

lRevoked entries

lMarked for deletion entries

Table 16: View the Campus AP Whitelist via the CLI

Modifying an AP in the Campus AP Whitelist

Use the following procedure to modify a campus AP entry’s certificate type, state, description, and revoked

status via the WebUI:

1. Access the master controller WebUI, and navigate to Configuration>AP Installation.

2. Click the Campus AP Whitelist tab.

3. Select the checkbox by the entry for the AP you want to edit, then click Modify.

If your campus AP whitelist is large and you cannot immediately locate the AP entry you want to edit, select

the Search link by the upper right corner of the whitelist. The Campus AP Whitelist tab displays several

fields that allow you to search for an AP with a specified MAC address, certificate type or state. Specify the

values that match the AP you want locate, then click Search . The whitelist displays a list of APs that match

your search criteria. Select the AP from this list, then click Modify.

4. Update the AP’s whitelist entry with the new settings. Some of the configurable parameters were available

when you first defined the entry, and are described in Table 13 above. When you modify an existing

whitelist entry, you can also configure the following additional parameters that were not configurable when

you first created the entry:

lCert-type: The type of certificate used by the AP.

nswitch-cert: The campus AP is using a certificate signed by the controller.

nfactory-cert: The campus AP is using a factory-installed certificate.

lState: When you click the State drop-down list to modify this parameter, you may choose one of the

following options:

napproved-ready-for-cert: The AP has been approved state and is ready to receive a certificate.

ncertified-factory-cert: The AP is certified and has a factory-installed certificate.

lRevoke: Click the Revoke checkbox to revoke an AP’s secure status. When you select this checkbox, you

can enter a brief comment explaining why the AP is being revoked.

5. Click Update to update the campus AP whitelist entry with its new settings.

To modify an entry in the campus AP whitelist via the command-line interface, issue the following commands:

whitelist-db cpsec modify mac-address

cert-type switch-cert|factory-cert

description <description>

mode disable|enable

revoke-text <revoke-text>

state approved-ready-for-cert|certified-factory-cert

Revoking an AP via the Campus AP Whitelist

You can revoke an invalid or rogue AP either by opening the modify menu and modifying the AP’s revoke

status (as described in the section above), or by selecting the AP in the campus whitelist and revoking its secure

status directly, without modifying any other parameters or entering a description of why that AP was revoked.

When you revoke an AP’s secure status in the campus AP whitelist, the whitelist retains the AP’s status

information. To revoke an invalid or rogue AP and permanently remove the AP from the whitelist, you must

delete that entry.

To revoke an AP via the WebUI:

1. Access the master controller WebUI, and navigate to Configuration > AP Installation.

2. Click the Campus AP Whitelist tab.

3. To revoke one or more secure campus APs, select the checkbox by the entry for each AP whose secure

status should be revoked, then click Revoke.

If your campus AP whitelist is large and you cannot immediately locate the AP entry you want to revoke,

select the Search link by the upper right corner of the whitelist. The Campus AP Whitelist tab displays

several fields that allow you to search for an AP with a specified MAC address, certificate type, or state.

Specify the values that match the AP you want locate, then click Search . The whitelist displays a list of APs

that match your search criteria. Select the AP from this list, then click Revoke.

To revoke an AP via the command-line interface, issue the command:

whitelist-db cpsec revoke mac-address <macaddr> revoke-text <"revoke text">

Deleting an AP Entry from the Campus AP Whitelist

Before you delete an AP entry from the campus whitelist, verify that auto certificate provisioning is either no

longer enabled, or only enabled for IP addresses that do not include the AP being removed. If you enable

automatic certificate provisioning for an AP that it is still connected to the network, you cannot permanently

delete it from the campus AP whitelist; the controller immediately recertifies the AP and recreates its whitelist

entry.

To delete an AP entry via the WebUI:

1. Access the master controller WebUI, and navigate to Configuration > AP Installation.

2. Click the Campus AP Whitelist tab.

3. Select the checkbox by entry for each AP you want to remove, then click delete.

If your campus AP whitelist is large and you cannot immediately locate the AP entry you want to delete,

select the Search link by the upper right corner of the whitelist. The Campus AP Whitelist tab displays

several fields that allow you to search for an AP with a specified MAC address, certificate type, or state.

Specify the values that match the AP you want locate, then click Search . The whitelist displays a list of APs

that match your search criteria. Select the AP from this list, then click delete.

To delete an AP entry via the CLI, issue the command:

whitelist-db cpsec del mac-address <macaddr>

Purging the Campus AP Whitelist

Before you add a new local controller to a network using control plane security, you must purge the campus AP

whitelist on the new controller. As soon as you add the new controller to the hierarchy, the entries in the new

controller's campus AP whitelist merge into the whitelist for all other master and local controllers. If you add

any old or invalid AP entries to the campus AP whitelist, all controllers in the hierarchy will trust those APs,

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 115

116 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

creating a potential security risk. For additional information on adding a new local controller using control

plane security to your network, see Replacing a Local Controller on page 123

To purge a controller’s campus AP whitelist via the WebUI:

1. Access the master controller WebUI, and navigate to Configuration > AP Installation.

2. Click the Campus AP Whitelist tab.

3. Click Purge.

To purge a campus AP whitelist via the command-line interface, issue the command:

whitelist-db cpsec purge

OffLoading a Controller RAP Whitelist to ClearPass Policy Manager

This feature allows whitelist entries for remote APs (RAPs) to be maintained externally in a ClearPass Policy

Manager (CPPM)server. The controller, if configured to use an external server, can send a RADIUS access

request to a CPPM server. The RAP MAC address is used as a username and password to construct the access

request packet and the CPPM validates the RADIUS message and returns the relevant parameters for the

authorized RAPs.

The following three supported parameters are associated with the following VSAs. They are sent by the CPPM

server in the RADIUS access accept packet for authorized RAPs:

lap-group: Dell-AP-Group

lap-name: Dell-Location-ID

lremote-ip: Dell-AP-IP-Address

The following defaults are used when any of the supported parameters are not provided by the CPPM server in

the RADIUS access accept response:

lap-group: The default ap-group is assigned to the RAP.

lap-name: The RAP MAC address is used as the AP name.

lremote-ip: The controller selects the remote IP address from its available pool of addresses.

There is no change in the RAP role assignment. The RAP is assigned the role that is configured in the VPN

default-rap profile.

In the WebUI

To assign a CPPM server to a RAP:

1. Configure a CPPM server using the controller WebUI:

a. Navigate to the Configuration > Security > Authentication > Servers page.

b. Select Radius Server to display the CPPM Server List.

c. To configure a CPPM server, enter the name for the server and click Add.

d. Select the name to configure server parameters. Select the Mode check box to activate the

authentication server.

e. Click Apply.

2. Create a server group that contains the CPPM server.

3. Navigate to Configuration > All Profile Managment > Wireless LAN > VPN Authentication >

default-rap > Server Group.

4. Select the CPPM server from the Server Group drop-down list.

5. Click Apply.

To assign a CPPM server to a RAP that was initially an IAP:

1. Make sure that a CPPM server is configured on the controller.

2. Navigate to Configuration > All Profile Managment > Wireless LAN > VPN Authentication >

default-iap > Server Group.

3. Select the CPPM server from the Server Group drop-down list.

4. Click Apply.

In the CLI

Configure a radius server with CPPM server as host address. In this example cppm-rad is the CPPM server

name and cppm-sg is the server group name.

(host)(config) #aaa authentication-server radius cppm-rad

Add this server to a server group:

(host)(config) #aaa server-group cppm-sg

auth-server cppm-rad

Add this server group to the default-rap vpn profile:

(host)(config) #aaa authentication vpn default-rap

server-group cppm-sg

Managing Whitelists on Master and Local Controllers

Every controller using the control plane security feature maintains a campus AP whitelist, a local controller

whitelist and a master controller whitelist. The contents of these whitelists vary, depending upon the role of

the controller, as shown in the figure below.

Controller Role Campus AP Whitelist Master Controller

Whitelist

Local Controller

Whitelist

On a (standalone)

master controller

with no local

controllers:

The campus AP whitelist contains

entries for the secure campus

APs associated with that

controller.

The master controller

whitelist is empty, and

does not appear in the

WebUI.

The local controller

whitelist is empty, and

does not appear in

the WebUI.

On a master

controller with local

controllers:

The campus AP whitelist contains

an entry for every secure

campus AP on the network,

regardless of the controller to

which it is connected.

The master controller

whitelist is empty, and

does not appear in the

WebUI.

The local controller

whitelist contains an

entry for each

associated local

controller.

On a local controller: The campus AP whitelist contains

an entry for every secure

campus AP on the network,

regardless of the controller to

which it is connected.

The master controller

whitelist contains the

MAC and the IP

addresses of the

master controller.

The local controller

whitelist is empty, and

does not appear in

the WebUI.

Table 17: Control Plane Security Whitelists

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 117

118 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

Figure 6 Local Controller Whitelist on a Master Controller

If your deployment includes both master and local controllers, then the campus AP whitelist on every

controller contains an entry for every secure AP on the network, regardless of the controller to which it is

connected. The master controller also maintains a whitelist of local controllers using control plane security.

When you change a campus AP whitelist on any controller, that controller contacts the other connected

controllers to notify them of the change.

The master controller whitelist on each local controller contains the IP and MAC addresses of its master

controller. If your network has a redundant master controller, then this whitelist contains more than one entry.

You rarely need to delete the master controller whitelist. Although you can delete an entry from the master

controller whitelist, you should do so only if you have removed a master controller from the network.

Campus AP Whitelist Synchronization

The current sequence number in the AP Whitelist Sync Status field shows the number of changes to the

campus AP whitelist made on that controller. Each controller compares its campus AP whitelist against

whitelists on other controllers every two minutes by default. If a controller detects a difference, it sends its

changes to the other controllers on the network. If all other controllers on the network have successfully

received and acknowledged all whitelist changes made on that controller, every entry in the sequencenumber

column in the local controller or master controller whitelists has the same value as the sequence number

displayed in the AP Whitelist Sync Status field. If a controller in the master or local controller whitelist has a

lower sequence number, that controller may still be waiting to complete its update, or receive its update

acknowledgement. In the example in Figure 6, the master controller has a current sequence number of 3, and

each sequence number in its local controller whitelist also shows a value of 3, indicating that both local

controllers have received and acknowledged all three campus AP whitelist changes made on the master

controller. For additional information on troubleshooting whitelist synchronization, see Verifying Whitelist

Synchronization on page 129.

You can view a controller’s current sequence number via the CLI using the command:

show whitelist-db cpsec-seq

Viewing and Managing the Master or Local Controller Whitelists

The following sections describe the commands to view and delete entries in a master or local controller

whitelist.

Viewing the Master or Local Controller Whitelist

To view the master or local controller whitelists via the WebUI, use the procedure below:

1. Access the controller’s WebUI, and navigate to Configuration > AP Instalation.

2. Select the Whitelist tab.

The master and local controller tables each include the following information:

Data Column Description

MAC-Address On a local controller whitelist: MAC address of the master controller.

On a master controller whitelist: MAC address of a local controller.

IP-Address On a local controller whitelist: IP address of the master controller.

On a master controller whitelist: IP address of a local controller.

Sequence Number The number of times the controller in the whitelist received and

acknowledged a campus AP whitelist change from the controller whose

WebUI you are currently viewing.

For deployments with both master and local controllers:

lThe sequence number on a master controller should be the same as the

remote sequence number on the local controller.

lThe sequence number on a local controller should be the same as the

remote sequence number on the master controller.

Remote Sequence Number The number of times that the controller whose WebUI you are viewing

received and acknowledged a campus AP whitelist change from the

controller in the whitelist.

For deployments with both master and local controllers:

lThe remote sequence number on a master controller should be the same

as the sequence number on the local controller.

lThe remote sequence number on a local controller should be the same as

the sequence number on the master controller.

Null Update Count The number of times the controller checked its campus AP whitelist and

found nothing to synchronize with the other controller. The controller

compares its control plane security whitelist against whitelists on other

controllers every two minutes by default. If the null update count reaches five,

the controller sends an “empty sync” heartbeat to the remote controller to

ensure the sequence numbers on both controllers are the same, then resets

the null update count to zero.

Table 18: Master and Local Controller Whitelist Information

To view the master or local controller whitelists via the command-line interface, issue the following commands:

show whitelist-db cpsec-master-switch-list [mac-address <mac-address>]

show whitelist-db cpsec-local-switch-list [mac-address <mac-address>]

Deleting an Entry from the Master or Local Controller Whitelist

You do not need to delete a master controller from the master controller whitelist during the course of normal

operation. However, if you remove a local controller from the network, you should also remove the local

controller from the local controller whitelist on the master controller. If the local controller whitelist contains

entries for controllers no longer on the network, then a campus AP whitelist entry can be marked for deletion

but is not physically deleted, as the controlleris waiting for an acknowledgment from another controller no

longer on the network. This can increase network traffic and reduce memory resources on the controller.

To delete an entry from the master or local controller whitelist via the WebUI:

1. Access the controller’s WebUI, and navigate to Configuration > Controller.

2. Select the Control Plane Security tab.

3. To delete an entry from the Local Controller Whitelist: In the Local Switch List For AP Whitelist Sync

section, click the Delete button by each controller entry you want to remove.

Or,

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 119

120 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

To delete an entry from the Master Controller Whitelist: In the Master Switch List For AP Whitelist Sync

section, click Delete by each controller entry you want to remove.

4. Click Apply.

To delete an entry from the master or local controller whitelist via the command-line interface, issue either of

the following commands:

whitelist-db cpsec-master-switch-list del mac-address <mac-address>

whitelist-db cpsec-local-switch-list del mac-address <mac-address>

Purging the Master or Local Controller Whitelist

There is no need to purge a master controller whitelist during the course of normal operation. If, however, you

are removing a controller from the network, you can purge its controller whitelist after it has been

disconnected from the network. To clear a local controller whitelist entry on a master controller that is still

connected to the network, select that individual whitelist entry and delete it using the delete option.

To purge a controller whitelist via the WebUI, use the following procedure:

1. Access the controller’s WebUI, and navigate to Configuration > Controller.

2. Select the Control Plane Security tab.

3. To clear the Local Controller Whitelist: In the Local Switch List For AP Whitelist Sync section, click

Purge.

Or,

4. To clear the Master Controller Whitelist: In the Master Switch List For AP Whitelist Sync section, click

Purge.

To purge a controller whitelist via the command-line interface, issue the following commands:

whitelist-db cpsec-master-switch-list purge

whitelist-db cpsec-local-switch-list purge

Working in Environments with Multiple Master Controllers

Configuring Networks with a Backup Master Controller

If your network includes a redundant backup master controller, you must synchronize the database from the

primary master to the backup master at least once after all APs are communicating with their controllers over a

secure channel. This ensures that all certificates, IPsec keys, and campus AP whitelist entries are synchronized

to the backup controller. You should also synchronize the database any time the campus AP whitelist changes

(APs are added or removed to ensure that the backup controller has the latest settings).

Master and backup controllers can be synchronized using either of the following methods:

lManual Synchronization: Issue the database synchronize CLI command in enable mode to manually

synchronize databases from your primary controller to the backup controller.

lAutomatic Synchronization: Schedule automatic database backups using the database synchronize

period CLI command in config mode.

If you add a new backup controller to an existing controller, you must add the backup controller as the lower priority

controller. If you do not add the backup controller as a lower priority controller, your control plane security keys and

certificates may be lost. If you want the new backup controller to become your primary controller, increase the

priority of that controller to a primary controller after you have synchronized your data.

Configuring Networks with Clusters of Master Controllers

If your network includes multiple master controllers each with their own hierarchy of APs and local controllers,

you can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master

controllers. Each cluster has one master controller as its cluster root, and all other master controllers as cluster

members. The master controller operating as the cluster root creates a self-signed certificate, then certifies its

own local controllers and APs. Next, the cluster root sends a certificate to each cluster member, which in turn

certifies its own local controllers and APs. Because all controllers and APs in the cluster have the same trust

anchor, the APs can switch to any other controller in the cluster and still remain securely connected to the

network.

Figure 7 A Cluster of Master Controllers using Control Plane Security

To create a controller cluster, you must first define the root master controller and set an IPsec key or select a

certificate for communications between the cluster root and cluster members.

You must use the command-line interface to configure certificate authentication for cluster members. The WebUI

supports cluster authentication using IPsec keys only. If your master and local controllers use a pre-shared key for

authentication, they create the IPsec tunnel using IKEv1. If your master and local controllers use certificates for

authentication, the IPsec tunnel is created using IKEv2.

Creating a Cluster Root

Use the WebUI to identify a controller as a cluster root, and use an IPsec key to secure communication

between the cluster root and cluster members. Use the command-line interface to create a cluster root using

an IPsec key, factory-installed certificate, or custom certificate.

To create a cluster root using the WebUI:

1. Access the WebUI of the controller you want to identify as the cluster root, and navigate to Configuration

> Controller.

2. Click the Cluster Setting tab.

3. For the cluster role, select Root.

4. In the Cluster Member IPsec Keys section, enter the controller IP address of a member controller in the

cluster. If you want to use a single key for all member controllers, use the IP address 0.0.0.0.

5. In the IPsec Key and Retype IPsec Key fields, enter the IPsec key for communication between the

specified member controller and the cluster root.

6. Click Add.

7. Optional: repeat steps 4-6 to add another member controller to the cluster.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 121

122 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

8. Click Apply.

To create a cluster root via the CLI, access the command-line interface of the controller you want to identify as

the root of the controller cluster, then issue one of the following commands:

lTo authenticate cluster members using a custom certificate:

cluster-member-custom-cert member-mac <mac> ca-cert <ca> server-cert <cert> suite-b <gcm-

128 | gcm-256>]

lTo authenticate cluster members using a factory-installed certificate:

cluster-member-factory-cert member-mac <mac>

lTo authenticate cluster members using an IPsec key:

cluster-member-ip <ip-address> ipsec <key>

The <ip-address> parameter in this command is the IP address of a member controller in the cluster, and

the <key> parameter in each command is the IPsec key for communication between the specified member

controller and the cluster root. Use the IP address 0.0.0.0 in this command to set a single IPsec key for all

member controllers, or repeat this command as desired to define a different IPsec key for each cluster

member.

Creating a Cluster Member

Once you have identified the cluster root, you must then identify the member controllers in the cluster.

Use the WebUI to identify a controller as a cluster member, and use an IPsec key to secure communication

between the cluster member and the cluster root. Use the command-line interface to create a cluster member

and secure communications between that member and the cluster root using an IPsec key, factory-installed

certificate, or custom certificate.

To create a cluster member using the WebUI:

1. Access the WebUI of the cluster member controller, and navigate to Configuration > Controller.

2. Click the Cluster Setting tab.

3. For the cluster role, select Member.

4. In the Controller IP Address field, enter the IP address of the root controller in the cluster.

5. In the IPsec Key and Retype IPsec Key fields, enter the IPsec key for communication between the

specified member controller and the cluster root. This parameter must be have the same value as the key

defined for the cluster member in Creating a Cluster Root on page 121.

6. Click Add.

7. Click Apply.

To create a cluster root via the CLI, access each of the member master controllers and define the IPsec key or

certificate for communication between that controller and the cluster root.

cluster-root-ip <ip-address>

ipsec <key>

factory-cert master-mac <mac>

ipsec-custom-cert master-mac1 <mac1> [master-mac2 <mac2>] ca-cert <ca> server-cert <cert>

[suite-b <gcm-128 | gcm-256>]

In this command the <ip-address> parameter is the IP address of the root master controller in the cluster. If

you are using an IPsec key, the <key> parameter in this command must be have the same value as the key

defined for the cluster member via the cluster-member-ip command.

Viewing Controller Cluster Settings

To view your current cluster configuration via the WebUI:

1. Navigate to Configuration > Controller.

2. Click the Cluster Setting tab.

lIf you are viewing the WebUI of a cluster root, the output of this command displays the IP address of the

VLAN on the cluster member used to connect to the cluster root.

lIf you are viewing the WebUI of a cluster member, the output of this command displays the IP address

of the VLAN on the cluster root used to connect to the cluster member.

To view your current cluster configuration via the command-line interface, issue the CLI commands described

in Table 19.

Command Description

show cluster-switches When you issue this command from the cluster root, the output of this

command displays the IP address of the VLAN the cluster member uses to

connect to the cluster root.

If you issue this command from a cluster member, the output of this

command displays the IP address of the VLAN the cluster root uses to

connect to the cluster member.

show cluster-config When you issue this command from the cluster root, the output of this

command shows the cluster role of the controller, and the IP address of

each active member controller in the cluster.

When you issue this command from a cluster member, the output of this

command shows the cluster role of the controller, and the IP address of

the cluster root.

Table 19: CLI Commands to Display Cluster Settings

Replacing a Controller on a Multi-Controller Network

The procedure to replace a controller within a multi-controller network varies, depending upon the role of that

controller, whether the network has a single master controller or a cluster of master controllers, and whether or

not the controller has a backup.

The following sections describe the steps to replace an existing controller. To add a new local controller to a network,

or to permanently remove a local controller without replacing it, see Viewing and Managing the Master or Local

Controller Whitelists on page 118.

Replacing Controllers in a Single Master Network

Use the procedures in this section to replace a master or local controller in a network environment with a single

master controller.

Replacing a Local Controller

Use the following procedure to replace a local controller in a single-master network:

1. Disconnect the local controller from the network.

2. If you plan on moving the local controller to another location on the network, purge the campus AP

whitelist on the controller.

Access the command-line interface on the old local controller and issue the command whitelist-db cpsec

purge

or,

Access the local controller WebUI, navigate to Configuration > AP Installation > Campus AP Whitelist

and click Purge.

3. Once you purge the campus AP whitelist, you must inform the master controller that the local controlleris

no longer available using one of these two methods:

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 123

124 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

This step is very important; unused local controller entries in the local controller whitelist can significantly

increase network traffic and reduce controller memory resources.

lAccess the command-line interface on the master controller, and issue the command whitelist-db

cpsec-local-switch-list del mac-address <local-controller-mac>

lAccess the master controller WebUI, navigate to the Configuration > Controller > Control Plane

Security window, select the entry for the local controller you want to delete from the local controller

whitelist, and click Delete.

4. Install the new local controller, but do not connect it to the network yet. If the controller has been

previously installed on the network, you must ensure that the new local controller has a clean whitelist.

5. Purge the local controller whitelist using one of the following two methods:

lAccess the command-line interface on the new local controller and issue the command whitelist-db

cpsec purge

lAccess the local controller WebUI, navigate to Configuration > AP Installation > Campus AP

Whitelist and click Purge.

6. Now connect the new local controller to the network. It is very important that the local controller be able to

contact the master controller the first time it connects to the network, because the master controller

certifies the local controller's control plane security certificate the first time the local controller contacts its

master.

7. Once the local controller has a valid control plane security certificate and configuration, the local controller

receives the campus AP whitelist from the master controller and starts certifying approved APs.

8. APs associated with the new local controller reboots and creates new IPsec tunnels to their controller using

the new certificate keys.

Replacing a Master Controller with No Backup

Use the following procedure to replace a master controller that does not have a backup controller:

1. Remove the old master controller from the network.

2. Install and configure the new master controller, then connect the new master to the network. The new

master controller generates a new certificate when it first becomes active.

3. If the new master controller has a different IP address than the old master controller, change the master IP

address on the local controllers to reflect the address of the new master.

4. Reboot each local controller to ensure the local controllers obtain their certificate from the new master.

Each local controller begins using a new certificate signed by the master controller.

5. APs are now no longer able to securely communicate with the controller using their current key, and must

obtain a new certificate. Access the campus AP whitelist on any local controller, and change all APs in a

“certified” state to an “approved” state. The new master controller sends the approved APs new certificates.

The APs reboot and create new IPsec tunnels to their controller using the new certificate key.

If the master controller does not have any local controllers, you must recreate the campus AP whitelist by

turning on automatic certificate provisioning or manually reentering the campus AP whitelist entries.

Replacing a Redundant Master Controller

The control plane security feature requires you to synchronize databases from the primary master controller to

the backup master controller at least once after the network is up and running. This ensures that all certificates,

keys, and whitelist entries are synchronized to the backup controller. Because the AP whitelist may change

periodically, you should regularly synchronize these settings to the backup controller. For details, see

Configuring Networks with a Backup Master Controller on page 120.

When you install a new backup master controller, you must add it as a lower prioritycontroller than the existing

primary controller. After you install the backup controller on the network, synchronize the database from the

existing primary controller to the new backup controller to ensure that all certificates, keys, and whitelist

entries required for control plane security are added to the new backup controller configuration. If you want

the new controller to act as the primary controller, you can increase that controller’s priority after the settings

have been synchronized.

Replacing Controllers in a Multi-Master Network

Use the following procedures to replace a master or local controller in a network environment with a multiple

master controllers.

Replacing a Local Controller in a Multi-Master Network

The procedure to replace a local controller in a network with multiple master controllers is the same as the

procedure to replace a local controller in a single-master network. To replace a local controller in a multi-master

network, follow the procedure described in Replacing a Local Controller on page 123

Replacing a Cluster Member Controller with no Backup

The control plane security feature allows APs to fail over from one controller to another within a cluster.

Therefore, cluster members or their local controllers may have associated APs that were first certified under

some other cluster member (or the cluster root). If you permanently remove a cluster member whose APs were

all originally certified under the cluster member being removed, its associated APs do not need to reboot in

order to connect to a different controller. If, however, you remove a cluster member whose associated APs

were originally certified under a different cluster member, those APs need to reboot and be recertified before

they can connect to a different controller. If the cluster member you are removing has local controllers, the

local controllers also reboot so they can be updated with new certificates, then pass the trust update to their

terminating APs.

To replace a cluster member that does not have a backup controller:

1. On the cluster master to be removed, clear the cluster root IP address by accessing the command-line

interface and issuing the command no cluster-root-ip <cluster-root-ip> ipsec <clusterkey>.

2. Remove the cluster member from the network.

3. If the cluster master you removed has any associated APs, you must reboot those APs so they receive an

updated certificate.

4. If the cluster member you removed has any associated local controllers, reboot those local controllers so

they receive a new certificate and then pass that trust update to their APs.

5. Remove the cluster master from the cluster root’s master controller list by accessing the command-line

interface on the cluster root and issuing the command whitelist-db cpsec-master-switch-list del mac-

address <cluster-master-mac>.

This step is very important. Unused local controller entries in the local controller whitelist can significantly

increase network traffic and reduce controller memory resources.

6. Remove the old cluster member from the network. Remember, that controller still has campus AP whitelist

entries from the entire cluster. You may want to delete or revoke unwanted entries from the campus AP

whitelist.

Now, you must install the new cluster member controller according to the procedure described in Creating a

Cluster Member on page 122. The new cluster member obtains a certificate from the cluster root when it first

becomes active.

7. If the new cluster member has any associated APs, reboot those APs so they obtain a trust update.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 125

126 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

8. If the new cluster member has any local controllers, reboot the local controllers associated with the new

cluster member. The local controllers obtain a new certificate signed by the cluster member, and then pass

that trust update to their associated APs.

Replacing a Redundant Cluster Member Controller

The control plane security feature requires you to synchronize databases from the primary controller to the

backup controller at least once after the network is up and running. This ensures that all certificates, keys, and

whitelist entries are synchronized to the backup controller. Because the AP whitelist may change periodically,

you should regularly synchronize these settings to the backup controller. For details, see Configuring Networks

with a Backup Master Controller on page 120.

When you install a new backup cluster member, you must add it as a lower priority controller than the existing

primary controller. After you install the backup cluster member on the network, resynchronize the database

from the existing primary controller to the new backup controller to ensure that all certificates, keys, and

whitelist entries required for control plane security are added to the new backup controller configuration. If

you want the new controller to act as the primary controller, you can increase that controller’s priority after the

settings have been resynchronized.

Replacing a Cluster Root Controller with no Backup Controller

If you replace a cluster root controller that does not have a backup controller, the new cluster root controller

creates its own self-signed certificate. You then need to reboot each controller in the hierarchy in a specific

order to certify all APs with that new certificate:

1. Remove the old cluster root from the network.

2. Install and configure the new cluster root.

3. Connect the new cluster root to the network so it can access cluster masters and local controllers.

4. If necessary, reconfigure the cluster masters and local controllers with their new cluster root IP and master

IP addresses.

5. Reboot every cluster member controller. The cluster member begins using a new certificate signed by the

cluster root.

6. Reboot every local controller. Each local controllerbegins using a new certificate signed by the cluster

member.

7. Because the cluster root is new, it does not have a configured campus AP whitelist. Access the campus AP

whitelist on any local controller or cluster master, and change all APs in a “certified” state to an “approved”

state. The APs get recertified, reboot, and create new IPsec tunnels to their controller using the new

certificate key.

If a cluster root controller does not have any cluster master or local controllers, you must recreate the

campus AP whitelist on the cluster root by turning on automatic certificate provisioning or manually

reentering the campus AP whitelist entries.

Replacing a Redundant Cluster Root Controller

Best practices is to use a backup controller with your cluster root controller. If your cluster root has a backup

controller, you can replace the backup cluster root without having to reboot all cluster master and local

controllers, minimizing network disruptions.

The control plane security feature requires you to synchronize databases from the primary controller to the

backup controller at least once after the network is up at running. This ensures that all certificates, keys, and

whitelist entries are synchronized to the backup controller. Because the AP whitelist may change periodically,

you should regularly synchronize these settings to the backup controller. For details, see Configuring Networks

with a Backup Master Controller on page 120.

When you install a new backup cluster root, you must add it as a lower priority controller than the existing

primary controller. After you install the backup cluster root on the network, resynchronize the database from

the existing primary controller to the new backup controller to ensure that all certificates, keys, and whitelist

entries required for control plane security are added to the new backup controller configuration. If you want

the new controller to act as the primary controller, you can increase that controller’s priority after the settings

have been resynchronized.

Configuring Control Plane Security after Upgrading

When you initially deploy a controller running ArubaOS 6.0 or later, create your initial control plane security

configuration using the initial setup wizard. However, if you are upgrading to ArubaOS 6.0 or if you are

upgrading from ArubaOS 5.0 but did not yet have control plane security enabled before the upgrade, then you

can use the strategies described in Table 20 to enable and configure control plane security feature.

If you upgrade a controller running ArubaOS 5.0.x to ArubaOS 6.0 or later, then the controller’s control plane security

settings do not change after the upgrade. If control plane security was already enabled, then it remains enabled after

the upgrade. If it was not enabled previously, but you want to use the feature after upgrading, then you must

manually enable it.

Automatically send Certificates to Campus

APs Manually Certify Campus APs

1. Access the control plane security window and

enable both the control plane security feature and the

auto certificate provisioning option. Next, specify

whether you want all associated campus APs to

automatically receive a certificate, or if you want to

certify only those APs within a defined range of IP

addresses.

1. Identify the campus APs that should receive

certificates by entering the campus APs’ MAC

addresses in the campus AP whitelist.

2. Once all APs have received their certificates,

disable auto certificate provisioning to prevent

certificates from being issued to any rogue APs that

may appear on your network at a later time.

2. If your network includes both master and local

controllers, wait a few minutes, then verify that the

campus AP whitelist has been propagated to all

other controllers on the network. Access the WebUI

of the master controller, navigate to Configuration

> Controller > Control Plane Security, then verify

that the Current Sequence Number field has the

same value as theSequence Number entry for

each local controller in the local controller whitelist.

(For details, see Verifying Whitelist Synchronization

on page 129.)

3. If a valid AP did not receive a certificate during the

initial certificate distribution, you can manually certify

the AP by adding that AP’s MAC address to the

campus AP whitelist. You can also use this whitelist to

revoke certificates from APs that should not be

allowed access to the secure network.

3. Enable the control plane security feature.

Table 20: Control Plane Security Upgrade Strategies

If you upgraded your controller from ArubaOS 5.0 or earlier and you want to use this feature for the first time, you

must either add all valid APs to the campus AP whitelist, or enable automatic certificate provisioning before you

enable the feature. If you do not enable automatic certificate provisioning, only the APs currently approved in the

campus AP whitelist are allowed to communicate with the controller over a secure channel. Any APs that do not

receive a certificate will not be able to communicate with the controller except to request a certificate.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 127

128 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide

Troubleshooting Control Plane Security

Identifying Certificate Problems

If an AP has a problem with its certificate, check the state of the AP in the campus AP whitelist. If the AP is in

either the certified-hold-factory-cert or certified-hold-switch-cert states, you may need to manually change the

status of that AP before it can be certified.

lcertified-hold-factory-cert: An AP is put in this state when the controller thinks the AP has been certified

with a factory certificate, but the AP requests to be certified again. Because this is not a normal condition,

the AP is not approved as a secure AP until you manually change the status of the AP to verify that it is not

compromised. If an AP is in this state due to connectivity problems, then the AP recovers and is taken out of

this hold state as soon as connectivity is restored.

lcertified-hold-switch-cert: An AP is put in this state when the controller thinks the AP has been certified

with a controller certificate yet the AP requests to be certified again. Because this is not a normal condition,

the AP is not be approved as a secure AP until a network administrator manually changes the status of the

AP to verify that it is not compromised. If an AP is in this state due to connectivity problems, then the AP

recovers and is taken out of this hold state as soon as connectivity is restored.

Verifying Certificates

If you are unable to configure the control plane security feature on W-600 Series, W-6000M3, or W-3000 Series

controllers, verify that its Trusted Platform Module (TPM) and factory-installed certificates are present and

valid by accessing the controller’s command-line interface and issuing the command show tpm cert-info. If

the controller has a valid certificate, the output of the command appears similar to the output in the example

below.

If the controller displays the following output, it may have a corrupted or missing TPM and factory certificates.

Contact Dell support.

Disabling Control Plane Security

If you disable control plane security on a standalone or local controller, all APs connected to that controller

reboot then reconnect to the controller over a clear channel.

If your disable control plane security on a master controller, APs directly connected to the master controller

reboot then reconnect to the master controller over a clear channel. However, its local controllers continue to

communicate with their APs over a secure channel until you save your configuration on the master controller.

Once you save the configuration, the changes are pushed down to the local controllers. At that point, any APs

connected to the local controllers also reboot and reconnect over a secure channel.

Verifying Whitelist Synchronization

To verify that a network of master and local controllers are correctly sharing their campus AP whitelists, check

the sequence numbers on the master and local controller whitelists.

lThe sequence number value on a master controller should be the same as the remote sequence number on

the local controller.

lThe sequence number value on a local controller should be the same as the remote sequence number on

the master controller.

Figure 8 Sequence numbers on Master and Local Controllers

Rogue APs

If you enable auto certificate provisioning enabled with the Auto Cert Allow All option, any AP that appears

on the network receives a certificate. If you notice unwanted or rogue APs connecting to your controller via an

IPsec tunnel, verify that automatic certificate provisioning has been disabled, then manually remove the

unwanted APs by deleting their entries from the campus AP whitelist.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Control Plane Security | 129

Dell Networking W-Series ArubaOS 6.4.x| User Guide Software Licenses | 130

Chapter 3

Software Licenses

ArubaOS base features include sophisticated authentication and encryption, protection against rogue wireless

APs, seamless mobility with fast roaming, the origination and termination of IPsec/L2TP/PPTP tunnels between

controllers, clients, and other VPN gateways, adaptive RF management and analysis tools, centralized

configuration, and location tracking.

Optional add-on licenses provide advanced feature such as Wireless Intrusion Protection and Policy

Enforcement Firewall. Evaluation licenses are available for some of these advanced features.

ArubaOS licenses are detailed in the following sections:

lUnderstanding License Terminology on page 130

lWorking with Licenses on page 131

lCentralized Licensing in a Multi-Controller Network on page 132

lUsing Licenses on page 142

lLicense Installation Best Practices and Exceptions on page 144

lInstalling a License on page 144

lDeleting a License on page 146

lMoving Licenses on page 147

lResetting the Controller on page 147

Understanding License Terminology

For clarity, the following terminology is used throughout this chapter.

lBundle: a cost-effective way to purchase functionality that supports a controller and x-number of APs.

lCertificate ID: the identification number attached to the Software License Certificate. The Certificate ID is

used in conjunction with the controller’s serial number to create the License Key.

lEvaluation License: a license that allows you to evaluate a feature set (or module) for a maximum of 90

days. The evaluation licenses are uploaded in 30-day increments. Only modules that offer new and unique

functionality support Evaluation Licenses.

lLicense Certificate: a certificate (soft copy) that contains license information including:

nLicense Description

nQuantity

nPart Number/Order Number

nCertificate ID

lLicense Database: the licenses installed on your controller

lLicense Key: generated from the controller serial number

lPermanent License: the opposite of an evaluation license. This license permanently installs the specific

features represented by the license.

lUpgrade License: a license that adds AP capacity to your controller. Note that Upgrade Licenses do not

support an evaluation license.

131 | Software Licenses Dell Networking W-Series ArubaOS 6.4.x| User Guide

Working with Licenses

Each license refers to specific functionality (or module) that supports unique features.

The licenses are:

lBase OS: base operating functions including VPN and VIA clients.

lAP Capacity: capacity license for RAP indoor and outdoor Mesh APs. Campus, Remote, or Mesh APs can

terminate on the controller without the need for a separate license.

lAdvanced Cryptography (ACR): this is required for the Suite B Cryptography in IPsec and 802.11 modes.

License enforcement behavior controls the total number of concurrent connections (IPsec or 802.11) using

Suite B Cryptography.The xSec license features are bundled with this license.

lPolicy Enforcement Firewall Virtual Private Network (PEFV): enables Policy Enforcement Firewall for VIA

clients. This is a controller license.

lPolicy Enforcement Firewall Next Generation (PEFNG): Wired, WLAN Licensed per AP numbers including

user roles, access rights, Layers 4 through 7 traffic control, per-service prioritization/QoS,

authentication/accounting APIs, External Service Interfaces (ESI), Voice and Video. This is an AP count

license.

lPublic Access: reserved for future use.

lRFProtect: Wireless Intrusion Protection (WIPS) and Spectrum Analysis. This is an AP count license.

lxSec (Extreme Security) for Federal: Layer 2 VPN for wired or wireless using FIPS-approved algorithms.

lInternal Test Functions: for internal use only.

The license categories are:

lPermanent license: this type of license permanently enables the desired software module on a specific Dell

controller. You obtain permanent licenses through the sales order process only. Permanent software license

keys are sent to you via email.

lEvaluation license: this type of license allows you to evaluate the unrestricted functionality of a software

module on a specific controller for 90 days (in three 30-day increments).

An expired evaluation license will remain in the license database until the controller is reset using the

command write erase all where all license keys are removed. An expired evaluation license has no impact

on the normal operation of the controller. It is kept in the license database to prevent abuse.

When you apply license keys on a controller, abnormal tampering of the device’s system clock (setting the system

clock back) results in the disabling of software licensed modules and their supported features. This can affect

network services.

To determine your time remaining on an evaluation license, a banner is displayed when you log in through

the command line:

NOTICE

NOTICE -- This switch has active licenses that will expire in 29 days

NOTICE

NOTICE -- See 'show license' for details.

NOTICE

From the WebUI, an “Alert” appears with information regarding the evaluation license status (see Figure 9).

Figure 9 Alert Flag

At the end of the 90-day period, you must apply for a permanent license to re-enable the features

permanently on the controller. Evaluation software license keys are only available in electronic form and are

emailed to you.

When an evaluation period expires:

nThe controller automatically backs up the startup configuration and reboots itself at midnight (according

to the system clock).

nAll permanent licenses are unaffected. The expired evaluation licensed feature is no longer available and

is displayed as Expired in the WebUI.

lUpgrade license—This license expands AP capacity. There are no Evaluation licenses available for Upgrade

licenses.

Centralized Licensing in a Multi-Controller Network

In order to configure each feature on the local controller, the master controller(s) must be licensed for each

feature configured on the local controllers. Centralized licensing simplifies licensing management by

distributing licenses installed on one controller to other controllers on the network. One controller acts as a

centralized license database for all other controllers connected to it, allowing all controllers to share a pool of

unused licenses. The primary and backup licensing servers can share a single set of licenses, eliminating the

need for a redundant license set on the backup server. Local licensing client controllers maintain information

sent from the licensing server, even if the licensing client controller and the licensing server controller can no

longer communicate. If an AP fails over from one client controller to another, the AP will be allowed to come up

even if there aren’t sufficient licenses present on the backup controller. the APs continue to stay active until

they reboot. However, if there are not sufficient available licenses to bring up an AP after it reboots, that AP will

not become active.

You can use the centralized licensing feature in a master-local topology with a redundant backup master, or in a

multi-master network where all the masters can communicate with each other (for example, if they are all

connected to a single AirWave server). In the master-local topology, the master controller acts as the primary

licensing server, and the redundant backup master acts as the backup licensing server. In a multi-master

network, one controller must be designated as a primary server, and a second controller must be configured as

a backup licensing server.

Centralized licensing can distribute the following license types:

lAP

lPEFNG

lRFProtect

lxSec

lACR

This section includes the following topics:

lPrimary and Backup Licensing Servers

lCommunication between the License Server and License Clients

Dell Networking W-Series ArubaOS 6.4.x | User Guide Software Licenses | 132

133 | Software Licenses Dell Networking W-Series ArubaOS 6.4.x| User Guide

lReplacing a Controller

lFailover Behaviors

lConfiguring Centralized Licensing

Primary and Backup Licensing Servers

Centralized licensing allows the primary and backup licensing server controllers to share a single set of licenses.

If you do not enable this feature, the master and backup master controller each require separate, identical

license sets. The two controllers acting as primary and backup license servers must use the same version of

ArubaOS, and must be connected on the same broadcast domain using the Virtual Router Redundancy

Protocol (VRRP). Other client controllers on the network connect to the licensing server using the VRRP virtual

IP address configured for that set of redundant servers. The primary licensing server uses the configured

virtual IP address by default. However, if the controller acting as the primary licensing server becomes

unavailable, the secondary licensing server will take ownership of the virtual IP address, allowing licensing

clients to retain seamless connectivity to a licensing server.

Only one backup licensing server can be defined for each primary server.

The example below shows a primary and backup license server connected using VRRP. Licenses installed on

either the primary or the backup server are shared between that pair of servers. If the primary and backup

controllers each had 16 AP licenses, 16 PEFNG licenses, and 16 xSec licenses installed, they would share a

combined pool of 32 AP, 32 PEFNG, and 32 xSec licenses. Any license client controllers connected to this pair of

redundant servers could also use licenses from this license pool.

Figure 10 Shared Licenses on a Primary and Backup Licensing Server

Communication between the License Server and License Clients

When you enable centralized licensing, information about the licenses already installed on the individual client

controllers are sent to the licensing server, where they are added into the server’s licensing table. The

information in this table is then shared with all client controllers as a pool of available licenses. When a client

controller uses a license in the available pool, it communicates this change to the licensing server master

controller, which updates the table before synchronizing it with the other clients.

Client controllers do not share information about built-in licenses to the licensing server. A controller using the

centralized licensing feature will use its built-in licenses before it consumes available licenses from the license

pool. As a result, when a client controller sends the licensing server information about the licenses that a client

is using, it only reports licenses taken from the licensing pool, and disregards any built-in licenses used. For

example, if a controller has a built-in 16-AP license and twenty connected APs, it will disregard the built-in

licenses being used, and will report to the licensing server that it is using only four AP licenses from the license

pool.

When centralized licensing is first enabled on the licensing server, its licensing table only contains information

about the licenses installed on that server. When the clients contact the server, the licensing server adds the

client licenses to the licensing table, then sends the clients information about the total available licenses for

each license type. In the following example, the licenses installed on two client controllers are imported into the

license table on the license server. The licensing server then shares the total number of available licenses with

other controllers on the network.

Figure 11 Licenses Shared by Licensing Clients

When new AP associates with a licensing client, the client sends updated licensing information to the server.

The licensing server then recalculates the available total, and sends the revised license count back to the clients.

If a client uses an AP license from the license pool, it also consumes a PEFNG and a RFProtect license from the

pool, even if that AP has not enabled any features that would require that license. A controller cannot use more

licenses than what is supported by its controller platform, regardless of how many licenses are available in the

license pool.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Software Licenses | 134

135 | Software Licenses Dell Networking W-Series ArubaOS 6.4.x| User Guide

Figure 12 License Pool Reflecting Used licenses

Supported Topologies

The following table describes the controller topologies supported by this feature.

Topology Example

All controllers are master controllers.

The master and standby licensing servers must be

defined.

A single master controller is connected to one

or more local controllers.

Only the master controller can be a license server.

A local controller can only be license client, not a

license server.

A master and standby master are connected to

one or more local controllers.

The master license server will reside on the master

controller, and the standby license server will

reside on the standby master controller. Local con-

trollers can only be license clients, not license serv-

ers.

Table 21: Centralized Licensing Topologies

Unsupported Topologies

The centralized licensing feature does NOT support topologies where multiple master controllers have one or

more attached local controllers.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Software Licenses | 136

137 | Software Licenses Dell Networking W-Series ArubaOS 6.4.x| User Guide

Figure 13 Topologies Not Supported by Centralized Licensing

Adding and Deleting Licenses

New licenses can be added to any controller managed by a centralized licensing system, although best practices

recommend adding them to the primary licensing server for easier management and tracking of licenses across

a wide network. Licenses can only be deleted from the controller on which the license is installed.

You do not need to reboot a controller after adding or deleting a license, regardless of whether you enable

centralized licensing. If you delete a license from a licensing client or server and there are no longer enough

licenses to support the number of active APs on the network, the APs continue to stay active until they reboot.

If there are not sufficient available licenses to bring up an AP after it reboots, that AP will not become active.

Centralized licensing supports evaluation licenses. When a client controller has an evaluation license installed,

those license limits will be sent to the licensing server and added to the license pool as long as the evaluation

period is active. When the evaluation period expires, the client with the expired license sends its revised limits

to the license server. The licensing server removes the evaluation licenses from its license table, then sends

updated license pool information to other clients on the network.

Replacing a Controller

If you need to replace the controller acting as a license server, the keys installed on the previous license server

must be regenerated and added to the new license server. If you need to replace a controller acting as license

client, you must regenerate the license keys installed on the client and reinstall them on the replacement client

or the licensing server.

Failover Behaviors

If the primary licensing server fails, the controller acting as a backup license server will retain the shared license

limits until the backup server reboots. If both the primary and the backup license servers fail, or if the backup

controller reboots before the primary controller comes back up, License clients will retain the license limits sent

to them by the licensing server for 30 days.

Although a client controller retains its licensing information for 30 days after it loses contact with the licensing

server, if the client reboots at any time during this 30-day window, the window will restart, and the client will retain its

information for another 30 days.

APs that use centralized licensing in conjunction with a ArubaOS high availability feature behave differently

than APs that do not use a high availability solution. APs using VRRP redundancy, a backup LMS, or the

ArubaOS fast failover feature can quickly fail over to a backup controller, even if that backup controller does

not have any AP licenses at the time of the failover. However, if that AP reboots, it will not obtain its licenses

until the backup controller receives the required licenses from the licensing master.

Client is Unreachable

The centralized licensing feature sends keepalive heartbeats between the license server and the licensing client

controllers every 30 seconds. If the licensing server fails to receive three consecutive heartbeats from a client, it

assumes that the licensing client is down, and that any APs associated with that client are also down or have

failed over to another controller . Therefore, the licensing server adds any licenses used by that client back into

to the available pool of licenses. If the license server fails to contact a license client for 30 consecutive days, any

licenses individually installed on that client will be removed from the server’s license database.

The WebUI of the licensing client and the licensing server both display a warning message when a licensing client

and licensing server are unable to communicate.

Server is Unreachable

If a licensing client does not receive three consecutive heartbeats from the server, it assumes that the server is

down, and that any APs directly associated to the server are also down or have failed over to another

controller. The client then adds any licenses used by the licensing server into to the pool of available licenses on

that client. When a license client is unable to reach a license server for 30 consecutive days, it removes any

shared licenses pushed to it from the licensing server, and reverts to its installed licenses. If the 30-day window

has passed and the controller does not have enough installed licenses for all of its associated APs, the

controller will nonetheless continue to support each AP. However, when an AP reboots and its controller does

not have enough licenses, that AP will not come up.

Configuring Centralized Licensing

The steps to configure centralized licensing on your network vary, depending upon whether you are enabling

this feature in a network with a master-local controller topology, or in a network where all controllers are

configured as masters. Before you enable this feature, you must ensure that the controllers are able to

properly communicate with the licensing master. Once you have identified your deployment type, follow the

steps in the appropriate section below.

Pre-configuration Setup in an All-Master Deployment

Follow the steps described below to configure the centralized licensing feature in a network with all master

controllers.

1. Ensure that the controllers that will use this feature are associated with the same AirWave server.

2. Identify a controller you want to designate as the primary licensing server. If that controller already has a

redundant backup controller, that backup controller will automatically become the backup license server.

3. (Optional) If your primary licensing server does not yet have a dedicated, redundant backup controller and

you want to use a backup server with the centralized licensing feature, you must identify a second controller

to use as the backup licensing server, and create a virtual router on the primary licensing server.

4. (Optional) Establish secure IPsec tunnels between the primary licensing server controller and the licensing

client controllers by enabling control plane security on that cluster of master controllers, or by creating site-

Dell Networking W-Series ArubaOS 6.4.x | User Guide Software Licenses | 138

139 | Software Licenses Dell Networking W-Series ArubaOS 6.4.x| User Guide

to-site VPN tunnels between the licensing server and client controllers. This step is not required, but if you

do not create secure tunnels between the controllers, the controllers will exchange clear, unencrypted

licensing information. This step is not required for a master-local topology.

Preconfiguration Setup in a Master/Local Topology

The master controller in a master-local topology is the primary licensing server by default. If this master

controller already has a redundant standby master, that redundant master will automatically act as the backup

licensing server with no additional configuration. If your primary licensing server does not yet have a

redundant standby controller and you want to use a backup server with the centralized licensing feature, you

must identify a second controller you want to designate as the backup licensing server, and define a virtual

router on the primary licensing server.

Enabling Centralized Licensing

The following steps describe the procedure to enable centralized licensing on both the licensing master and the

licensing clients.

Using the WebUI

1. Access the WebUI of the primary licensing master controller, navigate to Configuration > Controller and

select the Centralized Licenses tab.

2. Select Enable Centralized Licensing.

3. (Optional) If the licensing server already has a dedicated redundant standby controller, that standby

controller will automatically become the backup license server. If the primary licensing server in your

deployment does not have a dedicated, redundant master controller, but you want to define a backup

server for the licensing feature, follow steps a-c below:

a. In the VRRP ID field, enter the Virtual Router ID for the Virtual Router you configured in the

Preconfiguration Setup task in the section above.

b. In the Peer’s IP address field, enter the IP address of the backup licensing server.

c. In the License Server IP field, enter the virtual IP address for the Virtual Router used for license server

redundancy.

4. Click Apply.

If you are deploying centralized licensing on a cluster of master controllers, you must define the IP address that

the licensing clients in the cluster use to access the licensing server.

5. Access the WebUI of a licensing client, navigate to Configuration > Controller and select the Centralized

Licenses tab.

6. Select Enable Centralized Licensing.

7. In the License Server IP field, enter the IP address the client will use to connect to the licensing server. If you

have defined a backup licensing server using a virtual router ID, enter the IP address of that virtual router.

8. Click Apply.

9. Repeat steps 5-8 on each licensing client in the cluster.

Using the CLI

Access the command-line interface of the licensing server, and issue the following commands in config mode:

(host)(config) #license profile

(host)(License provisioning profile) #centralized-licensing-enable

If the licensing server already has a dedicated redundant standby controller, that standby controller will

automatically become the backup license server. If the primary licensing server in your deployment does not

have a redundant master controller but you want to define a backup server for the licensing feature, issue the

following commands on the licensing server:

(host)(License provisioning profile) #License server-redundancy

(host)(License provisioning profile) #License-vrrp <vrId>

(host)(License provisioning profile) #Peer-ip-address <ip>

If you are deploying centralized licensing on a cluster of master controllers, access the command-line interface

of a licensing client controller, and issue the following commands in config mode:

(host) (config) #license profile

(host) (License provisioning profile) #centralized-licensing-enable

(host) (License provisioning profile) #license server-ip <ip>

If a controller is designated as standby license server, it does not have the license-server-ip value configured.

Monitoring and Managing Centralized Licenses

A centralized licensing server displays a wide variety of licensing data that you can use to monitor licenses and

license usage. The tables described below are available on the Network > Controller > Centralized License

Management > Information page of the Licensing server WebUI.

License server Table

This table displays information about the different types of licenses in the license table, and how many total

licenses of each type are available and used. This table includes the following information:

Column Description

Service Type Type of license on the licensing server.

Aggregate Licenses Number of licenses in the licensing table on the licensing server.

Used Licenses Total number of licenses of each license type reported as used by the

licensing clients or licensing server.

Remaining Licenses Total number of remaining licenses available in the licensing table.

Table 22: License Server Table Data

License Client Table

This table displays centralized license limits applied to each licensing client. This table includes the following

information:

Column Description

Service Type Type of license on the licensing client.

System Limit The maximum number of licenses supported by the controller platform.

Server Licenses Number of licenses sent from the licensing server..

NOTE: This number is limited by the total license capacity of the controller

platform. A controller cannot use more licenses than is supported by that

controller platform, even if additional license are available.

Table 23: License Client Table Data

Dell Networking W-Series ArubaOS 6.4.x | User Guide Software Licenses | 140

141 | Software Licenses Dell Networking W-Series ArubaOS 6.4.x| User Guide

Column Description

Used Licenses Total number of licenses of each license type used by the licensing client

controller.

Contributed Licenses Total number of licenses of each license type contributed by the licensing

client controller.

Remaining Licenses Total number of remaining licensing available on this controller. This

number is also limited by the total license capacity of the controller platform.

License Client(s) Usage Table

This table displays information about the different types of licenses in the license table, and how many total

licenses of each type are available and used.

Column Description

Hostname Name of the licensing client controller.

IP Address IP address of the licensing client controller.

AP Total number of AP licenses used by a licensing client associated with this

controller.

PEF Total number of Policy Enforcement Firewall (PEF) licenses used by a

licensing client associated with this controller.

RF Protect Total number of RFProtect licenses used by a licensing client associated with

this controller.

xSec Module Total number of Extreme Security (xSec) licenses used by a licensing client

associated with this controller.

ACR Total number of advanced Cryptography (ACR) licenses used by a licensing

client associated with this controller.

Last update (secs. ago) Time, in seconds, that has elapsed since the licensing client received a heart-

beat response.

Table 24: License Clients(s) Usage Table Data

Aggregate License Table

Issue this command from the command-line interface of the centralized licensing server controller to view

license limits sent by licensing clients.

Column Description

Hostname Name of the licensing client controller.

IP Address IPaddress of the licensing client controller.

AP Total number of AP licenses sent from licensing clients associated with this

controller.

PEF Total number of Policy Enforcement Firewall (PEF) licenses sent from

licensing clients associated with this controller.

RF Protect Total number of RFProtect licenses sent from licensing clients associated

with this controller.

xSec Module Total number of Extreme Security (xSec) licenses sent from licensing clients

associated with this controller.

ACR Total number of advanced Cryptography (ACR) licenses sent from licensing

clients associated with this controller.

Table 25: Aggregate License Table Data

License Heartbeat Table

This table displays the license heartbeat statistics between the license server and the license client.

Column Description

IP address IP address of the licensing client.

HB Req Heartbeat requests sent from the licensing client.

HB Resp Heartbeat responses received from the license server.

Total Missed Total number of heartbeats that were not received by the licensing client.

Last Update Number of seconds elapsed since the licensing client last sent a heartbeat

request.

Table 26: License Heartbeat Table Data

Using Licenses

Licenses are platform independent and can be installed on any controller. Installation of the feature license

unlocks that feature’s functionality for the maximum capacity of the controller.

The license limits are enforced until you reach the controller limit (see Table 28).

Table 27 lists how licenses are consumed on the Controllers.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Software Licenses | 142

143 | Software Licenses Dell Networking W-Series ArubaOS 6.4.x| User Guide

License Basis What Consumes One License

PEFNG AP One operational AP

xSec Session One active client termination

RFprotect AP One operational AP

AP AP One operational LAN-connected or mesh AP that

is advertising at least one BSSID (virtual-AP) or

RAP

ACR Session One active client termination

Table 27: Usage per License

The controller licenses are variable-capacity (see Table 28).

In Table 28, the Remote AP count is equal to the total AP count for all the controllers. The Campus AP count is 1/4 of

the total AP count except for the W-6000M3 which is one half the AP count.

Controller Total AP Count Campus APs Remote APs

W-7210 512 512 512

W-7220 1024 1024 1024

W-7240 2048 2048 2048

W-6000M3 1024 512 1024

W-3200 128 32 128

W-3400 256 64 256

W-3600 512 128 512

W-620 8 8 8

W-650 16 16 16

Table 28: Controller AP Capacity

Understanding License Interaction

The some licenses interact with each other, and may require some equality.

lAP/PEFNG and RFProtect must be equal.

nAll active APs run AP/PEFNG and RFProtect services (if enabled). If they are not equal, the number of

active APs are restricted to the minimum of the AP/PEFNG and RFProtect license count.

It is not possible to designate specific APs for RFProtect/non-RFProtect operations.

nMesh portals/mesh points with no virtual APs, do not consume am RFProtect license

lIf a Mesh node is also configured for client service (for example, it advertises a BSSID ), it consumes one AP

license.

lRemote APs consume licenses the same as campus APs.

lACR Interaction

nOn a platform that supports 2048 IPsec tunnels, the maximum number of Suite B IPsec tunnels

supported is 2048, even if a larger capacity license is installed.

nThe ACR license is cumulative. If you want to support 2048 Suite B connections, install two ACR licenses

(LIC-ACR-1024).

nAn evaluation ACR license is available (EVL-ACR-1024). You can install the ACR evaluation license with a

higher capacity than the platform maximum.

nOn a platform that supports 2048 IPsec tunnels, with a LIC-ACR-512 installed, only 512 IPsec tunnels can

be terminated using Suite B encryption. An additional 1536 IPsec tunnels, using non-Suite B modes (for

example, AES-CBC), can still be supported.

nOn a platform with LIC-ACR-512 installed, a mixture of IPsec and 802.11i Suite B connections can be

supported. The combined number of these sessions may not exceed 512.

nA single client using both 802.11i Suite B and IPsec Suite B simultaneously will consume two ACR

licenses.

License Installation Best Practices and Exceptions

lBack up the controller’s configuration (backup flash command) and back up the License database (license

export filename) before making any changes.

(host) #backup flash

Please wait while we tar relevant files from flash...

Please wait while we compress the tar file...

Checking for free space on flash...

Copying file to flash...

File flashbackup.tar.gz created successfully on flash.

Please copy it out of the switch and delete it when done.

(host) #license export licensebackup.db

Successfully exported 1 licenses from the License Database to licensebackup.db

lAllow for the maximum quantity required at any given time.

lWhen calculating AP licenses, determine the normal AP load of your controller and add a backup load for

failure scenarios.

lUse 20 users per AP as a reasonable estimate when calculating user licenses. Do not forget to consider

occasional large assemblies or gatherings.

Installing a License

The Dell licensing system is controller-based. A license key is a unique alphanumerical string generated using

the controller’s serial number and is valid only for that controller only. Licenses can be pre-installed at the

factory so that all licensed features are available upon initial setup. You can also install license features

yourself.

It is recommended that you obtain a user account on the Dell Software License Management website

even if software license keys are preinstalled on your controller.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Software Licenses | 144

145 | Software Licenses Dell Networking W-Series ArubaOS 6.4.x| User Guide

Enabling a new license on your controller

The basic steps to installing and enabling a new license feature are listed below along with a reference to a

section in this document with more detailed information.

1. Obtain a valid Dell software license from your sales account manager or authorized reseller (see Requesting

a Software License in Email on page 145).

2. Locate the system serial number of your controller (see Locating the System Serial Number on page 145).

3. Use your system’s serial number to obtain a software license key from the Dell Software License

Management website.licensing.dell-pcw.com (see Obtaining a Software License Key on page 145).

4. Enter the software license key via the controller’s WebUI using one of the following procedures

lnavigate to Configuration > Network > Controller > System Settings page and select the License

tab.Enter the software license key and click Apply (see Applying the Software License Key in the WebUI

on page 146).

lLaunch the License Wizard from the Configuration tab and click New. Enter the software license key in

the space provided (see Applying the Software License Key in the License Wizard on page 146).

Requesting a Software License in Email

To obtain either a permanent or a evaluation software license, contact your sales account manager or

authorized reseller. The license details are provided via email with an attached text file. Use the text file to cut

and paste the licensing information into the WebUI or at the command line.

Ensure that you have provided your sales person with a valid email address.

The email also includes:

lThe orderable part number for the license

lA description of the software module type and controller for which it is valid

lA unique, 32-character alphanumerical string used to access the license management website and which, in

conjunction with the serial number of your controller, generates a unique software license key

Locating the System Serial Number

Each controller has a unique serial number located at the rear of the controller chassis. The W-6000M3 has the

serial number on the device itself.

You can also find the serial numbers by navigating to the Controller > Inventory page on the WebUI or by

executing the show inventory command from the CLI.

To physically inspect the system serial number on a W-6000M3 , you need to remove the device from the controller

chassis, which may result in network down time.

Obtaining a Software License Key

To obtain a software license key, you must log in to the Dell License Management website. If you are a first

time user of the licensing site, you can use the software license certificate ID number to log in initially and

request a user account. If you already have a user account, log in to the site.

Once logged in, you are presented with several options:

lActivate a certificate: Activate a new certificate and create the software license key that you will apply to

your controller.

lTransfer a certificate: Transfer a software license certificate ID from one controller to another (for

example, transferring licenses to a spare system).

lImport preloaded certificates: For controllers on which licenses are pre-installed at the factory. transfer

all software license certificate IDs used on the sales order to this user account.

lList your certificates: View all currently available and active software license certificates for your account.

Creating a Software License Key

To create a software license key, you must log to to the Dell License Management website at:

licensing.dell-pcw.com/

If you are a first time user of the licensing site, you can use the software license certificate ID number to log in

initially and request a user account. If you already have a user account, log in to the site.

1. Select Activate a Certificate.

2. Enter the certificate ID number and the system serial number of your controller.

3. Review the license agreement and select Yes to accept the agreement.

4. Click Activate it. A copy of the transaction and the software license key is emailed to you at the email

address you entered for your user account

The software license key is valid only for the system serial number for which you activated the certificate.

Applying the Software License Key in the WebUI

To enable the software module and functionality, you must apply the software license key to your controller.

1. Log in to your controller’s WebUI.

2. Navigate to the Configuration > Network > Controller > System Settings page and select the License

tab.

3. Copy the software license key, from your email, and paste it into the Add New License Key field.

4. Click Add.

Applying the Software License Key in the License Wizard

1. Launch the License Wizard from the Configuration tab and click New .

2. The License Wizard help walk you through the activation process. Click the Help tab within the License

Wizard for additional assistance.

Deleting a License

To remove a license from a system:

1. Navigate to the Configuration > Network > Controller > System Settings page and select the License

tab.

2. Scroll down to the License Table and locate the license you want to delete.

3. Click Delete at the far right hand side of the license to delete the license.

If a license feature is under an evaluation license, it will not generate a key is generated when the feature is

deleted.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Software Licenses | 146

147 | Software Licenses Dell Networking W-Series ArubaOS 6.4.x| User Guide

Moving Licenses

It may be necessary to move licenses from one controller to another or to delete a license for future use. To

move licenses, delete the license from the chassis as described inDeleting a License on page 146. Then install

the license key on the new controller as described in Applying the Software License Key in the WebUI on page

146.

ArubaOS provides the ability to move a license from one controller to another, for maximum flexibility in managing

an organization’s network and to minimize an RMA impact. Dell monitors and detects license fraud. Abnormally high

volumes of license transfers for the same license certificate to multiple controllers can indicate a breach of the Dell

end user software license agreement and will be investigated.

Resetting the Controller

Rebooting or resetting a controller has no effect on either a permanent or a evaluation license.

Issuing the write erase command on a controller running software licenses does not affect the license key

management database on the controller.

Issuing the write erase all command resets the controller to factory defaults, and deletes all databases on the

controller, including the license key management database. You must reinstall all previously-installed license

keys.

On a W-7200 Series controller, you can reset controller using the LCD screen. Issuing the Factory Default

option under the Maintenance menu returns the controller to the factory default settings. For more

information about the LCD menu, see Using the LCD Screen on page 99.

Dell Networking W-Series ArubaOS 6.4.x| User Guide Network Configuration Parameters | 148

Chapter 4

Network Configuration Parameters

The following topics in this chapter describe some basic network configuration on the controller:

lConfiguring VLANs on page 148

lConfiguring Ports on page 155

lUnderstanding VLAN Assignments on page 157

lConfiguring Static Routes on page 165

lConfiguring the Loopback IP Address on page 165

lConfiguring the Controller IP Address on page 166

lConfiguring GRE Tunnels on page 167

lJumbo Frame Support on page 171

Configuring VLANs

The controller operates as a layer-2 switch that uses a VLAN as a broadcast domain. As a layer-2 switch, the

controller requires an external router to route traffic between VLANs. The controller can also operate as a layer-

3 switch that can route traffic between VLANs defined on the controller.

You can configure one or more physical ports on the controller to be members of a VLAN. Additionally, each

wireless client association constitutes a connection to a virtual port on the controller, with membership in a

specified VLAN. You can place all authenticated wireless users into a single VLAN or into different VLANs,

depending upon your network. VLANs can remain inside the controller, or they can extend outside the

controller through 802.1q VLAN tagging.

You can optionally configure an IP address and netmask for a VLAN on the controller. The IP address is up

when at least one physical port in the VLAN is up. The VLAN IP address can be used as a gateway by external

devices; packets directed to a VLAN IP address that are not destined for the controller are forwarded according

to the controller’s IP routing table.

Creating and Updating VLANs

You can create and update a single VLAN or bulk VLANs.

In the WebUI

1. Navigate to the Configuration > Network > VLANs page.

2. Click Add a VLAN to create a new VLAN. (To edit an existing VLAN, click Edit for the VLAN entry.) See

Creating Bulk VLANs In the WebUI on page 149 to create a range of VLANs.

3. In the VLAN ID field, enter a valid VLAN ID. (Valid values are from 1 to 4094, inclusive).

4. To add physical ports to the VLAN, select Port. To associate the VLAN with specific port-channels, select

Port-Channel.

5. (Optional) Click the Wired AAA Profile drop-down list to assign an AAA profile to a VLAN. This wired AAA

profile enables role-based access for wired clients connected to an untrusted VLAN or port on the

controller.

Note that this profile will only take effect if the VLAN or port on the controller is untrusted. If you do not

assign a wired AAA profile to the VLAN, the global wired AAA profile applies to traffic from untrusted wired

ports.

149 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

6. If you selected Port in step 4, select the ports you want to associate with the VLAN from the Port

Selection window.

If you selected Port-Channel in step 4, click the Port-Channel ID drop-down list, select the specific

channel number you want to associate with the VLAN, then select the ports from the Port Selection

window.

7. Click Apply.

In the CLI

Use the following commands:

(host)(config) #vlan <id>

(host)(config) #interface fastethernet|gigabitethernet <slot>/<port>

(host)(config-if) #switchport access vlan <id>

Creating Bulk VLANs In the WebUI

1. To add multiple VLANs at one time, click Add Bulk VLANs.

2. In the VLAN Range pop-up window, enter a range of VLANs you want to create at once. For example, to

add VLAN IDs numbered 200-300 and 302-350, enter 200-300, 302-350.

3. Click OK.

4. To add physical ports to a VLAN, click Edit next to the VLAN you want to configure and click the port in the

Port Selection section.

5. Click Apply.

In the CLI

Use the following commands:

(host)(config) #vlan

(host)(config) #vlan range 200-300,302-350

Creating a VLAN Pool

You can create, update, and delete a VLAN pool. Each VLAN pool has a name and needs to have one or more

VLANs assigned to it. The following configurations create a VLAN Pool named mygroup. It has the assignment

type Even, and VLAN IDs 2, 4 and 12 are assigned to this pool.

ArubaOS supports maximum of 256 VLANs per VLAN Pool.

Using the WebUI

1. Navigate to Configuration > Network > VLANs.

2. Select the VLAN Pool tab to open the VLAN Pool window.

3. Click Add.

4. In the VLAN Name field, enter a name that identifies this VLAN pool.

5. In the Assignment Type field, select Hash or Even from the drop-down list. See Distinguishing Between

Even and Hash Assignment Types on page 150 for information and conditions regarding Hash and Even

assignment types.

The Even VLAN pool assignment type is only supported in tunnel and dtunnel modes. It is not supported in split or

bridge modes. It is not allowed for VLAN pools that are configured directly under a virtual AP (VAP). It must only be

used under named VLANs. L2 Mobility is not compatible with the existing implementation of the Even VLAN pool

assignment type.

6. Check the Pool check box if you want the VLAN to be part of a pool.

7. In the List of VLAN IDs field, enter the VLAN IDs you want to add to this pool. If you know the ID, enter

each ID separated by a comma. You can also click the drop-down list to view the IDs, then click the <-- arrow

to add the ID to the pool.

VLAN pooling should not be used with static IP addresses.

8. You must add two or more VLAN IDs to create a pool.

9. When you finish adding all the IDs, click Add.

The VLAN pool along with its assigned IDs appears on the VLAN Pool window. If the pool is valid, its status is

enabled.

Figure 14 Creating a VLAN Pool

10.Click Apply.

11.At the top of the window, click Save Configuration.

Distinguishing Between Even and Hash Assignment Types

The VLAN assignment type determines how the controller handles a VLAN assignment.

The Hash assignment type means that the VLAN assignment is based on the station MAC address. The Even

assignment type is based on an even distribution of VLAN pool assignments.

The Even VLAN Pool assignment type maintains a dynamic latest usage level of each VLAN ID in the pool.

Therefore, as users age out, the number of available addresses increases. This leads to a more even distribution

of addresses.

The Even type is only supported in tunnel and dtunnel modes. It is not supported in split or bridge modes and

it is not allowed for VLAN pools that are configured directly under a virtual AP. It can only be used under

named VLANs.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 150

151 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

If a VLAN pool is given an Even assignment and is assigned to user roles, user rules, VSA, or server derivation

rules, then while applying VLAN derivation for the client “on run time,” the Even assignment is ignored and the

Hash assignment is applied with a message displaying this change.

L2 Mobility is not compatible with the existing implementation of the Even VLAN pool assignment type.

Updating a VLAN Pool

1. On the VLAN Pool window, click Modify next to the VLAN name you want to edit.

2. Modify the assighment type and the list of VLAN IDs. Note that you can not modify the VLAN name.

3. Click Update.

4. Click Apply.

5. At the top of the window, click Save Configuration.

Deleting a VLAN Pool

1. On the VLAN Pool window, click Delete next to the VLAN name you want to delete. A prompt appears.

2. Click OK.

3. Click Apply.

4. At the top of the window, click Save Configuration.

Creating a VLAN Pool Using the CLI

VLAN pooling should not be used with static IP addresses.

This example creates a VLAN pool named mygroup that has the assignment type even.

(host)(config) #vlan-name mygroup pool assignment even

Viewing and Adding VLAN IDs Using the CLI

The following example shows how to view VLAN IDs in a VLAN pool:

(host) #configure terminal

Enter Configuration commands, one per line. End with CNTL/Z

(host)(config) #show vlan

VLAN CONFIGURATION

------------------

VLAN Description Ports

---- ----------- -----

1 Default FE1/0-3 FE1/6 GE1/8

2 VLAN0002

4 VLAN0004

12 VLAN0012

210 VLAN0210

212 VLAN0212 FE1/5

213 VLAN0213 FE1/4

1170 VLAN1170 FE1/7

The following example shows how to add existing VLAN IDs to a VLAN pool:

(host) #configure terminal

Enter Configuration commands, one per line. End with CNTL/Z

(host)(config) #vlan-name mygroup pool

(host)(config) #vlan mygroup 2,4,12

(host)(config) #

To confirm the VLAN pool status and mappings assignments, use the show vlan mapping command:

(host)(config) #show vlan mapping

Vlan Mapping Table

------------------

VLAN Name Pool Status Assignment Type VLAN IDs

--------- ----------- --------------- --------

mygroup Enabled Hash 62,94

newpoolgroup Enabled Even

vlannametest Enabled Even 62,1511

Role Derivation for Named VLAN Pools

You can configure Named VLANs under user rule, server derivation, user derivation, and VSA in this release.

.You cannot modify a VLAN name, so choose the name carefully.

Named VLANs (single VLAN IDs or VLAN pools) can only be assigned to tunnel mode VAP’s and wired profiles.

They can also be assigned to user roles, user rule derivation, server derivation, and VSA for tunnel and bridge

mode.

For tunnel mode, VLAN pools that have the assignment type “hash” and “even” are supported.

For bridge mode only, VLAN pools with the assignment type “hash” are supported. If a VLAN pool with “even”

assignment is assigned to a user rule, user role, server derivation or VSA, than the “hash” assignment is applied

and the following error message displays:

"vlan pool assignment type EVEN not supported for bridge. Applying HASH algorithm to retrieve vlan-id"

Note that L2 roaming is not supported with an even VLAN assignment.

In the CLI

To apply a named VLAN pool name in a user rule, use the existing CLI commands:

(host)(config) #aaa derivation-rules

(host)(config) #aaa derivation-rules user <string>

(host)(config) #aaa derivation-rules user test-user-rule

(host)(user-rule) #set vlan

To apply a named VLAN pool in a user role, use the existing CLI commands:

(host)(config) #user-role test-vlan-name

(user)(config-role) #vlan test-vlan

To apply a named VLAN pool in server derivation, use the CLI commands:

(host)(config) #aaa server-group test-vlan-server-group

(user)(Server Group "test-vlan-server-group") set vlan

For a named VLAN derivation using VSA, configure the RADIUS server using these values:

Aruba-Named-UserVLAN 9 String Aruba 14823

In the WebUI

To apply a named VLAN pool in a user rule, navigate to the WebUI page:

Security > Authentication > User Rules

To apply a named VLAN pool in a user role, navigate to the WebUI page:

Security > Access Control > User Roles > Add or Edit Role

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 152

153 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

To apply a named VLAN pool in a server derivation (server group), navigate to the WebUI page:

Security > Authentication> Servers > Server Group > <server-group_name> >Server Rules

Creating a Named VLAN not in a Pool

The following configuration assigns the name myvlan to the VLAN ID 94:

In the WebUI

1. Navigate to Configuration > Network > VLANs.

2. Select the VLAN Pooltab to open the VLAN Pool window.

3. Click Add.

4. In the VLAN Name field, enter a name that identifies this VLAN.

5. Make sure the Pool field is unchecked. The Assignment Type is grayed out as this field applies only to

VLAN pools.

Figure 15 Named VLAN not in a Pool

6. In the List of VLAN IDs field, enter the VLAN ID you want to name. If you know the ID, enter the ID. You

can also click the drop-down list to view the IDs, then click the <-- arrow to add the ID to the pool.

7. Click Apply.

In the CLI

This example assigns a name to an existing VLAN ID.

(host)(config) #vlan-name myvlan

(host)(config) #vlan myvlan 94

This example assigns a VLAN name in a virtual AP:

(host)(config) #wlan virtual-ap default vlan mygroup

This example assigns a VLAN name in a wired profile for access VLAN:

(host)(Wired AP profile "default") #switchport access vlan mygroup

This example assigns a VLAN name in a wired profile for a trunk VLAN and an allowed VLAN:

(host)(Wired AP profile "default") #switchport access vlan mygroup

(host)(config) #ap wired-ap-profile default switchport trunk ?

allowed Set allowed VLAN characteristics when interface is

in trunking mode

native Set trunking native characteristics when interface

is in trunking mode

(host)(config) #ap wired-ap-profile default switchport trunk native vlan mynativevlan

(host)(config) #ap wired-ap-profile default switchport trunk allowed vlan myallowedvlan

Adding a Bandwidth Contract to the VLAN

Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. ArubaOS includes an internal

exception list to allow broadcast and multicast traffic using the VRRP, LACP, OSPF, PVST, and STP protocols. To

remove per-VLAN bandwidth contract limits on an additional broadcast or multicast protocol, add the MAC

address for that broadcast/multicast protocol to the VLAN Bandwidth Contracts MAC Exception List.

The command in the example below adds the MAC address for CDP (Cisco Discovery Protocol) and VTP (Virtual

Trunking Protocol to the list of protocols that are not limited by VLAN bandwidth contracts.

