Dell PowerConnect W-Airwave 7.4 Configuration manual
Contents
1. MSCHAPV2 CHAP PAP Cache SecurID Token MSCHAP MSCHAPv2 PAP. IKE Lifetime (300-85400 secs): Specify the Internet Key Exchange (IKE) Lifetime in seconds. When this period of time expires, the IKE SA is replaced by a new SA or is terminated. The IKE SA specifies values for the IKE exchange: the authentication method used, the encryption and hash algorithms, the Diffie-Hellman group used, the lifetime of the IKE SA in seconds, and the shared secret key values for the encryption algorithms. The IKE SA in each peer is bi-directional. IKE Encryption (default 168-bit 3DES): Select the Internet Key Exchange (IKE) encryption method from the following two CBC options: 168-bit 3DES-CBC, 56-bit DES-CBC. IKE Diffie-Hellman Group 1024-bit 1: Select the IPSEC Mode Group that matches the Diffie-Hellman Group configured for the IPSEC policy. The two options are as follows: 1024-bit, 768-bit. The IKE policy selections, along with the preshared key, need to be reflected in the VPN configuration. Set the VPN configuration on clients to match the choices made above. In case the Dell PowerConnect W dialer is used, these configurations need to be made on the dialer prior to downloading the dialer onto the local client. IKE Hash Algorithm: Set the IKE Hash Algorithm to either SHA or MD5 to match the IKE policy for IPSEC. IKE Authentication (default Pre-Shared): IKE Phase 1 authentication can be done with either an IKE preshared key or digital certificates. This establishes how t
2. Advanced Services This section describes the contents parameters and default settings for all Advanced Services components in Dell PowerConnect W Series Configuration Dell PowerConnect W Series Configuration in AirWave 6 3 156 Configuration Reference Dell PowerConnect W AirWave 7 4 Configuration Guide supports advanced services such as IP Mobility and VPN services Future AirWave versions will support additional advanced services For additional information about IP Mobility domains VPN services and additional architecture or concepts refer to your version of the Dell PowerConnect W Series ArubaOS User Guide Overview of IP Mobility Domains Dell PowerConnect W s layer 3 mobility solution is based on the Mobile IP protocol standard as described in RFC 3344 IP Mobility Support for IPv4 This standard addresses users who need both network connectivity and mobility within the work environment Unlike other layer 3 mobility solutions a Dell PowerConnect W Series mobility solution does not require that you install mobility software or perform additional configuration on wireless clients The Dell PowerConnect W Series controllers perform all functions that enable clients to roam within the mobility domain In a mobility domain a mobile client is a wireless client that can change its point of attachment from one network to another within the domain A mobile client receives an IP address a home address on a home network
3. Table 9: Profiles > AAA > 802.1x Auth Profile Settings (Continued). Field, Default, Description. Dynamic WEP Key Message Retry Count (1-3): Define the number of times that failed authentication with a WEP key should be allowed to retry authentication. The range is from 0 to 3 attempts. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak implementations that are still used by many legacy devices. Dynamic WEP Key Size (bits), default 128: Specify the maximum size of the WEP key in bits. The options are 40 or 128. Interval Between WPA/WPA2 Key Messages (10-5000 msec): Specify the key message interval in milliseconds. Define EAP for RADIUS server authentication. 802.1x uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1x framework that are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. Display Between EAP-Success and WPA2 Unicast Key Exchange (0-2000 msec), Delay between WPA/WPA2 Unicast Key Exchange (0-2000 msec): Specify the delay between processing these two key times during authentication. WPA/WPA2 Key Message Retry Count (1-10)
4. The VPN dialer can be downloaded using Captive Portal. For the user role assigned through Captive Portal, configure the dialer by the name used to identify the dialer. For example, if the captive portal client is assigned the guest role after logging on through captive portal and the dialer is called mydialer, configure mydialer as the dialer to be used in the guest role. Select a dialer from the drop-down list and assign it to the user role. This dialer will be available for download when a client logs in using captive portal and is assigned this role. The Security > User Roles > Add New VPN Dialer page contains the following fields, as described in Table 68. Table 68: Security > User Roles > Add VPN Dialer Fields and Descriptions. Field, Default, Description. General Settings. Folder (default Top): Set the folder with which the VPN Dialer is associated. The drop-down menu displays all folders available for association with the profile. Other Settings. PPTP: Enable PPTP with this setting as desired. Point-to-Point Tunneling Protocol (PPTP) is an alternative to L2TP/IPSec. Like L2TP/IPSec, PPTP provides a logical transport mechanism to send PPP frames as well as tunneling or encapsulation so that the PPP frames can be sent across an IP network. PPTP relies on the PPP connection process to perform user authentication and protocol configuration. With PPTP, data encryption begins after PPP authentication and connection process
5. All configurations of Dell PowerConnect W AP Groups must be pushed to Dell PowerConnect W controllers to become active on the network Additional dynamics between master standby master and local controllers still apply In this case refer to Using Controllers in Dell PowerConnect W Configuration on page 29 The following pages in AirWave govern the configuration and use of Dell PowerConnect W AP Groups or standard device groups across AirWave The Dell PowerConnect W Configuration navigation pane displays standard AOS components and your custom configured Dell PowerConnect W AP Groups WLANs and AP Overrides You define or modify Dell PowerConnect W AP Groups on the Dell PowerConnect W Configuration page Click Dell PowerConnect W AP Groups from the navigation pane With Global configuration enabled you select Dell PowerConnect W AP Groups to associate with AMP AirWave Groups with the Groups gt Dell PowerConnect W Config page You modify devices in Dell PowerConnect W AP Groups with the APs Devices gt List page clicking Modify Devices This is the page where you assign devices to a given group and Dell PowerConnect W AP Group Dell PowerConnect W AirWave 7 4 Configuration Guide Using Dell PowerConnect W Configuration in Daily Operations 27 Selecting Dell PowerConnect W AP Groups To select Dell PowerConnect W AP Groups navigate to the Dell PowerConnect W Configuration gt Dell PowerConnect W AP Groups page This pag
6. Bandwidth Allocation: Use this control to set a minimum bandwidth to be allocated to a virtual AP profile when there is congestion on the wireless network. Define this as a percentage. 3. Select Add or Save. The added or edited profile appears on the Profiles > QoS > Traffic Management page. Profiles > QoS > VoIP Call Admission Control. Dell PowerConnect W's Voice Call Admission Control limits the number of active voice calls per AP by load balancing or ignoring excess call requests. This profile enables active load balancing and call admission controls, and sets limits for the numbers of simultaneous Session Initiated Protocol (SIP), SpectraLink Voice Priority (SVP), Cisco Skinny Client Control Protocol (SCCP), Vocera or New Office Environment (NOE) calls that can be handled by a single radio. VoIP call admission control prevents any single AP from becoming congested with voice calls. You configure call admission control options in the VoIP CAC profile, which you apply to an AP group or a specific AP. In the VoIP Call Admission Control (CAC) profile, you can limit the number of active voice calls allowed on a radio. This feature is disabled by default. When the disconnect extra call feature is enabled, the system monitors the number of active voice calls and, if the defined threshold is reached, any new calls are disconnected. The AP denies association requests from a device that is on call. You enable this feature i
7. Channel (34-165): Set the transmit channel for this radio. Secondary Channel: Sets a secondary channel in relation to the primary channel defined just above. Select an option as follows: None (no secondary channel); Above (secondary channel is just above the channel defined in the Channel field); Below (secondary channel is just below the channel defined in the Channel field). Beacon Period: Sets the Beacon Period for the AP in milliseconds. The supported range is from 60 to 30,000 milliseconds. Beacon Regulate: Enabling this setting introduces randomness in the beacon generation so that multiple APs on the same channel do not send beacons at the same time, which causes collisions over the air. Transmit Power: Sets the maximum transmit power (EIRP) in dBm, from 0 to 30 in 0.5 dBm increments. This setting is limited further by regulatory domain constraints and AP capabilities. TPC Power: The transmit power advertised in the TPC IE of beacons and probe responses. Range: 0-51 dBm. Advertise 802.11d and 802.11h Capabilities: Enable or disable the radio to advertise its 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. Advertised Regulatory Max EIRP: The maximum transmit power (EIRP) advertised. Table 51: Profiles > RF > 802.11a/g Profile Settings (Continued). Field: Spectrum Load Balancing Spectrum Load Balancing
8. Dell PowerConnect W AirWave 7 4 Configuration Guide Configuration Reference 39 Table 4 AP Overrides Add or Edit Page Fields Continued Field WLANs Default Description o mm Excluded WLANs This section lists the WLANs currently defined in Dell PowerConnect W Configuration by default You can display selected WLANs or all WLANs Select one or more WLANs for which AP Override is to apply Excluded WLANs Referenced Profiles This section displays WLANs currently defined by default This section can display selected WLANs or all WLANs Use this section to specify which WLANs are notto support AP Override 802 11a Radio Profile 802 11g Radio Profile RF Optimization Profile Event Thresholds Profile 40 Configuration Reference Defines AP radio settings for the 5 GHz frequency band including the Adaptive Radio Management ARM profile and the high throughput 802 11n radio profile Select the pencil icon next to this field to edit or create additional profile settings in the RF gt 802 11a g Radio page Refer to Profiles gt RF gt 802 11a g Radio on page 109 Defines AP radio settings for the 2 4 GHz frequency band including the Adaptive Radio Management ARM profile and the high throughput 802 11n radio profile Each 802 11a and 802 11b radio profile includes a reference to an Adaptive Radio Management ARM profile If you would like the ARM feature to select dynami
9. Frames with the highest priority AC are more likely to get TXOP as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values). The value of the CW varies through time as the CW doubles after each collision up to the maximum CW. The CW is reset to the minimum value after successful transmission. In addition, you can configure the TXOP duration for each AC. Transmission Opportunity Slots (in 32 µsec Units). Background: Arbitrary Inter-frame Space Number (7), Minimum Contention Window Exponent, Maximum Contention Window Exponent, Transmission Opportunity Slots (in 32 µsec Units). WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol's Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC: arbitrary inter-frame space number (AIFSN), minimum and maximum contention window (CW) size. For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity to transmit (TXOP). Frames with the highest priority AC are more likely to get TXOP as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values). The value of the CW varies through time as the CW doubles after each collision up to the maximum CW. T
10. Refer to Profiles > IDS > Denial of Service > Rate Threshold on page 89. General: Configures general AP attributes. Refer to Profiles > IDS > General on page 84. Impersonation: Configures anomaly settings for impersonation attacks. Refer to Profiles > IDS > Impersonation on page 90. Signature Matching: Configures signatures and signature matching for intrusion detection. Refer to Profiles > IDS > Signature Matching on page 85. Signature: Defines a predefined signature. Refer to Profiles > IDS > Signature Matching > Signature on page 86. Unauthorized Device: Configures detection for unauthorized devices. Also configures rogue AP detection and containment. Refer to Profiles > IDS > Unauthorized Device on page 92. 5. Select Add or Save. The added or edited IDS profile appears on the IDS profiles page. Profiles > IDS > General. Perform these steps to configure a General IDS profile: 1. Select Profiles > IDS > General in the navigation pane. The list of current IDS profiles appears on this page. 2. Select the Add button to create a new General profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 33. Table 33: Profiles > IDS > General Profile Settings. Field, Default, Description. General Se
11. Security > Policies. The Security > Policies page displays all currently configured policies to include the policy name, type, and cites the groups, user roles, and folders to which the security policy applies. To create a new policy, click the Add New Policy button. To edit an existing policy, click the pencil icon. The Security > Policies > Add New Policy page contains the following fields, as described in Table 69. Table 69: Security > Policies > Add New Policy Fields and Descriptions. Field, Default, Description. General Settings. Folder (default Top): Set the folder with which the policy is associated. The drop-down menu displays all folders available for association with the policy. IPV6: Select whether to use the IPv6 protocol. If you select No, AMP displays options for the IPv4 protocol instead. NOTE: As of AOS 6.0, you can mix IPv4 and IPv6 rules on one policy. Source Traffic Match: The traffic source, which can be one of the following. alias: After choosing this option, specify the network resource from the Source Alias drop-down menu that appears. Select the pencil icon to edit or the plus icon to add a new alias. any: match any traffic (wildcard). host: This refers to traffic from a specific host. When this option is chosen, you must configure the source IP address of the host. For example: 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab. localip (IPv4 only): specify the local IP address to match traffic. network: This refers to
12. Selects the SNMP profile to associate with this AP group The drop down menu lists all SNMP profiles currently enabled in AirWave Select the pencil icon next to this field to display the Profiles gt AP gt SNMP page and adjust these settings as desired Refer to Profiles gt AP gt SNMP on page 75 Dell PowerConnect W s Voice Call Admission Control limits the number of active voice calls per AP by load balancing or ignoring excess call requests This profile enables active load balancing and call admission controls and sets limits for the numbers of simultaneous Session Initiated Protocol SIP SpectraLink Voice Priority SVP Cisco Skinny Client Control Protocol SCCP Vocera or New Office Environment NOE calls that can be handled by a single radio Select the pencil icon next to this field to display the Profiles gt AP gt Regulatory Domain page and adjust these settings as desired Refer to Profiles gt AP gt SNMP on page 75 Configuration Reference 41 Table 4 AP Overrides Add or Edit Page Fields Continued Field Default Description 802 11g Traffic default Specify the minimum percentage of available bandwidth to be allocated to a specific Management Profile SSID when there is congestion on the wireless network and sets the interval between bandwidth usage reports This setting pertains specifically to 802 11g Refer to Profiles gt QoS gt Traffic Management on page 104 802 11a Traffic
13. Specify the number of times that WPA or WPA2 keys are allowed to retry. The supported range is from 1 to 10. Multicast Key Rotation: Enable or disable multicast key rotation, and define the related settings on this page for multicast key rotation time and interval if this field is enabled. Unicast Key Rotation: Enable or disable unicast key rotation, and define the related settings on this page for unicast key rotation time and interval if this field is enabled. Reauthentication: Enable or disable reauthentication. Although reauthentication and rekey timers are configurable on a per-SSID basis, an 802.1x transaction during a call can affect voice quality. If a client is on a call, 802.1x reauthentication and rekey are disabled by default until the call is completed. You disable or re-enable the voice-aware feature in the 802.1x authentication profile. Opportunistic Key Caching (default Yes): Enable or disable opportunistic key caching, also configured in the 802.1x Authentication profile. This supports WPA2 clients. Validate PMKID: Define whether PMKID authentication should be validated. Use Session Key: Specify whether a client session should use a security key. The IEEE 802.1x authentication standard allows for the use of keys that are dynamically generated on a per-client basis, or as a static key that is the same on all devices in the network. Use Static Key: Define whether to use a static key with this setting. xSec MTU
14. on page 13 Figure 2 Device Setup gt Dell PowerConnect W Configuration Page Illustration Helpdesk APs Devices Reports System Corrir tater Upkad Finn ware amp Fikes RAPIDS V Users ala AMP Setup Home Groups Limit to Folder Top New Dell PowerConnect W AP Group Dell PowerConnect W AP Groups 1 2 of 2 Dell PowerConnect W AP Groups Page 1 ofl Choose Columns CSV Export default Used ae Name a Number of APs Group User Role RAP Whitelist Authorization Controller NoAuthApSroup fw default 16 a 3 z z FAP Overrides Acme Access Points w Nofuth pGroup 0 default 1 2 of 2 Dell PowerConnect W AP Groups Page i of 1 WLANs default Profiles PARA HAP HController HIDS HMesh 4 Qo5 RF SSID HSecrurity HLuocal Config I H Advanced Services Select All Unselect All Dell PowerConnect W AirWave 7 4 Configuration Guide Dell PowerConnect W Configuration in AirWave 11 Groups gt Dell PowerConnect W Config Page With Global Configuration Enabled When Use Global Dell PowerConnect W Configuration is enabled in AMP Setup gt General focused submenu page displays and edits all configured Dell PowerConnect W AP groups with the following factors Dell PowerConnect W AP Groups must be defined from the Device Setup gt Dell PowerConnect W Configuration page before they are visible on the Groups gt Dell PowerConnect W Config page Use this page to select the Del
15. 0 Specify the bandwidth allocation to Session Initiated Protocol SIP voice calls when 255 Admission Control is enabled VoIP SVP Call Capacity Specify the bandwidth allocation to SpectraLink Voice Priority SVP voice calls when 0 255 Admission Control is enabled VolP SCCP Call Capacity Specify the bandwidth allocation to Cisco Skinny Client Control Protocol SCCP voice 0 255 calls when Admission Control is enabled VoIP H 323 Call Capacity Specify the bandwidth allocation to H323 protocol traffic when Admission Control is 0 255 enabled VoIP T Spec Call A WMM client can send a Traffic Specification TSPEC signaling request to the AP Capacity 0 255 before sending traffic of a specific AC type such as voice You can configure the controller so that the TSPEC signaling request from a client is ignored if the underlying voice call is not active this feature is disabled by default If you enable this feature you can also configure the number of seconds that a client must wait to start the call after sending the TSPEC request the default is one second You enable TSPEC signaling enforcement in the VoIP Call Admission Control profile This field specifies the bandwidth allocation to T Spec voice calls when Admission Control is enabled VoIP Call Handoff 20 Specify the total bandwidth to be reserved for call handoff This field is a percentage of Reservation 0 100 entire bandwidth VoIP High capacity 20 Specify the threshold
16. As a Managed Sensor, the Dell PowerConnect W AP is managed by the controller but sends collected security data about the wireless environment to an RFprotect Server. Configure Aeroscout RTLS Server: Enable this option if you wish to support an Aeroscout RTLS server. Ortonics Walljack: Specify whether the Dell PowerConnect W controller uses an Ortonics walljack. Ortronics Wi-Jack and Wi-Jack Duo thin client access points are centrally configured and managed by the Dell PowerConnect W Networks wireless controllers to provide a high performance wireless network that integrates seamlessly into the structured cabling infrastructure. When enabled, this setting requires an Ortonics Access Point License. Ortonics LED Off Time Out (default Yes): Enable the LED time out function for Ortonics wall jacks when used. When enabled, this setting requires an Ortonics Access Point License. Ortonics Low Temp, Ortonics High Temp: Enter the low and high temperatures in Celsius for Ortonics wall jacks. The range is from 0C to 255C degrees. When Ortonics is enabled, these settings require an Ortonics Access Point License. Configure RTLS Server: Enable this setting for Real-time Locating Systems (RTLS) server values and the number of consecutive missed heartbeats on a GRE tunnel before an AP reboots traps. Remote AP DHCP Server VLAN: Specify the VLAN to be associated with the remote AP DHCP server. This field requires a remote access points l
17. Mesh Point 01 Up 0 0 109 days 7 hrs 45 mins amp Error Aruba HQ corp1344 mesh 01 amp Mesh Portal 01 Up 0 Q 109 days 7 hrs 47 mins amp Error Aruba HQ corp1344 mesh 01 mesh portal Up 0 0 1 day 20 hrs 41 mins d Error Aruba HQ alpha master 1 amp mesh portal 80 Up 0 0 12 days 15 hrs 45 mins amp Error Aruba HQ alpha master 1 1 6 w of 6 APs Devices Page 1 w of 1 APs Devices gt Manage Page This page configures device level settings including Manage mode that enables pushing configurations to controllers For additional information refer to Pushing Device Configurations to Controllers on page 29 You can create controller overrides for entire profiles or a specific profile setting per profile This allows you to avoid creating new profiles or Dell PowerConnect W AP Groups that differ by one more settings Controller overrides can be added from the controller s APs Devices gt Manage page Figure illustrates an APs Devices gt Manage page with controller overrides Dell PowerConnect W Configuration in AirWave 17 Figure 11 APs Devices gt Manage Page Illustration Partial Display Name Dell Controller Name Dell Controller Status Up OK Location tac lab Configuration Mismatched More Details Contac me Last Contacted 4 7 2011 10 09 PM Latitude Type Longitude Firmware 6 1 0 0 Altitude m Group v3 Group v3 Fog Folder Icor p Folder corp l Management Mode Monitor Only Firmware Auto Detect U
18. TSPEC signaling request to the AP before sending traffic of a specific AC type such as voice You can configure the controller so that the TSPEC signaling request from a client is ignored if the underlying voice call is not active this feature is disabled by default If you enable this feature you can also configure the number of seconds that a client must wait to start the call after sending the TSPEC request the default is one second You enable TSPEC signaling enforcement in the VoIP Call Admission Control profile This field enables or disables TSPEC Enforcement VolP TSPEC Enforcement When TSPEC is enabled this field sets the number of seconds that a client must wait to Period 0 100 start the call after sending the TSPEC request VoIP Drop SIP Invite and 486 The SIP invite call setup message is time sensitive as the originator retries the call as Send Status Code quickly as possible if it does not proceed You can direct the controller to immediately Client reply to the call originator with a SIP 100 trying message to indicate that the call is proceeding and to avoid a possible timeout This is useful in conditions where the SIP invite may be redirected through a number of servers before reaching the controller Use this field to enable or disable SIP call setup keepalive in the VoIP Call Admission Control profile for the client VoIP Drop SIP Invite and 486 The SIP invite call setup message is time sensitive as the
19. and background The 802 1D priority value is contained in a two byte QoS control field in the WMM data frame Refer to Profiles gt QoS gt WMM Traffic Management on page 107 Profiles gt QoS gt Traffic Management Perform these steps to create or edit Traffic Management profiles l Select Profiles gt QoS gt Traffic Management in the navigation pane 2 Select the Add button to create a new Traffic Management profile or click the pencil icon to edit an existing profile Complete the settings as described in Table 48 Table 48 Profiles gt QoS gt Traffic Management Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile 104 Configuration Reference Dell PowerConnect W AirWave 7 4 Configuration Guide Table 48 Profiles gt QoS gt Traffic Management Profile Settings Continued Field Default Description Other Settings Report Interval Set the time in minutes between the bandwidth usage report The supported range is from 1 to 9 999 999 minutes Station Shaping default access Select the policy from the drop down menu with these options Policy default access fair access preferred access Name of the threshold profile WLAN Bandwidths WLAN Select the Add button to specify edit or add a WLAN bandwidth allocation and the associated WLAN
20. gt Spectrum Profile Settings Continued Field Default Description Other Settings WIFI 600 seconds Define the ageout time for Wi Fi devices Generic Interferer Define the ageout time for generic devices Define the ageout time for microwave ovens Microwave 15 seconds Define the ageout time for inverter microwave ovens Inverter type Define the ageout time for video devices Define the ageout time for audio devices Cordless Phone 10 seconds Define the ageout time for fixed frequency cordless phones Fixed Frequency Generic Fixed 10 seconds Define the ageout time for generic fixed frequency devices Frequency Define the ageout time for Bluetooth devices Define the ageout time for XBox consoles Cordless Network 60 seconds Define the ageout time for cordless network frequency hopping devices Frequency Hopper Cordless Base 240 seconds Define the ageout time for cordless base frequency hopping devices Frequency Hopper Generic Frequency Define the ageout time for Generic Frequency Hopper devices Hopper Profiles gt RF gt Event Thresholds Perform these steps to create or edit Event Threshold profiles l Select Profiles gt RF gt Event Thresholds in the navigation pane 2 Select the Add button to create a new Event Thresholds profile or click the pencil icon to edit an existing profile Complete the settings as described in Table 56 Table 56 Profiles gt RF gt Event Thresholds Profile Settings Field
21. period of time and searching for such weak implementations that are still used by many legacy devices. Detect Bad WEP. Detect Misconfigured AP: Enable or disable detection of misconfigured APs. An AP is classified as misconfigured if it does not meet any of the following configurable parameters: Valid channels, Encryption type, Short preamble, List of valid AP MAC OUIs, Valid SSID list. Protect Misconfigured AP: Enable or disable protection of misconfigured APs. Detect Valid SSID Misuse: If an unauthorized AP (neighbor or interfering) is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious network, security breaches or attacks can occur. Enable or disable detection of Interfering or Neighbor APs using valid protected SSIDs. Requires a Wireless Intrusion Protection license or an RFprotect license, and a minimum version of 6.1.0.0. Protect SSID (default No): Enable or disable use of SSID by only valid APs. Privacy (default No): Enable or disable encryption as valid AP configuration. Require WPA: Enable or disable misconfigured flagging of any valid AP that is not using WPA encryption. Detect Unencrypted Valid Clients: Enable or disable detection of unencrypted valid clients. Requires a Wireless Intrusion Protection license or an RFprotect license, and a minimum version of 6.0.0.0. Unencrypted Valid Client Time to wait in seconds after detecting an unencry
22. (1024-1500 Bytes), default 1300 bytes: Define the maximum transmission unit size in bytes. Termination: Select this option to terminate 802.1x authentication on the controller. Termination EAP Type TLS: Specify if the EAP termination type is TLS. Table 9: Profiles > AAA > 802.1x Auth Profile Settings (Continued). Field, Default, Description. Termination EAP Type PEAP: Specify EAP-PEAP termination. 802.1x authentication based on PEAP with MS-CHAPv2 provides both computer and user authentication. If a user attempts to log in without the computer being authenticated first, the user is placed into a more limited guest user role. Windows domain credentials are used for computer authentication, and the user's Windows login and password are used for user authentication. A single user sign-on facilitates both authentication to the wireless network and access to the Windows server resources. Termination Inner EAP Type MSCHAPv2: Enable or disable this setting. You can enable caching of user credentials on the controller as a backup to an external authentication server. The EAP Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2), described in RFC 2759, is widely supported by Microsoft clients. Enable or disable GTC. EAP Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and
23. 3600 sec. Table 85: Advanced Services > IP Mobility Add/Edit Fields and Descriptions (Continued). Default, Description. Mobility Host Entry Lifetime When Mobility Cannot Be Provided (30-60000 sec), default 120: Define how long host entries in the IP mobility domain are to be maintained when they are without mobility. Proxy DHCP. Maximum Number of BOOTP Packets Per Transaction (0-65534): Define the maximum number of BOOTP packets that can be supported for a given transaction in proxy DHCP. All BOOTP packets are at least 300 bytes in size by specification. BOOTP packets are used when a host configures itself dynamically at boot time. Maximum Time Allowed for a DHCP Transaction to Complete (10-600 sec): Set the maximum allowable time for proxy DHCP transactions to complete. Proxy DHCP Session Hold Time after Completion (dangerous) (1-600 sec): Specify the length of time a proxy DHCP session is to be supported after DHCP processes are complete. Longer times are not considered advisable. Terminate Proxy DHCP on Aggressive Transaction ID Change (dangerous): If proxy DHCP is subject to aggressive transaction ID change, this setting terminates upon detection. Performs Proxy DHCP for BOOTP Packets Without DHCP options (dangerous): Use this setting to support Proxy DHCP for BOOTP packets but without DHCP options. Revocation Retransmit Interval (100-10000: Set the
24. Table 58: Profiles > SSID Profile Settings (Continued). Field, Default, Description. DSCP Mapping for WMM Best Effort AC: Specify DSCP mapping for wireless multimedia best effort admission control. The supported range is 0 to 63. DSCP Mapping for WMM Background AC: Specify DSCP mapping for wireless multimedia background admission control. The supported range is 0 to 63. 902il Compatibility Mode: Enable or disable support for NEC 902il compatibility. Deny Broadcast Probes: Deny or accept broadcast probes. This setting is used in conjunction with Local Probe Response. An AP broadcasts its configured service set identifier (SSID), which corresponds to a specific wireless local area network (WLAN). Wireless clients discover APs by listening for broadcast beacons or by sending active probes to search for APs with a specific SSID. Local Probe Response: For deployments where there are expected to be considerable delays between the controller and APs, for example in a remote location where an AP is not in range of another Dell PowerConnect W-Series AP, it is recommended that you enable the option in the SSID profile. Generating probe responses on the Dell PowerConnect W-Series controller is an optimization that allows AOS to make better decisions. This option is enabled by default. Local Probe Request Threshold: The threshold in dBm for the bootstrap threshold to minimize the chance of the AP rebooti
25. AAA profiles, while an AAA profile can reference an 802.1x authentication profile and server group. You can apply the following types of profiles to an AP or AP group. Perform these steps to configure AP profiles: 1. Select the Profiles > AP profile heading in the navigation pane. Figure 23: Profiles > AP in Dell PowerConnect W Configuration. 2. From the navigation pane, you can configure the following profile types. The following AP profiles configure AP operation parameters, regulatory domain, SNMP information, and more. Authorization: Allows you to assign authorization settings to a provisioned but unauthorized AP to an AP group with a restricted configuration profile. Refer to Profiles > AP > Authorization on page 71. Ethernet Link: Sets the duplex mode and speed of AP's Ethernet link. The configurable speed is dependent on the port type, and you can define a separate Ethernet Interface profile for each Ethernet link. Refer to Profiles > AP > SNMP on page 75. Provisioning: Defines a group of provisioning parameters for an AP or AP group. Refer to Profiles > AP > Provisioning on page 72. Regulatory Domain: Defines an AP's country code and valid channels for both legacy and high-throughput 802.11a
26. ACL: Select an access control list for user sessions. To add a new policy for access control, click the plus sign and refer to Security > Policies on page 141. Corporate DNS Domain. DNS Domain. Corporate DNS Domain: Enter the domain name service (DNS) domain or domains, one per line. Image URL: If an AP developers license is active, enter the image URL in a range from 1 to 1024. This setting requires an AP Developer license. Maintenance Mode: You can configure APs to suppress traps and syslog messages related to those APs. Known as AP maintenance mode, this setting in the AP system profile is particularly useful when deploying, maintaining, or upgrading the network. If enabled, APs stop flooding unnecessary traps and syslog messages to network management systems or network operations centers during a deployment or scheduled maintenance. The controller still generates debug syslog messages if debug logging is enabled. After completing the network maintenance, disable AP maintenance mode to ensure all traps and syslog messages are sent. AP maintenance mode is disabled by default. WISPr Location ID ISO Country Code: The ISO Country Code section of the WISPr Location ID. Requires a minimum version of 5.0.0.0 and a version earlier than 6.0.0.0. WISPr Location ID E.164 Country Code. WISPr Location ID E.164 Area Code. WISPr Location ID SSID Zone: The SSID Zone section of the WISPr Location ID. Requires a minimum version of 5.0.0.0 and a version
27. AP group in which this policy and user role Group will apply. Refer to General Dell PowerConnect W AP Groups Procedures and Guidelines on page 27. Select Add to complete the configuration of the User Role, or click Save to complete the editing of an existing role. The new role appears on the Security > User Roles page. Security > User Roles > BW Contracts. You can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. You can configure bandwidth contracts, in kilobits per second (Kbps) or megabits per second (Mbps), for the following types of traffic: from the client to the controller (upstream traffic); from the controller to the client (downstream traffic). You can assign different bandwidth contracts to upstream and downstream traffic for the same user role. You can also assign a bandwidth contract for only upstream or only downstream traffic for a user role; if there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed. By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. You can optionally apply a bandwidth contract on a per-user basis; each user who belongs to the role is allowed the configured bandwidth rate. For example, if clients are connected to the controller through a DSL line, you may want to restrict the upstream bandwidth rate allowed for each user to
28. APs/Devices > List page for folder, inventory, and configuration. Select Add to create a new Dell PowerConnect W AP Group, or click the pencil icon next to an existing Dell PowerConnect W AP Group to edit that group. The Add/Edit Dell PowerConnect W AP Group page contains the following fields, described in Table 2. Table 2: Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups Details, Settings and Default Values. Field, Default, Description. General Settings. Folder (default: Top): Displays the folder with which the AP Group is associated. The drop-down menu displays all folders available for association with the AP Group. Folders provide a way to organize the visibility of device parameters that is separate from the configuration groups of devices. Using folders, you can view basic statistics about devices, and define which users have visibility to which device parameters. Enter the name of the AP Group. WLANs. Add a new WLAN: Select this link to create a new WLAN to support Dell PowerConnect W Configuration. Once created, that new WLAN will appear with others on this page. Show only selected / Show All: To set the WLANs that appear on this page, select (check) the desired WLANs, then click Show Only Selected. WLANs (default: None): Displays the WLANs currently present in Dell PowerConnect W Configuration, with selected checkboxes. You may select as few or as many WLANs as desired for which this AP Group is active. To configure additional WLANs th
29. Activates one of four ARM channel/power assignment modes. disable: Disables ARM calibration and reverts APs back to default channel and power settings specified by the AP's radio profile. maintain: APs maintain their current channel and power settings. This setting can be used to maintain AP channel and power levels after ARM has initially selected the best settings. multi-band: For single-radio APs, this value computes ARM assignments for both 5 GHz (802.11a) and 2.4 GHz (802.11b/g) frequency bands. single-band: For dual-radio APs, this value enables APs to change transmit power and channels within their same frequency band, and to adapt to changing channel conditions. Allowed Bands for 40MHz Channels (default: a-only): Set the 802.11 radio bands to be supported by this ARM profile. The drop-down menu supports the following options: a-only: 802.11a radio bands; g-only: 802.11g radio bands; all: both 802.11a and g bands. Client Aware (default: Yes): If the Client Aware option is enabled, the AP does not change channels if there is active client traffic on that AP. If Client Aware is disabled, the AP may change to a more optimal channel, but this change may also disrupt current client traffic. Max Tx Power (dBm): Set the highest transmit power levels for the AP, from 0-30 dBm in 3 dBm increments. Higher power level settings may be constrained by local regulatory requirements and AP capabilities. In the event that an AP is configured for a Max Tx Power sett
30. Add to complete the configuration of the Policies profile, or click Save to complete the editing of an existing profile. The new policy appears on the Security > Policies page. Security > Policies > Destinations. The Security > Policies > Destinations page lists the destination names currently configured, with the Policy that uses the destination, and the folder. To create a new destination to be referenced by a security policy, click the Add New Net Destination button. To edit an existing policy, click the pencil icon. The Security > Policies > Add New Destinations page contains the following fields, as described in Table 70. Table 70: Security > Policies > Destinations Fields and Descriptions. Field, Default, Description. General Settings. Folder: Set the folder with which the security policy is associated. The drop-down menu displays all folders available for association with the policy. Invert: Use this field to invert the destination from one end of the VPN connection to the other. IPV6: Select this button to create a new rule for this destination profile. Clicking this button displays the Net Destination Rule section for the selected protocol, which is comprised of two settings. Rule Type: Specify whether the rule applies to Host, Network, or Range. IP Address: Enter the IP address for the net destination rule. Select Add t
31. Default, Description. General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the thresholds profile. Other Settings. Detect Frame Rate Anomalies: Enables or disables alerts for frame rate anomalies. Table 56: Profiles > RF > Event Thresholds Profile Settings (Continued). Field, Default, Description. Bandwidth Rate High Watermark: Sets a high percentage watermark for bandwidth rate. When exceeded, this threshold triggers a high watermark exceeded alert. Defining 0 disables this function. Bandwidth Rate Low Watermark: Sets a low percentage watermark for bandwidth rate. When exceeded, this threshold triggers a low watermark exceeded alert. Defining 0 disables this function. Frame Error Rate High Watermark: Sets a high percentage watermark for frame error rates. When frame error rates exceed this threshold, this setting triggers a high watermark exceeded alert. Defining 0 disables this function. Frame Error Rate Low Watermark: Sets a low percentage watermark for frame error rates. When frame error rates exceed this threshold, this setting triggers a low watermark exceeded alert. Defining 0 disables this function. Sets a high percentage watermark for frame fragmentation rates. When frame fragmentation rates exceed thi
32. Extension Header profile. Table 12: Profiles > AAA > IPv6 Extension Header Profile Settings. Field, Default, Description. Denied Extension Header Filter Items. Match IPv6 Header Type (default: hop-by-hop): Specify one of the following EH types: 0-255; authentication: Matches the IPv6 authentication header; dest-option: Matches the IPv6 destination option header; esp: Matches the IPv6 encapsulation security payload header; fragment: Matches the IPv6 fragment header; hop-by-hop: Matches the IPv6 hop-by-hop header; mobility: Matches the IPv6 mobility header; routing: Matches the IPv6 routing header. 3. Select Add or Save. The added or edited IPv6 Extension Header profile appears on the IPv6 Extension Header details page. Profiles > AAA > MAC Auth. Before configuring MAC-based authentication, you must configure the following: The user role that will be assigned as the default role for the MAC-based authenticated clients. You configure the default user role for MAC-based authentication in the AAA profile. If derivation rules exist, or if the client configuration in the internal database has a role assignment, these values take precedence over the default user role. Authentication server group that the controller uses to validate the clients. The internal database can be used to configure the clients for MAC-based authentication. Perform these steps to conf
33. After initial AOS deployment with the Dell PowerConnect W-Series Configuration feature, you can make additional configurations or continue with maintenance tasks, such as the following examples: Once Dell PowerConnect W-Series Configuration is deployed in AirWave, you can perform debugging with Telnet/SSH. Review the telnet_cmds file in the /var/log folder from the command line interface, or access this file from the System > Status page. For additional information, refer to the Dell PowerConnect W-AirWave 7.4 User Guide on support.dell.com/manuals. To resolve communication issues, review the credentials on the APs/Devices > Manage page. Mismatches can occur when importing profiles because AirWave deletes orphaned profiles, even if following a new import. Additional Capabilities of Dell PowerConnect W-Series Configuration. AirWave supports many additional ArubaOS configurations and settings. Refer to these additional resources for more information on support.dell.com/manuals: Dell PowerConnect W-AirWave 7.4 User Guide; Dell PowerConnect W-AirWave 7.4 Best Practices Guide. Chapter 2: Using Dell PowerConnect W Configuration in Daily Operations. Introduction. This chapter presents common
34. Groups > TACACS page. This server is now available to be used by server groups. Security > Server Groups > Internal. An internal server group configures the internal database with the username, password, and role (student, faculty, or sysadmin) for each user. There is a default internal server group that includes the internal database. For the internal server group, configure a server derivation rule that assigns the role to the authenticated client. The Security > Server Groups > Add New Internal Server page contains the following fields, as described in Table 76. Table 76: Security > Server Groups > Add Internal Server Fields and Descriptions. Field, Default, Description. General Settings. Folder: Set the folder with which the server is associated. The drop-down menu displays all folders available for association with the server group. Name: Enter the name of the server. Other Settings. Maximum Expiration (mins): Set the maximum expiration time, in minutes, for guest accounts. If the guest provisioning user attempts to add a guest account that expires beyond this time period, an error message is displayed and the guest account is created with the maximum time you configured. Internal Server Users. Add New Internal Server. This section displays internal server users currently configured for use on the Internal User Server. Select this button to add a new user. The Internal Server User section appears with the following
35. Increase Time: Number of consecutive seconds over which the client count is more than the threshold. Requires a Wireless Intrusion Protection license or an RFprotect license, and a minimum version of 6.0.0.0. Client Flood Detection Quiet Time: Time to wait, in seconds, after detecting a client flood before continuing the check. Requires a Wireless Intrusion Protection license or an RFprotect license, and a minimum version of 6.0.0.0. Detect EAP Rate Anomaly: Enables or disables Extensible Authentication Protocol (EAP) handshake analysis to detect an abnormal number of authentication procedures on a channel, and generates an alarm when this condition is detected. EAP Rate Thresholds: Sets the number of EAP handshakes that must be received within the EAP Rate Time Interval to trigger an alarm. EAP Rate Time Interval: Sets the time, in seconds, during which the configured number of EAP handshakes must be received to trigger an alarm. EAP Rate Quiet Time: After an alarm has been triggered, sets the time, in seconds, that must elapse before another identical alarm may be triggered. Detect Rate Anomalies: Enables or disables detection of rate anomalies. Detect 802.11n 40MHz Intolerance Setting: Enables or disables detection of 802.11n 40 MHz intolerance setting, which controls whether stations and APs advertising 40 MHz intolerance will be reported. Client 40 MHz Intolerance Detection: Controls the quiet time when to stop reporting
36. Mode; Spectrum Load Balancing Domain; Spectrum Load Balancing Update Interval; RX Sensitivity Tuning Based Channel Reuse; RX Sensitivity Threshold (dBm). Default, Description. The Spectrum Load Balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the controller is responding to the wireless clients' probe requests. If enabled, the controller compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP's client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Dell AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is disabled by default. Default: Channel. SLB Mode allows control over how to balance clients. Select one of the following options: channel: Channel-based load balancing balances clients across channels. This is the default load balancing mode. radio: Radio-based load balancing balances clients across APs. Define a spectrum load balancing domain to manually create RF neighborhoods. Use this option to create RF neighborhood information for networks that have disabled Adaptive Radio Management (ARM) scanning and channel assignment. If spectrum load balancing is enabled in a 802.11a radio profile but the spectrum load balancing domain is not defined, ArubaO
37. Name: Enter the name of the Wired Authentication profile. Referenced Profiles. AAA: From the drop-down menu, select the AAA profile for wired authentication. Select the pencil icon to edit an existing profile, or click the add icon to create a new profile. 3. Select Add or Save. The added or edited Wired Auth profile appears on the AAA Profiles page, and on the Wired Auth details page. Profiles > AAA > Combined VPN Auth. A VPN Authentication profile identifies the default role for authenticated VPN clients. This profile also references a server group. Before you enable VPN authentication, you must configure the authentication server(s) and server group that the controller will use to validate the remote AP. When you provision the remote AP, you configure IPSec settings for the AP, including the username and password. This username and password must be validated by an authentication server before the remote AP is allowed to establish a VPN tunnel to the controller. The authentication server can be any type of server supported by the controller, including the controller's internal database. Perform these steps to configure a Combined VPN Auth profile: 1. Select Profiles > AAA > Combined VPN Auth in the navigation pane. 2. Select the Add button to create a new VPN Auth profile, or click the pencil icon next to an existing profile to edit
38. Navigation pane. The details page summarizes the current profiles of this type. 2. Select the Add button to create a new VLAN profile, or select the pencil icon next to an existing profile to edit. Complete the settings as described in Table 47. Table 47: Profiles > Mobility Switch > VLAN Profile Settings. Field, Default, Description. General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Referenced Profiles. VLAN AAA profile: Assign an AAA profile to a VLAN to enable role-based access for wired clients connected to an untrusted VLAN or port on the Mobility Access Switch. This parameter applies to wired clients only. Note that this profile will only take effect if the VLAN and/or the port on the switch is untrusted. If both the port and the VLAN are trusted, no AAA profile is assigned. VLAN IGMP Snooping profile: Select the VLAN IGMP Snooping profile to reference. Refer to Profiles > Mobility Switch > IGMP Snooping on page 100. Other Settings. Description: Specify a description name for the VLAN. Static MAC Items. MAC: Adds the specified MAC address to the MAC address table. Ethernet channel of The port channel of
39. Parameter, which can be one of the following: bssid, dst-mac, frame-type, payload, seq-num, src-mac. BSSID. Select Add when these signature settings are defined. 3. Select Add or Save on the Signature page. The added or edited Signature appears on the IDS > Signature Matching > Signatures page. Profiles > IDS > Denial of Service. This profile type defines traffic anomaly settings that detect and process denial of service attacks. This profile type defines the parameters that are monitored and acted upon when detecting and blacklisting an offending client from the Dell PowerConnect W system. When a client is blacklisted in the Dell PowerConnect W system, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is blacklisted, a de-authentication message is sent to force the client to disconnect. While blacklisted, the client cannot associate with another SSID in the network. Table 36 summarizes the predefined IDS Denial of Service profiles. These profiles are viewable with the Profiles > IDS > Denial of Service path in the navigation pane. Table 36: Predefined IDS DoS Profiles. Columns: Parameter, ids-dos-disabled, ids-dos-low-setting, ids-dos-medium-setting, ids-dos-high-setting. Detect Disconnect Station Attack: disabled, enabled, enabled, enabled. Disconnect
40. 13. Navigate to the APs/Devices > Audit page for the controller to view mismatched settings. This page provides links to display additional and current configurations. You can display all mismatched devices by navigating to the APs/Devices > Mismatched page. Figure 17: APs/Devices > Audit Page Illustration (Partial Display).
