Dell PowerConnect W-IAP3WN/P User's Manual

Contents

1. (Instant AP)(config)# wlan ssid-profile <name>
   (Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>}
   (Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}
   (Instant AP)(SSID Profile <name>)# leap-use-session-key
   (Instant AP)(SSID Profile <name>)# termination
   (Instant AP)(SSID Profile <name>)# auth-server <server1>
   (Instant AP)(SSID Profile <name>)# auth-server <server2>
   (Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
   (Instant AP)(SSID Profile <name>)# auth-survivability
   (Instant AP)(SSID Profile <name>)# exit
   (Instant AP)(config)# auth-survivability cache-time-out <hours>
   (Instant AP)(config)# end
   (Instant AP)# commit apply
   Configuring 802.1X Authentication for Wired Profiles
   You can configure 802.1X authentication for a wired profile in the Instant UI or CLI.
   Dell Networking W-Series Instant 6.4.0.2-4.1 User Guide | Authentication and User Management | 164
   In the Instant UI
   To enable 802.1X authentication for a wired profile:
   1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed.
   2. Click New under Wired Networks to create a new network, or select an existing profile for which you want to enable 802.1X authentication, and then click Edit.
   3. In the New Wired Network or the Edit Wired Networ
2. Alternate Method for Defining Vendor Specific DHCP Options
   Uplink Configuration
   Ethernet Uplink
   Configuring PPPoE Uplink Profile
   In the Instant UI
   Cellular Uplink
   Configuring Cellular Uplink Profiles
   In the Instant UI
   Wi-Fi Uplink
   Configuring a Wi-Fi Uplink Profile
   Uplink Preferences and Switching
   Enforcing Uplinks
   Setting an Uplink Priority
   In the Instant UI
   Enabling Uplink Preemption
   In the Instant UI
   Switching Uplinks Based on VPN and Inte
3. Timeout Retry count
   To create a TACACS server profile, specify the attributes described in the following table:
   Table 29: TACACS Server Configuration Parameters
   Parameter | Description
   IP address | Enter the IP address of the TACACS server.
   Auth Port | Enter the TCP/IP port used by the server. The default port number is 49.
   Shared Key | Enter the secret key of your choice to authenticate communication between the TACACS client and server.
   Retype Key | Re-enter the secret key you have specified as the Shared Key.
   Timeout | Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS requests. The default value is 20 seconds.
   Retry Count | Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3.
   In the CLI
   To configure a TACACS server:
   (Instant AP)(config)# wlan tacacs-server <profile-name>
   (Instant AP)(TACACS Server <profile-name>)# ip <IP-address>
   (Instant AP)(TACACS Server <profile-name>)# port <port>
   (Instant AP)(TACACS Server <profile-name>)# key <key>
   (Instant AP)(TACACS Server <profile-name>)# timeout <seconds>
   (Instant AP)(TACACS Server <profile-name>)# retry-count <number>
   (Instant AP)(TACACS
4. Configuring Walled Garden Access
   On the Internet, a walled garden typically controls access to Web content and services. The Walled garden access is required when an external captive portal is used. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents.
   The users who do not sign up for the Internet service can view the allowed websites (typically hotel property websites). The website names must be DNS-based and support the option to define wildcards. This works for client devices with or without HTTP proxy settings.
   When a user attempts to navigate to other websites, which are not in the whitelist of the walled garden profile, the user is redirected to the login page. In addition, a blacklisted walled garden profile can also be configured to explicitly block the unauthenticated users from accessing some websites.
   You can create a walled garden access in Instant UI or CLI.
   In the Instant UI
   To create a Walled Garden access:
   1. Click the Security link at the top right corner of the Instant main window and click Walled Garden. The Walled Garden tab contents are displayed.
   2. To allow users to access a specific domain, click New and enter the domain name or URL in the Whitelist section of the window. This allows access to a domai
5. Click Next to configure VLAN settings. The VLAN tab contents are displayed.
   7. Select any of the following options for Client IP assignment:
   - Virtual Controller assigned: On selecting this option, the client obtains the IP address from the Virtual Controller.
   - Network assigned: On selecting this option, the IP address is obtained from the network.
   8. Based on the type of client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table:
   Table 23: IP and VLAN Assignment for WLAN SSID Clients
   Client IP Assignment | Client VLAN Assignment
   Virtual Controller assigned | If the Virtual Controller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the W-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. On selecting this option, the following client VLAN assignment options are displayed:
     - Default: When selected, the default VLAN as determined by the Virtual Controller is assigned for clients.
     - Custom: When selected, you can specify a custom VLAN assignment option. You can select an existing DHCP scope for client IP and VLAN assignment o
6. For more information on the intrusion detection feature, see Intrusion Detection on page 296.
   AirGroup
   This AirGroup link provides an overall view of your AirGroup configuration. Click each field to view or edit the settings.
   - MAC: Displays the MAC address of the AirGroup servers.
   - IP: Displays the IP address of the AirGroup servers.
   - Host Name: Displays the machine name or hostname of the AirGroup servers.
   - Service: Displays the type of the services, such as AirPlay or AirPrint.
   - VLAN: Displays VLAN details of the AirGroup servers.
   - Wired/Wireless: Displays if the AirGroup server is connected via wired or wireless interface.
   - Role: Displays the user role if the server is connected through 802.1X authentication. If the server is connected through PSK or open authentication, this field is blank.
   - Group: Displays the group.
   - CPPM: By clicking on this, you get details of the registered rules in ClearPass Policy Manager (CPPM) for this server.
   - MDNS Cache: By clicking on this, you receive MDNS record details of a particular server.
   The following figure shows the AirGroup server details available on clicking the AirGroup link:
   Figure 27: AirGroup Link
   Configuration
   The Configuration link provides an overall view of your Virtual Controller, Access Points, and WLAN SSID configuration. The following figure shows the Virtual Controller configuration details displayed on clicking the Configuration link:
   Figure 28 Configurati
7. 2. Click OK.
   In the CLI
   (Instant AP)(config)# arm
   (Instant AP)(ARM)# client-match calc-interval <seconds>
   (Instant AP)(ARM)# client-match calc-threshold <threshold>
   (Instant AP)(ARM)# client-match nb-matching <percentage>
   (Instant AP)(ARM)# client-match slb-mode 1
   (Instant AP)(ARM)# end
   (Instant AP)# commit apply
   Access Point Control
   You can configure access point control parameters through the Instant UI or CLI.
   In the Instant UI
   1. For Access Point Control, specify the following parameters in the RF > ARM > Show advanced options tab:
   Table 47: Access Point Control Configuration Parameters
   Parameter | Description
   Customize Valid Channels | Select this checkbox to customize valid channels for 2.4 GHz and 5 GHz. By default, the AP uses valid channels as defined by the Country Code (regulatory domain). On selecting the Customize Valid Channels checkbox, a list of valid channels for both 2.4 GHz and 5 GHz are displayed. The valid channel customization feature is disabled by default.
   Minimum Transmit Power | Specify the minimum transmission power. The value specified for Minimum Transmit Power indicates the minimum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. If the minimum transmission EIRP setting configured on an AP is not supported by the AP model, this value is
8. 1. Navigate to Security > Inbound Firewall tab. The Inbound Firewall tab contents are displayed.
   2. Under Inbound Firewall Rules, click New. The New Rule window is displayed.
   Figure 54: Inbound Firewall Rules - New Rule Window
   3. Configure the following parameters:
   Table 36: Inbound Firewall Rule Configuration Parameters
   Parameter | Description
   Action | Select any of following actions:
     - Select Allow to allow access to users based on the access rule.
     - Select Deny to deny access to users based on the access rule.
     - Select Destination-NAT to allow changes to destination IP address.
     - Select Source-NAT to allow changes to the source IP address.
     The destination-nat and source-nat actions apply only to the network services rules.
   Service | Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:
     - any: Access is allowed or denied to all services.
     - custom: Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If the Other option is selected, ensure that the appropriate ID is entered.
   Select any of the following optio
9. IAP-VPN Forwarding Modes
   The following forwarding modes are supported in the IAP-VPN scenario:
   - Local mode
   - Centralized L2 mode
   - Distributed L2 mode
   - Distributed L3 mode
   The forwarding modes determine whether the DHCP server and default gateway for clients reside in the branch or at the datacenter. These modes do not determine the firewall processing or traffic forwarding behavior. The Virtual Controller enables different DHCP pools (various assignment modes) in addition to allocating IP subnets for each branch.
   The Virtual Controller allows different modes of forwarding of traffic from the clients on a VLAN with a VPN tunnel. The forwarding modes are associated with various modes of DHCP address assignment modes.
   Local or NAT Mode
   In this mode, the W-IAP cluster at that branch has a local subnet and the master W-IAP of the cluster acts as the DHCP server and gateway for clients. The local mode provides VPN capabilities using the inner IP of the IAP-VPN IPsec tunnel. The source IP for all client traffic is translated, and the traffic destined for the corporate network is translated using the VPN tunnel IP address of the W-IAP and is forwarded through the IPsec VPN tunnel. The traffic destined for the non-corporate network is translated using the IP address of the IAP and is forwarded through the uplink.
   When the local mode is used for forwarding client traffic, hosts on the corporate network cannot establish connections to the clients on the W-IA
10. (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# set-role-by-ssid
    (Instant AP)(SSID Profile <name>)# end
    (Instant AP)# commit apply
    To configure role assignment rules:
    (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator><role>|value-of}
    (Instant AP)(SSID Profile <name>)# end
    (Instant AP)# commit apply
    To configure a pre-authentication role:
    (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# set-role-pre-auth <pre-authentication-role>
    (Instant AP)(SSID Profile <name>)# end
    (Instant AP)# commit apply
    To configure machine and user authentication roles:
    (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
    (Instant AP)(SSID Profile <name>)# end
    (Instant AP)# commit apply
    To configure unrestricted access:
    (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# set-role-unrestricted
    (Instant AP)(SSID Profile <name>)# end
    (Instant AP)# commit apply
    Example
    The following exam
11. VLAN Assignment Based on Derivation Rules
    When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes and sets an attribute value to the reply message, the W-IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user. For a complete list of RADIUS server attributes, see RADIUS Server Authentication with VSA on page 150.
    Figure 59: Configuring RADIUS Attributes on the RADIUS Server
    User Role
    If the VSA and VLAN derivation rules are not matching, then the user VLAN can be derived by a user role.
    VLANs Created for an SSID
    If
12. The following table describes each type of non-Wi-Fi interferer detected by the spectrum monitor feature:
    Table 60: Non-Wi-Fi Interferer Types
    Non-Wi-Fi Interferer | Description
    Bluetooth | Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol.
    Fixed Frequency (Audio) | Some audio devices such as wireless speakers and microphones also use fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency (Audio).
    Fixed Frequency (Cordless Phones) | Some cordless phones use a fixed frequency to transmit data (much like the fixed frequency video devices). These devices are classified as Fixed Frequency (Cordless Phones).
    Fixed Frequency (Video) | Video transmitters that continuously transmit video on a single frequency are classified as Fixed Frequency (Video). These devices typically have close to a 100% duty cycle. These types of devices may be used for video surveillance, TV or other video distribution, and similar applications.
    Fixed Frequency (Other) | All other fixed frequency devices that do not fall into one of the above categories are classified as Fixed Frequency (Other). Note that the RF signatures of the fixed frequency audio, video, and cordless phone devices are very similar and that some of these devices may be
13. admin-password <password>
    (Instant AP)(LDAP Server <profile-name>)# base-dn <name>
    (Instant AP)(LDAP Server <profile-name>)# filter <filter>
    (Instant AP)(LDAP Server <profile-name>)# key-attribute <key>
    (Instant AP)(LDAP Server <profile-name>)# timeout <seconds>
    (Instant AP)(LDAP Server <profile-name>)# retry-count <number>
    (Instant AP)(LDAP Server <profile-name>)# deadtime <minutes>
    (Instant AP)(LDAP Server <profile-name>)# end
    (Instant AP)# commit apply
    To configure a CPPM server used for AirGroup CoA (Change of Authorization):
    (Instant AP)(config)# wlan auth-server <profile-name>
    (Instant AP)(Auth Server <profile-name>)# ip <IP-address>
    (Instant AP)(Auth Server <profile-name>)# key <key>
    (Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>
    (Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only
    (Instant AP)(Auth Server <profile-name>)# end
    (Instant AP)# commit apply
    Configuring Dynamic RADIUS Proxy Parameters
    The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS-based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to
14. b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
    c. From the Action drop-down, select Allow or Deny as required.
    d. Click OK.
    5. To filter access based on the security ratings of the website:
    a. Select Web reputation under Services.
    b. Move the slider to the required security rating level. Move the slider to select a specific web reputation value to deny access to websites with a reputation value lower than or equal to the configured value, or to permit access to websites with a reputation value higher than or equal to the configured value. The following options are available:
    - Trustworthy: These are well-known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.
    - Low risk: These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.
    - Moderate risk: These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads.
    - Susp
15. 2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
    The SSID Name may contain any special character except for and
    3. Based on the type of network profile, select any of the following options under Primary usage:
    - Employee
    - Voice
    - Guest
    4. Click the Show advanced options link. The advanced options for configuration are displayed. Specify the following parameters as required:
    Table 19: WLAN Configuration Parameters
    Parameter: Broadcast filtering; DTIM interval; Multicast transmission optimization; Dynamic multicast optimization; DMO channel utilization threshold; Transmit Rates; Bandwidth Limits
    Description: Select
16. Configuring SNMP
    This section provides the following information:
    - SNMP Parameters for W-IAP on page 327
    - Configuring SNMP on page 328
    - Configuring SNMP Traps on page 330
    SNMP Parameters for W-IAP
    Instant supports SNMPv1, SNMPv2c, and SNMPv3 for reporting purposes only. A W-IAP cannot use SNMP to set values in a Dell system.
    You can configure the following parameters for a W-IAP:
    Table 65: SNMP Parameters for W-IAP
    Parameter | Description
    Community Strings for SNMPv1 and SNMPv2 | An SNMP Community string is a text string that acts as a password, and is used to authenticate messages sent between the Virtual Controller and the SNMP agent.
    If you are using SNMPv3 to obtain values from the W-IAP, you can configure the following parameters:
     | A string representing the name of the user.
    Authentication Protocol | An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol used. This can take one of the two values:
      - MD5: HMAC-MD5-96 Digest Authentication Protocol
      - SHA: HMAC-SHA-96 Digest Authentication Protocol
    Authentication protocol password | If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. This is a string password for MD5 or SHA depending on the choice above.
    Privacy protocol | An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so
17. Dell Networking W-Series Instant 6.4.0.2-4.1
    Copyright
    2014 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System. Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc.
    All rights reserved. Specifications in this manual are subject to change without notice.
    Originated in the USA. All other trademarks are the property of their respective owners.
    Open Source Code
    Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source
    Legal Notice
    The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to inf
18. - Exception route to bypass tunneling of RADIUS and W-AirWave traffic, which are locally reachable in the branch and the Internet, respectively.
    - All client DNS queries are tunneled to the controller.
    - Distributed L3 and Centralized L2 mode DHCP on all branches. L3 is used by the employee network and L2 is used by the guest network with captive portal.
    - Wired and wireless users in L2 and L3 modes.
    - Access rules defined for wired and wireless networks.
    Topology
    Figure 136 shows the topology and the IP addressing scheme used in this scenario.
    Figure 136: Scenario 2 - IPSec: Single Datacenter with Multiple Controllers for Redundancy
    (Diagram labels: DNS servers 10.1.1.50 and 10.1.1.30; L2 mode DHCP server in corporate network; DMZ; firewall; AirWave on Internet, 199.127.104.32; branch WAN modem; L3 mode DHCP server on AP; wired client; local RADIUS servers in branch, 10.2.2.1 and 10.2.2.2; wireless client.)
    The following IP addresses are used in the examples for this scenario:
    - 10.0.0.0/8 is the corporate network.
    - 10.20.0.0/16 subnet is reserved for L2 mode, used for guest network.
    - 10.30.0.0/16 subnet is reserved for L3 mode.
    - Client count in each branch is 200.
    - 10.2.2.0/24 is a branch-owned subnet, which needs to override global routing profile.
    - 199.127.104.32 is used as an example IP address of the W-AirWave s
19. authenticate with multiple APs in a cluster.
    As part of the 802.11r implementation, Instant supports the Fast BSS Transition protocol. The Fast BSS Transition mechanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster. This minimizes the time required to resume data connectivity when a BSS transition happens.
    Fast BSS Transition is operational only if the wireless client supports 802.11r standard. If the client does not support 802.11r standard, it falls back to the normal WPA2 authentication method.
    Configuring a W-IAP for 802.11r support
    You can configure 802.11r support for a WLAN SSID by using the Instant UI or CLI.
    In the Instant UI
    1. Navigate to the WLAN wizard (click Network > New or Network > Select the WLAN SSID > edit).
    2. Click the Security tab.
    3. Under Fast Roaming, select the 802.11r checkbox.
    4. Click Next and then click Finish.
    In the CLI
    To enable 802.11r roaming on a WLAN SSID:
    (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# dot11r
    (Instant AP)(config)# end
    (Instant AP)# commit apply
    Example
    (Instant AP)(config)# wlan ssid-profile dot11r-profile
    (Instant AP)(SSID Profile dot11r-profile)# dot11r
    (Instant AP)(config)# end
    (Instant AP)# commit apply
    Radio Resource Management (802.11k)
    The 802
20. The following table displays a list of alerts that are generated in the W-IAP network:
    Table 15: Alerts list
    Type Code | Description | Details
     |  | The W-IAP has encountered an internal error for this client.
    100102 | Unknown SSID in association request | The W-IAP cannot allow this client to associate because the association request received contains an unknown SSID.
    100103 | Mismatched authentication/encryption setting | The W-IAP cannot allow this client to associate because its authenticati
    100104 | Unsupported 802.11 rate |
    100105 | Maximum capacity reached on W-IAP |
    100206 | Invalid MAC Address |
    100307 | Client blocked due to repeated authentication failures |
    100308 | RADIUS server connection failure |
21. commit apply
    Configuring Users for Internal Database of a W-IAP
    The Instant user database consists of a list of guest and employee users. The addition of a user involves specifying login credentials for a user. The login credentials for these users are provided outside the Instant system.
    A guest user can be a visitor who is temporarily using the enterprise network to access the Internet. However, if you do not want to allow access to the internal network and the Intranet, you can segregate the guest traffic from the enterprise traffic by creating a guest WLAN and specifying the required authentication, encryption, and access rules.
    An employee user is the employee who is using the enterprise network for official tasks. You can create Employee WLANs, specify the required authentication, encryption, and access rules, and allow the employees to use the enterprise network.
    The user database is also used when a W-IAP is configured as an internal RADIUS server.
    The local user database of APs can support up to 512 user entries except W-IAP9x. W-IAP9x supports only 256 user entries. If there are already 512 users, W-IAP9x will not be able to join the cluster.
    In the Instant UI
    To configure users:
    1. Click the Security link at the top right corner of Instant main window.
    2. Click Users for Internal Server. The following figure shows the con
22. - EAP-TLS (EAP-Transport Layer Security): EAP-TLS is an IETF open standard that uses the Transport Layer Security (TLS) protocol.
    When the authentication survivability feature is enabled, the following authentication process is used:
    1. The client associates to a W-IAP and authenticates to the external authentication server. The external authentication server can be either CPPM (for EAP-PEAP) or RADIUS server (EAP-TLS).
    2. Upon successful authentication, the associated W-IAP caches the authentication credentials of the connected users for the configured duration. The cache expiry duration for authentication survivability can be set within the range of 1-99 hours, with 24 hours being the default cache timeout duration.
    3. If the client roams or tries to reconnect to the W-IAP and the remote link fails due to the unavailability of the authentication server, the W-IAP uses the cached credentials in the internal authentication server to authenticate the user. However, if the user tries to reconnect after the cache expiry, the authentication fails.
    4. When the authentication server is available and if the client tries to reconnect, the W-IAP detects the availability of server and allows the client to authenticate to the server. Upon successful authentication, the W-IAP cache details are refreshed.
    Configuring Authentication Survivability
    You can
23. essid <ESSID-name>
    (Instant AP)(SSID Profile <name>)# type <Guest>
    (Instant AP)(SSID Profile <name>)# broadcast-filter <type>
    (Instant AP)(SSID Profile <name>)# dtim-period <number-of-beacons>
    (Instant AP)(SSID Profile <name>)# multicast-rate-optimization
    (Instant AP)(SSID Profile <name>)# dynamic-multicast-optimization
    (Instant AP)(SSID Profile <name>)# dmo-channel-utilization-threshold
    (Instant AP)(SSID Profile <name>)# a-max-tx-rate <rate>
    (Instant AP)(SSID Profile <name>)# a-min-tx-rate <rate>
    (Instant AP)(SSID Profile <name>)# g-max-tx-rate <rate>
    (Instant AP)(SSID Profile <name>)# g-min-tx-rate <rate>
    (Instant AP)(SSID Profile <name>)# zone <zone>
    (Instant AP)(SSID Profile <name>)# bandwidth-limit <limit>
    (Instant AP)(SSID Profile <name>)# per-user-bandwidth-limit <limit>
    (Instant AP)(SSID Profile <name>)# air-time-limit <limit>
    (Instant AP)(SSID Profile <name>)# wmm-background-share <percentage-of-traffic-share>
    (Instant AP)(SSID Profile <name>)# wmm-best-effort-share <percentage-of-traffic-share>
    (Instant AP)(SSID Profile <name>)# wmm-video-share <percentage-of-traffic-share>
    (Instant AP)(SSID Profile <name>)# wmm-voice-share <percentage-of-traffic-share>
24. hotspot anqp-venue-name-profile <name>
    (Instant AP)(venue-name <name>)# venue-name <name>
    (Instant AP)(venue-name <name>)# venue-group <group-name>
    (Instant AP)(venue-name <name>)# venue-type <type>
    (Instant AP)(venue-name <name>)# venue-lang-code <language>
    (Instant AP)(venue-name <name>)# enable
    (Instant AP)(venue-name <name>)# end
    (Instant AP)# commit apply
    You can specify any of the following venue groups and the corresponding venue types:
    Table 68: Venue Types
    Venue Group | Associated Venue Type Value
    unspecified | The associated numeric value is 0.
    assembly | unspecified: The associated numeric value is 0.
      arena: The associated numeric value is 1.
      stadium: The associated numeric value is 2.
      passenger-terminal: The associated numeric value is 3.
      amphitheater: The associated numeric value is 4.
      amusement-park: The associated numeric value is 5.
      place-of-worship: The associated numeric value is 6.
      convention-center: The associated numeric value is 7.
      library: The associated numeric value is 8.
      museum: The associated numeric value is 9.
      restaurant: The associated numeric value is 10.
      theater: The associated numeric value is 11.
      bar: The associated numeric value is 12.
      coffee-shop: The associated numeric value is 13.
      zoo-or-aquarium: The associated numeric value is 14.
      emergency-cord-center: The associated numeric value is 15.
    The
25. option9>
(Instant AP)(Access Rule <Name>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan access-rule employee
(Instant AP)(Access Rule "employee")# rule any any match app deny throttle-downstream 256 throttle-up 256
(Instant AP)(Access Rule "employee")# rule any any match appcategory collaboration permit
(Instant AP)(Access Rule "employee")# end
(Instant AP)# commit apply
Configuring Web Policy Enforcement
You can configure Web Policy Enforcement on a W-IAP to block certain categories of websites based on your organization specifications by defining ACL rules, either through the Instant UI or CLI.
In the Instant UI
1. Navigate to Security > Roles.
2. Select any WLAN SSID or wired profile role, and click New in the Access Rules section. The New Rule window appears.
3. Select the rule type as Access Control.
4. To set an access policy based on the web category:
   a. Under Services, select Web category and expand the Web categories drop-down.
Figure 84: New Rule
26. 802.11k
• BSS Transition Management (802.11v)
Opportunistic Key Caching
Instant now supports opportunistic key caching (OKC) based roaming. In the OKC based roaming, the AP stores one pairwise master key (PMK) per client, which is derived from the last 802.1X authentication completed by the client in the network. The cached PMK is used when a client roams to a new AP. This allows faster roaming of clients between the W-IAPs in a cluster, without requiring a complete 802.1X authentication.
OKC roaming (when configured in the 802.1X Authentication profile) is supported on WPA2 clients. If the wireless client (the 802.1X supplicant) does not support this feature, a complete 802.1X authentication is required whenever a client roams to a new AP.
Configuring a W-IAP for OKC Roaming
You can enable OKC roaming for WLAN SSID by using Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard (click Network > New or Network > Select the WLAN SSID > edit).
2. Click the Security tab.
3. Slide to Enterprise security level. On selecting a security level, the authentication options applicable to Enterprise network are displayed.
27. Chapter 8: Wireless Network Profiles
This chapter provides the following information:
• Configuring Wireless Network Profiles
• Configuring Fast Roaming for Wireless Clients
• Editing Status of a WLAN SSID Profile
• Editing a WLAN SSID Profile
• Deleting a WLAN SSID Profile
Configuring Wireless Network Profiles
During start up, a wireless client searches for radio signals or beacon frames that originate from the nearest W-IAP. After locating the W-IAP, the following transactions take place between the client and the W-IAP:
1. Authentication: The W-IAP communicates with a RADIUS server to validate or authenticate the client.
2. Connection: After successful authentication, the client establishes a connection with the W-IAP.
Network Types
Instant wireless networks are categorized as:
• Employee network: An Employee network is a classic Wi-Fi network. This network type is used by the employees in an organization and it supports passphrase-based or 802.1X based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The employee network is selected by default during a network profile configuration.
• Voice network: This Voice network type allows you to configure a network profile for devices that provide only voice services such as handsets or applications that require voice traffic priorit
28. b. Enter the primary server IP address.
c. Enter the remote end backup tunnel IP address. This is an optional field and is required only when backup server is configured.
d. Enter the remote end UDP port number. The default value is 1701.
e. Enter the interval at which the hello packets are sent through the tunnel. The default value is 60 seconds.
f. Select the message digest as MD5 or SHA used for message authentication.
g. Enter a shared key for the message digest. This key should match with the tunnel end point shared key.
h. If required, select the failover mode as Primary or Backup (when the backup server is available).
i. Specify a value for the tunnel MTU value if required. The default value is 1460.
j. Click OK.
4. Configure the session profile:
a. Enter the session name to be used for session creation.
Figure 69: Session Configuration
b. Enter the tunnel profile name where the session will be associated.
c. Configure the tunnel IP address with the corresponding network mask and VLAN ID. This is required to reach an AP from a corporate network. For example, SNMP polling.
29. Figure 11: IDS Window: Intrusion Protection
For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs on page 296.
Wired
The Wired window allows you to configure a wired network profile. See Wired Profiles on page 112 for more information. The following figure shows the Wired window:
Figure 12: Wired Window
Services
The Services window allows you to configure services such as AirGroup, RTLS, and OpenDNS. The Services window consists of the following tabs:
• AirGroup: Allows you to configure the AirGroup and AirGroup services. For more information, see AirGroup Configuration on page 255.
• RTLS: Allows you
30. Otherwise, go to step 2.
Click the System link at the top right corner of the Instant main window. The System window is displayed.
Select the type of key for uplink encryption and authentication from the Key management drop-down list. If the uplink wireless router uses mixed encryption, WPA-2 is recommended for the Wi-Fi uplink.
From the band drop-down list, select the band in which the Virtual Controller currently operates. The following options are available:
Select a passphrase format from the Passphrase format drop-down list. The following options are available:
9. Enter a pre-shared key (PSK) passphrase in the Passphrase text box and click OK.
You can view the Wi-Fi configuration and uplink status in the CLI.
To view the configuration status in the CLI:
(Instant AP)# show wifi-uplink status
configured NO
(Instant AP)# show wifi-uplink config
ESSID
Cipher Suite
Passphrase
Band
(Instant AP)# show wifi-uplink auth log
1116 2000 01 01 00 00 45 625 Global control interface tmp supp gbl
Uplink Preferences and Switching
This topic describes the following procedures:
• Enforcing Uplinks
• Setting an Uplink Priority
• Enabling Uplink Preemption
• Switching Uplinks Based on VPN and Internet Availability
• Viewing Uplink Status and Configuration
Enforcing Uplinks
The following configuration conditions apply t
31. 4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list. When any of these encryption types is selected, Opportunistic Key Caching (OKC) is enabled by default.
5. Click Next and then click Finish.
In the CLI
To disable OKC roaming on a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}
(Instant AP)(SSID Profile <name>)# okc-disable
(Instant AP)(config)# end
(Instant AP)# commit apply
To enable OKC roaming on a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}
(Instant AP)(SSID Profile <name>)# no okc-disable
(Instant AP)(config)# end
(Instant AP)# commit apply
Fast BSS Transition (802.11r Roaming)
802.11r is a roaming standard defined by IEEE. When enabled, 802.11r reduces roaming delay by pre-authenticating clients with multiple target APs before a client roams to an AP. With 802.11r implementation, clients pre
32. The assigned bandwidth will be served and shared among all the users. You can also assign bandwidth per user to provide every user a specific bandwidth within a range of 1 to 65535 Kbps. If there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.
In the earlier releases, bandwidth contract could be assigned per SSID. In the current release, the bandwidth contract can also be assigned for each SSID user. If the bandwidth contract is assigned for an SSID in the Instant 6.2.1.0-3.4.0.0 image and when the W-IAP is upgraded to 6.4.0.2-4.1 release version, the bandwidth configuration per SSID will be treated as a per-user downstream bandwidth contract for that SSID.
In the Instant UI
1. Click the Security link at the top right corner of Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Create a new role or select an existing role.
4. Under Access Rules, click New. The New Rule window is displayed.
5. Select Bandwidth Contract from the Rule Type drop-down list.
6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Peruser checkbox.
7. Click OK.
8. Associate the user role to a WLAN SSID or wired prof
33. When the Virtual Controller goes down, a new Virtual Controller is elected.
Provisioning a W-IAP as a Master W-IAP
You can provision a W-IAP as a master W-IAP by using the Instant UI or CLI.
In the Instant UI
1. In the Access Points tab, click the W-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Select Enabled from Preferred master drop-down. This option is disabled by default.
Figure 31: W-IAP Settings: Provisioning Master W-IAP
4. Click OK.
In the CLI
To provision a W-IAP as a master W-IAP:
(Instant AP)# iap-master
To verify if the W-IAP is provisioned as master IAP:
(Instant AP)# show ap-env
Antenna Type:Internal
Iap_master:1
Adding a W-IAP to the Network
To add a W-IAP to the Instant network, assign an IP address. For more information, see Assigning an IP address to the W-IAP on page 35.
After a W-IAP is connected to the network, if the Auto Join Mode feature is enabled, the W-IAP inherits the configuration from the Virtual Controller and is listed in the Access Points tab. If the Auto Join Mode is disabled per
34. You can also configure source-based routing to allow client traffic on one SSID to reach the Internet through the corporate network, while the other SSID can be used as an alternate uplink. You can create an access rule to perform source NAT by using the Instant UI or CLI.
In the Instant UI
To configure a source NAT access rule:
1. Navigate to the WLAN wizard or Wired settings window:
   • To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
   • To configure access rules for a wired profile, More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab.
3. To configure access rules for the network, slide to Network-based. To configure access rules for user roles, slide to Role-based.
4. To create a new rule for the network, click New. To create an access rule for a user role, select the user role and then click New. The New Rule window is displayed.
5. In the New Rule window:
6. Select Access control from the Rule type drop-down list.
7. Select Source NAT from the Action drop-down list, to allow changes to the source IP address.
8. Select a service from the list of available services.
9. Select the required option from the Destination drop-down list.
10. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and
35. internal domains ap domains domain name Centralized L2 profile ap config ip dhcp 12 dhcp ap DHCP Profile 12 dhcp Centralized L2 ap DHCP Profile 12 dhcp Distributed L3 profile ap config ip dhcp 13 dhcp ap DHCP Profile 13 dhcp Distributed L3 ap DHCP Profil ap DHCP Profil 10 230 255 255 ap DHCP Profil 10 4 1 50 101 2 ap DHCP Profil corpdomain com ap DHCP Profil server type server vlan server type 13 dhcp server vlan 13 dhcp ip range 10 13 dhcp dns server 13 dhcp domain name 13 dhcp client count 200 UI Procedure See Configuring an IPSec Tunnel See Configuring Routing Profiles See Configuring Routing Profiles See Configuring Enterprise Domains See Configuring a Centralized DHCP Scope and Configuring Distributed DHCP Scopes Dell Networking W Series Instant 6 4 0 2 4 1 User Guide IAP VPN Deployment Scenarios 361 Table 73 W AP Configuration for Scenario 2 IPSec Single Datacenter with Multiple controllers for Redundancy Configuration Steps 6 Create authentication servers for user authentication The example in the next column assumes 802 1x SSID Configure wired and wireless SSIDs using the authentication servers and access rules created above and enable authentication survivability 362 IAP VPN Deployment Scenarios CLI Commands UI Procedure NOTE The
36. op-lang-code eng
(Instant AP)(operator-friendly-name "on1")# op-fr-name OperatorFriendlyName
(Instant AP)(operator-friendly-name "on1")# exit
Step 2: Creating a hotspot profile
(Instant AP)# configure terminal
(Instant AP)(config)# hotspot hs-profile hs1
(Instant AP)(Hotspot2.0 "hs1")# enable
(Instant AP)(Hotspot2.0 "hs1")# comeback-mode
(Instant AP)(Hotspot2.0 "hs1")# gas-comeback-delay 10
(Instant AP)(Hotspot2.0 "hs1")# no asra
(Instant AP)(Hotspot2.0 "hs1")# no internet
(Instant AP)(Hotspot2.0 "hs1")# query-response-length-limit 20
(Instant AP)(Hotspot2.0 "hs1")# access-network-type chargeable-public
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-len-1 3
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-oi-1 123456
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-len-2 3
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-oi-2 223355
(Instant AP)(Hotspot2.0 "hs1")# addtl-roam-cons-ois 0
(Instant AP)(Hotspot2.0 "hs1")# venue-group business
(Instant AP)(Hotspot2.0 "hs1")# venue-type research-and-dev-facility
(Instant AP)(Hotspot2.0 "hs1")# pame-bi
(Instant AP)(Hotspot2.0 "hs1")# group-frame-block
(Instant AP)(Hotspot2.0 "hs1")# p2p-dev-mgmt
(Instant AP)(Hotspot2.0 "hs1")# p2p-cross-connect
(Instant AP)(Hotspot2.0 "hs1")# end
(Instant AP)# commit apply
Step 3: Associating advertisement profiles with the hotspot profile
(Instant AP)# configure terminal
(Instant AP)(config)# hotsp
37. or Edit Wired Network window is displayed.
NOTE: You can also customize splash page design in the Security tab of New WLAN and New Wired Network windows when configuring a new profile.
2. Navigate to the Security tab.
3. Select None from the Splash page type drop-down list.
4. Click Next and then click Finish to apply the changes.
Chapter 11: Authentication and User Management
This chapter provides the following information:
• Managing W-IAP Users
• Understanding Authentication Methods
• Supported Authentication Servers
• Understanding Encryption Types
• Support for Authentication Survivability
• Configuring Authentication Servers
• Configuring 802.1X Authentication for a Network Profile
• Configuring MAC Authentication for a Network Profile
• Configuring MAC Authentication with 802.1X Authentication
• Configuring MAC Authentication with Captive Portal Authentication
• Configuring WISPr Authentication
• Blacklisting Clients
• Uploading Certificates
Managing W-IAP Users
The W-IAP users can be classified as follows:
• Administrator: An admin user who creates SSIDs w
38. uplink to open, PSK-CCMP, and PSK-TKIP SSIDs.
When the Wi-Fi uplink is in use, the client IP is assigned by the internal DHCP server.
P show cellul lar config
For single radio W-IAPs, the radio serves wireless clients and the Wi-Fi uplink.
Configuring a Wi-Fi Uplink Profile
The following configuration conditions apply to the Wi-Fi uplink:
• To bind or unbind the Wi-Fi uplink on the 5 GHz band, reboot the W-IAP.
• If the Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.
• For W-IAPs to connect to an ArubaOS based WLAN using Wi-Fi uplink, the controller must run ArubaOS 6.2.1.0 or later.
To provision a W-IAP with the Wi-Fi Uplink, complete the following steps:
• 2.4 GHz (default)
• 5 GHz
Click the Show advanced options link. The advanced options are displayed.
Click the Uplink tab.
Under Wi-Fi, enter the name of the wireless network that is used for the Wi-Fi uplink in the Name (SSID) text box.
• 8-63 alphanumeric characters
• 64 hexadecimal characters
Ensure that the hexadecimal password string is exactly 64 digits in length.
For dual radio W-IAPs, both radios can be used to serve clients, but only one of them can be used for the Wi-Fi uplink.
If you are configuring a Wi-Fi uplink after restoring factory settings on a W-IAP, connect the W-IAP to an Ethernet cable to allow the W-IAP to get the IP address
39. you can use the image check feature to allow the W-IAP to find new software image versions available on a cloud-based image server hosted and maintained by Dell. The location of the image server is fixed and cannot be changed by the user. The image server is loaded with latest versions of Instant software.
Upgrading a W-IAP and Image Server
Instant supports mixed AP-class Instant deployment with all APs as part of the same Virtual Controller cluster.
Image Management Using W-AirWave
If the multi-class W-IAP network is managed by W-AirWave, image upgrades can only be done through the W-AirWave UI. The W-IAP images for different classes must be uploaded on the AMP server. When new W-IAPs joining the network need to synchronize their software with the version running on the Virtual Controller, and if the new W-IAP belongs to a different class, the image file for the new W-IAP is provided by W-AirWave. If W-AirWave does not have the appropriate image file, the new AP will not be able to join the network.
The Virtual Controller communicates with the W-AirWave server if W-AirWave is configured. If W-AirWave is not configured on the W-IAP, the image is requested from the Image server.
Image Management Using Cloud Server
If the multi-class W-IAP network is not managed by W-AirWave, image upgrades can be done through the cloud-based image check feature. When a new W-IAP joining the network needs to synchronize its software version with the version on
40. 8. Select 043 Vendor Specific Info and enter a value for either of the following in ASCII field:
• airwave-orgn, airwave-ip, airwave-key; for example: Dell,192.0.2.20,12344567
• airwave-orgn, airwave-domain; for example: Dell,dell.support.com
Figure 103: Instant and DHCP options for W-AirWave: 043 Vendor Specific Info
41. Loading Certificates through Instant UI
Loading Certificates through Instant CLI
Loading Certificates through W-AirWave
Firewall Policies
Access Control List Rules
Configuring Access Rules for Network Services
Configuring Network Address Translation Rules
Configuring ALG Protocols
Configuring Firewall Settings for Protection from ARP Attacks
Managing Inbound Traffic
Configuring Management Subnets
Confi
42. Example
Using Advanced Expressions in Role and VLAN Derivation Rules
Configuring a User Role for VLAN Derivation
Creating a User VLAN Role
Assigning User VLAN Roles to a Network Profile
Configuring DHCP Scopes
Configuring Distributed DHCP Scopes
Configuring a Centralized DHCP Scope
Configuring Local and Local L3 DHCP Scopes
43. 256 appcategory collaboration permit webcategory gambling deny webcategory training and tools webreputation well known sites webreputation safe sites permit webreputation benign sites permit webreputation suspicious sites webreputation high risk sites
The following conditions apply to the 802.1X and captive portal authentication configuration:
• If a user role does not have Captive Portal settings configured, the captive portal settings configured for an SSID are applied to the client's profile.
• If the SSID does not have Captive Portal settings configured, the captive portal settings configured for a user role are applied to the client's profile.
• If captive portal settings are configured for both SSID and user role, the captive portal settings configured for a user role are applied to the client's profile.
You can create a captive portal role for both Internal-acknowledged and External Authentication Text splash page types.
To enforce the Captive Portal role, use the Instant UI or CLI.
In the Instant UI
To create a captive portal role:
1. Select an SSID profile from the Networks tab. The Edit <WLAN-Profile> window is displayed.
2. In the Access tab, slide to Role-based access control by using the scroll bar.
3. Select a role or create a new one if required.
4. Click New to add a new rule. The New Rule window is dis
44. The following IP addresses are used in the examples for this scenario:
• 10.0.0.0/8 is the corporate network
• 10.20.0.0/16 subnet is reserved for L2 mode
AP Configuration
This section provides information on configuration steps performed through the CLI or the UI.
Table 75: W-IAP Configuration for Scenario (columns: Configuration Steps, CLI Commands, UI Procedure)
Configuration step: Configure Aruba GRE or manual GRE.
• Aruba GRE uses an IPSec tunnel to facilitate controller configuration and requires VPN to be configured. This VPN tunnel is not used for any client traffic.
• Manual GRE uses standard GRE tunnel configuration and requires controller
CLI commands:
Aruba GRE configuration
(ap)(config)# vpn primary <controller-IP>
(ap)(config)# vpn gre-outside
Manual GRE configuration
(ap)(config)# gre primary <controller-IP>
(ap)(config)# gre type 80
Per-AP GRE tunnel configuration
Optionally, per-AP GRE tunnel can also be enabled, which causes each W-IAP to form an independent GRE tunnel to the GRE end-point. This requires each W-IAP MAC to be present in the controller whitelist if Aruba GRE is use
UI procedure: See Enabling Automatic Configuration of GRE Tunnel and Manually Configuring a GRE Tunnel.
45. Figure 132: Local Users UI Screen
7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in.
8. After logging in, click Create Device.
Figure 133: Create a Device
The following page is displayed:
Figure 134: Register Shared Device
46. 4
eap-inner-auth
• Uses EAP inner authentication type.
• The associated numeric value is 3.
The following authentication values apply:
• reserved: The associated numeric value is 0.
• pap: The associated numeric value is 1.
• chap: The associated numeric value is 2.
• mschap: The associated numeric value is 3.
• mschapv2: The associated numeric value is 4.
exp-inner-eap
• Uses the expanded inner EAP authentication method.
• The associated numeric value is 4.
Use the exp-inner-eap authentication value.
credential
• Uses credential authentication.
• The associated numeric value is 5.
The following authentication values apply:
• sim: The associated numeric value is 1.
• usim: The associated numeric value is 2.
• nfc-secure: The associated numeric value is 3.
• hw-token: The associated numeric value is 4.
• softoken: The associated numeric value is 5.
• certificate: The associated numeric value is 6.
• uname-passward: The associated numeric value is 7.
• none: The associated numeric value is 8.
• reserved: The associated numeric value is 9.
• vendor-specific: The associated numeric value is 10.
Configuring a Venue Name Profile
You configure a venue name profile to send venue information as an ANQP IE in a GAS query response. To configure a venue name profile, enter the following commands at the command prompt:
(Instant AP)(config)#
47. 4
bus-stop: The associated numeric value is 5.
kiosk: The associated numeric value is 6.
The associated numeric value is 11.
Configuring a Network Authentication Profile
You can configure a network authentication profile to define the authentication type used by the hotspot network. To configure a network authentication profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-nwk-auth-profile <name>
(Instant AP)(network-auth <name>)# nwk-auth-type <type>
(Instant AP)(network-auth <name>)# url <URL>
(Instant AP)(network-auth <name>)# enable
(Instant AP)(network-auth <name>)# end
(Instant AP)# commit apply
You can specify any of the following network authentication types for the nwk-auth-type <type> command:
• accept-term-and-cond: When configured, the network requires the user to accept terms and conditions. This option requires you to specify a redirection URL string as an IP address, FQDN or URL.
• online-enrollment: When configured, the network supports the online enrollment.
• http-redirect: When configured, additional information on the network is provided through HTTP/HTTPS redirection.
• dns-redirect: When configured, additional information on the network is provided through DNS redirection. This option requires you to specify a redirection U
48. Access Rules, click New. The New Rule window is displayed.
Select CALEA.
Click OK.
Create a role assignment rule if required.
Click Finish.
In the CLI
To create a CALEA access rule:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# calea
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To assign the CALEA rule to a user role:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <role> | value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)(SSID Profile <name>)# commit apply
To associate the access rule with a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(Wired ap profile <name>)# access-rule-name <name>
(Instant AP)(Wired ap profile <name>)# end
(Instant AP)# commit apply
Verifying the configuration
To verify the CALEA configuration:
(Instant AP)# show calea config
To view the tunnel encapsulation statistics:
(Instant AP)# show calea statistics
Example
To enable CALEA integration:
(Instant AP)(config)# calea
(Instant AP)(calea)# ip 192.0.2.7
(Instant AP)(calea)# ip mtu 1500
(Instant AP)(calea)# encapsulation-type GRE
(Instant AP)(calea)# gre-type 255
Instan
49. Administrator Credentials
You can assign the read-only privilege to an admin user by using the Instant UI or CLI.
In the Instant UI
1. Click the System link at top right corner of the Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed.
3. Under View Only:
a. Specify a Username and Password.
b. Retype the password to confirm.
4. Click OK. When the users log in with these credentials, the Instant UI is displayed in the read-only mode.
In the CLI
To configure a user with read-only privilege:
(Instant AP)(config)# mgmt-user <username> [password] read-only
(Instant AP)(config)# end
(Instant AP)# commit apply
Adding Guest Users through the Guest Management Interface
To add guest users through the Guest Management interface:
1. Log in to the Instant UI with the guest management interface administrator credentials. The guest management interface is displayed.
Figure 45 Guest Management Interface
2. To add a user, click New. The New Guest User pop-up window is displayed.
3. Specify a Username and Password.
4. Retype the password to confirm.
5. Click OK.
Understanding Authentication Methods
Authentication is a process of identifying a user through a valid u
50. CALEA specifications. Instant supports CALEA integration in a hierarchical and flat topology, mesh W-IAP network, the wired and wireless networks.
Enable this feature only if lawful interception is authorized by a law enforcement agency.
CALEA Server Integration
To support CALEA integration and ensure LI compliance, you can configure the W-IAPs to replicate a specific or selected client traffic and send it to a remote CALEA server.
Traffic Flow from IAP to CALEA Server
You can configure a W-IAP to send GRE-encapsulated packets to the CALEA server and replicate client traffic within the GRE tunnel. Each W-IAP sends GRE-encapsulated packets only for its associated or connected clients. The following figure illustrates the traffic flow from the W-IAP to the CALEA server.
Figure 94 AP to CALEA Server
Traffic Flow from IAP to CALEA Server through VPN
You can also deploy the CALEA server with the controller and configure an additional IPSec
51. Code for the WISPr Location ID in the E.164 Country Code text box. Enter the SSID Zone section for the WISPr Location ID in the SSID Zone text box. Enter the name of the Hotspot location in the Location Name text box. If no name is defined, the name of the W-IAP to which the user is associated is used.
10. Click OK to apply the changes.
The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (iso.org and itu.int).
A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.
In the CLI
(Instant AP)(config)# wlan wispr-profile
(Instant AP)(WISPr)# wispr-location-id-ac
(Instant AP)(WISPr)# wispr-location-id-cc
(Instant AP)(WISPr)# wispr-location-id-isocc
(Instant AP)(WISPr)# wispr-location-id-network
(Instant AP)(WISPr)# wispr-location-name-location
(Instant AP)(WISPr)# wispr-location-name-operator-name
(Instant AP)(WISPr)# end
(Instant AP)# commit apply
Blacklisting Clients
The client blackli
52. Configuring Authentication Parameters for Management Users
Internal RADIUS Server
Each W-IAP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS server option for the network, the client on the W-IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens and replies to the RADIUS packet. Instant itself serves as a RADIUS server for 802.1X authentication. However, the internal RADIUS server can also be configured as a backup RADIUS server for an external RADIUS server.
External RADIUS Server
In the external RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. Instant RADIUS is implemented on the Virtual Controller, and this eliminates the need to configure multiple NAS clients for every W-IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and the clients are allowed or denied access to the network depending on the response from the RADIUS server.
When you enable an external RADIUS server for the network, the client on the W-IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS pa
53. Containment Methods: Prevents unauthorized stations from connecting to your Instant network.
Each of these options contains several default levels that enable different sets of policies. An administrator can customize, enable, or disable these options accordingly.
The detection levels can be configured using the IDS window. To view the IDS window, click the More > IDS link at the top right corner of the Instant main window. The following levels of detection can be configured in the WIP Detection page:
• Off
• Low
• Medium
• High
Figure 111 Wireless Intrusion Detection
The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field.
Table 55 Infrastructure Detection Policies
Detection Level | Detection Policy
• Detect AP Spoofing
• Detect Windows Bridge
• IDS Signature: Deauthentication Broadcast
• IDS Signature: Deasso
54. Enter the duration of the DHCP lease in the Lease time text box.
5. Select Minutes, Hours, or Days for the lease time from the drop-down list next to Lease time. The default lease time is 0.
6. Enter the network range for the client IP addresses in the Network field. The system generates a network range automatically that is sufficient for 254 addresses. If you want to provide simultaneous access to a larger number of clients, specify a larger range.
7. Specify the subnet mask details for the network range in the Mask text box.
The DNS cache function is only enabled when content filtering is disabled.
8. Click OK to apply the changes.
In the CLI
To configure a DHCP pool:
(Instant AP)(config)# ip dhcp pool
(Instant AP)(DHCP)# domain-name <domain>
(Instant AP)(DHCP)# dns-server <DNS IP address>
(Instant AP)(DHCP)# lease-time <lease time>
(Instant AP)(DHCP)# subnet <IP address>
(Instant AP)(DHCP)# subnet-mask <subnet mask>
To view the DHCP database:
(Instant AP)# show ip dhcp database
DHCP Subnet :192.0.2.0
DHCP Netmask :255.255.255.0
DHCP Lease Time(m) :20
DHCP Domain Name :example.com
DHCP DNS Server :192.0.2.1
Chapter 14 VPN Configuration
This chapter describes the following VPN configuration procedures:
• Understanding VPN
55. Disabled or Enabled from the Console access drop-down list. By default, the console access is enabled. When disabled, the W-IAP console cannot be accessed through the serial port.
3. Click OK.
In the CLI
To enable console access:
(Instant AP)(config)# console
(Instant AP)(console)# enable
(Instant AP)(console)# end
(Instant AP)# commit apply
To disable console access:
(Instant AP)(config)# console
(Instant AP)(console)# disable
(Instant AP)(console)# end
(Instant AP)# commit apply
To view the console settings:
(Instant AP)# show console-settings
Configuring LED Display
NOTE: The LED display is always in the Enabled mode during a W-IAP reboot.
You can enable or disable LED Display for a W-IAP using the Instant UI or CLI.
In the Instant UI
To enable or disable LED display for all W-IAPs in a cluster, perform the following steps:
1. Navigate to System > General > Show advanced options.
2. From the LED Display drop-down list, select Enabled to enable LED display or Disabled to turn off the LED display.
3. Click OK.
In the CLI
To enable LED display:
(Instant AP)(config)# led-off
(Instant AP)(config)# end
(Instant AP)# commit apply
To disable LED display:
(Instant AP)(config)# no led-off
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Additional WLAN S
56. Features on page 210
• Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Controller on page 210
• Configuring Routing Profiles on page 221
Understanding VPN Features
As W-IAPs use a Virtual Controller architecture, the W-IAP network does not require a physical controller to provide the configured WLAN services. However, a physical controller is required for terminating Virtual Private Network (VPN) tunnels from the W-IAP networks at branch locations to datacenters, where the Dell controller acts as a VPN concentrator.
When the VPN is configured, the W-IAP acting as the Virtual Controller creates a VPN tunnel to a Dell Networking W-Series mobility controller in your corporate office. The controller acts as a VPN endpoint and does not supply the W-IAP with any configuration.
The VPN features are recommended for:
• Enterprises with many branches that do not have a dedicated VPN connection to the corporate office.
• Branch offices that require multiple APs.
• Individuals working from home, connecting to the VPN.
The survivability feature of W-IAPs with the VPN connectivity of W-IAPs allows you to provide corporate connectivity on non-corporate networks.
Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Controller
W-IAP supports the configuration of tunneling protocols such as Generic Routing Encapsulation (GRE), IPsec, and L2TPv3. This section describes the procedure for configuring VPN host setting
57. For more information, see Configuring User Roles.
Create access rules for a specific user role. For more information, see Configuring Access Rules for Network Services on page 177. You can also configure an access rule to enforce captive portal authentication for an SSID with the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID on page 135.
Create a role assignment rule. For more information, see Configuring Derivation Rules on page 192. Instant supports role derivation based on the DHCP option for Captive Portal authentication. When the Captive Portal authentication is successful, a new user role is assigned to the guest users based on the DHCP option configured for the SSID profile, instead of the pre-authenticated role.
2. Click Finish.
In the CLI
To configure access control rules for a WLAN SSID:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# rule <dest> <mask> <match> {<protocol> <start port> <end port> {permit|deny|src-nat|dst-nat {<IP address> <port>|<port>}}|app <app> {permit|deny}|appcategory <appgrp>|webcategory <webgrp> {permit|deny}|webreputation <webrep>} [<option1...option9>]
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To configure access control based on the SSID:
(Instant AP)(con
58. GHz band and that the 5 GHz channels operate in 40 MHz while the 2.5 GHz band operates in 20 MHz.
Disabled: Select this option if you want to allow the clients to select the band to use.
2. Click OK.
In the CLI
To configure band steering:
(Instant AP)(config)# arm
(Instant AP)(ARM)# band-steering-mode {<Prefer 5 GHz>|<Force 5 GHz>|<Balance Bands>|<Disabled>}
(Instant AP)(ARM)# end
(Instant AP)# commit apply
Airtime Fairness Mode
The airtime fairness feature provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system, thus delivering uniform performance to all clients. This feature prevents the clients from monopolizing resources.
You can configure airtime fairness mode parameters through the Instant UI or CLI.
In the Instant UI
1. For Airtime fairness mode configuration, specify any of the following values in the RF > ARM > Show advanced options tab:
Table 45 Airtime Fairness Mode Configuration Parameters
Parameter | Description
Default Access: Select this option to provide access based on client requests. When Air Time Fairness is set to default access, per-user and per-SSID bandwidth limits are not enforced.
Select this option to allocate Airtime evenly across all the clients.
Preferred Access: Select this option to set a preferenc
59. Include unassociated stations check box to send reports on the stations that are not associated to any W-IAP to the Aeroscout RTLS server.
4. Click OK.
In the CLI
To configure W-AirWave RTLS:
(Instant AP)(config)# airwave-rtls <IP address> <port> <passphrase> <seconds> include-unassoc-sta
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure Aeroscout RTLS:
(Instant AP)(config)# aeroscout-rtls <IP address> <port> include-unassoc-sta
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring a W-IAP for Analytics and Location Engine Support
The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it, and share it through a standard API. The client information gathered by ALE can be used for analyzing a client's internet behavior for business, such as shopping preferences.
ALE includes a location engine that calculates the associated and unassociated device location every 30 seconds by default. For every device on the network, ALE provides the following information through the Northbound API:
• Client user name
• IP address
• MAC address
• Device type
• Application firewall data, showing the destinations and applications used by associated devices
• Current location
• Historical location
ALE requires the AP placement data to be able to calculate locatio
60.
• Huntgroup-Name
• Idle-Timeout
• Location-Capable
• Location-Data
• Location-Information
• Login-IP-Host
• Login-IPv6-Host
• Login-LAT-Node
• Login-LAT-Port
• Login-LAT-Service
• Login-Service
• Login-TCP-Port
• Menu
• Message-Auth
• NAS-IPv6-Address
• NAS-Port-Type
• Operator-Name
• Password
• Password-Retry
• Port-Limit
• Prefix
• Prompt
• Rad-Authenticator
• Rad-Code
• Rad-Id
• Rad-Length
• Reply-Message
• Requested-Location-Info
• Revoke-Text
• Server-Group
• Server-Name
• Service-Type
• Session-Timeout
• Simultaneous-Use
• State
• Strip-User-Name
• Suffix
• Termination-Action
• Termination-Menu
• Tunnel-Assignment-Id
• Tunnel-Client-Auth-Id
• Tunnel-Client-Endpoint
• Tunnel-Connection-Id
• Tunnel-Medium-Type
• Tunnel-Preference
• Tunnel-Private-Group-Id
• Tunnel-Server-Auth-Id
• Tunnel-Server-Endpoint
• Tunnel-Type
• User-Category
• User-Name
• User-Vlan
• Vendor-Specific
Dynamic Load Balancing between Two Authentication Servers
You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and e
61. Chapter 21 Uplink Configuration
This chapter provides the following information:
• Uplink Interfaces on page 285
• Ethernet Uplink on page 285
• Cellular Uplink on page 287
• Wi-Fi Uplink on page 291
• Uplink Preferences and Switching on page 292
Uplink Interfaces
Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate Instant network. The 3G/4G USB modems and the Wi-Fi uplink can be used to extend the connectivity to places where an Ethernet uplink cannot be configured. It also provides a reliable backup link for the Ethernet-based Instant network.
The following figure illustrates a scenario in which the W-IAPs join the Virtual Controller as slave W-IAPs through a wired or mesh Wi-Fi uplink:
Figure 108 Uplink Types
The following types of uplinks are supported on Instant:
• Ethernet Uplink
• Cellular Uplink
• Wi-Fi Uplink
Ethernet Uplink
The Ethernet 0 port on a W-IAP is enabled as an uplink port by default. You can view the type of uplink and the status of the uplink in the Instant in the Info tab on selecting a client.
62.
5. Navigate to Server Manager and select Server Options in the IPv4 window. This sets the value globally. Use options on a per-scope basis to override the global options.
6. Right-click Server Options and select the configuration options.
Figure 101 Instant and DHCP options for W-AirWave: Server Options
63. The Internet status is available only if the Internet failover feature (System > Show advanced option > uplink > Internet failover) is enabled. The cellular provider and cellular strength information is only available when a 3G or 4G modem is in use.
Language
The Language drop-down lists the languages and allows users to select their preferred language before logging in to the Instant UI. A default language is selected based on the language preferences in the client desktop operating system or browser. If Instant cannot detect the language, then English is used as the default language.
You can also select the required language option from the Languages drop-down located at the bottom left corner of the Instant main window.
Main Window
On logging into Instant, the Instant UI Main Window is displayed. The following figure shows the Instant main window:
Figure 4 Instant Main Window
The main window consists of the following elements:
• Banner
• Search
• Tabs
• Links
• Views
Banner
The banner is a horizontal rect
64. RF Summary: Displays the status and statistics for all channels monitored by the W-IAP.
AP ARM Scan Times: Displays channel scanning information for the W-IAP.
AP ARP Table: Displays the ARP table of the W-IAP.
AP Association Table: Displays information about the W-IAP association.
AP Auth-Survivability cache: Displays the list of 802.1X cached user's information.
AP Authentication Frames: Displays the authentication trace buffer information of the W-IAP.
AP BSSID Table: Displays the Basic Service Set (BSS) table of the W-IAP.
AP Captive Portal Domains: Displays captive portal domains configured on the W-IAP.
AP Captive Portal Auto White List: Displays details about the automatic whitelist configured for a captive portal profile.
AP Checksum: Displays checksum details for a W-IAP.
AP Client Match Action: Displays details of the client match action.
AP Client Match Live: Displays the live details of the client match configuration on a W-IAP.
AP Client Match History: Displays the historical details of the client match configuration on a W-IAP.
AP Client Match Status: Displays information about the client match configuration status.
AP Client Match Triggers: Displays information about the client match triggers.
AP Client Table: Displays the client details.
AP Client View: Displays client details of a W-IAP.
AP Country Codes: Display
65. SSID profile. The DTIM interval determines how often the W-IAP should deliver the buffered broadcast and multicast frames to associated clients in the powersave mode. The default value is 1, which means the client checks for buffered data on the W-IAP at every beacon. You can also configure a higher DTIM value for power saving.
Multicast transmission optimization: Select Enabled if you want the W-IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent at up to 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and 5.0 GHz is 6 Mbps. This option is disabled by default.
Parameters: Dynamic multicast optimization; DMO channel utilization threshold; Transmit Rates; Bandwidth Limits; Wi-Fi Multimedia (WMM) traffic management; Content filtering
Dynamic multicast optimization: Select Enabled to allow the W-IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
DMO channel utilization threshold: Specify a value to set a threshold for DMO channel utilization. With DMO, the W-IAP converts mul
66.
Preemptive: In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary tunnel resumes as an active tunnel. If you configure the tunnel to be preemptive and when the primary tunnel goes down, it starts the persistence timer, which tries to bring up the primary tunnel.
Non-Preemptive: In this mode, when the backup tunnel is established after the primary tunnel goes down, it does not make the primary tunnel active again.
• L2TPv3 configuration is supported on the following W-IAPs:
  W-IAP108
  W-IAP109
  W-IAP135
You can configure an L2TPv3 tunnel and session profiles through the Instant UI or CLI.
In the Instant UI
1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed.
Figure 67 L2TPv3 Tunneling
2. Select L2TPv3 from the Protocol drop-down list.
3. Configure the tunnel profile:
a. Enter the tunnel name to be used for tunnel creation.
Figure 68 Tunnel Configuration
67. Table 72 W-IAP Configuration for Scenario 1 IPSec Single Datacenter Deployment with No Redundancy
Configuration Steps | CLI Commands | UI Procedure

Configuration step: Configure the primary host for VPN with the Public VRRP IP address of the controller.
CLI commands:
(ap)(config)# vpn primary <public VRRP IP of controller>
UI procedure: See Configuring an IPSec Tunnel.

Configuration step: Configure a routing profile to tunnel all 10.0.0.0/8 subnet traffic to controller.
CLI commands:
(ap)(config)# routing-profile
(ap)(routing-profile)# route 10.0.0.0 255.0.0.0 <public VRRP IP of controller>
UI procedure: See Configuring Routing Profiles.

Configuration step: Configure Enterprise DNS for split DNS. The example in the next column uses a specific enterprise domain to only tunnel all DNS queries matching that domain to corporate.
CLI commands:
(ap)(config)# internal-domains
(ap)(domains)# domain-name corpdomain.com
UI procedure: See Configuring Enterprise Domains.

Configuration step: Configure centralized L2 and distributed L3 with VLAN 20 and 30 respectively.
CLI commands:
Centralized L2 profile
(ap)(config)# ip dhcp l2-dhcp
(ap)(DHCP Profile "l2-dhcp")# server-type Centralized,L2
(ap)(DHCP Profile "l2-dhcp")# server-vlan
Distributed L3 profile
(ap)(config)# ip dhcp l3-dhcp
(ap)(DHCP Profile "l3-dhcp")# server-type Distributed,L3
(ap)(DHCP Profile "l3-dhcp")# server-vlan
(ap)(DHCP Profile "l3-dhcp")# ip-range 10 1030423094209
(ap)(DHCP Profile "l3-dhcp")# dns
UI procedure: See Configuring a Centralized DHCP Scope and Configuring Distributed DHCP Scopes.
68. Server <profile name>)# deadtime <minutes>
(Instant AP)(TACACS Server <profile name>)# end
Configuring Administrator Credentials for the Virtual Controller Interface
You can configure authentication parameters for admin users to enable access to the Virtual Controller management user interface in the Instant UI or CLI.
In the Instant UI
1. Click the System link at top right corner of the Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed. The following figure shows the contents of the Admin tab:
Figure 43 Admin Tab: Management Authentication Parameters
3. Under Local, select any of the following options from the Authentication drop-down list:
• Internal: Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interfa
69. Settings for an SSID Profile on page 93
In the Instant UI
1. In the Access Points tab, click the W-IAP for which you want to set the zone. The edit link is displayed.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Specify the AP zone in Zone.
4. Click OK.
In the CLI
To change the name:
(Instant AP)# zone <name>
Specifying a Method for Obtaining IP Address
You can either specify a static IP address or allow the W-IAP to obtain an IP address from the DHCP server. By default, the W-IAPs obtain an IP address from the DHCP server. You can specify a static IP address for the W-IAP by using the Instant UI or CLI.
In the Instant UI
1. In the Access Points tab, click the W-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying the W-IAP details is displayed.
Figure 30 Configuring W-IAP Settings
3. Select the Specify statically option to specify a static IP address. The following fields are displayed:
a. Enter the new IP address for the W-IAP in the IP add
70. Signal column.
Displays the data transfer speed of the client. Depending on the data transfer speed of the client, the color of the Signal bar changes from Green > Orange > Red.
• Green: Data transfer speed is more than 50 percent of the maximum speed supported by the client.
• Orange: Data transfer speed is between 25-50 percent of the maximum speed supported by the client.
• Red: Data transfer speed is less than 25 percent of the maximum speed supported by the client.
To view the data transfer speed graph of a client, click on the speed icon against the client in the Speed column.
Utilization: Displays the radio utilization rate of the W-IAPs. Depending on the percentage of utilization, the color of the lines on the Utilization icon changes from Green > Orange > Red.
• Green: Utilization is less than 50 percent.
• Orange: Utilization is between 50-75 percent.
• Red: Utilization is more than 75 percent.
To view the utilization graph of a W-IAP, click the Utilization icon next to the W-IAP in the Utilization column.
Displays the noise floor details for the W-IAPs. Noise is measured in decibels/meter. Depending on the noise floor, the color of the lines on the Noise icon changes from Green > Orange > Red.
• Green: Noise floor is more than 87 dBm.
• Orange: Noise floor is between 80 dBm-87 dBm.
• Red: Noise floor is less than 80 dBm.
To view the noise floor graph of a W-IAP, click the noise icon next to the W-IAP in the Nois
71. Specify the gateway to which traffic must be routed. This IP address must be the controller IP address on which the VPN connection is terminated. If you have a primary and backup host, configure two routes with the same destination and netmask, but ensure that the gateway is the primary controller IP for one route and the backup controller IP for the second route.
4. Repeat step 3 to create the required number of routing profiles.
5. Click OK.
6. Click Finish.
In the CLI
(Instant AP)(config)# routing-profile
(Instant AP)(Routing-profile)# route <destination> <mask> <gateway>
(Instant AP)(Routing-profile)# end
(Instant AP)# commit apply
Chapter 15 IAP-VPN Deployment
This section provides the following information:
• Understanding IAP-VPN Architecture on page 223
• Configuring W-IAP and Controller for IAP-VPN Operations on page 225
Understanding IAP-VPN Architecture
The IAP-VPN architecture includes the following two components:
• W-IAPs at branch sites
• Controller at the datacenter
The master W-IAP at the branch acts as the VPN endpoint, and the controller at the datacenter acts as the VPN concentrator. When a W-IAP is set up for VPN, it forms an IPsec tunnel to the controller to secure sensitive corporate data. IPsec authentication and authorization between the controller and the W-IAPs is based on the RAP whitelist
72. Wireless Network Connection window is displayed.
b. Click on the instant network and then click Connect.
4. If the Mac OS system is used:
a. Click the AirPort icon. A list of available Wi-Fi networks is displayed.
b. Click on the instant network.
The instant SSIDs are broadcast in 2.4 GHz only.
W-IAP Cluster
W-IAPs in the same VLAN automatically find each other and form a single functioning network managed by a Virtual Controller.
Moving a W-IAP from one cluster to another requires a factory reset of the W-IAP.
Disabling the Provisioning Wi-Fi Network
The provisioning network is enabled by default. Instant provides the option to disable the provisioning network through the console port. Use this option only when you do not want the default SSID instant to be broadcast in your network.
To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the W-IAP.
2. Configure the terminal or terminal emulation program to use the following communication settings:
Table 6 Terminal Communication Settings
Baud Rate | Data Bits | Parity | Stop Bits | Flow Control
3. Power on the W-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
4. Click Enter before the timer expires. The W-IAP goes into the apboot mode through c
73. a Hotspot Profile
    Associating an Advertisement Profile to a Hotspot Profile
    Creating a WLAN SSID and Associating Hotspot Profile
    Sample Configuration
    ClearPass Guest Setup
    Troubleshooting
    IAP-VPN Deployment Scenarios
    Scenario 1: IPSec Single Datacenter Deployment with No Redundancy
       Topology
       AP Configuration
       AP Connected Switch Configuration
       Datacenter Configuration
    Scenario 2: IPSec Single Datacenter with Multiple Controllers for Redundancy
       Topology
       AP Configuration
       AP Connected Switch Configuration
       Datacenter Configuration
74. a client threshold sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests if required. You can specify a Received signal strength indication (RSSI) value within range of 0 to 100 dB.
    5. Click Next to configure VLAN settings. For more information, see Configuring VLAN Settings for a WLAN SSID Profile on page 97.

    In the CLI
    To configure WLAN settings for an SSID profile:
    (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# essid <ESSID-name>
    (Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
    (Instant AP)(SSID Profile <name>)# broadcast-filter <type>
    (Instant AP)(SSID Profile <name>)# dtim-period <number-of-beacons>
    (Instant AP)(SSID Profile <name>)# multicast-rate-optimization
    (Instant AP)(SSID Profile <name>)# dynamic-multicast-optimization
    (Instant AP)(SSID Profile <name>)# dmo-channel-utilization-threshold
    (Instant AP)(SSID Profile <name>)# a-max-tx-rate <rate>
    (Instant AP)(SSID Profile <name>)# a-min-tx-rate <rate>
    (Instant AP)(SSID Profile <name>)# g-max-tx-rate <rate>
    (Instant AP)(SSID Profile <name>)# g-min-tx-rate <rate>
75. a control point joins a network, it may multicast a search discovery message searching for interesting devices and services. The devices listening on the multicast address respond if they match the search criteria in the search message. In a single AP network, the W-IAP maintains a cache table containing the list of discovered services in the network. The W-IAP also enforces native policies, such as disallowing roles and VLANs, and the policies defined on CPPM to determine the devices or services that are allowed and can be discovered in the network. Whenever a search request comes, the AP looks up its cache table and filters based on configured policies, and then builds a search response and unicasts it to the requesting device. In a W-IAP cluster, the W-IAPs maintain a list of associated UPnP devices and allow the discovery of the associated devices. The following figure illustrates DLNA UPnP Services and AirGroup Architecture.

    Figure 87: DLNA UPnP Services and AirGroup Architecture

    For a list of supported DLNA services, see AirGroup Services on page 259.

    AirGroup Features
    AirGroup supports the following features:
    - Sends unicast responses to mDNS or DLNA queries and reduces the traffic footprint.
    - Ensures cross VLAN visibility and availability of AirGrou
76. about radio. The following table describes the logging levels in order of severity, from the most to the least severe.

    Table 66: Logging Levels
    Logging Level | Description
    Emergency | Panic conditions that occur when the system becomes unusable.
    Alert | Any condition requiring immediate attention and correction.
    Critical | Any critical conditions such as a hard drive error.
    Errors | Error conditions.
    Warning | Warning messages.
    Notice | Significant events of a non-critical and normal nature. The default value for all Syslog facilities.
    Informational | Messages of general interest to system users.
    Debug | Messages containing information useful for debugging.