(host)(config) #vlan-bwcontract-explist mac 01:00:0C:CC:CC:CC

To show entries in the VLAN bandwidth contracts MAC exception list, use the

show vlan-bwcontract-explist [internal]command:

(host)(config) #show vlan-bwcontract-explist internal

VLAN BW Contracts Internal MAC Exception List

---------------------------------------------

MAC address

-----------

01:80:C2:00:00:00

01:00:0C:CC:CC:CD

01:80:C2:00:00:02

01:00:5E:00:82:11

Optimizing VLAN Broadcast and Multicast Traffic

Broadcast and Multicast (BCMC) traffic from APs, remote APs, or distributions terminating on the same VLAN

floods all VLAN member ports. This causes critical bandwidth wastage, especially when the APs are connected

to an L3 cloud where the available bandwidth is limited or expensive. Suppressing the VLAN BCMC traffic to

prevent flooding can result in loss of client connectivity.

To effectively prevent flooding of BCMC traffic on all VLAN member ports, use the bcmc-optimization

parameter under the interface vlan command. This parameter ensures controlled flooding of BCMC traffic

without compromising the client connectivity. This option is disabled by default. You must enable this

parameter for the controlled flooding of BCMC traffic.

If you enable BCMC Optimization on uplink ports, the controller-generated Layer-2 packets will be dropped.

The bcmc-optimization parameter has the following exemptions:

lAll DHCP traffic will continue to flood VLAN member ports even if you enable the bcmc-optimization

parameter.

lARP broadcasts and VRRP (multicast) traffic will still be allowed.

You can configure BCMC optimization using the CLI or WebUI.

Using the CLI

(host)(config) #interface vlan 1

(host)(config-subif)#bcmc-optimization

(host)(config-subif)#show interface vlan 1

VLAN1 is up line protocol is up

Hardware is CPU Interface, Interface address is 00:0B:86:61:5B:98 (bia 00:0B:86:61:5B:98)

Description: 802.1Q VLAN

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 154

155 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

Internet address is 10.17.22.1 255.255.255.0

Routing interface is enable, Forwarding mode is enable

Directed broadcast is disabled, BCMC Optimization enable

Encapsulation 802, loopback not set

MTU 1500 bytes

Last clearing of "show interface" counters 12 day 1 hr 4 min 12 sec

link status last changed 12 day 1 hr 2 min 21 sec

Proxy Arp is disabled for the Interface

Using the WebUI

1. Navigate to Configuration > Network > IP.

2. In the IP Interfaces tab, click Edit of the VLAN for configuring BCMC optimization.

3. Select the Enable BCMC check box to enable BCMC Optimization for the selected VLAN.

Figure 16 Enable BCMC Optimization

Configuring Ports

Both Fast Ethernet and Gigabit Ethernet ports can be set to access or trunk mode. A port is in access mode

enabled by default and carries traffic only for the VLAN to which it is assigned. In trunk mode, a port can carry

traffic for multiple VLANs.

For a trunk port, specify whether the port will carry traffic for all VLANs configured on the controller or for

specific VLANs only. You can also specify the native VLAN for the port. A trunk port uses 802.1q tags to mark

frames for specific VLANs, However, frames on a native VLAN are not tagged.

Classifying Traffic as Trusted or Untrusted

You can classify wired traffic based not only on the incoming physical port and channel configuration, but also

on the VLAN associated with the port and channel.

About Trusted and Untrusted Physical Ports

Physical ports on the controller are trusted and usually connected to internal networks by default, while

untrusted ports connect to third-party APs, public areas, or other networks to which you can apply access

controls. When you define a physical port as untrusted, traffic passing through that port needs to go through a

predefined access control list policy.

About Trusted and Untrusted VLANs

You can also classify traffic as trusted or untrusted based on the VLAN interface and port or channel. This

means that wired traffic on the incoming port is trusted only when the port’s associated VLAN is also trusted;

otherwise the traffic is untrusted. When a port and its associated VLANs are untrusted, any incoming and

outgoing traffic must pass through a predefined ACL. For example, this setup is useful if your company

provides wired user guest access, and you want guest user traffic to pass through an ACL to connect to a

captive portal.

You can set a range of VLANs as trusted or untrusted in trunk mode. The following table lists the port, VLAN

and the trust/untrusted combination to determine if traffic is trusted or untrusted. Both the port and the

VLAN have to be configured as trusted for traffic to be considered as trusted. If the traffic is classified as

untrusted, then traffic must pass through the selected session access control list and firewall policies.

Port VLAN Traffic Status

Trusted Trusted Trusted

Untrusted Untrusted Untrusted

Untrusted Trusted Untrusted

Trusted Untrusted Untrusted

Table 29:

Classifying Trusted and Untrusted Traffic

Configuring Trusted/Untrusted Ports and VLANs

You can configure an Ethernet port as an untrusted access port, assign VLANs and classify them as untrusted,

and designate a policy through which VLAN traffic on this port must pass.

In the WebUI

1. Navigate to the Configuration > Network > Ports window.

2. In the Port Selection section, click the port you want to configure.

3. In the Make Port Trusted section, clear the Trusted check box to make the port untrusted. The default is

trusted (checked).

4. In the Port Mode section, select Access.

5. From the VLAN ID drop-down list, select the VLAN ID whose traffic will be carried by this port.

6. In the Enter VLAN(s) section,clear the Trusted check box to make the VLAN untrusted. The default is

trusted (checked).

7. In the VLAN Firewall Policy drop-down list, select the policy through which VLAN traffic must pass. You

can select a policy for both trusted and untrusted VLANs.

8. From the Firewall Policy section, select the policy from the in drop-down list through which inbound

traffic on this port must pass.

9. Select the policy from the out drop-down list through which outbound traffic on this port must pass.

10.To apply a policy to this session’s traffic on this port and VLAN, select the policy from the session drop-

down list.

11.Click Apply.

In the CLI

In this example,

(host)(config) #interface range fastethernet 1/2

(host)(config-if)#switchport mode access

(host)(config-if)#no trusted

(host)(config-if)#switchport access vlan 2

(host)(config-if)#no trusted vlan 2

(host)(config-if)#ip access-group ap-acl session vlan 2

(host)(config-if)#ip access-group validuserethacl in

(host)(config-if)#ip access-group validuserethacl out

(host)(config-if)#ip access-group validuser session

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 156

157 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

Configuring Trusted and Untrusted Ports and VLANs in Trunk Mode

The following procedures configure a range of Ethernet ports as untrusted native trunks ports, assign VLANs

and classify them as untrusted, and designate a policy through which VLAN traffic on the ports must pass.

In the WebUI

1. Navigate to the Configuration > Network > Ports window.

2. In the Port Selection section, click the port you want to configure.

3. For Port Mode select Trunk.

4. To specify the native VLAN, select a VLAN from the Native VLAN drop-down list and click the <-- arrow.

5. Choose one of the following options to control the type of traffic the port carries:

nAllow All VLANS Except: The port carries traffic for all VLANs except those from this drop-down list.

nAllow VLANs: The port carries traffic for all VLANs selected from this drop-down list.

nRemove VLANs: The port does not carry traffic for any VLANs selected from this drop-down list.

6. To designate untrusted VLANs on this port, click Trusted except. In the corresponding VLAN field enter a

range of VLANs that you want to make untrusted. (In this format, for example: 200-300, 401-500 and so

on). Only VLANs listed in this range are untrusted. To designate only one VLAN as untrusted, select a VLAN

from the drop-down list.

7. To designate trusted VLANs on this port, click Untrusted except. In the corresponding VLAN field, enter a

range of VLANs that you want to designate as trusted. (In this format, for example: 200-300, 401-500 and

so on). Only VLANs listed in this range are trusted. To designate only one VLAN as trusted, select a VLAN

from the drop-down menu.

8. To remove a VLAN, click the Remove VLANs option and select the VLAN you want to remove from the

drop-down list, and click the left arrow to add it back to the list.

9. To designate the policy through which VLAN traffic must pass, click New under the Session Firewall

Policy field.

10.Enter the VLAN ID or select it from the associated drop-down list. Then select the policy, through which the

VLAN traffic must pass, from the Policy drop-down list and click Add. Both the selected VLAN and the

policy appear in the Session Firewall Policy field.

11.When you are finished listing VLANs and policies, click Cancel.

12.Click Apply.

In the CLI

Use the following examples:

(host)(config) #interface fastethernet 2/0

(host)(config-if)#description FE2/

(host)(config-if)#trusted vlan 1-99,101, 104, 106-199, 201-299

(host)(config-range)# switchport mode trunk

(host) (config-if)#switchport trunk native vlan 100

(host) (config-range)# ip access-group

(host) (config-range)# ip access-group test session vlan 2

Understanding VLAN Assignments

A client is assigned to a VLAN by one of several methods, in order of precedence. The assignment of VLANs are

(from lowest to highest precedence):

1. The default VLAN is the VLAN configured for the WLAN (see Virtual AP Profiles on page 395).

2. Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID,

client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence over a rule

that derives a user role that may have a VLAN configured for it.

3. After client authentication, the VLAN can be configured for a default role for an authentication method,

such as 802.1x or VPN.

4. After client authentication, the VLAN can be derived from attributes returned by the authentication server

(server-derived rule). A rule that derives a specific VLAN takes precedence over a rule that derives a user role

that may have a VLAN configured for it.

5. After client authentication, the VLAN can be derived from Microsoft Tunnel attributes (Tunnel-Type, Tunnel

Medium Type, and Tunnel Private Group ID). All three attributes must be present as shown below. This does

not require a server-derived rule. For example:

Tunnel-Type="VLAN"(13)

Tunnel-Medium-Type="IEEE-802" (6)

Tunnel-Private-Group-Id="101"

6. After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS

server authentication. This does not require a server-derived rule. If a VSA is present, it overrides any

previous VLAN assignment. For example:

Dell-User-VLAN

Dell-Named-User-VLAN

VLAN Derivation Priorities for VLAN types

The VLAN derivation priorities for VLAN is defined below in the increasing order:

1. Default or Virtual AP VLAN

2. VLAN from Initial role

3. VLAN from User Derivation Rule (UDR) role

4. VLAN from UDR

5. VLAN from DHCP option 77 UDR role (wired clients)

6. VLAN from DHCP option 77 UDR (wired clients)

7. VLAN from MAC-based Authentication default role

8. VLAN from Server Derivation Rule (SDR) role during MAC-based Authentication

9. VLAN from SDR during MAC-based Authentication

10.VLAN from Vendor Specific Attributes (VSA) role during MAC-based Authentication

11.VLAN from VSA during MAC-based Authentication

12.VLAN from Microsoft Tunnel attributes during MAC-based Authentication

13.VLAN from 802.1X default role

14.VLAN from SDR role during 802.1X

15.VLAN from SDR during 802.1X

16.VLAN from VSA role during 802.1X

17.VLAN from VSA during 802.1X

18.VLAN from Microsoft Tunnel attributes during 802.1X

19.VLAN from DHCP options role

20.VLAN from DHCP options

A VLAN from DHCP options has highest priority for VLAN derivation. Note, however, that DHCP options are not

considered for derivation if the Aruba VSA ARUBA_NO_DHCP_FINGERPRINT (14) was sent for the user.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 158

159 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

Use the following command to display user VLAN derivation related debug information:

(host) #show aaa debug vlan user [ip | ipv6 | mac]

How a VLAN Obtains an IP Address

A VLAN on the controller obtains its IP address in one of the following ways:

lYou can manually configure it. This is the default method and is described in Assigning a Static Address to a

VLAN on page 159. At least one VLAN on the controller must be assigned a static IP address.

lDynamically assigned from a Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over

Ethernet (PPPoE) server.

Assigning a Static Address to a VLAN

You can manually assign a static IP address to a VLAN on the controller. At least one VLAN on the controller a

static IP address.

In the WebUI

1. Navigate to the Configuration > Network > IP > IP Interfaces page on the WebUI. Click Edit for the

VLAN you just added.

2. Select the Use the following IP address option. Enter the IP address and network mask of the VLAN

interface. If required, you can also configure the address of the DHCP server for the VLAN by clicking Add.

3. Click Apply.

In the CLI

(host)(config) #interface vlan <id>

ip address <address> <netmask>

Configuring a VLAN to Receive a Dynamic Address

In a branch office, you can connect a controller to an uplink switch or server that dynamically assigns IP

addresses to connected devices. For example, you can connect the controller to a DSL or cable modem, or a

broadband remote access server (BRAS). The following figure shows a branch office where a controller

connects to a cable modem. VLAN 1 has a static IP address, while VLAN 2 has a dynamic IP address assigned via

DHCP or PPPoE from the uplink device.

Figure 17 IP Address Assignment to VLAN via DHCP or PPPoE

Configuring Multiple Wired Uplink Interfaces (Active-Standby)

You can assign up to four VLAN interfaces to operate in active-standby topology. An active-standby topology

provides redundancy so that when an active interface fails, the user traffic can failover to the standby

interface.

To allow the controller to obtain a dynamic IP address for a VLAN, enable the DHCP or PPPoE client on the

controller for the VLAN.

The following restrictions apply when enabling the DHCP or PPPoE client on the controller:

lYou can enable the DHCP/PPPoE client multiple uplink VLAN interfaces (up to four) on the controller; these

VLANs cannot be VLAN 1.

lOnly one port in the VLAN can be connected to the modem or uplink switch.

lAt least one interface in the VLAN must be in the up state before the DHCP/PPPoE client requests an IP

address from the server.

Enabling the DHCP Client

The DHCP server assigns an IP address for a specified amount of time called a lease. The controller

automatically renews the lease before it expires. When you shut down the VLAN, the DHCP lease is released.

In the WebUI

1. Navigate to the Configuration > Network > IP > IP Interfaces page.

2. Click Edit for a previously-created VLAN.

3. Select Obtain an IP address from DHCP.

4. Enter a priority value for the VLAN ID in the Uplink Priority field. All wired uplink interfaces have the same

priority by default. If you want to use an active-standby topology, then prioritize each uplink interfaces by

entering a different priority value (1– 4) for each uplink interface.

Figure 18 Assigning VLAN Uplink Priority—Active-Standby Configuration

5. Click Apply.

In the CLI

In this example, the DHCP client has the client ID name myclient, and the interface VLAN 62 has an uplink

priority of 2:

interface vlan 62

uplink wired vlan 62 priority 2

interface vlan 62 ip address dhcp-client client-id myclient

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 160

161 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

Enabling the PPPoE Client

To authenticate the BRAS and request a dynamic IP address, the controller must have the following configured:

lPPPoE user name and password to connect to the DSL network

lPPPoE service name: either an ISP name or a class of service configured on the PPPoE server

When you shut down the VLAN, the PPPoE session terminates.

In the WebUI

1. Navigate to the Configuration > Network > IP > IP Interfaces page.

2. Click Edit for a previously-created VLAN.

3. Select Obtain an IP address with PPPoE.

4. Enter the service name, username, and password for the PPPoE session.

5. Enter a priority value for the VLAN ID in the Uplink Priority field. All wired uplink interfaces have the same

priority by default. If you want to use an active-standby topology, then prioritize each uplink interfaces by

entering a different priority value (1– 4) for each uplink interface.

6. Click Apply.

In the CLI

In this example, a PPoE service name, username, and password are assigned, and the interface VLAN 14 has an

uplink priority of 3:

(host)(config) #interface vlan 14

ip address pppoe

(host)(config) #interface vlan 14 ip pppoe-service-name <service_name>

(host)(config) #interface vlan 14 ip pppoe-username <username>

(host)(config) #(host) (config) #interface vlan 14 ip pppoe-password *****

(host)(config) #uplink wired vlan 14 priority 3

Default Gateway from DHCP/PPPoE

You can specify that the router IP address obtained from the DHCP or PPPoE server be used as the default

gateway for the controller.

In the WebUI

1. Navigate to the Configuration > Network > IP > IP Routes page.

2. For Default Gateway, select (Obtain an IP address automatically).

3. Click Apply.

In the CLI

(host) (config) #ip default-gateway import

Configuring DNS/WINS Server from DHPC/PPPoE

The DHCP or PPPoE server can also provide the IP address of a DNS server or NetBIOS name server, which can

be passed to wireless clients through the controller’s internal DHCP server.

For example, the following configures the DHCP server on the controller to assign addresses to authenticated

employees; the IP address of the DNS server obtained by the controller via DHCP/PPPoE is provided to clients

along with their IP address.

In the WebUI

1. Navigate to the Configuration > Network > IP > DHCP Server page.

2. Select Enable DCHP Server.

3. Under Pool Configuration, select Add.

4. For Pool Name, enter employee-pool.

5. For Default Router, enter 10.1.1.254.

6. For DNS Servers, select Import from DHCP/PPPoE.

7. For WINS Servers, select Import from DHCP/PPPoE.

8. For Network, enter 10.1.1.0 for IP Address and 255.255.255.0 for Netmask.

9. Click Done.

In the CLI

Use the following commands:

(host)(config) #ip dhcp pool employee-pool

d>efault-router 10.1.1.254

d>ns-server import

netbios-name-server import

network 10.1.1.0 255.255.255.0

Configuring Source NAT to Dynamic VLAN Address

When a VLAN interface obtains an IP address through DHCP or PPPoE, a NAT pool (dynamic-srcnat) and a

session ACL (dynamic-session-acl) are automatically created which reference the dynamically-assigned IP

addresses. This allows you to configure policies that map private local addresses to the public address(es)

provided to the DHCP or PPPoE client. Whenever the IP address on the VLAN changes, the dynamic NAT pool

address also changes to match the new address.

For example, the following rules for a guest policy deny traffic to internal network addresses. Traffic to other

(external) destinations are source NATed to the IPaddress of the DHCP/PPPoE client on the controller.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page. Click Add to add the policy

guest.

2. To add a rule, click Add.

a. For Source, select any.

b. For Destination, select network and enter 10.1.0.0 for Host IP and 255.255.0.0 for Mask.

c. For Service, select any.

d. For Action, select reject.

e. Click Add.

3. To add another rule, click Add.

a. Leave Source, Destination, and Service as any.

b. For Action, select src-nat.

c. For NAT Pool, select dynamic-srcnat.

d. Click Add.

4. Click Apply.

In the CLI

Use the following commands:

(host)(config) #ip access-list session guest

any network 10.1.0.0 255.255.0.0 any deny

any any any src-nat pool dynamic-srcnat

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 162

163 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

Configuring Source NAT for VLAN Interfaces

The example configuration in the previous section illustrates how to configure source NAT using a policy that is

applied to a user role. You can also enable source NAT for a VLAN interface to perform NAT on the source

address for all traffic that exits the VLAN.

Packets that exit the VLAN are given a source IP address of the “outside” interface, which is determined by the

following:

lIf you configure “private” IP addresses for the VLAN, the controller is assumed to be the default gateway for

the subnetwork. Packets that exit the VLAN are given the IP address of the controller for their source IP

address.

lIf the controller is forwarding the packets at Layer-3, packets that exit the VLAN are given the IP address of

the next-hop VLAN for their source IP address.

Do not enable the NAT translation for inbound traffic option for VLAN 1, as this will prevent IPsec connectivity

between the controller and its IPsec peers.

Example Configuration

In the following example, the controller operates within an enterprise network. VLAN 1 is the outside VLAN,

and traffic from VLAN 6 is source NATed using the IP address of the controller. The IP address assigned to

VLAN 1 is used as the controller’s IP address; thus traffic from VLAN 6 would be source NATed to 66.1.131.5:

Figure 19 Example: Source NAT using Controller IP Address

In the WebUI

1. Navigate to the Configuration > Network > VLANs page. Click Add to configure VLAN 6 (VLAN 1 is

configured through the Initial Setup).

a. Enter 6for the VLAN ID.

b. Click Apply.

2. Navigate to the Configuration > Network > IP > IP Interfaces page.

3. Click Edit for VLAN 6:

a. Select Use the following IP address.

b. Enter 192.168.2.1 for the IP Address and 255.255.255.0 for the Net Mask.

c. Select the Enable source NAT for this VLAN checkbox.

4. Click Apply.

In the CLI

Use the following commands:

(host)(config) #interface vlan 1

ip address 66.1.131.5 255.255.255.0

(host)(config) #interface vlan 6

(host)(config) #ip address 192.168.2.1 255.255.255.0

ip nat inside

ip default-gateway 66.1.131.1

Inter-VLAN Routing

On the controller, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and a netmask,

or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the VLAN interface.

The controller, acting as a layer-3 switch, routes traffic between VLANs that are mapped to IP subnetworks; this

forwarding is enabled by default.

In Figure 20, VLAN 200 and VLAN 300 are assigned the IP addresses 2.1.1.1/24 and 3.1.1.1/24, respectively.

Client A in VLAN 200 is able to access server B in VLAN 300 and vice-versa, provided that there is no firewall rule

configured on the controller to prevent the flow of traffic between the VLANs.

Figure 20 Default Inter-VLAN Routing

You can optionally disable layer-3 traffic forwarding to or from a specified VLAN. When you disable layer-3

forwarding on a VLAN, the following restrictions apply:

lClients on the restricted VLAN can ping each other, but cannot ping the VLAN interface on the controller.

Forwarding of inter-VLAN traffic is blocked.

lIP mobility does not work when a mobile client roams to the restricted VLAN. You must ensure that a

mobile client on a restricted VLAN is not allowed to roam to a non-restricted VLAN. For example, a mobile

client on a guest VLAN will not be able to roam to a corporate VLAN.

To disable layer-3 forwarding for a VLAN configured on the controller:

Using the WebUI to restrict VLAN routing

1. Navigate to the Configuration > Network > IP > IP Interface page.

2. Click Edit for the VLAN for which routing is to be restricted.

3. Configure the VLAN to either obtain an IP address dynamically (via DHCP or PPPoE) or to use a static IP

address and netmask.

4. Deselect (uncheck) the Enable Inter-VLAN Routing checkbox.

5. Click Apply.

Using the CLI

Use the following commands:

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 164

165 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

interface vlan <id>

ip address {<ipaddr> <netmask>|dhcp-client|pppoe}

no ip routing

Configuring Static Routes

To configure a static route (such as a default route) on the controller, do the following:

In the WebUI

1. Navigate to the Configuration > Network > IP > IP Routes page.

2. Click Add to add a static route to a destination network or host. Enter the destination IP address and

network mask (255.255.255.255 for a host route) and the next hop IP address.

3. Click Done to add the entry. Note that the route has not yet been added to the routing table.

4. Click Apply .. The message Configuration Updated Successfully confirms that the route has been

added.

In the CLI

Use the following examples:

(host)(config) #ip route <address> <netmask> <next_hop>

Configuring the Loopback IP Address

The loopback IP address is a logical IP interface that is used by the controller to communicate with APs. The

loopback address is used as the controller’s IP address for terminating VPN and GRE tunnels, originating

requests to RADIUS servers, and accepting administrative communications. You configure the loopback

address as a host address with a 32-bit netmask. The loopback address is not bound to any specific interface

and is operational at all times. To use this interface, ensure that the IP address is reachable through one of the

VLAN interfaces. It will be routable from all external networks.

You must configure a loopback address if you are not using VLAN1 to connect the controller to the network. If

you do not configure the loopback interface address, then the first configured VLAN interface address is

selected. Generally, VLAN 1 is the factory default setting and thus becomes the controller IP address.

In the WebUI

1. Navigate to the Configuration > Network > Controller > System Settings page and locate the

Loopback Interface section.

2. Modify the IP Address as required.

3. Click Apply.

If you are use the loopback IP address to access the WebUI, changing the loopback IP address will result in loss of

connectivity. It is recommended that you use one of the VLAN interface IP addresses to access the WebUI.

4. Navigate to the Maintenance > Controller > Reboot Controller page to reboot the controller to apply

the change of loopback IP address.

5. Click Continue to save the configuration.

6. When prompted that the changes were written successfully to flash, click OK.

7. The controller boots up with the changed loopback IP address.

In the CLI

Use the following commands:

(host)(config) #interface loopback ip address <address>

(host)(config) #write memory

Enter the following command in Enable mode to reboot the controller :

(host) #reload

Configuring the Controller IP Address

The Controller IP address is used by the controller to communicate with external devices such as APs.

IP addresses used by the controller is not limited to the controller IP address.

You can set the Controller IP address to the loopback interface address or to an existing VLAN ID address. This

allows you to force the controller IP address to be a specific VLAN interface or loopback address across multiple

machine reboots. Once you configure an interface to be the controller IP address, that interface address

cannot be deleted until you remove it from the controller IP configuration.

If the controller IP address is not configured then the controller IP defaults to the current loopback interface

address. If the loopback interface address is not configured then the first configured VLAN interface address is

selected. Generally, VLAN 1 is the factory default setting and thus becomes the controller IP address.

Using the WebUI:

1. Navigate to Configuration > Network > Controller > System Settings page.

2. Locate the Controller IP Details section.

3. Select the address you want to set the Controller IP to from the VLAN ID drop-down list. This list contains

only VLAN IDs that have statically assigned IP addresses. If you have previously configured a loopback

interface IP address, then it will also appear in this list. Dynamically assigned IP addresses such as

DHCP/PPPOE do not display.

4. Click Apply.

Any change in the controller’s IP address requires a reboot.

5. Navigate to the Maintenance > Controller > Reboot Controller page to reboot the controller to apply

the change of controller IP address.

6. Click Continue to save the configuration.

7. When prompted that the changes were written successfully to flash, click OK.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 166

167 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

8. The controller boots up with the changed controller IP address. of the selected VLAN ID.

Using the CLI

(host)(config) #controller-ip [loopback|vlan <VLAN ID>]

Configuring GRE Tunnels

A controller supports generic routing encapsulation (GRE) tunnels between the controller and APs. An AP opens

a GRE tunnel to the controller for each radio interface. On the AP, the other end of the GRE tunnel is specified

by the IP address configured and the variable values (in descending order of priority): <master>,<servername>,

and <serverip>. If these variable are left to default values, the AP uses DNS to look up Dell-master to discover

the IP address of the controller.

The controller also supports GRE tunnels between the controller and other GRE-capable devices. Static IPv6

L2/L3 GREtunnelscan be established between Dell devices and other devices that support IPv6 GRE tunnel.

IPv4 and IPv6 L2 GRETunnels carry both IPv6 and IPv4 traffic, and the IPv6 traffic can be redirected over the

IPv4 L3 GRETunnel. This section describes how to configure a GRE tunnel to such a device, and how to direct

traffic into the tunnel.

The controller uses GREtunnels for communication between master and local controllers; these GREtunnels are

automatically created and are not subject to the configuration described in this section. This feature is supported

only in IPv4.

If a VLANinterface has multiple IPv6 addresses configured, one of them is used as the tunnel source IPv6 address. If

the selected IPv6 address is deleted from the VLAN interface, then the tunnel source IPis re-configured with the next

available IPv6 address.

Important Points to Remember

lBy default a GRE Tunnel Interface is in IPv4 L3 mode.

lIPv6 configurations will be allowed on an IPv4 Tunnel only if the tunnel mode is set to IPv6. Similarly, IPv4

configurations will be allowed on an IPv6 Tunnel only if the tunnel mode is set to IP.

Limitations

ArubaOS does not support the following functions for Static IPv6 GRETunnels:

lIPv6 Auto configuration and IPv6 Neighbor Discovery mechanisms do not apply to IPv6 tunnels.

lNo support for Tunnel encapsulation limit and MTU discovery options on the IPv6 tunnels.

lYou cannot use IPv6 GRE for a master-local setup as IPSec is not supported in this release.

Creating a Tunnel Interface

To create a GRE tunnel on the controller, you need to specify the following:

lTunnel ID: a number between 1 and 2147483647.

lIP address and netmask for the tunnel.

lTunnel source: the local endpoint for the tunnel on the controller. This can be one of the following:

nLoopback address of the controller

nA specified IP address

nA specified VLAN

nController-IP

nIPAddress

lTunnel destination: the IP address of the remote endpoint of the tunnel on the other GRE device.

To create a L3 GRE tunnel on the controller, you need to specify the following:

lIP version : IPv4\IPv6

lTunnel ID: this can be a number between 1 and 2147483647.

lMode: Select L3

lIP Address and netmask for the tunnel.

lTunnel source: the local endpoint for the tunnel on the controller. This can be one of the following:

nLoopback address of the controller

nA specified IP address

nA specified VLAN

nController-IP

nIPAddress

In the WebUI

1. Navigate to the Configuration > Network > IP > GRE Tunnels page.

2. Click Add.

3. Enter the tunnel ID.

4. Enter the IP address and netmask for the tunnel.

5. Select Enabled to enable the tunnel interface.

6. Select the tunnel source, if it is not the loopback address of the controller. If you select IP Address, enter

the IP address for the tunnel source. If you select VLAN, select the ID of the VLAN.

7. Enter the IP address of the tunnel destination.

8. Click Apply.

In the CLI

Use the following commands:

(host)(config) #interface tunnel <number>

description <string>

inter-tunnel-flooding

ip address <ipaddr> <ipmask>|internal

ipv6 address <X:X:X:X::X>

mtu <mtu>

no ...

shutdown

trusted

tunnel destination {<A.B.C.D>|ipv6 <X:X:X:X::X>}|keepalive <interval>|<retries>|mode gre

{<num>|ip|ipv6}|source {<A.B.C.D>|controller-ip|ipv6 {X:X:X:X::X|controller-

ip|loopback|vlan <vlan id>}|loopback|vlan <vlan id>}|vlan <vlan id>}

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 168

169 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

Directing Traffic into the Tunnel

You can direct traffic into the tunnel by configuring one of the following:

lStatic route, which redirects traffic to the IP address of the tunnel

While redirecting traffic through L3 GRETunnel the controller's tunnel IPaddress should be used as the next-

hop,instead of providing the destination IP address.

lFirewall policy (session-based ACL), which redirects traffic to the specified tunnel ID

Static Routes

You can configure a static route that specifies the IP address of a tunnel as the next-hop for traffic for a specific

destination. See Configuring Static Routes on page 165 for descriptions of how to configure a static route.

Firewall Policy

You can configure a firewall policy rule to redirect selected traffic into a tunnel.

Traffic redirected by a firewall policy rule is not forwarded to a tunnel that is “down” (see Tunnel Keepalives on

page 169 for more information on how GRE tunnel status is determined).

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Click Add to create a new firewall policy, or click Edit to edit a specific policy.

3. Click Add to create a new policy rule.

4. Configure the Source, Destination, and Service for the rule.

5. For Action, select redirect to tunnel. Enter the tunnel ID.

6. Configure any additional options, and click Add.

7. Click Apply.

In the CLI

Use the following commands:

(host)(config) #ip access-list session <name>

<source> <destination> <service> redirect tunnel <id>

Tunnel Keepalives

The controller can determine the status of a GRE tunnel by sending periodic keepalive frames on the L2 or L3

GRE tunnel. If you enable tunnel keepalives, the tunnel is considered “down” if there is repeated failure of the

keepalives. If you configured a firewall policy rule to redirect traffic to the tunnel, traffic is not forwarded to the

tunnel until it is “up”. When the tunnel comes up or goes down, an SNMP trap and logging message is

generated. The remote endpoint of the tunnel does not need to support the keepalive mechanism.

The controller sends keepalive frames at 60-second intervals by default and retries keepalives up to three times

before the tunnel is considered down. You can reconfigure the intervals from the default. For the interval,

specify a value between 1 and 86400 seconds. For the retries, specify a value between 0 and 1024.

In the WebUI

1. Navigate to the Configuration > Network > IP > GRE Tunnels page.

2. Click Edit for the tunnel for which you are enabling tunnel keepalives.

3. Select Enable Heartbeats to enable tunnel keepalives and display the Heartbeat Interval and Heartbeat

Retries fields.

4. Enter values for Heartbeat Interval and Heartbeat Retries.

5. Click Apply.

In the CLI

Use the following commands:

(host)(config) #interface tunnel id

tunnel keepalive [<interval> <retries>]

Configuring GRE Tunnel Group

ArubaOS provides redundancy for L3 generic routing encapsulation (GRE) tunnels. This feature enables

automatic redirection of the user traffic to a standby tunnel when the primary tunnel goes down.

To enable this functionality, you must:

lconfigure a tunnel-group to group a set of tunnels.

lenable tunnel keepalives on all the tunnel interfaces assigned to the tunnel-group, and

lconfigure the session ACL with the tunnel-group as the redirect destination.

GRE Tunnel Redundancy is not applicable for GRE tunnels created for communications between controllers and APs.

Creating a Tunnel Group

A tunnel-group is identified by a name or number. You can add multiple tunnels to a tunnel-group. The order

of the tunnels defined in the tunnel-group configuration specifies their standby precedence. The first member

of the tunnel-group is the primary tunnel. When the first tunnel fails, the second tunnel carries the traffic. The

third tunnel in the tunnel-group takes over if the second tunnel also fails. In the mean time, if the first tunnel

comes up, it becomes the most eligible standby tunnel.

You can configure up to 32 tunnel-groups on a controller with a maximum of five tunnels in each tunnel-group.

You can also enable or disable pre-emption as part of the tunnel-group configuration. Pre-emption is enabled

by default. The pre-emption option, automatically redirects the traffic whenever it detects an active tunnel with

a higher precedence in the tunnel-group. When pre-emption is disabled, the traffic gets redirected to a higher

precedence tunnel only when the tunnel carrying the traffic fails.

You can configure the tunnel-group using the WebUI or the CLI.

In the WebUI

1. Navigate to the Configuration > Network > IP > GRE Tunnels page.

2. Click Add under the Tunnel Group pane.

3. Specify a name for the tunnel-group in the Tunnel Group Name text box.

4. Specify the tunnel IDs with comma separators in the Tunnel Group Member text box.

5. Select the Enable Preemptive-Failover Mode check box to enable pre-emption (Default: enabled); clear

the checkbox to disable pre-emption.

6. Click Apply.

In the CLI

Execute the following commands to configure a tunnel-group:

(host)(config) #tunnel-group <tunnel-group-name>

(host)(config-tunnel-group)# tunnel <tunnel-id>

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 170

171 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

Execute the following command to enable pre-emption:

(host)(config-tunnel-group)#preemptive-failover

Following is a sample configuration:

(host)(config) #tunnel-group tgroup1

(host)(config-tunnel-group)# tunnel 10

(host)(config-tunnel-group)# tunnel 20

(host)(config-tunnel-group)#preemptive-failover

Execute the following command to view the operational status of a tunnel-group and its members:

(host)(config-tunnel-group)#show tunnel-group tgroup1

Tunnel-Group Table Entries

--------------------------

Tunnel Group Tunnel Group Id Preemptive Failover Active Tunnel Id Tunnel Members

------------ --------------- -------------------- ---------------- --------------

tgroup1 16385 enabled 10 20

Execute the following command to view the operational status of all the configured tunnel-groups:

(host)(config) #show tunnel-group

Tunnel-Group Table Entries

--------------------------

Tunnel Group Tunnel Group Id Preemptive Failover Active Tunnel Id Tunnel Members

------------ --------------- -------------------- ---------------- --------------

tgroup1 16385 enabled 0 10 20

tgroup2 16387 enabled 40 20 40 10

tgroup3 16386 enabled 0 20

Execute the following command to view the datapath Tunnel-Group table entries:

(host) #show datapath tunnel-group

Datapath Tunnel-Group Table Entries

-----------------------------------

Tunnel-Group Active Tunnel Members

------------ ------------- -------------------

16387 11 11

Jumbo Frame Support

Jumbo frames are the data frames that are larger than 1500 bytes and includes the Layer 2 header and Frame

Check Sequence (FCS). Jumbo frames functionality can be configured on W-7200 Series controllers to support

up to 9216 bytes of payload.

In centralized deployments, frames that are more than 1500 bytes in size are generated from AP to the

controller during encryption and enabling AMSDU. Therefore, whenever the AP associates to the controller,

jumbo frames are used to get the highest network performace. If this functionality is not supported, the data

frames gets fragmented, which reduces the overall throughput of the network and makes the network slow.

ArubaOS supports jumbo frames between 11ac APs and W-7200 Series controllers only.

You can enable the jumbo frame support in the following scenarios:

lTunnel node: In a tunneled node deployment, the wired clients connected on the tunneled nodes can send

and receive the jumbo frames.

lL2/L3 GRE tunnels: When you establish a GRE tunnel between two controllers, the clients on one controller

can send and receive jumbo frames from the clients on the other controller on enabling jumbo frames.

lBetween wired clients: In a network where clients connect to the controller with jumbo frames enabled

ports can send and receive the jumbo frames.

lWi-Fi tunnel: A Wi-Fi tunnel can support an AMSDU jumbo frame for an AP (The maximum MTU supported

is up to 9216 bytes).

Limitations for Jumbo Frame Support

This release of ArubaOS does not support the jumbo frames for the following scenarios:

lIPsec, IPIP, and xSec.

lIPv6 fragmentation/reassembly.

Configuring Jumbo Frame Support

You can use the WebUI or CLI to configure the jumbo frame support.

Using the WebUI

To enable jumbo frame support globally:

1. Navigate to the Configuration > ADVANCED SERVICES > Stateful firewall > Global Setting page.

2. Select the Jumbo frames processing checkbox to enable the jumbo frames support.

3. Enter the value of the MTU in the Jumbo MTU [1789-9216] bytes textbox.

4. Click Apply.

To enable jumbo frame support on a port:

1. Navigate to Configuration > NETWORK > Ports page.

2. Select the Enable Jumbo MTU checkbox to enable the jumbo frames support.

3. Click Apply.

To enable jumbo frame support on a port channel:

1. Navigate to the Configuration > NETWORK > Port-Channel page.

2. Select the Enable Jumbo MTU checkbox to enable the jumbo frames support.

3. Click Apply.

Using the CLI

To enable the jumbo frame support globally and to configure the MTU value:

(host)(config)# firewall jumbo mtu <val>

You can configure the MTU value between 1,789-9,216. The default MTU value is 9,216.

To disable the jumbo frame support:

(host)(config)# no firewall enable-jumbo-frames

In this case, the MTU value is considered as 9,216 (default).

To enable jumbo frame support on a port channel:

(host)(config)# interface port-channel <id> jumbo

To disable jumbo frame support on a port channel:

(host)(config)# interface port-channel <id> no jumbo

To enable jumbo frame support on a port:

(host)(config) # interface gigabitethernet <slot>/<module>/<port> jumbo

To disable jumbo frame support on a port:

(host)(config) # interface gigabitethernet <slot>/<module>/<port> no jumbo

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 172

173 | Network Configuration Parameters Dell Networking W-Series ArubaOS 6.4.x| User Guide

Viewing the Jumbo Frame Support Status

Execute the following command to view the global status of the jumbo frame support:

(host)#show firewall

Global firewall policies

------------------------

Policy Action Rate Port

------ ------ ---- ----

Enforce TCP handshake before allowing data Disabled

Prohibit RST replay attack Disabled

Deny all IP fragments Disabled

Prohibit IP Spoofing Enabled

Monitor ping attack Disabled

Monitor TCP SYN attack Disabled

Monitor IP sessions attack Disabled

Deny inter user bridging Disabled

Log all received ICMP errors Disabled

Per-packet logging Disabled

Blacklist Grat ARP attack client Disabled

Session mirror destination Disabled

Stateful SIP Processing Enabled

Allow tri-session with DNAT Disabled

Disable FTP server No

Blacklist ARP attack client Disabled

Monitor ARP attack Disabled

Monitor Gratuitous ARP attack Enabled

50/sec

GRE call id processing Disabled

Session Idle Timeout Disabled

Broadcast-filter ARP Disabled

WMM content enforcement Disabled

Session VOIP Timeout Disabled

Stateful H.323 Processing Enabled

Stateful SCCP Processing Enabled

Only allow local subnets in user table Disabled

Monitor/police CP attacks Disabled

Rate limit CP untrusted ucast traffic Enabled 9765 pps

Rate limit CP untrusted mcast traffic Enabled 1953 pps

Rate limit CP trusted ucast traffic Enabled 65535 pps

Rate limit CP trusted mcast traffic Enabled 1953 pps

Rate limit CP route traffic Enabled 976 pps

Rate limit CP session mirror traffic Enabled 976 pps

Rate limit CP auth process traffic Enabled 976 pps

Deny inter user traffic Disabled

Prohibit ARP Spoofing Disabled

Stateful VOCERA Processing Enabled

Stateful UA Processing Enabled

Stall Detection Disabled

Enforce bw contracts for broadcast traffic Disabled

Multicast automatic shaping Disabled

Enforce TCP Sequence numbers Disabled

AMSDU Enabled

Jumbo Frames Enabled MTU = 9216

Session-tunnel FIB Enabled

Prevent DHCP exhaustion Disabled

Stateful SIPS Processing Enabled

Deny source routing Disabled

Immediate Freeback Disabled

Session mirror IPSEC Disabled

Execute the following command to view the jumbo frame status on a port:

(host)# show interface gigabitethernet <slot>/<port>/<module>

Example:

(host)# show interface gigabitethernet 0/0/0

GE 0/0/0 is up, line protocol is up

Hardware is Gigabit Ethernet, address is 00:1A:1E:00:0D:09 (bia 00:1A:1E:00:0D:09)

Description: GE0/0/0 (RJ45 Connector)

Encapsulation ARPA, loopback not set

Configured: Duplex (AUTO ), speed (AUTO )

Negotiated: Duplex (Full), speed (1000 Mbps)

Jumbo Support is enabled on this interface MTU 9216

Last clearing of "show interface" counters 1 day 20 hr 32 min 38 sec

link status last changed 1 day 19 hr 37 min 57 sec

120719 packets input, 24577381 bytes

Received 84208 broadcasts, 0 runts, 0 giants, 780 throttles

0 input error bytes, 0 CRC, 0 frame

32939 multicast, 36511 unicast

19865402 packets output, 4953350248 bytes

0 output errors bytes, 0 deferred

0 collisions, 0 late collisions, 0 throttles

This port is TRUSTED

Execute the following command to view the jumbo frame status on a port channel:

(host)#show interface port-channel <id>

Example:

(host)#show interface port-channel 6

Port-Channel 6 is administratively up

Hardware is Port-Channel, address is 00:1A:1E:00:0D:08 (bia 00:1A:1E:00:0D:08)

Description: Link Aggregate (LACP)

Spanning Tree is forwarding

Switchport priority: 0

Jumbo Support is enabled on this interface MTU 9216

Member port:

GE 0/0/4, Admin is up, line protocol is up

GE 0/0/5, Admin is up, line protocol is up

Last clearing of "show interface" counters 1 day 20 hr 32 min 43 sec

link status last changed 1 day 20 hr 29 min 58 sec

69425936 packets input, 15102169223 bytes

Received 27578 broadcasts, 0 runts, 0 giants, 0 throttles

0 input error bytes, 0 CRC, 0 frame

27568 multicast, 69398358 unicast

270782 packets output, 37271325 bytes

0 output errors bytes, 0 deferred

0 collisions, 0 late collisions, 0 throttles

Port-Channel 6 is TRUSTED

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 174

Dell Networking W-Series ArubaOS 6.4.x| User Guide IPv6 Support | 175

Chapter 5

IPv6 Support

This chapter describes ArubaOS support for IPv6 features:

lUnderstanding IPv6 Notation on page 175

lUnderstanding IPv6 Topology on page 175

lEnabling IPv6 on page 176

lEnabling IPv6 Support for Controller and APs on page 176

lFiltering an IPv6 Extension Header (EH) on page 184

lConfiguring a Captive Portal over IPv6 on page 184

lWorking with IPv6 Router Advertisements (RAs) on page 184

lRADIUS Over IPv6 on page 188

lTACACS Over IPv6 on page 189

lDHCPv6 Server on page 190

lUnderstanding ArubaOS Supported Network Configuration for IPv6 Clients on page 193

lManaging IPv6 User Addresses on page 198

lUnderstanding IPv6 Exceptions and Best Practices on page 199

Understanding IPv6 Notation

The IPv6 protocol is the next generation of large-scale IP networks, it supports addresses that are 128 bits

long. This allows 2128 possible addresses (versus 232 possible IPv4 addresses).

Typically, the IP address assigned on an IPv6 host consists of a 64-bit subnet identifier and a 64-bit interface

identifier. IPv6 addresses are represented as eight colon-separated fields of up to four hexadecimal digits each.

The following are examples of IPv6 addresses:

2001:0000:0eab:DEAD:0000:00A0:ABCD:004E

The use of the “::” symbol is a special syntax that you can use to compress one or more group of zeros or to

compress leading or trailing zeros in an address. The “::” can appear only once in an address.

For example, the address, 2001:0000:0dea:C1AB:0000:00D0:ABCD:004E can also be represented as:

2001:0:eab:DEAD:0:A0:ABCD:4E – leading zeros can be omitted

2001:0:0eab:dead:0:a0:abcd:4e – not case sensitive

2001:0:0eab:dead::a0:abcd:4e - valid

2001::eab:dead::a0:abcd:4e - Invalid

IPv6 uses a "/" notation which describes the no: of bits in netmask, similar to IPv4.

2001:eab::1/128 – Single Host

2001:eab::/64 – Network

Understanding IPv6 Topology

IPv6 APs connect to the IPv6 controller over an IPv6 L3 network. The IPv6 controller can terminate both IPv4

and IPv6 APs. IPv4 and IPv6 clients can terminate to either IPv4 or IPv6 APs. ArubaOS supports Router

Advertisements (RA). You do not need an external IPv6 router in the subnet to generate RA for IPv6 APs and

clients that depend on stateless autoconfiguration to obtain IPv6 address. The external IPv6 router is the

176 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

default gateway in most deployments. However, the controller can be the default gateway by using static

routes. The master-local communication always occurs in IPv4.

The following image illustrates how IPv6 clients, APs, and controllers communicate with each other in an IPv6

network:

Figure 21 IPv6 Topology

lThe IPv6 controller (MC2) terminates both V4 AP (IPv4 AP) and V6 AP (IPv6 AP).

lClient 1 (IPv4 client) terminates to V6 AP and Client 2 (IPv6 client) terminates to V4 AP.

lRouter is an external IPv6 router in the subnet that acts as the default gateway in this illustration.

lMC1 (master) and MC2 (local) communicates in IPv4.

Enabling IPv6

You must enable the IPv6 option on the controller before using any of the IPv6 functions. You can use the

ipv6 enable command to enable the IPv6 packet/firewall processing on the controller. The IPv6 option is

disabled by default.

You can also use the WebUI to enable the IPv6 option:

1. Navigate to the Configuration > Advanced Services > Stateful Firewall page.

2. Select the Global Settings tab.

3. Select the IPv6 Enable check box to enable the IPv6 option.

4. Click Apply .

Enabling IPv6 Support for Controller and APs

This release of ArubaOS provides IPv6 support for controllers and access points. You can now configure the

master controller with an IPv6 address to manage the controllers and APs. Both IPv4 and IPv6 APs can

terminate on the IPv6 controller. You can provision an IPv6 AP in the network only if the controller interface is

configured with an IPv6 address. An IPv6 AP can serve both IPv4 and IPv6 clients.

You must manually configure an IPv6 address on the controller interface to enable IPv6 support.

You can perform the following IPv6 operations on the controller:

lConfiguring IPv6 Addresses on page 178

lConfiguring IPv6 Static Neighbors on page 179

lConfiguring IPv6 Default Gateway and Static IPv6 Routes on page 180

lManaging Controller IP Addresses on page 180

lConfiguring Multicast Listener Discovery (MLD) on page 181

lDebugging an IPv6 Controller on page 183

lProvisioning an IPv6 AP on page 183

You can also view the IPv6 statistics on the controller using the following commands:

lshow datapath ip-reassembly ipv6 — View the IPv6 contents of the IP Reassembly statistics table.

lshow datapath route ipv6 — View datapath IPv6 routing table.

lshow datapath route-cache ipv6 — View datapath IPv6 route cache.

lshow datapath tunnel ipv6 — View the tcp tunnel table filtered on IPv6 entries.

lshow datapath user ipv6 — View datapath IPv6 user statistics such as current entries, pending deletes,

high water mark, maximum entries, total entries, allocation failures, invalid users, and maximum link length.

lshow datapath session ipv6 — View datapath IPv6 session entries and statistics such as current entries,

pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users, and

maximum link length.

Additionally, you can view the IPv6 AP information on the controller using the following show commands:

lshow ap database

lshow ap active

lshow user

lshow ap details ip6-addr

lshow ap debug

The following table lists IPv6 features:

Features Supported on IPv6 APs?

Forward Mode - Tunnel Yes

Forward Mode - Decrypt Tunnel No

Forward Mode - Bridge No

Forward Mode - Split Tunnel No

AP Type - CAP Yes

AP Type - RAP No

Table 30: IPv6 APs Support Matrix

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 177

178 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

Features Supported on IPv6 APs?

AP Type - Mesh Node No

IPSEC No

CPSec No

Wired-AP/Secure-Jack No

Fragmentation/Reassembly Yes

MTU Discovery Yes

Provisioning through Static IPv6

Addresses

Yes

Provisioning through IPv6 FQDN Master

Name

Yes

Provisioning from WebUI Yes

AP boot by Flash Yes

AP boot by TFTP No

WMM QoS No

AP Debug and Syslog Yes

ARM & AM Yes

WIDS Yes (Limited)

CLI support for users & datapath Yes

Configuring IPv6 Addresses

You can configure IPv6 addresses for the management interface, VLAN interface, and the loopback interface of

the controller. The controller can have up to three IPv6 addresses for each VLAN interface. The IPv6 address

configured on the loopback interface or the first VLAN interface of the controller becomes the default IPv6

address of the controller.

If only one IPv6 address is configured on the controller, it becomes the default IPv6 address of the controller. With

this release of ArubaOS, you can delete this IPv6 address.

You can configure IPv6 interface address using the WebUI or CLI. As per Internet Assigned Numbers Authority

(IANA), Dell controllers support the following ranges of IPv6 addresses:

lGlobal unicast—2000::/3

lUnique local unicast—fc00::/7

lLink local unicast—fe80::/10

In the WebUI

To Configure Link Local Address

1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab.

2. Edit a VLAN # and select IP version as IPv6.

3. Enter the link local address in the Link Local Address field.

4. Click Apply.

To Configure Global Unicast Address

1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab.

2. Edit a VLAN # and select IP version as IPv6.

3. Enter the global unicast address and the prefix-length in the IP Address/Prefix-length field.

4. (Optional) Select the EUI64 Format check box, if applicable.

5. Click Add to add the address to the global address list.

6. Click Apply.

To Configure Loopback Interface Address

1. Navigate to the Configuration > Network > Controller page and select the System Settings tab.

2. Under Loopback Interface enter the loopback address in the IPv6 Address field.

3. Click Apply.

You cannot configure the management interface address using the WebUI.

In the CLI

To configure the link local address:

(host)(config)#interface vlan <vlan#>

(host)(config-subif)#ipv6 address <ipv6-address> link-local

To configure the global unicast address:

(host)(config)#interface vlan <vlan#>

(host)(config-subif)#ipv6 address <ipv6-prefix>/<prefix-length>

To configure the global unicast address (EUI 64 format):

(host)(config)#interface vlan <vlan#>

(host)(config-subif)#ipv6 address <ipv6-prefix/prefix-length> eui-64

To configure the management interface address:

(host)(config)#interface mgmt

(host)(config-subif)#ipv6 address <ipv6-prefix/prefix-length>

To configure the loopback interface address:

(host)(config)#interface loopback

(host)(config-subif)#ipv6 address <ipv6-prefix>

Configuring IPv6 Static Neighbors

You can configure a static neighbor on a VLAN interface either using the WebUI or the CLI.

In the WebUI

1. Navigate to the Configuration > Network > IP page and select the IPv6 Neighbors tab.

2. Click Add and enter the following details of the IPv6 neighbor:

lIPV6 Address

lLink-layer Addr

lVLAN Interface

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 179

180 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

3. Click Done to apply the configuration.

In the CLI

To configure a static neighbor on a VLAN interface:

(host)(config)#ipv6 neighbor <ipv6addr> vlan <vlan#> <mac>

Configuring IPv6 Default Gateway and Static IPv6 Routes

You can configure IPv6 default gateway and static IPv6 routes using the WebUI or CLI.

In the WebUI

To Configure IPv6 Default Gateway

1. Navigate to the Configuration > Network > IP page and select the IP Routes tab.

2. Under the Default Gateway section, click Add.

3. Select IPv6 as IP Version, and enter the IPv6 address in the IP Address field.

4. Click Add to add the address to the IPv6 default gateway table.

5. Click Apply.

To Configure Static IPv6 Routes

1. Under the IP Routes section, click Add and select IPv6 as IP Version.

2. Enter the destination IP address and the forwarding settings in the respective fields.

3. Click Done to add the static route to the IPv6 routes table.

4. Click Apply.

In the CLI

To configure the IPv6 default gateway:

(host)(config)#ipv6 default-gateway <ipv6-address> <cost>

To configure static IPv6 routes:

(host)(config)#ipv6 route <ipv6-prefix/prefix-length> <ipv6-next-hop> <cost>

<ipv6-next-hop> = X:X:X:X::X

Managing Controller IP Addresses

You can change the default controller IP address by assigning a different VLAN interface address or the loop

back interface address. You can also turn on Syslog messaging for IPv6 (similar to IPv4 logging) using the

logging <ipv6 address> command. For more information on logging, see Configuring Logging on page

804.You can use the WebUI or CLI to change the default controller IP address.

In the WebUI

1. Navigate to the Configuration > Network > Controller page and select the System Settings tab.

2. Under the Controller IP Details section, select the VLAN Id or the loopback interface Id in the IPv6

Address drop down.

3. Click Apply.

In the CLI

To configure an IPv6 address to the controller:

(host)(config)#controller-ipv6 loopback

(host)(config)#controller-ipv6 vlan <vlanId>

To enable logging over IPv6:

(host)(config)#logging <ipv6 address>

Configuring Multicast Listener Discovery (MLD)

You can enable the IPv6 multicast snooping on the controller by using the WebUI or CLI and configure MLD

parameters such as query interval, query response interval, robustness variable, and ssm-range.

The Source Specific Multicast (SSM) supports delivery of multicast packets that originate only from a specific

source address requested by the receiver. You can forward multicast streams to the clients if the source and

group match the client subscribed source group pairs (S,G).

The controller supports the following IPv6 multicast source filtering modes:

lInclude - In Include mode, the reception of packets sent to a specified multicast address is enabled only

from the source addresses listed in the source list. The default IPv6 SSMaddress range is FF3X::4000:1 –

FF3X::FFFF:FFFF, and the hosts subscribing to SSM groups can only be in the Include mode.

lExclude - In Exclude mode, the reception of packets sent to a specific multicast address is enabled from all

source addresses. If there is a client in the Exclude mode, the subscription is treated as an MLDv1 join.

For more information on MLD feature, see RFC 3810 and RFC 4604,

In the WebUI

To enable IPv6 MLD Snooping

1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab.

2. Click the Edit button listed under Actions to edit the required VLANinterface.

3. Select IPv6 from the IP version drop-down list.

4. Check the Enable MLD Snooping check box under MLD section to enable IPv6 MLD snooping.

5. Click Apply.

To Modify IPv6 MLD Parameters

1. Navigate to the Configuration > Network > IP page and select the Multicast tab.

2. Under the MLD section, enter the required values in the following fields:

lRobustness Variable: default value is 2

lQuery Interval (second): default value is 125 seconds

lQuery Response Interval (in 1/10 second): default value is 100 (1/10 seconds).

3. Click Apply.

To configure the SSM Range:

1. Navigate to Configuration>Network>IP page and select the Multicast tab.

2. In the MLD section, use the SSM Range Start-IP and SSM Range End-IP fields to configure the

SSMRange.

3. Click Apply to save your changes.

In the CLI

To enable IPv6 MLD snooping:

(host)(config) #interface vlan 1

(host)(config-subif)#ipv6 mld snooping

To view if IPv6 MLD snooping is enabled:

(host)(config-subif)#show ipv6 mld interface

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 181

182 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

To view the MLDGroup information:

(host)(config) #show ipv6 mld group

To modify IPv6 MLD parameters:

(host)(config) #ipv6 mld

(host)(config-mld) # query-interval <time in seconds (1-65535)>|query-response-interval <time

in 1/10th of seconds (1-65535)|robustness-variable <value (2-10)>

To view MLD configuration:

(host)(config-subif)#show ipv6 mld config

When you enter the SSM Range ensure that the upstream router has the same range, else the multicast stream

would be dropped.

Dynamic Multicast Optimization

When multiple clients are associated to an AP and when one client is subscribed for a multicast stream, all the

clients associated to the AP receive the stream, as the packets are directed to the multicast MAC address. To

restrict the multicast stream to only the subscribed clients, DMOsends the stream to the unicast MACaddress

of the subscribed clients. DMOis currently supported for both IPv4 and IPv6.

In the WebUI

You can configure the IPv6 DMO feature using the WebUI or CLI.

Using the WEBUI

To enable this feature using the WebUI:

1. Navigate to Configuration>Wireless>AP Configuration page.

2. Select the AP Group tab, click the AP Group you want to edit.

3. Expand the Wireless LAN menu, then expand the Virtual AP menu.

4. Select the Virtual AP profile for which you want to configure the Dynamic Multicast Optimization.

5. In the Basic tab under Broadcast/Multicast section configure the following parameters to enable

multicasting:

a. Select the Dynamic Multicast Optimization (DMO) checkbox,

b. Use the Dynamic Multicast Optimization (DMO) Threshold field to set the maximum number of

high-throughput stations in a multicast group.

6. Click Apply to save your changes.

In the CLI

To verify the DMOconfiguration, execute the following command:

(host) #show wlan virtual-ap

Limitations

The following are the MLDv2 limitations:

lController cannot route multicast packets.

lFor mobility clients mld proxy should be used.

lVLAN pool scenario stream is forwarded to clients in both the VLANs even if the client from one of the

VLANs is subscribed.

lDynamic Multicast Optimization is applicable for wired clients in controllers.

Debugging an IPv6 Controller

ArubaOS provides the following debug commands for IPv6:

lshow ipv6 global — displays if IPv6 is enabled globally or not

lshow ipv6 interface — displays the configured IPv6 address, and any duplicate addresses

lshow ipv6 route/show datapath route ipv6 — displays the IPv6 routing information

lshow ipv6 ra status — displays the Router Advertisement status

lshow Datapath session ipv6 — displays the IPv6 sessions created, and the sessions that are allowed

lshow datapath frame — displays the IPv6 specific counters

You can also use the debug options such as ping and tracepath for IPv6 hosts. You can either use the WebUI or

the CLI to use the ping and tracepath options.

In the WebUI

1. To ping an IPv6 host, navigate to the Diagnostics > Network > Ping page, enter an IPv6 address, and click

Ping.

2. To trace the path of an IPv6 host, navigate to the Diagnostics > Network > Tracepath page, enter an

IPv6 address, and click Trace.

In the CLI

To ping an IPv6 host:

(host)#ping ipv6 <global-ipv6-address>

(host)#ping ipv6 interface vlan <vlan-id> <linklocal-address>

To trace the path of an IPv6 host:

(host)#tracepath <global-ipv6-address>

Provisioning an IPv6 AP

You can provision an IPv6 AP on an IPv6 controller. You can either configure a static IP address or obtain a

dynamic IPv6 address via stateless-autoconfig. The controller can act as the default gateway for the IPv6

clients, if static IPv6 routes are set on the controller.

Starting from ArubaOS 6.3, a wired client can connect to the Ethernet interface of an IPv6 enabled AP.

You can provision an IPv6 AP using the WebUI or CLI.

In the WebUI

1. Navigate to the Configuration > AP Installation> Provision page and select the Provisioning tab.

2. Select an AP and click Provision.

3. Under the Master Discovery section, enter the host controller IP address and the IPv6 address of the

master controller.

4. To provision a static IP, select the Use the following IP address check box under the IP Settings section,

and enter the following details:

lIPv6 Address/Prefix-lengths

lGateway IPv6 Address

lDNS IPv6 Address

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 183

184 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

Ensure that CPSEC is disabled before rebooting the AP.

5. Click Apply and Reboot to bring the IPv6 AP up.

In the CLI

To provision a static IPv6 address:

(host)(config)# provision-ap

Enhancements to IPv6Support on AP

This release of ArubaOS provides the following IPv6 enhancements on the AP:

lDNS based ipv6 controller discovery

lFTP support for image upgrade in an IPv6 network

lDHCPv6 client support

Filtering an IPv6 Extension Header (EH)

ArubaOS firewall is enhanced to process the IPv6 Extension Header (EH) to enable IPv6 packet filtering. You

can now filter the incoming IPv6 packets based on the EH type. You can edit the packet filter options in the

default EH, using the CLI. The default EH alias permits all EH types.

Execute the following commands to permit or deny the IPv6 packets matching an EH type:

(host)(config) #netexthdr default

(host)(config-exthdr) #eh <eh-type> permit | deny

To view the EH types denied:

(host) (config-exthdr) #show netexthdr default

Extended Header type(s) Denied

------------------------------

51, 234,

Configuring a Captive Portal over IPv6

IPv6 is now enabled on the captive portal for user authentication on the Dell controller. For user

authentication, use the internal captive portal that is initiated from the controller. A new parameter captive

has been added to the IPv6 captive portal session ACL:

ipv6 user alias controller 6 svc-https captive

This release does not support external captive portal for IPv6. The captive portal authentication, customization of

pages, and other attributes are same as IPv4.

You can configure captive portal over IPv6 (similar to IPv4) using the WebUI or CLI. For more information on

configuration, see Configuring Captive Portal in the Base Operating System on page 300.

Working with IPv6 Router Advertisements (RAs)

ArubaOS enables the controllers to send router advertisements (RA) in an IPv6 network. Each host auto

generates a link local address when you enable ipv6 on the host. The link local address allows the host to

communicate between the nodes attached to the same link.

The IPv6 stateless autoconfiguration mechanism allows the host to generate its own addresses using a

combination of locally available information and information advertised by the routers. The host sends a

router solicitation multicast request for its configuration parameters in the IPv6 network. The source address

of the router solicitation request can be an IP address assigned to the sending interface, or an unspecified

address if no address is assigned to the sending interface.

The routers in the network respond with an RA. The RAs can also be sent at periodic intervals. The RA contains

the network part of the Layer 3 IPv6 address (IPv6 Prefix). The host uses the IPv6 prefix provided by the RA; it

generates the universally unique host part of the address (interface identifier), and combines the two to derive

the complete address. To establish continuous connectivity to the default router, the host starts the neighbor

reachability state machine for the router.

ArubaOS uses Radvd, an open source Linux IPv6 Router Advertisement daemon maintained by Litech Systems

Design.

You can perform the following tasks on the controller to enable, configure, and view the IPv6 RA status on a

VLAN interface:

lConfigure IPv6 RA on a VLAN

lConfigure Optional Parameters for RA

nConfigure neighbor discovery reachable time

nConfigure neighbor discovery retransmit time

nConfigure RA DNS

nConfigure RA hop-limit

nConfigure RA interval

nConfigure RA lifetime

nConfigure RA managed configuration flag

nConfigure RA MTU

nConfigure RA other configuration flag

nConfigure RA Preference

nConfigure RA prefix

lView IPv6 RA Status

Configuring an IPv6 RA on a VLAN

You must configure the IPv6 RA functionality on a VLAN for it to send solicited/unsolicited router

advertisements on the IPv6 network. You must configure the following for the IPv6 RA to be operational on a

VLAN:

lIPv6 global unicast address

lenable IPv6 RA

lIPv6 RA prefix

lThe advertised IPv6 prefix length must be 64 bits for the stateless address autoconfiguration to be operational.

lYou can configure up to three IPv6 prefixes per VLAN interface.

lEach IPv6 prefix must have an on-link interface address configured on the VLAN.

lEnsure you configure the upstream routers to route the packets back to Dell controller.

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 185

186 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

You can use the WebUI or CLI to configure the IPv6 RA on a VLAN.

Using WebUI

1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab.

2. Edit a VLAN # and select IP version as IPv6.

3. To configure an IPv6 global unicast address, follow the steps below:

a. Under Details, enter the IPv6 address and the prefix-length in the IP Address/Prefix-length field.

b. (Optional) Select the EUI64 Format check box, if applicable.

c. Click Add to add the address to the global address list.

4. To enable an IPv6 RA on a VLAN, select the Enable Router Advertisements (RA) check box under

Neighbor Discovery.

5. To configure an IPv6 RA prefix for a VLAN, follow the steps below:

a. Under Neighbor Discovery, enter an IPv6 prefix in the IPv6 RA Prefix field.

b. Click Add to configure an IPv6 prefix for the VLAN.

You can add up to three IPv6 prefixes per VLAN interface.

6. Click Apply.

Using CLI

Execute the following commands to configure router advertisements on a VLAN:

(host)(config) #interface vlan <vlanid>

(host)(config-subif)#ipv6 address <prefix>/<prefix-length>

(host)(config-subif)#ipv6 nd ra enable

(host)(config-subif)#ipv6 nd ra prefix X:X:X:X::X/64

Configuring Optional Parameters for RAs

In addition to enabling the RA functionality, you can configure the following IPv6 neighbor discovery and RA

options on a VLAN:

lNeighbor discovery reachable time – the time, in milliseconds, that a node assumes a neighbor is reachable

after receiving a reachability confirmation.

lNeighbor discovery retransmit time – the time, in milliseconds, between retransmitted Neighbor Solicitation

messages.

lRA DNS – the IPv6 recursive DNS Server for the VLAN.

lOn Linux systems, clients must run the open rdnssd daemon to support the DNS server option.

lWindows 7 does not support the DNS server option.

lRA hop-limit – the IPv6 RA hop-limit value. It is the default value to be placed in the Hop Count field of the

IP header for outgoing (unicast) IP packets.

lRA interval – the maximum and minimum time interval between sending unsolicited multicast router

advertisements from the interface, in seconds.

lRA lifetime – the lifetime associated with the default router in seconds. A value of zero indicates that the

router is not a default router and will not appear on the default router list. The router lifetime applies only

to the router's usefulness as a default router; it does not apply to information contained in other message

fields or options.

lRA managed configuration flag (Enable DHCP for address) – a flag that indicates that the hosts can use the

DHCP server for address autoconfiguration besides using RAs.

lRA maximum transmission unit (MTU) – the maximum transmission unit that all the nodes on a link use.

lRA other configuration flag (Enable DHCP for other information – a flag that indicates that the hosts can use

the administered (stateful) protocol for autoconfiguration of other (non-address) information.

lRA preference – the preference associated with the default router.

You can use the WebUI or CLI to configure these options.

It is recommended that you retain the default value of the RA interval to achieve better performance.

If you enable RAs on more than 100 VLAN interfaces, some of the interfaces may not send out the RAs at regular

intervals.

In the WebUI

1. Navigate to the Configuration > Network > IP page.

2. Select the IP Interfaces tab.

3. Edit the VLAN on which you want to configure the neighbor discovery or RA options.

4. Select IP Version as IPv6.

5. Under Neighbor Discovery, configure the following neighbor discovery and RA options for the VLAN

based on your requirements:

a. Enter a value in the Reachable Time field. The allowed range is 0-3,600,000 msec. The default value is

zero.

b. Enter a value in the Retransmit Time field. The allowed range is 0-3,600,000 msec.he default value is

zero.

c. Enter a DNS server name in the IPv6 Recursive DNS Server field.

d. Enter a hop-limit value in the RA hop-limit field. The allowed range is 1-255. The default value is 64.

e. Enter the maximum interval value in the RA Interval(sec) field. Allowed range is 4-1800 seconds.

Default value is 600 seconds.

f. Enter a value in the RA Minimum Interval(sec) field. Allowed range is 3-0.75 times the maximum RA

interval value in seconds. The default minimum value is 0.33 times the maximum RA interval value

g. Enter a value in the RA Lifetime field. A value of zero indicates that the router is not a default router.

Apart from a zero value, the allowed range for the lifetime value is the RA interval time to 9,000 seconds.

The default and minimum value is three times the RA interval time.

h. Select the DHCP for address check box to enable the hosts to use the DHCP server for address

autoconfiguration apart from any addresses auto configured using the RA.

i. Enter a value in the RA MTU Option option. The allowed range is 1,280-maximum MTU allowed for the

link.

j. Select the DHCP for Other Address check box to enable the hosts to use the DHCP server for

autoconfiguration of other (non-address) information.

k. Select the router preference as High,Medium, or Low.

6. Click Apply.

In the CLI

Execute the following CLI commands to configure the neighbor discovery and RA options for a VLAN interface:

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 187

188 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

To configure neighbor discovery reachable time:

(host)(config) #interface vlan <vlan-id>

(host)(config-subif)#ipv6 nd reachable-time <value>

To configure neighbor discovery retransmit time:

(host)(config-subif)#ipv6 nd retransmit-time <value>

To configure IPv6 recursive DNS server:

(host)(config-subif)#ipv6 nd ra dns X:X:X:X::X

To configure RA hop-limit:

(host)(config-subif)#ipv6 nd ra hop-limit <value>

To configure RA interval:

(host) (config-subif)#ipv6 nd ra interval <value> <min-value>

To configure RA lifetime:

(host)(config-subif)#ipv6 nd ra life-time <value>

To enable hosts to use DHCP server for stateful address autoconfiguration:

(host)(config-subif)#ipv6 nd ra managed-config-flag

To configure maximum transmission unit for RA:

(host)(config-subif)#ipv6 nd ra mtu <value>

To enable hosts to use DHCP server for other non-address stateful autoconfiguration:

(host)(config-subif)#ipv6 nd ra other-config-flag

To specify a router preference:

(host)(config-subif)#ipv6 nd ra preference [High | Low | Medium]

To view the IPv6 RA status on the VLAN interfaces:

(host) #show ipv6 ra status

RADIUS Over IPv6

ArubaOS provides support for RADIUS authentication server over IPv6. You can configure an IPv6 host or

specify an FQDN that can resolve to an IPv6 address for RADIUS authentication. The RADIUS server is in IPv4

mode by default. You must enable the RADIUS server in IPv6 mode to resolve the specified FQDN to IPv6

address.

You can only configure the global IPv6 address as the host for the Radius server in IPv6 mode.

You can configure the IPv6 host for the RADIUS server using the WebUI or CLI.

In the CLI

You must enable the enable-ipv6 parameter to configure the RADIUS server in IPv6 mode.

(host)(config) #aaa authentication-server radius IPv6

(host)(RADIUS Server "IPv6") #enable-ipv6

Configure an IPv6 address as the host for RADIUS server using the following command:

(host)(RADIUS Server "IPv6") #host <ipv6-address>

The <host> parameter can also be a fully qualified domain name that can resolve to an IPv6 address.

To resolve FQDN, you must configure the DNS server name using the ip name-server <ip4addr> command.

You can configure an IPv6 address for the NAS-IP parameter using the following CLI command:

(host) (RADIUS Server "Ipv6") #nas-ip6 <IPv6 address>

You can configure an IPv6 address for the Source Interface parameter using the following CLI command:

(host) (RADIUS Server "Ipv6") # source-interface vlan <vland-id> ip6addr <ip6addr>

Use the following CLI command to configure an IPv6 address for the global NAS IP which the controller uses to

communicate with all the RADIUS servers:

(host) (config) #ipv6 radius nas-ip6 <IPv6 address>

You can also configure an IPv6 global source-interface for all the RADIUS server requests using the following

commands:

(host)(config) #ipv6 radius source-interface loopback

(host)(config) #ipv6 radius source-interface vlan <vlan-id> <ip6addr>

In the WebUI

To configure an IPv6 host for a RADIUS server:

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select RADIUS Server to display the RADIUS server List.

3. Select the required RADIUS server from the list to go to the Radius server page.

4. To enable the RADIUS server in IPv6 mode select the Enable IPv6 check box.

5. To configure an IPv6 host for the selected RADIUS server specify an IPv6 address or an FQDN in the Host

field.

6. Click Apply.

To configure an IPv6 address for the NAS-IP:

1. Select the Advanced tab.

2. Specify an IPv6 address in the NAS IPv6 field.

3. Click Apply.

To configure an IPv6 global source-interface:

1. Select the Advanced tab.

2. To configure the IPv6 loopback interface as the source interface, select loopback from the Source

Interface v6 drop-down list.

3. To configure a VLAN interface as the source interface, specify the VLAN interface and the IPv6 address in

the Source Interface v6 field.

4. Click Apply.

TACACS Over IPv6

ArubaOS provides support for TACACS authentication server over IPv6. You can configure the global IPv6

address as the host for TACACS authentication using CLI or WebUI.

In the CLI

(host)(config) #aaa authentication-server tacacs IPv6

(host)(TACACS Server "IPv6") #host <ipv6-address>

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 189

190 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

In the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. SelectTACACS Server to display the Server List.

3. Select the required server from the list to go to the TACACS server page.

4. To configure an IPv6 host for the selected server, specify an IPv6 address in the Host field.

5. Click Apply.

DHCPv6 Server

The DHCPv6 server enables network administrators to configure stateful/stateless options and manage

dynamic IPv6 users connecting to a network. You can also configure domain name server using DHCPv6.

You can configure IPv6 pools with various configurations such as lease duration, DNS server, vendor specific

options, and user defined options using DHCPv6. You can also exclude IPv6 addresses from subnets.

Controller IPv6 addresses, VLAN interface IPv6 addresses, and DNS server addresses are excluded from use by

default.

Similar to DHCPv4, a DHCPv6 server pool is associated with a VLAN only through the IPv6 address configured

in that VLAN interface. A VLAN interface can have a maximum of three global unicast addresses, but only one

DHCPv6 pool.

DHCPv6 server supports stateless configuration of clients with options apart from the network addresses

described in RFC 3736.

Points to Remember

lSimilar to IPv4, the default router configuration is not required for IPv6 pools as IPv6 compliant routers will

send RAs. The RA source address will be the default-gateway for the clients.

lArubaOS does not support DHCPv6 relay and Hospitality feature on DHCPv6.

DHCP Lease Limit

The following table provides the maximum number of DHCP leases (both v4 and v6) supported per controller

platform:

There is a new enforcement to the existing DHCP limit during configuration.

Table 31: DHCP Lease Limits

Platform Maximum number of DHCP Leases Supported

W-620 256

W-650 512

W-3200 512

W-6000M3 512

W-3400 512

Platform Maximum number of DHCP Leases Supported

W-3600 512

W-7005 512

W-7010 1024

W-7030 2048

W-7210 5120

W-7220 10240

W-7240 15360

Configuring DHCPv6 Server

You must enable the global DHCPv6 knob for the DHCPv6 functionality to be operational. You can enable and

configure DHCPv6 server using the WebUI or CLI.

In the WebUI

1. Navigate to Configuration > Network > IP page and select the DHCP Server tab.

2. Select the IPv6 DHCP Server check box to enable DHCPv6 globally.

3. If there are addresses that should not be assigned in the subnetwork:

a. Under Excluded Address Range, click Add to create a list of IPv6 excluded address.

b. Enter the excluded IPv6 address range in IPv6 Excluded Range and click Done. The specified address

range gets added to the IPv6 Excluded Address list box. The starting IP address in the Exclude

Address Range should always contain a unique value, if the IP address is already present, then the

existing IP address is replaced with a new one, and a warning is displayed.

c. Click Apply.

4. Under Pool Configuration, click Add to create a new DHCP server pool or click Edit to modify an existing

DHCP server pool.

To enable the DHCPv6 Server functionality on an interface, select the IP Interfaces tab, edit the VLAN interface, and

select a DHCP pool from the drop-down list under the DHCP server section. Ensure that the IP version of the VLAN

interface is IPv6.

5. Select IP Version as IPv6 to create a DHCPv6 pool.

6. Enter a name in Pool Name to configure an IPv6 pool name.

7. Enter an IPv6 address in DNS Servers to configure an IPv6 DNS server.

To configure multiple DNS servers, enter the IPv6 addresses separated by space.

8. Enter a value in Domain Name to configure the domain name.

9. Enter the number of days, hours, minutes, and seconds in Lease to configure the lease time. The default

value is 12 hours.

10.Specify an IPv6 prefix in Network to configure an IPv6 network.

11.Enter the following details under Option to configure client specific DHCPv6 options.

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 191

192 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

a. Specify the option code in Option.

b. Select IP or text from the IP/Text drop-down list.

c. Enter a value in Value. If you selected IP in step b, then you must enter a valid IPv6 address in this field.

d. Click Add.

12.Click Apply.

In the CLI

To enable the DHCPv6 service you can use the following command:

(host)(config) #service dhcpv6

To configure a domain name server, execute the following commands:

(host)(config) #ipv6 dhcp pool <pool-name>

(host)(config-dhcpv6)#dns-server <ipv6-address>

To configure a domain name, use the following command:

(host)(config-dhcpv6)#domain-name <domain>

To configure DHCPv6 lease time, use the following command:

(host)(config-dhcpv6)#lease <days> <hours> <minutes> <seconds>

The default value is 12 hours.