41. Profile Settings (Continued). Field, Default, Description. Other Settings. Cluster Name (default: aruba-mesh): Enter the mesh cluster name. The name can have a maximum of 32 characters, which is used as the MSSID. When you create a new cluster profile, it is a member of the aruba-mesh cluster. NOTE: Each mesh cluster profile should have a unique MSSID. Configure a new MSSID before you apply the mesh cluster profile. To view existing mesh cluster profiles, use the drop-down menu. A mesh portal chooses the best cluster profile and provisions it for use. A mesh point can have a maximum of 16 cluster profiles. RF Band: Use this setting to indicate the band for mesh operation for multiband radios. Select a or g. Important: If you create more than one mesh cluster profile for an AP or AP group, each mesh cluster profile must use the same band. Encryption (default: Open System): Use this setting to configure the data encryption, which can be either open system, no authentication or h, or WPA2-PSK-AES, WPA2 with AES encryption using a preshared key. Selecting WPA2-PSK-AES and entering a passphrase is recommended. Keep the passphrase in a safe place. 3. Select Add or Save. The added or edited Cluster profile appears on Profiles > Mesh > Cluster. Profiles > Mesh > Radio. The mesh radio profile allows you to specify the transmit power and set of rates used to transmit data on the mesh link. Perform these steps to create or edit Mesh Radio profiles: 1.
42. Profiles > IDS > Denial of Service Rate Threshold Settings. Field, Default, Description. General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the rate threshold profile. Other Settings. Channel Increase Time (0-360000 sec): Set the time, in seconds, in which the threshold must be exceeded in order to trigger an alarm. Channel Quiet Time (60-360000 sec): Set the time that must elapse before another identical alarm may be triggered after an alarm has been triggered. Use this option to prevent excessive messages in the log file. Channel Threshold (0-100000), default 300: Specify the number of a specific type of frame. This number must be exceeded within a specific interval in an entire channel to trigger an alarm. Node Time Interval (1-120 sec): Set the time, in seconds, in which the threshold must be exceeded in order to trigger an alarm. Node Quiet Time (60-360000 sec): Set the time that must elapse before another identical alarm may be triggered after an alarm has been triggered. This option prevents excessive messages in the log file. Node Threshold (0-100000), default 200: Specify the number of a specific type of frame that must be exceeded within a specific interval for a particular client MAC address to trigger an alarm. 3. Select Add or Save. The added or edited Rate Threshold appears on the Profiles > IDS > Denial
43. Referenced Profiles. Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Rate Thresholds for Assoc Frames (default: default): Select a profile from the drop-down menu, or click the edit icon or add icon to edit or create a profile that sets the rate threshold for association frames. The IDS rate threshold profile defines thresholds assigned to the different frame types for rate anomaly checking. Rate Thresholds for Disassoc Frames (default: default): Select a profile from the drop-down menu, or click the edit icon or add icon to edit or create a profile that sets the rate threshold for disassociation frames. The IDS rate threshold profile defines thresholds assigned to the different frame types for rate anomaly checking. Rate Thresholds for Deauth Frames (default: default): Select a profile from the drop-down menu, or click the edit icon or add icon to edit or create a profile that sets the rate threshold for de-authentication frames. The IDS rate threshold profile defines thresholds assigned to the different frame types for rate anomaly checking. Rate Thresholds for Probe Request Frames (default: default): Select a profile from the drop-down menu, or click the edit icon or add icon to edit or create a profile that sets the rate threshold for probe request frames. The IDS rate threshold profile defines thresholds assigned to the different frame types for rate anomaly check
44. Rotation Time Interval (60-86400 sec); Unicast Key Rotation Time Interval (60-864000 sec); Authentication Server Retry Interval (5-65535 sec); Authentication Server Retry Count (0-3); Framed MTU (500-1500); Number of Times ID Requests are Retried (1-10); Maximum Number of Reauthentication Attempts (1-10); Maximum Number of Times Held State Can Be Bypassed (0-3). ap-role. Authentication Default User Role. Description. Define whether the user is blacklisted upon authentication failure. This setting requires a policy enforcement firewall license. Select the default role to be assigned to the user after completing 802.1x authentication. This setting requires a policy enforcement firewall license. Specify the interval in which identity requests are to be spaced between each other. Specify the amount of time, in seconds, in which failed authentication denies access to a user after failed authentication. Select this option to force the client to do a 802.1x re-authentication after the expiration of the default timer for re-authentication. The default value of the timer (Reauthentication Interval) is 24 hours. If the user fails to re-authenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1x-authenticated users, then the Reauthentication timer per role overrides this setting. 802.1x re-authentication can be
45. STA Detection Quiet Time: 900 seconds, 900 seconds, 900 seconds, 900 seconds. Detect 802.11n 40 MHz Intolerance Setting: disabled, enabled, enabled, enabled. Client 40 MHz Intolerance Detection Quiet Time: 900 seconds, 900 seconds, 900 seconds, 900 seconds. Rate Thresholds for Assoc Frames: default, default, default, default. Rate Thresholds for Disassoc Frames: default, default, default, default. Rate Thresholds for Deauth Frames: default, default, default, default. Rate Thresholds for Probe Request Frames: default, probe-request-response-thresholds, probe-request-response-thresholds, probe-request-response-thresholds. Rate Thresholds for Probe Response Frames: default, probe-request-response-thresholds, probe-request-response-thresholds, probe-request-response-thresholds. Rate Thresholds for Auth Frames. Perform these steps to configure or edit an IDS Denial of Service profile, and to create or edit profiles that are referenced by a DoS profile: 1. Select Profiles > IDS > Denial of Service in the navigation pane. 2. Select the Add button to create a new Signature Matching profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 37. Table 37: Profiles > IDS > Denial of Service Profile Settings. Field, Default, Description. General Settings. Blank: Enter the name of the profile
47. Services > VPN Services > IPSEC > Dynamic Map. This page lists dynamic map names, IPSEC profiles that reference them, and the folder. Select Add to create a new Dynamic Map, or click the pencil icon next to an existing map to modify settings. The Add/Edit Details page contains the fields as described in Table 93. Table 93: Advanced Services > VPN Services > IPSEC > Dynamic Map Add/Edit Fields and Descriptions. Field, Default, Description. General Settings. Folder (default: Top): Set the folder with which the Dynamic Map is associated. The drop-down menu displays all folders available for association with the Dynamic Map. Enter the name of the Dynamic Map. Other Settings. Priority: Specify the priority in which this Dynamic Map should be processed in relation to additional Dynamic Maps that may be configured and used by IPSEC profiles. Diffie-Hellman Group: Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is used within IKE to securely establish session keys. To set the Diffie-Hellman Group for the ISAKMP policy, click the Diffie-Hellman Group drop-down list and select one of the following groups: Group 1: 768-bit Diffie-Hellman prime modulus group. Gro
48. To view currently configured RFC 3576 servers and where they are used, navigate to the Security > Server Groups > RFC3576 page. Select Add to create a new RFC3576 server, or click the pencil icon next to an existing server to edit it. The Security > Server Groups > Add RFC 3576 Server page contains the following fields as described in Table 78.
Table 78: Security > Server Groups > Add RFC 3576 Server Fields and Descriptions
General Settings
Folder (default: Top): Set the folder with which the server is associated. The drop-down menu displays all folders available for association with the server group.
Other Settings
Key / Confirm Key: Set the shared secret to authenticate communication between the RFC 3576 client and server.
Select Add to complete the configuration of the RFC 3576 Server, or click Save to complete the editing of an existing server. The new server appears on the Security > Server Groups > RFC 3576 page. This server is now available to be used by server groups.
Security > Server Groups > Windows
Perform these steps to configure a Windows profile: 1. Select Security > Server Groups > Windows in the navigation pane. The details page summarizes the current profiles of this type. 2. Select the Add button to create a new Windows profile, or click the pencil icon next to an existin
49. VIA connection profiles. A VIA connection profile is always associated to a user role, and all users belonging to that role will use the configured settings. If you do not assign a VIA connection profile to a user role, the default connection profile is used.
NOTE: This profile depends on the controller having a VPN Server license and a minimum version of 5.0.0.0.
Perform these steps to configure a VPN Connection profile: 1. Select Profiles > AAA > VPN Connection in the Navigation pane. 2. Select the Add button to create a new VPN Connection profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 14.
Table 14: Profiles > AAA > VPN Connection Profile Settings
General Settings
Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
Name (default: Blank): Enter the name of the VPN Connection profile.
Other Settings
Allow user to disconnect VIA (default: Yes): Enable or disable users to disconnect their VIA sessions.
Client auto login (default: Yes): Enable or disable VIA client to auto login and establish a secure connection to the controller.
Allow client to auto upgrade (default: Yes): Enable or disable VIA client to automatically upgrade when an updated version of the client is available on the controller.
Allow client side (default: Yes): Enable or disable client side logging. If enabled, VIA clie
50. W AirWave 7.4 Configuration Guide. For additional information about IP Mobility and VPN Services, refer to Advanced Services on page 149.
APs/Devices > List Page
This page supports devices in all of AirWave. This page supports controller reboot, controller re-provisioning, and changing Dell PowerConnect W AP groups. Select Modify Devices to configure thin AP settings.
Figure 10: APs/Devices List Page Illustration (Partial Display)
51. a traffic that has a source IP from a subnet of IP addresses. When this option is chosen, you must configure the source address and network mask of the subnet. For example: 2002 ac10 fe tfff ffff ffff. user: This refers to traffic from the wireless client.
Destination Traffic Match (default: any): The traffic destination, which can be any of the same types as the Source Traffic Match options.
Table 69: Security > Policies > Add New Policy Fields and Descriptions (Continued)
Action (default: permit): Action if rule is applied, which can be one of the following:
reject: deny packets. A new field will appear where you can Send Deny Response.
dst-nat: perform destination NAT on packets. New fields appear to specify the Dual NAT Pool and Dual NAT Port.
dual-nat: perform both source and destination NAT on packets.
permit: forward packets.
redirect: specify the location to which packets are redirected, which can be one of the following: Datapath Destination ID (0-65535). ESI Server Group: specify the ESI server group configured with the esi group command. Tunnel: specify the ID of the tunnel configured with the interface tunnel command.
src-nat: perform source NAT on packets.
... enabled and ICMPv6 is selected in the Service Type field ...
Pause ARM Scanning: Whether to pause Adaptive Radio Man
52. allow virtual AP configurations to be deployed on this WLAN. This profile defines your WLAN by enabling or disabling the bandsteering, fast roaming, and DoS prevention features. It defines radio band, forwarding mode, and blacklisting parameters, and includes references to an AAA Profile, an EDCA Parameters AP Profile, and a High-throughput SSID profile.
Allowed Band (default: All): Select whether this WLAN is to support 802.11a, 802.11g, or both.
VLAN: Enter the VLAN or range of VLANs to be supported with this WLAN.
Forward Mode: Define whether this WLAN is to support tunnel, bridge, or split mode IP forwarding.
Deny Time Range (default: None): Define the time range restrictions for the roles in this WLAN, if any.
Table 7: WLANs > Advanced Page Fields (Continued)
Mobile IP: Enable or disable mobile IP functions. This setting specifies whether the controller is the home agent for a client. When enabled, this setting detects when a mobile client has moved to a foreign network and determines the home agent for a roaming client.
Enable or disable HA discovery on Association. In normal circumstances, a controller performs an HA discovery only when it is aware of the client's IP address, which it learns through the ARP or any L3 packet from the client. This limitation of learning the client's IP and then performing the HA discovery is not effecti
53. and on the details page.
Profiles > AAA > VPN Connection > VIA Auth
Perform these steps to configure a VPN Authentication profile: 1. Select Profiles > AAA > VPN Auth in the Navigation pane. 2. Select the Add button to create a new VPN Auth profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 14.
Table 15: Profiles > AAA > VPN Auth Profile Settings
General Settings
Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
Enter the name of the VPN Auth profile.
Other Settings
Default Role: The role that will be assigned to the authenticated users. Requires a Policy Enforcement Firewall for VPN users license.
Max Authentication Failures (0 10): Specifies the maximum authentication failures allowed. Requires a Wireless Intrusion Protection license or an RFProtect license.
Server Group: A user-friendly name or description for the authentication profile.
3. Select Add or Save. The added or edited VPN Auth profile appears on the Profiles > AAA page and on the details page.
Profiles > AAA > VPN Connection > VIA Client WLAN
Create the VIA client WLAN profiles that need to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks. Perform these steps to con
54. and 802.11b/g radios. Refer to Profiles > AP > Regulatory Domain on page 74.
Wired Port: Allows you to enable or disable the wired port, define an AAA profile for wired port devices, and associate the port with an ethernet link profile that defines its speed and duplex values. Refer to Profiles > AP > Wired Port on page 80.
Wired: Controls whether 802.11 frames are tunneled to the controller using Generic Routing Encapsulation (GRE) tunnels, bridged into the local Ethernet LAN (for remote APs), or configured for a combination of the two (split mode). This profile also configures the switching mode characteristics for the port, and sets the port as either trusted or untrusted. Refer to Profiles > AP > System on page 76.
SNMP: Defines and enables SNMP settings, to include community string and SNMP user profiles. Profiles > AP > SNMP on page 75.
SNMP User: Sets the SNMP user name and authentication profile to support more general SNMP profiles. Refer to Profiles > AP > SNMP > SNMP User on page 75.
System: Defines administrative options for the controller, including the IP addresses of the local, backup, and master controllers, Real-time Locating Systems (RTLS) server values, and the number of consecutive missed heartbeats on a GRE tunnel before an AP reboots traps. Refer to Profiles > AP > System on page 76.
Profiles > AP > Authorization
Remote AP configurations include an
55. and running high-throughput SSID profile, your changes take effect immediately. You do not reboot the controller or the AP. Refer to Profiles > SSID > HT SSID on page 131.
802.11k: Manages settings for the 802.11k protocol. The 802.11k protocol provides mechanisms to APs and clients to dynamically query the radio environment and take appropriate connection actions. In an 802.11k-enabled network, APs and clients can send neighbor reports, beacon reports, and link measurement reports to each other. Refer to Profiles > SSID > 802.11K on page 133.
Profiles > SSID
Perform these steps to create or edit SSID profiles: 1. Select Profiles > SSID in the navigation pane. This page summarizes the SSID profiles currently configured. 2. Select the Add button to create a new SSID profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 55.
Table 58: Profiles > SSID Profile Settings
General Settings
Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
Displays the name of the profile.
SSID Enable: Enables/disables this SSID.
Hide SSID: Enables or disables hiding of the SSID name in beacon frames. Note that hiding the SSID does very little to increase security.
... that uniquely identifies a wireless network. The ESSID can be up to 31 characters I
56. associated. The drop-down menu displays all folders available for association with the profile.
Table 34: Profiles > IDS > Signature Matching Profile Settings (Continued)
Signature Profiles
Select Signature Profiles: Select from signature options as follows: AirJack, ASLEAP, Deauth Broadcast, default, Disassoc Broadcast, Netstumbler Generic, Netstumbler Version 3.3.0x, Null Probe Response, Wellenreiter.
3. Select Add or Save. The added or edited Signature Matching profile appears on the IDS > Signature Matching profiles page.
Profiles > IDS > Signature Matching > Signature
Perform these steps to create signatures for use with Signature Matching profiles: 1. Select Profiles > IDS > Signature Matching > Signature in the navigation pane. 2. Select the Add button to create a new Signature, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 35.
Table 35: Profiles > IDS > Signature Creation Settings
General Settings
Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
Name: Enter the name of the signature.
IDS Signatures
Add: Select this button to add a new IDS signature. Complete the settings as follows
57. attempted after the expiration of the default timer for re-authentication.
Specify whether this is to be supported from the authentication server.
Define whether Multicast Key Rotation is enabled or disabled. When enabled, unicast and multicast keys are updated after each reauthorization. It is a best practice to configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least 15 minutes.
When enabled, unicast and multicast keys are updated after each reauthorization. It is a best practice to configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least 15 minutes. Make sure these intervals are mutually prime, and the factor of the unicast key rotation interval and the multicast key rotation interval is less than the reauthentication interval.
Specify the interface at which reauthentication is supported. The supported range is from 1 to 6 535 seconds.
Define the number of times that failed authentication should be allowed to retry authentication.
Define the size, in bytes, for framed maximum transmission units.
Define the number of allowable times that failed ID requests are allowed to retry the request.
Set the number of times that reauthentication is to be attempted if the first authentication attempt fails.
Define whether a held state can be bypassed, and the number of times this is to be allowed.
58. available computer when computer info is available.
SSID Profile: Select an SSID configuration profile to reference. Refer to Profiles > SSID on page 121.
3. Select Add or Save. The added or edited VPN Client WLAN profile appears on the Profiles > AAA page and on the details page.
Profiles > AAA > VIA Global
The global config option allows you to enable SSL fallback mode. If the SSL fallback mode is enabled, the VIA client will use SSL to create a secure connection. To configure a VIA Global profile, select Profiles > AAA > VIA Global in the Navigation pane. In the Allow via SSL Fallback field, select whether to enable the SSL fallback mode. Then select Add or Save. The added or edited VIA Global profile appears on the Profiles > AAA page and on the details page.
Profiles > AAA > Stateful 802.1X Auth
This profile type enables or disables 802.1x authentication for clients on non-Dell PowerConnect W APs, and defines the default role for those users once they are authenticated. This profile also references a server group to be used for authentication. Perform these steps to configure a Stateful 802.1X Auth profile: 1. Select Profiles > AAA > Stateful 802.11 Auth in the navigation pane. 2. Select the Add button to create a new Stateful 802.11 Auth profile, or click the pencil icon next to an existing profile to edit. Complete the settings described in Table 17.
Table 17: Profiles > AAA >
59. be resumed.
Detect Hotspotter Attack: Enable/disable detection of the Hotspotter attack to lure away valid clients.
Hotspotter Quiet Time: Time to wait, in seconds, after detecting an attempt to use the Hotspotter tool against clients.
3. Select Add or Save. The added or edited Impersonation profile appears on the Profiles > IDS > Impersonation page.
Profiles > IDS > Unauthorized Device
Unauthorized device detection includes the ability to detect and disable rogue APs and other devices that can potentially disrupt network operations. The most important IDS functionality offered in the Dell PowerConnect W system is the ability to classify an AP as either a rogue AP or an interfering AP. An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network. An AP is considered to be an interfering AP if it is seen in the RF environment but is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat since it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.
NOTE: Rogue device classification for WMS Offload infrastructure is also described in the Dell PowerConnect W AirWave 7.4 User Guide, found in Home > Documentation.
You can enable a policy to automatically disab
60. channels. Disabling this option also disables the following scanning features: Multi Band Scan, Rogue AP Aware, VoIP Aware Scan, Power Save Aware Scan. Do not disable Scanning unless you want to disable ARM and manually configure AP channel and transmission power.
The amount of time, in milliseconds, an AP will drift out of the current channel to scan another channel. The supported range for this setting is 50 to 2,147,483,647 milliseconds. A scan time between 50 to 200 msec is recommended.
VoIP Aware Scan: VoIP Call Admission Control (CAC) prevents any single AP from becoming congested with voice calls. When you enable CAC, you should also enable this ARM profile setting so the AP will not attempt to scan a different channel if one of its clients has an active VoIP call. This option requires that Scanning is also enabled, as well as a Voice Service Policy Enforcement Firewall license.
Power Save Aware Scan (default: Yes): If enabled, the AP will not scan a different channel if it has one or more clients and is in power save mode.
Ideal Coverage Index: The Dell PowerConnect W coverage index metric is a weighted calculation based on the RF coverage for all Dell PowerConnect W Series APs and neighboring APs on a specified channel. The Ideal Coverage Index specifies the ideal coverage that an AP should try to achieve on its channel. The denser the AP deployment, the lower this value should be. The range of possible values is 2 to 20.
Acceptable F
61. clicking the add icon, or edit an existing role by clicking the pencil icon. This setting requires a policy enforcement firewall license.
802.1X Authentication Default Role: Select the 802.1X authentication default role to be referenced by the AAA profile being configured. Add a new role by clicking the add icon, or edit an existing role by clicking the pencil icon. This setting requires a policy enforcement firewall license.
User Derivation Rules: Select the user derivation rules to be referenced by the AAA profile being configured. User derivation rules are executed before client authentication. The user role can be derived from attributes from the client's association with an AP. You configure the user role to be derived by specifying condition rules; when a condition is met, the specified user role is assigned to the client. You can specify more than one condition rule; the order of rules is important, as the first matching condition is applied. Add a new rule by clicking the add icon, or edit an existing rule by clicking the pencil icon.
Wired to Wireless Roaming: Enable or disable support for roaming from wired to wireless networks.
Table 8: Profiles > AAA > New AAA Profile Settings (Continued)
SIP Authentication Role: Select the role to function for SIP authentication. The controller supports the stateful tracking of session in
62. configure AP names as AP Overrides. Values for specific fields may be overwritten for individual controllers on the controller's APs/Devices > Manage page. Changes to dependency between the AMP group and folders help customers who want to use the folder structure to manage configuration; however, users are now able to see, but not access, group and folder paths for which they do not have permissions.
For more detailed information about this feature, as well as steps to transition from template-based configuration to web-based configuration, refer to additional chapters in this user guide. For known issues and details on the AOS version supported by each release, refer to the Dell PowerConnect W AirWave 7.4 Release Notes at download.dell-pcw.com.
Overview of Dell PowerConnect W Configuration in AirWave
This section describes the pages in Dell PowerConnect W AirWave 7.4 that support Dell PowerConnect W Configuration. AMP can be configured on AMP Setup > General > Device Configuration to configure Dell PowerConnect W devices globally (in the Device Setup > Dell PowerConnect W Configuration page) or by Device Group (in the Groups > Dell PowerConnect W Config page). By default, global Dell PowerConnect W Configuration is enabled.
Figure 1: AMP Setup > General Setting for Global or Group Dell PowerConnect W Configuration
63. Management Profile (default: default): Specify the minimum percentage of available bandwidth to be allocated to a specific SSID when there is congestion on the wireless network, and sets the interval between bandwidth usage reports. This setting pertains specifically to 802.11a. Refer to Profiles > QoS > Traffic Management on page 104.
IDS Profile (default: default): Selects the IDS profile to be associated with the new AP Group. The drop-down menu contains these options: ids-disabled, ids-high-setting, ids-low-setting (the default), ids-medium-setting. The IDS profiles configure the AP's Intrusion Detection System features, which detect and disable rogue APs and other devices that can potentially disrupt network operations. An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network. An AP is considered to be an interfering AP if it is seen in the RF environment but is not connected to the wired network. Select the pencil icon next to this field to display the Profiles > IDS page and adjust these settings as desired. Refer to Profiles > IDS on page 82.
Mesh Radio Profile (default: default): Determines many of the settings used by mesh nodes to establish mesh links and the path to the mesh portal, including the maximum number of children a mesh node can accept and transmit rates for the 802.11a and 802.11g radios. Refer to Profiles > Mesh on page 95.
AP Authorization Profile
AP Provisioning Pro
64. Set the Network Access Server (NAS) identifier to use in RADIUS packets.
NAS IP: Set the NAS IP address to send in RADIUS packets. You can configure a global NAS IP address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IP, the global NAS IP is used.
Use MD5 (default: No): Enable or disable the use of MD5 hashing for cleartext passwords.
Enable or disable the RADIUS server.
Source Interface: Enter a VLAN number ID between 1-4094. Allows you to use source IP addresses to differentiate RADIUS requests. Associates a VLAN interface with the RADIUS server to allow the server-specific source interface to override the global configuration. If you associate a Source Interface (by entering a VLAN number) with a configured server, then the source IP address of the packet will be that interface's IP address. If you do not associate the Source Interface with a configured server (leave the field blank), the IP address of the global Source Interface will be used. Requires a minimum version of 6.1.0.0.
Select Add to complete the configuration of the RADIUS server, or click Save to complete the editing of an existing server. The new server appears on the Security > Server Groups > RADIUS page. This server is now available to be used by server groups.
Security > Server Groups > TACACS
You can configure TACACS servers for use by a server group. The Security > Server Groups
66. in the Dell PowerConnect W system, the client is not allowed to associate with any AP in the network for a specified amount of time.
Authentication Failure Blacklist Time (default: 3600): You can configure a maximum authentication failure threshold in seconds for each of the following authentication methods: 802.1x, MAC, Captive portal, VPN. When a client exceeds the configured threshold for one of the above methods, the client is automatically blacklisted by the controller, an event is logged, and an SNMP trap is sent. By default, the maximum authentication failure threshold is set to 0 for the above authentication methods, which means that there is no limit to the number of times a client can attempt to authenticate. With 802.1x authentication, you can also configure blacklisting of clients who fail machine authentication.
NOTE: This requires that the External Services Interface (ESI) license be installed in the controller.
NOTE: When clients are blacklisted because they exceed the authentication failure threshold, they are blacklisted indefinitely by default. You can configure the duration of the blacklisting.
Fast Roaming: Fast roaming is a component of virtual AP profiles in which client devices are allowed to roam from one access point to another without requiring reauthentication by the main RADIUS server.
Strict Compliance: Define whether clients should have strict adherence to settings on this page for network access.
VLAN Mobilit
67. is completed. PPTP connections use Microsoft Point-to-Point Encryption (MPPE), which uses the Rivest-Shamir-Adleman (RSA) RC-4 encryption algorithm. PPTP connections require user-level authentication through a PPP-based authentication protocol (MSCHAPv2 is the currently supported method).
Enable L2TP: Enable L2TP with this setting, as desired. The combination of Layer 2 Tunneling Protocol and Internet Protocol Security (L2TP/IPSec) is a highly secure technology that enables VPN connections across public networks such as the Internet. L2TP/IPSec provides both a logical transport mechanism on which to transmit PPP frames as well as tunneling or encapsulation so that the PPP frames can be sent across an IP network. L2TP/IPSec relies on the PPP connection process to perform user authentication and protocol configuration. With L2TP/IPSec, the user authentication process is encrypted using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm. L2TP/IPSec requires two levels of authentication:
Computer-level authentication with a preshared key to create the IPSec security associations (SAs) to protect the L2TP-encapsulated data.
User-level authentication through a PPP-based authentication protocol using passwords, SecurID, digital certificates, or smart cards after successful creation of the SAs.
Send traffic to the direct network in clear: Use this setting if no encryption is to be used and packets passing between the wireless client and controlle
68. maps as required. Refer to Advanced Services > VPN Services > IPSEC > Dynamic Map on page 167. Select Add to complete the creation of the IPSEC profile, or click Save to retain the changes to the IPSEC profile. This profile appears on the Advanced Services > VPN Services > IPSEC page.
Advanced Services > VPN Services > IPSEC > Dynamic Map
VPN Services may reference IPSEC profiles. IPSEC profiles reference Dynamic Maps, and Dynamic Maps reference Transform Sets. This interrelationship is conveyed in the navigation pane of Device Setup > Dell PowerConnect W Configuration.
Dynamic maps establish policy templates that are used during negotiation requests in IPSEC. This occurs during security associations from a remote IPSEC peer in the VPN, even when all cryptographic map parameters are not known during new security associations from a remote IPSEC peer. For instance, if you do not know about all the IPSec remote peers in your network, a Dynamic Map allows you to accept requests for new security associations from previously unknown peers. Note that these requests are not processed until the IKE authentication has completed successfully.
In short, a Dynamic Map is a policy template used by IPSEC profiles. Dynamic Maps are not used for initiating IPSEC security associations, but for determining whether or not traffic should be protected in the VPN. To view Dynamic Maps that are currently configured, navigate to Advanced
69. mesh portals or mesh points, disable the ARM profile associated with the 802.11a or 802.11g radio profile by setting the ARM profile's assignment parameter to disable. The ARM power adjustment feature does not apply to all ARM-enabled Mesh portals. Indoor mesh portals can take advantage of this feature to adjust power settings according to their ARM profiles, but outdoor mesh portals will continue to run at configured power level to maximize their range.
NOTE: Do not delete or modify mesh cluster profiles once you use them to provision mesh nodes. You can recover the mesh point if the original cluster profile is still available. Creating a new mesh cluster profile is recommended, if needed.
Perform these steps to create or edit an adaptive radio management (ARM) profile: 1. Select Profiles > RF > 802.11a/g Radio > ARM in the navigation pane. 2. Select the Add button to create a new ARM profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 53.
Table 53: Profiles > RF > 802.11a/g Radio > ARM Profile Settings
General Settings
Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
Enter the name of the profile.
Other Settings
Assignment single band
70. Send Status Code Server: originator retries the call as quickly as possible if it does not proceed. You can direct the controller to immediately reply to the call originator with a SIP 100 trying message to indicate that the call is proceeding and to avoid a possible timeout. This is useful in conditions where the SIP invite may be redirected through a number of servers before reaching the controller. Use this field to enable or disable SIP call setup keepalive in the VoIP Call Admission Control profile for the server.
3. Select Add or Save. The added or edited profile appears on Profiles > QoS > VoIP Call Admission Control.
Profiles > QoS > WMM Traffic Management
Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless Quality of Service (QoS) standard. WMM works with 802.11a, b, g, and n physical layer standards. WMM supports four access categories (ACs): voice, video, best effort, and background. The 802.1D priority value is contained in a two-byte QoS control field in the WMM data frame.
NOTE: Configure the virtual AP traffic management profile before applying the WMM traffic management profile to the virtual AP profile.
