Users Guide

ManualsBrandsDell ManualsAccess PlatformsW-Series Controller AOS

481

482

483

484

485

486

487

488

489

490

Table Of Contents

Contents
- Revision History
About this Guide
- What's New In ArubaOS 6.5.x
- Fundamentals
- Related Documents
- Conventions
- Contacting Dell
The Basic User-Centric Networks
- Understanding Basic Deployment and Configuration Tasks
- Controller Configuration Workflow
- Connect the Controller to the Network
- W-7000 Series and W-7200 Series Controllers
- Using the LCD Screen
- Configuring a VLAN to Connect to the Network
- Enabling Wireless Connectivity
- Enabling Wireless Connectivity
- Configuring Your User-Centric Network
- Replacing a Controller
Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Managing AP Whitelists
- Managing Whitelists on Master and Local Controllers
- Working in Environments with Multiple Master Controllers
- Replacing a Controller on a Multi-Controller Network
- Configuring Control Plane Security after Upgrading
- Troubleshooting Control Plane Security
Software Licenses
- Getting Started with ArubaOS Licenses
- License Types and Usage
- Licensing Best Practices and Limitations
- Centralized Licensing Overview
- Configuring Centralized Licensing
- Installing a License
- Deleting a License
- Monitoring and Managing Centralized Licenses
Network Configuration Parameters
- Campus WLAN Workflow
- Understanding VLAN Assignments
- Configuring VLANs
- Configuring Ports
- Configuring Static Routes
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
- Configuring GRE Tunnels
- Configuring GRE Tunnel Groups
- Jumbo Frame Support
IPv6 Support
- Understanding IPv6 Notation
- Understanding IPv6 Topology
- Enabling IPv6
- Enabling IPv6 Support for Controller and APs
- Filtering an IPv6 Extension Header (EH)
- Configuring a Captive Portal over IPv6
- Working with IPv6 Router Advertisements (RAs)
- RADIUS Over IPv6
- TACACS Over IPv6
- DHCPv6 Server
- Understanding ArubaOS Supported Network Configuration for IPv6 Clients
- Understanding ArubaOS Authentication and Firewall Features that Support IPv6
- Managing IPv6 User Addresses
- Understanding IPv6 Exceptions and Best Practices
Link Aggregation Control Protocol
- Understanding LACP Best Practices and Exceptions
- Configuring LACP
- LACP Sample Configuration
OSPFv2
- Understanding OSPF Deployment Best Practices and Exceptions
- Understanding OSPFv2 by Example using a WLAN Scenario
- Understanding OSPFv2 by Example using a Branch Scenario
- Configuring OSPF
- Sample Topology and Configuration
Tunneled Nodes
- Understanding Tunneled Node Configuration
- Configuring a Wired Tunneled Node Client
- Limitations
Authentication Servers
- Understanding Authentication Server Best Practices and Exceptions
- Understanding Servers and Server Groups
- Configuring Authentication Servers
- Managing the Internal Database
- Configuring Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
- Authentication Server Load Balancing
MAC-based Authentication
- Configuring MAC-Based Authentication
- Configuring Clients
Branch Controller Config for Controllers
- Branch Deployment Features
- Scalable Site-to-Site VPN Tunnels
- Layer-3 Redundancy for Branch Controller Masters
- WAN Failure (Authentication) Survivability
- WAN Health Check
- WAN Optimization through IP Payload Compression
- Interface Bandwidth Contracts
- Branch Integration with a Palo Alto Networks (PAN) Portal
- Branch Controller Routing Features
- Cloud Management
- Zero-Touch Provisioning
- Using Smart Config to create a Branch Config Group
- PortFast and BPDU Guard
- Preventing WAN Link Failure on Virtual APs
- Branch WAN Dashboard
802.1X Authentication
- Understanding 802.1X Authentication
- Configuring 802.1X Authentication
- Enabling 802.1X Supplicant Support on an AP
- Sample Configurations
- Performing Advanced Configuration Options for 802.1X
- Application Single Sign-On Using L2 Authentication
- Device Name as User Name for Non-802.1X Authentication
Stateful and WISPr Authentication
- Working With Stateful Authentication
- Working With WISPr Authentication
- Understanding Stateful Authentication Best Practices
- Configuring Stateful 802.1X Authentication
- Configuring Stateful NTLM Authentication
- Configuring Stateful Kerberos Authentication
- Configuring WISPr Authentication
Certificate Revocation
- Understanding OCSP and CRL
- Configuring the Controller as an OCSP Client
- Configuring the Controller as a CRL Client
- Configuring the Controller as an OCSP Responder
- Certificate Revocation Checking for SSH Pubkey Authentication
- OCSP Configuration for VIA
Captive Portal Authentication
- Understanding Captive Portal
- Configuring Captive Portal in the Base Operating System