To configure a DHCP network, use the following command:

(host)(config-dhcpv6)#network <network-prefix>

To configure a client specific option, use the following command:

(host)(config-dhcpv6)#option <code> [ip <ipv6-address> | text <string>]

To configure DHCP server preference, use the following command:

(host)(config-dhcpv6)#preference <value>

To enable DHCPv6 Server functionality on an interface, use the following command:

(host) (config) #interface vlan <vlan-id>

(host) (config-subif) #ipv6 dhcp server <pool-name>

The configured DHCPv6 pool subnet must match the interface prefix for DHCPv6 Server to be active.

To configure the IPv6 excluded address range for the DHCPv6 server, use the following command:

(host)(config)#ipv6 dhcp excluded-address <low-address> [<high-address>]

You can view the DHCPv6 server settings, statistics, and binding information using the CLI.

To view the DHCPv6 database, use the following command:

(host)#show ipv6 dhcp database

You can also view the DHCPv6 database for a specific pool, use the following command:

(host) (config) #show ipv6 dhcp database [pool <pool-name>]

(host) (config) #show ipv6 dhcp database pool DHCPv6

To view the DHCPv6 binding information, use the following command:

(host)# show ipv6 dhcp binding

To clear all the DHCPv6 bindings, use the following command:

(host)# clear ipv6 dhcp binding

To view the DHCPv6 server statistics, use the following command:

(host)(config) #show ip dhcp statistics

To view the DHCPv6 active pools, use the following command:

(host) #show ipv6 dhcp active-pools

Understanding ArubaOS Supported Network Configuration for

IPv6 Clients

ArubaOS provides wired or wireless clients using IPv6 addresses with services such as firewall functionality,

layer-2 authentication, and, with the installation of the Policy Enforcement Firewall Next Generation (PEFNG),

identity-based security. The Dell controller does not provide routing or Network Address Translation to IPv6

clients (see Understanding IPv6 Exceptions and Best Practices on page 199).

Supported Network Configuration

Clients can be wired or wireless and use IPv4 and/or IPv6 addresses. An external IPv6 router is recommended

for a complete routing experience (dynamic routing). You can use the WebUI or CLI to display IPv6 client

information.

On the controller, you can configure both IPv4 and IPv6 client addresses on the same VLAN.

Understanding the Network Connection Sequence for Windows IPv6 Clients

This section describes the network connection sequence for Windows Vista/XP clients that use IPv6 addresses,

and the actions performed by the AP and the controller.

1. The IPv6 client sends a Router Solicit message through the AP. The AP passes the Router Solicit message

from the IPv6 client through the GRE tunnel to the controller.

2. The controller removes the 802.11 frame and creates an 802.3 frame for the Router Solicit message.

a. The controller authenticates the user, applies firewall policies, and bridges the 802.3 frame to the IPv6

router.

b. The controller creates entries in the user and session tables.

3. The IPv6 router responds with a Router Advertisement message.

4. The controller applies firewall policies, then creates an 802.11 frame for the Router Advertisement message.

The controller sends the Router Advertisement through the GRE tunnel to the AP.

5. The IPv6 client sends a Neighbor Solicitation message.

6. The IPv6 router responds with a Neighbor Advertisement message.

7. If the DHCP is required to provide IPv6 addresses, the DHCPv6 process is started.

8. The IPv6 client sends data.

9. The controller removes the 802.11 frame and creates an 802.3 frame for the data.

The controller authenticates the user, applies firewall policies and bridges the 802.3 frame to the IPv6

router. The controller creates entries in the user and session tables.

A client can have an IPv4 address and an IPv6 address, but the controller does not relate the states of the IPv4 and

the IPv6 addresses on the same client. For example, if an IPv6 user session is active on a client, the controller will

delete an IPv4 user session on the same client if the idle timeout for the IPv4 session is reached.

Understanding ArubaOS Authentication and Firewall Features

that Support IPv6

This section describes ArubaOS features that support IPv6 clients.

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 193

194 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

Understanding Authentication

This release of ArubaOS only supports 802.1x authentication for IPv6 clients. You cannot configure layer-3

authentications to authenticate IPv6 clients.

Authentication Method Supported for IPv6 Clients?

802.1x Yes

Stateful 802.1x (with non-Dell APs) Yes

Local database Yes

Captive Portal Yes

VPN No

xSec No (not tested)

MAC-based Yes

Table 32:

IPv6 Client Authentication

You configure 802.1x authentication for IPv6 clients in the same way as for IPv4 client configurations. For

more information about configuring 802.1x authentication on the controller, see 802.1X Authentication on

page 253.

This release does not support authentication of management users on IPv6 clients.

Working with Firewall Features

If you installed a Policy Enforcement Firewall Next Generation (PEFNG) license in the controller, you can

configure firewall functions for IPv6 client traffic. While these firewall functions are identical to firewall

functions for IPv4 clients, you need to explicitly configure them for IPv6 traffic. For more information about

firewall policies, see Understanding Global Firewall Parameters on page 377.

Voice-related and NAT firewall functions are not supported for IPv6 traffic.

Parameter Description

Monitor Ping Attack (per

30 seconds)

Number of ICMP pings per 30 second, which if exceeded, can indicate a denial of

service attack. Valid range is 1-16384 pings per 30 seconds.

Recommended value is 120.

Default: No default

Monitor TCP SYN Attack

rate (per 30 seconds)

Number of TCP SYN messages per 30 second, which if exceeded, can indicate a

denial of service attack. Valid range is 1-16384 pings per 30 seconds.

Recommended value is 960.

Default: No default

Monitor IP Session Attack

(per 30 seconds)

Number of TCP or UDP connection requests per 30 second, which if exceeded, can

indicate a denial of service attack. Valid range is 1-16384 requests per 30 seconds.

Recommended value is 960.

Table 33: IPv6 Firewall Parameters

Parameter Description

Default: No default

Deny Inter User Bridging Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can

configure user role policies that prevent Layer-3 traffic between users or networks

but this does not block Layer-2 traffic. This option can be used to prevent traffic,

such as Appletalk or IPX, from being forwarded.

Default: Disabled

Deny All IP Fragments Drops all IP fragments.

NOTE: Do not enable this option unless instructed to do so by a Dell

representative.

Default: Disabled

Enforce TCP Handshake

Before Allowing Data

Prevents data from passing between two clients until the three-way TCP handshake

has been performed. This option should be disabled when you have mobile clients

on the network, as enabling this option will cause mobility to fail. You can enable

this option if there are no mobile clients on the network.

Default: Disabled

Prohibit IP Spoofing Enables detection of IP spoofing (where an intruder sends messages using the IP

address of a trusted client). When you enable this option, IP and MAC addresses

are checked for each ARP request/response. Traffic from a second MAC address

using a specific IP address is denied, and the entry is not added to the user table.

Possible IP spoofing attacks are logged and an SNMP trap is sent.

Default: Disabled

Prohibit RST Replay Attack When enabled, closes a TCP connection in both directions if a TCP RST is received

from either direction. You should not enable this option unless instructed to do so

by a Dell representative.

Default: Disabled

Session Mirror

Destination

Destination (IPv4 address or controller port) to which mirrored session packets are

sent. You can configure IPv6 flows to be mirrored with the session ACL “mirror”

option. This option is used only for troubleshooting or debugging.

Default: N/A

Session Idle Timeout Set the time, in seconds, that a non-TCP session can be idle before it is removed

from the session table. Specify a value in the range 16–259 seconds. You should

not set this option unless instructed to do so by a Dell representative.

Default: 30 seconds

Per-packet Logging Enables logging of every packet if logging is enabled for the corresponding session

rule. Normally, one event is logged per session. If you enable this option, each

packet in the session is logged. You should not enable this option unless instructed

to do so by a Dell representative, as doing so may create unnecessary overhead on

the controller.

Default: Disabled (per-session logging is performed)

IPv6 Enable Enables IPv6 globally.

Table 33: IPv6 Firewall Parameters

The following examples configure attack rates and the session timeout for IPv6 traffic.

To configure the firewall function via the WebUI:

1. Navigate to the Configuration > Advanced Services > Stateful Firewall > Global Setting page.

2. Under the IPv6 column, enter the following:

lFor Monitor Ping Attack, enter 15

lFor Monitor IP Session Attack, enter 25

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 195

196 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

lFor Session Idle Timeout, enter 60

3. Click Apply.

To configure firewall functions using the command line interface, issue the following commands in config

mode:

ipv6 firewall attack-rate ping 15

ipv6 firewall attack-rate session 25

ipv6 firewall session-idle-timeout 60

Understanding Firewall Policies

A user role, which determines a client’s network privileges, is defined by one or more firewall policies. A firewall

policy consists of rules that define the source, destination, and service type for specific traffic, and whether you

want the controller to permit or deny traffic that matches the rule.

You can configure firewall policies for IPv4 traffic or IPv6 traffic, and apply IPv4 and IPv6 firewall policies to the

same user role. For example, if you have employees that use both IPv4 and IPv6 clients, you can configure

both IPv4 and IPv6 firewall policies and apply them both to the “employee” user role.

The procedure to configure an IPv6 firewall policy rule is similar to configuring a firewall policy rule for IPv4

traffic, but with some differences. Table 18 describes the required and optional parameters for an IPv6 firewall

policy rule.

Field Description

Source

(required)

Source of the traffic:

lany: Acts as a wildcard and applies to any source address.

luser: This refers to traffic from the wireless client.

lhost: This refers to traffic from a specific host. When this option is chosen, you must

configure the IPv6 address of the host. For example,

2002:d81f:f9f0:1000:c7e:5d61:585c:3ab.

lnetwork: This refers to a traffic that has a source IP from a subnet of IP addresses.

When you chose this option, you must configure the IPv6 address and network mask of

the subnet. For example, 2002:ac10:fe:: ffff:ffff:ffff::.

lalias: This refers to using an alias for a host or network.

NOTE: This release does not support IPv6 aliases. You cannot configure an alias for an IPv6

host or network.

Destination

(required)

Destination of the traffic, which you can configure in the same manner as Source.

Service

(required)

NOTE: Voice over IP services are unavailable for IPv6 policies.

Type of traffic:

lany: This option specifies that this rule applies to any type of traffic.

ltcp: Using this option, you configure a range of TCP port(s) to match the rule to be

applied.

ludp: Using this option, you configure a range of UDP port(s) to match the rule to be

applied.

lservice: Using this option, you use one of the pre-defined services (common protocols

such as HTTPS, HTTP, and others) as the protocol to match the rule to be applied. You

can also specify a network service that you configure by navigating to the

Configuration > Advanced Services > Stateful Firewall > Network Services page.

lprotocol: Using this option, you specify a different layer 4 protocol (other than

TCP/UDP) by configuring the IP protocol value.

Action

(required)

The action that you want the controller to perform on a packet that matches the specified

criteria.

Table 34: IPv6 Firewall Policy Rule Parameters

Field Description

lpermit: Permits traffic matching this rule.

ldrop: Drops packets matching this rule without any notification.

NOTE: The only actions for IPv6 policy rules are permit or deny; in this release, the

controller cannot perform network address translation (NAT) or redirection on IPv6

packets. You can specify options such as logging, mirroring, or blacklisting (described

below).

Log (optional) Logs a match to this rule. This is recommended when a rule indicates a security breach,

such as a data packet on a policy that is meant only to be used for voice calls.

Mirror

(optional)

Mirrors session packets to a datapath or remote destination specified in the IPv6 firewall

function (see “Session Mirror Destination” in Table 33). If the destination is an IP address, it

must be an IPv4 IP address.

Queue

(optional)

The queue in which a packet matching this rule should be placed. Select High for higher

priority data, such as voice, and Low for lower priority traffic.

Time Range

(optional)

Time range for which this rule is applicable. You configure time ranges in the

Configuration > Security > Access Control > Time Ranges page.

Black List

(optional)

Automatically blacklists a client that is the source or destination of traffic matching this

rule. This option is recommended for rules that indicate a security breach where the

blacklisting option can be used to prevent access to clients that are attempting to breach

the security.

TOS (optional) Value of type of service (TOS) bits to be marked in the IP header of a packet matching this

rule when it leaves the controller.

802.1p Priority

(optional)

Value of 802.1p priority bits to be marked in the frame of a packet matching this rule when

it leaves the controller.

Table 34: IPv6 Firewall Policy Rule Parameters

The following example creates a policy "ipv6-web-only" that allows only web (HTTP and HTTPS) access for IPv6

clients and assigns the policy to the user role “web-guest."

The user role “web-guest” can include both IPv6 and IPv4 policies, although this example only shows configuration of

an IPv6 policy.

Creating an IPv6 Firewall Policy

Following the procedure below to create an IPv6 firewall policy via the WebUI.

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Click Add to create a new policy.

3. Enter ipv6-web-only for the Policy Name.

4. To configure a firewall policy, select Session for Policy Type.

5. Click Add to add a rule that allows HTTP traffic.

a. Under IP Version column, select IPv6.

b. Under Source, select network from the drop-down list.

c. For Host IP, enter 2002:d81f:f9f0:1000::.

d. For Mask, enter 64as the prefix-length.

e. Under Service, select service from the drop-down list.

f. Select svc-http from the scrolling list.

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 197

198 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

g. Click Add.

6. Click Add to add a rule that allows HTTPS traffic.

a. Under IP Version column, select IPv6.

b. Under Source, select network from the drop-down list.

c. For Host IP, enter 2002:d81f:f9f0:1000::.

d. For Mask, enter 64 as the prefix-length.

e. Under Service, select service from the drop-down list.

f. Select svc-https from the scrolling list.

g. Click Add.

Rules can be reordered using the up and down arrow buttons provided for each rule.

7. Click Apply. The policy is not created until the configuration is applied.

To create an IPv6 firewall policy using the command-line interface, issue the following commands in config

mode:

ip access-list session ipv6-web-only

ipv6 network 2002:d81f:f9f0:1000::/64 any svc-http permit

ipv6 network 2002:d81f:f9f0:1000::/64 any svc-https permit

Assigning an IPv6 Policy to a User Role

To assign an IPv6 policy using the WebUI:

1. Navigate to the Configuration > Security > Access Control > User Roles page.

2. Click Add to create a new user role.

3. Enter web-guest for Role Name.

4. Under Firewall Policies, click Add. From Choose from Configured Policies, select the “ipv6-web-only” IPv6

session policy from the list.

5. Click Done to add the policy to the user role.

6. Click Apply.

To assign an IPv6 policy to a user role via the command-line interface, issue the following command in config

mode:

user-role web-guest

access-list session ipv6-web-only position 1

Understanding DHCPv6 Passthrough/Relay

The controller forwards DHCPv6 requests from IPv6 clients to the external IPv6 router. On the external IPv6

router, you must configure the controller’s IP address as the DHCP relay. You do not need to configure an IP

helper address on the controller to forward DHCPv6 requests.

Managing IPv6 User Addresses

Viewing or Deleting User Entries

To view or delete IPv6 user entries via the WebUI:

1. Navigate to the Monitoring > Controller > Clients page.

2. Click the IPv6 tab to display IPv6 clients.

3. To delete an entry in the IPv6 client display, click the radio button to the left of the client and then click

Disconnect.

To view user entries for IPv6 clients using the command line interface, use the show user-table command in

enable mode. To delete a user entry for an IPv6 client, access the CLI in config mode and use the aaa ipv6

user delete command. For example:

aaa ipv6 user delete 2002:d81f:f9f0:1000:e409:9331:1d27:ef44

Understanding User Roles

An IPv6 user or a client can inherit the corresponding IPv4 roles. A user or client entry on the user table will

contain the user or client’s IPv4 and IPv6 entries. After captive-portal authentication, a IPv4 client can acquire a

different role. This role is also updated on the client’s IPv6 entry in the user table.

Viewing Datapath Statistics for IPv6 Sessions

To view datapath session statistics for individual IPv6 sessions, access the command-line interface in enable

mode and issue the command show datapath session ipv6. To display the user entries in the datapath,

access the command-line interface in enable mode, and issue the command show datapath user ipv6. For

details on each of these commands and the output they display, refer to the Dell Networking W-Series ArubaOS

Command Line Reference Guide.

Understanding IPv6 Exceptions and Best Practices

The IPv6 best practices are provided below:

lEnsure that you enable IPv6 globally.

lThe uplink port must be trusted. This is the same behavior as IPv4.

lEnsure that the validuser session ACL does not block IPv6 traffic.

lThere must not be any ACLs that drop ICMPv6 or DHCPv6 traffic. It is acceptable to drop DHCPv6 traffic if

the deployment uses Stateless Address Auto Configuration (SLAAC) only.

lIf an external device provides RA:

nIt is not recommended to advertise too many prefixes in RA.

nThe controller supports a maximum of four IPv6 user entries in the user table. If a client uses more than

four IPv6 addresses at a time, the user table is refreshed with the latest four active entries without

disrupting the traffic flow. However, this may have some performance impact.

lEnable BCMC Optimization under interface VLAN to drop any random IPv6 multicast traffic. DHCPv6, ND,

NS, and RA traffic are not dropped when you enable this option.

It is recommended to enable BCMC Optimization only if mDNS traffic is not used in the network, as mDNS traffic

gets dropped if this option is enabled.

lIt is not recommended to enable preemption on the master redundancy model. If preemption is disabled

and if there is a failover, the new primary controller remains the primary controller even when the original

master is online again. The new primary controller does not revert to it's original state unless forced by the

administrator. Disabling preemption prevents the master from “flapping” between two controllers and

allows the administrator to investigate the cause of the outage.

lWhile selecting a source address, the number of common bits between each source address in the list, is

checked from the left most bit. This is followed by selection of the source address that has the maximum

number of matching bits with the destination address. If more than one source addresses has the same

Dell Networking W-Series ArubaOS 6.4.x | User Guide IPv6 Support | 199

200 | IPv6 Support Dell Networking W-Series ArubaOS 6.4.x| User Guide

number of matching bits with the destination address, the kernel selects that source address that is most

recently configured on the system. It is essential that the administrator/user configures the network

appropriately, if a particular VLAN interface needs to be selected as the source. For example, in case of

Dot1x authentication the administrator/user can configure the source interface appropriately so that it is

selected for authentication process. For more information on IPv6 source address selection, see RFC 3848.

ArubaOS does not support the following functions for IPv6 clients:

lThe controller offers limited routing services to IPv6 clients, so it is recommended to use an external IPv6

router for a complete routing experience (dynamic routing).

lVo IP ALGis not supported for IPv6 clients.

lRemote AP supports IPv6 clients in tunnel forwarding mode only. The Remote AP bridge and split-tunnel

forwarding modes do not support IPv6 clients. Secure Thin Remote Access Point (STRAP) cannot support

IPv6 clients.

lIPSec is not supported over IPv6.

lIPv6 Auto configuration and IPv6 Neighbor Discovery mechanisms does not apply to IPv6 tunnels.

lTunnel Encapsulation Limit, Tunnel-group, and MTU discovery options on IPv6 tunnels are not supported.

lIPSec is not supported in this release, so IPv6 GRE cannot be used for master-local setup.

Dell Networking W-Series ArubaOS 6.4.x| User Guide Link Aggregation Control Protocol (LACP) | 201

Chapter 6

Link Aggregation Control Protocol (LACP)

The ArubaOS implementation of Link Aggregation Control Protocol (LACP) is based on the standards specified

in 802.3ad. LACP provides a standardized means for exchanging information, with partner systems, to form a

link aggregation group (LAG). LACP avoids port channel misconfiguration.

Two devices (actor and partner) exchange LACP data units (DUs) when forming a LAG. Once multiple ports in

the system have the same actor system ID, actor key, partner system ID, and partner key, they belong to the

same LAG.

The maximum number of supported port-channels is eight. With the introduction of LACP, this number

remains the same. A port-channel group (LAG) is created either statically or dynamically via LACP. This chapter

contains the following topics:

lUnderstanding LACP Best Practices and Exceptions on page 201

lConfiguring LACP on page 201

lLACP Sample Configuration on page 203

For information on configuring LACP on W-AP220 Series and W-AP270 Series access points, see Link Aggregation

Support on W-AP220 Series and W-AP270 Series on page 529

Understanding LACP Best Practices and Exceptions

lLACP is disabled by default.

lLACP depends on periodical Tx/Rx of LACP data units (LACPDU). Any failures are noticed immediately and

that port is removed from the LAG.

lThe maximum LAG supported per system is 8 groups; each group can be created statically or via LACP.

lEach LAG can have up to 8 member ports.

lThe LAG group identification (ID) range is 0–7 for both static (port-channel) and LACP groups.

lWhen a port is added to a LACP LAG, it inherits the port-channel’s properties (in other words, VLAN

membership, trunk status , and so on.)

lWhen a port is added to LACP LAG, the port’s property (i.e. speed) is compared to the existing port

properties. If there is a mismatch, the command is rejected.

lThe LACP commands can not be configured on a port that is already a member of a static port-channel.

Similarly, if the group assigned in the command lacp group <number> already contains static port

members, the command is rejected.

lThe port uses the group number as its actor admin key.

lAll ports use long timeout values (90 seconds) by default.

lThe output of the command show interface port-channel now indicates if the LAG is created by LACP

(dynamic) or static configuration. If the LAG is created via LACP, you can not add/delete any ports under

that port channel. All other commands are allowed.

Configuring LACP

Two LACP configured devices exchange LACPDUs to form a link aggregation group (LAG). A device is

configurable as an active or passive participant. In active mode, the device initiates DUs irrespective of the

202 | Link Aggregation Control Protocol

(LACP) Dell Networking W-Series ArubaOS 6.4.x| User Guide

partner state; passive mode devices respond only to the incoming DUs sent by the partner device. Hence, to

form a LAG group between two devices, one device must be an active participant. For detailed information on

the LACP commands, see the Command-Line Interface Reference Guide.

In the CLI

LACPDUs exchange their corresponding system identifier/priority along with their port’s key/priority. This

information determines the LAG of a given port. The LAG for a port is selected based on its keys; the port is

placed in that LAG only when its system ID/key and partner's system ID/key matches the other ports in the

LAG (if the group has ports).

1. Enable LACP and configure the per-port specific LACP. The group number range is 0–7.

lacp group <group_number> mode {active | passive}

lActive mode—the interface is in an active negotiating state. LACP runs on any link that is configured to

be in the active state. The port in an active mode also automatically initiates negotiations with other

ports by initiating LACP packets.

lPassive mode—the interface is not in an active negotiating state. LACP runs on any link that is configured

in a passive mode. The port in a passive mode responds to negotiations requests from other ports that

are in an active mode. Ports in passive mode respond to LACP packets.

A port in a passive mode cannot set up a port channel (LAG group) with another port in a passive mode.

2. Set the timeout for the LACP session. The timeout value is the amount of time that a port-channel interface

waits for a LACPDU from the remote system before terminating the LACP session. The default long time-

out value is 90 seconds; short is 3 seconds.

lacp timeout {long | short}

3. Set the port priority.

lacp port-priority <priority_value>

The higher the priority value the lower the priority. The range is 1-65535 and the default is 255.

4. View your LACP configuration.

The port uses the group number +1 as the “actor admin key”. All the ports use the long timeout value (90

seconds) by default.

(host)#show lacp 0 neighbor

Flags: S - Device is requesting Slow LACPDUs

F - Device is requesting fast LACPDUs

A - Device is in active mode P - Device is in passive mode

Partner's information

---------------------

Port Flags Pri OperKey State Num Dev Id

---- ----- ---- ------- ----- ---- ----------------

FE 1/1 SA 1 0x10 0x45 0x5 00:0b:86:51:1e:70

FE 1/2 SA 1 0x10 0x45 0x6 00:0b:86:51:1e:70

When a port in a LAG is misconfigured (the partner device is different than the other ports), or the neighbor

timesout or can not exchange LACPDUs with the partner, the port status is displayed as “DOWN” (see the

following example):

(host)#show lacp 0 internal

Flags: S - Device is requesting Slow LACPDUs

F - Device is requesting fast LACPDUs

A - Device is in active mode P - Device is in passive mode

Port Flags Pri AdminKey OperKey State Num Status

---- ----- ---- -------- -------- ----- ---- -------

FE 1/1 SA 1 0x1 0x1 0x45 0x2 DOWN

FE 1/2 SA 1 0x1 0x1 0x45 0x3 UP

In the WebUI

Access LACP from the Configuration >Network >Port tabs. Use the drop-down list to enter the LACP values.

lLACP Group— the link aggregation group (LAG) number; the range is 0 to 7.

lMode— active negotiation state or not in an active negotiation state indicated by the passive option.

lPriority—the port priority value; the range is 1-65535 and the default is 255.

lTimeout— time out value for the LACP session. The long default is 90 seconds; the short default is 3

seconds.

For information on configuring LACP on W-AP220 Series and W-AP270 Series access points, see Link Aggregation

Support on W-AP220 Series and W-AP270 Series on page 529

LACP Sample Configuration

The following sample configuration is for FastEthernet (FE) port/slot 1/0, 1/1, and 1/2:

interface fastethernet 1/0

description "FE1/0"

trusted vlan 1-4094

lacp group 0 mode active

interface fastethernet 1/1

description "FE1/1"

Dell Networking W-Series ArubaOS 6.4.x | User Guide Link Aggregation Control Protocol (LACP) | 203

204 | Link Aggregation Control Protocol

(LACP) Dell Networking W-Series ArubaOS 6.4.x| User Guide

trusted vlan 1-4094

lacp timeout short

lacp group 0 mode active

interface fastethernet 1/2

description "FE1/2"

trusted vlan 1-4094

lacp group 0 mode passive

Dell Networking W-Series ArubaOS 6.4.x| User Guide OSPFv2 | 205

Chapter 7

OSPFv2

OSPFv2 (Open Shortest Path First) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC

2328. The OSPF uses the shortest or fastest routing path. Dell’s implementation of OSPFv2 allows Dell

controllers to deploy effectively in a Layer 3 topology. Dell controllers can act as default gateway for all clients

and forward user packets to the upstream router. An Dell controller can be used for Instant AP VPN

termination from the branch office, and the OSPF on the controller can be used to redistribute branch routes

into corporate OSPF domain. The information on this chapter is in the following sections:

lUnderstanding OSPF Deployment Best Practices and Exceptions on page 205

lUnderstanding OSPFv2 by Example using a WLAN Scenario on page 206

lUnderstanding OSPFv2 by Example using a Branch Office Scenario on page 207

lConfiguring OSPF on page 208

lSample Topology and Configuration on page 210

Understanding OSPF Deployment Best Practices and Exceptions

OSPF is a robust routing protocol addressing various link types and deployment scenarios. The Dell

implementation applies to two main use cases; WLAN Scenarios and Branch Office Scenario.

lOSPF is disabled by default.

lDell controllers support only one OSPF instance.

lConvergence takes between 5 and 15 seconds.

lAll area types are supported.

lMultiple configured areas are supported.

lA Dell controller can act as an ABR (Area border router).

lOSPF supports VLAN and GRE tunnel interfaces.

lTo run OSPF over IPSec tunnels, a Layer 3 GRE tunnel is configured between two routers with GRE

destination addresses as the inner address of the IPsec tunnel. OSPF is enabled on the Layer 3 GRE tunnel

interface, and all of the OSPF control packets undergo GRE encapsulation before entering the IPsec tunnels.

The default MTU value for a Layer 3 GRE tunnel in a Dell controller is 1100. When running OSPF over a GRE

tunnel between a Dell controller and another vendor’s router, the MTU values must be the same on both

sides of the GRE tunnel.

The following table provides information on the maximum OSPF routes supported for various platforms:

Platform Branches Routes

W-3600 8K 8K

W-6000M3 8K 8K

W-7210 8K 8K

Table 35: Maximum OSPF Routes

206 | OSPFv2 Dell Networking W-Series ArubaOS 6.4.x| User Guide

Platform Branches Routes

W-7220 16K 16K

W-7240 32K 32K

Below are some guidelines regarding deployment and topology for this release of OSPFv2.

lIn the WLAN scenario, configure the Dell controller and all upstream routers in totally stub area; in the

Branch Office scenario, configure as stub area so that the Branch Office controller can receive corporate

subnets.

lIn the WLAN scenario upstream router, only configure the interface connected to the controller in the same

area as the controller. This will minimize the number of local subnet addresses advertised by the upstream

router to the controller.

lUse the upstream router as the designated router (DR) for the link/interface between the controller and the

upstream router.

lThe default MTU value for a Layer 3 GRE tunnel in a Dell controller is 1100. When running OSPF over a GRE

tunnel between a Dell controller and another vendor’s router, the MTU values must be the same on both

sides of the GRE tunnel.

lDo not enable OSPF on any uplink/WAN interfaces on the Branch Office Controller. Enable OSPF only on

the Layer 3 GRE tunnel connecting the master controller.

lUse only one physical port in the uplink VLAN interface that is connecting to the upstream router. This will

prevent broadcasting the protocol PDUs to other ports and hence limit the number of adjacencies on the

uplink interface to only one.

Understanding OSPFv2 by Example using a WLAN Scenario

In the WLAN scenario, the Dell controller acts as a default gateway for all the clients, and talks to one or two

upstream routers for redundancy. The controller advertises all the user subnet addresses as stub addresses to

the routers via LSAs.

Totally stub areas see only default route and to the areas themselves.

WLAN Topology

The controller is configured with VLAN 10 and VLAN 12 as user VLANs. These VLANs have clients on the

subnets, and the controller is the default router for those clients. VLAN 4 and VLAN 5 both have OSPF enabled.

These interfaces are connected to upstream routers (Router 1 and Router 2). The OSPF interface cost on VLAN

4 is configured lower than VLAN 5. The IDs are:

lDell controller— 40.1.1.1

lRouter 1— 50.1.1.1

lRouter 2— 60.1.1.1

Based on the cost of the uplink interface, the default route from one of the upstream routers is installed in the

forwarding information base (FIB) by the routing information base/route table manager (RIB/RTM) module.

WLAN Routing Table

View the controller routing table using the show ip route command:

(host)#show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static

M - mgmt, U - route usable, * - candidate default

Below is the routing table for Router 1:

(router1) #show ip route

O 10.1.1.0/24 [1/0] via 4.1.1.1

O 12.1.1.0/24 [1/0] via 4.1.1.1

C 4.1.1.0 is directly connected, VLAN4

Below is the routing table for Router 2:

(router2) #show ip route

O 10.1.1.0/24 [2/0] via 5.1.1.1

O 12.1.1.0/24 [2/0] via 5.1.1.1

C 5.1.1.0 is directly connected, VLAN5

Understanding OSPFv2 by Example using a Branch Office Scenario

The branch office scenario has a number of remote branch offices with controllers talking to a central office via

a concentrator/controller using site-to-site VPN tunnels or master-local IPsec tunnels. The central office

controller is in turn talking to upstream routers (see Figure 22). In this scenario, the default route is normally

pointed to the uplink router, in many cases the ISP. Configure the area as stub so that inter-area routes are also

advertised enabling the branch office controller to reach the corporate subnets.

Branch Office Topology

All the OSPF control packets exchanged between the Branch office and the central office controllers undergo

GRE encapsulation before entering the IPsec tunnels. The controllers in the branch offices advertise all the user

subnet addresses to the Central office controller as stub addresses in router LSA. The central office controller in

turn forwards those router LSAs to the upstream routers.

Figure 22 Branch Office OSPF Topology

All the branch office controllers, the Central office controller, and the upstream routers are part of a stub area.

Because the OSPF packets follow GRE encapsulation over IPsec tunnels, the Central office controller can be a

controller or any vendor’s VPN concentrator. Regardless, the controller in the branch office will operate with

other vendors seamlessly.

Dell Networking W-Series ArubaOS 6.4.x | User Guide OSPFv2 | 207

208 | OSPFv2 Dell Networking W-Series ArubaOS 6.4.x| User Guide

In Figure 22, the branch office controller is configured using VLAN 14 and VLAN 15. Layer 3 GRE tunnel is

configured with IP address 20.1.1.1/24 and OSPF is enabled on the tunnel interface.

In the Central office controller, OSPF is enabled on VLAN interfaces 4, 5, and the Layer 3 GRE tunnel interface

(configured with IP address 20.1.1.2/24). OSPF interface cost on VLAN 4 is configured lower than VLAN 5.

Branch Office Routing Table

View the branch office controller routing table using the show ip route command:

(host)#show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static

M - mgmt, U - route usable, * - candidate default

The routing table for the central office controller is below:

(host)#show ip route

Gateway of last resort is 4.1.1.2 to network 0.0.0.0

O* 0.0.0.0/0 [1/0] via 4.1.1.2*

O 14.1.1.0/24 [1/0] via 30.1.1.1*

O 15.1.1.0/24 [1/0] via 30.1.1.1*

C 4.1.1.0 is directly connected, VLAN4

C 5.1.1.0 is directly connected, VLAN5

C 20.1.1.0 is directly connected, Tunnel 1

The routing table for Router 1 is below:

(router1) #show ip route

O 14.1.1.0/24 [1/0] via 4.1.1.1

O 15.1.1.0/24 [1/0] via 4.1.1.1

C 4.1.1.0 is directly connected, VLAN4

The routing table for Router 2 is below:

(router2) #show ip route

O 14.1.1.0/24 [1/0] via 5.1.1.1

O 15.1.1.0/24 [1/0] via 5.1.1.1

C 5.1.1.0 is directly connected, VLAN5

Configuring OSPF

To configure general OSPF settings from the OSPF tab, perform the following steps:

1. Navigate to the Configuration >IP page (see Figure 23). The Area and Excluded subnets are displayed in

table format. If not explicitly specified for OSPF, the router ID defaults to the switch IP.

Figure 23 General OSPF Configuration

2. Click Add to add an area (see Figure 24).

Figure 24 Add an OSPF Area

3. Configure the OSPF interface settings in the Configuration screen (Figure 25). If OSPF is enabled, the

parameters contain the correct default values. You can edit the OSPF values only when you enable OSPF on

the interface.

Dell Networking W-Series ArubaOS 6.4.x | User Guide OSPFv2 | 209

210 | OSPFv2 Dell Networking W-Series ArubaOS 6.4.x| User Guide

Figure 25 Edit OSPF VLAN Settings

OSPF monitoring is available from an IP Routing sub-section (Controller > IP Routing > Routing). Both Static

and OSPF routes are available in table format.

OSPF Interfaces and Neighboring information is available from the OSPF tab. The Interface information

includes transmit (TX) and receive (RX) statistics.

Exporting VPN Client Addresses to OSPF

You can configure VPN client addresses so that they can be exported to OSPF and be advertised as host routes

(/32). Exporting applies to any VPN client address regardless of how it is assigned.

In the WebUI

1. Navigate to the Configuration > Advanced Services > All Profiles > VPN Authentication > default

page.

2. (Optional) Regardless of how an authentication server is contacted, the Export VPN IP address as a

route option causes any VPN client address to be exported to OSPF using IPC. Note that the Framed-IP-

Address attribute is assigned the IP address as long as any server returns the attribute. The Framed-IP-

Address value always has a higher priority than the local address pool.

3. Click Apply.

In the CLI

Use this command to export the VPN client’s assigned address to OSPF using IPC:

(host) (config) #aaa authentication vpn default

(host) (VPN Authentication Profile "default") #

(host) (VPN Authentication Profile "default") # export-route

Use the show ip ospf database command to show LSA types that are generated.

Sample Topology and Configuration

The figure below displays a sample OSPF topology followed by sample configurations of the Remote Branch 1,

Remote Branch 2, and the W-3200 Central Office Controller (Active and Backup).

Figure 26 Sample OSPF Topology

Remote Branch 1

controller-ip vlan 30

vlan 16

vlan 30

vlan 31

vlan 32

interface gigabitethernet 1/0

description "GE1/0"

trusted

switchport access vlan 16

interface gigabitethernet 1/1

description "GE1/1"

trusted

switchport access vlan 30

interface gigabitethernet 1/2

description "GE1/2"

trusted

switchport access vlan 31

interface gigabitethernet 1/3

description "GE1/3"

trusted

switchport access vlan 32

interface vlan 16

ip address 192.168.16.251 255.255.255.0

Dell Networking W-Series ArubaOS 6.4.x | User Guide OSPFv2 | 211

212 | OSPFv2 Dell Networking W-Series ArubaOS 6.4.x| User Guide

interface vlan 30

ip address 192.168.30.1 255.255.255.0

interface vlan 31

ip address 192.168.31.1 255.255.255.0

interface vlan 32

ip address 192.168.32.1 255.255.255.0

uplink wired priority 202

uplink cellular priority 201

uplink wired vlan 16

interface tunnel 2003

description "Tunnel Interface"

ip address 2.0.0.3 255.0.0.0

tunnel source 192.168.30.1

tunnel destination 192.168.68.217

trusted

ip ospf area 10.10.10.10

ip default-gateway 192.168.16.254

ip route 192.168.0.0 255.255.0.0 null 0

router ospf

router ospf router-id 192.168.30.1

router ospf area 10.10.10.10 stub

router ospf redistribute vlan 30-32

Remote Branch 2

controller-ip vlan 50

vlan 20

vlan 50

vlan 51

vlan 52

interface gigabitethernet 1/0

description "GE1/0"

trusted

switchport access vlan 20

interface gigabitethernet 1/1

description "GE1/1"

trusted

switchport access vlan 50

interface gigabitethernet 1/2

description "GE1/2"

trusted

switchport access vlan 51

interface gigabitethernet 1/3

description "GE1/3"

trusted

switchport access vlan 52

interface vlan 20

ip address 192.168.20.1 255.255.255.0

interface vlan 50

ip address 192.168.50.1 255.255.255.0

interface vlan 51

ip address 192.168.51.1 255.255.255.0

interface vlan 52

ip address 192.168.52.1 255.255.255.0

uplink wired priority 206

uplink cellular priority 205

uplink wired vlan 20

interface tunnel 2005

description "Tunnel Interface"

ip address 2.0.0.5 255.0.0.0

tunnel source 192.168.50.1

tunnel destination 192.168.68.217

trusted

ip ospf area 10.10.10.10

ip default-gateway 192.168.20.254

ip route 192.168.0.0 255.255.0.0 null 0

router ospf

router ospf router-id 192.168.50.1

router ospf area 10.10.10.10 stub

router ospf redistribute vlan 50-52

W-3200 Central Office Controller—Active

localip 0.0.0.0 ipsec db947e8d1b383813a4070ab0799fa6246b80fc5cfcc3268f

controller-ip vlan 225

vlan 68

vlan 100

vlan 225

interface gigabitethernet 1/0

description "GE1/0"

trusted

switchport access vlan 225

interface gigabitethernet 1/1

description "GE1/1"

trusted

switchport access vlan 100

interface gigabitethernet 1/2

description "GE1/2"

trusted

switchport access vlan 68

interface vlan 68

ip address 192.168.68.220 255.255.255.0

interface vlan 100

ip address 192.168.100.1 255.255.255.0

interface vlan 225

ip address 192.168.225.2 255.255.255.0

interface tunnel 2003

description "Tunnel Interface"

ip address 2.1.0.3 255.0.0.0

Dell Networking W-Series ArubaOS 6.4.x | User Guide OSPFv2 | 213

214 | OSPFv2 Dell Networking W-Series ArubaOS 6.4.x| User Guide

tunnel source 192.168.225.2

tunnel destination 192.168.30.1

trusted

ip ospf area 10.10.10.10

interface tunnel 2005

description "Tunnel Interface"

ip address 2.1.0.5 255.0.0.0

tunnel source 192.168.225.2

tunnel destination 192.168.50.1

trusted

ip ospf area 10.10.10.10

master-redundancy

master-vrrp 2

peer-ip-address 192.168.68.221 ipsec password123

vrrp 1

priority 120

authentication password123

ip address 192.168.68.217

vlan 68

preempt

tracking vlan 68 sub 40

tracking vlan 100 sub 40

tracking vlan 225 sub 40

no shutdown

vrrp 2

priority 120

ip address 192.168.225.9

vlan 225

preempt

tracking vlan 68 sub 40

tracking vlan 100 sub 40

tracking vlan 225 sub 40

no shutdown

ip default-gateway 192.168.68.1

ip route 192.168.0.0 255.255.0.0 null 0

router ospf

router ospf router-id 192.168.225.1

router ospf area 10.10.10.10 stub

router ospf redistribute vlan 100,225

W-3200 Central Office Controller—Backup

localip 0.0.0.0 ipsec db947e8d1b383813a4070ab0799fa6246b80fc5cfcc3268f

controller-ip vlan 225

interface gigabitethernet 1/0

description "GE1/0"

trusted

switchport access vlan 225

interface gigabitethernet 1/1

description "GE1/1"

trusted

switchport access vlan 100

interface gigabitethernet 1/2

description "GE1/2"

trusted

switchport access vlan 68

interface vlan 68

ip address 192.168.68.221 255.255.255.224

interface vlan 100

ip address 192.168.100.5 255.255.255.0

interface vlan 225

ip address 192.168.225.1 255.255.255.0

interface tunnel 2003

description "Tunnel Interface"

ip address 2.1.0.3 255.0.0.0

tunnel source 192.168.225.1

tunnel destination 192.168.30.1

trusted

ip ospf area 10.10.10.10

interface tunnel 2005

description "Tunnel Interface"

ip address 2.1.0.5 255.0.0.0

tunnel source 192.168.225.1

tunnel destination 192.168.50.1

trusted

ip ospf area 10.10.10.10

master-redundancy

master-vrrp 2

peer-ip-address 192.168.68.220 ipsec password123

vrrp 1

priority 99

authentication password123

ip address 192.168.68.217

vlan 68

tracking vlan 68 sub 40

tracking vlan 100 sub 40

tracking vlan 225 sub 40

no shutdown

vrrp 2

priority 99

ip address 192.168.225.9

vlan 225

tracking vlan 68 sub 40

tracking vlan 100 sub 40

tracking vlan 225 sub 40

no shutdown

ip default-gateway 192.168.68.1

ip route 192.168.0.0 255.255.0.0 null 0

router ospf

router ospf router-id 192.168.225.1

router ospf area 10.10.10.10 stub

router ospf redistribute vlan 100,225

Dell Networking W-Series ArubaOS 6.4.x | User Guide OSPFv2 | 215

216 | OSPFv2 Dell Networking W-Series ArubaOS 6.4.x| User Guide

The following figure displays how the controller is configured for Instant AP VPN for different OSPF cases.

Topology

lArea-10 is NSSA (Not-So-Stubby Area)

lArea-11 is Normal area.

lRAPNG AP-1 is configured to have a 3600-UP controller as its primary controller and a 3600-DOWN as

secondary controller.

lRAPNG AP-2 is configured to have a 3600-DOWN as its primary controller and a 3600-UP as secondary

controller.

lRAPNG AP-1 is configured to have a 201.201.203.0/24 L3-distributed network.

lRAPNG AP-2 is configured to have a 202.202.202.0/24 L3-distributed network.

Observation

lW-3600-UP Controller will send Type-5 LSA (External LSA) of VPN route 201.201.203.0/24 to it’s upstream

router, Cisco-3750.

lW-3600-DOWN Controller will send Type-7 LSA (NSSA) of VPN route 202.202.202.0/24 to it’s upstream

router, Cisco-2950.

lW-3600-UP Controller will send a Type-4 asbr-summary LSA.

Configuring W-3600-UP Controller

interface vlan 21

ip address 21.21.21.2 255.255.255.0

ip ospf area 0.0.0.11

router ospf

router ospf area 0.0.0.11

router ospf redistribute rapng-vpn

The following commands displays the configuration and run time protocol details on W-3600-UP Controller:

(host)#show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static

M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10

Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10

Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10

Gateway of last resort is 10.15.231.185 to network 0.0.0.0 at cost 1

S* 0.0.0.0/0 [1/0] via 10.15.231.185*

O 10.15.228.0/27 [333/0] via 21.21.21.1*

O 12.12.12.0/25 [0/0] via 21.21.21.1*

O 22.22.22.0/24 [3/0] via 21.21.21.1*

O 23.23.23.0/24 [2/0] via 21.21.21.1*

O 25.25.25.0/24 [333/0] via 21.21.21.1*

S 192.100.3.0/24 [1/0] via 192.100.2.1*

S 192.100.4.0/24 [1/0] via 192.100.2.1*

S 192.100.5.0/24 [1/0] via 192.100.2.1*

S 192.100.6.0/24 [1/0] via 192.100.2.1*

S 192.100.7.0/24 [1/0] via 192.100.2.1*

S 192.100.8.0/24 [1/0] via 192.100.2.1*

S 192.100.9.0/24 [1/0] via 192.100.2.1*

S 192.100.10.0/24 [1/0] via 192.100.2.1*

S 192.100.11.0/24 [1/0] via 192.100.2.1*

S 192.100.12.0/24 [1/0] via 192.100.2.1*

S 192.100.13.0/24 [1/0] via 192.100.2.1*

S 192.100.14.0/24 [1/0] via 192.100.2.1*

S 192.168.1.0/24 [1/0] via 192.100.2.1*

S 192.169.1.0/24 [1/0] via 192.100.2.1*

S 192.170.1.0/24 [1/0] via 192.100.2.1*

S 192.171.1.0/24 [1/0] via 192.100.2.1*

S 192.172.1.0/24 [1/0] via 192.100.2.1*

S 192.173.1.0/24 [1/0] via 192.100.2.1*

S 192.174.1.0/24 [1/0] via 192.100.2.1*

S 192.175.1.0/24 [1/0] via 192.100.2.1*

S 192.176.1.0/24 [1/0] via 192.100.2.1*

S 192.177.1.0/24 [1/0] via 192.100.2.1*

S 192.178.1.0/24 [1/0] via 192.100.2.1*

S 192.179.1.0/24 [1/0] via 192.100.2.1*

V 201.201.203.0/26 [10/0] ipsec map

O 202.202.202.0/29 [0/0] via 21.21.21.1*

C 192.100.2.0/24 is directly connected, VLAN2

C 10.15.231.184/29 is directly connected, VLAN1

C 172.16.0.0/24 is directly connected, VLAN3

C 21.21.21.0/24 is directly connected, VLAN21

C 5.5.0.2/32 is an ipsec map 10.15.149.30-5.5.0.2

(host) #show ip ospf database

OSPF Database Table

-------------------

Area ID LSA Type Link ID Adv Router Age Seq# Checksum

------- -------- ------- ---------- --- ---- --------

0.0.0.11 ROUTER 21.21.21.1 21.21.21.1 178 0x80000017 0xca50

0.0.0.11 ROUTER 192.100.2.3 192.100.2.3 1406 0x80000007 0x2253

0.0.0.11 NETWORK 21.21.21.1 21.21.21.1 178 0x80000003 0xdf6d

0.0.0.11 IPNET_SUMMARY 22.22.22.0 21.21.21.1 178 0x80000003 0x7e38

0.0.0.11 IPNET_SUMMARY 23.23.23.0 21.21.21.1 178 0x80000003 0x5064

0.0.0.11 ASBR_SUMMARY 25.25.25.1 21.21.21.1 178 0x80000003 0xefbc

0.0.0.11 ASBR_SUMMARY 192.100.2.3 192.100.2.3 1412 0x80000002 0xa85d

N/A AS_EXTERNAL 10.15.228.0 25.25.25.1 1014 0x8000000e 0xea43

N/A AS_EXTERNAL 12.12.12.0 25.25.25.1 268 0x80000003 0x433a

N/A AS_EXTERNAL 25.25.25.0 25.25.25.1 1761 0x80000005 0x3d8d

Dell Networking W-Series ArubaOS 6.4.x | User Guide OSPFv2 | 217

218 | OSPFv2 Dell Networking W-Series ArubaOS 6.4.x| User Guide

N/A AS_EXTERNAL 201.201.203.0 10.15.231.186 3600 0x80000001 0x6690

N/A AS_EXTERNAL 201.201.203.0 192.100.2.3 1104 0x80000002 0xe4a2

N/A AS_EXTERNAL 202.202.202.0 25.25.25.1 268 0x80000003 0x4385

(host) #show ip ospf neighbor

OSPF Neighbor Table

-------------------

Neighbor ID Pri State Address Interface

----------- --- ----- ------- ---------

21.21.21.1 1 FULL/DR 21.21.21.1 Vlan

Configuring W-3600-DOWN Controller

interface vlan 22

ip address 22.22.22.2 255.255.255.0

ip ospf area 0.0.0.10

router ospf

router ospf area 0.0.0.10 nssa

router ospf redistribute rapng-vpn

The following commands displays the configuration and run time protocol details on W-3600-DOWN

Controller:

(host)#show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static

M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10

Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10

Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10

O 0.0.0.0/0 [1/0] via 22.22.22.1*

S 10.0.0.0/8 [1/0] via 10.15.231.177*

O 10.15.228.0/27 [333/0] via 22.22.22.1*

V 12.12.12.0/25 [10/0] ipsec map

O 21.21.21.0/24 [3/0] via 22.22.22.1*

O 23.23.23.0/24 [2/0] via 22.22.22.1*

O 25.25.25.0/24 [333/0] via 22.22.22.1*

V 202.202.202.0/29 [10/0] ipsec map

C 192.100.2.0/24 is directly connected, VLAN2

C 10.15.231.176/29 is directly connected, VLAN1

C 22.22.22.0/24 is directly connected, VLAN22

C 4.4.0.2/32 is an ipsec map 10.15.149.35-4.4.0.2

C 4.4.0.1/32 is an ipsec map 10.17.87.126-4.4.0.1

(host) #show ip ospf neighbor

OSPF Neighbor Table

-------------------

Neighbor ID Pri State Address Interface

----------- --- ----- ------- ---------

25.25.25.1 1 FULL/BDR 22.22.22.1 Vlan 22

(host) #show ip ospf database

OSPF Database Table

-------------------

Area ID LSA Type Link ID Adv Router Age Seq# Checksum

------- -------- ------- ---------- --- ---- --------

0.0.0.10 ROUTER 25.25.25.1 25.25.25.1 1736 0x80000021 0xb732

0.0.0.10 ROUTER 192.100.2.2 192.100.2.2 500 0x80000005 0x9ad9

0.0.0.10 NETWORK 22.22.22.2 192.100.2.2 500 0x80000004 0x8aeb

0.0.0.10 IPNET_SUMMARY 21.21.21.0 25.25.25.1 1990 0x80000003 0xe7bf

0.0.0.10 IPNET_SUMMARY 23.23.23.0 25.25.25.1 1990 0x80000003 0x950d

0.0.0.10 NSSA 0.0.0.0 25.25.25.1 725 0x80000002 0xaab9

0.0.0.10 NSSA 10.15.228.0 25.25.25.1 1228 0x80000010 0xca5f

0.0.0.10 NSSA 12.12.12.0 192.100.2.2 352 0x80000005 0xe8cb

0.0.0.10 NSSA 25.25.25.0 25.25.25.1 1485 0x80000006 0x1fa8

0.0.0.10 NSSA 202.202.202.0 192.100.2.2 352 0x80000005 0xe817

N/A AS_EXTERNAL 12.12.12.0 192.100.2.2 352 0x80000005 0x28d8

N/A AS_EXTERNAL 202.202.202.0 192.100.2.2 352 0x80000005 0x2824

Viewing the Status of Instant AP VPN

RAPNG AP-1

(host)# show vpn status

profile name:default

--------------------------------------------------

current using tunnel :primary tunnel

ipsec is preempt status :disable

ipsec is fast failover status :disable

ipsec hold on period :600

ipsec tunnel monitor frequency (seconds/packet) :5

ipsec tunnel monitor timeout by lost packet cnt :2

ipsec primary tunnel crypto type :Cert

ipsec primary tunnel peer address :10.15.231.186

ipsec primary tunnel peer tunnel ip :192.100.2.3

ipsec primary tunnel ap tunnel ip :5.5.0.2

ipsec primary tunnel current sm status :Up

ipsec primary tunnel tunnel status :Up

ipsec primary tunnel tunnel retry times :2

ipsec primary tunnel tunnel uptime :1 hour 24 minutes 50 seconds

ipsec backup tunnel crypto type :Cert

ipsec backup tunnel peer address :10.15.231.178

ipsec backup tunnel peer tunnel ip :0.0.0.0

ipsec backup tunnel ap tunnel ip :0.0.0.0

ipsec backup tunnel current sm status :Init

ipsec backup tunnel tunnel status :Down

ipsec backup tunnel tunnel retry times :0

ipsec backup tunnel tunnel uptime :0

(host)# show datapath route

Route Table Entries

-------------------

Flags: L - Local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop

IP Mask Gateway Cost VLAN Flags

--------------- --------------- --------------- ---- ---- -----

0.0.0.0 0.0.0.0 10.15.149.25 0 0

0.0.0.0 128.0.0.0 192.100.2.3 0 0 T

128.0.0.0 128.0.0.0 192.100.2.3 0 0 T

192.168.10.0 255.255.254.0 192.168.10.1 0 3333 D

201.201.203.0 255.255.255.192 0.0.0.0 0 103 LP

10.15.149.24 255.255.255.248 10.15.149.30 0 1 L

10.15.231.186 255.255.255.255 10.15.149.25 0 0

Route Cache Entries

-------------------

Flags: L - local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop

IP MAC VLAN Flags

--------------- ----------------- ----------- -----

202.202.202.6 00:00:00:00:00:00 0 T

192.100.2.3 00:00:00:00:00:00 0 PT

192.168.10.51 10:40:F3:98:80:94 1 PA

192.168.10.1 00:24:6C:C9:27:A3 3333 LP

201.201.203.8 00:26:C6:52:6B:14 103

201.201.203.1 00:24:6C:C9:27:A3 103 LP

10.1.1.50 00:00:00:00:00:00 0 T

Dell Networking W-Series ArubaOS 6.4.x | User Guide OSPFv2 | 219

220 | OSPFv2 Dell Networking W-Series ArubaOS 6.4.x| User Guide

5.5.0.2 00:24:6C:C9:27:A3 1 LP

10.15.149.30 00:24:6C:C9:27:A3 1 LP

10.15.149.25 00:0B:86:40:93:00 1 A

(host)# show clients

Client List

-----------

Name IP Address MAC Address OS Network Access Point Channel Type Role

Signal Speed (mbps)

---- ---------- ----------- -- ------- ------------ ------- ---- ----

------ ------------

201.201.203.8 00:26:c6:52:6b:14 149.30 00:24:6c:c9:27:a3 48- AN 149.30 43

(good) 6(poor)

Info timestamp :80259

RAPNG AP-3

(host)# show vpn status

profile name:default

--------------------------------------------------

current using tunnel :primary tunnel

ipsec is preempt status :disable

ipsec is fast failover status :disable

ipsec hold on period :600

ipsec tunnel monitor frequency (seconds/packet) :5

ipsec tunnel monitor timeout by lost packet cnt :2

ipsec primary tunnel crypto type :Cert

ipsec primary tunnel peer address :10.15.231.178

ipsec primary tunnel peer tunnel ip :192.100.2.2

ipsec primary tunnel ap tunnel ip :4.4.0.2

ipsec primary tunnel current sm status :Up

ipsec primary tunnel tunnel status :Up

ipsec primary tunnel tunnel retry times :13

ipsec primary tunnel tunnel uptime :1 hour 55 minutes 6 seconds

ipsec backup tunnel crypto type :Cert

ipsec backup tunnel peer address :10.15.231.186

ipsec backup tunnel peer tunnel ip :0.0.0.0

ipsec backup tunnel ap tunnel ip :0.0.0.0

ipsec backup tunnel current sm status :Init

ipsec backup tunnel tunnel status :Down

ipsec backup tunnel tunnel retry times :0

ipsec backup tunnel tunnel uptime :0

(host)# show datapath route

Route Table Entries

-------------------

Flags: L - Local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop

IP Mask Gateway Cost VLAN Flags

--------------- --------------- --------------- ---- ---- -----

0.0.0.0 0.0.0.0 10.15.149.33 0 0

0.0.0.0 128.0.0.0 192.100.2.2 0 0 T

128.0.0.0 128.0.0.0 192.100.2.2 0 0 T

192.168.10.0 255.255.254.0 192.168.10.1 0 3333 D

10.15.149.32 255.255.255.248 10.15.149.35 0 1 L

202.202.202.0 255.255.255.248 0.0.0.0 0 203 LP

10.15.231.178 255.255.255.255 10.15.149.33 0 0

Route Cache Entries

-------------------

Flags: L - local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop

IP MAC VLAN Flags

--------------- ----------------- ----------- -----

202.202.202.1 00:24:6C:C0:41:F2 203 LP

202.202.202.6 08:ED:B9:E1:51:7B 203

192.100.2.2 00:00:00:00:00:00 0 PT

192.168.10.1 00:24:6C:C0:41:F2 3333 LP

201.201.203.8 00:00:00:00:00:00 0 T

10.1.1.50 00:00:00:00:00:00 0 T

192.168.11.7 00:26:C6:52:6B:14 1 PA

4.4.0.2 00:24:6C:C0:41:F2 1 LP

10.13.6.110 00:00:00:00:00:00 0 T

10.15.149.38 00:24:6C:C9:27:CC 1 A

10.15.149.35 00:24:6C:C0:41:F2 1 LP

10.15.149.33 00:0B:86:40:93:00 1 A

(host)# show clients

Client List

-----------

Name IP Address MAC Address OS Network Access Point Channel Type Role

Signal Speed (mbps)

---- ---------- ----------- -- ------- ------------ ------- ---- ----

------ ------------

202.202.202.6 08:ed:b9:e1:51:7b 149.35 00:24:6c:c0:41:f2 48- AN 149.35 53

(good) 48(poor)

Info timestamp :80748

Dell Networking W-Series ArubaOS 6.4.x | User Guide OSPFv2 | 221

Dell Networking W-Series ArubaOS 6.4.x| User Guide Tunneled Nodes | 222

Chapter 8

Tunneled Nodes

This chapter describes how to configure a Dell tunneled node, also known as a wired tunneled node. Dell

tunneled nodes provide access and security using an overlay architecture.

This chapter describes the following topics:

lUnderstanding Tunneled Node Configuration on page 222

lConfiguring a Wired Tunneled Node Client on page 223

Understanding Tunneled Node Configuration

The Dell tunneled node connects to one or more client devices at the edge of the network and then establishes

a secure GRE tunnel to the controlling concentrator server. This approach allows the controller to support all

the centralized security features, such as 802.1x authentication, captive-portal authentication, and stateful

firewall. The Dell tunneled node is required to handle only the physical connection to clients and support for its

end of the GRE tunnel.

To support the wired concentrator, the controller must have a license to terminate access points (APs). No

other configuration is required. To configure the Dell tunneled node, you must specify the IP address of the

controller and identify the ports that are to be used as active tunneled node ports. Tunnels are established

between the controller and each active tunneled node port on the tunneled node. All tunneled node units

must be running the same version of software. The tunneled node port can also be configured as a trunk port.

This allows customers to have multiple clients on different VLANs that come through the trunk port instead of

having clients on a single vlan.

Figure 27 shows how the tunneled node fits into network operations. Traffic moves through GRE tunnels

between the active tunneled node ports and the controller or controllers. Policies are configured on a master

server and enforced on the local controllers. The master and the local controller can run on the same or

different systems. The tunneled node can connect to the master, but it is not required.

On the controlling controller, you can assign the same policy to tunneled node user traffic as you would to any

untrusted wired traffic. The profile specified by the aaa authentication wired command determines the

initial role, which contains the policy. The VLAN setting on the concentrator port must match the VLAN that will

be used for users at the local controller.

223 | Tunneled Nodes Dell Networking W-Series ArubaOS 6.4.x| User Guide

Figure 27 Tunneled Node Configuration Operation

Configuring a Wired Tunneled Node Client

ArubaOS does not allow a tunneled-node client and tunneled-node server to co-exist on the same controller at the

same time. The controller must be configured as either a tunneled-node client or a tunneled-node server. By default,

the controller behaves as a tunneled-node server. However, once tunneled-node-server xxx.xxx.xxx.xxx is configured

on the controller, the controller becomes a tunneled-node client. To remove the tunneled-node client function, use

the command tunneled-node-server 0.0.0.0 to disable the tunneled-node client on the controller side.

This section describes how to configure a tunneled node client. You can use the WebUI or the CLI to complete

the configuration steps.

1. Access the Wired tunneled node CLI according to the instructions provided in the installation guide that

shipped with your tunneled node. Console access (9600 8N1) and SSH access are supported.

2. Specify the IP address of the controller and specify tunnel loop prevention.

nCLI:

(host)(config) #tunneled-node-address ipaddress

(host)(config) #tunnel-loop-prevention

nWebUI

a. Navigate to Configuration>Advanced Services>Wired Access page.

b. Locate the Wired Access Concentration Configuration section.

c. T o enable tunneled nodes, click the Enable Wired Access Concentrator checkbox.

d. Enter the IP address of the controller in the Wired Access Concentrator Server IP field.

e. To enable tunnel loop prevention, click the Enable Wired Access Concentrator Loop Prevention

checkbox.

f. Click Apply.

3. Access each interface that you want to use, and assign it as a tunneled node port.

(host (config) # interface fastethernet n/m

(host (config-if) # tunneled-node port

4. Verify the configuration.

(host) (config-if) # exit

(host) # show tunneled-port config

Configuring an Access Port as a Tunneled Node Port

You can configure any port on any controller as a tunneled node port using the tunneled-node-port command.

Set the tunneled-nod -address as the controller to act as the tunneled node termination point. The tunneled-

node-port command tells the physical interface to tunnel that traffic to the controller.

1. Enable portfast on the Wired tunneled node.

(host)(config) #interface fastethernet <slot>/<port>

(host) (config-if) # spanning-tree portfast

2. Assign a VLAN to the tunneled node port.

(host) (config-if) # switchport mode access

(host) (config-if) # switchport access vlan <vlanid>

Configuring a Trunk Port as a Tunneled Node Port

To enable portfast on the Wired tunneled node execute the following commands:

l(host) (config-if) # switchport mode trunk

l(host) (config-if) # switchport trunk allowed vlan <WORD>

Show commands

To verify the status of the Wired tunneled node execute the following command:

l(host) # show tunneled-node state

l(host) #show tunneled-node config

To check the current usage on the controller execute the following command. Each tunneled node client uses

one AP license. Attaching an additional wired client on the tunneled node client does not increment the AP

license usage on the controller.

l(host) #show license-usage ap

Dell Networking W-Series ArubaOS 6.4.x | User Guide Tunneled Nodes | 224

Dell Networking W-Series ArubaOS 6.4.x| User Guide Authentication Servers | 225

Chapter 9

Authentication Servers

The ArubaOS software allows you to use an external authentication server or the controller internal user

database to authenticate clients who need to access the wireless network.

This chapter describes the following topics:

lUnderstanding Authentication Server Best Practices and Exceptions on page 225

lUnderstanding Servers and Server Groups on page 225

lConfiguring Authentication Servers on page 226

lManaging the Internal Database on page 235

lConfiguring Server Groups on page 238

lAssigning Server Groups on page 244

lConfiguring Authentication Timers on page 248

lAuthentication Server Load Balancing on page 249

Understanding Authentication Server Best Practices and

Exceptions

lFor an external authentication server to process requests from the Dell controller, you must configure the

server to recognize the controller. Refer to the vendor documentation for information on configuring the

authentication server.

lInstructions on how to configure Microsoft’s IAS and Active Directory can be viewed at:

Microsoft’s IAS:

technet2.microsoft.com/windowsserver/en/technologies/ias.mspx

Active Directory:

microsoft.com/en-us/server-cloud/windows-server/active-directory.aspx

Understanding Servers and Server Groups

ArubaOS supports the following external authentication servers:

lRADIUS (Remote Authentication Dial-In User Service)

lLDAP (Lightweight Directory Access Protocol)

lTACACS+ (Terminal Access Controller Access Control System)

lWindows (For stateful NTLM authentication)

Starting from ArubaOS 6.4, a maximum of 128 LDAP, RADIUS, and TACACS servers, each can be configured on the

controller.

Additionally, you can use the controller’s internal database to authenticate users. You create entries in the

database for users, their passwords, and their default role.

You can create groups of servers for specific types of authentication. For example, you can specify one or more

RADIUS servers to be used for 802.1x authentication. The list of servers in a server group is an ordered list.

This means that the first server in the list is always used unless it is unavailable, in which case the next server in

226 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

the list is used. You can configure servers of different types in one group. For example, you can include the

internal database as a backup to a RADIUS server.

Figure 28 graphically represents a server group named “Radii” that consists of two RADIUS servers, Radius-1

and Radius-2. The server group is assigned to the server group for 802.1x authentication.

Figure 28 Server Group

Server names are unique. You can configure the same server in multiple server groups. You must configure the

server before you can add it to a server group.

If you use the controller’s internal database for user authentication, use the predefined “Internal” server group.

You can also include conditions for server-derived user roles or VLANs in the server group configuration. The

server derivation rules apply to all servers in the group.

Configuring Authentication Servers

This section describes how to configure RADIUS, LDAP, TACACS+ and Windows external authentication servers

and the internal database on the controller.

This section includes the following information:

lConfiguring a RADIUS Server on page 226

lConfiguring an RFC-3576 RADIUS Server on page 232

lConfiguring an LDAP Server on page 232

lConfiguring a TACACS+ Server on page 234

lConfiguring a Windows Server on page 235

Configuring a RADIUS Server

Follow the procedures below to configure a RADIUS server using the WebUIor CLI.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Radius Server to display the Radius Server List.

3. To configure a RADIUS server, enter the name for the server and click Add.

4. Select the name to configure server parameters. Enter parameters as described in Table 36. Select the

Mode checkbox to activate the authentication server.

5. Click Apply.

The configuration does not take effect until you perform this step.

Using the CLI

(host)(config) #aaa authentication-server radius <name>

host <ipaddr>

key <key>

enable

Parameter Description

Host IP address or fully qualified domain name (FQDN) of the authentication server. The

maximum supported FQDN length is 63 characters.

Default: N/A

Key Shared secret between the controller and the authentication server. The maximum

length is 128 characters.

Default: N/A

Authentication

Port

Authentication port on the server.

Default: 1812

Accounting Port Accounting port on the server

Default: 1813

Retransmits Maximum number of retries sent to the server by the controller before the server is

marked as down.

Default: 3

Timeout Maximum time, in seconds, that the controller waits before timing out the request and

resending it.

Default: 5 seconds

NAS ID Network Access Server (NAS) identifier to use in RADIUS packets.

Default: N/A

NAS IP NAS IP address to send in RADIUS packets.

You can configure a “global” NAS IP address that the controller uses for

communications with all RADIUS servers. If you do not configure a server-specific NAS

IP, the global NAS IP is used. To set the global NAS IP in the WebUI, navigate to the

Configuration > Security > Authentication > Advanced page. To set the global NAS

IP in the CLI, enter the ip radius nas-ip <ipaddr> command.

Default: N/A

Source Interface Enter a VLAN number ID.

Allows you to use source IP addresses to differentiate RADIUS requests.

Associates a VLAN interface with the RADIUS server to allow the server-specific source

interface to override the global configuration.

lIf you associate a Source Interface (by entering a VLAN number) with a configured

server, then the source IP address of the packet is that interface’s IP address.

Table 36: RADIUS Server Configuration Parameters

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 227

228 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

lIf you do not associate the Source Interface with a configured server (leave the field

blank), the IP address of the global Source Interface is used.

Use MD5 Use MD5 hash of cleartext password.

Default: Disabled

Mode Enables or disables the server.

Default: Enabled

RADIUS Server VSAs

Vendor-Specific Attributes (VSAs) are a method for communicating vendor-specific information between

Network Access Servers and RADIUS servers, allowing vendors to support their own extended attributes. You

can use DellVSAs to derive the user role and VLAN for RADIUS-authenticated clients; however the VSAs must be

present on your RADIUS server. This requires that you update the RADIUS dictionary file with the vendor name

(Aruba) and/or the vendor-specific code (14823), the vendor-assigned attribute number, and the attribute

format (such as string or integer) for each VSA. For more information on VSA-derived user roles, see

Configuring a VSA-Derived Role on page 376

The following table describes Dell-specific RADIUS VSAs. For the current and complete list of all RADIUS VSAs

available in the version of ArubaOS currently running on your controller, access the command-line interface

and issue the command show aaa radius attributes.

VSA Type Value Description

Aruba-User-Role String 1 This VSA returns the role, to be assigned to the user post authen-

tication. The user will be granted access based on the role attrib-

utes defined in the role.

Aruba-User-Vlan Integer 2 This VSA returns the VLAN to be used by the client. Range: 1–

4094.

Aruba-Priv-

Admin-User

Integer 2 If this VSA is set in the RADIUS accept message, the user can

bypass the enable prompt.

Aruba-Admin-

Role

String 4 This VSA returns the management role to be assigned to the user

post management authentication. This role can be seen using the

command show mgmt-role in the command-line interface.

Aruba-Essid-

Name

String 5 String that identifies the name of the ESSID.

Aruba-Location-Id String 6 String that identifies the name of the AP location.

Aruba-Port-Id String 7 String that identifies the Port ID.

Aruba-Template-

User

String 8 String that identifies the name of a Dell user template.

Table 37: RADIUS VSAs

VSA Type Value Description

Aruba-Named-

User-Vlan

String 9 This VSA returns a VLAN name for a user. This VLANname on a

controller could be mapped to user-defined name or or multiple

VLAN IDs.

Aruba-AP-Group String 10 String that identifies the name of a Dell AP Group.

Aruba-Framed-

IPv6-Address

String 11 This attribute is used for RADIUS accounting for IPv6 users.

Aruba-Device-

Type

String 12 String that identifies a Dell device on the network.

Aruba-No-DHCP-

Fingerprint

Integer 14 This VSA prevents the controller from deriving a role and VLAN

based on DHCP finger printing.

Aruba-Mdps-

Device-Udid

String 15 UDID is unique device identifier which is used as input attribute by

the Onboard application while performing the device author-

ization to the internal RADIUS server within the ClearPass Policy

Manager (CPPM). The UDID checks against role mappings or

enforcement policies to determine if the device is authorized to

be onboarded.

Aruba-Mdps-

Device-Imei

String 16 The Onboard application uses IMEIas an input attribute while per-

forming the device authorization to the internal RADIUS server

within the CPPM. IMEI checks against role mappings or enforce-

ment policies to determine if the device is authorized to be

onboarded.

Aruba-Mdps-

Device-Iccid

String 17 The Onboard application uses ICCIDas an input attribute while

performing the device authorization to the internal RADIUS server

within the CPPM. ICCID checks against role mappings or enforce-

ment policies to determine if the device is authorized to be

onboarded.

Aruba-Mdps-Max-

Devices

String 18 Used by Onboard as a way to define and enforce the maximum

number of devices that can be provisioned by a given user.

Aruba-Mdps-

Device-Name

String 19 The Onboard application uses device name as an input attribute

while performing the device authorization to the internal RADIUS

server within the CPPM. Device name checks against role map-

pings or enforcement policies to determine if the device is author-

ized to be onboarded.

Aruba-Mdps-

Device-Product

String 20 The device product is used as input attribute by the Onboard

application while performing the device authorization to the

internal RADIUS server within the CPPM. Device Product checks

against role mappings or enforcement policies to determine if the

device is authorized to be onboarded.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 229

230 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

VSA Type Value Description

Aruba-Mdps-

Device-Version

String 21 The device version is used as input attribute by the Onboard

application while performing the device authorization to the

internal RADIUS server within the CPPM. Device Version checks

against role mappings or enforcement policies to determine if the

device is authorized to be onboarded.

Aruba-Mdps-

Device-Serial

String 22 The device serial number is used as input attribute by the

Onboard application while performing the device authorization to

the internal RADIUS server within the CPPM. Device Serial checks

against role mappings or enforcement policies to determine if the

device is authorized to be onboarded.

Aruba-AirGroup-

User-Name

String 24 A device owner or username associated with the device.

Aruba-AirGroup-

Shared-User

String 25 This VSA contains a comma separated list of user names with

whom the device is shared.

Aruba-AirGroup-

Shared-Role

String 26 This VSA contains a comma separated list of user roles with

whom the device is shared.

Aruba-AirGroup-

Device-Type

Integer 27 A value of 1 for this VSA indicates that the device authenticating

on the network is a personal device and a value of 2 indicates that

it is a shared device.

Aruba-Auth-Sur-

vivability

String 28 The Instant AP Auth survivability feature uses the VSA to indicate

that the CPPM server sends the Aruba-AS-User-Name and

Aruba-AS-Credential-Hash values. This attribute is just used as a

flag with no specific value required.

Aruba-AS-User-

Name

String 29 The Auth survivability feature uses the VSA for Instant APs. The

CPPM sends the actual user name to the Instant AP which can be

used by the Instant AP to authenticate the user if the CPPM server

is not reachable.

Aruba-AS-Cre-

dential-Hash

String 30 The Auth survivability feature uses the VSA for Instant APs. The

CPPM sends the NT hash of the password to the Instant AP which

can be used by the Instant AP to authenticate the user if the CPPM

server is not reachable.

VSA Type Value Description

Aruba-

WorkSpace-App-

Name

String 31 This VSA identifies an application supported by Dell WorkSpace.

Aruba-Mdps-Pro-

visioning-Settings

String 32 Used as part of the ClearPass Onboard technology, this attribute

allows the CPPM to signal back to the onboard process the con-

text of the device provisioning settings that should be applied to

the device based on applied role mappings.

Aruba-Mdps-

Device-Profile

String 33 Used as part of the ClearPass Onboard technology, this attribute

allows CPPM to signal back to the onboard process the device pro-

file that should be applied to the device based on applied role

mappings.

RADIUS Server Authentication Codes

A configured RADIUS server returns the following standard response codes.

Code Description

0 Authentication OK.

1 Authentication failed :user/password combination not correct.

2 Authentication request timed out :No response from server.

3 Internal authentication error.

4 Bad Response from RADIUS server :verify shared secret is correct.

5 No RADIUS authentication server is configured.

6 Challenge from server. (This does not necessarily indicate an error condition.)

Table 38: RADIUS Authentication Response Codes

RADIUS Server Fully Qualified Domain Names

If you define a RADIUS server using the FQDN of the server rather than its IP address, the controller

periodically generates a DNS request and caches the IP address returned in the DNS response. To view the IP

address that currently correlates to each RADIUS server FQDN, access the command-line interface in config

mode and issue the following command:

show aaa fqdn-server-names

DNS Query Intervals

If you define a RADIUS server using the FQDN of the server rather than its IP address, the controller

periodically generates a DNS request and caches the IP address returned in the DNS response. DNS requests

are sent every 15 minutes by default.

You can use either the WebUI or the CLI to configure how often the controller will generate a DNS request to

cache the IP address for a RADIUS server identified via its fully qualified domain name (FQDN).

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 231

232 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Advanced page.

2. In the DNS Query Interval (min) field, enter a new DNS query interval, from 1-1440 minutes, inclusive.

3. Click Apply.

Using the CLI

(host)(config) #aaa dns-query-period <minutes>

Configuring an RFC-3576 RADIUS Server

You can configure a RADIUS server to send user disconnect, change-of-authorization (CoA), and session

timeout messages as described in RFC 3576, “Dynamic Authorization Extensions to Remote Dial In User Service

(RADIUS).”

The disconnect, session timeout, and change-of-authorization messages sent from the server to the controller

contains information to identify the user for which the message is sent. The controller supports the following

attributes for identifying the users who authenticate with an RFC 3576 server:

luser-name: name of the user to be authenticated

lframed-ip-address: user’s IP address

lcalling-station-id: phone number of a station that originated a call

laccounting-session-id: unique accounting ID for the user session.

If the authentication server sends both supported and unsupported attributes to the controller, the unknown

or unsupported attributes are ignored. If no matching user is found, the controller sends a 503: Session Not

Found error message back to the RFC 3576 server.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select RFC 3576 Server to display the Radius Server List.

3. To define a new RFC 3576 RADIUS server, enter the IP address for the server and click Add.

4. Select the server name to configure server parameters.

5. Enter the server authentication key into the Key and Retype fields.

6. Click Apply.

The configuration does not take effect until you perform this step.

Using the CLI

(host)(config) #aaa rfc-3576-server <ipaddr>

clone <server>

key <psk>

no ...

Configuring an LDAP Server

Table 39 describes the parameters you configure for an LDAP server.

Parameter Description

Host IP address of the LDAP server.

Default: N/A

Admin-DN Distinguished name for the admin user who has read/search privileges across all

the entries in the LDAP database (the user does need write privileges, but will be

able to search the database, and read attributes of other users in the database).

Admin Password Password for the admin user.

Default: N/A

Allow Clear-Text Allows clear-text (unencrypted) communication with the LDAP server.

Default: disabled

Authentication Port Port number used for authentication.

Default: 389

Base-DN Distinguished Name of the node that contains the entire user database.

Default: N/A

Filter A string searches for users in the LDAP database. The default filter string is:

(objectclass=*).

Default: N/A

Key Attribute A string searches for a LDAP server. For Active Directory, the value is

sAMAccountName.

Default: sAMAccountName

Timeout Timeout period of a LDAP request, in seconds.

Default: 20 seconds

Mode Enables or disables the server.

Default: enabled

Preferred Connection

Type

Preferred type of connection between the controller and the LDAP server. The

default order of connection type is:

1. ldap-s

2. start-tls

3. clear-text

The controller first tries to contact the LDAP server using the preferred connection

type, and only attempts to use a lower-priority connection type if the first attempt is

not successful.