Perform these steps to configure a WMM Traffic Management profile: 1. Select Profiles > QoS > WMM Traffic Management in the navigation pane. The details page summarizes the current profiles of this type. 2. Select the Add button to create a new W
71. page The captive portal authentication profile specifies the captive portal login page and other configurable parameters The initial user role configuration must include the applicable captive portal authentication profile instance Therefore you need to modify the guest logon user role configuration to include the guestnet captive portal authentication profile Profiles > AAA > IPv6 Extension Header This profile allows you to edit the packet filter options in the IPv6 Extension Header EH ArubaOS firewall is enhanced to process the EH to enable IPv6 packet filtering You can now filter the incoming IPv6 packets based on the EH type You can edit the packet filter options in the default EH NOTE This profile depends on the controller having a Policy Enforcement Firewall license and a minimum version of 6 1 0 0 Perform these steps to configure an IPv6 Extension Header profile 1 Select Profiles > AAA > IPv6 Extension Header in the navigation pane 2 Select the Add button to create a new IPv6 Extension Header profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 12 Table 12 Profiles > AAA > IPv6 Extension Header Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Enter the name of the IPv6
72. periodically generate a DNS request and cache the IP address returned in the DNS response By default DNS requests are sent every 15 minutes 3 Select Add or Save The added or edited Advanced Authentication profile appears on the Profiles > AAA page Profiles > AAA > Captive Portal Auth In this section you create an instance of the captive portal authentication profile and the AAA profile For the captive portal authentication profile you specify the previously created auth guest user role as the default user role for authenticated captive portal clients and the authentication server group Internal Perform these steps to configure a Captive Portal Authentication profile 1 Select Profiles > AAA > Captive Portal Auth in the navigation pane 2 Select the Add button to create a new Captive Portal Auth profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 11 Table 11 Profiles > AAA > Captive Portal Auth Profile Settings Field Default Description General Settings Name Enter the name of the Captive Portal Authentication profile Referenced Profiles Server Group default Enter the name of the internal VPN authentication server group or
73. settings Internal Server User User Name Enter the name of a user or click Generate to create an anonymous ID for this user Enter the password in plain text or click Generate to create a random password for this user User Role guest From the drop down menu select the user role to associate with this user The role establishes read write privileges manage monitor privileges and other settings Email Enter the email address of the guest user Enabled Specify whether this guest user is enabled or disabled on the internal server Table 76 Security > Server Groups > Add Internal Server Fields and Descriptions Continued Field Default Description Expire User Specify whether to expire the guest user after a period of time If you click Yes a new field appears with instructions about the date and time in which the guest user is expired from the internal server Select Add to complete the configuration of the Internal Server or click Save to complete the editing of an existing server The new server appears on the Security > Server Groups > Internal Server page This server is now available to be used by server groups Security > Server Groups > XML API Dell PowerConnect W Configuration supports server groups that can include XML API servers XML API servers send and accept requests for information XML API servers process s
74. tasks or concepts after initial setup of Dell PowerConnect W Configuration is complete as described in the section Setting Up Initial Dell PowerConnect W Configuration on page 21 This chapter emphasizes frequent procedures as follows Procedures and Guidelines for Dell PowerConnect W AP Groups General WLAN Guidelines General Controller Procedures and Guidelines Supporting APs with Dell PowerConnect W Configuration Visibility in Dell PowerConnect W Configuration Using AirWave to Deploy Dell PowerConnect W APs for the First Time NOTE For a complete reference on all Dell PowerConnect W Configuration pages field descriptions and certain additional procedures that are more specialized refer to Appendix A Configuration Reference on page 37 Procedures and Guidelines for Dell PowerConnect W AP Groups Guidelines and Pages for Dell PowerConnect W AP Groups The fields and default settings for Dell PowerConnect W AP Groups are described in Dell PowerConnect W AP Groups on page 37 in the Appendix The following guidelines govern the configuration and use of Dell PowerConnect W AP Groups across Dell PowerConnect W AirWave 7 4 Dell PowerConnect W AP Groups function with standard AirWave groups that contain them Add Dell PowerConnect W AP Groups to standard AirWave groups Additional procedures in this document explain their interoperability APs can belong to a controller s AirWave group or to an AirWave group by themselves
75. that defines high capacity VoIP This field is a percentage of Threshold 0 100 entire bandwidth VoIP Send SIP 100 Trying The SIP invite call setup message is time sensitive as the originator retries the call as quickly as possible if it does not proceed You can direct the controller to immediately reply to the call originator with a SIP 100 trying message to indicate that the call is proceeding and to avoid a possible timeout This is useful in conditions where the SIP Invite may be redirected through a number of servers before reaching the controller Enable or disable SIP call setup keepalive with this field VoIP Disconnect Extra In the VoIP Call Admission Control CAC profile you can limit the number of active Call voice calls allowed on a radio This feature is disabled by default When the disconnect extra call feature is enabled the system monitors the number of active voice calls and if the defined threshold is reached any new calls are disconnected The AP denies association requests from a device that is on call Enable or disable this feature in this field You also need to enable call admission control which is disabled by default in this profile Table 49 Profiles > QoS > VoIP Call Admission Control Profile Settings Continued Default Description VoIP TSPEC Enforcement A WMM client can send a Traffic Specification
76. that is to be referenced by the user role Refer to Profiles > AAA > Captive Portal Auth on page 57 Select the add icon to create a new profile or click the pencil icon to edit an existing profile Captive Portal Profile Downstream Bandwidth Contract Downstream Contract Applies Per User Upstream Bandwidth Contract Upstream Contract Applies Per User Maximum Number of Datapath Sessions Allowed Reauthentication Interval Time VLAN To Be Assigned Optional You can assign a bandwidth contract to provide an upper limit to upstream or downstream bandwidth utilized by clients in this role You can select the Per User option to apply the bandwidth contracts on a per user basis instead of to all clients in the role Refer to Security > User Roles > BW Contracts on page 138 If you selected a DS BW contract in the prior field this gray field becomes active Select Yes or No Optional You can assign a bandwidth contract to provide an upper limit to upstream or downstream bandwidth utilized by clients in this role You can select the Per User option to apply the bandwidth contracts on a per user basis instead of to all clients in the role Refer to Security > User Roles > BW Contracts on page 138 If you selected an US BW contract in the prior field this gray field becomes active Select Yes or No Use this field to configure a maximum number of sessions per user in this role You ca
77. the server group that performs 802 1x authentication Other Settings Default Role default Role assigned to the Captive Portal user upon login When both user and guest logon are enabled the default role applies to the user logon users logging in using the guest interface are assigned the guest role The Policy Enforcement Firewall license must be installed Default Guest Role default Role assigned to a guest user upon login Time in seconds that the system remains in the initial welcome page before redirecting the user to the final web URL If set to 0 the welcome page displays until the user clicks on the indicated link Enables Captive Portal with authentication of user credentials Guest Login EN Enables Captive Portal logon without authentication Logout Popup Window Enables a pop up window with the Logout link for the user to logout after logon If this is disabled The user remains logged in until the user timeout period has Use HTTP Authentication elapsed or the station reloads Logon Wait Minimum Use HTTP protocol on redirection to the Captive Portal page If you use this option modify the captive portal policy to allow HTTP traffic Wait 1 10 sec Redirect Pause 0 60 sec Minimum time in seconds the user will have to wait for the logon page to pop up if the CPU load is high This works in conjunction with the Logon wait CPU utilization threshold parameter Logon Wait Maximum Maximum time in seconds
78. the user will have to wait for the logon page to pop Wait up if the CPU load is high This works in conjunction with the Logon wait CPU 0 10 sec utilization threshold parameter Logon Wait CPU Utilization Threshold 0 100 CPU utilization percentage above which the Logon wait interval is applied when presenting the user with the logon page Maximum number of authentication failures before the user is blacklisted The range is 1 10 Requires a Wireless Intrusion Protection license or an RFprotect license Show FQDN Allows the user to see and select the fully qualified domain name FQDN on the login page Use CHAP Use CHAP protocol You should not use this option unless instructed to do so by Non standard a representative from Dell PowerConnect W Sygate on demand Enables client remediation with Sygate on demand agent SODA Requires a agent Client Integrity license and a version earlier than 6 0 0 0 Login Page auth index html URL of the page that appears for the user logon This can be set to any URL Welcome Page auth URL of the page that appears after logon and before redirection to the web welcome html URL This can be set to any URL Show Welcome Page Yes Enables the display of the welcome page If this option is disabled redirection to the web URL happens immediately after logon Max Authentication Failures Table 11 Profil
79. this high throughput profile will advertise intolerance of 40 MHz operation By default this option is disabled and 40 MHz operation is allowed Legacy Station Use this setting to allow or disallow associations from legacy non HT stations Workaround 3 Select Add or Save The added or edited profile appears on the Profiles > RF > HT Radio page Profiles > RF > 802 11a g Radio > Spectrum NOTE This profile depends on the controller having an RFprotect license and a minimum version of 6 0 0 0 Perform these steps to create or edit Spectrum profiles 1 Select Profiles > RF > Spectrum in the navigation pane 2 Select the Add button to create a new Spectrum profile or click the pencil icon to edit an existing profile Complete the settings as described in Table 55 Table 55 Profiles > RF > Spectrum Profile Settings Field Default Description General Settings Spectrum Band 2ghz Define one of the following spectrum bands for the spectrum profile If you do not select a spectrum band the profile will use a default setting of 2GHz 2ghz Scan 2GHz channels 5ghz lower Scan 5GHz channels 36 64 5ghz middle Scan 5GHz channels 100 140 5ghz upper Scan 5GHz channels 149 165 NOTE If it s in use you cannot change the band if it makes it incompatible to the radio profile that uses it Table 55 Profiles > RF
80. to Unicast Deny Inter User Traffic Band Steering Enable or disable band steering on the WLAN Band steering reduces co channel interference and increases available bandwidth for dual band clients because there are more channels on the 5GHz band than on the 2 4GHz band Dual band 802 11n capable clients may see even greater bandwidth improvements because the band steering feature will automatically select between 40 MHz or 20 MHz channels in 802 11n networks This feature is disabled by default and must be enabled in a Virtual AP profile Steering Mode Prefer 5GHz Band steering supports three different band steering modes Force 5GHz When the AP is configured in force 5GHz band steering mode the AP will try to force 5GHz capable APs to use that radio band Prefer 5GHz Default If you configure the AP to use prefer 5GHz band steering mode the AP will try to steer the client to 5GHz band if the client is 5GHz capable but will let the client connect on the 2 4G band if the client persists in 2 4G association attempts Balance bands In this band steering mode the AP tries to balance the clients across the two radios in order to best utilize the available 2 4G bandwidth This feature takes into account the fact that the 5GHz band has more channels than the 2 4 GHz band and that the 5GHz channels operate in 40 MHz while the 2 4GHz band operates in 20MHz NOTE Steering modes do not take effect until the band steering feature has bee
81. use a randomly generated MAC address Enabling MAC OUI checking causes an alarm to be triggered if an unrecognized MAC address is in use MAC OUI Detection Quiet Set the time in seconds that must elapse after an invalid MAC OUI alarm has been Time triggered before another identical alarm may be triggered 60 360000 sec Table 40 Profiles > IDS > Unauthorized Devices Profile Settings Continued Field Default Description Adhoc Network Detection Quiet Time 60 360000 sec Set the time in seconds that must elapse after an adhoc network detection alarm has been triggered before another identical alarm may be triggered Set the time in seconds that must elapse after a wired bridging alarm has been triggered before another identical alarm may be triggered Wireless Bridge Detection Quiet Time 60 360000 sec Enable or disable rogue AP classification A rogue AP is one that is unauthorized and plugged into the wired side of the network Any other AP seen in the RF environment that is not part of the valid enterprise network is considered to be interfering it has Rogue AP Classification the potential to cause RF interference but it is not connected to the wired network and thus does not represent a direct threat Set Overlay Rogue Classification which is classification through valid rogue APs A controller uses the wired mac
82. user VLAN IP subnet Some network topologies may require multiple home agents It is best to configure the switch IP address to match the AP s local controller or define the Virtual Router Redundancy Protocol VRRP IP address to match the VRRP IP used for controller redundancy Do not configure both a switch IP address and a VRRP IP address as a home agent address or multiple home agent discoveries may be sent to the controller Configure the HAT with a list of every subnetwork mask VLAN ID VRRP IP and home agent IP address in the mobility domain Include an entry for every home agent and user VLAN to which an IP subnetwork maps If there is more than one controller in the mobility domain providing service for the same user VLAN you must configure an entry for the VLAN for each controller Best practice is to use the same VRRP IP used by the AP The mobility domain named default is the default active domain for all controllers If you need only one mobility domain you can use this default domain However you also have the flexibility to create one or more user defined domains to meet the unique needs of your network topology Once you assign a controller to a user defined domain it automatically leaves the default mobility domain If you want a controller to belong to both the default and a user defined mobility domain at the same t
83. c As per standard AirWave configuration complete the settings on this page The most important fields with regard to Dell PowerConnect W Configuration device visibility and user rights are as follows Type Specify the type of user Important consideration should be given to whether the user is an administrative user with universal access or an AP Device manager to specialize in device administration or additional users with differing rights and access AP Device Access Level Define the access level that this user is to have in support of Dell PowerConnect W controllers devices and general Dell PowerConnect W Configuration operations Top Folder Specify the folder created earlier in this procedure or specify the Top folder for an administrative user d Click Add to complete the role creation or click Save to retain changes to an existing role The AMP Setup page now displays the new or revised role 4 As required add or edit one or more users to manage and support Dell PowerConnect W Configuration This step creates or edits users to have rights appropriate to Dell PowerConnect W Configuration This user inherits visibility to Dell PowerConnect W Series controllers and Dell PowerConnect W Configuration data based on the role and device folder created earlier in this procedure a Navigate to the AMP Setup > Users page b Click Add New User or click the pencil manage icon next to an exi
84. which to process the Operand which you specify in the following field Role VLAN ap role Select the role or VLAN to associate with this new server group rule from the drop down menu Select Add to complete the configuration of the Server Group or click Save to complete the editing of an existing server The new server group appears on the Security > Server Groups page Security > Server Groups > LDAP You can configure Lightweight Directory Access Protocol LDAP servers for use by a server group The Security > Server Groups > LDAP page displays current LDAP servers available for inclusion in server groups Select Add to create a new LDAP server or click the pencil icon next to an existing LDAP server to edit the configuration The Security > Server Groups > Add LDAP Server page contains the following fields as described in Table 73 Table 73 Security > Server Groups > Add LDAP Server Fields and Descriptions Field Default Description displays all folders available for association with the server group Other Settings Host IP Address 0 0 0 0 Enter the IP address of the LDAP server Admin DN Enter the distinguished name for the admin user who has read search privileges across all the entries in the LDAP database The user need not have write privileges but the user should be able to search the database and read attributes of other users in the database Admin Password Enter the pas
85. will support guests This setting requires a policy enforcement firewall license Enable or disable this setting EAP authentication starts with an EAPOL start frame that is sent by the wireless client to the AP Upon reception of such a frame the AP responds back to the wireless client with an EAP Identify Request and also does internal resource allocation Attackers can use this vulnerability by sending a lot of EAPOL start frames to the Access point either by spoofing the MAC address or by emulating wireless clients This forces the AP to allocate increasing resource and eventually bringing it down Enable this setting to reduce the risk Specify whether authentication should manage logoff activity Specify whether EAP should be ignored during authentication In the 802 1x Authentication profile the WPA fast handover feature allows certain WPA clients to use a pre authorized PMK significantly reducing handover interruption TLS Guest Role Ignore EAPOL START After Authentication Handle EAPOL Logoff Ignore EAP ID During Negotiation WPA Fast Handover Check with the manufacturer of your handset to see if this feature is supported This feature is disabled by default Table 9 Profiles > AAA > 802 1x Auth Profile Settings Continued Default Description Disable Rekey and Although reauthentication and rekey timers are configurab
86. 128 Kbps Or you can limit the total downstream bandwidth used by all users in the guest role in Mbps The Details page for Security > User Roles > Add New Bandwidth Contract contains the following fields as described in Table 67 Table 67 Security > User Roles > Add New BW Contract Page Fields and Descriptions Field Default Description General Settings Folder Top Set the folder with which the Bandwidth Contract is associated The drop down menu displays all folders available for association with the profile Enter the name of the profile Other Settings Units kbits Configure bandwidth contracts in kilobits per second Kbps or megabits per second Mbps for the following types of traffic from the client to the controller upstream traffic from the controller to the client downstream traffic Bandwidth Specify whether this bandwidth contract is upstream or downstream by typing one of the following terms in lower case upstream downstream Select Add to finish the new BW Contract and to return to the BW Contract page The new contract appears below the Add New BW Contract button Select Add to complete the configuration of the BW Contract profile or click Save to complete the editing of an existing profile The new BW contract appears on the Security > User Roles page Security > User Roles > VPN Dialers
87. 20 MHz channels available in the regulatory domain profile for your country When ARM is configured for a dual band AP it will dynamically select the primary and secondary channels for these devices It can however continue to scan all changes in the a b g bands to calculate interference and detect rogue APs Valid 802 11a 40MHz Channels Valid 802 11g 40 MHz Channels Specify the valid channels for 40 MHz channel pairing in 802 11a Specify the valid channels for 40 MHz channel pairing in 802 11g Valid 802 11g 40 MHz Select a 40 MHz channel pair for 802 11g Channel Pairs 3 Select Add or Save The added or edited Regulatory Domain profile appears on the Regulatory Domain Profiles page Profiles > AP > SNMP Dell PowerConnect W Series controllers and APs support versions 1 2c and 3 of Simple Network Management Protocol SNMP for reporting purposes only In other words SNMP cannot be used for setting values in a system in the current AOS version Perform these steps to configure a SNMP profile 1 Select Profiles > AP > SNMP in the navigation pane 2 Select the Add button to create a new SNMP profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 27 Table 27 Profiles > AP > SNMP Profile Settings Field Default Description General Settings Folder Set the folde
88. [Graph: Max Users, Avg Bits Per Second In, Avg Bits Per Second Out] 2 Add Dell PowerConnect W Series controller devices to that folder as required Use the Device Setup > Add page following instructions available in the Dell PowerConnect W AirWave 7 4 User Guide in Home > Documentation 3 As required create or edit a user role that is to have rights and manage privileges required to support their function in Dell PowerConnect W Configuration a At least one user must have administrative privileges but several additional users may be required with less rights and visibility to support Dell PowerConnect W Configuration without access to the most sensitive information such as SSIDs or other security related data b Navigate to the AMP Setup > Roles page and click Add New Role to create a new role with appropriate rights or click the pencil manage icon next to an existing role to adjust rights as required The Role page appears illustrated in Figure 21 Figure 21 AMP Setup > Roles > Add Edit Role Page Illustration
89. A mobile client can detach at any time from its home network and reconnect to a foreign network any network other than the mobile client s home network within the mobility domain When a mobile client is connected to a foreign network it is bound to a care of address that reflects its current point of attachment A care of address is the IP address of the Dell PowerConnect W Series controller in the foreign network with which the mobile client is associated The home agent for the client is the controller where the client appears for the first time when it joins the mobility domain The home agent is the single point of contact for the client when the client roams The foreign agent for the client is the controller which handles all Mobile IP communication with the home agent on behalf of the client Traffic sent to a client s home address is intercepted by the home agent and tunneled for delivery to the client on the foreign network On the foreign network the foreign agent delivers the tunneled data to the mobile client A mobility domain is a group of Dell PowerConnect W Series controllers among which a wireless user can roam without losing their IP address Mobility domains are not tied with the master controller thus it is possible for a user to roam between controllers managed by different master controllers as long as all of the controllers belong to the same mobility domain You enable and configure mobility domains only on Dell PowerConn
90. A parameters affect traffic from the client to the AP Perform these steps to create or edit Event Station profiles 1 Select Profiles > SSID > EDCA Station in the navigation pane 2 Select the Add button to create a new EDCA Station profile or click the pencil icon to edit an existing profile Complete the settings as described in Table 34 Table 62 Profiles > SSID > EDCA Station Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Blank Name of the EDCA STA profile Best Effort Arbitrary Inter frame 3 Space Number 1 15 Minimum Contention Window Exponent 0 15 Maximum Contention Window Exponent 1 15 Name WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance CSMA CA protocol s Distributed Coordination Function DCF The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC arbitrary inter frame space number AIFSN minimum and maximum contention window CW size For each AC the backoff time is the sum of the AIFSN and a random value between 0 and the CW value The AC with the lowest backoff time is granted the opportunity to transmit TXOP
91. AOS 6 0 0 0 Ad hoc IBSS AP Inactivity Timeout 5 36000 sec Ad hoc IBSS AP inactivity timeout in number of scans NOTE This setting requires a minimum of AOS 6 0 0 0 IDS Event Generation on AP Enable or disable IDS event generation from the AP Event generation from the AP can be enabled for syslogs traps or both This does not affect generation of IDS correlated events on the switch Send Ad hoc Info to Yes Enable or disable sending Ad hoc information to the controller from the AP Controller NOTE This setting requires a WIPS or RFprotect license and a minimum of AOS 6 0 0 0 3 Select Add or Save The added or edited General profile appears on the IDS > General profiles page Profiles > IDS > Signature Matching The IDS signature matching profile contains signatures for intrusion detection This profile can include predefined or custom signatures Table 34 describes the predefined signatures that you can add to the profile Perform these steps to configure a Signature Matching profile 1 Select Profiles > IDS > Signature Matching in the navigation pane 2 Select the Add button to create a new Signature Matching profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 34 Table 34 Profiles > IDS > Signature Matching Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is
92. AP Groups on page 37 Profiles > RF > 802 11a g Radio > ARM on page 105 in the Appendix Changing SSID and Encryption Settings You can adjust SSID and Encryption parameters for devices by adjusting the profiles that define these settings then applying those profiles to Dell PowerConnect W AP Groups and WLANs that support them To do so refer to the following topics that describe relevant steps and configuration pages Configuring Dell PowerConnect W AP Groups on page 28 Guidelines and Pages for Dell PowerConnect W AP Groups on page 27 Profiles > SSID on page 113 and related profiles in the Appendix Changing the Dell PowerConnect W AP Group for an AP Device You can change the Dell PowerConnect W AP Group to which an AP device is associated Perform the following steps to change the Dell PowerConnect W AP Group for an AP device 1 As required review the Dell PowerConnect W AP Groups currently configured in AirWave Navigate to the Dell PowerConnect W Configuration page and click Dell PowerConnect W AP Groups from the navigation pane This page displays and allows editing for all Dell PowerConnect W AP Groups that are currently configured in AirWave 2 Navigate to the APs Devices > List page to view all devices currently seen by AirWave 3 If necessary add the device to AirWave using the APs Devices > New page To discover additional devices ensure that the controller is set to perform a
93. APs as interfering APs thereby the controller attempts to reclassify them as rogue APs By default suspected rogue APs are not automatically contained In combination with the suspected rogue containment confidence level this option automatically shuts down suspected rogue APs When this option is enabled clients attempting to associate to a suspected rogue AP will be disconnected from the suspected rogue AP through a denial of service attack Suspected Rogue Containment Set the confidence level When an AP is classified as a suspected rogue AP it is assigned a 50 confidence level If multiple APs trigger the same events that classify the AP as a suspected rogue the confidence level increases by 5 up to 95 In combination with suspected rogue containment this option configures the threshold by which containment should occur Suspected rogue containment occurs only when the configured confidence level is met Suspected Rogue Containment Confidence Level 50 100 Protect Valid Stations Use this setting to disallow valid stations from connecting to a non valid AP Table 40 Profiles > IDS > Unauthorized Devices Profile Settings Continued Field Default Description Enable or disable detection of WEP initialization vectors that are known to be weak primary means of cracking WEP keys is to capture 802 11 frames over an extended
94. Auth on page 63. VIA Client WLAN: Sets up a VIA Client WLAN profile. Refer to Profiles > AAA > VPN Connection > VIA Client WLAN on page 63. VIA Global: Profiles > AAA > VIA Global on page 65. Wired Auth: This profile merely references an AAA profile to be used for wired authentication. Refer to Profiles > AAA > Wired Auth on page 66. WISPr Auth: The Wireless Internet Service Provider roaming (WISPr) protocol allows users to roam between service providers. A RADIUS server is used to authenticate subscriber credentials. Refer to Profiles > AAA > WISPr Auth on page 69. Profiles > AAA: Perform these steps to configure a AAA profile: 1. Select Profiles > AAA in the navigation pane. 2. Select the Add button to create a new AAA profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 8. Table 8 Profiles > AAA > New AAA Profile Settings (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the AAA profile. Referenced Profiles. MAC Authentication Profile: Select a MAC Authentication profile to be referenced by the AAA profile being configured. If necessary, clic
95. CA defines four access categories (ACs) to prioritize traffic: voice, video, best effort, and background. These ACs correspond to 802.1d priority tags, as shown in Table 59. Table 59 WMM Access Categories and 802.1d Tags (WMM Access Category, Description, 802.1d Tag). Prioritize video traffic above other data traffic. Best Effort: Traffic from legacy devices or traffic from applications or devices that do not support QoS (802.1d tags 0, 3). Background: Low priority traffic (file downloads, print jobs). While the WMM ACs designate specific types of traffic, you can determine the priority of the ACs. For example, you can choose to give video traffic the highest priority. With WMM, applications assign data packets to an AC. In the client, the data packets are then added to one of the transmit queues for voice, video, best effort, or background. WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol's Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC: arbitrary inter-frame space number (AIFSN); minimum and maximum contention window (CW) size. For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity t
96. Complete the settings as described in Table 19. Table 19 Dell PowerConnect W Configuration > Profiles > AAA > VPN Auth Profile Settings (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Referenced Profiles. Server Group: Select the AAA authentication server group. Select the pencil icon to edit an existing server group, or click the add icon to create a new server group. Other Settings. Default Role (default: default-vpn-role): Select the role to be associated with this authentication profile. Max Authentication failures (0-10): Enter the number of times a station can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting. Check Certificate Common Name against AAA Server: This field appears if you are adding or modifying a RAP VPN Authentication Profile. If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is enabled by default in the default-cap and default-rap VPN profiles, and disabled by default on all other VPN profiles. Requires a minimum version of 6.1.0.0. 3. Select Add or Save. The added or edited Combined VPN Auth profile appears on the AAA Profiles page and on the VPN Auth details page. Profiles > AAA > Management Auth: Users who need to access the con
97. Configuration Guide. Profiles > RF > 802.11a/g Radio > AM Scanning: Air Monitor (AM) devices establish and monitor RF activity on the network. This profile depends on the controller having a minimum version of 6.0.0.0. Perform these steps to create or edit an Air Monitor Scanning profile: 1. Select Profiles > RF > 802.11a/g Radio > AM Scanning in the navigation pane. 2. Select the Add button to create a new AM Scanning profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 52. Table 52 Profiles > RF > 802.11a/g Radio > AM Scanning Profile Settings (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the AM scanning profile. Scan Mode (default: all-reg-domain): Set the scanning mode for the radio. all-reg-domain: Scan channels in all regulatory domains. rare: Scan all channels (all regulatory domains and rare channels). reg-domain: Scan channels in the AP's regulatory domain. Dwell Time Settings. Regulatory Domain Channels (100-32768): Dwell time in ms for AP's regulatory domain channels. Rare Channels (100-32768): Dwell time in ms for rare channels. Active Channels (100-32768): Dwell time in ms for channels where there is wireless activity. Non-regulatory: Dwell time in ms for channels not in the AP's reg
98. Dell PowerConnect W AirWave 7.4 Configuration Guide. Copyright 2011 Dell PowerConnect W Networks, Inc. Dell PowerConnect W Networks trademarks include AirWave, Dell PowerConnect W Networks, Dell PowerConnect W Wireless Networks, the registered Dell PowerConnect W the Mobile Edge Company logo, and Dell PowerConnect W Mobility Management System. Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners. Open Source Code: Certain Dell PowerConnect W products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source Legal Notice: The use of Dell PowerConnect W Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Dell PowerConnect W Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors. Dell PowerConnect W Air
99. Description. Maximum Number of Spatial Streams Usable for STBC Transmission: Controls the maximum number of spatial streams usable for STBC transmission. 0 disables STBC transmission; 1 uses STBC for MCS 0-7. Higher MCS values are not supported. Maximum Number of Spatial Streams Usable for STBC Reception: Controls the maximum number of spatial streams usable for STBC reception. 0 disables STBC reception; 1 uses STBC for MCS 0-7. Higher MCS values are not supported. Legacy Stations: Allow or disallow associations from legacy (non-HT) stations. This parameter is enabled by default (legacy stations are allowed). Max Transmitted A-MPDU Size (default: 65535): Sets maximum size of a transmitted aggregate MPDU, in bytes. Specify size in the supported range of 1576 to 65535 bytes. 3. Select Add or Save. The added or edited profile appears on the Mesh HT SSID page. Profiles > Mobility Switch: Use the following profiles to configure a Dell switch. IGMP Snooping: Create and configure the IGMP snooping profiles for VLANs. Refer to Profiles > Mobility Switch > IGMP Snooping on page 100 for more information. Ethernet Link: Configure autonegotiation, duplex, speed, and flow control for the port. Refer to Profiles > Mobility Switch > Ethernet Link on page 101 for more information. Port Switching: Create a switching profile that can be applied to any interface, interface group, or a port-channel. Refer to Profil
100. Enter the name of the profile. Other Settings fields: Max Authentication Failures; Enforce Machine Authentication; Machine Authentication: Default Machine Role; Machine Authentication Cache Timeout (1-1000 hrs). Number of times a user can try to login with wrong credentials, after which the user will be blacklisted as a security threat. Set to 0 to disable blacklisting; otherwise, enter a non-zero integer to blacklist the user after the specified number of failures. This setting requires a wireless intrusion protection license. For Windows environments only: Select this option to enforce machine authentication before user authentication. If selected, either the Machine Authentication Default Role or the User Authentication Default Role is assigned to the user, depending on which authentication is successful. This setting requires a policy enforcement firewall license. Select the default role to be assigned to the user after completing machine authentication. When a Windows device boots, it logs onto the network domain using a machine account. Within the domain, the device is authenticated before computer group policies and software settings can be executed; this process is known as machine authentication. Machine authentication ensures that only authorized devices are allowed on the network. You can configure 802.1x for both user and machine authentication, select the Enforce Machine Authentic
101. ID Profile Settings (Field, Description). General Settings. Folder: Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the profile. This profile name can have a maximum of 32 characters. Other Settings. 40 MHz Channel Usage: Enable or disable the use of 40 MHz channels. This parameter is enabled by default. Table 43 Mesh > Radio > Mesh HT SSID Profile Settings (Continued) (Field, Default, Description). Low-density Parity Check: If enabled, the AP will advertise Low-density Parity Check (LDPC) support. LDPC improves data transmission over radio channels with high levels of background noise. Requires a minimum version of 6.1.0.0. MPDU Aggregation: Enable or disable MAC protocol data unit (MPDU) aggregation. High-throughput mesh APs are able to send aggregated MAC protocol data units (MPDUs), which allow an AP to receive a single block acknowledgment instead of multiple ACK signals. This option, which is enabled by default, reduces network traffic overhead by effectively eliminating the need to initiate a new transfer for every MPDU. Max Received A-MPDU Size (default: 65535 bytes): Set the maximum size of a received aggregate MAC Protocol Data Unit (A-MPDU), in bytes. Min MPDU Start: Set the minimum time between the start of adjacent MPDUs
102. MM Traffic Management profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 50. Table 50 Profiles > QoS > WMM Traffic Management Profile Settings (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the profile. Other Settings. Enable Shaping Policy: Enable or disable Quality of Service with the WMM Traffic Management profile. Define the percentage of QoS for each type of service to be supported in WMM. NOTE: If you enable this profile with Yes, ensure that the four percentage values you specify immediately below this field do not exceed 100. Voice Share (default: 25): Set the total bandwidth share to be reserved for voice traffic in this field. Supported range is 1 to 100. Best-effort Share (default: 25): Set the total bandwidth share to be reserved for best effort traffic in this field. Supported range is 1 to 100. Video Share (default: 25): Set the total bandwidth share to be reserved for video traffic in this field. Supported range is 1 to 100. Background Share (default: 25): Set the total bandwidth share to be reserved for background traffic in this f
103. Monitoring, Reports, and Events pages in the WebUI. You can log in; however, you can only use a subset of commands to monitor the controller. read-only: Permits access to monitoring pages only. root: Permits access to all management functions on the controller. Enable: When enabled, this setting activates the authentication server. 3. Select Add or Save. The added or edited Management Auth profile appears on the AAA Profiles page and on the Management Auth details page. Profiles > AAA > Stateful NTLM Auth: When the user logs off or shuts down the client machine, this profile allows the user to remain in the authenticated role until the user ages out. Aging out means the user has sent no traffic for the amount of time specified for the Timeout parameter of this profile. The Stateful NT LAN Manager (NTLM) Authentication profile requires that you specify the following components: a server group that includes the servers performing NTLM authentication; a default role to be assigned to authenticated users. The Wireless Internet Service Provider roaming (WISPr) protocol allows users to roam between service providers. A RADIUS server is used to authenticate subscriber credentials. For details on defining a Windows server used for NTLM authentication, refer to Security > Server Groups > Windows on page 152. Perform these steps to configure a Stateful NTLM Auth profile: 1. Select Profiles > AAA > Stateful NTLM A
104. N Referenced Profiles. SSID Profile: Select the SSID profile that defines encryption, EDCA, or high-throughput SSID parameters. Access these SSID profiles by clicking Profiles > SSID in the navigation pane. Refer to Profiles > SSID on page 122. AAA Profile: Select the AAA profile that defines RADIUS, TACACS+, or other AAA server configurations for this WLAN. Access these SSID profiles by clicking Profiles > AAA in the navigation pane. Refer to Profiles > AAA Overview on page 48. 802.11k Profile: Manages settings for the 802.11k protocol. The 802.11k protocol allows APs and clients to dynamically query their radio environment and take appropriate connection actions. For example, in a 802.11k network, if the AP with the strongest signal reaches its CAC (Call Admission Control) limits for voice calls, then on-hook voice clients may connect to an under-utilized AP with a weaker signal. You can configure the following options in 802.11k profile: Enable or disable 802.11k support on the AP; Forceful disassociation of on-hook voice clients; Measurement mode for beacon reports. For more details, see the Configuring 802.11k Protocol topic in the ArubaOS User Guide. WMM Traffic Management Profile: Manages settings for the bandwidth management profile for Wi-Fi Multimedia (WMM). Refer to Profiles > QoS > Traffic Management on page 104. Other Settings. Virtual AP Enable (default: Yes): Enable this setting to
105. OTE: WPA Hexkey overrides WPA passphrase when both are set. DTIM Interval (1-255 beacon periods): Enter the Delivery Traffic Indication Message that informs wireless clients about the presence of buffered multicast or broadcast data on the AP. The DTIM interval specifies the beacon frequency that synchronizes the AP to the network. This setting supports 1 to 255 milliseconds. Station Ageout Time: Enter the amount of time, in minutes, that a client is unseen by any probes before it is deleted from the database. Enter 0 to disable ageout. Table 58 Profiles > SSID Profile Settings (Continued) (Field, Default, Description). 802.11g Transmit Rates (default: All selected): Specify the total transmit rates for the 802.11g radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate. All transmission rates are selected and used. If you do not select 802.11a or 802.11g transmit rates, all rates are selected by default when you click Apply. 802.11g Basic Rates (default: 1 and 2 selected): Specify the basic rates for the 802.11g radio. 802.11a Transmit Rates (default: All selected): Specify the transmit rates for the 802.11a radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the ne
106. On the Groups > Basic page, enable device preferences for Dell PowerConnect W Series devices. This configuration defines optional group display options. This step is not critical to setup, and default settings will support groups appropriate for Dell PowerConnect W Configuration. One important setting on this page is the Dell PowerConnect W GUI Config option. Ensure that setting is Yes, which is the default setting. 3. Authorize Dell PowerConnect W controllers into the device group in Monitor Only mode. CAUTION: When authorizing the first controller onto a device group, you must add the device in monitor-only mode. Otherwise, AirWave removes the configuration of the controller before you have a chance to import the configuration, and this would remove critical network configuration and status. NOTE: Dell PowerConnect W Configuration is enabled by default in AirWave. 4. Navigate to the APs/Devices > Audit page for the first controller to prepare for importing an existing Dell PowerConnect W Series controller configuration file. Figure 14 illustrates the information available on this page if the device is mismatched. Figure 14 APs/Devices > Audit Page Illustration
107. P Management: The Local Config component introduced in AMP 7.2 is used for local configuration of Dell PowerConnect W Series controllers. Locally configured settings are not pushed to local controllers by master controllers. SNMP trap settings for controllers are managed locally. Trap settings for the AP are managed by group or global configuration in Profiles > AP > SNMP. Refer to Profiles > AP > SNMP on page 75 if you want to manage AP settings. CAUTION: If you push configuration to a controller without having imported the contents of this profile, it will stop responding to the AMP, because the default profile has no community strings. To configure SNMP trap settings on a controller, navigate to the Local Config > SNMP Management page. Select Add to create a new SNMP Management profile, or click the pencil icon to edit an existing profile. Table 83 describes the fields that appear in the Details page for this profile. Table 83 Local Config > SNMP Management Profile Settings (Field, Description). General Settings. Folder: Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the profile. SNMP Settings. Community Strings: Community strings used to authenticate requests for SNMP versions before version 3. NOTE: This is needed only if using SNMP v2c and is not needed if using version 3.