    6. Click OK.

    In the CLI
    To configure a syslog server:
    (Instant AP)(config)# syslog-server <IP-address>
    To configure syslog facility levels:
    (Instant AP)(config)# syslog-level <logging-level> [ap-debug|network|security|system|user|user-debug|wireless]
    (Instant AP)(config)# end
    (Instant AP)# commit apply
    To view syslog logging levels:
    (Instant Access Point)# show syslog-level
    Logging Level
    ap-debug    warn
    network     warn
    security    warn
    system      warn
    user        warn
    user-debug  warn
    wireless    error

    Configuring TFTP Dump Server
    You can configure a TFTP server for storing core dump files by using the Instant UI or CLI.
    In the Inst
77. advanced options Tarpit all stations

    Configuring IDS Using CLI
    To configure IDS using CLI:
    (Instant AP)(config)# ids
    (Instant AP)(IDS)# infrastructure-detection-level <type>
    (Instant AP)(IDS)# client-detection-level <type>
    (Instant AP)(IDS)# infrastructure-protection-level <type>
    (Instant AP)(IDS)# client-protection-level <type>
    (Instant AP)(IDS)# wireless-containment <type>
    (Instant AP)(IDS)# wired-containment
    (Instant AP)(IDS)# detect-ap-spoofing
    (Instant AP)(IDS)# detect-windows-bridge
    (Instant AP)(IDS)# signature-deauth-broadcast
    (Instant AP)(IDS)# signature-deassociation-broadcast
    (Instant AP)(IDS)# detect-adhoc-using-valid-ssid
    (Instant AP)(IDS)# detect-malformed-large-duration
    (Instant AP)(IDS)# detect-ap-impersonation
    (Instant AP)(IDS)# detect-adhoc-network
    (Instant AP)(IDS)# detect-valid-ssid-misuse
    (Instant AP)(IDS)# detect-wireless-bridge
    (Instant AP)(IDS)# detect-ht-40mhz-intolerance
    (Instant AP)(IDS)# detect-ht-greenfield
    (Instant AP)(IDS)# detect-ap-flood
    (Instant AP)(IDS)# detect-client-flood
    (Instant AP)(IDS)# detect-bad-wep
    (Instant AP)(IDS)# detect-cts-rate-anomaly
    (Instant AP)(IDS)# detect-rts-rate-anomaly
    (Instant AP)(IDS)# detect-invalid-addresscombination
    (Instant AP)(IDS)# detect-malformed-htie
    (Instant AP)(IDS)# detec
78. and Open security levels. This option is available only if MAC authentication is enabled.

    Upload Certificate (Enterprise, Personal, and Open security levels): Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates on page 173.

    Fast Roaming (Enterprise, Personal, and Open security levels): You can configure the following fast roaming options for the WLAN SSID:
    - Opportunistic Key Caching: When WPA-2 Enterprise and Both (WPA2-WPA) encryption types are selected and if 802.1x authentication method is configured, the Opportunistic Key Caching (OKC) is enabled by default. If OKC is enabled, a cached pairwise master key (PMK) is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1x authentication. NOTE: OKC roaming can be configured only for the Enterprise security level.
    - 802.11r: Selecting this checkbox enables fast BSS transition. The Fast BSS Transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster.
    - 802.11k: Selecting this checkbox enables 802.11k roaming on the SSID profile. The 802.11k protocol enables W-IAPs and clients to dynamically measure the available radio resources. When 802.11k is enabled, W-IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
    - 802.11v: Selecting this
79. apply

    Configuring External Captive Portal Authentication Using ClearPass Guest
    You can configure Instant to point to ClearPass Guest as an external Captive Portal server. With this configuration, the user authentication is performed by matching a string in the server response and RADIUS server (either ClearPass Guest or a different RADIUS server).

    Creating a Web Login page in ClearPass Guest
    The ClearPass Guest Visitor Management Appliance provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. With ClearPass Guest, the users can have a controlled access to a dedicated visitor management user database. Through a customizable Web portal, the administrators can easily create an account, reset a password, or set an expiry time for visitors. Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit. By defining a Web login page on the ClearPass Guest Visitor Management Appliance, you are able to provide a customized graphical login page for visitors accessing the network.
    For information on setting up the RADIUS Web Login feature, see the RADIUS Services section in the ClearPass Guest Deployment Guide.

    Configuring RADIUS Server in Instant UI
    To configure Instant to point to Cle
80. are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers on page 154.
    2. Click Next. The Access tab details are displayed.

    In the CLI
    To configure security settings for an employee network:
    (Instant AP)(config)# wired-port-profile <name>
    (Instant AP)(wired ap profile <name>)# mac-authentication
    (Instant AP)(wired ap profile <name>)# l2-auth-failthrough
    (Instant AP)(wired ap profile <name>)# auth-server <name>
    (Instant AP)(wired ap profile <name>)# server-load-balancing
    (Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
    (Instant AP)(wired ap profile <name>)# end
    (Instant AP)# commit apply

    Configuring Access Rules for a Wired Profile
    The Ethernet ports allow third-party devices, such as VoIP phones or printers that support only wired connections, to connect to the wireless network. You can also configure an Access Control List (ACL) for additional security on the Ethernet downlink.
    If you are creating a new wired profile, complete the Wired Settings and configure VLAN and security parameters before defining access rules. For more information, see Configuring Wired Settings on page 112.
    Config
81. associated numeric value is 1.

    Venue Group | Associated Venue Type Value
    business (The associated numeric value is 2.) | unspecified: The associated numeric value is 0. doctor: The associated numeric value is 1. bank: The associated numeric value is 2. fire station: The associated numeric value is 3. police station: The associated numeric value is 4. post office: The associated numeric value is 6. professional office: The associated numeric value is 7. research and dev facility: The associated numeric value is 8. attorney office: The associated numeric value is 9.
    educational (The associated numeric value is 3.) | unspecified: The associated numeric value is 0. school primary: The associated numeric value is 1. school secondary: The associated numeric value is 2. univ or college: The associated numeric value is 3.
    factory and industrial (The associated numeric value is 4.) | unspecified: The associated numeric value is 0. factory: The associated numeric value is 1.
    (The associated numeric value is 5.) | unspecified: The associated numeric value is 0. hospital: The associated numeric value is 1. long term care: The associated numeric value is 2. alc drug rehab: The associated numeric value is 3. group home: The associated numeric value is 4. prison or jail: The associated numeric value is 5.
    mercantile | unspecified: The associated numeric value
82. can be blacklisted due to an ACL rule trigger. You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted. For more information on configuring maximum authentication failure attempts, see Configuring Security Settings for a WLAN SSID Profile on page 99.
    NOTE: To enable session firewall based blacklisting, click New and navigate to WLAN Settings > VLAN > Security > Access window, and enable the Blacklist option of the corresponding ACL rule.

    In the CLI
    To dynamically blacklist clients:
    (Instant AP)(config)# auth-failure-blacklist-time <seconds>
    (Instant AP)(config)# blacklist-time <seconds>
    (Instant AP)(config)# end
    (Instant AP)# commit apply
    To view the blacklisted clients:
    (Instant AP)# show blacklist-client config
    Blacklist Time 60
    Auth Failure Blacklist Time 60
    Manually Blacklisted Clients
    Dyn Blacklist Count 0

    Uploading Certificates
    A certificate is a digital file that certifies the identity of the organization or products of the organization. It is also used to establish your credentials for any Web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate holder's public key, and the digital signature of the certificate issuing authority so that a recipient can ensure that the
83. can lead to a high level of broadcasts in the same subnet. To manage the broadcast traffic, you can partition the network into different subnets and use L3 mobility between those subnets when clients roam. However, if a large number of clients need to be in the same subnet, you can configure VLAN pooling, in which each client is randomly assigned a VLAN from a pool of VLANs on the same SSID. Thus, VLAN pooling allows automatic partitioning of a single broadcast domain of clients into multiple VLANs.

    Uplink VLAN Monitoring and Detection on Upstream Devices
    If a client connects to an SSID or wired interface with a VLAN that is not allowed on the upstream device, the client will not be assigned an IP address and thus cannot connect to the Internet. When a client connects to an SSID or a wired interface with VLAN that is not allowed on the upstream device, the Instant UI now displays the following alert message:

    Figure 32: Uplink VLAN Detection (Alert Details window, Client Alerts: "VLAN mismatch between IAP and upstream device. Upstream device can be upstream switch or radius server."; columns: Timestamp, MAC address, Description)

    To resolve this issue, ensure that there is no mismatch in the VLAN configuration.
84. can upgrade a W-IAP by using the automatic image check feature. The Automatic image checks are performed once after the AP boots up and every week thereafter. If the image check locates a new version of the Instant software on the image server, the New version available link is displayed at the top right corner of the UI. If W-AirWave is configured, the automatic image check is disabled.
    To check for a new version on the image server in the cloud:
    1. Go to Maintenance > Automatic > Check for New Version. After the image check is completed, one of the following messages is displayed:
       - No new version available: If there is no new version available.
       - Image server timed out: Connection or session between the image server and the W-IAP is timed out.
       - Image server failure: If the image server does not respond.
       - A new image version found: If a new image version is found.
       If a new version is found, the Upgrade Now button becomes available and the version number is displayed.
    3. Click Upgrade Now. The W-IAP downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
       - Upgrading: While image upgrading is in progress.
       - Upgrade successful: When the upgrading is successful.
       - Upgrade failed: When the upgrading fails.
       If the upgrade fails and an error message is displayed, retry upgrading the W-IAP.
85. capability SYNC ASYNC
    bearer capability DIGITAL ANALOG
    use tiebreaker OFF
    peer profile NOT SET
    session profile NOT SET
    trace flags PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI

    Tunnel profile test_tunnel backup
    l2tp host name arubal600pop658509 hsb dev4 aus local
    UDP port 1701
    peer IP address 10.13.11.157
    peer UDP port 1701
    hello timeout 60
    retry timeout 1
    idle timeout 0
    rx window size 10
    tx window size 10
    max retries 5
    use UDP checksums OFF
    do pmtu discovery OFF
    mtu 1460
    framing capability SYNC ASYNC
    bearer capability DIGITAL ANALOG
    use tiebreaker OFF
    peer profile NOT SET
    session profile NOT SET
    trace flags PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI

    To view L2TPv3 system statistics:
    (Instant AP)# show l2tpv3 system statistics
    L2TP counters
    Total messages sent 99 received 194 retransmitted 0
    illegal 0 unsupported 0 ignored AVPs 0 vendor AVPs 0
    Setup failures tunnels 0 sessions 0
    Resource failures control frames 0 peers 0 tunnels 0 sessions 0
    Limit exceeded errors tunnels 0 sessions 0
    Frame errors short frames 0 wrong version frames 0 unexpected data frames 0 bad frames 0
    Internal authentication failures 0 message encode failures 0 no matching tunnel discards 0 mismatched tunnel ids 0 no matching session discards 0 mismatched
86. certificate is real. Instant supports the following certificate files:
    - Auth server or captive portal server certificate: PEM format with passphrase (PSK)
    - CA certificate: PEM or DER format
    In the current release, W-IAP supports uploading of a customized certificate for internal captive portal server.
    This section describes the following procedures:
    - Loading Certificates through Instant UI on page 173
    - Loading Certificates through Instant CLI
    - Loading Certificates through W-AirWave on page 174

    Loading Certificates through Instant UI
    To load a certificate in the Instant UI:
    1. Click the Maintenance link at the top right corner of the Instant main window.
    2. Click the Certificates tab. The Certificates tab contents are displayed. The following figure shows the Certificates window:

    Figure 48: Maintenance Window, Certificates Tab

    To upload a certificate, click Upload New Certificate. The New Certificate wind
87. checkbox enables 802.11v based BSS transition. 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam.
    4. Click Next to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 104.

    In the CLI
    To configure enterprise security settings for the employee and voice users of a WLAN SSID profile:
    (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa2-aes|wpa-psk-tkip,wpa2-psk-aes|dynamic-wep}
    (Instant AP)(SSID Profile <name>)# leap-use-session-key
    (Instant AP)(SSID Profile <name>)# termination
    (Instant AP)(SSID Profile <name>)# auth-server <server-name>
    (Instant AP)(SSID Profile <name>)# external-server
    (Instant AP)(SSID Profile <name>)# server-load-balancing
    (Instant AP)(SSID Profile <n
88. configuration. When preemption is enabled, and if the current uplink is active, the W-IAP periodically tries to use a higher priority uplink and switches to a higher priority uplink even if the current uplink is active. You can enable uplink preemption using Instant UI or CLI.

    In the Instant UI
    1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed.
    2. Under Uplink Management, ensure that the Enforce Uplink is set to none.
    3. Select Enabled from the Pre-emption drop-down list.
    4. Click OK.

    In the CLI
    To enable uplink preemption:
    (Instant AP)(config)# uplink
    (Instant AP)(uplink)# preemption
    (Instant AP)(uplink)# end
    (Instant AP)# commit apply

    Switching Uplinks Based on VPN and Internet Availability
    The default priority for uplink switchover is Ethernet and then 3G/4G. The W-IAP can switch to the lower priority uplink if the current uplink is down.

    Switching Uplinks Based on VPN Status
    Instant supports switching uplinks based on the VPN status when deploying multiple uplinks (Ethernet, 3G/4G, and Wi-Fi). When VPN is used with multiple backhaul options, the W-IAP switches to an uplink connection based on the VPN connection status, instead of only using the Ethernet or the physical backhaul link.
    The following configuration conditions apply to uplink switching:
    If the current uplink is Et
89. configuration of the primary and backup RADIUS servers in an enterprise WLAN SSID that has EAP termination enabled.
    In this release, a new external server type called TACACS Server is added to support authentication and accounting privileges for management users.

    Table 4: New Features in 6.4.0.2-4.1
    Feature | Description
    XML API Integration | The Instant UI allows users to integrate an XML API Interface with a W-IAP. The users can use the XML API interface to add, delete, authenticate, or query a user or a client.
    Support for inbound firewall rules configuration | You can configure firewall rules based on the source subnet for the inbound traffic coming through the uplink ports of a W-IAP.
    Full tunnel support | For Centralized L2 mode SSID, you can disable split tunnel to tunnel all packets on the SSID through the VPN tunnel. This overrides any global routing profiles and sends all traffic from the client, including DNS packets, into the VPN tunnel.

    Table 5: New Hardware Platforms introduced in this release
    Platform | Description
    W-IAP270 Series | The W-IAP270 Series (W-IAP274 and W-IAP275) are environmentally hardened, outdoor rated, dual-radio IEEE 802.11ac wireless access points. These access points use MIMO (Multiple in, Multiple out) technology and other high throughput mode techniques to deliver high performance 802.11ac 2.4 GHz and 5 GHz functionality while simultan
90. configure the channel and transmission power by running the following commands:
    (Instant AP)# a-channel <channel> <tx-power>
    (Instant AP)# g-channel <channel> <tx-power>

    Configuring Uplink VLAN for a W-IAP
    Instant supports a management VLAN for the uplink traffic on a W-IAP. You can configure an uplink VLAN when a W-IAP needs to be managed from a non-native VLAN. After a W-IAP is provisioned with the uplink management VLAN, all management traffic sent from the W-IAP is tagged with the management VLAN.
    Ensure that the native VLAN of the W-IAP and uplink are not the same.
    You can configure the uplink management VLAN on a W-IAP by using the Instant UI or CLI.

    In the Instant UI
    To configure uplink management VLAN:
    1. In the Access Points tab, click the W-IAP to modify. The edit link is displayed.
    2. Click the edit link. The edit window for modifying W-IAP details is displayed.
    3. Click the Uplink tab.
    4. Specify the VLAN in the Uplink Management VLAN field.
    5. Click OK.
    6. Reboot the W-IAP.

    In the CLI
    To configure uplink VLAN:
    (Instant AP)# uplink-vlan <VLAN-ID>
    To view the uplink VLAN status:
    (Instant AP)# show uplink-vlan
    Uplink Vlan Current 0
    Uplink Vlan Provisioned 1

    Master Election and Virtual Controller
    Instant does not require an external mobility controller to regulate and manage the Wi-Fi
91. configured on the controller. Only the master AP in a W-IAP cluster forms the VPN tunnel. From the controller perspective, the master W-IAPs that form the VPN tunnel are considered as VPN clients. The controller terminates VPN tunnels and routes or switches VPN traffic. The W-IAP cluster creates an IPSec or GRE VPN tunnel from the Virtual Controller to a mobility controller in a branch office. The controller only acts as an IPSec or GRE VPN end-point and it does not configure the W-IAP.

    IAP-VPN Scalability Limits
    The controller scalability in IAP-VPN architecture depends on factors such as IPsec tunnel limit, Branch ID limit, and datapath route table limit. The following table provides the IAP-VPN scalability information for various controller platforms:

    Table 42: IAP-VPN Scalability
    Columns: Platforms, Branches, Routes, L3 Mode Users, NAT Users, Total L2 Users
    W-3200 1000 1000
    W-3600 8000 8000

    - Branches: The number of IAP-VPN branches that can be terminated on a given controller platform.
    - Routes: The number of L3 routes supported on the controller.
    - L3 mode and NAT mode users: The number of trusted users supported on the controller. There is no scale impact on the controller. They are limited only by the number of clients supported per W-IAP.
    - L2 mode users: The number of L2 mode users are limited to 128000 for W-7220/W-7240 and 64000 across all platforms
92. connect. The NAI realm settings on a W-IAP as an advertisement profile to determine the NAI realm elements that must be included as part of a GAS Response frame.

    Configuring Hotspot Profiles
    To configure a hotspot profile, perform the following steps:
    1. Create the required ANQP and H2QP advertisement profiles.
    2. Create a hotspot profile.
    3. Associate the required ANQP and H2QP advertisement profiles created in step 1 to the hotspot profile created in step 2.
    4. Create a SSID Profile with enterprise security and WPA2 encryption settings and associate the SSID with the hotspot profile created in step 2.

    Creating Advertisement Profiles for Hotspot Configuration
    A hotspot profile contains one or several advertisement profiles. The following advertisement profiles can be configured through the Instant CLI:
    - ANQP advertisement profiles
       - NAI Realm profile
       - Venue Name Profile
       - Network Authentication Profile
       - Roaming Consortium Profile
       - 3GPP Profile
       - IP Address availability Profile
       - Domain Name Profile
    - H2QP advertisement profiles
       - Operator Friendly Name Profile
       - Connection Capability Profile
       - Operating Class Profile
       - WAN Metrics Profile

    Configuring an NAI Realm Profile
    You configure a Network Access Identifier (NAI) Realm profile to define the NAI realm information, which can be sent as an ANQP IE in a GAS query response. To configure a
93. default VLAN is not supported with PPPoE uplink. You can also configure an alternate Ethernet uplink to enable uplink failover when an Ethernet port fails.

    Configuring PPPoE Uplink Profile
    You can configure PPPoE settings from the Instant UI or CLI.

    In the Instant UI
    1. Click the System link at the top right corner of the Instant main window. The System window is displayed.
    2. Click the Show advanced options link. The advanced options are displayed.
    3. In the Uplink tab, perform the following steps in the PPPoE section:
       a. Enter the PPPoE service name provided by your service provider in the Service name field.
       b. In the CHAP secret and Retype fields, enter the secret key used for Challenge Handshake Authentication Protocol (CHAP) authentication. You can use a maximum of 34 characters for the CHAP secret key.
       c. Enter the user name for the PPPoE connection in the User field.
       d. In the Password and Retype fields, enter a password for the PPPoE connection and confirm it.
    4. To set a local interface for the PPPoE uplink connections, select a value from the Local interface drop-down list. The selected DHCP scope will be used as a local interface on the PPPoE interface and the Local L3 DHCP gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE interface and allows the entire Local L3 DHCP subnet to be allocate
94. disable local routing:
    1. Navigate to System > General > Show advanced options.
    2. From the Deny local routing drop-down list, select Enabled to prevent local routing traffic between two clients connected to a W-IAP on different VLANs.
    3. Click OK.

    In the CLI
    To disable local routing:
    (Instant AP)(config)# deny-local-routing
    (Instant AP)(config)# end
    (Instant AP)# commit apply
    To deny local routing for the WLAN SSID clients:
    (Instant AP)(config)# wlan ssid-profile <ssid-profile>
    (Instant AP)(SSID Profile <ssid-profile>)# deny-local-routing
    (Instant AP)(SSID Profile <ssid-profile>)# end
    (Instant AP)# commit apply

    Enabling Dynamic CPU Management
    W-IAPs perform various functions such as wireless client connectivity and traffic flows, wired client connectivity and traffic flows, wireless security, network management, and location tracking. Like with any network element, a W-IAP can be subject to heavy loads. In such a scenario, it is important to prioritize the platform resources across different functions. Typically, the W-IAPs manage resources automatically in real time. However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified.
    You can configure the dynamic CPU management feature by using the I
95. dropped.
    DHCP relay: If you are configuring a Centralized L2 DHCP profile, you can select Enabled to allow the W-IAPs to intercept the broadcast packets and relay DHCP requests to centralized DHCP server.
    NOTE: The DHCP relay option is not available for centralized L3 profile configuration.
    Helper address: Specify the IP address of the DHCP server.
    NOTE: For Centralized L2 DHCP profiles, the Helper address option is displayed only when DHCP relay is enabled.
    VLAN IP: Specify the Centralized L3 DHCP subnet gateway IP.
    VLAN Mask: Specify the subnet mask of the Centralized L3 DHCP subnet gateway IP.
    Option82: Select Alcatel to enable DHCP Option 82 to allow clients to send DHCP packets with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format. The ALU format for the Option 82 string consists of the following:
    - Remote Circuit ID X AP MAC SSID SSID Type
    - Remote Agent X IDUE MAC
    NOTE: The Option 82 string is specific to Alcatel and is not configurable.
    4. Click OK.

    The following table describes the behavior of the DHCP Relay Agent and Option 82 in the W-IAP.

    Table 40: DHCP Relay and Option 82
    DHCP Relay | Option 82 | Behavior
    Enabled | Enabled | DHCP packet relayed with the ALU-specific Option 82 string
    Enabled | Disabled | DHCP packet relayed without the ALU-specific Option 82 string
    Disabled | Enabled | DHCP packet not relayed, but broadcast with the ALU-specific Option 82 string
    Disabled | Disabled | DHCP packet
96. during network installation and the ongoing operations when RF conditions change.

    Voice Aware Scanning
    The Voice Aware scanning feature prevents a W-IAP supporting an active voice call from scanning for other channels in the RF spectrum and allows a W-IAP to resume scanning when there are no active voice calls. This significantly improves the voice quality when a call is in progress and simultaneously delivers the automated RF management functions. By default, this feature is enabled.

    Load Aware Scanning
    The Load Aware Scanning feature dynamically adjusts scanning behavior to maintain uninterrupted data transfer on resource intensive systems when the network traffic exceeds a predefined threshold. The W-IAPs resume complete monitoring scans when the traffic drops to the normal levels. By default, this feature is enabled.

    Monitoring the Network with ARM
    When ARM is enabled, a W-IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and sends reports to a Virtual Controller on network (WLAN) coverage, interference, and intrusion detection.

    ARM Metrics
    ARM computes coverage and interference metrics for each valid channel and chooses the best performing channel and transmit power settings for each W-IAP RF environment. Each W-IAP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state.
97. Contents (excerpt)
Information Elements (IEs) and Management Frames
NAI Realm List
Configuring Hotspot Profiles
Creating Advertisement Profiles for Hotspot Configuration
Configuring an NAI Realm Profile
Configuring a Venue Name Profile
Configuring a Network Authentication Profile
Configuring a Roaming Consortium Profile
Configuring a 3GPP Profile
Configuring an IP Address Availability Profile
Configuring a Domain Profile
Configuring an Operator-friendly Profile
Configuring a Connection Capability Profile
Configuring an Operating Class Profile
Configuring a WAN Metrics Profile
Creating
98. Contents (excerpt)
Example
Radio Resource Management (802.11k)
Beacon Report Requests and Probe Responses
Configuring a WLAN SSID for 802.11k Support
In the Instant UI
Examples
BSS Transition Management (802.11v)
Configuring a WLAN SSID for 802.11v Support
In the Instant UI
In the CLI
Example
Editing Status of a WLAN SSID Profile
In the CLI
Editing a WLAN SSID Profile
Deleting a WLAN SSID Profile
Wired Profiles
Configuring a Wired Profile
Configuring Wired Settings
Configuri
99. enable
Air Time Fairness Mode: fair-access
Client Match: disable
CM NB Matching Percent: 75
CM Calculating Interval: 30
CM SLB Threshold: 2
CM SLB Balancing Mode: channel based
CM max client match req: 5
CM max adoption: 5
Custom Channels: No
[2.4 GHz Channels and 5.0 GHz Channels listings: channel numbers with enable/disable status]
Configuring Radio Settings for a W-IAP
You can configure 2.4 GHz and 5 GHz radio settings for a W-IAP either using the Instant UI or CLI.
In the Instant UI
To configure radio settings:
1. Click the RF link at the top right corner of the Instant main window.
2. Click Show advanced options. The advanced options are displayed.
3. Click the Radio tab.
4. Under the channel 2.4 GHz or 5 GHz, or both, configure the following parameters.
Table 48: Radio Configuration Parameters
Parameter: Legacy only; 802.11d / 802.11h; Beacon interval; Interference immunity level; Channel switch announcement count; Background spec
100. engine ID that uniquely identifies the agent in the device and is unique to that internal network.
3. Click New and update the following fields:
• IP Address: Enter the IP Address of the new SNMP Trap receiver.
• Version: Select the SNMP version (v1, v2c, v3) from the drop-down list. The version specifies the format of traps generated by the access point.
• Community/Username: Specify the community string for SNMPv1 and SNMPv2c traps and a username for SNMPv3 traps.
• Port: Enter the port to which the traps are sent. The default value is 162.
• Inform: When enabled, traps are sent as SNMP INFORM messages. It is applicable to SNMPv3 only. The default value is Yes.
4. Click OK to view the trap receiver information in the SNMP Trap Receivers window.
In the CLI
To configure SNMP traps:
(Instant AP)(config)# snmp-server host <IP-address> {version 1|version 2|version 3} <name> udp-port <port> inform
(Instant AP)(config)# end
(Instant AP)# commit apply
Instant supports SNMP Management Information Bases (MIBs) along with Dell MIBs. For information about MIBs and SNMP traps, see Dell Networking W-Series Instant MIB Reference Guide.
Configuring a Syslog Server
You can specify a syslog server for sending syslog messages to the external servers either by using the Instant UI or CLI.
In the Instant UI
1. In the Instant main window, click the System link. The System window is displayed.
2. Click Show advan
101. for wired and wireless authentication. In this example, the rule permits all traffic. For contractor SSID role, the rule allows only 10.16.0.0/16 network and all other traffic address is translated at the source and the global routing profile definition is bypassed. See Configuring Access Rules for Network Services.
For wired profile:
(ap)(config)# wlan access-rule wired-port
(ap)(Access Rule "wired-port")# rule any any match any any any permit
For WLAN SSID employee roles:
(ap)(config)# wlan access-rule wireless-ssid
(ap)(Access Rule "wireless-ssid")# rule any any match any any any permit
For WLAN SSID contractor roles:
(ap)(config)# wlan access-rule wireless-ssid-contractor
(ap)(Access Rule "wireless-ssid-contractor")# rule 10.16.0.0 255.255.0.0 match any any any permit
(ap)(Access Rule "wireless-ssid-contractor")# rule any any match any any any src-nat
NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the W-IAP cluster.
AP Connected Switch Configuration
Client VLANs defined in this example must be opened on the upstream switches in multiple AP deployments, as client traffic from slave to master is tagged with the client VLAN.
Datacenter Configuration
For information on controller configuration, see Confi
102. >)# end
(Instant AP)# commit apply
The Public Land Mobile Network (PLMN) ID is a combination of the mobile country code and network code. You can specify up to 6 PLMN IDs for a 3GPP profile.
Configuring an IP Address Availability Profile
You can configure the available IP address types to send information on IP address availability as an ANQP IE in a GAS query response. To configure an IP address availability profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-ip-addr-avail-profile <name>
(Instant AP)(IP-addr-avail <name>)# ipv4-addr-avail
(Instant AP)(IP-addr-avail <name>)# ipv6-addr-avail
(Instant AP)(IP-addr-avail <name>)# enable
(Instant AP)(IP-addr-avail <name>)# end
(Instant AP)# commit apply
Configuring a Domain Profile
You can configure a domain profile to send the domain names as an ANQP IE in a GAS query response. To configure a domain name profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-domain-name-profile <name>
(Instant AP)(domain-name <name>)# domain-name <domain-name>
(Instant AP)(domain-name <name>)# enable
(Instant AP)(domain-name <name>)# end
(Instant AP)# commit apply
Configuring an Operator-friendly Profile
You can configure the operator-friendly name p
103. [Figure residue: packet capture of a RADIUS Access-Accept carrying the Aruba-User-Vlan vendor-specific attribute; Server Manager network policy settings for sending vendor-specific attributes to RADIUS clients]
104. in environments with high and constant levels of noise interference.
Level 5: The AP completely disables PHY error reporting, improving performance by eliminating the time the W-IAP would spend on PHY processing.
NOTE: Increasing the immunity level makes the AP lose a small amount of range.
Specify the count to indicate the number of channel switching announcements that must be sent before switching to a new channel. This allows associated clients to recover gracefully from a channel change.
Select Enabled to allow the APs in access mode to continue with normal access service to clients, while performing the additional function of monitoring RF interference (from both neighboring APs and non-Wi-Fi sources such as microwaves and cordless phones) on the channel they are currently serving clients.
5. Reboot the W-IAP after configuring the radio profile settings.
In the CLI
To configure 2.4 GHz radio settings:
(Instant AP)(config)# rf dot11g-radio-profile
(Instant AP)(RF dot11 g Radio Profile)# beacon-interval <milliseconds>
(Instant AP)(RF dot11 g Radio Profile)# legacy-mode
(Instant AP)(RF dot11 g Radio Profile)# spectrum-monitor
(Instant AP)(RF dot11 g Radio Profile)# dot11h
(Instant AP)(RF dot11 g Radio Profile)# interference-immunity <level>
(Instant AP)(RF dot11 g Radio Profile)# csa-count <count>
(Instant AP)(RF dot11 g Radio Profile)# max-distance <count>
(Instant AP)(RF dot11 g Radio
105. is 0 retail store The associated numeric value is 1 grocery market The associated numeric value is 2 auto service station The associated numeric value is 3 shopping mall The associated numeric value is 4 gas station The associated numeric value is 5 The associated numeric value is 6 residential unspecified The associated numeric value is 0 private residence The associated numeric value is 1 hotel The associated numeric value is 3 dormitory The associated numeric value is 4 boarding house The associated numeric value is 5 The associated numeric value is 7 storage unspecified The associated numeric value is 0 The associated numeric value is 8 utility misc unspecified The associated numeric value is 0 The associated numeric value is 9 unspecified The associated numeric value is 0 automobile or truck The associated numeric value is 1 airplane The associated numeric value is 2 bus The associated numeric value is 3 ferry The associated numeric value is 4 ship The associated numeric value is 5 train The associated numeric value is 6 motor bike The associated numeric value is 7 vehicular The associated numeric value is 10 outdoor unspecified The associated numeric value is 0 muni mesh network The associated numeric value is 1 city park The associated numeric value is 2 rest area The associated numeric value is 3 traffic control The associated numeric value is
106. is configured to operate.
• In Access mode, the W-IAP serves clients, while also monitoring for rogue APs in the background.
• In Monitor mode, the W-IAP acts as a dedicated monitor, scanning all channels for rogue APs and clients.
• Spectrum: Displays the status of the spectrum monitor.
• Clients: Number of clients associated with the W-IAP.
• Type: Displays the model number of the W-IAP.
• Zone: Displays AP zone details.
• CPU Utilization: Displays the CPU utilization in percentage.
• Memory Free: Displays the memory availability of the W-IAP in MB.
• Serial number: Displays the serial number of the W-IAP.
• MAC: Displays the MAC address.
• From Port: Displays the port from where the slave W-IAP is learned in hierarchy mode.
Info section in Client view
The Info section in the Client view displays the following information:
• Name: Displays the name of the client.
Table 9: Contents of the Info Section in the Instant Main Window
• IP Address: Displays IP address of the client.
• MAC Address: Displays MAC Address of the client.
• OS: Displays the Operating System that is running on the client.
• Network: Indicates the network to which the client is connected.
• Access Point: Indicates the W-IAP to which the client is connected.
• Channel: Indicates the channel that is currently used by the client.
• Type: Displays the channel type on which
107. is directly connected, VLAN132
42.42.42.0/24 is directly connected, VLAN123
44.44.44.0/24 is directly connected, VLAN125
182.82.82.12/32 is an ipsec map 10.15.149.69-182.82.82.12
182.82.82.14/32 is an ipsec map 10.17.87.126-182.82.82.14
VPN Configuration
The following VPN configuration steps on the controller enable the W-IAPs to terminate their VPN connection on the controller.
Whitelist Database Configuration
The whitelist database is a list of the MAC addresses of the W-IAPs that are allowed to establish VPN connections with the controller. This list can be either stored in the controller database or on an external server.
You can use the following CLI command to configure the whitelist database entry if the controller is acting as the whitelist database:
(host)# whitelist-db rap add mac-address 00:11:22:33:44:55 ap-group test
The ap-group parameter is not used for any configuration, but needs to be configured. The parameter can be any valid string.
If an external server is used as the location for the whitelist database, add the MAC addresses of the valid W-IAPs in the external database or external directory server and then configure a RADIUS server to authenticate the W-IAPs using the entries in the external database or external directory server.
If you are using the Windows 2003 server, perform the following steps to configure the external whitelist database on it. There ar
108. is uniformly distributed across the W-IAP cluster.
Configuring a Mobility Domain for Instant
You can configure L3 mobility domain by using the Instant UI or CLI.
In the Instant UI
To configure a mobility domain, perform the following steps:
1. Click the System link at the top right corner of the Instant main window. The System window is displayed.
2. Click the Show advanced options link. The advanced options are displayed.
3. Click L3 Mobility. The L3 Mobility window is displayed.
Figure 115: L3 Mobility Window
4. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled.
5. Click New in the Virtual Controller IP Addresses section, add the IP address of a Virtual Controller that is part of the mobility domain, and click OK.
6. Repeat Step 2 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain.
7. Click New in the Subnets section and specify the following:
a. Enter the client subnet in the IP address text box.
b. Enter the mask in the Subnet mask text box.
c. Enter the VLAN ID in the home network in the VLAN ID text box.
d. Enter the home VC IP address for this subnet in the Virtual Controller IP text box.
8. Click OK.
In th
109. name>)# end
(Instant AP)# commit apply
The configuration parameters for associating an advertisement profile with a hotspot profile are described in the following table:
Table 70: Advertisement Association Parameters
Parameter | Description
advertisement-profile | Specify the advertisement profile to associate with this hotspot profile. For information on advertisement profiles, see Creating Advertisement Profiles for Hotspot Configuration on page 340.
advertisement-protocol | Specify the advertisement protocol types as Access Network Query Protocol (ANQP) as anqp.
Creating a WLAN SSID and Associating Hotspot Profile
To create a WLAN SSID with Enterprise Security and WPA2 Encryption Settings:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# essid <ESSID-name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# vlan <vlan-ID>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa2-aes}
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# mac-authenticati
110. network can be configured with a primary and backup host to provide VPN redundancy. You can define VPN host settings through More > VPN > Controller in the UI.
You can configure the following VPN profiles for the IAP-VPN operations. For more information, see Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Controller on page 210.
• IPSec
• Aruba GRE
• Manual GRE
Configuring Routing Profiles
The routing profile on the W-IAP determines whether the traffic destined to a subnet must be tunneled through IPSec or bridged locally. If the routing profile is empty, the client traffic will always be bridged locally. For example, if the routing profile is configured to tunnel 10.0.0.0/8, traffic destined to 10.0.0.0/8 will be forwarded through the IPsec tunnel and the traffic to all other destinations is bridged locally.
You can also configure a routing profile with 0.0.0.0 as gateway to allow both client and IAP traffic to be routed through a non-tunnel route. If the gateway is in the same subnet as the uplink IP address, it is used as a static gateway entry. A static route can be added on all master and slave W-IAPs for these destinations. The VPN traffic from the local subnet of the W-IAP or the virtual controller IP address in the local subnet is not routed to tunnel, but will be switched to the relevant VLAN. For example, when a 0.0.0.0 0.0.0.0 r
111. no configuration required on the AP for enabling LACP support. However, you can view the status of LACP on W-IAPs by using the following command:
(Instant AP)# show lacp status
AP LACP Status
Up slow 2 17 1 70:81:05:11:3e:80
Slave Interface Status
eth0 6c:f3:7f:c6:76:6e Up Yes 0
eth1 6c:f3:7f:c6:76:6f Up Yes 0
Traffic Sent on Enet Ports
Radio Num | Enet 0 Tx Count | Enet 1 Tx Count
100
non-wifi 2 17
Understanding Hierarchical Deployment
A W-IAP 130 Series or W-IAP3WN (with more than one wired port) can be connected to the downlink wired port of another W-IAP (ethX). A W-IAP with a single Ethernet port (like W-IAP90 or W-IAP 100 series devices) can be provisioned to use Ethernet bridging, so that the Ethernet 0 port is converted to a downlink wired port.
You can also form a W-IAP network by connecting the downlink port of an AP to other APs. Only one AP in the network uses its downlink port to connect to the other APs. This AP (called the root AP) acts as the wired device for the network, provides DHCP service and an L3 connection to the ISP uplink with NAT. The root AP is always the master of the Instant network. In a single Ethernet port platform deployment, the root AP must be configured to use the 3G uplink.
A typical hierarchical deployment consists of the following:
• A direct wired ISP connection or a wireless uplink.
• One or more DHCP p
112. not have a RADIUS account, but the user is logged in and authenticated.
When a device does both machine and user authentication, the user obtains the default role or the derived role based on the RADIUS attribute.
You can configure machine authentication with role-based access control using the Instant UI or CLI.
In the Instant UI
To configure machine authentication with role-based access control, perform the following steps:
1. In the Access tab of the WLAN (New WLAN or Edit <WLAN-profile>) or Wired Network configuration (New Wired Network or Edit Wired Network) window, under Roles, create Machine auth only and User auth only roles.
2. Configure access rules for these roles by selecting the role and applying the rule. For more information on configuring access rules, see Configuring Access Rules for Network Services on page 177.
3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.
4. Click Finish to apply these changes.
In the CLI
To configure machine and user authentication roles for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure machine and user authen
113. not relayed, but broadcast without the ALU-specific Option 82 string.
In the CLI
To configure a centralized L2 DHCP profile:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# server-type <centralized>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# option82 alu
(Instant AP)(DHCP Profile <profile-name>)# disable-split-tunnel
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
To configure a centralized L3 DHCP profile:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# server-type <centralized>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# dhcp-relay
(Instant AP)(DHCP Profile <profile-name>)# dhcp-server <DHCP-relay-server>
(Instant AP)(DHCP Profile <profile-name>)# vlan-ip <DHCP IP address> mask <VLAN mask>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
Configuring Local and Local L3 DHCP Scopes
You can configure Local and Local L3 DHCP scopes through the Instant UI or CLI.
Local: In this mode, the Virtual Controller acts as both the DHCP
114. Contents (excerpt)
RF Dashboard
Usage Trends
Mobility Trail
AppRF
Configuration
Pause/Resume
Views
Initial Configuration Tasks
Basic Configuration Tasks
Modifying the W-IAP Name
In the CLI
Updating Location Details of a W-IAP
Configuring a Preferred Band
Configuring Virtual Controller IP Address
In the Instant UI
Configuring Timezone
In the Instant UI
Configuring an N
115. occasionally classified as Fixed Frequency (Other).
Frequency Hopper (Cordless Base): Frequency hopping cordless phone base units transmit periodic beacon-like frames at all times. When the handsets are not transmitting (i.e., no active phone calls), the cordless base is classified as Frequency Hopper (Cordless Base).
Frequency Hopper (Cordless Network): When there is an active phone call and one or more handsets are part of the phone conversation, the device is classified as Frequency Hopper (Cordless Network). Cordless phones may operate in 2.4 GHz or 5 GHz bands. Some phones use both 2.4 GHz and 5 GHz bands (for example, 5 GHz for Base-to-handset and 2.4 GHz for Handset-to-base). These phones may be classified as unique Frequency Hopper devices on both bands.
Frequency Hopper (Xbox): The Microsoft Xbox device uses a frequency hopping protocol in the 2.4 GHz band. These devices are classified as Frequency Hopper (Xbox).
Frequency Hopper (Other): When the classifier detects a frequency hopper that does not fall into one of the above categories, it is classified as Frequency Hopper (Other). Some examples include IEEE 802.11 FHSS devices, game consoles, and cordless/hands-free devices that do not use one of the known cordless phone protocols.
Non Wi-Fi Interferer: Microwave; Microwave (Inverter); Generic Interferer
Description: Common residential microw
116. on an ongoing basis to ensure that configurations never vary from the enterprise policies. It alerts you whenever a violation is detected and automatically repairs the incorrectly configured devices.
Figure 96: Template-based Configuration
Trending Reports
W-AirWave saves up to 14 months of actionable information, including network performance data and user roaming patterns, so you can analyze how network usage and performance trends have changed over time. It also provides detailed capacity reports with which you can plan the capacity and appropriate strategies for your organization.
Intrusion Detection System
W-AirWave provides advanced, rules-based rogue classification. It automatically detects rogue APs irrespective of their location in the network and prevents authorized W-IAPs from being detected as rogue W-IAPs. It tracks and correlates the IDS even
117. on page 76
• Configuring a Preferred Band on page 75
• Configuring an NTP Server on page 76
• Enabling AppRF Visibility on page 77
The following figure shows an example for the basic configuration settings under the System > General tab:
[Figure: basic configuration settings under the System > General tab]
For information on Dynamic RADIUS proxy configuration, see Configuring Authentication Servers on page 157.
Modifying the W-IAP Name
You can change the name of a W-IAP by using the Instant UI or CLI.
In the Instant UI
1. Navigate to System > General.
2. Specify the name of the W-IAP in the Name text box.
3. Click OK.
In the CLI
To change the name:
(Instant AP)# name <name>
Updating Location Details of a W-IAP
You can update the physical location details of a W-IAP by using the Instant UI or CLI. The system location details are used for retrieving information through the SNMP sysLocation MIB object.
In the Instant UI
To update location details:
1. Navigate to System > General.
2. Specify the location of a W-IAP in the System location text box.
3. Click OK.
In the CLI
To update location detai
118. packets.
• Select ARP poison check to enable the W-IAP to trigger an alert notifying the user about the ARP poisoning that may have been caused by the rogue APs.
Figure 53: Firewall Settings - Protection Against Wired Attacks
4. Click OK.
In the CLI
To configure firewall settings to prevent attacks:
(Instant AP)(config)# attack
(Instant AP)(ATTACK)# drop-bad-arp-enable
(Instant AP)(ATTACK)# fix-dhcp-enable
(Instant AP)(ATTACK)# poison-check-enable
(Instant AP)(ATTACK)# end
(Instant AP)# commit apply
To view the configuration status:
(Instant AP)# show attack config
Current Attack
drop-bad-arp Enabled
fix-dhcp Enabled
poison-check Enabled
To view the attack statistics:
(Instant AP)# show attack stats
attack counters
arp packet counter 0
drop bad arp packet counter 0
dhcp response packet counter 0
fixed bad dhcp packet counter 0
send arp attack alert counter 0
send dhcp attack alert counter 0
arp poison check counter 0
garp send check counter 0
Managing Inbound Traffic
Instant now supports an enhanced inbound firewall by allowing the con
119. port")# auth-server server2
(ap)(wired-port-profile "wired-port")# dot1x
(ap)(wired-port-profile "wired-port")# exit
(ap)(config)# enet1-port-profile wired-port
Configure a wireless SSID to operate in centralized L2 mode and associate VLAN 20 to the WLAN SSID profile:
(ap)(config)# wlan ssid-profile wireless-ssid
(ap)(SSID Profile "wireless-ssid")# enable
(ap)(SSID Profile "wireless-ssid")# type employee
(ap)(SSID Profile "wireless-ssid")# essid wireless-ssid
(ap)(SSID Profile "wireless-ssid")# opmode wpa2-aes
(ap)(SSID Profile "wireless-ssid")# vlan 20
(ap)(SSID Profile "wireless-ssid")# auth-server server1
(ap)(SSID Profile "wireless-ssid")# auth-server server2
(ap)(SSID Profile "wireless-ssid")# auth-survivability
7. Create access rule for wired and wireless authentication. See Configuring Access Rules for Network Services.
For wired profile:
(ap)(config)# wlan access-rule wired-port
(ap)(Access Rule "wired-port")# rule any any match any any any permit
For WLAN SSID employee roles:
(ap)(config)# wlan access-rule wireless-ssid
(ap)(Access Rule "wireless-ssid")# rule any any match any any any permit
NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the W-IAP cluster.
AP Connected Switch Configuration
Client VLANs defined in this example must be opened on the upstream swi
120. port <port> user <name> <password> end
Integrating a W-IAP with an XML API interface
The XML API interface provides options to create and execute user management operations seamlessly on behalf of the clients or users.
Integration with Instant
The XML API interface allows users to send specific XML commands to a W-IAP from an external server. These XML commands can be used to customize W-IAP client entries. You can use the XML API interface to add, delete, authenticate, query, or blacklist a user or a client.
The user authentication is supported only for users authenticated by Captive Portal authentication and not for the dot1x authentication users.
NOTE: The user add operation performed by the XML API interface is only used to modify the role of an existing user and not to create a new user.
Users can now use HTTP or HTTPS to post commands to the W-IAP. The communication process using the XML API Interface is as follows:
• An API command is issued in XML format from the Server to the Virtual Controller.
• The Virtual Controller processes the XML request, identifies where the client is, and sends the command to the correct slave W-IAP.
• Once the operation is completed, the Virtual Controller sends the XML response to the XML server.
• Users can use the response and take appropriate action that suits their requirements. The response from the contro
121. portal lt type gt exclude uplink lt types gt external exclude uplink lt types gt profile lt name gt exclude uplink lt types gt Instant AP SSID Profile lt name gt blacklist Instant AP SSID Profile lt name gt mac authentication Instant AP SSID Profile lt name gt max authentication failures lt number gt t AP SSID Profile lt name gt auth server lt server name gt Instant Access Point SSID Profile lt name gt radius accounting Instant Access Point SSID Profile lt name gt radius interim accounting interval Instant Access Point SSID Profile lt name gt radius accounting mode user association user authentication Instant AP SSID Profile lt name gt wpa passphrase lt WPA_key gt Instant AP SSID Profile lt name gt wep key lt WEP key gt lt WEP index gt Instant AP SSID Profile lt name gt end Instant AP commit apply To configure security settings for guest users of the wired profile Instant AP config wired port profile lt name gt Instant AP wired ap profile lt name gt type lt Guest gt Instant AP wired ap profile lt name gt captive portal lt type gt exclude uplink lt types gt external exclude uplink lt types gt profile lt name gt exclude uplink lt types gt Instant AP wired ap profile lt name gt mac authentication Instant AP wired ap profile lt name gt end Instant AP commit
122. presented to the guest users when they try to access the Internet, whether in hotels, conference centers, or Wi-Fi hotspots. The Web page also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at many Wi-Fi hotspots and can be used to control wired access as well.

The Instant captive portal solution consists of the following:
• The captive portal Web login page hosted by an internal or external server.
• The RADIUS authentication or user authentication against W-IAP's internal database.
• The SSID broadcast by the W-IAP.

With Instant, the administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. The administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal web page prompting the user to authenticate with a user name and password is displayed.

Types of Captive Portal

Instant supports the following types of captive portal authentication:
• Internal captive portal: For Internal captive portal authentication, an internal server is used for ho
123. profile
1. In the Networks tab, select the network that you want to edit. The edit link is displayed.
2. Click the edit link. The Edit network window is displayed.
3. Modify the required settings. Click Next to move to the next tab.
4. Click Finish to save the modifications.

Deleting a WLAN SSID Profile

To delete a WLAN SSID profile:
1. In the Networks tab, click the network that you want to delete. An x link is displayed against the network to be deleted.
2. Click x. A delete confirmation window is displayed.
3. Click Delete Now.

Chapter 9 Wired Profiles

This chapter describes the following procedures:
• Configuring a Wired Profile on page 112
• Assigning a Profile to Ethernet Ports on page 117
• Editing a Wired Profile on page 117
• Deleting a Wired Profile on page 118
• Link Aggregation Control Protocol for W-IAP220 Series on page 118
• Understanding Hierarchical Deployment on page 119

Configuring a Wired Profile

The Ethernet ports allow third-party devices such as VoIP phones or printers (which support only wired connections) to connect to the wireless network. You can also configure an Access Control List (ACL) for additional security on the Ethernet downlink. The wired profile configuration for employee network involves the followin
124. regular expression is a powerful pattern description language that can be used to perform advanced pattern matching of the above string If the combined device fingerprint string matches the specified regular expression the role or vlan can be set to the WLAN client The following table lists some of the most commonly used regular expressions which can be used in user role and user VLAN derivation rules Operator Description Matches any character For example k matches lack lark link lock look Lync and so on Matches the character that follows the backslash For example 1192 01 matches IP addresses ranges that starting with 192 0 such as 192 0 1 1 The expression looks only for the single characters that match Matches any one character listed between the brackets For example bc lock matches block and clock Matches the words that begin and end with the given expression For example bdown matches downlink linkdown shutdown B Matches the middle of a word For example Bvice matches services devices servicelD devicelD and so on Matches the characters at starting position in a string For example bcd matches bcde or bcdf but not abcd Matches any characters that are not listed between the brackets For example uJlink matches downlink link but not uplink Matches any one occurrence of the pattern For example est matches best nest rest test and so on Matches the end of an input string For
125. rule allows traffic to all destinations. To define an access rule:
a. Click New.
b. Select appropriate options in the New Rule window.
c. Click OK.
• Role-based: Select Role-based to enable access based on user roles. For role-based access control:
  • Create a user role if required. For more information, see Configuring User Roles.
  • Create access rules for a specific user role. For more information, see Configuring Access Rules for Network Services on page 177. You can also configure an access rule to enforce captive portal authentication for an SSID that is configured to use 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID on page 135.
  • Create a role assignment rule. For more information, see Configuring Derivation Rules on page 192.
2. Click Finish.

In the CLI

To configure access control rules for a WLAN SSID:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# rule <dest> <mask> <match> {<protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat {<IP-address> <port>|<port>}}| app <app> {permit|deny}| appcategory <appgrp>| webcategory <webgrp> {permit|deny}| webreputation <webrep> [<option1....option9>]}
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply

To configure access control based on the SSID
126. server auth survivability For wired profil ap config wl e an access rule wired port See Configuring authentication In this example the rule permits all traffic ap Access Rul any any any permit wired port rule any any match Access Rules for Network Services For WLAN SSID ap config wlan access rul ap Access Rule wireless ssid rule any any match any any any permit wireless ssid NOTE Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the W IAP cluster AP Connected Switch Configuration Client VLANs defined in this example must be opened on the upstream switches in multi AP deployments as client traffic from slave to master is tagged with the client VLAN Datacenter Configuration For information on controller configuration see Configuring a Controller for AP VPN Operations on page 227 Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN 359 IAP VPN Deployment Scenarios Dell Networking W Series Instant 6 4 0 2 4 1 User Guide Scenario 2 IPSec Single Datacenter with Multiple Controllers for Redundancy This scenario includes the following configuration elements A VRRP instance between the master standby master pair which is configured as the primary VPN IP address Tunneling of all traffic to datacenter
127. server T0 1 1 50 10 1 L ap DHCP Profil 13 dhcp domain name corpdomain com ap DHCP Profil 13 dhcp client count 200 NOTE The IP range configuration on each branch will be the same Each W IAP will derive a smaller subnet based on the client count scope using the Branch ID BID allocated by controller 5 Create authentication config wlan auth server serverl See servers for user th Server serverl ip 10 2 2 1 Configuring an authentication The th Server serverl port 1812 External Server example in the next th Server serverl acctport 1813 for column assumes 802 1x th Server serverl k y or sharedk y Authentication SSID th l nfig wlan auth server server2 th Server server2 ip 10 2 2 2 th Server server2 port 1812 th Server server2 acctport 1813 key presharedkey Server serverl XLT th Server server2 Configure wired and Configure wired ports to operate in L2 mode and associate See wireless SSIDs using the centralized L2 mode VLAN 20 to the wired port profile Configuring a authentication servers ap config wired port profile wired port Wired Profile and access rules created and Wireless Dell Networking W Series Instant 6 4 0 2 4 1 User Guide IAP VPN Deployment Scenarios 358 Table 72 W AP Configuration for Scenario 1 IPSec Single Datacenter Deployment with No Redundancy Configuration Steps above and enable au
128. session ids 0
total control frame send failures 0
event queue fulls 0
Message counters
Message RX Good RX Bad TX
ILLEGAL 0 SCCRQ 0 SCCRP 1 SCCCN 0 STOPCCN RESERVED1 HELLO 95

Configuring Routing Profiles

W-IAPs can terminate a single VPN connection on a Dell Networking W-Series mobility controller. The routing profile defines the corporate subnets which need to be tunneled through IPSec. You can configure routing profiles to specify a policy based on routing into the VPN tunnel using the Instant UI or CLI.

In the Instant UI

To configure a routing profile:
1. Click Routing in the Tunneling window. The routing details are displayed.
2. Click New. The route parameters to configure are displayed.

Figure 70 Tunneling: Routing (routing table with Destination, Netmask, and Gateway columns)

3. Update the following parameters:
• Destination: Specify the destination network that is reachable through the VPN tunnel. This defines the IP or subnet that must reach through the IPsec tunnel. Traffic to the IP or subnet defined here will be forwarded through the IPsec tunnel.
• Netmask: Specify the subnet mask to the destination defined for Destination.
• Gateway
129. specify the domain name for the Local and Local,L3 scopes. Specify a lease time for the client in minutes. Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. For example, 176, 242, and 161. To add multiple DHCP options, click the icon.
4. Click OK.

In the CLI

To configure Local DHCP scope:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# server-type <Local>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# subnet <IP-address>
(Instant AP)(DHCP Profile <profile-name>)# subnet-mask <subnet-mask>
(Instant AP)(DHCP Profile <profile-name>)# dns-server <name>
(Instant AP)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant AP)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant AP)(DHCP Profile <profile-name>)# option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply

To configure Local,L3 DHCP scope:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# server-type <Local,L3>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
130. Network Types
Configuring WLAN Settings for an SSID Profile
Configuring VLAN Settings for a WLAN SSID Profile
Configuring Security Settings for a WLAN SSID Profile
Configuring Security Settings for an Employee or Voice Network
Configuring Access Rules for a WLAN SSID Profile
Configuring Fast Roaming for Wireless Clients
Opportunistic Key Caching
Configuring a W-IAP for OKC Roaming
Fast BSS Transition (802.11r Roaming)
Configuring a W-IAP for 802.11r Support
131. the Instant network are listed in the Networks tab. Click the name of the network that you want to monitor. Network view for the selected network is displayed.
• Instant Access Point view: The Instant Access Point view provides information that is necessary to monitor a selected W-IAP. All W-IAPs in the Instant network are listed in the Access Points tab. Click the name of the W-IAP that you want to monitor. Access Point view for that W-IAP is displayed.
• Client view: The Client view provides information that is necessary to monitor a selected client. In the Client view, all the clients in the Instant network are listed in the Clients tab. Click the IP address of the client that you want to monitor. Client view for that client is displayed.

For more information on the graphs and the views, see Monitoring on page 57.

Chapter 5 Initial Configuration Tasks

This chapter describes the general configuration tasks to perform when a W-IAP is set up:
• Basic Configuration Tasks on page 74
• Additional Configuration Tasks on page 78

Basic Configuration Tasks

This section describes the following basic configuration tasks that can be performed in the System > General tab after a W-IAP is set up:
• Modifying the W-IAP Name on page 74
• Updating Location Details of a W-IAP on page 75
• Configuring Virtual Controller IP Address on page 76
• Configuring Timezone
132. the VSA and VLAN derivation rules are not matching and the User Role does not contain a VLAN, the user VLAN can be derived by VLANs configured for an SSID or Ethernet port profile.

Configuring VLAN Derivation Rules

The users are assigned to a VLAN based on the attributes returned by the RADIUS server after the users authenticate. You can configure VLAN derivation rules for an SSID profile by using the Instant UI or CLI.

In the Instant UI

1. Perform the following steps:
• To configure VLAN derivation rule for a WLAN SSID profile, click Network > New > New WLAN > VLAN or Network > edit > Edit <WLAN profile> > VLAN. Select the Dynamic option under the Client VLAN assignment.
• To configure VLAN derivation rule for a wired network profile, click Wired > New > New Wired Network > VLAN or Wired > Edit > Edit Wired Network > VLAN.
2. Click New to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.

Figure 60 VLAN Assignment Rule Window

3. Select the attribute from the Attribute drop-down list. The list of supported attrib
133. the required RADIUS server, the dynamic RADIUS proxy feature must be enabled.

If the W-IAP clients need to authenticate to the RADIUS servers through a different IP address and VLAN, ensure that the following steps are completed:
1. Enable dynamic RADIUS proxy.
2. Configure dynamic RADIUS proxy IP, VLAN, netmask, gateway for each authentication server.
3. Associate the authentication servers to SSID or a wired profile to which the clients connect.

After completing the above-mentioned configuration steps, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.

Enabling Dynamic RADIUS Proxy

You can enable RADIUS Server Support using the Instant UI or CLI.

In the Instant UI

To enable RADIUS server support:
1. In the Instant main window, click the System link. The System window is displayed.
2. In the General tab of System window, select Enabled from the Dynamic RADIUS Proxy drop-down list.
3. Click OK.

When dynamic RADIUS proxy is enabled, ensure that a static Virtual Controller IP is configured. For more information on configuring Virtual Controller IP address, see Configuring Virtual Controller IP Address on page 76.

When dynamic RADIUS proxy is enabled, the Virtual Controller network uses the IP Address of the Virtual Controller for communication with external RADIUS servers. Ensure that the Virtual Co
134. this type, every client automatically receives a unique encryption key after securely logging on to the network. This key is automatically updated at regular intervals. WPA uses TKIP and WPA2 uses the AES algorithm.

Recommended Authentication and Encryption Combinations

The following table summarizes the recommendations for authentication and encryption combinations for the Wi-Fi networks.

Table 31 Recommended Authentication and Encryption Combinations

Network Type | Authentication | Encryption
Employee | 802.1X | AES
Voice Network or Handheld devices | 802.1X or PSK as supported by the device | AES if possible, TKIP or WEP if necessary (combine with security settings assigned for a user role)

Support for Authentication Survivability

The authentication survivability feature supports a survivable authentication framework against the remote link failure when working with the external authentication servers. When enabled, this feature allows the W-IAPs to authenticate the previously connected clients against the cached credentials if the connection to the authentication server is temporarily lost.

Instant supports the following EAP standards for authentication survivability:
• EAP-PEAP: The Protected Extensible Authentication Protocol, also known as Protected EAP or PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The EAP-PEAP supports the MSCHAPv2 and GTC methods
135. to identify clients that are running on forbidden operating systems.
• Identifying outdated operating systems: Helps to locate outdated and unexpected OS in the company network.
• Locating and patching vulnerable operating systems: Assists in locating and patching specific operating system versions on the network that have known vulnerabilities, thereby securing the company network.

OS Fingerprinting is enabled in the Instant network by default. The following operating systems are identified by Instant:
• Windows 7
• Windows Vista
• Windows Server
• Windows XP
• Windows ME
• OS X
• iPhone
• iOS
• Android
• Blackberry
• Linux

Configuring Wireless Intrusion Protection and Detection Levels

WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Instant network, the WIP can be configured on the W-IAP.

You can configure the following options:
• Infrastructure Detection Policies: Specifies the policy for detecting wireless attacks on access points.
• Client Detection Policies: Specifies the policy for detecting wireless attacks on clients.
• Infrastructure Protection Policies: Specifies the policy for protecting access points from wireless attacks.
• Client Protection Policies: Specifies the policy for protecting clients from wireless attacks.
136. to integrate W-AirWave Management platform or third-party Real Time Location Server such as Aeroscout Real Time Location Server with Instant. For more information, see Configuring a W-IAP for RTLS Support on page 263. The RTLS tab also allows you to integrate W-IAP with the Analytics and Location Engine (ALE). For more information about configuring a W-IAP for ALE integration, see Configuring a W-IAP for Analytics and Location Engine Support on page 265.
• OpenDNS: Allows you to configure support for OpenDNS business solutions, which require an OpenDNS (opendns.com) account. The OpenDNS credentials are used by Instant and W-AirWave to filter content at the enterprise level. For more information, see Configuring OpenDNS Credentials on page 266.
• CALEA: Allows you to configure support for Communications Assistance for Law Enforcement Act (CALEA) server integration, thereby ensuring compliance with Lawful Intercept and CALEA specifications. For more information, see CALEA Integration and Lawful Intercept Compliance on page 270.
• Network Integration: Allows you to configure a W-IAP for integration with Palo Alto Networks (PAN) Firewall and XML API server. For more information about W-IAP integration with PAN, see Integrating a W-IAP with Palo Alto Networks Firewall on page 267 and Integrating a W-IAP with an XML API interface on page 268.

The following figure shows the default view of the Services window:

Figure 13 Services Window: Default View
137. to its connected devices locally. In this example, the iPad connected to W-IAP2 obtains direct response from the same W-IAP about the other Bonjour-enabled services in the network.

Figure 86 Bonjour Services and AirGroup Architecture

For a list of supported Bonjour services, see AirGroup Services on page 259.

DLNA UPnP Support

In addition to the mDNS protocol, W-IAPs now support Universal Plug and Play (UPnP) and DLNA (Digital Living Network Alliance) enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network. DLNA also provides the ability to share data between the Windows or Android-based multimedia devices. All the features and policies applicable to mDNS are extended to DLNA to ensure full interoperability between compliant devices.

In a UPnP-based scenario, the following types of devices are available in a network:
• Controlled devices (servers)
• Control points (clients)

When a controlled device joins a network and acquires IP address, it multicasts a number of discovery messages advertising itself, its embedded devices, and services. On the other hand, when
138. to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.
• 802.1p priority: Select the 802.1p priority checkbox to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
8. Click OK to save the rules.
9. Click OK in Roles tab to save the changes to the role for which you defined ACL rules.

In the CLI

To control access based on web categories and security ratings:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule <access_rule>)# rule <dest> <mask> <match> webcategory <webgrp> {permit|deny} [<option1....option9>]
(Instant AP)(Access Rule <access_rule>)# rule <dest> <mask> <match> webreputation <webrep> {permit|deny} [<option1....option9>]
(Instant AP)(Access Rule <access_rule>)# end
(Instant AP)# commit apply

Example

(Instant AP)(config)# wlan access-rule URLFilter
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory gambling deny
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule "URLFilter")# end
(Instant AP)# commit apply
139. to the Internet but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision. You can disable inter-user bridging through the Instant UI or CLI.

In the Instant UI

To prevent inter-user bridging:
1. Navigate to System > General > Show advanced options.
2. From the Deny inter user bridging drop-down list, select Enabled to prevent traffic between two clients connected to a W-IAP on the same VLANs.
3. Click OK.

In the CLI

To deny inter-user bridging:
(Instant AP)(config)# deny-inter-user-bridging
(Instant AP)(config)# end
(Instant AP)# commit apply

To deny inter-user bridging for the WLAN SSID clients:
(Instant AP)(config)# wlan ssid-profile <ssid-profile>
(Instant AP)(SSID Profile <ssid-profile>)# deny-inter-user-bridging
(Instant AP)(SSID Profile <ssid-profile>)# end
(Instant AP)# commit apply

Preventing Local Routing between Clients

If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same W-IAP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision. You can disable local routing through the Instant UI or CLI.

In the Instant UI

To
140. tunnel for corporate access. When CALEA server is configured with the controller, the client traffic is replicated by the slave W-IAP and client data is encapsulated by GRE on slave and routed to the master W-IAP. The master IAP sends the IPsec client traffic to the controller. The controller handles the IPSec client traffic, while GRE data is routed to the CALEA server. The following figure illustrates the traffic flow from W-IAP to the CALEA server through VPN.

Figure 95 AP to CALEA Server through VPN

Labels in the figure:
1 Requests for intercept on user MAC.
2 RADIUS Server uses special VSA to inform IAP that traffic replication is needed for a particular client at the end of its authentication process.
3 Receives instruction to start replication.
4 Sends IPSec traffic to the Controller and sends the replicated user traffic into the GRE tunnel.
5 User traffic is sent through GRE to the CALEA Server.
5 ISP post processes data and sends it to LEA.

Ensure that IPSec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN. For more information on configuring IPSec, see Configuring an IPSec Tunnel on page 210.

Client Traffic Replication

Client traffic is replicated in the following ways:
• Through RADIUS VSA: In this method, the client traffic is replicated by using the RADIUS VSA t
141. verify the configuration:
(Instant AP)# show calea config
calea-ip: 10.0.0.5
encapsulation-type: gre
gre-type: 25944
ip mtu: 150

(Instant AP)# show calea statistics
Rt resolve fail: 0
Dst resolve fail: 0
Alloc failure: 0
Fragged packets: 0
Jumbo packets: 263
Total Tx fail: 0
Total Tx ok: 263

Chapter 20 W-IAP Management and Monitoring

This chapter provides information on W-IAP management and monitoring from:
• W-AirWave management server

Managing a W-IAP from W-AirWave

W-AirWave is a powerful tool and easy-to-use network operations system that manages Dell wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers. With its easy-to-use interface, W-AirWave provides real-time monitoring, proactive alerts, historical reporting, and fast, efficient troubleshooting. It also offers tools that manage RF coverage, strengthen wireless security, and demonstrate regulatory compliance.

The W-IAPs communicate with W-AirWave using the HTTPS protocol. This allows a W-AirWave server to be deployed in the cloud across a NAT device, such as a router.

The W-AirWave features available in the Instant network are described in the following sections.

Image Management

W-AirWave allows you to manage firmware updates on WLAN devices by defining a minimum acceptable firmw
142. view the blacklisted clients:
(Instant AP)# show blacklist-client
Blacklisted Clients
MAC | Reason | Timestamp | Remaining time(sec) | AP name
00:1c:b3:09:85:15 | user-defined | 17:21:29 | Permanent |

Blacklisting Users Dynamically

The clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process.

Authentication Failure Blacklisting

When a client takes time to authenticate and exceeds the configured failure threshold, it is automatically blacklisted by a W-IAP.

Session Firewall Based Blacklisting

In session firewall based blacklisting, an ACL rule is used to enable the option for automatic blacklisting. When the ACL rule is triggered, it sends out blacklist information and the client is blacklisted.

Configuring Blacklist Duration

You can set the blacklist duration using the Instant UI or CLI.

In the Instant UI

To set a blacklist duration:
1. Click the Security link from the top right corner of the Instant main window.
2. Click the Blacklisting tab.
3. Under Dynamic Blacklisting:
4. For Auth failure blacklist time, enter the duration in seconds after which the clients that exceed the authentication failure threshold must be blacklisted.
5. For PEF rule blacklisted time, enter the duration in seconds after which the clients
143. vlan gt AP wired ap profile lt name gt native vlan lt guest 1 4095 gt To configure a new VLAN assignment rule Instan Instant ends wit AP config wired port profile lt name gt AP wired ap profile lt name gt set vlan lt attribute gt equals not equals starts with h contains matches regular expression lt operator gt lt VLAN ID gt value of Configuring Internal Captive Portal for Guest Network In the Internal Captive Portal type an internal server is used for hosting the captive portal service You can configure internal captive portal authentication when adding or editing a guest network created for wireless or wired profile through the Instant UI or CLI 7 Dell Networking W Series Instant 6 4 0 2 4 1 User Guide Captive Portalfor Guest Access 126 In the Instant Ul 1 Navigate to the WLAN wizard or Wired window e To configure internal captive portal authentication for a WLAN SSID in the Network tab click New to create a new network profile or edit to modify an existing profile e To configure internal captive portal authentication for a wired profile click More gt Wired In the Wired window click New under Wired Networks to create a new network or click Edit to select an existing profile 2 Click the Security tab and assign values for the configuration parameters Table 24 Intemal Captive Portal Configuration Parameters Parameter Description Splash page
144. 7. Select 060 Dell Instant AP in the Server Options window and enter DellInstantAP in the String Value.

Figure 102 Instant and DHCP options for W-AirWave: 060 W-IAP in Server Options
145. 0 63
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# no checksum
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# failover-mode non-preemptive
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# failover-retry-count 5
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# failover-retry-interval 80
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# hello-timeout 150
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# mtu 1570
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# peer-port 3000
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# secret-key test123
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# end
(Instant AP)# commit apply

(Instant AP)(config)# l2tpv3 session test_session
(Instant AP)(L2TPv3 Session Profile "test_session")# cookie len 4 value 12345678
(Instant AP)(L2TPv3 Session Profile "test_session")# l2tpv3 tunnel test_tunnel
(Instant AP)(L2TPv3 Session Profile "test_session")# tunnel-ip 1.1.1.1 mask 255.255.255.0 vlan 5
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# end
(Instant AP)# commit apply

To view L2TPv3 configuration:
(Instant AP)# show l2tpv3 config
L2TPV3 Tunnel configuration
Tunnel Profile | Primary Peer | Backup Peer | Peer UDP Port | Local UDP Port | Hello Interval | Host Name | MTU | Message Digest Type | secret Key | Failover Mode | Failover Retry Count | Retry Interval | Checksum
test_tunnel 10 0 0
146.
(Instant AP)(SSID Profile <name>)# rf-band <2.4>|<5.0>|<all>
(Instant AP)(SSID Profile <name>)# content-filtering
(Instant AP)(SSID Profile <name>)# hide-ssid
(Instant AP)(SSID Profile <name>)# inactivity-timeout <interval>
(Instant AP)(SSID Profile <name>)# work-without-uplink
(Instant AP)(SSID Profile <name>)# local-probe-req-thresh <threshold>
(Instant AP)(SSID Profile <name>)# max-clients-threshold <number of clients>

To manually assign VLANs for WLAN SSID users:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# vlan <vlan-ID>

To enforce DHCP-based VLAN assignment:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# enforce-dhcp

To create a new VLAN assignment rule:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> {<VLAN-ID>|value-of}

Configuring Wired Profile for Guest Access

You can configure wired settings for a wired profile by using the Instant UI or CLI.

In the Instant UI

1. Click the Wired link under More at the top right corner of the
147. 11k protocol provides mechanisms for APs and clients to dynamically measure the available radio resources and enables stations to query and manage their radio resources. In an 802.11k-enabled network, APs and clients can share radio and link measurement information, neighbor reports, and beacon reports with each other. This allows the WLAN network infrastructural elements and clients to assess resources and make optimal mobility decisions to ensure Quality of Service (QoS) and seamless continuity.