NOTE: If you select clear-text as the preferred connection type, you must also

enable the allow-cleartext option.

Table 39: LDAP Server Configuration Parameters

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select LDAP Server to display the LDAP Server List.

3. To configure an LDAP server, enter the name for the server and click Add.

4. Select the name to configure server parameters. Enter parameters as described in Table 39. Select the

Mode checkbox to activate the authentication server.

5. Click Apply.

The configuration does not take effect until you perform this step.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 233

234 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

Using the CLI

(host)(config) #aaa authentication-server ldap <name>

host <ipaddr>

(enter parameters as described in Table 39)

enable

Configuring a TACACS+ Server

Table 40 defines the TACACS+ server parameters.

Parameter Description

Host IP address of the server.

Default: N/A

Key Shared secret to authenticate communication between the TACACS+ client and

server.

Default: N/A

TCP Port TCP port used by server.

Default: 49

Retransmits Maximum number of times a request is retried.

Default: 3

Timeout Timeout period for TACACS+ requests, in seconds.

Default: 20 seconds

Mode Enables or disables the server.

Default: enabled

Session

Authorization

Enables or disables session authorization. Session authorization turns on the

optional authorization session for admin users.

Default: disabled

Table 40: TACACS+ Server Configuration Parameters

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select TACACS Server to display the TACACS Server List.

3. To configure a TACACS+ server, enter the name for the server and click Add.

4. Select the name to configure server parameters. Enter parameters as described in Table 40. Select the

Mode checkbox to activate the authentication server.

5. Click Apply.

The configuration does not take effect until you perform this step.

Using the CLI

The following command configures, enables a TACACS+ server and enables session authorization:

(host)(config) #aaa authentication-server tacacs <name>

clone default

host <ipaddr>

key <key>

enable

session-authorization

Configuring a Windows Server

Table 41 defines parameters for a Windows server used for stateful NTLM authentication.

Parameter Description

Host IP address of the server.

Default: N/A

Mode Enables or disables the server.

Default: enabled

Windows Domain Name of the Windows Domain assigned to the server.

Table 41: Windows Server Configuration Parameters

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Windows Server to display the Windows Server List.

3. To configure a Windows server, enter the name for the server and click Add.

4. Select the name of the server to configure its parameters. Enter the parameters as described in Table 41.

5. Select the Mode checkbox to activate the authentication server.

6. Click Apply.

The configuration does not take effect until you perform this step.

Using the CLI

aaa authentication-server windows <windows-server-name>

host <ipaddr>

enable

Managing the Internal Database

You can create entries in the controller’s internal database, to use to authenticate clients. The internal database

contains a list of clients, along with the password and default role for each client. When you configure the

internal database as an authentication server, client information is checked in incoming authentication

requests against the internal database.

Configuring the Internal Database

The master controller uses the internal database for authentication by default. You can choose to use the

internal database in a local controller by entering the CLI command aaa authentication-server internal

use-local-switch. If you use the internal database in a local controller, you need to add clients on the local

controller.

Table 42 defines the required and optional parameters used in the internal database.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 235

236 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameters Description

User Name (Required) Enter a user name or select Generate to automatically generate a user

name. An entered user name can be up to 64 characters in length.

Password (Required) Enter a password or select Generate to automatically generate a

password string. An entered password must be a minimum of 6 characters and can

be up to 128 characters in length.

Role Role for the client.

For this role to be assigned to a client, you need to configure a server derivation rule,

as described in Configuring Server-Derivation Rules on page 242. (A user role

assigned through a server-derivation rule takes precedence over the default role

configured for an authentication method.)

E-mail (Optional) E-mail address of the client.

Enabled Select this checkbox to enable the user as soon as the user entry is created.

Expiration Select one of the following options:

lEntry does not expire: No expiration on user entry.

lSet Expiry time (mins): Enter the number of minutes the user is authenticated

before their user entry expires.

lSet Expiry Date (mm/dd/yyyy) Expiry Time (hh:mm): To select a specific expiration

date and time, enter the expiration date in mm/dd/yyyy format, and the expiration

time in hh:mm format.

Static Inner IP

Address (for RAPs

only)

Assign a static inner IP address to a Remote AP. If this database entry is not for a

remote AP, leave this field empty.

Table 42: Internal Database Configuration Parameters

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Internal DB.

3. Click Add User in the Users section. The user configuration page displays.

4. Enter the information for the client, as described in the table above.

5. Click Enabled to activate this entry on creation.

6. Click Apply. The configuration does not take effect until you perform this step.

7. At the Servers page, click Apply.

The Internal DB Maintenance window also includes a Guest User Page feature that allows you to create user entries

for guests only. For details on creating guest users, see Guest Provisioning User Tasks on page 814.

Using the CLI

Enter the following command in enable mode:

(host)(config) #local-userdb add {generate-username|username <name>}{

generate-password|password <password>}

Managing Internal Database Files

ArubaOS allows you to import and export tables of user information to and from the internal database. These

files should not be edited once they are exported. ArubaOS only supports the importing of database files that

were created during the export process. Note that importing a file into the internal database overwrite and

removes all existing entries.

Exporting Files in the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Internal DB.

3. Click Export in the Internal DB Maintenance section. A popup window opens.

4. Enter the name of the file you want to export

5. Click OK.

Importing Files in the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Internal DB.

3. Click Import in the Internal DB Maintenance section. A popup window opens.

4. Enter the name of the file you want to import.

5. Click OK.

Exporting and Importing Files in the CLI

Enter the following command in enable mode:

(host)(config) #local-userdb export <filename>

(host)(config) #local-userdb import <filename>

Working with Internal Database Utilities

The local internal database also includes utilities to clear all users from the database and to restart the internal

database to repair internal errors. Under normal circumstances, neither of these utilities are necessary.

Deleting All Users

Issue this command to remove users from the internal database after you have moved your user database

from the controller’s internal server to an external server.

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Internal DB.

3. Click Delete All Users in the Internal DB Maintenance section. A popup window open and asks you to

confirm that you want to remove all users.

4. Click OK.

Repairing the Internal Database

Use this utility under the supervision of Dell technical support to recreate the internal database. This may clear

internal database errors, but also removes all information from the database. Make sure you export your

current user information before you start the repair procedure.

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Internal DB.

3. Click Repair Database in the Internal DB Maintenance section. A popup window open and asks you to

confirm that you want to recreate the database.

4. Click OK.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 237

238 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

Configuring Server Groups

You can create groups of servers for specific types of authentication – for example, you can specify one or

more RADIUS servers to be used for 802.1x authentication. You can configure servers of different types in one

group. For example, you can include the internal database as a backup to a RADIUS server.

Configuring Server Groups

Server names are unique. You can configure the same server in more than one server group. You must

configure the server before you can include it in a server group.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Server Group to display the Server Group list.

3. Enter the name of the new server group and click Add.

4. Select the name to configure the server group.

5. Under Servers, click New to add a server to the group.

a. Select a server from the drop-down list and click Add Server.

b. Repeat the above step to add other servers to the group.

6. Click Apply.

Using the CLI

(host)(config) #aaa server-group <name>

auth-server <name>

Configuring Server List Order and Fail-Through

The list of servers in a server group is an ordered list. The first server in the list is always used by default, unless

it is unavailable in which case the next server in the list is used. You can configure the order of servers in the

server group. In the WebUI, use the up or down arrows to order the servers (the top server is the first server in

the list). In the CLI, use the position parameter to specify the relative order of servers in the list (the lowest

value denotes the first server in the list).

As mentioned previously, the first available server in the list is used for authentication. If the server responds

with an authentication failure, there is no further processing for the user or client for which the authentication

request failed. You can optionally enable fail-through authentication for the server group so that if the first

server in the list returns an authentication deny, the controller attempts authentication with the next server in

the ordered list. The controller attempts authentication with each server in the list until either there is a

successful authentication or the list of servers in the group is exhausted. This feature is useful in environments

where there are multiple, independent authentication servers; users may fail authentication on one server but

can be authenticated on another server.

Before enabling fail-through authentication, note the following:

lThis feature is not supported for 802.1x authentication with a server group that consists of external EAP-

compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1x

authentication is terminated on the controller (AAA FastConnect).

lEnabling this feature for a large server group list may cause excess processing load on the controller. It is

recommended that you use server selection based on domain matching whenever possible (see Configuring

Dynamic Server Selection on page 239).

lCertain servers, such as the RSA RADIUS server, lock out the controller if there are multiple authentication

failures. Therefore you should not enable fail-through authentication with these servers.

In the following example, you create a server group "corp-serv" with two LDAP servers (ldap-1 and ldap-2), each

of which contains a subset of the usernames and passwords used in the network. When you enable fail-

through authentication, users that fail authentication on the first server in the server list will be authenticated

with the second server.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select LDAP Server to display the LDAP Server List.

3. Enter ldap-1 for the server name and click Add.

4. Enter ldap-2 for the server name and click Add.

5. Under the Servers tab, select ldap-1 to configure server parameters. Enter the IP address for the server.

Select the Mode checkbox to activate the authentication server. Click Apply.

6. Repeat step 5 on page 239 to configure ldap-2.

7. Display the Server Group list: Under the Servers tab, select Server Group.

8. Enter corp-serv as the new server group and click Add.

9. Select corp-serv, under the Server tab, to configure the server group.

10.Select Fail Through.

11.Under Servers, click New to add a server to the group. Select ldap-1 from the drop-down list and click Add

Server.

12.Repeat step 11 on page 239 to add ldap-2 to the group.

13.Click Apply.

Using the CLI

(host)(config) #aaa authentication-server ldap ldap-1

host 10.1.1.234

(host)(config) #aaa authentication-server ldap ldap-2

host 10.2.2.234

(host)(config) #aaa server-group corp-serv

auth-server ldap-1 position 1

auth-server ldap-2 position 2

allow-fail-through

Configuring Dynamic Server Selection

The controller can dynamically select an authentication server from a server group based on the user

information sent by the client in an authentication request. For example, an authentication request can include

client or user information in one of the following formats:

l<domain>\<user> : for example, corpnet.com\darwin

l<user>@<domain> : for example, darwin@corpnet.com

lhost/<pc-name>.<domain> : for example, host/darwin-g.finance.corpnet.com (this format is used with

802.1x machine authentication in Windows environments)

When you configure a server in a server group, you can optionally associate the server with one or more match

rules. A match rule for a server can be one of the following:

lThe server is selected if the client/user information contains a specified string.

lThe server is selected if the client/user information begins with a specified string.

lThe server is selected if the client/user information exactly matches a specified string.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 239

240 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

You can configure multiple match rules for the same server. The controller compares the client/user

information with the match rules configured for each server, starting with the first server in the server group. If

a match is found, the controller sends the authentication request to the server with the matching rule. If no

match is found before the end of the server list is reached, an error is returned and no authentication request

for the client/user is sent.

For example, Figure 29 depicts a network consisting of several subdomains in corpnet.com. The server radius-1

provides 802.1x machine authentication to PC clients in xyz.corpnet.com, sales.corpnet.com, and

hq.corpnet.com. The server radius-2 provides authentication for users in abc.corpnet.com.

Figure 29 Domain-Based Server Selection Example

You configure the following rules for servers in the corp-serv server group:

lradius-1 is selected if the client information starts with “host.”

lradius-2 is selected if the client information contains “abc.corpnet.com.”

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Under the Servers tab, select Server Group to display the Server Group list.

3. Enter corp-serv for the new server group and click Add.

4. Under the Servers tab, select corp-serv to configure the server group.

5. Under Servers, click New to add the radius-1 server to the group. Select radius-1 from the drop-down list.

a. For Match Type, select Authstring.

b. For Operator, select starts-with.

c. For Match String, enter host/.

d. Click Add Rule >>.

e. Scroll to the right and click Add Server.

6. Under Servers, click New to add the radius-2 server to the group. Select radius-2 from the drop-down list.

a. For Match Type, select Authstring.

b. For Operator, select contains.

c. For Match String, enter abc.corpnet.com.

d. Click Add Rule >>.

e. Scroll to the right and click Add Server.

The last server you added to the server group (radius-2) automatically appears as the first server in the list. In this

example, the order of servers is not important. If you need to reorder the server list, scroll to the right and click the

up or down arrow for the appropriate server.

7. Click Apply.

Using the CLI

(host)(config) #aaa server-group corp-serv

auth-server radius-1 match-authstring starts-with host/ position 1

auth-server radius-2 match-authstring contains abc.corpnet.com position 2

Configuring Match FQDN Option

You can also use the “match FQDN” option for a server match rule. With a match FQDN rule, the server is

selected if the <domain> portion of the user information in the formats <domain>\<user> or

<user>@<domain> exactly matches a specified string. Note the following caveats when using a match FQDN

rule:

lThis rule does not support client information in the host/<pc-name>.<domain> format, so it is not useful

for 802.1x machine authentication.

lThe match FQDN option performs matches on only the <domain> portion of the user information sent in

an authentication request. The match-authstring option (described previously) allows you to match all or a

portion of the user information sent in an authentication request.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Under the Servers tab, select Server Group to display the Server Group list.

3. Enter corp-serv for the new server group and click Add.

4. Under the Servers tab, select corp-serv to configure the server group.

5. Under Servers, click New to add the radius-1 server to the group. Select radius-1 from the drop-down list.

a. For Match Type, select FQDN.

b. For Match String, enter corpnet.com.

c. Click Add Rule >>.

d. Scroll to the right and click Add Server.

6. Click Apply.

Using the CLI

(host)(config) #aaa server-group corp-serv

auth-server radius-1 match-fqdn corpnet.com

Trimming Domain Information from Requests

Before the controller forwards an authentication request to a specified server, it can truncate the domain-

specific portion of the user information. This is useful when user entries on the authenticating server do not

include domain information. You can specify this option with any server match rule. This option is only

applicable when the user information is sent to the controller in the following formats:

l<domain>\<user> : the <domain>\ portion is truncated

l<user>@<domain> : the @<domain> portion is truncated

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 241

242 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

This option does not support client information sent in the format host/<pc-name>.<domain>

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Server Group to display the Server Group list.

3. Enter the name of the new server group and click Add.

4. Select the name to configure the server group.

5. Under Servers, click Edit for a configured server or click New to add a server to the group.

lIf editing a configured server, select Trim FQDN, scroll right, and click Update Server.

lIf adding a new server, select a server from the drop-down list, then select Trim FQDN, scroll right, and

click Add Server.

6. Click Apply.

Using the CLI

(host)(config) #aaa server-group corp-serv

auth-server radius-2 match-authstring contains abc.corpnet.com trim-fqdn

Configuring Server-Derivation Rules

When you configure a server group, you can set the VLAN or role for clients based on attributes returned for

the client by the server during authentication. The server derivation rules apply to all servers in the group. The

user role or VLAN assigned through server derivation rules takes precedence over the default role and VLAN

configured for the authentication method.

The authentication servers must be configured to return the attributes for the clients during authentication. For

instructions on configuring the authentication attributes in a Windows environment using IAS, refer to the

documentation attechnet2.microsoft.com/windowsserver/en/technologies/ias.mspx

The server rules are applied based on the first match principle. The first rule that is applicable for the server and

the attribute returned is applied to the client, and would be the only rule applied from the server rules. These

rules are applied uniformly across all servers in the server group.

Table 43 describes the server rule parameters you can configure.

Parameter Description

Role or VLAN The server derivation rules can be for either user role or VLAN assignment.

With Role assignment, a client can be assigned a specific role based on the

attributes returned. In case of VLAN assignment, the client can be placed in a

specific VLAN based on the attributes returned.

Attribute This is the attribute returned by the authentication server that is examined for

Operation and Operand match.

Operation This is the match method by which the string in Operand is matched with the

attribute value returned by the authentication server.

lcontains : The rule is applied if and only if the attribute value contains the

string in parameter Operand.

lstarts-with : The rule is applied if and only if the attribute value returned

Table 43: Server Rule Configuration Parameters

Parameter Description

starts with the string in parameter Operand.

lends-with : The rule is applied if and only if the attribute value returned ends

with the string in parameter Operand.

lequals : The rule is applied if and only if the attribute value returned equals

the string in parameter Operand.

lnot-equals : The rule is applied if and only if the attribute value returned is

not equal to the string in parameter Operand.

lvalue-of : This is a special condition. What this implies is that the role or

VLAN is set to the value of the attribute returned. For this to be successful,

the role and the VLAN ID returned as the value of the attribute selected

must be already configured on the controller when the rule is applied.

Operand This is the string to which the value of the returned attribute is matched.

Value The user role or the VLAN name applied to the client when the rule is matched.

position Position of the condition rule. Rules are applied based on the first match

principle. One is the top.

Default: bottom

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Server Group to display the Server Group list.

3. Enter the name of the new server group and click Add.

4. Select the name to configure the server group.

5. Under Servers, click New to add a server to the group.

a. Select a server from the drop-down list and click Add.

b. Repeat the above step to add other servers to the group.

6. Under Server Rules, click New to add server derivation rules for assigning a user role or VLAN.

a. Enter the attribute.

b. Select the operation from the drop-down list.

c. Enter the operand.

d. To set the role, select set role from the Set drop-down list and enter the value to be assigned from the

Value drop-down list.

e. Or, to set the vlan, select set vlan from the Set drop-down list and select the VLAN name or ID from the

Value drop-down list and click the left-arrow.

f. Click Add.

g. Repeat the above steps to add other rules for the server group.

7. Click Apply.

Using the CLI

(host) (config) #aaa server-group name

(host) (Server Group name) #set {role|vlan} condition condition contains operand set-value

set-value-str> position number

Configuring a Role Derivation Rule for the Internal Database

When you add a user entry in the controller’s internal database, you can optionally specify a user role (see

Managing the Internal Database on page 235). The role specified in the internal database entry to be assigned

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 243

244 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

to the authenticated client, you must configure a server derivation rule as shown in the following sections:

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Server Group to display the Server Group list.

3. Select the internal server group.

4. Under Server Rules, click New to add a server derivation rule.

a. For Condition, enter Role.

b. Select value-of from the drop-down list.

c. Select Set Role from the drop-down list.

d. Click Add.

5. Click Apply.

Using the CLI

(host)(config) #aaa server-group internal

set role condition Role value-of

Assigning Server Groups

You can create server groups for the following purposes:

luser authentication

lmanagement authentication

laccounting

You can configure all types of servers for user and management authentication (see Table 44). Accounting is

only supported with RADIUS and TACACS+ servers when RADIUS or TACACS+ is used for authentication.

RADIUS TACACS+ LDAP Internal Database

User authentication Yes Yes Yes Yes

Management authentication Yes Yes Yes Yes

Accounting Yes Yes No No

Table 44: Server Types and Purposes

User Authentication

For information about assigning a server group for user authentication, refer to the Roles and Policies chapter

of the Dell Networking W-Series ArubaOS User Guide.

Management Authentication

Users who need to access the controller to monitor, manage, or configure the Dell user-centric network can be

authenticated with RADIUS, TACACS+, or LDAP servers or the internal database.

Only user record attributes are returned upon a successful authentication. Therefore, to derive a different

management role other than the default mgmt auth role, set the server derivation rule based on the user

attributes.

Using the WebUI

1. Navigate to the Configuration > Management > Administration page.

2. Under the Management Authentication Servers section, select the following:

lEnable checkbox

lServer Group

3. Click Apply.

Using the CLI

(host)(config) #aaa authentication mgmt

server-group <group>

enable

Accounting

You can configure accounting for RADIUS and TACACS+ server groups.

RADIUS or TACACS+ accounting is only supported when RADIUS or TACACS+ is used for authentication.

RADIUS Accounting

RADIUS accounting allows user activity and statistics to be reported from the controller to RADIUS servers:

1. The controller generates an Accounting Start packet when a user logs in. The code field of transmitted

RADIUS packet is set to 4 (Accounting-Request). Note that sensitive information, such as user passwords,

are not sent to the accounting server. The RADIUS server sends an acknowledgement of the packet.

2. The controller sends an Accounting Stop packet when a user logs off; the packet information includes

various statistics such as elapsed time, input and output bytes, and packets. The RADIUS server sends an

acknowledgment of the packet.

The following is the list of attributes that the controller can send to a RADIUS accounting server:

lAcct-Status-Type: This attribute marks the beginning or end of accounting record for a user. Current values

are Start and Stop.

lUser-Name: Name of user.

lAcct-Session-Id: A unique identifier to facilitate matching of accounting records for a user. It is derived from

the user name, IP address, and MAC address. This is set in all accounting packets.

lAcct-Authentic: This indicates how the user was authenticated. Current values are 1 (RADIUS), 2 (Local) and

3 (LDAP).

lAcct-Session-Time: The elapsed time, in seconds, that the client was logged in to the controller. This is only

sent in Accounting-Request records where the Acct-Status-Type is Stop.

lAcct-Terminate-Cause: Indicates how the session was terminated and is sent in Accounting-Request records

where the Acct-Status-Type is Stop. Possible values are:

1: User logged off

4: Idle Timeout

5: Session Timeout. Maximum session length timer expired.

7: Admin Reboot: Administrator is ending service, for example prior to rebooting the controller.

lNAS-Identifier: This is set in the RADIUS server configuration.

lNAS-IP-Address: IP address of the master controller. You can configure a “global” NAS IP address: in the

WebUI, navigate to the Configuration > Security > Authentication > Advanced page; in the CLI, use

the, ip radius nas-ip command.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 245

246 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

lNAS-Port: Physical or virtual port (tunnel) number through which the user traffic is entering the controller.

lNAS-Port-Type: Type of port used in the connection. This is set to one of the following:

n5: admin login

n15: wired user type

n19: wireless user

lFramed-IP-Address: IP address of the user.

lCalling-Station-ID: MAC address of the user.

lCalled-station-ID: MAC address of the controller.

The following attributes are sent in Accounting-Request packets when Acct-Status-Type value is Start:

lAcct-Status-Type

lUser-Name

lNAS-IP-Address

lNAS-Port

lNAS-Port-Type

lNAS-Identifier

lFramed-IP-Address

lCalling-Station-ID

lCalled-station-ID

lAcct-Session-ID

lAcct-Authentic

The following attributes are sent in Accounting-Request packets when Acct-Status-Type value is Stop:

lAcct-Status-Type

lUser-Name

lNAS-IP-Address

lNAS-Port

lNAS-Port-Type

lNAS-Identifier

lFramed-IP-Address

lCalling-Station-ID

lCalled-station-ID

lAcct-Session-ID

lAcct-Authentic

lTerminate-Cause

lAcct-Session-Time

The following attributes are sent only in Accounting Stop packets (they are not sent in Accounting Start

packets):

lAcct-Input-Octets

lAcct-Output-Octets

lAcct-Input-Packets

lAcct-Output-Packets

Remote APs in split-tunnel mode now support RADIUS accounting. If you enable RADIUS accounting in a split-

tunnel Remote AP’s AAA profile, the controller sends a RADIUS accounting start record to the RADIUS server

when a user associates with the remote AP, and sends a stop record when the user logs out or is deleted from

the user database. If interim accounting is enabled, the controller sends updates at regular intervals. Each

interim record includes cumulative user statistics, including received bytes and packets counters.

You can use either the WebUI or CLI to assign a server group for RADIUS accounting.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.

2. Select AAA Profile, then the AAA profile instance.

3. (Optional) In the Profile Details pane, select RADIUS Interim Accounting to allow the controller to send

Interim-Update messages with current user statistics to the server at regular intervals. This option is

disabled by default, allowing the controller to send only start and stop messages RADIUS accounting server.

4. In the profile list, scroll down and select the Radius Accounting Server Group for the AAA profile. Select the

server group from the drop-down list.

You can add additional servers to the group or configure server rules.

5. Click Apply.

Using the CLI

(host)(config) #aaa profile <profile>

radius-accounting <group>

radius-interim-accounting

RADIUS Accounting on Multiple Servers

ArubaOS provides support for the controllers to send RADIUS accounting to multiple RADIUS servers. The

controller notifies all the RADIUS servers to track the status of authenticated users. Accounting messages are

sent to all the servers configured in the server group in a sequential order.

You can enable multiple server account functionality by using CLI and WebUI:

Using the CLI:

To enable RADIUS Accounting on Multiple Servers functionality, use the following CLI:

(host) (config) # aaa profile <profile_name>

multiple-server-accounting

Using the WebUI:

1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.

2. Select AAA Profile, then select the AAA profile instance.

3. Select Multiple Server Accounting checkbox.

4. Click Apply.

TACACS+ Accounting

TACACS+ accounting allows commands issued on the controller to be reported to TACACS+ servers. You can

specify the types of commands that are reported (action, configuration, or show commands) or have all

commands reported.

You can configure TACACS+ accounting only with the CLI:

(host)(config) #aaa tacacs-accounting server-group <group> command

{action|all|configuration|show} mode {enable|disable}

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 247

248 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

Configuring Authentication Timers

Table 45 describes the timers you can configure that apply to all clients and servers. These timers can be left at

their default values for most implementations.

Timer Description

User Idle Timeout Maximum period after which a client is considered idle if there is no

wireless traffic from the client.The timeout period is reset if there is

wireless traffic. If there is no wireless traffic in the timeout period, the

client is aged out. Once the timeout period has expired, the user is

removed. If the keyword seconds is not specified, the value defaults to

minutes at the command line.

Range: 1–255 minutes (30–15300 seconds)

Default: 5 minutes (300 seconds)

Authentication Server

Dead Time

Maximum period, in minutes, that the controller considers an

unresponsive authentication server to be “out of service.”

This timer is only applicable if there are two or more authentication

servers configured on the controller. If there is only one authentication

server configured, the server is never considered out of service and all

requests are sent to the server.

If one or more backup servers are configured and a server is

unresponsive, it is marked as out of service for the dead time;

subsequent requests are sent to the next server on the priority list for

the duration of the dead time. If the server is responsive after the dead

time has elapsed, it can take over servicing requests from a lower-

priority server; if the server continues to be unresponsive, it is marked

as down for the dead time.

Range: 0–50 minutes

Default: 10 minutes

Logon User Lifetime Maximum time, in minutes, unauthenticated clients are allowed to

remain logged on.

Range: 0–255 minutes

Default: 5 minutes

User Interim stats

frequency

Set the timeout value for user stats reporting in minutes or seconds.

Range ;300-600 seconds, or 5-10 minutes

Default : 600 seconds

Table 45: Authentication Timers

Setting an Authentication Timer

To set an authentication timer, complete one of the following procedures:

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Advanced page.

2. Configure the timers as described above.

3. Click Apply before moving on to another page or closing the browser window. If you do not perform this

step, you will lose your configuration changes.

Using the CLI

The commands below configure timers you can apply to clients. If the optional seconds keyword is not

specified for the idle-timeout and stats-timeout parameters, the value defaults to minutes.

(host)(config) #aaa timers

dead-time <minutes>

idle-timeout <time> [seconds]

logon-lifetime <0-255>

stats-timeout <time> [seconds]

Authentication Server Load Balancing

Load balancing of authentication servers ensures that the authentication load is split across multiple

authentication servers, thus avoiding any one particular authentication server from being overloaded.

Authentication Server Load Balancing functionality enables the Dell Mobility Controller to perform load

balancing of authentication requests destined to external authentication servers (Radius/LDAP etc). This

prevents any one authentication server from having to handle the full load during heavy authentication

periods, such as at the start of the business day.

Earlier, the controller used the first authentication server in the server group list. The remaining servers in that

server group will be used in sequential order only when an authentication server is down. Thus, the controllers

performed fail-over and not load balancing of authentication servers.

The load balancing algorithm computes the expected time taken to authenticate a new client for each

authentication server and chooses that authentication server for which the expected authentication time is

least. The load balancing algorithm maintains re-authentication stickiness i.e. at the time of re-authentication

the request will be forwarded to the same server where it was authenticated earlier.

Enabling Authentication Server Load Balancing Functionality

A new load–balancing enable parameter has been introduced in aaa server-group test command to

enable authentication server load balancing functionality.

aaa server-group <sg_name>

load-balance

auth-server s1

auth-server s2

You can use the following command to disable load balancing:

aaa server-group<sg_name>

no load-balance

If you configure internal server in the server group, load balancing is not applicable to the internal server. Internal

server will be used as fall back when all the other servers in the server group are down.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 249

Dell Networking W-Series ArubaOS 6.4.x| User Guide MAC-based Authentication | 250

Chapter 10

MAC-based Authentication

This chapter describes how to configure MAC-based authentication on the Dell controller using the WebUI.

Use MAC-based authentication to authenticate devices based on their physical media access control (MAC)

address. While not the most secure and scalable method, MAC-based authentication implicitly provides an

addition layer of security authentication devices. MAC-based authentication is often used to authenticate and

allow network access through certain devices while denying access to the rest. For example, if clients are

allowed access to the network via station A, then one method of authenticating station A is MAC-based. Clients

may be required to authenticate themselves using other methods depending on the network privileges

required.

MAC-based authentication can also be used to authenticate Wi-Fi phones as an additional layer of security to

prevent other devices from accessing the voice network using what is normally an insecure SSID.

This chapter describes the following topics:

lConfiguring MAC-Based Authentication on page 250

lConfiguring Clients on page 251

Configuring MAC-Based Authentication

Before configuring MAC-based authentication, you must configure the following options:

lUser role—The user role that will be assigned as the default role for the MAC-based authenticated clients.

(See Roles and Policies on page 364 for information on firewall policies to configure roles.)

Configure the default user role for MAC-based authentication in the AAA profile. If derivation rules exist or if

the client configuration in the internal database has a role assignment, these values take precedence over

the default user role.

lAuthentication server group— The authentication server group that the controller uses to validate the

clients. The internal database can be used to configure the clients for MAC-based authentication. See

Configuring Clients on page 251 for information on configuring the clients on the local database. For

information on configuring authentication servers and server groups, see Authentication Servers on page

225.

Configuring the MAC Authentication Profile

Table 46 describes the parameters you can configure for MAC-based authentication.

251 | MAC-based Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Delimiter Delimiter used in the MAC string:

lcolon specifies the format Xx:XX:XX:XX:XX:XX

ldash specifies the format XX-XX-XX-XX-XX-XX

lnone specifies the format XXXXXXXXXXXX

loui-nic specifies the format XXXXXX:XXXXXX

Default: none

NOTE: This parameter is available for the aaa authentication-server

radius command.

Case The case (upper or lower) used in the MAC string.

Default: lower

Max Authentication failures Number of times a station can fail to authenticate before it is blacklisted. A

value of zero disables blacklisting.

Default: zero (0)

Table 46:

MAC Authentication Profile Configuration Parameters

Using the WebUI to configure a MAC authentication profile

1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.

2. Select MAC Authentication Profile.

3. Enter a profile name and click Add.

4. Select the profile name to display configurable parameters.

5. Configure the parameters, as described in Table 46.

6. Click Apply.

Using the CLI to configure a MAC authentication profile

Execute the following command to configure a MACauthentication profile:

(host)(configure) #aaa authentication mac <profile>

case {lower|upper}

delimiter {colon|dash|none}

max-authentication-failures <number>

Configuring Clients

You can create entries in the controller’s internal database to authenticate client MAC addresses. The internal

database contains a list of clients along with the password and default role for each client. To configure entries

in the internal database for MAC authentication, you enter the MAC address for both the username and

password for each client.

You must enter the MAC address using the delimiter format configured in the MAC authentication profile. The

default delimiter is none, which means that MAC addresses should be in the format xxxxxxxxxxxx. If you specify

colons for the delimiter, you can enter MAC addresses in the format xx:xx:xx:xx:xx:xx.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Internal DB.

3. Click Add User in the Users section. The user configuration page displays.

4. For User Name and Password, enter the MAC address for the client. Use the format specified by the

Delimiter parameter in the MAC Authentication profile. For example, if the MAC Authentication profile

specifies the default delimiter (none), enter MAC addresses in the format xxxxxxxxxxxx.

5. Click Enabled to activate this entry on creation.

6. Click Apply.

The configuration does not take effect until you perform this step.

In the CLI

Enter the following command in enable mode:

(host)(config) #local-userdb add username <macaddr> password <macaddr>...

Dell Networking W-Series ArubaOS 6.4.x | User Guide MAC-based Authentication | 252

Dell Networking W-Series ArubaOS 6.4.x| User Guide 802.1X Authentication | 253

Chapter 11

802.1X Authentication

802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication

framework for WLANs. 802.1x uses the Extensible Authentication Protocol (EAP) to exchange messages during

the authentication process. The authentication protocols that operate inside the 802.1X framework that are

suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-

Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the

client to authenticate the network.

This chapter describes the following topics:

lUnderstanding 802.1X Authentication on page 253

lConfiguring 802.1X Authentication on page 256

lSample Configurations on page 265

lPerforming Advanced Configuration Options for 802.1X on page 281

Other types of authentication not discussed in this section can be found in the following sections of this guide:

lCaptive portal authentication: Configuring Captive Portal Authentication Profiles on page 312

lVPN authentication: Planning a VPN Configuration on page 337

lMAC authentication: Configuring MAC-Based Authentication on page 250

lStateful 802.1x, stateful NTLM, and WISPr authentication: Stateful and WISPr Authentication on page 285

Understanding 802.1X Authentication

802.1x authentication consists of three components:

lThe supplicant, or client, is the device attempting to gain access to the network. You can configure the Dell

user-centric network to support 802.1x authentication for wired usersa wireless users.

lThe authenticator is the gatekeeper to the network and permits or denies access to the supplicants.

lThe Dell controller acts as the authenticator, relaying information between the authentication server and

supplicant. The EAP type must be consistent between the authentication server and supplicant, and is

transparent to the controller.

The authentication server provides a database of information required for authentication, and informs the

authenticator to deny or permit access to the supplicant.

The 802.1X authentication server is typically an EAP-compliant Remote Access Dial-In User Service (RADIUS)

server which can authenticate either users (through passwords or certificates) or the client computer.

An example of an 802.1X authentication server is the Internet Authentication Service (IAS) in Windows (see

technet.microsoft.com/en-us/library/cc759077(WS.10).aspx).

In Dell user-centric networks, you can terminate the 802.1x authentication on the controller. The controller

passes user authentication to its internal database or to a “backend” non-802.1X server. This feature, also

called AAA FastConnect, is useful for deployments where an 802.1X EAP-compliant RADIUS server is not

available or required for authentication.

254 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Supported EAP Types

Following is the list of supported EAP types:

lPEAP—Protected EAP (PEAP) is an 802.1X authentication method that uses server-side public key

certificates to authenticate clients with the server. The PEAP authentication creates an encrypted SSL / TLS

tunnel between the client and the authentication server. The exchange of information is encrypted and

stored in the tunnel to ensure that the user credentials are kept secure.

lEAP-GTC—The EAP-GTC (Generic Token Card) type uses clear text method to exchange authentication

controls between the client and the server. Since the authentication mechanism uses the one-time tokens

(generated by the card), this method of credential exchange is considered safe. In addition, EAP-GTC is used

in PEAP or TTLS tunnels in wireless environments. The EAP-GTC is described in RFC 2284.

lEAP-AKA—The EAP-AKA (Authentication and Key Agreement) authentication mechanism is typically used in

mobile networks that include Universal Mobile Telecommunication Systems (UMTS) and CDMA 2000. This

method uses the information stored in the Subscriber Identity Module (SIM) for authentication. The EAP-

AKA is described in RFC 4187.

lEAP-FAST—The EAP-FAST (Flexible Authentication via Secure Tunneling) is an alternative authentication

method to PEAP. This method uses the Protected Access Credential (PAC) for verifying clients on the

network. The EAP-FAST is described in RFC 4851.

lEAP-MD5—The EAP-MD5 method verifies MD5 hash of a user password for authentication. This method is

commonly used in a trusted network. The EAP-MD5 is described in RFC 2284.

lEAP-POTP—The EAP type 32 is supported. Complete details are described in RFC 4793.

lEAP-SIM—The EAP-SIM (Subscriber Identity Module) uses Global System for Mobile Communication (GSM)

Subscriber Identity Module (SIM) for authentication and session key distribution. This authentication

mechanism includes network authentication, user anonymity support, result indication, and fast re-

authentication procedure. Complete details about this authentication mechanism is described in RFC 4186.

lEAP-TLS—The EAP-TLS (Transport Layer Security) uses Public key Infrastructure (PKI) to set up

authentication with a RADIUS server or any authentication server. This method requires the use of a client-

side certificate for communicating with the authentication server. The EAP-TLS is described in RFC 5216.

lEAP-TLV—The EAP-TLV (type-length-value) method allows you to add additional information in an EAP

message. Often this method is used to provide more information about an EAP message such as status

information or authorization data. This method is always used after a typical EAP authentication process.

lEAP-TTLS—The EAP-TTLS (Tunneled Transport Layer Security) method uses server-side certificates to set up

authentication between clients and servers. The actual authentication is, however, performed using

passwords. Complete details about EAP-TTLS is described in RFC 5281.

lLEAP—Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys and mutual

authentication between the client and the RADIUS server.

lZLXEAP—ZoneLabs EAP is an EAP method that has been allocated EAP Type 44 by IANA. For more

information, visit tools.ietf.org/html/draft-bersani-eap-synthesis-sharedkeymethods-00#page-30.

Configuring Authentication with a RADIUS Server

See Table 47 for an overview of the parameters that you need to configure on authentication components

when the authentication server is an 802.1X EAP-compliant RADIUS server.

Figure 30 802.1X Authentication with RADIUS Server

The supplicant and the authentication server must be configured to use the same EAP type. The controller

does not need to know the EAP type used between the supplicant and authentication server.

For the controller to communicate with the authentication server, you must configure the IP address,

authentication port, and accounting port of the server on the controller. The authentication server must be

configured with the IP address of the RADIUS client, which is the controller in this case. Both the controller and

the authentication server must be configured to use the same shared secret.

Additional information on EAP types supported in a Windows environment, Microsoft supplicants, and

authentication servers, is available at technet.microsoft.com/en-us/library/cc782851(WS.10).aspx.

The client communicates with the controller through a GRE tunnel to form an association with an AP and to get

authenticated in the network. Therefore, the network authentication and encryption configured for an ESSID

must be the same on both the client and the controller.

Configuring Authentication Terminated on Controller

User authentication is performed either via the controller’s internal database or a non-802.1X server. See

802.1x Authentication Profile Basic WebUI Parameters on page 257 for an overview of the parameters that

you need to configure on 802.1X authentication components when 802.1X authentication is terminated on

the controller (AAA FastConnect).

Figure 31 802.1X Authentication with Termination on Controller

In this scenario, the supplicant is configured for EAP-Transport Layer Security (TLS) or EAP-Protected EAP

(PEAP).

lEAP-TLS is used with smart card user authentication. A smart card holds a digital certificate which, with the

user-entered personal identification number (PIN), allows the user to be authenticated on the network. EAP-

TLS relies on digital certificates to verify the identities of both the client and the server.

EAP-TLS requires that you import server and certification authority (CA) certificates onto the controller (see

Configuring and Using Certificates with AAA FastConnect on page 261). The client certificate is verified on

the controller (the client certificate must be signed by a known CA) before the username is checked on the

authentication server.

lEAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following “inner EAP”

methods is used:

nEAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of

unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time

token cards such as SecureID and the use of an LDAP or RADIUS server as the user authentication

server. You can also enable caching of user credentials on the controller as a backup to an external

authentication server.

nEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Described in RFC

2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the

backend authentication server.

If you use the controller’s internal database for user authentication, you need to add the names and passwords

of the users to be authenticated. If you use an LDAP server for user authentication, you need to configure

both the LDAP server and the user IDs and passwords on the controller. If you use a RADIUS server for user

authentication, you need to configure the RADIUS server on the controller.

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 255

256 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Configuring 802.1X Authentication

On the controller, use the following steps to configure a wireless network that uses 802.1x authentication:

1. Configure the VLANs to which the authenticated users will be assigned. See Network Configuration

Parameters on page 148.

2. Configure policies and roles. You can specify a default role for users who are successfully authenticated

using 802.1X. You can also configure server derivation rules to assign a user role based on attributes

returned by the authentication server; server-derived user roles take precedence over default roles. For

more information about policies and roles, see Roles and Policies on page 364.

The Policy Enforcement Firewall Virtual Private Network (PEFV) module provides identity-based security for wired and

wireless users and must be installed on the controller. The stateful firewall allows user classification based on user

identity, device type, location, and time of day to provide differentiated access for different classes of users. For

information about obtaining and installing licenses, see Software Licenses on page 130.

3. Configure the authentication server(s) and server group. The server can be an 802.1X RADIUS server or, if

you use AAA FastConnect, a non-802.1X server or the controller’s internal database. If you use EAP-GTC

within a PEAP tunnel, you can configure an LDAP or RADIUS server as the authentication server (see

Authentication Servers on page 225). If you use EAP-TLS, you need to import server and CA certificates on

the controller (see Configuring and Using Certificates with AAA FastConnect on page 261).

4. Configure the AAA profile:

nSelect the 802.1X default user role.

nSelect the server group you previously configured for the 802.1x authentication server group.

5. Configure the 802.1X authentication profile. See In the WebUI on page 276.

6. Configure the virtual AP profile for an AP group or for a specific AP:

nSelect the AAA profile you previously configured.

nIn the SSID profile, configure the WLAN for 802.1X authentication.

For details on how to complete the above steps, see Sample Configurations on page 265.

In the WebUI

This section describes how to create and configure a new instance of an 802.1X authentication profile in the

WebUI or the CLI.

1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.

2. In the Profiles list, select 802.1X Authentication Profile.

3. Enter a name for the profile, then click Add.

4. Click Apply.

5. In the Profiles list, select the 802.1X authentication profile you just created.

6. Change the settings described in Table 47 as desired, then click Apply.

The 802.1X authentication profile configuration settings are divided into two tabs—Basic and Advanced.

The Basic tab displays only those configuration settings that often need to be adjusted to suit a specific

network. The Advanced tab shows all configuration settings, including settings that do not need frequent

adjustment or should be kept at their default values. If you change a setting on one tab, then click and

display the other tab without saving your configuration, that setting will revert to its previous value.

Parameter Description

Basic 802.1x Authentication Settings

Max authentication

failures

Number of times a user can try to log in with wrong credentials

after which the user is blacklisted as a security threat. Set to 0

to disable blacklisting, otherwise enter a non-zero integer to

blacklist the user after the specified number of failures.

Range: 0-5 failures.

Default: 0 failure.

NOTE: This option may require a license.

Enforce Machine

Authentication

Select the Enforce Machine Authentication option to require

machine authentication. This option is also available on the Basic settings tab.

NOTE: This option may require a license.

Machine

Authentication: Default

Machine Role

Default role assigned to the user after completing only machine authentication.

The default role for this setting is the “guest” role.

Machine

Authentication: Default

User Role

Default role assigned to the user after 802.1x authentication. The default role for

this setting is the “guest” role.

Reauthentication Select the Reauthentication checkbox to force the client to do a 802.1X

reauthentication after the expiration of the default timer for reauthentication.

(The default value of the timer is 24 hours.) If the user fails to reauthenticate with

valid credentials, the state of the user is cleared. If derivation rules are used to

classify 802.1x-authenticated users, then the reauthentication timer per role

overrides this setting.

This option is disabled by default.

Termination Select the Termination checkbox to allow 802.1X authentication to terminate on

the controller. This option is disabled by default.

Termination EAP-Type If you enable termination, click either EAP-PEAP or EAP-TLS to select a Extensible

Authentication Protocol (EAP) method.

Termination Inner EAP-

Type

If you use EAP-PEAP as the EAP method, specify one of the following

inner EAP types:

leap-gtc: Described in RFC 2284, this EAP method permits the transfer of

unencrypted usernames and passwords from client to server. The main uses

for EAP-GTC are one-time token cards such as SecureID and the use of LDAP

or RADIUS as the user authentication server. You can also enable caching of

user credentials on the controller as a backup to an external authentication

server.

leap-mschapv2: Described in RFC 2759, this EAP method is widely supported

by Microsoft clients.

Enforce Suite-B 128 bit

or more security level

Authentication

Configure Suite-B 128 bit or more security level authentication enforcement.

Enforce Suite-B 128 bit

or more security level

Authentication

Configure Suite-B 192 bit security level authentication enforcement.

Advanced 802.1x Authentication Settings

Table 47: 802.1x Authentication Profile Basic WebUI Parameters

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 257

258 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Machine Authentication

Cache Timeout

The timeout, in hours, for machine authentication. The allowed range of values is

1-1000 hours, and the default value is 24 hours.

Blacklist on Machine

Authentication Failure

Select the Blacklist on Machine Authentication Failure checkbox to blacklist a

client if machine authentication fails. This setting is disabled by default.

Interval between

Identity Requests

Interval, in seconds, between identity request retries.

Range: 1-65535 seconds.

Default: 30 seconds.

Quiet Period after

Failed Authentication

The enforced quiet period interval, in seconds, following failed authentication.

Range: 1-65535 seconds.

Default: 30 seconds.

Reauthentication

Interval

Interval, in seconds, between reauthentication attempts.

Range: 60-864000 seconds.

Default: 86400 seconds (1 day).

Use Server provided

Reauthentication

Interval

Select this option to override any user-defined reauthentication interval and use

the reauthentication period defined by the authentication server.

Multicast Key Rotation

Time Interval

Interval, in seconds, between multicast key rotation.

Range: 60-864000 seconds.

Default: 1800 seconds.

Unicast Key Rotation

Time Interval

Interval, in seconds, between unicast key rotation.

Range: 60-864000 seconds. Default: 900 seconds.

Authentication Server

Retry Interval

Server group retry interval, in seconds.

Range: 5-65535 seconds.

Default: 30 seconds.

Authentication Server

Retry Count

Maximum number of authentication requests that are sent to server group.

Range: 0-3 requests.

Default: 2 requests.

Framed MTU Sets the framed Maximum Transmission Unit (MTU) attribute sent to the

authentication server.

Range: 500-1500 bytes.

Default: 1100 bytes.

Number of times ID-

Requests are retried

Maximum number of times ID requests are sent to the client.

Range: 1-10 retries.

Default: 3 retries.

Maximum Number of

Reauthentication

Attempts

Number of times a user can try to log in with wrong credentials after which the

user is blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise

enter a value from 0-5 to blacklist the user after the specified number of failures.

NOTE: If changed from its default value, this option may require a license.

Maximum number of

times Held State can be

bypassed

Number of consecutive authentication failures which, when reached, causes the

controller to not respond to authentication requests from a client while the

controller is in a held state after the authentication failure. Before this number is

reached, the controller responds to authentication requests from the client even

while the controller is in its held state.

Table 47: 802.1x Authentication Profile Basic WebUI Parameters

Parameter Description

(This parameter is applicable when 802.1X authentication is terminated on the

controller, also known as AAA FastConnect.) The allowed range of values for this

parameter is 0-3 failures, and the default value is 0.

Dynamic WEP Key

Message Retry Count

Set the Number of times WPA/WPA2 Key Messages are retried.

Range: 1-5 retries.

Default: 3 retries.

Dynamic WEP Key Size The default dynamic WEP key size is 128 bits, If desired, you can change this

parameter to 40 bits.

Interval between

WPA/WPA2 Key

Messages

Interval, in milliseconds, between each WPA key exchanges.

Range: 1000-5000 ms.

Default: 1000 ms.

Delay between EAP-

Success and WPA2

Unicast Key Exchange

Interval, in milliseconds, between EAP-Success and unicast key exchanges.

Range: 0-2000 ms.

Default: 0 ms (no delay).

Delay between

WPA/WPA2 Unicast Key

and Group Key

Exchange

Interval, in milliseconds, between unicast and multicast key exchange. Time

interval in milliseconds.

Range: 0-2000.

Default: 0 (no delay).

Time interval after

which the PMKSA will be

deleted

The time interval after which the PMKSA (Pairwise Master Key Security

Association) cache is deleted. Time interval in Hours.

Range: 1-2000.

Default: 8.

WPA/WPA2 Key

Message Retry Count

Number of times WPA/WPA2 key messages are retried.

Range: 1-5 retries.

Default: 3 retries.

Multicast Key Rotation Select this checkbox to enable multicast key rotation. This feature is disabled by

default.

Unicast Key Rotation Select this checkbox to enable unicast key rotation. This feature is disabled by

default.

Opportunistic Key

Caching

By default, the 802.1X authentication profile enables a cached pairwise master

key (PMK) which is derived through a client and an associated AP. This key is used

when the client roams to a new AP. This allows clients faster roaming without a

full 802.1x authentication. Uncheck this option to disable this feature.

NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this

feature. If the client does not support this feature, the client will attempt to

renegotiate the key whenever it roams to a new AP. As a result, the key cached on

the controller can be out of sync with the client's key.

Validate PMKID This parameter instructs the controller to check the pairwise master key (PMK) ID

sent by the client. When you enable this option, the client must send a PMKID in

the associate or reassociate frame to indicate that it supports OKC or PMK

caching; otherwise, full 802.1x authentication takes place.

NOTE: This feature is optional, since most clients that support OKC and PMK

caching do not send the PMKID in their association request.

Table 47: 802.1x Authentication Profile Basic WebUI Parameters

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 259

260 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Use Session Key Select the Use Session Key option to use the RADIUS session key as the unicast

WEP key. This option is disabled by default.

Use Static Key Select the Use Static Key option to use a static key as the unicast/multicast WEP

key. This option is disabled by default.

xSec MTU Set the maximum transmission unit (MTU) for frames using the xSec protocol.

Range: 1024-1500 bytes.

Default: 1300 bytes.

Token Caching If you select EAP-GTC as the inner EAP method, you can select the Token Caching

checkbox to enable the controller to cache the username and password of each

authenticated user. The controller continues to reauthenticate users with the

remote authentication server. However, if the authentication server is

unavailable, the controller will inspect its cached credentials to reauthenticate

users.

This option is disabled by default.

Token Caching Period If you select EAP-GTC as the inner EAP method, you can specify the timeout

period, in hours, for the cached information. The default value is 24 hours.

CA-Certificate Click the CA-Certificate drop-down list and select a certificate for client

authentication. The CA certificate needs to be loaded in the controller before it will

appear on this list.

Server-Certificate Click the Server-Certificate drop-down list and select a server certificate the

controller will use to authenticate itself to the client.

TLS Guest Access Select TLS Guest Access to enable guest access for EAP-TLS users with valid

certificates. This option is disabled by default.

TLS Guest Role Click the TLS Guest Role drop-down list and select the default user role for EAP-

TLS guest users. This option may require a license.

Ignore EAPOL-START

after authentication

Select Ignore EAPOL-START after authentication to ignore EAPOL-START

messages after authentication. This option is disabled by default.

Handle EAPOL-Logoff Select Handle EAPOL-Logoff to enable handling of EAPOL-LOGOFF messages.

This option is disabled by default.

Ignore EAP ID during

negotiation

Select Ignore EAP ID during negotiation to ignore EAP IDs during negotiation.

This option is disabled by default.

WPA-Fast-Handover Select this option to enable WPA-fast-handover on phones that support this

feature. WAP fast-handover is disabled by default.

Disable rekey and

reauthentication for

clients on call

This feature disables rekey and reauthentication for VoWLAN clients. It is disabled

by default, meaning that rekey and reauthentication is enabled.

NOTE: This option may require a license This option may require a license.

Check certificate

common name against

AAA server

If you use client certificates for user authentication, enable this option to verify

that the certificate's common name exists in the server. This parameter is

enabled by default in the default-cap and default-rap VPN profiles, and disabled by

default on all other VPN profiles.

Table 47: 802.1x Authentication Profile Basic WebUI Parameters

In the CLI

The following command configures settings for an 802.1X authentication profiles. Individual parameters are

described in the previous table.

(host)(config) #aaa authentication dot1x {<profile>|countermeasures}

ca-cert <certificate>

clear

clone <profile>

eapol-logoff

framed-mtu <mtu>

heldstate-bypass-counter <number>

ignore-eap-id-match

ignore-eapolstart-afterauthentication

machine-authentication blacklist-on-failure|{cache-timeout <hours>}|enable|

{machine-default-role <role>}|{user-default-role <role>}

max-authentication-failures <number>

max-requests <number>

multicast-keyrotation

no ...

opp-key-caching

reauth-max <number>

reauthentication

server {server-retry <number>|server-retry-period <seconds>}

server-cert <certificate>

termination {eap-type <type>}|enable|enable-token-caching|{inner-eap-type (eapgtc|

eap-mschapv2)}|{token-caching-period <hours>}

timer {idrequest_period <seconds>}|{mkey-rotation-period <seconds>}|{quiet-period

<seconds>}|{reauth-period <seconds>}|{ukey-rotation-period <seconds>}|{wpagroupkey-

delay <seconds>}|{wpa-key-period <milliseconds>}

tls-guest-access

tls-guest-role <role>

unicast-keyrotation

use-session-key

use-static-key

validate-pmkid

voice-aware

wep-key-retries <number>

wep-key-size {40|128}

wpa-fast-handover

wpa-key-retries <number>

xSec-mtu <mtu>

Configuring and Using Certificates with AAA FastConnect

The controller supports 802.1x authentication using digital certificates for AAA FastConnect.

lServer Certificate—A server certificate installed in the controller verifies the authenticity of the controller for

802.1x authentication. Dell controllers ship with a demonstration digital certificate. Until you install a

customer-specific server certificate in the controller, this demonstration certificate is used by default for all

secure HTTP connections (such as the WebUI and captive portal) and AAA FastConnect. This certificate is

included primarily for the purposes of feature demonstration and convenience, and is not intended for

long-term use in production networks. Users in a production environment are urged to obtain and install a

certificate issued for their site or domain by a well-known certificate authority (CA). You can generate a

Certificate Signing Request (CSR) on the controller to submit to a CA. For information on how to generate a

CSR and how to import the CA-signed certificate into the controller, see Managing Certificates on page 795.

lClient Certificates—Client certificates are verified on the controller (the client certificate must be signed by a

known CA) before the username is checked on the authentication server. To use client certificate

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 261

262 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

authentication for AAA FastConnect, you need to import the following certificates into the controller (see

Importing Certificates on page 798):

nController’s server certificate

nCA certificate for the CA that signed the client certificates

In the WebUI

1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.

2. In the Profiles list, select 802.1x Authentication Profile.

3. Select the default 802.1x authentication profile from the drop-down list to display configuration

parameters.

4. In the Basic tab, select Termination.

5. Select the Advanced Tab.

6. In the Server-Certificate field, select the server certificate imported into the controller.

7. In the CA-Certificate field, select the CA certificate imported into the controller.

8. Click Save As. Enter a name for the 802.1x authentication profile.

9. Click Apply.

In the CLI

Use the following commands to configure the 802.1x profile:

(host)(config) #aaa authentication dot1x <profile>

termination enable

server-cert <certificate>

ca-cert <certificate>

Configuring User and Machine Authentication

When a Windows device boots, it logs onto the network domain using a machine account. Within the domain,

the device is authenticated before computer group policies and software settings can be executed; this process

is known as machine authentication. Machine authentication ensures that only authorized devices are allowed

on the network.

You can configure 802.1x for both user and machine authentication (select the Enforce Machine

Authentication option described in Table 47). This tightens the authentication process further, since both the

device and user need to be authenticated.

Working with Role Assignment with Machine Authentication Enabled

When you enable machine authentication, there are two additional roles you can define in the 802.1x

authentication profile:

lMachine authentication default machine role

lMachine authentication default user role

While you can select the same role for both options, you should define the roles as per the polices that need to

be enforced. Also, these roles can be different from the 802.1x authentication default role configured in the

AAA profile.

With machine authentication enabled, the assigned role depends upon the success or failure of the machine

and user authentications. In certain cases, the role that is ultimately assigned to a client can also depend upon

attributes returned by the authentication server or server derivation rules configured on the controller.

Table 48 describes role assignment based on the results of the machine and user authentications.

Machine

Auth

Status

User

Auth

Status

Description Role Assigned

Failed Failed Both machine authentication and user

authentication failed. L2 authentication

failed.

No role assigned. No access to the

network allowed.

Failed Passed Machine authentication failed (for

example, the machine information is

not present on the server) and user

authentication succeeded. Server-

derived roles do not apply.

Machine authentication default user

role configured in the 802.1x

authentication profile.

Passed Failed Machine authentication succeeded

and user authentication has not been

initiated. Server-derived roles do not

apply.

Machine authentication default

machine role configured in the 802.1x

authentication profile.

Passed Passed Both machine and user are

successfully authenticated. If there are

server-derived roles, the role assigned

via the derivation take precedence.

This is the only case where server-

derived roles are applied.

A role derived from the authentication

server takes precedence. Otherwise,

the 802.1x authentication default role

configured in the AAA profile is

assigned.

Table 48: Role Assignment for User and Machine Authentication

For example, if the following roles are configured:

l802.1x authentication default role (in AAA profile): dot1x_user

lMachine authentication default machine role (in 802.1x authentication profile): dot1x_mc

lMachine authentication default user role (in 802.1x authentication profile): guest

Role assignment is as follows:

lIf both machine and user authentication succeed, the role is dot1x_user. If there is a server-derived role, the

server-derived role takes precedence.

lIf only machine authentication succeeds, the role is dot1x_mc.

lIf only user authentication succeeds, the role is guest.

lOn failure of both machine and user authentication, the user does not have access to the network.

With machine authentication enabled, the VLAN to which a client is assigned (and from which the client obtains

its IP address) depends upon the success or failure of the machine and user authentications. The VLAN that is

ultimately assigned to a client can also depend upon attributes returned by the authentication server or server

derivation rules configured on the controller (see Understanding VLAN Assignments on page 157). If machine

authentication is successful, the client is assigned the VLAN configured in the virtual AP profile. However, the

client can be assigned a derived VLAN upon successful user authentication.

You can optionally assign a VLAN as part of a user role configuration. You should not use VLAN derivation

if you configure user roles with VLAN assignments.

Table 49 describes VLAN assignment based on the results of the machine and user authentications when VLAN

derivation is used.

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 263

264 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Machine Auth

Status

User

Auth

Status

Description VLAN Assigned

Failed Failed Both machine authentication and user

authentication failed. L2 authentication

failed.

No VLAN.

Failed Passed Machine authentication failed (for

example, the machine information is not

present on the server) and user

authentication succeeded.

VLAN configured in the

virtual AP profile.

Passed Failed Machine authentication succeeded and

user authentication has not been initiated.

VLAN configured in the

virtual AP profile.

Passed Passed Both machine and user are successfully

authenticated.

Derived VLAN.

Otherwise, VLAN

configured in the virtual

AP profile.

Table 49: VLAN Assignment for User and Machine Authentication

The administrator can now associate a VLAN ID to a client data based on the authentication credentials in a bridge

mode.

Enabling 802.1x Supplicant Support on an AP

This release of ArubaOS provides 802.1X supplicant support on the Access Point (AP). The AP can be used as a

802.1x supplicant where access to the wired Ethernet network is restricted to those devices that can

authenticate using 802.1x.You can provision an AP to act as an 802.1X supplicant and authenticate to the

infrastructure using the PEAP protocol.

Both Campus APs (CAPs) and Remote APs (RAPs) can be provisioned to use 802.1X authentication.

Prerequisites

lAn AP has to be configured with the credentials for 802.1X authentication. These credentials are stored

securely in the AP flash.

lThe AP must complete the 802.1X authentication before it sends or receives IP traffic such as DHCP.

If the AP cannot complete 802.1x authentication (explicit failure or reply timeout) within 1 minute, the AP will proceed

to initiate the IP traffic and attempt to contact the controller. The infrastructure can be configured to allow this. If the

AP contacts the controller it will be marked as unprovisioned so that the administrator can take corrective action.

Provisioning an AP as an 802.1X Supplicant

This section describes how an AP can be provisioned as an 802.1X supplicant using CLI or the WebUI.

In the WebUI

To provision an AP as an 802.1X supplicant using the WebUI, follow these steps:

1. Navigate to the Configuration > Wireless > AP Installation > Provisioning window. The list of

discovered APs are displayed on this page.

2. Select the AP you want to provision.

3. Click Provision. The provisioning window opens.

4. Select the 802.1x Parameters using PEAP checkbox and enter the following credentials:

a. User Name: Enter the username of the AP in the User Name field.

b. Password: Enter the password of the AP in the Password field.

5. Enter the password again in the Confirm Password field and reconfirm it.

6. Click Apply and Reboot (at the bottom of the page).

In the CLI

To provision an AP as a 802.1X supplicant using the CLI, enter the following commands in the config mode:

(host) (config)# provision-ap

(host) (AP provisioning) # apdot1x-username <username>

(host) (AP provisioning) # apdot1x-passwd <password>

(host) (AP provisioning) # reprovision ap-name <apname>

To view the 802.1x authentication details on the controller:

(host) # show ap active

Active AP Table

---------------

Name Group IP Address 11g Clients 11g Ch/EIRP/MaxEIRP 11a Clients 11a

Ch/EIRP/MaxEIRP AP Type Flags Uptime Outer IP

---- ----- ---------- ----------- ------------------- ----------- ----------------

--- ------- ----- ------ --------

AP1X default 10.3.15.107 0 AP:HT:1/15/21.5 0 AP:HT:44/15/21

125 1E2 5m:48s N/A

Flags: a = Reduce ARP packets in the air; A = Enet1 in active/standby mode;

B = Battery Boost On; C = Cellular; D = Disconn. Extra Calls On;

d = Drop Mcast/Bcast On; E = Wired AP enabled; K = 802.11K Enabled;

L = Client Balancing Enabled; M = Mesh; N = 802.11b protection disabled;

P = PPPOE; R = Remote AP; X = Maintenance Mode;

1 = 802.1x authenticated AP; 2 = Using IKE version 2;

Sample Configurations

The following examples show basic configurations on the controller for:

lConfiguring Authentication with an 802.1X RADIUS Server on page 265

lConfiguring Authentication with the Controller’s Internal Database on page 275

In the following examples:

lWireless clients associate to the ESSID WLAN-01.

lThe following roles allow different networks access capabilities:

nstudent

nfaculty

nguest

nsystem administrators

The examples show how to configure using the WebUI and CLI commands.

Configuring Authentication with an 802.1X RADIUS Server

lAn EAP-compliant RADIUS server provides the 802.1X authentication. The RADIUS server administrator

must configure the server to support this authentication. The administrator must also configure the server

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 265

266 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

to all communications with the Dell controller.

lThe authentication type is WPA. From the 802.1X authentication exchange, the client and the controller

derive dynamic keys to encrypt data transmitted on the wireless network.

l802.1x authentication based on PEAP with MS-CHAPv2 provides both computer and user authentication. If

a user attempts to log in without the computer being authenticated first, the user is placed into a more

limited “guest” user role.

Windows domain credentials are used for computer authentication, and the user’s Windows login and

password are used for user authentication. A single user sign-on facilitates both authentication to the

wireless network and access to the Windows server resources.

802.1X Configuration for IAS and Windows Clients on page 1060 describes how to configure the Microsoft Internet

Authentication Server and Windows XP wireless client to operate with the controller configuration shown in this

section.

Configuring Roles and Policies

You can create the following policies and user roles for:

lStudent

lFaculty

lGuest

lSysadmin

lComputer

Creating the Student Role and Policy

The student policy prevents students from using telnet, POP3, FTP, SMTP, SNMP, or SSH to the wired portion

of the network. The student policy is mapped to the student user role.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page. Select Add to add the

student policy.

2. For Policy Name, enter student.

3. For Policy Type, select IPv4 Session.

4. Under Rules, select Add to add rules for the policy.

a. Under Source, select user.

b. Under Destination, select alias.

The following step defines an alias representing all internal network addresses. Once defined,

you can use the alias for other rules and policies.

c. Under the alias selection, click New. For Destination Name, enter Internal Network. Click Add to add a

rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range, enter

255.0.0.0. Click Add to add the network range. Repeat these steps to add the network range 172.16.0.0

- 255.255.0.0. Click Done. The alias Internal Network appears in the Destination menu. This step defines

an alias representing all internal network addresses. Once defined, you can use the alias for other rules

and policies.

d. Under Destination, select Internal Network.

e. Under Service, select service. In the Service scrolling list, select svc-telnet.

f. Under Action, select drop.

g. Click Add.

5. Under Rules, click Add.

a. Under Source, select user.

b. Under Destination, select alias and then select Internal Network.

c. Under Service, select service. In the Service scrolling list, select svc-pop3.

d. Under Action, select drop.

e. Click Add.

6. Repeat steps 4A-E to create rules for the following services: svc-ftp, svc-smtp, svc-snmp, and svc-ssh.

7. Click Apply.

8. Click the User Roles tab. Click Add to create the student role.

9. For Role Name, enter student.

10.Under Firewall Policies, click Add. In Choose from Configured Policies, select the student policy you

previously created. Click Done.

11.Click Apply.

In the CLI

Use the following commands to configure a student role and policy:

(host)(config) #ip access-list session student

user alias “Internal Network” svc-telnet deny

user alias “Internal Network” svc-pop3 deny

user alias “Internal Network” svc-ftp deny

user alias “Internal Network” svc-smtp deny

user alias “Internal Network” svc-snmp deny

user alias “Internal Network” svc-ssh deny

(host)(config) #user-role student

session-acl student

session-acl allowall

Creating the Faculty Role and Policy

The faculty policy is similar to the student policy, however faculty members are allowed to use POP3 and

SMTP for VPN remote access from home. (Students are not permitted to use VPN remote access.) The faculty

policy is mapped to the faculty user role.

Using the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page. Click Add to add the faculty

policy.

2. For Policy Name, enter faculty.

3. For Policy Type, select IPv4 Session.

4. Under Rules, click Add to add rules for the policy.

a. Under Source, select user.

b. Under Destination, select alias, then select Internal Network.

c. Under Service, select service. In the Service scrolling list, select svc-telnet.

d. Under Action, select drop.

e. Click Add.

f. Repeat steps A-E to create rules for the following services: svc-ftp, svc-snmp, and svc-ssh.

5. Click Apply.

6. Select the User Roles tab. Click Add to create the faculty role.

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 267

268 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

7. For Role Name, enter faculty.

8. Under Firewall Policies, click Add. In Choose from Configured Policies, select the faculty policy you

previously created. Click Done.

In the CLI

Use the following commands to configure a faculty role and policy:

(host)(config) #ip access-list session faculty

user alias “Internal Network” svc-telnet deny

user alias “Internal Network” svc-ftp deny

user alias “Internal Network” svc-snmp deny

user alias “Internal Network” svc-ssh deny

(host)(config) #user-role faculty

session-acl faculty

session-acl allowall

Creating the Guest Role and Policy

The guest policy permits only access to the internet (via HTTP or HTTPS) and only during daytime working

hours. The guest policy is mapped to the guest user role.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Time Ranges page to define the time

range working-hours. Click Add.

a. For Name, enter working-hours.

b. For Type, select Periodic.

c. Click Add.

d. For Start Day, click Weekday.

e. For Start Time, enter 07:30.

f. For End Time, enter 17:00.

g. Click Done.

h. Click Apply.

2. Click the Policies tab. Click Add to add the guest policy.

3. For ePolicy Name, enter guest.

4. For Policy Type, select IPv4 Session.

5. Under Rules, click Add to add rules for the policy.

To create rules to permit access to DHCP and DNS servers during working hours:

a. Under Source, select user.

b. Under Destination, select host. In Host IP, enter 10.1.1.25.

c. Under Service, select service. In the Service scrolling list, select svc-dhcp.

d. Under Action, select permit.

e. Under Time Range, select working-hours.

f. Click Add.

g. Repeat steps A-F to create a rule for svc-dns.

To create a rule to deny access to the internal network:

a. Under Source, select user.

b. Under Destination, select alias. Select Internal Network.

c. Under Service, select any.

d. Under Action, select drop.

e. Click Add.

To create rules to permit HTTP and HTTPS access during working hours:

a. Under Source, select user.

b. Under Destination, select any.

c. Under Service, select service. In the Services scrolling list, select svc-http.

d. Under Action, select permit.

e. Under Time Range, select working-hours.

f. Click Add.

g. Repeat steps A-F for the svc-https service.

To create a rule that denies the user access to all destinations and all services:

a. Under Source, select user.

b. Under Destination, select any.

c. Under Service, select any.

d. Under Action, select drop.

e. Click Add.

6. Click Apply.

7. Click the User Roles tab. Click Add to create the guest role.

8. For Role Name, enter guest.

9. Under Firewall Policies, click Add. In Choose from Configured Policies, select the guest policy you

previously created. Click Done.

In the CLI

Use the following commands to configure a guest role and policy:

time-range working-hours periodic

weekday 07:30 to 17:00

(host)(config) #ip access-list session guest

user host 10.1.1.25 svc-dhcp permit time-range working-hours

user host 10.1.1.25 svc-dns permit time-range working-hours

user alias “Internal Network” any deny

user any svc-http permit time-range working-hours

user any svc-https permit time-range working-hours

user any any deny

(host)(config) #user-role guest

session-acl guest

Creating Roles and Policies for Sysadmin and Computer

The allowall policy, a predefined policy, allows unrestricted access to the network. The allowall policy is

mapped to both the sysadmin user role and the computer user role.

In the WebUI

1. Navigate to Configuration > Security > Access Control > User Roles page. Click Add to create the

sysadmin role.

2. For Role Name, enter sysadmin.

3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall policy.

Click Done.

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 269

270 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

4. Click Apply.

In the CLI

(host)(config) #user-role sysadmin

session-acl allowall

Using the WebUI to create the computer role

1. Navigate to Configuration > Security > Access Control > User Roles page. Click Add to create the

computer role.

2. For Role Name, enter computer.

3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall policy.

Click Done.

4. Click Apply.

Using the CLI to create the computer role

Use the following command to create a computer role:

(host)(config) #user-role computer

session-acl allowall

Creating an Alias for the Internal Network Using the CLI

Use the following commands to create an alias for the internal network:

(host)(config) #netdestination “Internal Network”

network 10.0.0.0 255.0.0.0

network 172.16.0.0 255.255.0.0

Configuring the RADIUS Authentication Server

Configure the RADIUS server IAS1, with IP address 10.1.1.21 and shared key. The RADIUS server is configured

to sent an attribute called Class to the controller; the value of this attribute is set to either “student,” “faculty,”

or “sysadmin” to identify the user’s group. The controller uses the literal value of this attribute to determine the

role name.

On the controller, you add the configured server (IAS1) into a server group. For the server group, you configure

the server rule that allows the Class attribute returned by the server to set the user role.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. In the Servers list, select Radius Server. In the RADIUS Server Instance list, enter IAS1 and click Add.

a. Select IAS1 to display configuration parameters for the RADIUS server.

b. For IP Address, enter 10.1.1.21.

c. For Key, enter |*a^t%183923!. (You must enter the key string twice.)

d. Click Apply.

3. In the Servers list, select Server Group. In the Server Group Instance list, enter IAS and click Add.

a. Select the server group IAS to display configuration parameters for the server group.

b. Under Servers, click New.

c. From the Server Name drop-down list, select IAS1. Click Add Server.

4. Under Server Rules, click New.

a. For Condition, enter Class.

b. For Attribute, select value-of from the drop-down list.

c. For Operand, select set role.

d. Click Add.

5. Click Apply.

In the CLI

Use the following commands to configure the RADIUS authentication server:

(host)(config) #aaa authentication-server radius IAS1

host 10.1.1.21

key |*a^t%183923!

(host)(config) #aaa server-group IAS

auth-server IAS1

set role condition Class value-of

Configuring 802.1X Authentication

An AAA profile specifies the 802.1X authentication profile and 802.1x server group to be used for

authenticating clients for a WLAN. The AAA profile also specifies the default user roles for 802.1X and MAC

authentication.

In the 802.1X authentication profile, configure enforcement of machine authentication before user

authentication. If a user attempts to log in before machine authentication completes, the user is placed in the

limited guest role.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.

2. Select 802.1X Authentication Profile.

a. At the bottom of the Instance list, enter dot1x, then click Add.

b. Select the profile name you just added.

c. Select Enforce Machine Authentication.

d. For the Machine Authentication: Default Machine Role, select computer.

e. For the Machine Authentication: Default User Role, select guest.

f. Click Apply.

3. Select the AAA Profiles tab.

a. In the AAA Profiles Summary, click Add to add a new profile.

b. Enter aaa_dot1x, then click Add.

a. Select the profile name you just added.

b. For MAC Auth Default Role, select computer.

c. For 802.1x Authentication Default Role, select faculty.

d. Click Apply.

4. In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication Profile.

a. From the drop-down list, select the dot1x 802.1x authentication profile you configured previously.

b. Click Apply.

5. In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication Server Group.

a. From the drop-down list, select the IAS server group you created previously.

b. Click Apply.

In the CLI

Use the following commands to configure an 802.1x profile:

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 271

272 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

(host)(config) #aaa authentication dot1x dot1x

machine-authentication enable

machine-authentication machine-default-role computer

machine-authentication user-default-role guest

(host)(config) #aaa profile aaa_dot1x

d>ot1x-default-role faculty

mac-default-role computer

authentication-dot1x dot1x

d>ot1x-server-group IAS

Configuring VLANs

In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to VLAN

63. VLANs 60 and 61 split users into smaller IP subnetworks, improving performance by decreasing broadcast

traffic. The VLANs are internal to the Dell controller only and do not extend into other parts of the wired

network. The clients’ default gateway is the Dell controller, which routes traffic out to the 10.1.1.0 subnetwork.

You configure the VLANs, assign IP addresses to each VLAN, and establish the “helper address” to which client

DHCP requests are forwarded.

In the WebUI

1. Navigate to the Configuration > Network > VLANs page. Click Add to add VLAN 60.

a. For VLAN ID, enter 60.

b. Click Apply.

c. Repeat steps A and B to add VLANs 61 and 63.

2. To configure IP parameters for the VLANs, navigate to the Configuration > Network > IP > IPInterfaces

page.

a. Click Edit for VLAN 60.

b. For IP Address, enter 10.1.60.1.

c. For Net Mask, enter 255.255.255.0.

d. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

e. Click Apply.

3. In the IP Interfaces page, click Edit for VLAN 61.

a. For IP Address, enter 10.1.61.1.

b. For Net Mask, enter 255.255.255.0.

c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

d. Click Apply.

4. In the IP Interfaces page, click Edit for VLAN 63.

a. For IP Address, enter 10.1.63.1.

b. For Net Mask, enter 255.255.255.0.

c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

d. Click Apply.

5. Select the IP Routes tab.

a. For Default Gateway, enter 10.1.1.254.

b. Click Apply.

In the CLI

Use the following commands to configure VLANs:

(host)(config) #vlan 60

(host)(config) #interface vlan 60

ip address 10.1.60.1 255.255.255.0

ip helper-address 10.1.1.25

(host)(config) #vlan 61

(host)(config) #interface vlan 61

ip address 10.1.61.1 255.255.255.0

ip helper-address 10.1.1.25

(host)(config) #vlan 63

(host)(config) #interface vlan 63

ip address 10.1.63.1 255.255.255.0

ip helper-address 10.1.1.25

(host)(config) #ip default-gateway 10.1.1.254

Configuring the WLANs

In this example, default AP parameters for the entire network are: the default ESSID is WLAN-01 and the

encryption mode is TKIP. A second ESSID called “guest” has the encryption mode set to static WEP with a

configured WEP key.

In this example, the non-guest clients that associate to an AP are mapped into one of two different user VLANs.

The initial AP to which the client associates determines the VLAN: clients that associate to APs in the first floor

of the building are mapped to VLAN 60, and clients that associate to APs in the second floor of the building are

mapped to VLAN 61. Therefore, the APs in the network are segregated into two AP groups, named first-floor

and second-floor. (See Creating an AP group on page 487 for information about creating AP groups.) The guest

clients are mapped into VLAN 63.

Configuring the Guest WLAN

You create and configure the virtual AP profile, guest and apply the profile to each AP group. The “guest” virtual

AP profile contains the SSID profile “guest” which configures static WEP with a WEP key.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. In the AP Group list, click Edit for first-floor.

3. Under Profiles, select Wireless LAN and then Virtual AP.

4. To create the guest virtual AP:

a. Select NEW from the Add a profile drop-down list. Enter guest, and click Add.

b. In the Profile Details entry for the guest virtual AP profile, select NEW from the SSID profile drop-down

list. A pop-up window allows you to configure the SSID profile.

c. For the name for the SSID profile enter guest.

d. For the Network Name for the SSID, enter guest.

e. For Network Authentication, select None.

f. For Encryption, select WEP.

g. Enter the WEP Key.

h. Click Apply to apply the SSID profile to the Virtual AP.

i. Under Profile Details, click Apply.

5. Click on the guest virtual AP name in the Profiles list or in Profile Details to display configuration

parameters.

a. Ensure that you select Virtual AP enable.

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 273

274 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

b. For VLAN, select 63.

c. Click Apply.