108. RRP IP address to ensure that APs always have an active IP address with which to terminate sessions. For those APs that need to boot off the local controller, configure the LMS IP address to point to the new local controller. The IPv6 address of the local management switch (LMS), the Dell controller which is responsible for terminating user traffic from the APs and processing and forwarding the traffic to the wired network. Requires a minimum version of 6.1.0.0. In multi-controller networks, specify the IPv4 address of a backup to the IP address specified with the LMS IP field. For multi-controller networks, specify the IPv6 address of a backup to the IP address specified with the LMS IPv6 field. The AP fallback feature allows an AP associated with the backup controller (backup LMS) to fail back to the primary controller (primary LMS) if it becomes available. Enable LMS preemption with this field. Enter the amount of time the remote AP must wait before moving back to the primary controller. Retries: Number of times the AP will try to create an IPsec tunnel with the master controller before the AP will reboot. If you specify a value of 0, the AP will not reboot if it cannot create the IPsec tunnel. The supported range of values is 0-1000 retries, and the default value is 360 retries. Master controller IP Address: Enter the IP address of the master controller. LED Operating Mode (default: normal): The operating mode for the AP LEDs. Options are n
109. S 3DES algorithm. L2TP/IPSec requires two levels of authentication: Computer-level authentication with a preshared key to create the IPSec security associations (SAs) to protect the L2TP-encapsulated data; User-level authentication through a PPP-based authentication protocol using passwords, SecurID, digital certificates, or smart cards after successful creation of the SAs. Navigate to Advanced Services > VPN Services > IPSEC from the navigation pane. This page displays the IPSEC profile name, the VPN services that use the IPSEC profile, and the folder associated with the IPSEC Profile. Select Add to create a new IPSEC profile, or click the pencil icon next to an existing profile to modify settings. The Add/Edit Details page contains the following fields, as described in Table 92. Table 92 Advanced Services > VPN Services > IPSEC Add/Edit Fields and Descriptions (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the IPSEC profile is associated. The drop-down menu displays all folders available for association with the IPSEC profile. Enter the name of the IPSEC profile. Other Settings. Maximum MTU Size (1034-1500 bytes): Define the maximum transmission unit (MTU) size, in bytes. Dynamic Maps. Dynamic Maps: Select one or more dynamic maps that the IPSEC profile is to reference. You can add or edit dynamic
110. Local Config; Advanced Services Section; APs/Devices > List Page; APs/Devices > Manage Page; APs/Devices > Monitor Page; Groups > Basic; Additional Concepts and Components of Dell PowerConnect W Configuration; Global Configuration and Scope; Referenced Profile Setup in Dell PowerConnect W Configuration; Save, Save and Apply, and Revert Buttons; Additional Concepts and Benefits; Scheduling Configuration Changes; Auditing and Reviewing Configurations; Licensing and Dependencies in Dell PowerConnect W Configuration; Setting Up Initial Dell PowerConnect W Configuration
111. [Screenshot: Device Configuration settings, showing the options Allow WMS offload configuration in monitor-only mode, Allow disconnecting users while in monitor-only mode, Allow non-UTF8 characters, and Dell PowerConnect W Configuration (changing this setting may require importing configuration on your devices).] AirWave supports Dell PowerConnect W Configuration with the following pages: Device Setup > Dell PowerConnect W Configuration Page: deploys and maintains global Dell PowerConnect W Configuration in AirWave. You can limit the view to a folder. Groups > Dell PowerConnect W Config Page With Global Configuration Enabled: the way this page displays depends on whether global or group configuration is enabled in AMP Setup > General > Device Configuration. If global configuration is enabled, the Groups > Dell PowerConnect W Config page manages Dell PowerConnect W AP group and other controller-wide settings defined on the Device Setup > Dell PowerConnect W Configuration page. If global configuration is disabled, the Groups > Dell PowerConnect W Config page resembles the Devic
112. S uses the ARM feature to calculate RF neighborhoods. If spectrum load balancing is enabled in an 802.11a radio profile and a spectrum load balancing domain is also defined, AP radios belonging to the same spectrum load balancing domain will be considered part of the same RF neighborhood for load balancing, and will not recognize RF neighborhoods defined by the ARM feature. Specify how often spectrum load balancing calculations are made, in seconds. The range is 1-2147483647 seconds. In some dense deployments, it is possible for APs to hear other APs on the same channel. This creates co-channel interference and reduces the overall utilization of the channel in a given area. Channel reuse enables dynamic control over the receive (Rx) sensitivity in order to improve spatial reuse of the channel. This feature is disabled by default. To enable this feature, click the drop-down list and select either static or dynamic. To disable this feature, click the drop-down list and select disable. For details on each of these modes, see the RX Sensitivity Tuning Based Channel Reuse topic in the Dell PowerConnect W Series ArubaOS 6.0 User Guide at support.dell.com/manuals. RX sensitivity tuning based channel reuse threshold, in dBm. If the Rx Sensitivity Tuning Based Channel reuse feature is set to static mode, this parameter manually sets the AP's Rx sensitivity threshold, in dBm. The AP will filter out and ignore weak signals that are below the
113. SI deems coverage to be poor. Interference Threshold (0-100): Sets the maximum allowable interference to be tolerated by APs that are configured with this optimization profile, as a percentage. Interference Threshold Exceed Time (0-360000 sec): Sets the amount of time, in seconds, during which interference is allowed to exceed the threshold percentage. When interference exceeds the threshold percentage longer than the amount of time specified in this field, the threshold has been exceeded. Interference Baseline Time (0-360000 sec): Sets the period of time, in seconds, during which interference levels are to be monitored. This setting governs the deployment of the interference percentage threshold and the threshold exceed time. RSSI Falloff Wait Time (0-8 sec): Sets the maximum time to wait with decreasing received signal strength indication (RSSI) before de-authorization is sent to the client. Low RSSI Threshold (0-255): Sets the low threshold for received signal strength indication (RSSI). If the RSSI for a specific client falls below this threshold and continues to fall for the RSSI Falloff Wait Time, then the AP sends a de-authorization command to the client. Such de-authorization removes the client from the current AP and forces it to re-authenticate on a nearby AP. RSSI Check Frequency (0-255): Sets the amount of time, in seconds, between RSSI coverage checks. 3. Select Add or Save. The added or edited profile a
114. Security > Server Groups > Add/Edit TACACS Accounting Profile Fields and Descriptions (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Other Settings. Enabled: Enable or disable the TACACS Accounting profile. If enabled, additional fields appear in which to define additional parameters, as follows. Server Group (default: Default): From the drop-down menu, select the server group that is to reference the TACACS Accounting profile. You can create a new group by clicking the add icon, or edit an existing group by clicking the pencil icon; once you are done adding or editing, the AirWave interface returns you to the TACACS Accounting Profile page to complete the configuration. Action: Select this option to have Action commands monitored and reported by the TACACS Accounting profile. Configuration: Select this option to have Configuration commands monitored and reported by the TACACS Accounting profile. Show: Select this option to have Show commands monitored and reported by the TACACS Accounting profile. Select Add to complete the new TACACS Accounting profile, or click Save to complete the editing of an existing profile. Security > Time Ranges: A time range profile establishes the boundaries by which users and guest users are to be supported on the network. This is a security and access-related prof
115. Select Profiles > Mesh > Radio in the navigation pane. 2. Select the Add button to create a new Radio profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 42. Table 42 Profiles > Mesh > Radio Profile Settings (Field, Default, Description). General Settings. Folder: Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Other Settings. Maximum Children (1-64): Use this field to indicate the maximum number of children a mesh node can accept. The supported range is from 1 to 64. Maximum Hop Count (1-32): Use this field to indicate the maximum hop count from the mesh portal. The supported range is from 1 to 32. Heartbeat Threshold (1-255): Use this field to indicate the maximum number of heartbeat messages that can be lost between neighboring mesh nodes. The supported range is from 1 to 255. Table 42 Profiles > Mesh > Radio Profile Settings (Continued) (Field, Default, Description). Link Threshold (1-255; default: 12): Use this setting to optimize operation of the link metric algorithm. Indicates the minimal RSSI value. If the RSSI value is below this threshold, the link may be considered a sub-threshold link. A sub-threshold link is one whose average RSSI value falls below the configured link threshold. If this occurs t
116. TE: The IKE profile requires the controller to have a Remote Access Points license or a VPN Server license. Select Add to create a new IKE profile, or click the pencil icon next to an existing profile to edit. Table 88 describes the fields on the Advanced Services > VPN Services > IKE Add/Edit Detail page. Table 88 Advanced Services > VPN Services > IKE Add/Edit Detail Fields and Descriptions (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the IKE profile is associated. The drop-down menu displays all folders available for association with the IKE services profile. Enter the name of the IKE profile. Other Settings. IKE Aggressive Group Name: Enter the authentication group name for aggressive mode. Make sure that the group name matches the group name configured in the VPN client software. Aggressive Mode condenses the IKE SA negotiations into three packets (versus six packets for Main Mode). A group associates the same set of attributes to multiple clients. Enable IKE RAP PSK Refresh Caching: Use this setting to enable refresh and caching for IKE on remote APs. IKE Shared Secrets. Add: Select this button to add an IKE shared secret. The following settings appear. Complete these settings and click Add in this section. Subnet: Enter the subnet for the shared secret. Subnet Mask: Enter the subnet mask for the shared secret. IKE Shared Secret: Type the shared secret and confirm. Select Add to
117. Use Windows Enable or disable the use of the Windows credentials to login to VIA If enabled the credentials SSO Single Sign on feature can be utilized by remote users to connect to internal resources VIA IPSEC CryptoMap Default IPsec Crypto Map that the VIA client uses to connect to the controller dynamicmap 20 AE256 Select from a list of IKE policies that the VIA Client has to use to connect to the VIA IKE Policy SHA controller Enable IKEv2 Whether to enable IKE V2 Requires a minimum version of 6 1 0 0 IKEv2 Authentication User Set the IKEv2 authentication method By default user certificate is used for Method Certificate authentication The other supported methods are EAP MSCHAPv2 EAP TLS The EAP authentication is done on an external RADIUS server VIA IPSECv2 CryptoMap IPSec V2 crypto maps that the VIA client uses to connect to the controller VIA IKEv2 Policy 20 AE256 IKE V2 policies that the VIA Client has to use to connect to the controller SHA Use Suite B Use this option to enable Suite B cryptography Cryptography VIA Tunneled Networks A list of network destination IP address and netmask that the VIA client will tunnel through the controller All other network destinations will be reachable directly by the VIA client Enable Content Security Use this option to enable the content security service Services Content Security Specify the content security service provider's URL here You must p
118. Wave 7 4 Configuration Guide 0510904 05 December 2011
Contents
Document Audience and Organization
Note Caution and Warning Icons 7
Chapter 1 Dell PowerConnect W Configuration in AirWave 9
Requirements Restrictions and ArubaOS Support in AirWave 9
ArubaOS Support in AirWave 9
Overview of Dell PowerConnect W Configuration in AirWave 10
Device Setup > Dell PowerConnect W Configuration Page 11
Groups > Dell PowerConnect W Config Page With Global Configuration Enabled 12
Groups > Dell PowerConnect W Config When Global Configuration is Disabled 12
Dell PowerConnect W Configuration Sections in the Tree View 13
Dell PowerConnect W AP Groups Section 13
AP Overrides Section 14
119. a System DAS only CAUTION Using this parameter in normal operation may cause connectivity problems Rate Optimization for Delivering EAPOL Frames Enable rate optimization for delivering EAPOL frames Requires a minimum version of 6 1 0 0 Advertise QBSS Load IE Enables the advertising of Quality of service BSS in the load element The element includes the following parameters that provide information on the traffic situation Station count The total number of stations associated to the QBSS Channel utilization The percentage of time normalized to 255 the channel is sensed to be busy The access point uses either the physical or the virtual carrier sense mechanism to sense a busy channel Available admission capacity The remaining amount of medium time measured as number of 32 µs/s available for a station via explicit admission control The QAP uses these parameters to decide whether to accept an admission control request A wireless station uses these parameters to choose the appropriate access points NOTE Ensure that wmm is enabled for legacy APs to advertise the QBSS load element For 802 11n APs ensure that either wmm or high throughput is enabled Requires a minimum version of 6 1 0 0 3 Select Add or Save The added or edited profile appears on the Profiles > SSID page Profiles > SSID > EDCA AP Wireless Multimedia WMM provides media access prioritization through Enhanced Distributed Channel Access EDCA ED
120. acceptable coverage levels transmission power and noise thresholds In most network environments ARM does not need any adjustments from its factory configured settings However if you are using VoIP or have unusually high security requirements you may want to manually adjust the ARM thresholds Refer to Profiles > RF > 802 11a g Radio > ARM on page 113 HT Radio Manages high throughput 802 11n radio settings for 802 11n capable APs A high throughput profile determines 40 MHz tolerance settings and controls whether or not APs using this profile will advertise intolerance of 40 MHz operation This option is disabled by default allowing 40 MHz operation Refer to Profiles > RF > 802 11a g Radio > HT Radio on page 116 Spectrum Defines AP radio settings for spectrum analysis on specific Dell PowerConnect W AP models that can examine the RF environment in which the Wi Fi network is operating identify interference and classify its sources Refer to Profiles > RF > 802 11a g Radio > Spectrum on page 117 Event Thresholds Defines error event conditions based on a customizable percentage of low speed frames non unicast frames or fragmented retry or error frames Profiles > RF > Event Thresholds on page 118 Optimization Enables or disables load balancing based on a user defined number of client
121. acons or probe response with the requested SSID and BSSID into a measurement report NOTE If a station does not support the selected measurement mode it returns a Beacon Measurement Report with the Incapable bit set in the Measurement Report Mode field Advertise 802 11K Capability Select this option to allow Virtual APs using this profile to advertise 802 11K capability This feature is disabled by default Forcefully Disassociate On hook Voice Clients Select this option to allow the AP to forcefully disassociate on hook voice clients (clients that are not on a call) after period of inactivity Without the forced disassociation feature if an AP has reached its call admission control limits and an on hook voice client wants to start a new call that client may be denied If forced disassociation is enabled those clients can associate to a neighboring AP that can fulfil their QoS requirements This feature is disabled by default 3 Select Add or Save The added or edited profile appears on the 802 11K page and on the details page Security Dell PowerConnect W Series Configuration supports user roles policies server groups and additional security parameters with profiles that are listed in the Security portion of the navigation pane on the Dell PowerConnect W Configuration page as illustrated in Figure 25 Figure 25 Security Components in Del
122. age 57 802 1X Auth Displays the 802 1X Auth profiles that are referenced by the user role Refer to Profiles > AAA > Advanced Authentication on page 56 Stateful 802 1X Auth Displays the Stateful 802 1X Auth profiles that are referenced by the user role Refer to Profiles > AAA > Stateful 802 1X Auth on page 65 VPN Auth Displays the VPN Auth profiles that are referenced by the user role Refer to Profiles > AAA > Combined VPN Auth on page 66 Folder Displays the folder that is associated with this User Role A Top viewable folder for the role is able to view all devices and groups contained by the top folder The top folder and its subfolders must contain all of the devices in any of the groups It can view Clicking any folder name takes you to the APs Devices > List page for folder inventory and configuration The Security > User Roles > Add New User Role page contains the following fields as described in Table 66 Table 66 Security > User Roles > Add New User Role Fields and Descriptions Field Default Description General Settings Blank Enter the name of the user role Other Settings Set the folder with which the User Role is associated The drop down menu displays all folders available for association with the profile Optional Select the Captive Portal Auth profile if any
123. agement scan activity when traffic is present Note that the Scanning setting in the ARM profile should be activated in Type of traffic which can be one of the following any This option specifies that this rule applies to any type of traffic tcp Using this option configure a range of TCP port s to match for the rule to be applied udp Using this option configure a range of UDP port s to match for the rule to be applied service Selecting this option creates a new field called Service underneath Service Type with a drop down list of pre defined services common protocols such as HTTPS HTTP and others as the protocol to match for the rule to be applied Select the pencil icon to edit the Netservice Profile refer to Security > Policies > Services on page 143 or the plus sign to create a new Netservice profile protocol Using this option specify a different layer 4 protocol other than TCP UDP by configuring the IP protocol value icmpv6 Use this option to configure ICMPv6 Requires IPv6 enabled order to be paused Refer to Profiles > RF > 802 11a g Radio > ARM Profile Settings on page 114 for this setting Blacklist user if ACL is Whether to blacklist any user applied TOS Value Value of type of service TOS bits to be marked in the IP header of a packet matching this rule when it leaves the controller 802 1p Priority None Specify 802 1p priority 0 7 Select
124. anage Page Illustration Partial Display [Figure: screenshot of a device Manage page showing the General Settings, Device Communication and Network Settings sections, including the SNMP community string and SNMPv3 credential fields]
125. as desired 802 11a Traffic Management Profile default Specify the minimum percentage of available bandwidth to be allocated to a specific SSID when there is congestion on the wireless network and sets the interval between bandwidth usage reports This setting pertains specifically to 802 11a 802 11g Traffic Management Profile default Specify the minimum percentage of available bandwidth to be allocated to a specific SSID when there is congestion on the wireless network and sets the interval between bandwidth usage reports This setting pertains specifically to 802 11g IDS Profile default Selects the IDS profile to be associated with the new AP Group The drop down menu contains these options ids disabled ids high setting ids low setting ids medium setting The IDS profiles configure the AP s Intrusion Detection System features which detect and disable rogue APs and other devices that can potentially disrupt network operations An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network An AP is considered to be an interfering AP if it is seen in the RF environment but is not connected to the wired network Select the pencil icon next to this field to display the Profiles > IDS page and adjust these settings as desired Mesh Radio Profile default Determines many of the settings used by mesh nodes to establish mesh links and the path to the mesh portal including the maxim
126. at appear in this section click Add a new WLAN or navigate to the WLANs section in the navigation pane on the left Table 2 Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups Details Settings and Default Values Continued Field Default Description Referenced Profiles 802 11a Radio Profile 802 11g Radio Profile RF Optimization Profile Event Thresholds Profile Wired AP Profile Ethernet Interface 0 Link Profile Ethernet Interface 1 Link Profile 2 4 am Defines AP radio settings for the 5 GHz frequency band including the Adaptive Radio Management ARM profile and the high throughput 802 11n radio profile Select the pencil icon next to this field to edit or create additional profile settings in the RF > 802 11a g Radio page of Dell PowerConnect W Configuration Defines AP radio settings for the 2 4 GHz frequency band including the Adaptive Radio Management ARM profile and the high throughput 802 11n radio profile Each 802 11a and 802 11b radio profile includes a reference to an Adaptive Radio Management ARM profile If you would like the ARM feature to select dynamically the best channel and transmission power for the radio verify that the 802 11a 802 11g radio profile references an active and enabled ARM profile If you want to manually select a channel for each AP group create separ
127. ate 802 11a and 802 11g profiles for each AP group and assign a different transmission channel for each profile The drop down menu displays these options default nchannel too high nchannel too low Select the pencil icon next to this field to edit profile settings in the RF > 802 11a g Radio page Enables or disables load balancing based on a user defined number of clients or degree of AP utilization on an AP Use this profile to detect coverage holes radio interference and STA association failures and configure Received signal strength indication RSSI metrics Select the pencil icon next to this field to display the Profiles > RF section and edit these settings as desired Defines error event conditions based on a customizable percentage of low speed frames non unicast frames or fragmented retry or error frames The drop down menu displays these options default all additional RF profiles currently configured in Dell PowerConnect W Configuration Select the pencil icon next to this field to display the Profiles > RF > Events Threshold section and edit these settings as desired Controls whether 802 11 frames are tunneled to the controller using Generic Routing Encapsulation GRE tunnels bridged into the local Ethernet LAN for remote APs or are configured for combination of the two split mode This profile also configures the switching mode characteristics for the port and sets the port as either trusted or un
128. ated The drop down menu displays all folders available for association with the profile Enter the name of the profile Other Settings Server Group default Select the AAA authentication server group Select the pencil icon to edit an existing server group or click the add icon to create a new server group Table 22 Profiles > AAA > WISPr Auth Profile Settings Continued Field Default Description Default Role Select the default role assigned to users that complete WISPr authentication Max Authentication Number of times a user can try to login with wrong credentials after which the user will be Failures blacklisted as a security threat Set to 0 to disable blacklisting otherwise enter a non zero integer to blacklist the user after the specified number of failures This setting requires a wireless intrusion protection license Define the minimum wait time for additional logon attempts If the controller s CPU utilization has surpassed the Logon Wait CPU utilization threshold value this wait parameter defines the minimum number of seconds a user will have to wait prior to retrying a login attempt The supported range is 1 to 10 seconds Logon Wait Minimum Wait Define the maximum wait time for additional logon attempts If the controller s CPU utilization has surpassed the Login wait CPU utilization threshold value this wait parameter def
129. ation option described in Table 51 on page 272 This tightens the authentication process further since both the device and user need to be authenticated When you enable machine authentication there are two additional roles you can define in the 802 1x authentication profile Machine authentication default machine role Machine authentication default user role While you can select the same role for both options you should define the roles as per the policies that need to be enforced Also these roles can be different from the 802 1x authentication default role configured in the AAA profile With machine authentication enabled the assigned role depends upon the success or failure of the machine and user authentications In certain cases the role that is ultimately assigned to a client can also depend upon attributes returned by the authentication server or server derivation rules configured on the controller This setting requires a policy enforcement firewall license Table 9 Profiles > AAA > 802 1x Auth Profile Settings Continued Field Default Blacklist on Machine Authentication Failure Machine Interval Between Identity Requests 1 65535 sec Quiet Period after Failed Authentication 1 65535 sec 86 400 seconds Reauthentication Interval 60 864000 sec Use Server Provided Reauthentication Interval Multicast Key Rotation 60 864000 sec Multicast Key
130. ation server is typically an EAP compliant Remote Access Dial In User Service RADIUS server which can authenticate either users through passwords or certificates or the client computer An example of an 802 1x authentication server is the Internet Authentication Service IAS in Windows see http technet2 microsoft com windowsserver en technologies ias mspx In Dell PowerConnect W user centric networks you can terminate the 802 1x authentication on the controller The controller passes user authentication to its internal database or to a backend non 802 1x server This feature also called AAA FastConnect is useful for deployments where an 802 1x EAP compliant RADIUS server is not available or required for authentication Perform these steps to configure an 802 1X Auth profile Select Profiles > AAA > 802 1x Auth in the navigation pane The details page summarizes the current profiles of this type Select the Add button to create a new 802 1x Auth profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 9 Table 9 Profiles > AAA > 802 1x Auth Profile Settings Field General Settings Description Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile
131. authorization profile that specifies which profile settings should be assigned to a remote AP that has been provisioned but not yet authenticated at the remote site By default these yet unauthorized APs are assigned the pre defined profile NoAuthApGroup This configuration allows the user to connect to an unauthorized remote AP via a wired port then enter a corporate username and password Once a valid user has authorized the AP the remote AP will be marked as authorized on the network The remote AP will then download the configuration assigned to that AP by its permanent AP group Perform these steps to configure an Authorization profile 1 Select Profiles > AP > Authorization in the navigation pane 2 Select the Add button to create a new profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 23 Table 23 Profiles > AP > Authorization Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Name Enter the name of the profile Referenced Profiles AP Authorization Group Designates the profile to reference Refer to Dell PowerConnect W AP Groups on page 35 3 Select Add or Save The added or edited profile appea
132. Table 83 Local Config > SNMP Management Profile Settings Continued Field Description Enable Trap Generation Enables generation of SNMP traps to configured SNMP trap receivers Engine ID Sets the SNMP server engine ID as a hexadecimal number 24 character maximum Inform Queue Length (100-350) Specify the length for the SNMP inform queue Default is 250 Use the controller s IP as source address Whether to use the IP address of the controller as the trap source address Trap Source IP Address Enter the source IP address for sending traps SNMP pe Hosts IP Address Enter the IP address of the trap host SNMP Version Configures the SNMP version as 1 2c or 3 If 2c is selected the Send Inform field appears at the bottom of this section If 3 is selected the SNMP User field will appear as a drop down menu containing any configured v3 users Select the plus icon to add them via the SNMP Management > SNMPv3 User profile Community String Configure the security string for notification messages Does not appear if SNMP Version is set to 3 UDP Port (1-65535) The port number to which trap notification messages are sent Default is 162
133. c reply Should this require more time than specified in this field the PPTP session times out PPP Authentication Enable or disable the MSCHAP authentication protocol for this PPTP profile MSCHAP PPP Authentication Yes Enable or disable the MSCHAPv2 authentication protocol for this PPTP profile MSCHAPv2 Name Primary DNS Server Enter the IP address of the primary DNS server Secondary DNS Server Enter the IP address of the secondary DNS server Primary WINS Server Enter the IP address of the primary Windows Internet Naming Service WINS server Secondary WINS Server Enter the IP address of the secondary WINS server Select Add to create the PPTP profile or click Save to preserve changes to an existing profile The PPTP profile appears on the Advanced Services > VPN Services > PPTP page Advanced Services > VPN Services > IPSEC The combination of Layer 2 Tunneling Protocol and Internet Protocol Security L2TP IPSec is a highly secure technology that enables VPN connections across public networks such as the Internet L2TP IPSec provides both a logical transport mechanism on which to transmit PPP frames as well as tunneling or encapsulation so that the PPP frames can be sent across an IP network L2TP IPSec relies on the PPP connection process to perform user authentication and protocol configuration With L2TP IPSec the user authentication process is encrypted using the Data Encryption Standard DES or Triple DE
134. cal controllers Local controllers retain settings such as the interfaces and global VLANs AirWave is aware of differences in what is pushed to master controllers and local controllers and automatically pushes all configurations to the appropriate controllers Thin AP provisioning is pushed to the controller to which a thin AP is connected You can determine additional details about what is specific to each controller by reviewing information on the Groups > Dell PowerConnect W Config page and the Groups > Monitor page for any specific AP that lists its master and standby master controller Pushing Device Configurations to Controllers When you add or edit device configurations you can push device configurations to controllers as follows Make device changes on the Dell PowerConnect W Configuration page and click Save and Apply If global configuration is enabled also make device changes on the Groups > Dell PowerConnect W Config page and click Save and Apply A device must be in Manage mode to push configurations in this way NOTE If you click Save and Apply when a device is in Monitor mode this initiates a verification process in which AirWave advises you of the latest mismatches Mismatches are viewable from the APs Devices > Mismatched page Additional Audit and Group pages list mismatched statuses for devices Normally devices are in Monitor mode It may be advisable in some circumstances to accumulate several c
135. cally the best channel and transmission power for the radio verify that the 802 11a 802 11g radio profile references an active and enabled ARM profile If you want to manually select a channel for each AP group create separate 802 11a and 802 11g profiles for each AP group and assign a different transmission channel for each profile The drop down menu displays these options default nchannel too high nchannel too low Select the pencil icon next to this field to edit or create additional profile settings in the RF > 802 11a g Radio page of Dell PowerConnect W Configuration Refer to Profiles > RF > 802 11a g Radio on page 109 Enables or disables load balancing based on a user defined number of clients or degree of AP utilization on an AP Use this profile to detect coverage holes radio interference and STA association failures and configure Received signal strength indication RSSI metrics Select the pencil icon next to this field to display the Profiles > RF section and edit these settings as desired Refer to Profiles > RF > 802 11a g Radio on page 109 Defines error event conditions based on a customizable percentage of low speed frames non unicast frames or fragmented retry or error frames The drop down menu displays these options default all additional RF profiles currently configured in Dell PowerConnect W Configuration Select the pencil icon next to this field to display the Profile
136. channel threshold signal strength If the value for this parameter is set to zero the feature will automatically determine an appropriate threshold Table 51 Profiles > RF > 802 11a g Profile Settings Continued Field Default Description Non 802 11 Level 2 When an AP attempts to decode a non 802 11 signal that attempt can momentarily Interference interrupt its ability to receive traffic The noise immunity feature can help improve network Immunity performance in environments with a high level of non 802 11 noise from devices such as Bluetooth headsets video monitors and cordless phones You can configure the noise immunity feature for any one of the following levels of noise sensitivity Note that increasing the level makes the AP slightly deaf to its surroundings causing the AP to lose a small amount of range Level 0 no ANI adaptation Level 1 Noise immunity only This level enables power based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet Level 2 Noise and spur immunity This level also controls the detection of OFDM packets and is the default setting for the Noise Immunity feature Level 3 Level 2 settings and weak OFDM immunity This level minimizes false detects on the radio due to interference but may also reduce radio sensitivity This level is recommended for environments with a high level of interfer
137. configuration as follows Set Type Select whether the rule is based on role or VLAN Table 82 Security > User Rules > Add Edit User Rules Fields and Descriptions Continued Field Default Description Rule Type Select one of the following options from the drop down menu Your selection in this field changes an ensuing field that must be completed as follows bssid Selecting this option displays the BSSID field below Specify the BSSID in text dhcp option 77 Selecting this option displays the DHCP Option 77 field below Enter this information in text encryption type Selecting this option displays the Encryption Type field below in which you must select the encryption type from the drop down menu Select open static wep or another encryption type from the drop down menu essid Selecting this option displays ESSID field below in which you enter the ESSID in text location Selecting this option displays the Location field below in which you enter the location in text macaddr Selecting this option displays the MAC Address field below in which you must enter the MAC address User Role VLAN If you selected role for the Set Type field above then select the specific user role from this drop down menu If you selected VLAN for the Set Type field above then select the specific VLAN from this drop down menu Local Config of SNM
138. controller on the configured Native VLAN Packets received from the controller and sent out the port remain tagged unless the tag value in the packet is the Native VLAN in which case the tag is removed Define the Native VLAN in the Trunk mode native VLAN field and the other allowed VLANs in the Trunk mode allowed VLANs field Trunk Mode Allowed VLANs Define whether the trunk mode settings defined in additional fields of this profile are to allow VLANs The VLAN range is from 1 to 4094 Enter a list or a range of numbers The VLAN range is from 1 to 4096 You can enter a range of numbers specific numbers or a combination of range and specific VLAN numbers as desired Use this option if the wired port is a trusted port Yes Use this option if the wired port is a broadcast port 3 Select Add or Save The added or edited Wired profile appears on the Profiles page and on the Wired details page Profiles > IDS The IDS profiles configure the AP s Intrusion Detection System features which detect and disable rogue APs and other devices that can potentially disrupt network operations An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network An AP is considered to be an interfering AP if it is seen in the RF environment but is not connected to the wired network The top level IDS profile assigned t
139. create the VPN Services > IKE profile or click Save to retain the changes to an existing IKE profile The profile appears on the Advanced Services > VPN Services > IKE page Advanced Services > VPN Services > IKE > IKE Policy Navigate to Advanced Services > VPN Services > IKE > IKE Policy page to add a new IKE policy as follows Table 89 Advanced Services > VPN Services > IKE > IKE Policy Fields and Descriptions Field Default Description General Settings Folder Top Set the folder with which the IKE policy profile is associated The drop down menu displays all folders available for association with the IKE Policy profile Table 89 Advanced Services > VPN Services > IKE > IKE Policy Fields and Descriptions Continued Field Default Description Enter the priority number of this IKE policy Other Settings From the drop down menu select the encryption type to be supported in the IKE policy DES 3DES AES128 AES192 AES256 Encryption Hash Algorithm Select the hash algorithm for this IKE policy MD5 SHA SHA1 96 SHA2 256 128 SHA2 384 192 NOTE SHA2 256 128 and SHA2 384 192 require an Advanced Cryptography license and a minimum version of 6 1 0 0 Authentication ArubaOS VPNs support client authentication using pre shared keys RSA digital certificates or Elliptic Curve Di
140. ct access or trunk. These options only apply to bridge mode configurations. Access mode forwards untagged packets received on the port to the controller, and they appear on the configured access mode VLAN. Tagged packets are dropped. All packets received from the controller and sent via this port are untagged. Define the access mode VLAN in the Access mode VLAN field. Trunk mode contains a list of allowed VLANs. Any packet received on the port that is tagged with an allowed VLAN is forwarded to the controller. Untagged packets are forwarded to the controller on the configured Native VLAN. Packets received from the controller and sent out the port remain tagged unless the tag value in the packet is the Native VLAN, in which case the tag is removed. Define the Native VLAN in the Trunk mode native VLAN field and the other allowed VLANs in the Trunk mode allowed VLANs field. Name. Access Mode VLAN (1-4096): Access mode forwards untagged packets received on the port to the controller, and they appear on the configured access mode VLAN. Tagged packets are dropped. All packets received from the controller and sent via this port are untagged. Define the access mode VLAN in the Access mode VLAN field. The VLAN range is from 1 to 4096. Trunk Mode Native VLAN (1-4096): Trunk mode contains a list of allowed VLANs. Any packet received on the port that is tagged with an allowed VLAN is forwarded to the controller. Untagged packets are forwarded to the
141. d Default Description. General Settings. Folder (default: Top): Set the folder with which the L2TP profile is associated. The drop-down menu displays all folders available for association with the L2TP profile. Name: Enter the name of the L2TP profile. Other Settings. Enable L2TP: Enable or disable this L2TP profile. PPP Authentication Modes: Select one or more authentication modes to support this L2TP profile. Primary DNS Server: Enter the IP address of the primary DNS server. Secondary DNS Server: Enter the IP address of the secondary DNS server. Primary WINS Server: Enter the IP address of the primary Windows Internet Naming Service (WINS) server. Secondary WINS Server: Enter the IP address of the secondary WINS server. Hello Timeout (10-1440 secs): Enter the time in seconds at which L2TP authentication times out. SecurID Token Persistence Timeout (15-10080 mins): Enter the time in minutes at which the SecurID Token expires, requiring reauthentication. Select Add to complete the L2TP profile, or click Save to retain changes to an existing L2TP profile. Advanced Services > VPN Services > PPTP: Point-to-Point Tunneling Protocol (PPTP) is an alternative to L2TP/IPSec. Like L2TP/IPSec, PPTP provides a logical transport mechanism to send PPP frames as well as tunneling, or encapsulation, so that the PPP frames can be sent across an IP network. PPTP relies on the PPP connection process to perform user authentication and protocol configu
142. d on APs configured with this EDCA profile. 3. Select Add or Save. The added or edited profile appears on the Profiles > SSID > EDCA Station page. ACM. Profiles > SSID > HT SSID: High-throughput (HT) APs support additional settings not available in legacy APs. A mesh high-throughput SSID profile can enable or disable high-throughput (802.11n) features and 40 MHz channel usage, and define values for aggregated MAC protocol data units (MPDUs) and Modulation and Coding Scheme (MCS) ranges. Dell PowerConnect W provides a default version of the mesh high-throughput SSID profile. You can use the default version or create a new instance of a profile, which you can then edit as you need. High-throughput mesh nodes operating in different cluster profiles can share the same high-throughput SSID radio profile. The mesh high-throughput SSID profile defines settings unique to 802.11n-capable, high-throughput APs. If none of the APs in your mesh deployment are 802.11n-capable APs, you do not need to configure a high-throughput SSID profile. If you modify a currently provisioned and running high-throughput SSID profile, your changes take effect immediately. You do not reboot the controller or the AP. Perform these steps to create or edit HT SSID profiles: 1. Select Profiles > SSID > HT SSID in the navigation pane. 2. Select the Add but
143. default role. You can create groups of servers for specific types of authentication. For example, you can specify one or more RADIUS servers to be used for 802.1x authentication. The list of servers in a server group is an ordered list. This means that the first server in the list is always used unless it is unavailable, in which case the next server in the list is used. You can configure servers of different types in one group; for example, you can include the internal database as a backup to a RADIUS server. Server names are unique. You can configure the same server in multiple server groups. You must configure the server before you can add it to a server group. Adding a New Server Group: The server group is assigned to the server group for 802.1x authentication. To create a new server group, click the Add button, or to edit an existing group, click the pencil icon next to that group. The Add New Server Group page appears and contains the following fields, as described in Table 72. Table 72: Security > Server Groups > Add or Edit Server Group Fields and Descriptions (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the server is associated. The drop-down menu displays all folders available for association with the server group. Blank: Enter the name of the server group. Fail Through: Enable or disable a fa
144. dered idle if there is no user traffic from the client. The timeout period is reset if there is user traffic. After this timeout period has elapsed, the controller sends probe packets to the client; if the client responds to the probe, it is considered active and the User Idle Timeout is reset (an active client that is not initiating new sessions is not removed). If the client does not respond to the probe, it is removed from the system. Range: 30 to 15300 seconds. User Stats Timeout: Set the timeout value for user stats reporting in seconds. The supported range is 300-600 seconds, or 5-10 minutes, and the default value is 600 seconds. Requires a minimum version of 6.1.0.0. Fast Aging of Multiple Instances of User: When this feature is enabled, the controller actively sends probe packets to all users with the same MAC address but different IP addresses. The users that fail to respond are purged from the system. This command enables quick detection of multiple instances of the same MAC address in the user table and removal of an old IP address. This can occur when a client or an AP connected to an untrusted port on the controller changes its IP address. Table 10: Profiles > AAA > Advanced Authentication Profile Settings (Continued). Dead Time for down (default: 10 minutes): Maximum period, in minutes, that the controller considers an un
145. des a summary of topics supporting these settings. Table 95: Information Resources for the Groups > List > Dell PowerConnect W Config Page (Section; Additional Information Available In These Locations). Dell PowerConnect W AP Groups Section: Dell PowerConnect W AP Groups on page 35; General Dell PowerConnect W AP Groups Procedures and Guidelines on page 2; Setting Up Initial Dell PowerConnect W Configuration on page 21. AP Overrides: AP Overrides on page 39; AP Overrides Guidelines on page 30. Dell PowerConnect W User Roles: Security > User Roles on page 135; Visibility in Dell PowerConnect W Configuration on page 33. Dell PowerConnect W Policies: Security > Policies on page 141; Visibility in Dell PowerConnect W Configuration on page 33.