Instant supports the following radio resource management information elements with 802.11k support enabled:
- Power Constraint IE: The power constraint element contains the information necessary to allow a client to determine the local maximum transmit power in the current channel.
- AP Channel Report IE: The AP channel report element contains a list of channels in a regulatory class where a client is likely to find an AP, including the AP transmitting the AP channel report.
- RRM Enabled Capabilities IE: The RRM Enabled Capabilities element signals support for radio measurements in a device. The clients use this IE to specify their radio measurement capabilities.
- BSS Load Element: The BSS Load element contains information on the density of clients and traffic levels in the QBSS.
- Transmit Power Control (TPC) Report IE: The TPC IE contains transmit power and link margin information.
- Quiet IE: The Quiet IE defines an interval during which no transmission occurs in the
148. 15 206 1 10 15 206 252 5 b3c65c 14 10 15 205 0 10 15 205 250 5 15 10 15 206 1 10 15 206 252 5

The output of this command provides the following information:

Table 43: Branch Details
Parameter | Description
Name | Displays the name of the branch.
VC MAC Address | Displays the MAC address of the Virtual Controller of the branch.
Status | Displays the current status of the branch (UP/DOWN).
Inner IP | Displays the internal VPN IP of the branch.
Assigned Subnet | Displays the subnet mask assigned to the branch.
Assigned Vlan | Displays the VLAN ID assigned to the branch.
Key | Displays the key for the branch, which is unique to each branch.
Bid(Subnet Name) | Displays the Branch ID (BID) of the subnet.

- In the example above, the controller displays bid-per-subnet-per-branch, i.e., for the LA branch, BID 2 for the IP range 10.15.205.0-10.15.205.250 with client count per branch 5. If a branch has multiple subnets, it can have multiple BIDs.
- If a branch is in UP state and does not have a Bid(Subnet Name), it means that the W-IAP is connected to a controller which did not assign any BID for any subnet. In the above example, the Paris-CB:D3:16 branch is UP and does not have a Bid(Subnet Name). This means that either the W-IAP is connected to a backup controller or it is connected to a primary controller without any distributed L2 or L3 subnets.

The show iap table command output does not display the Key and Bid(Subnet Name) details.

NOTE De
149. 1X authentication with Captive Portal Role
WISPr authentication
Supported EAP Authentication Frameworks
Authentication Termination on W-IAP
Supported Authentication Servers
Internal RADIUS Server
External RADIUS Server
RADIUS Server Authentication with VSA
Dynamic Load Balancing between Two Authentication Servers
Understanding Encryption Types
WPA and WPA2
Recommended Authentication and Encryption Combinations
Support for Authentication Survivability
Configuring Authentication Survivability
In the Instant UI
Important Points to Remember
In the CLI
Configuring Authentication Servers
Configuring an External Server for Authentication
Configuring Dynamic RADIUS Proxy Parameters
150. In the Instant UI
Verifying the Configuration
W-IAP Management and Monitoring
Managing a W-IAP from W-AirWave
Image Management
W-IAP and Client Monitoring
Template-based Configuration
Trending Reports
Intrusion Detection System
Wireless Intrusion Detection System (WIDS) Event Reporting to W-AirWave
RF Visualization Support for Instant
PSK-based and Certificate-based Authentication
Configurable Port for W-IAP and W-AirWave Management Server Communication
Configuring Organization String
Configuring W-AirWave Information
In the Instant UI
Configuring for W-AirWave Discovery through DHCP
Standard DHCP option 60 and 43 on Windows Server 2008
151. Monitoring Devices and Logs
Configuring SNMP
SNMP Parameters for W-IAP
Configuring SNMP
Creating community strings for SNMPv1 and SNMPv2 Using Instant UI
Creating community strings for SNMPv3 Using Instant UI
Configuring SNMP Community Strings in the CLI
Configuring SNMP Traps
Configuring a Syslog Server
In the CLI
Configuring TFTP Dump Server
Running Debug Commands from the UI
Support Commands
Hotspot Profiles
Understanding Hotspot Profiles
Generic Advertisement Service (GAS)
Access Network Query Protocol (ANQP)
Hotspot 2.0 Query Protocol (H2QP)
152. Figure 109: Uplink Status
[Figure: Info panel showing Name: Instant-C4:01:78, Country code: IN, Virtual Controller IP: 0.0.0.0, Band: All, Master: 10.17.115.1, OpenDNS status: Not connected, MAS integration: Enabled, Uplink type: Ethernet, Uplink status: Up]

Ethernet uplink supports the following types of configuration in this Instant release:
- PPPoE
- DHCP
- Static IP

You can use PPPoE for your uplink connectivity in both W-IAP and IAP-VPN deployments. PPPoE is supported only in a single AP deployment. Uplink redundancy with the PPPoE link is not supported.

When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections. The W-IAP can establish a PPPoE session with a PPPoE server at the ISP and get authenticated using Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP). Depending upon the request from the PPPoE server, either the PAP or the CHAP credentials are used for authentication. After configuring PPPoE, reboot the W-IAP for the configuration to take effect. The PPPoE connection is dialed after the AP comes up. The PPPoE configuration is checked during W-IAP boot, and if the configuration is correct, Ethernet is used for the uplink connection.

When PPPoE is used, do not configure Dynamic RADIUS Proxy and IP address of the Virtual Controller. An SSID created with
153. 5 3 Connecting to a Provisioning Wi-Fi Network on page 36

Connecting a W-IAP

Based on the type of the power source used, perform one of the following steps to connect a W-IAP to the power source:
- PoE switch: Connect the ENET 0 port of the W-IAP to the appropriate port on the PoE switch.
- PoE midspan: Connect the ENET 0 port of the W-IAP to the appropriate port on the PoE midspan.
- AC to DC power adapter: Connect the 12V DC power jack socket to the AC to DC power adapter.

W-IAP155P supports PSE for 802.3at powered device (class 0-4) on one port (E1 or E2), or 802.3af powered DC IN (Power Socket) on two ports (E1 and E2).

Assigning an IP address to the W-IAP

The W-IAP needs an IP address for network connectivity. When you connect a W-IAP to a network, it receives an IP address from a DHCP server.

To obtain an IP address for a W-IAP:
1. Ensure that the DHCP service is enabled on the network.
2. Connect the ENET 0 port of the W-IAP to a switch or router using an Ethernet cable.
3. Connect the W-IAP to a power source. The W-IAP receives an IP address provided by the switch or router.

If there is no DHCP service on the network, the W-IAP can be assigned a static IP address. If a static IP is not assigned, the W-IAP obtains an IP automatically within the 169.254 subnet.

Assigning a Static IP

To assign a static IP to a W-IAP: Connect a termina
154. 63 10.0.0.65 3000 1701 150 Instant-C4:42:98 1570 MD5 625beed39fa4ff3424edb3082ede48fa non-preemptive 5 80 Disabled

L2TPV3 Session configuration
Session Name | Tunnel Name | Local tunnel IP | Tunnel Mask | Tunnel Vlan | Session Cookie Length | Session Cookie | Session Remote End ID
test_session 1.1.1.1 255.255.255.0 5 0 0 0

To view L2TPv3 global configuration:
(Instant AP)# show l2tpv3 global parameter
L2TPV3 Global configuration
Instant-C4:42:98

To view L2TPV3 session status:
(Instant AP)# show l2tpv3 session status
Session 1821009927 on tunnel 858508253
  type: LAC Incoming Call, state: ESTABLISHED
  created at: Jul 2 04:58:45 2013
  administrative name: test_session_primary
  created by admin: YES, peer session id: 12382
  session profile name: test_session_primary
  data sequencing required: OFF
  use data sequence numbers: OFF
  Peer configuration data:
    data sequencing required: OFF
    framing types:
  data rx packets: 16, rx bytes: 1560, rx errors: 0, rx cookie error: 0
  data tx packets: 6, tx bytes: 588, tx errors: 0

To view L2TPV3 tunnel status:
(Instant AP)# show l2tpv3 tunnel status
Tunnel 858508253, from 10.13.11.29 to 10.13.11.157
  state: ESTABLISHED
  created at: Jul 2 04:58:25 2013
  administrative name: test_tunnel_primary
  created by admin: YES, tunnel mode: LAC, persist: YES
  local host name: Instant-C4:42:98
  peer tunne
155. 802.1p priority

11. Click OK and then click Finish.

In the CLI

To configure source NAT access rule:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule <access_rule>)# rule <dest> <mask> <match> <protocol> <sport> <eport> src-nat
(Instant AP)(Access Rule <access_rule>)# end
(Instant AP)# commit apply

Configuring Source-Based Routing

To allow different forwarding policies for different SSIDs, you can configure source-based routing. The source-based routing configuration overrides the routing profile configuration and allows any destination or service to be configured to have direct access to the Internet (bypassing VPN tunnel) based on the ACL rule definition. When source-based routing is enabled, the Virtual Controller performs source NAT by using its uplink IP address.

To configure source-based routing:
1. Ensure that an L3 subnet with the netmask, gateway, VLAN, and IP address is configured. For more information on configuring L3 subnet, see Configuring L3 Mobility on page 307.
2. Ensure that the source IP address is associated with the IP address configured for the L3 subnet.
3. Create an access rule for the SSID profile with Source NAT action as described in Configuring Source Based Routing on page 180. The source NAT pool is configured and source based routing
156. 9 9 169 0x80000001 0x25e4
N/A AS_EXTERNAL 12.12.12.32 9.9.9.9 169 0x80000001 0x2663
N/A AS_EXTERNAL 50.40.40.0 9.9.9.9 169 0x80000001 0xab80
N/A AS_EXTERNAL 51.41.41.128 9.9.9.9 169 0x80000001 0x85a2
N/A AS_EXTERNAL 53.43.43.32 9.9.9.9 169 0x80000001 0x43de
N/A AS_EXTERNAL 54.44.44.16 9.9.9.9 169 0x80000001 0x20fe

To verify if the redistributed routes are installed or not:
(host)# show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static, M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN
Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.15.148.254 to network 0.0.0.0 at cost 1
S 0.0.0.0/0 [1/0] via 10.15.148.254
12.12.2.0/24 [10/0] ipsec map
12.12.12.0/25 [10/0] ipsec map
12.12.12.32/27 [10/0] ipsec map
50.40.40.0/24 [10/0] ipsec map
51.41.41.128/25 [10/0] ipsec map
53.43.43.32/27 [10/0] ipsec map
54.44.44.16/28 [10/0] ipsec map
9.9.9.0/24 is directly connected, VLAN9
10.15.148.0/24 is directly connected, VLAN1
43.43.43.0/24
157. AP Conversion
W-IAP Platform | ArubaOS Version | Instant Version

To convert a W-IAP to a RAP, perform the following steps:
1. Click the Maintenance link in the Instant main window.
2. Click the Convert tab. The Convert tab is displayed.

Figure 121: Maintenance, Convert Tab
[Figure: Maintenance window with the Convert tab selected, showing the "Convert one or more Access Points to" drop-down list and the "Hostname or IP Address of Mobility Controller" text box]

3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address.
   NOTE: Ensure that the mobility controller IP address is reachable by the W-IAPs.
5. Click Convert Now to complete the conversion. The W-IAP reboots and begins operating in the Remote AP mode.
6. After conversion, the W-IAP is managed by the Dell Networking W-Series mobility controller.
   NOTE: For W-IAPs to function as Remote APs, configure the W-IAP in the Remote AP whitelist and enable the FTP service on the controller.
   NOTE: If the VPN setup fails and an error message is displayed, click OK, copy the error logs, and share them with your l
158. Access Rule "employee")# rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny
(Instant AP)(Access Rule "employee")# end
(Instant AP)# commit apply

Configuring Network Address Translation Rules

Network Address Translation (NAT) is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public (the Internet) and private (local) network, which allows translation of private network IP addresses to a public address space.

Instant supports the NAT mechanism to allow a routing device to use the translation tables to map the private addresses into a single IP address, and packets are sent from this address so that they appear to originate from the routing device. Similarly, if the packets are sent to the private IP address, the destination address is translated as per the information stored in the translation tables of the routing device.

Configuring a Source NAT Access Rule

The source NAT action in access rules allows the user to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, the client traffic in L3 mode access on an SSID destined to the corporate network is sent to the tunnel. When an access rule is configured with Source NAT action, the users can specify the service, protocol, or destination to which the source NAT is applied
159. [Figure: Maintenance window, Convert tab, with Standalone AP selected and access point 00:24:6c:c2:e9:b3 chosen, and the Confirm Access Point Conversion dialog: "The AP 00:24:6c:c2:e9:b3 will reboot into standalone mode. It will no longer join with other APs to form networks. Do you want to continue?"]

3. Select Standalone AP from the drop-down list.
4. Select the Access Point from the drop-down list.
5. Click Convert Now to complete the conversion. The W-IAP now operates in the standalone mode.

Converting a W-IAP using CLI

To convert a W-IAP:
(Instant AP)# convert-aos-ap <mode> <controller-IP-address>

Resetting a Remote AP or Campus AP to a W-IAP

The reset button located on the rear of a W-IAP can be used to reset the W-IAP to factory default settings.

To reset a W-IAP, perform the following steps:
1. Power off the W-IAP.
2. Press and hold the reset button using a small and narrow object, such as a paperclip.
3. Power on the W-IAP without releasing the reset button. The power LED flashes within 5 seconds, indicating that the reset is completed.
4. Release the reset button. The W-IAP reboots with the factory default settings.

All APs have a reset button, except IAP-175P/175AC. Contact Dell support for resettin
160. Client Alerts
Description: The Client alerts occur when clients are connected to the Instant network.
Information displayed: A client alert displays the following fields:
- Timestamp: Displays the time at which the client alert was recorded.
- MAC address: Displays the MAC address of the client that caused the alert.
- Description: Provides a short description of the alert.
- Access Points: Displays the IP address of the W-IAP to which the client is connected.
- Details: Provides complete details of the alert.

Active Faults
Description: The Active Faults occur in the event of a system fault.
Information displayed: An Active Faults consists of the following fields:
- Time: Displays the system time when an event occurs.
- Number: Indicates the number of sequence.
- Description: Displays the event details.

Fault History
Description: The Fault History alerts occur in the event of a system fault.
Information displayed: The Fault History displays the following information:
- Time: Displays the system time when an event occurs.
- Number: Indicates the number of sequence.
- Cleared by: Displays the module which cleared this fault.
- Description: Displays the event details.

The following figures show the client alerts, fault history, and active faults.

Figure 23: Client Alerts
[Figure: Instant UI showing the Networks list and the Client Alerts table with Timestamp and Description columns]
161. D profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

Specify a value to set a threshold for DMO channel utilization. With DMO, the W-IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90 and the maximum threshold value is 100. When the threshold is reached or exceeds the maximum value, the W-IAP sends multicast traffic over the wireless link.

Specify the following parameters:
- 2.4 GHz: If the 2.4 GHz band is configured on the W-IAP, specify the minimum and maximum transmission rate. The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.
- 5 GHz: If the 5 GHz band is configured on the W-IAP, specify the minimum and maximum transmission rate. The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.

Specify the zone for the SSID. When the zone is defined in the SSID profile and the same zone is defined on a W-IAP, the SSID is created on that W-IAP. For more information on configuring zone details on an IAP, see Configuring Zone Settings on a W-IAP on page 84.

The following constraints apply to the zone configuration:
- A W-IAP can belong to only one zone and only one zone can be configured on an SSID.
- If an SSID belongs to a zone, all W-IAPs in this zone can broadcast this SSID. If no W-IAP belongs to the zone configured on the SSID
162. DIUS server, specify the attributes described in the following table:

Table 32: RADIUS Server Configuration Parameters
Parameter | Description
Name | Enter the name of the new external RADIUS server.
IP address | Enter the IP address of the external RADIUS server.
Auth port | Enter the authorization port number of the external RADIUS server. The default port number is 1812.
Accounting port | Enter the accounting port number. This port is used for sending accounting records to the RADIUS server. The default port number is 1813.
Shared key | Enter a shared key for communicating with the external RADIUS server.
Retype key | Re-enter the shared key.
Timeout | Specify a timeout value in seconds. The value determines the timeout for one RADIUS request. The W-IAP retries to send the request several times (as configured in the Retry count) before the user gets disconnected. For example, if the Timeout is 5 seconds and the Retry counter is 3, the user is disconnected after 20 seconds. The default value is 5 seconds.
Retry count | Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group; the default value is 3 requests.
RFC 3576 | Select Enabled to allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconne
163. PSK-based and Certificate-based Authentication

On the DHCP server, two formats for option 43 are supported:
- <organization>,<ams-ip>,<ams-key>: If you choose this format, the W-IAP authenticates the W-AirWave Management Platform server using the Pre-Shared Key (PSK) login process.
- <organization>,<ams-domain>: If you choose this format, the W-IAP resolves the W-AirWave domain name into one or two IP addresses as W-AirWave Primary or W-AirWave Backup, and then the W-IAP starts a certificate-based authentication with the W-AirWave Management Platform server, instead of the PSK login.

When the W-AirWave Management Platform domain name is used, the W-IAP performs certificate-based authentication with the W-AirWave Management Platform server. The W-IAP initiates an SSL connection with the W-AirWave server. The W-AirWave server verifies the signature and public key certificate from the W-IAP. If the signature matches, the W-AirWave responds to the W-IAP with the login request.

Configurable Port for W-IAP and W-AirWave Management Server Commun
164. Verifying ARM Configuration
Configuring Radio Settings for a W-IAP
In the Instant UI
Deep Packet Inspection and Application Visibility
Deep Packet Inspection
Enabling Application Visibility
In the Instant UI
Application Visibility
Application Category Charts
Application Charts
Web Categories Charts
Web Reputation Charts
Configuring Access Rules for Application and Application Categories
Configuring
165. HCP scope and a client count of 9 is configured, only a few IP addresses (in this example, 9) from this range will be used and allocated to a branch. The W-IAP does not allow the administrators to assign the remaining IP addresses to another branch, although a lower value is configured for the client count.

6. Click Next. The Static IP tab is displayed. Specify the number of first and last IP addresses to reserve in the subnet.
7. Click Finish.

In the CLI

To configure Distributed L2 DHCP scope:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# ip dhcp server-type <Distributed,L2>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# subnet-mask <subnet-mask>
(Instant AP)(DHCP Profile <profile-name>)# default-router <IP-address>
(Instant AP)(DHCP Profile <profile-name>)# client-count <number>
(Instant AP)(DHCP Profile <profile-name>)# dns-server <name>
(Instant AP)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant AP)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant AP)(DHCP Profile <profile-name>)# ip-range <start-IP> <end-IP>
(Instant AP)(DHCP Profile <profile-name>)# reserve {first|last} <count>
(Instant AP)(DHCP Profile <profile-name>
166.
- Huawei GD01 EMOBILE Japan
- Huawei EC150 Reliance NetConnect India
- KDDI DATA07 Huawei KDDI Japan
- Huawei E353 China Unicom
- Huawei EC167 China Telecom
- Huawei E367 Vodafone UK
- Huawei E352s-5 T-Mobile Germany
- Huawei D41HW
- ZTE AC2726

The following table lists the supported 4G modems:
- Netgear U340
- Netgear Aircard 341u
- Franklin Wireless u770
- Huawei 3276s-150
- MC551L
- Pantech UML295
- Pantech UML290

In the 6.4.0.2-4.1 release, all modems are detected automatically by the W-IAP based on the signal strength.

NOTE: To configure the UML290 for the 3G network only, manually set the USB type to pantech-3g. To configure the UML290 for the 4G network only, manually set the 4G USB type to pantech-lte.

NOTE: When UML290 runs in auto-detect mode, the modem can switch from 4G network to 3G network or vice versa.

Configuring Cellular Uplink Profiles

You can configure 3G or 4G uplinks using the Instant UI or CLI.

In the Instant UI

1. Click the System link at the upper right corner of the Instant main window. The System window is displayed.
2. In the System window, click the show advanced settings link. The advanced options are displayed.
3. Click the Uplink tab.
4. To configure a 3G or 4G uplink manually, select the Country and ISP.
5. Click OK.
6. Reboot the W-IAP for changes to take effect.

In the CLI

To configure 3G/4G uplink manually:
(Instant AP)(config)# cellular-uplink-profi
167. IAPs in an Instant network into hybrid W-IAPs by selecting the Background spectrum monitoring option in the 802.11a and 802.11g radio profiles of a W-IAP. APs in Access mode continue to provide normal access service to clients, while providing the additional function of monitoring RF interference. If any W-IAP in the Instant network does not support the spectrum monitoring feature, that AP continues to function as a standard W-IAP rather than a hybrid W-IAP. By default, the background spectrum monitoring option is disabled. In the hybrid mode, spectrum monitoring is performed only on the home channel.

You can convert W-IAPs in an Instant network to hybrid mode using the Instant UI or CLI.

In the Instant UI

To convert a W-IAP to a hybrid W-IAP:
1. Click the RF link at the top right corner of the Instant UI.
2. Click Show advanced options to view the Radio tab.
3. To enable a spectrum monitor on the 802.11g radio band, in the 2.4 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
4. To enable a spectrum monitor on the 802.11a radio band, in the 5 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
5. Click OK.

In the CLI

To configure 2.4 GHz radio settings:
(Instant AP)(config)# rf dot11g-radio-profile
(Instant AP)(RF dot11 g Radio Profile)# spectrum-monitor

To configure 5 GH
168. ID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end

To configure open security settings for employee and voice users of a WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode opensystem
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
Ins
169. IP range configuration on each branch will be the same Each W IAP will derive a smaller subnet based on the client count scope using the Branch ID BID allocated by controller config wlan auth server serverl See th Server serverl ip 10 2 2 1 Configuring an port 1812 External Server th Server serverl acctport 1813 for th Server serverl key presharedkey Authentication th Server serverl th Server serverl xit nfig wlan auth server server2 th Server server2 ip 10 2 2 2 th Server server2 port 1812 th Server server2 acctport 1813 key presharedkey th Server server2 Configure wired ports to operate in L3 mode and associate See distributed L3 mode VLAN 30 to the wired port profile Configuring a ap config wired port profile wired port Wired Profile ap wired port profile wired port switchport and Wireless mode access Network ap wired port profile wired port allowed vlan Profiles all ap wired port profile wired port native vlan 30 ap wired port profile wired port no shutdown ap wired port profile wired port access rule name wired port ap wired port profile wired port type employee ap wired port profile wired port auth server serverl ap wired port profile wired port auth server server2 ap wired port profile wired port dotlx ap wired port profile wired port exit ap config enetl port profi
170. (Instant AP)(config)# virtual-controller-ip <IP-address>
    (Instant AP)(config)# end
    (Instant AP)# commit apply

Configuring Timezone
You can configure the time zone in which the W-IAP must operate by using the Instant UI or the CLI.

In the Instant UI
To configure the time zone:
1. Navigate to System > General.
2. Select a time zone from the Timezone drop-down list. You can enable daylight saving time (DST) on W-IAPs if the time zone you selected supports daylight saving time. If the time zone selected does not support DST, the Daylight Saving Time option is not displayed. When enabled, daylight saving time ensures that the W-IAPs reflect the seasonal time changes in the region they serve.
3. To enable daylight saving time, select the Daylight Saving Time checkbox.
4. Click OK.

In the CLI
To configure the time zone:
    (Instant AP)(config)# clock timezone <name> <hour-offset> <minute-offset>
    (Instant AP)(config)# clock summer-time <timezone> recurring <start-week> <start-day> <start-month> <start-hour> <end-week> <end-day> <end-month> <end-hour>
    (Instant AP)(config)# end
    (Instant AP)# commit apply

Configuring an NTP Server
To facilitate communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
- Trace and track security gaps, network usage, an
171. Instant main window. The Wired window is displayed.
Click New under Wired Networks. The New Wired Network window is displayed.
Click the Wired Settings tab and enter the following information:
a. Name: Specify a name for the profile.
b. Primary Usage: Select Employee or Guest.
c. Speed/Duplex: Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
d. POE: Set POE to Enabled to enable Power over Ethernet.
e. Admin Status: Ensure that an appropriate value is selected. The Admin Status indicates if the port is up or down.
f. Content Filtering: To ensure that all DNS requests to non-corporate domains on this wired network are sent to OpenDNS, select Enabled for Content Filtering.
g. Uplink: Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled as Uplink port. For more information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 117.
h. Spanning Tree: Select the Spanning Tree checkbox to enable Spanning Tree Protocol (STP) on the wired profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on W-IAPs with three or more ports. By
172. 2. The AppRF dashboard presents four different graph areas with data graphs on all client traffic and content filters based on web category and security ratings. Click on each category to view real-time client traffic data or usage trend in the last 15 minutes.

The application charts are not supported on W-IAP104/105, W-IAP134/135, W-IAP175P/175AC, and W-IAP3WN/3WNP platforms. Only the web category charts are displayed for these W-IAP models.

Application Category Charts
The application category chart displays details on the client traffic towards the application categories. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views.

Figure 72: Application Categories Chart, Client View
Figure 73: Application Categories List, Client View
Figure 74: Application Category Chart, AP View

Application Charts
The application chart displays
173. M server 1 > and select New from the drop-down list.

Assign a Server to AirGroup
To associate the CPPM server with AirGroup, select the CPPM server from the CPPM Server 1 drop-down list. If two CPPM servers are configured, the CPPM server 1 acts as a primary server and the CPPM server 2 acts as a backup server. After the configuration is complete, this particular server will be displayed in the CoA server option. To view this server, go to Services > AirGroup > ClearPass Settings > CoA server.

Configure CPPM to Enforce Registration
When CPPM registration is enforced, the devices registered with CPPM will be discovered by Bonjour devices based on the CPPM policy.

Change of Authorization (CoA)
When a RADIUS server is configured with Change of Authorization (CoA) with the CPPM server, the guest users are allowed to register their devices. For more information on configuring RADIUS server with CoA, see Configuring an External Server for Authentication on page 157. You can also create a CoA only server in the Services > AirGroup > Clear Pass Settings > CoA server window.

Configuring a W-IAP for RTLS Support
Instant supports the real-time tracking of devices when integrated with the W-AirWave Management Platform or a third-party Real Time Location Server such as Aeroscout Real Time Location Server. With the help of the RTLS, the devices can be monitored in real time or through history. You can configure RTLS using the Inst
174. N Tunnel Log: Displays VPN tunnel status for the W-IAP.
AP Log Wireless: Displays wireless logs of the W-IAP.
AP Management Frames: Displays the traced 802.11 management frames for the W-IAP.
AP Memory Allocation State Dumps: Displays the memory allocation details for the W-IAP.
AP Memory Utilization: Displays memory utilization of the W-IAP.
AP Mesh Counters: Displays the mesh counters of the W-IAP.
AP Mesh Link: Displays the mesh link of the W-IAP.
AP Mesh Neighbors: Displays the mesh link neighbors of the W-IAP.
AP Monitor Active Laser Beams: Displays the active laser beam sources for the W-IAP.
AP Monitor AP Table: Displays the list of APs monitored by the W-IAP.
AP Monitor ARP Cache: Displays ARP cache details for the W-IAP.
AP Monitor Client Table: Displays the list of clients monitored by the W-IAP.
AP Monitor Containment Information: Displays containment details for the W-IAP.
AP Monitor Potential AP Table: Displays the list of potential APs for the W-IAP.
AP Monitor Potential Client Table: Displays the list of potential clients for the W-IAP.
AP Monitor Router: Displays information about the potential wireless devices.
AP Monitor Scan Information: Displays scanned information for the W-IAP.
AP Monitor Status: Displays the configuration and status of monitor information of the W-IAP.
AP Persistent Clients: Displays the
175. N attributes are defined and then click Next.
3. In the Security tab, specify the following parameters for the Enterprise security level:
   a. Select any of the following options from the Key management drop-down list:
      - WPA-2 Enterprise
      - WPA Enterprise
      - Both (WPA-2 & WPA)
      - Dynamic WEP with 802.1X
4. If you do not want to use a session key from the RADIUS Server to derive pair-wise unicast keys, set Session Key for LEAP to Enabled.
5. To terminate the EAP portion of 802.1X authentication on the W-IAP instead of the RADIUS server, set Termination to Enabled. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the AP acts as a relay for this exchange. When Termination is enabled, the W-IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.
6. Specify the type of authentication server to use and configure other required parameters. You can also configure two different authentication servers to function as primary and backup servers when termination is enabled. For more information on RADIUS authentication configuration parameters, see Configuring an External Server for Authentication on page 157.
7. Click Next to define access rules, and then click Finish to apply the changes.

In the CLI
To configure 802.1X authentication for a wireless network
176. NAI profile, enter the following commands at the command prompt:
    hotspot anqp-nai-realm-profile <name>
    nai-realm-name <name>
    nai-realm-encoding {<utf8>|<rfc4282>}
    nai-realm-eap-method <eap-method>
    nai-realm-auth-id-1 <authentication-ID>
    nai-realm-auth-id-2 <authentication-ID>
    nai-realm-auth-value-1 <authentication-value>
    nai-realm-auth-value-2 <authentication-value>
    nai-home-realm
    enable
    end
    commit apply

You can specify any of the following EAP methods for the nai-realm-eap-method <eap-method> command:
- identity: To use EAP Identity type. The associated numeric value is 1.
- notification: To allow the hotspot realm to use EAP Notification messages for authentication. The associated numeric value is 2.
- one-time-password: To use Authentication with a single-use password. The associated numeric value is 5.
- generic-token-card: To use EAP Generic Token Card (EAP-GTC). The associated numeric value is 6.
- eap-tls: To use EAP-Transport Layer Security. The associated numeric value is 13.
- eap-sim: To use EAP for GSM Subscriber Identity Modu
177. [Screenshot: Non-WiFi Device List for the 5 GHz upper and 2 GHz bands, with columns Type, ID, CFreq (KHz), Bandwidth (KHz), Channels affected, Signal (dBm), Duty cycle, Add time, and Update time]

Device Summary and Channel Information shows the details of the information that is displayed.

Table 59: Device Summary and Channel Information
Column: Description
- Device type: This parameter can be any of the following: audio FF (fixed frequency), bluetooth, cordless base FH (frequency hopper), cordless phone FF (fixed frequency), cordless network FH (frequency hopper), generic FF (fixed frequency), generic FH (frequency hopper), generic interferer, microwave, microwave inverter, video, xbox.
  NOTE: For additional details about non-Wi-Fi device types shown in this table, see Non Wi-Fi Interferer Types.
- ID number assigned to the device by the spectrum monitor or hybrid AP radio. Spectrum monitors and hybrid APs assign a unique spectrum ID per device type.
- Duty cycle: Device duty cycle. This value represents the percent of time the device broadcasts a signal.
- Time at which the device was first detected.
- Time at which the device's status was updated.

Non Wi-Fi Interferers
178. OK.

In the CLI
To disable auto join mode:
    (Instant AP)(config)# no allow-new-aps
    (Instant AP)(config)# end
    (Instant AP)# commit apply
To enable auto join mode:
    (Instant AP)(config)# allow-new-aps
    (Instant AP)(config)# end
    (Instant AP)# commit apply

Configuring Terminal Access
When terminal access is enabled, you can access the Instant CLI through SSH or Telnet server. The terminal access is enabled by default. You can enable or disable terminal access to a W-IAP by using the Instant UI or CLI.

In the Instant UI
1. Navigate to System > General > Show advanced options.
2. Select Disabled or Enabled from the Terminal access drop-down list.
3. To enable Telnet server based access, select Enabled from the Telnet server drop-down list.
4. Click OK.

In the CLI
To enable terminal access:
    (Instant AP)(config)# terminal-access
    (Instant AP)(config)# end
    (Instant AP)# commit apply
To enable access to the Instant CLI through Telnet:
    (Instant AP)(config)# telnet-server
    (Instant AP)(config)# end
    (Instant AP)# commit apply

Configuring Console Access
You can access a W-IAP console through a serial port to configure or debug system errors. You can enable or disable console access to a W-IAP through the Instant UI or CLI.

In the Instant UI
1. Navigate to System > General > Show advanced options.
2. Select
179. Open security settings

Figure 35: Security Tab, Enterprise
Figure 36: Security Tab, Personal
Figure 37: Security Tab, Open

2. Based on the security level specified, specify the following parameters:

Table 21 Co
180. P because the source address of the clients is translated.

L2 Switching Mode: In this mode, the traffic destined for the corporate network is bridged through the VPN tunnel to the controller. The traffic destined for the non-corporate network is translated using the IP address of the W-IAP and is forwarded through the uplink. When a W-IAP registers with the controller and is configured to use the L2 DHCP scope, the controller automatically adds the VPN tunnel associated to this W-IAP into the VLAN multicast table. This allows the clients connecting to the L2 mode VLAN to be part of the same L2 broadcast domain on the controller.

Distributed L2 Mode: In this mode, the W-IAP assigns an IP address from the configured subnet and forwards traffic to both corporate and non-corporate destinations. Clients receive the corporate IP with Virtual Controller as the DHCP server. The default gateway for the client still resides in the datacenter, and hence this mode is an L2 extension of corporate VLAN to remote site. Either the controller or an upstream router can be the gateway for the clients. Client traffic destined to datacenter resources is forwarded by the Master AP through the IPSec tunnel to the client's default gateway in the datacenter.

Centralized L2 Mode: The centralized L2 mode extends the corporate VLAN or broadcast domain to remote branches. The DHCP server and the gateway for the clients reside in the datacenter. Either the controller or an u
181. P Server
- Support

VPN
The VPN window allows you to define communication settings with a remote Controller. See VPN Configuration on page 210 for more information. The following figure shows an example of the IPSec configuration options available in the VPN window.

Figure 9: VPN window for IPSec Configuration

IDS
The IDS window allows you to configure wireless intrusion detection and protection levels. The following figures show the IDS window.

Figure 10: IDS Window (Intrusion Detection)
182. P identifies its subnet when it sends out the first L3 packet. If the subnet is not a local subnet and belongs to another Instant network, the client is treated as an L3 roamed client and all its traffic is forwarded to the home network through a GRE tunnel.

Configuring L3 Mobility
To configure a mobility domain, you have to specify the list of all Instant networks that form the mobility domain. To allow clients to roam seamlessly among all the APs, specify the Virtual Controller IP for each foreign subnet. You may include the local Instant or Virtual Controller IP address, so that the same configuration can be used across all Instant networks in the mobility domain. It is recommended that you configure all client subnets in the mobility domain. When client subnets are configured:
- If a client is from a local subnet, it is identified as a local client. When a local client starts using the IP address, the L3 roaming is terminated.
- If the client is from a foreign subnet, it is identified as a foreign client. When a foreign client starts using the IP address, the L3 roaming is set up.

Home Agent Load Balancing
Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the Virtual Controller assigns the home AP for roamed clients by using a round robin policy. With this policy, the load for the APs acting as Home Agents for roamed clients
183. Profile)# end
    (Instant AP)# commit apply

To configure 5 GHz radio settings:
    (Instant AP)(config)# rf dot11a-radio-profile
    (Instant AP)(RF dot11a Radio Profile)# beacon-interval <milliseconds>
    (Instant AP)(RF dot11a Radio Profile)# legacy-mode
    (Instant AP)(RF dot11a Radio Profile)# spectrum-monitor
    (Instant AP)(RF dot11a Radio Profile)# spectrum-band <type>
    (Instant AP)(RF dot11a Radio Profile)# dot11h
    (Instant AP)(RF dot11a Radio Profile)# interference-immunity <level>
    (Instant AP)(RF dot11a Radio Profile)# max-distance <count>
    (Instant AP)(RF dot11a Radio Profile)# csa-count <count>
    (Instant AP)(RF dot11 g Radio Profile)# end
    (Instant AP)# commit apply

To view the radio configuration:
    (Instant AP)# show radio config

    Legacy Mode:enable
    Beacon Interval:100
    802.11d/802.11h:enable
    Interference Immunity Level:2
    Channel Switch Announcement Count:0
    MAX Distance:600
    Channel Reuse Type:disable
    Channel Reuse Threshold:0
    Background Spectrum Monitor:disable

    5.0 GHz:
    Legacy Mode:enable
    Beacon Interval:100
    802.11d/802.11h:enable
    Interference Immunity Level:2
    Channel Switch Announcement Count:2
    MAX Distance:600
    Channel Reuse Type:disable
    Channel Reuse Threshold:0
    Background Spectrum Monitor:disable
    Standalone Spectrum Ba
184. Profile ssidProfile1)# mac-authentication
    (Instant AP)(SSID Profile ssidProfile1)# l2-auth-failthrough
    (Instant AP)(SSID Profile ssidProfile1)# radius-accounting
    (Instant AP)(SSID Profile ssidProfile1)# radius-accounting-mode user-association
    (Instant AP)(SSID Profile ssidProfile1)# radius-interim-accounting-interval 10
    (Instant AP)(SSID Profile ssidProfile1)# radius-reauth-interval 20
    (Instant AP)(SSID Profile ssidProfile1)# max-authentication-failures 2
    (Instant AP)(SSID Profile ssidProfile1)# set-role-by-ssid
    (Instant AP)(SSID Profile ssidProfile1)# hotspot-profile hs1
    (Instant AP)(SSID Profile ssidProfile1)# end
    (Instant AP)# commit apply

ClearPass Guest Setup
To configure ClearPass Guest:
1. On ClearPass Guest, navigate to Administration > AirGroup Services.
2. Click Configure AirGroup Services.

Figure 128: Configure AirGroup Services

3. Click Add a new controller.
4. Update the fields with the appropriate information.
   NOTE: Ensure that the port configured matches the CoA port (RFC 3576) set on the W-IAP configuration.
5. Click Save Configuration.

In order to de
185. RL string as an IP address, FQDN, or URL.

Configuring a Roaming Consortium Profile
You can configure a roaming consortium profile to send the roaming consortium information as an ANQP IE in a GAS query response. To configure a roaming consortium profile, enter the following commands at the command prompt:
    (Instant AP)(config)# hotspot anqp-roam-cons-profile <name>
    (Instant AP)(roaming-consortium <name>)# roam-cons-oi <roam-cons-oi>
    (Instant AP)(roaming-consortium <name>)# roam-cons-oi-len <roam-cons-oi-len>
    (Instant AP)(roaming-consortium <name>)# enable
    (Instant AP)(roaming-consortium <name>)# end
    (Instant AP)# commit apply

Specify a hexadecimal string of 3 to 5 octets for roam-cons-oi <roam-cons-oi>. Based on the OI specified, you can specify the following parameters for the length of OI in roam-cons-oi-len <roam-cons-oi-len>:
- For 0: 0 Octets in the OI (Null)
- For 3: OI length is 24-bit (3 Octets)
- For 5: OI length is 36-bit (5 Octets)

Configuring a 3GPP Profile
You can configure a 3rd Generation Partnership Project (3GPP) profile to define information for the 3G Cellular Network for hotspots. To configure a 3GPP profile, enter the following commands at the command prompt:
    (Instant AP)(config)# hotspot anqp-3gpp-profile <name>
    (Instant AP)(3gpp <name>)# 3gpp-plmn1 <plmn-ID>
    (Instant AP)(3gpp <name>)# enable
    (Instant AP)(3gpp <name
186. Replay Attack
- IDS Signature - Air Jack
- IDS Signature - ASLEAP

The following levels of detection can be configured in the WIP Protection page:
- Off
- Low
- High

Figure 112: Wireless Intrusion Protection

The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.

Table 57: Infrastructure Protection Policies
Protection Level: Protection Policy
- Off: All protection policies are disabled
- Low: Protect SSID (Valid SSID list should be auto derived from Instant configuration); Rogue Containment
- High: Protect from Adhoc Networks; Protect AP Impersonation

The following table describes the detection policies that are enabled in the Client Protection Custom settings field.

Table 58: Client Protection Policies
Protection Level: Protection Policy
- All protection policies are disabled

Containment Methods
You can enable w
187. SIDs
The number of SSIDs allowed on each W-IAP depends on the W-IAP platform. The following table describes the number of SSIDs supported on each platform.

Columns: W-IAP Platform; No. of SSIDs supported with Extended SSID disabled; No. of SSIDs supported with Extended SSID enabled
- IAP-175P/175AC, W-IAP104/105, and W-IAP108/109:
- All other W-IAPs (excluding IAP-175P/175AC, W-IAP104/105, and W-IAP108/109): 14; 16

Enabling the Extended SSID
Extended SSID is enabled by default in the factory default settings of APs. This disables mesh in the factory default settings. You can configure additional SSIDs by using the Instant UI or CLI.

In the Instant UI
1. Navigate to System > General > Show advanced options link.
2. In the General tab, select Enabled from the Extended SSID drop-down list.
3. Click OK.
4. Reboot the W-IAP to apply the changes. After you enable the option and reboot the W-IAP, the Wi-Fi and mesh links are disabled automatically.

In the CLI
To enable the extended SSIDs:
    (Instant AP)(config)# extended-ssid
    (Instant AP)(config)# end
    (Instant AP)# commit apply

Preventing Inter-user Bridging
If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can connect
188. SSID Profile <name>)# captive-portal <internal-authenticated> exclude-uplink {3G|4G|Wifi|Ethernet}
    (Instant AP)(SSID Profile <name>)# mac-authentication
    (Instant AP)(SSID Profile <name>)# auth-server <server1>
    (Instant AP)(SSID Profile <name>)# radius-reauth-interval <Minutes>
    (Instant AP)(SSID Profile <name>)# end
    (Instant AP)# commit apply

To configure internal captive portal for a wired profile:
    (Instant AP)(config)# wired-port-profile <name>
    (Instant AP)(wired ap profile <name>)# type <guest>
    (Instant AP)(wired ap profile <name>)# captive-portal {<internal-authenticated>|<internal-acknowledged>} exclude-uplink {3G|4G|Wifi|Ethernet}
    (Instant AP)(wired ap profile <name>)# mac-authentication
    (Instant AP)(wired ap profile <name>)# auth-server <server1>
    (Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
    (Instant AP)(wired ap profile <name>)# end
    (Instant AP)# commit apply

To customize internal captive portal splash page:
    (Instant AP)(config)# wlan captive-portal
    (Instant AP)(Captive Portal)# authenticated
    (Instant AP)(Captive Portal)# background-color <color-indicator>
    (Instant AP)(Captive Portal)# banner-color <color in
189. Secure Shell (SSH) session.

SSH access requires that you configure an IP address and a default gateway on the W-IAP and connect the W-IAP to your network. This is typically performed when the Instant network on a W-IAP is set up.

What is New in Instant 6.4.0.2-4.1
The following features are added in the Instant 6.4.0.2-4.1 release:

Table 4: New Features in 6.4.0.2-4.1
Feature:
- Support for AppRF
- Support for new 4G modems
- AirGroup Enhancements
- DSCP Mapping for WMM Access Categories
- Fast roaming enhancements
- Authentication survivability with EAP-TLS
- Support for AP zone configuration
- Configurable port for communication between W-IAP and W-AirWave management server communication
- Client match visualization
- Console access to W-IAP
- Backup RADIUS server with EAP termination
- Support for TACACS Server

Description:
In this release, Instant supports AppRF, comprising two feature sets: On-board Deep Packet Inspection (DPI) and Web Policy Enforcement (WPE). As part of the AppRF feature support, Instant supports the following:
- Access control based on application and application categories
- Access control based on web categories and security ratings assigned to the websites
Instant now supports the following 4G modems:
- Netg
190. Server Configuration Parameters
Parameter: Description
- Enter the name of the LDAP server.
- IP address: Enter the IP address of the LDAP server.
- Auth port: Enter the authorization port number of the LDAP server. The default port number is 389.
- Admin-DN: Enter a distinguished name for the admin user with read/search privileges across all the entries in the LDAP database (the user need not have write privileges, but the user must be able to search the database and read attributes of other users in the database).
- Admin password: Enter a password for administrator.
- Base-DN: Enter a distinguished name for the node that contains the entire user database.
- Filter: Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
- Key Attribute: Specify the attribute to use as a key while searching for the LDAP server. For Active Directory, the value is sAMAccountName.
- Enter a value between 1 and 30 seconds. The default value is 5.
- Retry count: Enter a value between 1 and 5. The default value is 3.
- Dead Time: Specify a dead time for authentication server in minutes within the range of 1-1440 minutes. The default dead time interval is 5 minutes. When two or more authentication servers are configured on the W-IAP and a server is unavailable, the dead time configuration det
191. Server and the default gateway. The configured subnet and the corresponding DHCP scope are independent of subnets configured in other W-IAP clusters. The Virtual Controller assigns an IP address from a local subnet and forwards traffic to both corporate and non-corporate destinations. The network address is translated appropriately and the packet is forwarded through the IPSec tunnel or through the uplink. This DHCP assignment mode is used for the NAT forwarding mode.

Local, L3: This DHCP assignment mode is used with the L3 forwarding mode. In this mode, the Virtual Controller acts as a DHCP server and the gateway, and assigns an IP address from the local subnet. The W-IAP routes the packets sent by clients on its uplink. The Local, L3 subnets can now access corporate network through the IPsec tunnel. The network address for all traffic generated by clients in Local, L3 subnets is translated at the source by using the tunnel inner IP to the corporate subnet. However, if corporate access to Local, L3 is not required, you can configure ACL rules to deny access.

In the Instant UI
To configure a Local or Local, L3 DHCP scope:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2. To configure a Local or Local, L3 DHCP scope, click New under Local DHCP Scopes. The New DHCP Scope window is displayed.
3. Based on type of DHCP scope selected, configure the following parameters:
192. Status: Displays uplink status for the W-IAP.
AP User Table: Displays the list of clients for the W-IAP.
AP Valid Channels: Displays valid channels of the W-IAP.
AP Version: Displays the version number of the W-IAP.
AP VPN Status: Displays VPN status for the W-IAP.
AP Virtual Beacon Report: Displays a report on virtual beacons for a W-IAP.
AP Wired Port Settings: Displays wired port configuration details for the W-IAP.
AP Wired User Table: Displays the list of clients associated with the wired network profile configured on the W-IAP.
VC About: Displays information such as AP type, build time of image, and image version for the Virtual Controller.
VC Active Configuration: Displays the active configuration of Virtual Controller.
VC Airgroup Service: Displays the Bonjour services supported by the Virtual Controller.
VC Airgroup Status: Displays the status of the AirGroup and CPPM server details configured on the Virtual Controller.
VC Allowed AP Table: Displays the list of allowed APs.
VC AMP Current State Data: Displays the current status of W-AirWave Management Platform.
VC AMP Current Stats Data: Displays the current W-AirWave configuration details.
VC AMP Data Sent: Displays information about the data exchange between W-AirWave server and the Virtual Controller.
VC AMP Events Pending: Displays information about the pending events on the W-AirWave server.
VC AMP Last Configuration Received: Displays the last configu
193. System > General > Show advanced options. The advanced options are displayed.
2. Enter subnet mask details in Virtual Controller Netmask.
3. Enter a gateway address in Virtual Controller Gateway.
4. Enter Virtual Controller VLAN in Virtual Controller VLAN.
NOTE: Ensure that Virtual Controller VLAN is not the same as native VLAN of the W-IAP.
5. Click OK.
In the CLI
To configure the Virtual Controller Name and IP address:
  (Instant AP)(config)# virtual-controller-vlan <vcvlan> <vcmask> <vcgw>
  (Instant AP)(config)# end
  (Instant AP)# commit apply
Configuring Auto Join Mode
The auto join mode feature allows W-IAPs to automatically discover the Virtual Controller and join the network. The Auto Join Mode feature is enabled by default. If the auto join mode feature is disabled, a New link is displayed in the Access Points tab. Click this link to add W-IAPs to the network. If this feature is disabled, the inactive W-IAPs are displayed in red, as shown in the following figure.
Figure 29 Inactive W-IAPs
Enabling or Disabling Auto Join Mode
You can enable or disable auto join mode by using the Instant UI or CLI.
In the Instant UI
To enable or disable auto join mode:
1. Navigate to System > General > Show advanced options.
2. Select Disabled or Enabled from the Auto join mode drop-down list to deny or allow APs to join the network.
3. Click
194. TP Server
Enabling AppRF Visibility
Changing Password
Additional Configuration Tasks
  Configuring Virtual Controller VLAN
  Configuring Auto Join Mode
    Enabling or Disabling Auto Join Mode
  Configuring Terminal Access
  Configuring Console Access
  Configuring LED Display
  Configuring Ad
195. Configuring Walled Garden Access
Disabling Captive Portal Authentication
Authentication and User Management
  Managing W-IAP Users
    Configuring Guest Management Interface Administrator Credentials
    Configuring Users for Internal Database of a W-IAP
    Configuring the Read Only Administrator Credentials
    Adding Guest Users through the Guest Management Interface
  Understanding Authentication Methods
    802.1X authentication
    MAC authentication
    MAC authentication with 802.1X authentication
    Captive Portal Authentication
    MAC authentication with Captive Portal authentication
    802
196. Web Policy Enforcement
Voice and Video
  Wi-Fi Multimedia Traffic Management
    Configuring WMM for Wireless Clients
    Configuring WMM DSCP Mapping
  QoS for Microsoft Office OCS and Apple Facetime
    Microsoft OCS
    Apple Facetime
AirGroup Configuration
  Multicast DNS and Bonjour Services
  DLNA UPnP Support
  AirGroup Services
  AirGroup Components
  CPPM and ClearPass Guest Features
  Configuring AirGroup and AirGroup Services on a W-IAP
197. XX
3. Clear the Reboot all APs after upgrade checkbox if required. The Reboot all APs after upgrade checkbox is selected by default to allow the W-IAPs to reboot automatically after a successful upgrade. To reboot the W-IAP at a later time, clear the Reboot all APs after upgrade checkbox.
4. Click Upgrade Now to upgrade the W-IAP to the newer version.
Upgrading an Image Using CLI
To upgrade an image using an HTTP, TFTP, or FTP URL:
  (Instant AP)# upgrade-image <ftp/tftp/http-URL>
To upgrade an image without rebooting the W-IAP:
  (Instant AP)# upgrade-image2-no-reboot <ftp/tftp/http-URL>
To view the upgrade information:
  (Instant AP)# show upgrade info
  Image Upgrade Progress
  Mac                IP Address   AP Class  Status    Image Info  Error Detail
  d8:c7:c8:c4:42:98  10.17.101.1  Orion     image-ok  image file  none
  Auto reboot: enable
  Use external URL: disable
Backing up and Restoring W-IAP Configuration Data
You can back up the W-IAP configuration data and restore the configuration when required.
Viewing Current Configuration
To view the current configuration on the W-IAP:
- In the UI, navigate to Maintenance > Configuration > Current Configuration.
- In the CLI, enter the following command at the command prompt:
  (Instant AP)# show running-config
Backing up Configuration Data
To back up the W-IAP configuration data:
1. Navi
198. a usually a region with a radius of several kilometers.
wireless service provider: A company that offers transmission services to users of wireless devices through radio frequency (RF) signals rather than through end-to-end wire communication.
WLAN: Wireless local area network. WLAN is a local area network (LAN) that the users access through a wireless connection.
Dell Networking W-Series Instant 6.4.0.2-4.1 User Guide, Terminology, 377
199. able
- Perform MAC authentication before 802.1X: Select this checkbox to use 802.1X authentication only when the MAC authentication is successful.
- MAC authentication fail-thru: On selecting this checkbox, the 802.1X authentication is attempted when the MAC authentication fails.
Security Level Type column: Enterprise, Personal, and Open security levels; Enterprise, Personal, and Open security levels; Enterprise, Personal, and Open security levels; Enterprise, Personal, and Open security levels; Enterprise security level; Enterprise, Personal, and Open security levels.
Table 21 Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
Columns: Parameter, Description, Security Level Type
Delimiter character: Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the W-IAP will use the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled. Security level: Enterprise, Personal, and Open security levels.
Set to Enabled to allow the W-IAP to use uppercase letters in MAC address string for MAC authentication. Security level: Enterprise Personal
200. adio Channel Spectrum 5 GHz Channel Utilization and Quality
Channel Metrics shows the information displayed in the channel metrics graph.
Table 62 Channel Metrics
Columns: Column, Description
A 2.4 GHz or 5 GHz radio channel.
Quality: Current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands, as determined by the percentage of packet retries, the current noise floor, and the duty cycle for non-Wi-Fi devices on that channel.
Availability: The percentage of the channel currently available for use.
Utilization: The percentage of the channel being used.
WiFi Util: The percentage of the channel currently being used by Wi-Fi devices.
Interference Util: The percentage of the channel currently being used by non-Wi-Fi interference and Wi-Fi ACI (Adjacent Channel Interference).
Spectrum Alerts
When a new non-Wi-Fi device is found, an alert is reported to the Virtual Controller. The spectrum alert messages include the device ID, device type, IP address of the spectrum monitor or hybrid AP, and the timestamp. Virtual Controller reports the detailed device information to AMP.
Configuring Spectrum Monitors and Hybrid W-IAPs
A W-IAP can be provisioned to function as a spectrum monitor or as a hybrid W-IAP. The radios on groups of APs can be converted to dedicated spectrum monitors or hybrid APs via the AP group's 802.11a and 802.11g radio profiles.
Converting a W-IAP to a Hybrid W-IAP
You can convert all W
201. advertised in the ANQP IEs from W-IAPs associated with this hotspot profile. For more information about the supported venue types for each venue group, see Table 68.
Associating an Advertisement Profile to a Hotspot Profile
To associate a hotspot profile with an advertisement profile:
  (Instant AP)(config)# hotspot hs-profile <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-protocol <protocol>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-3gpp <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-domain-name <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-ip-addr-avail <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-nai-realm <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-nwk-auth <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-roam-cons <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-venue-name <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile h2qp-conn-cap <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile h2qp-oper-class <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile h2qp-oper-name <name>
  (Instant AP)(Hotspot2.0 <name>)# advertisement-profile h2qp-wan-metrics <name>
  (Instant AP)(Hotspot2.0 <
202. age 138.
- External Captive Portal: Use this window to configure external captive portal profiles. For more information, see Configuring External Captive Portal for a Guest Network on page 129.
The following figure shows the default view of the Security window.
Figure 7 Security Window, Default View (tabs: Authentication Servers, Users for Internal Server, Roles, Blacklisting, Firewall Settings, Inbound Firewall, Walled Garden, External Captive Portal)
Maintenance
The Maintenance link displays a window that allows you to maintain the Wi-Fi network. The Maintenance window consists of the following tabs:
- About: Displays the name of the product, build time, W-IAP model name, the Instant version, website address of Dell, and Copyright information.
- Configuration: Displays the following details:
  - Current Configuration: Displays the current configuration details.
  - Clear Configuration: Allows you to clear the current configuration details of the network.
  - Backup Configuration: Allows you to back up local configuration details. The backed up configuration data is saved in the file named instant.cfg.
  - Restore Configuration: Allows you to restore the backed up configuration. The W-IAP must be rebooted after restoring the configuration for the changes to take effect.
- Certificat
203. ame>)# blacklist
  (Instant AP)(SSID Profile <name>)# mac-authentication
  (Instant AP)(SSID Profile <name>)# l2-auth-failthrough
  (Instant AP)(SSID Profile <name>)# auth-survivability
  (Instant AP)(SSID Profile <name>)# radius-accounting
  (Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
  (Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
  (Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
  (Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
  (Instant AP)(SSID Profile <name>)# no okc-disable
  (Instant AP)(SSID Profile <name>)# dot11r
  (Instant AP)(SSID Profile <name>)# dot11k
  (Instant AP)(SSID Profile <name>)# dot11v
  (Instant AP)(SSID Profile <name>)# exit
  (Instant AP)(config)# auth-survivability cache-time-out
  (Instant AP)(config)# end
  (Instant AP)# commit apply
To configure personal security settings for the employee and voice users of a WLAN SSID profile:
  (Instant AP)(config)# wlan ssid-profile <name>
  (Instant AP)(SSID Profile <name>)# opmode {wpa2-psk-aes|wpa-tkip|wpa-psk-tkip|wpa-psk-tkip,wpa2-psk-aes|static-wep}
  (Instant AP)(SSID Profile <name>)# mac-authentication
  (Instant AP)(SSID Profile <name>)# auth-server <server-name>
  (Instant AP)(SS
204. angle that appears at the top left corner of the Instant main window. It displays the company name, logo, and Virtual Controller's name.
Search
Administrators can search for a W-IAP, client, or a network in the Search text box. When you type a search text, the search function suggests matching keywords and allows you to automatically complete the search text entry.
Tabs
The Instant main window consists of the following tabs:
- Networks Tab: Provides information about the network profiles configured in the Instant network.
- Access Points Tab: Provides information about the W-IAPs configured in the Instant network.
- Clients Tab: Provides information about the clients in the Instant network.
Each tab appears in a compressed view by default. The number of networks, W-IAPs, or clients in the network precedes the tab names. The individual tabs can be expanded or collapsed by clicking on the tabs. The list items in each tab can be sorted by clicking the triangle icon next to the heading labels.
Networks Tab
This tab displays a list of Wi-Fi networks that are configured in the Instant network. The network names are displayed as links. The expanded view displays the following information about each WLAN SSID:
- Name (SSID): Name of the network.
- Clients: Number of clients that are connected to the network.
- Type: Type of network typ
205. annel seen by the spectrum monitor radio, including the maximum AP power, interference, and the signal-to-noise-and-interference Ratio (SNIR). SNIR is the ratio of signal strength to the combined levels of interference and noise on that channel. Spectrum monitors display spectrum data seen on all channels in the selected band, and hybrid APs display data from the one channel they are monitoring.
Figure 117 Channel Details (2.4 GHz Channel Utilization and Quality)
Channel Details Information shows the information that you can view in the channel details graph.
Table 61 Channel Details Information
Columns: Column, Description
An 802.11a or 802.11g radio channel.
Quality: Current relative quality of the channel.
Utilization: The percentage of the channel being used.
Wi-Fi: The percentage of the channel currently being used by Wi-Fi devices.
Total nonwifi: The percentage of the channel currently being used by non-Wi-Fi devices.
Max Interference: Signal
206. Table 41 DHCP Mode Configuration Parameters
Columns: Name, Description
Name: Enter a name for the DHCP scope.
Select any of the following options:
- Local: On selecting Local, the DHCP server for local branch network is used for keeping the scope of the subnet local to the W-IAP. In the NAT mode, the traffic is forwarded through the IPSec tunnel or the uplink.
- Local L3: On selecting Local L3, the Virtual Controller acts as a DHCP server and gateway. In this mode, the W-IAP routes the packets sent by clients and also adds a route on the controller after the VPN tunnel is set up during the registration of the subnet.
Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 97 and Configuring VLAN for a Wired Profile on page 114.
Specify the network to use.
If Local or Local L3 is selected, specify the subnet mask. The subnet mask and the network determine the size of subnet.
Excluded address: If Local L3 is selected, specify the IP address to exclude. The value entered in the field determines the exclusion range of the subnet. Based on the size of the subnet, the lesser range of IPs before or after the specified IP address will be excluded.
DNS Server: If required, specify the IP address of a DNS server for the Local and Local L3 scopes.
If required
207. ant UI
1. In the Instant main window, click the System link. The System window is displayed.
2. Click Show advanced options to display the advanced options.
3. Click the Monitoring tab. The Monitoring tab details are displayed.
4. Enter the IP address of the TFTP server in the TFTP Dump Server text box.
5. Click OK.
In the CLI
To configure a TFTP server:
  (Instant AP)(config)# tftp-dump-server <IP-address>
  (Instant AP)(config)# end
  (Instant AP)# commit apply
Running Debug Commands from the UI
To run the debugging commands from the UI:
1. Navigate to More > Support at the top right corner of the Instant main window. The Support window is displayed.
2. Select the required option from the Command drop-down list.
3. Select All Access Points or Instant Access Point (VC) from the Target drop-down list.
4. Click Run.
When you run debug commands and click Save, the output of all the selected commands is displayed in a single page.
Support Commands
You can view the following information for each access point in the cluster using the support window:
AP 3G/4G Status: Displays the cellular status of the W-IAP.
AP 802.1X Certificate: Displays the CA certificate and server certificate for the Virtual Controller.
AP 802.1X Statistics: Displays the 802.1X statistics of the W-IAP.
AP Access Rule Table: Displays the list of ACL rules confi
208. ant UI or CLI.
In the Instant UI
To configure Aruba RTLS:
1. Click the More > Services link at the top right corner of the Instant main window. The Services window is displayed.
2. Click the RTLS tab. The following figure shows the contents of the RTLS tab.
3. Under Aruba, select the RTLS check box to integrate Instant with the W-AirWave Management Platform or Ekahau Real Time Location Server.
Figure 90 RTLS Window
4. Specify the IP address and port to which the location reports must be sent.
5. Specify the shared secret key in the Passphrase text box.
6. Specify the frequency at which the Virtual Controller can send updates to the server. You can specify a value within the range of 5-3600 seconds. The default value is 5 seconds.
7. Select the Include unassociated stations check box to send reports on the stations that are not associated to any W-IAP to the RTLS server.
8. Click OK.
To configure third-party RTLS such as Aeroscout:
Select the Aeroscout check box to send the RFID tag information to an AeroScout RTLS.
Specify the IP address and port number of the AeroScout server to which location reports must be sent.
Select the
209. antenna
TACACS: Family of protocols that handle remote authentication and related services for network access control through a centralized server.
TACACS+: Derived from TACACS but an entirely new and separate protocol to handle AAA services. TACACS+ uses TCP and is not compatible with TACACS. Because it encrypts password, username, authorization, and accounting, it is less vulnerable than RADIUS.
VPN: A Virtual Private Network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN ensures privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). Data is encrypted at the sending end and decrypted at the receiving end.
Table 77 List of Terms
Columns: Term, Definition
W-CDMA: Officially known as IMT-2000 direct spread; ITU standard derived from Code Division Multiple Access (CDMA). Wideband code-division multiple access (W-CDMA) is a third-generation (3G) mobile wireless technology that promises much higher data speeds to mobile and portable wireless devices than commonly offered in today's market.
Wi-Fi: A term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard. Wi-Fi has gained acceptance in many businesses, agencies, schools, and homes as an alternati
210. any of the following values:
- All: When set to All, the W-IAP drops all broadcast and multicast frames except DHCP and ARP.
- ARP: When set to ARP, the W-IAP converts ARP requests to unicast and send frames directly to the associated client.
- Disabled: When set to Disabled, all broadcast and multicast traffic is forwarded.
The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the W-IAP should deliver the buffered broadcast and multicast frames to associated clients in the powersave mode. The default value is 1, which means the client checks for buffered data on the W-IAP at every beacon. You can also configure a higher DTIM value for power saving.
Select Enabled if you want the W-IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent at up to 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and 5.0 GHz is 6 Mbps. This option is disabled by default.
Select Enabled to allow W-IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
NOTE: When you enable DMO on multicast SSI
211. ap profile <name>)# end
  (Instant AP)# commit apply
To configure a pre-authentication role:
  (Instant AP)(config)# wired-port-profile <name>
  (Instant AP)(wired ap profile <name>)# set-role-pre-auth <pre-authentication role>
  (Instant AP)(wired ap profile <name>)# end
  (Instant AP)# commit apply
To configure machine and user authentication roles:
  (Instant AP)(config)# wired-port-profile <name>
  (Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine-only> <user-only>
  (Instant AP)(wired ap profile <name>)# end
  (Instant AP)# commit apply
To configure unrestricted access:
  (Instant AP)(config)# wired-port-profile <name>
  (Instant AP)(wired ap profile <name>)# set-role-unrestricted
  (Instant AP)(wired ap profile <name>)# end
  (Instant AP)# commit apply
Assigning a Profile to Ethernet Ports
You can assign profiles to Ethernet ports using the Instant UI or CLI.
In the Instant UI
To assign profiles to Ethernet ports:
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
2. To assign an Ethernet downlink profile to Ethernet 0 port:
   a. Ensure that the wired bridging on the port is enabled. For more information, see Configuring Wired Bridging on Ethernet 0 for Mesh Point on page 304.
   b. Select and assign a profile from the 0/0 drop-down list.
To assign a wire
212. appropriate ID.
NOTE: If TCP and UDP use the same port, ensure that you configure separate access rules to permit or deny access.
Select any of the following actions:
- Select Allow to allow access to users based on the access rule.
- Select Deny to deny access to users based on the access rule.
- Select Destination NAT to allow changes to destination IP address.
- Select Source NAT to allow changes to the source IP address.
The destination nat and source nat actions apply only to the network services rules.
Destination: Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements:
- to all destinations: Access is allowed or denied to all destinations.
- to a particular server: Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
- except to a particular server: Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- to a network: Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
Table 35 Access Rule Configuration Parameters (columns: Service Category, Description)
- except
213. arPass Guest as an external Captive Portal server, perform the following steps:
1. Select the WLAN SSID for which you want to enable external captive portal authentication with CPPM. You can also configure the RADIUS server when configuring a new SSID profile.
2. In the Security tab, select External from the Splash page type.
3. Select New from the Captive portal profile drop-down list and update the following fields:
   a. Enter the IP address of the ClearPass Guest server in the IP or hostname field. Obtain the ClearPass Guest IP address from your system administrator.
   b. Enter page_name.php in the URL field. This URL must correspond to the Page Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is Dell, the URL should be Dell.php in the Instant UI.
   c. Enter the Port number (generally should be 80). The ClearPass Guest server uses this port for HTTP services.
   d. Click OK.
4. To create an external RADIUS server, select New from the Authentication server 1 drop-down list. For information on authentication server configuration parameters, see Configuring an External Server for Authentication on page 157.
5. Click Next and then click Finish.
6. Click the updated SSID in the Network tab.
7. Open any browser and type any URL. Instant redirects the URL to ClearPass Guest login page.
8. Log in to the network with the user name and password specified used while configuring the RADIUS server.
Configuring Guest Lo
214. are <share>
  (Instant AP)(SSID Profile <name>)# wmm-best-effort-share <share>
  (Instant AP)(SSID Profile <name>)# wmm-video-share <share>
  (Instant AP)(SSID Profile <name>)# wmm-voice-share <share>
  (Instant AP)(SSID Profile <name>)# end
  (Instant AP)# commit apply
Configuring WMM DSCP Mapping
The IEEE 802.11e standard defines the mapping between WMM ACs and Differentiated Services Codepoint (DSCP) tags. You can customize the mapping values between WMM ACs and DSCP tags to prioritize various traffic types and apply these changes to a WMM-enabled SSID profile. DSCP classifies packets based on network policies and rules. The following table shows the default WMM AC to DSCP mappings and the recommended WMM AC to DSCP mappings.
Table 51 WMM DSCP Mapping
Columns: DSCP Value, WMM Access Category
Background
Best effort
By customizing WMM AC mappings, all packets received are matched against the entries in the mapping table and prioritized accordingly. The mapping table contains information for upstream (client to W-IAP) and downstream (W-IAP to client) traffic. You can configure different WMM to DSCP mapping values for each WMM AC when configuring an SSID profile, either in the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard (click Network > New or Network > Select the WLAN SSID >
215. are version for each make and model of a device. It remotely distributes the firmware image to the WLAN devices that require updates, and it schedules the firmware updates such that updating is completed without requiring you to manually monitor the devices. The following models can be used to upgrade the firmware:
- Automatic: In this model, the Virtual Controller periodically checks for newer updates from a configured URL and automatically initiates upgrade of the network.
- Manual: In this model, the user can manually start a firmware upgrade for each Virtual Controller or set the desired firmware preference per group of devices.
W-IAP and Client Monitoring
W-AirWave allows you to find any W-IAP or client on the wireless network and to see real-time monitoring views. These monitoring views can be used to aggregate critical information and high-end monitoring information.
In the W-AirWave User Interface (UI), you can select either Manage Read Write or Monitor only Firmware Upgrades as management modes. When the Management level is set to Manage Read Write, the Instant UI is in read-only mode. If W-AirWave Management Level is set to Monitor only Firmware Upgrades mode, the Instant UI changes to the read-write mode.
Template-based Configuration
W-AirWave automatically creates a configuration template based on any of the existing W-IAPs, and it applies that template across the network as shown in the following figure. It audits every device
216. ash page rectangle and select the required color from the Background Color palette.
- To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
- To change the policy text, click the second square in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
- To upload a custom logo, click Upload your own custom logo Image, browse the image file, and click upload image. Ensure that the image file size does not exceed 16 KB.
- To redirect users to another URL, specify a URL in Redirect URL.
- Click Preview to preview the Captive Portal page.
NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.
3. Click Next to configure access rules.
In the CLI
To configure internal captive portal authentication:
  (Instant AP)(config)# wlan ssid-profile <name>
  (Instant AP)(SSID Profile <name>)# essid <ESSID-name>
  (Instant AP)(SSID Profile <name>)# type <Guest>
  (Instant AP
217. associated with a particular W-IAP. The Instant UI shows the client and W-IAP association over the last 15 minutes.
• Access Point: The W-IAP name with which the client was associated.
Mobility information about the client is reset each time it roams from one W-IAP to another.

Client Match
If client match is enabled, the Client Match link provides a graphical representation of radio map view of an AP and the client distribution on an AP radio. On clicking an access point in the Access Points tab and the Client Match link, a stations map view is displayed and a graph is drawn with real-time data points for the AP radio. If the AP supports dual band, you can toggle between 2.4 GHz and 5 GHz links in the client match graph area to view the data. When you hover the mouse on the graph, details such as RSSI, client match status, and the client distribution on channels are displayed. The following figure shows the client distribution details for an AP radio.

Figure 20 Client Distribution on AP Radio (Client Match 2.4 GHz Station Layout, RSSI)

On clicking a client in the Clients tab and the Client Match link, a graph is drawn with real-time data points for an AP radio map. When you hover the mouse on the graph, details such as RSSI, channel utilization details, and client count on each channel are displayed.
Dell Networking W-Series Instant 6.4.0.2-4.1 User Guide I
218. at gather spectrum data but do not service clients. Each SM scans and analyzes the spectrum band used by the SM's radio (2.4 GHz or 5 GHz). An AP radio in hybrid AP mode continues to serve clients as an access point while it analyzes spectrum analysis data for the channel the radio uses to serve clients. You can record data for both types of spectrum monitor devices. However, the recorded spectrum is not reported to the Virtual Controller. A spectrum alert is sent to the VC when a non-Wi-Fi interference device is detected.

The spectrum monitor is supported on W-IAP103, W-IAP104/105, W-IAP134/135, W-IAP114/115, and W-IAP224/225 radios.

The spectrum data is collected by each W-IAP spectrum monitor and hybrid AP. The spectrum data is not reported to the VC. The Spectrum link is visible in the UI (Access Point view) only if you have enabled the spectrum monitoring feature. You can view the following spectrum data in the UI:
• Device List
• Non Wi-Fi Interferers
• Channel Metrics
• Channel Details
• Spectrum Alerts

Device List
The device list consists of a device summary table and channel information for active non-Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio. To view the device list, click Spectrum in the dashboard. The following figure shows an example of the device list details.

Figure 116 Device List
219. at matches the criteria in the rule. Outbound rules explicitly allow or block the network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall.

The W-IAP clients are associated with user roles, which determine the client's network privileges and the frequency at which clients re-authenticate. Instant supports the following types of ACLs:
• ACLs that permit or deny traffic based on the source IP address of the packet.
• ACLs that permit or deny traffic based on source or destination IP address, source or destination port number.
• ACLs that permit or deny traffic based on network services, application, application categories, web categories, and security ratings.
You can configure up to 128 access control entries in an ACL for a user role.