6. Navigate to the Configuration > Wireless > AP Configuration page.

7. In the AP Group list, click Edit for the second-floor.

8. In the Profiles list, select Wireless LAN and then Virtual AP.

9. Select guest from the Add a profile drop-down list. Click Add.

10.Click Apply.

In the CLI

Use the following commands to configure the Guest WLAN:

(host)(config) #wlan ssid-profile guest

essid guest

wepkey1 aaaaaaaaaa

opmode static-wep

(host)(config) #wlan virtual-ap guest

vlan 63

ssid-profile guest

(host)(config) #ap-group first-floor

virtual-ap guest

(host)(config) #ap-group second-floor

virtual-ap guest

Configuring the Non-Guest WLANs

You create and configure the SSID profile “WLAN-01” with the ESSID “WLAN-01” and WPA TKIP encryption. You

need to create and configure two virtual AP profiles: one with VLAN 60 for the first-floor AP group and the

other with VLAN 61 for the second-floor AP group. Each virtual AP profile references the SSID profile “WLAN-

01” and the previously-configured AAA profile aaa_dot1x.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. In the AP Group list, click Edit for the first-floor.

3. In the Profiles list, select Wireless LAN and then Virtual AP.

4. To configure the WLAN-01_first-floor virtual AP:

a. Select NEW from the Add a profile drop-down list. Enter WLAN-01_first-floor, and click Add.

b. In the Profile Details entry for the WLAN-01_first-floor virtual AP profile, select the aaa_dot1x AAA

profile you previously configured. A pop-up window displays the configured AAA profile parameters.

Click Apply.

c. From the SSID profile drop-down list, select NEW. A pop-up window allows you to configure the SSID

profile.

d. Enter WLAN-01 for the name of the SSID profile.

e. For Network Name, enter WLAN-01.

f. For Network Authentication, select WPA.

g. Click Apply.

h. At the bottom of the Profile Details page, click Apply.

5. Click on the WLAN-01_first-floor virtual AP name in the Profiles list or in Profile Details to display

configuration parameters.

a. Ensurer that you select Virtual AP enable.

b. For VLAN, select 60.

c. Click Apply.

6. Navigate to the Configuration > Wireless > AP Configuration page.

7. In the AP Group list, click Edit for the second-floor.

8. In the Profiles list, select Wireless LAN and then Virtual AP.

9. To configure the WLAN-01_second-floor virtual AP:

a. Select NEW from the Add a profile drop-down list. Enter WLAN-second-floor, and click Add.

b. In the Profile Details entry for the virtual AP profile, select aaa_dot1x from the AAA profile drop-down

list. A pop-up window displays the configured AAA profile parameters. Click Apply .

c. From the SSID profile drop-down list, select WLAN-01. A pop-up window displays the configured SSID

profile parameters. Click Apply .

d. At the bottom of the Profile Details page, click Apply.

10.Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration

parameters.

a. Ensure that you select Virtual AP enable.

b. For VLAN, select 61.

c. Click Apply.

In the CLI

Use the following commands to configure non-guest WLANs:

(host)(config) #wlan ssid-profile WLAN-01

essid WLAN-01

opmode wpa-tkip

(host)(config) #wlan virtual-ap WLAN-01_first-floor

vlan 60

aaa-profile aaa_dot1x

ssid-profile WLAN-01

(host)(config) #wlan virtual-ap WLAN-01_second-floor

vlan 61

aaa-profile aaa_dot1x

ssid-profile WLAN-01

(host)(config) #ap-group first-floor

virtual-ap WLAN-01_first-floor

ap-group second-floor

virtual-ap WLAN-01_second-floor

Configuring Authentication with the Controller’s Internal Database

In the following example:

lThe controller’s internal database provides user authentication.

lThe authentication type is WPA. From the 802.1x authentication exchange, the client and the controller

derive dynamic keys to encrypt data transmitted on the wireless network.

Configuring the Internal Database

Configure the internal database with the username, password, and role (student, faculty, or sysadmin) for each

user. There is a default internal server group that includes the internal database. For the internal server

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 275

276 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

group, configure a server derivation rule that assigns the role to the authenticated client.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. In the Servers list, select Internal DB.

3. Under Users, click Add User to add users.

4. For each user, enter a username and password.

5. Select a role for each user (if a role is not specified, the default role is guest).

6. Select the expiration time for the user account in the internal database.

7. Click Apply.

In the CLI

Use the privileged mode in the CLI to configure users in the controller’s internal database.

Use the following command to configure the internal database:

(host)(config) #local-userdb add username <user> password <password>

Configuring a Server Rule Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Server Group to display the Server Group list.

3. Select the internal server group.

4. Under Server Rules, click New to add a server derivation rule.

a. For Condition, enter Role.

b. Select value-of from the drop-down list.

c. Select Set Role from the drop-down list.

d. Click Add.

5. Click Apply.

Configuring a Server Rule Using the CLI

Use the following command to configure a server rule:

(host)(config) #aaa server-group internal

set role condition Role value-of

Configuring 802.1x Authentication

An AAA profile specifies the 802.1x authentication profile and 802.1x server group to be used for

authenticating clients for a WLAN. The AAA profile also specifies the default user role for 802.1x

authentication.

For this example, you enable both 802.1x authentication and termination on the controller.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. In the profiles

list, select 802.1x Authentication Profile.

a. In the Instance list, enter dot1x, then click Add.

b. Select the dot1x profile you just created.

c. Select Termination.

The defaults for EAP Method and Inner EAP Method are EAP-PEAP and EAP-MSCHAPv2, respectively.

d. Click Apply.

2. Select the AAA Profiles tab.

a. In the AAA Profiles Summary, click Add to add a new profile.

b. Enter aaa_dot1x, then click Add.

c. Select the aaa_dot1x profile you just created.

d. For 802.1x Authentication Default Role, select faculty.

e. Click Apply.

3. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x Authentication Profile.

a. Select the dot1x profile from the 802.1x Authentication Profile drop-down list.

b. Click Apply.

4. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x Authentication Server

Group.

a. Select the internal server group.

b. Click Apply.

In the CLI

Use the following commands to configure 802.1x profile:

(host)(config) #aaa authentication dot1x dot1x

termination enable

(host)(config) #aaa profile aaa_dot1x

d>ot1x-default-role student

authentication-dot1x dot1x

d>ot1x-server-group internal

Configuring VLANs

In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to VLAN

63. VLANs 60 and 61 split users into smaller IP subnetworks, improving performance by decreasing broadcast

traffic. The VLANs are internal to the Dell controller only and do not extend into other parts of the wired

network. The clients’ default gateway is the Dell controller, which routes traffic out to the 10.1.1.0 subnetwork.

You configure the VLANs, assign IP addresses to each VLAN, and establish the “helper address” to which client

DHCP requests are forwarded.

In the WebUI

1. Navigate to the Configuration > Network > VLAN page. Click Add to add VLAN 60.

a. For VLAN ID, enter 60.

b. Click Apply.

c. Repeat steps A and B to add VLANs 61 and 63.

2. To configure IP parameters for the VLANs, navigate to the Configuration > Network > IP > IP Interfaces

page.

a. Click Edit for VLAN 60.

b. For IP Address, enter 10.1.60.1.

c. For Net Mask, enter 255.255.255.0.

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 277

278 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

d. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

e. Click Apply.

3. In the IP Interfaces page, click Edit for VLAN 61.

a. For IP Address, enter 10.1.61.1.

b. For Net Mask, enter 255.255.255.0.

c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

d. Click Apply.

4. In the IP Interfaces page, click Edit for VLAN 63.

a. For IP Address, enter 10.1.63.1.

b. For Net Mask, enter 255.255.255.0.

c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

d. Click Apply.

5. Select the IP Routes tab.

a. For Default Gateway, enter 10.1.1.254.

b. Click Apply.

In the CLI

Use the following commands to configure VLANs:

(host)(config) #vlan 60

(host)(config) #interface vlan 60

ip address 10.1.60.1 255.255.255.0

ip helper-address 10.1.1.25

(host)(config) #vlan 61

(host)(config) #interface vlan 61

ip address 10.1.61.1 255.255.255.0

ip helper-address 10.1.1.25

(host)(config) #vlan 63

(host)(config) #interface vlan 63

ip address 10.1.63.1 255.255.255.0

ip helper-address 10.1.1.25

(host)(config) #ip default-gateway 10.1.1.254

Configuring WLANs

In this example, default AP parameters for the entire network are as follows: the default ESSID is WLAN-01 and

the encryption mode is TKIP. A second ESSID called guest has the encryption mode set to static WEP with a

configured WEP key.

In this example, the non-guest clients that associate to an AP are mapped into one of two different user VLANs.

The initial AP to which the client associates determines the VLAN: clients that associate to APs in the first floor

of the building are mapped to VLAN 60, and clients that associate to APs in the second floor of the building are

mapped to VLAN 61. Therefore, the APs in the network are segregated into two AP groups, named first-floor

and second-floor. (See Creating an AP group on page 487 for information about creating AP groups.) The guest

clients are mapped into VLAN 63.

Configuring the Guest WLAN

You create and configure the virtual AP profile, guest and apply the profile to each AP group. The guest virtual

AP profile contains the SSID profile, guest which configures static WEP with a WEP key.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. In the AP Group list, select first-floor.

3. In the Profiles list, select Wireless LAN and then Virtual AP.

4. To configure the guest virtual AP:

a. Select NEW from the Add a profile drop-down list. Enter guest for the name of the virtual AP profile,

and click Add.

b. In the Profile Details entry for the guest virtual AP profile, select NEW from the SSID profile drop-down

list. A pop-up window allows you to configure the SSID profile.

c. Enter guest for the name of the SSID profile.

d. Enter guest for the Network Name.

e. For Network Authentication, select None.

f. For Encryption, select WEP.

g. Enter the WEP key.

h. Click Apply.

i. Under Profile Details, click Apply.

5. Click on the guest virtual AP name in the Profiles list or in Profile Details to display configuration

parameters.

a. Ensure that you select Virtual AP enable.

b. For VLAN, select 63.

c. Click Apply.

6. Navigate to the Configuration > Wireless > AP Configuration page.

7. In the AP Group list, select second-floor.

8. In the Profiles list, select Wireless LAN and then Virtual AP.

9. Select guest from the Add a profile drop-down list. Click Add.

10.Click Apply.

In the CLI

Use the following commands to configure a Guest WLAN:

(host)(config) #wlan ssid-profile guest

essid guest

wepkey1 aaaaaaaaaa

opmode static-wep

(host)(config) #wlan virtual-ap guest

vlan 63

ssid-profile guest

(host)(config) #ap-group first-floor

virtual-ap guest

(host)(config) #ap-group second-floor

virtual-ap guest

Configuring the Non-Guest WLANs

You create and configure the SSID profile “WLAN-01” with the ESSID “WLAN-01” and WPA TKIP encryption. You

need to create and configure two virtual AP profiles: one with VLAN 60 for the first-floor AP group and the

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 279

280 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

other with VLAN 61 for the second-floor AP group. Each virtual AP profile references the SSID profile “WLAN-

01” and the previously-configured AAA profile “aaa_dot1x”.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. In the AP Group list, select first-floor.

3. In the Profiles list, select Wireless LAN, then select Virtual AP.

4. To configure the WLAN-01_first-floor virtual AP:

a. Select NEW from the Add a profile drop-down list. Enter WLAN-01_first-floor, and click Add.

b. In the Profile Details entry for the WLAN-01_first-floor virtual AP profile, select aaa_dot1x from the

AAA Profile drop-down list. A pop-up window displays the configured AAA parameters. Click Apply.

c. From the SSID profile drop-down list, select NEW. A pop-up window allows you to configure the SSID

profile.

d. Enter WLAN-01 for the name of the SSID profile.

e. Enter WLAN-01 for the Network Name.

f. Select WPA for Network Authentication.

g. Click Apply.

h. At the bottom of the Profile Details page, click Apply.

5. Click on the WLAN-01_first-floor virtual AP profile name in the Profiles list or in Profile Details to display

configuration parameters.

a. Ensure that you select Virtual AP enable.

b. For VLAN, select 60.

c. Click Apply.

6. Navigate to the Configuration > Wireless > AP Configuration page.

7. In the AP Group list, select second-floor.

8. In the Profiles list, select Wireless LAN and then Virtual AP.

9. To create the WLAN-01_second-floor virtual AP:

a. Select NEW from the Add a profile drop-down list. Enter WLAN-01_second-floor, and click Add.

b. In the Profile Details entry for the virtual AP profile, select aaa_dot1x from the AAA Profile drop-

down list. A pop-up window displays the configured AAA profile parameters. Click Apply.

c. From the SSID profile drop-down list, select WLAN-01. A pop-up window displays the configured SSID

profile parameters. Click Apply.

d. At the bottom of the Profile Details page, click Apply.

10.Click on the WLAN-01_second-floor virtual AP profile name in the Profiles list or in Profile Details to

display the configuration parameters.

a. Ensure that you select Virtual AP enable.

b. For VLAN, select 61.

c. Click Apply.

In the CLI

Use the following commands to configure a non-guest WLAN:

(host)(config) #wlan ssid-profile WLAN-01

essid WLAN-01

opmode wpa-tkip

(host)(config) #wlan virtual-ap WLAN-01_first-floor

vlan 60

aaa-profile aaa_dot1x

ssid-profile WLAN-01

(host)(config) #wlan virtual-ap WLAN-01_second-floor

vlan 61

aaa-profile aaa_dot1x

sid-profile WLAN-01

(host)(config) #ap-group first-floor

virtual-ap WLAN-01_first-floor

(host)(config) #ap-group second-floor

virtual-ap WLAN-01_second-floor

Configuring Mixed Authentication Modes

Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and 802.1x

authentication. When MAC authentication fails, enable the l2-auth-fail-through command to perform

802.1x authentication.

By default the l2-auth-fail-through command is disabled.

Authentication 1 2 3 4 5 6

MAC

authentication

Success Success Success Fail Fail Fail

802.1x

authentication

Success Fail — Success Fail —

Association dynamic-

wep

Association

static-

wep

dynamic-

wep

Association

static-

wep

Role Assignment 802.1x — MAC 802.1x — logon

Table 50: Mixed Authentication Modes

Table 50 describes the different authentication possibilities

In the CLI

Use the following command to configure Layer 2 authentication fail-through option:

(host)(config) #aaa profile test

l2-auth-fail-through

Performing Advanced Configuration Options for 802.1X

This section describes advanced configuration options for 802.1X authentication.

Configuring Reauthentication with Unicast Key Rotation

When enabled, unicast and multicast keys are updated after each reauthorization. It is a best practice to

configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least

15 minutes. Make sure these intervals are mutually prime, and the factor of the unicast key rotation interval

and the multicast key rotation interval is less than the reauthentication interval.

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 281

282 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Unicast key rotation depends upon both the AP/controller and wireless client behavior. It is known that some wireless

NICs have issues with unicast key rotation.

The following is an example of the parameters you can configure for reauthentication with unicast and

multicast key rotation:

lReauthentication: Enabled

lReauthentication Time Interval: 6011 Seconds

lMulticast Key Rotation: Enabled

lMulticast Key Rotation Time Interval: 1867 Seconds

lUnicast Key Rotation: Enabled

lUnicast Key Rotation Time Interval: 1021 Seconds

In the WebUI

1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.

2. Select 802.1x Authentication Profile, then select the name of the profile you want to configure.

3. Select the Advanced tab. Enter the following values:

nReauthentication Interval: 6011

nMulticast Key Rotation Time Interval: 1867

nUnicast Key Rotation Time Interval: 1021

nMulticast Key Rotation: (select)

nUnicast Key Rotation: (select)

nReauthentication: (select)

4. Click Apply.

In the CLI

(host)(config) #aaa authentication dot1x profile

reauthentication

timer reauth-period 6011

unicast-keyrotation

timer ukey-rotation-period 1021

multicast-keyrotation

timer mkey-rotation-period 1867

Application Single Sign-On Using L2 Authentication

This feature allows single sign-on (SSO) for different web-based applications using Layer 2 authentication

information. Single sign-on for web-based application uses Security Assertion Markup Language (SAML), which

happens between the web service provider and an identity provider (IDP) that the web server trusts. A request

made from the client to a web server is redirected to the IDP for authentication. If the user has already been

authenticated using L2 credentials, the IDP server already knows the authentication details and returns a SAML

response, redirecting the client browser to the web-based application. The user enters the web-based

application without needing to enter the credentials again.

Enabling application SSO using L2 network information requires configuration on the controllerand on the IDP

server. The Dell ClearPass Policy Manager (CPPM) is the only IDP supported. The controllerhas been optimized

to work with CPPM to provide better functionality as an IDP.

Important Points to Remember

lCPPM is the only supported IDP.

lSSO occurs after 802.1x authentication. Therefore, SSO after captive portal authentication is not

supported. Roles for captive portal and SSO are mutually exclusive and, therefore, a user in the captive

portal role cannot perform SSO and vice-versa.

lSSO with VIA is not supported.

lThere is a limit on the number of concurrent sessions that can be serviced at a given instant. This limit is set

at the webserver level using the web-server web-max-clients command. The default value is 320 for W-

7200 Series controller platforms and 25 for other controller platforms. The maximum number of

concurrent SSO sessions that can be handled is dependent on the other web services being handled and the

same time.

Enabling Application SSO

Enabling application SSO using L2 authentication information requires configuration on the controller and

CPPM. This feature is enabled by completing the following steps:

lController:

nConfiguring an SSO-IDP Profile

nApplying an SSO Profile to a User Role

nSelecting an IDP Certificate

lCPPM (refer to the ClearPass Policy Manager for configuration of the following procedures):

nAdd the controller’s IP address as a network device

nAdd the user to the local user DB

nCreate an enforcement profile to return the Aruba vendor-specific attribute (VSA) SSO token

nCreate an IDP attribute enforcement profile

nCreate an enforcement policy binding the Aruba VSA SSO token enforcement profile

nCreate an enforcement policy binding the IDP enforcement profile

nCreate a service, allowing the respective authentication types and authentication database, and bind the

Aruba VSA SSO token enforcement policy.

nCreate a service, allowing the respective authentication types and authentication database, and bind the

IDP enforcement policy.

nConfigure SSO for the CPPM.

Configuring SSO IDP-Profiles

Before SSO can be enabled, you must configure an SSO profile by completing the procedure detailed below.

In the WebUI

1. Navigate to Configuration > Advanced Services > All Profiles > Wireless LANs > SSO.

2. Enter the name of the SSO profile and click Add.

3. Click on the name of the IDP profile in the Instance list to edit the profile.

4. Click New.

5. Enter the name of the IDP URL in the URL Name text box.

6. Enter the IDP URL into the URL text box.

7. Click Add.

8. Repeat steps 4 through 7 for each IDP URL you are adding to the SSO profile.

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 283

284 | 802.1X Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

9. Click Apply when all URLs have been added.

In the CLI

sso idp-profile <idp profile name>

idp <urlname> <url>

Applying an SSO Profile to a User Role

The newly created SSO profile must be applied to any applicable user rules that require SSO. Apply the SSO

profile be completing the steps below.

In the WebUI

1. Navigate to Configuration > Security > Access Control.

2. Select the User Roles tab.

3. Select the User Role that the SSO profile will be linked to and click Edit.

4. Under Misc. Configuration, select an IDP profile from the idp profile name drop-down menu.

5. Click Apply.

In the CLI

user-role <role name>

sso <idp profile name>

Selecting an IDP Certificate

An SSL certificate is needed for SSL negotiation with browser. The certificate can be imported in PKCS12

format, so that it contains the certificate and private key, or the key pair can be generated and a certificate

signing request (CSR) request sent to the enterprise CA server to generate a certificate which can then be

uploaded to the controller.

For information about uploading or generating a certificate, see Managing Certificates.

After a certificate is uploaded or generated, the IDP certificate must be selected.

In the WebUI

1. Navigate to Configuration > Management > General.

2. Under IDP Server Certificate, select the IDP certificate from the Server Certificate drop-down menu.

3. Click Apply.

In the CLI

web-server

idp-certificate <name of the certificate>

Dell Networking W-Series ArubaOS 6.4.x| User Guide Stateful and WISPr Authentication | 285

Chapter 12

Stateful and WISPr Authentication

ArubaOS supports stateful 802.1X authentication, stateful NTLM authentication and authentication for

Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.1X authentication

in that the controller does not manage the authentication process directly, but monitors the authentication

messages between a user and an external authentication server, and then assigns a role to that user based

upon the information in those authentication messages. WISPr authentication allows clients to roam between

hotspots using different ISPs.

This chapter describes the following topics:

lWorking With Stateful Authentication on page 285

lWorking With WISPr Authentication on page 286

lUnderstanding Stateful Authentication Best Practices on page 286

lConfiguring Stateful 802.1X Authentication on page 286

lConfiguring Stateful NTLM Authentication on page 287

lConfiguring Stateful Kerberos Authentication on page 288

lConfiguring WISPr Authentication on page 289

Working With Stateful Authentication

ArubaOS supports three different types of stateful authentication:

lStateful 802.1X authentication: This feature allows the controller to learn the identity and role of a user

connected to a third-party AP, and is useful for authenticating users to networks with APs from multiple

vendors. When an 802.1X-capable access point sends an authentication request to a RADIUS server, the

controller inspects this request and the associated response to learn the authentication state of the user. It

then applies an identity-based user role through the Policy Enforcement Firewall.

lStateful Kerberos authentication: Use stateful Kerberos authentication to configure a controller to

monitor the Kerberos authentication messages between a client and a Windows authentication server. If

the client successfully authenticates via an Kerberos authentication server, the controller recognizes that

the client has been authenticated and assigns that client a specified user role.

lStateful NTLM authentication: NT LAN Manager (NTLM) is a suite of Microsoft authentication and

session security protocols. You can use stateful NTLM authentication to configure a controller to monitor

the NTLM authentication messages between a client and a Windows authentication server. If the client

successfully authenticates via an NTLM authentication server, the controller recognizes that the client has

been authenticated and assigns that client a specified user role.

The default Windows authentication method changed from the older NTLM protocol to the newer Kerberos

protocol, starting with Windows 2000. Therefore, stateful NTLM authentication is most useful for networks

with legacy, pre-Windows 2000 clients. Note also that unlike other types of authentication, all users

authenticated via stateful NTLM authentication must be assigned to the user role specified in the Stateful

NTLM Authentication profile. Dell’s stateful NTLM authentication does not support placing users in various

roles based upon group membership or other role-derivation attributes.

286 | Stateful and WISPr Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Working With WISPr Authentication

WISPr authentication allows a “smart client” to authenticate on the network when they roam between Wireless

Internet Service Providers, even if the wireless hotspot uses an ISP for which the client may not have an

account.

If you are a hotspot operator using WISPr authentication, and a client that has an account with your ISP

attempts to access the Internet at your hotspot, then your ISP’s WISPr AAA server authenticates that client

directly, and allows the client access on the network. If, however, the client only has an account with a partner

ISP, then your ISP’s WISPr AAA server forwards that client’s credentials to the partner ISP’s WISPr AAA server

for authentication. Once the client has been authenticated on the partner ISP, it is authenticated on your

hotspot’s own ISP, as per their service agreements. After your ISP sends an authentication message to the

controller, the controller assigns the default WISPr user role to that client.

ArubaOS supports the following smart clients, which enable client authentication and roaming between

hotspots by embedding iPass Generic Interface Specification (GIS) redirect,proxy,authentication, and logoff

messages within HTLM messages to the controller.

liPass

lBoingo

lTrustive

lweRoam

lAT&T

Understanding Stateful Authentication Best Practices

Before you can configure a stateful authentication feature, you must define a user role you want to assign to

the authenticated users, and create a server group that includes a RADIUS authentication server for stateful

802.1X authentication or a Windows server for stateful NTLM authentication. For details on performing these

tasks, see the following sections of this User Guide:

lRoles and Policies on page 364

lConfiguring a RADIUS Server on page 226

lConfiguring a Windows Server on page 235

lConfiguring Server Groups on page 238

You can use the default stateful NTLM authentication and WISPr authentication profiles to manage the

settings for these features, or you can create additional profiles as desired. Note, however, that unlike most

other types of authentication, stateful 802.lx authentication uses only a single Stateful 802.1X profile. This

profile can be enabled or disabled, but you can not configure more than one Stateful 802.1X profile.

Configuring Stateful 802.1X Authentication

When you configure 802.1X authentication for clients on non-Dell APs, you must specify the group of RADIUS

servers that performs the user authentication, and select the role to be assigned to those users who

successfully complete authentication. When the user logs off or shuts down the client machine, ArubaOSnote

sthe deauthentication message from the RADIUS server, and changes the user’s role from the specified

authenticated role back to the logon role. For details on defining a RADIUS server used for stateful 802.1X

authentication, see Configuring a RADIUS Server on page 226.

In the WebUI

To configure the Stateful 802.1X Authentication profile via the WebUI:

1. Navigate to the Configuration > Security > Authentication > L2 Authentication window.

2. In the Profiles list, select Stateful 802.1X Authentication Profile.

3. Click the Default Role drop-down list, and select the role assigned to stateful 802.1X authenticated users.

4. Specify the timeout period for authentication requests, from1 to 20 seconds. The default value is 10

seconds.

5. Select the Mode checkbox to enable stateful 802.1X authentication.

In the CLI

Use the commands below to configure stateful 802.1X authentication via the command-line interface. The first

set of commands defines the RADIUS server used for 802.1X authentication, and the second set assigns that

server to a server group. The third set associates that server group with the stateful 802.1X authentication

profile, then sets the authentication role and timeout period.

(host)(config)# aaa authentication-server radius <server-name>

acctport <port>

authport <port>

clone <server>

enable

host <ipaddr>

key <psk>

nas-identifier <string>

nas-ip <ipaddr>

retransmit <number>

timeout <seconds>

use-md5

(host)(config)# aaa server-group group <server-group>

auth-server <server-name>

(host)(config)# aaa authentication stateful-dot1x

server-group <server-group>

default-role <role>

enable

timeout <seconds>

Configuring Stateful NTLM Authentication

The Stateful NTLM Authentication profile requires that you specify a server group which includes the servers

performing NTLM authentication, and the role to be assigned to users who are successfully authenticated. For

details on defining a windows server used for NTLM authentication, see Configuring a Windows Server on page

235.

When the user logs off or shuts down the client machine, the user remains in the authenticated role until the

user ages out, that is, until the user has sent no traffic for the amount of time specified in the User Idle Timeout

setting in the Configuration > Security > Authentication > Advanced page.

In the WebUI

To create and configure a new instance of a stateful NTLM authentication profile via the WebUI:

1. Navigate to the Configuration > Security > Authentication > L3 Authenticationpage.

2. In the Profiles list, expand the Stateful NTLM Authentication Profile.

3. To define settings for an existing profile, click that profile name in the profiles list.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Stateful and WISPr Authentication | 287

288 | Stateful and WISPr Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

To create and define settings for a Stateful NTLM Authentication profile, select an existing profile, then click

Save As in the right window pane. Enter a name for the new profile in the entry field at the top of the right

window pane.

4. Click the Default Role drop-down list, and select the role to be assigned to all users after they complete

stateful NTLM authentication.

5. Specify the timeout period for authentication requests, from 1to 20 seconds. The default value is 10

seconds.

6. Select the Mode checkbox to enable stateful NTLM authentication.

7. Click Apply.

8. In the Profiles list, select the Server Group entry below the Stateful NTLM Authentication profile.

9. Click the Server Group drop-down list and select the group of Windows servers you want to use for

stateful NTLM authentication.

10.Click Apply.

In the CLI

Use the commands below to configure stateful NTLM authentication via the command-line interface. The first

set of commands defines the Windows server used for NTLM authentication, the second set adds that server

to a server group. The third set associates that server group with the stateful NTLM authentication profile then

defines the profile settings.

(host)(config)# aaa authentication-server windows <windows_server_name>

host <ipaddr>

enable

(host)(config)# aaa server-group group <server-group>

auth-server <windows_server_name>

(host)(config)# aaa authentication stateful-ntlm

default-role <role>

enable

server-group <server-group>

timeout <seconds>

Configuring Stateful Kerberos Authentication

The Stateful Kerberos Authentication profile requires that you specify a server group which includes the

Kerberos servers and the role to be assigned to users who are successfully authenticated. For details on

defining a windows server used for Kerberos authentication, see Configuring a Windows Server on page 235.

When the user logs off or shuts down the client machine, the user remains in the authenticated role until the

user ages out, that is, until the user has sent no traffic for the amount of time specified in the User Idle Timeout

setting in the Configuration > Security > Authentication > Advanced page.

In the WebUI

To create and configure a new instance of a stateful Kerberos authentication profile via the WebUI:

1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.

2. In the Profiles list, expand the Stateful Kerberos Authentication Profile.

3. To define settings for an existing profile, click that profile name in the Profiles list.

To create and define settings for a new Stateful Kerberos Authentication profile, select an existing profile,

then click Save As in the right window pane. Enter a name for the new profile in the entry field at the top of

the right window pane.

4. Click the Default Role drop-down list, and select the role to be assigned to all users after they complete

stateful Kerberos authentication.

5. Specify the timeout period for authentication requests, from 1-20 seconds. The default value is 10 seconds.

6. Click Apply.

7. In the Profiles list, select the Server Group entry below the Stateful Kerberos Authentication profile.

8. Click the Server Group drop-down list and select the group of Windows servers you want to use for

stateful Kerberos authentication.

9. Click Apply.

In the CLI

Use the commands below to configure stateful Kerberos authentication via the command-line interface. The

first set of commands defines the server used for Kerberos authentication, the second set adds that server to a

server group, and the third set of commands associates that server group with the stateful NTLM

authentication profile then defines the profile settings.

(host)(config)# aaa authentication-server windows <windows_server_name>

host <ipaddr>

enable

(host)(config)# aaa server-group group <server-group>

auth-server <windows_server_name>

(host)(config)# aaa authentication stateful-kerberos

default-role <role>

enable

server-group <server-group>

timeout <seconds>

Configuring WISPr Authentication

A WISPr authentication profile includes parameters to define RADIUS attributes, the default role for

authenticated WISPr users, maximum numbers of authenticated failures, and logon wait times. The WISPr-

Location-ID sent from the controller to the WISPr RADIUS server is the concatenation of the ISO Country Code,

E.164 Country Code, E.164 Area Code and SSID/Zone parameters configured in this profile.

The parameters to define WISPr RADIUS attributes are specific to the RADIUS server your ISP uses for WISPr

authentication; contact your ISP to determine these values. You can find a list of ISO and ITU country and area

codes at the ISO and ITU websites (iso.org)and itu.int.)

In the WebUI

This section describes how to create and configure a new instance of a WISPr authentication profile in the

WebUI.

1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.

2. In the Profiles list, expand the WISPr Authentication Profile.

3. To define settings for an existing profile, click that profile name in the Profiles list.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Stateful and WISPr Authentication | 289

290 | Stateful and WISPr Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

To create and define settings for a new WISPr Authentication profile, select an existing profile, then click

Save As in the right window pane. Enter a name for the new profile in the entry field. at the top of the right

window pane.

4. Define values for the parameters below.

Parameter Description

Default Role Default role assigned to users that complete WISPr authentication.

Logon wait minimum wait If the controller’s CPU utilization has surpassed the Login wait CPU

utilization threshold value, the Logon wait minimum wait

parameter defines the minimum number of seconds a user has to

wait to retry a login attempt. Range: 1–10 seconds. Default: 5 seconds.

Logon wait maximum wait If the controller’s CPU utilization has surpassed the Login wait

CPUutilization threshold value, the Logon wait maximum wait

parameter defines the maximum number of seconds a user has to

wait to retry a login attempt. Range: 1–10 seconds. Default: 10

seconds.

Logon wait CPU utilization

threshold

Percentage of CPU utilization at which the maximum and minimum

WISPr Location-ID ISO Country

Code

The ISO Country Code section of the WISPr Location ID.

WISPr Location-ID E.164 Country

Code

The E.164 Country Code section of the WISPr Location ID.

WISPr Location-ID E.164 Area Code The E.164 Area Code section of the WISPr Location ID.

WISPr Location-ID SSID/Zone The SSID/Zone section of the WISPr Location ID.

WISPr Operator Name A name identifying the hotspot operator.

WISPr Location Name A name identifying the hotspot location. If no name is defined, the

parameter uses the name of the AP to which the user has associated.

Table 51: WISPr Authentication Profile Parameters

5. Click Apply.

6. In the Profiles list, select the Server Group entry below the WISPr Authentication profile.

7. Click the Server Group drop-down list and select the group of RADIUS servers you want to use for WISPr

authentication.

8. Click Apply.

A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To

support Boingo clients, you must also configure the NAS identifier parameter in the Radius server profile for the

WISPr server

In the CLI

Use the CLI commands below to configure WISPr authentication. The first set of commands defines the

RADIUS server used for WISPr authentication, and the second set adds that server to a server group. The third

set of commands associates that server group with the WISPR authentication profile, then defines the profile

settings.

(host)(config)# aaa authentication-server radius <rad_server_name>

host 172.4.77.214

key qwERtyuIOp

enable

nas-identifier corp_venue1

(host)(config)# aaa server-group group <server-group>

auth-server <radius_server_name>

(host)(config)# aaa authentication wispr

default-role <role>

logon-wait {cpu-threshold|maximum-delay|minimum-delay}

server-group <server-group>

wispr-location-id-ac <wispr-location-id-ac>

wispr-location-id-cc <wispr-location-id-cc>

wispr-location-id-isocc <wispr-location-id-isocc>

wispr-location-id-network <wispr-location-id-network>

wispr-location-name-location <wispr-location-name-location>

wispr-location-name-operator-name <wispr-location-name-location>

Dell Networking W-Series ArubaOS 6.4.x | User Guide Stateful and WISPr Authentication | 291

Dell Networking W-Series ArubaOS 6.4.x| User Guide Certificate Revocation | 292

Chapter 13

Certificate Revocation

The Certificate Revocation feature enables the controller to perform real-time certificate revocation checks

using the Online Certificate Status Protocol (OCSP), or traditional certificate validation using the Certificate

Revocation List (CRL) client.

Topics in this chapter include:

lUnderstanding OCSP and CRL on page 292

lConfiguring the Controller as a CRL Client on page 295

lConfiguring the Controller as an OCSP Responder on page 296

lConfiguring the Controller as an OCSP Client on page 293

lCertificate Revocation Checking for SSH Pubkey Authentication on page 297

Understanding OCSP and CRL

OCSP (RFC 2560) is a standard protocol that consists of an OCSP client and an OCSP responder. This protocol

determines revocation status of a given digital public-key certificate without downloading the entire CRL.

CRL is the traditional method of checking certificate validity. A CRL provides a list of certificate serial numbers

that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the

presented certificate while verifying it. CRLs are limited to 512 entries.

Both the Delegated Trust Model and the Direct Trust Model are supported to verify digitally signed OCSP

responses. Unlike the Direct Trust Model, the Delegated Trust Model does not require the OCSP responder

certificates to be explicitly available on the controller.

Configuring a Controller as OCSP and CRL Clients

The controller can act as an OCSP client and issues OCSP queries to remote OCSP responders located on the

intranet or Internet. Since many applications in ArubaOS (such as IKE), use digital certificates, a protocol such as

OCSP needs to be implemented for revocation.

An entity that relies on the content of a certificate (a relying party) needs to do the checking before accepting

the certificate as being valid. One check verifies that the certificate has not been revoked. The OCSP client

retrieves certificate revocation status from an OCSP responder. The responder may be the CA (Certificate

Authority) that has issued the certificate in question, or it may be some other designated entity which provides

the service on behalf of the CA. A revocation checkpoint is a logical profile that is tied to each CA certificate that

the controller has (trusted or intermediate). Also, the user can specify revocation preferences within each

profile.

The OCSP request is not signed by the Dell OCSP client at this time. However, the OCSP response is always

signed by the responder.

Both OCSP and CRL configuration and administration is usually performed by the administrator who manages

the web access policy for an organization.

In small networks where there are is no Internet connection or connection to an OCSP responder, CRL is

preferable to than OCSP.

293 | Certificate Revocation Dell Networking W-Series ArubaOS 6.4.x| User Guide

Configuring an OCSP Controller as a Responder

The controller can be configured to act as an OCSP responder (server) and respond to OCSP queries from

clients that want to obtain revocation status of certificates.

The OCSP responder on the controller is accessible over HTTP port 8084. You cannot configure this port.

Although the OCSP responder accepts signed OCSP requests, it does not attempt to verify the signature before

processing the request. Therefore, even unsigned OCSP requests are supported.

The controller as an OCSP responder provides revocation status information to Dell applications that use CRLs.

This is useful in small disconnected networks where clients cannot reach outside OCSP server to validate

certificates. Typical scenarios include client to client or client to other server communication situations where

the certificates of either party need to be validated.

Configuring the Controller as an OCSP Client

When OCSP is used as the revocation method, you need to configure the OCSP responder certificate and the

OCSP URL.

In the WebUI

1. Navigate to the Configuration > Management > Certificates > Upload page.

2. Enter a name in the Certificate Name field. This name identifies the certificate you are uploading.

3. Enter the certificate file name in the Certificate Filename field. Use the Browse button to enter the full

pathname.

4. Select the certificate format from the Certificate Format drop-down menu.

5. Select OCSP Responder Cert from the Certificate Type drop-down menu.

A revocation check method (OCSP or CRL) can be chosen independently for every revocation checkpoint. In this

example, we are only describing the OCSP check method.

Once this certificate is uploaded it is maintained in the certificate store for OCSP responder certificates.

These certificates are used for signature verification.

Figure 32 Upload a certificate

6. Click Upload. The certificate appears in the Certificate Lists pane.

7. For detailed information about an uploaded certificate, click View next to the certificate.

Figure 33 View certificate details

8. Select the Revocation Checkpoint tab.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Certificate Revocation | 294

295 | Certificate Revocation Dell Networking W-Series ArubaOS 6.4.x| User Guide

9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to

configure. The Revocation Checkpoint pane displays.

10.In the Revocation Check field, select ocsp from the Method 1 drop-down list as the primary check

method.

11.In the OCSP URL field, enter the URL of the OCSP responder.

12.In the OCSP Responder Cert field, select the OCSP certificate you want to configure from the drop-down

menu.

13.Click Apply.

In the CLI

This example configures an OCSP client with the revocation check method as OCSP for revocation check point

CAroot.

The OCSP responder certificate is configured as RootCA-Ocsp_responder. The corresponding OCSP responder

service is available at http://10.4.46.202/ocsp. The check method is OCSP for revocation check point

CARoot.

(host) (config) #crypto-local pki rcp CARoot

(host) (RCP-CARoot) #ocsp-responder-cert RootCA-Ocsp_responder

(host) (RCP-CARoot) #ocsp-url http://10.4.46.202/ocsp

(host) (RCP-CARoot) #revocation-check ocsp

The show crypto-local pki OCSPResponderCert CLI command lists the contents of the OCSP Responder

Certificate store.

The show crypto-local pki revocation checkpoint rcp_name CLI command shows the entire

configuration for a given revocation checkpoint.

Configuring the Controller as a CRL Client

CRL is the traditional method of checking certificate validity. When you want to check certificate validity using a

CRL, you need to import the CRL. You can import CRLs only through the WebUI.

In the WebUI

1. Navigate to the Configuration > Management > Certificates > Upload page.

2. Enter a name in the Certificate Name field. This name identifies the CRL certificate you are uploading.

3. Enter the certificate file name in the Certificate Filename field. Use Browse to enter the full pathname.

4. Select the certificate format from the Certificate Format drop-down menu.

5. Select CRL from the Certificate Type drop-down menu.

A revocation check method (OCSP or CRL) can be chosen independently for every revocation checkpoint. In this

example, we are only describing the CRL check method.

Once this CRL is uploaded it is maintained in the store for CRLs. These CRLs are used for signature

verification.

6. Click Upload. The CRL appears in the Certificate Lists pane. Select CRL from the Group drop-down list if you

want to display only CRLs.

7. For detailed information about an uploaded CRL, click View next to the CRL.

8. Select the Revocation Checkpoint tab.

9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to

configure. The Revocation Checkpoint pane displays.

10.In the Revocation Check field, select crl from the Method 1 drop-down list.

11.In the CRL Location field, enter the CRL you want to use for this revocation checkpoint. The CRLs listed are

files that have already been imported onto the controller.

12.Click Apply.

In the CLI

This example configures an OCSP responder with the check method as CRL for revocation check point ROOTCa-

ssh-webui. The CRL location is crl1 and the revocation check method is crl.

(host) (config) #crypto-local pki rcp ROOTCa-ssh-webui

(host) (RCP-CARoot) #crl-location file crl1

(host) (RCP-CARoot) #revocation-check crl

Configuring the Controller as an OCSP Responder

When configured as an OCSP responder, the controller provides revocation status information to ArubaOS

applications that use CRLs.

In the WebUI

1. Navigate to the Configuration > Management > Certificates > Upload page.

2. Enter a name in the Certificate Name field. This name identifies the OCSP signer certificate you are

uploading.

3. Enter the certificate file name in the Certificate Filename field. Use Browse to enter the full pathname.

4. Select the certificate format from the Certificate Format drop-down menu.

5. Select OCSP signer cert from the Certificate Type drop-down menu. Once this certificate is uploaded, it

is maintained in the certificate store for OCSP signer certificates. These certificates are used for signature

verification.

The OCSP signer cert signs OCSP responses for this revocation check point. The OCSP signer cert can be the

same trusted CA as the check point, a designated OCSP signer certificate issued by the same CA as the check

point or some other local trusted authority.

If you do not specify an OCSP signer cert, OCSP responses are signed using the global OCSP signer

certificate. If that is not present, than an error message is sent out to clients.

The OCSP signer certificate takes precedence over the global OCSP signer certificate as it is check point specific.

6. Click Upload. The certificate appears in the Certificate Lists pane. Select OCSP signer cert from the Group

drop-down list if you want to display only those certificates which are OCSP signer certificates.

7. For detailed information about an uploaded certificate, click View next to the certificate.

8. Select the Revocation Checkpoint tab.

9. Select Enable next to Enable OCSP Responder.

Enable OCSP Responder is a global knob that turns the OCSP responder service on or off on the controller.

The default is disabled (off). Enabling this option automatically adds the OCSP responder port (TCP 8084) to

the permit list in the CP firewall so this can be accessed from outside the controller.

10.Select the OCSP signer cert from the OCSP Certificates drop-down menu to be used to sign OCSP

responses for this revocation check point.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Certificate Revocation | 296

297 | Certificate Revocation Dell Networking W-Series ArubaOS 6.4.x| User Guide

11.In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to

configure. The Revocation Checkpoint pane displays.

12.In the Revocation Check field, optionally select a check method from the Method 1 drop-down list.

Optionally, select a backup check method from the Method 2 drop-down list.

13.Select Enable next to Enable OCSP Responder.

14.Select OCSP signer cert from the OCSP Signer Cert drop-down menu.

15.In the CRL Location field, enter the CRL you want used for this revocation checkpoint. The CRLs listed are

files that have already been imported onto the controller.

16.Click Apply.

In the CLI

This example configures the controller as an OCSP responder. The OCSP responder service is enabled, the

revocation check point is CAroot, the OCSP signer cert is “oscap_CA1,” and the CRL file location is “Sec1-WIN-

05PRGNGEKAO-CA-unrevoked.crl.”

(host) (config) #crypto-local pki service-ocsp-responder

(host) (config) #crypto-local pki rcp CAroot

(host) (CAroot) #ocsp-signer-cert oscsp_CA1

(host) (CAroot) #crl-location file Sec1-WIN-05PRGNGEKAO-CA-unrevoked.crl

(host) (CAroot) #enable-ocsp-responder

Certificate Revocation Checking for SSH Pubkey Authentication

This feature allows the ssh-pubkey management user to be optionally configured with a Revocation

Checkpoint (RCP). This meets the requirement for a two-factor authentication and integration of device

management with PKI for SSH pubkey authentication. The ArubaOS implementation of SSH using Pubkey

authentication is designed for integration with smart cards or other technologies that use X.509 certificates.

The RCP checks the revocation status of the SSH user’s client certificate before permitting access. If the

revocation check fails, the user is denied access using the ssh-pubkey authentication method. However, the

user can still authenticate through a username and password if configured to do so.

For information about configuring a revocation checkpoint, see Certificate Revocation.

Configuring the SSH Pubkey User with RCP

You can configure the SSH pubkey user with RCP to check the validity of the user’s x.509 certificate.

In the WebUI

1. Navigate to Configuration > Management > Administration.

2. Under Management Users, click Add. The Add User page displays.

3. Select Certificate Management, then SSH Public Key.

4. When adding an ssh-pubkey user, when revocation check is enabled, perform either of the following tasks :

lTo enable the RCP check, select a valid configured RCP from Revocation Checkpoint drop-down menu.

lSelect None if you do not want the RCP check enabled for the ssh pubkey user.

In the CLI

The CLI allows you to configure an optional RCP for an ssh-pubkey user. Users can still be configured without

the RCP. In this example, the certificate name is

“client1-rg,”, the username is “test1,” the role name is “root,” and the rcp is “ca-rg:”

(host)(config) #mgmt-user ssh-pubkey client-cert client1-rg test1 root ?

rcp Revocation Checkpoint for ssh user's client certificate

(host)(config) #mgmt-user ssh-pubkey client-cert client1-rg test1 root rcp ca-rg

In this example, a user is configured without the RCP:

(host)(config) #mgmt-user ssh-pubkey client-cert client2-rg test2 root

Displaying Revocation Checkpoint for the SSH Pubkey User

The RCP checks the revocation status of the SSH user’s client certificate before permitting access. If the

revocation check fails, the user is denied access using the ssh-pubkey authentication method. However, the

user can still authenticate through a username and password if configured to do so. This feature allows the

ssh-pubkey management user to be optionally configured with a Revocation Checkpoint (RCP). This meets the

requirement for a two-factor authentication and integration of device management with PKI for SSH pubkey

authentication. The ArubaOS implementation of SSH using Pubkey authentication is designed for integration

with smart cards or other technologies that use X.50.

Configuring the SSH Pubkey User with RCP

In the WebUI

Navigate to Configuration > Management > Administration. The column SSH Revocation Checkpoint

displays the RCP configured (if any) for the ssh pubkey user.

In the CLI

The show mgmt-user ssh-pubkey CLI command displays the column REVOCATION CHECKPOINT which

displays the configured RCP for the ssh-pubkey user. If no RCP is configured for the user, the word none is

displayed.

(host)#show mgmt-user ssh-pubkey

Removing the SSH Pubkey User

In the WebUI

1. Navigate to Configuration > Management > Administration.

2. Click Delete next to the management user you want to delete.

In the CLI

Remove ssh pubkey users by using the following command:

(host) (config) #no mgmt-user ssh-pubkey client-cert <certname> <username>

Dell Networking W-Series ArubaOS 6.4.x | User Guide Certificate Revocation | 298

Dell Networking W-Series ArubaOS 6.4.x| User Guide Captive Portal Authentication | 299

Chapter 14

Captive Portal Authentication

Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web

page which requires user action before network access is granted. The required action can be simply viewing

and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a

database of authorized users.

You can also configure captive portal to allow clients to download the Dell VPN dialer for Microsoft VPN clients

if the VPN is to be terminated on the controller. For more information about the VPN dialer, see Virtual Private

Networks on page 337.

Topics in this chapter include:

lUnderstanding Captive Portal on page 299

lConfiguring Captive Portal in the Base Operating System on page 300

lUsing Captive Portal with a PEFNG License on page 302

lSample Authentication with Captive Portal on page 305

lConfiguring Guest VLANs on page 311

lConfiguring Captive Portal Authentication Profiles on page 312

lEnabling Optional Captive Portal Configurations on page 317

lPersonalizing the Captive Portal Page on page 321

lCreating and Installing an Internal Captive Portal on page 323

lCreating Walled Garden Access on page 332

lEnabling Captive Portal Enhancements

Understanding Captive Portal

You can configure captive portal for guest users, where no authentication is required, or for registered users

who must be authenticated against an external server or the controller’s internal database.

While you can use captive portal to authenticate users, it does not provide for encryption of user data and should not

be used in networks where data security is required. Captive portal is most often used for guest access, access to

open systems (such as public hot spots), or as a way to connect to a VPN.

You can use captive portal for guest and registered users at the same time. The default captive portal web page

provided with ArubaOS displays login prompts for both registered users and guests. (You can customize the

default captive portal page, as described in Personalizing the Captive Portal Page on page 321)

You can also load up to 16 different customized login pages into the controller. The login page displayed is

based on the SSID to which the client associates.

Policy Enforcement Firewall Next Generation (PEFNG) License

You can use captive portal with or without the PEFNG license installed in the controller. The PEFNG license

provides identity-based security to wired and wireless clients through user roles and firewall rules. You must

purchase and install the PEFNG license on the controller to use identity-based security features.

300 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

There are differences in how captive portal functions work and how you configure captive portal, depending on

whether the license is installed. Other parts of this chapter describe how to configure captive portal in the base

operating system (without the PEFNG license) and with the license installed.

Controller Server Certificate

The Dell controller is designed to provide secure services through the use of digital certificates. A server

certificate installed in the controller verifies the authenticity of the controller for captive portal.

Dell controllers ship with a demonstration digital certificate. Until you install a customer-specific server

certificate in the controller, this demonstration certificate is used by default for all secure HTTP connections

such as captive portal. This certificate is included primarily for the purposes of feature demonstration and

convenience and is not intended for long-term use in production networks. Users in a production environment

are urged to obtain and install a certificate issued for their site or domain by a well-known certificate authority

(CA). You can generate a Certificate Signing Request (CSR) on the controller to submit to a CA. For information

on how to generate a CSR and how to import the CA-signed certificate into the controller, see Managing

Certificates on page 795 in Management Access on page 778.

The controllercan accept wild card server certificates (CN begins with an asterisk). If a wildcard certificate is

uploaded (for example, CN=*.domain.com), the asterisk in CN is replaced with 'captiveportal-login' in order to

derive the Captive Portal logon page URL (captiveportal-login.domain.com).

Once you have imported a server certificate into the controller, you can select the certificate to be used with

captive portal as described in the following sections.

To select a certificate for captive portal using the WebUI:

1. Navigate to the Configuration > Management > General page.

2. Under Captive Portal Certificate, select the name of the imported certificate from the drop-down list.

3. Click Apply.

To select a certificate for captive portal using the command-line interface, access the CLI in config mode and

issue the following commands:

(host)(config) #web-server

captive-portal-cert <certificate>

To specify a different server certificate for captive portal with the CLI, use the no command to revert back to

the default certificate before you specify the new certificate:

(host)(config) #web-server

captive-portal-cert ServerCert1

no captive-portal-cert

captive-portal-cert ServerCert2

Configuring Captive Portal in the Base Operating System

The base operating system (ArubaOS without any licenses) allows full network access to all users who connect

to an ESSID, both guest and registered users. In the base operating system, you cannot configure or customize

user roles; this function is only available by installing the PEFNG license. Captive portal allows you to control or

identify who has access to network resources.

When you create a captive portal profile in the base operating system, an implicit user role is automatically

created with same name as the captive portal profile. This implicit user role allows only DNS and DHCP traffic

between the client and network and directs all HTTP or HTTPS requests to the captive portal. You cannot

directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full

access to their assigned VLAN.

The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal configuration for WLANs associated with

the “default” ap-group: Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within the

wizard and refer to the help tab for assistance.

What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group and

profile names appear inside quotation marks.

lCreate the Server Group name. In this example, the server group name is “cp-srv”.

If you are configuring captive portal for registered users, configure the server(s) and create the server

group. For more information about configuring authentication servers and server groups, see

Authentication Servers on page 225.

lCreate Captive Portal Authentication Profile. In this example, the profile name is “c-portal”.

Create and configure an instance of the captive portal authentication profile. Creating the captive portal

profile automatically creates an implicit user role and ACL with the same name. Creating the profile “c-

portal” creates an implicit user role called “c-portal”. That user role allows only DNS and DHCP traffic

between the client and network and directs all HTTP or HTTPS requests to the captive portal.

lCreate an AAA Profile. In this example, the profile name is “aaa_c-portal”.

Create and configure an instance of the AAA profile. For the initial role, enter the implicit user role that was

created in step on page 301. The initial role in the profile “aaa_c-portal” must be set to “c-portal”.

lCreate SSID Profile. In this example, the profile name is “ssid_c-portal”.

Create and configure an instance of the virtual AP profile which you apply to an AP group or AP name.

Specify the AAA profile you created in step on page 301.

lCreate a Virtual AP Profile. In this example, the profile name is “vp_c-portal”.

Create and configure an instance of the SSID profile for the virtual AP.

The following sections present the procedure for configuring the captive portal authentication profile, the AAA

profile, and the virtual AP profile using the WebUI or the command line (CLI). Configuring the VLAN and

authentication servers and server groups are described elsewhere in this document.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > L3 Authentication page. Select the

Captive Portal Authentication profile.

a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, c-

portal), then click Add.

b. Select the captive portal authentication profile you just created.

c. You can enable user login and/or guest login, and configure other captive portal profile parameters as

described in Table 52.

d. Click Apply.

2. To specify authentication servers, select Server Group under the captive portal authentication profile you

just configured.

a. Select the server group (for example, cp-srv) from the drop-down menu.

b. Click Apply.

3. Select the AAA Profiles tab.

a. In the AAA Profiles Summary, click Add to add a new profile. Enter the name of the profile (for example,

aaa_c-portal), then click Add.

b. Select the AAA profile you just created.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 301

302 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created

previously.

The Initial Role must be exactly the same as the name of the captive portal authentication profile you created.

d. Click Apply.

4. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP

Specific tab. Click Edit for the applicable AP group name or AP name.

5. Under Profiles, select Wireless LAN, then select Virtual AP.

6. To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name for

the virtual AP profile (for example, vp_c-portal), then click Add.

a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously created

from the AAA Profile drop-down menu. A pop-up window displays the configured AAA profile

parameters. Click Apply in the pop-up window.

b. From the SSID profile drop-down menu, select NEW. A pop-up window allows to you configure the SSID

profile.

c. Enter the name for the SSID profile (for example, ssid_c-portal).

d. Enter the Network Name for the SSID (for example, c-portal-ap).

e. Click Apply in the pop-up window.

f. At the bottom of the Profile Details page, click Apply.

7. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.

a. Make sure Virtual AP enable is selected.

b. For VLAN, select the VLAN to which users are assigned (for example, 20).

c. Click Apply.

In the CLI

To configure captive portal in the base operating system via the command-line interface, access the CLI in

config mode and issue the following commands:

(host)(config) #aaa authentication captive-portal c-portal

server-group cp-srv

(host)(config) #aaa profile aaa_c-portal

initial-role c-portal

(host)(config) #wlan ssid-profile ssid_c-portal

essid c-portal-ap

(host)(config) #wlan virtual-ap vp_c-portal

aaa-profile aaa_c-portal

ssid-profile ssid_c-portal

vlan 20

Using Captive Portal with a PEFNG License

The PEFNG license provides identity-based security for wired and wireless users. There are two user roles that

are important for captive portal:

lDefault user role, which you specify in the captive portal authentication profile, is the role granted to clients

upon captive portal authentication. This can be the predefined guest system role.

lInitial user role, which you specify in the AAA profile, directs clients who associate to the SSID to captive

portal whenever the user initiates a Web browser connection. This can be the predefined logon system role.

The captive portal authentication profile specifies the captive portal login page and other configurable

parameters. The initial user role configuration must include the applicable captive portal authentication

profile instance.

MAC-based authentication, if enabled on the controller, takes precedence over captive portal authentication.

The following are the basic tasks for configuring captive portal using role-based access provided by the Policy

Enforcement Firewall software module. Note that you must install the PEFNG license before proceeding (see

Software Licenses on page 130).

lConfigure the user role for a default user.

Create and configure user roles and policies for guest or registered captive portal users. (See Roles and

Policies on page 364 for more information about configuring policies and user roles.)

lCreate a server group.

If you are configuring captive portal for registered users, configure the server(s) and create the server

group. (See Authentication Servers on page 225for more information about configuring authentication

servers and server groups.)

If you are using the controller’s internal database for user authentication, use the predefined “Internal” server group.

You need to configure entries in the internal database, as described in Authentication Servers on page 225.

lCreate the captive portal authentication profile.

Create and configure an instance of the captive portal authentication profile. Specify the default user role

for captive portal users.

lConfigure the initial user role.

Create and configure the initial user role for captive portal. You need to include the predefined

captiveportal policy, which directs clients to the captive portal, in the initial user role configuration.

You also need to specify the captive portal authentication profile instance in the initial user role

configuration. For example, if you are using the predefined logon system role for the initial role, you need

to edit the role to specify the captive portal authentication profile instance.

lCreate the AAA Profile.

Create and configure an instance of the AAA profile. Specify the initial user role.

lCreate the SSID Profile “ssid_c-portal”.

Create and configure an instance of the virtual AP profile that you apply to an AP group or AP name. Specify

the AAA profile you just created.

lCreate the Virtual AP Profile “vp_c-portal”.

Create and configure an instance of the SSID profile for the virtual AP.

The following sections present the WebUI and Command Line (CLI) procedures for configuring the captive

portal authentication profile, initial user role, the AAA profile, and the virtual AP profile. Other chapters within

this document detail the configuration of the user roles and policies, authentication servers, and server groups.

Configuring Captive Portal in the WebUI

To configure captive portal with PEFNG license via the WebUI:

1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.

2. Select Captive Portal Authentication Profile.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 303

304 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, c-

portal), then click Add.

b. Select the captive portal authentication profile you just created.

c. Select the default role (for example, employee) for captive portal users.

d. Enable guest login and/or user login, as well as other parameters (refer to Table 52).

e. Click Apply.

3. To specify the authentication servers, select Server Group under the captive portal authentication profile

you just configured.

a. Select the server group (for example, cp-srv) from the drop-down menu.

b. Click Apply.

4. Select the AAA Profiles tab.

a. In the AAA Profiles Summary, click Add to add a new profile. Enter the name of the profile (for example,

aaa_c-portal), then click Add.

b. Set the Initial role to a role that you will configure with the captive portal authentication profile.

c. Click Apply.

5. Navigate to the Configuration > Security > Access Control page to configure the initial user role to use

captive portal authentication.

a. To edit the predefined logon role, select the System Roles tab, then click Edit for the logon role.

b. To configure a new role, first configure policy rules in the Policies tab, then select the User Roles tab to

add a new user role and assign policies.

c. To specify the captive portal authentication profile, scroll down to the bottom of the page. Select the

profile from the Captive Portal Profile drop-down menu, and click Change.

d. Click Apply.

6. Navigate to the Configuration > Wireless > AP Configuration page to configure the virtual AP profile.

7. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.

8. Under Profiles, select Wireless LAN, then select Virtual AP.

9. Select NEW from the Add a profile drop-down menu to create a new virtual AP profile. Enter the name for

the virtual AP profile (for example, vp_c-portal), then click Add.

a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously

configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up

window.

b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID

profile.

c. Enter the name for the SSID profile (for example, ssid_c-portal).

d. Enter the Network Name for the SSID (for example, c-portal-ap).

e. Click Apply in the pop-up window.

f. At the bottom of the Profile Details page, click Apply.

10.Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.

a. Make sure Virtual AP enable is selected.

b. For VLAN, select the VLAN to which users are assigned (for example, 20).

c. Click Apply.

Configuring Captive Portal in the CLI

To configure captive portal with the PEFNG license via the command-line interface, access the CLI in config

mode and issue the following commands:

(host)(config) #aaa authentication captive-portal c-portal

d>efault-role employee

server-group cp-srv

(host)(config) #user-role logon

captive-portal c-portal

(host)(config) #aaa profile aaa_c-portal

initial-role logon

(host)(config) #wlan ssid-profile ssid_c-portal

essid c-portal-ap

vlan 20

(host)(config) #wlan virtual-ap vp_c-portal

aaa-profile aaa_c-portal

ssid-profile ssid_c-portal

Sample Authentication with Captive Portal

In the following example:

lGuest clients associate to the guestnet SSID which is an open wireless LAN. Guest clients are placed into

VLAN 900 and assigned IP addresses by the controller’s internal DHCP server. The user has no access to

network resources beyond DHCP and DNS until they open a web browser and log in with a guest account

using captive portal.

lGuest users are given a login and password from guest accounts created in the controller’s internal

database. The temporary guest accounts are created and administered by the site receptionist.

lGuest users must enter their assigned login and password into the captive portal login before they are given

access to use web browsers (HTTP and HTTPS), POP3 email clients, and VPN clients (IPsec, PPTP, and L2TP)

on the Internet and only during specified working hours. Guest users are prohibited from accessing internal

networks and resources. All traffic to the Internet is source-NATed.

This example assumes a Policy Enforcement Firewall Next Generation (PEFNG) license is installed in the

controller.

In this example, you create two user roles:

lguest-logon is a user role assigned to any client who associates to the guestnet SSID. Normally, any client

that associates to an SSID will be placed into the logon system role. The guest-logon user role is more

restrictive than the logon role.

lauth-guest is a user role granted to clients who successfully authenticate via the captive portal.

Creating a Guest User Role

The guest-logon user role consists of the following ordered policies:

lcaptiveportal is a predefined policy that allows captive portal authentication.

lguest-logon-access is a policy that you create with the following rules:

nAllows DHCP exchanges between the user and the DHCP server during business hours while blocking

other users from responding to DHCP requests.

nAllows ICMP exchanges between the user and the controller during business hours.

lblock-internal-access is a policy that you create that denies user access to the internal networks.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 305

306 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

The guest-logon user role configuration needs to include the name of the captive portal authentication profile

instance. You can modify the user role configuration after you create the captive portal authentication profile

instance.

Creating an Auth-guest User Role

The auth-guest user role consists of the following ordered policies:

lcplogout is a predefined policy that allows captive portal logout.

lguest-logon-access is a policy that you create with the following rules:

nAllows DHCP exchanges between the user and the DHCP server during business hours while blocking

other users from responding to DHCP requests.

nAllows DNS exchanges between the user and the public DNS server during business hours. Traffic is

source-NATed using the IP interface of the controller for the VLAN.

lblock-internal-access is a policy that you create that denies user access to the internal networks.

lauth-guest-access is a policy that you create with the following rules:

nAllows DHCP exchanges between the user and the DHCP server during business hours while blocking

other users from responding to DHCP requests.

nAllows DNS exchanges between the user and the public DNS server during business hours. Traffic is

source-NATed using the IP interface of the controller for the VLAN.

nAllows HTTP/S traffic from the user during business hours. Traffic is source-NATed using the I interface

of the controller for the VLAN.

ldrop-and-log is a policy that you create that denies all traffic and logs the attempted network access.

Configuring Policies and Roles in the WebUI

Creating a Time Range

To create a time range via the WebUI:

1. Navigate to the Configuration > Security > Access Control > Time Ranges page to define the time

range “working-hours”.

2. Click Add.

a. For Name, enter working-hours.

b. For Type, select Periodic.

c. Click Add.

d. For Start Day, click Weekday.

e. For Start Time, enter 07:30.

f. For End Time, enter 17:00.

g. Click Done.

3. Click Apply.

To create the guest-logon-access policy via the WebUI:

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Select Add to add the guest-logon-access policy.

3. For Policy Name, enter guest-logon-access.

4. For Policy Type, select IPv4 Session.

5. Under Rules, select Add to add rules for the policy.

a. Under Source, select user.

b. Under Destination, select any.

c. Under Service, select udp. Enter 68.

d. Under Action, select drop.

e. Click Add.

6. Under Rules, click Add.

a. Under Source, select any.

b. Under Destination, select any.

c. Under Service, select service. Select svc-dhcp.

d. Under Action, select permit.

e. Under Time Range, select working-hours.

f. Click Add.

Creating Aliases

The following step defines an alias representing the public DNS server addresses. Once defined, you can use

the alias for other rules and policies.

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Select Add to add the guest-logon-access policy.

3. For Policy Name, enter guest-logon-access.

4. For Policy Type, select IPv4 Session.

5. Under Rules, click Add.

a. Under Source, select user.

b. Under Destination, select alias.

c. Under the alias selection, click New.

nFor Destination Name, enter “Public DNS“.

nClick Add to add a rule. For Rule Type, select host.

nFor IP Address, enter 64.151.103.120.

nClick Add. For Rule Type, select host.

nFor IP Address, enter 216.87.84.209.

nClick Add.

nClick Apply. The alias “Public DNS” appears in the Destination menu

d. Under Destination, select Public DNS.

e. Under Service, select svc-dns.

f. Under Action, select src-nat.

g. Under Time Range, select working-hours.

h. Click Add.

6. Click Apply.

Creating an Auth-Guest-Access Policy

To configure the auth-guest-access policy via the WebUI:

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Select Add to add the guest-logon-access policy.

3. For Policy Name, enter auth-guest-access.

4. For Policy Type, select IPv4 Session.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 307

308 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

5. Under Rules, select Add to add rules for the policy.

a. Under Source, select user.

b. Under Destination, select any.

c. Under Service, select udp. Enter 68.

d. Under Action, select drop.

e. Click Add.

6. Under Rules, click Add.

a. Under Source, select any.

b. Under Destination, select any.

c. Under Service, select service. Select svc-dhcp.

d. Under Action, select permit.

e. Under Time Range, select working-hours.

f. Click Add.

7. Under Rules, click Add.

a. Under Source, select user.

b. Under Destination, select alias. Select Public DNS from the drop-down menu.

c. Under Service, select service. Select svc-dns.

d. Under Action, select src-nat.

e. Under Time Range, select working-hours.

f. Click Add.

8. Under Rules, click Add.

a. Under Source, select user.

b. Under Destination, select any.

c. Under Service, select service. Select svc-http.

d. Under Action, select src-nat.

e. Under Time Range, select working-hours.

f. Click Add.

9. Under Rules, click Add.

a. Under Source, select user.

b. Under Destination, select any.

c. Under Service, select service. Select svc-https.

d. Under Action, select src-nat.

e. Under Time Range, select working-hours.

f. Click Add.

10.Click Apply.

Creating an Block-Internal-Access Policy

To create the block-internal-access policy via the WebUI:

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Select Add to add the block-internal-access policy.

3. For Policy Name, enter block-internal-access.

4. For Policy Type, select IPv4 Session.

5. Under Rules, select Add to add rules for the policy.

a. Under Source, select user.

b. Under Destination, select alias.

The following step defines an alias representing all internal network addresses. Once defined, you can use the

alias for other rules and policies.

c. Under the alias selection, click New. For Destination Name, enter “Internal Network”. Click Add to add a

rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range, enter

255.0.0.0. Click Add to add the network range. Repeat these steps to add the network ranges

172.16.0.0 255.255.0.0 and 192.168.0.0 255.255.0.0. Click Apply. The alias “Internal Network”

appears in the Destination menu

d. Under Destination, select Internal Network.

e. Under Service, select any.

f. Under Action, select drop.

g. Click Add.

6. Click Apply.

Creating a Drop-and-Log Policy

To create the drop-and-log policy via the WebUI:

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Select Add to add the drop-and-log policy.

3. For Policy Name, enter drop-and-log.

4. For Policy Type, select IPv4 Session.

5. Under Rules, select Add to add rules for the policy.

a. Under Source, select user.

b. Under Destination, select any.

c. Under Service, select any.

d. Under Action, select drop.

e. Select Log.

f. Click Add.

6. Click Apply.

Creating a Guest Role

To create a guest role via the WebUI:

1. Navigate to the Configuration > Security > Access Control > User Roles page.

2. Click Add.

3. For Role Name, enter guest-logon.

4. Under Firewall Policies, click Add.

5. For Choose from Configured Policies, select captiveportal from the drop-down menu.

6. Click Done.

7. Under Firewall Policies, click Add.

8. For Choose from Configured Policies, select guest-logon-access from the drop-down menu.

9. Click Done.

10.Under Firewall Policies, click Add.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 309

310 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

11.For Choose from Configured Policies, select block-internal-access from the drop-down menu.

12.Click Done.

13.Click Apply.

Creating an Auth-Guest Role

To create the guest-logon role via the WebUI:

1. Navigate to the Configuration > Security > Access Control > User Roles page.

2. Click Add.

3. For Role Name, enter auth-guest.

4. Under Firewall Policies, click Add.

5. For Choose from Configured Policies, select cplogout from the drop-down menu.

6. Click Done.

7. Under Firewall Policies, click Add.

8. For Choose from Configured Policies, select guest-logon-access from the drop-down menu.

9. Click Done.

10.Under Firewall Policies, click Add.

11.For Choose from Configured Policies, select block-internal-access from the drop-down menu.

12.Click Done.

13.Under Firewall Policies, click Add.

14.For Choose from Configured Policies, select auth-guest-access from the drop-down menu.

15.Click Done.

16.Under Firewall Policies, click Add.

17.For Choose from Configured Policies, select drop-and-log from the drop-down menu.

18.Click Done.

19.Click Apply.

Configuring Policies and Roles in the CLI

Defining a Time Range

To create a time range via the command-line interface, access the CLI in config mode and issue the following

commands:

(host)(config) #time-range working-hours periodic

weekday 07:30 to 17:00

Creating Aliases

To create aliases via the command-line interface, access the CLI in config mode and issue the following

commands:

(host)(config) #netdestination “Internal Network”

network 10.0.0.0 255.0.0.0

network 172.16.0.0 255.255.0.0

network 192.168.0.0 255.255.0.0

(host)(config) #netdestination “Public DNS”

host 64.151.103.120

host 216.87.84.209

Creating a Guest-Logon-Access Policy

To create a guest-logon-access policy via the command-line interface, access the CLI in config mode and issue

the following commands:

(host)(config) #ip access-list session guest-logon-access

user any udp 68 deny

any any svc-dhcp permit time-range working-hours

user alias “Public DNS” svc-dns src-nat time-range working-hours

Creating an Auth-Guest-Access Policy

To create an auth-guest-access policy via the command-line interface, access the CLI in config mode and issue

the following commands:

(host)(config) #ip access-list session auth-guest-access

user any udp 68 deny

any any svc-dhcp permit time-range working-hours

user alias “Public DNS” svc-dns src-nat time-range working-hours

user any svc-http src-nat time-range working-hours

user any svc-https src-nat time-range working-hours

Creating a Block-Internal-Access Policy

To create a block-internal-access policy via the command-line interface, access the CLI in config mode and issue

the following commands:

(host)(config) #ip access-list session block-internal-access

user alias “Internal Network” any deny

Creating a Drop-and-Log Policy

To create a drop-and-log policy via the command-line interface, access the CLI in config mode and issue the

following commands:

(host)(config) #ip access-list session drop-and-log

user any any deny log

Creating a Guest-Logon Role

To create a guest-logon-role via the command-line interface, access the CLI in config mode and issue the

following commands:

(host)(config) #user-role guest-logon

session-acl captiveportal position 1

session-acl guest-logon-access position 2

session-acl block-internal-access position 3

Creating an Auth-Guest Role

To create an auth-guest role via the command-line interface, access the CLI in config mode and issue the

following commands:

(host)(config) #user-role auth-guest

session-acl cplogout position 1

session-acl guest-logon-access position 2

session-acl block-internal-access position 3

session-acl auth-guest-access position 4

session-acl drop-and-log position 5

Configuring Guest VLANs

Guests using the WLAN are assigned to VLAN 900 and are given IP addresses via DHCP from the controller.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 311

312 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

In the WebUI

1. Navigate to the Configuration > Network > VLANs page.

a. Select the VLAN ID tab.

a. Click Add.

b. For VLAN ID, enter 900.

c. Click Apply.

2. Navigate to the Configuration > Network > IP > IP Interfaces page.

a. Click the IPInterfaces tab.

a. Click Edit for VLAN 900.

b. For IP Address, enter 192.168.200.20.

c. For Net Mask, enter 255.255.255.0.

d. Click Apply.

3. Click the DHCP Server tab.

a. Select Enable DHCP Server.

b. Click Add under Pool Configuration.

c. In the Pool Name field, enter guestpool.

d. In the Default Router field, enter 192.168.200.20.

e. In the DNS Server field, enter 64.151.103.120.

f. In the Lease field, enter 4 hours.

g. In the Network field, enter 192.168.200.0. In the Netmask field, enter 255.255.255.0.

h. Click Done.

4. Click Apply.

In the CLI

(host)(config) #vlan 900

(host)(config) #interface vlan 900

(host)(config) #ip address 192.168.200.20 255.255.255.0

(host)(config) #ip dhcp pool "guestpool"

(host)(config) #default-router 192.168.200.20

(host)(config) #dns-server 64.151.103.120

(host)(config) #lease 0 4 0

(host)(config) #network 192.168.200.0 255.255.255.0

Configuring Captive Portal Authentication Profiles

In this section, you create an instance of the captive portal authentication profile and the AAA profile. For the

captive portal authentication profile, you specify the previously-created auth-guest user role as the default

user role for authenticated captive portal clients and the authentication server group (“Internal”).

To configure captive portal authentication via the WebUI:

1. Navigate to the Configuration > Security > Authentication > L3 Authentication page. In the Profiles

list, select Captive Portal Authentication Profile.

a. In the Captive Portal Authentication Profile Instance list, enter guestnet for the name of the profile,

then click Add.

b. Select the captive portal authentication profile you just created.

c. For Default Role, select auth-guest.

d. Select User Login.

e. Deselect (uncheck) Guest Login.

f. Click Apply.

2. Select Server Group under the guestnet captive portal authentication profile you just created.

a. Select internal from the Server Group drop-down menu.

b. Click Apply.

To configure captive portal authentication via the command-line interface, access the CLI in config mode and

issue the following commands:

(host)(config) #aaa authentication captive-portal guestnet

d>efault-role auth-guest

user-logon

no guest-logon

server-group internal

Modifying the Initial User Role

The captive portal authentication profile specifies the captive portal login page and other configurable

parameters. The initial user role configuration must include the applicable captive portal authentication profile

instance. Therefore, you need to modify the guest-logon user role configuration to include the guestnet

captive portal authentication profile.

To modify the guest-logon role via the WebUI:

1. Navigate to the Configuration > Security > Access Control > User Roles page.

2. Select Edit for the guest-logon role.

3. Scroll down to the bottom of the page.

4. Select the captive portal authentication profile you just created from the Captive Portal Profile drop-down

menu, and click Change.

5. Click Apply.

To modify the guest-logon role via the command-line interface, access the CLI in config mode and issue the

following commands:

(host)(config) #user-role guest-logon

captive-portal guestnet

Configuring the AAA Profile

In this section, you configure the guestnet AAA profile, which specifies the previously-created guest-logon

role as the initial role for clients who associate to the WLAN.

To configure the AAA profile via the WebUI:

1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.

2. In the AAA Profiles Summary, click Add to add a new profile. Enter guestnet for the name of the profile,

then click Add.

3. For Initial role, select guest-logon.

4. Click Apply.

To configure the AAA profile via the command-line interface, access the CLI in config mode and issue the

following commands:

(host)(config) #aaa profile guestnet

initial-role guest-logon

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 313

314 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Configuring the WLAN

In this section, you create the guestnet virtual AP profile for the WLAN. The guestnet virtual AP profile

contains the SSID profile guestnet (which configures opensystem for the SSID) and the AAA profile guestnet.

To configure the guest WLAN via the WebUI:

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. Select either AP Group or AP Specific tab. Click Edit for the AP group or AP name.

3. To configure the virtual AP profile, navigate to the Configuration > Wireless > AP Configuration page.

Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.

4. Under Profiles, select Wireless LAN, then select Virtual AP.

5. To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name for

the virtual AP profile (for example, guestnet), and click Add.

a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously

configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up

window.

b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID

profile.

c. Enter the name for the SSID profile (for example, guestnet).

d. Enter the Network Name for the SSID (for example, guestnet).

e. For Network Authentication, select None.

f. For Encryption, select Open.

g. Click Apply in the pop-up window.

h. At the bottom of the Profile Details page, click Apply.

6. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.

a. Make sure Virtual AP enable is selected.

b. For VLAN, select the ID of the VLAN in which captive portal users are placed (for example, VLAN 900).

c. Click Apply.

To configure the guest WLAN via the command-line interface, access the CLI in config mode and issue the

following commands:

(host)(config) #wlan ssid-profile guestnet

essid guestnet

opmode opensystem

(host)(config) #aaa profile guestnet

initial-role guest-logon

(host)(config) #wlan virtual-ap guestnet

vlan 900

aaa-profile guestnet

ssid-profile guestnet

Managing User Accounts

Temporary user accounts are created in the internal database on the controller. You can create a user role

which will allow a receptionist to create temporary user accounts. Guests can use the accounts to log into a

captive portal login page to gain Internet access.

See Creating Guest Accounts on page 813 for more information about configuring guest provisioning users

and administering guest accounts.

Configuring Captive Portal Configuration Parameters

Table 52 describes configuration parameters on the WebUI Captive Portal Authentication profile page.

In the CLI, you configure these options with the aaa authentication captive-portal commands.