- Using Captive Portal with a PEFNG License
- Sample Authentication with Captive Portal
- Configuring Guest VLANs
- Configuring Captive Portal Authentication Profiles
- Enabling Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Creating and Installing an Internal Captive Portal
- Creating Walled Garden Access
- Enabling Captive Portal Enhancements
- Netdestination for AAAA Records
Virtual Private Networks
- Planning a VPN Configuration
- Working with VPN Authentication Profiles
- Configuring a Basic VPN for L2TP/IPsec
- Configuring a VPN for L2TP/IPsec with IKEv2
- Configuring a VPN for Smart Card Clients
- Configuring a VPN for Clients with User Passwords
- Configuring Remote Access VPNs for XAuth
- Working with Remote Access VPNs for PPTP
- Working with Site-to-Site VPNs
- Working with VPN Dialer
Roles and Policies
- Configuring Firewall Policies
- User Roles
- Assigning User Roles
- Understanding Global Firewall Parameters
- Using AppRF 2.0
ClearPass Policy Manager Integration
- Introduction
- Important Points to Remember
- Enabling Downloadable Role on a Controller
- Sample Configuration
Virtual APs
- Virtual AP Configuration Workflow
- Virtual AP Profiles
- Changing a Virtual AP Forwarding Mode
- Radio Resource Management (802.11k)
- BSS Transition Management (802.11v)
- Fast BSS Transition ( 802.11r)
- SSID Profiles
- WLAN Authentication
- High-Throughput Virtual APs
- Guest WLANs
- Changing a Virtual AP Forwarding Mode
Adaptive Radio Management
- Understanding ARM
- Client Match
- ARM Coverage and Interference Metrics
- Configuring ARM Profiles
- Assigning an ARM Profile to an AP Group
- Using Multi-Band ARM for 802.11a/802.11g Traffic
- Band Steering
- Dynamic Bandwidth Switch
- Enabling Traffic Shaping
- Spectrum Load Balancing
- Reusing Channels to Control RX Sensitivity Tuning
- Configuring Non-802.11 Noise Interference Immunity
- Troubleshooting ARM
Wireless Intrusion Prevention
- Working with the Reusable Wizard
- Monitoring the Dashboard
- Detecting Rogue APs
- Working with Intrusion Detection
- Configuring Intrusion Protection
- Configuring the WLAN Management System
- Understanding Client Blacklisting
- Working with WIP Advanced Features
- Configuring TotalWatch
- Administering TotalWatch
- Tarpit Shielding Overview
- Configuring Tarpit Shielding
Access Points
- Important Points to Remember
- Basic Functions and Features
- AP Settings Triggering a Radio Restart
- Naming and Grouping APs
- Understanding AP Configuration Profiles
- Before you Deploy an AP
- Enable Controller Discovery
- Enable DHCP to Provide APs with IP Addresses
- AP Provisioning Profiles
- Configuring Installed APs
- Optional AP Configuration Settings
- RF Management
- Optimizing APs Over Low-Speed Links
- AP Scanning Optimization
- Channel Group Scanning
- Configuring AP Channel Assignments
- Managing AP Console Settings
- Link Aggregation Support on W-AP220 Series, W-AP270 Series, and W-AP320 Series
- Recording Consolidated AP-Provisioned Information
- Service Tag
Secure Enterprise Mesh
- Mesh Overview Information
- Mesh Configuration Procedures
- Understanding Mesh Access Points
- Understanding Mesh Links
- Understanding Mesh Profiles
- Understanding Remote Mesh Portals (RMPs)
- Understanding the AP Boot Sequence
- Mesh Deployment Solutions
- Mesh Deployment Planning
- Configuring Mesh Cluster Profiles
- Creating and Editing Mesh Radio Profiles
- Creating and Editing Mesh High-Throughput SSID Profiles
- Configuring Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- Verifying Your Mesh Network
- Configuring Remote Mesh Portals (RMPs)
Increasing Network Uptime Through Redundancy and VRRP
- High Availability
- VRRP-Based Redundancy
- High Availability Deployment Models
- Client State Synchronization
- High Availability Inter-Controller Heartbeats
- High Availability Extended Controller Capacity
- Configuring High Availability
- Migrating from VRRP or Backup-LMS Redundancy
- Configuring VRRP Redundancy
RSTP
- Understanding RSTP Migration and Interoperability
- Working with Rapid Convergence
- Configuring RSTP
- Troubleshooting RSTP
PVST+
- Understanding PVST+ Interoperability and Best Practices
- Enabling PVST+ in the CLI
- Enabling PVST+ in the WebUI
Link Layer Discovery Protocol
- Important Points to Remember
- LLDP Overview
- Configuring LLDP
- Monitoring LLDP Configuration
IP Mobility
- Understanding Dell Mobility Architecture
- Configuring Mobility Domains
- Tracking Mobile Users
- Configuring Advanced Mobility Functions
- Understanding Bridge Mode Mobility Deployments
- Enabling Mobility Multicast
External Firewall Configuration
- Understanding Firewall Port Configuration Among Dell Devices