For more information on configuring firewall rules, see:
• Configuring Access Rules for Network Services on page 177
• Configuring Network Address Translation Rules on page 179
• Configuring Inbound Firewall Rules on page 183
• Configuring Access Rules for Application and Application Categories on page 246
• Configuring Web Policy Enforcement on page 249

Configuring Access Rules for Network Services
This section describes the procedure for configuring ACLs to control access to network services. For information o
220. ate a VLAN assignment rule for WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply

To configure a VLAN assignment rule for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply

Example
(Instant AP)(config)# wlan ssid-profile Profile1
(Instant AP)(SSID Profile Profile1)# set-vlan mac-address-and-dhcp-options matches-regular-expression link 100
(Instant AP)(SSID Profile Profile1)# end
(Instant AP)# commit apply

Using Advanced Expressions in Role and VLAN Derivation Rules
For complex policies of role and VLAN derivation using device DHCP fingerprints, you can use a regular expression to match against the combined string of the MAC address and the DHCP options. The combined string is formed by concatenating the hexadecimal presentation of the MAC address and all of the DHCP options sent by a particular device. The
221. ation: IP address, Encapsulation type, GRE type, MTU.
3. Specify the following parameters:
• IP address: Specify the IP address of the CALEA server.
• Encapsulation type: Specify the encapsulation type. The current release of Instant supports GRE only.
• GRE type: Specify the GRE type.
• MTU: Specify a size for the maximum transmission unit (MTU) within the range of 68-1500. After GRE encapsulation, if packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1500.
4. Click OK.

In the CLI
(Instant AP)(config)# calea
(Instant AP)(calea)# ip <IP-address>
(Instant AP)(calea)# ip mtu <size>
(Instant AP)(calea)# encapsulation-type <gre>
(Instant AP)(calea)# gre-type <type>
(Instant AP)(calea)# end
(Instant AP)# commit apply

Creating an Access Rule for CALEA
You can create an access rule for CALEA by using the Instant UI or CLI.

In the Instant UI
To create an access rule:
1. To add the CALEA access rule to an existing profile, select an existing wireless (Networks tab > edit) or wired (More > Wired > Edit) profile. To add the access rule to a new profile, click New under Network tab and create a WLAN profile, or click More > Wired > New and create a wired port profile.
2. In the Access tab, select the role for which you want to create the access rule. Under
222. ation is enabled, both the device and the user must be authenticated for the role assignment rule to apply.

In the CLI
To configure role assignment rules for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply

To configure role assignment rules for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role <attribute> {{equals|not-equal|starts-with|ends-with|contains} <operator> <role>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply

Example
(Instant AP)(config)# wlan ssid-profile Profile1
(Instant AP)(SSID Profile Profile1)# set-role mac-address-and-dhcp-options matches-regular-expression \bring\b Profile1
(Instant AP)(SSID Profile Profile1)# end
(Instant AP)# commit apply

Understanding VLAN Assignment
You can assign VLANs to a client based on the following configuration conditions:
• The default VLAN configured for the WLAN can be assigned to a client.
• If VLANs are configured for a WLAN SSID or an Ethernet port profile, the VLAN for the client can be derived before the authentication from the rules configure
223. ative VLAN: A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN. You can specify a value within the range of 1-4093.
d. If the Access mode is selected:
• If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 2.
• If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
6. Click Next to configure internal or external captive portal authentication, roles, and access rules for the guest users.

In the CLI
To configure wired settings for
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type <guest>
(Instant AP)(wired ap profile <name>)# speed {10|100|1000|auto}
(Instant AP)(wired ap profile <name>)# duplex {half|full|auto}
(Instant AP)(wired ap profile <name>)# no shutdown
(Instant AP)(wired ap profile <name>)# po
(Instant AP)(wired ap profile <name>)# uplink-enable
(Instant AP)(wired ap profile <name>)# content-filtering
(Instant AP)(wired ap profile <name>)# spanning-tree

To configure VLAN settings for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# switchport-mode {trunk|access}
(Instant AP)(wired ap profile <name>)# allowed-vlan <
224. ave and a new group called tme store4 is created. Navigate to APs/Devices > New > Group to view this group.

Figure 106 W-AirWave: New Group

Figure 107 W-AirWave: Monitor
225. ave ovens with a single magnetron are classified as a Microwave. These types of microwave ovens may be used in cafeterias, break rooms, dormitories, and similar environments. Some industrial, healthcare, or manufacturing environments may also have other equipment that behave like a microwave and may also be classified as a Microwave device.

Some newer-model microwave ovens have the inverter technology to control the power output, and these microwave ovens may have a duty cycle close to 100%. These microwave ovens are classified as Microwave Inverter. Dual-magnetron industrial microwave ovens with higher duty cycle may also be classified as Microwave Inverter. There may be other equipment that behaves like inverter microwaves in some industrial, healthcare, or manufacturing environments. Those devices may also be classified as Microwave Inverter.

Any non-frequency-hopping device that does not fall into one of the other categories described in this table is classified as a Generic Interferer. For example, a Microwave-like device that does not operate in the known operating frequencies used by the Microwave ovens may be classified as a Generic Interferer. Similarly, wide-band interfering devices may be classified as Generic Interferers.

Channel Details
When you move your mouse over a channel, the channel details or the summary of the 5 GHz and 2.4 GHz channels as detected by a spectrum monitor are displayed. You can view the aggregate data for each ch
226. b details are displayed.
3. Configure security settings for the wired profile. For more information, see Configuring Security Settings for a Wired Profile on page 115.

In the CLI
To configure VLAN settings for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# switchport-mode {trunk|access}
(Instant AP)(wired ap profile <name>)# allowed-vlan <vlan>
(Instant AP)(wired ap profile <name>)# native-vlan <guest|1-4095>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply

To configure a new VLAN assignment rule:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply

Configuring Security Settings for a Wired Profile
NOTE: If you are creating a new wired profile, complete the Wired Settings and VLAN procedures before specifying security settings. For more information, see Configuring Wired Settings on page 112 and Configuring VLAN Settings for a WLAN SSID Profile on page 97.

Configuring Security Settings for a Wired Employee Network
You can configure
227. ba-AirGroup-Shared-Group, Aruba-AirGroup-Shared-Role, Aruba-AirGroup-Shared-User, Aruba-AirGroup-User-Name, Aruba-AirGroup-Version, Aruba-Auth-Survivability, Aruba-CPPM-Role, Aruba-Device-Type, Aruba-Essid-Name, Aruba-Framed-IPv6-Address, Aruba-Location-Id, Aruba-Mdps-Device-Iccid, Aruba-Mdps-Device-Imei, Aruba-Mdps-Device-Name, Aruba-Mdps-Device-Product, Aruba-Mdps-Device-Profile, Aruba-Mdps-Device-Serial, Aruba-Mdps-Device-Udid, Aruba-Mdps-Device-Version, Aruba-Mdps-Max-Devices, Aruba-Mdps-Provisioning-Settings, Aruba-Named-User-Vlan, Aruba-Network-SSO-Token, Aruba-No-DHCP-Fingerprint, Aruba-Port-Id, Aruba-Priv-Admin-User, Aruba-Template-User, Aruba-User-Group, Aruba-User-Role, Aruba-User-Vlan, Aruba-WorkSpace-App-Name, Authentication-Sub-Type, Authentication-Type, CHAP-Challenge, Callback-Id, Callback-Number, Chargeable-User-Identity, Class, Connect-Info, Connect-Rate, Crypt-Password, DB-Entry-State, Digest-Response, Domain-Name, EAP-Message, Error-Cause, Event-Timestamp, Exec-Program, Exec-Program-Wait, Expiration, Fall-Through, Filter-Id, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Framed-Compression, Framed-IP-Address, Framed-IP-Netmask, Framed-IPX-Network, Framed-IPv6-Pool, Framed-IPv6-Prefix, Framed-IPv6-Route, Framed-Interface-Id, Framed-MTU, Framed-Protocol, Framed-Route, Framed-Routing, Full-Name, Group, Group-Name, Hint Dell
228. bility cache timeout duration, when the authentication server is down.
For EAP-PEAP authentication, ensure that the CPPM 6.0.2 or later version is used for authentication. For EAP-TLS authentication, any external or third-party server can be used.
For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded on W-IAP. For more information, see Uploading Certificates on page 173.

In the CLI
To configure authentication survivability for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply

To view the cache expiry duration:
(Instant AP)# show auth-survivability time-out

To view the information cached by the W-IAP:
(Instant AP)# show auth-survivability cached-info

To view logs for debugging:
(Instant AP)# show auth-survivability debug-log

Configuring Authentication Servers
This section describes t
229. RF
The RF link displays a window for configuring Adaptive Radio Management (ARM) and Radio features.
• ARM: Allows you to view or configure channel and power settings for all the W-IAPs in the network. For information about ARM configuration, see ARM Overview on page 232.
• Radio: Allows you to view or configure radio settings for 2.4 GHz and the 5 GHz radio profiles. For information about Radio, see Configuring Radio Settings for a W-IAP on page 238.
The following figure provides a view of the RF window with the advanced options for ARM configuration.

Figure 6 RF Window

Security
The Security link displays a window with the following tabs:
• Authentication Servers: Use this tab to configure an external RADIUS server for a wireless network. For more information, see Configuring an External Server for Authentication on
230. boring APs detected by the W-IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the W-IAP for which you want to monitor the client association. The W-IAP view is displayed.
3. Study the Neighboring APs graph in the Overview section. For example, the graph shows that 148 interfering APs are detected by the W-IAP at 12:04 hours.

To check the CPU utilization of the W-IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the W-IAP for which you want to monitor the client association. The W-IAP view is displayed.
3. Study the CPU Utilization graph in the Overview pane. For example, the graph shows that the CPU utilization of the W-IAP is 30% at 12:09 hours.

To check the neighboring clients detected by the W-IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the W-IAP for which you want to monitor the client association. The W-IAP view is displayed.
3. Study the Neighboring Clients graph in the Overview pane. For example, the graph shows that 20 interfering clients were detected by the W-IAP at 12:15 hours.

Table 12 Access Poi
231. cation The th Server serverl port 1812 External Server example in the next th Server serverl acctport 1813 for ae assumes 802 1x th Server serverl key presharedkey Authentication K th j Server serverl Zit nfig wlan auth server server2 th Server serverl ip 10 2 2 2 th Server serverl port 1812 th Server serverl acctport 1813 LTE key presharedkey th Server serverl Configure wired and Configure wired ports to operate in NAT mode and associate VLAN See wireless SSIDs using the 20 Configuring a authentication servers to the wired port profile Wired Profile and access rules and ap config wired port profile wired port and Wireless enable authentication ap wired port profile wired port switchport Network survivability mode access Profiles ap wired port profile wired port allowed vlan all ap wired port profile wired port native vlan 20 ap wired port profile wired port no shutdown ap wired port profile wired port access rule name wired port ap wired port profile wired port type employee ap wired port profile wired port auth server serverl ap wired port profile wired port auth server server2 ap wired port profile wired port dotlx ap wired port profile wired port exit ap config enetl port profile wired port Configure a wireless SSID to operate in L3 mode for employee and associate distr
232. In the Instant UI
Configuring AirGroup and CPPM interface in Instant
Creating a RADIUS Server
Assign a Server to AirGroup
Configure CPPM to Enforce Registration
Change of Authorization (CoA)
Configuring a W-IAP for RTLS Support
Configuring a W-IAP for Analytics and Location Engine Support
ALE with Instant
Enabling ALE Support on a W-IAP
In the Instant UI
Verifying ALE Configuration on a W-IAP
Configuring OpenDNS Credentials
Integrating a W-IAP with Palo Alto Networks Firewall
233. ccess rules for wired and wireless users with source NAT-based rule for contractor roles to bypass global routing profile.
• OSPF-based route propagation on controller.

Topology
Figure 137 shows the topology and the IP addressing scheme used in this scenario.

Figure 137 Scenario 3: IPSec Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy

The IP addressing scheme used in this example is as follows:
• 10.0.0.0/8 is the corporate network.
• 10.30.0.0/16 subnet is reserved for L3 mode, used by Employee SSID.
• 10.40.0.0/16 subnet is reserved for L3 mode, used by Contractor SSID.

AP Configuration
This section provides information on configuration steps performed through the CLI or the UI.

Configuration Steps
1. Configure the primary IP address. This IP address is the Public IP address of the controller. Fast failover is enabled for fast convergence.
2. Configure routing profiles to tunnel traffic through IPSec.
3. Configure Enterprise DNS for split DNS. The example in the next column uses a specific enterprise domain to tunnel all DNS queries
234. ccessful 802.1X authentication. For more information on configuring a W-IAP to use 802.1X authentication, see Configuring 802.1X Authentication for a Network Profile on page 163.

MAC authentication: MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks and the networks that require stringent security settings. For more information on configuring a W-IAP to use MAC authentication, see Configuring MAC Authentication for a Network Profile on page 165.

MAC authentication with 802.1X authentication: This authentication method has the following features:
• MAC authentication precedes 802.1X authentication: The administrators can enable MAC authentication for 802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role.
• MAC authentication only role: Allows you t
235. ce
• Authentication Server: Specify one or two authentication servers to authenticate clients. If two servers are configured, users can use them in primary or backup mode, or load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list. For more information on load balancing, see Dynamic Load Balancing between Two Authentication Servers on page 154. You may also specify a RADIUS Server as one of the authentication servers along with a TACACS server. If a TACACS server is selected, you can select the TACACS accounting checkbox for reporting management commands.
NOTE: The TACACS accounting option is available only when a TACACS server is specified as one of the authentication servers.
• Authentication server w/ fallback to internal: Select this option to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To complete this configuration, perform the following step:
a. To enable load balancing, select Enabled from the Load balancing drop-down list.
b. Specify a Username and Password.
c. Retype the password to confirm.
4. Click OK.

In the CLI
To configure an admin user:
(Instant AP)(config)# mgmt-user <username> [password]
(Instant AP)(config)# end
(Instant AP)# commit apply

To configure RADIUS or TACACS authentication parameters:
(Instant AP)(config)# mgmt auth ser
236. Scenario 3: IPSec Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy
Topology
AP Configuration
AP Connected Switch Configuration
Datacenter Configuration
Scenario 4: GRE Single Datacenter Deployment with No Redundancy
Topology
AP Configuration
AP Connected Switch Configuration
Datacenter Configuration
Acronyms and Abbreviations

Chapter 1
About this Guide
This User Guide describes the features supported by Dell Networking W-Series Instant Access Point (W-IAP) and provides detailed instructions for setting up and configuring the Instant network.

Intended Audience
This guide is intended for customers who configure and use W-IAPs.

Related Docu
237. ced options to display the advanced options.
3. Click the Monitoring tab. The Monitoring tab details are displayed.

Figure 127 Syslog Server

4. In the Syslog server text box, enter the IP address of the server to which you want to send system logs.
5. Select the required values to configure syslog facility levels. Syslog Facility is an information field associated with a syslog message. It is an application or operating system component that generates a log message. The following seven facilities are supported by Syslog:
• AP-Debug: Detailed log about the AP device.
• Network: Log about change of network, for example, when a new W-IAP is added to a network.
• Security: Log about network security, for example, when a client connects using wrong password.
• System: Log about configuration and system status.
• User: Important logs about client.
• User-Debug: Detailed log about client.
• Wireless: Log
238. Whitelist Database Configuration
VPN Local Pool Configuration
Role Assignment for the Authenticated W-IAPs
VPN Profile Configuration
Branch-ID Allocation
Branch Status Verification
Example
Adaptive Radio Management
ARM Overview
Channel or Power Assignment
Voice Aware Scanning
Load Aware Scanning
Monitoring the Network with ARM
Configuring ARM Features on a W-IAP
Band Steering
In the Instant UI
Airtime Fairness Mode
Client Match
Access Point Control
239. [Figure: window with AirGroup, RTLS, OpenDNS, CALEA, and Network Integration tabs, showing AirGroup settings]

DHCP Server
The DHCP Servers window allows you to configure various DHCP modes. The following figure shows the contents of the DHCP Servers window.

Figure 14 DHCP Servers Window

For more information, see DHCP Configuration on page 201.

Support
The Support consists of the following fields:
• Command: Allows you to select a support command for execution.
• Target: Displays a list of W-IAPs in the network.
• Run: Allows you to execute t
240. cess network. Specify any of the following 802.11u network types.
type <type>
• private: This network is accessible for authorized users only. For example, home networks or enterprise networks that require user authentication. The corresponding integer value for this network type is 0.
• private-with-guest: This network is accessible to guest users based on guest authentication methods. For example, enterprise networks that allow guest users with captive portal authentication. The corresponding integer value for this network type is 1.
• chargeable-public: This network provides access to the Internet based on payment. For example, a subscription-based Internet access in a coffee shop or a hotel offering chargeable in-room Internet access service. The corresponding integer value for this network type is 2.
• free-public: This network is accessible to all without any charges applied. For example, a hotspot in airport or other public places that provide Internet access with no additional cost. The corresponding integer value for this network type is 3.
• personal-device: This network is accessible for personal devices. For example, a laptop or camera configured with a printer for the purpose of printing. The corresponding integer value for this network type is 4.
• emergency-services: This network is limited to accessing emergency services only. The corresponding integer value for this network type is 5.
• test: This network is used for test purpo
241. ciation Broadcast
    Medium
    - Detect Adhoc networks using VALID SSID (Valid SSID list is auto configured based on Instant AP configuration)
    - Detect Malformed Frame Large Duration
    - Detect AP Impersonation
    - Detect Adhoc Networks
    - Detect Valid SSID Misuse
    - Detect Wireless Bridge
    - Detect 802.11 40MHz intolerance settings
    - Detect Active 802.11n Greenfield Mode
    - Detect AP Flood Attack
    - Detect Client Flood Attack
    - Detect Bad WEP
    - Detect CTS Rate Anomaly
    - Detect RTS Rate Anomaly
    - Detect Invalid Address Combination

    Table 55: Infrastructure Detection Policies (Detection Level, Detection Policy)
    - Detect Malformed Frame HT IE
    - Detect Malformed Frame Association Request
    - Detect Malformed Frame Auth
    - Detect Overflow IE
    - Detect Overflow EAPOL Key
    - Detect Beacon Wrong Channel
    - Detect devices with invalid MAC OUI

    The following table describes the detection policies enabled in the Client Detection Custom settings field.

    Table 56: Client Detection Policies (Detection Level, Detection Policy)
    - All detection policies are disabled
    - Detect Valid Station Misassociation
    - Detect Disconnect Station Attack
    - Detect Omerta Attack
    - Detect FATA Jack Attack
    - Detect Block ACK DOS
    - Detect Hotspotter Attack
    - Detect unencrypted Valid Client
    - Detect Power Save DOS Attack
    - Detect EAP Rate Anomaly
    - Detect Rate Anomaly
    - Detect Chop Chop Attack
    - Detect TKIP
242. cket. Instant supports the following external authentication servers:
    - RADIUS (Remote Authentication Dial-In User Service)
    - LDAP (Lightweight Directory Access Protocol)
    - CPPM Server for AirGroup CoA

    To use an LDAP server for user authentication, configure the LDAP server on the Virtual Controller, and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the Virtual Controller.

    RADIUS Server Authentication with VSA

    An external RADIUS server authenticates network users and returns to the W-IAP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA. Instant supports the following VSAs for user role and VLAN derivation rules: AP-Group, AP-Name, ARAP-Features, ARAP-Security, ARAP-Security-Data, ARAP-Zone-Access, Acct-Authentic, Acct-Delay-Time, Acct-Input-Gigawords, Acct-Input-Octets, Acct-Input-Packets, Acct-Interim-Interval, Acct-Link-Count, Acct-Multi-Session-Id, Acct-Output-Gigawords, Acct-Output-Octets, Acct-Output-Packets, Acct-Session-Id, Acct-Session-Time, Acct-Status-Type, Acct-Terminate-Cause, Acct-Tunnel-Packets-Lost, Add-Port-To-IP-Address, Aruba-AP-Group, Aruba-AP-IP-Address, Aruba-AS-Credential-Hash, Aruba-AS-User-Name, Aruba-Admin-Role, Aruba-AirGroup-Device-Type, Aru
243. client is broadcasting. Role: Displays the role assigned to the client.

    RF Dashboard

    The RF Dashboard section lists the W-IAPs that exceed the utilization, noise, or error threshold. It also shows the clients with low speed or signal strength in the network and the RF information for the W-IAP to which the client is connected. The W-IAP names are displayed as links. When a W-IAP is clicked, the W-IAP configuration information is displayed in the Info section and the RF Dashboard section is displayed at the bottom left corner of the Instant main window. The following figure shows an example of the RF dashboard with Utilization, Band frames, Noise Floor, and Errors details.

    [Figure 16: RF Dashboard in the Monitoring Pane]

    The following table describes the icons available on the RF Dashboard pane.

    Table 10: RF Dashboard Icons

    Description: Displays the signal strength of the client. Depending on the signal strength of the client, the color of the lines on the Signal bar changes from Green > Orange > Red.
    - Green: Signal strength is more than 20 decibels.
    - Orange: Signal strength is between 15-20 decibels.
    - Red: Signal strength is less than 15 decibels.
    To view the signal graph for a client, click on the signal icon next to the client in the
244. connection capabilities <name> udp voip

        Instant AP connection capabilities <name> enable
        Instant AP connection capabilities <name> end
        Instant AP commit apply

    Configuring an Operating Class Profile

    You can configure an operating class profile to list the channels on which the hotspot is capable of operating. To configure an H2QP operating class profile:

        Instant AP config hotspot h2qp oper class profile <name>
        Instant AP operator class <name> op class <class ID>
        Instant AP operator class <name> enable
        Instant AP operator class <name> end
        Instant AP commit apply

    Configuring a WAN Metrics Profile

    You can configure a WAN metrics profile to define information about access network characteristics such as link status and metrics. To configure a WAN metrics profile:

        Instant AP config hotspot h2qp wan metrics profile <name>
        Instant AP WAN metrics <name> at capacity
        Instant AP WAN metrics <name> downlink load <load>
        Instant AP WAN metrics <name> downlink speed <speed>
        Instant AP WAN metrics <name> load duration <duration>
        Instant AP WAN metrics <name> symm link
        Instant AP WAN metrics <name> uplink load <load>
        Instant AP WAN metrics <name> uplink speed <speed>
        Instant AP WAN metrics <name> wan metrics
245. ct messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.
    - NAS IP address: Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets. NOTE: If you do not enter the IP address, the Virtual Controller IP address is used by default when Dynamic RADIUS Proxy is enabled.
    - NAS identifier: Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
    - Dead Time: Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the W-IAP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.
    - Dynamic RADIUS proxy: Specify the following dynamic RADIUS proxy parameters:
        - DRP IP: IP address to be used as source IP for RADIUS packets.
        - DRP Mask: Subnet mask of the DRP IP address.
        - DRP VLAN: VLAN in which the RADIUS packets are sent.
        - DRP Gateway: Gateway IP address of the DRP VLAN.
      For more information on dynamic RADIUS proxy parameters and configuration procedure, see Configuring Dynamic RADIUS Proxy Parameters on page 161.

    LDAP Server: To configure an LDAP server, select the LDAP option and specify the attributes described in the following table. Table 33: LDAP
246. cted network or W-IAP in the last 15 minutes.
    - Throughput: In the default view, the Throughput graph displays the incoming and outgoing throughput traffic for the Virtual Controller in the last 15 minutes. In the Network or Access Points view, this graph displays the incoming and outgoing throughput traffic for the selected network or W-IAP in the last 15 minutes.

    [Figure 19: Usage Trends Graphs in the Default View]

    The following table describes the graphs displayed in the Network view.

    Table 11: Network View Graphs and Monitoring Procedures
    - Clients: The Clients graph shows the number of clients associated with the network for the last 15 minutes. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the Virtual Controller for the last 15 minutes. To see the exact number of clients in the Instant network at a particular time, move the cursor over the graph line.
    - Throughput: The Throughput graph shows the throughput of the selected network for the last 15 minutes. Outgoing traffic: Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median li
247. cts its
    - Configuring Machine and User Authentication Roles
        - In the Instant UI
    - Configuring Derivation Rules
        - Understanding Role Assignment Rule
            - RADIUS VSA Attributes
            - MAC Address Attribute
            - Roles Based on Client Authentication
            - DHCP Option and DHCP Fingerprinting
        - Creating a Role Derivation Rule
            - Example
        - Understanding VLAN Assignment
            - Vendor Specific Attributes
            - VLAN Assignment Based on Derivation Rules
            - User Roles
            - VLANs Created for an SSID
        - Configuring VLAN Derivation Rules
            - In the Instant UI
248. curity window is displayed. Click Roles tab. The Roles tab contents are displayed. Under Roles, click New. Enter a name for the new role and click OK. You can also create a user role when configuring wireless or wired network profiles. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 104 and Configuring Access Rules for a Wired Profile on page 116.

    In the CLI

    To configure user roles and access rules:

        Instant AP config wlan access rule <access rule name>
        Instant AP Access Rule <Name> rule <dest> <mask> <match> <protocol> <start port> <end port> permit deny src nat dst nat <IP address> <port> <port> <option1 option9>

    Assigning Bandwidth Contracts to User Roles

    The administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the W-IAP) or downstream (W-IAP to clients) traffic for a user role. The bandwidth contract will not be applicable to the user traffic on the bridged out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps. By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic
249. current channel. This interval may be used to assist in making channel measurements without interference from other stations in the BSS.
    - Extended Capabilities IE: The extended capabilities IE carries information about the capabilities of an IEEE 802.11 station.

    Beacon Report Requests and Probe Responses

    The beacon request frame is sent by an AP to request a client to report the list of beacons heard by the client on all channels.
    - The beacon request is sent using the radio measurement request action frame.
    - It is sent only to those clients that have the capability to generate beacon reports. The clients indicate their capabilities through the RRM enabled capabilities IE sent in the association request frames.
    - By default, the beacon request frames are sent at a periodicity of 60 seconds.

    Configuring a WLAN SSID for 802.11k Support

    You can enable 802.11k support on a WLAN SSID by using the Instant UI or CLI.

    In the Instant UI

    1. Navigate to the WLAN wizard (click Network > New or Network > Select the WLAN SSID > edit).
    2. Click the Security tab.
    3. Under Fast Roaming, select the 802.11k checkbox.
    4. Click Next and then click Finish.

    To allow the AP and clients to exchange neighbor reports, ensure that the Client match is enabled through RF > ARM > Client match > Enabled in the UI or by executing the client match command i
250. d
    - Classification: Displays the classification of the foreign AP, for example, Interfering W-IAP or Rogue W-IAP.
    - Channel: Displays the channel in which the foreign AP is operating.
    - Type: Displays the Wi-Fi type of the foreign AP.
    - Last seen: Displays the time when the foreign AP was last detected in the network.
    - Where: Provides information about the W-IAP that detected the foreign AP. Click the pushpin icon to view the information.

    Foreign Clients Detected: Lists the clients that are not controlled by the Virtual Controller. The following information is displayed for each foreign client:
    - MAC address: Displays the MAC address of the foreign client.
    - Network: Displays the name of the network to which the foreign client is connected.
    - Classification: Displays the classification of the foreign client: Interfering client.
    - Channel: Displays the channel in which the foreign client is operating.
    - Type: Displays the Wi-Fi type of the foreign client.
    - Last seen: Displays the time when the foreign client was last detected in the network.
    - Where: Provides information about the W-IAP that detected the foreign client. Click the pushpin icon to view the information.

    The following figure shows an example for the intrusion detection log.

    [Figure 26: Intrusion Detection]
251. d or GRE configuration for the IP of the configuration to complete the GRE tunnel. Configure routing profiles to tunnel traffic through GRE. Configure Enterprise DNS. The example in the next column tunnels all DNS queries to the client's original DNS server without proxying on W-IAP. Configure centralized L2 DHCP profile with VLAN 20. Create authentication servers for user authentication. The example in the next column assumes 802.1x SSID. Configure wired and wireless SSIDs using the authentication servers.

    each W-IAP on the controller for Manual GRE

        ap config gre per ap tunnel

    NOTE: Starting with 6.4.0.2-4.1, if Virtual Controller IP is configured and per AP GRE tunnel is disabled, W-IAP uses Virtual Controller IP as the GRE source IP. For Manual GRE, this simplifies configuration on controller, since only the Virtual Controller IP destined GRE tunnel interface configuration is required.

        ap config routing profile
        ap routing profile route 0.0.0.0 0.0.0.0 <IP of GRE endpoint>
        ap config internal domains
        ap domains domain name

    Centralized L2 DHCP profile VLAN 20

        ap config ip dhcp l2 dhcp
        ap DHCP profile l2 dhcp server type Centralized L2
        ap DHCP profile l2 dhcp server vlan 20
        config wlan auth server server1
        th Server server1 ip 10.2.2.1
        th Server server1 port 1812 acctp
252. d Application Visibility

    Chapter 18: Voice and Video

    This chapter explains the steps required to configure voice and video services on a W-IAP for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H323, SCCP, Vocera, and Alcatel NOE phones, clients running Microsoft OCS, and Apple devices running the Facetime application. This section includes the following topics:
    - Wi-Fi Multimedia Traffic Management on page 251
    - QoS for Microsoft Office OCS and Apple Facetime on page 253

    Wi-Fi Multimedia Traffic Management

    Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless Quality of Service (QoS) standard. WMM works with 802.11a, b, g, and n physical layer standards. WMM supports the following access categories (ACs):
    - Voice
    - Video
    - Best effort
    - Background

    The following table shows the mapping of the WMM access categories to 802.1p priority values. The 802.1p priority value is contained in a two-byte QoS control field in the WMM data frame.

    Table 50: WMM AC to 802.1p Priority Mapping (802.1p Priority, WMM Access Category): Background

    In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can configure an SSID with higher values for best effort and voice ACs to allocate a higher bandwidth to clients transmitting best effort and voice traffic. Configuri
253. d for these profiles. If a rule derives a specific VLAN, it is prioritized over the user roles that may have a VLAN configured.
    - The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication.
    - After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS server authentication.
    - The DHCP-based VLANs can be derived for Captive Portal authentication.

    NOTE: Instant supports role derivation based on the DHCP option for Captive Portal authentication. When the Captive Portal authentication is successful, the role derivation based on the DHCP option assigns a new user role to the guest users, instead of the pre-authenticated role.

    Vendor Specific Attributes

    When an external RADIUS server is used, the user VLAN can be derived from the Dell User Vlan VSA. The VSA is then carried in an Access Accept packet from the RADIUS server. The W-IAP can analyze the return message and derive the value of the VLAN which it assigns to the user.

    [Figure 57: RADIUS Access Accept packets with VSA]
254. d or denied to the master IP address.
    - Log: Select this checkbox if you want a log entry to be created when this rule is triggered. Instant supports firewall based logging function. Firewall logs on the W-IAPs are generated as security logs.
    - Blacklist: Select the Blacklist checkbox to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 171.
    - Disable scanning: Select Disable scanning checkbox to disable ARM scanning when this rule is triggered. The selection of the Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for a W-IAP on page 238.
    - DSCP tag: Select the DSCP tag checkbox to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.
    - 802.1p priority: Select the 802.1p priority checkbox to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

    3. Click OK and then click Finish.

    In the CLI

    To configure access rules:

        Instant AP config wlan access rule <access rule name>
        Instant AP Access Rule <Name> rule <dest> <mask> <match invert> app <app> permit deny appcategory <appgrp> <option1
255. d profile to Ethernet 0/1 port, select the profile from the 0/1 drop-down list. If the W-IAP supports E2, E3, and E4 ports, assign profiles to other Ethernet ports by selecting a profile from the 0/2, 0/3, and 0/4 drop-down list.

    In the CLI

    To assign profiles to Ethernet ports:

        Instant AP config enet0 port profile <name>
        Instant AP config enet1 port profile <name>
        Instant AP config enet2 port profile <name>
        Instant AP config enet3 port profile <name>
        Instant AP config enet4 port profile <name>
        Instant AP config end
        Instant AP commit apply

    Editing a Wired Profile

    To edit a wired profile:
    1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
    2. In the Wired window, select the wired profile to modify.
    3. Click Edit. The Edit Wired Network window is displayed.
    4. Modify the required settings.
    5. Click Finish to save the modifications.

    Deleting a Wired Profile

    To delete a wired profile:
    1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
    2. In the Wired window, select the wired profile to delete.
    3. Click Delete. The wired profile is deleted.

    Link Aggregation Control Protocol for W-IAP220 Series

    W-IAP220 Series
256. d to clients. The options in the Local interface drop-down list are displayed only if a Local L3 DHCP scope is configured on the W-IAP.
    5. Click OK.
    6. Reboot the W-IAP for the configuration to take effect.

    In the CLI

    To configure a PPPoE uplink connection:

        Instant AP config pppoe uplink profile
        Instant AP pppoe uplink profile pppoe svcname <service name>
        Instant AP pppoe uplink profile pppoe username <username>
        Instant AP pppoe uplink profile pppoe passwd <password>
        Instant AP pppoe uplink profile pppoe chapsecret <password>
        Instant AP pppoe uplink profile pppoe unnumbered local l3 dhcp profile <dhcp profile>
        Instant AP pppoe uplink profile end
        Instant AP commit apply

    To view the PPPoE configuration:

        Instant AP show pppoe config
        PPPoE Configuration
        User testUser
        Password 3c28ec1b82d3eef0e65371da2f39c4d49803e5b2bc88be0c
        Service name internet03
        CHAP secret 8e87644deda9364100719e017f88ebce
        Unnumbered dhcp profile dhcpProfile1

    To view the PPPoE status:

        Instant AP show pppoe status
        pppoe uplink state Suppressed

    Cellular Uplink

    Instant supports the use of 3G and 4G USB modems to provide the Internet backhaul to an Instant network. The 3G or 4G USB modems can be used to extend client connectivity to places where an Ethernet uplink cannot be configured. This enables the W-IAPs to automatically choose the availabl
257. d to the Shared With field. The OSX Mountain Lion/iOS 6 device should once again have access to the AppleTV.

    Troubleshooting

    Table 71: Troubleshooting
    - Problem: Limiting devices has no effect. Solution: Ensure IPv6 is disabled.
    - Problem: Apple Macintosh running Mountain Lion can use AirPlay but iOS devices cannot. Solution: Ensure IPv6 is disabled.

    IAP VPN Deployment Scenarios

    This section describes the most common IAP VPN deployment models and provides information to carry out the necessary configuration procedures. The examples in this section refer to more than one DHCP profile and wired port configuration in addition to wireless SSID configuration. All these are optional. In most networks, a single DHCP profile and wireless SSID configuration referring a DHCP profile is sufficient. The following scenarios are described in this section:
    - Scenario 1: IPSec Single Datacenter Deployment with No Redundancy on page 357
    - Scenario 2: IPSec Single Datacenter with Multiple Controllers for Redundancy on page 360
    - Scenario 3: IPSec Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy on page 364
    - Scenario 4: GRE Single Datacenter Deployment with No Redundancy on page 369

    Scenario 1: IPSec Single Datac
258. d troubleshoot network issues
    - Validate certificates
    - Map an event on one network element to a corresponding event on another
    - Maintain accurate time for billing services and similar

    The Network Time Protocol (NTP) helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the W-IAP clock to set the correct time. If NTP server is not configured in the W-IAP network, a W-IAP reboot may lead to variation in time data. By default, the W-IAP tries to connect to pool.ntp.org to synchronize time. A different NTP server can be configured either from the UI or from the CLI. It can also be provisioned through the DHCP option 42. If the NTP server is configured, it takes precedence over the DHCP option 42 provisioned value. The NTP server provisioned through the DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42. Reboot the AP to apply the NTP server configuration. You can configure an NTP server by using the Instant UI or the CLI.

    In the Instant UI

    To configure an NTP server:
    1. Navigate to System > General.
    2. Enter the IP address or the URL (domain name) of the NTP server in the NTP Server text box.
    3. Click OK.
    4. Reboot the W-IAP.

    In the CLI

    To con
259. default. Spanning Tree is disabled on wired profiles.
    4. Click Next. The VLAN tab details are displayed.
    5. Enter the following information:
        a. Mode: You can specify any of the following modes:
            - Access: Select this mode to allow the port to carry a single VLAN specified as the native VLAN.
            - Trunk: Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.
        b. Specify any of the following values for Client IP Assignment:
            - Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client.
            - Network Assigned: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
        c. If the Trunk mode is selected:
            - Specify the Allowed VLAN, enter a list of comma separated digits or ranges 1,2,5 or 1-4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
            - If the Client IP Assignment is set to Network Assigned, specify a value for N
260. deployment, see Understanding Hierarchical Deployment on page 119.

    Configuring an SSID or Wired Port

    For a client to connect to the IAP VPN network, an SSID or wired port profile on a W-IAP must be configured with appropriate IAP VPN mode of operation. The VLAN configuration in an SSID or wired port profile determines whether an SSID or wired port is configured for the IAP VPN operations. To configure an SSID or wired port for a specific IAP VPN mode, the VLAN ID defined in the SSID or wired port profile must match the VLAN ID defined in the DHCP profile configuration. If the VLAN assignment for an SSID or wired port profile is set to Virtual controller assigned, default, or a static VLAN ID that does not match the VLAN ID configured in the DHCP profiles, the IAP VPN operations are affected. For example, if a local DHCP profile is configured with a VLAN ID of 200, the VLAN configuration on the SSID must be set to a static VLAN ID 200. For information on how to configure an SSID or wired port profile, see Wireless Network Profiles on page 93 and Configuring a Wired Profile on page 112, respectively.

    Enabling Dynamic RADIUS Proxy

    The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication a
261. details on the client traffic towards the applications. On clicking in the rectangle area, you can view the following graphs, and toggle between the chart and list views.

    [Figure 75: Application Chart, Client View]

    [Figure 76: Application List, Client View]

    Web Categories Charts

    The web categories chart displays details about the client traffic to the web categories. On clicking in the rectangle area, you can view the following graphs, and toggle between the chart and list views.

    [Figure 78: Web Categories Chart, Client View]

    [Figure 79: Web Categories List, Client View]
262. dicator>

        Instant AP Captive Portal banner text <text>
        Instant AP Captive Portal decoded texts <text>
        Instant AP Captive Portal redirect url <url>
        Instant AP Captive Portal terms of use <text>
        Instant AP Captive Portal use policy <text>
        Instant AP Captive Portal end
        Instant AP commit apply

    To upload a customized logo from a TFTP server to the W-IAP:

        Instant AP copy config tftp <ip address> <filename> portal logo

    Configuring External Captive Portal for a Guest Network

    This section provides the following information:
    - External Captive Portal Profiles on page 129
    - Creating a Captive Portal Profile on page 129
    - Configuring an SSID or Wired Profile to Use External Captive Portal Authentication on page 131

    External Captive Portal Profiles

    You can now configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles in the Security > External Captive Portal window and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile under the Security tab of the WLAN wizard or a Wired Network window. In the current release, you can configure up to eight external captive portal profiles. When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used o
263. ditional WLAN SSIDs
    - Enabling the Extended SSID
        - In the Instant UI
    - Preventing Inter user Bridging
        - In the Instant UI
    - Preventing Local Routing between Clients
    - Enabling Dynamic CPU Management
        - In the Instant UI
    - Customizing W-IAP Settings
    - Modifying the W-IAP S
        - In the Instant UI
    - Configuring Zone Settings on a W-IAP
        - In the Instant UI
    - Specifying a Method for Obtaining IP Address
        - In the Instant UI
    - Configuring External Antenna
        - EIRP and Antenna Gain
        - Example
        - Configuring Antenna Gain
        - In the Instant UI
264. e column. Displays the errors for the W-IAPs. Depending on the errors, color of the lines on the Errors icon changes from Green > Yellow > Red.
    - Green: Errors are less than 5000 frames per second.
    - Orange: Errors are between 5000-10000 frames per second.
    - Red: Errors are more than 10000 frames per second.
    To view the errors graph of a W-IAP, click the Errors icon next to the W-IAP in the Errors column.

    RF Trends

    The RF Trends section displays the following graphs for the selected AP and the client. To view the details on the graphs, click the graphs and hover the mouse on a data point.

    [Figure 17: RF Trends for Access Point]

    [Figure 18: RF Trends for Clients]

    Usage Trends

    The Usage Trends displays the following graphs:
    - Clients: In the default view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes. In Network or Access Points view, this graph displays the number of clients that were associated with the sele
265. e Adaptive Radio Management (ARM) feature. Adaptive Radio Management (ARM) is enabled on Instant by default. It automatically assigns appropriate channel and power settings for the W-IAPs. For more information on ARM, see Adaptive Radio Management on page 232.

Configuring ARM Assigned Radio Profiles for a W-IAP
To enable ARM assigned radio profiles:
1. In the Access Points tab, click the W-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Click the Radio tab. The Radio tab details are displayed.
4. Ensure that an appropriate mode is selected.
5. Select the Adaptive radio management assigned option under the bands that are applicable to the W-IAP configuration.
6. Click OK.

Configuring Radio Profiles Manually for W-IAP
When radio settings are assigned manually by the administrator, the ARM is disabled.
To manually configure radio settings:
1. In the Access Points tab, click the AP for which you want to enable ARM. The edit link is displayed.
2. Click the edit link. The Edit Access Point window is displayed.
3. Click the Radio tab.
4. Ensure that an appropriate mode is selected.
By default, the channel and power for an AP are optimized dynamically using Adaptive Radio Management (ARM). You can override ARM on the 2.4 GHz and 5 GHz bands and set the channel and power manually if desired. The following table describes various configuration modes for an AP:
266. e CLI
To configure a mobility domain:
(Instant AP)(config)# l3-mobility
(Instant AP)(L3-mobility)# home-agent-load-balancing
(Instant AP)(L3-mobility)# virtual-controller <IP-address>
(Instant AP)(L3-mobility)# subnet <IP-address> <subnet-mask> <VLAN-ID> <virtual-controller-IP-address>
(Instant AP)(L3-mobility)# end
(Instant AP)# commit apply

Chapter 25 Spectrum Monitor
This chapter provides the following information:
• Understanding Spectrum Data on page 309
• Configuring Spectrum Monitors and Hybrid W-IAPs on page 314

Understanding Spectrum Data
Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference. The spectrum monitor software modules on W-IAPs that support this feature are able to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, identify interference, and classify its sources. An analysis of the results can then be used to quickly isolate issues with packet transmission, channel quality, and traffic congestion caused by contention with other devices operating in the same band or channel. Spectrum monitors (SMs) are W-IAP radios th
267. e Instant network to which the client first connects is called its home network. When the client roams to a foreign network, an AP in the home network (home AP) anchors all traffic to or from this client. The AP to which the client is connected in the foreign network (foreign AP) tunnels all client traffic to or from the home AP through a GRE tunnel.

Figure 114: Routing of traffic when the client is away from its home network (diagram labels: L3 Switch/Router, Network, Home VC (HVC), Old AP / Home AP (AP1), New AP / Foreign AP (AP2), Client (C1))

When a client first connects to an Instant network, a message is sent to all configured Virtual Controller IP addresses to see if this is an L3 roamed client. On receiving an acknowledgement from any of the configured Virtual Controller IP addresses, the client is identified as an L3 roamed client. If the AP has no GRE tunnel to this home network, a new tunnel is formed to an AP (home AP) from the client's home network.

Each foreign AP has only one home AP per Instant network to avoid duplication of broadcast traffic. Separate GRE tunnels are created for each foreign AP / home AP pair. If a peer AP is a foreign AP for one client and a home AP for another, two separate GRE tunnels are used to handle L3 roaming traffic between these APs.

If client subnet discovery fails on association due to some reason, the foreign A
268. e Virtual Controller is applied on all the slaves in a cluster. The changes configured in a CLI session are saved in the CLI context. The CLI does not support the configuration data exceeding the 4K buffer size in a CLI session. Therefore, it is recommended that you configure fewer changes at a time and apply the changes at regular intervals.

To apply and save the configuration changes at regular intervals, use the following command in the privileged mode:
(Instant AP)# commit apply

To apply the configuration changes to the cluster without saving the configuration, use the following command in the privileged mode:
(Instant AP)# commit apply no-save

To view the changes that are yet to be applied, use the following command in the privileged mode:
(Instant AP)# show uncommitted-config

To revert to the earlier configuration, use the following command in the privileged mode:
(Instant AP)# commit revert

Example:
(Instant AP)(config)# rf dot11a-radio-profile
(Instant AP)(RF dot11a Radio Profile)# beacon-interval 200
(Instant AP)(RF dot11a Radio Profile)# no legacy-mode
(Instant AP)(RF dot11a Radio Profile)# dot11h
(Instant AP)(RF dot11a Radio Profile)# interference-immunity 3
(Instant AP)(RF dot11a Radio Profile)# csa-count 2
(Instant AP)(RF dot11a Radio Profile)# spectrum-monitor
(Instant AP)(RF dot11a Radio Profile)# end
269. e W-IAP, the W-IAP sends a logout message.

Configuring a W-IAP for PAN integration
You can configure a W-IAP for PAN firewall integration using the Instant UI or CLI.

In the Instant UI
1. Click More > Services. The Services window is displayed.
2. Click Network Integration. The PAN firewall configuration options are displayed.
Figure 92: Services Window, Network Integration Tab (fields: Enable, Username, Password, Retype, IP address, Port)
3. Select the Enable checkbox to enable PAN firewall.
4. Specify the user name and password. Ensure that you provide user credentials of the PAN firewall administrator.
5. Enter the PAN firewall IP address.
6. Enter the port number within the range of 1-65535. The default port is 443.
7. Click OK.

In the CLI
To enable PAN firewall integration with the W-IAP:
(Instant AP)(config)# firewall-external-enforcement pan
(Instant AP)(firewall-external-enforcement pan)# enable
(Instant AP)(firewall-external-enforcement pan)# ip <ip-address>
270. e and Video

Chapter 19 Services
This chapter provides information on how to configure the following services on a W-IAP:
• AirGroup
• Real Time Location Server (RTLS)
• Analytics and Location Engine (ALE)
• OpenDNS
• Communications Assistance for Law Enforcement Act (CALEA)
• Palo Alto Network Firewall
• XML API Server

AirGroup Configuration
AirGroup provides a unique enterprise-class capability that leverages zero configuration networking to enable AirGroup services from mobile devices in an efficient manner. Zero configuration networking enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home.

The users can register their personal devices and define a group of users who can share the registered devices. Administrators can register and manage an organization's shared devices such as printers and grant global access to each device, or restrict access according to the username, role, or user location.

In large universities and enterprise networks, it is common for devices to connect to the network across VLANs. As a result, user devices on a specific VLAN cannot discover a service that resides on another VLAN. As the addresses used by the protocol are link-scope multicast addresses, each query or advertisement can only be fo
271. e equivalent steps available for the Windows Server 2008 and other RADIUS servers.
1. Add the MAC addresses for all the W-IAPs in the Active Directory of the RADIUS server:
   a. Open the Active Directory and Computers window, add a new user, and specify the MAC address (without the colon delimiter) of the W-IAP for the user name and password.
   b. Right-click the user that you have just created and click Properties.
   c. In the Dial-in tab, select Allow access in the Remote Access Permission section and click OK.
   d. Repeat Step a through Step b for all W-IAPs.
2. Define the remote access policy in the Internet Authentication Service:
   a. In the Internet Authentication Service window, select Remote Access Policies.
   b. Launch the wizard to configure a new remote access policy.
   c. Define filters and select grant remote access permission in the Permissions window.
   d. Right-click the policy that you have just created and select Properties.
   e. In the Settings tab, select the policy condition and Edit Profile.
   f. In the Advanced tab, select Vendor-Specific and click Add to add new vendor-specific attributes.
   g. Add new vendor-specific attributes and click OK.
   h. In the IP tab, provide the IP address of the W-IAP and click OK.

VPN Local Pool Configuration
The VPN local pool is used to assign an IP address to the W-IAP after successful XAUTH VPN.
(host) # ip local pool rapngpool
272. e-name>
(Instant AP)(Auth Server <profile-name>)# ip <IP-address>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# port <port>
(Instant AP)(Auth Server <profile-name>)# acctport <port>
(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant AP)(Auth Server <profile-name>)# timeout <seconds>
(Instant AP)(Auth Server <profile-name>)# retry-count <number>
(Instant AP)(Auth Server <profile-name>)# rfc3576
(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>
(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply

To configure an LDAP server:
(Instant AP)(config)# wlan ldap-server <profile-name>
(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>
(Instant AP)(LDAP Server <profile-name>)# port <port>
(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>
(Instant AP)(LDAP Server <profile-name>)#
273. e network in a specific region. The 3G and 4G LTE USB modems can be provisioned on W-IAP3WN/3WNP, W-IAP108/109, and W-IAP155/155P.

The following 3G modems are supported:
• USBConnect 881 Sierra 881U
• Quicksilver Globetrotter ICON 322
• UM100C UTstarcom
• Icon 452
Aircard 250U Sierra USB 598 Sierra U300 Franklin wireless U301 Franklin wireless USB U760 for Virgin Novatel USB U720 Novatel Qualcomm UM175 Pantech UM150 Pantech UMW 190 Pantech SXC 1080 Qualcomm Globetrotter ICON 225 UMG181 NTT DoCoMo L 05A LG FOMA L05A NTT DoCoMo L 02A ZTE WCDMA Technologies MSM MF6687 Fivespot ZTE c motech CNU 600 ZTE AC2736 SEC 8089 EpiValley Nokia CS 10 NTT DoCoMo L 08C LG NTT DoCoMo L 02C LG Novatel MC 545 Huawei E220 for Movistar in Spain Huawei E180 for Movistar in Spain ZTE MF820 Huawei E173s 1 Sierra 320 Longcheer WM72 U600 3G mode Sierra USB 306 HK CLS 1010 Hk Sierra 306 308 Telstra Aus Sierra 503 PCle Telstra Aus Sierra 312 Telstra Aus Aircard USB 308 AT&T's Shockwave Compass 597 Sierra Sprint U597 Sierra Verizon Tstick C597 Sierra Telecom NZ Ovation U727 Novatel Sprint USB U727 Novatel Verizon USB U760 Novatel Sprint USB U760 Novatel Verizon
274. e such as Employee, Guest, or Voice.
• Band: Band in which the network is broadcast: 2.4 GHz band, 5 GHz band, or both.
• Authentication Method: Authentication method required to connect to the network.
• Key Management: Authentication key type.
• IP Assignment: Source of IP address for the client.
• Zone: AP zone configured on the SSID.
To add a wireless network profile, click the New link in the Networks tab. To edit, click the edit link that is displayed on clicking the network name in the Networks tab. To delete a network, click on the link x. For more information on the procedure to add or modify a wireless network, see Wireless Network Profiles on page 93.

Access Points Tab
If the Auto Join Mode feature is enabled, a list of enabled and active W-IAPs in the Instant network is displayed in the Access Points tab. The W-IAP names are displayed as links. If the Auto Join Mode feature is disabled, the New link is displayed. Click this link to add a new W-IAP to the network. If a W-IAP is configured and not active, its MAC Address is displayed in red.

The expanded view of the Access Points tab displays the following information about each W-IAP:
• Name: Name of the W-IAP. If the W-IAP functions as a master W-IAP in the network, the asterisk sign is displayed next to the W-IAP.
• IP Address: IP address of the W-IAP.
• Mode: Mode of the W-IAP.
  Access: In this mode, the AP serves clients and scans the home channel for spectrum analy
275. e where 11n clients are assigned more airtime than 11a/11g. The 11a/11g clients get more airtime than 11b. The ratio is 16:4:1.
2. Click OK.

In the CLI
(Instant AP)(config)# arm
(Instant AP)(ARM)# air-time-fairness-mode {<Default Access>|<Fair Access>|<Preferred Access>}
(Instant AP)(ARM)# end
(Instant AP)# commit apply

Client Match
The ARM client match feature continually monitors a client's RF neighborhood to provide ongoing client band steering and load balancing, and enhanced AP reassignment for roaming mobile clients. This feature supersedes the legacy band steering and spectrum load balancing features, which, unlike client match, do not trigger W-IAP changes for clients already associated to a W-IAP.

Legacy 802.11a/b/g access points do not support the client match feature. When client match is enabled on 802.11n capable access points, the client match feature overrides any settings configured for the legacy band steering, station hand-off assist, or load balancing features. 802.11ac capable access points do not support the legacy band steering, station hand-off, or load balancing settings, so these access points must be managed using client match.

When the client match feature is enabled on a W-IAP, the W-IAP measures the RF health of its associated clients. In the current release, the client match feature is supported only within a W-IAP cluster. If any of the following trigger conditions is met, cl
276. ear Aircard 341u
• Pantech UML295
• Franklin Wireless u770
• Huawei 3276s-150

Instant supports Universal Plug and Play (UPnP) and DLNA (Digital Living Network Alliance) enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network.

Instant supports customization of Wi-Fi Multimedia to DSCP mapping configuration for upstream and downstream traffic.

Instant supports 802.11k (Radio Resource Management) and 802.11v (BSS Transition Management) standards to improve Quality of Service (QoS) and seamless connectivity.

Instant supports the authentication survivability feature with the EAP-TLS authentication protocol. The authentication survivability feature supports a survivable authentication framework against the remote link failure when working with the external authentication servers.

You can configure zone settings on a W-IAP and an SSID so that the SSID is created on a specific W-IAP in the cluster.

You can customize the port number of the W-AirWave management server through the server_host:server_port format, for example, amp.aruba.com:4343.

The Instant UI provides a graphical representation of the client distribution on an AP, the RSSI details, and the channel availability and utilization metrics.

In this release, you can allow or restrict access to a W-IAP console through the serial port. By default, the console access to an IAP is enabled.

Instant supports the
277. Configuring HTTP Proxy on a W-IAP
Upgrading a W-IAP Using Automatic Image Check
Upgrading to a New Version Manually
Upgrading an Image Using CLI
Backing up and Restoring W-IAP Configuration Data
Viewing Current Configuration
Backing up Configuration Data
Restoring Configuration
Converting a W-IAP to a Remote AP and Campus AP
Regulatory Domain Restrictions for W-IAP to RAP or CAP Conversion
Converting a W-IAP to a Remote AP
Converting a W-IAP to a Campus AP
Converting a W-IAP to Standalone Mode
Converting a W-IAP using CLI
Resetting a Remote AP or Campus AP to a W-IAP
Rebooting the W-IAP
278. ect Enabled to enable blacklisting of the clients with a specific number of authentication failures. Applicable for WLAN SSIDs only.
Accounting mode: Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected. Applicable for WLAN SSIDs only.
Disable if uplink type is: To exclude uplink, select an uplink type.
Encryption: Select Enabled to configure encryption parameters. Applicable for WLAN SSIDs only.
Splash Page Design: Under Splash Page Visuals, use the editor to specify text and colors for the initial page that will be displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type (Internal - Authenticated or Internal - Acknowledged) for which you are customizing the splash page design. Perform the following steps to customize the splash page design:
• To change the color of the splash page, click the Spl
279. (Instant AP)# wifi0-mode {<access>|<monitor>|<spectrum-monitor>}
(Instant AP)# wifi1-mode {<access>|<monitor>|<spectrum-monitor>}

To enable spectrum monitoring for any other band for the 5 GHz radio:
(Instant AP)(config)# rf dot11a-radio-profile
(Instant Access Point)(RF dot11a Radio Profile)# spectrum-band <type>

To view the radio configuration:
(Instant Access Point)# show radio config

2.4 GHz:
Legacy Mode:disable
Beacon Interval:100
802.11d/802.11h:disable
Interference Immunity Level:2
Channel Switch Announcement Count:0
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable

5.0 GHz:
Legacy Mode:disable
Beacon Interval:100
802.11d/802.11h:disable
Interference Immunity Level:2
Channel Switch Announcement Count:0
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
Standalone Spectrum Band:5ghz-upper

Chapter 26 W-IAP Maintenance
This section provides information on the following procedures:
• Upgrading a W-IAP on page 317
• Backing up and Restoring W-IAP Configuration Data on page 319
• Converting a W-IAP to a Remote AP and Campus AP on page 320
• Resetting a Remote AP or Campus AP to a W-IAP on page 325
• Rebooting the W-IAP on page 325

Upgrading a W-IAP
While upgrading a W-IAP
280. ed. This is the default view.
In the Clients tab, click the IP address of the client for which you want to monitor the speed. The client view is displayed.
Study the Speed graph in the RF Trends pane. For example, the graph shows that the data transfer speed at 12:26 hours is 240 Mbps.

To monitor the errors for the client for the last 15 minutes:
Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
In the Clients tab, click the IP address of the client for which you want to monitor the throughput. The client view is displayed.
Study the Throughput graph in the RF Trends pane.

Table 13: Client View RF Trends Graphs and Monitoring Procedures
Description: incoming traffic is displayed in blue. Incoming traffic is shown below the median line. To see an enlarged view, click the graph. The enlarged view shows Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the client for the last 15 minutes. To see the exact throughput at a particular time, move the cursor over the graph line.
Monitoring Procedure: For example, the graph shows 1.0 Kbps outgoing traffic throughput for the client at 12:30 hours.

Mobility Trail
The Mobility Trail section displays the following mobility trail information for the selected client:
• Association Time: The time at which the selected client was
281. edit
2. Click Show advanced options under WLAN Settings.
3. Specify the appropriate DSCP mapping value within a range of 0-63 for the following access categories in the DSCP mapping field:
• Background WMM: DSCP mapping for the background traffic.
• Best effort WMM: DSCP mapping for the best-effort traffic.
• Video WMM: DSCP mapping for the video traffic.
• Voice WMM: DSCP mapping for the voice traffic.
4. Click Next and complete the configuration as required.

In the CLI
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# wmm-background-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-best-effort-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-video-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-voice-dscp <dscp>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply

You can configure up to 8 DSCP mapping values within the range of 0-63. You can also configure a combination of multiple values separated by a comma, for example, wmm-voice-dscp 46,44,42,41.

QoS for Microsoft Office OCS and Apple Facetime
Voice and video devices use a signaling protocol to establish, control, and terminate voice and video calls. These control or signaling sessions are usually permitted using pre-defined ACLs. If the control signaling packets are encrypted, the W-IAP cannot determine the dynamic ports are used for voice or video t
282. Configuring the Default DHCP Scope for Client IP Assignment
Understanding VPN Features
Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Controller
Configuring an IPSec Tunnel
In the Instant UI
Enabling Automatic Configuration of GRE Tunnel
In the Instant UI
Manually Configuring a GRE Tunnel
In the Instant UI
Configuring an L2TPv3 Tunnel
In the Instant UI
Configuring Routing Profiles
In the Instant UI
IAP-VPN Deployment
Understanding IAP-VPN Architecture
IAP-VPN Scalability Limits
283. Configuring a WLAN SSID for Guest Access
Configuring Wired Profile for Guest Access
In the Instant UI
Configuring Internal Captive Portal for Guest Network
Configuring External Captive Portal for a Guest Network
External Captive Portal Profiles
Creating a Captive Portal Profile
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
Configuring External Captive Portal Authentication Using ClearPass Guest
Creating a Web Login page in ClearPass Guest
Configuring RADIUS Server in Instant UI
Configuring Guest Logon Role and Access Rules for Guest Users
In the Instant UI
In the CLI
284. Configuring MAC and 802.1X Authentication for Wired Profiles
In the Instant UI
Configuring MAC Authentication with Captive Portal Authentication
Configuring MAC Authentication with Captive Portal Authentication
In the Instant UI
In the CLI
Configuring WISPr Authentication
In the Instant UI
Blacklisting Clients
Blacklisting Clients Manually
Adding a Client to the Blacklist
In the Instant UI
Blacklisting Users Dynamically
Authentication Failure Blacklisting
In the Instant UI
Uploading Certificates
285. RADIUS Proxy Parameters for Authentication Servers
In the Instant UI
Associate the Authentication Servers with an SSID or Wired Profile
Configuring 802.1X Authentication for a Network Profile
Configuring 802.1X Authentication for a Wireless Network Profile
Configuring 802.1X Authentication for Wired Profiles
Configuring MAC Authentication for a Network Profile
Configuring MAC Authentication for Wireless Network Profiles
In the Instant UI
Configuring MAC Authentication for Wired Profiles
In the Instant UI
Configuring MAC Authentication with 802.1X Authentication
Configuring MAC and 802.1X Authentication for a Wireless Network Profile
286. Integration with Instant
Configuring a W-IAP for PAN integration
In the Instant UI
Integrating a W-IAP with an XML API interface
Integration with Instant
Configuring a W-IAP for XML API integration
CALEA Integration and Lawful Intercept Compliance
CALEA Server Integration
Traffic Flow from IAP to CALEA Server
Traffic Flow from IAP to CALEA Server through VPN
Client Traffic Replication
Configuring a W-IAP for CALEA Integration
Creating a CALEA Profile
In the Instant UI
In the CLI
Creating an Access Rule for CALEA
287. IAP-VPN Forwarding Modes
Local or NAT Mode
L2 Switching Mode
Distributed L2 Mode
Centralized L2 Mode
Distributed L3 mode
Centralized L3 Mode
Configuring W-IAP and Controller for IAP-VPN Operations
Configuring a W-IAP network for IAP-VPN operations
Defining the VPN host settings
Configuring Routing Profiles
Configuring DHCP Profiles
Configuring an SSID or Wired Port
Enabling Dynamic RADIUS Proxy
Configuring Enterprise Domains
Configuring a Controller for IAP-VPN Operations
OSPF Configuration
VPN Configuration
288. el details or the summary of the 5 GHz and 2.4 GHz channels as detected by a spectrum monitor are displayed. You can view the aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference, and the Signal to Noise and Interference Ratio (SNIR). Spectrum monitors display spectrum analysis data seen on all channels in the selected band, and hybrid W-IAPs display data from the one channel they are monitoring. For more information on spectrum monitoring, see Spectrum Monitor on page 309.