146. desk personnel who deploy ArubaOS on the network and wish to manage it with Dell PowerConnect W AirWave 7 4 Dell PowerConnect W AirWave 7 4 versions 6 3 and later support Dell PowerConnect Configuration 2 NOTE Dell PowerConnect W Series AirWave Wireless Management Suite AWMS AirWave and AirWave Management Platform AMP refer to the same product set and are used interchangeably This document provides instructions for using Dell PowerConnect W Configuration and contains the following chapters Table 1 Document Organization and Purposes Chapter Description Chapter 1 Dell PowerConnect W Introduces the concepts components navigation and initial setup of Dell Configuration in AirWave on page 9 Configuration Chapter 2 Using Dell PowerConnect W Provides a series of procedures for configuring modifying and using Dell Configuration in Daily Operations on Configuration once initial setup is complete This chapter is oriented around the page 2 most common tasks in Dell Configuration Appendix A Configuration Reference on Provides an encyclopedic reference to the fields settings and default values of page 37 all Dell Configuration components to include a few additional procedures Supporting more advanced configurations Note Caution and Warning Icons This document uses the following note caution and warning icons to emphasize advisories for certain actions configurations or concepts K NOTE Indicat
147. devices connecting the AP s Authentication To wired port The supported range is 1 65535 seconds Bridge Role Succeed 3 Select Add or Save The added or edited Wired Port profile appears on the Profiles page and on the Wired Port details page Profiles gt AP gt Wired The wired AP profile controls the configuration of the Ethernet port s on your AP You can use the wired AP profile to configure Ethernet ports for bridging or secure jack operation using the wired AP profile 80 Configuration Reference Dell PowerConnect W AirWave 7 4 Configuration Guide Perform these steps to configure a Wired profile l Select Profiles gt AP gt Wired in the navigation pane This page summarizes the current profiles of this type 2 Select the Add button to create a new Wired profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 31 Table 31 Profiles gt AP gt Wired Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Blank Enter the name of the profile Other Settings Wired AP Enable Designate whether Wired APs are to be enabled or disabled Forward Mode tunnel If Wired AP is enabled designate whether forwarding Is to be bridge based or tunnel based or split tunnel Switchport Mode Access Sele
148. ds the configured low watermark the system generates an alert Defining 0 disables this function Sets a high percentage watermark for frame receive errors When the percentage of errors in received frames exceeds the configured high watermark the system generates an alert Defining 0 disables this function Frame Receive Error Rate High Watermark Sets a low percentage watermark for frame receive errors When the percentage of errors in received frames exceeds the configured low watermark the system generates an alert Defining 0 disables this function Frame Receive Error Rate Low Watermark Frame Retry Rate Sets a high percentage watermark for frame retry levels When the percentage of frame retries exceeds the configured high watermark the system generates an alert Defining 0 disables this function High Watermark Frame Retry Rate Low Watermark Sets a low percentage watermark for frame retry levels When the percentage of frame retries exceeds the configured low watermark the system generates an alert Defining 0 disables this function 3 Select Add or Save The added or edited profile appears on the Profiles gt RF gt Event Thresholds page Dell PowerConnect W AirWave 7 4 Configuration Guide Configuration Reference 119 Profiles gt RF gt Optimization The RF Optimization profile enables or disables load balancing based on a user defined number of clients or degree of AP utilization on an AP Use this
149. e Profiles gt AAA gt WISPr Auth The Wireless Internet Service Provider roaming WISPr protocol allows users to roam between service providers A RADIUS server is used to authenticate subscriber credentials AOS supports stateful 802 1x authentication stateful NTLM authentication and authentication for Wireless Internet Service Provider roaming WISPr Stateful authentication differs from 802 1x authentication in that the controller does not manage the authentication process directly but monitors the authentication messages between a user and an external authentication server and then assigns a role to that user based upon the information in those authentication messages WISPr authentication allows clients to roam between hotspots using different ISPs Refer to the Dell PowerConnect W Series ArubaOS User Guide at support dell com manuals for additional information about stateful NTLM and WISPr authentication Perform these steps to configure a WISPr Auth profile l Select Profiles gt AAA gt WISPr Auth in the navigation pane The details page summarizes the current profiles of this type 2 Select the Add button to create a new Stateful NTLM Auth profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 22 Table 22 Profiles gt AAA gt WISPr Auth Profile Settings Field Default Description General Settings Folder Set the folder with which the profile is associ
150. e Note You have unapplied Dell PowerConnect W Configuration changes You must click Save and Apply to make them take effect Save and Apply This button saves and applies the configuration with reference to Manage and Monitor modes For example you must click Save and Apply for a configuration profile to propagate to all controllers in Manage mode If you have controllers in Monitor Only mode AMP audits them comparing their current configuration with the new desired configuration For additional information and instructions about using Manage and Monitor Only modes refer to Pushing Device Configurations to Controllers on page 29 Revert This button cancels out of a new configuration or reverts back to the last saved configuration Additional Concepts and Benefits Scheduling Configuration Changes You can schedule deployment of Dell PowerConnect W Configuration to minimize impact on network performance For example configuration changes can be accumulated over time by using Save and Apply for devices in Monitor Only mode then pushing all configuration changes at one time by putting devices in Manage mode Refer to Pushing Device Configurations to Controllers on page 29 Vi NOTE If your controllers are already in Manage mode you can also schedule the application of a single set of changes when clicking Save and Apply just enter the date time under Scheduling Options and click Schedule Dell PowerConnect W AirWave 7 4 pus
151. e 4 AP Overrides Add or Edit Page Fields Continued Field Default Description Excluded Mesh Cluster Profiles Excluded Mesh Cluster If required select one or more Mesh Cluster profiles from this field This field can Profiles display all Mesh Cluster profiles or can display only selected Mesh Cluster profiles For additional information about Mesh Cluster profiles refer to Profiles gt QoS on page 104 Select Add to complete the creation of the new AP Overrides profile or click Save to preserve changes to an existing AP Overrides profile The AP Overrides page and the navigation pane display the name of the AP Overrides profile WLANs Overview of WLANs Configuration You have a wide variety of options for authentication encryption access management and user rights when you configure a WLAN However you must configure the following basic elements An SSID that uniquely identifies the WLAN Layer 2 authentication to protect against unauthorized access to the WLAN Layer 2 encryption to ensure the privacy and confidentiality of the data transmitted to and from the network A user role and virtual local area network VLAN for the authenticated client For more information refer to the Dell PowerConnect W Series ArubaOS User Guide at support dell com manuals Use the following guidelines when configuring and using WLANs in Dell PowerConnect W Configuration The Device Setup gt Dell PowerConnect W Configuration navigati
152. e Agent Replay Protection Time Value (0-300 sec): Define the time period over which message replay is to be detected. Message replay detects if a message that is intended for a client has been intercepted and replayed. This setting defines how long replay detection is to monitor for replay. Maximum Number of Active Bindings (0-5000): Define the maximum number of bindings in which the home agent network is to support a client when the client is out of range of the network or otherwise disconnected. Proxy Mobile IP. Trigger Mobility on Station Association (default: Yes): Enable this setting to trigger client mobility processing on the network once a client has associated to the network in mobile fashion. The proxy mobile IP module in a mobility-enabled controller detects when a mobile client has moved to a foreign network and determines the home agent for a roaming client. The proxy mobile IP module performs the following functions: Derives the address of the home agent for a mobile client from the HAT using the mobile client's IP address. If there is more than one possible home agent for a mobile client in the HAT, the proxy mobile IP module uses a discovery mechanism to find the current home agent for the client. Detects when a mobile client has moved. Client moves are detected based on ingress port and VLAN changes, and mobility is triggered accordingly. For faster roaming convergence between APs on the same controller, it is reco
153. e Setup gt Dell PowerConnect W Configuration tree navigation the same sections listed in the previous bullet are available but the Groups gt Dell PowerConnect W Config pages do not display the Folder as a column in the list tables or as a field in the individual profiles Groups gt Dell PowerConnect W Config When Global Configuration is Disabled this page modifies or reboots all devices when Global Dell PowerConnect W Configuration is enabled APs Devices gt Manage Page supports device level settings and changes in AirWave APs Devices gt Monitor Page supports device level monitoring in AirWave APs Devices gt Audit Page supports device level configuration importing in AMP Groups gt Basic Page For device groups containing Dell PowerConnect W devices basic information such as the group s name regulatory domain the use of Global Groups SNMP Polling periods and turning on the Dell PowerConnect W GUI Config are managed here Device Setup gt Dell PowerConnect W Configuration Page K NOTE This page is not available if Use Global Dell PowerConnect W Configuration is disabled in AMP Setup gt General The Device Setup gt Dell PowerConnect W Configuration page uses an expandable navigation pane to support Dell PowerConnect W AP Groups AP Overrides WLANs Profiles Security Local Config and Advanced Services Each of these sections is summarized in Dell PowerConnect W Configuration Sections in the Tree View
154. e bootstrap threshold to 30 if the network experiences packet loss This makes the AP recover more slowly in the event of a failure but it will be more tolerant to heartbeat packet loss The default maximum request retries and bootstrap threshold settings are recommended for most mesh networks however if you must keep your mesh network alive you can modify the settings as described in this section The modified settings are not applicable if mesh portals are directly connected to the controller Request Retry Interval Enter in seconds the amount of time for retries The supported range is from 1 to 65 535 seconds Maximum Request Maximum number of times to retry AP generated requests The default is 10 times Retries If you must modify this setting the recommended value is 10 000 The supported range is from 1 to 65 535 Keepalive Interval 30 oa Define the keepalive interval in a range of 30 to 65 535 seconds 65535 Dump Server Enter the IP address for the dump server Tenet f Enables Telnet in this system profile SNMP Sys contact Enter an IP address to the value for SNMP sys_ contact the SNMP system Sys location RFprotect Server IP Enter the IP address of the RFprotect server RFprotect Backup Enter an IP address Server IP When a Dell PowerConnect W controller is present in a Dell PowerConnect W RFprotect system a Dell PowerConnect W AP that is acting as an RFprotect sensor can be configured and managed from the controller
155. e is central to defining Dell PowerConnect W AP Groups, to viewing the AMP groups with which a Dell PowerConnect W AP Group is associated, changing or deleting Dell PowerConnect W AP Groups, and assigning AP devices to a Dell PowerConnect W AP Group. Configuring Dell PowerConnect W AP Groups: Perform the following steps to display, add, edit, or delete Dell PowerConnect W AP Groups in Dell PowerConnect W Configuration. 1. Browse to the Dell PowerConnect W Configuration page and click the AP Groups heading in the navigation pane on the left. The Groups Summary page appears and displays all current Dell PowerConnect W AP Groups. 2. To add a new group, click the Add AP Group button. To edit an existing group, click the pencil icon next to the group name. The Details page appears with current or default configurations. The settings on this page are described in Dell PowerConnect W AP Groups on page 37. 3. Click Add or Save to finish creating or editing the Dell PowerConnect W AP Group. Click Cancel to exit this screen and to cancel the AP Group configurations. 4. New AP groups appear in the AP Groups section of the Dell PowerConnect W Configuration navigation pane, and clicking the group name takes you to the Details page for that group. 5. When this and other procedures are completed, push the configuration to the Dell PowerConnect W controllers by clicking Save and Apply. The principles of Monitor and Manage mode still apply. For addi
156. e message Enable Fast Leave Enable or disables fast leave You can enable this setting to improve bandwidth ae management Enable Igmp Snooping Proxy No Enable or disable the IGMP Snooping proxy Last member query count 1 5 Specify the number of IGMP queries in response to host leave message Startup query count 1 10 Specify the number of queries to be sent at startup Query response interval 1 25 sec Specify the maximum query response time Query interval 1 18000 sec Specify the periodic interval at which queries are sent Startup query interval 1 18000 Specify the interval at which startup queries should be sent sec Enable Igmp Snooping Enable or disable IGMP snooping Robustness variable 1 7 Specify the expected IGMP packet loss on a congested network 3 Select Add or Save The added or edited profile appears on the Mobility Switch page and on the details page Profiles gt Mobility Switch gt Ethernet Link Use the Ethernet Link profile to configure autonegotiation duplex speed and flow control for the port Creating an Ethernet Link profile does not apply the configuration to any interface or interface group Perform these steps to configure a Mobility Switch gt Ethernet Link profile l Select Profiles gt Mobility Switch gt Ethernet Link in the Navigation pane The details page summarizes the current profiles of this type 2 Select the Add button to create a new Ethernet Link profile or sel
157. e name of the Dell PowerConnect W AP Group to view and edit, and navigate to the Dell PowerConnect W Config page illustrated in Figure 26. Figure 26: Groups > List > Dell PowerConnect W Config Page Illustration for a Dell PowerConnect W AP Group. 3. Complete the profile assignments on this page, referring to additional topics in this appendix for additional information. Table 95 provi
158. e settings as described in Table 51 Table 51 Profiles gt RF gt 802 11a g Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Enter the name of the threshold profile Referenced Profiles Adaptive Radio Default Select an ARM profile from the drop down menu to define ARM settings for your 802 11a g Management ARM radio profile Select the pencil icon to edit an existing ARM profile or click the plus sign to Profile create a new ARM profile You are directed to the ARM Profile setup page Once you have configured this referenced ARM profile AirWave returns you to the 802 11a g radio profile page For additional ARM profile information refer to Profiles gt RF gt 802 11a g Radio gt ARM on page 113 Spectrum Profile Select a profile to define settings for Spectrum scanning Select the pencil icon to edit an existing Spectrum profile or click the plus sign to create a new AM Scanning profile You are directed to the Spectrum Profile setup page NOTE AMP displays an error message if you try to select an incompatible spectrum profile A 2ghz spectrum band profile cannot be referenced by an 802 11a profile and vice versa Dell PowerConnect W AirWave 7 4 Configuration Guide Configuration Reference 109 Table 51 Profiles gt RF gt 802 11a g Profile Settings Co
159. earlier than 6 0 0 0 Remote AP DHCP Lease Time The E 164 Country Code section of the WISPr Location ID Requires a minimum version of 5 0 0 0 and a version earlier than 6 0 0 0 The E 164 Area Code section of the WISPr Location ID Requires a minimum version of 5 0 0 0 and a version earlier than 6 0 0 0 WISPr Operator Name A name identifying the hotspot operator Requires a minimum version of 5 0 0 0 and a version earlier than 6 0 0 0 WISPr Location Name A name identifying the hotspot location If no name is defined the parameter will use the name of the AP to which the user has associated Requires a minimum version of 5 0 0 0 and a version earlier than 6 0 0 0 Dell PowerConnect W AirWave 7 4 Configuration Guide Configuration Reference 79 3 Select Add or Save The added or edited System profile appears on the System profiles list page Profiles gt AP gt Wired Port APs with multiple wired Ethernet ports include a wired port profile that can enable or disable the wired port define an AAA profile for wired port devices and associate the port with an ethernet link profile that defines its speed and duplex values Perform these steps to configure a Wired Port profile l Select Profiles gt AP gt Wired Port in the navigation pane This page summarizes the current profiles of this type 2 Select the Add button to create a new Wired Port profile or click the pencil icon next to an existing profile to
160. ec is a highly secure technology that enables VPN connections across public networks such as the Internet. L2TP/IPSec provides both a logical transport mechanism on which to transmit PPP frames as well as tunneling, or encapsulation, so that the PPP frames can be sent across an IP network. L2TP/IPSec relies on the PPP connection process to perform user authentication and protocol configuration. With L2TP/IPSec, the user authentication process is encrypted using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm. L2TP/IPSec requires two levels of authentication: Computer-level authentication with a preshared key to create the IPSec security associations (SAs) to protect the L2TP-encapsulated data. User-level authentication through a PPP-based authentication protocol using passwords, SecurID, digital certificates, or smart cards after successful creation of the SAs. Navigate to Advanced Services > VPN Services > L2TP from the navigation page. This page lists all L2TP profiles that are currently available. Select Add to create a new L2TP profile, or click the pencil icon next to an existing profile to modify settings. The Advanced Services > VPN Services > L2TP Add/Edit Details page contains the following fields, as described in Table 90. Table 90: Advanced Services > VPN Services > L2TP Add/Edit Details Fields and Descriptions. Fiel
161. ect Add to create a new Transform Set or click the pencil icon next to an existing Transform Set to modify settings The Add Edit Details page contains the following fields as described in Table 94 Table 94 Advanced Services gt VPN Services gt IPSEC gt Dynamic Map gt Transform Set Add Edit Details Fields and Descriptions Field Default Description General Settings Folder Top Set the folder with which the Transform Set is associated The drop down menu displays all folders available for association with the Transform Set Other Settings 168 bit 3DES CBC Select the encryption for the transform set from the drop down menu Hash Algorithm SHA HMAC Variant Select the hash algorithm from the drop down menu 168 Configuration Reference Dell PowerConnect W AirWave 7 4 Configuration Guide Select Add to create the new Transform Set or click Save if editing an existing Transform Set The Transform Set is available for reference by Dynamic Maps in support of IPSEC profiles and VPN services Groups gt Dell PowerConnect W Config Page and Section Information With Global Dell PowerConnect W Configuration enabled in AMP Setup gt General create Dell PowerConnect W AP Groups with the Device Setup gt Dell PowerConnect W Configuration page as described in earlier in this document To view and edit profile assignments for Dell PowerConnect W AP Groups perform these steps l Navigate to the Groups gt List page 2 Select th
162. ect W AP Groups Traffic Traffic Management Lists Traffic Lists Traffic Management profiles that are currently configured and deployed on the WLAN profiles that are currently configured and deployed on the WLAN in ke tr the folder for the WLAN You can create new WLANs from this page by clicking the Add button You can edit an existing WLAN by clicking the pencil icon for that WLAN You have two pages by which to create or edit WLANs the Basic page and the Advanced page The remainder of this section describes these two pages WLANSs gt Basic From the Dell PowerConnect W Configuration gt WLANs page click Add to create a new WLAN or click the pencil icon to edit an existing WLAN then click Basic This page provides a streamlined way to create or edit a WLAN Table 6 describes the fields for this page Table 6 WLANs gt Basic Page Fields and Descriptions Field Default Description Folder Top Displays the folder with which the WLAN is associated The drop down menu displays all folders available for association with the WLAN SSID Select the SSID profile that defines encryption EDCA or high throughput SSID parameters Access these SSID profiles by clicking Profiles gt SSID in the navigation pane Refer to Profiles gt SSID on page 122 or mm fl espen Use Captive Portal Select whether this WLAN will use captive portal authentication Captive portal authentication directs clients to a special web page that t
163. ect W Series controllers No additional software or configuration is required on wireless clients to allow roaming within the domain Before configuring a mobility domain you should determine the user VLAN s for which mobility is required For example you may want to allow employees to be able to roam from one subnetwork to another All controllers that support the VLANs into which employee users can be placed should be part of the same mobility domain A controller can be part of multiple mobility domains although it is recommended that a controller belong to only one domain The controllers in a mobility domain do not need to be managed by the same master controller You configure a mobility domain on a master controller the mobility domain information is pushed to all local controllers that are managed by the same master controller On each controller you must specify the active domain the domain to which the controller belongs If you do not specify the active domain the controller will be assigned to a predefined default domain Although you configure a mobility domain on a master controller the master controller does not need to be a member of the mobility domain For example you could set up a mobility domain that contains only local controllers you still need to configure the mobility domain on the master controller that manages the local Dell PowerConnect W AirWave 7 4 Configuration Guide Configuration Reference 157 c
164. ect the pencil icon next to an existing profile to edit Complete the settings as described in Table 45 Table 45 Profiles > Mobility Switch > Ethernet Link Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Other Settings Autonegotiation Disabled Enables auto negotiation of port speed Enter the name of the profile Table 45 Profiles > Mobility Switch > Ethernet Link Profile Settings Continued Default Description Auto Sets the duplex to one of the following parameters Auto Configures auto mode full Configures full duplex mode half Configures half duplex mode Speed Mbps Sets the speed to one of the following parameters Auto Negotiates bandwidth dynamically between 10 and 1000 10000 10 10 Mbps 100 100 Mbps 10m_100m 10 to 100 Mbps 1000 1 Gbps 10000 10 Gbps Flow Control Sets the flow control to one of the following parameters Auto Configures auto mode lossless configures lossless mode on configures on mode off configures off mode 3 Select Add or Save The added or edited profile appears on the Mobility Switch page and on the details page Profiles > Mobility Switch > Port Switching Port Switching creates a switch
165. ed Beacon Period Define the beacon period supporting mesh profiles as described for the fields 60 999999 msec immediately above Transmit Power Define the transmission power supporting mesh profiles as described for the portal 0 30 dBm channel settings immediately above This setting supports a range from 0 to 30 dBm Retry Limit 0 15 Indicate the number of times a mesh node can re send a packet This setting supports a range from 0 to 15 Table 42 Profiles > Mesh > Radio Profile Settings Continued Default Description RTS Threshold 2333 Define the packet size sent by mesh nodes Mesh nodes transmitting frames larger 256 2346 bytes than this threshold must issue request to send RTS and wait for other mesh nodes to respond with clear to send CTS to begin transmission This helps prevent mid air collisions The supported range is from 256 to 2346 bytes 802 11a Transmit Rates All selected Indicate the transmit rates for the 802 11a radio The AP attempts to use the highest transmission rate to establish a mesh link If a rate is unavailable the AP goes through the list and uses the next highest rate 802 11g Transmit Rates All selected Indicate the transmit rates for the 802 11g radio The AP attempts to use the highest transmission rate to establish a mesh link If a rate is unavailable the AP goes through the list and
166. edia WLAN client power The WLAN client transmits frames that trigger the forwarding of data U APSD frames for a client that has been buffered at the AP for power saving purposes Powersave WMM TSPEC A WMM client can send a Traffic Specification TSPEC signaling request to the AP before Min Inactivity sending traffic of a specific AC type such as voice You can configure the controller so that Interval the TSPEC signaling request from a client is ignored if the underlying voice call is not active this feature is disabled by default If you enable this feature you can also configure the number of seconds that a client must wait to start the call after sending the TSPEC request the default is one second You enable TSPEC signaling enforcement in the VoIP Call Admission Control profile The supported range is 0 to 3 600 000 milliseconds DSCP Mapping Specify Differentiated Services Code Point DSCP mapping for wireless multimedia voice for WMM Voice admission control The supported range is 0 to 63 AC The IEEE 802 11e standard defines the mapping between WMM ACs and DSCP tags The WMM AC mapping setting allows you to customize the mapping between WMM ACs and DSCP tags to prioritize various traffic types voice video best effort and background DSCP Mapping Specify DSCP mapping for wireless multimedia video admission control The supported for WMM Video range is 0 to 63 AC 124 Configuration Reference Dell PowerConnect W AirWave 7
167. edit Complete the settings as described in Table 30 Table 30 Profiles > AP > Wired Port Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Name Enter the name of the profile Referenced Profiles Wired AP Profile default Profile that defines wired port settings for APs assigned to the AP group Refer to Profiles > AP > Wired on page 80 Ethernet Interface Link default Specify an ethernet link profile to be used by devices connecting to the AP s wired port Profile profile This profile defines the duplex value and speed to be used by the port AAA Profile Name of an AAA profile to be used by devices connecting to the AP s wired port Refer to Profiles > AAA Overview on page 48 Other Settings Shut down No Whether to disable the wired AP port Remote AP Backup Y Select the Remote AP Backup checkbox to use the wired port on a Remote AP for local connectivity and troubleshooting when the AP cannot reach the controller If the AP is not connected to the controller no firewall policies will be applied when this option is enabled The AAA profile will only be applied when the AP is connected to controller Role that is assigned to a user if split tunnel authentication fails Time To Wait for 20 Authentication timeout value in seconds for
168. en 0 and Opportunity Slots in 32 the CW value The AC with the lowest backoff time is granted the opportunity to transmit usec Units TXOP Frames with the highest priority AC are more likely to get TXOP as they tend to have the lowest backoff times a result of having smaller AIFSN and CW parameter values The value of the CW varies through time as the CW doubles after each collision up to the maximum CW The CW is reset to the minimum value after successful transmission In addition you can configure the TXOP duration for each AC ACM Define whether or not admission control mandatory ACM is to be supported on APs configured with this EDCA profile 3 Select Add or Save The added or edited profile appears on the Profiles > SSID > EDCA AP page Profiles > SSID > EDCA Station Wireless Multimedia WMM provides media access prioritization through Enhanced Distributed Channel Access EDCA EDCA defines four access categories ACs to prioritize traffic voice video best effort and background These ACs correspond to 802 1d priority tags as shown in Table 61 Table 61 WMM Access Categories and 802 1d Tags WMM Access Category Description 802 1d Tag Prioritize video traffic above other data traffic Best Effort Traffic from legacy devices or traffic from applications or devices that do not 0 3 support QoS Background Low priority traffic file downloads print jobs While the WMM ACs designate specific types
169. ence related to 2 4GHz appliances such as cordless phones Level 4 Level 3 settings and FIR immunity At this level the AP adjusts its sensitivity to in band power which can improve performance in environments with high and constant levels of noise interference Level 5 The AP completely disables PHY error reporting improving performance by eliminating the time the controller would spend on PHY processing You can manage Non 802 11 Noise Immunity settings through the 802 11g RF management profile Do not raise the noise immunity feature s default setting if the RX Sensitivity Tuning Based Channel Reuse feature is also enabled A level 3 to level 5 Noise Immunity setting is not compatible with the Channel Reuse feature Requires a minimum version of 6 1 0 0 Enable CSA Enable or disable Channel Switch Announcements CSAs as defined by IEEE 802 11h This setting enables an AP to announce that it is switching to a new channel before it begins transmitting on that channel This allows clients that support CSA to transition to the new channel with minimal downtime CSA Count Set the number of channel switch announcements that must be sent prior to switching to a 1 16 new channel ManagementFrame Set the averaging interval for rate limiting management frames from this radio in seconds Throttle Interval A management frame throttle interval of 0 seconds disables rate limiting ManagementFrame 20 Set the maximum number of management frames t
170. Profiles > RF > Optimization 120
Profiles > SSID 122
Profiles > SSID > EDCA AP 126
Profiles > SSID > EDCA Station 129
Profiles > SSID > HT SSID 131
Security > User Roles > BW Contracts 138
Security > User Roles > VPN Dialers 139
Security > Policies > Destinations 143
Security > Policies > Services 143
Server Groups Page Overview 144
Supported Servers 145
Adding a New Server Group
171. equire a longer guard interval If the short guard interval does not allow enough time for reflections to settle in your mesh deployment inter symbol interference values may increase and degrade throughput This parameter is enabled by default Legacy Stations Allow or disallow associations from legacy non HT stations By default this parameter is enabled legacy stations are allowed Allow Weak Encryption Use this setting to define TKIP or WEP encryption for unicast traffic which forces legacy transmission rates on high throughput APs This option is disabled by default preventing clients using TKIP or WEP for unicast traffic from associating with the mesh node Requires a version earlier than 6 1 0 0 3 Select Add or Save The added or edited profile appears on the Profiles > SSID > HT SSID page Profiles > SSID > 802 11K The 802 11k protocol provides mechanisms to APs and clients to dynamically measure the available radio resources In a 802 11k enabled network APs and clients can send neighbor reports beacon reports and link measurement reports to each other This allows the APs and clients to take appropriate connection actions This profile is disabled by default Perform these steps to configure an 802 11K profile 1 Select Profiles > SSID > 802 11K in the navigation pane 2 Select the Add button to create a new 802 11K profile or click the pencil icon next to an existing profile to edit Comple
172. erence Dell PowerConnect W AirWave 7 4 Configuration Guide 2 Select the Add button to create a new System profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 25 Table 25 Profiles > AP > Provisioning Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Name Blank Enter the name of the profile Other Settings Whether the AP you are provisioning is a remote AP Set or Clear Master IP Whether to specify or clear the definition for the Master IP or fully qualified domain FQDN name of the AP Fully qualified domain name FQDN for the AP Requires a version earlier than 6 1 0 0 USB TTY Device Control Requires a minimum version of 6 1 0 0 Path Set the priority of the cellular uplink By default the cellular uplink is a lower priority than the wired uplink making the wired link the primary link and the cellular link the secondary or backup link Configuring the cellular link with a higher priority than your wired link priority will set your cellular link as the primary controller link Link Priority Ethernet 0 255 Set the priority of the wired uplink Each uplink type has an associated priority wired ports having the highest priority by default Link Priority Cellular 0 255 Upl
173. erface 0 Link Profile Ethernet Interface 1 Link Profile AP System Profile Regulatory Domain Profile SNMP Profile VoIP Call Admission Control Profile Requires voice Service Policy Enforcement Firewall license 802 11a Traffic Management Profile 802 11g Traffic Management Profile IDS Profile Mesh Access Points license Click the Add icon the plus symbol on the right to add a referenced profile Once you Save or Save and Apply that profile AirWave automatically returns you to the original Dell PowerConnect W AP Group configuration page This embedded configuration is also supported on the Additional Dell PowerConnect W Profiles section of the Groups > Dell PowerConnect W Config page Save Save and Apply and Revert Buttons Several Add or Detail pages in Dell PowerConnect W Configuration include the Save Save and Apply and Revert buttons These buttons function as follows Save This button saves a configuration but does not apply it allowing you to return to complete or apply the configuration at a later time If you use this button you may see the following alert on other Dell PowerConnect W Configuration pages You can apply the configuration when all changes are complete at a later time Figure 13 Unapplied Dell PowerConnect W Configuration Changes Messag
174. es and in turn links to multiple WLANs To access them navigate to the Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups page Dell PowerConnect W AP Groups are not to be confused with conventional AirWave device groups Dell PowerConnect W AirWave 7 4 supports both group types and both are viewable on the Groups > List page when so configured Dell PowerConnect W AP Groups have the following characteristics Any Dell PowerConnect W controller can support multiple Dell PowerConnect W AP Groups Dell PowerConnect W AP Groups are assigned to folders and folders define visibility Using conventional AirWave folders to define visibility Dell PowerConnect W AP Groups can provide visibility to some or many components while blocking visibility to other users for more sensitive components such as SSIDs Navigate to the Clients pages to define folder visibility and refer to Visibility in Dell PowerConnect W Configuration on page 33 You can import a controller configuration file from AOS for Dell PowerConnect W AP Group deployment in AirWave For additional information refer to the following sections in this document Setting Up Initial Dell PowerConnect W Configuration on page 21 General Dell PowerConnect W AP Groups Procedures and Guidelines on page 27 AP Overrides Section The second major com
175. es > AAA > Captive Portal Auth Profile Settings Continued Default Description Add switch IP address in redirection URL Sends the switch IP address in the redirection URL when external captive portal servers are used An external captive portal server can determine the controller from which a request originated by parsing the switchip variable in the URL Allow Only One Active User Session Allows only one active user session at a time Add a Controller Interface in Redirection URL Select this option to send the controller s IP address in the redirection URL when external captive portal servers are used An external captive portal server can determine the controller from which a request originated by parsing the controllerip variable in the URL Requires a Public Wi Fi Access license Show the Acceptable Use Policy Page Show the acceptable use policy page before the logon page Add User VLAN in Redirection URL Enable this option to send the user VLAN in the redirection URL when external captive portal servers are used Requires a Public Wi Fi Access license White List Net Destinations This setting allows you to select net destinations for your whitelist Requires a Public Wi Fi Access license Black List Net Destinations This setting allows you to select net destinations for your blacklist Requires a Public Wi Fi Access license 3 Select Add or Save The added or edited Captive Portal Auth profile appears on the AAA Profiles
176. es > Mobility Switch > Port Switching on page 102 for more information VLAN Create a VLAN with the specified configuration parameters Refer to Profiles > Mobility Switch > VLAN on page 103 for more information Profiles > Mobility Switch > IGMP Snooping IGMP snooping allows a network switch to listen in on the Internet Group Management Protocol IGMP interaction between hosts and routers in order to map links to IP multicast streams Perform these steps to configure a Mobility Switch > IGMP Snooping profile 1 Select Profiles > Mobility Switch > IGMP Snooping in the Navigation pane The details page summarizes the current profiles of this type 2 Select the Add button to create a new IGMP Snooping profile or select the pencil icon next to an existing profile to edit Complete the settings as described in Table 44 Table 44 Profiles > Mobility Switch > IGMP Snooping Profile Settings Field Default Description General Settings Folder Top Specify the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Table 44 Profiles > Mobility Switch > IGMP Snooping Profile Settings Continued Default Description Other Settings Last member query interval 1 25 sec Specify the IGMP query interval in response to host leav
177. es helpful suggestions pertinent information and important things to remember CAUTION Indicates a risk of damage to your hardware or loss of data WARNING Indicates a risk of personal injury or death Contacting Support Table 2 Web Support Main Website dell com Support Website support dell com Documentation Website support dell com manuals Chapter 1 Dell PowerConnect W Configuration in AirWave Introduction ArubaOS AOS is the operating system software suite and application engine that operates Dell PowerConnect W Series mobility controllers and centralizes control over the entire mobile environment The AOS wizards command line interface CLI and the AOS WebUI are the primary means used to configure and deploy AOS For a complete description of AOS refer to the Dell PowerConnect W Series ArubaOS User Guide at support dell com manuals for your release The Dell PowerConnect W Configuration feature in AMP consolidates AOS configuration and pushes global Dell PowerConnect W configurations from one utility This chapter introduces the components and initial setup of Dell PowerConnect W Configuration with the following topics Requirements Restrictions and ArubaOS Support in AirWave Additional Concepts and Components of Dell PowerConnect W Conf
178. Profiles > IDS > Signature Matching 85
Profiles > IDS > Signature Matching > Signature 86
Profiles > IDS > Denial of Service 86
Profiles > IDS > Denial of Service > Rate Threshold 89
Profiles > IDS > Impersonation 90
Profiles > IDS > Unauthorized Device 92
Profiles > Mesh 95
Profiles > Mesh > Cluster 95
Profiles > Mesh > Radio 96
Profiles > Mesh > Radio > Mesh HT SSID 98
Profiles > Mobility Switch 100
Profiles > Mobility Switch > IGMP Snooping
179. f a ESSID includes spaces you must enclose it in quotation marks Referenced Profiles EDCA Parameters Station Profile The drop down menu allows you to select any EDCA Station profile that has already been configured The referenced EDCA Station profile defines several settings that are used in the SSID profile Select the Plus sign to create a new EDCA Station profile as required For additional information about this profile type refer to Profiles > SSID > EDCA Station on page 129 Referencing an EDCA Station profile requires a Voice Service license Table 58 Profiles > SSID Profile Settings Continued Field Default Description EDCA Parameters AP Profile The drop down menu allows you to select any EDCA AP profile that has already been configured The referenced EDCA AP profile defines several settings that are used in the SSID profile Select the Plus sign to create a new EDCA AP profile as required For additional information about this profile type refer to Profiles > SSID > EDCA AP on page 126 Referencing an EDCA Station profile requires a Voice Service license High throughput SSID Profile default The drop down menu allows you to select any High throughput SSID profile that has already been configured The referenced HT profile defines several settings that are used in the SSID profile Select the Plus sign
180. fault user role for unauthenticated users This profile type references additional profiles Refer to Profiles > AAA on page 49 802 1x Auth Manages settings for the 802 11k protocol In a 802 11k network if the AP with the strongest signal reaches its maximum capacity clients may connect to an under utilized AP with a weaker signal Refer to Profiles > AAA > Advanced Authentication on page 56 Advanced Authentication Manages timers to apply to all clients and servers Refer to Profiles > AAA > Advanced Authentication on page 56 Captive Portal Auth Captive portal authentication directs clients to a special web page that typically requires them to enter a username and password before accessing the network This profile defines login wait times and the URLs for login and welcome pages and manages the default user role for authenticated captive portal clients You can also use this profile to set the maximum number of authentication failures allowed per user before that user is blacklisted This profile includes a reference to a Server group profile Refer to Profiles > AAA > Captive Portal Auth on page 57 Combined VPN Auth Identifies the default role for authenticated VPN clients This profile also references a server group Refer to Profiles > AAA > Combined VPN Auth on page 66 IPv6 Extension Header This profile allows you to edit the packet filter option
181. ffered unicast traffic for each sleeping client With battery boost enabled the DTIM is increased but multicast traffic is buffered and delivered as unicast Increasing the LI can further increase battery life but can also decrease client responsiveness Maximum Transmit Failures Specify the maximum number of transmit failures to be supported before a radio is considered to be down A setting of 0 disables this feature BC MC Rate Optimization Enables or disables scanning of all active stations currently associated to a mesh point to select the lowest transmission rate based on the slowest connected mesh child When enabled this setting dynamically adjusts the multicast rate to that of the slowest connected mesh child Multicast frames are not sent if there are no mesh children NOTE The default value is recommended Strict Spectra link Voice Protocol SVP Use this setting for SpectraLink VoIP devices This setting automatically permits and prioritizes the SpectraLink Voice Protocol SVP Table 58 Profiles > SSID Profile Settings Continued Default Description 802 11g Beacon Rate Sets the beacon rate for 802 11a use for Distributed Antenna System DAS only CAUTION Using this parameter in normal operation may cause connectivity problems 802 11a Beacon Rate Sets the beacon rate for 802 11g use for Distributed Antenn
182. figure a VIA Client WLAN profile 1 Select Profiles > AAA > VIA Client WLAN in the Navigation pane 2 Select the Add button to create a new VIA Client WLAN profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 14 Table 16 Profiles > AAA > VIA Client WLAN Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Enter the name of the VIA Client WLAN profile EAP PEAP EAP PEAP options Select the following options if the EAP type is PEAP Protected EAP validate server certificate Select this option to validate server certificates enable fast reconnect Select this option to allow fast reconnect enable quarantine checks Select this option to perform quarantine checks disconnect if no cryptobinding tlv Select this option to disconnect if server does not present cryptobinding TLV dont allow user authorization Select this to disable prompts to user for authorizing new servers or trusted certification authorities EAP Type Select an EAP type used by client to connect to wireless network Connect only to these Comma separated list of servers servers EAP Certificate EAP Certificate options If you select EAP
183. file a Ethernet Interface 0 4 Selects the Ethernet port configuration to be associated with the new AP Group This Port Configuration profile allows you to configure all AP wired port profiles and their status The drop Selects the AP Authorization profile to be associated with the new AP Group This profile requires a Remote Access Points license Refer to Profiles gt AP gt Authorization on page 71 Selects the AP Provisioning profile to be associated with the new AP Group Refer to Profiles gt AP gt Provisioning on page 72 down menu contains these options default NoWiredAuthPort shutdown Refer to Select Add or Save The added or edited Wired Port profile appears on the Profiles page and on the Wired Port details page on page 80 Mesh Cluster Profiles Add New Mesh Cluster Hidden by Clicking this Add button displays a new Mesh Cluster Profile field The drop down Profile default until menu displays all supported profiles Select one from the menu the Add Complete this field click the Add button and the profile displays as an option in the button is Mesh Cluster Profile section which may be selected for the AP Group to be added or clicked edited For additional information about Mesh Cluster profiles refer to these sections Profiles gt Mesh on page 95 Profiles gt QoS on page 104 42 Configuration Reference Dell PowerConnect W AirWave 7 4 Configuration Guide Tabl
184. g profile to edit Complete the settings as described in Table 79 Table 79 Security > Server Groups > Windows Profile Settings Field Default Description General Settings Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Other Settings Host Enter the IP address of the Windows server Enable No Enable or disable the Windows server Windows Domain The domain of the Windows server Requires a minimum of AOS 6 0 3 Select Add or Save The added or edited profile appears on the Windows page and on the details page Security > TACACS Accounting TACACS accounting allows commands issued on the controller to be reported to TACACS servers You can specify the types of commands that are reported and these are action configuration or show commands You can have all commands reported as desired Dell PowerConnect W Configuration supports TACACS Accounting servers that can be referenced by server groups To view currently configured TACACS Accounting profiles and where they are used navigate to the Security > TACACS Accounting page Select Add to create a new TACACS Accounting profile or click the pencil icon to edit an existing profile The Add Edit TACACS Accounting Profile page contains the following fields as described in Table 80 Table 80
185. gital Signature Algorithm ECDSA certificates To set the authentication type for the IKE rule click the Authentication drop down list and select one of the following types Pre Share for IKEv1 clients using pre shared keys RSA for clients using certificates ECDSA 256 for clients using certificates ECDSA 384 for clients using certificates NOTE ECDSA 256 and ECDSA 384 require an Advanced Cryptography license and a minimum version of 6 1 0 0 Diffie Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret and is used within IKE to securely establish session keys To set the Diffie Hellman Group for the ISAKMP policy click the Diffie Hellman Group drop down list and select one of the following groups Group 1 768 bit Diffie Hellman prime modulus group Group 2 1024 bit Diffie Hellman prime modulus group Group 19 256 bit random Diffie Hellman ECP modulus group Group 20 384 bit random Diffie Hellman ECP modulus group NOTE EC 256 bit 19 and EC 384 bit 20 require an Advanced Cryptography license and a minimum version of 6 1 0 0 Diffie Hellman Group Lifetime empty Set the Security Association Lifetime to define the lifetime of the security association in seconds Version Select 1 to configure the VPN for IKEv1 or 2 for IKEv2 Advanced Services > VPN Services > L2TP The combination of Layer 2 Tunneling Protocol and Internet Protocol Security L2TP IPS
186. group is exhausted. This feature is useful in environments where there are multiple independent authentication servers: users may fail authentication on one server but can be authenticated on another server. Before enabling fail-through authentication, note the following: This feature is not supported for 802.1x authentication with a server group that consists of external EAP-compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1x authentication is terminated on the controller (AAA FastConnect). Enabling this feature for a large server group list may cause excess processing load on the controller. Use server selection based on domain matching whenever possible. Certain servers, such as the RSA RADIUS server, lock out the controller if there are multiple authentication failures. Therefore, you should not enable fail-through authentication with these servers. When fail-through authentication is enabled, users that fail authentication on the first server in the server list should be authenticated with the second server. Supported Servers: ArubaOS supports the following external authentication servers: RADIUS (Remote Authentication Dial-In User Service); LDAP (Lightweight Directory Access Protocol); TACACS (Terminal Access Controller Access Control System). Additionally, you can use the controller's internal database to authenticate users. You create entries in the database for users and their passwords and
187. > TACACS page displays current TACACS servers available for inclusion in server groups. Select Add to create a new RADIUS server, or click the pencil icon next to an existing TACACS server to edit the configuration. The Security > Server Groups > Add New TACACS Server page contains the following fields, as described in Table 75. Table 75: Security > Server Groups > TACACS (Field, Default, Description). General Settings: Folder (default: Top): Set the folder with which the server is associated. The drop-down menu displays all folders available for association with the server group. Other Settings: Key / Confirm Key: Set the shared secret to authenticate communication between the TACACS client and server. TCP Port: Set the TCP port to be used by the server. Retransmits (0-3): Set the maximum number of times a request is retried. Timeout (1-30 sec): Set the timeout period for TACACS requests in seconds. Table 75: Security > Server Groups > TACACS (Continued). Enable or disable the TACACS server. Session Authorization: Enables or disables session authorization. Session authorization turns on the optional authorization session for admin users. Select Add to complete the configuration of the TACACS Server, or click Save to complete the editing of an existing server. The new server appears on the Security > Server
188. h Collision Avoidance (CSMA/CA) protocol's Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC: arbitrary inter-frame space number (AIFSN), and minimum and maximum contention window (CW) size. (Field: Minimum Contention Window Exponent, 0-15.) For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity to transmit (TXOP). Frames with the highest priority AC are more likely to get TXOP, as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values). The value of the CW varies through time, as the CW doubles after each collision up to the maximum CW. The CW is reset to the minimum value after successful transmission. In addition, you can configure the TXOP duration for each AC. (Fields: Transmission Opportunity Slots in 32 usec Units; Maximum Contention Window Exponent, 1-15.) Table 60: Dell PowerConnect W Configuration > Profiles > SSID > EDCA AP Profile Settings (Continued) (Field, Default, Description). Arbitrary Inter-frame Space Number (default: 7): WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol's Distributed Coordination Function (DCF). The collisi
189. hat can come in from this radio in each throttle interval. (Field: Throttle Limit.) ARM/WIDS Override: If selected, this option disables Adaptive Radio Management (ARM) and Wireless IDS functions and slightly increases packet processing performance. If a radio is configured to operate in Air Monitor mode, then the ARM/WIDS override functions are always enabled, regardless of whether or not this check box is selected. Maximum Distance: Maximum client distance, in meters. This value is used to derive ACK and CTS timeout times. A value of 0 specifies default settings for this parameter, where timeouts are only modified for outdoor mesh radios, which use a distance of 16 km. The upper limit for this parameter varies from 24-58 km, depending on the radio's band (a/g) and 20/40 MHz mode. Note that if you configure a value above the supported maximum, the maximum supported value will be used instead. Values below 600 m will use default settings. Spectrum Monitoring: Select this option to convert APs using this radio profile to hybrid APs that will continue to serve clients as an Access Point, but will also scan and analyze spectrum analysis data for a single radio channel. Requires a Wireless Intrusion Protection license or an RFprotect license and a minimum version of 6.1.0.0. 3. Select Add or Save. The added or edited 802.11a/g profile appears on the Profiles > RF > 802.11a/g page.
