Concept Guide

ManualsBrandsDell ManualsAccess PlatformsW-Series 228 Access Points

241

242

243

244

245

246

247

248

249

250

Table Of Contents

About this Guide
- Intended Audience
- Related Documents
- Conventions
- Contacting Dell
About Instant
- Instant Overview
- What is New in this Release
Setting up a W-IAP
- Setting up Instant Network
- Provisioning a W-IAP
- Logging in to the Instant UI
- Accessing the Instant CLI
Automatic Retrieval of Configuration
- Managed Mode Operations
- Prerequisites
- Configuring Managed Mode Parameters
- Verifying the Configuration
Instant User Interface
- Login Screen
- Main Window
Initial Configuration Tasks
- Configuring System Parameters
- Changing Password
Customizing W-IAP Settings
- Modifying the W-IAP Host Name
- Configuring Zone Settings on a W-IAP
- Specifying a Method for Obtaining IP Address
- Configuring External Antenna
- Configuring Radio Profiles for a W-IAP
- Configuring Uplink VLAN for a W-IAP
- Changing the W-IAP Installation Mode
- Changing USB Port Status
- Master Election and Virtual Controller
- Adding a W-IAP to the Network
- Removing a W-IAP from the Network
VLAN Configuration
- VLAN Pooling
- Uplink VLAN Monitoring and Detection on Upstream Devices
IPv6 Support
- IPv6 Notation
- Enabling IPv6 Support for W-IAP Configuration
- Firewall Support for IPv6
- Debugging Commands
Wireless Network Profiles
- Configuring Wireless Network Profiles
- Configuring Fast Roaming for Wireless Clients
- Configuring Modulation Rates on a WLAN SSID
- Multi-User-MIMO
- Management Frame Protection
- Disabling Short Preamble for Wireless Client
- Editing Status of a WLAN SSID Profile
- Editing a WLAN SSID Profile
- Deleting a WLAN SSID Profile
Wired Profiles
- Configuring a Wired Profile
- Assigning a Profile to Ethernet Ports
- Editing a Wired Profile
- Deleting a Wired Profile
- Link Aggregation Control Protocol
- Understanding Hierarchical Deployment
Captive Portal for Guest Access
- Understanding Captive Portal
- Configuring a WLAN SSID for Guest Access
- Configuring Wired Profile for Guest Access
- Configuring Internal Captive Portal for Guest Network
- Configuring External Captive Portal for a Guest Network
- Configuring Facebook Login
- Configuring Guest Logon Role and Access Rules for Guest Users
- Configuring Captive Portal Roles for an SSID
- Configuring Walled Garden Access
Authentication and User Management
- Managing W-IAP Users
- Supported Authentication Methods
- Supported EAP Authentication Frameworks
- Configuring Authentication Servers
- Understanding Encryption Types
- Configuring Authentication Survivability
- Configuring 802.1X Authentication for a Network Profile
- Enabling 802.1X Supplicant Support
- Configuring MAC Authentication for a Network Profile
- Configuring MAC Authentication with 802.1X Authentication
- Configuring MAC Authentication with Captive Portal Authentication
- Configuring WISPr Authentication
- Blacklisting Clients
- Uploading Certificates
Roles and Policies
- Firewall Policies
- Content Filtering
- Configuring User Roles
- Configuring Derivation Rules
- Using Advanced Expressions in Role and VLAN Derivation Rules
DHCP Configuration
- Configuring DHCP Scopes
- Configuring the Default DHCP Scope for Client IP Assignment
Configuring Time-Based Services
- Time Range Profiles
- Configuring a Time Range Profile
- Applying a Time Range Profile to a WLAN SSID
- Verifying the Configuration
Dynamic DNS Registration
- Enabling Dynamic DNS
- Configuring Dynamic DNS Updates for Clients
- Verifying the Configuration
VPN Configuration
- Understanding VPN Features
- Configuring a Tunnel from a W-IAP to a Mobility Controller
- Configuring Routing Profiles
IAP-VPN Deployment
- Understanding IAP-VPN Architecture
- Configuring W-IAP and Controller for IAP-VPN Operations
Adaptive Radio Management
- ARM Overview
- Configuring ARM Features on a W-IAP
- Configuring Radio Settings
Deep Packet Inspection and Application Visibility
- Deep Packet Inspection
- Enabling Application Visibility
- Application Visibility
- Enabling URL Visibility
- Configuring ACL Rules for Application and Application Categories
- Configuring Web Policy Enforcement Service
Voice and Video
- Wi-Fi Multimedia Traffic Management
- Media Classification for Voice and Video Calls
- Enabling Enhanced Voice Call Tracking
Services
- Configuring AirGroup
- Configuring a W-IAP for RTLS Support
- Configuring a W-IAP for Analytics and Location Engine Support
- Managing BLE Beacons
- Clarity Live
- Configuring OpenDNS Credentials
- Integrating a W-IAP with Palo Alto Networks Firewall
- Integrating a W-IAP with an XML API Interface
- CALEA Integration and Lawful Intercept Compliance
Cluster Security
- Overview
- Enabling Cluster Security
- Cluster Security Debugging Logs
- Verifying the Configuration
W-IAP Management and Monitoring
- Managing a W-IAP from W-AirWave
Uplink Configuration
- Uplink Interfaces
- Uplink Preferences and Switching
Intrusion Detection
- Detecting and Classifying Rogue W-IAPs
- OS Fingerprinting
- Configuring Wireless Intrusion Protection and Detection Levels
- Configuring IDS
Mesh W-IAP Configuration
- Mesh Network Overview
- Setting up Instant Mesh Network
- Configuring Wired Bridging on Ethernet 0 for Mesh Point
Mobility and Client Management
- Layer-3 Mobility Overview
- Configuring L3-Mobility
Spectrum Monitor
- Understanding Spectrum Data
- Configuring Spectrum Monitors and Hybrid W-IAPs
W-IAP Maintenance
- Upgrading a W-IAP
- Backing up and Restoring W-IAP Configuration Data
- Converting a W-IAP to a Remote AP and Campus AP
- Resetting a Remote AP or Campus AP to a W-IAP
- Rebooting the W-IAP
Monitoring Devices and Logs
- Configuring SNMP
- Configuring a Syslog Server
- Configuring TFTP Dump Server
- Running Debug Commands
- Uplink Bandwidth Monitoring
Hotspot Profiles
- Understanding Hotspot Profiles
- Configuring Hotspot Profiles
- Sample Configuration
ClearPass Guest Setup
- Configuring ClearPass Guest
- Verifying ClearPass Guest Setup
- Troubleshooting
IAP-VPN Deployment Scenarios
- Scenario 1—IPsec: Single Datacenter Deployment with No Redundancy
- Scenario 2—IPsec: Single Datacenter with Multiple Controllers for Redundancy
- Scenario 3—IPsec: Multiple Datacenter Deployment with Primary and Backup Cont...
- Scenario 4—GRE: Single Datacenter Deployment with No Redundancy
- Glossary
Acronyms and Abbreviations
- Glossary

