Concept Guide
Table Of Contents
- About this Guide
- About Instant
- Setting up a W-IAP
- Automatic Retrieval of Configuration
- Instant User Interface
- Initial Configuration Tasks
- Basic Configuration Tasks
- Additional Configuration Tasks
- Customizing W-IAP Settings
- Modifying the W-IAP Hostname
- Configuring Zone Settings on a W-IAP
- Specifying a Method for Obtaining IP Address
- Configuring External Antenna
- Configuring Radio Profiles for a W-IAP
- Configuring Uplink VLAN for a W-IAP
- Changing USB Port Status
- Master Election and Virtual Controller
- Adding a W-IAP to the Network
- Removing a W-IAP from the Network
- VLAN Configuration
- Wireless Network Profiles
- Configuring Wireless Network Profiles
- Configuring Fast Roaming for Wireless Clients
- Editing Status of a WLAN SSID Profile
- Editing a WLAN SSID Profile
- Deleting a WLAN SSID Profile
- Wired Profiles
- Configuring a Wired Profile
- Assigning a Profile to Ethernet Ports
- Editing a Wired Profile
- Deleting a Wired Profile
- Link Aggregation Control Protocol
- Understanding Hierarchical Deployment
- Captive Portal for Guest Access
- Understanding Captive Portal
- Configuring a WLAN SSID for Guest Access
- Configuring Wired Profile for Guest Access
- Configuring Internal Captive Portal for Guest Network
- wConfiguring External Captive Portal for a Guest Network
- Configuring Facebook Login
- Configuring Guest Logon Role and Access Rules for Guest Users
- Configuring Captive Portal Roles for an SSID
- Configuring Walled Garden Access
- Authentication and User Management
- Managing W-IAP Users
- Supported Authentication Methods
- Supported EAP Authentication Frameworks
- Configuring Authentication Servers
- Understanding Encryption Types
- Configuring Authentication Survivability
- Configuring 802.1X Authentication for a Network Profile
- Configuring MAC Authentication for a Network Profile
- FConfiguring MAC Authentication with 802.1X Authentication
- hConfiguring MAC Authentication with Captive Portal Authentication
- Configuring WISPr Authentication
- Blacklisting Clients
- Uploading Certificates
- Roles and Policies
- Firewall Policies
- Content Filtering
- Configuring User Roles
- Configuring Derivation Rules
- Using Advanced Expressions in Role and VLAN Derivation Rules
- DHCP Configuration
- VPN Configuration
- IAP-VPN Deployment
- Adaptive Radio Management
- Deep Packet Inspection and Application Visibility
- Voice and Video
- Services
- AirGroup Configuration
- Configuring a W-IAP for RTLS Support
- Configuring a W-IAP for Analytics and Location Engine Support
- Configuring OpenDNS Credentials
- Integrating a W-IAP with Palo Alto Networks Firewall
- Integrating a W-IAP with an XML API interface
- CALEA Integration and Lawful Intercept Compliance
- W-IAP Management and Monitoring
- Managing a W-IAP from W-AirWave
- Image Management
- Resetting a W-IAP
- W-IAP and Client Monitoring
- Template-based Configuration
- Trending Reports
- Intrusion Detection System
- Wireless Intrusion Detection System (WIDS) Event Reporting to W-AirWave
- RF Visualization Support for Instant
- PSK-based and Certificate-based Authentication
- Configurable Port for W-IAP and W-AirWave Management Server Communication
- Configuring Organization String
- Managing a W-IAP from W-AirWave
- Uplink Configuration
- Intrusion Detection
- Mesh W-IAP Configuration
- Mobility and Client Management
- Spectrum Monitor
- W-IAP Maintenance
- Monitoring Devices and Logs
- Hotspot Profiles
- Understanding Hotspot Profiles
- Configuring Hotspot Profiles
- Creating Advertisement Profiles for Hotspot Configuration
- Configuring an NAI Realm Profile
- Configuring a Venue Name Profile
- Configuring a Network Authentication Profile
- Configuring a Roaming Consortium Profile
- Configuring a 3GPP Profile
- Configuring an IP Address Availability Profile
- Configuring a Domain Profile
- Configuring an Operator-friendly Profile
- Configuring a Connection Capability Profile
- Configuring an Operating Class Profile
- Configuring a WAN Metrics Profile
- Creating a Hotspot Profile
- Associating an Advertisement Profile to a Hotspot Profile
- Creating a WLAN SSID and Associating Hotspot Profile
- Creating Advertisement Profiles for Hotspot Configuration
- Sample Configuration
- ClearPass Guest Setup
- IAP-VPN Deployment Scenarios
- Terminology
244 | IAP-VPN Deployment Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide
deployment is not on a VLAN or subnet that is in centralized or distributed L2 mode of operation. For
information on hierarchical mode of deployment, see Understanding Hierarchical Deployment on page 126.
Configuring an SSID or Wired Port
For a client to connect to the IAP-VPNnetwork, an SSID or wired port profile on a W-IAP must be configured
with appropriate IAP-VPN mode of operation. The VLAN configuration in an SSID or wired port profile
determines whether an SSID or wired port is configured for the IAP-VPN operations.
To configure an SSID or wired port for a specific IAP-VPNmode, the VLAN ID defined in the SSID or wired port
profile must match the VLAN ID defined in the DHCP profile configuration. If the VLAN assignment for an SSID
or wired port profile is set to Virtual controller assigned, custom, or a static VLAN ID that does not match the
VLAN ID configured in the DHCP profiles, the IAP-VPN operations are affected. For example, if a local DHCP
profile is configured with a VLAN ID of 200, the VLAN configuration on the SSID must be set to a static VLAN ID
200.
Ensure that the VLAN assignment for an SSID or wired port profile is not set to default as the VPN tunnel is
not supported on the default VLAN.
For information on how to configure an SSID or wired port profile, see Wireless Network Profiles on page 97
and Configuring a Wired Profile on page 119 respectively.
Enabling Dynamic RADIUS Proxy
The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUSor
local server is used to authenticate users. However, some user networks can use a local RADIUS server for
employee authentication and a centralized RADIUS based captive portal server for guest authentication. To
ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUSproxy feature
must be enabled. When enabled, dynamic RADIUSproxy ensures that all the RADIUS traffic is sourced from
the Virtual Controller IP or inner IP of the W-IAP IPsec tunnel depending on the RADIUS server IP and routing
profile.
Ensure that a static Virtual Controller IP is configured before enabling dynamic RADIUS proxy, in order to
tunnel the RADIUS traffic to the central RADIUS server in the datacenter.
For information on enabling dynamic RADIUS proxy, see Configuring Dynamic RADIUSProxy Parameters on
page 171.
Configuring Enterprise Domains
By default, all the DNS requests from a client are forwarded to the clients DNS server. In a typical W-IAP
deployment without VPN configuration, client DNS requests are resolved by the DNS server of clients. For the
IAP-VPN scenario, the enterprise domain settings on the W-IAP are used for determining how client DNS
requests are routed. For information on how to configure enterprise domains, see Configuring Enterprise
Domains on page 201.
Configuring a Controller for IAP-VPN Operations
Dell Networking W-Series controllers provide an ability to terminate the IPSec and GRE VPNtunnels from the
W-IAP and provide corporate connectivity to the branch network. For IAP-VPN operations, ensure that the
following configuration and verification procedures are completed on the controller:
l OSPF Configuration
l VPN Configuration
l Branch-ID Allocation