190. he CW is reset to the minimum value after successful transmission. In addition, you can configure the TXOP duration for each AC. ACM: Define whether or not admission control mandatory (ACM) is to be supported on APs configured with this EDCA profile. Table 62: Profiles > SSID > EDCA Station Profile Settings (Continued) (Field, Default, Description). Video: Arbitrary Inter-frame Space Number (default: 2); Minimum Contention Window Exponent; Maximum Contention Window Exponent: WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol's Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC: arbitrary inter-frame space number (AIFSN), and minimum and maximum contention window (CW) size. For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity to transmit (TXOP). Frames with the highest priority AC are more likely to get TXOP, as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values). The value of the CW varies through time, as the CW doubles after each collision up to the maximum CW. The CW is reset to the minimum value after successful tra
191. he client is authenticated with the internal database on the controller. The options are Pre-Shared Keys or RSA Signatures. IPSEC Lifetime (default: 7200): Define the IPSEC lifetime, in seconds, after which a new IPSEC key is required. IPSEC Diffie-Hellman Group (default: 1024 bit 1): Select the IPSEC Mode Group that matches the Diffie-Hellman Group configured for the IKE policy. The two options are as follows: 1024-bit; 768-bit. The IPSEC policy selections, along with the preshared key, need to be reflected in the VPN configuration. Set the VPN configuration on clients to match the choices made above. In case the Dell PowerConnect W dialer is used, these configurations need to be made on the dialer prior to downloading the dialer onto the local client. Table 68: Security > User Roles > Add VPN Dialer Fields and Descriptions (Continued) (Default, Description). IPSEC Encryption (default: 168-bit 3DES): Specify the type of IPSEC encryption to support for the VPN. Options are as follows: Encapsulating Security Payload (ESP) with 168-bit 3DES; ESP with 56-bit DES. IPSEC Hash Algorithm: Set the IKE Hash Algorithm to either SHA or MD5 to match the IKE policy for IKE Hash Algorithm. Select Add to finish the new VPN Dialers profile, or click Save to complete the editing of an existing profile. You return to the VPN Dialers page. The new profile appears below the Add New VPN Dialer button
192. he mesh node may try to find a better link on the same channel and cluster (only neighbors on the same channel are considered). The supported threshold is hardware dependent, with a practical range of 1 to 255. Reselection Mode (default: startup-subthreshold): Use this setting to optimize operation of the link metric algorithm. Specify the method a mesh node uses to find a better uplink to create a path to the mesh portal. Only neighbors on the same channel in the same mesh cluster are considered. Available options are: reselect-anytime: Connected mesh nodes evaluate mesh links every 30 seconds. If a mesh node finds a better uplink, the mesh node connects to the new parent to create an improved path to the mesh portal. reselect-never: Connected mesh nodes do not evaluate other mesh links to create an improved path to the mesh portal. startup-subthreshold: When bringing up the mesh network, mesh nodes have 3 minutes to find a better uplink. After that time, each mesh node evaluates alternative links only if the existing uplink falls below the configured threshold level (the link becomes a sub-threshold link). The reselection process is cancelled if the average RSSI on the existing uplink rises above the configured link threshold. subthreshold-only: Connected mesh nodes evaluate alternative links only if the existing uplink becomes a sub-threshold link. NOTE: The default value is recommended. Metric Algorithm (default: distributed): Use this setting to optimize o
193. he scanning mode for the radio domain. all-reg-domain: Scan channels in all regulatory domains. reg-domain: Scan channels in the AP's regulatory domain. Select Add or Save. The added or edited profile appears on the Profiles > RF > 802.11a/g Radio > ARM page. 4. Repeat this procedure, or continue to additional procedures to complete profile configuration, then reference this profile as desired. Profiles > RF > 802.11a/g Radio > HT Radio: Perform these steps to create or edit High Throughput (HT) Radio profiles. 1. Select Profiles > RF > HT Radio in the navigation pane. 2. Select the Add button to create a new HT Radio profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 54. Table 54: Profiles > RF > HT Radio Profile Settings (Field, Default, Description). General Settings: Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the profile. Other Settings: 40 MHz Intolerance: Allows a radio using this profile to stop using the 40 MHz channels if the 40 MHz intolerance indication is received from another AP or station. Honor 40MHz Intolerance (default: Yes): Select 40 MHz intolerance if you want to enable 40 MHz intolerance. This parameter controls whether or not APs using
194. he start of adjacent MPDUs within an aggregate MPDU, in microseconds. Allowed values: 0 (no restriction on MPDU start spacing), 0.25 usec, 0.5 usec, 1 usec, 2 usec, 4 usec. Set a list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this SSID. The MCS you choose determines the channel width (20 MHz vs. 40 MHz) and the number of spatial streams used by the mesh node. The default value is 1-15, the complete set of supported values. To specify a smaller range of values, enter a hyphen between the lower and upper values. To specify a series of different values, separate each value with a comma. Examples: 2-10; 1,3,6,9,12. Range: 0-15. Table 63: Profiles > SSID > HT SSID Profile Settings (Continued) (Default, Description). Short Guard Interval in 40 MHz Mode (default: Yes): Enable or disable use of short (400 ns) guard interval in 40 MHz mode. A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The 802.11n standard specifies two guard intervals: 400 ns (short) and 800 ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor deployments may however r
195. herwise comply with most settings in the Dell PowerConnect W AP Group in which it is managed. AP Overrides: The AP Overrides page displays all AP overrides that are currently configured. These overrides also appear in the navigation pane at left. The name of any override matches the AP device name. Table 3 describes the fields on this page. Table 3: AP Overrides Fields and Descriptions (Field, Description). Displays the name of the AP Overrides profile. This name matches the name of the specific AP device that it defines. Used By (Group): Displays the name of, and link to, the Dell PowerConnect W AP Group in which this AP Override applies. Additional details about the Dell PowerConnect W AP Group appear on the Groups > Dell PowerConnect W Config page when you click the name of the group. Folder: Displays the folder associated with the AP Overrides profile. The folder establishes the visibility of this profile to users. Select Add on the AP Overrides page to create a new AP Override, or click the pencil icon next to an existing override to edit that override. Table 4 describes the fields on the AP Overrides > Add/Edit Details page. Table 4: AP Overrides Add or Edit Page Fields (Field, Default, Description). (Default: blank): Name of the AP Override. Use the name of the AP device to which it applies. Folder (default: Top): Displays the folder with which the WLAN is associated. The drop-down menu displays all folders available for association with the WLAN
196. hes configuration settings that are defined in the GUI to the Dell PowerConnect W Series controllers as a set of CLI commands using Secure Shell (SSH). No controller reboot is required. Auditing and Reviewing Configurations: AirWave supports auditing or reviewing in these ways: 1. You can review the AOS running configuration file. This is configuration information that AirWave reads from the device. In template-based configuration, you can review the running configuration file when working on a related template. 2. You can use the APs/Devices > Audit page for device-specific auditing. 3. Once you audit your controller, you can click Import from the APs/Devices > Audit page to import the controller's current settings into its AMP Group's desired settings. Licensing and Dependencies in Dell PowerConnect W Configuration: You can review your current licensing status with the Licenses link on the APs/Devices > Monitor page. Dell PowerConnect W AirWave 7.4 requires that you have a policy enforcement firewall license always installed on all Dell PowerConnect W controllers. If you push a policy to a controller without this license, a Good configuration will not result, and the controller will show as Mismatched on AirWave pages that reflect device configuration status. Dell PowerConnect W Configuration includes several settings or functi
197. hived Device Configuration. Update group settings based on this device's current configuration. Include unreferenced profiles. Choose settings to ignore during configuration audits. If the page reports a device mismatch, the page will display an Import button that allows you to import the Dell PowerConnect W Series controller settings from a Dell PowerConnect W Series controller that has already been configured. To import the complete configuration from the controller, including any unreferenced profiles, select the Include unreferenced profiles checkbox. If you deselect the checkbox, AMP will delete the unreferenced profiles AP Groups on the controller when that configuration is pushed later, and they will not be imported. In Global Configuration: Importing this configuration creates all the Profiles and Dell PowerConnect W AP Groups on the Device Setup > Dell PowerConnect W Configuration page. This action also adds and selects the Dell PowerConnect W AP Groups that appear on the Groups > Dell PowerConnect W Config page. The folder for all the Profiles and Dell PowerConnect W AP Groups is set to the top folder of the AirWave user who imports the configuration. This folder is Top in the case of managing administrators with read/write privileges. In Group Configuration: Importing this configuration creates Profiles and Dell Powe
198. icense when used. (1-4094.) Table 29: Profiles > AP > System Profile Settings (Continued) (Field, Default, Description). Remote AP DHCP Server ID: Specify the IP address of the remote AP DHCP server. Remote AP DHCP Default Router: Specify the IP address of the remote AP DHCP default router. This field requires a remote AP license. This field requires a remote access points license when used. Remote AP DHCP DNS Server: Enter the IP address or addresses of one or more remote AP DHCP DNS servers. Remote AP DHCP Pool Start / Remote AP DHCP Pool End: Specify the DHCP IP address pool. This configures the pool of IP addresses from which the remote AP uses to assign IP addresses. At the Remote AP DHCP Pool Start and End fields, enter the first and last IP addresses of the pool. These fields require a remote access point license when used. Remote AP DHCP Pool Netmask (default: 255.255.255.0): Enter the subnet mask. This field requires a remote access points license when used. (0-30 days): Specify the amount of time that the IP address of the DHCP server is valid. The supported range is from 0 to 30 days. A value of 0 disables this function. This field requires a remote access points license when used. Heartbeat DSCP (0-63): This setting defines DSCP for low-speed networks. The supported range is from 0 to 63. To enable this function, enter a value greater than 0. Session
199. ield. Supported range is 1 to 100. Select Add or Save. The added or edited profile appears on the WMM Traffic Management page and on the details page. Profiles > RF: The RF management profiles configure radio tuning and calibration, AP load balancing, coverage hole detection, and RSSI metrics. 802.11a Radio: Defines AP radio settings for the 5 GHz frequency band, including the Adaptive Radio Management (ARM) profile and the high-throughput (802.11n) radio profile. Refer to Profiles > RF > 802.11a/g Radio on page 109. 802.11g Radio: Defines AP radio settings for the 2.4 GHz frequency band, including the Adaptive Radio Management (ARM) profile and the high-throughput (802.11n) radio profile. Each 802.11a and 802.11b radio profile includes a reference to an Adaptive Radio Management (ARM) profile. If you would like the ARM feature to dynamically select the best channel and transmission power for the radio, verify that the 802.11a/802.11g radio profile references an active and enabled ARM profile. If you want to manually select a channel for each AP group, create separate 802.11a and 802.11g profiles for each AP group and assign a different transmission channel for each profile. Refer to Profiles > RF > 802.11a/g Radio on page 109. AM Scanning: Defines AP radio settings for Air Monitor network and radio frequency (RF) monitoring. ARM: Defines the Adaptive Radio Management (ARM) settings for scanning
200. iew. The Server > Server Groups page displays all server groups currently configured, and the profiles and folders that are used by each server group, to include the following: AAA; Captive Portal Auth; Management Auth; Stateful 802.1X Auth; TACACS Accounting; VPN Auth; Folder. The list of servers in a server group is an ordered list. By default, the first server in the list is always used unless it is unavailable, in which case the next server in the list is used. You can configure the order of servers in the server group. In the Web UI, use the up or down arrows to order the servers (the top server is the first server in the list). In the CLI, use the position parameter to specify the relative order of servers in the list (the lowest value denotes the first server in the list). The first available server in the list is used for authentication. If the server responds with an authentication failure, there is no further processing for the user or client for which the authentication request failed. You can optionally enable fail-through authentication for the server group, so that if the first server in the list returns an authentication deny, the controller attempts authentication with the next server in the ordered list. The controller attempts authentication with each server in the list until either there is a successful authentication or the list of servers in the
201. iguration. Setting Up Initial Dell PowerConnect W Configuration. NOTE: AirWave supports Dell PowerConnect W AP Groups, which should not be confused with standard AirWave Device Groups. This document provides information about the configuration and use of Dell PowerConnect W AP Groups, and describes how Dell PowerConnect W AP Groups interoperate with standard AirWave Device Groups. Requirements, Restrictions, and ArubaOS Support in AirWave. Requirements: Dell PowerConnect W Configuration has the following requirements in AirWave: AirWave 6.3 or a later AirWave version must be installed and operational on the network. Dell PowerConnect W Series controllers on the network must have AOS installed and operational. For access to all monitoring features, you must provide Telnet/SSH credentials for a user with minimum access level of read-only. In order to perform configuration, the credentials must be for a root-level user. In either case, the enable password must be provided. Restrictions: Dell PowerConnect W Configuration has the following restrictions in AirWave: At present, Dell PowerConnect W Configuration in AirWave does not support every AOS network component. For example, AirWave supports only IP Mobility and VLANs in the Advanced Services section. AOS Configuration is not supported in either Global Groups or the Master Console. Appropriate options will be available in the Subscriber Groups containing the controller(s). ArubaOS Suppor
202. igure a MAC Auth profile. 1. Select Profiles > AAA > MAC Auth in the navigation pane. 2. Select the Add button to create a new MAC Auth profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 13. Table 13: Profiles > AAA > MAC Auth Profile Settings (Field, Default, Description). General Settings: Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the MAC Auth profile. Other Settings: Delimiter: Delimiter used in the MAC string. colon specifies the format xx:xx:xx:xx:xx:xx; dash specifies the format xx-xx-xx-xx-xx-xx; none specifies the format xxxxxxxxxxxx; oui-nic specifies the format xxxxxx-xxxxxx (use the client device's OUI as a delimiter, for 6.1.0.0 versions or later). The case (upper or lower) used in the MAC string. Max Authentication Failures (0-10): Number of times a station can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting. 3. Select Add or Save. The added or edited MAC Auth profile appears on the Profiles > AAA page and on the MAC Auth details page. Profiles > AAA > VPN Connection: A VIA connection profile contains settings required by VIA to establish a secure connection to the controller. You can configure multiple
203. il through server. When fail-through authentication is enabled, users that fail authentication on the first server in the server list should be authenticated with the second server. The controller attempts authentication with each server in the list until either there is a successful authentication or the list of servers in the group is exhausted. This feature is useful in environments where there are multiple independent authentication servers: users may fail authentication on one server but can be authenticated on another server. Name. Other Settings: Add New Server: Select this button to add a new server to the Server Group being configured. A new Server section and Server Group Server Rules section appear, with the following settings to be defined. Server Section: Trim FQDN: Default setting is No. Change to Yes to enable. You can use the match FQDN option for a server match rule. With a match FQDN rule, the server is selected if the <domain> portion of the user information in the formats <domain>\<user> or <user>@<domain> exactly matches a specified string. This rule does not support client information in the host/<pc-name>.<domain> format, so it is not useful for 802.1x machine authentication. The match FQDN option performs matches on only the <domain> portion of the user information sent in an authentication request. The match authstring option described previously allows y
204. ile, and several time range profiles can be configured to enable absolute or periodic access. The Security > Time Ranges page displays all time ranges that are currently available in Dell PowerConnect W Configuration, time range profile type, the policy and WLAN that use time range profiles, and the folder in which each profile is visible. To create a new time range profile, click the Add New Time Range button, or click the pencil icon next to an existing time range profile to adjust settings. The Security > Time Range > Add/Edit New Time Range page contains the following fields, as described in Table 81. Table 81: Security > Time Range > Add/Edit Time Range Fields and Descriptions (Field, Default, Description). General Settings: Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the profile. Other Settings: Type (default: Absolute): Specify whether the time range is Absolute, meaning a very specific range of time, or Periodic, meaning regularly occurring time ranges that occur repeatedly over time. If you select Absolute, specify the Start Date and End Date and time as instructed. If you select Periodic, the Add New Time Period button appears. Select this button, then complete the three settings that follow. Period: Specify whether
205. iles > AP > AP Wired 76; Profiles > AP > Regulatory Domain 74; Profiles > AP > SNMP 75; Profiles > AP > SNMP > SNMP User 75; Profiles > AP > System 75, 76; Profiles > IDS 82; Profiles > IDS > Denial of Service 86; Profiles > IDS > Denial of Service > Rate Threshold 89; Profiles > IDS > General 84; Profiles > IDS > Impersonation 90; Profiles > IDS > Signature Matching 85; Profiles > IDS > Signature Matching > Signatures 86; Profiles > IDS > Unauthorized Device 92; Profiles > Mesh 95; Profiles > Mesh > Cluster 104; Profiles > Mesh > Radio 96; Profiles > Mesh > Radio > Mesh HT SSID 98; Profiles > QoS 104; Profiles > QoS > Traffic Management 104; Profiles > QoS > VoIP Call Admission Control 105; Profiles > QoS > WMM Traffic Management 107; Profiles > RF 108; Profiles > RF > 802.11a/g Radio 109; Profiles > RF > 802.11a/g Radio > ARM 113; Profiles > RF > 802.11a/g Radio > High Throughput (HT) Radio 116; Profiles > RF > Event Thresholds 118; Profiles > RF > Optimization Profiles 120; Profiles > SSID 121, 122; Profiles > SSID > 802.11K 133; Profiles > SSID > EDCA AP 126; Profiles > SSID > EDCA Station 129; Profiles > SSID > HT SSID 131. S: Save, Save and Apply, and Revert buttons 20; Security: defined 15, pages and field descriptions 134; Security > Policies 141
206. ime, you must explicitly configure the default domain as an active domain for the controller. Navigate to Advanced Services > IP Mobility > Mobility Domain in the navigation pane. This page displays all currently configured IP Mobility domains. Select Add to create a new IP Mobility Domain, or click the pencil icon next to an existing profile to modify an existing domain. The Advanced Services > IP Mobility > Add/Edit IP Mobility Domain page contains the following fields, as described in Table 86. Table 86: Advanced Services > IP Mobility > Add/Edit IP Mobility Domain Fields and Descriptions (Field, Default, Description). General Settings: Folder (default: Top): Set the folder with which the domain is associated. The drop-down menu displays all folders available for association with the domain. Enter the name of the domain. Other Settings: Active (default: No): Define whether the IP Mobility Domain is active or inactive. Description: Add a description for the domain (requires AOS 6.0.0.0 or later). Mobile IP Home Agents: Add: Use this button to create new home agents. Once you click Add, the following additional fields appear in the Mobile IP Home Agent section. Complete these settings. Subnet: Define the subnet mask for the IP Mobility Domain. Netmask: Define the netmask for the IP Mobility Domain. VLAN ID (1-4094): Set the VLAN to be supported on the IP Mobility Domain. Home Agent: Set the home agent for the IP Mobility Domain. When
207. impersonation event is generated. (Fields: Beacon Diff Threshold, 0-100; Beacon Increase Wait Time, 0-360000 sec.) Enable or disable detection of anomalies between sequence numbers seen in 802.11 frames. During an impersonation attack, the attacker may spoof the MAC address of a client or AP; if two devices are active on the network with the same MAC address, the sequence numbers in the frames will not match, since the sequence number is generated by NIC firmware. (Field: Detect Sequence Anomaly.) Set the maximum allowable tolerance between sequence numbers within the Sequence Number Time Tolerance period. (Field: Sequence Number of Difference, 0-100000; 300.) Time, in seconds, during which sequence numbers must exceed the Sequence Number Difference value for an alarm to be triggered. (Field: Sequence Number Time Tolerance, 0-360000 sec.) After an alarm has been triggered, the time, in seconds, that must elapse before another identical alarm may be triggered. (Field: Sequence Number Quiet Time, 60-360000 sec.) Detect AP Spoofing (default: Yes): Whether to detect AP Spoofing. NOTE: Requires a WIDS license. AP Spoofing Quiet Time: Time to wait, in seconds, after a spoofing attempt to resume the check. Detect Beacon Wrong Channel: Enable/disable detection of beacons advertising the incorrect channel. Beacon Wrong Channel Detection Quiet Time: Time to wait, in seconds, after detecting an attempt of beacons advertising the incorrect channel, after which the check can
208. in AMP 7.2 is used for local configuration of Dell PowerConnect W controllers. Locally configured settings are not pushed to local controllers by master controllers. SNMP trap settings for controllers are managed locally. Figure 8: Dell PowerConnect W Configuration > Local Config Navigation (screenshot not reproduced). For complete details on the Local Config section, refer to Local Config of SNMP Management on page 147. Advanced Services Section: Navigate to Advanced Services with the Dell PowerConnect W Configuration > Advanced Services path. The Advanced Services section includes IP Mobility and VPN Services. Figure 9 illustrates this navigation and the components. Figure 9: Dell PowerConnect W Configuration > Advanced Services Navigation (screenshot not reproduced). Dell PowerConnect
209. ines the maximum number of seconds a user will have to wait prior to retrying a login attempt The supported range is from 1 to 10 seconds Logon Wait Maximum Wait times are enforced The supported range is from 1 to 100 Enter the ISO Country Code section of the WISPr Location ID Enter the E 164 Area Code section of the WISPr Location ID Enter the SSID Zone section of the WISPr Location ID Enter a name identifying the hotspot operator Enter a name identifying the hotspot location If no name is defined the parameter will use the name of the AP to which the user has associated Utilization Threshold WISPr Location ID ISO Country Code WISPr Location ID E 164 Area Code WISPr Location ID SSID zone WISPr Operator Name WISPr Location Name Logon Wait CPU ut Set the percentage of CPU utilization at which the maximum and minimum logon wait 3 Select Add or Save The added or edited profile appears on the Stateful NTLM Auth page and on the details page Profiles > AP Display the currently configured AP profiles by navigating to Device Setup > Profiles > AP In AOS related configuration parameters are grouped into a profile that you can apply as needed to an AP group or to individual APs This section lists each category of AP profiles that you can configure and apply to an AP group or to an individual AP Note that some profiles reference other profiles For example a virtual AP profile references SSID and
210. ing Rate Thresholds for default Probe Response Frames Select a profile from the drop down menu or click the edit icon or add icon to edit or create a profile that sets the rate threshold for probe response frames The IDS rate threshold profile defines thresholds assigned to the different frame types for rate anomaly checking Rate Thresholds for default Auth Frames Select a profile from the drop down menu or click the edit icon or add icon to edit or create a profile that sets the rate threshold for authentication frames The IDS rate threshold profile defines thresholds assigned to the different frame types for rate anomaly checking Yes Enables or disables detection of station disconnection attacks The number of successful Association Response or Reassociation response frames seen in an interval of 10 seconds that should trigger this event Requires a minimum Other Settings Detect Disconnect Station Attack Disconnect STA Assoc Response Threshold version of 6 0 0 0 Disconnect STA Deauth and Disassoc Threshold Disconnect STA Detection Quiet Time After a station disconnection attack is detected sets the time in seconds that must elapse before another identical alarm can be generated Enables or disables automatic client blacklisting of spoofed de authentication Rate thresholds for Disassociate frames Require
211. ing it cannot support this value will be reduced to the highest supported power setting NOTE Power settings will not change if the Assignment option is set to disabled or maintain Min Tx Power dBm Set the lowest transmit power levels for the AP from 0 30 dBm in 3 dBm increments Note that power settings will not change if the Assignment option is set to disabled or maintain NOTE Consider configuring a Min Tx Power setting higher than the default value if most of your APs are placed on the ceiling APs on a ceiling often have good line of sight between them which will cause ARM to decrease their power to prevent interference However if the wireless clients down on the floor do not have such a clear line back to the AP you could end up with coverage gaps Table 53 Profiles > RF > 802 11a g Radio > ARM Profile Settings Continued Field Default Description Multi Band Scan Yes If enabled single radio channel APs scan for rogue APs across multiple channels This option requires that Scanning is also enabled The Multi Band Scan option does not apply to APs that have two radios as these devices already scan across multiple channels If one of these dual radio devices is assigned an ARM profile with Multi Band enabled that device will ignore this setting Rogue AP Aware If you have enabled both the Scanning and Rogue AP options Dell PowerCo
212. ing profile that can be applied to any interface interface group or a port channel Perform these steps to configure a Mobility Switch > Port Switching profile 1 Select Profiles > Mobility Switch > Port Switching in the Navigation pane The details page summarizes the current profiles of this type 2 Select the Add button to create a new Port Switching profile or select the pencil icon next to an existing profile to edit Complete the settings as described in Table 46 Table 46 Profiles > Mobility Switch > Port Switching Profile Settings Field Default Description General Settings Folder Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Other Settings Access Mode VLAN 1 4094 2 Specify the VLAN ID for the port when the switch port mode is access Native VLAN Mode 1 4094 Specify the VLAN for incoming untagged packets when the switch port mode is trunk When a packet goes out of a trunk interface in native VLAN it will be untagged By default VLAN 1 is the native VLAN The native VLAN should be part of the trunk allowed VLANs Max Bandwidth Rate Limit Specify the storm control bandwidth 50 100 Table 46 Profiles > Mobility Switch > Port Switching Profile Settings Continued Field Default Description Enable Broadcast T
213. ink VLAN 0 4095 If you configure an uplink VLAN on an AP connected to a port in trunk mode the AP sends and receives frames tagged with this VLAN on its Ethernet uplink By default an AP has an uplink VLAN of 0 which disables this feature NOTE If an AP is provisioned with an uplink VLAN it must be connected to a trunk mode port or the AP s frames will be dropped Profiles > AP > Regulatory Domain This profile type defines an AP s country code and valid channels for both legacy and high throughput 802 11a and 802 11b g radios With the implementation of the high throughput IEEE 802 11n draft standard 40 MHz channels were added in addition to the existing 20 MHz channel options Available 20 MHz and 40 MHz channels are dependent on the country code entered in the regulatory domain profile The following channel configurations are now available in AOS A 20 MHz channel assignment consists of a single 20 MHz channel assignment This channel assignment is valid for 802 11a b g and for 802 11n 20 MHz mode of operation A 40 MHz channel assignment consists of two 20 MHz channels bonded together a bonded pair This channel assignment is valid for 802 11n 40 MHz mode of operation and is most often utilized on the 5 GHz frequency band If high throughput is disabled a 40 MHz channel assignment can be configured but only the primary channel a
214. interval in milliseconds in which to retransmit in revocation msec A home agent or foreign agent can send a registration revocation message which revokes registration service for the mobile client For example when a mobile client roams from one foreign agent to another the home agent can send a registration revocation message to the first foreign agent so that the foreign agent can free any resources held for the client Maximum Number of Request Use this setting to define how many retransmits are supported before Retransmits 0 5 revocation is enacted Select Add to create this IP Mobility Profile or click Save to retain changes to an edited IP Mobility Profile Advanced Services > IP Mobility > Mobility Domain You configure mobility domains on master controllers All local controllers managed by the master controller share the list of mobility domains configured on the master Mobility is disabled by default and must be explicitly enabled on all controllers that will support client mobility Disabling mobility does not delete any mobility related configuration The home agent table HAT maps a user VLAN IP subnet to potential home agent addresses The mobility feature uses the HAT table to locate a potential home agent for each mobile client and then uses this information to perform home agent discovery To configure a mobility domain you must assign a home agent address to at least one controller with direct access to the
215. intolerant STAs if they have not been detected in seconds for detection of 802 11n 40 MHz intolerance setting Quiet Time 3 Select Add or Save The added or edited Denial of Service profile appears on the IDS > Denial of Service profiles page Profiles > IDS > Denial of Service > Rate Threshold The IDS rate threshold profile defines thresholds assigned to the different frame types for rate anomaly checking A profile of this type is attached to each of the following 802 11 frame types in the IDS Denial of Service profile Association frames Disassociation frames Deauthentication frames Probe Request frames Probe Response frames Authentication frames A channel threshold applies to an entire channel while a node threshold applies to a particular client MAC address Dell PowerConnect W provides predefined default IDS rate thresholds profiles for each of these types of frames Default values depend upon the frame type Perform these steps to create Rate Threshold Profiles for use with Denial of Service profiles 1 Select Profiles > IDS > Denial of Service > Rate Thresholds in the navigation pane This page summarizes the current thresholds available 2 Select the Add button to create a new Rate Threshold or click the pencil icon next to an existing threshold to edit Complete the settings as described in Table 35 Table 38
216. Dell PowerConnect W Configuration Sections in the Tree View Whether you are using global or group configuration the Dell PowerConnect W Configuration tree view page supports several sections as follows Dell PowerConnect W AP Groups Section AP Overrides Section WLANs Section Profiles Section Security Section Local Config Section Advanced Services Section NOTE Only Dell PowerConnect W AP Groups AP Overrides and WLANs contain custom created items in the navigation pane For the remainder of this document the navigation Dell PowerConnect W Configuration > refers to the tree view in Device Setup or Groups tabs depending on whether global or group configuration is enabled Dell PowerConnect W AP Groups Section A Dell PowerConnect W AP Group is a collection of configuration profiles that define specific settings on Dell PowerConnect W controllers and the devices that they govern A Dell PowerConnect W AP Group references multiple configuration profil