Alerts
Alerts are generated when a user encounters problems while accessing or connecting to a network. The alerts that are generated can be categorized as follows:
• 802.11 related association and authentication failure alerts
• 802.1X related mode and key mismatch, server, and client time-out failure alerts
• IP address related failures: Static IP address or DHCP related alerts
The following figure shows the contents of details displayed on clicking the Alerts link:
Figure 22: Alerts Link

The Alerts link displays the following types of alerts:
• Client Alerts
• Active Faults
• Fault History

Table 14: Types of Alerts
Type of Alert | Description | Information Displayed
289. el mode gre <ID>
(host)(config-tunnel)# tunnel source <controller-IP>
(host)(config-tunnel)# tunnel destination <AP-IP>
(host)(config-tunnel)# trusted
(host)(config-tunnel)# tunnel vlan <allowed-VLAN>
Configuring an L2TPv3 Tunnel
The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows a W-IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to the L2TP Network Server (LNS). In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with a W-IAP get their IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel. In this release, L2TPv3 supports the following:
• Instant supports tunnel and session configuration, and uses Control Message Authentication (RFC 3931) for tunnel and session establishment. Each L2TPv3 tunnel supports one data connection, and this connection is termed an L2TPv3 session.
• Each W-IAP supports tunneling over UDP only.
• If the primary LNS is down, it fails over to the backup LNS. L2TPv3 has one tunnel profile, and under this, one primary peer and a backup peer are configured. If the primary tunnel creation fails or if the primary tunnel gets deleted, the backup starts. The following two failover modes are supported:
290. el to the original DNS server of clients. If you are configuring routing profile with split tunnel disabled, you need add to the enterprise domain list.
3. Click OK to apply the changes.
To delete a domain, select the domain and click Delete to remove the domain name from the list.
In the CLI
To configure an enterprise domain:
(Instant AP)(config)# internal-domains
(Instant AP)(domain)# domain-name <name>
(Instant AP)(domain)# end
(Instant AP)# commit apply
Configuring URL Filtering Policies
You can configure URL filtering policies to block certain categories of websites based on your organization specifications by defining ACL rules either through the Instant UI or CLI.
In the Instant UI
1. Navigate to Security > Roles.
2. Select any WLAN SSID or wired profile role, and click New in the Access Rules section. The New Rule window appears.
3. Select the rule type as Access Control.
4. To set an access policy based on the web category:
a. Under Services, select Web category and expand the Web categories drop-down.
Figure 56 New Rule
291. ell as the installed certificate and passphrase. If the W-IAP is using an external RADIUS server, check if there are any issues with the RADIUS server and try connecting again.
Table 15 Alerts list
Type Code | Description | Details | Corrective Actions
100309 | RADIUS server authentication failure | The W-IAP cannot authenticate this client using 802.1X because the RADIUS server rejected the authentication credentials (password and so on) provided by the client. | Ascertain the correct authentication credentials and log in again.
100410 | Integrity check failure in encrypted message | The W-IAP cannot receive data from this client because the integrity check of the received message (MIC) has failed. | Check the encryption setting on the client and on the W-IAP.
100511 | DHCP request timed out | This client did not receive a response to its DHCP request in time. | Check the status of the DHCP server in the network.
IDS
The IDS link displays a list of foreign APs and foreign clients that are detected in the network. It consists of the following sections:
• Foreign Access Points Detected: Lists the APs that are not controlled by the Virtual Controller. The following information is displayed for each foreign AP:
  MAC address: Displays the MAC address of the foreign AP.
  Network: Displays the name of the network to which the foreign AP is connecte
292. enable authentication survivability for a wireless network profile through the UI or CLI.
In the Instant UI
To configure authentication survivability for a wireless network:
1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable authentication survivability and click edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, under Enterprise security settings, select an existing authentication server or create a new server by clicking New.
4. To enable authentication survivability, select Enabled from the Authentication survivability drop-down. On enabling this, the W-IAP authenticates the previously connected clients using EAP-PEAP and EAP-TLS authentication when connection to the external authentication server is temporarily lost.
5. Specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1-99 hours, and the default cache timeout duration is 24 hours.
6. Click Next and then click Finish to apply the changes.
Important Points to Remember
Any client connected through CPPM and authenticated through W-IAP remains authenticated with the W-IAP even if the client is removed from the CPPM server during the CPPM downtime. Do not make any changes to the authentication surviva
293. end
(Instant AP)# commit apply
Configuring Security Settings for a WLAN SSID Profile
The following procedures are described in this section:
• Configuring Security Settings for an Employee or Voice Network on page 99
For information on guest network configuration, see Captive Portal for Guest Access.
If you are creating a new SSID profile, configure the WLAN and VLAN settings before defining security settings. For more information, see Configuring WLAN Settings for an SSID Profile on page 93 and Configuring VLAN Settings for a WLAN SSID Profile on page 97.
Configuring Security Settings for an Employee or Voice Network
You can configure security settings for an employee or voice network by using the Instant UI or CLI.
In the Instant UI
To configure security settings for an employee or voice network:
1. In the Security tab, specify any of the following types of security levels by moving the slider to a desired level:
• Enterprise: On selecting enterprise security level, the authentication options applicable to the enterprise network are displayed.
• Personal: On selecting personal security level, the authentication options applicable to the personalized network are displayed.
• Open: On selecting Open security level, the authentication options applicable to an open network are displayed.
The default security setting for a network profile is Personal.
The following figures show the configuration options for Enterprise Personal and
294. NOTE: AirGroup is not supported on 3G and PPPoE uplinks.
Multicast DNS and Bonjour Services
Bonjour is the trade name for the zero-configuration implementation introduced by Apple. It is supported by most of the Apple product lines, including the Mac OS X operating system, iPhone, iPod Touch, iPad, Apple TV, and AirPort Express. Apple AirPlay and AirPrint services are based on the Bonjour protocol and are essential services in campus Wi-Fi networks. Bonjour can be installed on computers running Microsoft Windows and is supported by the new network-capable printers. Bonjour is also included with popular software programs such as Apple iTunes, Safari, and iPhoto. Bonjour uses multicast DNS (mDNS) to locate devices and the services offered by these devices.
As shown in the following figure, W-IAP1 discovers AirPrint (P1) and W-IAP3 discovers Apple TV (TV1). W-IAP1 advertises information about its connected P1 device to the other W-IAPs, that is, W-IAP2 and W-IAP3. Similarly, W-IAP3 advertises the TV1 device to W-IAP1 and W-IAP2. This type of distributed architecture allows any W-IAP to respond
295. end the control information for setting up a GRE tunnel. When automatic GRE configuration is enabled, a single IPSec tunnel between the W-IAP cluster and the controller, and one or several GRE tunnels, are created based on the Per-AP tunnel configuration on the W-IAP. When this feature is enabled on the W-IAP, no manual configuration is required on the controller to create the GRE tunnel.
Automatic configuration of the GRE tunnel is supported only on Dell controllers. This feature is not supported on controllers running ArubaOS 6.3.x.x or lower versions.
You can configure a W-IAP to automatically set up a GRE tunnel from the W-IAP to the controller by using the Instant UI or CLI.
In the Instant UI
1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed.
2. Select Aruba GRE from the Protocol drop-down list.
3. Enter the IP address or FQDN for the main VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in Figure 65.
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preempt
296. enter Deployment with No Redundancy
This scenario includes the following configuration elements:
• Single VPN primary configuration using IPSec
• Split tunneling of client traffic
• Split tunneling of DNS traffic from clients
• Distributed L3 and Centralized L2 mode DHCP
• RADIUS server within corporate network and authentication survivability for branch survivability
• Wired and wireless users in L2 and L3 modes respectively
• Access rules defined for wired and wireless networks to permit all traffic
Topology
Figure 135 shows the topology and the IP addressing scheme used in this scenario.
Figure 135 Scenario 1 - IPSec: Single Datacenter Deployment with No Redundancy
The following IP addresses are used in the examples for this scenario:
• 10.0.0.0/8 is the corporate network
• 10.20.0.0/16 subnet is reserved for L2 mode
• 10.30.0.0/16 subnet is reserved for L3 mode
• Client count in each branch is 200
AP Configuration
The following table provides information on the configuration steps performed through the CLI with example values. For information on the UI procedures, see the topics referenced in the UI Navigation Details column.
297. entry is created.
Configuring a Destination NAT Access Rule
Instant supports configuration of the destination NAT rule, which can be used to redirect traffic to the specified IP address and destination port. Destination NAT configuration is supported only in the bridge mode without VPN.
You can configure a destination NAT access rule by using the Instant UI or CLI.
In the Instant UI
To configure a destination NAT access rule:
1. Navigate to the WLAN wizard or Wired settings window:
• To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
• To configure access rules for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab.
3. To configure access rules for the network, slide to Network-based. To configure access rules for user roles, slide to Role-based.
4. To create a new rule for the network, click New. To create an access rule for a user role, select the user role and then click New. The New Rule window is displayed.
In the New Rule window:
• Select Access control from the Rule type drop-down list.
• Select destination NAT from the Action drop-down list to allow changes to the source IP address.
• Specify the IP address and port details.
• Select a service from the list of available services.
10. Select the required opti
298. eously supporting existing 802.11a/b/g/n wireless services. For more information about this product, visit dell.com.
W-IAP103
The W-IAP103 wireless access point supports the IEEE 802.11n standard for high-performance WLAN. This access point uses MIMO (Multiple-in, Multiple-out) technology and other high-throughput mode techniques to deliver high-performance 802.11n 2.4 GHz or 5 GHz functionality while simultaneously supporting existing 802.11a/b/g wireless services. For more information about this product, visit dell.com.
NOTE: Check with your local Dell sales representative on device availability for your region.
Chapter 3 Setting up a W-IAP
This chapter describes the following procedures:
• Setting up Instant Network on page 35
• Logging in to the Instant UI on page 37
• Accessing the Instant CLI on page 41
Setting up Instant Network
Before installing a W-IAP:
• Ensure that you have an Ethernet cable of the required length to connect a W-IAP to the home router.
• Ensure that you have one of the following power sources:
  - IEEE 802.3af/at-compliant Power over Ethernet (PoE) source. The PoE source can be any power source equipment (PSE) switch or a midspan PSE device.
  - W-IAP power adapter kit.
Perform the following procedures to set up the Instant network:
1. Connecting a W-IAP on page 35
2. Assigning an IP address to the W-IAP on page 3
299. er in the MAC authentication request, specify a character (for example, colon or dash) as a delimiter for the MAC address string. For example, if you specify the colon as a delimiter, MAC addresses in the XX:XX:XX:XX:XX:XX format are used. If the delimiter is not specified, the MAC address in the XXXXXXXXXXXX format is used.
7. To allow the W-IAP to use uppercase letters in the MAC address string, set Uppercase support to Enabled.
8. Configure other parameters as required.
9. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To configure MAC-address-based authentication with external server:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# mac-authentication-delimiter <delim>
(Instant AP)(SSID Profile <name>)# mac-authentication-upper-case
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-server <server-name2>
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# com
300. (Instant AP)# commit apply
Configuring WISPr Authentication
Instant supports the following smart clients:
• iPass
• Boingo
These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the W-IAP.
WISPr authentication is supported only for the Internal - Authenticated and External - RADIUS Server captive portal authentication. Select the Internal - Authenticated or the External - RADIUS Server option from the Splash page type drop-down list to configure WISPr authentication for a WLAN profile.
You can configure WISPr authentication using the Instant UI or CLI.
In the Instant UI
1. Click the System link at the top right corner of the Instant main window. The System window is displayed.
2. Click Show advanced options.
3. Click WISPr tab. The WISPr tab contents are displayed. The following figure shows the WISPr tab contents.
Figure 47 Configuring WISPr Authentication
4. Enter the ISO Country Code for the WISPr Location ID in the ISO Country Code text box.
5. Enter the E.164 Area Code for the WISPr Location ID in the E.164 Area Code text box.
6. Enter the operator name of the Hotspot in the Operator Name text box.
7. Enter the E.164 Country
301. ermines the duration for which the authentication server would be available if the server is marked as unavailable.
• CPPM Server for AirGroup CoA: To configure a CPPM server used for AirGroup CoA (Change of Authorization), select the CoA only checkbox. The RADIUS server is automatically selected.
Table 34 CPPM Server Configuration Parameters for AirGroup CoA
Parameter | Description
Name | Enter the name of the server.
IP address | Enter the IP address of the server.
Air Group CoA port | Enter a port number for sending AirGroup CoA on a different port than on the standard CoA port. The default value is 5999.
Shared key | Enter a shared key for communicating with the external RADIUS server.
Retype key | Re-enter the shared key.
4. Click OK.
NOTE: The CPPM server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device, including shared user, role, and location.
To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
NOTE: You can also add an external RADIUS server by selecting the New option when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 99 and Configuring Security Settings for a Wired Profile on page 115.
In the CLI
To configure a RADIUS server:
(Instant AP)(config)# wlan auth-server <profil
302. erver
• For Centralized L2 clients, the Virtual Controller bridges the DHCP traffic to the controller over the VPN/GRE tunnel. The IP address is obtained from the DHCP server behind the controller serving the VLAN/GRE of the client. This DHCP assignment mode also allows you to add the DHCP option 82 to the DHCP traffic forwarded to the controller.
• For Centralized L3 clients, the Virtual Controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located either in the corporate or local network. The centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
You can configure a centralized DHCP scope through the Instant UI or CLI.
In the Instant UI
To configure a centralized DHCP scope:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2. To configure a centralized DHCP scope, click New under Centralized DHCP Scopes. The New DHCP Scope window is displayed.
3. To configure a centralized profile, select the profile type as Centralized,L2 or Centralized,L3 and configure the following parameters:
Table 39 Centralized DHCP Mode Configuration Parameters
Name | Description
Name | Enter a name for the DHCP scope.
Type | Set the type as follows: Centralized,L2 for the centralized L2 profile; Centralized,L3 for the centralized L3 profile.
VLAN | Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more informati
303. erver
VC Radius Attributes | Displays information about the RADIUS attributes.
VC Radius Servers | Displays the list of RADIUS servers configured on the W-IAP.
VC Saved Configuration | Displays the configuration details of the Virtual Controller.
VC Scanning Statistics | Displays the scanned information for the W-IAP.
VC SNMP Configuration | Displays the SNMP configuration details of the W-IAP.
VC Uplink 3G/4G Configuration | Displays the 3G/4G cellular configuration information for the W-IAPs managed by the Virtual Controller.
VC Uplink Management Configuration | Displays uplink configuration details for the Virtual Controller.
VC WISPr Configuration | Displays the WISPr configuration details.
NOTE: Use the support commands under the supervision of Dell technical support.
Chapter 28 Hotspot Profiles
This chapter describes the following procedures:
• Understanding Hotspot Profiles on page 338
• Configuring Hotspot Profiles on page 339
• Sample Configuration on page 349
In the current release, Instant supports the hotspot profile configuration only through the CLI.
Understanding Hotspot Profiles
Hotspot 2.0 is a Wi-Fi Alliance specification based on the 802.11u protocol, which allows wireless clients to discover hotspots using management frames (such as beacon, association request, and association response), connect to network
304. erver in the Internet
AP Configuration
The following table provides information on the configuration steps performed through the CLI with example values. For information on the UI procedures, see the topics referenced in the UI Navigation Details column.
Table 73 W-IAP Configuration for Scenario 2 - IPSec: Single Datacenter with Multiple controllers for Redundancy
Configuration Steps | CLI Commands
Configure the primary host for VPN with the Public VRRP IP address of the controller. | (ap)(config)# vpn primary <public VRRP IP of controller>
Configure routing profiles to tunnel traffic through IPSec. | (ap)(config)# routing-profile
 | (ap)(routing-profile)# route 0.0.0.0 0.0.0.0 <public VRRP IP of controller>
Define routing profile exception RADIUS server and W-AirWave IPs, since the design requirement for this solution requires local RADIUS authentication even though the IP matches the routing profile destination. | (ap)(config)# routing-profile
 | (ap)(routing-profile)# route 10.2.2.1 255.255.255.255 0.0.0.0
 | (ap)(routing-profile)# route 10.2.2.2 255.255.255.255 0.0.0.0
 | (ap)(routing-profile)# route 199.127.104.32 255.255.255.255 0.0.0.0
Configure Enterprise DNS. The configuration example in the next column tunnels all DNS queries to the original DNS server of clients without proxying on W-IAP. | (ap)(config)#
Configure centralized L2 and distributed L3 with VLAN 20 and 30 respectively. |
305. ervices link at the top right corner of the Instant main window.
2. Click the Air Group tab. The Air Group tab details are displayed.
Figure 89 AirGroup Configuration
3. To enable support for Bonjour services, select the Enable Bonjour checkbox and select the AirGroup services related to Bonjour as required.
4. To enable DLNA support, select the Enable DLNA checkbox and select the DLNA services.
5. To allow the users to use Bonjour services enabled in a guest VLAN, select Enable Guest Bonjour multicast. When this checkbox is enabled, the Bonjour devices are visible only in the guest VLAN, and AirGroup will not discover or enforce policies in guest VLAN.
6. Select the Enable Air Group across mobility domains checkbox to enable inter-cluster mobility. When enabled, the W-IAP shares the mDNS database information with the other clusters. The DNS records in the Virtual Controller can be shared with the all the Virt
306. es: Displays information about the certificates installed on the W-IAP. You can also upload new certificates and set a passphrase for the certificates. For more information, see Uploading Certificates on page 173.
• Firmware: Displays the current firmware version and provides various options to upgrade to a new firmware version. For more information, see Upgrading a W-IAP on page 317.
• Reboot: Displays the W-IAPs in the network and provides an option to reboot the required access point or all access points. For more information, see Upgrading a W-IAP on page 317.
• Convert: Provides an option to convert a W-IAP to a mobility controller managed Remote AP or Campus AP, or to the default Virtual Controller mode. For more information, see Converting a W-IAP to a Remote AP and Campus AP on page 320.
The following figure shows the default view of the Maintenance window.
Figure 8 Maintenance Window: Default View
More
The More link allows you to select the following options:
• VPN
• IDS
• Wired
• Services
• DHC
307. es legacy firewalls are not able to differentiate valid authorized users from casual social networking users. The Palo Alto next-generation firewall is based on user ID, which provides many methods for connecting to sources of identity information and associating them with firewall policy rules. For example, it provides an option to gather user information from Active Directory or LDAP server.
Integration with Instant
The functionality provided by the PAN firewall based on user ID requires the collection of information from the network. The W-IAP maintains network information, such as the mapping of IP address and user information for its clients in the network, and can provide the required information for the user ID feature on the PAN firewall. Before sending the user ID mapping information to the PAN firewall, the W-IAP must retrieve an API key that will be used for authentication for all APIs.
W-IAP and PAN firewall integration can be seamless with the XML API that is available with PAN-OS 5.0 or later. To integrate a W-IAP with PAN user ID, a global profile is added. This profile can be configured on a W-IAP with PAN firewall information such as IP address, port, user name, password, and firewall enabled or disabled status.
The W-IAP sends messages to PAN based on the type of authentication and client status:
• After a client completes the authentication and is assigned an IP address, the W-IAP will send the login message.
• After a client is disconnected or dissociated from th
308. ess-rule guest
(ap)(Access Rule "guest")# rule any any match any any any permit
NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the W-IAP cluster.
AP Connected Switch Configuration
Client VLANs defined in this example must be opened on the upstream switches in multiple AP deployments, as client traffic from slave to master is tagged with the client VLAN.
Datacenter Configuration
For information on controller configuration, see Configuring a Controller for AP VPN Operations on page 227. Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN.
Scenario 3 - IPSec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy
This scenario includes the following configuration elements:
• Multiple controller deployment model with controllers in different datacenters operating as primary/backup VPN with fast failover and pre-emption enabled
• Split tunneling of traffic
• Split tunneling of client DNS traffic
• Two Distributed L3 mode DHCPs, one each for employee and contractors, and one Local mode DHCP server
• RADIUS server within corporate network and authentication survivability enabled for branch survivability
• Wired and wireless users in L3 and NAT modes respectively
• A
309. b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
c. From the Action drop-down, select Allow or Deny as required.
d. Click OK.
5. To filter access based on the security ratings of the website:
a. Select Web reputation under Services.
b. Move the slider to the required security rating level.
c. From the Action drop-down, select Allow or Deny as required.
6. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling checkbox and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high-risk sites.
Click OK to save the rules.
Click OK in the Roles tab to save the changes to the role for which you defined ACL rules.
In the CLI
To control access based on web categories and security ratings:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webcategory <webgrp> {permit|deny} <option1...option9>
(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webreputation <webrep> {permit|deny} <option1...option9
310. etermine the best path to the mesh portal.
Instant mesh functionality is supported only on dual-radio W-IAPs. On dual-radio W-IAPs, the 5 GHz radio is always used for both mesh backhaul and client traffic, while the 2.4 GHz radio is always used for client traffic.
Mesh service is automatically enabled on the 802.11a band for dual-radio W-IAPs only, and this is not configurable.
For W-IAP-RW variants, the mesh network must be provisioned for the first time by plugging into the wired network. After that, mesh works on W-IAP-RWs like any other regulatory domain.
Mesh Portals
A mesh portal (MPP) is a gateway between the wireless mesh network and the enterprise wired LAN. The mesh roles are automatically assigned based on the W-IAP configuration. A mesh network could have multiple mesh portals to support redundant mesh paths (mesh links between neighboring mesh points that establish the best path to the mesh portal) from the wireless mesh network to the wired LAN.
The mesh portal broadcasts a mesh services set identifier (MSSID/mesh cluster name) to advertise the mesh network service to other mesh points in that Instant network. This is not configurable and is transparent to the user. The mesh points authenticate to the mesh portal and establish a link that is secured using Advanced Encryption Standard (AES) encryption.
The mesh portal reboots after 5 mi
311. eters
POE | Set POE to Enabled to enable Power over Ethernet.
NOTE: The E2 port on W-IAP3WNP supports Power Sourcing Equipment (PSE) to supply power to any compliant 802.3af powered (class 0-4) device. W-IAP155P supports PSE for 802.3af powered device (class 0-4) on one port (E1 or E2), or 802.3at powered DC IN (Power Socket) on two ports (E1 and E2).
Admin Status | Ensure that an appropriate value is selected. The Admin Status indicates if the port is up or down.
Content Filtering | To ensure that all DNS requests to non-corporate domains on this wired network are sent to OpenDNS, select Enabled for Content Filtering.
Uplink | Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled as Uplink port. For more information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 117.
Spanning Tree | Select the Spanning Tree checkbox to enable Spanning Tree Protocol (STP) on the wired profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on W-IAPs with three or more ports. By default, Spanning Tree is disabled on wired profiles.
4. Click Next. The VLAN tab details are displayed.
5. Configure VLAN for the wired profile. For more informati
312. etherlands, Norway, New Zealand, Panama, Peru, Philippines, Islamic Republic of Pakistan, Poland, Puerto Rico, Saudi Arabia, Singapore, Slovenia, Slovak Republic
     Specifying Country Code
     This procedure is applicable to the W-IAP RW (Rest of World) variants only. Skip this step if you are installing W-IAP in the United States and Japan.
     The Country Code window is displayed for the W-IAP RW (Rest of World) variants when you log in to the UI for the first time. You can specify a country code by selecting an appropriate option from the Please Specify the Country Code drop-down list.
     Figure 2: Specifying a Country Code
     For the complete list of the country codes supported by the W-IAP RW variant type, see Country Code on page 38.
     Accessing the Instant CLI
     Instant supports the use of Command Line Interface (CLI) for scripting purposes. When you make configuration changes on a master W-IAP in the CLI, all associated W-IAPs in the cluster inherit these changes and subsequently update their configurations. By default, you can access the CLI from the serial port or from an SSH session. You must explicitly enable Telnet access on the W-IAP to access the CLI through a Telnet session. For information on enabling SSH and Telnet acce
313. ets are optional. Do not type the brackets.
     {Item A | Item B}: In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.
     The following informational icons are used throughout this guide:
     NOTE: Indicates helpful suggestions, pertinent information, and important things to remember.
     CAUTION: Indicates a risk of damage to your hardware or loss of data.
     WARNING: Indicates a risk of personal injury or death.
     Contacting Dell
     Table 2: Support Information
     Contact Information: dell.com/contactdell
     Support Website: dell.com/support
     Documentation Website: dell.com/support/manuals
     Chapter 2: About Instant
     This chapter provides the following information:
     - Instant Overview
     - What is New in Instant 6.4.0.2-4.1
     Instant Overview
     Instant virtualizes Dell Networking W-Series Mobility Controller capabilities on 802.11 access points (APs), creating a feature-rich, enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. Instant is a simple, easy to deploy, turn-key WLAN solution consisting of one or more APs. An Ethernet port with routable connectivity to the Internet or a self-enclosed network is used for dep
314. example eth matches Eth but not Ethernet.
     Matches the declared element multiple times if it exists. For example, eth matches all occurrences of eth, such as Eth, Ethernet, Eth0, and so on.
     Operator / Description (continued):
     Matches the declared element one or more times. For example, aa matches occurrences of aa and aaa.
     Matches nested characters. For example, 192 matches any number of the character string 192.
     Matches the character patterns on either side of the vertical bar. You can use this expression to construct a series of options.
     Matches the beginning of the word. For example, <wire matches wired, wireless, and so on.
     Matches the end of the word. For example, >list matches blacklist, whitelist, and so on.
     Where n is an integer. Matches the declared element exactly the n times. For example, 2 link matches uplink but not downlink.
     Where n is an integer. Matches the declared element at n times. For example, 2 ink matches downlink but not uplink.
     For information on how to use regular expressions in role and VLAN derivation rules, see the following topics:
     - Configuring VLAN Derivation Rules on page 196
     - Creating a Role Derivation Rule on page 193
     Configuring a User Role for VLAN Derivation
     This section describes the following procedures:
     - Creating a User VLAN Role on page 199
     - Assigning User VLAN Roles to a Network Profile
315. f Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches back to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
     c. To allow the W-IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately, select Enabled from the Fast failover drop-down list. When fast failover is enabled and if the primary tunnel fails, the W-IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
     d. To disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary, set Reconnect user on failover to Enabled.
     e. To configure an interval during which the wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect time on failover, within a range of 30-900 seconds. By default, the reconnection duration is set to 60 seconds.
     f. Specify a value in seconds for Secs between test packets. Based on the configured frequency, the W-IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the W-IAP sends one packet to the controller every 5 seconds.
     g. Enter a value for Max allowed test packet loss to define a number for lost packets, after whic
316. f whether content filtering is disabled or enabled, the DNS requests to instant.dell-pcw.com are always resolved internally on Instant. The content filtering configuration applies to all W-IAPs in the network, and the service is enabled or disabled globally across the wireless or wired network profiles.
     Enabling Content Filtering
     This section describes the following procedures:
     - Enabling Content Filtering for a Wireless Profile on page 187
     - Enabling Content Filtering for a Wired Profile
     Enabling Content Filtering for a Wireless Profile
     To enable content filtering for a wireless SSID, perform the following steps:
     In the Instant UI
     1. Select a wireless profile in the Networks tab and then click the edit link. The window for editing the WLAN SSID profile is displayed.
     2. Click Show advanced options.
     3. Select Enabled from the Content Filtering drop-down list and click Next to continue.
     You can also enable content filtering while adding a new wireless profile. For more information, see Configuring WLAN Settings for an SSID Profile on page 93.
     In the CLI
     To enable content filtering on a WLAN SSID:
     (Instant AP)(config)# wlan ssid-profile <name>
     (Instant AP)(SSID Profile <name>)# content-filtering
     (Instant AP)(SSID Profile <name>)# end
     (Instant AP)# commit apply
     Enabling Content Filtering for a Wired Profile
     To enable content filtering for a wired profile, perform the following steps:
     In the Instant UI
     1. C
317. fig)# wlan ssid-profile <name>
     (Instant AP)(SSID Profile <name>)# set-role-by-ssid
     (Instant AP)(SSID Profile <name>)# end
     (Instant AP)# commit apply
     To configure role assignment rules:
     (Instant AP)(config)# wlan ssid-profile <name>
     (Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <role>|value-of}
     (Instant AP)(SSID Profile <name>)# end
     (Instant AP)# commit apply
     To configure a pre-authentication role:
     (Instant AP)(config)# wlan ssid-profile <name>
     (Instant AP)(SSID Profile <name>)# set-role-pre-auth <pre-authentication-role>
     (Instant AP)(SSID Profile <name>)# end
     (Instant AP)# commit apply
     To configure machine and user authentication roles:
     (Instant AP)(config)# wlan ssid-profile <name>
     (Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
     (Instant AP)(SSID Profile <name>)# end
     (Instant AP)# commit apply
     To configure unrestricted access:
     (Instant AP)(config)# wlan ssid-profile <name>
     (Instant AP)(SSID Profile <name>)# set-role-unrestricted
     (Instant AP)# commit apply
     Example
     (Instant AP)(SSID Profile <name g
318. figuration of firewall rules and management subnets, and restricting corporate access through an uplink switch. To allow flexibility in firewall configuration, Instant supports the following features:
     - Inbound firewall rules
     - Configurable management subnets
     - Restricted corporate access
     Configuring Inbound Firewall Rules
     You can now configure firewall rules for the inbound traffic coming through the uplink ports of a W-IAP. The rules defined for the inbound traffic are applied if the destination is not a user connected to the W-IAP. If the destination already has a user role assigned, the user role overrides the actions or options specified in inbound firewall configuration. However, if a deny rule is defined for the inbound traffic, it is applied irrespective of the destination and user role. Unlike the ACL rules in a WLAN SSID or wired profile, the inbound firewall rules can be configured based on the source subnet.
     For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default.
     Management access to the AP is allowed irrespective of the inbound firewall rule. For more information on configuring restricted management access, see Configuring Management Subnets on page 185.
     The inbound firewall is not applied to traffic coming through GRE tunnel.
     You can configure inbound firewall rules through the Instant UI or CLI.
     In the Instant UI
319. figure an NTP server:
     (Instant AP)(config)# ntp-server <name>
     (Instant AP)(config)# end
     (Instant AP)# commit apply
     To check the NTP status and association, run the show clock and show process commands.
     Enabling AppRF Visibility
     If your W-IAP supports the AppRF feature, you can enable AppRF visibility to view the AppRF statistics for a W-IAP or the clients associated with a W-IAP. For more information on the procedure for enabling AppRF visualization, see Enabling Application Visibility on page 241.
     Changing Password
     You can update your password details by using the Instant UI or the CLI.
     In the Instant UI
     1. Navigate to System > Admin.
     2. Under Local, provide a new password that you would like the admin users to use.
     3. Click OK.
     In the CLI
     To change password for the admin user:
     (Instant AP)(config)# mgmt-user <username> [password]
     (Instant AP)(config)# end
     (Instant AP)# commit apply
     Additional Configuration Tasks
     This section describes the following additional tasks that can be performed after a W-IAP is set up:
     - Configuring Virtual Controller VLAN on page 78
     - Configuring Auto Join Mode on page 79
     - Configuring Terminal Access on page 80
     - Configuring Console Access on page 80
     - Configuring LED Display on page 81
     - Configuring Additional WLAN SSIDs on page 81
     - Preventing Inter-user Bridging on page 82
     - Preven
320. Parameters / Description
     Band: Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.
     Inactivity timeout: Specify a timeout interval. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. The minimum value is set to 60 seconds and the default value is 1000 seconds.
     Select the checkbox if you do not want the SSID (network name) to be visible to users.
     Disable SSID: Select the checkbox to disable the SSID. On selecting this checkbox, the SSID is disabled but not removed from the network. By default, all SSIDs are enabled.
     Can be used without Uplink: Select the checkbox if you do not want the SSID users to use uplink.
     Max clients threshold: Specify the maximum number of clients that can be configured for each BSSID on a WLAN in the text box. You can specify a value within the range of 0 to 255. The default value is 64.
     Local probe request threshold: Specify a threshold value in the Local probe request threshold text box to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests if required. You can specify a Received signal strength indication (RSSI) value within range of 0 to 100 cB
321. for a network peripheral or element.
     Daylight saving time (DST), also known as summer time, is the practice of advancing clocks so that evenings have more daylight and mornings have less. Typically, clocks are adjusted forward one hour near the start of spring and are adjusted backward in autumn.
     EAP: Extensible authentication protocol (EAP) refers to the authentication protocol in wireless networks that expands on methods used by the point-to-point protocol (PPP), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.
     Table 77: List of Terms (continued)
     fixed wireless: Wireless devices or systems in fixed locations such as homes and offices. Fixed wireless devices usually derive their electrical power from the utility mains, unlike mobile wireless or portable wireless, which tend to be battery-powered. Although mobile and portable systems can be used in fixed locations, efficiency and bandwidth are compromised compared with fixed systems.
     frequency allocation: Use of radio frequency spectrum regulated by governments.
     frequency spectrum: Part of the electromagnetic spectrum.
     hotspot: A WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A b
322. form the following steps to add a W-IAP to the network:
     1. In the Access Points tab, click the New link. The New Access Point window is displayed.
     2. In the New Access Point window, enter the MAC address for the new W-IAP.
     3. Click OK.
     Removing a W-IAP from the Network
     You can remove a W-IAP from the network only if the Auto Join Mode feature is disabled. To remove a W-IAP from the network:
     1. In the Access Points tab, click the W-IAP to delete. The x icon is displayed against the W-IAP.
     2. Click x to confirm the deletion.
     NOTE: The deleted W-IAPs cannot join the Instant network anymore and are no longer displayed in the Instant UI. However, the master W-IAP details cannot be deleted from the Virtual Controller database.
     Chapter 7: VLAN Configuration
     VLAN configuration is required for networks with more devices and broadcast traffic on a WLAN SSID or wired profile. Based on the network type and its requirements, you can configure the VLANs for a WLAN SSID or wired port profile. For more information on VLAN configuration for a WLAN SSID and wired port profile, see Configuring VLAN Settings for a WLAN SSID Profile on page 97 and Configuring VLAN for a Wired Profile on page 114.
     VLAN Pooling
     In a single W-IAP cluster, a large number of clients can be assigned to the same VLAN. Using the same VLAN for multiple clients
323. formation on:
     - Configuring access rules to control access to network services, see Configuring Access Rules for Network Services on page 177.
     - Configuring access rules based on web categories and web reputation, see Configuring Web Policy Enforcement on page 249.
     In the Instant UI
     To configure ACL rules for a user role:
     1. Navigate to Security > Roles tab. The Roles tab contents are displayed. You can also configure access rules for a wired or wireless client through the WLAN wizard (Network tab > WLAN SSID > Edit > Edit WLAN > Access) or the Wired profile (More > Wired > Edit > Edit Wired Network > Access) window.
     2. Select the role for which you want to configure access rules.
     3. In Access rules section, click New to add a new rule. The New Rule window is displayed.
     4. Ensure that the rule type is set to Access Control.
     5. To configure access to applications or application category, select a service category from the following list:
        - Application
        - Application category
     Configuring access rules based on application and application category is not supported on W-IAP104/105, W-IAP134/135, and W-IAP3WN/3WNP platforms.
     6. Based on the selected service category, configure the following parameters:
     Table 49: Access Rule Configuration Parameters
     Service Category: Application: Select the application
324. g clients and allows clients to send queries to multiple 802.11 networks in parallel.
     An AP can include its service provider Organization Identifier (OI), indicating the service provider identity, in beacons and probe responses to clients. When a client recognizes a W-IAP's OI, it attempts to associate to that W-IAP using the security credentials corresponding to that service provider. If the client does not recognize the AP's OI, the client sends a Generic Advertisement Service (GAS) query to the W-IAP to request more information about the network before associating. A client transmits a GAS Query using a GAS Initial Request frame, and the W-IAP provides the query response, or information on how to receive the query response, in a GAS Initial Response frame. To transmit a GAS query for any advertisement protocol, the advertisement protocol ID must include the advertisement protocol information element with information about the advertisement protocol and its corresponding advertisement control.
     Access Network Query Protocol (ANQP)
     ANQP provides a range of information, such as IP address type and availability, roaming partners accessible through a hotspot, and the Extensible Authentication Protocol (EAP) method supported for authentication, for a query and response protocol. The ANQP Information Elements (IEs) provide additional data that can be sent from a W-IAP to the cl
325. g procedures:
     1. Configuring Wired Settings on page 112
     2. Configuring VLAN for a Wired Profile on page 114
     3. Configuring Security Settings for a Wired Profile on page 115
     4. Configuring Access Rules for a Wired Profile on page 116
     For information on creating a wired profile for guest network, see Captive Portal for Guest Access.
     Configuring Wired Settings
     You can configure wired settings for a wired profile by using the Instant UI or CLI.
     In the Instant UI
     1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
     2. Click New under Wired Networks. The New Wired Network window is displayed. The following figure shows the contents of the Wired Settings tab:
     Figure 38: New Wired Network Window: Wired Settings Window
     3. Click the Wired Settings tab and enter the following information:
        a. Name: Specify a name for the profile.
        b. Primary Usage: Select Employee or Guest.
        c. Speed/Duplex: Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex param
326. g the Instant UI or CLI.
     In the Instant UI
     To configure restricted corporate access:
     1. Navigate to Security > Inbound Firewall. The Inbound Firewall tab contents (see Figure 55) are displayed.
     2. Select Enabled from the Restrict Corporate Access.
     3. Click OK.
     In the CLI
     To configure restricted management access:
     (Instant AP)(config)# restrict-corp-access
     (Instant AP)(config)# end
     (Instant AP)# commit apply
     Content Filtering
     The content filtering feature allows you to route DNS requests to the OpenDNS platform and create content filtering policies.
     With content filter, you can:
     - Allow all DNS requests to the non-corporate domains on a wireless or wired network to be sent to the OpenDNS server. When the OpenDNS credentials are configured, the W-IAP uses these credentials to access OpenDNS to provide enterprise-level content filtering. For more information, see Configuring OpenDNS Credentials on page 266.
     - Block certain categories of websites based on your organization policy. For example, if you block the web-based-email category, clients who are assigned this policy will not be able to visit email-based websites such as mail.yahoo.com.
     - Prevent known malware hosts from accessing your wireless network.
     - Improve employee productivity by limiting access to certain websites.
     - Reduce bandwidth consumption significantly.
     Regardless o
327. NOTE: g these W-IAPs.
     Rebooting the W-IAP
     If you encounter any problem with the W-IAPs, you can reboot all W-IAPs or a selected W-IAP in a network using the Instant UI. To reboot a W-IAP:
     1. Click the Maintenance link. The Maintenance window is displayed.
     2. Click the Reboot tab.
     Figure 124: Rebooting the W-IAP
     3. In the W-IAP list, select the W-IAP that you want to reboot and click Reboot selected Access Point. To reboot all the W-IAPs in the network, click Reboot All.
     4. The Confirm Reboot for AP message is displayed. Click Reboot Now to proceed. The Reboot in Progress message is displayed, indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete. If the system fails to boot, the Unable to contact Access Points after reboot was initiated message is displayed.
     5. Click OK.
     Chapter 27: Monitoring Devices and Logs
     This chapter provides the following information:
     - Configuring SNMP on page 327
     - Configuring a Syslog Server on page 330
     - Configuring TFTP Dump Server on page 332
     - Running Debug Commands from the UI on page 333
328. gate to the Maintenance > Configuration page.
     2. Click Backup Configuration.
     3. Click Continue to confirm the backup. The instant.cfg containing the W-IAP configuration data is saved in your local file system.
     4. To view the configuration that is backed up by the W-IAP, enter the following command at the command prompt:
     (Instant AP)# show backup-config
     Restoring Configuration
     To restore configuration:
     1. Navigate to the Maintenance > Configuration page.
     2. Click Restore Configuration.
     3. Click Browse to browse your local system and select the configuration file.
     4. Click Restore Now.
     5. Click Restore Configuration to confirm restoration. The configuration is restored and the W-IAP reboots to load the new configuration.
     Converting a W-IAP to a Remote AP and Campus AP
     This section provides the following information:
     - Regulatory Domain Restrictions for W-IAP to RAP or CAP Conversion on page 320
     - Converting a W-IAP to a Remote AP on page 322
     - Converting a W-IAP to a Campus AP on page 323
     - Converting a W-IAP to Standalone Mode on page 324
     - Converting a W-IAP using CLI on page 325
     Regulatory Domain Restrictions for W-IAP to RAP or CAP Conversion
     You can provision a W-IAP as a Campus AP or a Remote AP in a controller-based network. Before converting a W-IAP, ensure that there is a regulatory domain match between the W-IAP and controller.
     The fol
329. gon Role and Access Rules for Guest Users
     For captive portal profile, you can create any of the following types of roles:
     - A pre-authenticated role: This role is assigned before the captive portal authentication. The user can only access certain destinations with this role.
     - A guest role: This role is assigned after user authentication.
     - A captive-portal role: This role can be assigned to any network, such as employee, voice, or guest. When the user is assigned with this role, a splash page is displayed after opening a browser and the users may need to authenticate.
     You can configure up to 128 access rules for guest user roles through the Instant UI or CLI.
     In the Instant UI
     To configure roles and access rules for the guest network:
     1. In the Access Rules tab, set the slider to any of the following types of access control:
        - Unrestricted: Select this to set unrestricted access to the network.
        - Network-based: Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an access rule:
          a. Click New.
          b. Select appropriate options in the New Rule window.
          c. Click OK.
        - Role-based: Select Role-based to enable access based on user roles. For role-based access control: Create a user role if required
330. group
     (Instant AP)(config)# enable mdns-only
     (Instant AP)(airgroup)# end
     (Instant AP)# commit apply
     To configure AirGroup Service:
     (Instant AP)(config)# airgroupservice <airgroup-service>
     (Instant AP)(airgroup-service)# id <airgroupservice-ID>
     (Instant AP)(airgroup-service)# description <text>
     (Instant AP)(airgroup-service)# disallow-role <role>
     (Instant AP)(airgroup-service)# disallow-vlan <vlan-ID>
     (Instant AP)(airgroup-service)# end
     (Instant AP)# commit apply
     To verify the AirGroup configuration status:
     (Instant AP)# show airgroup status
     Configuring AirGroup and CPPM interface in Instant
     Configure the Instant and CPPM interface to allow an AirGroup W-IAP and CPPM to exchange information regarding device sharing and location. The configuration options define the RADIUS server that is used by the AirGroup RADIUS client.
     The AirGroup configuration with CPPM involves the following steps:
     1. Create a RADIUS service
     2. Assign a Server to AirGroup
     3. Configure CPPM to Enforce Registration
     Creating a RADIUS Server
     You can configure an external RADIUS Security window. For more information on configuring the CPPM server, see Configuring an External Server for Authentication on page 157. You can also create a RADIUS server in the AirGroup window. Navigate to Services > AirGroup > Clear Pass Settings > CPP
331. >
     (Instant AP)(Access Rule <access-rule>)# end
     (Instant AP)# commit apply
     Example
     (Instant AP)(config)# wlan access-rule URLFilter
     (Instant AP)(Access Rule URLFilter)# rule any any match webcategory gambling deny
     (Instant AP)(Access Rule URLFilter)# rule any any match webcategory training-and-tools permit
     (Instant AP)(Access Rule URLFilter)# rule any any match webreputation trustworthy-sites permit
     (Instant AP)(Access Rule URLFilter)# rule any any match webreputation suspicious-sites deny
     (Instant AP)(Access Rule URLFilter)# end
     (Instant AP)# commit apply
     Configuring User Roles
     Every client in the Instant network is associated with a user role, which determines the client's network privileges, the frequency of reauthentication, and the applicable bandwidth contracts.
     Instant allows you to configure up to 32 user roles. If the number of roles exceeds 32, an error message is displayed.
     The user role configuration on a W-IAP involves the following procedures:
     - Creating a User Role on page 190
     - Assigning Bandwidth Contracts to User Roles on page 190
     - Configuring Machine and User Authentication Roles on page 191
     Creating a User Role
     You can create a user role by using the Instant UI or CLI.
     In the Instant UI
     To create a user role:
     Click Security at the top right corner of the Instant main window. The Se
332. >
     (Instant AP)(External Captive Portal)# https
     (Instant AP)(External Captive Portal)# redirect-url <url>
     (Instant AP)(External Captive Portal)# server-fail-through
     (Instant AP)(External Captive Portal)# no auto-whitelist-disable
     (Instant AP)(External Captive Portal)# end
     (Instant AP)# commit apply
     Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
     You can configure external captive portal authentication for a network profile when adding or editing a guest network using the Instant UI or CLI.
     In the Instant UI
     1. Navigate to the WLAN wizard or Wired window.
        - To configure external captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
        - To configure external captive portal authentication for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
     2. In the Security tab, select External from the Splash page type drop-down list.
     3. From the captive portal profile drop-down list, select a profile. You can select a default profile or an already existing profile, or click New and create a new profile.
     4. Configure the following parameters based on the type of splash page you selected:
     Table 26: External Ca
333. gured on the W-IAP.
     AP Inbound Firewall Rules: Displays inbound firewall rules configured on the W-IAP.
     AP Active: Displays the list of active APs in Instant network.
     AP Airgroup Cache: Displays the Bonjour Multicast DNS (mDNS) records for the W-IAP.
     AP Airgroup CPPM Entries: Displays the AirGroup CPPM policies of the registered devices.
     AP Airgroup CPPM Servers: Displays the AirGroup CPPM server information.
     AP Airgroup Debug Statistics: Displays the debug statistics for the W-IAP.
     AP Airgroup Servers: Displays information about the Bonjour devices which support AirPrint and AirPlay services for the W-IAP.
     AP Airgroup User: Displays the IP/MAC address, device name, VLAN, and type of connection of the Bonjour devices for the W-IAP.
     AP Allowed Channels: Displays information of the allowed channels for the W-IAP.
     AP Allowed MAX-EIRP: Displays information on the maximum EIRP settings that can be configured on a W-IAP serving in a specific regulatory domain.
     AP All Supported Timezones: Displays all the supported time zones of Instant.
     AP ARM Bandwidth Management: Displays bandwidth management information for the W-IAP.
     AP ARM Channels: Displays ARM channel details for the W-IAP.
     AP ARM Configuration: Displays ARM configuration details for the W-IAP.
     AP ARM History: Displays the channel history and power changes due to Adaptive Radio Management (ARM) for the W-IAP.
     AP ARM Neighbors: Displays the ARM neighbors of the W-IAP.
     AP ARM
334. guring Restricted Access to Corporate Network
        In the Instant UI
        In the CLI
     Content Filtering
       Enabling Content Filtering
         Enabling Content Filtering for a Wireless Profile
           In the Instant UI
           In the CLI
         Enabling Content Filtering for a Wired Profile
           In the Instant UI
           In the CLI
       Configuring Enterprise Domains
           In the Instant UI
           In the CLI
       Configuring URL Filtering Policies
           In the Instant UI
           In the CLI
           Example
     Configuring User Roles
       Creating a User Role
           In the Instant UI
           In the CLI
       Assigning Bandwidth Contracts to User Roles
           In the Instant UI
           In the CLI
335. guring a Controller for IAP-VPN Operations on page 227.
The following OSPF configuration is required on the controller to redistribute IAP-VPN routes to upstream routers:
(host)(config) # router ospf
(host)(config) # router ospf router-id <ID>
(host)(config) # router ospf area 0.0.0.0
(host)(config) # router ospf redistribute rapng-vpn
Scenario 4: GRE Single Datacenter Deployment with No Redundancy
This scenario includes the following configuration elements:
• Single VPN primary configuration using GRE:
    Aruba GRE does not require any configuration on the Dell Networking W-Series Mobility Controller that acts as a GRE endpoint.
    Manual GRE, which requires GRE tunnels to be explicitly configured on the GRE endpoint that can be a Dell Networking W-Series Mobility Controller or any device that supports GRE termination.
• Tunneling of all traffic to datacenter
• Centralized L2 mode DHCP profile
• RADIUS server within corporate network and authentication survivability for branch survivability
• Wired and wireless users in L2 mode
• Access rules defined for wired and wireless networks to permit all traffic
Topology
Figure 138 shows the topology and the IP addressing scheme used in this scenario.
Figure 138: Scenario 4: GRE Single Datacenter Deployment with No Redundancy
336. h: Select Enabled to enable the Client match feature on APs. When enabled, client count will be balanced among all the channels in the same band. For more information, see ARM Overview on page 232. By default, the client match feature is disabled.
NOTE: When client match is enabled, ensure that Scanning is enabled.
CM calculating interval: Specify a value for the calculating interval of Client match. The value specified for CM calculating interval determines the interval at which client match is calculated. The interval is specified in seconds and the default value is 30 seconds. You can specify a value within the range of 10-600.
CM neighbor matching: Specify a value for CM neighbor matching. This number takes into account the least similarity percentage to be considered as in the same virtual RF neighborhood of client match. You can specify a percentage value within the range of 20-100. The default value is 75.
CM threshold: Specify a value for CM threshold. This number takes acceptance client count difference among all the channels of Client match into account. When the client load on an AP reaches or exceeds the threshold in comparison, client match is enabled on that AP. You can specify a value within range of 1-255. The default value is 2.
SLB mode: Select a mode from the SLB mode drop-down list. The SLB mode determines the balancing strategy for client match. The following options are available:
• Channel
• Radio
• Channel + Radio
337. h the W-IAP can determine that the VPN connection is unavailable. The default value is 2.
Figure 64: IPSec Configuration
6. Click Next to create routing profiles.
When the IPsec tunnel configuration is completed, the packets that are sent from and received by a W-IAP are encrypted.
In the CLI
To configure an IPSec VPN tunnel:
(Instant AP)(config)# vpn primary <name>
(Instant AP)(config)# vpn backup <name>
(Instant AP)(config)# vpn fast-failover
(Instant AP)(config)# vpn hold-time <seconds>
(Instant AP)(config)# vpn preemption
(Instant AP)(config)# vpn monitor-pkt-send-freq <frequency>
(Instant AP)(config)# vpn monitor-pkt-lost-cnt <count>
(Instant AP)(config)# vpn reconnect-user-on-failover
(Instant AP)(config)# vpn reconnect-time-on-failover <down_time>
(Instant AP)(config)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# vpn primary 192.0.2.18
(Instant AP)(config)# vpn backup 192.0.2.18
(Instant AP)(config)# vp
338. he Open security level, no encryption settings are required.
Table 21: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
Parameter: Load balancing, Reauth interval, Blacklisting, Accounting, Authentication survivability, MAC authentication
Security level: Enterprise security level; Enterprise, Personal, and Open security levels
Description:
• RADIUS Server, LDAP Server, CPPM Server for AirGroup CoA. For information on configuring external servers, see Configuring an External Server for Authentication on page 157.
To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see Managing W-IAP Users on page 140.
If an external server is selected, you can also configure another authentication server.
Load balancing: Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers on page 154.
Reauth interval: Specify a value for Reauth interval. When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients.
Blacklisting: To enable blacklisting of the clients with a specific number of authentication failures, select Enabled fro
339. he following procedures:
• Configuring an External Server for Authentication on page 157
• Configuring Dynamic RADIUS Proxy Parameters on page 161
Configuring an External Server for Authentication
You can add an external RADIUS server, LDAP server, CPPM server for AirGroup or CoA through the Instant UI or CLI.
NOTE: In 6.4.0.2-4.1 release, you can configure TACACS server for authenticating management users. For more information on management users and TACACS server based authentication, see Configuring Authentication Parameters for Management Users.
In the Instant UI
To configure an authentication server:
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A window for specifying details for the new server is displayed. The following figure shows the parameters to configure for a new RADIUS authentication server configuration.
Figure 46: New Authentication Server Window (server types: RADIUS, LDAP, TACACS, CoA only; fields: Name, IP address, Auth port, Accounting port, Shared key, Retype key, Timeout, Retry count, RFC 3576 (Disabled), NAS IP address, NAS identifier, Dead time, DRP IP, DRP Mask, DRP VLAN, DRP Gateway)
3. Configure any of the following types of server:
• RADIUS Server: To configure a RA
340. he selected command for a specific W-IAP or all W-IAPs and view logs.
• Auto Run: Allows you to configure a schedule for automatic execution of a support command for a specific W-IAP or all W-IAPs.
• Filter: Allows you to filter the contents of a command output.
• Clear: Clears the command output displayed after a command is executed.
• Save: Allows you to save the support command logs as an HTML or text file.
For more information on support commands, see Running Debug Commands from the UI on page 333.
The following figure shows the Support window.
Figure 15: Support Window
Help
The Help link allows you to view a short description or definition of selected terms and fields in the UI windows or dialogs.
To activate the context-sensitive help:
1. Click the Help link at the top right corner of Instant main window.
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.
Logout
The Logout link allows you to log out of the Instant UI.
Monitoring
The Monitoring link displays the Monitoring pane for the Instant network. Use the down arrow located to the right side of these links to compress or expand the monitoring pane. The monitoring pane consists of the f
341. hed after every 15 seconds by default. When the automatic refreshing is paused, the Pause link changes to Resume. Click the Resume link to resume automatic refreshing. Automatic refreshing allows you to get the latest information about the network and network elements. You can use the Pause link when you want to analyze or monitor the network or a network element and therefore do not want the user interface to refresh.
Views
Depending on the link or tab that is clicked, the Instant displays information about the Virtual Controller, Wi-Fi networks, W-IAPs, or the clients in the Info section. The views on the Instant main window are classified as follows:
• Virtual Controller view: The Virtual Controller view is the default view. This view allows you to monitor the Instant network. The following Instant UI elements are available in this view:
    Tabs: Networks, Access Points, and Clients. For detailed information about the tabs, see Tabs on page 45.
    Links: Monitoring, Client Alerts, and IDS. The Spectrum link is visible if you have configured the W-IAP as a spectrum monitor. These links allow you to monitor the Instant network. For more information about these links, see Monitoring on page 57, IDS on page 71, Alerts on page 67, and Spectrum Monitor on page 309.
• Network view: The Network view provides information that is necessary to monitor a selected wireless network. All Wi-Fi networks in
342. her URL.
Captive Portal failure: This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access Internet when the external captive portal server is not available.
Automatic URL Whitelisting: Select Enabled or Disabled to enable or disable automatic whitelisting of URLs. On selecting the checkbox for the external captive portal authentication, the URLs allowed for the unauthenticated users to access are automatically whitelisted. The automatic URL whitelisting is disabled by default.
Auth Text: Indicates the authentication text returned by the external server after a successful user authentication.
6. Click OK. The enforce captive portal rule is created and listed as an access rule.
7. Create a role assignment rule based on the user role to which the captive portal access rule is assigned.
8. Click Finish.
The client can connect to this SSID after authenticating with username and password. After a successful user login, the captive portal role is assigned to the client.
In the CLI
To create a captive portal role:
(Instant AP)(config)# wlan access-rule <Name>
(Instant AP)(Access Rule <Name>)# captive-portal {external [profile <name>]|internal}
(Instant AP)(Access Rule <Name>)# end
(Instant AP)# commit apply
343. hernet and the VPN connection is down, the W-IAP tries to reconnect to VPN. The retry time depends on the fast failover configuration and the primary or backup VPN tunnel. If this fails, the W-IAP waits for the VPN failover timeout and selects a different uplink such as 3G/4G or Wi-Fi.
If the current uplink is 3G or Wi-Fi and Ethernet has a physical link, the W-IAP periodically suspends user traffic to try and connect to the VPN on the Ethernet. If the W-IAP succeeds, the W-IAP switches to Ethernet. If the W-IAP does not succeed, it restores the VPN connection to the current uplink.
Uplink switching based on VPN status is automatically enabled if VPN is configured on the W-IAP. However, you can specify the duration in VPN failover timeout field to wait for an uplink switch. By default, this duration is set to 180 seconds. The W-IAP monitors the VPN status, and when the VPN connection is not available for 3 minutes, the uplink switches to another available connection (if a low priority uplink is detected and the uplink preference is set to none). When VPN failover timeout is set to 0, uplink does not switch over.
When uplink switching based on the Internet availability is enabled, the uplink switching based on VPN failover is automatically disabled.
Switching Uplinks Based on Internet Availability
You can configure Instant to switch uplinks based on Internet availability. When the uplink switchover based on Internet availability is enabled, the W-IAP co
344. hin the range of 0 to 63. To assign a higher priority, specify a higher value.
• 802.1p priority: Select the 802.1p priority checkbox to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
6. Click OK and then click Finish.
In the CLI
To configure access rules:
(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match/invert> <protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat {<IP-address> <port>|<port>}} [<option1...option9>]
(Instant AP)(Access Rule <Name>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan access-rule employee
(Instant AP)(Access Rule employee)# rule 10.17.88.59 255.255.255.255 match 6 4343 4343 log classify-media
(Instant AP)(Access Rule employee)# rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit
(Instant AP)(Access Rule employee)# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match tcp 21 21 deny
(Instant AP)(Access Rule employee)# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match udp 21 21 deny
(Instant AP)(Access Rule employee)# rule 192.0.2.2 255.255.255.0 match 6 631 631 permit
(Instant AP)(Access Rule employee)# rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny
Instant AP
345. ibuted L3 mode VLAN 30 to the WLAN SSID profile.
(ap)(config)# wlan ssid-profile wireless-ssid
(ap)(SSID Profile wireless-ssid)# enable
(ap)(SSID Profile wireless-ssid)# type employee
Table 74: W-IAP Configuration for Scenario 3: IPSec Multiple Datacenter Deployment (columns: Configuration Steps, CLI Commands, UI Procedure)
(ap)(SSID Profile wireless-ssid)# essid wireless-ssid
(ap)(SSID Profile wireless-ssid)# opmode wpa2-aes
(ap)(SSID Profile wireless-ssid)# vlan 30
(ap)(SSID Profile wireless-ssid)# auth-server server1
(ap)(SSID Profile wireless-ssid)# auth-server server2
(ap)(SSID Profile wireless-ssid)# auth-survivability
Configure a wireless SSID to operate in L3 mode for contractor and associate distributed L3 mode VLAN 40 to the WLAN SSID profile.
(ap)(config)# wlan ssid-profile wireless-ssid-contractor
(ap)(SSID Profile wireless-ssid-contractor)# enable
(ap)(SSID Profile wireless-ssid-contractor)# type employee
(ap)(SSID Profile wireless-ssid-contractor)# essid wireless-ssid-contractor
(ap)(SSID Profile wireless-ssid-contractor)# opmode wpa2-aes
(ap)(SSID Profile wireless-ssid-contractor)# vlan 40
(ap)(SSID Profile wireless-ssid-contractor)# auth-server server1
(ap)(SSID Profile wireless-ssid-contractor)# auth-server server2
(ap)(SSID Profile wireless-ssid-contractor)# auth-survivability
7. Create access rule
346. ication. You can now customize the port number of the W-AirWave management server through the server_host:server_port format, for example, amp.aruba.com:4343.
Configuring Organization String
The Organization string is a set of colon-separated strings created by the W-AirWave administrator to accurately represent the deployment of each W-IAP. This string is defined by the installation personnel on the site. You can use any of the following strings:
• AMP Role: Org Admin (initially disabled)
• AMP User: Org Admin (assigned to the role Org Admin)
• Folder: Org (under the Top folder in AMP)
• Configuration Group: Org
You can also assign additional strings to create a hierarchy of sub folders under the folder named Org. For example:
    subfolder for a folder under the Org folder
    subfolder2 for a folder under subfolder
Shared Key
The Shared Secret key is an optional field used by the administrator to manually authorize the first Virtual Controller for an organization. Any string is acceptable.
Configuring W-AirWave Information
You can configure W-AirWave information using the Instant UI or CLI.
In the Instant UI
1. Click the W-AirWave Set Up Now link in the bottom-middle region of the main window. The System window is displayed with the W-AirWave parameters in the Admin tab.
Figure 98: Configuring W-AirWave
347. ication for wireless network profile using the Instant UI or CLI.
In the Instant UI
To configure both MAC and 802.1X authentication for a wireless network:
1. In the Network tab, click New to create a new network profile, or select an existing profile for which you want to enable MAC and 802.1X authentication and click edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, ensure that the required parameters for MAC authentication and 802.1X authentication are configured.
4. Select the Perform MAC authentication before 802.1X checkbox to use 802.1X authentication only when the MAC authentication is successful.
5. Select the checkbox MAC authentication fail-thru to use 802.1X authentication even when the MAC authentication fails.
6. Click Next and then click Finish to apply the changes.
In the CLI
To configure both MAC and 802.1X authentication for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# l2-auth-failthrough
(Instant AP)(SSID Profile <name>)# auth-server <
348. ication procedures are completed on the controller:
• OSPF Configuration
• VPN Configuration
• Branch-ID Allocation
• Branch Status Verification
This section describes the configuration procedures to perform on the controller for generic use cases. For information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 356.
NOTE: ArubaOS 6.3 or later is the recommended version to run on the controllers for the IAP-VPN configuration.
NOTE: The IAP-VPN configuration is not supported on W-600 Series controllers.
OSPF Configuration
Open Shortest Path First (OSPF) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. The premise of OSPF is that the shortest or fastest routing path is used. The implementation of OSPFv2 allows controllers to deploy effectively in a Layer 3 topology. The controllers can act as the default gateway for all clients and forward user packets to the upstream router. Each IAP-VPN can be defined a separate subnet derived from the corporate intranet pool to allow IAP-VPN devices to work independently. For sample topology and configuration, see ArubaOS User Guide.
To redistribute IAP-VPN routes into the OSPF process, use the following command:
(host)(config) # router ospf redistribute rapng-vpn
To verify if the redistribution of the IAP-VPN is enabled, use fo
349. icious: These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.
High risk: These are high-risk sites. There is a high probability that the user will be exposed to malicious links or payloads.
c. From the Action drop-down, select Allow or Deny as required.
6. To set a bandwidth limit based on web category or web reputation score, select Application Throttling checkbox and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high-risk sites.
7. If required, select the following checkboxes:
• Log: Select this checkbox if you want a log entry to be created when this rule is triggered. Instant supports firewall-based logging function. Firewall logs on the W-IAPs are generated as security logs.
• Blacklist: Select the Blacklist checkbox to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 171.
• Disable scanning: Select Disable scanning checkbox to disable ARM scanning when this rule is triggered. The selection of the Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for a W-IAP on page 238.
• DSCP tag: Select the DSCP tag checkbox to specify a DSCP value
350. ick OK.
7. Configure other parameters as required.
8. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To configure MAC-address based authentication with external server:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type {<employee>|<guest>}
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# auth-server <server-1>
(Instant AP)(wired ap profile <name>)# auth-server <server-2>
(Instant AP)(wired ap profile <name>)# server-load-balancing
(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To add users for MAC authentication based on internal authentication server:
(Instant AP)(config)# user <username> [<password>] [portal|radius]
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring MAC Authentication with 802.1X Authentication
This section describes the following procedures:
• Configuring MAC and 802.1X Authentication for a Wireless Network Profile on page 167
• Configuring MAC and 802.1X Authentication for Wired Profiles on page 168
Configuring MAC and 802.1X Authentication for a Wireless Network Profile
You can configure MAC authentication with 802.1X authent
351. ide
Alternate Method for Defining Vendor-Specific DHCP Options
This section describes how to add vendor-specific DHCP options for Instant APs in a network that already uses DHCP options 60 and 43 for other services. Some networks use DHCP standard options 60 and 43 to provide the DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options 60 and 43 cannot be used for W-IAPs.
This method describes how to set up a DHCP server to send option 43 with W-AirWave information to the W-IAP. This section assumes that option 43 is sent per scope, because option 60 is being shared by other devices as well.
NOTE: The DHCP scope must be specific to Instant, and the PXE devices that use options 60 and 43 must not connect to the subnet defined by this scope. This is because you can specify only one option 43 for a scope, and if other devices that use option 43 connect to this subnet, they are presented with the information specific to the W-IAP.
1. In server 2008, navigate to Server Manager > Roles > DHCP Server > Domain DHCP Server > IPv4.
2. Select a scope (subnet). Scope 10.169.145.0 145 is selected in the example shown in the figure below.
3. Right-click and select Advanced, and then specify the following options:
    Vendor class: DHCP Standard Options
    User class: Default User Class
    Available options: Select 043 Vendor-Specific Info
    String Value: DelllnstantAP tme store4 10 169 240 8 De
352. ide
Novatel MiFi 2200 Verizon Mifi 2200
Huawei E272 E170 E220 ATT
Huawei E169 E180 E220 E272 Vodafone SmarTone Hk
Huawei E160 O2 UK
Huawei E160 SFR France
Huawei E220 NZ and JP
Huawei E176G Telstra Aus
Huawei E1553 E176 3 HUTCH Aus
Huawei K4505 Vodafone SmarTone HK
Huawei K4505 Vodafone UK
ZTE MF656 Netcom norway
ZTE MF636 HK CSL 1010
ZTE MF633 MF636 Telstra Aus
ZTE MF637 Orange in Israel
Huawei E180 E1692 E1762 Optus Aus
Huawei E1731 Airtel 3G India
Huawei E3765 Vodafone Aus
Huawei E3765 T Mobile Germany
Huawei E1552 SingTel
Huawei E1750 T Mobile Germany
UGM 1831 TMobile
Huawei D33HW EMOBILE Japan
Huawei GD01 EMOBILE Japan
Huawei EC 150 Reliance NetConnect India
KDDI DATAO7 Huawei KDDI Japan
Huawei E353 China Unicom
Huawei EC 167 China Telecom
Huawei E367 Vodafone UK
Huawei E352s 5 T Mobile Germany
Huawei K4505 Vodafone SmarTone HK
Huawei K4505 Vodafone UK
ZTE MF656 Netcom norway
ZTE MF636 HK CSL 1010
ZTE MF633 MF636 Telstra Aus
ZTE MF637 Orange in Israel
Huawei E180 E1692 E1762 Optus Aus
Huawei E1731 Airtel 3G India
Huawei E3765 Vodafone Aus
Huawei E3765 T Mobile Germany
Huawei E1552 SingTel
Huawei E1750 T Mobile Germany
UGM 1831 TMobile
• Huawei D33HW EMOBILE Japan
•
353. ides the variants supported for each IAP model.
Table 3: Supported W-IAP Variants
W IAP RW MERE W IAP Model Reg W IAP U W IAP JP Worldwide Domain US only Japan only Worldwide Scone ane except US Japan
W IAP104 105 Yes ne Yes
W IAP 134 135 Yes No Yes
IAP 175P 175AC Yes No Yes
W IAP3WN 3WNP Yes ne Yes
W IAP 108 109 Yes Ne Yes
W IAP155 155P Yes ne Yes
For information on regulatory domains and the list of countries supported by the W-IAP-RW type, see Country Code on page 38.
Instant UI
The Instant User Interface (UI) provides a standard Web-based interface that allows you to configure and monitor a Wi-Fi network. Instant is accessible through a standard Web browser from a remote management console or workstation and can be launched using the following browsers:
• Microsoft Internet Explorer 10 or lower
• Apple Safari 6.0 or later
• Google Chrome 23.0.1271.95 or later
• Mozilla Firefox 17.0 or later
If the Instant UI is launched through an unsupported browser, a warning message is displayed along with a list of recommended browsers. However, the users are allowed to log in using the Continue login link on the Login page.
NOTE: To view the Instant UI, ensure that JavaScript is enabled on the Web browser. The Instant UI logs out automatically if the window is inactive for 15 minutes.
Instant CLI
The Instant Command Line Interface (CLI) is a text-based interface accessible through a
354. ient
• Network: The network to which the client is connected.
• Access Point: W-IAP to which the client is connected.
• Channel: The client operating channel.
• Type: Type of the Wi-Fi client: A, G, AN, or GN.
• Role: Role assigned to the client.
• Signal: Current signal strength of the client, as detected by the AP.
• Speed (mbps): Current speed at which data is transmitted. When the client is associated with an AP, it constantly negotiates the speed of data transfer. A value of 0 means that the AP has not heard from the client for some time.
Links
The following links allow you to configure various features for the Instant network:
• New Version Available
• System
• RF
• Security
• Maintenance
• More
• Help
• Logout
• Monitoring
• Client Match
• AppRF
• Spectrum
• Alerts
• IDS
• Configuration
• AirGroup
• W-AirWave Setup
• Pause/Resume
Each of these links is explained in the subsequent sections.
New Version Available
This link is displayed in the top right corner of the Instant main window only if a new image version is available on the image server and W-AirWave is not configured. For more information about the New version available link and its functions, see Upgrading a W-IAP on page 317.
System
This link displays the System window. The System window consists of the following tabs: Usethe Sho
355. ient to identify the W-IAP's network and service provider. If a client requests this information through a GAS query, the hotspot AP sends the ANQP capability list in the GAS Initial Response frame indicating support for the following IEs:
• Venue Name
• Domain Name
• Network Authentication Type
• Roaming Consortium List
• Network Access Identifier Realm
• 3GPP Cellular Network Data
Hotspot 2.0 Query Protocol (H2QP)
The H2QP profiles provide a range of information on hotspot 2.0 elements such as hotspot protocol and port, operating class, operator names, WAN status, and uplink and downlink metrics.
Information Elements (IEs) and Management Frames
The hotspot 2.0 configuration supports the following IEs:
• Interworking IE: Provides information about the Interworking service capabilities such as the Internet availability in a specific service provider network.
• Advertisement Protocol IE: Provides information about the advertisement protocol that a client can use for communication with the advertisement servers in a network.
• Roaming Consortium IE: Provides information about the service provider network for roaming clients, which can be used to authenticate with the AP.
The IEs are included in the following Management Frames when 802.11u is enabled:
• Beacon Frame
• Probe Request Frame
• Probe response frame
• Association Request
• Re-Association request
NAI Realm List
An NAI Realm profile identifies and describes a NAI realm to which the clients can
356. ients. Client traffic destined to datacenter resources is routed to the Dell controller through the IPsec tunnel, which then routes the traffic to the appropriate corporate destinations.
Centralized L3 Mode
For centralized L3 clients, the virtual controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located behind the controller in the corporate network and reachable through the IPSec tunnel. The centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
Configuring W-IAP and Controller for IAP-VPN Operations
This section describes the configuration procedures to perform on the W-IAP and controller for generic use cases. For information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 356.
Configuring a W-IAP network for IAP-VPN operations
This section describes the configuration procedures to perform on the W-IAP for generic use cases. For information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 356.
A W-IAP network requires the following configuration for IAP-VPN operations:
• Defining the VPN host settings
• Configuring Routing Profiles
• Configuring DHCP Profiles
• Configuring an SSID or Wired Port
• Enabling Dynamic RADIUS Proxy
• Configuring Enterprise Domains
Defining the VPN host settings
The VPN endpoint on which a master W-IAP terminates its VPN tunnel is considered as the host. A master AP in a W-IAP
357. ients are moved from one AP to another for better performance and client experience.
• Dynamic Load Balancing: Client match balances clients across W-IAPs on different channels, based on the client load on the W-IAPs and the SNR levels the client detects from an underutilized W-IAP. If a W-IAP radio can support additional clients, the W-IAP will participate in client match load balancing and clients can be directed to that W-IAP radio, subject to the predefined SNR thresholds. For better load balancing, clients are steered from busy channels to idle channels.
• Sticky Clients: The client match feature also helps mobile clients that tend to stay associated to a W-IAP despite low signal levels. W-IAPs using client match continually monitor the client's RSSI as it roams between W-IAPs, and move the client to a W-IAP when a better radio match can be found. This prevents mobile clients from remaining associated to an AP with less than ideal RSSI, which can cause poor connectivity and reduce performance for other clients associated with that W-IAP.
• Band Steering: W-IAPs using the client match feature monitor the RSSI for clients that advertise a dual-band capability. If a client is currently associated to a 2.4 GHz radio and the AP detects that the client has a good RSSI from the 5 GHz radio, the W-IAP steers the client to the 5 GHz radio, as long as the 5 GHz RSSI
358. ile. You can also create a user role and assign bandwidth contracts while configuring an SSID or wired profile.
In the CLI
To assign a bandwidth contract in the CLI:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# bandwidth-limit {downstream <kbps>|upstream <kbps>|peruser {downstream <kbps>|upstream <kbps>}}
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To associate the access rule to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# access-rule-name <access-rule-name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring Machine and User Authentication Roles
You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine Authentication is only supported on Windows devices, so this can be used to distinguish between Windows devices and other devices such as iPads.
You can create any of the following types of rules:
• Machine Auth only role: This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.
• User Auth only role: This indicates a known user or a non-Windows device. The device does not support machine auth or does
359. ility 307
   Home Agent Load Balancing 307
   Configuring a Mobility Domain for Instant 307
   In the CLI 308
   Understanding Spectrum Data 309
   Non Wi-Fi Interferers 310
   Channel Details 312
   Spectrum Alerts 314
   Configuring Spectrum Monitors and Hybrid W-IAPs 314
   Converting a W-IAP to a Hybrid W-IAP 314
   In the Instant UI 315
   In the CLI 315
   Converting a W-IAP to a Spectrum Monitor 315
   W-IAP Maintenance 317
   Upgrading a W-IAP 317
   Upgrading a W-IAP and Image Server 317
   Image Management Using W-AirWave 317
   Image Management Using Cloud Server
360. ing
   Configuring for W-AirWave Discovery through DHCP
   The W-AirWave can be discovered through the DHCP server. You can configure this only if W-AirWave was not configured earlier or if you have deleted the precedent configuration.
   On the DHCP server, the format for option 60 is InstantAP, and the two formats for option 43 are <organization>,<ams-ip>,<ams-key> and <organization>,<ams-domain>.
   If you use the <organization>,<ams-ip>,<ams-key> format, the PSK-based authentication is used to access the W-AirWave Management Platform server.
   If you use the <organization>,<ams-domain> format, the W-IAP resolves the domain name into two IP addresses (W-AirWave Primary and W-AirWave Backup), and then the W-IAP starts a certificate-based authentication with the W-AirWave Management Platform server, instead of the PSK login.
   For option 43, when you choose to enter the domain name, the IP address and key are not available.
   Standard DHCP option 60 and 43 on Windows Server 2008
   In networks that are not using DHCP option 60 and 43, it is easy to use the standard DHCP options 60 and 43 for an AP or W-IAP. For APs, these options can be used to indicate the master controller or the local controller. For W-IAPs, these options can be used to define the W-AirWave IP, group, password, and domain name.
   1. From a server running Windows Server 2008, na
361. ing that the network allows Internet access.
   Table 69: Hotspot Configuration Parameters (Parameter: Description)
   p2p-cross-connect: Specify this parameter to advertise support for P2P Cross Connections.
   p2p-dev-mgmt: Specify this parameter to advertise support for P2P device management.
   pame-bi: Specify this parameter to enable the Pre-Association Message Exchange BSSID Independent (PAME-BI) bit, with which the W-IAP can indicate that the Advertisement Server can return a query response independent of the BSSID used in the GAS Frame exchange.
   query-response-length-limit: Specify this parameter to set the maximum length of the GAS query response, in octets. You can specify a value within the range of 1-127. The default value is 127.
   roam-cons-len-1, roam-cons-len-2, roam-cons-len-3: Specify the length of the organization identifier. The value of the roam-cons-len-1, roam-cons-len-2, or roam-cons-len-3. The roaming consortium OI is based on the following parameters:
      • 0: Zero octets in the OI (Null)
      • 3: OI length is 24-bit (3 octets)
      • 5: OI length is 36-bit (5 octets)
   venue-group: Specify one of the following venue groups: assembly, business, educational, factory-and-industrial, institutional, mercantile, outdoor, residential, storage, utility-and-misc, vehicular. By default, the business venue group is used.
   venue-type: Specify a venue type to be
362. ing through a firmware image server in the cloud by sending a serial number/MAC address. If an entry for the W-IAP is present in the firmware image cloud server and is provisioned as a W-IAP > Remote AP, the firmware image cloud server responds with mobility controller IP address, AP group, and AP type. The W-IAP then contacts the controller, establishes certificate-based secure communication, and obtains configuration and image from the controller. The W-IAP reboots and comes up as a Remote AP. The W-IAP then establishes an IPSEC connection with the controller and begins operating in the Remote AP mode.
   • If a W-IAP entry for the AP is present in the firmware image cloud server, the W-IAP obtains W-AirWave server information from the cloud server and downloads configuration from W-AirWave to operate in the W-IAP mode.
   • If there is no response from the cloud server or AirGroup is received, the W-IAP comes up in Instant mode.
   • For more information on firmware image cloud server, see Upgrading a W-IAP on page 317.
   A mesh point cannot be converted to Remote AP because mesh access points do not support VPN connection.
   NOTE: A W-IAP can be converted to a Campus AP and Remote AP only if the controller is running ArubaOS 6.1.4 or later.
   The following table describes the supported W-IAP platforms and minimal ArubaOS version required for the Campus AP or Remote AP conversion.
   Table 64: W-IAP Platforms and Minimum ArubaOS Versions for W-IAP to Remote
363. ion drop-down list. This step is optional.
   b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
   c. To allow the W-IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately, select Enabled or Disabled from the Fast failover drop-down list. If the primary tunnel fails, the W-IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
   d. To disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary, set Reconnect user on failover to Enabled.
   e. To configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect time on failover, within the range of 30-900 seconds. By default, the reconnection duration is set to 60 seconds.
   f. Specify a value in seconds for Secs between test packets. Based on the configured frequency, the W-IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the W-IAP sends one packet to the controller every 5 seconds.
   g. Enter a value for Max allowed test packet loss to define a number for lost pac
364. ion in a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on your hotspot's own ISP, as per their service agreements. The W-IAP assigns the default WISPr user role to the client when your ISP sends an authentication message to the W-IAP. For more information on WISPr authentication, see Configuring WISPr Authentication on page 170.
   Supported EAP Authentication Frameworks
   The following EAP authentication frameworks are supported in the Instant network:
   • EAP-TLS: The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. The EAP-TLS requires both server and certification authority (CA) certificates installed on the W-IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
   • EAP-TTLS (MSCHAPv2): The Extensible Authentication Protocol-Tu
365. ired and wireless containments to prevent unauthorized stations from connecting to your Instant network. Instant supports the following types of containment mechanisms:
   • Wired containment: When enabled, W-IAPs generate ARP packets on the wired network to contain wireless attacks.
   • Wireless containment: When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.
      - None: Disables all the containment mechanisms.
      - Deauthenticate only: With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.
      - Tarpit containment: With Tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.
   Figure 113: Containment Methods [screenshot of the Wireless Intrusion Protection (WIP) window, showing the Infrastructure and Clients protection levels and the Wired containment and Wireless containment options]
366. ired profiles, DHCP server configuration parameters, and manages the local user database. The admin users can access the Virtual Controller Management User Interface.
   • Guest administrator: A guest interface management user who manages guest users added in the local user database.
   • Administrator with read-only access: The read-only admin user does not have access to the Instant CLI. The Instant UI will be displayed in the read-only mode for these users.
   • Employee users: Employees who use the enterprise network for official tasks.
   • Guest users: Visiting users who temporarily use the enterprise network to access the Internet.
   The user access privileges are determined by W-IAP management settings in the W-AirWave Management client, and the type of the user. The following table outlines the access privileges defined for the admin user, guest management interface admin, and read-only users.
   Table 28: User Privileges
   User Category | W-AirWave Management Platform in Management Mode | W-IAP in monitor mode or without W-AirWave Management Platform
   administrator | Access to local user database only | Complete access to the W-IAP
   read-only administrator | No write privileges | No write privileges
   guest administrator | Access to local user database only | Access to local user database only
   Configuring Authentication Parameters for Management User
367. irewall policies:
   • Firewall Policies on page 176
   • Content Filtering on page 186
   • Configuring User Roles on page 190
   • Configuring Derivation Rules on page 192
   Firewall Policies
   Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using Instant firewall, you can enforce network access policies that define access to the network, areas of the network that users may access, and the performance thresholds of various applications.
   Instant supports a role-based stateful firewall. Instant firewall recognizes flows in a network and keeps track of the state of sessions. Instant firewall manages packets according to the first rule that matches the packet. The firewall logs on the W-IAPs are generated as syslog messages.
   Access Control List Rules
   You can use Access Control List (ACL) rules to either permit or deny data packets passing through the W-IAP. You can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses.
   You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic th
368. irst square box in the splash page, type the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
   To change the policy text, click the second square in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
   Specify the URL to which you want to redirect the guest users.
   To upload a custom logo, click Upload your own custom logo Image, browse the image file, and click upload image.
   Click Preview to preview the Captive Portal page.
   External: If External is selected, perform the following steps:
   • Select a profile from the Captive portal profile drop-down list.
   • If you want to edit the profile, click Edit and update the following parameters:
      - Type: Select either Radius Authentication to enable user authentication against a RADIUS server, or Authentication Text to specify the authentication text to be returned by the external server after a successful user authentication.
      - IP or hostname: Enter the IP address or the hostname of the external splash page server.
      - URL: Enter the URL for the external splash page server.
      - Port: Enter the number of the port to use for communicating with the external splash page server.
      - Redirect URL: Specify a redirect URL if you want to redirect the users to anot
369. is allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the IP address and netmask for the destination network.
   • except to a network: Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
   • to domain name: Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.
   Log: Select this checkbox if you want a log entry to be created when this rule is triggered. Instant supports firewall-based logging function. Firewall logs on the W-IAPs are generated as security logs.
   Blacklist: Select the Blacklist checkbox to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 171.
   Classify media: Select the Classify media checkbox to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
   • Video: Priority 5 (Critical)
   Table 36: Inbound Firewall Rule Configuration Para
370. is not significantly worse than the 2.4 GHz RSSI, and the W-IAP retains a suitable distribution of clients on each of its radios.
   • Channel Utilization: Based on the percentage of channel utilization, clients are steered from a busy channel to an idle channel.
   • Client Capability Match: Based on the client capability match, clients are steered to the appropriate channel, for example HT20, HT40, or VHT80.
   In the Instant 6.3.1.1-4.0 release, spectrum load balancing is integrated with the client match feature. Client match allows the APs in a cluster to be divided into several logical AP RF neighborhoods, called domains, which share the same clients. The Virtual Controller determines the distribution of clients and balances client load across channels, regardless of whether the AP is responding to the probe requests of wireless clients.
   You can configure client match parameters in Instant UI or CLI. When client match is enabled, the dashboard in the main window displays the Client Match link on selecting an AP in the Access Points tab or a client in the Clients tab. Clicking this link provides a graphical representation of radio map view of an AP and the client distribution on an AP radio. For more information, see Client Match on page 66.
   In the Instant UI
   1. For client match configuration, specify the following parameters in the RF > ARM > Show advanced options tab:
   Table 46: Client Match Configuration Parameters (Parameter: Description)
   Client matc
371. ish.
   In the CLI
   To enable 802.11v profile:
      (Instant AP)(config)# wlan ssid-profile <name>
      (Instant AP)(SSID Profile <name>)# dot11v
      (Instant AP)(config)# end
      (Instant AP)# commit apply
   Example:
      (Instant AP)(config)# wlan ssid-profile dot11v profile
      (Instant AP)(SSID Profile dot11v profile)# dot11v
      (Instant AP)(config)# end
      (Instant AP)# commit apply
   Editing Status of a WLAN SSID Profile
   You can enable or disable an SSID profile in the Instant UI or CLI.
   In the Instant UI
   To modify the status of a WLAN SSID profile:
   1. In the Networks tab, select the network that you want to edit. The edit link is displayed.
   2. Click the edit link. The Edit network window is displayed.
   3. Select or clear the Disable SSID checkbox to disable or enable the SSID. The SSID is enabled by default.
   4. Click Next or the tab name to move to the next tab.
   5. Click Finish to save the modifications.
   In the CLI
   To disable an SSID:
      (Instant AP)(config)# wlan ssid-profile <name>
      (Instant AP)(SSID Profile <name>)# disable
      (Instant AP)(SSID Profile <name>)# end
      (Instant AP)# commit apply
   To enable an SSID:
      (Instant AP)(config)# wlan ssid-profile <name>
      (Instant AP)(SSID Profile <name>)# enable
      (Instant AP)(SSID Profile <name>)# end
      (Instant AP)# commit apply
   Editing a WLAN SSID Profile
   To edit a WLAN SSID
372. [Figure: diagram of an AirGroup-enabled W-IAP interacting with ClearPass; legible labels: ClearPass Policy Manager, ClearPass Guest, CoA Request and Updates, AirGroup Database, AirGroup Operators, mDNS/DLNA Lookup]
   When AirGroup discovers a new device, it interacts with CPPM to obtain the shared attributes such as shared location and role. However, the current versions of W-IAPs do not support the enforcement of shared location policy.
   AirGroup Services
   AirGroup supports zero configuration services. The services are pre-configured and are available as part of the factory default configuration. The administrator can also enable or disable any or all services by using the Instant UI or CLI.
   The following services are available for W-IAP clients:
   • AirPlay: Apple AirPlay allows wireless streaming of music, video, and slideshows from your iOS device to Apple TV and other devices that support the AirPlay feature.
   • AirPrint: Apple AirPrint allows you to print from an iPad, iPhone, or iPod Touch directly to any AirPrint compatible printers.
   • iTunes: The iTunes service is used by iTunes Wi-Fi sync and iTunes home-sharing applications across all Apple devices.
   • RemoteMgmt: The RemoteMgmt service allows remote login, remote management, and FTP utilities on Apple devices.
   • Sharing: The Sharing service allows applications such as disk sharing and file sharing among Apple devices.
   • iChat: The iChat Instan
373. ization.
   • Guest network: The Guest wireless network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The Virtual Controller assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an un-encrypted network. However, you can specify the encryption settings when configuring a guest network.
   NOTE: When a client is associated to the Voice network, all data traffic is marked and placed into the high priority queue in QoS (Quality of Service).
   To configure a new wireless network profile, complete the following procedures:
   1. Configuring WLAN Settings
   2. Configuring VLAN Settings
   3. Configuring Security Settings
   4. Configuring Access Rules for a Network
   Configuring WLAN Settings for an SSID Profile
   You can configure WLAN settings using the Instant UI or CLI.
   In the Instant UI
   To configure WLAN settings:
   1. In the Networks tab of the Instant main window, click the New link. The New WLAN window is displayed. The following figure shows the contents of the WLAN Settings tab:
   Figure 33: WLAN Settings Tab [screenshot showing the Name (SSID), Primary usage (Employee, Voice, Guest), and Bandwidth Limits fields]
374. k enforce :none
      Ethernet uplink bond0 :DHCP
      Internet failover :disable
      Max allowed test packet loss :10
      Secs between test packets :30
      VPN failover timeout (secs) :180
   Chapter 22: Intrusion Detection
   The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized W-IAPs and clients. It also logs information about the unauthorized W-IAPs and clients, and generates reports based on the logged information.
   The IDS feature in the Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
   This chapter describes the following procedures:
   • Detecting and Classifying Rogue APs on page 296
   • OS Fingerprinting on page 296
   • Configuring Wireless Intrusion Protection and Detection Levels on page 297
   • Configuring IDS Using CLI on page 301
   Detecting and Classifying Rogue APs
   A rogue AP is an unauthorized AP plugged into the wired side of the network. An interfering AP is an AP seen in the RF environment, but it is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat, because it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.
   To detect the rogue APs, click the IDS link in the Instant main wi
375. k profile. For more information on role assignment rules and VLAN derivation rules, see Configuring Derivation Rules on page 192 and Configuring VLAN Derivation Rules on page 196.
   • Select the Assign pre-authentication role checkbox to add a pre-authentication role that allows some access to the users before the client authentication.
   • Select the Enforce Machine Authentication checkbox to configure access rights to clients based on whether the client device supports machine authentication. Select the Machine auth only and User auth only rules. Machine Authentication is only supported on Windows devices and devices such as iPads.
   NOTE: If Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.
   2. Click Finish.
   In the CLI
   To configure access rules for a wired profile:
      (Instant AP)(config)# wired-port-profile <name>
      (Instant AP)(wired ap profile <name>)# access-rule-name <name>
      (Instant AP)(wired ap profile <name>)# end
      (Instant AP)# commit apply
   To configure role assignment rules:
      (Instant AP)(config)# wired-port-profile <name>
      (Instant AP)(wired ap profile <name>)# set-role <attribute>{{equals|not-equal|starts-with|contains|matches-regular-expression} <operator> <role>|value-of}
      (Instant AP)(wired
376. k window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
   4. In the Security tab, select Enabled from the 802.1X authentication drop-down list.
   5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 115.
   6. Click Next to define access rules, and then click Finish to apply the changes.
   7. Assign the profile to an Ethernet port. For more information, see Assigning a Profile to Ethernet Ports on page 117.
   In the CLI
   To enable 802.1X authentication for a wired profile:
      (Instant AP)(config)# wired-port-profile <name>
      (Instant AP)(wired ap profile <name>)# type {<employee>|<guest>}
      (Instant AP)(wired ap profile <name>)# dot1x
      (Instant AP)(wired ap profile <name>)# auth-server <server1>
      (Instant AP)(wired ap profile <name>)# auth-server <server2>
      (Instant AP)(wired ap profile <name>)# server-load-balancing
      (Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
      (Instant AP)(wired ap profile <name>)# end
      (Instant AP)# commit apply
   Configuring MAC Authentication for a Network Profile
   MAC authentication can be used alone or it can be combined with other forms of authentication, such as WEP authentication. However, it is recom
377. ke IP Security (IPsec) clients. WEP and TKIP are limited to WLAN connection speed of 54 Mbps. The 802.11n connection supports only AES encryption.
   NOTE: It is recommended to use AES encryption. Ensure that all devices that do not support AES are upgraded or replaced with the devices that support AES encryption.
   WPA and WPA2
   WPA is created based on a draft of 802.11i, which allowed users to create more secure WLANs. WPA2 encompasses the full implementation of the 802.11i standard. WPA2 is a superset that encompasses the full WPA feature set.
   The following table summarizes the differences between the two certifications:
   Table 30: WPA and WPA2 Features
   Certification | Authentication | Encryption
   WPA | PSK; IEEE 802.1X with Extensible Authentication Protocol (EAP) | TKIP with message integrity check (MIC)
   WPA2 | PSK; IEEE 802.1X with EAP | AES Counter Mode with Cipher Block Chaining Message Authentication Code (AESCCMP)
   WPA and WPA2 can be further classified as follows:
   • Personal: Personal is also called Pre-Shared Key (PSK). In this type, a unique key is shared with each client in the network. Users have to use this key to securely log in to the network. The key remains the same until it is changed by authorized personnel. You can also configure key change intervals.
   • Enterprise: Enterprise is more secure than WPA Personal. In
378. kets, after which the W-IAP can determine that the VPN connection is unavailable. The default value is 2.
   h. Select Enabled or Disabled from the Per-AP tunnel drop-down list. The administrator can enable this option to create a GRE tunnel from each W-IAP to the VPN/GRE Endpoint, rather than the tunnels created just from the master W-IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the W-IAP itself and need not be forwarded through the master W-IAP.
   Figure 65: Dell GRE Configuration [screenshot of the Tunneling > Controller tab, showing the Protocol, Primary host, Backup host, Preemption, Hold time, Fast failover, Reconnect user on failover, Reconnect time on failover, Secs between test packets, Max allowed test packet loss, and Per-AP tunnel fields]
   6. Click Next to continue.
   In the CLI
   To enable automatic configuration of the GRE tunnel:
      (Instant AP)(config)# vpn gre-outside
      (Instant AP)(config)# vpn primary <name/IP-address>
      (Instant AP)(config)# vpn backup <<name/IP-address>>
      (Instant AP)(config)# vpn fast-failover
      (Instant AP)(config)# vpn hold-time <seconds>
      (Instant AP)(config)# vpn preemption
      (Instant AP)(config)# vpn m
379. l PC or workstation running a terminal emulation program to the Console port on the W-IAP.
   2. Power on the W-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
   3. Click Enter before the timer expires. The W-IAP goes into the apboot mode.
   4. In the apboot mode, use the following commands to assign a static IP to the W-IAP:
      Hit <Enter> to stop autoboot: 0
      apboot>
      apboot> setenv ipaddr 192.0.2.0
      apboot> setenv netmask 255.255.255.0
      apboot> setenv gatewayip 192.0.2.2
      apboot> save
      Saving Environment to Flash
      Un-Protected 1 sectors
      done
      Erased 1 sectors
      Writing
   5. Use the printenv command to view the configuration:
      apboot> printenv
   Connecting to a Provisioning Wi-Fi Network
   The W-IAPs boot with factory default configuration and try to provision automatically. If the automatic provisioning is successful, the instant SSID will not be available. If W-AirWave and Activate are not reachable and the automatic provisioning fails, the instant SSID becomes available and the users can connect to a provisioning network by using the instant SSID.
   To connect to a provisioning Wi-Fi network:
   1. Ensure that the client is not connected to any wired network.
   2. Connect a wireless-enabled client to a provisioning Wi-Fi network, for example, instant.
   3. If the Windows OS system is used:
      a. Click the wireless network connection icon in the system tray. The
380. Upgrading to a New Version Manually
   If the automatic image check feature is disabled, you can obtain an image file from a local file system or from a TFTP or HTTP URL. To manually check for a new firmware image version and obtain an image file:
   1. Navigate to Maintenance > Firmware. The Firmware window is displayed.
   2. Under Manual section, perform the following steps:
   • Select the Image file option. This method is only available for single-class W-IAPs. The following examples describe the image file format for different W-IAP models:
      - For W-IAP134/135: DellInstant_Cassiopeia_6.4.0.2-4.1.0.0_xxxx
      - For W-IAP108/109, W-IAP103, and W-IAP114/115: DellInstant_Pegasus_6.4.0.2-4.1.0.0_xxxx
      - For W-IAP155/155P: DellInstant_Aries_6.4.0.2-4.1.0.0_xxxx
      - For W-IAP220 Series and W-IAP270 Series: DellInstant_Centaurus_6.4.0.2-4.1.0.0_xxxx
      - For all other W-IAPs: DellInstant_Orion_6.4.0.2-4.1.0.0_xxxx
   • Select the Image URL option. Select this option to obtain an image file from a TFTP, FTP, or HTTP URL:
      - HTTP: http://<IP-address>/<image-file>. For example, http://<IP-address>/DellInstant_Orion_6.4.0.2-4.1.0.0_xxxx
      - TFTP: tftp://<IP-address>/<image-file>. For example, tftp://<IP-address>/DellInstant_Orion_6.4.0.2-4.1.0.0_xxxx
      - FTP: ftp://<IP-address>/<image-file>. For example, ftp://<IP-address>/DellInstant_Orion_6.4.0.2-4.1.0.0_XX
381. l id 1842732147
      host name arubal600pop636635 hsbtst2 aus
      UDP ports local 1701 peer 3000
      session limit 0 session count 1
      tunnel profile test tunnel primary peer profile default session profile default
      hello timeout 150 retry timeout 80 idle timeout 0
      rx window size 10 tx window size 10 max retries 5
      use udp checksums OFF
      do pmtu discovery OFF mtu 1460
      trace flags PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
      peer vendor name Katalix Systems Ltd Linux 2 6 32 358 2 1 e16 x86 64 x86 64
      peer protocol version 1 0 firmware 0
      peer rx window size 10
      Transport status
      ns nr 98 97 peer 98 96
      cwnd 10 ssthresh 10 congpkt_acc 9
      Transport statistics
      out of sequence control data discards 0 0
      ACKs tx txfail rx 0 0 96
      retransmits 0
      duplicate pkt discards 0
      data pkt discards 0
      hellos tx txfail rx 94 0 95
      control rx packets 193 rx bytes 8506
      control tx packets 195 tx bytes 8625
      data rx packets 0 rx bytes 0 rx errors 0
      data tx packets 6 tx bytes 588 tx errors 0
      establish retries 0
   To view L2TPv3 tunnel config:
      (Instant AP)# show l2tpv3 tunnel config
      Tunnel profile test_tunnel primary
      l2tp host name Instant C4 42 98
      local UDP port 1701
      peer IP address 10.0.0.65
      peer UDP port 3000
      hello timeout 150 retry timeout 80 idle timeout 0
      rx window size 10 tx window size 10 max retries 5
      use UDP checksums OFF
      do pmtu discovery OFF mtu 1570
      framing
382. le
    (Instant AP)(cellular-uplink-profile)# usb-type <3G-usb-type>
    (Instant AP)(cellular-uplink-profile)# 4g-usb-type <4g-usb>
    (Instant AP)(cellular-uplink-profile)# modem-country <country>
    (Instant AP)(cellular-uplink-profile)# modem-isp <service-provider-name>
    (Instant AP)(cellular-uplink-profile)# usb-auth-type <usb-authentication-type>
    (Instant AP)(cellular-uplink-profile)# usb-user <username>
    (Instant AP)(cellular-uplink-profile)# usb-passwd <password>
    (Instant AP)(cellular-uplink-profile)# usb-dev <device-ID>
    (Instant AP)(cellular-uplink-profile)# usb-tty <tty-port>
    (Instant AP)(cellular-uplink-profile)# usb-init <Initialization-parameter>
    (Instant AP)(cellular-uplink-profile)# usb-dial <dial-parameter>
    (Instant AP)(cellular-uplink-profile)# usb-modeswitch <usb-modem>
    (Instant AP)(cellular-uplink-profile)# end
    (Instant AP)# commit apply
    To switch a modem from the storage mode to modem mode:
    (Instant AP)(config)# cellular-uplink-profile
    (Instant AP)(cellular-uplink-profile)# usb-modeswitch <usb-modem>
    To view the cellular configuration:
    Instant A
    Wi-Fi Uplink
    The Wi-Fi uplink is supported for all the W-IAP models, but only the master W-IAP uses this uplink. The Wi-Fi allows
383. le wired port
    Configure a wireless SSID to operate in L2 mode and associate Centralized L2 mode VLAN 20 to the WLAN SSID profile:
    (ap)(config)# wlan ssid-profile guest
    (ap)(SSID Profile guest)# enable
    (ap)(SSID Profile guest)# type guest
    (ap)(SSID Profile guest)# essid guest
    (ap)(SSID Profile guest)# opmode opensystem
    (ap)(SSID Profile guest)# auth-server server1
    (ap)(SSID Profile guest)# auth-server server2
    (ap)(SSID Profile guest)# captive-portal internal
    (ap)(SSID Profile guest)# vlan 20
    NOTE: This example uses internal captive portal use case using external authentication server. You can also use an external captive portal example.
    NOTE: The SSID type guest is used in this example to enable configuration of captive portal. However, corporate access through VPN tunnel is still allowed for this SSID because the VLAN associated to this SSID is a VPN-enabled VLAN (20 in this example).
    Table 73 W-IAP Configuration for Scenario 2: IPSec Single Datacenter with Multiple controllers for Redundancy
    Configuration Steps | CLI Commands | UI Procedure
    8. Create access rule for wired and wireless authentication. In this example, the rule permits all traffic.
    CLI Commands:
    For wired profile:
    (ap)(config)# wlan access-rule wired-port
    (ap)(Access Rule wired-port)# rule any any match any any any permit
    For WLAN SSID:
    (ap)(config)# wlan acc
    UI Procedure: See Configuring Access Rules for Network Services
384. led. You can also create a new server with RADIUS and RADIUS proxy parameters by selecting New.
    6. Click Next and then click Finish.
    7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
    NOTE: You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 99 and Configuring Security Settings for a Wired Profile on page 115.
    In the CLI
    To associate an authentication server to a WLAN SSID:
    (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# auth-server <server-name>
    (Instant AP)(SSID Profile <name>)# end
    (Instant AP)# commit apply
    To associate an authentication server to a wired profile:
    (Instant AP)(config)# wired-port-profile <name>
    (Instant AP)(wired ap profile <name>)# auth-server <name>
    (Instant AP)(wired ap profile <name>)# end
    (Instant AP)# commit apply
    Configuring 802.1X Authentication for a Network Profile
    The Instant network supports internal RADIUS server and external RADIUS server for 802.1X authentication. The steps involved in 802.1X authentication are as follows:
    1. The NAS requests authentication credentials from a wireless client.
    2. The wireless clien
385. les The associated numeric value is 18.
    - eap-ttls: To use EAP-Tunneled Transport Layer Security. The associated numeric value is 21.
    - peap: To use protected Extensible Authentication Protocol. The associated numeric value is 25.
    - crypto-card: To use crypto card authentication. The associated numeric value is 28.
    - peapmschapv2: To use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPV2). The associated numeric value is 29.
    - eap-aka: To use EAP for UMTS Authentication and Key Agreement. The associated numeric value is 50.
    The following table lists the possible authentication IDs and their respective values:
    Table 67 NAI Realm Profile Configuration Parameters
    Authentication ID | Authentication Value
    reserved: Uses the reserved authentication method. The associated numeric value is 0.
    expanded-eap: Uses the expanded EAP authentication method. The associated numeric value is 1. Authentication value: use expanded-eap as the authentication value.
    non-eap-inner-auth: Uses non-EAP inner authentication type. The associated numeric value is 2. The following authentication values apply:
        reserved: The associated numeric value is 0.
        pap: The associated numeric value is 1.
        chap: The associated numeric value is 2.
        mschap: The associated numeric value is 3.
        mschapv2: The associated numeric value is
386. lick the Wired link under More at the top right corner of the main window. The Wired window is displayed.
    2. In the Wired window, select the wired profile to modify.
    3. Click Edit. The Edit Wired Network window is displayed.
    4. In the Wired Settings tab, select Enabled from the Content Filtering drop-down list and click Next to continue.
    In the CLI
    To enable content filtering for a wired profile in the CLI:
    (Instant AP)(config)# wired-port-profile test
    (Instant AP)(wired ap profile <name>)# content-filtering
    (Instant AP)(wired ap profile <name>)# end
    (Instant AP)# commit apply
    Configuring Enterprise Domains
    The enterprise domain names list displays the DNS domain names that are valid on the enterprise network. This list is used to determine how client DNS requests must be routed. When Content Filtering is enabled, the DNS request of the clients is verified and the domain names that do not match the names in the list are sent to the open DNS server. You can configure an enterprise domain through the Instant UI or CLI.
    In the Instant UI
    To manually add a domain:
    1. Navigate to System > General, click Show advanced options > Enterprise Domains. The Enterprise Domain tab contents are displayed.
    2. Click New and enter a New Domain Name. Using as an enterprise domain causes all DNS traffic to go through the tunn
387. link-status <status>
    (Instant AP)(WAN-metrics <name>)# end
    (Instant AP)# commit apply
    You can specify the following WAN downlink and uplink parameters:
    - Downlink load: Indicates the percentage of the WAN downlink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
    - Downlink speed: Indicates the WAN downlink speed in Kbps.
    - Uplink load: Indicates the percentage of the WAN uplink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
    - Uplink speed: Indicates the WAN uplink speed in Kbps.
    - Load duration: Indicates the duration in seconds during which the downlink utilization is measured.
    - Symmetric links: Indicates if the uplink and downlink have the same speed.
    - WAN Link Status: Indicates if the WAN is down (link down), up (link up), or in test state (link under test).
    Creating a Hotspot Profile
    To create a hotspot profile:
    Instant AP config Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspot2 Instant AP Hotspo
388. list persistent clients for the W-IAP.
    AP PMK Cache: Displays the PMK cache details for the clients associated with the W-IAP.
    AP PPPoE uplink debug: Displays PPPoE debug logs.
    AP PPPoE uplink status: Displays PPPoE uplink status.
    AP Processes: Displays the processes running on the W-IAP.
    AP Radio 0 Stats: Displays aggregate debug statistics of the W-IAP Radio 0.
    AP Radio 1 Stats: Displays aggregate debug statistics of the W-IAP Radio 1.
    AP Radio 0 Client Probe Report: Displays a report on the AP clients connected to W-IAP Radio 0.
    AP Radio 1 Client Probe Report: Displays a report on the AP clients connected to W-IAP Radio 1.
    AP RADIUS Statistics: Displays the RADIUS server statistics for the W-IAP.
    AP Shaping Table: Displays shaping information for clients associated with the W-IAP.
    AP Sockets: Displays information about the sockets of the W-IAP.
    AP STM Configuration: Displays STM configuration details for each SSID profile configured on the W-IAP.
    AP System Status: Displays detailed system status information for the W-IAP.
    AP System Summary: Displays the W-IAP configuration.
    AP Swarm State: Displays details of the W-IAP cluster to which the AP is connected.
    AP Tech Support Dump: Displays the logs with complete W-IAP configuration information required for debugging by technical support.
    AP Tech Support Dump Advanced: Displays the logs with advanced configuration details and logs required for debugging by technical support.
    AP Uplink
389. d. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set.
    e. Specify the remote end ID.
    f. If required, enable default l2 specific sublayer in the L2TP session.
    g. Click OK.
    5. Click Next to continue.
    In the CLI
    To configure an L2TPv3 VPN tunnel profile:
    (Instant AP)(config)# l2tpv3 tunnel <l2tpv3_tunnel_profile>
    (Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# primary peer-address <peer_ip_addr_tunnel>
    (Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# backup peer-address <peer_ip_addr_tunnel>
    (Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# checksum
    (Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# failover-mode <mode>
    (Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# failover-retry-count <retry_count>
    (Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# failover-retry-interval <interval_in_sec>
    (Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# hello-timeout <interval_in_sec>
    (Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# local-port <local_udp_port>
    (Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# pee
390. Chapter 16 Adaptive Radio Management
    This chapter provides the following information:
    - ARM Overview on page 232
    - Configuring ARM Features on a W-IAP on page 233
    - Configuring Radio Settings for a W-IAP on page 238
    ARM Overview
    Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in the networks with highest traffic by dynamically and intelligently choosing the best 802.11 channel and transmitting power for each W-IAP in its current RF environment. ARM works with all standard clients across all operating systems while remaining in compliance with the IEEE 802.11 standards. It does not require any proprietary client software to achieve its performance goals. ARM ensures low-latency roaming, consistently high performance, and maximum client compatibility in a multi-channel environment. By ensuring the fair distribution of available Wi-Fi bandwidth to mobile devices, ARM ensures that data, voice, and video applications have sufficient network resources at all times. ARM allows mixed 802.11a/b/g/n and ac client types to inter-operate at the highest performance levels.
    Channel or Power Assignment
    The channel or power assignment feature automatically assigns channel and power settings for all the W-IAPs in the network according to changes in the RF environment. This feature automates many setup tasks
391. ll123 which is the AP description organization string, W-AirWave IP address or domain name, Pre-shared key for W-AirWave
    Figure 105 Vendor Specific DHCP options
    Upon completion, the W-IAP shows up as a new device in W AirW
392. ller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the W-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. On selecting this option, the following client VLAN assignment options are displayed:
    - Default: When selected, the default VLAN as determined by the Virtual Controller is assigned for clients.
    - Custom: When selected, you can specify a custom VLAN assignment option. You can select an existing DHCP scope for client IP and VLAN assignment, or you can create a new DHCP scope by selecting New. For more information on DHCP scopes, see Configuring DHCP Scopes on page 201.
    Network assigned: If the Network assigned is selected, you can specify any of the following options for the Client VLAN assignment:
    - Default: On selecting this option, the client obtains the IP address in the same subnet as the W-IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
    - Static: On selecting this option, you need to specify a single VLAN, a comma-separated list of VLANs, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
    - Dynamic: On selecting this option, you can assign the VLANs dynamically from a Dynamic Host Configurati
393. ller is returned using predefined formats.
    Configuring a W-IAP for XML API integration
    You can configure a W-IAP for XML API integration using the Instant UI or CLI.
    In the Instant UI
    1. Click More > Services. The Services window is displayed.
    2. Click Network Integration. The XML API Server configuration options are displayed.
    Figure 93 XML API Server Configuration
    3. Enter the IP address of the XML API Server.
    4. Enter the Passphrase required to authenticate and access the XML API Server.
    5. Re-enter the Passphrase in the Retype box.
    6. Click OK.
    In the CLI
    To enable XML API integration with the W-IAP:
    (Instant AP)(config)# xml-api-server
    (Instant AP)(xml-api-server)# ip <ip-address>
    (Instant AP)(xml-api-server)# key <shared-key>
    (Instant AP)(xml-api-server)# no <delete-command>
    (Instant AP)(xml-api-server)# end
    (Instant AP)# commit apply
    CALEA Integration and Lawful Intercept Compliance
    Lawful Intercept (LI) allows the Law Enforcement Agencies (LEA) to perform an authorized electronic surveillance. Depending on the country of operation, the service providers (SPs) are required to support LI in their respective networks. In the United States, SPs are required to ensure LI compliance based on Communications Assistance for Law Enforcement Act
394. llowing command:
    (host)# show ip ospf redistribute
    Redistribute RAPNG
    To configure aggregate route for IAP-VPN routes, use the following command:
    (host)(config)# router ospf aggregate-route rapng-vpn
    To view the aggregated routes for IAP-VPN routes, use the following command:
    (host)# show ip ospf rapng-vpn aggregate-routes
    RAPNG VPN aggregate routes
    201.201.200.0 255.255.252.0 5 268779624
    100.100.2.0 255.255.255.0 1 10
    To verify the details of configured aggregated route, use the following command:
    (host)# show ip ospf rapng-vpn aggregated-routes <net> <mask>
    (host)# show ip ospf rapng-vpn aggregate-routes 100.100.2.0 255.255.255.0
    Contributing routes of RAPNG VPN aggregate route
    100.100.2.64 255.255.255.224 5 5 0 10 10
    To view all the redistributed routes:
    (host)# show ip ospf database
    OSPF Database Table
    Area ID  LSA Type  Link ID  Adv Router  Age  Seq  Checksum
    ROUTER 9.9.9.9 9.9.9.9 159 0x80000016 0xee92
    ROUTER 10.15.148.12 10.15.148.12 166 0x80000016 0x4c0d
    NETWORK 10.15.148.12 10.15.148.12 167 0x80000001 0x9674
    NSSA 12.12.2.0 9.9.9.9 29 0x80000003 0x7b54
    NSSA 12.12.12.0 9.9.9.9 164 0x80000008 0x63a
    NSSA 12.12.12.32 9.9.9.9 164 0x80000008 0x7b8
    NSSA 50 40 40 0 9 9 164 0x80000007 0x8ed4
    NSSA 51 41 41 128 9 9 164 0x80000007 0x68 6
    NSSA 53 43 43 9 9 9 9 164 0x80000007 0x2633 15
    NSSA 54.44.44.16 9.9.9.9 164 0x80000007 0x353
    AS EXTERNAL 12.12.2.0 9.9.9.9 29 0x80000003 0x8c06
    N A AS EXTERNAL 12 12 12 0 9 9
395. lobally and effectively reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee. W-IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign a desired role for users who have completed 802.1X authentication and MAC authentication. The user role can be derived from the user attributes after a client associates with an AP. You can configure rules that assign a user role to clients that match a MAC address based criteria. For example, you can assign a voice role to any client with a MAC address starting a0:a1:a2.
    Roles Based on Client Authentication
    The user role can be the default user role configured for an authentication method, such as 802.1x authentication. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method.
    DHCP Option and DHCP Fingerprinting
    The DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on the operating system type, a role can be assigned to the device. For example, to create a role assignment rule with the DHCP option, select equals from the Operator drop-down list and enter 370103060F77FC in the String text box. Since 370103060F77FC is the fingerprint for Apple OS device
396. lowing table describes the regulatory domain restrictions that apply for the W-IAP to ArubaOS AP conversion:
    Table 63 W-IAP to ArubaOS AP Conversion
    ArubaOS Controller IAP 22x IAP 27x W IAP11x W IAP103 All other W IAPs version on Regulatory Controller Domain Unrestricted JP Versions lower than 6 3 0 Unrestricted i JP country Ea Unrestricted Valid Valid for JP country CN eae country code Unrestricted Valid Valid Valid Valid for JP country code Valid Valid Valid Valid Valid Valid for JP country code
    NOTE: indicates not supported and X indicates invalid configuration.
    NOTE: The minimum Instant version for W-IAP103 and W-IAP274/275 is 6.4.0.2-4.1.
    Converting a W-IAP to a Remote AP
    For Remote AP conversion, the Virtual Controller sends the Remote AP convert command to all the other W-IAPs. The Virtual Controller, along with the other slave W-IAPs, set up a VPN tunnel to the remote controller and download the firmware through FTP. The Virtual Controller uses IPsec to communicate to the mobility controller over the Internet.
    - If the W-IAP obtains W-AirWave information through DHCP (Option 43 and Option 60), it establishes an HTTPS connection to the W-AirWave server, downloads the configuration, and operates in the W-IAP mode.
    - If the W-IAP does not get W-AirWave information through DHCP provisioning, it tries provision
397. loying an Instant Wireless Network
    A Dell Networking W-Series Instant Access Point (W-IAP) can be installed at a single site or deployed across multiple geographically dispersed locations. Designed specifically for easy deployment and proactive management of networks, Instant is ideal for small customers or remote locations without any on-site IT administrator. Instant consists of a W-IAP and a Virtual Controller. The Virtual Controller resides within one of the APs. In an Instant deployment scenario, only the first W-IAP needs to be configured. After the first W-IAP is configured, the other W-IAPs inherit all the required configuration information from the Virtual Controller. Instant continually monitors the network to determine the W-IAP that should function as the Virtual Controller at any time, and the Virtual Controller will move from one W-IAP to another as necessary without impacting network performance.
    Supported Devices
    The following devices are supported in Instant 6.4.0.2-4.1:
    - W-IAP103
    - W-IAP104/105
    - W-IAP114/115
    - W-IAP134/135
    - W-IAP175P/175AC
    - W-IAP3WN/3WNP
    - W-IAP108/109
    - W-IAP155/155P
    - W-IAP224/225
    - W-IAP274/275
    As of Instant 4.1 release, it is recommended that networks with more than 128 APs should be designed as multiple, smaller virtual controller networks with Layer-3 mobility enabled between them.
    The following table prov
398. ls of a W-IAP:
    (Instant AP)(config)# syslocation <location-name>
    (Instant AP)(config)# end
    (Instant AP)# commit apply
    Configuring a Preferred Band
    You can configure a preferred band for a W-IAP by using the Instant UI or the CLI.
    In the Instant UI
    1. Navigate to System > General.
    2. Select 2.4 GHz, 5 GHz, or All from the Preferred band drop-down list for single-radio access points.
    3. Click OK.
    Reboot the W-IAP after configuring the radio profile for the changes to take effect.
    In the CLI
    To configure a preferred band:
    (Instant AP)(config)# rf-band <band>
    (Instant AP)(config)# end
    (Instant AP)# commit apply
    Configuring Virtual Controller IP Address
    You can specify a single static IP address that can be used to manage a multi-AP Instant network. This IP address is automatically provisioned on a shadow interface on the W-IAP that takes the role of a Virtual Controller. When a W-IAP becomes a Virtual Controller, it sends three Address Resolution Protocol (ARP) messages with the static IP address and its MAC address to update the network ARP cache. You can configure the Virtual Controller name and IP address using the Instant UI or CLI.
    In the Instant UI
    1. Navigate to System > General.
    2. Enter the IP address in Virtual Controller IP.
    3. Click OK.
    In the CLI
    To configure the Virtual Controller Name and IP address
399. <startip> <endip>
    Role Assignment for the Authenticated W-IAPs
    Define a role that includes a src-nat rule to allow connections to the RADIUS server and for the Dynamic Radius Proxy in the W-IAP to work. This role is assigned to W-IAPs after successful authentication.
    (host)(config)# ip access-list session iaprole
    (host)(config-sess-iaprole)# any host <radius-server-ip> any src-nat
    (host)(config-sess-iaprole)# any any any permit
    (host)(config-sess-iaprole)#
    (host)(config)# user-role iaprole
    (host)(config-role)# session-acl iaprole
    VPN Profile Configuration
    The VPN profile configuration defines the server used to authenticate the W-IAP (internal or an external server) and the role assigned to the IAP after successful authentication.
    (host)(config)# aaa authentication vpn default-iap
    (host)(VPN Authentication Profile default-iap)# server-group default
    (host)(VPN Authentication Profile default-iap)# default-role iaprole
    Branch ID Allocation
    For branches deployed in distributed L3 and distributed L2 mode, the master AP in the branch and the controller should agree upon a subnet/IP addresses to be used for DHCP services in the branch. The process or protocol used by the master AP and the controller to determine the subnet/IP addresses used in a branch is called BID allocation. The BID allocation process is not essential for branches deployed in local or centralized L2 mode. The following are some of the key functi
400. This creates a DHCP option 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.
    Figure 104 Instant and DHCP options for W-AirWave: Scope Options
401. m the Blacklisting drop-down list and specify a value for Max authentication failures. The users who fail to authenticate the number of times specified in Max authentication failures field are dynamically blacklisted.
    To enable accounting, select Enabled from the Accounting drop-down list. On setting this option to Enabled, APs post accounting information to the RADIUS server at the specified Accounting interval.
    To enable authentication survivability, set Authentication survivability to Enabled. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache must expire. When the cache expires, the clients are required to authenticate again. You can specify a value within range of 1 to 99 hours and the default value is 24 hours.
    NOTE: The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later, and is available only when the New server option is selected authentication. On setting this parameter to Enabled, Instant authenticates the previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost. The Authentication survivability feature is not applicable when a RADIUS server is configured as an internal server.
    To enable MAC address based authentication for Personal and Open security levels, set MAC authentication to Enabled. For Enterprise security level, the following options are avail
402. matching that domain to corporate Configure distributed L3 DHCP profiles with VLAN 30 and 40 CLI Commands ap config vpn controller gt ap config vpn controlleres gt ap config vpn ap config vpn ap config rou ap routing profile route 0 0 0 0 0 0 0 0 lt public IP of primary controller gt ap routing profile route 10 0 0 0 255 0 0 0 lt public IP of backup controller gt ap config internal domains ap domains domain name corpdomain com Distributed L3 profile with VLAN 30 ap config ip ap DHCP profile Distributed L3 ap DHCP profile ap DHCP profile 10 30 255 255 ap DHCP profile TO LL 50 1051 Ls ap DHCP profile corpdomain com ap DHCP profile Contractors are only permitted to reach 10 16 0 0 16 network Table 74 W AP Configuration for Scenario 3 IPSec Multiple Datacenter Deployment primary lt public IP of primary backup lt public IP of backup preemption 172 16 20 0 24 subnet is used for NAT mode used for wired network Client count in each branch is 200 Ul Procedure See Configuring an IPSec Tunnel fast failover ting profile dhcp 13 dhcp 13 dhcp 13 dhcp 13 dhcp 13 dhcp 30 13 dhcp 13 dhcp See Configuring Routing Profiles See Configuring Enterprise Domains See Configuring Distributed DHCP Scopes and Configuring Local and Local L3 DHCP Scopes Sse
403. mended that you do not use the MAC-based authentication.
    This section describes the following procedures:
    - Configuring MAC Authentication for Wireless Network Profiles on page 165
    - Configuring MAC Authentication for Wired Profiles on page 166
    Configuring MAC Authentication for Wireless Network Profiles
    You can configure MAC authentication for a wired profile in the Instant UI or CLI.
    In the Instant UI
    To enable MAC Authentication for a wireless network:
    1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC authentication and click edit.
    2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
    3. In the Security tab, select Enabled from the MAC authentication drop-down list for Personal or Open security level.
    4. Specify the type of authentication server to use.
    5. If the internal authentication server is used, perform the following steps to allow MAC address based authentication:
    - Click the Users link against the Internal server field. The Users window is displayed.
    - Specify the client MAC address as the user name and password.
    - Specify the type of the user (employee or guest).
    - Click Add.
    - Repeat the steps to add more users.
    - Click OK.
    6. To allow the W-IAP to use a delimit
404. ments
    In addition to this document, the Dell W-IAP product documentation includes the following:
    - Dell Networking W-Series Instant Access Point Installation Guides
    - Dell Networking W-Series Instant 6.4.0.2-4.1 Quick Start Guide
    - Dell Networking W-Series Instant 6.4.0.2-4.1 CLI Reference Guide
    - Dell Networking W-Series Instant 6.4.0.2-4.1 MIB Reference Guide
    - Dell Networking W-Series Instant 6.4.0.2-4.1 Syslog Messages Reference Guide
    - Dell Networking W-Series Instant 6.4.0.2-4.1 Release Notes
    Conventions
    The following conventions are used throughout this manual to emphasize important concepts:
    Table 1 Typographical Conventions
    Type Style | Description
    This style is used to emphasize important terms and to mark the titles of books.
    System items: This fixed-width font depicts the following: sample screen output; system prompts; filenames, software devices, and specific commands when mentioned in the text.
    In the command examples, this style depicts the keywords that must be typed exactly as shown.
    <Arguments>: In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example: send <text message>. In this example, you would type "send" at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.
    Optional: Command examples enclosed in brack
405. meters Parameter Description A e Voice Priority 6 Internetwork Control
    Disable scanning: Select Disable scanning checkbox to disable ARM scanning when this rule is triggered. The selection of the Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for a W-IAP on page 238.
    DSCP tag: Select the DSCP tag checkbox to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.
    802.1p priority: Select the 802.1p priority checkbox to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
    4. Click OK and then click Finish.
    In the CLI
    To configure inbound firewall rules:
    (Instant AP)(config)# inbound-firewall
    (Instant AP)(inbound-firewall)# rule <subnet> <smask> <dest> <mask> <protocol> <sport> <eport> {permit|deny|src-nat|dst-nat <IP-address> <port>} [<option1...option9>]
    (Instant AP)(inbound-firewall)# end
    (Instant AP)# commit apply
    Example
    (Instant AP)(config)# inbound-firewall
    (Instant AP)(inbound-firewall)# rule 192.0.2.1 255.255.255.255 any any match 6 631 631 permit
    (Instant AP)(inbound-firewall)# end
    (Instant AP)# commit apply
    Configuring Management Subnets
    You can configure subnets to ensure that the W-IAP manageme
406. mit apply