- Enabling Network Access
- Ports Used for Virtual Internet Access (VIA)
- Configuring Ports to Allow Other Traffic Types
Palo Alto Networks Firewall Integration
- Limitation
- Preconfiguration on the PAN Firewall
- Configuring PAN Firewall Integration
Remote Access Points
- About Remote Access Points
- Configuring the Secure Remote Access Point Service
- Deploying a Branch/Home Office Solution
- Enabling Remote AP Advanced Configuration Options
- Understanding Split Tunneling
- Understanding Bridge
- Provisioning Wi-Fi Multimedia
- Reserving Uplink Bandwidth
- Provisioning 4G USB Modems on Remote Access Points
- Provisioning RAPs at Home
- Configuring W-IAP3WN and W-IAP3WNP Access Points
- Converting an IAP to RAP or CAP
- Enabling Bandwidth Contract Support for RAPs
- RAP TFTP Image Upgrade
Virtual Intranet Access
Spectrum Analysis
- Understanding Spectrum Analysis
- Creating Spectrum Monitors and Hybrid APs
- Connecting Spectrum Devices to the Spectrum Analysis Client
- Configuring the Spectrum Analysis Dashboards
- Customizing Spectrum Analysis Graphs
- Working with Non-Wi-Fi Interferers
- Understanding the Spectrum Analysis Session Log
- Viewing Spectrum Analysis Data
- Recording Spectrum Analysis Data
- Troubleshooting Spectrum Analysis
Dashboard Monitoring
- WAN
- Performance
- Usage
- Potential Issues
- Traffic Analysis
- AirGroup
- Security
- UCC
- Controller
- WLANs
- Access Points
- Clients
- Firewall
Management Access
- Configuring Certificate Authentication for WebUI Access
- Secure Shell (SSH)
- WebUI Session Timer
- Enabling RADIUS Server Authentication
- Connecting to an W-AirWave Server
- Custom Certificate Support for RAP
- Implementing a Specific Management Password Policy
- Configuring AP Image Preload
- Configuring Centralized Image Upgrades
- Managing Certificates
- Configuring SNMP
- Enabling Capacity Alerts
- Configuring Logging
- Enabling Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- ClearPass Profiling with IF-MAP
- Whitelist Synchronization
- Downloadable Regulatory Table
802.11u Hotspots
- Hotspot 2.0 Pre-Deployment Information
- Hotspot Profile Configuration Tasks
- Hotspot 2.0 Overview
- Configuring Hotspot 2.0 Profiles
- Configuring Hotspot Advertisement Profiles
- Configuring ANQP Venue Name Profiles
- Configuring ANQP Network Authentication Profiles
- Configuring ANQP Domain Name Profiles
- Configuring ANQP IP Address Availability Profiles
- Configuring ANQP NAI Realm Profiles
- Configuring ANQP Roaming Consortium Profiles
- Configuring ANQP 3GPP Cellular Network Profiles
- Configuring H2QP Connection Capability Profiles
- Configuring H2QP Operator Friendly Name Profiles
- Configuring H2QP Operating Class Indication Profiles
- Configuring H2QP WAN Metrics Profiles
Adding Local Controllers
- Moving to a Multi-Controller Environment
- Configuring Local Controllers
- Uplink Monitoring and Management
Voice and Video
- Voice and Video License Requirements
- Configuring Voice and Video
- Working with QoS for Voice and Video
- Unified Communication and Collaboration
- Understanding Extended Voice and Video Features
- Advanced Voice Troubleshooting
AirGroup
- Zero Configuration Networking
- AirGroup Solution
- AirGroup Deployment Models
- Features Supported in AirGroup
- ClearPass Policy Manager and ClearPass Guest Features
- Auto-association and Controller-based Policy
- Best Practices and Limitations
- Integrated Deployment Model
- Controller Dashboard Monitoring
- Configuring the AirGroup-CPPM Interface
- Bluetooth-Based Discovery and AirGroup
- AirGroup mDNS Static Records
- mDNS AP VLAN Aggregation
- mDNS Multicast Response Propagation
- Troubleshooting and Log Messages
Instant AP VPN Support
- Overview
- VPN Configuration
- Viewing Branch Status
External Services Interface
- Sample ESI Topology
- Understanding the ESI Syslog Parser
- Configuring ESI
- Sample Route-Mode ESI Topology
- Sample NAT-mode ESI Topology
- Understanding Basic Regular Expression (BRE) Syntax
External User Management
- Overview
- How the ArubaOS XML API Works
- Creating an XML Request
- XML Response
- Using the XML API Server
- Sample Scripts
Behavior and Defaults
- Understanding Mode Support
- Understanding Basic System Defaults
- Understanding Default Management User Roles
- Understanding Default Open Ports
DHCP with Vendor-Specific Options
- Configuring a Windows-Based DHCP Server
- Enabling DHCP Relay Agent Information Option (Option 82)
- Enabling Linux DHCP Servers
802.1X Configuration for IAS and Windows Clients
- Configuring Microsoft IAS
- Configuring Management Authentication using IAS
- Window XP Wireless Client Sample Configuration
Acronyms and Terms
- Acronyms
- Terms