Parameter Description

Default Role Role assigned to the Captive Portal user upon login. When both user and guest logon

are enabled, the default role applies to the user logon; users logging in using the

guest interface are assigned the guest role.

Default: guest

Default Guest Role Role assigned to guest.

Default: guest

Redirect Pause Time, in seconds, that the system remains in the initial welcome page before

redirecting the user to the final web URL. If set to 0, the welcome page displays until

the user clicks on the indicated link.

Default: 10 seconds

Default: /auth/index.html

User Logon Enables Captive Portal with authentication of user credentials.

Default: Enabled

Guest Login Enables Captive Portal logon without authentication.

Default: Disabled

Logout popout

window

Enables a pop-up window with the Logout link for the user to logout after logon. If this

is disabled, the user remains logged in until the user timeout period has elapsed or

the station reloads.

Default: Enabled

Use HTTP for

authentication

Use HTTP protocol on redirection to the Captive Portal page. If you use this option,

modify the captive portal policy to allow HTTP traffic.

Default: disabled (HTTPS is used)

Logon wait

minimum wait

Minimum time, in seconds, the user will have to wait for the logon page to pop up if

the CPU load is high. This works in conjunction with the Logon wait CPU utilization

threshold parameter.

Default: 5 seconds

Logon wait

maximum wait

Configure parameters for the logon wait interval

Default: 10 seconds

Logon wait CPU

utilization threshold

CPU utilization percentage above which the Logon wait interval is applied when

presenting the user with the logon page.

Default: 60%

Max Authentication

failures

Maximum number of authentication failures before the user is blacklisted.

Default: 0

Show FDQN Allows the user to see and select the fully-qualified domain name (FQDN) on the login

page. The FQDNs shown are specified when configuring individual servers for the

server group used with captive portal authentication.

Table 52: Captive Portal Authentication Profile Parameters

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 315

316 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Default: Disabled

Authentication Pro-

tocol

Select the PAP, CHAP or MS-CHAPv2 authentication protocol.

NOTE: Do not use the CHAP = option unless instructed to do so by aDell

representative.

Logon Page URL of the page that appears before logon. This can be set to any URL.

Default: /auth/index.html

Welcome Page URL of the page that appears after logon and before redirection to the web URL. This

can be set to any URL.

Default: /auth/welcome.html

Show Welcome

Page

Displays the configured welcome page before the user is redirected to their original

URL. If this option is disabled, users are redirected to the web URL immediately after

they log in.

Default: Enabled

Add switch IP

address in

redirection URL

Sends the controller’s IP address in the redirection URL when external captive portal

servers are used. An external captive portal server can determine the controller from

which a request originated by parsing the ‘switchip’ variable in the URL.

Default: Disabled

Add User VLAN in

the Redirection URL

Sends the user’s VLAN ID in the redirection URL when external captive portal servers

are used.

Add a controller

interface in the

redirection URL

Sends the controller’s interface IP address in the redirection URL when external

captive portal servers are used. An external captive portal server can determine the

controller from which a request originated by parsing the ‘switchip’ variable in the

URL. This parameter requires the Public Access license.

Allow only one

active user session

Allows only one active user session at a time.

Default: Disabled

White List To add a netdestination to the captive portal whitelist, enter the destination host or

subnet, then click Add. The netdestination will be added to the whitelist. To remove a

netdestination from the whitelist, select it in the whitelist field, then click Delete.

If you have not yet defined a netdestination, use the CLI command netdestination to

define a destination host or subnet before you add it to the whitelist.

This parameter requires the Public Access license.

Black List To add a netdestination to the captive portal blacklist, enter the destination host or

subnet, then click Add. The netdestination will be added to the blacklist. To remove a

netdestination from the blacklist, select it in the blacklist field, then click Delete.

If you have not yet defined a netdestination, use the CLI command netdestination to

define a destination host or subnet before you add it to the blacklist.

Show Acceptable

Use Policy Page

Show the acceptable use policy page before the logon page.

Default: Disabled

Parameter Description

User idle timeout The user idle timeout value for this profile. Specify the idle timeout value for the client

in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option

overrides the global settings configured in the AAA timers. If this is disabled, the

global settings are used.

Redirect URL URL to which an authenticated user will be directed. This parameter must be an abso-

lute URL that begins with either http:// or https://.

URL Hash Key If a redirection URL is defined, enter a URLHash Key to hash the redirect URL using

the specified key.

This parameter enhances security for the Clearpass Guest login URL so that Clear-

pass can trust and ensure that the client MAC address in the redirect URL has not

been tampered with by anyone. Default: Disabled.

Enabling Optional Captive Portal Configurations

The following are optional captive portal configurations:

lUploading Captive Portal Pages by SSID Association on page 317

lChanging the Protocol to HTTP on page 318

lConfiguring Redirection to a Proxy Server on page 319

lRedirecting Clients on Different VLANs on page 320

lWeb Client Configuration with Proxy Script on page 320

Uploading Captive Portal Pages by SSID Association

You can upload custom login pages for captive portal into the controller through the WebUI (refer to Creating

and Installing an Internal Captive Portal on page 323). The SSID to which the client associates determines the

captive portal login page displayed.

You specify the captive portal login page in the captive portal authentication profile, along with other

configurable parameters. The initial user role configuration must include the applicable captive portal

authentication profile instance. (In the case of captive portal in the base operating system, the initial user role is

automatically created when you create the captive portal authentication profile instance.) You then specify the

initial user role for captive portal in the AAA profile for the WLAN.

When you have multiple captive portal login pages loaded in the controller, you must configure a unique initial

user role and user role, and captive portal authentication profile, AAA profile, SSID profile, and virtual AP profile

for each WLAN that will use captive portal. For example, if you want to have different captive portal login pages

for the engineering, business and faculty departments, you need to create and configure according to Table 53.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 317

318 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Entity Engineering Business Faculty

Captive portal login

page

/auth/eng-login.html /auth/bus-login.html /auth/fac-login.html

Captive portal user role eng-user bus-user fac-user

Captive portal

authentication profile

eng-cp

(Specify /auth/eng-

bus-cp

(Specify /auth/bus-

fac-cp

(Specify /auth/bus-

Initial user role eng-logon

(Specify the eng-cp

profile)

bus-logon

(Specify the bus-cp

profile)

fac-logon

(Specify the fac-logon

profile)

AAA profile eng-aaa

(Specify the eng-logon

user role)

bus-aaa

(Specify the bus-logon

user role)

fac-aaa

(Specify the fac-logon

user role)

SSID profile eng-ssid bus-ssid fac-ssid

Virtual AP profile eng-vap bus-vap fac-vap

Table 53: Captive Portal login Pages

Changing the Protocol to HTTP

By default, the HTTPS protocol is used on redirection to the Captive Portal page. If you need to use HTTP

instead, you need to do the following:

lModify the captive portal authentication profile to enable the HTTP protocol.

lFor captive portal with role-based access only—Modify the captiveportal policy to permit HTTP traffic

instead of HTTPS traffic.

In the base operating system, the implicit ACL captive-portal-profile is automatically modified.

To change the protocol to HTTP via the WebUI:

1. Edit the captive portal authentication profile by navigating to the Configuration > Security >

Authentication > L3 Authentication page.

a. Enable (select) “Use HTTP for authentication”.

b. Click Apply.

2. (For captive portal with role-based access only) Edit the captiveportal policy by navigating to the

Configuration > Security > Access Control > Policies page.

a. Delete the rule for “user mswitch svc-https dst-nat”.

b. Add a new rule with the following values and move this rule to the top of the rules list:

lsource is user

ldestination is the mswitch alias

lservice is svc-http

laction is dst-nat

c. Click Apply.

To change the protocol to HTTP via the command-line interface, access the CLI in config mode and issue the

following commands:

(host)(config) #aaa authentication captive-portal profile

protocol-http

(For captive portal with role-based access only)

(host)(config) #ip access-list session captiveportal

no user alias mswitch svc-https dst-nat

user alias mswitch svc-http dst-nat

user any svc-http dst-nat 8080

user any svc-https dst-nat 8081

Configuring Redirection to a Proxy Server

You can configure captive portal to work with proxy Web servers. When proxy Web servers are used, browser

proxy server settings for end users are configured for the proxy server’s IP address and TCP port. When the

user opens a Web browser, the HTTP/S connection request must be redirected from the proxy server to the

captive portal on the controller.

To configure captive portal to work with a proxy server:

l(For captive portal with base operating system) Modify the captive portal authentication profile to specify

the proxy server’s IP address and TCP port.

l(For captive portal with role-based access) Modify the captiveportal policy to have traffic for the proxy

server’s port destination NATed to port 8088 on the controller.

The base operating system automatically modifies the implicit ACL captive-portal-profile.

The following sections describe how use the WebUI and CLI to configure the captive portal with a proxy server.

When HTTPS traffic is redirected from a proxy server to the controller, the user’s browser will display a warning that

the subject name on the certificate does not match the hostname to which the user is connecting.

To redirect proxy server traffic using the WebUI:

1. For captive portal with Dell base operating system, edit the captive portal authentication profile by

navigating to the Configuration > Security > Authentication > L3 Authentication page.

a. For Proxy Server, enter the IP address and port for the proxy server.

b. Click Apply.

2. For captive portal with role-based access, edit the captiveportal policy by navigating to the Configuration

> Security > Access Control > Policies page.

3. Add a new rule with the following values:

a. Source is user

b. Destination is any

c. Service is TCP

d. Port is the TCP port on the proxy server

e. Action is dst-nat

f. IP address is the IP address of the proxy port

g. Port is the port on the proxy server

4. Click Add to add the rule. Use the up arrows to move this rule just below the rule that allows HTTP(S) traffic.

5. Click Apply.

To redirect proxy server traffic via the command-line interface, access the CLI in config mode and issue the

following commands.

For captive portal with Dell base operating system:

(host)(config) #aaa authentication captive-portal profile

proxy host ipaddr port port

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 319

320 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

For captive portal with role-based access:

(host)(config) #ip access-list session captiveportal

user alias mswitch svc-https permit

user any tcp port dst-nat 8088

user any svc-http dst-nat 8080

user any svc-https dst-nat 8081

Redirecting Clients on Different VLANs

You can redirect wireless clients that are on different VLANs (from the controller’s IP address) to the captive

portal on the controller. To do this:

1. Specify the redirect address for the captive portal.

2. For captive portal with the PEFNG license only, you need to modify the captiveportal policy that is assigned

to the user. To do this:

a. Create a network destination alias to the controller interface.

b. Modify the rule set to allow HTTPS to the new alias instead of the mswitch alias.

In the base operating system, the implicit ACL captive-portal-profile is automatically modified.

This example shows how to use the command-line interface to create a network destination called cp-redirect

and use that in the captiveportal policy:

(host)(config) #ip cp-redirect-address ipaddr

For captive portal with PEFNG license:

(host)(config) #netdestination cp-redirect ipaddr

(host)(config) #ip access-list session captiveportal

user alias cp-redirect svc-https permit

user any svc-http dst-nat 8080

user any svc-https dst-nat 8081

Web Client Configuration with Proxy Script

If the web client proxy configuration is distributed through a proxy script (a .pac file), you need to configure

the captiveportal policy to allow the client to download the file. Note that in order modify the captiveportal

policy, you must have the PEFNG license installed in the controller.

To allow clients to download proxy script via the WebUI:

1. Edit the captiveportal policy by navigating to the Configuration > Security > Access Control >

Policies page.

2. Add a new rule with the following values:

nSource is user

nDestination is host

nHost IP is the IP address of the proxy server

nService is svc-https or svc-http

nAction is permit

3. Click Add to add the rule. Use the up arrows to move this rule above the rules that perform destination

NAT.

4. Click Apply.

To allow clients to download proxy script via the command-line interface, access the CLI in config mode and

issue the following commands:

(host)(config) #ip access-list session captiveportal

user alias mswitch svc-https permit

user any tcp port dst-nat 8088

user host ipaddr svc-https permit

user any svc-http dst-nat 8080

user any svc-https dst-nat 8081

Personalizing the Captive Portal Page

The following can be personalized on the default captive portal page:

lCaptive portal background

lPage text

lAcceptance Use Policy

The background image and text should be visible to users with a browser window on a 1024 by 768 pixel

screen. The background should not clash if viewed on a much larger monitor. A good option is to have the

background image at 800 by 600 pixels, and set the background color to be compatible. The maximum image

size for the background can be around 960 by 720 pixels, as long as the image can be cropped at the bottom

and right edges. Leave space on the left side for the login box.

You can create your own web pages and install them in the controller for use with captive portal. See “Internal

Captive Portal” on page265

1. Navigate to the Configuration > Management > Captive Portal > Customize Login Page page.

You can choose one of three page designs. To select an existing design, click the first or the second page

design present.

2. To customize the page background:

a. Select the YOUR CUSTOM BACKGROUND page.

b. Under Additional options, enter the location of the JPEG image in the Upload your own custom

background field.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 321

322 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

c. Set the background color in the Custom page background color field. The color code must a hexadecimal

value in the format #hhhhhh.

d. To view the page background changes, click Submit at the bottom on the page and then click the View

CaptivePortal link. The User Agreement Policy page appears and displays the Captive Portal page as

it will be seen by users.

3. To customize the captive portal background text:

a. Enter the text that needs to be displayed in the Page Text (in HTML format) message box.

b. To view the background text changes, click Submitat the bottom on the page and then click the View

CaptivePortal link. The User Agreement Policy page appears.

c. Click Accept. This displays the Captive Portal page as it will be seen by users.

4. To customize the text under the Acceptable Use Policy:

a. Enter the policy information in the Policy Text text box. Use this only in the case of guest logon.

b. To view the use policy information changes, click Submitat the bottom on the page and then click the

View CaptivePortal link. The User Agreement Policy page appears. The text you entered appears in

the Acceptable Use Policy text box.

c. Click Accept. This displays the Captive Portal page as it will be seen by users.

Creating and Installing an Internal Captive Portal

If you do not wish to customize the default captive portal page, you can use the following procedures to create

and install a new internal captive portal page. This section describes the following topics:

lCreating a New Internal Web Page on page 323

lInstalling a New Captive Portal Page on page 325

lDisplaying Authentication Error Messages on page 325

lReverting to the Default Captive Portal on page 326

lConfiguring Localization on page 326

lCustomizing the Welcome Page on page 329

lCustomizing the Pop-Up box on page 330

lCustomizing the Logged Out Box on page 331

Creating a New Internal Web Page

In addition to customizing the default captive portal page, you can also create your own internal web page. A

custom web page must include an authentication form to authenticate a user. The authentication form can

include any of the following variables listed in Table 54:

Variable Description

user (Required)

password (Required)

FQDN The fully-qualified domain name (this is dependent on the setting of the

controller and is supported only in Global Catalog Servers software.

Table 54: Web Page Authentication Variables

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 323

324 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

The form can use either the "get" or the "post" methods, but the "post" method is recommended. The form's

action must absolutely or relatively reference https://<controller_IP>/auth/index.html/u.

You can construct an authentication form using the following HTML:

...

</FORM>

A recommended option for the <FORM> element is:

autocomplete="off"

This option prevents Internet Explorer from caching the form inputs. The form variables are input using any

form control method available such as INPUT, SELECT, TEXTAREA, and BUTTON. Example HTML code follows.

Username Example

Minimal:

Recommended Options:

accesskey="u" Sets the keyboard shortcut to 'u'

SIZE="25 "Sets the size of the input box to 25

VALUE= ""Ensures no default value

Password Example

Minimal:

Recommended Options:

accesskey="p" Sets the keyboard shortcut to 'p'

SIZE="25 "Sets the size of the input box to 25

VALUE= ""Ensures no default value

FQDN Example

Minimal:

</SELECT>

Recommended Options:

None

Finally, an HTML also requires an input button:

Basic HTML Example

<HTML>

<HEAD>

</HEAD>

<BODY>

Username:<BR>

<BR>

Password:<BR>

<INPUT type="password" name="password" accesskey="p" SIZE="25"

VALUE="">

<BR>

</FORM>

</BODY>

</HTML>

You can find a more advanced example simply by using your browser’s "view-source" function while viewing

the default captive portal page.

Installing a New Captive Portal Page

You can install the captive portal page by using the Maintenance function of the WebUI.

Log into the WebUI and navigate to Configuration > Management > Captive Portal > Upload Custom

This page lets you upload your own files to the controller. There are different page types that you can choose:

lCaptive Portal Login (top level): This type uploads the file into the controller and sets the captive portal page

to reference the file that you are uploading. Use with caution on a production controller as this takes effect

immediately.

lCaptive Portal Welcome Page: This type uploads the file that appears after logon and before redirection to

the web URL. The display of the welcome page can be disabled or enabled in the captive portal profile.

lContent: The content page type allows you to upload all miscellaneous files that you need to reference from

your main captive portal login page. This can be used for images, scripts or any other file that you need to

reference. These files are uploaded into the same directory as the top level captive portal page and thus all

files can be referenced relatively.

Uploaded files can be referenced using:

https://<controller_IP>/upload/custom/<CP-Profile-Name>/<file>

Displaying Authentication Error Messages

This section contains a script that performs the following tasks:

lWhen the user is redirected to the main captive portal login when there is authentication failure, the redirect

URL includes a query parameter "errmsg" which java script can extract and display.

lStore the originally requested URL in a cookie so that once the user has authenticated, they are

automatically redirected to its original page. Note that for this feature to work, you need ArubaOS release

2.4.2.0 or later. If you don't want this feature, delete the part of the script shown in red.

{

function createCookie(name,value,days)

{

if (days)

{

var date = new Date();

date.setTime(date.getTime()+(days*24*60*60*1000));

var expires = "; expires="+date.toGMTString();

}

else var expires = "";

document.cookie = name+"="+value+expires+"; path=/";

}

var q = window.location.search;

var errmsg = null;

if (q && q.length > 1) {

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 325

326 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

q = q.substring(1).split(/[=&]/);

for (var i = 0; i < q.length - 1; i += 2) {

if (q[i] == "errmsg") {

errmsg = unescape(q[i + 1]);

break;

}

if (q[i] == "host") {

createCookie('url',unescape(q[i+1]),0)

}

if (errmsg && errmsg.length > 0) {

errmsg = "<div id='errorbox'>\n" + errmsg + "\n</div>\n";

document.write(errmsg);

}

</script>

Reverting to the Default Captive Portal

You can reassign the default captive portal site using the "Revert to factory default settings" check box in the

"Upload Custom Login Pages" section of the Maintenance tab in the WebUI.

Configuring Localization

The ability to customize the internal captive portal provides you with a very flexible interface to the Dell captive

portal system. However, other than posting site-specific messages onto the captive portal website, the most

common type of customization is likely to be language localization. This section describes a simple method for

creating a native language captive portal implementation using the Dell internal captive portal system.

1. Customize the configurable parts of the captive portal settings to your liking. To do this, navigate to the

Configuration > Management > Captive Portal > Customize Login Page in the WebUI:

For example, choose a page design, upload a custom logo and/or a custom background. Also include any

page text and acceptable use policy that you would like to include. Put this in your target language or else

you will need to translate this at a later time.

Ensure that Guest login is enabled or disabled as necessary by navigating to the Configuration > Security

> Authentication > L3 Authentication > Captive Portal Authentication Profile page to create or

edit the captive portal profile. Select or deselect "Guest Login".

2. Click Submit and then click on View Captive Portal. Check that your customization and text/html is

correct, with the default interface still in English and the character set still autodetects to ISO-8859-1.

Repeat steps 1 and 2 until you are satisfied with your page.

3. Once you have a page you find acceptable, click on View Captive Portal one more time to display your

source for the captive portal page. Save this source as a file on your local system.

4. Open the file that you saved in step 3 on page 326, using a standard text editor, and make the following

changes:

a. Fix the character set. The default <HEAD>...</HEAD> section of the file will appear as:

<head>

<title>Portal Login</title>

function showPolicy()

{win = window.open("/auth/acceptableusepolicy.html", "policy",

"height=550,width=550,scrollbars=1");}

</script>

</head>

In order to control the character set that the browser will use to show the text with, you will need to

insert the following line inside the <HEAD>...</HEAD> element:

Replace the "Shift_JIS" part of the above line with the character set that is used by your system. In

theory, any character encoding that has been registered with IANA can be used, but you must ensure

that any text you enter uses this character set and that your target browsers support the required

character set encoding.

b. The final <HEAD>...</HEAD> portion of the document should look similar to this:

<head>

<title>Portal Login</title>

function showPolicy()

{win = window.open("/auth/acceptableusepolicy.html", "policy",

"height=550,width=550,scrollbars=1");}

</script>

</head>

c. Fix references: If you have used the built-in preferences, you will need to update the reference for the

logo image and the CSS style sheet.

To update the CSS reference, search the text for "<link href" and update the reference to include "/auth/"

in front of the reference. The original link should look similar to the following:

This should be replaced with a link like the following:

The easiest way to update the image reference is to search for "src" using your text editor and updating

the reference to include "/auth/" in front of the image file. The original link should look similar to the

following:

This should be replaced with a link like this:

d. Insert javascript to handle error cases:

When the controller detects an error situation, it will pass the user's page a variable called "errmsg" with a

value of what the error is in English. Currently, only "Authentication Failed" is supported as a valid error

message.

To localize the authentication failure message, replace the following text (it is just a few lines below the

<body> tag):

</div>

with the script below. You will need to translate the "Authentication Failed" error message into your local

language and add it into the script below where it states: localized_msg="...":

{

var q = window.location.search;

var errmsg = null;

if (q && q.length > 1) {

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 327

328 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

q = q.substring(1).split(/[=&]/);

for (var i = 0; i < q.length - 1; i += 2) {

if (q[i] == "errmsg") {

errmsg = unescape(q[i + 1]);

break;

}

if (errmsg && errmsg.length > 0) {

switch(errmsg) {

case "Authentication Failed":

localized_msg="Authentication Failed";

break;

default:

localised_msg=errmsg;

break;

}

errmsg = "<div id='errorbox'>\n" + localised_msg + "\n</div>\n";

document.write(errmsg);

};

}

</script>

e. Translate the web page text. Once you have made the changes as above, you only need to translate the

rest of the text that appears on the page. The exact text that appears will depend on the controller

settings when you originally viewed the captive portal. You will need to translate all relevant text such as

"REGISTERED USER", "USERNAME", "PASSWORD", the value="" part of the INPUT type="submit" button

and all other text. Ensure that the character set you use to translate into is the same as you have

selected in part i) above.

Feel free to edit the HTML as you go if you are familiar with HTML.

5. After saving the changes made in step 4 above, upload the file to the controller using the

Configuration > Management > Captive Portal > Upload Custom Login Pages section of the WebUI.

Choose the captive portal profile from the drop-down menu. Browse your local computer for the file you

saved. For Page Type, select “Captive Portal Login”. Ensure that the "Revert to factory default settings" box

is NOT checked and click Apply. This will upload the file to the controller and set the captive portal profile to

use this page as the redirection page.

In order to check that your site is operating correctly, go back to the "Customize Login Page" and click on

"View Captive Portal" to view the page you have uploaded. Check that your browser has automatically

detected the character set and that your text is not garbled.

To make any adjustments to your page, edit your file locally and simply re-upload to the controller in order

to view the page again.

6. Finally, it is possible to customize the welcome page on the controller, however for language localization it is

recommended to use an "external welcome page" instead. This can be a web site on an external server, or it

can be a static page that is uploaded to a controller.

You set the welcome page in the captive portal authentication profile. This is the page that the user will be

redirected to after successful authentication.

If this is required to be a page on the controller, the user needs to create their own web page (using the

charset meta attribute in step 4 above). Upload this page to the designated controller in the same manner

as uploading the captive portal login page under "Configuration > Management > Captive Portal >

Upload Custom Login Pages. For Page Type, select “Captive Portal Welcome Page”.

Any required client side script (CSS) and media files can also be uploaded using the “Content” Page Type,

however file space is limited (use the CLI command show storage to see available space). Remember to

leave ample room for system files.

The "Registered User" and "Guest User" sections of the login page are implemented as graphics files, referenced by

the default CSS styles. In order to change these, you will need to create new graphic files, download the CSS file, edit

the reference to the graphics files, change the style reference in your index file and then upload all files as "content"

to the controller.

A sample of a translated page is displayed in Figure 34.

Figure 34 Sample Translated Page

Customizing the Welcome Page

Once a user is authenticated by the controller, a Welcome page is launched. The default welcome page depends

on your configuration, but will look similar to Figure 35:

Figure 35 Default Welcome Page

You can customize this welcome page by building your own HTML page and uploading it to the controller. You

upload it to the controller by navigating to Management > Captive Portal > Upload Login Pagesand select

“Captive Portal Welcome Page” from the Page Type drop-down menu. This file is stored in a directory called

"/upload/" on the controller using the file's original name.

In order to actually use this file, you will need to configure the welcome page on the controller. To do this use

the CLI command: "aaa captive-portal welcome-page /upload/welc.html" where "welc.html" is the name of the

file that you uploaded, or you can change the Welcome page in the captive portal authentication profile in the

WebUI.

An example that will create the same page as displayed in Figure 35 is shown below. The part in red will redirect

the user to the web page you originally setup. For this to work, please follow the procedure described above in

this document.

<html>

<head>

{

function readCookie(name)

{

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 329

330 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

var nameEQ = name + "=";

var ca = document.cookie.split(';');

for(var i=0;i < ca.length;i++)

{

var c = ca[i];

while (c.charAt(0)==' ') c = c.substring(1,c.length);

if (c.indexOf(nameEQ) == 0) return c.substring

(nameEQ.length,c.length);

}

return null;

}

var cookieval = readCookie('url');

if (cookieval.length>0) document.write("<meta http-equiv=\"refresh\"

content=\"2;url=http://"+cookieval+"\""+">");

}

</script>

</head>

<b>User Authenticated </b>

<p>In 2 seconds you will be automatically redirected to your original web page</p>

<p> Press control-d to bookmark this page.</p>

</FORM>

</font>

</body>

</html>

Customizing the Pop-Up box

In order to customize the Pop-Up box, you must first customize your Welcome page. Once you have

customized your welcome page, then you can configure your custom page to use a pop-up box. The default

HTML for the pop-up box is:

<html>

<b>Logout</b></font>

<p>

<a href="/auth/logout.html"> Click to Logout </a>

</body>

</html>

If you wish your users to be able to logout using this pop-up box, then you must include a reference to

/auth/logout.html Once a user accesses this URL then the controller will log them out. It is easiest to simply edit

the above HTML to suit your users and then upload the resulting file to the controller using the WebUI under

Configuration > Management > Captive Portal > Upload custom pages and choose "content” as the

page type.

Once you have completed your HTML, then you must get the clients to create the pop-up box once they have

logged into the controller. This is done by inserting the following code into your welcome page text and re-

uploading the welcome page text to your controller.

Common things to change:

lURL: set the URL to be the name of the pop-up HTML file that you created and uploaded. This should be

preceded by "/upload/".

lWidth: set w to be the required width of the pop-up box.

lHeight: set h to be the required height of the pop-up box.

lTitle: set the second parameter in the window.open command to be the title of the pop-up box. Be sure to

include the quotes as shown:

var url="/upload/popup.html";

var w=210;

var h=80;

var x=window.screen.width - w - 20;

var y=window.screen.height - h - 60;

window.open(url, 'logout',

"toolbar=no,location=no,width="+w+",height="+h+",top="+y+",left="+x+",screenX="+x+",screenY

="+y);

</script>

Customizing the Logged Out Box

In order to customize the Logged Out box, you must first customize your Welcome page and also your Pop-Up

box. To customize the message that occurs after you have logged out then you need to replace the URL that

the pop-up box will access in order to log out with your own HTML file.

First you must write the HTML web page that will actually log out the user and will also display page that you

wish. An example page is shown below. The key part that must be included is the <iframe>..</iframe> section.

This is the part of the HTML that actually does the user logging out. The logout is always performed by the

client accessing the /auth/logout.html file on the controller and so it is hidden in the html page here in order to

get the client to access this page and for the controller to update its authentication status. If a client does not

support the iframe tag, then the text between the <iframe> and the </iframe> is used. This is simply a 0 pixel

sized image file that references /auth/logout.html. Either method should allow the client to logout from the

controller.

Everything else can be customized.

<html>

width=0 height=0></iframe>

You have now logged out.</font></P>

<form> <input type="button" onclick="window.close()" name="close" value="Close

Window"></form>

</body>

</html>

After writing your own HTML, then you need to ensure that your customized pop-up box will access your new

logged out file. In the pop-up box example above, you simply replace the "/auth/logout.html" with your own

file that you upload to the controller. For example, if your customized logout HTML is stored in a file called

"loggedout.html" then your "pop-up.html" file should reference it like this:

<html>

<b>Logout</b></font>

<p>

<a href="/upload/loggedout.html"> Click to Logout </a>

</body>

</html>

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 331

332 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Creating Walled Garden Access

On the Internet, a walled garden typically controls a user’s access to web content and services. The walled

garden directs the user’s navigation within particular areas to allow access to a selection of websites or prevent

access to other websites.

The Walled Garden feature can be used with the PEFNG or PEFV licenses.

Walled garden access is needed when an external or internal captive portal is used. A common example could

be a hotel environment where unauthenticated users are allowed to navigate to a designated login page (for

example, a hotel website) and all its contents.

Users who do not sign up for Internet service can view “allowed” websites (typically hotel property websites).

The website names must be DNS-based (not IP address based) and support the option to define wildcards.

Note that the walled garden access feature does not support clients that are configured to use HTTP/HTTPS

proxy.

When a user attempts to navigate to other websites not configured in the white list walled garden profile, the

user is redirected back to the login page. In addition, the black listed walled garden profile is configured to

explicitly block navigation to websites from unauthenticated users.

In the WebUI

1. Navigate to Advanced Services > Stateful Firewall > Destination.

2. Click Add to add a destination name.

3. Select the controller IP version, IPv4 or IPv6, from the IP Versiondrop-down menu.

4. In the Destination Name field, enter a name and click Add.

5. Select namefrom the Rule Type drop-down menu and add a hostname or wildcard with domain name to

which an unauthenticated user is redirected.

6. Click Apply.

7. Navigate to Configuration > Security > Authentication > L3 Authentication.

8. Select Captive Portal Authentication Profile.

9. To allow users to access a domain, enter the destination name that contains the allowed domain names in

the White List field. This stops unauthenticated users from viewing specific domains such as a hotel

website.

A rule in the white list must explicitly permit a traffic session before it is forwarded to the controller. The last

rule in the white list denies everything else.

10.To deny users access to a domain, enter the destination name that contains prohibited domain names in

the Black List field. This prevents unauthenticated users from viewing specific websites.

11.Click Apply.

In the CLI

This example configures a destination named Mywhite-list and adds the domain names, example.com and

example.net to that destination. It then adds the destination name Mywhite-list (which contains the allowed

domain names example.com and example.net) to the white list.

(host)(config)# netdestination "Mywhite-list"

(host)(config)#name example.com

(host)(config)#name example.net

(host) (config) #aaa authentication captive-portal default

(host)(Captive Portal Authentication Profile "default")#white-list Mywhite-list

Enabling Captive Portal Enhancements

This release of ArubaOS introduces the following enhancements in Captive Portal:

lLocation information such as AP name and AP group name have been included in the Captive Portal redirect

URL. The following example shows a Captive Portal redirect URL that contains the AP name and the AP

group name:

https://securelogin.example.com/cgi-

bin/login?cmd=login&mac=00:24:d7:ed:84:14&ip=10.15.104.13&essid=example-test-

tunnel&apname=ap135&apgroup=example&url=http%3A%2F%2Fwww%2Eespncricinfo%2Ecom%2F

lA new option redirect-url is introduced in the Captive Portal Authentication profile which allows you to

redirect the users to a specific URL after the authentication is complete.

lCaptive Portal Login URL length has been increased from 256 characters to 2048 characters.

lSupport for “?” (question mark) inside the Captive Portal login URL has been added.

lA new field, description has been introduced in the netdestination and netdestination6 commands to

provide a description about the netdestination up to 128 characters long.

lSupport for configuring Whitelist in Captive Portal has been introduced.

The Captive Portal enhancements are available on Tunnel and Split-Tunnel forwarding modes.

Configuring the Redirect-URL

You can configure the Captive Portal redirect URL using the following commands:

(host) (config) # aaa authentication captive-portal REDIRECT

(host) (Captive Portal Authentication Profile "REDIRECT") #redirect-url <absolute-URL>

Example:

(host) (config) # aaa authentication captive-portal REDIRECT

(host) (Captive Portal Authentication Profile "REDIRECT") #redirect-url https://test-login.php

Configuring the Login URL

You can configure a Captive Portal login URL up to 2048 characters using the following commands:

(host) (config) # aaa authentication captive-portal LOGIN

(host) (Captive Portal Authentication Profile "LOGIN")#login-page

"http://10.17.36.100/login.php?isinit=1&mac=00:11:22:33:44:55&loginURL=https://captiveportal-

You can configure the login URL with “?” (question mark) character in it provided the URL containing the question

mark is within the double quotes.

Defining Netdestination Descriptions

You can provide a description (up to 128 characters) for the netdestination using the CLI.

Use the following commands to provide description for an IPv4 netdestination:

(host) (config) #netdestination Local-Server

(host) (config-dest) #description “This is a local server for IPv4 client registration”

Use the following commands to provide description for an IPv6 netdestination:

(host) (config) #netdestination6 Local-Server6

(host) (config-dest) #description “This is a local server for IPv6 client registration”

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 333

334 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

The following command displays the details of the specified IPv4 netdestination:

(host) (config-dest) #show netdestination Local-Server

Local-Server Description: This is a local server for IPv4 client registration

-------------------------------------------------------------------------------

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 name 0.0.0.1 yahoomail

2 name 0.0.0.2 mycorp

3 name 0.0.0.3 cricinfo

The following command displays the details of the specified IPv6 netdestination:

(host) (config-dest) #show netdestination Local-Server6

Local-Server6 Description: This is a local server for IPv6 client registration

-------------------------------------------------------------------------------

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 name 0.0.0.1 yahoomail

2 name 0.0.0.2 mycorp

3 name 0.0.0.3 cricinfo

Configuring a Whitelist

You can now configure a Whitelist in Captive Portal using the CLI.

Configuring the Netdestination for a Whitelist:

Use the following commands to configure a netdestination alias for Whitelist:

(host) (config) #netdestination whitelist

(host) (config-dest) #description guest_whitelist

(host) (config-dest) #name mycorp

Associating a Whitelist to Captive Portal Profile

Use the following CLI commands to associate a whitelist to the Captive profile:

(host) (config) #aaa authentication captive-portal CP_Profile

(host) (Captive Portal Authentication Profile "CP_Profile”) #white-list whitelist

Applying a Captive Portal Profile to a User-Role

Use the following commands to apply the Captive Portal profile to a user-role:

(host) (config) # user-role guest_role

(host) (config-role) #session-acl logon-control

(host) (config-role) #session-acl captiveportal

(host) (config-role) #captive-portal CP_Profile

Verifying a Whitelist Configuration

Use the following commands to verify the whitelist alias:

(host) (config) #show netdestination whitelist

whitelist Description: guest_whitelist

--------------------------------------

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 name 0.0.0.6 mycorp

Verifying a Captive Portal Profile Linked to a Whitelist

Use the following commands to verify the Captive Portal profile linked to the whitelist:

(host) (config) #show aaa authentication captive-portal CP_Profile

Captive Portal Authentication Profile "CP_Profile"

-----------------------------------------------------------------

Parameter Value

--------- -----

Default Role guest

Default Guest Role guest

Server Group default

Redirect Pause 10 sec

User Login Enabled

Guest Login Disabled

Logout popup window Enabled

Use HTTP for authentication Disabled

Logon wait minimum wait 5 sec

Logon wait maximum wait 10 sec

logon wait CPU utilization threshold 60 %

Max Authentication failures 0

Show FQDN Disabled

Use CHAP (non-standard) Disabled

Welcome page /auth/welcome.html

Show Welcome Page Yes

Add switch IP address in the redirection URL Disabled

Adding user vlan in redirection URL Disabled

Add a controller interface in the redirection URL N/A

Allow only one active user session Disabled

White List whitelist

Black List N/A

Show the acceptable use policy page Disabled

Redirect URL N/A

Verifying Dynamic ACLs for a Whitelist

Use the following commands to verify the dynamically created ACLs for the whitelist:

(host) (config) #show rights guest_role

Derived Role = 'guest_role'

Up BW:No Limit Down BW:No Limit

L2TP Pool = default-l2tp-pool

PPTP Pool = default-pptp-pool

Periodic reauthentication: Disabled

ACL Number = 79/0

Max Sessions = 65535

Captive Portal profile = CP_Profile

access-list List

----------------

Position Name Location

-------- ---- --------

1 CP_Profile_list_operations

2 logon-control

3 captiveportal

CP_Profile_list_operations

-----------------------------------------

Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P

Blacklist Mirror DisScan ClassifyMedia IPv4/6

-------- ------ ----------- ------- ------ --------- --- ------- ----- --- -----

--------- ------ ------- ------------- ------

1 user whitelist svc-http permit Low

Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 335

336 | Captive Portal Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

2 user whitelist svc-https permit Low

logon-control

-------------

Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P

Blacklist Mirror DisScan ClassifyMedia IPv4/6

-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- -

-------- ------ ------- ------------- ------

1 user any udp 68 deny Low

2 any any svc-icmp permit Low

3 any any svc-dns permit Low

4 any any svc-dhcp permit Low

5 any any svc-natt permit Low

captiveportal

-------------

Priority Source Destination Service Action TimeRange Log Expired Queue

TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6

-------- ------ ----------- ------- ------ --------- --- ------- -----

--- ----- --------- ------ ------- ------------- ------

1 user controller svc-https dst-nat 8081 Low

2 user any svc-http dst-nat 8080 Low

3 user any svc-https dst-nat 8081 Low

4 user any svc-http-proxy1 dst-nat 8088 Low

5 user any svc-http-proxy2 dst-nat 8088 Low

6 user any svc-http-proxy3 dst-nat 8088 Low

Expired Policies (due to time constraints) = 0

Verifying DNS Resolved IP Addresses for Whitelisted URLs

Use the following command to verify the DNS resolved IP addresses for the whitelisted URLs:

(host) #show firewall dns-names ap-name <AP-name>

Example:

(host) #show firewall dns-names ap-name ap135

Firewall DNS names

------------------

Index Name Id Num-IP List

----- ---- -- ------ ----

0 bugzilla 10 1 0.0.0.0

1 cricinfo 9 0

2 yahoo 1 0

3 mycorp 6 1 1.1.1.1

Dell Networking W-Series ArubaOS 6.4.x| User Guide Virtual Private Networks | 337

Chapter 15

Virtual Private Networks

Wireless networks can use virtual private network (VPN) connections to further secure wireless data from

attackers. The Dell controller can be used as a VPN concentrator that terminates all VPN connections from

both wired and wireless clients.

This chapter describes the following topics:

lPlanning a VPN Configuration on page 337

lWorking with VPN Authentication Profiles on page 340

lConfiguring a Basic VPN for L2TP/IPsec in the WebUI on page 342

lConfiguring a VPN for L2TP/IPsec with IKEv2 in the WebUI on page 346

lConfiguring a VPN for Smart Card Clients on page 350

lConfiguring a VPN for Clients with User Passwords on page 351

lConfiguring Remote Access VPNs for XAuth on page 353

lWorking with Remote Access VPNs for PPTP on page 355

lWorking with Site-to-Site VPNs on page 355

lWorking with VPN Dialer on page 361

Planning a VPN Configuration

You can configure the controller for the following types of VPNs:

lRemote access VPNs allow hosts (for example, telecommuters or traveling employees) to connect to private

networks (for example, a corporate network) over the Internet. Each host must run VPN client software

which encapsulates and encrypts traffic, then sends it to a VPN gateway at the destination network. The

controller supports the following remote access VPN protocols:

nLayer-2 Tunneling Protocol over IPsec (L2TP/IPsec)

nPoint-to-Point Tunneling Protocol (PPTP)

nXAUTH IKE/IPsec

nIKEv2 with Certificates

nIKEv2 with EAP

lSite-to-site VPNs allow networks (for example, a branch office network) to connect to other networks (for

example, a corporate network). Unlike a remote access VPN, hosts in a site-to-site VPN do not run VPN

client software. All traffic for the other network is sent and received through a VPN gateway, which

encapsulates and encrypts the traffic.

Before enabling VPN authentication, you must configure the following:

lThe default user role for authenticated VPN clients. See Roles and Policies on page 364 for information

about configuring user roles.

lThe authentication server group the controller uses to validate the clients. See Authentication Servers on

page 225 for configuration details.

A server-derived role, if present, takes precedence over the default user role.

338 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

You then specify the default user role and authentication server group in the VPN authentication default

profile, as described in the sections below.

ESP Tunnel Mode is the only supported IPsec mode of operation. ArubaOS does not support AH and Transport

modes.

Selecting an IKE protocol

Controllers running ArubaOS version 6.1 and later support both IKEv1 and the newer IKEv2 protocol to

establish IPsec tunnels. IKEv2 is simpler, faster, and a more reliable protocol than IKEv1, though both IKEv1

and IKEv2 support the same suite-B cryptographic algorithms.

If your IKE policy uses IKEv2, you should be aware of the following caveats when you configure your VPN:

lArubaOS does not support separate pre-shared keys for both directions of an exchange; both peers must

use the same pre-shared key. ArubaOS does not support mixed authentication with both pre-shared keys

and certificates; each authentication exchange requires a single authentication type. For example, if a client

authenticates with a pre-shared key, the controller must also authenticate with a pre-shared key.

lArubaOS does not support IKEv2 mobility (MOBIKE), Authentication Headers (AH), or IP Payload

Compression Protocol (IPComp).

Understanding Suite-B Encryption Licensing

Dell controllers support Suite-B cryptographic algorithms when the Advanced Cryptography (ACR) license is

installed. Table 55 describes the Suite-B algorithms supported by ArubaOS IKE Policies and IPsec tunnels. For

further details on configuring a VPN to use Suite-B algorithms, see Configuring a VPN for L2TP/IPsec with IKEv2

in the WebUI on page 346.

IKE Policies Suite-B for IPsec tunnels

hash: SHA-256-128, SHA-384-192 Encryption: AES-128-GCM, AES-256-GCM

Diffie-Hellman (DH) Groups: ECP-256, ECP-384 Perfect Forward Secrecy (PFS): ECP-256, ECP-

384

Pseudo-Random Function (PRF): HMAC_SHA_256, HMAC_

SHA_384

—

Suite-B certificates: ECDSA-256, ECDSA-384 —

Table 55: Suite-B Algorithms Supported by the ACR License

The ArubaOS hardware supports IKE Suite-B AES-128-GCM and AES-256-GCM encryption. ArubaOS software

performs the KE Suite-B Diffie-Hellman and Certificate-based signature operations, and hash, PFS, and PRF algorithm

functions.

The following VPN clients support Suite-B algorithms when establishing an L2TP/IPsec VPN:

Client Operating

System

Supported Suite-B

IKE Authentication

Supported Suite-B IPsec

Encryption

lWindows 7

lWindows Vista

lWindows XP

lIKEv1 Clients using ECDSA

Certificates

lIKEv1/IKEv2 Clients using ECDSA

Certificates with L2TP/PPP/EAP-TLS

certificate user-authentication

lAES-128-GCM

lAES-256-GCM

Table 56: Client Support for Suite-B

The Suite-B algorithms described in Table 55 are also supported by Site-to-Site VPNs between Dell controllers,

or between a Dell controller and a server running Windows 2008 or StrongSwan 4.3.

Working with IKEv2 Clients

Not all clients support the both the IKEv1 and IKEv2 protocols. Only the clients in Table 57 support IKEv2 with

the following authentication types:

Windows 7 Client StrongSwan 4.3 Client VIA Client

lMachine authentication

with Certificates

lUser name password

authentication using EAP-

MSCHAPv2 or PEAP-

MSCHAPv2

lUser smart-card

authentication with EAP-

TLS / IKEv2

NOTE: Windows 7 clients

using IKEv2 do not support

pre-shared key

authentication.

lMachine authentication

with Certificates

lUser name password

authentication using EAP-

MSCHAPv2

lSuite-B cryptographic

algorithms

lMachine authentication with

Certificates

lUser name password authentication

using EAP-MSCHAPv2

lEAP-TLS using Microsoft cert

repository

NOTE: VIA clients using IKEv2 do not

support pre-shared key authentication.

Table 57: VPN Clients Supporting IKEv2

Understanding Supported VPN AAA Deployments

If you want to simultaneously deploy various combinations of a VPN client, RAP-psk, RAP-certs, and CAP on the

same controller, see Table 58.

Each row in this table specifies the allowed combinations of AAA servers for simultaneous deployment.

Configuration rules include:

lRAP-certs can only use LocalDB-AP.

lA RAP-psk and RAP-cert can only terminate on the same controller if the RAP VPN profile’s AAA server uses

Local-db.

lIf a RAP-psk is using an external AAA server, then the RAP-cert cannot be terminated on the same controller.

lClients can use any type of AAA server, regardless of the RAP/CAP authentication configuration server.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 339

340 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

VPN Client RAP psk RAP certs CAP

External AAA server 1 LocalDB LocalDB-AP CPSEC-whitelist

External AAA server 1 External AAA server 1 Not supported CPSEC-whitelist

External AAA server 1 External AAA server 2 Not supported CPSEC-whitelist

LocalDB LocalDB LocalDB-AP CPSEC-whitelist

LocalDB External AAA server 1 Not supported CPSEC-whitelist

Table 58: Supported VPN AAA Deployments

Working with Certificate Groups

The certificate group feature allows you to access multiple types of certificates on the same controller. To

create a certificate group, use the following command:

(host) (config) #crypto-local isakmp certificate-group server-certificate server_certificate

ca-certificate ca_certificate

You can view existing certificate groups using:

show crypto-local isakmp certificate-group

Working with VPN Authentication Profiles

VPN Authentication profiles identify a user role for authenticated VPN clients, an authentication server, and the

server group to which the authentication server belongs. There are three predefined VPN authentication

profiles: default,default-rap and default-cap. These different profiles allow you to use different

authentication servers, user roles and IP pools for VPN, remote AP, and campus AP clients.

You can configure the default and default-rap profiles, but not the default-cap profile.

Parameter Description default default-rap default-cap

Default Role for

authenticated users The role that will be

assigned to the authen-

ticated users.

default-vpn-

role

default-vpn-

role

sys-ap-role

Maximum allowed

authentication failures The number of contiguous

authentication failures

before the station is black-

listed.

0 (feature is

disabled)

0 (feature is

disabled)

0 (feature is

disabled)

Check certificate common

name against AAA server

disabled enabled enabled

Export VPNIP address as

a route

When enabled, this

causes any VPN client

address to be exported to

enabled enabled enabled

Table 59: Predefined Authentication Profile settings

Parameter Description default default-rap default-cap

OSPF using IPC.

NOTE: Note that the

Framed-IP-Address

attribute is assigned the

IP address as long as the

any server returns the

attribute. The Framed-IP-

Address value always has

a higher priority than the

local address pool.

User idle timeout The user idle timeout

value for this profile. Spe-

cify the idle timeout value

for the client in seconds.

Valid range is 30-15300 in

multiples of 30 seconds.

Enabling this option over-

rides the global settings

configured in the AAA

timers. If this is disabled,

the global settings are

used.

disabled N/A N/A

PAN firewalls Integration Requires IP mapping at

Palo Alto Networks fire-

walls.

disabled disabled disabled

To edit the default VPN authentication profile:

1. Navigate to the Configuration > Advanced Services > All Profiles > VPN Authentication >

defaultpage.

2. In the Profiles list in the left window pane, select the default VPN Authentication Profile.

3. Click the Default Role drop-down list, and select the default user role for authenticated VPN users. (For

detailed information on creating and managing user roles and policies, see Roles and Policies on page 364.)

4. (Optional) If you use client certificates for user authentication, select the Check certificate common

name against AAA server checkbox to verify that the certificate's common name exists in the server.

This parameter is enabled by default in the default-cap and default-rap VPN profiles, and disabled by

default on all other VPN profiles.

5. (Optional) Set Max Authentication failures to an integer value. The default value is 0, which disables this

feature.

6. (Optional) Regardless of how an authentication server is contacted, the Export VPN IP address as a

route option causes any VPN client address to be exported to OSPF using IPC. Note that the Framed-IP-

Address attribute is assigned the IP address as long as any server returns the attribute. The Framed-IP-

Address value always has a higher priority than the local address pool.

7. (Optional) Enabling PAN firewalls Integration requires IPmapping at Palo Alto Networks firewalls. (For more

information about PAN firewall integration, see Palo Alto Networks Firewall Integration on page 620.)

8. Click Apply.

9. In the Default profile menu in the left window pane, select Server Group.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 341

342 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

10.From the Server Group drop-down list, select the server group to be used for VPN authentication.

11.Click Apply.

To configure VPN authentication via the command-line interface, access the CLI in config mode and issue the

following commands:

(host)(config) #aaa authentication vpn default

cert-cn-lookup

clone

default-role <role>

export-route

max-authentication-failure <number>

pan-integration

radius-accounting <server_group_name>

server-group <name>

user-idle-timeout <seconds>

Configuring a Basic VPN for L2TP/IPsec in the WebUI

The combination of Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) is a highly-secure

technology that enables VPN connections across public networks such as the Internet. L2TP/IPsec provides

both a logical transport mechanism on which to transmit PPP frames, tunneling, or encapsulation, so that the

PPP frames can be sent across an IP network. L2TP/IPsec relies on the PPP connection process to perform user

authentication and protocol configuration. With L2TP/IPsec, the user authentication process is encrypted using

the Data Encryption Standard (DES) or Triple DES (3DES) algorithm.

L2TP/IPsec using IKEv1 requires two levels of authentication:

lComputer-level authentication with a preshared key to create the IPsec security associations (SAs) to

protect the L2TP-encapsulated data.

lUser-level authentication through a PPP-based authentication protocol using passwords, SecureID, digital

certificates, or smart cards after successful creation of the SAs.

Note that only Windows 7 clients, StrongSwan 4.3 clients, and VIA clients support IKEv2. For additional information on

the authentication types supported by these clients, see Working with IKEv2 Clients on page 339.

Use the following procedures to configure a remote access VPN for L2TP IPsec for clients using pre-shared

keys, certificates or EAP for authentication using the WebUI:

lDefining Authentication Method and Server Addresses on page 347

lDefining Address Pools on page 347

lEnabling Source NAT on page 347

lSelecting Certificates on page 347

lDefining IKEv1 Shared Keys on page 344

lConfiguring IKE Policies on page 348

lSetting the IPsec Dynamic Map on page 349

lFinalizing WebUI changes on page 350

Defining Authentication Method and Server Addresses

1. Define the authentication method and server addresses.

2. Navigate to Configuration > Advanced Services > VPN Services and click the IPSECtab.

3. To enable L2TP, select Enable L2TP (this is enabled by default).

4. Select the authentication method for IKEv1 clients. Currently supported methods are:

nPassword Authentication Protocol (PAP)

nExtensible Authentication Protocol (EAP)

nChallenge Handshake Authentication Protocol (CHAP)

nMicrosoft Challenge Handshake Authentication Protocol (MSCHAP)

5. Configure the IP addresses of the primary and secondary Domain Name System (DNS) servers and the

primary and secondary Windows Internet Naming Service (WINS) Server that are pushed to the VPN client.

Defining Address Pools

Next, define the pool from which the clients are assigned addresses.

1. In the Address Pools section of the IPSEC tab, click Add to open the Add Address Pool page.

2. Specify the pool name, the start address, and the end address.

3. Click Done.

RADIUS Framed-IP-Address for VPN Clients

IP addresses are usually assigned to VPN clients from configured local address pools. However, the Framed-IP-

Address attribute that is returned from a RADIUS server can be used to assign the address.

VPN clients use different mechanisms to establish VPN connections with the controller, such as IKEv1, IKEv2,

EAP, or a user certificate. Regardless of how the RADIUS server is contacted for authentication, the Framed-IP-

Address attribute is assigned the IP address as long as the RADIUS server returns the attribute. The Framed-IP-

Address value always has a higher priority than the local address pool.

Enabling Source NAT

In the Source NAT section of the IPSEC tab, select Enable Source NAT if the IP addresses of clients need to

be translated to access the network. If you enabled source NAT, click the NAT pool drop-down list and select

an existing NAT pool. If you have not yet created the NAT pool you want to use:

1. Navigate to Configuration > IP > NAT Pools.

2. Click Add.

3. In the Pool Name field, enter a name for the new NAT pool, up to 63 alphanumeric characters.

4. In the Start IP address field, enter the dotted-decimal IP address that defines the beginning of the range

of source NAT addresses in the pool.

5. In the End IP address field, enter the dotted-decimal IP address that defines the end of the range of source

NAT addresses in the pool.

6. In the Destination NAT IP Address field, enter the destination NAT IP address in dotted-decimal format.

If you do not enter an address into this field, the NAT pool uses the destination NAT IP 0.0.0.0.

7. Click Done.

8. Navigate to Configuration > Advanced Services > VPN Services and click the IPSEC tab to return to the

IPsec window.

9. Click the NAT Pool drop-down list and select the NAT pool you just created.

Selecting Certificates

If you are configuring a VPN to support machine authentication using certificates, define the IKE Server

certificates for VPN clients using IKE. Note that these certificate must be imported into the controller, as

described in Management Access on page 778.

1. Select the server certificate for client machines using IKE by clicking the IKE Server Certificate drop-down

list and selecting an available certificate name.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 343

344 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

2. If you are configuring a VPN to support clients using certificates, you must also assign one or more trusted

CA certificates to VPN clients.

a. Under CA Certificate Assigned for VPN-clients, click Add.

b. Select a CA certificate from the drop-down list of CA certificates imported in the controller.

c. Click Done.

d. Repeat the above steps to add additional CA certificates.

Defining IKEv1 Shared Keys

If you are configuring a VPN to support IKEv1 and clients using pre-shared keys, You can configure a global IKE

key or configure an IKE key for each subnet. Make sure that this key matches the key on the client.

1. In the IKE Shared Secrets section of the IPsec tab, click Add to open the Add IKE Secret page.

2. Enter the subnet and subnet mask. To make the IKE key global, specify 0.0.0.0 for both values.

3. Enter the IKE Shared Secret and Verify IKE Shared Secret.

4. Click Done.

Configuring IKE Policies

ArubaOS contains several predefined default IKE policies, as described in Table 60. If you do not want to use

any of these predefined policies, you can use the procedures below to edit an existing policy or create your

own custom IKE policy instead.

The IKE policy selections, along with any preshared key, need to be reflected in the VPN client configuration. When

using a third-party VPN client, set the VPN configuration on clients to match the choices made above. In case the Dell

dialer is used, these configurations need to be made on the dialer prior to downloading the dialer onto the local

client.

1. Scroll down to the IKE Policies section of the IPSEC tab, then click Edit to edit an existing policy or click Add

to create a new policy.

2. Enter a number into the Priority field to set the priority for this policy. Enter a priority of 1 for the

configuration to take priority over the Default setting.

3. Select the IKE version. Click the Version drop-down list and select V1 for IKEv1 or V2 for IKEv2.

4. Set the Encryption type. Click the Encryption drop-down list and select one of the following encryption

types:

lDES

l3DES

lAES128

lAES192

lAES256

5. Set the HASH function. Click the Hash drop-down list and select one of the following hash types:

lMD5

lSHA

lSHA1-96

lSHA2-256-128

lSHA2-384-192

6. ArubaOS VPNs support client authentication using pre-shared keys, RSA digital certificates, or Elliptic Curve

Digital Signature Algorithm (ECDSA) certificates. To set the authentication type for the IKE rule, click the

Authentication drop-down list and select one of the following types:

lPre-Share (for IKEv1 clients using pre-shared keys)

lRSA (for clients using certificates)

lECDSA-256 (for clients using certificates)

lECDSA-384 (for clients using certificates)

7. Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is

used within IKE to securely establish session keys. To set the Diffie–Hellman Group for the ISAKMP policy,

click the Diffi–Hellman Group drop-down list and select one of the following groups:

lGroup 1: 768-bit Diffie–Hellman prime modulus group.

lGroup 2: 1024-bit Diffie–Hellman prime modulus group.

lGroup 14: 2048-bit Diffie–Hellman prime modulus group.

lGroup 19: 256-bit random Diffie–Hellman ECP modulus group.

lGroup 20: 384-bit random Diffie–Hellman ECP modulus group.

8. Set the Security Association Lifetime to define the lifetime of the security association, in seconds. The

default value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value from

300 to 86400 seconds.

9. Click Done.

Setting the IPsec Dynamic Map

Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. ArubaOS has a

predefined IPsec dynamic map for IKEv1. If you do not want to use this predefined map, you can use the

procedures below to edit an existing map, or create your own custom IPsec dynamic map instead.

1. Scroll down to the IPsec Dynamic Map section of the IPSEC tab, then click Edit by a map name to edit an

existing map or click Add to create a new map.

2. In the Name field, enter a name for the dynamic map.

3. In the Priority field, enter a priority number for the map. Negotiation requests for security associations try

to match the highest-priority map first. If that map does not match, the negotiation request continues

down the list to the next-highest priority map until a match is made.

4. Click the Version drop-down list and select V1 to create an IPsec map for remote peers using IKEv1.

5. (Optional) Configure Perfect Forward Secrecy (PFS) settings for the dynamic peer by assigning a Diffie-

Hellman prime modulus group. PFS provides an additional level of security by ensuring that the IPsec SA

key was not derived from any other key, and therefore can not be compromised if another key is broken.

Click the Set PFS drop-down list and select one of the following groups:

lGroup 1: 768-bit Diffie–Hellman prime modulus group.

lGroup 2: 1024-bit Diffie–Hellman prime modulus group.

lGroup 14: 2048-bit Diffie–Hellman prime modulus group.

lGroup 19: 256-bit random Diffie–Hellman ECP modulus group.

lGroup 20: 384-bit random Diffie–Hellman ECP modulus group.

6. Select the transform set for the map to define a specific encryption and authentication type used by the

dynamic peer. Click the Transform Set drop-down list, and select the transform set for the dynamic peer.

To view current configuration settings for an IPsec transform-set, access the command-line interface and issue the

command crypto ipsec transform-set tag <transform-set-name>.

7. Set the Security Association Lifetime to define the lifetime of the security association for the dynamic

peer, in seconds. The default value is 7200 seconds. To change this value, uncheck the default checkbox

and enter a value from 300 to 86400 seconds.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 345

346 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

8. Click Done.

Finalizing WebUI changes

When you have finished configuring your IPsec VPN settings, click Apply to apply the new settings before

navigating to other pages.

Configuring a Basic L2TP VPN in the CLI

Use the following procedures to use the command-line interface to configure a remote access VPN for L2TP

IPsec:

1. Define the authentication method and server addresses:

(host)(config) #vpdn group l2tp

enable

client configuration {dns|wins} <ipaddr1> [<ipaddr2>]

2. Enable authentication methods for IKEv1 clients:

vpdn group l2tp ppp authentication {cache-securid|chap|eap|mschap|mschapv2|pap

3. Create address pools:

(host)(config) #ip local pool <pool> <start-ipaddr> <end-ipaddr>

4. Configure source NAT:

(host)(config) #ip access-list session srcnatuser any any src-nat pool <pool> position 1

5. If you are configuring a VPN to support machine authentication using certificates, define server certificates

for VPN clients using IKEv1:

(host)(config) #crypto-local isakmp server-certificate <cert>

6. If you are configuring a VPN to support IKEv1 Clients using pre-shared keys, you can configure a global IKE

key by entering 0.0.0.0 for both the address and netmask parameters in the command below, or configure

an IKE key for an individual subnet by specifying the IP address and netmask for that subnet:

crypto isakmp key <key> address <ipaddr|> netmask <mask>

7. Define IKE Policies:

(host)(config) #crypto isakmp policy <priority>

encryption {3des|aes128|aes192|aes256|des}

version v1|v2

authentication {pre-share|rsa-sig|ecdsa-256ecdsa-384}

group {1|2|19|20}

hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}

lifetime <seconds>

Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI

Only clients running Windows 7, StrongSwan 4.3, and Dell VIA support IKEv2. For additional information on the

authentication types supported by these clients, see “Working with IKEv2 Clients on page 339."

Use the following procedures to in the WebUI configure a remote access VPN for IKEv2 clients using

certificates.

lDefining Authentication Method and Server Addresses on page 347

lDefining Address Pools on page 347

lEnabling Source NAT on page 347

lSelecting Certificates on page 347

lConfiguring IKE Policies on page 348

lSetting the IPsec Dynamic Map on page 349

lFinalizing WebUI changes on page 350

Defining Authentication Method and Server Addresses

1. Define the authentication method and server addresses.

2. Navigate to Configuration > Advanced Services > VPN Services and click the IPSEC tab.

3. To enable L2TP, select Enable L2TP (this is enabled by default).

4. Select the authentication method for IKEv1 clients. Currently supported methods are:

nPassword Authentication Protocol (PAP)

nExtensible Authentication Protocol (EAP)

nChallenge Handshake Authentication Protocol (CHAP)

nMicrosoft Challenge Handshake Authentication Protocol (MSCHAP)

nMicrosoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2)

5. Configure the IP addresses of the primary and secondary Domain Name System (DNS) servers and primary

and secondary Windows Internet Naming Service (WINS) Server that is pushed to the VPN client.

Defining Address Pools

Next, define the pool from which the clients are assigned addresses.

1. In the Address Pools section of the IPSEC tab, click Add to open the Add Address Pool page.

2. Specify the pool name, the start address, and the end address.

3. Click Done.

Enabling Source NAT

In the Source NAT section of the IPSEC tab, select Enable Source NAT if the IP addresses of clients need to

be translated to access the network. If you enabled source NAT, click the NAT pool drop-down list and select

an existing NAT pool. If you have not yet created the NAT pool you want to use:

1. Navigate to Configuration > IP > NAT Pools.

2. Click Add.

3. In the Pool Name field, enter a name for the new NAT pool, up to 63 alphanumeric characters.

4. In the Start IP address field, enter the dotted-decimal IP address that defines the beginning of the range

of source NAT addresses in the pool.

5. In the End IP address field, enter the dotted-decimal IP address that defines the end of the range of source

NAT addresses in the pool.

6. In the Destination NAT IP Address field, enter the destination NAT IP address in dotted-decimal format.

If you do not enter an address into this field, the NAT pool uses the destination NAT IP 0.0.0.0.

7. Click Done to close the NAT pools tab.

8. Navigate to Configuration > Advanced Services > VPN Services and click the IPSEC tab to return to the

IPSEC window.

9. Click the NAT Pool drop-down list and select the NAT pool you just created.

Selecting Certificates

To configure the VPN to support machine authentication using certificates, define the IKE Server certificates for

VPN clients using IKEv2. Note that these certificate must be imported into the controller, as described in

Management Access on page 778.

1. Select the IKEv2 server certificate for client machines using IKEv2 by clicking the IKEv2 Server Certificate

drop-down list and selecting an available certificate name.

2. If you are configuring a VPN to support IKEv2 clients using certificates, you must also assign one or more

trusted CA certificates to VPN clients.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 347

348 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

a. Under CA Certificate Assigned for VPN-clients, click Add.

b. Select a CA certificate from the drop-down list of CA certificates imported in the controller.

c. Click Done.

d. Repeat the above steps to add additional CA certificates.

Configuring IKE Policies

ArubaOS contains several predefined default IKE policies, as described in Table 60. If you do not want to use

any of these predefined policies, you can use the procedures below to delete a factory-default policy, edit an

existing policy, or create your own custom IKE policy instead.

The IKE policy selections need to be reflected in the VPN client configuration. When using a third-party VPN client, set

the VPN configuration on clients to match the choices made above. In case the Dell dialer is used, these

configurations need to be made on the dialer prior to downloading the dialer onto the local client.

1. Scroll down to the IKE Policies section of the IPSEC tab, then click Edit to edit an existing policy or click Add

to create a new policy.

You can also delete a predefined factory-default IKE policy by clicking Delete.

2. Enter a number into the Priority field to set the priority for this policy. Enter a priority of 1 for the

configuration to take priority over the Default setting.

3. Select the IKE version. Click the Version drop-down list and select V2 for IKEv2.

4. Set the Encryption type. Click the Encryption drop-down list and select one of the following encryption

types:

lDES

l3DES

lAES128

lAES192

lAES256

5. Set the HASH function. Click the Hash drop-down list and select one of the following hash types:

lMD5

lSHA

lSHA1-96

lSHA2-256-128

lSHA2-384-192

6. ArubaOS VPNs support IKEv2 client authentication using RSA digital certificates, or Elliptic Curve Digital

Signature Algorithm (ECDSA) certificates. To set the authentication type for the IKE rule, click the

Authentication drop-down list and select one of the following types:

lRSA

lECDSA-256

lECDSA-384

7. Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is

used within IKE to securely establish session keys. To set the Diffie–Hellman Group for the ISAKMP policy,

click the Diffie–Hellman Group drop-down list and select one of the following groups:

lGroup 1: 768-bit Diffie–Hellman prime modulus group.

lGroup 2: 1024-bit Diffie–Hellman prime modulus group.

lGroup 19: 256-bit random Diffie–Hellman ECP modulus group.

lGroup 20: 384-bit random Diffie–Hellman ECP modulus group.

8. Set the Pseudo-Random Function (PRF) value. This algorithm is an HMAC function to used to hash certain

values during the key exchange:

lPRF-HMAC-MD5

lPRF-HMAC-SHA1

lPRF-HMAC-SHA256

lPRF-HMAC-SHA384

9. Set the Security Association Lifetime to define the lifetime of the security association, in seconds. The

default value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value from

300 to 86400 seconds.

10.Click Done.

Setting the IPsec Dynamic Map

Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. ArubaOS has a

predefined IPsec dynamic maps for IKEv2. If you do not want to use of these predefined maps, you can use

the procedures below to to delete a factory-default map,edit an existing map or create your own custom IPsec

dynamic map instead.

In the WebUI

1. Scroll down to the IPsec Dynamic Map section of the IPSEC tab, then click Edit by a map name to edit an

existing map or click Add to create a new map.

You can also delete a predefined factory-default dynamic map by clicking Delete.

2. In the Name field, enter a name for the dynamic map.

3. In the Priority field, enter a priority number for the map. Negotiation requests for security associations try

to match the highest-priority map first. If that map does not match, the negotiation request continues

down the list to the next-highest priority map until a match is made.

4. Click the Version drop-down list, and select v2 to create a map for remote peers using IKEv2.

5. (Optional) Configure Perfect Forward Secrecy (PFS) settings for the dynamic peer by assigning a Diffie-

Hellman prime modulus group. PFS provides an additional level of security by ensuring that the IPsec SA

key was not derived from any other key, and therefore can not be compromised if another key is broken.

Click the Set PFS drop-down list and select one of the following groups:

lGroup 1: 768-bit Diffie–Hellman prime modulus group.

lGroup 2: 1024-bit Diffie–Hellman prime modulus group.

lGroup 14: 2048-bit Diffie–Hellman prime modulus group.

lGroup 19: 256-bit random Diffie–Hellman ECP modulus group.

lGroup 20: 384-bit random Diffie–Hellman ECP modulus group.

6. Select the transform set for the map to define a specific encryption and authentication type used by the

dynamic peer. Click the Transform Set drop-down list, and select the transform set for the dynamic peer.

To view current configuration settings for an IPsec transform-set, access the command-line interface and issue the

command crypto ipsec transform-set tag <transform-set-name>.

7. Set the Security Association Lifetime to define the lifetime of the security association for the dynamic

peer, in seconds. The default value is 7200 seconds. To change this value, uncheck the default checkbox

and enter a value from 300 to 86400 seconds.

8. Click Done.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 349

350 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

Finalizing WebUI changes

When you have finished configuring your IPsec VPN settings, click Apply to apply the new settings before

navigating to other pages.

In the CLI

Use the following procedures to use the command-line interface to configure a remote access VPN for L2TP

IPsec using IKEv2.

1. Define the server addresses:

(host)(config) #vpdn group l2tp

enable

client configuration {dns|wins} <ipaddr1> [<ipaddr2>]

2. Enable authentication methods for IKEv2 clients:

(host)(config) #crypto isakmp eap-passthrough {eap-mschapv2|eap-peap|eap-tls}

3. Create address pools:

(host)(config) #ip local pool <pool> <start-ipaddr> <end-ipaddr>

4. Configure source NAT:

(host)(config) #ip access-list session srcnat user any any src-nat pool <pool> position 1

5. If you are configuring a VPN to support machine authentication using certificates, define server certificates

for VPN clients using IKEv2:

(host)(config) #crypto-local isakmp server-certificate <cert>

The IKE pre-shared key value must be between 6-64 characters. To configure a pre-shared IKE key that contains non-

alphanumeric characters, surround the key with quotation marks.

For example: crypto-local isakmp key "key with spaces" fqdn-any.

6. Define IKEv2 Policies:

(host)(config) #crypto isakmp policy <priority>

encryption {3des|aes128|aes192|aes256|des}

version v2

authentication {pre-share|rsa-sig|ecdsa-256ecdsa-384}

group {1|2|19|20}

hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}

prf PRF-HMAC-MD5|PRF-HMAC-SHA1|PRF-HMAC-SHA256|PRF-HMAC-SHA384

lifetime <seconds>

7. Define IPsec Tunnel parameters:

(host)(config) #crypto ipsec

mtu <max-mtu>

transform-set <transform-set-name> esp-3des|esp-aes128|esp-aes128-gcm|esp-aes192|esp-

aes256|esp-aes256-gcm|esp-des esp-md5-hmac|esp-null-mac|esp-sha-hmac

Configuring a VPN for Smart Card Clients

This section describes how to configure a remote access VPN on the controller for Microsoft L2TP/IPsec clients

with smart cards. (A smart card contains a digital certificate which allows user-level authentication without the

user entering a username and password.) As described previously in this chapter, L2TP/IPsec requires two

levels of authentication: first, IKE SA (machine) authentication, and then user-level authentication with an IKEv2

or PPP-based authentication protocol.

Microsoft clients running Windows 7 (or later versions) support both IKEv1 and IKEv2. Microsoft clients using

IKEv2 support machine authentication using RSA certificates (but not ECDSA certificates or pre-shared keys)

and smart card user-level authentication with EAP-TLS over IKEv2.

Windows 7 clients without smart cards also support user password authentication using EAP-MSCHAPv2 or PEAP-

MSCHAPv2.

Working with Smart Card clients using IKEv2

To configure a VPN for Windows 7 clients using smart cards and IKEv2, follow the procedure described in

Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI on page 346, and ensure that the following settings

are configured:

lL2TP is enabled

lUser Authentication is set to EAP-TLS

lIKE version is set to V2

lThe IKE policy is configured for ECDSA or RSA certificate authentication

Working with Smart Card Clients using IKEv1

Microsoft clients using IKEv1 (including clients running Windows Vista or earlier versions of Windows) only

support machine authentication using a pre-shared key. In this scenario, user-level authentication is performed

by an external RADIUS server using PPP EAP-TLS, and client and server certificates are mutually authenticated

during the EAP-TLS exchange. During the authentication, the controller encapsulates EAP-TLS messages from

the client into RADIUS messages and forwards them to the server.

On the controller, you need to configure the L2TP/IPsec VPN with EAP as the PPP authentication and IKE policy

for preshared key authentication of the SA.

On the RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users

and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.

To configure a L2TP/IPsec VPN for clients using smart cards and IKEv1, ensure that the following settings are

configured:

1. On a RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card

users and select a server certificate. The user entry in Microsoft Active Directory must be configured for

smart cards. (For detailed information on creating and managing user roles and policies, see Roles and

Policies on page 364.)

lEnsure that RADIUS server is part of the server group used for VPN authentication.

lConfigure other VPN settings as described in Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI on

page 346, while selecting the following options:

nSelect Enable L2TP

nSelect EAP for the Authentication Protocol.

nDefine an IKE Shared Secret to be used for machine authentication. (To make the IKE key global, specify

0.0.0.0 and 0.0.0.0 for both subnet and subnet mask.)

nConfigure the IKE policy for Pre-Share authentication.

Configuring a VPN for Clients with User Passwords

This section describes how to configure a remote access VPN on the controller for L2TP/IPsec clients with user

passwords. As described previously in this section, L2TP/IPsec requires two levels of authentication: first, IKE

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 351

352 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

SA authentication, and then user-level authentication with the PAP authentication protocol. IKE SA is

authenticated with a preshared key, which you must configure as an IKE shared secret on the controller. User-

level authentication is performed by the controller’s internal database.

On the controller, you need to configure the following:

lAAA database entries for username and passwords

lVPN authentication profile, which defines the internal server group and the default role assigned to

authenticated clients

lL2TP/IPsec VPN with PAP as the PPP authentication (IKEv1 only).

l(For IKEv1 clients) An IKE policy for preshared key authentication of the SA.

l(For IKEv2 clients) A server certificate to authenticate the controller to clients and a CA certificate to

authenticate VPN clients.

In the WebUI

Use the following procedure the configure L2TP/IPsec VPN for username/password clients via the WebUI:

1. Navigate to the Configuration > Security > Authentication > Servers window.

a. Select Internal DB to display entries for the internal database.

b. Click Add User.

c. Enter username and password information for the client.

d. Click Enabled to activate this entry on creation.

e. Click Apply.

2. Navigate to the Configuration > Security > Authentication > L3 Authentication window.

a. Under default VPN Authentication Profile, select Server Group.

b. Select the internal server group from the drop-down menu.

c. Click Apply.

3. Navigate to the Configuration > Advanced Services > VPN Services > IPsec window.

a. Select Enable L2TP (this is enabled by default).

b. Select PAP for Authentication Protocols.

4. Configure other VPN settings as described in Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI on

page 346, while ensuring that the following settings are selected:

lIn the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab,

enable L2TP.

lIn the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab,

select PAP as the authentication protocol.

In the CLI

The following example uses the command-line interface to configure a L2TP/IPsec VPN for

username/password clients using IKEv1:

(host)(config) #vpdn group l2tp

enable

ppp authentication pap

client dns 101.1.1.245

(host)(config) #ip local pool pw-clients 10.1.1.1 10.1.1.250

(host)(config) #crypto isakmp key <key> address 0.0.0.0 netmask 0.0.00

(host)(config) #crypto isakmp policy 1

authentication pre-share

Next, issue the following command in enable mode to configure client entries in the internal database:

(host)(config) #local-userdb add username <name> password <password>

Configuring Remote Access VPNs for XAuth

Extended Authentication (XAuth) is an Internet Draft that allows user authentication after IKE Phase 1

authentication. This authentication prompts the user for a username and password, with user credentials

authenticated with an external RADIUS or LDAP server or the controller’s internal database. Alternatively, the

user can start the client authentication with a smart card, which contains a digital certificate to verify the client

credentials. IKE Phase 1 authentication can be done with either an IKE preshared key or digital certificates.

Configuring VPNs for XAuth Clients using Smart Cards

This section describes how to configure a remote access VPN on the controller for Cisco VPN XAuth clients

using smart cards. (A smart card contains a digital certificate which allows user-level authentication without the

user entering a username and password.) IKE Phase 1 authentication can be done with either an IKE preshared

key or digital certificates; for XAuth clients using smart cards, the smart card digital certificates must be used

for IKE authentication. The client is authenticated with the internal database on the controller.

On the controller, you need to configure the following:

1. Add entries for Cisco VPN XAuth clients to the controller’s internal database, or to an external RADIUS or

LDAP server. For details on configuring an authentication server, see Authentication Servers on page 225.

For each client, you need to create an entry in the internal database with the entire Principal name (SubjectAltname

in X.509 certificates) or Common Name as it appears on the certificate.

2. Verify that the server with the client data is part of the server group associated with the VPN authentication

profile.

3. In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, enable

L2TP.

4. In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, enable

XAuth to enable prompting for the username and password.

5. The Phase 1 IKE exchange for XAuth clients can be either Main Mode or Aggressive Mode. Aggressive

Mode condenses the IKE SA negotiations into three packets (versus six packets for Main Mode). In the

Aggressive Mode section of the Configuration > VPN Services > IPsec tab, Enter the authentication

group name for aggressive mode to associate this setting to multiple clients. Make sure that the group

name matches the aggressive mode group name configured in the VPN client software.

6. Configure other VPNsettings as described in Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI on

page 346, while ensuring that the following settings are selected:

lIn the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPSEC tab,

enable L2TP.

ln the L2TP and XAUTH Parameters section of the Configuration > VPN Services> IPSEC tab,

enable XAuth to enable prompting for the username and password.

nDefine an IKE policy to use RSA or ECDSA authentication.