To add users for MAC authentication based on internal authentication server:
(Instant AP)(config)# user <username> [<password>] [portal|radius]
(Instant AP)(config)# end
(Instant AP)# commit apply

Configuring MAC Authentication for Wired Profiles
You can configure MAC authentication for a wired profile in the Instant UI or CLI.

In the Instant UI
To enable MAC authentication for a wired profile:
1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network, or select an existing profile for which you want to enable MAC authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. In the Security tab, select Enabled from the MAC authentication drop-down list.
5. Specify the type of authentication server to use.
6. If the internal authentication server is used, perform the following steps to allow MAC address based authentication:
a. Click the Users link against the Internal server field. The Users window is displayed.
b. Specify the client MAC address as the user name and password.
c. Specify the type of the user: employee or guest.
d. Click Add.
e. Repeat the steps to add more users.
f. Cl
407. mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.
b. Specify any of the following values for Client IP Assignment:
• Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client.
• Network Assigned: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
c. If the Trunk mode is selected:
• Specify the Allowed VLAN: enter a list of comma separated digits or ranges (1,2,5 or 1-4), or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
• If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN. You can specify a value within the range of 1-4093.
d. If the Access mode is selected:
• If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 2.
• If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
2. Click Next. The Security ta
408. monstrate AirGroup, either an AirGroup Administrator or an AirGroup Operator account must be created.
1. Navigate to the ClearPass Policy Manager UI, and navigate to Configuration > Identity > Local Users.
Figure 129: Configuration > Identity > Local Users Selection
2. Click Add User.
3. Create an AirGroup Administrator.
Figure 130: Create an AirGroup Administrator
4. In this example, the password used is test123. Click Add.
5. Now click Add User and create an AirGroup Operator.
Figure 131: Create an AirGroup Operator
6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
409. mula Variable Definitions
Formula Element / Description
EIRP: Limit specific for each country of deployment
Tx RF Power: RF power measured at RF connector of the unit

Example
For example, the maximum gain that can be configured on a W-IAP-134 with AP-ANT-1F dual-band and omni-directional antenna is as follows:

Table 17: Maximum Antenna Gains
Frequency Band / Gain (dBi)
2.4-2.5 GHz / 2.0 dBi
4.9-5.875 GHz / 5.0 dBi

For information on antenna gain recommended by the manufacturer, see dell.com/support.

Configuring Antenna Gain
You can configure antenna gain for APs with external connectors using Instant UI or CLI.

In the Instant UI
1. Navigate to the Access Point tab, select the access point to configure, and then click edit.
2. In the Edit Access Point window, select External Antenna to configure the antenna gain value. This option is available only for access points that support external antennas, for example, W-IAP-134.
3. Enter the antenna gain values in dBm for the 2.4 GHz and 5 GHz bands.
4. Click OK.

In the CLI
To configure external antenna for 5 GHz frequency:
(Instant AP)# a-external-antenna <dBi>
To configure external antenna for 2.4 GHz frequency:
(Instant AP)# g-external-antenna <dBi>

Configuring Radio Profiles for a W-IAP
You can configure a radio profile on a W-IAP either manually or by using th
410. n
• Configuring access rules based on application and application categories: see Configuring Access Rules for Application and Application Categories on page 246.
• Configuring access rules based on web categories and web reputation: see Configuring Web Policy Enforcement on page 249.

In the Instant UI
To configure ACL rules for a user role:
1. Navigate to Security > Roles tab. The Roles tab contents are displayed. You can also configure access rules for a wired or wireless client through the WLAN wizard (Network tab > WLAN SSID > Edit > Edit WLAN > Access) or the Wired profile (More > Wired > Edit > Edit Wired Network > Access) window.
2. Select the role for which you want to configure access rules.
3. In Access rules section, click New to add a new rule. The New Rule window is displayed.
4. Ensure that the rule type is set to Access Control.
5. To configure a rule to control access to network services, select Network under service category and specify the following parameters:

Table 35: Access Rule Configuration Parameters
Service Category / Description
Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:
• any: Access is allowed or denied to all services.
• custom: Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the
411. 2. Enter the name of your organization in the Organization name text box. The name defined for organization is displayed under the Groups tab in the W-AirWave user interface.
3. Enter the IP address or domain name of the W-AirWave server in the AirWave server text box.
4. Enter the IP address or domain name of a backup W-AirWave server in the AirWave backup server text box. The backup server provides connectivity when the primary server is down. If the W-IAP cannot send data to the primary server, the Virtual Controller switches to the backup server automatically.
5. Enter the shared key in the Shared key text box and reconfirm. This shared key is used for configuring the first AP in the Instant network.
6. Click OK.

In the CLI
To configure W-AirWave information in Instant:
(Instant AP)(config)# organization <name>
(Instant AP)(config)# ams-ip <IP-address or domain name>
(Instant AP)(config)# ams-backup-ip <IP-address or domain name>
(Instant AP)(config)# ams-key <key>
(Instant AP)(config)# end
(Instant AP)# commit apply
412. n allows authorization against a Lightweight Directory Access Protocol (LDAP) server and external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server. This allows the users to run PEAP-GTC termination with their username and password to a local Microsoft Active Directory server with LDAP authentication.
• EAP-Generic Token Card (GTC): This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the W-IAP to an external authentication server for user data backup.
• EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.

Supported Authentication Servers
Based on the security requirements, you can configure internal or external authentication servers. This section describes the types of servers that can be configured for client authentication:
• Internal RADIUS Server on page 150
• External RADIUS Server on page 150
• Dynamic Load Balancing between Two Authentication Servers on page 154

In the 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management users. For more information on management users and TACACS+ server based authentication, see
413. n fast-failover
(Instant AP)(config)# vpn preemption
(Instant AP)(config)# ip dhcp distl2
(Instant AP)(DHCP Profile "distL2")# server-type Distributed,L2
(Instant AP)(DHCP Profile "distL2")# server-vlan 2
(Instant AP)(DHCP Profile "distL2")# ip-range 10.15.205.0 10.15.205.255
(Instant AP)(DHCP Profile "distL2")# subnet-mask 255.255.255.0
(Instant AP)(DHCP Profile "distL2")# lease-time 86400
(Instant AP)(DHCP Profile "distL2")# default-router 10.15.205.254
(Instant AP)(DHCP Profile "distL2")# dns-server 10.13.6.110,10.1.1.50
(Instant AP)(DHCP Profile "distL2")# domain-name dell.com
(Instant AP)(DHCP Profile "distL2")# client-count 5
(Instant AP)(config)# ip dhcp local
(Instant AP)(DHCP Profile "local")# server-type Local
(Instant AP)(DHCP Profile "local")# server-vlan 200
(Instant AP)(DHCP Profile "local")# subnet 172.16.200.1
(Instant AP)(DHCP Profile "local")# subnet-mask 255.255.255.0
(Instant AP)(DHCP Profile "local")# lease-time 86400
(Instant AP)(DHCP Profile "local")# dns-server 10.13.6.110,10.1.1.50
(Instant AP)(DHCP Profile "local")# domain-name dell.com

To view VPN configuration:
(Instant Access Point)# show vpn config

Enabling Automatic Configuration of GRE Tunnel
GRE is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a controller and the W-IAPs. The automatic GRE feature uses the IPSec connection between the W-IAP and controller to s
414. n for the devices in a network.

ALE with Instant
The Instant 6.3.1.1-4.0 release supports Analytics and Location Engine (ALE). The ALE server acts as a primary interface to all third-party applications, and the W-IAP sends client information and all status information to the ALE server. To integrate W-IAP with ALE, the ALE server address must be configured on a W-IAP. If the ALE server is configured with a host name, the Virtual Controller performs a mutual certificate-based authentication with the ALE server before sending any information.

Enabling ALE Support on a W-IAP
You can configure a W-IAP for ALE support using the Instant UI or CLI.

In the Instant UI
1. Click More > Services. The Services window is displayed.
2. Click the RTLS tab. The tab details are displayed.
3. Select the Analytics & Location Engine checkbox.
Figure 91: Services Window: ALE Integration
4. Specify the ALE server name or IP address.
5. Specify the reporting interval within the range of 6-60 seconds. The W-IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds.
6. Click OK.

In the CLI
To enable W-IAP integration with the ALE server: Instan
415. n the arm configuration sub-mode.

In the CLI
To enable 802.11k profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# dot11k
(Instant AP)(config)# end
(Instant AP)# commit apply

To view the beacon report details:
show ap dot11k-beacon-report <mac>
To view the neighbor details:
show ap dot11k-nbrs

Example:
(Instant AP)(config)# wlan ssid-profile dot11k-profile
(Instant AP)(SSID Profile "dot11k-profile")# dot11k
(Instant AP)(config)# end
(Instant AP)# commit apply

BSS Transition Management (802.11v)
The 802.11v standard provides Wireless Network Management enhancements to the IEEE 802.11 MAC and PHY. It extends radio measurements to define mechanisms for wireless network management of stations, including BSS transition management. W-IAPs support the generation of the BSS transition management request frames to the 802.11k clients when a suitable AP is identified for a client through client match.

Configuring a WLAN SSID for 802.11v Support
You can enable 802.11v support on a WLAN SSID by using the Instant UI or CLI.

In the Instant UI
1. Navigate to the WLAN wizard (click Network > New, or Network > Select the WLAN SSID > edit).
2. Click the Security tab.
3. Under Fast Roaming, select the 802.11v checkbox.
4. Click Next and then click Fin
416. n while the user remains unauthenticated. Specify a POSIX regular expression (regex(7)). For example:
• yahoo.com matches various domains such as news.yahoo.com, travel.yahoo.com, and finance.yahoo.com
• www.apple.com/library/test is a subset of apple.com site corresponding to path /library/test
• favicon.ico allows access to /favicon.ico from all domains
3. To deny users access to a domain, click New and enter the domain name or URL in the Blacklist section of the window. This prevents the unauthenticated users from viewing specific websites. When a URL specified in the blacklist is accessed by an unauthenticated user, W-IAP sends an HTTP 403 response to the client with a simple error message. If the requested URL does not appear on the blacklist or whitelist list, the request is redirected to the external captive portal.
4. Select the domain name/URL and click Edit to modify or Delete to remove the entry from the list.
5. Click OK to apply the changes.

In the CLI
To create a Walled Garden access:
(Instant AP)(config)# wlan walled-garden
(Instant AP)(Walled Garden)# white-list <domain>
(Instant AP)(Walled Garden)# black-list <domain>
(Instant AP)(Walled Garden)# end
(Instant AP)# commit apply

Disabling Captive Portal Authentication
To disable captive portal authentication, perform the following steps:
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit <WLAN Profile>
417. nabled
Wide Channel Bands: Select a band to allow the APs to be placed in 40 MHz (wide band) channels. The Wide channel band allows administrators to configure 40 MHz channels in the 2.4 GHz and 5.0 GHz bands. 40 MHz channels are two 20 MHz adjacent channels that are bonded together. A 40 MHz channel effectively doubles the frequency bandwidth available for data transmission.
80 MHz Support: Enables or disables the use of 80 MHz channels on APs. This feature allows ARM to assign 80 MHz channels on APs with 5 GHz radios, which support a very high throughput. This setting is enabled by default.
NOTE: Only the APs that support 802.11ac can be configured with 80 MHz channels.

2. Reboot the W-IAP.
3. Click OK.

In the CLI
To configure access point control parameters:
(Instant AP)(config)# arm
(Instant AP)(ARM)# a-channels <5GHz-channels>
(Instant AP)(ARM)# min-tx-power <power>
(Instant AP)(ARM)# max-tx-power <power>
(Instant AP)(ARM)# client-aware
(Instant AP)(ARM)# wide-bands {<5GHz>|<2GHz>|<All>|<None>}
(Instant AP)(ARM)# scanning
(Instant AP)(ARM)# 80mhz-support
(Instant AP)(ARM)# end
(Instant AP)# commit apply

Verifying ARM Configuration
To view ARM configuration:
(Instant AP)# show arm config
Transmit Power 18
Transmit Power 127
Band Steering Mode prefer-5ghz
Client Aware enable
Scanning enable
Wide Channel Bands 5ghz
80Mhz Support
418. nables the W-IAPs to perform load balancing of authentication requests destined to authentication servers such as RADIUS or LDAP. The load balancing in W-IAP is performed based on outstanding authentication sessions. If there are no outstanding sessions and if the rate of authentication is low, only the primary server will be used. The secondary is used only if there are outstanding authentication sessions on the primary server. With this, the load balance can be performed across asymmetric capacity RADIUS servers without the need to obtain inputs about the server capabilities from the administrators.

Understanding Encryption Types
Encryption is the process of converting data into a cryptic format or code when it is transmitted on a network. Encryption prevents unauthorized use of the data. Instant supports the following types of encryption:
• WEP: Wired Equivalent Privacy (WEP) is an authentication method where all users share the same key. WEP is not as secure as other encryption types such as TKIP.
• TKIP: Temporal Key Integrity Protocol (TKIP) uses the same encryption algorithm as WEP. However, TKIP is more secure and has an additional message integrity check (MIC).
• AES: The Advanced Encryption Standard (AES) encryption algorithm is a widely supported encryption type for all wireless networks that contain any confidential data. AES in Wi-Fi leverages 802.1X or PSKs to generate per-station keys for all devices. AES provides a high level of security li
419. name> end
(Instant AP)# commit apply

Configuring VLAN Settings for a WLAN SSID Profile
If you are creating a new SSID profile, complete the WLAN Settings procedure before configuring VLAN. For more information, see Configuring WLAN Settings for an SSID Profile on page 93. You can configure VLAN settings for an SSID profile using the Instant UI or CLI.

In the Instant UI
To configure VLAN settings for an SSID:
1. In the VLAN tab of the New WLAN window, the VLAN tab contents are displayed.
Figure 34: VLAN Tab
2. Select any of the following options for Client IP assignment:
• Virtual Controller assigned: On selecting this option, the client obtains the IP address from the Virtual Controller.
• Network assigned: On selecting this option, the IP address is obtained from the network.
3. Based on the type of client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table:

Table 20: IP and VLAN Assignment for WLAN SSID Clients
Client IP Assignment / Client VLAN Assignment
Virtual Controller assigned / If the Virtual Contro
420. nd 5ghz upper

Chapter 17: Deep Packet Inspection and Application Visibility
This chapter provides the following information:
• Deep Packet Inspection on page 241
• Enabling Application Visibility on page 241
• Application Visibility on page 242
• Configuring Access Rules for Application and Application Categories on page 246
• Configuring Web Policy Enforcement on page 249

Deep Packet Inspection
AppRF is Dell's custom-built Layer 7 firewall capability. It comprises an on-board deep packet inspection and a cloud-based Web Policy Enforcement service that allows creating firewall policies based on types of application. The web policy enforcement capabilities require the W-IAP to have a web policy enforcement subscription. Please contact the Dell Sales Team.

W-IAPs with DPI capability analyze data packets to identify applications in use and allow you to create access rules to determine client access to applications, application categories, web categories, and website URLs based on security ratings. You can also define traffic shaping policies such as bandwidth control and QoS per application for client roles. For example, you can block bandwidth-monopolizing applications on a guest role within an enterprise.

The AppRF feature provides application visibility for analyzing client traffic flow. W-IAPs support both the power of in-device packet fl
421. nd a centralized RADIUS-based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled. When enabled, dynamic RADIUS proxy ensures that all the RADIUS traffic is sourced from the Virtual Controller IP or inner IP of the W-IAP IPsec tunnel, depending on the RADIUS server IP and routing profile. Ensure that a static Virtual Controller IP is configured before enabling dynamic RADIUS proxy, in order to tunnel the RADIUS traffic to the central RADIUS server in the datacenter. For information on enabling dynamic RADIUS proxy, see Configuring Dynamic RADIUS Proxy Parameters on page 161.

Configuring Enterprise Domains
By default, all the DNS requests from a client are forwarded to the client's DNS server. In a typical W-IAP deployment without VPN configuration, client DNS requests are resolved by the DNS server of clients. For the IAP-VPN scenario, the enterprise domain settings on the W-IAP are used for determining how client DNS requests are routed. For information on how to configure enterprise domains, see Configuring Enterprise Domains on page 188.

Configuring a Controller for IAP-VPN Operations
Dell Networking W-Series controllers provide an ability to terminate the IPSec and GRE VPN tunnels from the W-IAP and provide corporate connectivity to the branch network. For IAP-VPN operations, ensure that the following configuration and verif
422. ndow. The built-in IDS scans for access points that are not controlled by the Virtual Controller. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your network.
Figure 110: Intrusion Detection

OS Fingerprinting
The OS Fingerprinting feature gathers information about the client that is connected to the Instant network to find the operating system that the client is running on. The following is a list of advantages of this feature:
• Identifying rogue clients: Helps
423. ne
• Incoming traffic: Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line. To see an enlarged view, click the graph.
• The enlarged view provides Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the network for the last 15 minutes. To see the exact throughput of the selected network at a particular time, move the cursor over the graph line.

Monitoring Procedure
To check the number of clients associated with the network for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Networks tab, click the network for which you want to check the client association. The Network view is displayed.
3. Study the Clients graph in the Usage Trends pane. For example, the graph shows that one client is associated with the selected network at 12:00 hours.

To check the throughput of the selected network for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Networks tab, click the network for which you want to check the client association. The Network view is displayed.
3. Study the Throughput graph in the Usage Trends pane. For example, the graph shows 22.0 Kbps incoming traffic throughput for the selected network at 12:03 hours.
424. ne, all W-IAPs can broadcast this SSID.

Select any of the following checkboxes to specify the bandwidth limit:
• Airtime: Select this checkbox to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
• Each user: Select this checkbox to specify a throughput for any single user in this network. Specify the throughput value in Kbps.
• Each radio: Select this checkbox to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients.

Configure the following options for WMM traffic management. WMM supports voice, video, best effort, and background access categories. To allocate bandwidth for the following types of traffic, specify a percentage value under Share. To configure DSCP mapping, specify a value under DSCP Mapping.
• Background WMM: For background traffic such as file downloads or print jobs.
• Best effort WMM: For best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS.
• Video WMM: For video traffic generated from video streaming.
• Voice WMM: For voice traffic generated from the incoming and outgoing voice communication.
For more information on WMM traffic and DSCP mapping, see Wi-Fi Multimedia Traffic Management on page 251.

Set to Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network.

Captive Portal
425. network. Instead, one W-IAP in every network assumes the role of Virtual Controller. It coordinates, stores, and distributes the settings required to provide a centralized functionality to regulate and manage the Wi-Fi network. The Virtual Controller is the single point of configuration and firmware management. When configured, the Virtual Controller sets up and manages the VPN tunnel to a Mobility Controller in the data center. The Virtual Controller also functions like any other AP with full RF scalability. It also acts as a node, coordinating DHCP address allocation for network address translated clients, ensuring mobility of the clients when they roam between different W-IAPs.

Master Election Protocol
The Master Election Protocol enables the Instant network to dynamically elect a W-IAP to take on a Virtual Controller role and allow graceful failover to a new Virtual Controller when the existing Virtual Controller is not available. This protocol ensures stability of the network during initial startup or when the Virtual Controller goes down by allowing only one W-IAP to self-elect as a Virtual Controller.

Preference to a W-IAP with 3G/4G Card
The Master Election Protocol prefers the W-IAP with a 3G/4G card when electing a Virtual Controller for the Instant network during the initial setup. The Virtual Controller is selected based on the following criteria:
If there is more than one W-IAP with 3G/4G cards, one of these W-IAPs is dynamically elec
426. nfig)# snmp-server engine-id <engine-ID>
(Instant AP)(config)# host <ipaddr> version {1 <name> udp-port <port>}|{2c|3 <name> [inform] [udp-port <port>]}

To configure SNMPv1 and SNMPv2 community strings:
(Instant AP)(config)# snmp-server community <password>

To configure SNMPv3 community strings:
(Instant AP)(config)# snmp-server user <name> <auth-protocol> <password> <privacy-protocol> <password>

To view SNMP configuration:
(Instant AP)# show snmp-configuration
Engine ID: D8C7C8C44298
Community Strings
Name
SNMPv3 Users
Name  Authentication Type  Encryption Type

Configuring SNMP Traps
Instant supports the configuration of external trap receivers. Only the W-IAP acting as the Virtual Controller generates traps. The traps for W-IAP cluster are generated with Virtual Controller IP as the source IP, if Virtual Controller IP is configured. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X. You can configure SNMP traps using the Instant UI or CLI.

In the Instant UI
To configure an SNMP trap receiver:
1. Navigate to System > Show advanced options > Monitoring. The Monitoring window is displayed.
2. Under SNMP Traps, enter a name in the SNMP Engine ID text box. It indicates the name of the SNMP agent on the access point. The SNMPV3 agent has an
427. nfiguration Parameters for WLAN Security Settings in an Employee or Voice Network
Parameters: Key Management; Termination; Authentication server 1 and Authentication server 2
Description (Key Management):
For Enterprise security level, select any of the following options from the Key management drop-down list:
• WPA-2 Enterprise
• Both (WPA-2 & WPA)
• WPA Enterprise
• Dynamic WEP with 802.1X: If you do not want to use a session key from the RADIUS Server to derive pair-wise unicast keys, set Session Key for LEAP to Enabled. This is required for old printers that use dynamic WEP through Lightweight Extensible Authentication Protocol (LEAP) authentication. The Session Key for LEAP feature is Disabled by default.
For Personal security level, select an encryption key from the Key management drop-down list.
• For WPA-2 Personal, WPA Personal, and Both (WPA-2 & WPA) keys, specify the following parameters:
1. Passphrase format: Select a passphrase format from the Passphrase format drop-down list. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
2. Enter a passphrase in the Passphrase text box and reconfirm.
NOTE: The Passphrase may contain any special character except for
• For Static WEP, specify the following parameters:
Select an appropriate value for WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit.
Select an appropriate value f
428. ng VLAN for a Wired Profile
Configuring Security Settings for a Wired Profile
Configuring Security Settings for a Wired Employee Network
Configuring Access Rules for a Wired Profile
Assigning a Profile to Ethernet Ports
In the Instant UI
In the CLI
Editing a Wired Profile
Deleting a Wired Profile
Link Aggregation Control Protocol for W-IAP220 Series
Understanding Hierarchical Deployment
Captive Portal for Guest Access
Understanding Captive Portal
Types of Captive Portal
Walled Garden
429. ng WMM for Wireless Clients
You can configure WMM for wireless clients by using the UI or CLI.

In the Instant UI
1. Navigate to the WLAN wizard (click Network > New, or Network > Select the WLAN SSID > edit).
2. Click Show advanced options under WLAN Settings.
3. Specify a percentage value for the following WMM access categories in the corresponding Share field. You can allocate a higher bandwidth for voice and video traffic than other types of traffic based on the network profile.
• Background WMM: Allocates bandwidth for background traffic such as file downloads or print jobs.
• Best effort WMM: Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS.
• Video WMM: Allocates bandwidth for video traffic generated from video streaming.
• Voice WMM: Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication.
In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best effort WMM and Voice WMM to allocate a higher bandwidth to clients transmitting best effort and voice traffic.
4. Click Next and complete the configuration as required.

In the CLI
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# wmm-background-sh
430. 4. After you upload the certificate, navigate to Groups, click the Instant Group, and then select Basic. The Group name is displayed only if you have entered the Organization name in the Instant UI. For more information, see Configuring Organization String on page 277.

Figure 51: Selecting the Group

The Virtual Controller Certificate section displays the certificates (CA cert and Server).

5. Click Save to apply the changes only to W-AirWave. Click Save and Apply to apply the changes to the W-IAP.
6. To clear the certificate options, click Revert.

Chapter 12: Roles and Policies

This chapter describes the procedures for configuring user roles, role assignment, and f
431. nly after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.

Creating a Captive Portal Profile

You can create a captive portal profile using the Instant UI or CLI.

In the Instant UI

1. Click Security > External Captive Portal.
2. Click New. The New pop-up window is displayed.
3. Specify values for the following parameters:

Table 25: Captive Portal Profile Configuration Parameters (Parameter: Description)

- Enter a name for the profile.
- Select any one of the following types of authentication:
  - Radius Authentication: Select this option to enable user authentication against a RADIUS server.
  - Authentication Text: Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
- IP or hostname: Enter the IP address or the hostname of the external splash page server.
- Enter the URL for the external captive portal server.
- Port: Enter the number of the port to use for communicating with the external captive portal server.
- Use https: Select Enabled to enf
432. nneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.

EAP-PEAP (MSCHAPv2): EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with server. The PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. Exchange of information is encrypted and stored in the tunnel, ensuring the user credentials are kept secure.

LEAP: Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and authentication server.

To use the W-IAP's internal database for user authentication, add the names and passwords of the users to be authenticated.

NOTE: Dell does not recommend the use of LEAP authentication because it does not provide any resistance to network attacks.

Authentication Termination on W-IAP

W-IAPs support EAP termination for enterprise WLAN SSIDs. The EAP termination can reduce the number of exchange packets between the W-IAP and the authentication servers. Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC terminatio
433. ns

- from all sources: Traffic from all sources is either allowed, denied, or the IP address is translated at the source or destination as defined in the rule.
- from a host: Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the IP address of the host.
- from a network: Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network.

Destination: Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.

- to all destinations: Traffic for all destinations is allowed, denied, or the IP address is translated at the source or destination as defined in the rule.
- to a particular server: Traffic to a specific server is allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the IP address of the destination server.
- except to a particular server: Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- to a network: Traffic to the specified network
434. nstant UI or CLI.

In the Instant UI

To enable or disable the management plane protection:

1. Click System > General > Show Advanced Options.
2. Select any of the following options from the Dynamic CPU Management drop-down list:
   - Automatic: When selected, the CPU management is enabled or disabled automatically during run-time. This decision is based on real-time load calculations, taking into account all different functions that the CPU needs to perform. This is the default and recommended option.
   - Always disabled on all APs: When selected, this setting manually disables CPU management on all APs, typically for small networks. This setting protects user experience.
   - Always enabled on APs: When selected, the client and network management functions are protected. This setting helps in large networks with high client density.
3. Click OK.

In the CLI

    (Instant AP)(config)# dynamic-cpu-mgmt {auto|enable|disable}

Chapter 6: Customizing W-IAP Settings

This chapter describes the procedures for configuring settings that are specific to a W-IAP in the cluster.

- Modifying the W-IAP Hostname on page 84
- Configuring Zone Settings on a W-IAP on page 84
- Specifying a Method for Obtaining IP Address on page 85
- Configuring External Antenna on page 86
- Configuring Radio Profiles for a W-IAP on page 87
- Configuring Uplink VLAN fo
435. The following figure shows the client view heatmap for an AP radio.

Figure 21: Channel Availability Map for Clients

AppRF

The AppRF link displays the application traffic summary for W-IAPs and client devices. The AppRF link in the activity panel is displayed only if AppRF visibility is enabled in the System window. For more information on application visibility and AppRF charts, see Application Visibility on page 242.

Spectrum

The spectrum link (in the Access Point view) displays the spectrum data that is collected by a hybrid AP or by a W-IAP that has enabled spectrum monitor. The spectrum data is not reported to the Virtual Controller. The spectrum link displays the following:

- Device list: The device list display consists of a device summary table and channel information for active non-Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio.
- Channel Utilization and Monitoring: This chart provides an overview of channel quality across the spectrum. It shows channel utilization information such as channel quality, availability, and utilization metrics as seen by a spectrum monitor for the 2.4 GHz and 5 GHz radio bands. The first bar for each channel represents the percentage of air time used by non-Wi-Fi interference and Wi-Fi devices. The second bar indicates the channel quality. A higher percentage value indicates better quality.
- Channel Details: When you move your mouse over a channel, the chann
436. nt View Usage Trends and Monitoring Procedures Description Monitoring Procedure To check the free memory of the W IAP for the last 15 minutes Memory free The memory free graph displays the MB Clients Throughput memory availability of the W IAP in MB To see the free memory of the W IAP move the cursor over the graph line The Clients graph shows the number of clients associated with the selected W IAP for the last 15 minutes To see an enlarged view click the graph The enlarged view provides Last Minimum Maximum and Average statistics for the number of clients associated with the W IAP for the last 15 minutes To see the exact number of clients associated with the selected W IAP ata particular time move the cursor over the graph line The Throughput graph shows the throughput for the selected W IAP for the last 15 minutes e Outgoing traffic Throughput for outgoing traffic is displayed in green Outgoing traffic is shown about the median line e Incoming traffic Throughput for incoming traffic is displayed in blue Incoming traffic is shown below the median line To see an enlarged view click the graph e The enlarged view provides Last Minimum Maximum and Average statistics for the incoming and outgoing traffic throughput of the W IAP for the last 15 minutes To see the exact throughput of the selected W IAP ata particular time move the cursor over the graph line Dell Netw
437. nt is carried out only from these subnets. When the management subnets are configured, Telnet, SSH, and UI access is restricted to these subnets only. You can configure management subnets by using the Instant UI or CLI.

In the Instant UI

To configure management subnets:

1. Navigate to Security > Inbound Firewall. The Inbound Firewall tab contents are displayed.

   Figure 55: Firewall Settings - Management Subnets

2. To add a new management subnet:
   - Enter the subnet address in Subnet.
   - Enter the subnet mask in Mask.
   - Click Add.
3. To add multiple subnets, repeat step 2.
4. Click OK.

