Concept Guide
Table Of Contents
- About this Guide
- About Instant
- Setting up a W-IAP
- Automatic Retrieval of Configuration
- Instant User Interface
- Initial Configuration Tasks
- Customizing W-IAP Settings
- Modifying the W-IAP Host Name
- Configuring Zone Settings on a W-IAP
- Specifying a Method for Obtaining IP Address
- Configuring External Antenna
- Configuring Radio Profiles for a W-IAP
- Configuring Uplink VLAN for a W-IAP
- Changing the W-IAP Installation Mode
- Changing USB Port Status
- Master Election and Virtual Controller
- Adding a W-IAP to the Network
- Removing a W-IAP from the Network
- VLAN Configuration
- IPv6 Support
- Wireless Network Profiles
- Configuring Wireless Network Profiles
- Configuring Fast Roaming for Wireless Clients
- Configuring Modulation Rates on a WLAN SSID
- Multi-User-MIMO
- Management Frame Protection
- Disabling Short Preamble for Wireless Client
- Editing Status of a WLAN SSID Profile
- Editing a WLAN SSID Profile
- Deleting a WLAN SSID Profile
- Wired Profiles
- Captive Portal for Guest Access
- Understanding Captive Portal
- Configuring a WLAN SSID for Guest Access
- Configuring Wired Profile for Guest Access
- Configuring Internal Captive Portal for Guest Network
- Configuring External Captive Portal for a Guest Network
- Configuring Facebook Login
- Configuring Guest Logon Role and Access Rules for Guest Users
- Configuring Captive Portal Roles for an SSID
- Configuring Walled Garden Access
- Authentication and User Management
- Managing W-IAP Users
- Supported Authentication Methods
- Supported EAP Authentication Frameworks
- Configuring Authentication Servers
- Understanding Encryption Types
- Configuring Authentication Survivability
- Configuring 802.1X Authentication for a Network Profile
- Enabling 802.1X Supplicant Support
- Configuring MAC Authentication for a Network Profile
- Configuring MAC Authentication with 802.1X Authentication
- Configuring MAC Authentication with Captive Portal Authentication
- Configuring WISPr Authentication
- Blacklisting Clients
- Uploading Certificates
- Roles and Policies
- DHCP Configuration
- Configuring Time-Based Services
- Dynamic DNS Registration
- VPN Configuration
- IAP-VPN Deployment
- Adaptive Radio Management
- Deep Packet Inspection and Application Visibility
- Voice and Video
- Services
- Configuring AirGroup
- Configuring a W-IAP for RTLS Support
- Configuring a W-IAP for Analytics and Location Engine Support
- Managing BLE Beacons
- Clarity Live
- Configuring OpenDNS Credentials
- Integrating a W-IAP with Palo Alto Networks Firewall
- Integrating a W-IAP with an XML API Interface
- CALEA Integration and Lawful Intercept Compliance
- Cluster Security
- W-IAP Management and Monitoring
- Uplink Configuration
- Intrusion Detection
- Mesh W-IAP Configuration
- Mobility and Client Management
- Spectrum Monitor
- W-IAP Maintenance
- Monitoring Devices and Logs
- Hotspot Profiles
- ClearPass Guest Setup
- IAP-VPN Deployment Scenarios
- Acronyms and Abbreviations
RADIUS VSA Attributes
The user role can be derived from Dell Vendor-Specific Attributes (VSA) for RADIUS server authentication. The
role derived from a Dell VSA takes precedence over roles defined by other methods.
MAC-Address Attribute
The first three octets in a MAC address are known as Organizationally Unique Identifier (OUI), and are
purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority.
This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the
“assignee”) globally and effectively reserves a block of each possible type of derivative identifier (such as MAC
addresses) for the exclusive use of the assignee.
W-IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign
a desired role for users who have completed 802.1X authentication and MAC authentication. The user role can
be derived from the user attributes after a client associates with an W-IAP. You can configure rules to assign a
user role to clients that match a MAC-address-based criteria. For example, you can assign a voice role to any
client with a MAC address starting with a0:a1:a2.
Roles Based on Client Authentication
The user role can be the default user role configured for an authentication method, such as 802.1X
authentication. For each authentication method, you can configure a default role for the clients who are
successfully authenticated using that method.
DHCP Option and DHCP Fingerprinting
The DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in
the DHCP frame. Based on the operating system type, a role can be assigned to the device.
For example, to create a role assignment rule with the DHCP option, select equals from the Operator drop-
down list and enter 370103060F77FC in the String text box. Since 370103060F77FC is the fingerprint for
Apple iOS devices such as iPad and iPhone, W-IAP assigns Apple iOS devices to the role that you choose.
Device DHCP Option DHCP Fingerprint
Apple iOS Option 55 370103060F77FC
Android Option 60 3C64686370636420342E302E3135
Blackberry Option 60 3C426C61636B4265727279
Windows 7/Vista Desktop Option 55 37010f03062c2e2f1f2179f92b
Windows XP (SP3, Home,
Professional)
Option 55 37010f03062c2e2f1f21f92b
Windows Mobile Option 60 3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone Option 55 370103060f2c2e2f
Apple Mac OS X Option 55 370103060f775ffc2c2e2f
Table 41: Validated DHCP Fingerprint
Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide Roles and Policies | 198