The following example describes the steps to use the command-line interface to configure a VPN for Cisco

Smart Card Clients using certificate authentication and IKEv1, where the client is authenticated against user

entries added to the internal database:

(host)(config) #aaa authentication vpn default

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 353

354 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

server-group internal

(host)(config) #no crypto-local isakmp xauth

(host)(config) #vpdn group l2tp

enable

client dns 101.1.1.245

(host)(config) #ip local pool sc-clients 10.1.1.1 10.1.1.250

(host)(config) #crypto-local isakmp server-certificate MyServerCert

(host)(config) #crypto-local isakmp ca-certificate TrustedCA

(host)(config) #crypto isakmp policy 1

authentication rsa-sig

Enter the following command in enable mode to configure client entries in the internal database:

(host)(config) #local-userdb add username <name> password <password>

Configuring a VPN for XAuth Clients Using a Username and Password

This section describes how to configure a remote access VPN on the controller for Cisco VPN XAuth clients

using passwords. IKE Phase 1 authentication is done with an IKE preshared key; users are then prompted to

enter their username and password, which is verified with the internal database on the controller.

On the controller, you need to configure the following:

1. Add entries for Cisco VPN XAuth clients to the controller’s internal database. For details on configuring an

authentication server, see Authentication Servers on page 225

For each client, you need to create an entry in the internal database with the entire Principal name (SubjectAltname

in X.509 certificates) or Common Name as it appears on the certificate.

2. Verify that the server with the client data is part of the server group associated with the VPN authentication

profile.

3. Configure other VPN settings as described in Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI on

page 346, while ensuring that the following settings are selected:

lIn the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPSEC tab,

enable L2TP.

lIn the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPSEC tab,

enable XAuth to enable prompting for the username and password.

lThe IKE policy must have pre-shared authentication.

The following example configures a VPN for XAuth IKEv1 clients using a username and passwords. Access the

command-line interface and issue the following commands in config mode:

(host)(config) #aaa authentication vpn default

server-group internal

crypto-local isakmp xauth

(host)(config) #vpdn group l2tp

enable

client dns 101.1.1.245

(host)(config) #ip local pool pw-clients 10.1.1.1 10.1.1.250

(host)(config) #crypto isakmp key 0987654 address 0.0.0.0 netmask 0.0.00

(host)(config) #crypto isakmp policy 1

authentication pre-share

Enter the following command in enable mode to configure client entries in the internal database:

(host)(config) #local-userdb add username <name> password <password>

Working with Remote Access VPNs for PPTP

Point-to-Point Tunneling Protocol (PPTP) is an alternative to L2TP/IPsec. Like L2TP/IPsec, PPTP provides a

logical transport mechanism to send PPP frames and tunneling or encapsulation, so that the PPP frames can

be sent across an IP network. PPTP relies on the PPP connection process to perform user authentication and

protocol configuration.

With PPTP, data encryption begins after PPP authentication and connection process is completed. PPTP

connections use Microsoft Point-to-Point Encryption (MPPE), which uses the Rivest-Shamir-Aldeman (RSA) RC-4

encryption algorithm. PPTP connections require user-level authentication through a PPP-based authentication

protocol (MSCHAPv2 is the currently-supported method).

In the WebUI

1. Navigate to the Configuration > Advanced Services > VPN Services > PPTPpage.

2. To enable PPTP, select Enable PPTP.

3. Select either MSCHAP or MSCHAPv2 as the authentication protocol.

4. Configure IP addresses of the primary and secondary DNS servers.

5. Configure the primary and secondary WINS Server IP addresses that are pushed to the VPN Dialer.

6. Configure the VPN Address Pool.

a. Click Add. The Add Address Pool window displays.

b. Specify the pool name, start address, and end address.

c. Click Done.

7. Click Apply to apply the changes made before navigating to other pages.

In the CLI

(host)(config) #vpdn group pptp

enable

client configuration {dns|wins} <ipaddr1> [<ipaddr2>]

ppp authentication {mschapv2}

(host)(config) #pptp ip local pool <pool> <start-ipaddr> <end-ipaddr>

Working with Site-to-Site VPNs

Site-to-site VPN allows sites at different physical locations to securely communicate with each other over a

Layer-3 network such as the Internet. You can use Dell controllers instead of VPN concentrators to connect the

sites. You can also use a VPN concentrator at one site and a controller at the other site.

The Dell controller supports the following IKE SA authentication methods for site-to-site VPNs:

lPreshared key: Note that the same IKE shared secret must be configured on both the local and remote

sites.

lSuite-B cryptographic algorithms

lDigital certificates: You can configure a RSA or ECDSA server certificate and a CA certificate for each site-to-

site VPN IPsec map configuration. If you use certificate-based authentication, the peer must be identified by

its certificate subject-name distinguished name (for deployments using IKEv2) or by the peer’s IP address

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 355

356 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

(for IKEv1). For more information about importing server and CA certificates into the controller, see

Management Access on page 778.

Certificate-based authentication is only supported for site-to-site VPN between two controllers with static IP

addresses. IKEv1 site-to-site tunnels can not be created between master and local controllers.

Working with Third-Party Devices

Dell controllers can use IKEv1 or IKEv2 to establish a site-to-site VPN between another Dell controller or

between that controller and third-party remote client devices. Devices running Microsoft® Windows 2008 can

use Suite-B cryptographic algorithms and IKEv1 to support authentication using RSA or ECDSA. strongSwan®

4.3 devices can use IKEv2 to support authentication using RSA or ECDSA certificates, Suite-B cryptographic

algorithms, and pre-shared keys. These two remote clients are tested to work with Dell controllers using Suite-B

cryptographic algorithm.

Working with Site-to-Site VPNs with Dynamic IP Addresses

ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one

dynamically addressed controller. Two methods are supported to enable dynamically addressed peers:

lPre-shared Key Authentication with IKE Aggressive Mode: The Dell controller with a dynamic IP address

must be configured to be the initiator of IKE Aggressive-mode for Site-Site VPN, while the controller with a

static IP address must be configured as the responder of IKE Aggressive mode. Note that when the

controller is operating in FIPS mode, IKE aggressive mode must be disabled.

lX.509 certificates: IPsec peers will identify each other using the subject name of X.509 certificates. IKE

operates in main mode when this option is selected. This method is preferred from a security perspective.

Understanding VPN Topologies

You must configure VPN settings on the controllers at both the local and remote sites. In the following figure, a

VPN tunnel connects Network A to Network B across the Internet.

Figure 36 Site-to-Site VPN Configuration Components

To configure the VPN tunnel on controller A, you need to configure the following:

lThe source network (Network A)

lThe destination network (Network B)

lThe VLAN on which controller A’s interface to the Layer-3 network is located (Interface A in Figure 36)

lThe peer gateway, which is the IP address of controller B’s interface to the Layer-3 network (Interface B in

Figure 36)

Configure VPN settings on the controllers at both the local and remote sites.

Configuring Site-to-Site VPNs

Use the following procedures to create a site-to-site VPN via the WebUI or command-line interfaces.

In the WebUI

1. Navigate to the Configuration > Advanced Services > VPN Services > Site-to-Site page.

2. In the IPsec Maps section, click Add to open the Add IPsec Map window.

3. Enter a name for this VPN connection in the Name field.

4. Enter a priority level for the IPsec map. Negotiation requests for security associations try to match the

highest-priority map first. If that map does not match, the negotiation request continues down the list to

the next-highest priority map until a match is made.

5. In the Source Network and Source Subnet Mask fields, enter the IP address and netmask for the

source (the local network connected to the controller). (See controller A in Figure 36.)

6. In the Destination Network and Destination Subnet Mask fields, enter the IP address and netmask for

the destination (the remote network to which the local network communicates). (See controller B in Figure

36.)

7. If you use IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, in the Peer Gateway

field, enter the IP address of the interface used by remote peer to connect to the L3 network. (See Interface

B in Figure 36.) If you are configuring an IPsec map for a dynamically addressed remote peer, you must

leave the peer gateway set to its default value of 0.0.0.0.

8. If you use IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device

by entering its certificate subject name in the Peer Certificate Subject Name field.

To identify the subject name of a peer certificate, access the command-line interface and issue the command

show crypto-local pki servercert <certname> subject

9. The Security Association Lifetime parameter defines the lifetime of the security association, in seconds

and kilobytes. For seconds, the default value is 7200. To change this value, uncheck the default checkbox

and enter a value from 300 to 86400 seconds. Range: 1000–1000000000 kilobytes.

10.Click the Version drop-down list and select V1 to configure the VPN for IKEv1, or V2 for IKEv2.

11.Select the VLAN that contains the interface of the local controller which connects to the Layer-3 network.

(See Interface A in Figure 36.)

This determines the source IP address used to initiate IKE. If you select 0or None, the default is the VLAN

of the controller’s IP address (either the VLAN where the loopback IP is configured, or VLAN 1 if no loopback

IP is configured).

12.If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously

used session keys. Therefore, if a key is compromised, that compromised key does not affect any previous

session keys. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select

one of the following Perfect Forward Secrecy modes:

lgroup1: 768-bit Diffie–Hellman prime modulus group.

lgroup2: 1024-bit Diffie–Hellman prime modulus group.

lgroup 14: 2048-bit Diffie–Hellman prime modulus group.

lgroup19: 256-bit random Diffie–Hellman ECP modulus group.

lgroup20: 384-bit random Diffie–Hellman ECP modulus group.

13.Select Pre-Connect to have the VPN connection established, even if there is no traffic being sent from the

local network. If you do not select this the VPN connection established only when traffic is sent from the

local network to the remote network.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 357

358 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

14.Select Trusted Tunnel if traffic between the networks is trusted. If you do not select this, traffic between

the networks is untrusted.

15.Select the Enforce NATT checkbox to always enforce UDP 4500 for IKE and IPSEC. This option is disabled

by default.

16.Add one or more transform sets to be used by the IPsec map. Click the Transform Set drop down list,

select an existing transform set, then click the arrow button by the drop-down list to add that transform set

to the IPsec map.

17.For site-to-site VPNs with dynamically addressed peers, click the Dynamically Addressed Peers checkbox.

a. Select Initiator if the dynamically addressed switch is the initiator of IKE Aggressive-mode for Site-Site

VPN, or select Responder if the dynamically addressed switch is the responder for IKE Aggressive-mode.

b. In the FQDN field, enter a fully qualified domain name (FQDN) for the controller. If the controller is

defined as a dynamically addressed responder, you can select all peers to make the controller a

responder for all VPN peers, or select Per Peer ID and specify the FQDN to make the controller a

responder for one specific initiator only.

18.Select one of the following authentication types:

a. For pre-shared key authentication, select Pre-Shared Key, then enter a shared secret in the IKE Shared

Secret and Verify IKE Shared Secret fields. This authentication type is generally required in IPsec

maps for a VPN with a dynamically addressed peers but can also be used for a static site-to-site VPN.

b. For certificate authentication, select Certificate, then click the Server Certificate and CA certificate

drop-down lists to select certificates previously imported into the controller. See Management Access on

page 778 for more information.

19.Click Done to apply the site-to-site VPN configuration.

20.Click Apply.

21.Click the IPSEC tab to configure an IKE policy.

a. Under IKE Policies, click Addto open the IPSEC Add Policy configuration page.

b. Set the Priority to 1for this configuration to take priority over the Default setting.

c. Set the Version type to match the IKE version you selected in Step 10 above.

d. Set the Encryption type from the drop-down list.

e. Set the HASH Algorithm from the drop-down list.

f. Set the Authentication to PRE-SHARE if you use preshared keys. If you use certificate-based IKE, select

RSA or ECDSA.

g. Set the Diffie–Hellman Group from the drop-down list.

h. The IKE policy selections, including any preshared key, need to be reflected in the VPN client

configuration. When using a third party VPN client, set the VPN configuration on clients to match the

choices made above. If you use the Dell dialer, you must configure the dialer prior to downloading the

dialer onto the local client.

i. Click Done to activate the changes.

j. Click Apply.

In the CLI

To use the command-line interface to configure a site-to-site VPN with two static IP controllers using IKEv1,

issue the following commands:

(host)(config) #crypto-local ipsec-map <name> <priority>

src-net <ipaddr> <mask>

dst-net <ipaddr> <mask>

peer-ip <ipaddr>

vlan <id>

version v1|v2

peer-cert-dn <peer-dn>

pre-connect enable|disable

trusted enable

For certificate authentication:

set ca-certificate <cacert-name>

set server-certificate <cert-name>

(host)(config) #crypto isakmp policy <priority>

encryption {3des|aes128|aes192|aes256|des}

version v1|v2

authentication {rsa-sig|ecdsa-256ecdsa-384}

group {1|2|19|20}

hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}

lifetime <seconds>

For preshared key authentication:

(host)(config) #crypto-local isakmp key <key> address <ipaddr> netmask <mask>

(host)(config) #crypto isakmp policy <priority>

encryption {3des|aes128|aes192|aes256|des}

version v1|v2

authentication pre-share

group {1|2|19|20}

hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}

lifetime <seconds>

To configure site-to-site VPN with a static and a dynamically addressed controller that initiates IKE Aggressive-

mode for Site-Site VPN:

(host)(config) #crypto-local ipsec-map <name> <priority>

src-net <ipaddr> <mask>

dst-net <ipaddr> <mask>

peer-ip <ipaddr>local-fqdn <local_id_fqdn>

vlan <id>

pre-connect enable|disable

trusted enable

For the Pre-shared-key:

(host)(config) #crypto-local isakmp key <key> address <ipaddr> netmask 255.255.255.255

For a static IP controller that responds to IKE Aggressive-mode for Site-Site VPN:

crypto-local ipsec-map <name2> <priority>

src-net <ipaddr> <mask>

dst-net <ipaddr> <mask>

peer-ip 0.0.0.0

peer-fqdn fqdn-id <peer_id_fqdn>

vlan <id>

trusted enable

For the Pre-shared-key:

(host)(config) #crypto-local isakmp key <key> fqdn <fqdn-id>

For a static IP controller that responds to IKE Aggressive-mode for Site-Site VPN with One PSK for All FQDNs:

(host)(config) #crypto-local ipsec-map <name2> <priority>

src-net <ipaddr> <mask>

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 359

360 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

peer-ip 0.0.0.0

peer-fqdn any-fqdn

vlan <id>

trusted enable

For the Pre-shared-key for All FQDNs:

(host)(config) #crypto-local isakmp key <key> fqdn-any

Detecting Dead Peers

Dead Peer Detection (DPD) is enabled by default on the controller for site-to-site VPNs. DPD, as described in

RFC 3706, “A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers,” uses IPsec traffic

patterns to minimize the number of IKE messages required to determine the liveliness of an IKE peer.

After a dead peer is detected, the controller tears down the IPsec session. Once the network path or other

failure condition has been corrected, a new IPsec session is automatically re-established.

To configure DPD parameters, issue the following commands via the command-line interface:

(host)(config) #crypto-local isakmp dpd idle-timeout <idle_seconds> retry-timeout <retry_

seconds> retry-attempts <number>

About Default IKE Policies

ArubaOS includes the following default IKE policies. These policies are predefined and canbe edited and

deleted. You can do this by using the crypto isakmp policy and crypto dynamic-map CLI commands. Or,

use the WebUI and navigate to Advanced Services > VPN Services > IPSEC and use the Delete button

next to the default IKE policy or IPsec dynamic map you want to delete.

Policy

Name

Policy

Number

IKE

Version

Encryption

Algorithm

Hash

Algorithm

Authentica

-tion

Method

PRF

Method

Diffie-

Hellman

Group

Default

protection

suite

10001 IKEv1 3DES-168 SHA 160 Pre-Shared

Key

N/A 2 (1024

bit)

Default

RAP

Certificate

protection

suite

10002 IKEv1 AES -256 SHA 160 RSA

Signature

N/A 2 (1024

bit)

Default

RAP PSK

protection

suite

10003 AES -256 SHA 160 Pre-Shared

Key

N/A 2 (1024

bit)

Default

RAP IKEv2

RSA

protection

suite

1004 IKEv2 AES -256 SSHA160 RSA

Signature

hmac-

sha1

2 (1024

bit)

Table 60: Default IKE Policy Settings

Policy

Name

Policy

Number

IKE

Version

Encryption

Algorithm

Hash

Algorithm

Authentica

-tion

Method

PRF

Method

Diffie-

Hellman

Group

Default

Cluster

PSK

protection

suite

10005 IKEv1 AES -256 SHA160 Pre-Shared

Key

Pre-

Shared

Key

2 (1024

bit)

Default

IKEv2 RSA

protection

suite

1006 IKEv2 AES - 128 SHA 96 RSA

Signature

hmac-

sha1

2 (1024

bit)

Default

IKEv2 PSK

protection

suite

10007 IKEv2 AES - 128 SHA 96 Pre-shared

key

hmac-

sha1

2 (1024

bit)

Default

Suite-B

128bit

ECDSA

protection

suite

10008 IKEv2 AES - 128 SHA 256-

128

ECDSA-256

Signature

hmac-

sha2-256

Random

ECP

Group

(256 bit)

Default

Suite-B

256 bit

ECDSA

protection

suite

10009 IKEv2 AES -256 SHA 384-

192

ECDSA-384

Signature

hmac-

sha2-384

Random

ECP

Group

(384 bit)

Default

Suite-B

128bit

IKEv1

ECDSA

protection

suite

10010 IKEv1 AES-GCM-

128

SHA 256-

128

ECDSA-256

Signature

hmac-

sha2-256

Random

ECP

Group

(256 bit)

Default

Suite-B

256-bit

IKEv1

ECDSA

protection

suite

10011 IKEv1 AES-GCM-

256

SHA 256-

128

ECDSA-256

Signature

hmac-

sha2-256

Random

ECP

Group

(256 bit)

Working with VPN Dialer

For Windows clients, a dialer can be downloaded from the controller to auto configure tunnel settings on the

client.

Configuring VPN Dialer

Use the following procedures to configure the VPN dialer via the WebUI or command-line interfaces

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 361

362 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide

In the WebUI

1. Navigate to the Configuration > Advanced Services > VPN Services > Dialers page. Click Add to add a

new dialer or the Edit tab to edit an existing dialer.

2. Enter the Dialer Name that identifies this setting.

3. Configure the dialer to work with PPTP or L2TP by selecting Enable PPTP or Enable L2TP.

4. Select the authentication protocol. This should match the L2TP or PPTP authentication type configured for

the VPN in the Configuration > Advanced Services > VPN Services > IPSEC window.

5. (Optional) Select Send Direct Network Traffic In Clear to enable “split tunneling” functionality so that

traffic destined for the internal network is tunneled, while traffic for the Internet is not.

This option is not recommended for security reasons.

6. (Optional) Select Disable Wireless Devices When Client is Wired to allow the dialer to shut down the

wireless interface when it detects that a wired network connection is in use.

7. (Optional) Select Enable SecurID New and Next Pin Mode to enable site-to-site VPN support for SecurID

new and next pin modes.

8. For L2TP:

nSet the IKE Hash Algorithm to the value defined in the IKE policy on the Advanced Services > VPN

Services > IPSEC window.

nIf a preshared key is configured for an IKE Shared Secret in the VPN Services > IPSEC window, enter the

key.

nThe key you enter in the Dialers window must match the preshared key configured on the IPsec page.

nSelect the IPsec Mode Group that matches the Diffie–Hellman Group configured for the IPsec policy.

nSelect the IPsec Encryption that matches the encryption configured for the IPsec policy.

nSelect the IPsec Hash Algorithm that matches the hash algorithm configured for the IPsec policy.

9. Click Done to apply the changes made prior to navigating to another page.

In the CLI

Issue the following commands to configure the VPN dialer via the CLI:

(host(config) #vpn-dialer <name>

enable {dnctclear|l2tp|pptp|secureid_newpinmode|wirednowifi}

ike authentication {pre-share <key>|rsa-sig}

ike encryption {3des|des}

ike group {1|2}

ike hash {md5|sha}

ipsec encryption {esp-3des|esp-des}

ipsec hash {esp-md5-hmac|esp-sha-hmac}

ppp authentication {cache-securid|chap|mschap|mschapv2|pap}

Assigning a Dialer to a User Role

The VPN dialer can be downloaded using Captive Portal. For the user role assigned through Captive Portal,

configure the dialer by the name used to identify the dialer.

For example, if the captive portal client is assigned the guest role after logging on through captive portal and

the dialer is called mydialer, configure mydialer as the dialer to be used in the guest role.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > User Roles page.

2. Click Edit for the user role.

3. Under VPN Dialer, select the dialer you configured and click Change.

4. Click Apply.

In the CLI

To configure the captive portal dialer for a user role via the command-line interface, access the CLI in config

mode and issue the following commands:

(host) (config) #user-role <role>

dialer <name>

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 363

Dell Networking W-Series ArubaOS 6.4.x| User Guide Roles and Policies | 364

Chapter 16

Roles and Policies

The client in a Dell user-centric network is associated with a user role, which determines the client’s network

privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. A policy is a set of

rules that applies to traffic that passes through the Dell controller. You specify one or more policies for a user

role. Finally, you can assign a user role to clients before or after they authenticate to the system.

This chapter describes assigning and creating roles and policies using the ArubaOS CLI or WebUI. Roles and

policies can also be configured for WLANs associated with the “default” ap-group via the WLAN Wizard:

Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within the wizard and

refer to the help tab for assistance.

Topics in this chapter include:

lConfiguring Firewall Policies on page 364

lCreating a Firewall Policy on page 365

lCreating a Network Service Alias on page 368

lCreating an ACL White List on page 369

lUser Roles on page 370

lAssigning User Roles on page 372

lUnderstanding Global Firewall Parameters on page 377

lUsing AppRF 2.0 on page 381

This chapter describes configuring firewall policies and parameters that relate to IPv4 traffic. See IPv6 Support on

page 175 for information about configuring IPv6 firewall policies and parameters.

Configuring Firewall Policies

A firewall policy identifies specific characteristics about a data packet passing through the Dell controller and

takes some action based on that identification. In a Dell controller, that action can be a firewall-type action

such as permitting or denying the packet, an administrative action such as logging the packet, or a quality of

service (QoS) action such as setting 802.1p bits or placing the packet into a priority queue. You can apply

firewall policies to user roles to give differential treatment to different users on the same network, or to

physical ports to apply the same policy to all traffic through the port.

Firewall policies differ from access control lists (ACLs) in the following ways:

lFirewall policies are stateful, meaning that they recognize flows in a network and keep track of the state of

sessions. For example, if a firewall policy permits telnet traffic from a client, the policy also recognizes that

inbound traffic associated with that session should be allowed.

lFirewall policies are bi-directional, meaning that they keep track of data connections traveling into or out of

the network. ACLs are normally applied to either traffic inbound to an interface or outbound from an

interface.

lFirewall policies are dynamic, meaning that address information in the policy rules can change as the policies

are applied to users. For example, the alias user in a policy automatically applies to the IP address assigned

to a particular user. ACLs typically require static IP addresses in the rule.

You can apply IPv4 and IPv6 firewall policies to the same user role. See IPv6 Support on page 175 for

information about configuring IPv6 firewall policies.

365 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

Working With Access Control Lists (ACLs)

Access control lists (ACLs) are a common way of restricting certain types of traffic on a physical port. ArubaOS

provides the following types of ACLs:

lStandard ACLs permit or deny traffic based on the source IP address of the packet. Standard ACLS can be

either named or numbered, with valid numbers in the range of 1-99 and 1300-1399. Standard ACLs use a

bitwise mask to specify the portion of the source IP address to be matched.

lExtended ACLs permit or deny traffic based on source or destination IP address, source or destination port

number, or IP protocol. Extended ACLs can be named or numbered, with valid numbers in the range 100-

199 and 2000-2699.

lMAC ACLs are used to filter traffic on a specific source MAC address or range of MAC addresses. Optionally,

you can mirror packets to a datapath or remote destination for troubleshooting and debugging purposes.

MAC ACLs can be either named or numbered, with valid numbers in the range of 700-799 and 1200-1299.

lEthertype ACLs are used to filter based on the Ethertype field in the frame header. Optionally, you can

mirror packets to a datapath or remote destination for troubleshooting and debugging purposes. Ethertype

ACLs can be either named or numbered, with valid numbers in the range of 200-299.These ACLs can be

used to permit IP while blocking other non-IP protocols, such as IPX or AppleTalk.

lService ACLs provide a generic way to restrict how protocols and services from specific hosts and subnets to

the controller are used. Rules with this ACL are applied to all traffic on the controller regardless of the

ingress port or VLAN.

ArubaOS provides both standard and extended ACLs for compatibility with router software from popular

vendors, however firewall policies provide equivalent and greater function than standard and extended ACLs

and should be used instead.

You can apply MAC and Ethertype ACLs to a user role, however these ACLs only apply to non-IP traffic from the

user.

Support for Desktop Virtualization Protocols

ArubaOS supports desktop virtualization protocols by providing preconfigured ACLs for Citrix and VMware

clients. You can apply these ACLs to the user-role when using the Virtual Desktop Infrastructure (VDI) clients.

This ensures that any enterprise application that uses the VDI client performs optimally with appropriate QoS.

Disable the voice aware ARM when applying the ACLs for the VDI clients as the virtual desktop sessions may prevent

the ARM scanning.

Creating a Firewall Policy

This section describes how to configure the rules that constitute a firewall policy. A firewall policy can then be

applied to a user role (until the policy is applied to a user role, it does not have any effect).

Table 61 describes required and optional parameters for a rule.

Field Description

Source

(required)

Source of the traffic, which can be one of the following:

lany: Acts as a wildcard and applies to any source address.

luser: This refers to traffic from the wireless client.

lhost: This refers to traffic from a specific host. When this option is chosen, you must

configure the IP address of the host.

lnetwork: This refers to a traffic that has a source IP from a subnet of IP addresses.

When this option is chosen, you must configure the IP address and network mask of

the subnet.

lalias: This refers to using an alias for a host or network. You configure the alias by

navigating to the Configuration > Advanced Services > Stateful Firewall >

Destination page.

Destination

(required)

Destination of the traffic, which can be configured in the same manner as Source.

Service

(required)

Type of traffic, which can be one of the following:

lany: This option specifies that this rule applies to any type of traffic.

ltcp: Using this option, you configure a range of TCP port(s) to match for the rule to

be applied.

ludp: Using this option, you configure a range of UDP port(s) to match for the rule to

be applied.

lservice: Using this option, you use one of the pre-defined services (common

protocols such as HTTPS, HTTP, and others) as the protocol to match for the rule to

be applied. You can also specify a network service that you configure by navigating

to the Configuration > Advanced Services > Stateful Firewall > Network

Services page.

lprotocol: Using this option, you specify a different layer 4 protocol (other than

TCP/UDP) by configuring the IP protocol value.

Action

(required)

The action that you want the controller to perform on a packet that matches the

specified criteria. This can be one of the following:

lpermit: Permits traffic matching this rule.

ldrop: Drops packets matching this rule without any notification.

lreject: Drops the packet and sends an ICMP notification to the traffic source.

lsrc-nat: Performs network address translation (NAT) on packets matching the rule.

When this option is selected, you need to select a NAT pool. (If this pool is not

configured, you configure a NAT pool by navigating to the Configuration >

Advanced > Security > Advanced > NAT Pools). Source IP changes to the

outgoing interface IP address (implied NAT pool) or from the pool configured

(manual NAT pool). This action functions in tunnel/decrypt-tunnel forwarding mode.

ldst-nat: This option redirects traffic to the configured IP address and destination

port. An example of this option is to redirect all HTTP packets to the captive portal

port on the Dell controller as used in the pre-defined policy called “captiveportal”.

This action functions in tunnel/decrypt-tunnel forwarding mode. User should

configure the NAT pool in the controller.

ldual-nat: This option performs both source and destination NAT on packets

matching the rule. Forward packets from source network to destination; re-mark

them with destination IP of the target network. This action functions in

tunnel/decrypt-tunnel forwarding mode. User should configure the NAT pool in the

controller.

lredirect to tunnel: This option redirects traffic into a GRE tunnel. This option is used

primarily to redirect all guest traffic into a GRE tunnel to a DMZ router/switch.

lredirect to ESI group: This option redirects traffic to the specified ESI server group.

You also specify the direction of traffic to be redirected: forward, reverse, or both

directions.

lroute:Specify the next hop to which packets are routed, which can be one of the

following:

Table 61: Firewall Policy Rule Parameters

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 366

367 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

Field Description

ldst-nat: Destination IP changes to the IP configured from the NAT pool. This

action functions in bridge/split-tunnel forwarding mode. User should configure

the NAT pool in the controller.

lsrc-nat:Source IP changes to RAP’s external IP. This action functions in bridge/s-

plit-tunnel forwarding mode and uses implied NAT pool.

Log (optional) Logs a match to this rule. This is recommended when a rule indicates a security

breach, such as a data packet on a policy that is meant only to be used for voice calls.

Mirror

(optional)

Mirrors session packets to datapath or remote destination.

Queue

(optional)

The queue in which a packet matching this rule should be placed.

Select High for higher priority data, such as voice, and Low for lower priority traffic.

Time Range

(optional)

Time range for which this rule is applicable.

Configure time ranges on the Configuration > Security > Access Control > Time

Ranges page.

Pause ARM

Scanning

(optional)

Pause ARM scanning while traffic is present. Note that you must enable “VoIP Aware

Scanning” in the ARM profile for this feature to work.

Black List

(optional)

Automatically blacklists a client that is the source or destination of traffic matching this

rule. This option is recommended for rules that indicate a security breach where the

blacklisting option can be used to prevent access to clients that are attempting to

breach the security.

White List

(optional)

A rule must explicitly permit a traffic session before it is forwarded to the controller.

The last rule in the white list denies everything else.

Configure white list ACLs on the Configuration > Advanced Services> Stateful

Firewall> White List (ACL) page.

TOS (optional) Value of type of service (TOS) bits to be marked in the IP header of a packet matching

this rule when it leaves the controller.

802.1p Priority

(optional)

Value of 802.1p priority bits to be marked in the frame of a packet matching this rule

when it leaves the controller.

The following example creates a policy ‘web-only’ that allows web (HTTP and HTTPS) access.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page on the WebUI.

2. To configure a firewall policy, select the policy type from the Policies title bar. You can select All,IPv4

Session,IPv6 Session,Ethernet,MAC,Standard or Extended.

3. Click Add to create a new policy.

4. If you selected All in Step 2, then select the type of policy you are adding from the Policy Type drop-down

menu.

5. Click Add to add a rule that allows HTTP traffic.

a. Under Service, select service from the drop-down list.

b. Select svc-http from the scrolling list.

c. Click Add.

6. Click Add to add a rule that allows HTTPS traffic.

a. Under Service, select service from the drop-down list.

b. Select svc-https from the scrolling list.

c. Click Add.

Rules can be re-ordered by using the up and down buttons provided for each rule.

7. Click Apply to apply this configuration. The policy is not created until the configuration is applied.

In the CLI

(host)(config) #ip access-list session web-only

any any svc-http permit

any any svc-https permit

Creating a Network Service Alias

A network service alias defines a TCP, UDP or IP protocol and a list or range of ports supported by that service.

When you create a network service alias, you can use that alias when specifying the network service for

multiple session ACLs.

In the WebUI

1. Navigate to the Configuration > Advanced Services> Stateful Firewall > Network Services page on

the WebUI.

2. Click Add to create a new alias.

3. Enter a name for the alias in the Service Name field.

4. In the Protocol section, select either TCP or UDP, or select Protocol and enter the IP protocol number of the

protocol for which you want to create an alias.

5. In the Port Type section, specify whether you want to define the port by a contiguous range of ports, or by

a list of non-contiguous port numbers.

lIf you selected Range, enter the starting and ending port numbers in the Starting Port and End Port

fields.

lIf you selected list, enter a comma-separated list of port numbers.

6. To limit the service alias to a specific application, click the Application Level Gateway (ALG) drop-down

list and select one of the following service types

ldhcp: Service is DHCP

ldns: Service is DNS

lftp: Service is FTP

lh323: Service is H323

lnoe: Service is Alcatel NOE

lrtsp: Service is RTSP

lsccp: Service is SCCP

lsip: Service is SIP

lsips: Service is Secure SIP

lsvp: Service is SVP

ltftp: Service is TFTP

lvocera: Service is VOCERA

7. Click Apply to save your changes.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 368

369 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

In the CLI

To define a service alias via the command-line interface, access the CLI in config mode and issue the following

command:

(host)(config) #netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]}

[ALG <service>]

Creating an ACL White List

The ACL White List consists of rules that explicitly permit or deny session traffic from being forwarded to or

blocked from the controller. The white list protects the controller during traffic session processing by

prohibiting traffic from being automatically forwarded to the controller if it was not specifically denied in a

blacklist. The maximum number of entries allowed in the ACL White List is 64. To create an ACL white list, you

must first define a white list bandwidth contract, and then assign it to an ACL.

In the WebUI

1. Navigate to the Configuration > Advanced Services > Stateful Firewall > White List BW Contracts

page.

2. Click Add to create a new contract.

3. In the White list contract name field, enter the name of a bandwidth contract.

4. The Bandwidth Rate field allows you to define a bandwidth rate in either kbps or Mbps. Enter a rate value

the Bandwidth rate field, then click the drop-down list and select either kbps or Mbps.

5. Click Done.

Configuring the ACL White List in the WebUI

1. Navigate to the Configuration > Stateful Firewall> ACL White Listpage.

2. To add an entry, click the Addbutton at the bottom of the page. The Add New Protocolsection displays.

3. Click the Action drop-down list and select Permit or Deny. Permit allows session traffic to be forwarded

to the controller while Deny blocks session traffic.

4. Click the IP Version drop-down list and select theIPv4 or IPv6 filter. You need to select one of three

following choices from the Source drop-down list:

nFor a specific IPv4 or IPv6 filter, select IP/Mask. Enter the IP address and mask of the IPv4 or IPv6 filter

in the corresponding fields.

nFor a IPv4 or IPv6 host, select Any and enter the source address.

5. In the IP Protocol Number or IP Protocol field, enter the number for a protocol or select the protocol

from the drop-down list used by session traffic.

6. In the Starting Ports field, enter a starting port. This is the first port, in the port range, on which permitted

or denied session traffic is running. Port range: 1–65535.

7. In the End Ports field, enter an ending port. This is the last port, in the port range, on which permitted or

denied session traffic is running. Port range: 1–65535.

8. (Optional) Click the White list Bandwidth Contract drop-down list and specify the name of a bandwidth

contract to apply to the session traffic. For further information on creating Bandwidth Contracts, see User

Roles on page 370

9. Click Done. The ACL displays on the white list section.

10.To delete an entry, click Delete next to the entry you want to delete.

11.Click Apply to save changes.

Configuring the White List Bandwidth Contract in the CLI

(host)(config) #cp-bandwidth-contract <name> {mbits <1..2000>}|{kbits <256..2000000>}

Configuring the ACL White List in the CLI

Use the following CLI command to create ACL White Lists.

(host) (config-fw-cp)ipv4|ipv6 deny|permit <ip-addr><ip-mask>|any|{host <ip-addr>} proto{<ip-

protocol-number> ports <start port number> <end port number>}

To create a whitelist ACL that allows traffic on an ipv4 filter with the ipv4 source address 10.10.10.10 and the

ipv4 source mask 2.2.2.2 where the protocol is ftp and the the bandwidth contract name is mycontract.

(host) (config-fw-cp) #ipv4 permit 10.10.10.10 2.2.2.2 proto ftp bandwidth-contract name

mycontract

to create a whitelist ACL entry that denies traffic using protocol 2 on port 5000 from being forwarded to the

controller:

(host) (config-fw-cp) deny proto 2 ports 5000 5000

User Roles

User roles are comprised of user role settings, firewall policies, and bandwidth contracts. This section describes

the procedure to create a new user role, and associate a firewall policy with that role.

This section describes how to create a new user role. When you create a user role, you must specify one or

more firewall policies for the role.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > User Roles page.

2. Click Add to create and configure a new user role.

3. Enter a user role name.

4. Under Firewall Policies, click Add.

5. Select one of the following three options to add a policy to the role.

lTo use an associate an existing policy to the user role, select Choose from Configured Policies then

select an existing policy from the drop-down list.

lto create a new policy based upon the settings of an existing policy, select Create New Policy from

Existing Policy drop-down list, then select an existing policy from the drop-down list. The Policies page

appears, allowing you to configure a new firewall policy.

lTo create and configure an entirely new policy, select Create New Policy, then click Create. The

Policies page appears, allowing you to configure a new firewall policy.

6. Click Done to add the policy to the user role.

7. (Optional) If the user role contains more than one firewall policy, use the up and down arrows to assign

priorities to each role. The higher the policy on the list, the higher its priority.

8. In the Misc. Configuration section, enter configuration values as described in Table 62.

9. Click Apply.

10.Next, you must assign the user role to a AAA profile. After assigning the user role you can use the show

reference user-role <role> command to see the profiles that reference this user role.For more

information, see Assigning User Roles on page 372

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 370

371 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

Field Description

Role name Name of the user role

Re-authentication

Interval (optional)

Time, in minutes, after which the client is required to reauthenticate. Enter a value

between 0-4096. 0 disables reauthentication.

Default: 0 (disabled)

Role VLAN ID

(optional)

By default, a client is assigned a VLAN on the basis of the ingress VLAN for the client to the

controller. You can override this assignment and configure the VLAN ID that is to be

assigned to the user role. You configure a VLAN by navigating to the Configuration >

Network > VLANs page.

Bandwidth Contract

(optional)

You can assign a bandwidth contract to provide an upper limit to upstream or downstream

bandwidth utilized by clients in this role. You can select the Per User option to apply the

bandwidth contracts on a per-user basis instead of to all clients in the role.

For more information, see User Roles on page 370.

VPN Dialer (optional) This assigns a VPN dialer to a user role. For details about VPN dialer, see Virtual Private

Networks on page 337.

Select a dialer from the drop-down list and assign it to the user role. This dialer will be

available for download when a client logs in using captive portal and is assigned this role.

L2TP Pool (optional) This assigns an L2TP pool to the user role. For more details about L2TP pools, see Virtual

Private Networks on page 337.

Select the required L2TP pool from the list to assign to the user role. The inner IP

addresses of VPN tunnels using L2TP will be assigned from this pool of IP addresses for

clients in this user role.

PPTP Pool (optional) This assigns a PPTP pool to the user role. For more details about PPTP pools, see Virtual

Private Networks on page 337.

Select the required PPTP pool from the list to assign to the user role. The inner IP

addresses of VPN tunnels using PPTP will be assigned from this pool of IP addresses for

clients in this user role.

Captive Portal Profile

(optional)

This assigns a Captive Portal profile to this role. For more details about Captive Portal

profiles, see Captive Portal Authentication on page 299.

Captive Portal Check

for Accounting

This setting is enabled by default. If disabled, RADIUS accounting is done for an authen-

ticated users irrespective of the captive-portal profile in the role of an authenticated user.

If enabled, accounting is not done as long as the user's role has a captive portal profile on

it. Accounting will start when Auth/XML-Add/CoA changes the role of an authenticated user

to a role which doesn't have captive portal profile.

Max Sessions This parameter configures the maximum number of sessions per user in this role. If the

sessions reach the maximum value, any additional sessions from this user that are

reaching the threshold are blocked till the session usage count for the user falls back

below the configured limit.

The default is 65535. You can configure any value between 0-65535.

Table 62: User Role Parameters

To a delete a user role in the WebUI:

1. Navigate to the Configuration > Security > Access Control > User Roles page.

2. Click the Delete button against the role you want to delete.

You cannot delete a user-role that is referenced to profile or server derived role. Deleting a server referenced role

will result in an error. Remove all references to the role and then perform the delete operation.

In the CLI

(host)(config) #user-role web-guest

access-list session web-only position 1

Assigning User Roles

A client is assigned a user role by one of several methods. A role assigned by one method may take precedence

over one assigned by a different method. The methods of assigning user roles are, from lowest to highest

precedence:

1. The initial user role or VLAN for unauthenticated clients is configured in the AAA profile for a virtual AP (see

Access Points (APs) on page 485).

2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a

user-derived role). You can configure rules that assign a user role to clients that match a certain set of

criteria. For example, you can configure a rule to assign the role VoIP-Phone to any client that has a MAC

address that starts with bytes xx:yy:zz.User-derivation rules are executed before client authentication.

3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN.

For each authentication method, you can configure a default role for clients who are successfully

authenticated using that method.

4. The user role can be derived from attributes returned by the authentication server and certain client

attributes (this is known as a server-derived role). If the client is authenticated via an authentication server,

the user role for the client can be based on one or more attributes returned by the server during

authentication, or on client attributes such as SSID (even if the attribute is not returned by the server).

Server-derivation rules are executed after client authentication.

5. The user role can be derived from Dell Vendor-Specific Attributes (VSA) for RADIUS server authentication. A

role derived from a Dell VSA takes precedence over any other user roles.

The following sections describe the methods of assigning user roles.

Assigning User Roles in AAA Profiles

An AAA profile defines the user role for unauthenticated clients (initial role) as well as the default user role for

MAC and 802.1x authentication. To configure user roles in the AAA profile:

In the WebUI

1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.

2. Select the default profile or a user-defined AAA profile.

3. Click the Initial Role drop-down list, and select the desired user role for unauthenticated users.

4. Click the 802.1x Authentication Default Role drop-down list and select the desired user role for users

who have completed 802.1x authentication.

5. Click the MAC Authentication Default Role drop-down list and select the desired user role for clients

who have completed MAC authentication.

6. Click Apply.

In the CLI

(host)(config) #aaa profile <profile>

initial-role <role>

dot1x-default-role <role>

mac-default-role <role>

For additional information on creating AAA profiles, see WLAN Authentication on page 421.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 372

373 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

Working with User-Derived VLANs

Attributes derived from the client’s association with an AP can be used to assign the client to a specific role or

VLAN, as user-derivation rules are executed before the client is authenticated.

You configure the user role or VLAN to be assigned to the client by specifying condition rules; when a condition

is met, the specified user role or VLAN is assigned to the client. You can specify more than one condition rule;

the order of rules is important as the first matching condition is applied. You can optionally add a description

of the user rule.

Table 63 describes the conditions for which you can specify a user role or VLAN.

Rule Type Condition Value

BSSID: Assign client to a role or VLAN

based upon the BSSID of AP to which client

is associating.

One of the following:

lcontains

lends with

lequals

ldoes not equal

lstarts with

MAC address (xx:xx:xx:xx:xx:xx)

DHCP-Option: Assign client to a role or

VLAN based upon the DHCP signature ID.

One of the following:

lequals

lstarts with

DHCP signature ID.

NOTE: This string is not case

sensitive.

DHCP-Option-77: Assign client to a role or

VLAN based upon the user class identifier

returned by DHCP server.

equals string

Encryption: Assign client to a role or VLAN

based upon the encryption type used by

the client.

One of the following:

lequals

ldoes not equal

lOpen (no encryption)

lWPA/WPA2 AES

lWPA-TKIP (static or dynamic)

lDynamic WEP

lWPA/WPA2 AES PSK

lStatic WEP

lxSec

ESSID: Assign client to a role or VLAN

based upon the ESSID to which the client is

associated

One of the following:

lcontains

lends with

lequals

ldoes not equal

lstarts with

lvalue of (does not

take string;

attribute value is

used as role)

string

Location: Assign client to a role or VLAN

based upon the ESSID to which the client is

associated

One of the following:

lequals

ldoes not equal

string

MAC address of the client One of the following:

lcontains

lends with

lequals

ldoes not equal

lstarts with

MAC address (xx:xx:xx:xx:xx:xx)

Table 63: Conditions for a User-Derived Roleor VLAN

Understanding Device Identification

The device identification feature allows you to assign a user role or VLAN to a specific device type by identifying

a DHCP option and signature for that device. If you create a user rule with the DHCP-Option rule type, the first

two characters in the Value field must represent the hexadecimal value of the DHCP option that this rule

should match, while the rest of the characters in the Value field indicate the DHCP signature the rule should

match. To create a rule that matches DHCP option 12 (host name), the first two characters of the in the Value

field must be the hexadecimal value of 12, which is 0C. To create a rule that matches DHCP option 55, the first

two characters in the Value field must be the hexadecimal value of 55, which is 37.

The following table describes some of the DHCP options that are useful for assigning a user role or VLAN.

DHCP Option Description Hexadecimal Equivalent

12 Host name 0C

55 Parameter Request List 37

60 Vendor Class Identifier 3C

81 Client FQDN 51

DHCP Option values

The device identification features in ArubaOS can also automatically identify different client device types and

operating systems by parsing the User-Agent strings in the client’s HTTP packets. To enable this feature, select

the Device Type Classification option in the AP’s AAA profile. For details, see WLAN Authentication on page

421.

Configuring a User-derived VLAN in the WebUI

1. Navigate to the Configuration > Security > Authentication > User Rules page.

2. Click Add to add a new set of derivation rules. Enter a name for the set of rules, and click Add. The name

appears in the User Rules Summary list.

3. In the User Rules Summary list, select the name of the rule set to configure rules.

4. Click Add to add a rule. For Set Type, select the VLAN name or ID from the VLAN the drop-down menu.

(You can select VLAN to create d>erivation rules for setting the VLAN assigned to a client.)

5. Configure the condition for the rule by setting the Rule Type, Condition, Value parameters and optional

description of the rule. See Table 63 for descriptions of these parameters.

6. Select the role assigned to the client when this condition is met.

7. Click Add.

8. You can configure additional rules for this rule set. When you have added rules to the set, use the up or

down arrows in the Actions column to modify the order of the rules. (The first matching rule is applied.)

9. Click Apply.

10.(Optional) If the rule uses the DHCP-Option condition, best practices is to enable the Enforce DHCP

parameter in the AP group’s AAA profile, which requires users to complete a DHCP exchange to obtain an IP

address. For details on configuring this parameter in an AAA profile, seeWLAN Authentication on page 421.

Configuring a User-derived Role or VLAN in the CLI

(host)(config) #aaa derivation-rules user <name>

set role|vlan

set-value <role>

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 374

375 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

position <number>

See Table 63 for descriptions of these parameters.

User-Derived Role Example

The example rule shown in Figure 37 below sets a user role for clients whose host name (DHCP option 12) has

a value of 6C6170746F70, which is the hexadecimal equivalent of the ASCII string laptop. The first two digits in

the Value field are the hexadecimal value of 12 (which is 0C), followed by the specific signature to be matched.

There are many online tools available for converting ASCII text to a hexadecimal string.

Figure 37 DHCP Option Rule

To identify DHCP strings used by an individual device, access the command-line interface in config mode and

issue the following command to include DHCP option values for DHCP-DISCOVER and DHCP-REQUEST frames

in the controller’s log files:

logging level debugging network process dhcpd

Now, connect the device you want to identify to the network, and issue the CLI command show log network.

The sample below is an example of the output that may be generated by this command.

Be aware that each device type may not have a unique DHCP fingerprint signature. For example, devices from

different manufacturers may use vendor class identifiers that begin with similar strings. If you create a DHCP-

Option rule that uses the starts-with condition instead of the equals condition, the rule may assign a role or

VLAN to more than one device type.

RADIUS Override of User-Derived Roles

This feature introduces a new RADIUS vendor specific attribute (VSA) named “Aruba-No-DHCP-Fingerprint,”

value 14. This attribute signals the RADIUS Client (controller) to ignore the DHCP Fingerprint user role and

VLAN change post L2 authentication. This feature applies to both CAP and RAP in tunnel mode and for the L2

authenticated role only.

Configuring a Default Role for Authentication Method

For each authentication method, you can configure a default role for clients who are successfully authenticated

using that method. To configure a default role for an authentication method:

In the WebUI

1. Navigate to the Configuration > Security > Authentication page.

2. To configure the default user role for MAC or 802.1x authentication, select the AAA Profiles tab. Select the

AAA profile. Enter the user role for MAC Authentication Default Role or 802.1x Authentication Default Role.

3. To configure the default user role for other authentication methods, select the L2 Authentication or L3

Authentication tab. Select the authentication type (Stateful 802.1x or stateful NTLM for L2

Authentication, Captive Portal or VPN for L3 Authentication), and then select the profile. Enter the user role

for Default Role.

4. Click Apply.

For additional information on configuring captive portal authentication, see Captive Portal Authentication on

page 299.

In the CLI

To configure the default user role for MAC or 802.1x authentication:

(host)(config) #aaa profile <profile>

mac-default-role <role>

dot1x-default-role <role>

To configure the default user role for other authentication methods:

(host)(config) #aaa authentication captive-portal <profile>

d>efault-role <role>

(host)(config) #aaa authentication stateful-dot1x

d>efault-role <role>

(host)(config) #aaa authentication stateful-ntlm

d>efault-role <role>

(host)(config) #aaa authentication vpn

d>efault-role <role>

Configuring a Server-Derived Role

If the client is authenticated through an authentication server, the user role for the client can be based on one

or more attributes returned by the server during authentication. You configure the user role to be derived by

specifying condition rules; when a condition is met, the specified user role is assigned to the client. You can

specify more than one condition rule; the order of rules is important as the first matching condition is applied.

You can also define server rules based on client attributes such as ESSID, BSSID, or MAC address, even though

these attributes are not returned by the server.

For information about configuring a server-derived role, see Configuring Server-Derivation Rules on page 242.

Configuring a VSA-Derived Role

Many Network Address Server (NAS) vendors, including Dell, use VSAs to provide features not supported in

standard RADIUS attributes. For Dell systems, VSAs can be employed to provide the user role and VLAN for

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 376

377 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

RADIUS-authenticated clients, however the VSAs must be present on your RADIUS server. This involves

defining the vendor (Dell) and/or the vendor-specific code (14823), vendor-assigned attribute number,

attribute format (such as string or integer), and attribute value in the RADIUS dictionary file. VSAs supported

on controllers conform to the format recommended in RFC 2865, “Remote Authentication Dial In User Service

(RADIUS)”.

For more information on Dell VSAs, see RADIUS Server VSAs on page 228. Dictionary files that contain Dell

VSAs are available on the Dell support website for various RADIUS servers. Log into the Dell support website to

download a dictionary file from the Tools folder.

Understanding Global Firewall Parameters

Table 64 describes optional firewall parameters you can set on the controller for IPv4 traffic. To set these

options in the WebUI, navigate to the Configuration > Advanced Services > Stateful Firewall > Global

Setting page and select or enter values in the IPv4 column. To set these options in the CLI, use the firewall

configuration commands.

See IPv6 Support on page 175 for information about configuring firewall parameters for IPv6 traffic.

Parameter Description

Monitor Ping Attack (per 30

seconds)

Number of ICMP pings per 30 second, which if exceeded, can indicate a

denial of service attack. Valid range is 1-16384 pings per 30 seconds.

Recommended value is 120.

Default: No default

Monitor TCP SYN Attack rate

(per 30 seconds)

Number of TCP SYN messages per 30 second, which if exceeded, can

indicate a denial of service attack. Valid range is 1-16384 pings per 30

seconds.

Recommended value is 960.

Default: No default

Monitor IP Session Attack (per

30 seconds)

Number of TCP or UDP connection requests per 30 second, which if

exceeded, can indicate a denial of service attack. Valid range is 1-16384

requests per 30 seconds.

Recommended value is 960.

Default: No default

Monitor/Police ARP Attack (non

Gratuitous ARP) rate (per 30

seconds)

Number of ARP packets (other than Gratuitous ARP packets) per 30

seconds, which if exceeded, can indicate a denial of service attack. Valid

range is 1-16384 packets per 30 seconds.

Recommended value is 960.

Default: No default

NOTE: Blacklisting of wired clients is not supported.

Monitor/Police CP Attack rate

(per 30 seconds)

Rate of misbehaving user’s traffic, which if exceeded, can indicate a

denial or service attack.

Recommended value is 3000 frames per 30 seconds.

Default: No default

Monitor/Police Gratuitous ARP

Attack rate (per 30 seconds)

Number of Gratuitous ARP packets per 30 seconds, which if exceeded,

can indicate denial of service attack. Valid range is 1-16384 packets per

30 seconds.

Recommended value is 50.

Default: 50

NOTE: Blacklisting of wired clients is not supported.

Table 64: IPv4 Firewall Parameters

Parameter Description

Deny Inter User Bridging Prevents the forwarding of Layer-2 traffic between wired or wireless

users. You can configure user role policies that prevent Layer-3 traffic

between users or networks but this does not block Layer-2 traffic. This

option can be used to prevent traffic, such as Appletalk or IPX, from being

forwarded.

Default: Disabled

Deny Inter User Traffic Denies traffic between untrusted users by disallowing layer2 and layer3

traffic. This parameter does not depend on the deny-inter-user-bridging

parameter being enabled or disabled.

Default: Disabled

Deny Source Routing Permits the firewall to reject and log packets with the specified IP options

loose source routing, strict source routing, and record route. Note that

network packets where the IPv6 source or destination address of the

network packet is defined as an “link-local address (fe80::/64) are

permitted.

Default: Disabled

Deny All IP Fragments Drops all IP fragments.

NOTE: Do not enable this option unless instructed to do so by a Dell

representative.

Default: Disabled

Enforce TCP Handshake Before

Allowing Data

Prevents data from passing between two clients until the three-way TCP

handshake has been performed. This option should be disabled when

you have mobile clients on the network as enabling this option will cause

mobility to fail. You can enable this option if there are no mobile clients

on the network.

Default: Disabled

Prohibit IP Spoofing Enables detection of IP spoofing (where an intruder sends messages

using the IP address of a trusted client). When this option is enabled,

source and destination IP and MAC addresses are checked for each ARP

request/response. Traffic from a second MAC address using a specific IP

address is denied, and the entry is not added to the user table. Possible

IP spoofing attacks are logged and an SNMP trap is sent.

Default: Enabled

Prohibit RST Replay Attack When enabled, closes a TCP connection in both directions if a TCP RST is

received from either direction. You should not enable this option unless

instructed to do so by a Dell representative.

Default: Disabled

Log ICMP Errors Enables logging of received ICMP errors. You should not enable this

option unless instructed to do so by a Dell representative.

Default: Disabled

Stateful SIP Processing Disables monitoring of exchanges between a voice over IP or voice over

WLAN device and a SIP server. This option should be enabled only when

there is no VoIP or VoWLAN traffic on the network.

Default: Disabled (stateful SIP processing is enabled)

Allow Tri-session with DNAT Allows three-way session when performing destination NAT. This option

should be enabled when the controller is not the default gateway for

wireless clients and the default gateway is behind the controller. This

option is typically used for captive portal configuration.

Default: Disabled.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 378

379 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Amsdu Configuration Enables handling AMSDU traffic from clients.

Default: Disabled

Session Mirror Destination Destination (IP address or port) to which mirrored session packets are

sent. This option is used only for troubleshooting or debugging.

Packets can be mirrored in multiple ACLs, so only a single copy is

mirrored if there is a match within more than one ACL.

You can configure the following:

lEthertype to be mirrored with the Ethertype ACL mirror option.

lIP flows to be mirrored with the session ACL mirror option.

lMAC flows to be mirrored with the MAC ACL mirror option.

lIf you configure both an IP address and a port to receive mirrored

packets, the IP address takes precedence.

Default: N/A

Session Idle Timeout (sec) Set the time, in seconds, that a non-TCP session can be idle before it is

removed from the session table. Specify a value in the range 16-259

seconds. You should not set this option unless instructed to do so by a

Dell representative.

Default: 15 seconds

Disable FTP Server Disables the FTP server on the controller. Enabling this option prevents

FTP transfers. You should not enable this option unless instructed to do

so by a Dell representative.

Default: Disabled (FTP server is enabled)

GRE Call ID Processing Creates a unique state for each PPTP tunnel. You should not enable this

option unless instructed to do so by a Dell representative.

Default: Disabled

Per-packet Logging Enables logging of every packet if logging is enabled for the

corresponding session rule. Normally, one event is logged per session. If

you enable this option, each packet in the session is logged. You should

not enable this option unless instructed to do so by a Dell representative,

as doing so may create unnecessary overhead on the controller.

Default: Disabled (per-session logging is performed)

Broadcast-filter ARP Reduces the number of broadcast packets sent to VoIP clients, thereby

improving the battery life of voice handsets. You can enable this option

for voice handsets in conjunction with increasing the DTIM interval on

clients.

Default: Disabled

Prohibit ARP Spoofing Detects and prohibits arp spoofing. When this option is enabled, possible

arp spoofing attacks are logged and an SNMP trap is sent.

Default: Disabled

Prevent DHCP exhaustion Enable check for DHCP client hardware address against the packet

source MAC address. This command checks the frame's source-MAC

against the DHCPv4 client hardware address and drops the packet if it

does not match. Enabling this feature prevents a client from submitting

multiple DHCP requests with different hardware addresses, thereby

preventing DHCP pool depletion.

Default: Disabled

Parameter Description

Session VOIP Timeout (sec) Sets the idle session timeout for sessions that are marked as voice

sessions. If no voice packet exchange occurs over a voice session for the

specified time, the voice session is removed. Range is 16 – 300 seconds.

Default: 300 seconds

Stateful H.323 Processing Disables stateful H.323 processing.

Default: Enabled

Stateful SCCP Processing Disables stateful SCCP processing.

Default: Disabled

Only allow local subnets in user

table

Adds only IP addresses, which belong to a local subnet, to the user-table.

Default: Disabled

Session mirror IPSEC Configures session mirroring of all frames that are processed by IPsec.

Frames are sent to IP address specified by the session-mirror-

destination option.

NOTE: Use this option for debugging or troubleshooting only.

Default: Disabled

Session-tunnel FIB Enable session-tunnel based forwarding.

NOTE: Best practices is to enable this parameter only during

maintenance window or off-peak production hours.

Multicast automatic shaping Enables multicast optimization and provides excellent streaming quality

regardless of the amount of VLANs or IP IGMP groups that are used.

Default: Disabled

Stateful VOCERA Processing Disables stateful VOCERA processing.

Default: Disabled

Stateful UA Processing Disables stateful UA processing.

Default: Disabled

Enforce bw contracts for

broadcast traffic

Applies bw contracts to local subnet broadcast traffic.

Enforce TCP Sequence numbers Enforces the TCP sequence numbers for all packets.

Default:Disabled

Enforce WMM Voice Priority

Matches Flow Content

If traffic to or from the user is inconsistent with the associated QoS policy

for voice, the traffic is reclassified to best effort and data path counters

incremented.

Default: Disabled

Rate limit CP untrusted ucast

traffic (pps)

Specifies the untrusted unicast traffic rate limit. Range is 1-65535 pps.

Default: 9765 pps

Rate limit CP untrusted mcast

traffic (pps)

Specifies the untrusted multicast traffic rate limit. Range is 1-65535 pps.

Default: 1953 pps

Rate limit CP trusted ucast traffic

(pps)

Specifies the trusted unicast traffic rate limit. Range is 1-65535 pps.

Default: 65535 pps

Rate limit CP trusted mcast

traffic (pps)

Specifies the trusted multicast traffic rate limit. Range is 1-65535 pps.

Default: 1953 pps

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 380

381 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Rate limit CP route traffic (pps) Specifies the traffic rate limit that needs ARP requests. Range is 1-65535

pps.

Default: 976 pps

Rate limit CP session mirror

traffic (pps)

Specifies the session mirrored traffic forwarded to the controller. Range

is 1-65535 pps.

Default: 976 pps

Rate limit CP auth process traffic

(pps)

Specifies the traffic rate limit that is forwarded to the authentication

process. Range is Range is 1-65535 pps.

Default: 976 pps

Using AppRF 2.0

The AppRF 2.0 feature improves application visibility and control by allowing you to configure access control

list (ACL) and bandwidth-control applications and application categories. AppRF 2.0 supports a Deep Packet

Inspection (DPI) engine for application detection for over a thousand applications. All wired and wireless traffic

that traverses the controller can now be categorized and controlled by application and application category.

AppRF 2.0 provides the ability to:

lpermit or deny an application or application category for a specific role. For example, you can block

bandwidth monopolizing applications on a guest role within an enterprise.

lrate limit an application or application category, such as video streaming applications, globally or for a

specific role.

lmark different L2/L3 Quality of Service (QoS) for an application or application category for a user role. For

example, you can mark video and voice sessions that originate from wireless users with different priorities

so that traffic is prioritized accordingly in your network.

To configure AppRF 2.0, see the following topics:

lEnabling Deep Packet Inspection (DPI) on page 381

lConfiguring Policies for AppRF 2.0 on page 382

lConfiguring Bandwidth Contracts for AppRF 2.0 on page 384

Enabling Deep Packet Inspection (DPI)

For application and application category specific configuration to take affect, you must first enable DPI.

In the WebUI

1. Navigate to Configuration > Advanced Services > Stateful Firewall > Global Settings.

2. Check the Enable Deep Packet Inspection option. To disable DPI, uncheck the checkbox.

3. Click Apply.

4. Reload the controller.

In the CLI

To enable global DPI:

(host)(config) #firewall dpi

(host) #reload

You must reboot (reload) the controller after you enable DPI for global classification to take effect.

To disable global DPI:

(host)(config)# no firewall dpi

You must reboot (reload) the controller after you disable DPI for global classification to be disabled.

Show Command Output

The show datapath session output now includes:

lA new parameter, show datapath session dpi, displays application ID, application name, and the

following ACL/ACE index information for a given session:

nAclVersion: This is used to store the current version number of the ACL that is used at session creation

time and is used for troubleshooting purposes.

nPktsDpi: The number of packets sent to the DPI engine for a given session.

nAceIdx: The Index of the Access List entry (in a given ACL) that triggered a match during session creation.

nDpiTIdx: This is an index to the DPI engine Tbl and is only used for troubleshooting purposes.

lA new flag, A - Application Firewall Inspect, indicates that a flow is being subjected to DPI.

Configuring Policies for AppRF 2.0

Access control lists now contain new application and application category options that let you permit or deny

an application or application category on a given role. See the Dashboard Monitoring AppRF topic for details

about configuring policies from the Dashboard.

How ACL Works with AppRF

A session entry proceeds through two phases: the application detection phase (phase1) and the post-

application detection phase (phase 2). A session ACL is applied in phase1 and in phase 2.

In phase1, if the session ACL lookup results in an L3/L4 ACE entry request, the traffic pertaining to the session

is guided by this L3/L4 ACE entry. However, if the session ACL lookup results in an application/application

category specific ACE entry, the enforcement is postponed until phase 2. Once the application is determined,

the session ACL is re-applied with "application/application category" information to determine the final action

on the traffic.

Global Session ACL

The Global Session ACL is used to configure ACL rules that span across or are common to all roles. They are

applied to all roles. The "global-sacl" rules take precedence over any other ACLs that may be in the user role.

A new session ACL has been added named "global-sacl." This session, by default, is in position one for every

user role configured on the controller. The global-sacl session ACL has the following properties:

lIt cannot be deleted.

lIt always remains at position one in every role and its position cannot be modified.

lIt contains only application rules.

lIt can be modified in the WebUI, CLI, and dashboard on a master controller.

lAny modifications to it resulst in the regeneration of ACE’s of all roles.

Role Default Session ACL

You can configure role-specific application configuration using the WebUI and dashboard. For example, you

can deny the facebook application on the guest role using the CLI or dashboard without having to change the

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 382

383 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

firewall configuration. This per-user role configuration from WebUI or Dashboard is placed in the Role Default

Session ACL.

A new role session ACL named apprf-“role-name”-sacl has been added. This session, by default, is in position

two for every user role configured on the controller.

The string "apprf" is added to the beginning and "sacl" to the end of a role’s name to form a controllerunique

name for role default session ACL. This session ACL is in position two of the given user role after the global

session ACL and takes the next higher priority after global policy rules.

The predefined role session ACL has the following properties:

lIt cannot be deleted through the WebUI or CLI. It it is only deleted automatically when the corresponding

role is deleted.

lIt always remains at position 2 in every role and its position cannot be modified.

lIt contains only application rules.

lIt can be modified using the WebUI, CLI, or dashboard on a master controller, however any modification

results in the regeneration of ACE’s for that role.

lIt cannot be applied to any other role.

Session ACL Examples

The following CLI configuration shows how pre-classification and post-classification occurs during

enforcement.

Any any app skype permit

Any any deny

Each application has an implicit set of ports that are used for communication. In phase 1, if an application ACE

entry is hit, the traffic matching this application’s implicit port is allowed (as governed by the application ACE).

The DPI engine can monitor the exchange on these ports and determine the application. Once the application

is determined, phase 2 occurs when an evaluation is done to determine the final outcome for the session.

The following CLIconfiguration example is a user role with both the global and role session ACLs:

User-role employee

ip access-list session global-sacl

ip access-list session apprf-employee-sacl

ip access-list session control

any any app gmail-chat permit

any any app youtube permit

any any any deny

This example shows a DPI rule along with a L3/L4 rule with forwarding action in the same ACL.

ip access-list session AppRules

any any app Facebook permit tos 45

any any app YouTube deny

any any appcategory peer-to-peer deny

any any tcp 23 permit

network 40.1.0.0/16 any tcp 80 permit tos 60

network 20.1.0.0/16 any tcp 80 src-nat

ip access-list session NetRules

network 80.0.0.0/24 any tcp 80 deny

network 60.0.0.0/24 any tcp 80 dual-nat pool <pool1>

network 10.0.0.0/24 any tcp 80 dst-nat

user-role Role1

session-acl AppRules

session-acl NetRules

In the WebUI

1. Navigate to Configuration > Access Control > Policies.

2. Click Add/Edit.

3. Click Add under Rules/IP Version.

4. Select application or application category from the Service drop-down menu and select configuration

options.

5. Click Apply.

In the CLI

To configure the ACL application-specific parameters using the command-line interface, access the command-

line interface in config mode, run the following commands:

ip access-list session <accname>

<source> <dest> <service> <action>[<extended action>]

Configuring Bandwidth Contracts for AppRF 2.0

Bandwidth contract configuration lets you configure bandwidth contracts for both the global or application-

specific levels.

Global Bandwidth Contract Configuration

You can configure bandwidth contracts to limit application and application categories on an application or

global level.

In the CLI

To configure global bandwidth contracts:

(host)(config) #dpi global-bandwidth-contract[app|appcategory]

<name>[downstream|upstream][kbits|mbits]<256..2000000>

To show global bandwidth contract configuration output:

(host) #show dpi global-bandwidth-contract all

(host) #show dpi global-bandwidth-contract app name

(host) #show dpi global-bandwidth-contract appcategory name

Role-Specific Bandwidth Contracts

Application-specific bandwidth contracts (unlike "generic" bandwidth-contracts) allow you to control or reserve

rates for specific applications only on a per-role basis. An optional exclude list is provided that allows you to

exclude applications or application categories on which a generic user/role bandwidth-contract is not applied.

Using an Exclude List

The exclude list enables you to give specific enterprise mission-critical applications priority over other user

traffic. An enterprise may have well known applications such as Microsoft Exchange, SAP, Oracle, accounting

and finance applications, and other enterprise resource planning (ERP) or customer relationship management

(CRM) applications.

An exclude list helps you to prioritize these mission-critical enterprise applications.

Instead of enumerating bandwidth limits for each application individually on a per-user/per-role basis, you can

configure a single bandwidth contract on a per-user/per-role to limit all non-mission critical applications. You

can then exclude all mission-critical applications by placing them in an exclude list. This way all mission-critical

applications will not be rate-limited.

Important points regarding bandwidth contracts include:

lApplication bandwidth contracts are per-role by default.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 384

385 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide

lWhen an application bandwidth-contract is configured for both a cateogry and an application within the

category, always apply the most specific bandwidth contract.

In the WebUI

1. Navigate to Configuration > Security > Access Control > User Roles.

2. Click Add to create a new user role or Edit to modify an existing role.

3. Select the Bandwidth Contracts tab.

4. To exclude an application or application category, click the Add button below the Exceptions section, select

an item from the Name drop-down menu and click Done.

5. To add an application or application category to a bandwidth contract, click Add under Application

Bandwidth Contracts.

6. Select the application from the Name drop-down me and whether it is enforced.

7. Enter a name of the new bandwidth contract, the bandwidth in kpbs or mbps, and if downstream is

enforced.

8. Select an option from the Downstream drop-down menu and Per Role, Per User, or Per AP Group from the

adjacent drop-down menu.

9. Select additional configuration parameters from the Misc. Configuration pane.

Make sure that the Enable Deep Packet Inspection option is checked.

10.Click Apply.

In the CLI

To configure the bandwidth application-specific parameters using the CLI, access the command-line interface in

config mode, and issue the following commands:

(host)config t #user-role <string>

(host)(config-role) #bw-contract exclude[app|app-cat]

<string>|[upstream|downstream]

To exclude a specific application or application category, use the following command.

(host)(config-role)#bw-contract exclude[app|app-cat]|<name>

Dell Networking W-Series ArubaOS 6.4.x| User Guide ClearPass Policy Manager Integration | 386

Chapter 17

ClearPass Policy Manager Integration

ArubaOS and ClearPass Policy Manager (CPPM) include support for centralized policy definition and

distribution. ArubaOS now supports downloadable roles. By using this feature, when CPPM successfully

authenticates a user, the user is assigned a role by CPPM and if the role is not defined on the controller, the role

attributes can also be automatically downloaded.

This chapter contains the following sections:

nIntroduction on page 386

nImportant Points to Remember on page 386

nEnabling Downloadable Role on a Controller on page 387

nSample Configuration on page 387

Introduction

In order to provide highly granular per-user level access, user roles can be created when a user has been

successfully authenticated. During the configuration of a policy enforcement profile at CPPM, the

administrator can define a role that should be assigned to the user after successful authentication. In RADIUS

authentication, when CPPM successfully authenticates a user, the user is assigned a role by CPPM and if the

role is not defined on the controller, the role attributes can also be automatically downloaded. This feature

supports roles obtained by the following authentication methods:

l802.1x (wireless and wired users)

lMAC authentication

lCaptive Portal

Important Points to Remember

lUnder Advanced mode, CPPM does not perform any error checking to confirm accuracy of the role

definition. Therefore, it is recommended that you review the role defined in CPPM prior to enabling this

feature.

lAttributes that are listed below, herein referred to as whitelist role attributes, can be defined in CPPM.

nnetdestination

nnetservice

nip access-list eth

nip access-list mac

nip access-list session

nuser-role

lThe above attributes that are referred to by a role definition must either be defined within the role

definition itself or configured on the controller before the policy is downloaded.

lIn CPPM, two or more attributes (as listed above) should not have the same name. Example below is

considered invalid as both the attributes have test as the profile/net destination name.

qos-profile test

netdestination test

387 | ClearPass Policy Manager Integration Dell Networking W-Series ArubaOS 6.4.x| User Guide

lAn instance name (name of a whitelist role attribute as stated above) is case-sensitive. Attributes must

adhere to the following rules:

nShould not match any CLI option nested under a command from the whitelist.

nShould not contain a number or a combination of numbers.

nShould not contain any periods '.'.

nShould not contain any spaces.

Example below is considered as invalid configurations and will fail CPPM role download on a controller:

netservice 'tcp' tcp 443

The first instance of tcp is a user-defined field while the second is an operator of the netservice command.

This violates the first rule.

netdestination 'alias'

The user-defined name alias is also a valid operator of the netdestination command. This violates the

first rule.

netdestination '10.1.5'

This user-defined name uses both numbers and periods. This violates the second and third rule.

ip access-list stateless '100'

This user-defined name uses numbers. This violates the second rule.

qos-profile emp role

This profile name emp role contains spaces. This violates the fourth rule.

It is recommended that some naming convention similar to the CamelCase (mixture of upper and lower case

letters in a single word) be used to avoid collisions with the CLI options in the role description.

Enabling Downloadable Role on a Controller

You can enable role download using the CLI or WebUI.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > AAA Profiles.

2. Select an AAA profile.

3. Check the Download Role from CPPM check box to enable role download.

Using the CLI

(host) (config) #aaa profile <profile-name>

(host) (AAA profile) #download-role

Sample Configuration

The following example shows the configuration details to integrate CPPM server with a controller to

automatically download roles.

CPPM Server Configuration

Adding a Device

1. From the Configuration > Network > Devices page, click the Add Device link.

2. On the Device tab, enter the Name,IP or Subnet Address, and RADIUS Shared Secret fields.

Keep the rest of the fields as default.

3. Click Add.

The fields are described in Figure 38 and Table 65.

Figure 38 Device Tab

Container Description

Name Specify the name or identity of the device.

IP or Subnet Address Specify the IP address or subnet (example 10.1.1.1/24) of the device.

RADIUS Shared Secret Enter and confirm a Shared Secret for each of the two supported request

protocols.

Table 65:

Device Tab

Adding Enforcement Profile

1. From Configuration > Enforcement > Profiles page, click Add Enforcement Profile.

2. On the Profile tab, select Aruba Downloadable Role Enforcement from the Template drop-down list.

3. Enter the Name of the enforcement profile.

4. From the Role Configuration Mode, select Advanced.

Keep the rest of the fields as default.

5. Click Next.

For the rest of the configuration, see Advanced Role Configuration Mode.

The fields are described in Figure 39 and Table 66.

Dell Networking W-Series ArubaOS 6.4.x | User Guide ClearPass Policy Manager Integration | 388

389 | ClearPass Policy Manager Integration Dell Networking W-Series ArubaOS 6.4.x| User Guide

Figure 39 Enforcement Profiles Page

Container Description

Template Policy Manager comes pre-packaged with several enforcement profile templates. In

this example, select Aruba Downloadable Role Enforcement - RADIUS template

that can be filled with user role definition to create roles that can be assigned to

users after successful authentication.

Name Specify the name of the enforcement profile.

Role Configuration

Mode

Standard—Configure enforcement profile role using standard mode.

Advanced—Configure enforcement profile role using advanced mode.

Table 66: Enforcement Profiles Page

Advanced Role Configuration Mode

1. On the Attributes tab, select Radius:Aruba from the Type drop-down list.

2. From the Name drop-down list, select Aruba-CPPM-Role.

3. In the Value field, enter the attribute for the downloadable-role.

4. Click the save icon to save the attribute.

5. Click Save to save the enforcement profile.

The fields are described in Figure 40 and Table 67.

Figure 40 Enforcement Profiles Attributes Tab

Container Description

Type Type is any RADIUS vendor dictionary that is pre-packaged with Policy Manager, or

imported by the Administrator. This field is pre-populated with the dictionary

names.

Name Name is the name of the attribute from the dictionary selected in the Type field.

The attribute names are pre-populated from the dictionary.

Value Value is attribute for the downloadable role. You can enter free-form text to define

the role and policy.

NOTE: The maximum limit for free form text is 16,000 bytes.

Table 67: Enforcement Profiles Attributes Tab

Adding Enforcement Policy

1. From Configuration > Enforcement > Policies page, click Add Enforcement Policy.

2. On the Enforcement tab, enter the name of the enforcement policy.

3. From the Default Profile drop-down list, select [Deny Access Profile].

Keep the rest of the fields as default.

4. Click Next.

The fields are described in Figure 41 and Table 68.

Figure 41 Enforcement Policies Enforcement Tab

Dell Networking W-Series ArubaOS 6.4.x | User Guide ClearPass Policy Manager Integration | 390

391 | ClearPass Policy Manager Integration Dell Networking W-Series ArubaOS 6.4.x| User Guide

Container Description

Name Specify the name of the enforcement policy.

Default Profile An Enforcement Policy applies Conditions (roles, health, and time attributes)

against specific values associated with those attributes to determine the

Enforcement Profile. If none of the rules matches, Policy Manager applies the

Default Profile.

See Adding Enforcement Profile on page 388 to add a new profile.

Table 68: Enforcement Policies Enforcement Tab

5. On the Rules tab, click Add Rule.

6. On the Rules Editor pop-up, select the appropriate values in the Conditions section and click the save

icon.

7. In the Enforcement Profiles section, select the RADIUS enforcement profile that you created in step

Adding Enforcement Profile on page 388 from the Profile Names drop-down list.

8. Click Save.

The fields are described in Figure 42 and Table 69.

Figure 42 Enforcement Policies Rules Editor

Container Description

Type The rules editor appears throughout the Policy Manager interface. It exposes

different

namespace dictionaries depending on Service type. When working with service

rules, you can select Authentication namespace dictionary

Name Drop-down list of attributes present in the selected namespace. In this example,

select Source.

Operator Drop-down list of context-appropriate (with respect to the attribute) operators. In

this example, select EQUALS.

Value Drop-down list of the Authentication source database. In this example, select [Local

User Repository].

Profile Names Name of the RADIUS enforcement profile.

Table 69: Enforcement Policies Rules Editor

Adding Services

1. From the Configuration > Services page, click the Add Service link.

2. On the Service tab, select 802.1X Wired from the Type drop-down-list.

3. In the Name field, enter the name of the service.

Keep the rest of the fields as default.

4. Click Next.

The fields are described in Figure 43 and Table 70.

Figure 43 Service Tab

Container Description

Type Select the desired service type from the drop down menu. In this example, select

802.1X Wired.

Name Specify the name of the service.

Table 70: Service Tab

5. On the Authentication tab, select [Local User Repository] [Local SQL DB] from the Authentication

Sources drop-down list.