In the CLI

To configure a management subnet:

    (Instant AP)(config)# restricted-mgmt-access <subnet-IP-address> <subnet-mask>
    (Instant AP)(config)# end
    (Instant AP)# commit apply

Configuring Restricted Access to Corporate Network

You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of master W-IAP, including clients connected to a slave W-IAP. You can configure restricted corporate access by usin
438. nt to restrict access By default an AirGroup service is accessible by all user roles configured in your W IAP cluster To select VLANs from allowing access to an AirGroup service click the corresponding edit link and select the VLANs to exclude By default the AirGroup services are accessible by users or devices in all VLANs configured in your W IAP cluster 9 ClearPass Settings Use this section to configure the CPPM server CoA server and enforce ClearPass registering CPPM server 1 Indicates the ClearPass Policy Manager server information for AirGroup policy Enforce ClearPass registering When enabled only devices registered with CPPM will be discovered by Bonjour devices based on the CPPM policy In the CLI To configure AirGroup Instant AP config airgroup Instant AP airgroup enable dlna only mdns only Instant AP airgroup T cppm enforce registration Instant AP airgroup cppm server lt server gt Instant AP airgroup T cppm query interval lt interval gt Instant AP airgroup T disallow vlan lt vlan ID gt Instant AP airgroup T enable guest multicast Instant AP airgroup T multi swarm Instant AP airgroup end Instant AP commit apply To enable DLNA support Instant AP config airgroup Instant AP airgroup enable dlna only Instant AP airgroup end Instant AP commit apply To enable support for Bonjour services Instant AP config air
439. ntinuously sends ICMP packets to some well-known Internet servers. If the request is timed out due to a bad uplink connection or uplink interface failure, and the public Internet is not reachable from the current uplink, the W-IAP switches to a different connection. You can set preferences for uplink switching using the Instant UI and CLI.

In the Instant UI

To configure uplink switching:

1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed.
2. Under Uplink Management, configure the following parameters:
   - VPN failover timeout: To configure uplink switching based on VPN status, specify the duration to wait for an uplink switch. The default duration is set to 180 seconds.
   - Internet failover: To configure uplink switching based on Internet availability, perform the following steps:
     a. Select Enabled from the Internet failover drop-down list.
     b. Specify the required values for the following fields:
        - Max allowed test packet loss: The maximum number of ICMP test packets that are allowed to be lost to determine if the W-IAP must switch to a different uplink connection. You can specify a value within the range of 1-1000.
        - Secs between test packets: The frequency at which ICMP test packets are sent. You can specify a value within the range of 1-3600 seconds.
        - Internet check time Internet check timeou
440. ntroller IP Address is set as a NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication on page 157.

In the CLI

To enable the dynamic RADIUS proxy feature:

    (Instant AP)(config)# dynamic-radius-proxy
    (Instant AP)(config)# end
    (Instant AP)# commit apply

Configuring Dynamic RADIUS Proxy Parameters for Authentication Servers

You can configure DRP parameters for the authentication server by using the Instant UI or CLI.

In the Instant UI

1. Click the Security > Authentication Servers.
2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 32.
3. Ensure that the following dynamic RADIUS proxy parameters are configured:
   - DRP IP: IP address to be used as source IP for RADIUS packets
   - DRP Mask: Subnet mask of the DRP IP address
   - DRP VLAN: VLAN in which the RADIUS packets are sent
   - DRP Gateway: Gateway IP address of the DRP VLAN
4. Click OK.

In the CLI

To configure dynamic RADIUS proxy parameters:

    (Instant AP)(config)# wlan auth-server <profile-name>
    (Instant AP)(Auth Server <profile-name>)# ip <IP-address>
    (Instant AP)(Auth Server <profile-name>)# key <key>
    (Instant AP)(Auth Server <profile-name>)# port <port>
    (Instant AP)(Auth Server <profile-name>)# acc
441. nutes when it loses its uplink connectivity to a wired network.

Mesh Points

The mesh point establishes an all-wireless path to the mesh portal. The mesh point provides traditional WLAN services such as client connectivity, intrusion detection system (IDS) capabilities, user role association, and Quality of Service (QoS) for LAN-to-mesh communication to clients, and performs mesh backhaul/network connectivity.

Mesh point also supports LAN bridging. You can connect any wired device to the downlink port of the mesh point. In the case of single Ethernet port platforms such as AP-93 and AP-105, you can convert the Eth0 uplink port to a downlink port by enabling Eth0 Bridging. For additional information, see Configuring Wired Bridging on Ethernet 0 for Mesh Point on page 304.

Setting up Instant Mesh Network

Starting from Instant 6.4.0.2-4.1 release, mesh functionality is disabled by default, because of which over-the-air provisioning of mesh W-IAPs is not supported.

To provision W-IAPs as mesh W-IAPs:

- Connect the W-IAPs to a wired switch.
- Ensure that the Virtual Controller key is synchronized and the country code is configured.
- Ensure that a valid SSID is configured on the W-IAP.
- If the IAP has a factory default SSID (instant SSID), delete the SSID.
- If an extended SSID is enabled on the virtual controller, disable it and reboot the W-IAP cluster.
- Disconnect the W-IAPs that you want to deploy as mesh points from the switch and place
442. o a single platform AirGroup maintains seamless connectivity between clients and services across VLANs and SSIDs The following table summarizes the filtering options supported by Instant Table 54 AirGroup Filtering Options Features Instant Deployment Models Allow mDNS and DLNA traffic to propagate Yes Yes across subnets VLANs Limit mDNS and DLNA traffic on the network Yes Yes VLAN based AirGroup service policy enforcement Yes User role based AirGroup service policy Yes Yes enforcement Portal to self register personal leaves A Yes Device owner based policy enforcement Na Yes Location based policy enforcement AN Yes Shared user list based policy enforcement NO Yes Shared role list based policy enforcement Na Yes CPPM and ClearPass Guest Features CPPM and ClearPass Guest support the following features e Registration portal for WLAN users to register their personal devices e Registration portal for WLAN administrators to register shared devices e Operator defined personal AirGroup to specify a list of other users who can share devices with the operator e Administrator defined username user role and location attributes for shared devices 260 Services Dell Networking W Series Instant 6 4 0 2 4 1 User Guide Configuring AirGroup and AirGroup Services on a W IAP You can configure AirGroup services using the Instant UI or CLI In the Instant Ul To enable AirGroup and its services 1 Click the More gt S
443. o assign clients to a CALEA-related user role. To enable role assignment to clients, you need to create a user role and a CALEA access rule, and then assign the CALEA rule to the user role. Whenever a client that is configured to use a CALEA rule connects, a replication role is assigned.

- Through Change of Authorization (CoA): In this method, a user session can start without replication. When the network administrator triggers a CoA from the RADIUS server, the user session is replicated. The replication is stopped when the user disconnects or by sending a CoA to change the replication role.

As the client information is shared between multiple W-IAPs in a cluster, the replication rules persist when clients roam within the cluster.

Configuring a W-IAP for CALEA Integration

To enable CALEA server integration, perform the following steps:

1. Create a CALEA profile.
2. If a replication role must be assigned through the RADIUS VSA, create an access rule and assign the access rule to a WLAN SSID or wired profile.
3. Verify the configuration.

Creating a CALEA Profile

You can create a CALEA profile by using the Instant UI or CLI.

In the Instant UI

To configure a CALEA profile:

1. Click More > Services at the top right corner of the Instant main window.
2. Click CALEA. The CALEA tab details are displayed.
444. o create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.

L2 authentication fall-through: Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default.

For more information on configuring a W-IAP to use MAC + 802.1X Authentication, see Configuring MAC Authentication with 802.1X Authentication on page 167.

Captive Portal Authentication

Captive portal authentication is used for authenticating guest users. For more information on Captive Portal authentication, see Captive Portal for Guest Access on page 120.

MAC authentication with Captive Portal authentication

This authentication method has the following features:

- If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
- If the captive por
445. o enforce an uplink:

    (Instant AP)(config)# uplink
    (Instant AP)(uplink)# enforce {cellular|ethernet|wifi|none}
    (Instant AP)(uplink)# end
    (Instant AP)# commit apply

Setting an Uplink Priority

You can set an uplink priority by using the Instant UI or CLI.

In the Instant UI

1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed.
2. Under Uplink Priority List, select the uplink, and click the icons at the bottom of the Uplink Priority List section to increase or decrease the priority. By default, the Eth0 uplink is set as a high priority uplink.
3. Click OK. The selected uplink is prioritized over other uplinks.

In the CLI

To set an uplink priority:

    (Instant AP)(config)# uplink
    (Instant AP)(uplink)# uplink-priority {cellular <priority>|ethernet <priority>|[port <Interface-number> <priority>]|wifi <priority>}
    (Instant AP)(uplink)# end
    (Instant AP)# commit apply

For example, to set a priority for Ethernet uplink:

    (Instant AP)(uplink)# uplink-priority ethernet port 0 1
    (Instant AP)(uplink)# end
    (Instant AP)# commit apply

Enabling Uplink Preemption

The following configuration conditions apply to uplink preemption:

- Preemption can be enabled only when no uplink is enforced.
- When preemption is disabled and the current uplink goes down, the W-IAP tries to find an available uplink based on the uplink priority
446. o the uplink enforcement:

- When an uplink is enforced, the W-IAP uses the specified uplink regardless of uplink preemption configuration and the current uplink status.
- When an uplink is enforced and multiple Ethernet ports are configured and uplink is enabled on the wired profiles, the W-IAP tries to find an alternate Ethernet link based on the priority configured.
- When no uplink is enforced and preemption is not enabled, and if the current uplink fails, the W-IAP tries to find an available uplink based on the priority configured.
- When no uplink is enforced and preemption is enabled, and if the current uplink fails, the W-IAP tries to find an available uplink based on the priority configured. If current uplink is active, the W-IAP periodically tries to use a higher priority uplink and switches to the higher priority uplink even if the current uplink is active.

You can enforce a specific uplink on a W-IAP by using the Instant UI or CLI.

In the Instant UI

To enforce an uplink:

1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed.
2. Under Uplink Management, select the type of uplink from the Enforce Uplink drop-down list. If Ethernet uplink is selected, the Port field is displayed.
3. Specify the Ethernet interface port number.
4. Click OK. The selected uplink is enforced on the W-IAP.

In the CLI

T
447. ocal administrator.

Converting a W-IAP to a Campus AP

To convert a W-IAP to a Campus AP, do the following:

1. Click the Maintenance link in the Instant main window.
2. Click the Convert tab. The Convert tab is displayed.

   Figure 122: Converting a W-IAP to Campus AP

3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (Fully Qualified Domain Name (FQDN)) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local administrator to obtain these details.
5. Ensure that the W-IAPs access the mobility controller IP Address.
6. Click Convert Now to complete the conversion.

Converting a W-IAP to Standalone Mode

This feature allows you to deploy a W-IAP as an autonomous AP, which is a separate entity from the existing Virtual Controller cluster in the Layer 2 domain.

To convert a W-IAP to a standalone AP:

1. Click the Maintenance link in the Instant main window.
2. Click the Convert tab. The Convert tab is displayed.

   Figure 123: Standalone AP Conversion
448. Configuring Radio Profiles for a W-IAP .... 87
Configuring ARM Assigned Radio Profiles for a W-IAP .... 87
Configuring Radio Profiles Manually for W-IAP .... 87
Configuring Uplink VLAN for a W-IAP .... 88
Master Election and Virtual Controller .... 89
Master Election Protocol .... 89
Preference to a W-IAP with 3G/4G Card .... 89
Preference to a W-IAP with Non-Default IP .... 90
Viewing Master Election Details .... 90
Manual Provisioning of Master W-IAP .... 90
Provisioning a W-IAP as a Master W-IAP .... 90
In the Instant UI .... 90
In the CLI .... 90
Adding a W-IAP to the Network .... 91
Removing a W-IAP from the Network .... 91
VLAN Configuration .... 92
VLAN Pooling .... 92
Uplink VLAN Monitoring and Detection on Upstream Devices .... 92
Wireless Network Profiles .... 93
Configuring Wireless Network Profiles
449. of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 150.

5. Select the operator from the Operator drop-down list. The following types of operators are supported:
   - contains: The rule is applied only if the attribute value contains the string specified in Operand.
   - Is the role: The rule is applied if the attribute value is the role.
   - equals: The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals: The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with: The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with: The rule is applied only if the attribute value ends with string specified in Operand.
   - matches-regular-expression: The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
6. Enter the string to match in the String text box.
7. Select the appropriate role from the Role drop-down list.
8. Click OK.

When Enforce Machine Authentic
450. ollowing sections:

- Info
- RF Dashboard
- RF Trends
- Usage Trends
- Mobility Trail

Info

The Info section displays the configuration information of the Virtual Controller by default. On selecting the Network View tab, the monitoring pane displays configuration information of the selected network. Similarly, in the Access Point or the Client view, this section displays the configuration information of the selected W-IAP or the client.

Table 9: Contents of the Info Section in the Instant Main Window

Info section in Virtual Controller view: The Info section in the Virtual Controller view displays the following information:

- Name: Displays the Virtual Controller name.
- Country Code: Displays the Country in which the Virtual Controller is operating.
- Virtual Controller IP address: Displays the IP address of the Virtual Controller.
- Management: Indicates if the W-IAP is managed locally or through W-AirWave.
- Master: Displays the IP address of the Access Point acting as Virtual Controller.
- OpenDNS Status: Displays the OpenDNS status. If the OpenDNS status indicates Not Connected, ensure that the network connection is up and appropriate credentials are configured for OpenDNS.
- Uplink type: Displays the type of uplink configured on the W-IAP, for example, Ethernet or 3G.
- Uplink status: Indicates the uplink status.
- Blacklisted clients: Displays the numbe
451. on

- TFTP Dump: Allows you to view or configure a TFTP dump server for core dump files. See Configuring TFTP Dump Server on page 332 for more information.
- SNMP: Allows you to view or configure SNMP agent settings. See Configuring SNMP on page 327 for more information.
- WISPr: Allows you to view or configure the WISPr settings. See Configuring WISPr Authentication on page 170 for more information.
- Proxy: Allows you to configure HTTP proxy on a W-IAP. See Configuring HTTP Proxy on a W-IAP on page 317 for more information.

The following figure provides a view of the System window with the advanced options.

Figure 5: System Window
452. on Instant AP SSID Profile lt name gt 12 auth failthrough Instant AP SSID Profile lt name gt termination Instant AP SSID Profile lt name gt xternal server Instant AP SSID Profile lt name gt auth server lt server name gt Instant AP SSID Profile lt name gt server load balancing Instant AP SSID Profile lt name gt radius accounting Instant AP SSID Profile lt name gt radius accounting mode user authentication user association Instant AP SSID Profile lt name gt radius interim accounting interval lt minutes gt Instant AP SSID Profile lt name gt radius reauth interval lt minutes gt Instant AP SSID Profile lt name gt set role by ssid Instant AP SSID Profile lt name gt hotspot profile lt name gt Instant AP SSID Profile lt name gt end Instant AP commit apply Sample Configuration Step 1 Creating ANQP and H2QP Advertisement Profile Instant AP configure terminal Instant AP config hotspot anqp nai realm profile nrl Instant AP nai realm nr1 nai realm name namel Instant AP nai realm nr1 nai realm encoding utf8 Instant AP nai realm nr1 f nai realm eap method eap sim Instant AP nai realm nr1l nai realm auth id 1 non eap inner auth Instant AP nai realm nr1 nai realm auth value 1 mschapv2 Instant AP nai realm nr1 nai home realm Instant AP nai realm nr1 exit In
453. on see Configuring VLAN for a Wired Profile on page 114 In the CLI To configure wired settings for Instant Instant Instant Instant Instant AP AP AP Instant AP wired ap profile lt name gt AP AP config wired port profile lt name gt wired ap profile lt name gt type lt employee gt lt guest gt wired ap profile lt name gt speed 10 100 1000 auto duplex half full auto no shutdown po wired ap profile lt name gt wired ap profile lt name gt 113 Wired Profiles Dell Networking W Series Instant 6 4 0 2 4 1 User Guide Instant AP wired ap profile lt name gt uplink enable Instant AP wired ap profile lt name gt content filtering wired ap profile lt name gt spanning tree Instant AP end Instant AP wired ap profile lt name gt Instant AP commit apply Configuring VLAN for a Wired Profile If you are creating a new wired profile complete the Wired Settings procedure before configuring VLAN For more nore information see Configuring Wired Settings on page 112 You can configure VLAN using the Instant UI or CLI In the Instant UI To configure VLAN 1 Inthe VLAN tab enter the following information a Mode You can specify any of the following modes Access Select this mode to allow the port to carry a single VLAN specified as the native VLAN Trunk Select this
454. on Link Virtual Controller Configuration System RF Security VPN IDS Wir Services DHCP Server General Admin DHCP Uplink L3 Mobility Basic Advanced Name Instant C 4 42 98 Virtual Controller Netmask 0 0 0 0 Virtual Controller IP 0 0 0 0 Virtual Controller Gateway 0 0 0 0 Dynamic RADIUS proxy Disabled Virtual Controller VLAN 0 Mobility Access Switch integration Disabled Preferred band All NTP server Auto join mode Enabled Timezone None Terminal access Enabled Edit Console access Enabled LED display Enabled Extended SSID Disabled Deny inter user bridging Disabled Deny local routing Disabled Dynamic CPU management Automatic Edit Dell Networking W Series Instant 6 4 0 2 4 1 User Guide Instant User Interface 72 W AirWave Setup W AirWave is a solution for managing rapidly changing wireless networks When enabled W AirWave allows you to manage the Instant network For more information on W AirWave see Managing a W IAP from W AirWave on page 275 The W AirWave status is displayed at the bottom of the Instant main window If the W AirWave status is Not Set Up click the Set Up Now link to configure W AirWave The System window is displayed with Admin tab selected Pause Resume The Pause Resume link is located at the bottom right corner of the Instant main window Click the Pause link to pause the automatic refreshing of the Instant U after every 15 seconds by default The Instant Ul is automatically refres
455. on Protocol DHCP server. To create VLAN assignment rules, click New to assign the user to a VLAN. In the New VLAN Assignment Rule window, enter the following information:
- Attribute: Select an attribute returned by the RADIUS server during authentication.
- Operator: Select an operator for matching the string.
- String: Enter the string to match.
- VLAN: Enter the VLAN to be assigned.
4. Click Next to configure security settings for the employee network. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 99.
In the CLI
To manually assign VLANs for WLAN SSID users:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# vlan <vlan-ID>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To enforce DHCP-based VLAN assignment:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# enforce-dhcp
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To create a new VLAN assignment rule:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {{contains|ends-with|equals|matches-regular-expression|not-equals|starts-with} <operand> <vlan>|value-of}
(Instant AP)(SSID Profile <name>)#
456. on from the Destination drop-down list.
11. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.
12. Click OK and then click Finish.
In the CLI
To configure a destination NAT access rule:
(Instant AP)(config)# wlan access-rule <access-rule>
(Instant AP)(Access Rule <access-rule>)# rule <dest> <mask> <match> <protocol> <sport> <eport> dst-nat ip <IP-address> <port>
(Instant AP)(Access Rule <access-rule>)# end
(Instant AP)# commit apply
Configuring ALG Protocols
You can enable or disable protocols for Application Layer Gateway (ALG) using the Instant UI or CLI.
In the Instant UI
To configure protocols for ALG:
1. Click the Security link at the top right corner of the Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed. The following figure shows the contents of the Firewall Settings tab.
Figure 52 Firewall Settings: ALG Protocols
3. Select Enabled from
457. on on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 97 and Configuring VLAN for a Wired Profile on page 114.
Table 39 Centralized DHCP Mode Configuration Parameters
Split tunnel: Set this to Enabled or Disabled for split tunnel functionality for the centralized L2 subnet. Enabling split tunnel allows a VPN user to access a public network and a local LAN or WAN network at the same time through the same physical network connection. For example, a user can use a remote access VPN software client connecting to a corporate network using a home wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers, and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (Web sites, FTP sites, and so on), the connection request goes directly out the gateway provided by the home network. The split DNS functionality intercepts DNS requests from clients for non-corporate domains (as configured in Enterprise Domains list) and forwards to AP's own DNS server. When split tunnel is disabled, all the traffic including the corporate and Internet traffic is tunneled irrespective of the routing profile specifications. If the GRE tunnel is down and when the corporate network is not reachable, the client traffic is
458. on or encryption settings do not match W-IAP's configuration.
- The W-IAP cannot allow this client to associate because it does not support the 802.11 rate requested by this client.
- The W-IAP has reached maximum capacity and cannot accommodate any more clients.
- The W-IAP cannot authenticate this client because the client's MAC address is not valid.
- The W-IAP is temporarily blocking the 802.1X authentication request from this client because the credentials provided are rejected by the RADIUS server too many times.
- The W-IAP cannot authenticate this client using 802.1X because the RADIUS server did not respond to the authentication request.
Corrective Actions
- Contact the Dell customer support team.
- Identify the client and check its Wi-Fi driver and manager software.
- Ascertain the correct authentication or encryption settings and try to associate again.
- Check the configuration on the W-IAP to see if the desired rate can be supported; if not, consider replacing the W-IAP with another model that can support the rate.
- Consider expanding capacity by installing additional W-IAPs or balance load by relocating W-IAPs.
- This condition may be indicative of a misbehaving client. Try to locate the client device and check its hardware and software.
- Identify the client and check its 802.1X credentials.
- If the W-IAP is using the internal RADIUS server, it is recommended that you check the related configuration as w
459. on page 200
Creating a User VLAN Role
You can create a user role for VLAN derivation using the Instant UI or CLI.
In the Instant UI
To configure a user role for VLAN derivation:
1. Click Security at the top right corner of the Instant main window.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.
5. Under the Access rules, click New.
6. Select the Rule type as VLAN assignment.
7. Enter the ID of the VLAN in the VLAN ID text box.
8. Click OK.
In the CLI
To create a VLAN role:
(Instant AP)(config)# wlan access-rule <rule-name>
(Instant AP)(Access Rule <rule-name>)# vlan 200
(Instant AP)(Access Rule <rule-name>)# end
(Instant AP)# commit apply
Assigning User VLAN Roles to a Network Profile
You can configure user VLAN roles for a network profile using the Instant UI or CLI.
In the Instant UI
To assign a user VLAN role:
1. Click Network > New > New WLAN > Access or Network > edit > Edit <WLAN-profile> > Access.
2. Ensure that the slider is at the Role-based option.
3. Click New under the New Role Assignment and configure the following parameters:
a. Select the attribute from the Attribute drop-down list.
b. Select the operator to match from the Operator drop-down list.
c. Enter the string to match in the String tex
460. onitor-pkt-send-freq <frequency>
(Instant AP)(config)# vpn monitor-pkt-lost-cnt <count>
(Instant AP)(config)# vpn reconnect-user-on-failover
(Instant AP)(config)# vpn reconnect-time-on-failover <down_time>
(Instant AP)(config)# end
(Instant AP)# commit apply
To view VPN configuration details:
(Instant AP)# show vpn config
Manually Configuring a GRE Tunnel
You can also manually configure a GRE tunnel by configuring the GRE tunnel parameters on the W-IAP and controller. This procedure describes the steps involved in the manual configuration of a GRE tunnel from Virtual Controller by using the Instant UI or CLI. During the manual GRE setup, you can either use the Virtual Controller IP or the W-IAP IP to create the GRE tunnel at the controller side, depending upon the following W-IAP settings:
- If a Virtual Controller IP is configured and if Per-AP tunnel is disabled, the Virtual Controller IP is used to create the GRE tunnel.
- If a Virtual Controller IP is not configured or if Per-AP tunnel is enabled, the W-IAP IP is used to create the GRE tunnel.
For information on the GRE tunnel configuration on controller, see ArubaOS User Guide.
In the Instant UI
1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed.
2. Select Manual GRE from the Protocol drop-down list.
3. Specify the following parameters. A sample configuration is shown in Figure 66.
a. Enter an IP address or
461. ons of the BID allocation process e Determines the IP addresses used in a branch for distributed L2 mode e Determines the subnet used in a branch for distributed L3 mode e Avoids IP address or subnet overlap that is avoids IP conflict e Ensures that a branch is allocated the same subnet or range of IP addresses irrespective of which AP in the branch becomes the master in the IAP cluster Branch Status Verification To view the details of the branch information connected to the controller execute the show iap table command Example This example shows the details of the branches connected to the controller host show lap table long IAP Branch Table Tokyo CB D3 16 6c 3 7f cc 42 8 DOWN 0 0 0 0 Paris CB D3 16 6c f3 7f cc 3d 04 UP 10 15 207 140 10 15 206 99 29 2 LA 6c f3 7f cc 42 25 UP 10 15 207 111 10 15 206 24 29 2 Munich d8 c7 c8 cb d3 16 DOWN 0 0 0 0 London c0 el 6c f3 7f c0 e1l b1 UP 10 15 207 120 10 15 206 64 29 2 Instant CB D3 6c f 3 7f cc 42 le DOWN 0 0 0 0 Delhi 6c f3 7f cc 42 ca DOWN 0 0 0 0 Singapore 6c f3 7f cc 42 cb UP 10 15 207 122 10 15 206 120 29 2 230 IAP VPN Deployment Dell Networking W Series Instant 6 4 0 2 4 1 User Guide Key Bid Subnet Name b3c65c b3c65c b3c65c 2 10 15 205 0 10 15 205 250 5 1 10 15 206 1 10 15 206 252 5 a2a65c 0 b3c65c 7 10 15 205 0 10 15 205 250 5 8 10 15 206 1 10 15 206 252 5 b3c65 BICI ace 1 10 15 205 0 10 15 205 250 5 2 10
462. onsole
5. In the apboot mode, use the following commands to disable the provisioning network:
apboot> factory_reset
apboot> setenv disable_prov_ssid 1
apboot> saveenv
apboot> reset
Logging in to the Instant UI
Launch a Web browser and enter instant.dell-pcw.com. In the login screen, enter the following credentials:
- Username: admin
- Password: admin
The following figure shows the Login screen:
Figure 1 Login Screen
When you use a provisioning Wi-Fi network to connect to the Internet, all browser requests are directed to the Instant UI. For example, if you enter example.com in the address field, you are directed to the Instant UI. You can change the default login credentials after the first login.
Regulatory Domains
The IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n operates in the 5.0 GHz spectrum. The spectrum is divided into channels. The 2.4 GHz spectrum is divided into 14 overlapping, staggered 20 MHz wireless carrier channels. These channels are spaced 5 MHz apart. The 5 GHz spectrum is divided into more channels. The channels that can be used in a particular country differ based on the regulations of that country. The initial Wi-Fi setup requires you to specify the country code fo
463. ools for private VLANs
- One downlink port configured on a private VLAN without authentication for connecting to slave APs.
Ensure that the downlink port configured in a private VLAN is not used for any wired client connection. Other downlink ports can be used for connecting to the wired clients.
The following figure illustrates a hierarchical deployment scenario:
Figure 39 Hierarchical Deployment
Chapter 10 Captive Portal for Guest Access
This chapter provides the following information:
- Understanding Captive Portal on page 120
- Configuring a WLAN SSID for Guest Access on page 121
- Configuring Wired Profile for Guest Access on page 125
- Configuring Internal Captive Portal for Guest Network on page 126
- Configuring External Captive Portal for a Guest Network on page 129
- Configuring External Captive Portal Authentication Using ClearPass Guest on page 132
- Configuring Guest Logon Role and Access Rules for Guest Users on page 133
- Configuring Captive Portal Roles for an SSID on page 135
- Configuring Walled Garden Access on page 138
- Disabling Captive Portal Authentication on page 138
Understanding Captive Portal
Instant supports the captive portal authentication method where a Web page is
464. or Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4. Enter an appropriate WEP key and reconfirm.
To terminate the EAP portion of 802.1X authentication on the W-IAP instead of the RADIUS server, set Termination to Enabled. Enabling Termination can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the W-IAP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the W-IAP acts as a relay for this exchange. When Termination is enabled, the W-IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server. It can also reduce the number of exchange packets between the W-IAP and authentication server.
NOTE: Instant supports the configuration of primary and backup authentication servers in an EAP termination enabled SSID.
NOTE: If you are using LDAP for authentication, ensure that AP termination is configured to support EAP.
Select any of the following options from the Authentication server 1 drop-down list:
- Select an authentication server from the list if external servers are already configured.
- Select New to configure any of the following servers as an external server
Security Level Type Applicable to Enterprise and Personal security levels only. For t
465. orce clients to use HTTPS to communicate with the captive portal server. Available only if RADIUS Authentication is selected.
- Captive Portal failure: This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access Internet when the external captive portal server is not available.
- Automatic URL Whitelisting: Select Enabled or Disabled to enable or disable automatic whitelisting of URLs. On selecting the checkbox for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically whitelisted. The automatic URL whitelisting is disabled by default.
- Auth Text: If the External Authentication splash page is selected, specify the authentication text that must be returned by the external server after successful authentication. Available only if Authentication Text is selected.
- Redirect URL: Specify a redirect URL if you want to redirect the users to another URL.
In the CLI
To configure an external Captive Portal profile:
(Instant AP)(config)# wlan external-captive-portal [profile-name]
(Instant AP)(External Captive Portal)# server <server>
(Instant AP)(External Captive Portal)# port <port>
(Instant AP)(External Captive Portal)# url <url
466.
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the W-IAP for which you want to monitor the client association. The W-IAP view is displayed.
3. Study the Memory free graph in the Overview pane. For example, the graph shows that the free memory of the W-IAP is 64 MB at 12:13 hours.
To check the number of clients associated with the W-IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the W-IAP for which you want to monitor the client association. The W-IAP view is displayed.
3. Study the Clients graph. For example, the graph shows that six clients are associated with the W-IAP at 12:11 hours.
To check the throughput of the selected W-IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the W-IAP for which you want to monitor the throughput. The W-IAP view is displayed.
3. Study the Throughput graph. For example, the graph shows 44.03 Kbps incoming traffic throughput at 12:08 hours.
The following table describes the RF trends graphs available in the client view:
Table 13 Client View: RF Trends Graphs and Monitoring Procedures
G
467.
(Instant AP)(DHCP Profile <profile-name>)# subnet <IP-address>
(Instant AP)(DHCP Profile <profile-name>)# subnet-mask <subnet-mask>
(Instant AP)(DHCP Profile <profile-name>)# exclude-address <IP-address>
(Instant AP)(DHCP Profile <profile-name>)# dns-server <name>
(Instant AP)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant AP)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant AP)(DHCP Profile <profile-name>)# option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
Configuring the Default DHCP Scope for Client IP Assignment
The DHCP server is a built-in server used for networks in which clients are assigned IP addresses by the Virtual Controller. You can customize the DHCP pool subnet and address range to provide simultaneous access to a larger number of clients. The largest address pool supported is 2048. The default size of the IP address pool is 512.
When the DHCP server is configured and the Client IP assignment parameter for an SSID profile is set to Virtual Controller Assigned, the Virtual Controller assigns the IP addresses to the WLAN or wired clients. By default, the W-IAP automatically determines a suitable DHCP pool for Virtual Controller Assigned netwo
468. ort 1813 key presharedkey xit D Dp p Gag th Server serverl D C th Server serverl th Server serverl Q O nfig wlan auth server server2 th Server serverl ip 10 2 2 2 th Server serverl port 1812 th Server serverl acctport 1813 key presharedkey D e oO O S PO O S OS O S D E D C SOPA A G 0 00 0 0 0 0 0 09 0 0 0 D E O th Server serverl Configure wired ports to operate in centralized L2 mode and associate VLAN 20 to the wired port profile ap config wired port profile wired port See Configuring Routing Profiles See Configuring Enterprise Domains See Configuring a Centralized DHCP Scope See Configuring an External Server for Authentication See Configuring a Wired Profile IAP VPN Deployment Scenarios 370 Table 75 W AP Configuration for Scenario Configuration Steps CLI Commands Ul Procedure and access rules and ap wired port profile wired por switchport and Wireless enable authentication mode access Network survivability ap wired port profile wired por allowed vlan Profiles all ap wired port profile wired port native vlan 20 ap wired port profile wired port no shutdown ap wired port profile wired port access rule name wired port ap wired port profile wired port type employee ap wired port profile wired port auth server serverl ap wired port profile wired
469. ort status for the W IAP AP Internal DHCP Status Displays details on DHCP allocation AP IP Interface Displays a summary of all P related information for Ethernet interfaces configured on the W IAP AP IP Route Table Displays information about IP routes for the W IAP AP L3 Mobility Datapath Display L3 mobility details AP L3 Mobility Events Log Displays a log with L3 client roaming details AP L3 Mobility Status Displays the status of L3 roaming clients AP LACP Status Displays the Link Aggregation Control Protocol LACP configuration status AP Log All Displays all logs for the W IAP AP Log AP Debug Displays logs with debugging information for the W IAP AP Log Conversion Displays image conversion details for the W IAP AP Log Driver Displays the status of drivers configured on the W IAP AP Log KerneHDisplays logs for AP s kernel AP Log Network Displays network logs for the W IAP AP Log PPPd Displays the Point to Point Protocol daemon PPPd network connection details AP Log Rapper Displays rapper information AP Log Sapd Displays SAPd logs AP Log Security Displays security logs of the W IAP AP Log System Displays system logs of the W IAP AP Log Tunnel Status Management Displays tunnel status AP Log Upgrade Displays image download and upgrade details for the W IAP AP Log User Debug Displays user debug logs of the W IAP AP Log User Displays user logs of the W IAP AP Log VP
470. ot equals starts with ends with of contains lt operator gt value of no set role set vlan lt attribute gt equals not equals starts no set vlan lt attribute gt equals with ends with contains lt operator gt lt VLAN ID gt not equals starts with ends with value of contains lt operator gt value of no set vlan auth server lt name gt no auth server lt name gt eC __ it Dell Networking W Series Instant 6 4 0 2 4 1 User Guide Setting up a W IAP 43 Chapter 4 Instant User Interface This chapter describes the following Instant Ul elements e Login Screen e Main Window Login Screen The Instant login page allows you to e Login to ihe Instant UI e View Instant Network Connectivity summary e View the Instant UI in a specific language Logging into the Instant UI To log in to the Instant UI enter the following credentials e Username admin e Password admin The Instant Ul main window is displayed Viewing Connectivity Summary The Login page also displays the connectivity status to the Instant network The users can view a summary that indicates the status of the Internet availability uplink cellular modem and signal strength VPN and W AirWave configuration details before logging in to the Instant UI The following figure shows the information displayed in the connectivity summary Figure 3 Connectivity Summary Internet Reachable Active uplink etho Cellular
471. ot hs profile hs1 Instant AP Hotspot2 0 hs1 advertisement profile angqp nai realm nrl Instant AP Hotspot2 0 hs1 advertisement profile anqp venue name vnl Instant AP Hotspot2 0 hs1 advertisement profile anqp nwk auth nal Instant AP Hotspot2 0 hs1l advertisement profile anqp roam cons rcl Instant AP Hotspot2 0 hs1 advertisement profile anqp 3gpp 331 Instant AP Hotspot2 0 hs1 advertisement profile angqp ip addr avail ipl Instant AP Hotspot2 0 hsl advertisement profile angqp domain name dnl Instant AP Hotspot2 0 hs1l advertisement profile h2qp oper name onl Dell Networking W Series Instant 6 4 0 2 4 1 User Guide Hotspot Profiles 350 Instant AP Hotspot2 0 hs1 advertisement profile h2qp wan metrics wml Instant AP Hotspot2 0 hs1 advertisement profile h2qp conn cap ccl Instant AP Hotspot2 0 hs1 advertisement profile h2qp oper class ocl Instant AP Hotspot2 0 hs1 exit Step 4 Associate the hotspot profile with WLAN SSID Instant AP configure terminal Instant AP wlan ssid profile ssidProfilel Instant AP SSID Profile ssidProfilel essid hsProf Instant AP SSID Profile ssidProfilel type employee Instant AP SSID Profile ssidProfilel vlan 200 Instant AP SSID Profile ssidProfilel opmode wpa2 aes Instant AP SSID Profile ssidProfilel blacklist Instant AP SSID
472. outing profile is defined to bypass certain IPs, you can add a route to the IP by defining 0.0.0.0 as the destination, thereby forcing the traffic to be routed through the default gateway of the W-IAP. You can configure routing profiles through More > VPN > Controller UI. For step-by-step procedural information on configuring routing profile, see Configuring Routing Profiles on page 221.
The W-IAP network has only one active tunnel even when fast failover is enabled. At any given time, traffic can be tunneled only to one VPN host.
Configuring DHCP Profiles
You can create DHCP profiles to determine the IAP VPN mode of operation. A W-IAP network can have multiple DHCP profiles configured for different modes of IAP VPN. You can configure up to eight DHCP profiles. For more information on the IAP VPN modes of operation, see IAP VPN Forwarding Modes on page 224.
You can create any of the following types of DHCP profiles for the IAP VPN operations:
- Local
- Local L3
- Distributed L2
- Distributed L3
- Centralized
For more information on configuring DHCP profiles, see Configuring DHCP Scopes on page 201.
A centralized L2 or distributed L2 VLAN or subnet cannot be used to serve APs in a hierarchical mode of deployment. Ensure that the physical IP of the APs connecting to the master AP in hierarchical mode of deployment is not on a VLAN or subnet that is in centralized or distributed L2 mode of operation. For information on hierarchical mode of
473. ow identification and dynamically updated cloud-based web categorization. To view the graphs, set the AppRF visibility option in the System window to Enabled. For more information on DPI ACLs and AppRF visibility, see the following topics
Enabling Application Visibility
Enabling AppRF visibility allows you to view the AppRF statistics for a W-IAP or the clients associated with a W-IAP. When visibility is enabled, the AppRF link appears on the dashboard area of the main window. On clicking this link, you can view the client traffic flow based on the enforcements. You can enable AppRF visibility through the Instant UI or CLI.
In the Instant UI
1. Navigate to System > General.
2. Select Enabled from the AppRF visibility drop-down.
3. Click OK.
In the CLI
To enable AppRF visibility:
(Instant AP)(config)# dpi
(Instant AP)(config)# end
(Instant AP)# commit apply
Application Visibility
The AppRF graphs are based on Deep Packet Inspection (DPI) application and Web Policy Enforcement service, which provides application traffic summary for the client devices associated with a W-IAP. The AppRF link above the activity panel of the dashboard is displayed only if AppRF visibility is enabled in the System window. The following figure provides a view of the AppRF dashboard:
Figure 71 AppRF Dashboard
474. ow is displayed.
Browse and select the file to upload.
Select any of the following types of certificates from the Certificate type drop-down list:
- CA: CA certificates validate the client's certificate.
- Auth Server: The authentication server certificate verifies the server's identity to the client.
- Captive portal server: Captive portal server certificate verifies internal captive portal server's identity to the client.
Select the certificate format from the Certificate format drop-down list.
If you have selected Auth Server or Captive portal server type, enter a passphrase in Passphrase and reconfirm. The default password is whatever. If the certificate does not include a passphrase, there is no passphrase required.
8. Click Browse and select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.
Loading Certificates through Instant CLI
To upload a certificate:
(Instant AP)# copy tftp <ip-address> <filename> {cpserver cert <password> format {p12|pem}|system {1xca [format {der|pem}]|1xcert <password> [format {p12|pem}]}}
Loading Certificates through W-AirWave
You can manage certificates using the W-AirWave. The AMP directly provisions the certificates and performs basic certificate verification (such as certificate type, format, ver
475. p devices and services
- Allows or blocks AirGroup services for all users.
- Allows or blocks AirGroup services based on user roles.
- Allows or blocks AirGroup services based on VLANs.
- Matches devices to their closest services such as printers.
AirGroup also enables context awareness for services across the network:
- AirGroup is aware of personal and shared devices. For example, an Apple TV in a dorm room can be associated with the student who owns it, or an Apple TV in a meeting room or a printer in a supply room that is available to certain users, such as the marketing department.
- AirGroup is aware of the location of services when CPPM support is enabled. For example, depending on proximity, a user would be presented with the closest printer instead of all the printers in the building.
- When configured, AirGroup enables a client to perform a location-based discovery. For example, when a client roams from one Instant cluster to another, it can discover devices available in the new cluster to which the client is currently connected.
The following figure shows an example of a higher education environment with shared, local, and personal services available to mobile devices:
Figure 88 AirGroup in a Higher Education Environment
476. page 157
- Users for Internal Server: Use this tab to populate the system's internal authentication server with users. This list is used by networks for which per-user authorization is specified using the Virtual Controller's internal authentication server. For more information about users, see Managing W-IAP Users on page 140.
- Roles: Use this tab to view the roles defined for all the Networks. The Access Rules part allows you to configure permissions for each role. For more information, see Configuring User Roles on page 190 and Configuring Access Rules for Network Services on page 177.
- Blacklisting: Use this tab to blacklist clients. For more information, see Blacklisting Clients on page 171.
- Firewall Settings: Use this tab to enable or disable Application Layer Gateway (ALG) supporting address and port translation for various protocols and to configure protection against wired attacks. For more information, see Configuring ALG Protocols on page 181 and Configuring Firewall Settings for Protection from ARP Attacks on page 181.
- Inbound Firewall: Use this tab to enhance the inbound firewall by allowing configuration of inbound firewall rules, management subnets, and restricted corporate access through an uplink switch. For more information, see Managing Inbound Traffic on page 183.
- Walled Garden: Use this window to allow or prevent access to a selected list of websites. For more information, see Configuring Walled Garden Access on p
477. played 5 Inthe New Rule window specify the following parameters The following figures show the parameters for Captive Portal role configuration Figure 40 Captive Portal Rule for Internal Acknowledged Splash Page New Rule Rule type Splash page type Captive portal Internal Splash Page Visuals Upload your own custom logo image Click thumbnail above to edit Preview Redirect URL Figure 41 Captive Portal Rule for External Captive portal profile New Rule Rule type Splash page type Captive portal profile Captive portal External m Select Profile w Table 27 New Access Rule Configuration Parameters Field Description Rule type Select Captive Portal from the drop down list Splash Page Select any of following attributes Type e Select Internal to configure a rule for internal captive portal authentication e Select External to configure a rule for external captive portal authentication If Internal is selected as splash page type perform the following steps e Under Splash Page Visuals use the editor to specify text and colors for the initial page that would be displayed to users connecting to the network The initial page asks for user credentials or email depending on the splash page type configured To change the color of the splash page click the Splash page rectangle and select the required color from the Background Color palette To change the welcome text click the f
478. ple configures access rules for the wireless network:
(Instant AP)(config)# wlan access-rule WirelessRule
(Instant AP)(Access Rule WirelessRule)# rule 192.0.2.2 255.255.255.0 match 6 4343 4343 log classify-media
(Instant AP)(Access Rule WirelessRule)# rule any any match app deny throttle-downstream 256 throttle-up 256
(Instant AP)(Access Rule WirelessRule)# rule any any match appcategory collaboration permit
(Instant AP)(Access Rule WirelessRule)# rule any any match webcategory gambling deny
(Instant AP)(Access Rule WirelessRule)# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation well-known-sites permit
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation safe-sites permit
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation benign-sites permit
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation high-risk-sites deny
(Instant AP)(Access Rule WirelessRule)# end
(Instant AP)# commit apply
Configuring Fast Roaming for Wireless Clients
Instant supports the following features that enable fast roaming of clients:
• Opportunistic Key Caching
• Fast BSS Transition (802.11r Roaming)
• Radio Resource Management
479. pstream router can be the gateway for the clients. For DHCP services in centralized L2 mode, it is recommended that you use an external DHCP server and not the DHCP server on the controller. Client traffic destined to datacenter resources is forwarded by the master W-IAP through the IPsec tunnel to the client's default gateway in the datacenter.
L3 Routing Mode
In this mode, the traffic destined for the corporate network is routed through the VPN tunnel to the controller. The traffic destined for the non-corporate network is translated using the IP address of the W-IAP and is forwarded through the uplink. When a W-IAP registers with the controller and is configured to use the L3 DHCP scope, the Controller adds a route to enable the routing of traffic from the corporate network to clients on this subnet in the branch.
Distributed L3 mode
The distributed L3 mode contains all broadcast and multicast traffic to a branch. The distributed L3 mode reduces the cost and eliminates the complexity associated with the classic site-to-site VPN. However, this mode is very similar to a classic site-to-site IPsec VPN where two VPN endpoints connect individual networks together over a public network. In distributed L3 mode, each branch location is assigned a dedicated subnet. The master AP in the branch manages the dedicated subnet and acts as the DHCP server and gateway for cl
480. ptive Portal Configuration Parameters
Parameter: Description
WISPr: Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication on page 170. NOTE: The WISPr authentication is applicable only for the External RADIUS Server and Internal Authenticated splash pages and is not applicable for wired profiles.
MAC authentication: Select Enabled if you want to enable MAC authentication. For information on MAC authentication, see Configuring MAC Authentication for a Network Profile on page 165.
Authentication server: To configure an authentication server, select any of the following options:
• If the server is already configured, select the server from the list.
• To create new external RADIUS server, select New. For more information, see Configuring an External Server for Authentication on page 157.
Reauth interval: Specify a value for the reauthentication interval at which the APs periodically reauthenticate all associated and authenticated clients.
Accounting mode: Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and
481. (Instant AP)# show uncommitted-config
rf dot11a-radio-profile
no legacy-mode
beacon-interval 200
no dot11h
interference-immunity 3
csa-count 1
no spectrum-monitor
(Instant Access Point)# commit apply
Using Sequence-Sensitive Commands
The Instant CLI does not support positioning or precedence of sequence-sensitive commands. Therefore, it is recommended that you remove the existing configuration before adding or modifying the configuration details for sequence-sensitive commands. You can either delete an existing profile or remove a specific configuration by using the no commands. The following table lists the sequence-sensitive commands and the corresponding no command to remove the configuration.
Table 8 Sequence-Sensitive Commands
Sequence-Sensitive Command | Corresponding no command
opendns <username> <password> | no opendns
rule <dest> <mask> <match> <protocol> <start-port> <end-port> permit deny src-nat dst-nat <IP-address> <port> <port> <option1 option9> | no rule <dest> <mask> <match> <protocol> <start-port> <end-port> permit deny src-nat dst-nat
mgmt-auth-server <auth-profile-name> | no mgmt-auth-server <auth-profile-name>
set-role <attribute> equals not-equals starts-with ends-with contains <operator> <role> value n | no set-role <attribute> equals
482. r Mesh Point on page 304
Mesh Network Overview
The Dell Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. As traffic traverses across mesh W-IAPs, the mesh network automatically reconfigures around broken or blocked paths. This self-healing feature provides increased reliability and redundancy and allows the network to continue operation even when a W-IAP stops functioning or if a connection fails.
Mesh W-IAPs
Mesh network requires at least one valid uplink (wired or 3G) connection. Any provisioned W-IAP that has a valid uplink (wired or 3G) functions as a mesh portal, and the W-IAP without an Ethernet link functions as a mesh point. The mesh portal can also act as a Virtual Controller. Mesh portals and mesh points are also known as mesh nodes, a generic term used to describe W-IAPs configured for mesh. If two W-IAPs have valid uplink connections, there is redundancy in the mesh network, and most mesh points try to mesh directly with one of the two portals. However, depending on the actual deployment and RF environment, some mesh points may mesh through other intermediate mesh points. In an Instant mesh network, the maximum hop count is two nodes (point > point > portal) and the maximum number of mesh points per mesh portal is eight. Mesh W-IAPs detect the environment when they boot up, locate and associate with their nearest neighbor to d
483. r a W-IAP on page 88
• Master Election and Virtual Controller on page 89
• Adding a W-IAP to the Network on page 91
• Removing a W-IAP from the Network on page 91
Modifying the W-IAP Hostname
You can change the hostname of a W-IAP through the Instant UI or CLI.
In the Instant UI
1. In the Access Points tab, click the W-IAP you want to rename. The edit link is displayed.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Edit the W-IAP name in Name. You can specify a name of up to 32 ASCII characters.
4. Click OK.
In the CLI
To change the name:
(Instant AP)# hostname <name>
Configuring Zone Settings on a W-IAP
All APs in a cluster use the same SSID configuration, including master and slave W-IAPs. However, if you want to assign an SSID to a specific W-IAP, you can configure zone settings for a W-IAP. The following constraints apply to the AP zone configuration:
• A W-IAP can belong to only one zone and only one zone can be configured on an SSID.
• If an SSID belongs to a zone, all W-IAPs in this zone can broadcast this SSID. If no W-IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
• If an SSID does not belong to any zone, all W-IAPs can broadcast this SSID.
You can add an AP zone through the UI or CLI. For the SSID to be assigned to a W-IAP, the same zone details must be configured on the SSID. For more information on SSID configuration, see Configuring WLAN
484. r of blacklisted clients.
Internal RADIUS Users: Displays the number of internal RADIUS users.
Internal Guest Users: Displays the number of internal guest users.
Internal User Open Slots: Displays the available slots for user configuration as supported by the W-IAP model.
Info section in Network view: The Info section in the Network view displays the following information:
• Name: Displays the name of the network.
• Status: Displays the status of the network.
• Type: Displays the type of network, for example, Employee, Guest, or Voice.
• IP Assignment: Indicates if the W-IAP clients are assigned IP address from the network that the Virtual Controller is connected to, or from an internal auto-generated IP scope from the Virtual Controller.
• Access: Indicates the level of access control configured for the network.
• WMM DSCP: Displays WMM DSCP mapping details.
• Security level: Indicates the type of user authentication and data encryption configured for the network.
The info section for WLAN SSIDs also indicates status of Captive Portal and CALEA ACLs and provides a link to upload certificates for internal server. For more information, see Uploading Certificates on page 173.
Info section in Access Point view: The Info section in the Access Point view displays the following information:
• Name: Displays the name of the selected W-IAP.
• IP Address: Displays the IP address of the W-IAP.
• Mode: Displays the mode in which the AP
485. r port <peer_udp_port>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# message-digest-type <digest_algo>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# secret-key <key>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# mtu <tunnel_MTU>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# end
(Instant AP)# commit apply
To configure an L2TPv3 session profile:
(Instant AP)(config)# l2tpv3 session <l2tpv3_session_profile>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# cookie len <len_of_cookie> value <cookie_val>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# l2tpv3 tunnel <l2tpv3_tunnel_name_to_associate>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# tunnel-ip <local_ip_addr_tunnel> mask <tunnel_mask> vlan <tunnel_mgmt_vlan>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# default-l2-specific-sublayer
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# l2tpv3 tunnel test_tunnel
(Instant AP)(L2TPv3 Tunnel Profile test_tunnel)# primary-peer-address 10.0.0.65
(Instant AP)(L2TPv3 Tunnel Profile test_tunnel)# backup-peer-address 10.0
486. r you can create a new DHCP scope by selecting New. For more information on DHCP scopes, see Configuring DHCP Scopes on page 201.
Network assigned: If the Network assigned is selected, you can specify any of the following options for the Client VLAN assignment:
• Default: On selecting this option, the client obtains the IP address in the same subnet as the W-IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
• Static: On selecting this option, you need to specify a single VLAN, a comma-separated list of VLANs, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
• Dynamic: On selecting this option, you can assign the VLANs dynamically from a Dynamic Host Configuration Protocol (DHCP) server. To create VLAN assignment rules, click New to assign the user to a VLAN. In the New VLAN Assignment Rule window, enter the following information:
  Attribute: Select an attribute returned by the RADIUS server during authentication.
  Operator: Select an operator for matching the string.
  String: Enter the string to match.
  VLAN: Enter the VLAN to be assigned.
9. Click Next to configure internal or external captive portal authentication, roles, and access rules for the guest users.
In the CLI
To configure WLAN settings for an SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)#
487. raffic. In these cases, the W-IAP has to use an ACL with the classify-media option enabled to identify the voice or video flow based on a deep packet inspection and analysis of the actual traffic. Instant identifies and prioritizes voice and video traffic from applications such as Microsoft Office Communications Server (OCS) and Apple Facetime.
Microsoft OCS
Microsoft Office Communications Server (OCS) uses Session Initiation Protocol (SIP) over TLS to establish, control, and terminate voice and video calls.
Apple Facetime
When an Apple device starts a Facetime video call, it initiates a TCP session to the Apple Facetime server over port 5223, then sends SIP signaling messages over a non-default port. When media traffic starts flowing, audio and video data are sent through that same port using RTP. The audio and video packets are interleaved in the air, though the individual sessions can be uniquely identified using their payload type and sequence numbers. The RTP header and payload also get encapsulated under the TURN ChannelData Messages. The Facetime call is terminated with a SIP BYE message that can be sent by either party.
The following table lists the ports used by Apple Facetime. Facetime users need to be assigned a role where traffic is allowed on these ports.
Table 52 Ports Used by the Apple Facetime Application
Port | Packet Type
488. raph Name / Description / Monitoring Procedure

Signal
Description: The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average signal statistics of the client for the last 15 minutes. To see the exact signal strength at a particular time, move the cursor over the graph line.
Monitoring procedure: To monitor the signal strength of the selected client for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the signal strength. The client view is displayed.
3. Study the Signal graph in the RF Trends pane. For example, the graph shows that signal strength for the client is 54.0 dB at 12:23 hours.