devices that are advertising 40MHz intolerance, as this can impact the performance of the network.

Detecting Active 802.11n Greenfield Mode

When 802.11 devices use the HT operating mode, they can not share the same channel as 802.11a/b/g

stations. Not only can they not communicate with legacy devices, the way they use the transmission medium is

different, which would cause collisions, errors, and retransmissions.

Detecting Ad hoc Networks

An ad-hoc network is a collection of wireless clients that form a network amongst themselves without the use

of an AP. As far as network administrators are concerned, ad-hoc wireless networks are uncontrolled. If they do

not use encryption, they may expose sensitive data to outside eavesdroppers. If a device is connected to a

wired network and has bridging enabled, an ad-hoc network may also function like a rogue AP. Additionally, ad-

hoc networks can expose client devices to viruses and other security vulnerabilities. For these reasons, many

administrators choose to prohibit ad-hoc networks.

Detecting an Ad hoc Network Using a Valid SSID

If an unauthorized ad-hoc network is using the same SSID as an authorized network, a valid client may be

tricked into connecting to the wrong network. If a client connects to a malicious ad-hoc network, security

breaches or attacks can occur.

Detecting an AP Flood Attack

Fake AP is a tool that was originally created to thwart wardrivers by flooding beacon frames containing

hundreds of different addresses. This would appear to a wardriver as though there were hundreds of APs in

the area, thus concealing the real AP. An attacker can use this tool to flood an enterprise or public hotspots

with fake AP beacons to confuse legitimate users and to increase the amount of processing need on client

operating systems.

Detecting AP Impersonation

In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP

impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection,

or a honeypot attack.

Detecting AP Spoofing

An AP Spoofing attack involves an intruder sending forged frames that are made to look like they are from a

legitimate AP. It is trivial for an attacker to do this, since tools are readily available to inject wireless frames with

any MAC address that the user desires. Spoofing frames from a legitimate AP is the foundation of many

wireless attacks.

Detecting Bad WEP Initialization

This is the detection of WEP initialization vectors that are known to be weak. A primary means of cracking WEP

keys is to capture 802.11 frames over an extended period of time and searching for such weak

implementations that are still used by many legacy devices.

Detecting a Beacon Frame Spoofing Attack

In this type of attack, an intruder spoofs a beacon packet on a channel that is different from that advertised in

the beacon frame of the AP.

Detecting a Client Flood Attack

There are fake AP tools that can be used to attack wireless intrusion detection itself by generating a large

number of fake clients that fill internal tables with fake information. If successful, it overwhelms the wireless

Dell Networking W-Series ArubaOS 6.5.x | User Guide Wireless Intrusion Prevention | 485