Keep the rest of the fields as default.

6. Click Next twice.

The fields are displayed in Figure 44.

Dell Networking W-Series ArubaOS 6.4.x | User Guide ClearPass Policy Manager Integration | 392

393 | ClearPass Policy Manager Integration Dell Networking W-Series ArubaOS 6.4.x| User Guide

Figure 44 Authentication Tab

7. On the Enforcement tab, select the enforcement policy that you created in step Adding Enforcement

Policy on page 390 from the Enforcement Policy drop-down list.

Keep the rest of the fields as default.

8. Click Save.

The fields are displayed in Figure 45.

Figure 45 Enforcement Tab

For more configuration details on CPPM, see the ClearPass Policy Manager 6.2 User Guide.

Controller Configuration

Configuring CPPM Server on Controller

(host) (config) #aaa authentication-server radius cppm_server

(host) (RADIUS Server "cppm_server") #host <ip_address_of_cppm_server>

(host) (RADIUS Server "cppm_server") #key <shared_secret>

Configuring Server Group to include CPPM Server

(host) (config) #aaa server-group cppm_grp

(host) (Server Group "cppm_grp") #auth-server cppm_server

Configuring 802.1X Profile

(host) (config) #aaa authentication dot1x cppm_dot1x_prof

Configuring AAA Profile

(host) (config) #aaa profile cppm_aaa_prof

(host) (AAA Profile "cppm_aaa_prof") #authentication-dot1x cppm_dot1x_prof

(host) (AAA Profile "cppm_aaa_prof") #dot1x-server-group cppm_grp

(host) (AAA Profile "cppm_aaa_prof") #download-role

Show AAA Profile

(host) #show aaa profile cppm_aaa_prof

Dell Networking W-Series ArubaOS 6.4.x | User Guide ClearPass Policy Manager Integration | 394

Dell Networking W-Series ArubaOS 6.4.x| User Guide Virtual APs | 395

Chapter 18

Virtual APs

APs advertise WLANs to wireless clients by sending out beacons and probe responses that contain the WLAN’s

SSID and supported authentication and data rates. When a wireless client associates to an AP, it sends traffic to

the AP’s Basic Service Set Identifier (BSSID) which is usually the AP’s MAC address.

In the Dell network, an AP uses a unique BSSID for each WLAN. Thus, a physical AP can support multiple

WLANs. The WLAN configuration applied to a BSSID on an AP is called a virtual AP. You can configure and apply

multiple virtual APs to an AP group or to an individual AP by defining one or more virtual AP profiles.

This chapter describes the following topics:

lVirtual AP Profiles on page 395

lVirtual AP Configuration Workflow on page 403

lRadio Resource Management (802.11k) on page 404

lBSSTransition Management (802.11v) on page 411

lFast BSS Transition ( 802.11r) on page 412

lSSIDProfiles on page 414

lWLAN Authentication on page 421

lHigh-Throughput Virtual APs on page 424

lGuest WLANs on page 428

Virtual AP Profiles

You can configure virtual AP profiles to provide different network access or services to users on the same

physical network. For example, you can configure a WLAN to provide access to guest users and another WLAN

to provide access to employee users through the same APs. You can also configure a WLAN that offers open

authentication and Captive Portal access with data rates of 1 and 2 Mbps, and another WLAN that requires

WPA authentication with data rates of up to 11 Mbps. You can apply both virtual AP configurations to the

same AP or an AP group .

As an example, suppose there are users in both Edmonton and Toronto that access the same “Corpnet” WLAN.

If the WLAN required authentication to an external server, users who associate with the APs in Toronto would

want to authenticate with their local servers. In this case, you can configure two virtual APs that each reference

a slightly different AAA profile; one AAA profile that references authentication servers in Edmonton and the

other that references servers in Toronto (see Table 71).

WLAN Profiles “default” AP Group “Toronto” AP Group

Virtual AP “Corpnet-Ed” “Corpnet-Tr”

SSID “Corpnet” “Corpnet”

AAA “E-Servers” “T-Servers”

Table 71: Applying WLAN Profiles to AP Groups

396 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

You can apply multiple virtual AP profiles to individual APs. You can also apply the same virtual AP profile to

one or more AP groups.

Configuring the Virtual AP Profile

Follow the procedures below to configure a Virtual APprofile using the WebUI or command-line interfaces.

Creating and Configuring a Profile

1. Navigate to Configuration > Advanced Services > All Profiles.

2. In the Profiles pane, expand the Wireless LAN menu.

3. Select Virtual AP. The list of existing Virtual AP profiles appears in the Profile Details pane.

4. Select the virtual APprofile you want to configure:

lTo configure an existing Virtual AP profile, select the name of the profile in the Profile Details pane.

lTo create a new Virtual AP profile, enter a name for the profile in the entry blank at the bottom of the

Profile Details pane, then click Add. Select the name of the profile in the Profile Details pane.

Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID

profile with the default “Dell-ap” ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile

before you apply the profile.

5. Configure the profile parameters described in Table 72.

The Virtual AP profile is divided into two tabs, Basic and Advanced. The Basic tab displays only those

configuration settings that often need to be adjusted to suit a specific network. The Advanced tab shows

all configuration settings, including settings that do not need frequent adjustment or should be kept at their

default values. If you change a setting on one tab then click and display the other tab without saving your

configuration, that setting will revert to its previous value.

Parameter Description

Basic Configuration Settings

Virtual AP enable Select the Virtual AP enable checkbox to enable or disable the virtual AP.

VLAN The VLAN(s) into which users are placed in order to obtain an IP address. Click the

drop-down list to select a configured VLAN, the click the arrow button to associate

that VLAN with the virtual AP profile.

Forward mode This parameter controls whether data is tunneled to the controller using generic

routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs),

or a combination thereof depending on the destination (corporate traffic goes to

the controller, and Internet access remains local). All forwarding modes support

band steering, TSPEC/TCLAS enforcement, 802.11k and station blacklisting.

Click the drop-down list to select one of the following forward modes:

lTunnel: The AP handles all 802.11 association requests and responses, but

sends all 802.11 data packets, action frames and EAPOL frames over a GRE

tunnel to the controller for processing. The controller removes or adds the GRE

headers, decrypts or encrypts 802.11 frames and applies firewall rules to the

user traffic as usual. Both remote and campus APs can be configured in tunnel

mode.

lBridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote

AP or campus AP is in bridge mode, the AP (and not the controller) handles all

802.11 association requests and responses, encryption/decryption processes,

and firewall enforcement. The 802.11e and 802.11k action frames are also

Table 72: Virtual AP Profile Parameters

Parameter Description

processed by the AP, which then sends out responses as needed.

An AP in bridge mode does not support captive portal authentication. Both

remote and campus APs can be configured in bridge mode. Note that you must

enable the control plane security feature on the controller before you configure

campus APs in bridge mode.

lSplit-Tunnel: 802.11 frames are either tunneled or bridged, depending on the

destination (corporate traffic goes to the controller, and Internet access

remains local).

A remote AP in split-tunnel forwarding mode handles all 802.11 association

requests and responses, encryption/decryption, and firewall enforcement. the

802.11e and 802.11k action frames are also processed by the remote AP, which

then sends out responses as needed.

lDecrypt-Tunnel: Both remote and campus APs can be configured in decrypt-

tunnel mode. When an AP uses decrypt-tunnel forwarding mode, that AP

decrypts and decapsulates all 802.11 frames from a client and sends the 802.3

frames through the GRE tunnel to the controller, which then applies firewall

policies to the user traffic.

When the controller sends traffic to a client, the controller sends 802.3 traffic

through the GRE tunnel to the AP, which then converts it to encrypted 802.11

and forwards to the client. This forwarding mode allows a network to utilize the

encryption/decryption capacity of the AP while reducing the demand for

processing resources on the controller.

APs in decrypt-tunnel forwarding mode also manage all 802.11 association

requests and responses, and process all 802.11e and 802.11k action frames.

APs using decrypt-tunnel mode do have some limitations that not present for

APs in regular tunnel forwarding mode.

You must enable the control plane security feature on the controller before you

configure campus APs in decrypt-tunnel forward mode.

NOTE: Virtual APs in bridge or split-tunnel mode using static WEP should use key

slots 2-4 on the controller. Key slot 1 should only be used with Virtual APs in tunnel

mode.

Allowed band The band(s) on which to use the virtual AP:

la—802.11a band only (5 GHz).

lg—802.11b/g band only (2.4 GHz).

lall—both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). This is the default

setting.

Band Steering ARM’s band steering feature encourages dual-band capable clients to stay on the

5GHz band on dual-band APs. This frees up resources on the 2.4GHz band for

single band clients like VoIP phones.

Band steering reduces co-channel interference and increases available bandwidth

for dual-band clients, because there are more channels on the 5GHz band than on

the 2.4GHz band. Dual-band 802.11n-capable clients may see even greater

bandwidth improvements, because the band steering feature will automatically

select between 40MHz or 20MHz channels in 802.11n networks. This feature is

disabled by default, and must be enabled in a Virtual AP profile.

The band steering feature supports both campus APs and remote APs that have a

virtual AP profile set to tunnel,split-tunnel or bridge forwarding mode. Note,

however, that if a campus or remote APs has virtual AP profiles configured in

bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, those APs

will gather information about 5G-capable clients independently and will not

exchange this information with other APs that also have bridge or split-tunnel

virtual APs only.

Steering Mode Band steering supports the following three different band steering modes.

lForce-5GHz: When the AP is configured in force-5GHz band steering mode, the

AP will try to force 5Ghz-capable APs to use that radio band.

lPrefer-5GHz (Default): If you configure the AP to use prefer-5GHz band

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 397

398 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

steering mode, the AP will try to steer the client to 5G band (if the client is 5G

capable) but will let the client connect on the 2.4G band if the client persists in

2.4G association attempts.

lBalance-bands: In this band steering mode, the AP tries to balance the clients

across the two radios in order to best utilize the available 2.4G bandwidth. This

feature takes into account the fact that the 5Ghz band has more channels than

the 2.4 Ghz band, and that the 5Ghz channels operate in 40MHz while the

2.5Ghz band operates in 20MHz.

Dynamic Multicast

Optimization (DMO)

Enable/Disable dynamic multicast optimization. This parameter is disabled by

default, and cannot be enabled without the PEFNG license.

Drop Broadcast and

Multicast

Select the Drop Broadcast and Multicast checkbox to filter out broadcast and

multicast traffic in the air.

Do not enable this option for virtual APs configured in bridge forwarding mode. This

configuration parameter is only intended for use for virtual APs in tunnel mode. In

tunnel mode, all packets travel to the controller, so the controller is able to drop all

broadcast traffic. When a virtual AP is configured to use bridge forwarding mode,

most data traffic stays local to the AP, and the controller is not able to filter out that

broadcast traffic.

IMPORTANT: If you enable this option, you must also enable the Broadcast-Filter

ARP parameter on the virtual AP profile to prevent ARP requests from being

dropped. You can enable this parameter by checking the Convert Broadcast ARP

requests to unicast check box as described in the following parameter

description.

Convert Broadcast

ARP requests to

unicast

If enabled, all broadcast ARP requests are converted to unicast and sent directly to

the client. You can check the status of this option using the show ap active and the

show datapath tunnel command. If enabled, the output will display the letter ain

the flags column.

This configuration parameter is only intended for use for virtual APs in tunnel

mode. In tunnel mode, all packets travel to the controller, so the controller is able to

convert ARP requests directed to the broadcast address into unicast.

When a virtual AP is configured to use bridge forwarding mode, most data traffic

stays local to the AP, and the controller is not able to convert that broadcast traffic.

Beginning with ArubaOS 6.1.3.2, this parameter is enabled by default. Behaviors

associated with these settings are enabled upon upgrade to ArubaOS 6.1.3.2. If

your controller supports clients behind a wireless bridge or virtual clients on

VMware devices, you must disable this setting to allow those clients to obtain an IP

address. In previous releases of ArubaOS, the virtual AP profile included two unique

broadcast filter parameters; the drop broadcast and multicast parameter, which

filtered out all broadcast and multicast traffic in the air except DHCP response

frames (these were converted to unicast frames and sent to the corresponding

client) and the conert ARP requests to unicast parameter, which converted

broadcast ARP requests to unicast messages sent directly to the client.

Starting with ArubaOS 6.1.3.2, the Convert Broadcast ARP requests to unicast

setting includes the additional functionality of broadcast-filter all parameter, where

DHCP response frames are sent as unicast to the corresponding client. This can

impact DHCP discover/requested packets for clients behind a wireless bridge and

virtual clients on VMware devices. Disable this option to resolve this issue and allow

clients behind a wireless bridge or VMware devices to receive an IP address.

Default: Enabled

Advanced Configuration Settings

Dynamic Multicast

Optimization (DMO)

Threshold

Maximum number of high-throughput stations in a multicast group beyond which

dynamic multicast optimization stops.

Range: 2-255 stations

Default: 6 stations.

Parameter Description

Blacklist Time Number of seconds that a client is quarantined from the network after being

blacklisted. Default: 3600 seconds (1 hour)

Authentication Failure

Blacklist Time

Time, in seconds, a client is blocked if it fails repeated authentication. The default

setting is 3600 seconds (1 hour). A value of 0 blocks the client indefinitely.

Deny inter user traffic Select this checkbox to deny traffic between the clients using this virtual AP profile.

The global firewall shown the Configuration>Advanced Services > Stateful

Firewall > Global window also includes an option to deny all inter-user traffic,

regardless of the Virtual AP profile used by those clients.

If the global setting to deny inter-user traffic is enabled, all inter-user traffic

between clients will be denied, regardless of the settings configured in the virtual

AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled

on an individual virtual ap, only the traffic between un-trusted users and the clients

on that particular virtual AP will be blocked.

Deny time range Click the drop-down list and select a configured time range for which the AP will

deny access. If you have not yet configured a time range, navigate to

Configuration > Security > Access Control > Time Ranges to define a time

range before configuring this setting in the virtual AP profile.

DoS Prevention If enabled, APs ignore deauthentication frames from clients. This prevents a

successful deauthorization attack from being carried out against the AP. This does

not affect third-party APs. Default: Disabled

HA Discovery

on-association

If enabled, home agent discovery is triggered on client association instead of home

agent discovery based on traffic from client. Mobility on association can speed up

roaming and improve connectivity for clients that do not send many uplink packets

to trigger mobility (VoIP clients). Best practices is to disable this parameter as it

increases IP mobility control traffic between controllers in the same mobility

domain. Enable this parameter only when voice issues are observed in VoIP clients.

Default: Disabled

NOTE: ha-disc-onassoc parameter works only when IP mobility is enabled and

configured on the controller. For more information about this parameter, see HA

Discovery on Association on page 605

Mobile IP Enables or disables IP mobility for this virtual AP.

Default: Enabled

Preserve Client VLAN If you select this checkbox, clients retain their previous VLAN assignment if the cli-

ent disassociates from an AP and then immediately re-outassociates either with

same AP or another AP on the same controller.

Remote-AP Operation Configures when the virtual AP operates on a remote AP:

lalways—Permanently enables the virtual AP (Bridge Mode only). No

authentication supported.

lbackup—Enables the virtual AP if the remote AP cannot connect to the

controller (Bridge Mode only). No authentication supported.

lpersistent—Permanently enables the virtual AP after the remote AP initially

connects to the controller (Bridge Mode only).

lstandard—Enables the virtual AP when the remote AP connects to the

controller. Use standard option for tunneled, split-tunneled, and Bridge SSIDs.

NOTE: Only open/PSK security mode is allowed for always/backup RAP operation.

No authentication is supported for always/backup.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 399

400 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Station Blacklisting Select the Station Blacklisting checkbox to enable detection of denial of service

(DoS) attacks, such as ping or SYN floods, that are not spoofed deauthorization

attacks.

Default: Enabled

Strict Compliance If enabled, the AP denies client association requests if the AP and client station

have no common rates defined. Some legacy client stations which are not fully

802.11-compliant may not include their configured rates in their association

requests. Such non-compliant stations may have difficulty associating with APs

unless strict compliance is disabled. This parameter is disabled by default.

VLAN Mobility Enable or disable VLAN (Layer-2) mobility.

Default: Disabled

FDB Update on Assoc This parameter enables seamless failover for silent clients, allowing them to re-

associate. If you select this option, the controller will generate a Layer 2 update on

behalf of client to update forwarding tables in bridge devices.

Default: Disabled

6. Click Apply.

Selective Multicast Stream

The selective multicast group is based only on the packets learned through Internet Group Management

Protocol (IGMP).

lWhen broadcast-filter all parameter is enabled, the controller would allow multicast packets to be

forwarded only if the following conditions are met:

npackets originating from the wired side have a destination address range of 225.0.0.0 -

239.255.255.255

na station has subscribed to a multicast group.

lWhen IGMP snooping/proxy is disabled, the controller is not aware of the IGMP membership and drops the

multicast flow.

lIf DMO is enabled, the packets are sent with 802.11 unicast header.

lIf AirGroup is enabled, mDNS (SSDP) packets are sent to the AirGroup application. The common address for

mDNS is 224.0.0.251 and SSDP is 239.255.255.250.

Associating Other Profiles to the Virtual AP

Each Virtual AP profile can be associated with the following profile types.

lAAA

l802.11K

lHandover Trigger Feature Settings

lRRM IE Settings

lBeacon Report Request Settings

lTSM Report Request Settings

lHotspot 2.0

lSSID

lEDCA Parameters Station

lEDCA Parameters AP

lHigh-throughput SSID

l802.11r

lWMM Traffic Management

As a part of the virtual APprofile configuration procedure, you must identify which instance of each profile

type associates with the Virtual AP profile. By default, each Virtual AP profile is associated with the default

versions of the AAA, 802.11k, Hotspot 2.0 and SSID profiles. The Virtual AP profile can also associate with a

WMMtraffic management profile, but as no WMM profile is associated by default, one must be manually

configured.

To configure Virtual AP profile associations:

1. Navigate to Configuration > Advanced Services > All Profiles.

2. Expand the Wireless LAN menu.

3. Expand the Virtual AP menu.

4. Select the Virtual AP you want to configure. The list of associated profile types appears in the Profiles list.

5. If a plus [+] sign appears beside an associated profile category, there is more than one profile type in that

category. Select that profile category to display the associated profiles within that category.

6. To associate a different profile with the Virtual APprofile, click the name of the any currently associated

profile in the Profiles list.

7. Click the drop-down list at the top of the Profile Details pane and select a different profile to associate to

the Virtual AP.

8. Click Apply.

Configuring a Virtual AP in the CLI

The example below follows the suggested order of steps to configure a virtual AP using the command-line

interface.

(host)(config) #vlan 60

(host)(config) #ip access-list session THR-POLICY-NAME-WPA2

user any any permit

(host)(config) #user-role THR-ROLE-NAME-WPA2

session-acl THR-POLICY-NAME-WPA2

(host)(config) #aaa authentication dot1x "THR-DOT1X-AUTH-PROFILE-WPA2"

termination enable

(host)(config) #aaa server-group "THR-DOT1X-SERVER-GROUP-WPA2"

auth-server Internal

(host)(config) #aaa profile "THR-AAA-PROFILE-WPA2"

authentication-dot1x "THR-DOT1X-AUTH-PROFILE-WPA2"

dot1x-default-role "THR-ROLE-NAME-WPA2"

dot1x-server-group "THR-DOT1X-SERVER-GROUP-WPA2"

(host)(config) #wlan ssid-profile "THR-SSID-PROFILE-WPA2"

essid "THR-WPA2"

opmode wpa2-aes

(host)(config) #wlan virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"

ssid-profile "THR-SSID-PROFILE-WPA2"

aaa-profile "THR-AAA-PROFILE-WPA2"

vlan 60

(host)(config) #ap system-profile "THR-AP-SYSTEM-PROFILE"

lms-ip 1.1.1.1

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 401

402 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

bkup-lms-ip 2.2.2.2

(host)(config) #ap-group "THRHQ1-STANDARD"

virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"

(host)(config) #ap-system-profile "THR-AP-SYSTEM-PROFILE"

Associating a Virtual AP Profile to an AP or AP Group

Use the following procedures to associate a virtual APprofile to an AP or group of APs.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. Do one of the following:

lTo associate the Virtual APprofile to a single AP, click the AP specific tab, and select the AP.

lTo associate the Virtual APprofile to an APgroup, click the AP Group tab, and select the AP Group.

3. In the Profiles list, expand the Wireless LAN menu.

4. Select Virtual AP. The Profile Details window dislays the Virtual AP profiles currently associated to the AP or

AP group.

5. Click the Add a Profile drop-down list and select a new Virtual AP profile to associate to the AP. You can

associate multiple APprofiiles to an AP, but each virtual AP profile must reference a SSID profile with a

different network name (SSID).

6. Click Apply

Although you can create mutliple Virtual AP profiles that reference a single SSID profile, only one of these profiles

can be applied to an AP or AP group.

In the CLI

(host) (config) ap-group <ap-group>

virtual-ap <vap-profile>

(host) (config) ap-name <ap-name>

virtual-ap <vap-profile>

Excluding a Virtual AP Profile

You can exclude one or more virtual AP profiles from an individual AP. This prevents a virtual AP, defined at the

AP group level, from being applied to a specific AP. For example, you can apply the virtual AP profile that

corresponds to the “Corpnet” SSID to the “default” AP group. If you do not want the “Corpnet” SSID to be

advertised on the AP in the lobby, you can specify the virtual AP profile that contains the “Corpnet” SSID

configuration be excluded from that AP.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration > AP Specific page.

2. Do one of the following:

lIf the AP you want to exclude is included in the list, click Edit for the AP.

lIf the AP does not appear in the list, click New. Either type in the name of the AP, or select the AP from

the drop-down list. Then click Add.

3. Select Wireless LAN under the Profiles list, then select Excluded Virtual AP.

4. Select the name of the virtual AP profile you want to exclude from the drop down menu (under Profile

Details) and click Add. The profile name appears in the Excluded Virtual APs list. You can add multiple

profile names in the same way.

5. To remove a profile name from the Excluded Virtual APs list, select the profile name and click Delete.

6. Click Apply.

In the CLI

(host)(config) #ap-name <name>

exclude-virtual-ap <profile>

Virtual AP Configuration Workflow

The following workflow lists the tasks to configure a virtual AP that uses 802.1X authentication. Click any of the

links below for details on the configuration procedures for that task.

Using the WebUI

1. Configure your authentication servers.

2. Create an authentication server group, and assign the authentication servers you configured in step 1 to

that server group.

3. Configure a firewall access policy for a group of users

4. Create a user role, and assign the firewall access policy you created in step 3 to that user role.

5. Create an AAA profile.

a. Assign the user role defined in step 4 to the AAA profile's 802.1X Authentication Default Role

b. Associate the server group you created in step 2 to the AAA profile.

6. Create a new SSID profile

7. Create a new virtual AP profile.

8. Associate the virtual AP profile to the AAA profile you created in Step 5.

9. Associate the virtual AP profile to the SSID profile you created in Step 6.

Using the CLI

The example below follows the suggested order of steps to configure a virtual AP using the command-line

interface.

(host)(config) #aaa server-group "THR-DOT1X-SERVER-GROUP-WPA2"

auth-server Internal

ip access-list session THR-POLICY-NAME-WPA2

user any any permit

(host)(config) #user-role THR-ROLE-NAME-WPA2

session-acl THR-POLICY-NAME-WPA2

(host)(config) #aaa server-group "THR-DOT1X-SERVER-GROUP-WPA2"

auth-server Internal

(host)(config) #aaa profile "THR-AAA-PROFILE-WPA2"

dot1x-default-role "THR-ROLE-NAME-WPA2"

dot1x-server-group "THR-DOT1X-SERVER-GROUP-WPA2"

(host)(config) #wlan ssid-profile "THR-SSID-PROFILE-WPA2"

essid "THR-WPA2"

opmode wpa2-aes

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 403

404 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

(host)(config) #wlan virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"

ssid-profile "THR-SSID-PROFILE-WPA2"

aaa-profile "THR-AAA-PROFILE-WPA2"

vlan 60

(host)(config) #ap-group "THRHQ1-STANDARD"

virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"

Radio Resource Management (802.11k)

The 802.11k protocol provides mechanisms for APs and clients to dynamically measure the available radio

resources. In an 802.11k enabled network, APs and clients can send neighbor reports, beacon reports, and link

measurement reports to each other. This allows the APs and clients to take appropriate connection actions.

The handover process is available for voice clients that support the 802.11k standard and have the ability to transmit

and receive beacon reports. For information on configuring the handoff trigger feature, see Enabling Wi-Fi Edge

Detection and Handover for Voice Clients on page 922

This topic includes the following procedures:

lConfiguring the 802.11k Profile

lConfiguring Radio Resource Management Information Elements

lConfiguring Beacon Report Requests

lConfiguring Traffic Stream Measurement Report Requests

Configuring the 802.11k Profile

The following procedures outline the steps to configure 802.11k parameters.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group or AP

Specific tab.

lIf you selected the AP Group tab, click the Edit button by the AP group name for which you want to

configure the new 802.11k profile.

lIf you selected the AP Specific tab, click the Edit button by the AP for which you want to create the

802.11K profile.

2. In the Profiles list, expand the Wireless LAN menu, then expand the Virtual AP menu.

3. Select the Virtual AP profile for which you want to configure 802.11k settings.

To edit an existing 802.11k profile, click the 802.11K Profile drop-down list In the Profile Details window

pane and select the 802.1x profile you want to edit.

To create a new 802.11k profile, click the 802.11k Profile drop-down list and select New. Enter a new

802.11k profile name in the field to the right of the drop-down list.

4. Configure your 802.11k radio settings. Table 73 outlines the parameters you can configure in the 802.11k

profile. Click Apply to save your settings.

Parameter Description

Advertise 802.11k Capability Select this option to allow Virtual APs using this profile to advertise

802.11k capability.

Default: Disabled

Forcefully disassociate on-

hook voice clients

Select this option to allow the AP to forcefully disassociate on-hook

voice clients (clients that are not on a call) after period of inactivity.

Without the forced disassociation feature, if an AP has reached its call

admission control limits and an on-hook voice client wants to start a

new call, that client may be denied. If forced disassociation is enabled,

those clients can associate to a neighboring AP that can fulfill their QoS

requirements.

Default: Disabled

Measurement Mode for

Beacon Reports

Click the Measurement Mode for Beacon Reports drop-down list and

specify one of the following measurement modes:

lactive—Enables active beacon measurement mode. In this mode,

the client sends a probe request to the broadcast destination

address on all supported channels, sets a measurement duration

timer, and, at the end of the measurement duration, compiles all

received beacons or probe response with the requested SSID and

BSSID into a measurement report.

lbeacon-table—Enables beacon-table beacon measurement mode.

In this mode, the client measures beacons and returns a report with

stored beacon information for any supported channel with the

requested SSID and BSSID. The client does not perform any

additional measurements.

lpassive—Enables passive beacon measurement mode. In this

mode, the client sets a measurement duration timer, and, at the

end of the measurement duration, compiles all received beacons or

probe response with the requested SSID and BSSID into a

measurement report.

NOTE: If a station doesn't support the selected measurement mode, it

returns a Beacon Measurement Report with the Incapable bit set in the

Measurement Report Mode field.

Default Mode: beacon-table

Channel for Beacon

Requests in 'A' band

This value is sent in the 'Channel' field of the beacon requests on the 'A'

radio. You can specify values in the range 34 to 165. The default value

is 36.

Channel for Beacon

Requests in 'BG' band

This value is sent in the 'Channel' field of the Beacon Requests on the

'BG' radio. You can specify values in the range 1 to 14. The default

value is 1.

Channel for AP Channel

Reports in 'A' band

This value is sent in the 'Channel' field of the AP channel reports on the

'A' radio. You can specify values in the range 34 to 165. The default

value is 36.

Channel for AP Channel

Reports in 'BG' band

This value is sent in the 'Channel' field of the AP channel reports on the

'BG' radio. You can specify values in the range 1 to 14. The default

value is 1.

Time duration between

consecutive Beacon

Requests

This option configures the time duration between two consecutive

beacon requests sent to a dot11K client. By default, the beacon

requests are sent to a dot11K client every 60 seconds. However, if a

different value is required, the bcn-req-time option can be used.

Table 73: 802.11k Profile Parameters

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 405

406 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

This permits values in the range from 10 seconds to 200 seconds. A

value of 0 is used to indicate that the generation of Beacon Request

frames is turned off.

Time duration between

consecutive Link

Measurement Requests

This option configures the time duration between two consecutive link

measurement requests sent to an dot11K client. By default, link

measurement requests are sent to a dot11K client every 61 seconds.

This parameter permits values in the range from 10 seconds to 200

seconds. A value of 0 is used to indicate that the generation of Link

Measurement Request frames is turned off.

Time duration between con-

secutive Transmit Stream

Measurement Request

This option configures the time duration between two consecutive

transmit stream measurement requests sent to a dot11K client. By

default, the transmit stream measurement requests are sent to a

dot11K client every 90 seconds.

This permits values in the range from 10 seconds to 200 seconds. A

value of 0 is used to indicate that the generation of Transmit Stream

Measurement Request frames is turned off.

Handover Trigger Feature

Settings Profile

This command configures a Handover Trigger Profile. This profile

consists of the configurable parameters for the ‘Wi-Fi Edge Detection

and Handover of Voice Clients’ feature.

Beacon Report Request

Settings Profile

Configure a Beacon Report Request Profile to provide the parameters

for the Beacon Report Request frames.

TSM Report Request Settings

Profile

This command configures a TSM Report Request Profile which is used

to provide values to the Transmit Stream/Category Measurement

Request frame.

In the CLI

Use the following command to configure 802.11k profiles. The available parameters for this profile are

described in Table 73.

wlan dotllk <profile-name>

Configuring Radio Resource Management Information Elements

ArubaOS supports the following radio resource management information elements (RRM IEs) for APs with

802.11k support enabled. These settings can be enabled through the WebUI or CLI.

In the WebUI

To select the RRM IEs to be sent in beacons and probe responses using the WebUI:

1. Navigate to Configuration>Advanced Services>All Profile Management.

2. Expand the Wireless LAN menu and select RRM IE.

3. Select the RRM IE profile you want to configure, then select any of the following IE types to enable that

information element in beacons and probe responses. (All IE types are sent by default.)

Parameter Description

Advertise Enabled Capabilities

This value is used to determine if the RRM Enabled Capabilities IE

should be advertised in the beacon frames. A value of "Enabled" allows

the RRM Enabled Capabilities IE to be present in the beacon frames

when 802.11K capability is enabled. A value of "Disabled" prevents the

advertisement of the RRM Enabled Capabilities IE in the beacon frames

when 802.11K capability is enabled.

Advertise Country IE This value is used to determine if the Country IE should be advertised in

the beacon frames. A value of "Enabled" allows the Country IE to be

present in the beacon frames when 802.11K capability is enabled. A

value of "Disabled" prevents the advertisement of the Country IE in the

beacon frames when 802.11K capability is enabled.

Advertise Power Constraint IE This value is used to determine if the Power Constraint IE should be

advertised in the beacon frames. A value of "Enabled" allows the Power

Constraint IE to be present in the beacon frames when 802.11K

capability is enabled. A value of "Disabled" prevents the advertisement

of the Power Constraint IE in the beacon frames when 802.11K

capability is enabled.

Advertise TPC Report IE This value is used to determine if the TPC Report IE should be

advertised in the beacon frames. A value of "Enabled" allows the TPC

Report IE to be present in the beacon frames when 802.11K capability is

enabled. A value of "Disabled" prevents the advertisement of the TPC

Report IE in the beacon frames when 802.11K capability is enabled.

Advertise QBSS Load IE This value is used to determine if the QBSS Load IE should be

advertised in the beacon frames. A value of "Enabled" allows the QBSS

Load IE to be present in the beacon frames when 802.11K capability is

enabled. A value of "Disabled" prevents the advertisement of the QBSS

Load IE in the beacon frames when 802.11K capability is enabled. The

default value is "Enabled".

Advertise BSS AAC IE This value is used to determine if the BSS Available Admission Capacity

IE should be advertised in the beacon frames. A value of "Enabled"

allows the BSS Available Admission Capacity IE to be present in the

beacon frames when 802.11K capability is enabled. A value of

"Disabled" prevents the advertisement of the BSS Available Admission

Capacity IE in the beacon frames when 802.11K capability is enabled.

Advertise Quiet IE This value is used to determine if the Quiet IE should be advertised in

the beacon frames. A value of "Enabled" allows the Quiet IE to be

present in the beacon frames when 802.11K capability is enabled. A

value of "Disabled" prevents the advertisement of the Quiet IE in the

beacon frames when 802.11K capability is enabled.

Table 74: RRM IE Parameters

4. Click Apply Changes to save your settings.

In the CLI

To use the CLI to configure radio resource management information elements in the RRM IEprofile, access the

CLI in config mode and issue the following commands:

wlan rrm-ie-profile <profile>

bss-aac-ie

clone

country-ie

enabled-capabilities-ie

no...

pwr-constraint-ie

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 407

408 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

qbss-load-ie

quiet-ie

tpc-report-ie

Configuring Beacon Report Requests

The beacon report requests are sent only to 802.11k-compliant clients that advertise Beacon Report Capability

in their RRM Enabled Capabilities IE. The beacon request frames are sent every 60 seconds.

The content of the report requests can be defined in the Beacon Report Request profile using the WebUI or

CLI.

In the WebUI

To select the information to be sent in beacon report reqeusts using the WebUI:

1. Navigate to Configuration>Advanced Services>All Profile Management.

2. Expand the Wireless LAN menu and select Beacon Report Request.

3. Select the Beacon Report Request profile you want to configure.

4. Define the settings described in the table below, then click Apply Changes to save your settings.

Table 75: Beacon Report Request Settings

Parameter Description

Interface This field is used to specify the Radio interface for transmitting the Beacon

Report Request frame. It can have a value of either 0 or 1. The default value is 1.

Regulatory Class This option is used to specify the Regulatory Class field in the Beacon Report

Request frame. It can be set to one of the following: -

l5(for 5 GHz band)

l12 (for 2.4 GHz band)

Channel This option is used to set the Channel field in the Beacon Report Request frame.

The Channel value can be set to one of the following: - the channel of the AP

(when Measurement Mode is set to either 'Passive' or 'Active-All channels') - 0

(when Measurement Mode is set to 'Beacon Table') - 255 (when Measurement

Mode is set to 'Active-Channel Report')

Randomization Inter-

val

This value is used to set the Randomization Interval field in the Beacon Report

Request frame. The Randomization Interval is used to specify the desired max-

imum random delay in the measurement start time. It is expressed in units of

TUs (Time Units). A Randomization Interval of 0 in a measurement request indic-

ates that no random delay is to be used. This field can be given a value in the

range (0, 65535). The default value is 0.

Measurement Dur-

ation

This value is used to set the Measurement Duration field in the Beacon Report

Request frame. The Measurement Duration is set to the duration of the reques-

ted measurement. It is expressed in units of TUs. This field can be given a value

in the range (0, 65535). The default value is 0.

Measurement Mode

for Beacon Reports

Click the Measurement Mode for Beacon Reports drop-down list and specify

one of the following measurement modes:

lactive—Enables active beacon measurement mode. In this mode, the client

Parameter Description

sends a probe request to the broadcast destination address on all supported

channels, sets a measurement duration timer, and, at the end of the

measurement duration, compiles all received beacons or probe response

with the requested SSID and BSSID into a measurement report.

lbeacon-table—Enables beacon-table beacon measurement mode. In this

mode, the client measures beacons and returns a report with stored beacon

information for any supported channel with the requested SSID and BSSID.

The client does not perform any additional measurements.

lpassive—Enables passive beacon measurement mode. In this mode, the

client sets a measurement duration timer, and, at the end of the

measurement duration, compiles all received beacons or probe response

with the requested SSID and BSSID into a measurement report.

NOTE: If a station doesn't support the selected measurement mode, it returns a

Beacon Measurement Report with the Incapable bit set in the Measurement

Report Mode field. Default Mode: beacon-table

Reporting Condition This option is used to indicate the value for the "Reporting Condition" field in the

Beacon Reporting Information sub-element present in the Beacon Report

Request frame. It can have a range from 0 to 255. The default value is 0.

ESSID name This option is used to indicate the value for the "SSID" field in the Beacon Report

Request frame. It corresponds to the SSID Name for which the Beacon Report

Request frame needs to be generated. It is a string with a minimum length of 1

and a maximum length of 32.

Reporting Detail This option is used to indicate the value for the "Detail" field in the Reporting

Detail sub-element present in the Beacon Report Request frame. It is set to "Dis-

abled" by default.

Measurement Dur-

ation Mandatory

This value is used to set the "Duration Mandatory" bit of the Measurement

Request Mode field of the Beacon Report Request frame. The default value is

"Disabled".

Request Information

values

This option is used to indicate the contents of the Request Information IE that

could be present in the Beacon Report Request frame. The Request Information

IE is present for all Measurement Modes except the 'Beacon Table' mode. It con-

sists of a list of Element IDs that should be included by the client in the response

frame.

In the CLI

To select the information to be sent in beacon report requests using the command-line interface, access the

CLIin config mode and issue the following commands.

wlan bcn-rpt-req-profile <profile>

Configuring Traffic Stream Measurement Report Requests

The Traffic Stream Measurement(TSM) report requests are sent only to dot11k compliant clients that advertise

a traffic stream report capability. The TSM report request frames are sent every 60 seconds. The content of the

report requests can be defined in the TSMReport Request profile using the WebUI or CLI.

In the WebUI

To select the information to be sent in TSM report reqeusts using the WebUI:

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 409

410 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

1. Navigate to Configuration > Advanced Services > All Profile Management.

2. Expand the Wireless LAN menu and select TSM Report Request.

3. Select the TSMReport Request profile you want to configure.

4. Define the settings described in the table below, then click Apply Changes to save your settings.

Table 76: TSM Report Request Settings

Parameter Description

Request Mode for TSM Report

Request

Select one of the following request modes:

lnormal

ltriggered

This value is used to determine the request mode for the Trans-

mit Stream/Category Measurement Request frame. A Transmit

Stream/Category Measurement Request frame can be sent in

either normal mode or triggered mode. There are two options

for this parameter normal and triggered. When the triggered

option is selected, the Transmit Stream/Category Measurement

Request frame is sent only when the trigger condition occurs.

The default value for this field is normal.

Number of repetitions This value is used to set the "Number of Repetitions" field in the

Transmit Stream/Category Measurement Request frame. The

Number of Repetitions field contains the requested number of

repetitions for all the Measurement Request elements in this

frame. A value of zero in this field indicates Measurement

Request elements are executed once without repetition. A value

of 65535 in the Number of Repetitions field indicates Meas-

urement Request elements are repeated until the measurement

is cancelled or superseded. This field has values in the range (0,

65535). The default value is 65535.

Duration Mandatory This value is used to set the "Duration Mandatory" bit of the

Measurement Request Mode field of the Transmit Stream/Cat-

egory Measurement Request frame. The default value is

enabled.

Randomization Interval This value is used to set the Randomization Interval field in the

Transmit Stream/Category Measurement Request frame. The

Randomization Interval is used to specify the desired maximum

random delay in the measurement start time. It is expressed in

units of TUs (Time Units). When the request mode for the Trans-

mit Stream/Category Measurement Request frame is set to

"triggered", the Randomization Interval is not used and is set to

0. A Randomization Interval of 0 in a measurement request indic-

ates that no random delay is to be used. This field can be given a

value in the range (0, 65535). The default value is 0.

Measurement Duration This value is used to set the Measurement Duration field in the

Parameter Description

Transmit Stream/Category Measurement Request frame. The

Measurement Duration is set to the duration of the requested

measurement. It is expressed in units of TUs. When the request

mode for the Transmit Stream/Category Measurement Request

frame is set to triggered, the Measurement Duration field

should be set to 0. This field can be given a value in the range (0,

65535). The default value is 9776.

Traffic ID The value is used to set the Traffic Identifier field in the Transmit

Stream/Category Measurement Request frame. The Traffic Iden-

tifier field contains the TID subfield. The TID subfield indicates

the TC or TS for which traffic is to be measured. This field can be

given a value in the range (0, 255). The default value is 96

Bin 0 Range This value is used to set the 'Bin 0 Range' field in the Transmit

Stream/Category Measurement Request frame. Bin 0 Range

indicates the delay range of the first bin (Bin 0) of the Transmit

Delay Histogram, expressed in units of TUs. This field can be

given a value in the range (0, 255). The default value is 6.

In the CLI

To select the information to be sent in TSM report requests using the command-line interface, access the CLIin

config mode and issue the following commands.

wlan tsm-req-profile <default>

BSSTransition Management (802.11v)

BSS Transition Management enables an AP to request a voice client to transition to a specific AP, or suggest a

set of preferred APs to a voice client, due to network load balancing or BSS termination. This helps the voice

client identify the best AP to which that client should transition to as that client roams. ArubaOS supports BSS

Transition Management features defined by the 802.11v standard.

The BSS Transition capability can improve throughput, data rates and QoS for the voice clients in a network by

shifting (via transition) the individual voice traffic loads to more appropriate points of association within the

ESS.

Frame Types

BSS Transition Management uses the following frame types:

lQuery: A Query frame is sent by the voice client that supports BSS transition management requesting a

BSS transition candidate list to its associated AP, if the associated AP indicates that it supports the BSS

transition capability.

lRequest: An AP that supports BSS Transition Management responds to a BSS Transition Management

Query frame with a BSS Transition Management Request frame. The AP may also send an unsolicited BSS

Transition Management Request frame to a voice client at any time, if the client supports the BSS Transition

Management capability. The Request frame also contains a Disassociation flag. If the flag is set, then the AP

forcefully disassociates the client after 10 beacon intervals.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 411

412 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

lResponse: A Response frame is sent by the voice client back to the AP, informing whether it accepts or

denies the transition.

802.11k and 802.11v clients

For 802.11k capable clients, the client management framework uses the actual beacon report generated by the

client in response to a beacon report request sent by the AP. This beacon report replaces the virtual beacon

report for that client.

For 802.11v capable clients, the controller uses the 802.11v BSS Transition message to steer clients to the

desired AP upon receiving a client steer trigger from the AP.

Enabling Vss

802.11To enable 802.11v BSS transition management, enable the Advertise 802.11k Capability parameter

in an 802.11k profile, then ensure that 802.11k profile is associated to a Virtual AP profile.

For more information on the 802.11k profile, see Radio Resource Management (802.11k) on page 404.

Fast BSS Transition ( 802.11r)

ArubaOS provides support for Fast BSS Transition as part of the 802.11r implementation. Fast BSS Transition

mechanism minimizes the delay when a voice client transitions from one BSS to another within the same ESS.

Fast BSS Transition establishes security and QoS states at the target AP before or during a re-association. This

minimizes the time required to resume data connectivity when a BSS transition happens.

The following table provides the modes in which Fast BSS Transition is supported:

VAP Forwarding Mode Support for 802.11r

Tunnel Mode Yes

Decrypt-Tunnel Mode Yes

Split-Tunnel Mode No

Bridge Mode Beta quality

Table 77: Supported VAP Forwarding Modes

Important Points to Remember

lFast BSS Transition is operational only if the wireless client has support for 802.11r standard. If the client

does not have support for 802.11r standard, it falls back to normal WPA2 authentication method.

lIf dot11r is enabled, iOS clients such as iPad/iPhone gen1 (limitation on iOS) and all MAC-OS clients

(limitation on MAC) fail to connect to the network.

Configuring Fast BSS Transition

You can enable and configure Fast BSS Transition on a per Virtual AP basis. You must create an 802.11r profile

and associate that with the Virtual AP profile through an SSID profile. You can create and configure an 802.11r

profile using the WebUI or CLI.

Fast BSS transition is operational only with WPA2-Enterprise or WPA2-Personal.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configurationwindow. Select either the AP Group or AP

Specific tab.

a. If you selected the AP Group tab, click the AP group name for which you want to configure the 802.11R

profile.

b. If you selected the AP Specific tab, click the AP for which you want to configure the 802.11R profile.

2. In the Profiles list, expand the Wireless LANmenu, then expand the Virtual APmenu.

3. Select the Virtual AP profile for which you want to configure the 802.11r settings and expand SSID Profile.

4. Select the SSID profile on which you want to configure the 802.11r settings and select 802.11R Profile.

a. To edit an existing 802.11r profile, click the 802.11R Profiledrop-down list in the Profile

Detailswindow pane and select the 802.11r profile you want to edit.

b. To create a new 802.11r Profile, click the 802.11R Profile drop-down list and select New. Enter a new

802.11r profile name in the field to the right of the drop-down list.

You cannot use spaces in profile names.

5. Configure the following 802.11r radio settings.

a. Select the Advertise 802.11r Capability option to allow Virtual APs using this profile to advertise

802.11r capability.

b. Enter the mobility domain ID value (1-65535) in the 802.11r Mobility Domain ID field. The default

value is 1.

c. Enter the R1 Key timeout value in seconds (60-86400) for decrypt-tunnel or bridge mode in the 802.11r

R1 Key Duration field. The default value is 3600.

6. ClickApply to save your settings.

In the CLI

Create an 802.11r profile using the following command:

(host) (config) #wlan dot11r-profile voice-enterprise

Enable Fast BSS Transition using the following command:

(host) (802.11R Profile "voice-enterprise") #dot11r

Configure a mobility domain ID that uniquely identifies a mobility domain using the following command:

(host) (802.11R Profile "voice-enterprise") #mob-domain-id <1-65535>

The default value is 1.

Configure the r1 key timeout value in seconds for decrypt-tunnel or bridge mode using the following

command:

(host) (802.11R Profile "voice-enterprise") #key_duration <60-86400>

The default value is 3600 seconds.

Apply the 802.11r profile to an SSID profile using the following command:

(host) (config) #wlan ssid-profile voice dot11r-profile voice-enterprise

You can advertise the 802.11r capability on the Virtual AP profile by applying the SSID profile. Use the

following command to apply the SSID profile to the Virtual AP profile:

(host) (config) #wlan virtual-ap voice-AP ssid-profile voice

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 413

414 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Troubleshooting Fast BSS Transition

ArubaOS provides various troubleshooting options to verify the Fast BSS Transition functionalities.

In decrypt-tunnel mode and bridge mode, each r0 key generates up to four r1 keys and the controller pushes

each r1 key to the corresponding AP. A few commands are added to help verifying the pushing functionality:

Execute the following command to view all the r1 keys that are stored in an AP:

(host)(config) #show ap debug dot11r state

[ap-name <ap-name> | ip-addr <ip-addr>]

You can filter the output based on the AP name, BSSID, or IP address.

(host)(config) #show ap debug dot11r state ap-name MAcage-105-GL

Stored R1 Keys

--------------

Station MAC Mobility Domain ID Validity Duration R1 Key

----------- ------------------ ----------------- ------

00:50:43:21:01:b8 1 3568 (32): 94 ff 18 0a 5f 47 8b 3e 95

2b 93 31 bd

44 58 fe fe 6a ad aa 1d d7 29 94 fb 5b 7c 15 76 66 d2 1f

You can use the following command to remove an r1 key from an AP when the AP does not have a cached r1

key during Fast BSS Transition roaming.

(host) #ap debug dot11r remove-key <sta-mac> ap-name <ap-name> | ip-addr <ip-addr>

(host) #ap debug dot11r remove-key 00:50:43:21:01:b8 ap-name MAcage-105-GL

Execute the following command to check if the r1 key is removed from the AP:

(host)(config) #show ap debug dot11r state ap-name MAcage-105-GL

Stored R1 Keys

--------------

Station MAC Mobility Domain ID Validity Duration R1 Key

----------- ------------------ ----------------- ------

Execute the following command to view the hit/miss rate of r1 keys cached on an AP before a Fast BSS

Transition roaming. This counter helps to verify if enough r1 keys are pushed to the neighboring APs.

(host)(config) #show ap debug dot11r efficiency <client-mac>

(host)(config) #show ap debug dot11r efficiency

Fast Roaming R1 Key Efficiency

------------------------------

Client MAC Hit (%) Miss (%)

---------- ------- --------

00:50:43:21:01:b8 0 (0%) 0 (0%)

SSIDProfiles

A Service Set Identifier (SSID) is the network or WLAN that any client sees. A SSID profile defines the name of

the network, authentication type for the network, basic rates, transmit rates, SSID cloaking, and certain WMM

settings for the network.

SSID Profile Overview

ArubaOS supports different types of the Advanced Encryption Standard (AES), Temporal Key Integrity Protocol

(TKIP), and wired equivalent privacy (WEP) encryption. AES is the most secure and recommended encryption

method. Most modern devices are AES capable and AES should be the default encryption method. Use TKIP

only when the network includes devices that do not support AES. In these situations, use a separate SSID for

devices that are only capable of TKIP.

Suite-B Cryptography

The Suite-B (bSec) protocol is a pre-standard protocol that has been proposed to the IEEE 802.11 committee as

an alternative to 802.11i. The main difference between bSec and standard 802.11i is that bSec implements

Suite-B algorithms wherever possible. Notably, AES-CCM is replaced by AES-GCM, and the Key Derivation

Function (KDF) of 802.11i is upgraded to support SHA-256 and SHA-384. In order to provide interoperability

with standard Wi-Fi software drivers, bSec is implemented as a shim layer between standard 802.11 Wi-Fi and a

Layer 3 protocol such as IP. A controller configured to advertise a bSec SSID will advertise an open network,

however only bSec frames will be permitted on the network.

This feature requires the ACR license.

The bSec protocol requires that you use VIA 2.1.1 or greater on the client device. Consult VIA documentation

for more information on configuring and installing VIA.

The bSec protocol is available in 128-bit mode and 256-bit mode. The number of bits specifies the length of the

AES-GCM encryption key. Using United States Department of Defense classification terminology, bSec-128 is

suitable for protection of information up to the SECRET level, while bSec-256 is suitable for protection of

information up to the TOP SECRET level.

Suite-B AES-128-GCM and AES-256-GCM encryption is supported by the ArubaOS hardware. Note, however,

that not all controllers support Suite-B encryption. The table below describes the controller support for Suite-B

encryption in ArubaOS.

Controller Serial Number Prefix ACR License Support

W-7200 Series All serial numbers supported Yes

W-600 Series All serial numbers supported Yes

W-3000 Series FC Yes

W-3000 Series F No

W-6000M3 card AK Yes

W-6000M3 card A No

To determine the serial number prefix for your controller, issue the CLI command show inventory and note

the prefix before the system serial number. The serial number prefix in the example below appears in bold.

(host) #show inventory

Supervisor Card slot : 0

System Serial# : AK0093676

SC Assembly# : 2010052B (Rev:02.01)

SC Serial# : F01629529 (Date:03/29/10)

SC Model# : W-3600-US

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 415

416 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Wi-Fi Multimedia Protection

Wi-Fi Multimedia (WMM®) is a Wi-Fi Alliance® certification program that is based on the IEEE 802.11e

amendment. WMM ensures QoS for latency-sensitive traffic in the air. WMM divides the traffic into four

queues or access categories:

lvoice

lvideo

lbest effort

lbackground

Management Frame Protection

ArubaOS supports the IEEE 802.11w standard, also known as Management Frame Protection (MFP). MFP

makes it difficult for an attacker to deny service by spoofing Deauth and Disassoc management frames.

MFPuses 802.11i (Robust Security Network) framework that establishes encryption keys between the client

and AP.

MFP is configured on a virtual AP (VAP) as part of the wlan ssid-profile. There are two parameters that can be

configured, mfp-capable and mfp-required. Both are disabled by default.

MFP can only be enabled on SSIDs that support WPA2. MFP is not supported on virtual APs using tunnel forwarding

mode.

Configuring the SSIDProfile

Follow the procedures below to create a new SSID profile and associate that profile to your Virtual AP.

In the WebUI

1. Navigate to Advanced Services > All Profile Management.

2. In the Profiles list, expand the Wireless LAN menu, then select SSID.

3. Select an existing profile from the Profile Details pane, or enter create a new profile by entering a new name

into the entry blank, then clicking Add.

4. Configure the SSIDprofile parameters described in Table 51, then click Apply.

The SSID profile configuration settings are divided into two tabs, Basic and Advanced. The Basic tab displays

only those configuration settings that often need to be adjusted to suit a specific network. The Advanced tab

shows all configuration settings, including settings that do not need frequent adjustment or should be kept at

their default values. If you change a setting on one tab then click and display the other tab without saving your

configuration, that setting will revert to its previous value.

Parameter Description

Basic SSID Profile Settings

Network Name Name that uniquely identifies a wireless network. The network name, or ESSID can

be up to 31 characters. If the ESSID includes spaces, you must enclose it in

quotation marks.

Network

Authentication

The layer-2 authentication to be used on this ESSID to protect access and ensure

the privacy of the data transmitted to and from the network.

lNone

Table 78: SSID Profile Parameters

Parameter Description

l802.1x/WEP

lWPA

lWPA-PSK

lWPA2

lWPA2-PSK

lxSec

lMixed

If you select the Mixed authentication option, a drop-down list will appear in the

Network Authentication section. Click this drop-down list and select the

combination of authentication types supported by APs using this SSID profile.

Encryption This field shows the default encryption type used on this ESSID. Unselect the

default encryption type if you do not want encryption, or click the Advanced tab to

define a new encryption type.

Keys If you selected WPA-PSK or WPA2-PSK authentication or a mixed authentication

type that supports pre-shared keys, enter and confirm the Hex Key or PSK

passphrase in the PSK Key/Passphrase and Confirm PSK Key/Passphrase

fields.

lTo define a hex key, enter a 64-character hexadecimal string.

lTo define a PSK passphrase, enter san ASCII string 8-63 characters in length.

Next click the Format drop-down list and select Hex or PSK Passphrase to select

the format for the key or passphrase.

Advanced SSID Profile Settings

SSID Enable Click this checkbox to enable or disable the SSID. The SSID is enabled by default.

Encryption Select one of the following encryption types

xSec Encryption and tunneling of Layer-2 traffic between the controller and wired or

wireless clients, or between controllers. To use xSec encryption, you must use a

RADIUS authentication server. For clients, you must install the Funk Odyssey client

software.

Requires installation of the xSec license. For xSec between controllers, you must

install an xSec license in each controller.

opensystem No authentication and encryption.

static-wep WEP with static keys.

dynamic-wep WEP with dynamic keys.

wpa-tkip WPA with TKIP encryption and dynamic keys using 802.1x.

wpa-aes WPA with AES encryption and dynamic keys using 802.1x.

wpa-psk-tkip WPA with TKIP encryption using a preshared key.

wpa-psk-aes WPA with AES encryption using a preshared key.

wpa2-aes WPA2 with AES encryption and dynamic keys using 802.1x.

wpa2-psk-aes WPA2 with AES encryption using a preshared key.

wpa2-psk-tkip WPA2 with TKIP encryption using a preshared key.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 417

418 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

wpa2-tkip WPA2 with TKIP encryption and dynamic keys using 802.1x.

wpa2-aes-gcm-128 WPA2 with AES GCM-128 (Suite-b) encryption and dynamic keys

using 802.1X.

NOTE: This parameter requires the ACR license. For further information on Suite-B

encryption, see SSIDProfiles on page 414.

wpa2-aes-gcm-256 WPA2 with AES GCM-256 (Suite-b) encryption and dynamic keys

using 802.1X.

NOTE: This parameter requires the ACR license. For further information on Suite-B

encryption, see SSIDProfiles on page 414.

Enable Management

Frame Protection

When selected, the SSID supports MFP-capable and traditional clients.

NOTE: MFP can only be enabled on SSIDs that support WPA2.

Require Management

Frame Protection

When selected, the SSIDsupports MFP-capable clients only.

NOTE: MFP can only be enabled on SSIDs that support WPA2.

DTIM Interval Specifies the interval, in milliseconds, between the sending of Delivery Traffic

Indication Messages (DTIMs) in the beacon. This is the maximum number of

beacon cycles before unacknowledged network broadcasts are flushed. When

using wireless clients that employ power management features to sleep, the client

must revive at least once during the DTIM period to receive broadcasts

802.11g Transmit

Rates

Select the set of 802.11b/g rates at which the AP is allowed to send data. The

actual transmit rate depends on what the client is able to handle, based on

information sent at the time of association and on the current error/loss rate of the

client.

802.11g Basic Rates Select the set of supported 802.11b/g rates that are advertised in beacon frames

and probe responses.

802.11a Transmit

Rates

Select the set of 802.11a rates at which the AP is allowed to send data. The actual

transmit rate depends on what the client is able to handle, based on information

sent at the time of association and on the current error/loss rate of the client.

802.11a Basic Rates Select the set of supported 802.11a rates, in Mbps, that are advertised in beacon

frames and probe responses.

Station Ageout Time Time, in seconds, that a client is allowed to remain idle before being aged out.

Max Transmit

Attempts

Maximum number of retries allowed for the AP to send a frame.

RTS Threshold Wireless clients transmitting frames larger than this threshold must issue Request

to Send (RTS) and wait for the AP to respond with Clear to Send (CTS). This helps

prevent mid-air collisions for wireless clients that are not within wireless peer

range and cannot detect when other wireless clients are transmitting.

The default value is 2333 bytes.

Short Preamble Click this checkbox to enable or disable a short preamble for 802.11b/g radios.

Network performance may be higher when short preamble is enabled. In mixed

radio environments, some 802.11b wireless client stations may experience

difficulty associating with the AP using short preamble. To use only long preamble,

disable short preamble. Legacy client devices that use only long preamble

generally can be updated to support short preamble.

Parameter Description

Max Associations Maximum number of wireless clients for the AP.

The supported range is 0-256 clients.

Wireless Multimedia

(WMM)

Enables or disables WMM, also known as IEEE 802.11e Enhanced Distribution

Coordination Function (EDCF). WMM provides prioritization of specific traffic

relative to other traffic in the network.

Wireless Multimedia

U-APSD (WMM-

UAPSD) Powersave

Enable Wireless Multimedia (WMM) UAPSD powersave.

WMM TSPEC Min

Inactivity Interval

Specify the minimum inactivity time-out threshold of WMM traffic. This setting is

useful in environments where low inactivity interval time-outs are advertised,

which may cause unwanted timeouts.

The supported range is 0-3,600,000 milliseconds, and the default value is 0

milliseconds.

Override DSCP

mappings for WMM

clients

Override the default DSCP mappings in the SSID profile with the ToS value. This

setting is useful when you want to set a non-default ToS value for a specific traffic.

DSCP mapping for

WMM voice AC

DSCP used to map WMM voice traffic.

The supported range is 0-63.

DSCP mapping for

WMM video AC

Select the DSCP used to map WMM video traffic.

The supported range is 0-63.

DSCP mapping for

WMM best-effort AC

Select the DSCP value used to map WMM best-effort traffic.

The supported range is 0-63.

DSCP mapping for

WMM background AC

Select the DSCP used to map WMM background traffic.

The supported range is 0-63.

Hide SSID Select this checkbox to enable or disable the hiding of the SSID name in beacon

frames. Note that hiding the SSID does very little to increase security.

Deny_Broadcast

Probes

When a client sends a broadcast probe request frame to search for all available

SSIDs, this option controls whether or not the system responds for this SSID. When

enabled, no response is sent and clients have to know the SSID in order to

associate to the SSID. When disabled, a probe response frame is sent for this SSID.

Local Probe Request

Threshold (dB)

Enter the SNR threshold below which incoming probe requests will get ignored. The

supported range of values is 0-100 dB. A value of 0 disables this feature.

Disable Probe Retry Click this checkbox to enable or disable battery MAC level retries for probe

response frames. By default this parameter is enabled, which mean that MAC level

retries for probe response frames is disabled.

Battery Boost Converts multicast traffic to unicast before delivery to the client, thus allowing you

to set a longer DTIM interval. The longer interval keeps associated wireless clients

from activating their radios for multicast indication and delivery, leaving them in

power-save mode longer and thus lengthening battery life.

This parameter requires the PEFNG license.

WEP Key 1 First static WEP key associated with the key index. Can be 10 or 26 hex characters

in length.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 419

420 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

WEP Key 2 Second static WEP key associated with the key index. Can be 10 or 26 hex

characters in length.

WEP Key 3 Third Static WEP key associated with the key index. Can be 10 or 26 hex characters

in length.

WEP Key 4 Fourth Static WEP key associated with the key index. Can be 10 or 26 hex

characters in length.

WEP Transmit Key

Index

Key index that specifies which static WEP key is to be used. Can be 1, 2, 3, or 4.

WPA Hexkey WPA pre-shared key (PSK).

WPA Passphrase WPA passphrase with which to generate a pre-shared key (PSK).

Maximum Transmit

Failures

The AP assumes the client has left and should be deauthorized when the AP

detects this number of consecutive frames were not delivered because the

maximum retry threshold as been exceeded.

BC/MC Rate

Optimization

Click this checkbox to enable or disable scanning of all active stations currently

associated to an AP to select the lowest transmission rate for broadcast and

multicast frames. This option only applies to broadcast and multicast data frames;

802.11 management frames are transmitted at the lowest configured rate.

NOTE: Do not enable this parameter unless instructed to do so by your Dell

technical support representative.

Rate Optimization for

delivering EAPOL

frames

Click this checkbox to use a more conservative rate for more reliable delivery of

EAPOL frames.

Strict Spectralink

Voice Protocol (SVP)

Click this checkbox to enable Strict Spectralink Voice Protocol (SVP)

802.11g Beacon Rate Click this drop-down list to select the beacon rate for 802.11g (use for Distributed

Antenna System (DAS) only). Using this parameter in normal operation may cause

connectivity problems.

802.11a Beacon Rate Click this drop-down list to select the beacon rate for 802.11a (use for Distributed

Antenna System (DAS) only). Using this parameter in normal operation may cause

connectivity problems.

Advertise QBSS Load

Click this checkbox to enable the AP to advertise the QBSS load element. The

element includes the following parameters that provide information on the traffic

situation:

lStation count: The total number of stations associated to the QBSS.

lChannel utilization: The percentage of time (normalized to 255) the channel

is sensed to be busy. The access point uses either the physical or the virtual

carrier sense mechanism to sense a busy channel.

lAvailable admission capacity: The remaining amount of medium time

(measured as number of 32us/s) available for a station via explicit admission

control.

The QAP uses these parameters to decide whether to accept an admission control

request. A wireless station uses these parameters to choose the appropriate

access points.

NOTE: Ensure that WMM is enabled for legacy APs to advertise the QBSS load

element. For 802.11n APs, ensure that either wmm or high throughput is enabled.

Parameter Description

Advertise Location

Information

When this option is enabled, APs broadcast their location within a IE carried in

Beacon frames and Probe Response frames. The AP’s latitude, longitude and

altitude can be configured on the Configuration > Wireless> AP Installation

page of the controller WebUI, or using the provision-ap command in the controller

command-line interface.

Advertise AP Name If this parameter enabled, APs will broadcast the AP name configured by the ap-

name command. This option is disabled by default.

Enforce User VLAN for

Open Stations

Select this option to restrict data traffic from open stations to the user's assigned

VLAN. This option is disabled by default.

In the CLI

(host)(config) #wlan ssid-profile <profile>

WLAN Authentication

The AAA profile configures the authentication for a WLAN. The AAA profile defines the type of authentication

(802.1x in this example), the authentication server group, and the default user role for authenticated users.

It is recommended that you assign a unique name to each virtual AP, SSID, and AAA profile that you modify.

Configuring an AAAProfile in the WebUI

1. Navigate to Configuration > Security > Authentication > Profiles, the select the AAA Profiles tab.

2. Scroll down to the bottom of the AAA Profiles Summary pane, then click Add. An entry blank appears.

3. Enter the AAA profile name, then click Add.

4. In the profiles list, and select the AAA profile you just created.

5. Configure the AAA profile parameters (see Table 79),

6. Click Apply.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 421

422 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Initial role Click the Initial Role drop-down list and select a role for

unauthenticated users. The default role for unauthenticated users is

logon.

MAC Authentication Default

Role

Click the MAC Authentication Default Role drop-down list and select

the role assigned to the user when the device is MAC authenticated.

The default role for MAC authentication is the guest user role. If

derivation rules are present, the role assigned to the client through

these rules take precedence over the default role.

NOTE: This feature requires the PEFNG license.

802.1X Authentication Default

Role

Click the 802.1X Authentication Default Role drop-down list and

select the role assigned to the client after 802.1x authentication. The

default role for 802.1x authentication is the guest user role. If

derivation rules are present, the role assigned to the client through

these rules take precedence over the default role.

NOTE: This feature requires the PEFNG license.

User idle timeout Select the Enable checkbox to configure user idle timeout value for

this profile. Specify the idle timeout value for the client in seconds. A

value of 0, deletes the user immediately after disassociation from

the wireless network. Valid range is 30-15300 in multiples of 30

seconds. Enabling this option overrides the global settings con-

figured in the AAA timers. If this is disabled, the global settings are

used.

RADIUS Interim Accounting When this option is enabled, the RADIUS accounting feature allows

the controller to send Interim-Update messages with current user

statistics to the server at regular intervals. This option is disabled by

default, allowing the controller to send only start and stop messages

to the RADIUS accounting server.

User derivation rules Click the User derivation rules drop-down list and specify a user

attribute profile from which the user role or VLAN is derived.

Wired to Wireless Roaming Enable this feature to keep users authenticated when they roam

from the wired side of the network. This feature is enabled by

default.

SIP authentication role Click the SIP authentication role drop-down list and specify the role

assigned to a session initiation protocol (SIP) client upon

registration.

NOTE: This feature requires the PEFNG license.

Table 79: AAA Profile Parameters

Parameter Description

Device Type Classification When you select this option, the controller will parse user-agent

strings and attempt to identify the type of device connecting to the

AP. When the device type classification is enabled, the Global client

table shown in the Monitoring>Network > All WLAN Clients

window shows each client’s device type, if that client device can be

identified.

Enforce DHCP When you select this option, clients must obtain an IP using DHCP

before they are allowed to associate to an AP. Enable this option

when you create a user rule that assigns a specific role or VLAN

based upon the client device’s type. For details, see Working with

User-Derived VLANs on page 373.

NOTE: If a client is removed from the user table by the “Logon user

lifetime” AAA timer, then that client will not be able to send traffic

until it renews it’s DHCP.

PAN firewalls Integration Requires IP mapping at Palo Alto Networks firewalls. For details, see

Palo Alto Networks Firewall Integration on page 620.

7. In the profiles list, select the AAA profile to expand the list of other profiles associated with that AAAprrofile.

8. Click 802.1X Authentication. The 802.1X Authentication Profile appears.

a. Click the 802.1X Authentication Profile drop-down list and select an authentication profile to

associate with your AAAprofile.

b. Click Apply.

9. Click 802.1X Authentication Server Group. The 802.1X Authentication Server Group appears..

a. Click the 802.1X Authentication Server Group drop-down list and select the server group to

associate with your AAA profile.

b. Click Apply.

10.Click MAC Authentication. The MAC Authentication Profile appears.

a. Click the MAC Authentication Profile drop-down list and select a MAC authentication profile to

associate with your AAAprofile.

b. Click Apply.

11.Click MAC Authentication Server Group. The MAC Authentication Server Group appears.

a. Click the MAC Authentication Server Group drop-down list and select the MAC server group to

associate with your AAA profile.

b. Click Apply.

12.Click RADIUS Authentication Server Group. The RADIUS Authentication Server Group appears.

a. Click the RADIUS Authentication Server Group drop-down list and select the MAC server group to

associate with your AAA profile.

b. Click Apply.

Configuring an AAAProfile in the CLI

(host)(config) #aaa authentication dot1x <profile>

(host)(config) #aaa profile <profile>

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 423

424 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

High-Throughput Virtual APs

With the implementation of the IEEE 802.11ac standard, very-high-throughput can be configured to operate

on the 5 GHz frequency band. High-throughput (802.11n) can be configured on both the 5 GHz and 2.5 GHz

frequency bands. High-throughput is enabled by default, and can be enabled or disabled in the 802.11a and

802.11g radio profiles. For details, see 802.11a and 802.11g RF Management Profiles on page 509

Two different profiles define settings specific to high-throughput APs. The high-throughput radio profile

defines settings for 40 MHz tolerance, is associated to an AP through it's 802.11a or 802.11g radio profile. The

high-throughput SSID profile configures the high-throughput SSID settings for 802.11n, and is associated

to an AP through it's virtual AP profile

Stations are not allowed to use high-throughput with TKIP standalone encryption, although TKIP can be

provided in mixed-mode BSSIDs that support high-throughput. High-throughput is disabled on a BSSID if the

encryption mode is standalone TKIP or WEP.

De-aggregation of MAC Service Data Units (A-MSDUs) is supported on the W-3000 Series, W-7220, and the W-

6000M3 controllers with a maximum frame transmission size of 4k bytes; however, this feature is always enabled

and is not configurable. Aggregation is not currently supported.

Configuring the High-Throughput Radio Profile

You can configure high-throughput radio profile settings using the WebUI or CLI interfaces

In the WebUI

1. Navigate to Advanced Services > All Profile Management.

2. In the Profiles list, expand the RF Management menu, then select High-throughput radio.

3. Select an existing profile from the Profile Details pane, or enter create a new profile by entering a new

name into the entry blank, then clicking Add.

The configuration settings in this profile are divided into two tabs, Basic and Advanced. The Basic tab

displays only those configuration settings that often need to be adjusted to suit a specific network. The

Advanced tab shows all configuration settings, including settings that do not need frequent adjustment or

should be kept at their default values. If you change a setting on one tab then click and display the other

tab without saving your configuration, that setting will revert to its previous value.

Parameter Description

Basic

40MHz intolerance This parameter controls whether or not APs using this radio profile will

advertise intolerance of 40 MHz operation. By default, this option is disabled,

and 40 MHz operation is allowed. If you do not want to use 40 Mhz operation,

select the 40MHz intolerance checkbox to enable this feature.

Advanced

Table 80: High-Throughput Radio Profile Configuration Parameters

Parameter Description

honor 40MHz

intolerance

When enabled, the radio will stop using the 40 MHz channels if the 40 MHz

intolerance indication is received from another AP or station. Uncheck the

Honor 40 Mhz intolerance checkbox to disable this feature.

Default: Enabled

CSD override Most transmissions to high throughput (HT) stations are sent through

multiple antennas using cyclic shift diversity (CSD). When you enable the CSD

Override parameter, CSD is disabled and only one antenna transmits data,

even if they are being sent to high-throughput stations. This enables

interoperability for legacy or high-throughput stations that cannot decode

802.11n CDD data. This option is disabled by default, and should only be

enabled under the supervision of Dell technical support.

Use this feature to turn off antenna diversity when the AP must support

legacy clients such as Cisco 7921g VoIP phones, or older 802.11g clients (e.g.

Intel Centrino clients). Note, however, that enabling this feature can reduce

overall throughput rates.

4. Click Apply.

In order for the settings in this profile to take effect, the profile must be associated with an AP's 802.11a or

802.11g radio profile. For details, see the Associated Profiles section of , 802.11a/802.11g RF Management

Configuration Parameters.

In the CLI

(host) (config) rf ht-radio-profile <profile>

40MHz-intolerance

clone <profile>

diversity-spreading-workaround

honor-40MHz-intolerance

no...

(host) (config) rf dot11a-radio-profile <profile>

high-throughput-enable

ht-radio-profile <profile>

(host) (config) rf dot11g-radio-profile <profile>

high-throughput-enable

ht-radio-profile <profile>

Configuring the High-Throughput SSID Profile

You can configure high-throughput SSID profile settings using the WebUI or CLI interfaces

In the WebUI

1. Navigate to Advanced Services > All Profile Management.

2. In the Profiles list, expand the Wireless LAN menu, then select High-throughput radio.

3. Select an existing profile from the Profile Details pane, or enter create a new profile by entering a new

name into the entry blank, then clicking Add.

4. Configure the high-throughput SSID profile settings described in Table 81 .

The High-Throughput SSID profile configuration settings are divided into two tabs, Basic and

Advanced. The Basic tab displays only those configuration settings that often need to be adjusted to

suit a specific network. The Advanced tab shows all configuration settings, including settings that do not

need frequent adjustment or should be kept at their default values. If you change a setting on one tab

then click and display the other tab without saving your configuration, that setting will revert to its

previous value. Both basic and advanced settings are described in Table 54.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 425

426 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Basic High-Throughput SSID Profile Settings

High throughput enable (SSID) Determines if this high-throughput SSID allows high-throughput (802.11n)

stations to associate. Enabling high-throughput in an WLANhigh-through-

put SSID profile enables Wi-Fi Multimedia (WMM) base features for the

associated SSID.

40 MHz channel usage Enable or disable the use of 40 MHz channels. This parameter is enabled

by default.

Very High throughput enable

(SSID)

Enable/Disable support for Very High Throughput (802.11ac ) on the SSID.

80 MHz channel usage (VHT) Enables or disables the use of 80 MHz channels on Very High Throughput

(VHT) APs.

VHT - Explicit Transmit Beam-

forming

Enable or disable VHT Explicit Transmit Beamforming for the W-AP220 Ser-

ies. When this parameter is enabled, the AP requests information about

the Multiple-Input and Multiple-Output (MIMO) channel and uses that

information to transmit data over multiple transmit streams using a cal-

culated steering matrix. The result is higher throughput due to improved

signal at the beamforming (the receiving client). If this parameter is dis-

abled, all other transmit beamforming settings will not take effect.

Advanced High-Throughput SSID Profile Settings

VHT - Supported MCS Map Allows you to set the supported Modulation and Coding Scheme (MCS)

map for spatial streams 1 through 3. Each drop down list corresponds to a

spatial beginning with 1 on the left and ending with 3 on the right. Default

values are set to 9 for each spatial stream.

VHT - Transmit Beamforming

Sounding Interval

Time interval in seconds between channel information updates between

the AP and the beamformee client. (W-AP220 Series only)

BA AMSDU Enable Enable/Disable Receive AMSDU in BA negotiation.

Legacy stations Allow or disallow associations from legacy (non-HT) stations. By default,

this parameter is enabled (legacy stations are allowed).

Low-density Parity Check If enabled, the AP will advertise Low-density Parity Check (LDPC) support.

LDPC improves data transmission over radio channels with high levels of

background noise.

Maximum number of spatial

streams usable for STBC

reception

Controls the maximum number of spatial streams usable for STBC

reception. 0 disables STBC reception, 1 uses STBC for MCS 0-7. Higher

MCS values are not supported. (Supported on the W-AP90 series, W-

AP130 Series, W-AP68, W-AP175 and W-AP105 only. The configured value

will be adjusted based on AP capabilities.)

Table 81: High-Throughput SSID Profile Parameters

Parameter Description

Maximum number of spatial

streams usable for STBC

transmission.

Controls the maximum number of spatial streams usable for STBC

transmission. 0 disables STBC transmission, 1 uses STBC for MCS 0-7.

Higher MCS values are not supported. (Supported on W-AP90 series, W-

AP175, W-AP130 Seriesand W-AP105 only. The configured value will be

adjusted based on AP capabilities.)

MPDU Aggregation Enable or disable MAC protocol data unit (MPDU) aggregation.

High-throughput APs are able to send aggregated MAC protocol data units

(MDPUs), which allow an AP to receive a single block acknowledgment

instead of multiple ACK signals. This option, which is enabled by default,

reduces network traffic overhead by effectively eliminating the need to

initiate a new transfer for every MPDU.

Max received A-MPDU size Maximum size of a received aggregate MPDU, in bytes. Allowed values:

8191, 16383, 32767, 65535.

Max transmitted A-MPDU size Maximum size of a transmitted aggregate MPDU, in bytes.

Range: 1576–65535

Min MPDU start spacing Minimum time between the start of adjacent MPDUs within an aggregate

MPDU, in microseconds. Allowed values: 0 (No restriction on MDPU start

spacing), .25 µsec, .5 µsec, 1 µsec, 2 µsec, 4 µsec.

Short guard interval in 20 MHz

mode

Enable or disable use of short (400ns) guard interval in 20 MHz mode. This

parameter is enabled by default.

A guard interval is a period of time between transmissions that allows

reflections from the previous data transmission to settle before an AP

transmits data again. An AP identifies any signal content received inside

this interval as unwanted inter-symbol interference, and rejects that data.

The 802.11n standard specifies two guard intervals: 400ns (short) and

800ns (long). Enabling a short guard interval can decrease network

overhead by reducing unnecessary idle time on each AP. Some outdoor

deployments, may, however require a longer guard interval. If the short

guard interval does not allow enough time for reflections to settle in your

mesh deployment, inter-symbol interference values may increase and

degrade throughput.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual APs | 427

428 | Virtual APs Dell Networking W-Series ArubaOS 6.4.x| User Guide

Parameter Description

Short guard interval in 40 MHz

mode

Enable or disable use of short (400ns) guard interval in 40 MHz mode. This