Frames
Monitoring procedure: To monitor the In and Out frame rate per second and retry frames for the In and Out traffic for the last 15 minutes.
Description: The Frames Graph shows the In and Out frame rate per second of the client for the last 15 minutes. It also shows data for the Retry In and Retry Out frames.
• Outgoing frames: Outgoing frame traffic is displayed in green. It is shown above the median line.
• Incoming frames: Incoming frame traffic is displayed in blue. It is shown below the median line.
• Retry Out: Retries for the outgoing frames are displayed above the median line in black.
• Ret
489. ration details received from W-AirWave.
VC AMP Single Sign-on Key: Displays single sign-on key details for W-AirWave.
VC Application Services: Displays the details of application services, which includes protocol number, port number.
VC DHCP Option 43 Received: Displays information about the current activities for the DHCP scope with Option 43.
VC Global Alerts: Displays the list of alerts for all W-IAPs managed by the Virtual Controller.
VC Global Statistics: Displays the flow information and signal strength of the Virtual Controller.
VC IDS AP List: Displays the list of W-IAPs monitored by the Virtual Controller.
VC IDS Client List: Displays the list of clients detected by IDS for the Virtual Controller.
VC Internal DHCP Server Configuration: Displays the configuration details of the internal DHCP server.
VC L2TPv3 config: Displays the L2TPv3 configuration status.
VC L2TPv3 tunnel status: Displays the L2TPv3 tunnel status.
VC L2TPv3 tunnel configuration: Displays the L2TPv3 tunnel configuration status.
VC L2TPv3 session status: Displays the L2TPv3 session configuration status.
VC L2TPv3 system wide global statistics: Displays the L2TPv3 system statistics.
VC Local User Database: Displays the list of users configured for the W-IAP.
VC OpenDNS Configuration and Status: Displays configuration details and status of the OpenDNS s
490. reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
Maximum Transmit Power: Specify the maximum transmission power. The value specified for Maximum Transmit Power indicates the maximum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. If the maximum transmission EIRP configured on an AP is not supported by the AP model, the value is reduced to the highest supported power setting. The default value for maximum transmit power is 127 dBm.
Client aware: When Enabled, ARM does not change channels for the APs with active clients, except for high-priority events such as radar or excessive noise. This feature must be enabled in most deployments for a stable WLAN. If the Client Aware mode is Disabled, the W-IAP may change to a more optimal channel, which may disrupt current client traffic for a while. The Client aware option is Enabled by default. NOTE: When Client aware is disabled, channels can be changed even when the clients are active on a BSSID.
Parameter: Description
Select Enabled so that the W-IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and reports to the W-IAP. This scanning report includes WLAN coverage, interference, and intrusion detection data. NOTE: For client match configuration, ensure that scanning is e
491. ress text box.
b. Enter the subnet mask of the network in the Netmask text box.
c. Enter the IP address of the default gateway in the Default gateway text box.
d. Enter the IP address of the DNS server in the DNS server text box.
e. Enter the domain name in the Domain name text box.
4. Click OK and reboot the W-IAP.
In the CLI
To configure a static IP address:
(Instant AP)# ip-address <IP-address> <subnet-mask> <NextHop-IP> <DNS-IP-address> <domain-name>
Configuring External Antenna
If your W-IAP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's Equivalent Isotropically Radiated Power (EIRP) is in compliance with the limit specified by the regulatory authority of the country in which the W-IAP is deployed. You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain. To know if your AP device supports external antenna connectors, see the Install Guide that is shipped along with the AP device.
EIRP and Antenna Gain
The following formula can be used to calculate the EIRP limit related RF power based on selected antennas (antenna gain) and feeder (Coaxial Cable loss):
EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)
The following table describes this formula:
Table 16 For
492. Figure 80 Web Categories Chart: AP View
Web Reputation Charts
The web reputation chart displays details about the client traffic to the URLs that are assigned a security score. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views:
Figure 81 Web Reputation Chart: Client View
Figure 82 Web Reputation List: Client View
Figure 83 Web Reputation Chart: AP View
Configuring Access Rules for Application and Application Categories
This section describes the procedure for configuring access rules based on application and application categories. The Application and Application rules utilize the on-board DPI engine. For in
493. ri, user2, user3, or blank for all users.
Shared Roles: List the user roles that will be able to use this device. Use a comma-separated list (e.g. role1, role2, role3) or blank for all roles.
Register Shared Device
For this test, add your AppleTV device name and MAC address but leave all other fields empty.
9. Click Register Shared Device.
Testing
To verify the setup:
1. Disconnect your AppleTV and OSX Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller's user table using these commands:
• Find the MAC address: show user-table
• Delete the address from the table: aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices. To limit access to the AppleTV, access the ClearPass Guest UI using either the AirGroup admin or the AirGroup operator credentials. Next, navigate to List Devices > Test Apple TV > Edit. Add a username that is not used to log in to the Apple devices in the Shared With field.
3. Disconnect and remove the OSX Mountain Lion/iOS 6 device from the controller's user table. Reconnect the device by not using the username that you added to the Shared With field. The AppleTV should not be available to this device.
4. Disconnect the OSX Mountain Lion/iOS 6 device and delete it from the controller's user table. Reconnect using the username that was adde
494. ringement of copyright on behalf of those vendors.
0511581 01 June 2014
Dell Networking W-Series Instant 6.4.0.2-4.1 User Guide
Contents
Intended Audience 28
Related Documents 28
Conventions 28
Contacting Dell 29
Supported Devices 30
Instant UI 31
Instant CLI 31
What is New in Instant 6.4.0.2-4.1 33
Setting Up a W-IAP 35
Setting up Instant Network 35
Connecting a W-IAP 35
Assigning an IP address to the W-IAP 35
Assigning a Static IP 36
Connecting to a Provisioning Wi-Fi Network 36
W-IAP Cluster 36
Disabling the Provisioning Wi-Fi Network 37
Logging in to the Instant UI 37
Regulatory Domains 38
Specifying Country Code 41
Acce
495. rks.
NOTE: In the current release, the W-IAP typically selects the 172.31.98.0/23 subnet. If the IP address of the W-IAP is within the 172.31.98.0/23 subnet, the W-IAP selects the 10.254.98.0/23 subnet. However, this mechanism does not guarantee that it would avoid all possible conflicts with the wired network. If your wired network uses either 172.31.98.0/23 or 10.254.98.0/23 and you experience problems with the Virtual Controller Assigned networks after upgrading to Dell Networking W-Series Instant 6.2.1.0-3.4 or later, manually configure the DHCP pool by following the steps described in this section.
You can configure a domain name, DNS server, and DHCP server for client IP assignment using the Instant UI or CLI.
In the Instant UI
1. Navigate to More > DHCP Server tab. The DHCP Server tab contents are displayed.
Figure 63 DHCP Servers Window
Enter the domain name of the client in the Domain name text box.
Enter the IP addresses of the DNS servers, separated by a comma, in the DNS server(s) text box.
496. rnet Availability 294
Switching Uplinks Based on VPN Status 294
Switching Uplinks Based on Internet Availability 294
In the Instant UI 294
In the CLI 295
Viewing Uplink Status and Configuration 295
Intrusion Detection 296
Detecting and Classifying Rogue APs 296
Configuring Wireless Intrusion Protection and Detection Levels 297
Containment Methods 301
Configuring IDS Using CLI 301
Mesh W-IAP Configuration 303
Mesh Network Overview 303
Mesh W-IAPs 303
Mesh Portals 303
Mesh Points 304
Setting up Instant Mesh Network 304
Configuring Wired Bridging on Ethernet 0 for Mesh Point 304
Mobility and Client Management 306
Layer-3 Mobility Overview 306
Configuring L3 Mob
497. rofile to define the identify the operator.
To configure an H2QP operator friendly name profile:
(Instant AP)(config)# hotspot h2qp-oper-name-profile <name>
(Instant AP)(operator-friendly-name <name>)# op-fr-name <op-fr-name>
(Instant AP)(operator-friendly-name <name>)# op-lang-code <op-lang-code>
(Instant AP)(operator-friendly-name <name>)# enable
(Instant AP)(operator-friendly-name <name>)# end
(Instant AP)# commit apply
Configuring a Connection Capability Profile
You can configure a Connection Capability profile to define information such as the hotspot IP protocols and associated port numbers that are available for communication.
To configure an H2QP connection capability profile:
(Instant AP)(config)# hotspot h2qp-conn-cap-profile
(Instant AP)(connection-capabilities <name>)# esp-port
(Instant AP)(connection-capabilities <name>)# icmp
(Instant AP)(connection-capabilities <name>)# tcp-ftp
(Instant AP)(connection-capabilities <name>)# tcp-http
(Instant AP)(connection-capabilities <name>)# tcp-pptp-vpn
(Instant AP)(connection-capabilities <name>)# tcp-ssh
(Instant AP)(connection-capabilities <name>)# tcp-tls-vpn
(Instant AP)(connection-capabilities <name>)# tcp-voip
(Instant AP)(connection-capabilities <name>)# udp-ike2
(Instant AP)(connection-capabilities <name>)# udp-ipsec-vpn
(Instant AP)
498. rom the incoming and outgoing voice communication. For more information on WMM traffic and DSCP mapping, see Wi-Fi Multimedia Traffic Management on page 251.
Content filtering: Select Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network.
Band: Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.
Inactivity timeout: Specify an interval for session timeout in seconds, minutes, or hours. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. You can specify a value within the range of 60-86400 seconds or up to 24 hours for a client session. The default value is 1000 seconds.
Hide SSID: Select this checkbox if you do not want the SSID (network name) to be visible to users.
Disable SSID: Select this checkbox if you want to disable the SSID. On selecting this, the SSID will be disabled, but will not be removed from the network. By default, all SSIDs are enabled.
Can be used without Uplink: Select the checkbox if you do not want the SSID profile to use uplink.
Max clients threshold: Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0 to 255. The default value is 64.
Local probe request: Specify a threshold value to limit the number of incoming probe requests. When
499. r the country in which the Instant operates. This configuration sets the regulatory domain for the radio frequencies that the W-IAPs use. Within the regulated transmission spectrum, a high-throughput 802.11ac, 802.11a, 802.11b/g, or 802.11n radio setting can be configured. The available 20 MHz, 40 MHz, or 80 MHz channels are dependent on the specified country code. You cannot change the country code for the W-IAPs in the restricted regulatory domains such as US or Japan for most of the W-IAP models. Improper country code assignments can disrupt wireless transmissions. Most countries impose penalties and sanctions on operators of wireless networks with devices set to improper country codes.
Country Code
The following table provides a list of supported country codes.
Table 7 Country Codes List
Code | Country Name
Country Name: Serbia and Montenegro, Cyprus (CY), Czech Republic, Germany, Denmark, Dominican Republic, Algeria, Ecuador, Estonia, Egypt, Spain, Finland, France, United Kingdom, Greece, Guatemala, Hong Kong, Honduras, Indonesia, Ireland, India, Iceland, Italy, Jamaica, Jordan, Japan, Kenya, Republic of Korea (South Korea), Kuwait, Lebanon, Liechtenstein, Sri Lanka, Lithuania, Luxembourg, N
500. rver in the Virtual Controller controls a scope that is a subset of the complete IP Address range for the subnet distributed across all the branches. This DHCP Assignment mode is used with the L2 forwarding mode.
• Distributed L3: In this mode, the Virtual Controller acts as the DHCP server and the default gateway. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the Virtual Controller is configured with a unique subnet and a corresponding scope.
You can configure distributed DHCP scopes such as Distributed L2 or Distributed L3 by using the Instant UI or CLI.
In the Instant UI
To configure distributed DHCP scopes such as Distributed L2 or Distributed L3:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2. To configure a distributed DHCP mode, click New under Distributed DHCP Scopes. The New DHCP Scope window is displayed. The following figure shows the contents of the New DHCP Scope window.
Figure 62 New DHCP Scope: Distributed DHCP Mode
3. Based on the type of distributed DHCP scope, configure the following parameters:
Table 38 Distrib
501. rver type server vlan ip range 10 dns server domain name client count 200 Distributed L3 profile with VLAN 40 ap config ip ap DHCP profile Distributed L3 ap DHCP profile ap DHCP profile 10 40 255 255 ap DHCP profile L0w LL 50 L10 LL ap DHCP profile corpdomain com ap DHCP profile dhcp 13 dhcp 13 dhcp 13 dhcp 13 dhcp 13 dhcp 30 13 dhcp 13 dhcp Local profile with VLAN 20 Dell Networking W Series Instant 6 4 0 2 4 1 User Guide server type server vlan ip range 10 dns server domain name client count 200 IAP VPN Deployment Scenarios 365 Table 74 W IAP Configuration for Scenario 3 IPSec Multiple Datacenter Deployment Configuration Steps CLI Commands Ul Procedure config ip dhcp local DHCP profil local server type Local DHCP profil local server vlan 20 DHCP profil local subnet 172 16 20 1 DHCP profil local subnet mask 593295110 DHCP profil 1 1 lease time 86400 DHCP profile 1 1 dns server 30710 Lo L 30 DHCP profile 1 1 domain name arubanetworks com NOTE The IP range configuration on each branch will be the same Each W IAP will derive a smaller subnet based on the client count scope using the Branch ID BID allocated by controller 5 Create authentication config wlan auth server serverl See servers for user th Server serverl ip 10 2 2 1 Configuring an authenti
502. rwarded on its respective VLAN but not across different VLANs. Broadcast and multicast traffic are usually filtered out from a wireless LAN network to preserve the airtime and battery life. This inhibits the performance of AirGroup services that rely on multicast traffic. Dell addresses this challenge with AirGroup technology. The distributed AirGroup architecture allows each W-IAP to handle mDNS and DLNA queries and responses individually instead of overloading a Virtual Controller with these tasks. This results in a scalable AirGroup solution. The AirGroup solution supports both wired and wireless devices. An AirGroup device can be registered by an administrator or a guest user.
1. The AirGroup administrator gives an end user the AirGroup operator role, which authorizes the user to register the client devices on the CPPM platform.
2. W-IAPs maintain information for all AirGroup services. W-IAP queries CPPM to map each device's access privileges to the available services and responds to the query made by a device based on contextual data such as user role, username, and location.
The following figure illustrates how AirGroup enables personal sharing of Apple devices:
Figure 85 AirGroup Enables Personal Device Sharing
503. ry In: Retries for the incoming frames are displayed below the median line in red. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the In, Out, Retries In, and Retries Out frames. To see the exact frames at a particular time, move the cursor over the graph line.
The Speed graph shows the data transfer speed for the client. Data transfer is measured in Mbps. To see an enlarged view, click the graph. The enlarged view shows Last, Minimum, Maximum, and Average statistics of the client for the last 15 minutes. To see the exact speed at a particular time, move the cursor over the graph line.
Throughput: The Throughput Graph shows the throughput of the selected client for the last 15 minutes.
• Outgoing traffic: Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
• Incoming traffic: Throughput for
Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view. In the Clients tab, click the IP address of the client for which you want to monitor the frames. The client view is displayed. Study the Frames graph in the RF Trends pane. For example, the graph shows 4.0 frames per second for the client at 12:27 hours.
To monitor the speed for the client for the last 15 minutes: Log in to the Instant UI. The Virtual Controller view is display
504. s Instant now allows you to configure a TACACS Server as the authentication server to support authentication and accounting privileges for management users. TACACS server allows a remote access server to communicate with an authentication server to determine if the user has access to the network. In Instant, the users can create several TACACS server profiles, out of which one or two of the servers can be specified to authenticate management users. TACACS supports the following types of authentication for management users in Instant:
• ASCII
• PAP
• CHAP
• ARAP
• MSCHAP
The TACACS server cannot be attributed to any SSID or wired profile in general as the authentication server and is configured only for management users. You can also enable TACACS accounting when the TACACS server is used for authentication.
Configuring a TACACS Server Profile for Management User Authentication
To configure a TACACS authentication server:
In the Instant UI
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A window for configuring server details for the new server is displayed. The following figure shows the parameters to configure for a new authentication server configuration:
Figure 42 New Authentication Server Window
505. s and roam between networks without additional authentication. The Hotspot 2.0 provides the following services:
• Network discovery and selection: Allows the clients to discover suitable and available networks by advertising the access network type, roaming consortium, and venue information through the management frames. For network discovery and selection, Generic Advertisement Service (GAS) and Access Network Query Protocol (ANQP) are used.
• QoS Mapping: Provides a mapping between the network-layer QoS packet marking and over-the-air QoS frame marking based on user priority.
When a hotspot is configured in a network:
• The clients search for available hotspots using the beacon management frame.
• When a hotspot is found, the client sends queries to obtain information about the type of network authentication and IP address, and IP address availability, using the Generic Advertisement Service (GAS) action frames.
• Based on the response of the advertisement server (response to the GAS Action Frames), the relevant hotspot is selected and the client attempts to associate with it.
• Based on the authentication mode used for mobility clients, the client authenticates to access the network.
Generic Advertisement Service (GAS)
GAS is a request-response protocol, which provides L2 transport mechanism between a wireless client and a server in the network prior to authentication. It helps in determining an 802.11 infrastructure before associatin
506. s country code details for the W-IAP.
AP CPU Details: Displays detailed information about memory utilization and CPU load for system processes.
AP CPU Utilization: Displays utilization of CPU for the W-IAP.
AP Crash Info: Displays crash log information (if it exists) for the W-IAP. The stored information is cleared from the flash after the AP reboots.
AP Current Time: Displays the current time configured on the W-IAP.
AP Current Timezone: Displays the current time zone configured on the W-IAP.
AP Datapath ACL Table Allocation: Displays ACL table allocation details for the W-IAP.
AP Datapath ACL Tables: Displays the list of ACL rules configured for the SSID and Ethernet port profiles.
AP Datapath Bridge Table: Displays bridge table entry statistics including MAC address, VLAN, assigned VLAN, Destination, and flag information for the W-IAP.
AP Datapath DMO Session: Displays details of a DMO session.
AP Datapath Dns Id Map: Displays the mapping details for the DNS ID.
AP Datapath DPI Session Table and AP Datapath DPI Session Table Verbose: Display the datapath session table entries.
AP Datapath Multicast Table: Displays multicast table statistics for the W-IAP.
AP Datapath Nat Pool: Displays NAT pool details configured in the datapath.
AP Datapath Route Table: Displays route table statistics for the W-IAP.
AP Datapath Session Table: Displays the datapath session table statistics for the W-IAP.
AP Datapath Statistics: Display
507. s on a W-IAP to enable communication with a controller in a remote location:
• Configuring an IPSec Tunnel on page 210
• Enabling Automatic Configuration of GRE Tunnel on page 212
• Manually Configuring a GRE Tunnel on page 214
• Configuring an L2TPv3 Tunnel on page 215
Configuring an IPSec Tunnel
An IPSec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPSec tunnel to the controller secures corporate data. You can configure an IPSec tunnel from the Virtual Controller using the Instant UI or CLI.
In the Instant UI
To configure a tunnel using the IPSec protocol:
1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed.
2. Select Aruba IPSec from the Protocol drop-down list.
3. Enter the IP address or fully qualified domain name (FQDN) for the primary VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you specify the primary and backup host details, the other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in Figure 64.
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional.
b. I
508. s such as iPad and iPhone, W-IAP assigns Apple OS devices to the role that you choose.
Table 37 Validated DHCP Fingerprint (columns: Device, DHCP Option, DHCP Fingerprint)
Windows Mobile: 3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone: 370103060f2c2e2f
Apple Mac OSX: 370103060f775ffc2c2e2f
Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client. When creating more than one role assignment rule, the first matching rule in the rule list is applied.
NOTE: You can create role assignment rules by using the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard or Wired settings window:
• To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
• To configure access rules for a wired profile, go to More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab.
3. Under Role Assignment Rules, click New. The New Role Assignment window allows you to define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
4. Select the attribute that the rule matches against from the Attribute drop-down list. The list
509. s the hardware packet statistics for the W-IAP.
AP Datapath User Table: Displays datapath user statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users, and maximum link length for the W-IAP.
AP Datapath VLAN Table: Displays the VLAN table information such as VLAN memberships inside the datapath including L2 tunnels for the W-IAP.
AP Daylight Saving Time: Displays the Daylight Saving Time configured on the W-IAP.
AP Derivation Rules: Displays the role and VLAN derivation rules configured on a W-IAP.
AP DPI Debug statistics: Displays DPI statistics that can be used for debugging DPI issues.
AP Driver Configuration: Displays driver configuration details of the W-IAP.
AP Election and AP Election Statistics: Display the master election statistics.
AP Environment Variable: Displays information about the type of antenna used by the W-IAP.
AP ESSID Table: Displays the SSID profiles configured on the W-IAP.
AP Flash Configuration: Displays statistics of the W-IAP configuration stored in flash memory.
AP IGMP Group Table: Displays IGMP group information.
AP IAP-VPN Retry Counters: Displays IAP-VPN tunnel details.
AP Interface Counters: Displays information about the Ethernet interface packet counters for the W-IAP.
AP Interface Status: Displays the Ethernet p
510. s to which you want to allow or deny access.
Application category: Select any of the following application categories to which you want to allow or deny access:
• antivirus
• authentication
• cloud file storage
• collaboration
• encrypted
• enterprise apps
• gaming
• im file transfer
• instant messaging
• mail protocols
• mobile app store
• network service
• peer to peer
• social networking
• standard
• streaming
• thin client
• tunneling
• unified communications
• web
• Webmail
Application Throttling: Application throttling allows you to set a bandwidth limit for an application, application category, web category, or for sites based on their web reputation. For example, you can limit the bandwidth rate for video streaming applications such as Youtube or Netflix, or assign a low bandwidth to high-risk sites. If your W-IAP model does not support configuring access rules based on application or application category, you can create a rule based on web category or website reputation and assign bandwidth rates. To specify a bandwidth limit:
Table 49 Access Rule Configuration Parameters
1. Select the Application Throttling checkbox.
2. Specify the downstream and upstream rates in Kbps.
Select any of following actions:
• Select Allow to allow access users ba
511. security parameters for an employee network by using the Instant UI or CLI.
In the Instant UI
To configure security parameters for an employee network:
1. Configure the following parameters in the Security tab:
• MAC authentication: To enable MAC authentication, select Enabled. The MAC authentication is disabled by default.
• 802.1X authentication: To enable 802.1X authentication, select Enabled.
• MAC authentication fail-thru: To enable authentication fail-thru, select Enabled. When this feature is enabled, 802.1X authentication is attempted when MAC authentication fails. The MAC authentication fail-thru checkbox is displayed only when both MAC authentication and 802.1X authentication are Enabled.
• Select any of the following options for Authentication server 1:
  New: On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring an External Server for Authentication on page 157 and Authentication and User Management on page 140.
  Internal server: If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see Managing W-IAP Users on page 140.
• Reauth interval: Specify the interval at which all associated and authenticated clients must be reauthenticated.
• Load balancing: Set this to Enabled if you
512. sed on the access rule.
• Select Deny to deny access to users based on the access rule.
• Select Destination-NAT to allow changes to destination IP address.
• Select Source-NAT to allow changes to the source IP address.
The destination-nat and source-nat actions apply only to the network services rules.
Destination: Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements:
• to all destinations: Access is allowed or denied to all destinations.
• to a particular server: Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
• except to a particular server: Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
• to a network: Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
• except to a network: Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
• to domain name: Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
• to master IP: Access is allowe
513. ser Guide
(Instant AP)(SSID Profile <name>)# zone <zone>
(Instant AP)(SSID Profile <name>)# bandwidth-limit <limit>
(Instant AP)(SSID Profile <name>)# per-user-bandwidth-limit <limit>
(Instant AP)(SSID Profile <name>)# air-time-limit <limit>
(Instant AP)(SSID Profile <name>)# wmm-background-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-background-share <share>
(Instant AP)(SSID Profile <name>)# wmm-best-effort-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-best-effort-share <share>
(Instant AP)(SSID Profile <name>)# wmm-video-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-video-share <share>
(Instant AP)(SSID Profile <name>)# wmm-voice-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-voice-share <share>
(Instant AP)(SSID Profile <name>)# rf-band {<2.4>|<5.0>|<all>}
(Instant AP)(SSID Profile <name>)# content-filtering
(Instant AP)(SSID Profile <name>)# hide-ssid
(Instant AP)(SSID Profile <name>)# inactivity-timeout <interval>
(Instant AP)(SSID Profile <name>)# work-without-uplink
(Instant AP)(SSID Profile <name>)# local-probe-req-thresh <threshold>
(Instant AP)(SSID Profile <name>)# max-clients-threshold <number-of-clients>
(Instant AP)(SSID Profile <
514. sername and password or based on their MAC addresses. The following authentication methods are supported in Instant:
• 802.1X authentication
• MAC authentication
• MAC authentication with 802.1X authentication
• Captive Portal Authentication
• MAC authentication with Captive Portal authentication
• 802.1X authentication with Captive Portal Role
• WISPr authentication
802.1X authentication
802.1X is an IEEE standard that provides an authentication framework for WLANs. 802.1X uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. For more information on EAP authentication framework supported by the W-IAP, see Supported EAP Authentication Frameworks on page 148.
802.1X authentication method allows a W-IAP to authenticate the identity of a user before providing network access to the user. The Remote Authentication Dial In User Service (RADIUS) protocol provides centralized authentication, authorization, and accounting management. For authentication purpose, the wireless client can associate to a network access server (NAS) or RADIUS client such as a wireless W-IAP. The wireless client can pass data traffic only after su
515. server name1>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring MAC and 802.1X Authentication for Wired Profiles
You can configure MAC and 802.1X authentication for a wired profile in the Instant UI or CLI.
In the Instant UI
To enable MAC and 802.1X authentication for a wired profile:
1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network, or select an existing profile for which you want to enable MAC authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. In the Security tab, enable the following options:
• Select Enabled from the MAC authentication drop-down list.
• Select Enabled from the 802.1X authentication drop-down list.
• Select Enabled from the MAC authentication fail-thru drop-down list.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 115.
6. Click Nex
516. ses only. The corresponding integer value for this network type is 14.
wildcard: This network indicates a wildcard network. The corresponding integer value for this network type is 15.
addtl-roam-cons-ois: Specify the number of additional roaming consortium Organization Identifiers (OIs) advertised by the AP. You can specify up to three additional OIs.
asra: Enable the Additional Steps Required for Access (asra) to indicate if additional steps are required for authentication. When enabled, the following information is sent to the client in response to an ANQP query. For ASRA, ensure that the network authentication type is associated.
comeback-mode: Enable this parameter to allow the client to obtain a GAS Request and Response as a Comeback-Request and Comeback-Response. By default, this comeback mode is disabled.
gas-comeback-delay: Specify a GAS come back delay interval in milliseconds to allow the client to retrieve the query response using a comeback request action frame when the GAS response is delayed. You can specify a value within the range of 100-2000 milliseconds and the default value is 500 milliseconds.
group-frame-block: Enable this parameter if you want to stop the AP from sending forward downstream group-addressed frames.
hessid: Specify a Homogenous Extended Service Set Identifier (HESSID) in a hexadecimal format separated by colons.
internet: Specify this parameter to allow the W-IAP to send an Information Element (IE) indicat
517. sion, serial number, and so on, before accepting the certificate and uploading to a W-IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the Virtual Controller. After the VC receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS server.
To load a certificate in W-AirWave:
1. Navigate to Device Setup > Certificate and then click Add to add a new certificate. The Certificate window is displayed.
2. Enter the certificate Name, and click Choose File to browse and upload the certificate.
Figure 49 Loading Certificate via W-AirWave
3. Select the appropriate Format that matches the certificate file name. Select Server Cert for certificate Type, and provide the passphrase if you want to upload a Server certificate. Select either Intermediate CA or Trusted CA certificate Type, if you want to upload a CA certificate.
Figure 50 Server Certificate
518. sis while monitoring channels for rogue APs in the background.
Monitor: In this mode, the AP acts as a dedicated Air Monitor (AM), scanning all channels for rogue APs and clients.
Spectrum: When enabled, the AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference from neighboring APs or non-Wi-Fi devices such as microwaves and cordless phones. When Spectrum is enabled, the AP does not provide access services to clients.
• Clients: Number of clients that are currently associated to the W-IAP.
• Type: Model number of the W-IAP.
• Zone: AP zone.
• Channel: Channel on which the W-IAP is currently broadcast.
• Power (dB): Maximum transmission EIRP of the radio.
• Utilization: Percentage of time that the channel is utilized.
• Noise (dBm): Noise floor of the channel.
An edit link is displayed on clicking the W-IAP name. For details about editing W-IAP settings, see Customizing W-IAP Settings on page 84.
Clients Tab
This tab displays a list of clients that are connected to the Instant network. The client names are displayed as links. The expanded view displays the following information about each client:
• Name: User name of the client or guest users if available.
• IP Address: IP address of the client.
• MAC Address: MAC address of the client.
• OS: Operating system that runs on the cl
519. ss to the W-IAP CLI, see Configuring Terminal Access on page 80.
Connecting to a CLI Session
On connecting to a CLI session, the system displays its host name followed by the login prompt. Use the administrator credentials to start a CLI session. For example:
(Instant AP) User: admin
If the login is successful, the privileged command mode is enabled and a command prompt is displayed. For example:
(Instant AP)#
The privileged mode provides access to show, clear, ping, traceroute, and commit commands. The configuration commands are available in config mode. To move from privileged mode to the configuration mode, enter the following command at the command prompt:
(Instant AP)# configure terminal
The configure terminal command allows you to enter the basic configuration mode and the command prompt is displayed as follows:
(Instant AP)(config)#
The Instant CLI allows CLI scripting in several other sub-command modes to allow the users to configure individual interfaces, SSIDs, access rules, and security settings. You can use the question mark (?) to view the commands available in a privileged mode, configuration mode, or sub-mode. Although automatic completion is supported for some commands such as configure terminal, the complete exit and end commands must be entered at command prompt.
Applying Configuration Changes
Each command processed by th
521. stant AP)(config)# hotspot anqp-venue-name-profile vn1
(Instant AP)(venue-name "vn1")# venue-group business
(Instant AP)(venue-name "vn1")# venue-type research-and-dev-facility
(Instant AP)(venue-name "vn1")# venue-lang-code eng
(Instant AP)(venue-name "vn1")# venue-name VenueNam
(Instant AP)(venue-name "vn1")# exit
(Instant AP)(config)# hotspot anqp-nwk-auth-profile na1
(Instant AP)(network-auth "na1")# nwk-auth-type accept-term-and-cond
(Instant AP)(network-auth "na1")# url www.nwkauth.com
(Instant AP)(network-auth "na1")# exit
(Instant AP)(config)# hotspot anqp-roam-cons-profile rc1
(Instant AP)(roaming-consortium "rc1")# roam-cons-oi-len 3
(Instant AP)(roaming-consortium "rc1")# roam-cons-oi 888888
(Instant AP)(roaming-consortium "rc1")# exit
(Instant AP)(config)# hotspot anqp-3gpp-profile 3g
(Instant AP)(3gpp "3g")# 3gpp-plmn1 40486
(Instant AP)(3gpp "3g")# exit
(Instant AP)(config)# hotspot anqp-ip-addr-avail-profile ip1
(Instant AP)(IP-addr-avail "ip1")# no ipv4-addr-avail
(Instant AP)(IP-addr-avail "ip1")# ipv6-addr-avail
(Instant AP)(IP-addr-avail "ip1")# exit
(Instant AP)(config)# hotspot anqp-domain-name-profile dn1
(Instant AP)(domain-name "dn1")# domain-name DomainName
(Instant AP)(domain-name "dn1")# exit
(Instant AP)(config)# hotspot h2qp-oper-name-profile on1
(Instant AP)(operator-friendly-name "on1")
522. sting denies connection to the blacklisted clients. When a client is blacklisted, it is not allowed to associate with a W-IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force client disconnection. This section describes the following procedures:
• Blacklisting Clients Manually on page 171
• Blacklisting Users Dynamically on page 172
Blacklisting Clients Manually
Manual blacklisting adds the MAC address of a client to the blacklist. These clients are added into a permanent blacklist. These clients are not allowed to connect to the network unless they are removed from the blacklist.
Adding a Client to the Blacklist
You can add a client to the blacklist manually using the Instant UI or CLI.
In the Instant UI
1. Click the Security link from the top right corner of the Instant main window.
2. Click the Blacklisting tab.
3. Under the Manual Blacklisting, click New.
4. Enter the MAC address of the client to be blacklisted in the MAC address to add text box.
5. Click OK. The Blacklisted Since tab displays the time at which the current blacklisting has started for the client.
To delete a client from the manual blacklist, select the MAC Address of the client under the Manual Blacklisting, and then click Delete.
In the CLI
To blacklist a client:
(Instant AP)(config)# blacklist-client <MAC-Address>
(Instant AP)(config)# end
(Instant AP)# commit apply
To
523. sting the captive portal service. It supports the following types of authentication:
• Internal Authenticated: When Internal Authenticated is enabled, a guest user must authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
• Internal Acknowledged: When Internal Acknowledged is enabled, a guest user must accept the terms and conditions to access the Internet.
• External captive portal: For external captive portal authentication, an external portal on the cloud or on a server outside the enterprise network is used.
Walled Garden
The administrators can also control the resources that the guest users can access and the amount of bandwidth or air time they can use at any given time. When an external captive portal is used, the administrators can configure a walled garden, which determines access to the URLs requested by the guest users. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents. The users who do not sign up for the Internet service can view only the allowed websites (typically hotel property websites). The administrators can allow or block access to specific URLs by creating a whitelist and blacklist. When the users a
524. stops when the client is disconnected.
Blacklisting: If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures.
Max authentication failures: If you are configuring a wireless network profile and the Blacklisting is enabled, specify a maximum number of authentication failures after which users who fail to authenticate must be dynamically blacklisted.
Table 26 External Captive Portal Configuration Parameters
Walled garden: Click the link to open the Walled Garden window. The walled garden configuration determines access to the websites. For more information, see Configuring Walled Garden Access on page 138.
Disable if uplink type is: Select the type of the uplink to exclude.
Encryption: Select Enabled to configure encryption settings and specify the encryption parameters.
5. Click Next to continue and then click Finish to apply the changes.
In the CLI
To configure security settings for guest users of the WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# essid <ESSID-name>
(Instant AP)(SSID Profile <name>)# type <Guest>
(Instant AP)(SSID Profile <name>)# captive
525. strength of the non-Wi-Fi device that has the highest signal strength dBm
SNIR (db): The ratio of signal strength to the combined levels of interference and noise on that channel. This value is calculated by determining the maximum noise floor and interference signal levels, and then calculating how strong the desired signal is above this maximum.
Channel Metrics
The channel metrics graph displays channel quality, availability, and utilization metrics as seen by a spectrum monitor or hybrid AP. You can view the channel utilization data for the percentage of each channel that is currently being used by Wi-Fi devices, and the percentage of each channel being used by non-Wi-Fi devices and 802.11 adjacent channel interference (ACI). This chart shows the channel availability, the percentage of each channel that is available for use, or the current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands. While spectrum monitors can display data for all channels in their selected band, hybrid APs display data for their one monitored channel only.
To view this graph, click 2.4 GHz in the Spectrum section of the dashboard.
Figure 118: Channel Metrics for the 2.4 GHz Radio Channel [panel title: Spectrum 2.4 GHz, Channel Utilization and Quality]
To view this graph, click 5 GHz in the Spectrum section of the dashboard.
Figure 119: Channel Metrics for the 5 GHz R
526. supports the IEEE 802.11ac standard for high-performance WLAN. To support maximum traffic, port aggregation is required, as it increases throughput and enhances reliability. To support port aggregation, Instant supports Link Aggregation Control Protocol (LACP) based on the IEEE 802.3ad standard. The 802.3ad standard for Ethernet aggregation uses LACP as a method to manage link configuration and balance traffic among aggregated ports. LACP provides a standardized means for exchanging information with partner systems to form a dynamic link aggregation group. The LACP feature is automatically enabled when the W-IAP boots, and it dynamically detects whether the AP is connected to a partner system with LACP capability by checking if there is any LACP Protocol Data Unit (PDU) received on either the eth0 or eth1 port.
If the switch in the cluster has the LACP capability, you can combine eth0 and eth1 interfaces into the link aggregation group to form a single logical interface (port-channel). Port-channels can be used to provide additional bandwidth or link redundancy between two devices. W-IAP220 Series supports link aggregation using either standard port-channel (configuration based) or Link Aggregation Control Protocol (protocol signaling based). W-IAP220 Series can optionally be deployed with LACP configuration to benefit from the higher (greater than 1 Gbps) aggregate throughput capabilities of the two radios. The LACP feature is supported only on W-IAP220 Series. There is
527. t option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
To configure Distributed,L3 DHCP scope:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# ip dhcp server-type <Distributed,L3>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# client-count <number>
(Instant AP)(DHCP Profile <profile-name>)# dns-server <name>
(Instant AP)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant AP)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant AP)(DHCP Profile <profile-name>)# ip-range <start-IP> <end-IP>
(Instant AP)(DHCP Profile <profile-name>)# reserve {first|last} <count>
(Instant AP)(DHCP Profile <profile-name>)# option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
Configuring a Centralized DHCP Scope
You can configure centralized L2 and centralized L3 DHCP profiles. When a centralized DHCP scope is configured:
- The Virtual Controller does not assign an IP address to the client and the DHCP traffic is directly forwarded to the DHCP S
528. t end
The following example configures access rules for the wireless network:
Ins Ins tan tan classif Ins thro Ins Ins Ins tan ttl tan tan tan permit Ins tan permit Ins Ins Ins deny Ins deny Ins Ins tan tan tan tan tan tan Gor CT 6 Te CT 0 GE CP ict CP rt AP config wlan access rule WirelessRul AP Access Rule WirelessRule rule 192 0 2 2 255 media AP Access Rule WirelessRule rule any any match p 256 AP Access Rule WirelessRule rule any any match AP Access Rule WirelessRule rule any any match AP Access Rule WirelessRule rule any any match AP Access Rule WirelessRule rule any any match AP Access Rule WirelessRule rule any any match AP Access Rule WirelessRule rule any any match AP Access Rule WirelessRule rule any any match AP Access Rule WirelessRule rule any any match AP Access Rule WirelessRule nd AP commit apply
Configuring Captive Portal Roles for an SSID
You can configure an access rule to enforce captive portal authentication for SSIDs with 802.1X authentication enabled. You can configure rules to provide access to an external captive portal, internal captive portal, so that some of the clients using this SSID can derive the captive portal role.
255 255 0 match 6 4343 4343 log app deny throttle downstream
529. t With each DHCP address assignment mode, various client traffic forwarding modes are associated. For more information on client traffic forwarding modes for IAP-VPN, see IAP-VPN Forwarding Modes on page 224.
You can configure the default DHCP scope for virtual controller assigned networks, Distributed L2, Distributed L3, Local or NAT DHCP, Local L3, and Centralized DHCP scopes through the Instant UI or CLI.
This section describes the following procedures:
- Configuring the Default DHCP Scope for Client IP Assignment on page 208
- Configuring Distributed DHCP Scopes on page 201
- Configuring a Centralized DHCP Scope on page 204
- Configuring Local and Local L3 DHCP Scopes on page 206
Configuring Distributed DHCP Scopes
Instant allows you to configure the DHCP address assignment for the branches connected to the corporate network through VPN. You can configure the range of DHCP IP addresses used in the branches and the number of client addresses allowed per branch. You can also specify the IP addresses that must be excluded from those assigned to clients, so that they are assigned statically.
Instant supports the following distributed DHCP scopes:
- Distributed L2: In this mode, the Virtual Controller acts as the DHCP server, but the default gateway is in the data center. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP se
530. The following table describes the graphs displayed in the Access Point view:
Table 12: Access Point View, Usage Trends and Monitoring Procedures
Neighboring APs
Description: The Neighboring APs graph shows the number of APs heard by the selected W-IAP:
- Valid APs: An AP that is part of the enterprise providing WLAN service.
- Interfering APs: An AP that is seen in the RF environment but is not connected to the network.
- Rogue APs: An unauthorized AP that is plugged into the wired side of the network.
To see the number of different types of neighboring APs for the last 15 minutes, move the cursor over the respective graph lines.
CPU Utilization
Description: The CPU Utilization graph displays the utilization of CPU for the selected W-IAP. To see the CPU utilization of the W-IAP, move the cursor over the graph line.
Neighboring Clients
Description: The Neighboring Clients graph shows the number of clients not connected to the selected AP, but heard by it.
- Any client that successfully authenticates with a valid AP and passes encrypted traffic is classified as a valid client.
- Interfering: A client associated to any AP and is not valid is classified as an interfering client.
To see the number of different types of neighboring clients for the last 15 minutes, move the cursor over the respective graph lines.
Monitoring Procedure: To check the neigh
531. t AP calea end
(Instant AP)(config)# wlan access-rule ProfileCalea
(Instant AP)(Access Rule ProfileCalea)# calea
(Instant AP)(Access Rule ProfileCalea)# end
(Instant AP)# commit apply
(Instant AP)(config)# wlan ssid-profile Calea-Test
(Instant AP)(SSID Profile Calea-Test)# enable
(Instant AP)(SSID Profile Calea-Test)# index 0
(Instant AP)(SSID Profile Calea-Test)# type employee
(Instant AP)(SSID Profile Calea-Test)# ssid QA-Calea-Test
(Instant AP)(SSID Profile Calea-Test)# opmode wpa2-aes
(Instant AP)(SSID Profile Calea-Test)# max-authentication-failures 0
(Instant AP)(SSID Profile Calea-Test)# auth-server server1
(Instant AP)(SSID Profile Calea-Test)# set-role Filter-Id equals 123456 calea-test
(Instant AP)(SSID Profile Calea-Test)# rf-band 5.0
(Instant AP)(SSID Profile Calea-Test)# captive-portal disable
(Instant AP)(SSID Profile Calea-Test)# dtim-period 1
(Instant AP)(SSID Profile Calea-Test)# inactivity-timeout 1000
(Instant AP)(SSID Profile Calea-Test)# broadcast-filter none
(Instant AP)(SSID Profile Calea-Test)# dmo-channel-utilization-threshold 90
(Instant AP)(SSID Profile Calea-Test)# local-probe-req-thresh 0
(Instant AP)(SSID Profile Calea-Test)# max-clients-threshold 64
(Instant AP)(SSID Profile Calea-Test)# end
(Instant AP)(SSID Profile Calea-Test)# commit apply
To
532. t AP)(config)# ale-server <server-name | IP-address>
(Instant AP)(config)# ale-report-interval <seconds>
(Instant AP)(config)# end
(Instant AP)# commit apply
Verifying ALE Configuration on a W-IAP
To view the configuration details:
(Instant AP)# show ale config
To verify the configuration status:
(Instant AP)# show ale status
Configuring OpenDNS Credentials
When configured, the OpenDNS credentials are used by Instant to access OpenDNS to provide enterprise-level content filtering. You can configure OpenDNS credentials using the Instant UI or CLI.
In the Instant UI
To configure OpenDNS credentials:
1. Click More > Services > OpenDNS. The OpenDNS tab contents are displayed.
2. Enter the Username and Password to enable access to OpenDNS.
3. Click OK to apply the changes.
In the CLI
To configure OpenDNS credentials:
(Instant AP)(config)# opendns <username> <password>
(Instant AP)(config)# end
(Instant AP)# commit apply
Integrating a W-IAP with Palo Alto Networks Firewall
Palo Alto Networks (PAN) next-generation firewall offers contextual security for all users for safe enabling of applications. A simple firewall beyond basic IP address or TCP port numbers only provides a subset of the enhanced security required for enterprises to secure their networks. In the context of businesses using social networking sit
533. t Messenger application on Apple devices uses this service.
- ChromeCast: ChromeCast service allows you to use a ChromeCast device to play audio or video content on a high-definition television by streaming content through Wi-Fi from the Internet or local network.
- DLNA Media: Applications such as Windows Media Player use this service to browse and play media content on a remote device.
- DLNA Print: This service is used by printers that support DLNA.
In the Instant 6.4.0.2-4.1 release, it is recommended to have a maximum of up to 80 AirGroup servers in the network.
For more information on configuring AirGroup services, see Configuring AirGroup and AirGroup Services on a W-IAP on page 261.
AirGroup Components
AirGroup leverages key elements of the Dell solution portfolio, including operating system software for Instant, CPPM, and the VLAN-based or role-based filtering options offered by the AirGroup services. The components that make up the AirGroup solution include the Instant, CPPM, and ClearPass Guest. The version requirements are described in the following table:
Table 53: Instant, CPPM, and ClearPass Guest Requirements
Columns: Component, Minimum Version for mDNS Services, Minimum Version for DLNA Services
ClearPass Guest Services plugin 6.2.0
Starting from ClearPass version 6.0, the ClearPass Guest and the AirGroup Services plug-in are integrated int
534. t box.
d. Select the role to be assigned from the Role text box.
The following figure shows an example for the VLAN role assignment:
Figure 61: User VLAN Role Assignment
4. Click OK.
In the CLI
To assign VLAN role to a WLAN profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals <operator> <role> | not-equals <operator> <role> | starts-with <operator> <role> | ends-with <operator> <role> | contains <operator> <role>} | value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Chapter 13: DHCP Configuration
This chapter provides the following information:
- Configuring DHCP Scopes on page 201
- Configuring the Default DHCP Scope for Client IP Assignment on page 208
Configuring DHCP Scopes
The virtual controller supports different modes of DHCP address assignmen
535. t is the duration for the test packet timeout. You can specify a value within the range of 0-3600 seconds, and the default value is 10 seconds.
c. Click OK.
NOTE: When Internet failover is enabled, the W-IAP ignores the VPN status, although uplink switching based on VPN status is enabled.
In the CLI
To enable uplink switching based on VPN status:
(Instant AP)(config)# uplink
(Instant AP)(uplink)# failover-vpn-timeout <seconds>
(Instant AP)(uplink)# end
(Instant AP)# commit apply
To enable uplink switching based on Internet availability:
(Instant AP)(config)# uplink
(Instant AP)(uplink)# failover-internet
(Instant AP)(uplink)# failover-internet-pkt-lost-cnt <count>
(Instant AP)(uplink)# failover-internet-pkt-send-freq <frequency>
(Instant AP)(uplink)# end
(Instant AP)# commit apply
Viewing Uplink Status and Configuration
To view the uplink status and configuration in the CLI:
(Instant Access Point)# show uplink status
Uplink preemption enable
Uplink enforce none
Ethernet uplink bond0 DHCP
Uplink Table
eth0 UP 0 Yes
Wifi-sta LOAD 6 No
3G/4G INIT 7 No
Internet failover disable
Max allowed test packet loss 10
Secs between test packets 30
VPN failover timeout (secs) 180
ICMP pkt sent 0
ICMP pkt lost 0
Continuous pkt lost 0
VPN down time 0
(Instant Access Point)# show uplink config
Uplink preemption enable
Uplin
536. t-malformed-assoc-req
(Instant AP)(IDS)# detect-malformed-frame-auth
(Instant AP)(IDS)# detect-overflow-ie
(Instant AP)(IDS)# detect-overflow-eapol-key
(Instant AP)(IDS)# detect-beacon-wrong-channel
(Instant AP)(IDS)# detect-invalid-mac-oui
(Instant AP)(IDS)# detect-valid-clientmisassociation
(Instant AP)(IDS)# detect-disconnect-sta
(Instant AP)(IDS)# detect-omerta-attack
(Instant AP)(IDS)# detect-fatajack
(Instant AP)(IDS)# detect-block-ack-attack
(Instant AP)(IDS)# detect-hotspotter-attack
(Instant AP)(IDS)# detect-unencrypted-valid
(Instant AP)(IDS)# detect-power-save-dos-attack
(Instant AP)(IDS)# detect-eap-rate-anomaly
(Instant AP)(IDS)# detect-rate-anomalies
(Instant AP)(IDS)# detect-chopchop-attack
(Instant AP)(IDS)# detect-tkip-replay-attack
(Instant AP)(IDS)# signature-airjack
(Instant AP)(IDS)# signature-asleap
(Instant AP)(IDS)# protect-ssid
(Instant AP)(IDS)# rogue-containment
(Instant AP)(IDS)# protect-adhoc-network
(Instant AP)(IDS)# protect-ap-impersonation
(Instant AP)(IDS)# protect-valid-sta
(Instant AP)(IDS)# protect-windows-bridge
(Instant AP)(IDS)# end
(Instant AP)# commit apply
Chapter 23: Mesh W-IAP Configuration
This chapter provides the following information:
- Mesh Network Overview on page 303
- Setting up Instant Mesh Network on page 304
- Configuring Wired Bridging on Ethernet 0 fo
537. t sends authentication credentials to the NAS.
3. The NAS sends these credentials to a RADIUS server.
4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its database. The RADIUS server sends an Access-Accept message to the NAS. If the RADIUS server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The NAS forwards this message to the client, and the client must re-authenticate with appropriate credentials.
5. After the client is authenticated, the RADIUS server forwards the encryption key to the NAS. The encryption key is used for encrypting or decrypting traffic sent to and from the client.
NOTE: The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS.
Configuring 802.1X Authentication for a Wireless Network Profile
You can configure 802.1X authentication for a wireless network profile in the Instant UI or CLI.
In the Instant UI
To enable 802.1X authentication for a wireless network:
1. In the Network tab, click New to create a new network profile, or select an existing profile for which you want to enable 802.1X authentication and click edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLA
538. t to a network: Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
to domain name: Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
Select this checkbox if you want a log entry to be created when this rule is triggered. Instant supports firewall-based logging function. Firewall logs on the W-IAPs are generated as security logs.
Blacklist: Select the Blacklist checkbox to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 171.
Classify media: Select the Classify media checkbox to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
- Video: Priority 5 (Critical)
- Voice: Priority 6 (Internetwork Control)
Disable scanning: Select the Disable scanning checkbox to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for a W-IAP on page 238.
DSCP tag: Select the DSCP tag checkbox to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value wit
539. t to define access rules, and then click Finish to apply the changes.
In the CLI
To enable MAC and 802.1X authentication for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type {<employee> | <guest>}
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# dot1x
(Instant AP)(wired ap profile <name>)# l2-auth-failthrough
(Instant AP)(wired ap profile <name>)# auth-server <name>
(Instant AP)(wired ap profile <name>)# server-load-balancing
(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring MAC Authentication with Captive Portal Authentication
This authentication method has the following features:
- If the captive portal splash page type is Internal Authenticated or External RADIUS Server, MAC authentication reuses the server configurations.
- If the captive portal splash page type is Internal Acknowledged or External Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
- If the captive portal splash page type is none, MAC authentication is disabled.
- MAC authentication onl
540. (Instant AP)(config)# hotspot hs-profile <name>
(Instant AP)(Hotspot2.0 <name>)# asra
(Instant AP)(Hotspot2.0 <name>)# access-network-type <type>
(Instant AP)(Hotspot2.0 <name>)# addtl-roam-cons-ois <roam-consortium-OIs>
(Instant AP)(Hotspot2.0 <name>)# comeback-mode
(Instant AP)(Hotspot2.0 <name>)# gas-comeback <delay-interval>
(Instant AP)(Hotspot2.0 <name>)# group-frame-block
(Instant AP)(Hotspot2.0 <name>)# hessid <hotspot-essid>
(Instant AP)(Hotspot2.0 <name>)# internet
(Instant AP)(Hotspot2.0 <name>)# p2p-cross-connect
(Instant AP)(Hotspot2.0 <name>)# p2p-dev-mgmt
(Instant AP)(Hotspot2.0 <name>)# pame-bi
(Instant AP)(Hotspot2.0 <name>)# query-response-length-limit <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-len-1 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-len-2 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-len-3 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-oi-1 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-oi-2 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-oi-3 <integer>
(Instant AP)(Hotspot2.0 <name>)# venue-group <group>
(Instant AP)(Hotspot2.0 <name>)# venue-type <type>
(Instant AP)(Hotspot2.0 <name>)# enable
(Instant AP)(Hotspot2.0 <name>)# end
(Instant AP)# commit apply
The hotspot profile configuration parameters are described in the following table:
Table 69: Hotspot Configuration Parameters (Parameter: Description)
ac
541. tal splash page type is Internal Acknowledged or External Authentication Text and MAC authentication is enabled, a server configuration page is displayed. If the captive portal splash page type is none, MAC authentication is disabled. You can configure the mac-auth-only role when MAC authentication is enabled with captive portal authentication. For more information on configuring a W-IAP to use MAC and Captive Portal authentication, see Configuring MAC Authentication with Captive Portal Authentication on page 169.
802.1X authentication with Captive Portal Role: This authentication mechanism allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to external or internal captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Configuring Captive Portal Roles for an SSID on page 135.
WISPr authentication: Wireless Internet Service Provider roaming (WISPr) authentication allows a smart client to authenticate on the network when they roam between wireless Internet service providers, even if the wireless hotspot uses an Internet Service Provider (ISP) with whom the client may not have an account. If a hotspot is configured to use WISPr authenticat
542. tant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Configuring Access Rules for a WLAN SSID Profile
This section describes the procedure for configuring security settings for employee and voice network only. For information on guest network configuration, see Captive Portal for Guest Access.
NOTE: If you are creating a new SSID profile, complete the WLAN Settings and configure VLAN and security parameters before defining access rules. For more information, see Configuring WLAN Settings for an SSID Profile on page 93, Configuring VLAN Settings for a WLAN SSID Profile on page 97, and Configuring Security Settings for a WLAN SSID Profile on page 99.
You can configure up to 128 access rules for an employee, voice, or guest network using the Instant UI or CLI.
In the Instant UI
To configure access rules for an employee or voice network:
1. In the Access Rules tab, set the slider to any of the following types of access control:
- Unrestricted: Select this to set unrestricted access to the network.
- Network-based: Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This
543. tches in multiple AP deployments, as client traffic from slave to master is tagged with the client VLAN.
Datacenter Configuration
For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 227.
The following GRE configuration is required on the controller:
(host)(config)# interface tunnel <Number>
(host)(config-tunnel)# description <Description>
(host)(config-tunnel)# tunnel mode gre <ID>
(host)(config-tunnel)# tunnel source <controller-IP>
(host)(config-tunnel)# tunnel destination <AP-IP>
(host)(config-tunnel)# trusted
(host)(config-tunnel)# tunnel vlan <allowed-VLAN>
Terminology
Acronyms and Abbreviations
The following table lists the abbreviations used in this document.
Table 76: List of abbreviations (Abbreviation: Expansion)
EAP-TTLS: Extensible Authentication Protocol - Tunneled Transport Layer Security
W-IAP: Instant Access Point
IDS: Intrusion Detection System
IEEE: Institute of Electrical and Electronics Engineers
PEAP: Protected Extensible Authen
544. ted as the Virtual Controller. When a W-IAP without 3G/4G card is elected as the Virtual Controller but is up for less than 5 minutes, another W-IAP with 3G/4G card in the network is elected as the Virtual Controller to replace it, and the previous Virtual Controller reboots. When a W-IAP without 3G/4G card is already elected as the Virtual Controller and is up for more than 5 minutes, the Virtual Controller will not be replaced until it goes down.
NOTE: W-IAP 135 is preferred over W-IAP 105 when a Virtual Controller is elected.
Preference to a W-IAP with Non-Default IP
The Master Election Protocol prefers a W-IAP with non-default IP when electing a Virtual Controller for the Instant network during initial startup. If there is more than one W-IAP with non-default IPs in the network, all W-IAPs with default IP will automatically reboot and the DHCP process is used to assign new IP addresses.
Viewing Master Election Details
To verify the status of a W-IAP and master election details, use the following commands:
(Instant AP)# show election statistics
(Instant AP)# show summary support
Manual Provisioning of Master W-IAP
In most cases, the master election process automatically determines the best W-IAP that can perform the role of Virtual Controller, which will apply its image and configuration to all other W-IAPs in the same AP management VLAN
545. tents of the Users for Internal Server tab.
Figure 44: Adding a User
3. Enter the username in the Username text box.
4. Enter the password in the Password text box and reconfirm.
5. Select a type of network from the Type drop-down list.
6. Click Add and click OK. The users are listed in the Users list.
7. To edit user settings:
a. Select the user to modify under Users.
b. Click Edit to modify user settings.
c. Click OK.
8. To delete a user:
a. In the Users section, select the username to delete.
b. Click Delete.
c. Click OK.
9. To delete all or multiple users at a time:
a. Select the usernames that you want to delete.
b. Click Delete All.
c. Click OK.
NOTE: Deleting a user only removes the user record from the user database, and will not disconnect the online user associated with the username.
In the CLI
To configure an employee user:
(Instant AP)(config)# user <username> <password> radius
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure a guest user:
(Instant AP)(config)# user <username> <password> portal
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring the Read Only
546. the Configuring a Wired Profile on page 112.
Chapter 24: Mobility and Client Management
This chapter provides the following information:
- Layer-3 Mobility Overview on page 306
- Configuring L3-Mobility on page 307
Layer-3 Mobility Overview
W-IAPs form a single Instant network when they are in the same Layer-2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client must be allowed to roam away from the Instant network to which it first connected (home network) to another network supporting the same WLAN access parameters (foreign network) and continue its existing sessions.
Layer-3 (L3) mobility allows a client to roam without losing its IP address and sessions. If WLAN access parameters are the same across these networks, clients connected to W-IAPs in a given Instant network can roam to APs in a foreign Instant network and continue their existing sessions. Clients roaming across these networks are able to continue using their IP addresses after roaming. You can configure a list of Virtual Controller IP addresses across which L3 mobility is supported.
The Dell Networking W-Series Instant Layer-3 mobility solution defines a Mobility Domain as a set of Instant networks, with the same WLAN access parameters, across which client roaming is supported. Th
547. the FQDN for the main VPN/GRE endpoint.
b. Enter a value for the GRE type parameter.
c. Select Enabled or Disabled from the Per-AP tunnel drop-down list. The administrator can enable this option to create a GRE tunnel from each W-IAP to the VPN/GRE Endpoint rather than the tunnels created just from the master W-IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the W-IAP itself and need not be forwarded through the master W-IAP.
NOTE: By default, the Per-AP tunnel option is disabled.
Figure 66: Manual GRE Configuration
4. Click Next to continue.
When the GRE tunnel configuration is completed on both the W-IAP and Controller, the packets sent from and received by a W-IAP are encapsulated, but not encrypted.
In the CLI
To configure a manual GRE VPN tunnel:
(Instant AP)(config)# gre primary <name>
(Instant AP)(config)# gre type <type>
(Instant AP)(config)# gre per-ap-tunnel
(Instant AP)(config)# end
(Instant AP)# commit apply
To view VPN configuration details:
(Instant Access Point)# show vpn config
To configure GRE tunnel on the controller:
(host)(config)# interface tunnel <Number>
(host)(config-tunnel)# description <Description>
(host)(config-tunnel)# tunn
548. the SSID is not broadcast.
- If an SSID does not belong to any zone, all W-IAPs can broadcast this SSID.
Under Bandwidth Limits:
- Airtime: Select this checkbox to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
- Each radio: Select this checkbox to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients.
- Downstream and Upstream: Specify the downstream and upstream rates within a range of 1 to 65535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user checkbox.
Table 19: WLAN Configuration Parameters (Parameter: Description)
Wi-Fi Multimedia (WMM) traffic management: Configure the following options for WMM traffic management. WMM supports voice, video, best effort, and background access categories. To allocate bandwidth for the following types of traffic, specify a percentage value under Share. To configure DSCP mapping, specify a value under DSCP Mapping.
- Background WMM: For background traffic such as file downloads or print jobs.
- Best effort WMM: For best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS.
- Video WMM: For video traffic generated from video streaming.
- Voice WMM: For voice traffic generated f
549. the Virtual Controller, and if the new W-IAP belongs to a different class, the image file for the new W-IAP is provided by the cloud server.
Configuring HTTP Proxy on a W-IAP
If your network requires a proxy server for Internet access, you must first configure the HTTP proxy on the W-IAP to download the image from the cloud server. After you set up the HTTP proxy settings, the W-IAP connects to the Activate server, W-AirWave Management platform, or OpenDNS server through a secure HTTP connection. You can also exempt certain applications from using the HTTP proxy configured on a W-IAP by providing their hostname or IP address under exceptions.
In the Instant UI
Perform these steps to configure the HTTP proxy settings:
1. Navigate to System > Proxy. The proxy configuration window is displayed.
Figure 120: Proxy Configuration Window
2. Enter the HTTP proxy server's IP address and the port number.
3. If you do not want the HTTP proxy to be applied for a particular host, click New to enter the IP address or domain name of that host under the exceptions list.
In the CLI
(Instant AP)(config)# proxy server 192.0.2.1 8080
(Instant AP)(config)# proxy exception 192.0.2.2
(Instant AP)(config)# end
(Instant AP)# commit apply
Upgrading a W-IAP Using Automatic Image Check
You
550. the W-IAPs at a remote location. The W-IAPs power on without any wired uplink connection and function as mesh points, and the W-IAPs with valid uplink connections function as the mesh portal.
Instant does not support the topology in which the W-IAPs are connected to the downlink Ethernet port of a mesh point.
Configuring Wired Bridging on Ethernet 0 for Mesh Point
Instant supports wired bridging on the Ethernet 0 port of a W-IAP. If the W-IAP is configured to function as a mesh point, you can configure wired bridging. Enabling wired bridging on this port of a W-IAP makes the port available as a downlink wired bridge and allows client access through the port. When using 3G uplink, the wired port will be used as downlink. You can configure support for wired bridging on the Ethernet 0 port of a W-IAP using the Instant UI or CLI.
In the Instant UI
To configure Ethernet bridging:
1. In the Access Points tab, click the W-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Click the Uplink tab.
4. Select Enable from the Eth0 Bridging drop-down list.
5. Click OK.
6. Reboot the W-IAP.
In the CLI
To configure Ethernet bridging:
(Instant Access Point)# enet0-bridging
Make the necessary changes to the wired profile when eth0 is used as the downlink port. For more information see
551. the corresponding drop-down lists to enable SIP, VOCERA, Alcatel NOE, and Cisco skinny protocols.
4. Click OK.
When the protocols for ALG are set to Disabled, the changes do not take effect until the existing user sessions have expired. Reboot the W-IAP and the client, or wait a few minutes for the changes to take effect.
In the CLI
To configure protocols for ALG:
(Instant AP)(config)# alg
(Instant AP)(ALG)# sccp-disable
(Instant AP)(ALG)# no sip-disable
(Instant AP)(ALG)# no ua-disable
(Instant AP)(ALG)# no vocera-disable
(Instant AP)(ALG)# end
(Instant AP)# commit apply
To view the ALG configuration:
(Instant AP)# show alg
Current ALG
sccp Disabled
sip Enabled
ua Enabled
vocera Enabled
Configuring Firewall Settings for Protection from ARP Attacks
You can configure firewall settings to protect the network against attacks using the Instant UI or CLI.
In the Instant UI
To configure firewall settings:
1. Click the Security link at the top right corner of the Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
3. To configure protection against security attacks, select the following checkboxes:
• Select Drop bad ARP to enable the W-IAP to drop the fake ARP packets.
• Select Fix malformed DHCP to enable the W-IAP to fix the malformed DHCP
552. the type of privacy protocol which is used. This takes the value DES (CBC-DES Symmetric Encryption).
Privacy protocol password: If messages sent on behalf of this user can be encrypted/decrypted with DES, the (private) privacy key for use with the privacy protocol.
Configuring SNMP
This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings using the Instant UI or CLI.
Creating community strings for SNMPv1 and SNMPv2 Using Instant UI
To create community strings for SNMPv1 and SNMPv2:
1. Click the System link at the top right corner of the Instant main window. The system window is displayed.
2. Click the Monitoring tab. The following figure shows the SNMP configuration parameters displayed in the Monitoring tab.
Figure 125: Monitoring Tab, SNMP Configuration Parameters
3. Click New.
4. Enter the string in the New Community String te
553. thentication survivability CLI Commands ap wired port mode access ap wired port all ap wired port 20 ap wired port ap wired port name wired port ap wired port ap wired port serverl ap wired port server2 ap wired port ap wired port profile wired por profile wired por profile wired por profil profil wired por wired por profile wired por profile wired por profile wired por profile wired por profile wired por t t t EN t Ul Procedure Network Profiles switchport allowed vlan native vlan no shutdown access rule type employee auth server auth server dot1x exit ap config enetl port profile wired port Configure a wireless SSID to operate in L3 mode and associate distributed L3 mode VLAN 30 to the WLAN SSID profile ap config SSID Profil e wirel wlan ssid profile wireless ssid ess ssidt enable ap 7 Create access rule for wired and wireless ap SSI ap SSI ssid ap SST ap SST ap SST serverl ap SST server2 ap SSI D D D Profil Profil Profil Profil Profil Profil Profil e wirel e wirel wirel wirel wirel wirel wirel ess ssid ess ssid ess ssid ess ssid ess ssid ess ssid ess ssid type employee essid wireless opmode wpa2 aes vlan 30 auth server auth
554. ticast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90 and the maximum threshold value is 100. When the threshold is reached or exceeds the maximum value, the W-IAP sends multicast traffic over the wireless link.
NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.
Specify the following parameters:
• 2.4 GHz: If the 2.4 GHz band is configured on the W-IAP, specify the minimum and maximum transmission rate. The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.
• 5 GHz: If the 5 GHz band is configured on the W-IAP, specify the minimum and maximum transmission rate. The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.
Specify the zone for the SSID. When the zone is defined in the SSID profile and the same zone is defined on a W-IAP, the SSID is created on that W-IAP. For more information on configuring zone details on an IAP, see Configuring Zone Settings on a W-IAP on page 84.
The following constraints apply to the zone configuration:
• A W-IAP can belong to only one zone and only one zone can be configured on an SSID.
• If an SSID belongs to a zone, all W-IAPs in this zone can broadcast this SSID.
• If no W-IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
• If an SSID does not belong to any zo
555. tication Protocol
CN e PEM
RADIUS: Remote Authentication Dial-In User Service
WLAN: Wireless Local Area Network
Glossary
The following table lists the terms and their definitions used in this document.
Table 77: List of Terms (Term: Definition)
802.11: An evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.
802.11a: Provides specifications for wireless systems. Networks using 802.11a operate at radio frequencies in the 5 GHz band. The specification uses a modulation scheme known as orthogonal frequency-division multiplexing (OFDM) that is especially well suited to use in office settings. The maximum data transfer rate is 54 Mbps.
802.11b: WLAN standard often called Wi-Fi; backward compatible with 802.11. Instead of the phase-shift keying (PSK) modulation method historically used in 802.11 standards, 802.11b uses complementary code keying (CCK), which allows higher data speeds and is less susceptible to multipath-propagation interference. 802.11b operates in the 2.4 GHz band and the maximum data transfer rate is 11 Mbps.
802.11g: Offers transmission over relatively short distances at up to 54 Mbps, compared with the 11 Mbps theoretical maximum of 802.11b. 802.11g operates in the 2.4 GHz band and employs orthogonal frequenc
556. tication for a wireless profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type <Guest>
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# captive-portal <type> exclude-uplink <type>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine authentication> <user authentication>
(Instant AP)(SSID Profile <name>)# set-role-mac-auth <MAC authentication only>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure MAC authentication with Captive Portal authentication for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type <guest>
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# captive-portal <type>
(Instant AP)(wired ap profile <name>)# captive-portal <type> exclude-uplink {<3G>|<4G>|<Wifi>|Ethernet}
(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine only> <user only>
(Instant AP)(wired ap profile <name>)# set-role-mac-auth <mac only>
(Instant AP)(wired ap profile <name>)# end
557. tication roles for wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine authentication only> <user authentication only>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring Derivation Rules
Instant allows you to configure role and VLAN derivation rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.
Understanding Role Assignment Rule
When an SSID or wired profile is created, a default role for the clients connecting to this SSID or wired profile is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods. The role assigned by some methods may take precedence over the roles assigned by the other methods.
RADIUS VSA Attributes
The user role can be derived from Dell Vendor-Specific Attributes (VSA) for RADIUS server authentication. The role derived from a Dell VSA takes precedence over roles defined by other methods.
MAC-Address Attribute
The first three octets in a MAC address are known as the Organizationally Unique Identifier (OUI), and are purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the assignee) g
558. ting Local Routing between Clients on page 82
• Enabling Dynamic CPU Management on page 83
The following figure shows the additional configuration options available under the System > General tab.
(Figure: System window, General tab with advanced options)
Configuring Virtual Controller VLAN
The IP configured for the Virtual Controller can be in the same subnet as the W-IAP or can be in a different subnet.
NOTE: Ensure that you configure the Virtual Controller VLAN, gateway, and subnet mask details only if the Virtual Controller IP is in a different subnet.
You can configure the Virtual Controller VLAN by using the Instant UI or CLI.
In the Instant UI
1. Navigate to
559. tion and possibly gain access to company records and other resources.
ad hoc network: A LAN or other small network, especially one with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in some close proximity to the rest of the network.
band: A specified range of frequencies of electromagnetic radiation.
The Dynamic Host Configuration Protocol (DHCP) is an auto-configuration protocol used on IP networks. Computers or any network peripherals that are connected to IP networks must be configured before they can communicate with other computers on the network. DHCP allows a computer to be configured automatically, eliminating the need for a network administrator. DHCP also provides a central database to keep track of computers connected to the network. This database helps in preventing any two computers from being configured with the same IP address.
DNS Server: A Domain Name System (DNS) server functions as a phonebook for the Internet and Internet users. It converts human-readable computer hostnames into IP addresses and vice versa. A DNS server stores several records for a domain name, such as an address (A) record, name server (NS), and mail exchanger (MX) records. The Address (A) record is the most important record that is stored in a DNS server, because it provides the required IP address
560. tomizing W-IAP Settings
Table 18: W-IAP Radio Modes (Mode: Description)
Access: In Access mode, the AP serves clients, while also monitoring for rogue APs in the background. If the Access mode is selected, perform the following actions:
1. Select Administrator assigned in 2.4 GHz and 5 GHz band sections.
2. Select appropriate channel number from the Channel drop-down list for both 2.4 GHz and 5 GHz band sections.
3. Enter appropriate transmit power value in the Transmit power text box in 2.4 GHz and 5 GHz band sections.
Monitor: In Monitor mode, the AP acts as a dedicated monitor, scanning all channels for rogue APs and clients. You can set one radio on the Monitor mode and the other radio on access mode, so that the clients can use one radio when the other one is in the Air Monitor mode.
Spectrum Monitor: In Spectrum Monitor mode, the AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring APs or from non-WiFi devices such as microwaves and cordless phones. In the Spectrum Monitor mode, the APs do not provide access services to clients.
4. Click OK.
In the CLI
To configure a radio profile:
(Instant AP)# wifi0-mode {<access>|<monitor>|<spectrum-monitor>}
(Instant AP)# wifi1-mode {<access>|<monitor>|<spectrum-monitor>}
If the access mode is configured, you can
561. tport <port>
(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant AP)(Auth Server <profile-name>)# timeout <seconds>
(Instant AP)(Auth Server <profile-name>)# retry-count <number>
(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>
(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply
Associate the Authentication Servers with an SSID or Wired Profile
1. Access the WLAN wizard or Wired Settings window.
• To open the WLAN wizard, select an existing SSID in the Network tab, and click edit.
• To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.
You can also associate the authentication servers when creating a new WLAN or wired profile.
2. Click the Security tab.
3. If you are configuring the authentication server for a WLAN SSID, under the Security tab, slide to Enterprise security level.
4. Ensure that an authentication type is enabled.
5. From the Authentication Server 1 drop-down list, select the server name on which dynamic RADIUS proxy parameters are enab
562. trum monitoring
Description:
Select Enabled to run the radio in non-802.11n mode. This option is set to Disabled by default.
Select Enabled to allow the radio to advertise its 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. This option is set to Disabled by default.
Enter the Beacon period for the W-IAP in milliseconds. This indicates how often the 802.11 beacon management frames are transmitted by the access point. You can specify a value within the range of 60-500. The default value is 100 milliseconds.
Select to increase the immunity level to improve performance in high-interference environments. The default immunity level is 2.
• Level 0: no ANI adaptation.
• Level 1: Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
• Level 2: Noise and spur immunity. This level also controls the detection of OFDM packets, and is the default setting for the Noise Immunity feature.
• Level 3: Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high level of interference related to 2.4 GHz appliances such as cordless phones.
• Level 4: Level 3 settings and FIR immunity. At this level, the AP adjusts its sensitivity to in-band power, which can improve performance
563. ts to provide a complete picture of network security.
Wireless Intrusion Detection System (WIDS) Event Reporting to W-AirWave
W-AirWave supports Wireless Intrusion Detection System (WIDS) Event Reporting, which is provided by Instant. This includes WIDS classification integration with the RAPIDS (Rogue Access Point Detection Software) module. RAPIDS is a powerful and easy-to-use tool for automatic detection of unauthorized wireless devices. It supports multiple methods of rogue detection and uses authorized wireless APs to report other devices within range. The WIDS report cites the number of IDS events for devices that have experienced the most instances in the prior 24 hours and provides links to support additional analysis or configuration in response.
RF Visualization Support for Instant
W-AirWave supports RF visualization for Instant. The VisualRF module provides a real-time picture of the actual radio environment of your wireless network and the ability to plan the wireless coverage of new sites. VisualRF uses sophisticated RF fingerprinting to accurately display coverage patterns and calculate the location of every Instant device in range. VisualRF provides graphical access to floor plans, client location, and RF visualization for floors, buildings, and campuses that host your network.
Figure 97: Adding a W-IAP in VisualRF
564. ttempt to navigate to other websites which are not in the whitelist of the walled garden profile, the users are redirected to the login page. If the requested URL is on the blacklist, it is blocked. If it appears on neither list, the request is redirected to the external captive portal.
Configuring a WLAN SSID for Guest Access
You can create an SSID for guest access by using the Instant UI or CLI.
In the Instant UI
1. In the Networks tab of the Instant main window, click the New link. The New WLAN window is displayed.
2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
3. Based on the type of network profile, specify the Primary usage as Guest.
4. Click the Show advanced options link. The advanced options for configuration are displayed.
5. Enter the required values for the following configuration parameters:
Table 22: WLAN SSID Configuration Parameters for Guest Network (Parameters: Description)
Broadcast/Multicast: Select any of the following values under Broadcast filtering:
• All: When set to All, the W-IAP drops all broadcast and multicast frames except DHCP and ARP.
• ARP: When set to ARP, the W-IAP converts ARP requests to unicast and sends frames directly to the associated client.
• Disabled: When set to Disabled, all broadcast and multicast traffic is forwarded.
DTIM interval: The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN
565. type: Select any of the following from the drop-down list:
• Internal Authenticated: When Internal Authenticated is enabled, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
• Internal Acknowledged: When Internal Acknowledged is enabled, the guest users are required to accept the terms and conditions to access the Internet.
MAC authentication: Select Enabled from the drop-down list to enable the MAC authentication.
WISPr: Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication on page 170. Applicable for WLAN SSIDs only.
NOTE: The WISPr authentication is applicable only for Internal Authenticated splash pages and is not applicable for wired profiles.
Auth server 1 / Auth server 2: Select any one of the following:
• A server from the list of servers, if the server is already configured.
• Internal Server to authenticate user credentials at run time.
• Select New for configuring a new external RADIUS or LDAP server for authentication.
Load balancing: Select Enabled to enable load balancing if two authentication servers are used.
Reauth interval: Select a value to allow the APs to periodically reauthenticate all associated and authenticated clients.
Blacklisting: If you are configuring a wireless network profile, sel
566. ual Controllers configured for L3 Mobility. By default, this feature is disabled. To define clusters, go to System > L3 Mobility tab.
7. Ensure that the required AirGroup services are selected. To add any service, click New and add. To allow all services, select allowall. If a custom service is added, you can add a corresponding service ID by clicking New under Service ID.
If the W-IAP is upgraded to the current release and if Bonjour is enabled, ensure that the corresponding Bonjour services are selected. Instant supports the use of up to 6 custom services.
8. Based on the services configured, you can block any user roles from accessing an AirGroup service and restrict the AirGroup servers connected to a specific set of VLANs from being discovered. The user roles and VLANs marked as disallowed are prevented from accessing the corresponding AirGroup service. You can create a list of disallowed user roles and VLANs for all AirGroup services configured on the W-IAP. For example, if the AirPlay service is selected, the edit links for the airplay disallowed roles and airplay disallowed vlans are displayed. Similarly, if sharing service is selected, the edit links for the sharing disallowed roles and sharing disallowed vlans are displayed.
To block user roles from accessing an AirGroup service, click the corresponding edit link and select the user roles for which you wa
567. uest timed out
Figure 24: Fault History
568. ur different ranges of IP addresses.
• For Distributed L2 mode, ensure that all IP ranges are in the same subnet as the default router. On specifying the IP address ranges, a subnet validation is performed to ensure that the specified ranges of IP address are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count.
• For Distributed L3 mode, you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count.
NOTE: You can allocate multiple branch IDs (BID) per subnet. The W-IAP generates a subnet name from the DHCP IP configuration, which the controller can use as a subnet identifier. If static subnets are configured in each branch, all of them are assigned BID 0, which is mapped directly to the configured static subnet.
Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. For example, 176, 242, 161, and so on. To add multiple DHCP options, click the icon. You can add up to eight DHCP options.
4. Click Next.
5. Specify the number of clients to use per branch. The client count configured for a branch determines the use of IP addresses from the IP address range defined for a DHCP scope. For example, if 20 IP addresses are available in an IP address range configured for a D
569. uring VLAN for a Wired Profile on page 114 and Configuring Security Settings for a Wired Profile on page 115.
You can configure access rules by using the Instant UI or CLI.
In the Instant UI
To configure access rules:
1. In the Access tab, configure the following access rule parameters:
a. Select any of the following types of access control:
• Role-based: Allows the users to obtain access based on the roles assigned to them.
• Unrestricted: Allows the users to obtain unrestricted access on the port.
• Network-based: Allows the users to be authenticated based on access rules specified for a network.
b. If the Role-based access control is selected, perform the following steps:
• Under Roles, select an existing role for which you want to apply the access rules, or click New and add the required role. The list of roles defined for all networks is displayed under Roles.
NOTE: The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted.
• Select the access rule associated with a specific role and modify if required. To add a new access rule, click New in the Access Rules window. You can configure up to 64 access rules. For more information on configuring access rules, see Configuring Access Rules for Network Services on page 177.
• Configure rules to assign roles for an authenticated client. You can also configure rules to derive VLANs for the wired networ
570. usiness traveler, for example, with a laptop equipped for Wi-Fi can look up a local hot spot, contact it, and get connected through its network to reach the Internet and their own company remotely with a secure connection. Increasingly, public places such as airports, hotels, and coffee shops are providing free wireless access for customers.
IEEE 802.11 standards: The IEEE 802.11 is a set of standards that are categorized based on the radio wave frequency and the data transfer rate.
Power over Ethernet (PoE) is a method of delivering power on the same physical Ethernet wire used for data communication. Power for devices is provided in one of the following two ways:
• Endspan: The switch that an AP is connected for power supply.
• Midspan: A device can sit between the switch and APs.
The choice of endspan or midspan depends on the capabilities of the switch to which the W-IAP is connected. Typically, if a switch is in place and does not support PoE, midspan power injectors are used.
Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the Internet, typically used with DSL services, where the client connects to the DSL modem.
Quality of Service (QoS) refers to the capability of a network to provide better service to a specific network traffic over various technologies.
Radio Frequency (RF) refers to the portion of electromagnetic spectrum in which electromagnetic waves are generated by feeding alternating current to an
571. uted DHCP Mode Configuration Parameters (Name: Description)
Name: Enter a name for the DHCP scope.
Select any of the following options:
• Distributed, L2: On selecting Distributed L2, the Virtual Controller acts as the DHCP Server, but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.
• Distributed, L3: On selecting Distributed L3, the Virtual Controller acts as both DHCP Server and default gateway. Traffic is routed into the VPN tunnel.
If Distributed L2 is selected for type of DHCP scope, specify the subnet mask. The subnet mask and the network determine the size of subnet.
Default router: If Distributed L2 is selected for type of DHCP scope, specify the IP address of the default router.
DNS Server: If required, specify the IP address of a DNS server.
If required, specify the domain name.
VLAN: Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 97 and Configuring VLAN for a Wired Profile on page 114.
Table 38: Distributed DHCP Mode Configuration Parameters (Name: Description)
Specify a lease time for the client in minutes.
IP Address Range: Specify a range of IP addresses to use. To add another range, click the icon. You can specify up to fo
572. utes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 150.
4. Select the operator from the Operator drop-down list. The following types of operators are supported:
• contains: The rule is applied only if the attribute value contains the string specified in Operand.
• equals: The rule is applied only if the attribute value is equal to the string specified in Operand.
• not-equals: The rule is applied only if the attribute value is not equal to the string specified in Operand.
• starts-with: The rule is applied only if the attribute value starts with the string specified in Operand.
• ends-with: The rule is applied only if the attribute value ends with the string specified in Operand.
• matches-regular-expression: The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
5. Enter the string to match in the String field.
6. Select the appropriate VLAN ID from the VLAN drop-down list.
7. Click OK.
8. Ensure that all other required parameters are configured.
9. Click Finish to apply the changes.
In the CLI
To cre
573. ve Radio Management 232

Configuring ARM Features on a W-IAP

This section describes the following procedures for configuring ARM features:
- Band Steering on page 233
- Airtime Fairness Mode on page 233
- Client Match on page 234
- Access Point Control on page 236

Band Steering

The band steering feature assigns the dual-band capable clients to the 5 GHz band on dual-band W-IAPs. This feature reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. You can configure band steering parameters through the Instant UI or CLI.

In the Instant UI

To configure band steering:
1. In the RF > ARM > Show advanced options view, configure the following parameters:

Table 44: Band Steering Mode Configuration Parameters

Prefer 5 GHz: Select this option to use band steering in the 5 GHz mode. On selecting this, the W-IAP steers the client to the 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts for 2.4 GHz association.

Force 5 GHz: Select this option to enforce 5 GHz band steering mode on the W-IAPs.

Balance Bands: Select this option to allow the W-IAP to balance the clients across the two radios to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4
574. ve to a wired LAN. Many airports, hotels, and fast-food facilities offer public access to Wi-Fi networks.

WEP: Wired equivalent privacy (WEP) is a security protocol specified in 802.11b, designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. Data encryption protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms such as password protection, end-to-end encryption, virtual private networks (VPNs), and authentication can be put in place to ensure privacy.

wireless: Describes telecommunications in which electromagnetic waves, rather than some form of wire, carry the signal over part or all of the communication path.

wireless network: In a Wireless LAN (WLAN), laptops, desktops, PDAs, and other computer peripherals are connected to each other without any network cables. These network elements or clients use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards.

Wireless ISP (WISP) refers to an internet service provider (ISP) that allows subscribers to connect to a server at designated hot spots (access points) using a wireless connection such as Wi-Fi. This type of ISP offers broadband service and allows subscriber computers, called stations, to access the Internet and the Web from anywhere within the zone of coverage provided by the server antenn
575. ver <authentication_server1>
(Instant AP)(config)# mgmt-auth-server <authentication_server2>
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# end
(Instant AP)# commit apply

To configure management authentication settings:

(Instant AP)(config)# mgmt-auth-server <server1>
(Instant AP)(config)# mgmt-auth-server <server2>
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# end
(Instant AP)# commit apply

Configuring Guest Management Interface Administrator Credentials

You can configure guest administrator credentials in the Instant UI or CLI.

In the Instant UI

1. Click the System link at top right corner of the Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed.
3. Under Guest Registration Only:
   a. Specify a Username and Password.
   b. Retype the password to confirm.
4. Click OK. When the guest management administrator logs in with these credentials, the guest management interface is displayed.

In the CLI

To configure guest management administrator credentials:

(Instant AP)(config)# mgmt-user <username> [password] guest-mgmt
(Instant AP)(config)# end
(Instant AP)
576. vigate to Server Manager > Roles > DHCP Server > domain DHCP Server > IPv4.
2. Right-click IPv4 and select Set Predefined Options.

Figure 99: Instant and DHCP options for W-AirWave: Set Predefined Options

3. Select DHCP Standard Options in the Option class drop-down list and then click Add.
4. Enter the following information:
   Name: Instant
   Data Type: String
   Code: 60
   Description: Instant AP

Figure 100: Instant and DHCP options for W-AirWave: Predefined Options and Values
577. w Hide Advanced option at the bottom of the System window to view or hide the advanced options.

General: Allows you to configure, view, or edit the Name, IP address, NTP Server, and other W-IAP settings for the Virtual Controller. For more information on the basic and additional configuration settings that can be performed on this tab, see Basic Configuration Tasks on page 74 and Additional Configuration Tasks on page 78.

Admin: Allows you to configure administrator credentials for access to the Virtual Controller Management User Interface. You can also configure W-AirWave in this tab. For more information on management interface and W-AirWave configuration, see Managing W-IAP Users on page 140 and Managing a W-IAP from W-AirWave on page 275, respectively.

Uplink: Allows you to view or configure uplink settings. See Uplink Configuration on page 285 for more information.

L3 Mobility: Allows you to view or configure the Layer 3 mobility settings. See Configuring L3 Mobility on page 307 for more information.

Enterprise Domains: Allows you to view or configure the DNS domain names that are valid in the enterprise network. See Configuring Enterprise Domains on page 188 for more information.

Monitoring: Allows you to view or configure the following details:
- Syslog: Allows you to view or configure Syslog Server details for sending syslog messages to the external servers. See Configuring a Syslog Server on page 330 for more informati
578. xt box.
Click OK.
To delete a community string, select the string and click Delete.

Creating community strings for SNMPv3 Using Instant UI

To create community strings for SNMPv3:
1. Click the System link at the top right corner of the Instant main window. The System window is displayed.
2. Click the Monitoring tab. The SNMP configuration parameters are displayed in the Monitoring tab.
3. Click New in the Users for SNMPV3 box. A window for specifying SNMPv3 user information is displayed.

Figure 126: SNMPv3 User

4. Enter the name of the user in the Name text box.
5. Select the type of authentication protocol from the Auth protocol drop-down list.
6. Enter the authentication password in the Password text box and retype the password in the Retype text box.
7. Select the type of privacy protocol from the Privacy protocol drop-down list.
8. Enter the privacy protocol password in the Password text box and retype the password in the Retype text box.
9. Click OK.
10. To edit the details for a particular user, select the user and click Edit.
11. To delete a particular user, select the user and click Delete.

Configuring SNMP Community Strings in the CLI

To configure an SNMP engine ID and host:

Instant AP co
579. y division multiplexing (OFDM), the modulation scheme used in 802.11a to obtain higher data speed. Computers or terminals set up for 802.11g can fall back to speeds of 11 Mbps, so that 802.11b and 802.11g devices can be compatible within a single network.

802.11n: Wireless networking standard to improve network throughput over the two previous standards 802.11a and 802.11g, with a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. 802.11n operates in the 2.4 and 5.0 bands.

Table 77: List of Terms

AP: An access point (AP) connects users to other users within the network and also can serve as the point of interconnection between the WLAN and a fixed wire network. The number of access points a WLAN needs is determined by the number of users and the size of the network.

access point mapping: The act of locating and possibly exploiting connections to WLANs while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a WLAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connec
580. y role. You can use the WLAN wizard to configure the mac auth only role in the role-based access rule configuration section when MAC authentication is enabled with captive portal authentication.

Configuring MAC Authentication with Captive Portal Authentication

You can configure the MAC authentication with Captive Portal authentication for a network profile using the Instant UI or CLI.

In the Instant UI

1. Select an existing wireless or wired profile for which you want to enable MAC with Captive Portal authentication. Depending on the network profile selected, the Edit <WLAN-Profile> or Edit Wired Network window is displayed.

NOTE: You can configure MAC authentication with Captive Portal authentication in the Access tab of the New WLAN and New Wired Network windows when configuring a new profile.

2. In the Access tab, specify the following parameters for a network with Role-Based rules:
   a. Select the Enforce Machine Authentication checkbox when MAC authentication is enabled for Captive Portal. If the MAC authentication fails, the Captive Portal authentication role is assigned to the client.
   b. For wireless network profile, select the Enforce MAC Auth Only Role checkbox when MAC authentication is enabled for Captive Portal. After successful MAC authentication, MAC auth only role is assigned to the client.
3. Click Next and then click Finish to apply the changes.

In the CLI

To configure MAC authentication with Captive Portal authen
581. z radio settings:

(Instant AP)(config)# rf dot11a-radio-profile
(Instant AP)(RF dot11a Radio Profile)# spectrum-monitor

Converting a W-IAP to a Spectrum Monitor

In spectrum mode, spectrum monitoring is performed on entire bands. However, for the 5 GHz radio, spectrum monitoring is performed on only one of the three bands: 5 GHz lower, 5 GHz middle, or 5 GHz higher. By default, spectrum monitoring is performed on a higher band of the 5 GHz radio. You can configure a W-IAP to function as a standalone spectrum monitor using the Instant UI or CLI.

In the Instant UI

To convert a W-IAP to a spectrum monitor:
1. In the Access Points tab, click the AP that you want to convert to a spectrum monitor. The edit link is displayed.
2. Click the edit link. The Edit Access Point window is displayed.
3. Click the Radio tab.
4. From the Access Mode drop-down list, select Spectrum Monitor.
5. Click OK.
6. Reboot the W-IAP for the changes to take effect.
7. To enable spectrum monitoring for any other band for the 5 GHz radio:
   a. Click the RF link at the upper right corner of the Instant UI.
   b. Click Show advanced options to view the Radio tab.
   c. For the 5 GHz radio, specify the spectrum band you want that radio to monitor by selecting Lower, Middle, or Higher from the Standalone spectrum band drop-down list.
   d. Click OK.

In the CLI

To convert a W-IAP to a spectrum monitor