217. ion messages are sent Default is 162 Informs Whether to send SNMP inform messages to the configured host Displays when 2c is selected in SNMP Version SNMPv3 Users If you are using SNMPv3 to obtain values from the Dell PowerConnect W Series controller navigate to Local Config > SNMP Management > SNMPv3 User to configure the following parameters A string representing the name of the user Authentication protocol An indication of whether messages sent on behalf of this user can be authenticated and if so the type of authentication protocol used This can take one of the two values MD5 HMAC MD5 96 Digest Authentication Protocol SHA HMAC SHA 96 Digest Authentication Protocol Authentication protocol password If messages sent on behalf of this user can be authenticated the private authentication key for use with the authentication protocol This is a string password for MD5 or SHA depending on the choice above Privacy protocol An indication of whether messages sent on behalf of this user can be protected from disclosure and if so the type of privacy protocol which is used This takes the value DES CBC DES Symmetric Encryption Protocol Privacy protocol password If messages sent on behalf of this user can be encrypted decrypted with DES the private privacy key for use with the privacy protocol Select Add to create this profile or click Save to retain changes to an edited profile
218. itiation protocol SIP authentication between a SIP client and a SIP registry server Upon successful registration a user role is assigned to the SIP client Select the add icon to create a new role or click the pencil icon to edit an existing role This setting requires a voice service license Enforce DHCP When you select this option clients must obtain an IP using DHCP before they are allowed to associate to an AP Enable this option when you create a user rule that assigns a specific role or VLAN based upon the client device s type NOTE If a client is removed from the user table by the Logon user lifetime AAA timer then that client will not be able to send traffic until it renews its DHCP Radius Interim E By default the RADIUS accounting feature sends only start and stop messages to the Accounting RADIUS accounting server Issue the interim radius accounting command to allow the controller to send Interim Update messages with current user statistics to the server at regular intervals Requires a minimum version of 6 1 0 0 Device Type Classification When you select this option the controller will parse user agent strings and attempt to identify the type of device connecting to the AP When the device type classification is enabled the Global client table shown in the Monitoring > Network > All WLAN Clients window shows each client s device type if that client device can be identified Requires a minimum version
219. k the pencil or add icon to add or edit a MAC Authentication profile Refer to Profiles > AAA > MAC Auth on page 60 if required NOTE Not supported with WLAN RAP Operation always after version 6 0 0 0 MAC Authentication default Select a MAC Authentication server group You can add a new server group by Server Group clicking the add icon or edit an existing server group by clicking the pencil icon 802 1X Authentication Select the 802 1X Authentication Profile to be referenced by the AAA profile being Profile configured You can add a new profile by clicking the add icon or edit an existing profile by clicking the pencil icon Refer to Profiles > AAA > Advanced Authentication on page 56 802 1X Authentication Select the 802 1X Authentication server group You can add a new Server group by Server Group clicking the add icon or edit an existing server group by clicking the pencil icon RADIUS Accounting Select the RADIUS accounting server group to be referenced by the AAA profile being Server Group configured Select the add icon to create a new RADIUS server group Other Settings Initial Role Select the initial role to be referenced by the AAA profile being configured Add a new role by clicking the add icon or edit an existing role by clicking the pencil icon MAC Authentication Select the MAC authentication default role to be referenced by the AAA profile being Default Role configured Add a new role by
220. l PowerConnect W AP Groups that you push to controllers Use this page to associate a device group to one or more Dell PowerConnect W AP Groups From this page you can select other profiles that are defined on the controller like an internal server Figure 3 Groups > Dell PowerConnect W Config Page Illustration Partial Display
221. The Dell PowerConnect W AP Groups page displays the following information for every group currently configured Table 1 Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups Page Column Description Displays the name of the Dell PowerConnect W AP Group Select the pencil icon next to any group to edit Used by Displays the AirWave device groups that define this Dell PowerConnect W AP Group Select the name of Group any group in this column to display the detailed Groups > Dell PowerConnect W Config page The device groups in this column receive the profile configurations from the associated Dell PowerConnect W AP Group Any Dell PowerConnect W AP Group profiles can define device groups Used by Displays the number of APs in this Dell PowerConnect W AP Group A detailed list of each AP by name can Number of AP be displayed by navigating to the Groups > List page and selecting that group Used By Displays the user role or roles that support the respective Dell PowerConnect W AP Group when defined User Role Folder Displays the folder that is associated with this Dell PowerConnect W AP Group when defined A Top viewable folder for the role is able to view all devices and groups contained by the top folder The top folder and its subfolders must contain all the devices in any groups It can view Clicking any folder name takes you to the
222. l PowerConnect W Configuration This section describes the profiles pages parameters and default settings for all Security components in Dell PowerConnect W Configuration as follows Security > User Roles Security > User Roles > BW Contracts Security > User Roles > VPN Dialers Security > Policies Security > Policies > Destinations Security > Policies > Services Security > Server Groups Security > Server Groups > LDAP Security > Server Groups > RADIUS Security > Server Groups > TACACS Security > Server Groups > Internal Security > Server Groups > XML API Security > Server Groups > RFC 3576 Security > TACACS Accounting Security > Time Ranges Security > User Rules Security > User Roles A client is assigned a user role by one of several methods A user role assigned by one method may take precedence over a user role assigned by a different method The methods of assigning user roles are from lowest to highest precedence 1 The initial user role for unauthenticated clients is configured in the AAA profile for a virtual AP 2 The user role can be de
223. le APs that are classified as rogue APs by the Dell PowerConnect W system When a rogue AP is disabled no wireless stations are allowed to associate to that AP Perform these steps to create IDS Unauthorized Device profiles 1 Select Profiles > IDS > Unauthorized Devices in the navigation pane 2 Select the Add button to create a new Unauthorized Devices profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 40 Table 40 Profiles > IDS > Unauthorized Devices Profile Settings Field Default Description Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Enter the name of the profile Other Settings Detect Adhoc Networks Enable or disable detection of adhoc networks Protect from Adhoc Enable or disable protection from adhoc networks When adhoc networks are detected Networks they are disabled using a denial of service attack Detect Windows Bridge Enable or disable detection of Windows station bridging Detect Wireless Bridge Enable or disable detection of wireless bridging Detect Devices with An Enable or disable the checking of the first three bytes of a MAC address known as the Invalid MAC OUI MAC organizationally unique identifier OUI assigned by the IEEE to known manufacturers Often clients using a spoofed MAC address do not use a valid OUI and instead
224. le on a per SSID basis an Reauthentication for 802 1x transaction during a call can affect voice quality If a client is on a call 802 1x Clients on Call reauthentication and rekey are disabled by default until the call is completed You disable or re enable the voice aware feature in the 802 1x authentication profile This setting requires a voice service license Select Add or Save The added or edited 802 1x Auth profile appears on the AAA Profiles page and on the 802 1x Auth details page Profiles > AAA > Advanced Authentication In Advanced Authentication you can apply timers and DNS query intervals Follow these steps to configure an Advanced Authentication profile 1 Select Profiles > AAA > Advanced Authentication in the navigation pane The details page summarizes the current profiles of this type 2 Select the Add button to create a new Advanced Authentication profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 10 Table 10 Profiles > AAA > Advanced Authentication Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Enter the name of the Advanced Authentication profile Authentication Timers User Idle Timeout 300 seconds Maximum period in seconds after which a client is consi
225. ll traffic for the other network is sent and received through a VPN gateway that encapsulates and encrypts the traffic Before enabling VPN authentication you must configure the following The default user role for authenticated VPN clients this is configured with roles and policies The authentication server group the controller will use to validate the clients this is configured with server groups You then specify the default user role and authentication server group in the VPN authentication profile The Advanced Services > VPN Services page displays all VPN service profiles that are currently configured and allows you to add VPN service profiles or to edit existing profiles Select the Add button to add a new VPN Service profile or click the pencil icon next to an existing profile to change its configuration The VPN Services detail page appears with settings defined in Table 87 Table 87 Advanced Services > VPN Services > Add Edit VPN Service Profiles Fields and Descriptions Field Default Description General Settings Folder Top Set the folder with which the VPN service profile is associated The drop down menu displays all folders available for association with the VPN services profile Name Blank Enter the name of the VPN services profile Other Settings IKE Profile Select an IKE profile from the drop down menu Select the add icon to add a new profile of this type or click the pencil icon to edit an e
226. mmended that you keep the on station association option enabled This helps trigger mobility as soon as 802 11 association packets are received from the mobile client Select this option to support standalone APs on the IP Mobility domain Enable this option to log client movement in the IP Mobility domain This setting is derived from station association in a foreign network Enable Support for Standalone APs Log User Moves Yes Allow Roaming for Authenticated Yes Enable this setting to require authentication for roaming stations Stations Only Filter out DHCP Release from Enable or disable the filtering of DHCP information when a client is released Stations from a station Re home Idle Voice Capable Client Enable or disable re homing for idle voice capable clients This setting reassigns the home network in relation to a voice capable client that is idle non roaming Set the maximum number of events per second that station mobility events can be supported Maximum Number of Station Mobility Events Per Second 1 65535 Maximum Interval Mobility Will Hold Inactive Host Trail 120 3600 sec Define how long inactive host trails are to be supported in IP mobility Define how many events are to be logged in IP mobility Define how long IP mobility is to support hosts should there be a disconnection Maximum Entries in User Mobility Trail 1 30 Mobility Host Entry Hold Time After Connectivity Loss 30
227. mum time in seconds the error rate has to exceed the Error Rate Threshold Time before it triggers a channel change Noise Threshold Sets the maximum level of noise in channel that triggers a channel change The range of dBm possible values is 0 to 2 147 483 647 dBm Noise Wait Time Sets the minimum time in seconds the noise level has to exceed the Noise Threshold before it triggers a channel change The range of possible values is 120 3600 seconds Minimum Scan Time Sets the minimum number of times a channel must be scanned before it is considered for assignment The supported range for this setting is 0 to 2 147 483 647 scans The recommended Scan Time is between 1 to 20 scans Load Aware Scan 1 250 000 Sets the traffic throughput level an AP must reach before it stops scanning Load aware Thresholds ARM preserves network resources during periods of high traffic by temporarily halting ARM scanning if the load for the AP gets too high The supported range for this setting is 0 to 20000000 bytes second Specify 0 to disable this feature Mode Aware Arm Sets mode aware functions on the APs If enabled ARM turns APs into Air Monitors AMs if it detects higher coverage levels than necessary This helps avoid higher levels of interference on the WLAN Although this setting is disabled by default you may want to enable this feature if your APs are deployed in close proximity for example less than 60 feet apart Scan Mode all reg Set t
228. n enabled Dynamic Multicast If enabled DMO techniques will be used to reliably transmit video data Optimization DMO Dynamic Multicast Maximum number of high throughput stations in a multicast group beyond which Optimization DMO dynamic multicast optimization stops Threshold 2 255 Select Add to create the WLAN or click Save to finish reconfiguring an existing WLAN The WLAN appears on the WLANs page in the navigation pane Profiles Understanding Dell PowerConnect W Configuration Profiles In AOS related configuration parameters are grouped into a profile that you can apply as needed to an AP group or to individual APs This section lists each category of AP profiles that you can configure and then apply to an AP group or to an individual AP Note that some profiles reference other profiles For example a virtual AP profile references SSID and AAA profiles while an AAA profile can reference an 802 1x authentication profile and server group You can apply the following types of profiles to an AP or AP group For additional details and configuration instructions continue to the related procedures in this section Browse to the Device Setup > Dell PowerConnect W Configuration page and click the Profiles heading in the navigation pane on the left Expand the Profiles menu by clicking the plus sign next to it Several profile optio
229. n including the following sections Status information Controller s License link see Licensing and Dependencies in Dell PowerConnect W Configuration on page 20 Radio Statistics of some Dell PowerConnect W thin APs User and Bandwidth interactive graphs CPU Utilization and Memory Utilization interactive graphs APs Managed by this Controller list when viewing a controller Alert Summary Recent Events Audit Log For additional information refer to Pushing Device Configurations to Controllers on page 29 Groups > Basic Page The Groups > Basic page deploys the following aspects of Dell PowerConnect W Configuration Use this page to control which device settings appear on the Groups pages If you want to configure your controllers using templates instead you should disable Dell PowerConnect W GUI configuration from the Groups > Basic page and use template based configuration For more information on templates see the Templates chapter of the Dell PowerConnect W AirWave 7 4 User Guide Additional Concepts and Components of Dell PowerConnect W Configuration Dell PowerConnect W Configuration emphasizes the following components and network management concepts Global Configuration and Scope Dell PowerConnect W Configuration supports ArubaOS as follows AirWave supports gl
230. n configure any value between 0 65535 Optional Set the time in minutes after which the client is required to re authenticate Enter a value between 0 4096 0 disables reauthentication Blank Optional By default a client is assigned a VLAN on the basis of the ingress VLAN for the client to the controller Use this field to override this assignment and configure the VLAN ID that is to be assigned to the user role VPN Dialer Profile Optional Use this field to assign a VPN dialer to a user role Select a dialer from the drop down list and assign it to the user role This dialer will be available for download when a client logs in using captive portal and is assigned this role For additional VPN information refer to Security > User Roles > VPN Dialers on page 139 Add New Policy Select this button to add a new policy to the user role The following two columns appear Policy Dell PowerConnect W AP Group Table 66 Security > User Roles > Add New User Role Fields and Descriptions Continued Default Description Allowdiskservices Select the policy to apply to this user role Once any policy is selected you can edit the policy by clicking the pencil icon You can create a new policy by clicking the add icon Refer to Security > Policies on page 141 Dell PowerConnect W AP Select the Dell PowerConnect W
231. n the VoIP CAC profile You also need to enable call admission control which is disabled by default in this profile Perform these steps to create or edit VoIP Call Admission Control profiles 1 Select Profiles > QoS > VoIP Call Admission Control in the navigation pane 2 Select the Add button to create a new VoIP Call Admission Control profile or click the pencil icon to edit an existing profile Complete the settings as described in Table 49 Table 49 Profiles > QoS > VoIP Call Admission Control Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Enter the name of the threshold profile Table 49 Profiles > QoS > VoIP Call Admission Control Profile Settings Continued Field Default Description Other Settings VoIP Call Admission Enable or disable VoIP Call Admission Control in this profile Control VoIP Active Load Enable or disable load balancing in this profile Balancing VoIP Vocera Call 20 Specify the bandwidth allocation to Vocera voice calls when Admission Control is Capacity 0 255 enabled VoIP NOE Call Capacity Specify the bandwidth allocation to New Office Environment NOE voice calls when 0 255 Admission Control is enabled VoIP SIP Call Capacity
232. nable wireless containment, including Tarpit Shielding. Tarpit shielding works by steering a client to a tarpit so that the client associates with it instead of the AP that is being contained. deauth-only: Containment using deauthentication only. none: Disable wireless containment. tarpit-all-sta: Wireless containment by tarpit of all stations. tarpit-non-valid-sta: Wireless containment by tarpit of non-valid clients. NOTE: Tarpit requires a minimum version of 6.0.0.0. Debug Wireless Containment: Enable/disable debug of containment from the wireless side. Note: Enabling this debug option will cause containment to not function properly. Wired Containment (default: No): Enable containment from the wired side. Table 33: Profiles > IDS > General Profile Settings (Continued; columns: Field, Default, Description). Wired Containment of AP's Adj MACs: Enable/disable wired containment of MACs offset by one from APs BSSID. NOTE: This setting requires a minimum of AOS 6.0.0.0. Monitored Device Stats Update Interval (0-36000 sec): Time interval in seconds for AP to update the switch with stats for monitored devices. Minimum is 60. Mobility Manager RTLS: Enable/disable RTLS communication with the configured mobility manager. Ad hoc AP Max Unseen Timeout (5-36000 sec): Ageout time in seconds since ad hoc (IBSS) AP was last seen. NOTE: This setting requires a minimum of
233. nd WLANs, and Dell PowerConnect W Configuration supports many diverse profile types. Some profiles provide the configurations for additional profiles that reference them. When this is the case, this document describes the interrelationship of such profiles to each other. Profiles can be configured in standalone fashion using the procedures in this chapter, then applied elsewhere as desired. Otherwise, you can define referenced profiles as you progress through Dell PowerConnect W AP Group or WLAN setup. In the latter case, AirWave takes you to profile setup on separate pages, then returns to the Dell PowerConnect W AP Group or WLAN setup. For complete Profiles inventory and field descriptions, refer to Profiles on page 50 in the Appendix. General Controller Procedures and Guidelines. Using Controllers in Dell PowerConnect W Configuration. AirWave implements the following general approaches to controllers: Master Controller: This controller maintains and pushes all global configurations. AirWave pushes configurations only to a master controller. Standby Controller: The master controller synchronizes with the standby master controller, which remains ready to govern global configurations for all controllers should the active master controller fail. Local Controller: Master controllers push local configurations to lo
234. nect W Configuration Profiles 48; Profiles > AAA Overview 48; MS Au 49; Profiles > AAA > 802.1x Auth 51; Profiles > AAA > Advanced Authentication 56; Profiles > AAA > Captive Portal Auth 57; Profiles > AAA > IPV6 Extension Header 59; Profiles > AAA > MAC Auth 60; Profiles > AAA > VPN Connection 61; Profiles > AAA > VPN Connection > VIA Auth 63; Profiles > AAA > VPN Connection > VIA Client WLAN 63; Profiles > AAA > VIA Global 65; Profiles > AAA > Stateful 802.1X Auth 65; Profiles > AAA > Wired Auth 66; Profiles > AAA > Combined VPN Auth
235. nfiguration Reference, Dell PowerConnect W AirWave 7.4 Configuration Guide. Table 32: Profiles > IDS > General Profile Settings (Continued; columns: Field, Default, Description). Other Settings and AP SNMP User Profiles. IDS Unauthorized Device Profile (default: default): Select the IDS Unauthorized Device Profile from the drop-down menu. This profile is referenced by the overriding IDS profile currently being configured. The drop-down menu contains any profiles that you have configured. To create a new profile of this type, click the add icon. To edit an existing profile, select that profile, then click the pencil icon. For additional information about configuring IDS Unauthorized Device Profiles, refer to Profiles > IDS > Unauthorized Device on page 92. IDS Signature Matching Profile (default: default): Select the IDS Signature Matching Profile from the drop-down menu. The drop-down menu lists all signature matching profiles that are currently configured and available. To create a new profile of this type, click the add icon. To edit an existing profile, select that profile, then click the pencil icon. For additional information about configuring IDS Unauthorized Device Profiles, refer to Profiles > IDS > Signature Matching on page 85. IDS General Profile (default: default): Select the IDS General Profile from the drop-down menu. The drop-down menu lists all General IDS profiles that are currently configured and available. To create a new profile of this t
236. ng due to temporary loss of connectivity with the Dell PowerConnect W controller. Disable Probe Retry: Prevent (disable: Yes) or accept (disable: No) the resending of packets in local probe operations. NOTE: This setting requires a voice service license. Battery Boost: Battery boost converts all multicast traffic to unicast before delivery to the client. This feature is disabled by default. Enabling this feature on an SSID allows you to set the DTIM interval from 10-100 (the previous allowed values were 1 or 2), equating to 1,000-10,000 milliseconds. This longer interval keeps associated wireless clients from activating their radios for multicast indication and delivery, leaving them in powersave mode longer and thus lengthening battery life. The DTIM configuration is performed on the WLAN, so no configuration is necessary on the client. NOTE: This setting requires a voice service license. NOTE: Although you can enable battery boost on a per-virtual-AP basis, it must be enabled for any SSIDs that support voice traffic. Although the multicast-to-unicast conversion generates more traffic, that traffic is buffered by the AP and delivered to the client when the client emerges from power-save mode. An associated parameter available on some clients is the Listening Interval (LI). This defines the interval (in number of beacons) after which the client must wake to read the Traffic Indication Map (TIM). The TIM indicates whether there is bu
237. ng the priority that every type of traffic to or from the client receives in the wireless network. Thus, QoS for voice applications is configured when you configure firewall roles and policies. You can configure roles for clients that use mostly data traffic, such as laptop computers, and roles for clients that use mostly voice traffic, such as VoIP phones. Although there are different ways for a client to derive a user role, in most cases the clients using data traffic will be assigned a role after they are authenticated through a method such as 802.1x, VPN, or captive portal. The user role for VoIP phones can be derived from the OUI of their MAC addresses or the SSID to which they associate. This user role will typically be configured to have access allowed only for the voice protocol being used (for example, SIP or SVP). NOTE: You must install the Policy Enforcement Firewall license in the controller. This page displays the current user roles in Dell PowerConnect W Configuration and where they are used. This page contains the columns described in Table 65. Table 65: Security > User Roles Page Contents (columns: Column, Description). Name of the user role. AAA: Displays the AAA profile or profiles that are referenced by the user role. Refer to Profiles > AAA on page 49. Captive Portal Profile: Displays the Captive Portal Auth profiles, if any, that are referenced by the user role. Refer to Profiles > AAA > Captive Portal Auth on p
238. nnect W APs may change channels to contain off-channel rogue APs with active clients. This security feature allows APs to change channels even if the Client Aware setting is disabled. This setting is disabled by default and should only be enabled in high-security environments where security requirements are allowed to consume higher levels of network resources. You may prefer to receive Rogue AP alerts via SNMP traps or syslog events. Scan Interval (sec): If Scanning is enabled, the Scan Interval defines how often the AP will leave its current channel to scan other channels in the band. Off-channel scanning can impact client performance. Typically, the shorter the scan interval, the higher the impact on performance. If you are deploying a large number of new APs on the network, you may want to lower the Scan Interval to help those APs find their optimal settings more quickly. Raise the Scan Interval back to its default setting after the APs are functioning as desired. The supported range for this setting is 0 to 2,147,483,647 seconds. Active Scan: When the Active Scan checkbox is selected, an AP initiates active scanning via probe request. This option elicits more information from nearby APs, but also creates additional management traffic on the network. Active Scan is disabled by default and should not be enabled except under the direct supervision of Dell Support. Scanning (default: Yes): The Scanning field enables or disables AP scanning across multiple
239. [illegible entry] 146; Security > Server Groups > LDAP 147; Security > Server Groups > RADIUS 148; Security > Server Groups > TACACS 149; Security > Server Groups > Internal 150; Security > Server Groups > XML API 151; Security > Server Groups > RFC 3576 151; Security > Server Groups > Windows 152; Security > TACACS Accounting 152; [illegible entry] 153; [illegible entry] 154; Local Config of SNMP Management 155; Advanced [illegible] 156; Overview of IP Mobility Domains
240. ns appear. This document section describes the profiles and settings supported in Dell PowerConnect W Configuration in the following sections: Profiles > AAA Overview; Profiles > AP; Profiles > IDS; Profiles > Mesh; Profiles > Mobility Switch; Profiles > QoS; Profiles > RF; Profiles > SSID. Profiles > AAA Overview. This profile type defines authentication settings for the WLAN users, including the role for unauthenticated users and the different roles that should be assigned to users authenticated via 802.1x, MAC, or SIP authentication. Perform these steps to determine the need for and to configure AAA profiles: 1. To view and configure AAA profiles, click the Profiles > AAA profile heading in the navigation pane. The AAA Profiles page appears and lists the current profiles. Figure 22 illustrates this page. [Figure 22: AAA Profiles Navigation of Dell PowerConnect W Configuration] 2. From the navigation pane, you can configure the following profile types: AAA Profile: The AAA profile defines the authentication method and the de
241. nsmission. In addition, you can configure the TXOP duration for each AC. Transmission Opportunity Slots in 32 µsec Units. ACM: Define whether or not admission control mandatory (ACM) is to be supported on APs configured with this EDCA profile. Voice. WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol's Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC: arbitrary inter-frame space number (AIFSN); minimum and maximum contention window (CW) size. Arbitrary Inter-frame Space Number (default: 2). Minimum Contention Window Exponent (default: 2). Maximum Contention Window Exponent (default: 3). Transmission Opportunity Slots in 32 µsec Units (default: 47): For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity to transmit (TXOP). Frames with the highest-priority AC are more likely to get TXOP, as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values). The value of the CW varies through time, as the CW doubles after each collision, up to the maximum CW. The CW is reset to the minimum value after successful transmission. In addition, you can configure the TXOP duration for each AC. Define whether or not admission control mandatory (ACM) is to be supporte
242. nt will collect logs that can be logging sent to the support email address for troubleshooting VIA client network 255 255 255 2 The network mask that has to be set on the client after the VPN connection is mask 55 established VIA client DNS suffix The DNS suffix list comma separated that has be set on the client once the VPN list connection is established VIA external download End users will use this URL to download VIA on their computers URL Maximum reconnection 3 The maximum number of re connection attempts by the VIA client due to authentication attempts 0 10 failures VIA max session The maximum time minutes allowed before the VIA session is disconnected timeout 5 65535 min Dell PowerConnect W AirWave 7 4 Configuration Guide Configuration Reference 61 Table 14 Profiles gt AAA gt VPN Connection Profile Settings Continued Field Default Description Allow user to save Yes Enable or disable users to save passwords entered in VIA passwords Enable or disable split tunneling If enabled all traffic to the VIA tunneled networks will go through the controller and Enable split tunneling the rest is just bridged directly on the client If disabled all traffic will flow through the controller VIA Support E Mail The support e mail address to which VIA users will send client logs Address Co a Enable or disable VIA from validating the server certificate presented by the controller certificate
243. ntinued). Columns: Field, Default, Description. AM Scanning Profile: Select a profile to define settings for Air Monitor Scanning. Select the pencil icon to edit an existing AM Scanning profile, or click the plus sign to create a new AM Scanning profile. High throughput (default: Default): Select a high-throughput (HT) profile from the drop-down menu to define HT settings for your 802.11a/g radio profile. Select the pencil icon to edit an existing HT Radio profile, or click the plus sign to create a new HT Radio profile. You are directed to the HT Radio Profile setup page. Once you have configured this referenced profile, AirWave returns you to the Radio Profile (802.11a/g Profile) page. For additional HT radio profile information, refer to Profiles > RF > 802.11a/g Radio > HT Radio on page 116. Other Settings. Radio Enable: Enable transmissions on this radio band. Ap mode. Set the access point operating mode. Available options are as follows: am-mode: Device behaves as an air monitor to collect statistics, monitor traffic, detect intrusions, enforce security policies, balance traffic load, self-heal coverage gaps, etc. ap-mode: Access Point mode. sensor-mode: RF protect sensor mode. spectrum-mode: Spectrum sensor mode. Device operates as a spectrum monitor and can send spectrum analysis data to a desktop or laptop client. High Throughput (default: Yes): Enable or disable high-throughput (802.11n) features on the radio. Enable Radio
244. o a Dell PowerConnect W AP group or AP name, references additional IDS profiles that are also described in this section. ArubaOS includes predefined top-level IDS profiles that provide different levels of sensitivity. The following are predefined IDS profiles: ids-disabled; ids-high-setting; ids-low-setting (the default setting); ids-medium-setting. You apply the top-level IDS profile to an AP group or specific AP. To view IDS profiles, click Profiles > IDS in the navigation pane. [Figure 24: IDS Profiles] NOTE: A predefined IDS profile refers to specific instances of the other IDS profiles. You cannot create new instances of a profile within a predefined IDS profile. You can modify parameters within the other IDS profiles. IDS profiles reference other profiles. These additional profiles can be created before, during, or after the configuration of the IDS profile. Select the Add button to create a new IDS profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 32. Table 32: Profiles > IDS > General Profile Settings (columns: Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the profile.