245 | IAP-VPN Deployment Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide

0.0.0.15 ROUTER 10.15.148.12 10.15.148.12 166 0x80000016 0x4c0d

0.0.0.15 NETWORK 10.15.148.12 10.15.148.12 167 0x80000001 0x9674

0.0.0.15 NSSA 12.12.2.0 9.9.9.9 29 0x80000003 0x7b54

0.0.0.15 NSSA 12.12.12.0 9.9.9.9 164 0x80000008 0x63a

0.0.0.15 NSSA 12.12.12.32 9.9.9.9 164 0x80000008 0x7b8

0.0.0.15 NSSA 50.40.40.0 9.9.9.9 164 0x80000007 0x8ed4

0.0.0.15 NSSA 51.41.41.128 9.9.9.9 164 0x80000007 0x68f6

0.0.0.15 NSSA 53.43.43.32 9.9.9.9 164 0x80000007 0x2633

0.0.0.15 NSSA 54.44.44.16 9.9.9.9 164 0x80000007 0x353

N/A AS_EXTERNAL 12.12.2.0 9.9.9.9 29 0x80000003 0x8c06

N/A AS_EXTERNAL 12.12.12.0 9.9.9.9 169 0x80000001 0x25e4

N/A AS_EXTERNAL 12.12.12.32 9.9.9.9 169 0x80000001 0x2663

N/A AS_EXTERNAL 50.40.40.0 9.9.9.9 169 0x80000001 0xab80

N/A AS_EXTERNAL 51.41.41.128 9.9.9.9 169 0x80000001 0x85a2

N/A AS_EXTERNAL 53.43.43.32 9.9.9.9 169 0x80000001 0x43de

N/A AS_EXTERNAL 54.44.44.16 9.9.9.9 169 0x80000001 0x20fe

To verify if the redistributed routes are installed or not:

(Instant AP)# show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static

M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10

Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10

Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10

Gateway of last resort is 10.15.148.254 to network 0.0.0.0 at cost 1

S* 0.0.0.0/0 [1/0] via 10.15.148.254*

V 12.12.2.0/24 [10/0] ipsec map

V 12.12.12.0/25 [10/0] ipsec map

V 12.12.12.32/27 [10/0] ipsec map

V 50.40.40.0/24 [10/0] ipsec map

V 51.41.41.128/25 [10/0] ipsec map

V 53.43.43.32/27 [10/0] ipsec map

V 54.44.44.16/28 [10/0] ipsec map

C 9.9.9.0/24 is directly connected, VLAN9

C 10.15.148.0/24 is directly connected, VLAN1

C 43.43.43.0/24 is directly connected, VLAN132

C 42.42.42.0/24 is directly connected, VLAN123

C 44.44.44.0/24 is directly connected, VLAN125

C 182.82.82.12/32 is an ipsec map 10.15.149.69-182.82.82.12

C 182.82.82.14/32 is an ipsec map 10.17.87.126-182.82.82.14

VPN Configuration

The following VPN configuration steps on the controller enable the W-IAPs to terminate their VPN connection

on the controller:

Whitelist Database Configuration

The whitelist database is a list of the MAC addresses of the W-IAPs that are allowed to establish VPN

connections with the controller. This list can be either stored in the controller database or on an external

server.

You can use the following CLI command to configure the whitelist database entries if the controller is acting as

the whitelist database:

(host)# whitelist-db rap add mac-address 00:11:22:33:44:55 ap-group test

The ap-group parameter is not used for any configuration, but needs to be configured. The parameter can be

any valid string.

If an external server is used as the location for the whitelist database, add the MAC addresses of the valid W-

IAPs in the external database or external directory server and then configure a RADIUS server to authenticate

the W-IAPs using the entries in the external database or external directory server.