245. o complete the configuration of the Destination policy profile, or click Save to complete the editing of an existing profile. The new destination appears on the Security > Policies > Destinations page. Security > Policies > Services. The Security > Policies > Services page displays all Netservice profiles that are available for reference by Security policies. This page displays Netservice profile names, the protocol associated with it, the policy that uses this Netservice profile, and the folder. Select Add to create a new Netservice profile, or click the pencil icon next to an existing Netservice profile to edit it. The Security > Policies > Services page contains the following fields, as described in Table 71. Table 71: Security > Policies > Services Fields and Descriptions (columns: Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the security policy service is associated. The drop-down menu displays all folders available for association with the service. Enter the name of the destination. Table 71 (Continued). Other Settings. Protocol (default: TCP): Specify the protocol that is to support the security policy service being configured. The service options are TCP, UDP, IP. The remaining fields on this page change acco
246. o transmit (TXOP). Frames with the highest-priority AC are more likely to get TXOP, as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values). The value of the CW varies through time, as the CW doubles after each collision, up to the maximum CW. The CW is reset to the minimum value after successful transmission. In addition, you can configure the TXOP duration for each AC. On the controller, you configure the AC priorities in the WLAN EDCA parameters profile. There are two sets of EDCA profiles you can configure: AP parameters affect traffic from the AP to the client; STA parameters affect traffic from the client to the AP. Perform these steps to create or edit EDCA AP profiles: 1. Select Profiles > SSID > EDCA AP in the navigation pane. This page summarizes the current profiles of this type. 2. Select the Add button to create a new EDCA AP profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 60. Table 60: Dell PowerConnect W Configuration > Profiles > SSID > EDCA AP Profile Settings (columns: Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Name: Name of the EDCA AP profile. Best Effort. Arbitrary Inter-frame Space Number (1-15): WMM is an extension to the Carrier Sense Multiple Access wit
247. obal configuration from both a master-local controller deployment and an all-master controller deployment. In a master-local controller deployment, ArubaOS is the agent that pushes global configurations from master controllers to local controllers. AirWave supports this AOS functionality. In an all-master controller scenario, every master controller operates independent of other master controllers. AirWave provides the ability to push configuration to all master controllers in this scenario. AirWave Dell PowerConnect W Configuration supports ArubaOS profiles, Dell PowerConnect W AP Profiles, Servers, and User Roles. For additional information about these and additional functions, refer to General Controller Procedures and Guidelines on page 29. Referenced Profile Setup in Dell PowerConnect W Configuration. AirWave allows you to add or reconfigure many configuration profiles while guiding you through a larger configuration sequence for a Dell PowerConnect W AP Group or WLAN. Consider the following example: When you create a new Dell PowerConnect W AP Group from the Device Setup > Dell PowerConnect W Configuration page, the Referenced Profile section appears as shown in Figure 12. [Figure 12: Referenced Profile Configuration for a Dell PowerConnect W AP Group]
248. of 6.0.1.0. L2 Authentication Fail-through: When MAC authentication fails, enable this option to perform 802.1x authentication. Requires a minimum version of 6.1.0.0. XML API Servers. XML API Servers: Select the XML API server to support the AAA profile being configured, if required. This section is blank if there are no XML API servers. RFC 3576 Servers. RFC 3576 Servers: Select the RFC 3576 RADIUS server to support the AAA profile being configured, if required. This section is blank if there are no such servers. 3. Select Add or Save. The added or edited AAA profile appears on the AAA Profiles page. Profiles > AAA > 802.1x Auth. 802.1x authentication consists of three components: The supplicant, or client, is the device attempting to gain access to the network. You can configure the Dell PowerConnect W user-centric network to support 802.1x authentication for wired users as well as wireless users. The authenticator is the gatekeeper to the network and permits or denies access to the supplicants. The Dell PowerConnect W controller acts as the authenticator, relaying information between the authentication server and supplicant. The EAP type must be consistent between the authentication server and supplicant, and is transparent to the controller. The authentication server provides a database of information required for authentication and informs the authenticator to deny or permit access to the supplicant. The 802.1x authentic
249. of Service > Rate Thresholds page. Profiles > IDS > Impersonation. Perform these steps to create IDS Impersonation profiles: 1. Select Profiles > IDS > Impersonation in the navigation pane. 2. Select the Add button to create a new Impersonation profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 39. Table 39: Profiles > IDS > Impersonation Settings (columns: Field, Default, Description). General Settings. Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Default Blank: Enter the name of the impersonation profile. Other Settings. Detect AP Impersonation (default: Yes): Enable or disable detection of AP impersonation. In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection, or a honeypot attack. Protect from AP Impersonation: When AP impersonation is detected, use this control to set both the legitimate and impersonating AP to be disabled using a denial of service attack. Set the percentage increase in beacon rate that triggers an AP impersonation alert. Set the time in seconds after the Beacon Diff Threshold is crossed before an AP
250. of traffic, you can determine the priority of the ACs. For example, you can choose to give video traffic the highest priority. With WMM, applications assign data packets to an AC. In the client, the data packets are then added to one of the transmit queues for voice, video, best effort, or background. WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol's Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC: arbitrary inter-frame space number (AIFSN); minimum and maximum contention window (CW) size. For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity to transmit (TXOP). Frames with the highest-priority AC are more likely to get TXOP, as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values). The value of the CW varies through time, as the CW doubles after each collision, up to the maximum CW. The CW is reset to the minimum value after successful transmission. In addition, you can configure the TXOP duration for each AC. On the controller, you configure the AC priorities in the WLAN EDCA parameters profile. There are two sets of EDCA profiles you can configure: AP parameters affect traffic from the AP to the client; ST
251. ofiles are assigned to folders; this establishes visibility to Dell PowerConnect W AP Groups and WLAN settings. Access Profiles with Dell PowerConnect W Configuration > Profiles, illustrated in Figure 6. [Figure 6: Dell PowerConnect W Configuration > Profiles Navigation] Profiles are organized by type. Custom-named profiles do not appear in the navigation pane as do custom-named Dell PowerConnect W AP Groups, WLANs, and AP Overrides. For additional information about profile procedures and guidelines, refer to the following sections in this document: Setting Up Initial Dell PowerConnect W Configuration on page 21; General Profiles Guidelines on page 28; Profiles on page 50 in the Appendix. Security Section. The Security section displays, adds, edits, or delete
252. on Transmission For each AC the backoff time is the sum of the AIFSN and a random value between 0 and Opportunity Slots in 32 the CW value The AC with the lowest backoff time is granted the opportunity to transmit usec Units TXOP Frames with the highest priority AC are more likely to get TXOP as they tend to have the lowest backoff times a result of having smaller AIFSN and CW parameter values The value of the CW varies through time as the CW doubles after each collision up to the maximum CW The CW is reset to the minimum value after successful transmission In addition you can configure the TXOP duration for each AC ME Meme ER configured with this EDCA profile Fe WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance Space Number CSMA CA protocol s Distributed Coordination Function DCF The collision resolution algorithm responsible for traffic prioritization depends on the following configurable Minimum Contention 2 parameters for each AC Window Exponent arbitrary inter frame space number AIFSN minimum and maximum contention window CW size Maximum Contention 3 128 Configuration Reference Dell PowerConnect W AirWave 7 4 Configuration Guide Table 60 Dell PowerConnect W Configuration gt Profiles gt SSID gt EDCA AP Profile Settings Continued Default Description Transmission 47 For each AC the backoff time is the sum of the AIFSN and a random value betwe
253. on Guide. [Figure 15: Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups > Add/Edit Details Page (Partial View)] The following section of this configuration guide provides additional information about configuring Dell PowerConnect W AP Groups: General Dell PowerConnect W AP Groups Procedures and Guidelines on page 27. 8. Add or edit WLANs in Dell PowerConnect W Configuration as required. a. Navigate to the Dell PowerConnect W Configuration > WLANs page. This page can display all WLANs currently configured, or can display only selected WLANs. b. Click Add to create a new WLAN, or click the pencil icon to edit an existing WLAN. You can add or edit WLANs in one of two ways, as follows: Basic: This display is essentially the same as the AOS Wizard View on the Dell PowerConnect W controller. This
254. on pane displays custom-configured WLANs and Dell PowerConnect W AP Groups. All other components of the navigation pane are standard across all deployments of Dell PowerConnect Configuration. You define or modify WLANs on the Device Setup > Dell PowerConnect W Configuration page. Select WLANs from the navigation pane. You can create or edit any profile in a WLAN as you define or modify that WLAN. If you digress to profile setup from a different page, AirWave returns you to your place on the WLAN setup page once you are done with profile setup. WLANs. The WLANs page displays all configured WLANs and enables you to add or edit WLANs. For additional information about using this page, refer to General WLAN Guidelines on page 28. The Dell PowerConnect W Configuration > WLANs page contains additional information as described in Table 5. Table 5: Dell PowerConnect W Configuration > WLANs Page Fields and Descriptions (columns: Field, Description). Lists the name of the WLAN. SSID: Lists the SSID currently defined for the WLAN. Table 5 (Continued). Dell PowerConnect W AP Group: Lists the Dell PowerConnect W AP Group or Groups that use the associated WLAN. AP Override: Lists any AP Override configurations for specific APs on the WLAN and in the respective Dell PowerConn
255. on resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC: arbitrary inter-frame space number (AIFSN), minimum and maximum contention window (CW) size. For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value. The AC with the lowest backoff time is granted the opportunity to transmit (TXOP). Frames with the highest priority AC are more likely to get TXOP as they tend to have the lowest backoff times (a result of having smaller AIFSN and CW parameter values). The value of the CW varies through time, as the CW doubles after each collision up to the maximum CW. The CW is reset to the minimum value after successful transmission. In addition, you can configure the TXOP duration for each AC. Minimum Contention Window Exponent. Maximum Contention. Transmission Opportunity Slots in 32 usec Units: Set the transmission opportunity slots in 32 micro second intervals. configured with this EDCA profile. Space Number: WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol's Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC: arbitrary inter-frame space number (AIFSN), minimum and maximum contention window (CW) size. Minimum Contention Window Exponent 3. Maximum Contenti
256. onfiguration changes in Monitor mode prior to pushing an entire set of changes to controllers. Follow these general steps when implementing configuration changes for devices in Monitor mode: 1. Make all device changes using the Dell PowerConnect W Configuration pages. Click Save and Apply as you complete device level changes. This builds an inventory of pending configuration changes that have not been pushed to the controller and APs. 2. Review the entire set of newly mismatched devices on the APs/Devices > Mismatched page. 3. For each mismatched device, navigate to the APs/Devices > Audit page to audit recent configuration changes as desired. 4. Once all mismatched device configurations are verified to be correct from the APs/Devices > Audit page, use the Modify Devices link on the Groups > Monitor page to place these devices into Manage mode. This instructs AirWave to push the device configurations to the controller. 5. As desired, return devices to Monitor mode until the next set of configuration changes is ready to push to controllers. Supporting APs with Dell PowerConnect W Configuration. AP Overrides Guidelines: The AP Override component of Dell PowerConnect W Configuration operates with the following principles: AP devices function within groups that define operational parameters for groups of APs. This is s
257. ons that are dependent on special licenses. The user interface conveys that a special license is required for any such setting, function, or profile. AirWave does not push such configurations when a license related to those configurations is unavailable. For details on the licenses required by a specific version of AOS, refer to the Dell PowerConnect W AirWave User Guide on support.dell.com/manuals for that release. Setting Up Initial Dell PowerConnect W Configuration: This section describes how to deploy an initial setup of Dell PowerConnect W Configuration in AirWave. Prerequisites: Complete the Dell PowerConnect W AirWave 7.4 upgrade to AirWave 6.4 or later. Upon upgrade to AirWave version 6.4 or later, global Dell PowerConnect W Configuration is enabled by default in groups with devices in monitor-only mode. Back up your AOS controller configuration file. Information about backing up AirWave is available in the Dell PowerConnect W AirWave 7.4 User Guide on support.dell.com/manuals, in the Performing Daily Operations in AirWave chapter. Procedure: Perform the following steps to deploy Dell PowerConnect W Configuration when at least one Dell PowerConnect W AP Group currently exists on at least one Dell PowerConnect W Series controller on the network: 1. Determine whether you are using global or group configuration, and set AMP Setup > General > Device Configuration > Use Global Dell PowerConnect W Configuration accordingly. 2
258. ontrollers. You can also configure a mobility domain that contains multiple master controllers; you need to configure the mobility domain on each master controller. Table 84 Controllers in a Mobility Domain. On a master controller: Configure the mobility domain, including the entries in the home agent table (HAT). On all controllers in the mobility domain: Enable mobility (disabled by default). Join a specified mobility domain (not required for default mobility domain). You can enable or disable IP mobility in a virtual AP profile (IP mobility is enabled by default). When IP mobility is enabled in a virtual AP profile, the ESSID that is configured for the virtual AP supports layer 3 mobility. If you disable IP mobility for a virtual AP, any clients that associate to the virtual AP will not have mobility service. Advanced Services > IP Mobility: Navigate to Advanced Services > IP Mobility in the navigation pane. This page displays all currently configured profiles supporting IP Mobility, each group that uses each IP Mobility profile, and the folder for each IP Mobility profile. Select Add to create a new IP Mobility profile, or click the pencil icon next to an existing profile to modify settings on an existing profile. The Advanced Services > IP Mobility Profile Details page contains the following fields, as described in Table 85. Table 85 Advanced Services > IP Mobility Add/Edit Fields and Descriptions. Field Default De
259. or multi-band implementations, the Acceptable Coverage Index specifies the minimal coverage an AP should achieve on its channel. The denser the AP deployment, the lower this value should be. The range of possible values is 1 to 6. Table 53 Profiles > RF > 802.11a/g Radio > ARM Profile Settings (Continued). Default Description. Free Channel Index (default 25): The Dell PowerConnect W Interference index metric measures interference for a specified channel and its surrounding channels. This value is calculated and weighted for all APs on those channels (including 3rd party APs). An AP will only move to a new channel if the new channel has a lower interference index value than the current channel. Free Channel Index specifies the required difference between the two interference index values before the AP moves to the new channel. The lower this value, the more likely it is that the AP will move to the new channel. The range of possible values is 10 to 40. Backoff Time (default 240): Sets the backoff time in seconds. After an AP changes channel or power settings, it waits for the backoff time interval before it asks for a new channel/power setting. The range of possible values is 120 to 3,600 seconds. Error Rate Threshold: Sets the minimum percentage of PHY errors and MAC errors in the channel that will trigger a channel change. Error Rate Wait 30 Sets the mini
260. ormal and off. RF Band: Indicates the band for mesh operation for multiband radios. Select a or g. Important: If you create more than one mesh cluster profile for an AP or AP group, each mesh cluster profile must use the same band. RF Band for AM mode scanning: Scanning band for multiple RF radios. Options are all, a, or g. Requires a minimum of 6.0.0.0. LMS Hold down Period (1-3600 sec). Number of IPSEC. Double Encrypt: The double encryption feature applies only for traffic to and from a wireless client that is connected to a tunneled SSID. When this feature is enabled, all traffic (which is already encrypted using Layer 2 encryption) is re-encrypted in the IPSec tunnel. When this feature is disabled, the wireless frame is only encapsulated inside the IPSec tunnel. All other types of data traffic between the controller and the AP (wired traffic and traffic from a split-tunneled SSID) are always encrypted in the IPSec tunnel. Native VLAN ID (0-4094): Enter the ID of the native VLAN. The supported range is from 0 to 4094. SAP MTU: Specify the Service Access Point (SAP) maximum transmission unit (MTU) in bytes. The range is 1024 to 1578 bytes. Table 29 Profiles > AP > System Profile Settings (Continued). Field Default Description. Bootstrap Threshold 1 Enter a threshold value from 0 to 65,535 65535 Adjust th
261. ou to match all or a portion of the user information sent in an authentication request. Server Type: Select the server type for the new server being added. Options are RADIUS (default), LDAP, TACACS, and Internal. RADIUS Server: Select the RADIUS server from the drop-down menu that the new server is to use. You can edit an existing RADIUS server or create a new server. Server Group Server Rules Section: Select the Add button to add a new rules section. The page that appears contains the following settings to define: Match Type: From the drop-down menu, select Authstring or FQDN. The following settings complete the configuration: Operator: For Authstring only, specify how to process the string (contains, equals, starts with). Match String: Enter the string or string fragment. Finish by clicking the Add New Server Group Server Rules button. Table 72 Security > Server Groups > Add or Edit Server Group Fields and Descriptions (Continued). Field Default Description. Server Group Rule. Field to set (default role): Specify whether the server group rule is a role or a VLAN. The Role/VLAN field at the bottom of the page changes in response to your selection here. Attribute (default ARAP Features): From the drop-down menu, click the attribute that defines the server group rule being configured. Many options are supported. Operation (default contains): Select the criteria by
262. page does not require in-depth knowledge of the profiles that define the Dell PowerConnect W AP Group. Advanced: This display allows you to select individual profiles that define the WLAN and associated Dell PowerConnect W AP Group. This page requires in-depth knowledge of all profiles and their respective settings. The following sections of this configuration guide provide additional information and illustrations for configuring WLANs: General WLAN Guidelines on page 28; WLANs on page 45 in the Appendix, for details on all WLAN settings. 9. Add or edit Dell PowerConnect W Configuration Profiles as required. a. Navigate to Dell PowerConnect W Configuration > Profiles section of the navigation pane. b. Select the type of profile in the navigation pane to configure: AAA, AP, Controller, IDS, Mesh, QoS, RF, or SSID. c. Click Add from any of these specific profile pages to create a new profile, or click the pencil icon to edit an existing profile. Most profiles in AirWave are similar to the All Profiles display in the Dell PowerConnect W controller WebUI. The primary difference in AirWave is that AAA and SSID profiles are not listed under the WLAN column, but under Profiles. d. Save changes to each element as you proceed through profile and WLAN configuration. All other settings supported on Dell PowerConnect W Series controllers can be defined on the Dell PowerConnect W Configuration page. The following section in this document
263. passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID, and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the controller as a backup to an external authentication server. Token Caching (default Disabled): Specify whether EAP token caching is enabled or disabled. Token Caching Period (1-240 hrs, default 24): Specify token caching in hours. The supported range is from 1 to 240 hours. CA Certificate: Type the CA certificate imported into the controller. Server Certificate: Specify a server certificate. The list of available certificates is taken from the computer certificate store on which IAS is running. In this case, a self-signed certificate was generated by the local certificate authority and installed on the IAS system. On each wireless client device, the local certificate authority is added as a trusted certificate authority, thus allowing this certificate to be trusted. Termination Inner EAP Type GTC. TLS Guest Access: Specify if TLS authentication supports guest users. User-level authentication is performed by an external RADIUS server using PPP EAP-TLS. In this scenario, client and server certificates are mutually authenticated during the EAP-TLS exchange. During the authentication, the controller encapsulates EAP-TLS messages from the client into RADIUS messages and forwards them to the server. ap role Specify the TLS authentication role that
264. peration of folders, users, and user roles, as described in the Dell PowerConnect W AirWave 7.4 User Guide in Home > Documentation. Defining Visibility for Dell PowerConnect W Configuration: Perform these steps to define or adjust visibility for users to manage and support Dell PowerConnect W Configuration: 1. As required, create a new AirWave device folder with management access. a. Navigate to the APs/Devices > List page and scroll to the bottom of the page. An alternate page supporting new folders is Users > Connected page. b. Click the Add New Folder link. The Folder detail page appears, as illustrated in Figure 19. Figure 19 APs/Devices > Add New Folder > Folders Page Illustration. c. Click Add. The APs/Devices > List page reappears. You can view your new folder by selecting it from the Go to folder drop-down list at the top right of this page. Figure 20 illustrates an unpopulated device page for an example folder. Figure 20 APs/Devices > List Page With No Devices.
265. peration of the link metric algorithm tree rssi Specify the algorithm used by a mesh node to select its parent. Available options are: best-link-rssi: Selects the parent with the strongest RSSI, regardless of the number of children a potential parent has. distributed-tree-rssi: Selects the parent based on link RSSI and node cost based on the number of children. This option evenly distributes the mesh points over high-quality uplinks. Low-quality uplinks are selected as a last resort. NOTE: The default value is recommended. 802.11g Portal Channel (1-14, default Blank) and 802.11a Portal Channel (34-165, default Blank): Each 802.11a and 802.11g radio profile references an Adaptive Radio Management (ARM) profile. When you assign an active ARM profile to a mesh radio, ARM's automatic power assignment and channel assignment features automatically select the radio channel with the least amount of interference for each mesh portal, maximizing end-user performance. In earlier versions of this software, an AP with a mesh radio received its beacon period, transmission power, and 11a/11g portal channel settings from its mesh radio profile. Mesh access AP portals now inherit these radio settings from their dot11a or dot11g radio profiles. NOTE: Do not delete or modify mesh cluster profiles once you use them to provision mesh nodes. You can recover the mesh point if the original cluster profile is still available. Creating a new mesh cluster profile is recommended if need
266. ponent of Dell PowerConnect W Configuration is the AP Overrides page, appearing immediately below Dell PowerConnect W AP Groups in the Navigation Pane. Figure 5 illustrates this location and access. Figure 5 Dell PowerConnect W Configuration > AP Overrides Navigation. AP Overrides operate as follows in Dell PowerConnect W Configuration: Custom-created AP Overrides appear in the Dell PowerConnect W Configuration navigation pane, as illustrated in Figure 5. Dell PowerConnect W controllers and AP devices operate in Dell PowerConnect W AP Groups that define shared parameters for all devices in those groups. The Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups page displays all current Dell Powe
267. ppears on the Profiles > RF > Optimization page. Profiles > SSID: Configures network authentication and encryption types. This profile also includes references to an EDCA Parameters Station Profile, an EDCA Parameters AP Profile, and a High-throughput (HT) SSID profile. SSID: Configures network authentication and encryption types. The SSID profile defines SSID settings and references additional EDCA and HT profiles. Refer to Profiles > SSID on page 122. EDCA AP: AP to client traffic prioritization, including EDCA parameters for background, best-effort, voice and video queues. Refer to Profiles > SSID > EDCA AP on page 126. EDCA Station: Client to AP traffic prioritization parameters, including Enhanced Distributed Channel Access (EDCA) parameters for background, best-effort, voice and video queues. Refer to Profiles > SSID > EDCA Station on page 129. HT SSID: High-throughput APs support additional settings not available in legacy APs. A High-throughput SSID profile can enable or disable high-throughput (802.11n) features and 40 MHz channel usage, and define values for aggregated MAC protocol data units (MPDUs) and Modulation and Coding Scheme (MCS) ranges. If none of the APs in your mesh deployment are 802.11n-capable APs, you do not need to configure a high-throughput SSID profile. If you modify a currently provisioned
268. profile to detect coverage holes, radio interference and STA association failures, and configure Received signal strength indication (RSSI) metrics. Perform these steps to create or edit Optimization profiles: 1. Select Profiles > RF > Optimization in the navigation pane. This page summarizes the current cluster profiles. 2. Select the Add button to create a new Optimization profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 57. Table 57 Profiles > RF > Optimization Profile Settings. Field Default Description. Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. AP Load Balancing: Enable or disable AP load balancing based on a user-defined number of clients or the degree of AP utilization on an AP. AP Load Balancing Max Retries (0-100,000): Set the maximum number of times that an AP attempts load balancing before timing out. AP Load Balancing User High Watermark (0-100,000): Set the high watermark level for the number of users that AP load balancing is to support. The supported range is 0 to 100,000 users, and setting this field to 0 users disables this function. When the number of users exceeds the high watermark, it triggers an alert. Set the low watermark level for the number of users that AP load balancing is to support. The supported range is 0 to 100,000 users and set
269. provides additional information about configuring profiles: General Profiles Guidelines on page 28. 10. Provision multiple Dell PowerConnect W AP Groups on one or more controllers by putting the controllers into an AMP group and configuring that group to use the selected Dell PowerConnect W AP Groups. With global configuration enabled, configure such Dell PowerConnect W AP Groups settings on the Group > Dell PowerConnect W Config page. With group configuration, use the Dell PowerConnect W AP Groups. The following section of this document provides additional information: General Dell PowerConnect W AP Groups Procedures and Guidelines on page 27. 11. As required, add or edit AP devices. The following section of this document has additional information: Supporting APs with Dell PowerConnect W Configuration on page 30. 12. Each AP can be assigned to a single Dell PowerConnect W AP Group. Make sure to choose an AP Group that has been configured on that controller using that controller's AMP Group. Use the APs/Devices > List, Modify Devices field and the APs/Devices > Manage page. You can create or edit settings such as the AP name, syslocation, and syscontact on the APs/Devices > Manage page. For additional information, refer to Supporting APs with Dell PowerConnect W Configuration on page 30. Figure 16 APs/Devices > M
270. ps > LDAP Server page. This server is now available to be used by server groups. Security > Server Groups > RADIUS: You can configure RADIUS servers for use by a server group. The Security > Server Groups > RADIUS page displays current RADIUS servers available for inclusion in server groups. Select Add to create a new RADIUS server, or click the pencil icon next to an existing RADIUS server to edit the configuration. The Security > Server Groups > Add New RADIUS Server page contains the following fields, as described in Table 74. Table 74 Security > Server Groups > RADIUS. Field Default Description. General Settings: all folders available for association with the server group. Other Settings: Host (IP Address): Set the IP address of the authentication server. Key / Confirm Key: Set the shared secret between the controller and the authentication server. The maximum length is 48 bytes. (default 1812) Set the authentication port on the server. (default 1813) Set the accounting port on the server. Retransmits (0-3, default 3): Set the maximum number of retries sent to the server by the controller before the server is marked as down. Timeout (1-30 sec): Set the maximum time in seconds that the controller waits before timing out the request and resending it. NAS ID
271. [Figure: device settings form showing Upstream Device, Down Status Message, Dell PowerConnect W Controller Overrides, and SNMP community string and SNMPv3 credential fields] APs/Devices > Monitor Page: Used in conjunction with the Manage page, the Monitor page enables review of device-level settings. This page is large and often contains a great amount of informatio
272. pted valid client after which the Detection Quiet Time check can be resumed. Requires a Wireless Intrusion Protection license or an RFprotect license, and a minimum version of 6.0.0.0. Valid 802.11g Channel for Policy Enforcement: Enter the list of valid 802.11g channels that third-party APs are allowed to use. Valid 802.11a Channel for Policy Enforcement: Enter the list of valid 802.11a channels that third-party APs are allowed to use. Valid MAC OUIs: Enter the list of MAC OUIs of wired devices in the network, typically gateways or servers. Valid and Protected SSIDs: Enter the list of valid and protected SSIDs. Protect 802.11n High Throughput Devices: Enable or disable protection of high-throughput 802.11n devices not operating in 40 MHz mode. Protect 40MHz 802.11n High Throughput Devices: Enable or disable protection of high-throughput 802.11n devices operating in 40 MHz mode. Detect Active 802.11 Greenfield Mode (default Yes): Enable or disable detection of high-throughput devices advertising greenfield preamble capability. 3. Select Add or Save. The added or edited profile appears on the Profiles > IDS > Unauthorized Devices page. Profiles > Mesh: Mesh profiles help define and bring up the mesh network. This section describes the mesh radio and mesh cluster profiles in more detail. Cluster: Mesh clusters are grouped and defined by a mesh cl
273. r are to be in clear text. Disable wireless devices when client is wired: Use this setting to disable wireless clients when a wired device is known to be on the VPN. Table 68 Security > User Roles > Add VPN Dialer Fields and Descriptions (Continued). Field Default Description. Enable SecurID New and Next Pin Mode: Use this setting to enable or disable SecurID PIN modes. The SecurID authentication scheme authenticates the user on an RSA ACE Server. When challenged, the user has to enter a password that is a combination of two numbers: a personal identification number (PIN) supplied by RSA, combined with a token code, which is the number displayed on the RSA SecurID authenticator. New PIN mode is applied in cases where the authentication process requires additional verification of the PIN. In this case, the user is required to use a new PIN. The new PIN is derived from one of the following two sources, depending on the configuration of the RSA ACE Server: The user is prompted to select and enter a new PIN. The server supplies the user with a new PIN. The user is then required to re-authenticate with the new PIN. The use of the New PIN mode is optional and can be enabled or disabled. PPP Authentication Modes (CHAP, MSCHAP): Use this section to select the authentication modes to be supported for PPP in the VPN. The following options are available
274. r with which the profile is associated. The drop-down menu displays all folders available for association with the profile. SNMP Enable: Enable or disable SNMP in this profile. Enter Community String: Text field allows you to type one or multiple SNMP community strings applied to this profile. Select SNMP User Profile: If SNMP is enabled in this profile and one or more profiles have been configured, select the corresponding SNMP profile from this list. 3. Select Add or Save. The added or edited SNMP profile appears on the SNMP profiles page. Profiles > AP > SNMP > SNMP User: Perform these steps to configure a SNMP profile: 1. Select Profiles > AP > SNMP > SNMP User in the navigation pane. 2. Select the Add button to create a new user, or click the pencil icon next to an existing user to edit that user. Complete the settings as described in Table 28. Table 28 Profiles > AP > SNMP > SNMP User Settings. Field Default Description. General Settings: Folder (default Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Name (default Blank): Name of the SNMP user profile. This is the name by which the SNMP user is managed and accessed when cited by SNMP profiles. Other Settings. Table 28 Profiles > AP > SNMP > SNMP User Se
275. rConnect W AP Groups in the controller's Groups > Dell PowerConnect W Config page. 5. After configuration file import is complete, refresh the page to verify the results of the import, and add or edit as required. 6. Navigate to the Dell PowerConnect W Configuration page. This page displays a list of APs authorized on the AMP that are using the Dell PowerConnect W AP Group. The User Role is the Dell PowerConnect W User Role used in firewall settings. For additional information, refer to Security > User Roles on page 127. (Global Configuration only) The Folder column cites the visibility level to devices in each Dell PowerConnect W AP Group. For additional information, refer to Visibility in Dell PowerConnect W Configuration on page 33. 7. Add or modify Dell PowerConnect W AP Groups as required. a. Navigate to the Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups page. b. Click Add from the Dell PowerConnect W AP Groups page to create a new Dell PowerConnect W AP Group. To edit a Dell PowerConnect W AP Group, click the pencil icon next to the group. The Details page for the Dell PowerConnect W AP Group appears. This page allows you to select the profiles to apply to the Dell PowerConnect W AP Group, and to select one or more WLANs that support that Dell PowerConnect W AP Group. Figure 15 illustrates this page.
276. rConnect W AP groups. AP Override allows you to change some parameters for any specific device without having to create a Dell PowerConnect W AP group per AP. The name of any AP Override should be the same as the name of the device to which it applies. This establishes the basis of all linking to that device. Once you have created an AP Override for a device in a group, you specify the WLANs to be included and excluded. For additional information about how to configure and use AP Overrides, refer to these topics: AP Overrides Guidelines on page 30; AP Overrides on page 41 in the Appendix. WLANs Section: Access WLANs with Dell PowerConnect W Configuration > WLANs. The following concepts govern the use of WLANs in Dell PowerConnect W Configuration: WLANs are the same as virtual AP configuration profiles. WLAN profiles contain several diverse settings, including SSIDs, referenced Dell PowerConnect W AP Groups, Traffic Management profiles, and device Folders. This document describes WLAN configuration in the following section and chapter: Setting Up Initial Dell PowerConnect W Configuration on page 21; General WLAN Guidelines on page 28; WLANs on page 45. Profiles Section: Profiles provide a way to organize and deploy groups of configurations for Dell PowerConnect W AP Groups, WLANs, and other profiles. Pr
277. raffic Rate Limit: storm control for broadcast. Enable Multicast Traffic Rate Limit: storm control for multicast. Enable Unicast Rate Limit: Enables storm control for unicast. Switchport Mode (default Access): Specify whether the port is an access port connected to an end device, or a trunk port for uplink connectivity. access: Configures the port to be an access port. trunk: Configures the port to be a trunk port. NOTE: Trunk mode and UnTrusted Port mode cannot be configured simultaneously. Trunk Mode Allowed VLANs (default 1): Identifies the VLAN IDs for which the trunk carries the traffic. Enter a list or range of vlan tags and pools (e.g. pool1 pool2 1 5 20 40), or all, or none. NOTE: Trunk mode and UnTrusted Port mode cannot be configured simultaneously. 3. Select Add or Save. The added or edited profile appears on the Mobility Switch page and on the details page. Profiles > Mobility Switch > VLAN: This profile creates a VLAN with the specified configuration parameters. To enable role-based access for wired clients connected to an untrusted VLAN and/or port on the switch, you must specify the wired AAA profile you would like to apply to that VLAN. If you do not specify a per-VLAN AAA profile, traffic from clients connected to an untrusted wired port or VLAN will use the global AAA profile, if configured. Perform these steps to configure a Mobility Switch > VLAN profile: 1. Select Profiles > Mobility Switch > VLAN in the
278. ration. With PPTP, data encryption begins after PPP authentication and connection process is completed. PPTP connections use Microsoft Point-to-Point Encryption (MPPE), which uses the Rivest-Shamir-Adleman (RSA) RC4 encryption algorithm. PPTP connections require user-level authentication through a PPP-based authentication protocol (MSCHAPv2 is the currently supported method). The PPTP page displays all PPTP profiles that are currently configured for use by VPN services. This page lists the PPTP profile names, the VPN Services that reference these PPTP profiles, and the folder for each PPTP profile. Select Add to create a new PPTP profile, or click the pencil icon next to an existing profile to edit. The Add/Edit Details page appears. The Advanced Services > VPN Services > PPTP Add/Edit Details page contains the following fields, as described in Table 91. Table 91: Advanced Services > VPN Services > PPTP Add/Edit Details Fields and Descriptions (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the PPTP profile is associated. The menu displays all folders available for association with the PPTP profile. Blank: Enter the name of the PPTP profile. Other Settings. Enable PPTP (default: Yes): Enable or disable this PPTP profile. Echo Timeout: Define the PPTP echo timeout, which is the time between request and sending echo 10 300 se
279. rding to which protocol you have selected. Port Selection (default: Range): Choose whether to list ports by Range, which causes the Port and Max Port fields to appear below, or List, which introduces a Port List field and requires a minimum version of 6.0.0.0. TCP/UDP Port: Appears if Range is specified in Port Selection. Specify the TCP/UDP port or range of ports to support the service being configured. TCP/UDP Max Port: Appears if Range is specified in Port Selection. Specify the highest port that will support the TCP/UDP service being configured. Port List: Appears if List is specified in Port Selection. Enter a comma-separated list of ports. Requires a minimum version of 6.0.0.0. IP Protocol Number (0-255): Specify the numeric identifier of the upper-layer IP protocol that an IP packet should use. Configure Application Level Gateway: Specify whether to create an application-level gateway, which filters incoming and outgoing information packets before copying and forwarding across the gateway. If you select Yes in this field, you are prompted with a new drop-down menu in which to select the Application Level Gateway type. Application Level Gateway: If you select Yes for Configure Application Level Gateway, then specify the gateway type from this drop-down menu. The following application-level gateway types are supported: dhcp, dns, ftp, h323, noe, rtsp, sccp, sip, sips, svp, tftp, vocera. Security > Server Groups: Server Groups Page Overv
280. responsive Authentication Server (0-60 min): authentication server to be out of service. This timer is only applicable if there are two or more authentication servers configured on the controller. If there is only one authentication server configured, the server is never considered out of service and all requests are sent to the server. If one or more backup servers are configured and a server is unresponsive, it is marked as out of service for the dead time; subsequent requests are sent to the next server on the priority list for the duration of the dead time. If the server is responsive after the dead time has elapsed, it can take over servicing requests from a lower-priority server; if the server continues to be unresponsive, it is marked as down for the dead time. Range: 0-50. Unauthenticated User Lifetime (0-255 min), default 5 minutes: Maximum time, in minutes, unauthenticated clients are allowed to remain logged on. Range: 0-255. RADIUS Client. RFC 3576 Server UDP Port (1-65535), default 3799: Configures the UDP port to receive requests from a RADIUS server that can send user disconnect and change-of-authorization messages, as described in RFC 3576, Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS). NOTE: This parameter can only be used on the master controller. DNS Query Interval. DNS Query Interval (1-1440 min): If you define a RADIUS server using the FQDN of the server rather than its IP address, the controller will
281. rived from user attributes upon the client's association with an AP (this is known as a user-derived role). You can configure rules that assign a user role to clients that match a certain set of criteria. For example, you can configure a rule to assign the role VoIP-Phone to any client that has a MAC address that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication. 3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method. 4. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role). If the client is authenticated via an authentication server, the user role for the client can be based on one or more attributes returned by the server during authentication, or on client attributes such as SSID (even if the attribute is not returned by the server). Server-derivation rules are executed after client authentication. 5. The user role can be derived from Dell PowerConnect Vendor-Specific Attributes (VSA) for RADIUS server authentication. A role derived from a Dell PowerConnect VSA takes precedence over any other user roles. In the Dell PowerConnect W user-centric network, the user role of a wireless client determines its privileges, includi
282. rovide a fully qualified domain name (Gateway URL field). Comma Separated List of HTTP Ports to Be Inspected (Apart from Default Port 80): Specify the ports, separated by comma, that will be monitored by the content security service provider. Do not add space before or after the comma. Keep VIA Window Minimized: Use this option to keep the VIA client on a Microsoft Windows operating system minimized to system tray. Via Logoff Script: Specify the name of the log-off script that must be executed when the VIA is disconnected. The log-off script must reside in the client computer. Via Logon Script: Specify the name of the logon script that must be executed after VIA establishes a secure connection. The logon script must reside in the client computer. Table 14: Profiles > AAA > VPN Connection Profile Settings (Continued) (Field, Default, Description). VIA Authentication Profile: Select a VIA Authentication Profile to reference. Refer to Profiles > AAA > VPN Connection > VIA Auth on page 63. VIA Client WLAN Profile: Select a VIA Client WLAN Profile to reference. Refer to Profiles > AAA > VPN Connection > VIA Client WLAN on page 63. VIA Controller: Enter the Hostname, IP address, internal IP address, and description of the VIA Controller. 3. Select Add or Save. The added or edited VPN Connection profile appears on the Profiles > AAA page
283. rs and type. Be aware of the following additional factors: Configuration audits are done at the AirWave group level. AirWave folders support multiple sublevels. Therefore, unless there is a compelling reason to use the folders-by-device-type approach, use groups for AP type and folders strictly for AP location. Visibility in Dell PowerConnect W Configuration. Visibility Overview: Dell PowerConnect W Configuration supports device configuration and user information in the following ways: User roles; AP/Device access level; Folders (in global configuration). Additional factors for visibility are as follows: Administrative and Management users in AirWave can view the Dell PowerConnect W Configuration page and the APs/Devices > Manage pages. Administrative users are enabled to view all configurations. Management users have access to all profiles and Dell PowerConnect W AP groups for their respective folders. The Device Setup > Dell PowerConnect W Configuration page has a limit to folder drop-down options for customers that manage different accounts and different types of users. Dell PowerConnect W Configuration entails specific user role and security profiles that define some components of visibility, as follows: Security > User Roles; Security > Policies. AirWave continues to support the standard o
284. rs on the AP Authorization page and on the details page. Profiles > AP > Ethernet Link: The configurable speed defined in this profile is dependent on the port type, and you can define a separate Ethernet Interface profile for each Ethernet link. Perform these steps to configure an Ethernet Link profile: 1. Select Profiles > AP > Ethernet Link in the navigation pane. 2. Select the Add button to create a new profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 24. Table 24: Profiles > AP > Ethernet Link Profile Settings (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Name: Enter the name of the profile. Other Settings. Speed (Mbps) (default: auto): Designates the speed of the Ethernet link for this profile. Options are 10, 100, or 1000 Mbits. Duplex: Defines this profile to support duplex Ethernet. Options are full, half, or auto. 3. Select Add or Save. The added or edited Ethernet Link profile appears on the AAA Profiles page and on the 802.1x Auth details page. Profiles > AP > Provisioning: Perform these steps to define a provisioning profile for an AP or group of APs: 1. Select Profiles > AP > System in the navigation pane. This page summarizes the current profiles of this type.
285. rt guard interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor deployments may, however, require a longer guard interval. If the short guard interval does not allow enough time for reflections to settle in your mesh deployment, inter-symbol interference values may increase and degrade throughput. This parameter is enabled by default. Short Guard Interval in 20 MHz Mode: Enable or disable use of short (400ns) guard interval in 20 MHz mode. This parameter is enabled by default. A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor deployments may, however, require a longer guard interval. If the short guard interval does not allow enough time for reflections to settle in your mesh deployment, inter-symbol interference values may increase and degrade throughput. Requires a minimum version of 6.1.0.0. Table 43: Mesh > Radio > Mesh HT SSID Profile Settings (Continued). Defaul
286. Additional Capabilities of Dell PowerConnect W Series Configuration 26; Chapter 2: Using Dell PowerConnect W Configuration in Daily Operations 21; Procedures and Guidelines for Dell PowerConnect W AP Groups 21; Guidelines and Pages for Dell PowerConnect W AP Groups 21; Selecting Dell PowerConnect W AP Groups 28; Configuring Dell PowerConnect W AP Groups 28; General WLAN Guidelines 28; Appendix A; General Profiles Guidelines 28; General Controller Procedures and Guidelines 29; Using Controllers in Dell PowerConnect W Configuration 29; Pushing Device Configurations to Controllers 29; Supporting APs with Dell PowerConnect W Configuration 30; AP Overrides Guidelines 30; Changing Adaptive Radio Managemen
287. Profiles > AAA > Management Auth 67; Profiles > AAA > Stateful NTLM Auth 68; Profiles > AAA > WISPr Auth 69; Profiles > AP > Authorization 71; Profiles > AP > Ethernet Link 72; Profiles > AP > Provisioning 72; Profiles > AP > Regulatory Domain 74; Profiles > AP > SNMP 75; Profiles > AP > SNMP > SNMP User 75; Profiles > AP > System 76; Profiles > AP > Wired 80
288. s > RF > Events Threshold section and edit these settings as desired. Refer to Profiles > RF > Event Thresholds on page 118. Table 4: AP Overrides Add or Edit Page Fields (Continued). Fields and defaults: Wired AP Profile; Ethernet Interface 0 Link Profile (default); Ethernet Interface 1 Link Profile (default); AP System Profile; Regulatory Domain Profile (default); SNMP Profile; VoIP Call Admission Control Profile (default). Descriptions: Wired AP Profile: Controls whether 802.11 frames are tunneled to the controller using Generic Routing Encapsulation (GRE) tunnels, bridged into the local Ethernet LAN (for remote APs), or configured for a combination of the two (split mode). This profile also configures the switching mode characteristics for the port, and sets the port as either trusted or untrusted. Select the pencil icon next to this field to display the Profiles > AP > Wired page and adjust these settings as desired. Refer to Profiles > AP > System on page 76. Ethernet Interface 0 Link Profile: Sets the duplex mode and speed of AP's Ethernet link for ethernet interface 0. The configurable speed is dependent on the port type, and you can define a separate Ethernet Interface profile for each Ethernet link. Select the pencil icon next to this field to display the Profiles > AP > Ethernet Link details page and adjust these setting
289. s a minimum version of 6.0.0.0 (Spoofed Deauth Blacklist). Table 37: Profiles > IDS > Denial of Service Profile Settings (Continued) (Field, Default, Description). Detect AP Flood Attack: Enables or disables the detection of flooding with fake AP beacons to confuse legitimate users and to increase the amount of processing needed on client operating systems. AP Flood Threshold: Sets the number of Fake AP beacons that must be received within the Flood Increase Time to trigger an alarm. AP Flood Increase Time: Sets the time, in seconds, during which a configured number of Fake AP beacons must be received to trigger an alarm. AP Flood Detection Quiet Time: After an alarm has been triggered by a Fake AP flood, the time, in seconds, that must elapse before an identical alarm may be triggered. Detect Client Flood Attack: Enable/disable detection of client flood attack. There are fake AP tools that can be used to attack wireless intrusion detection itself by generating a large number of fake clients that fill internal tables with fake information. If successful, it overwhelms the wireless intrusion system, resulting in a DoS. Requires a Wireless Intrusion Protection license or an RFprotect license and a minimum version of 6.0.0.0. Client Flood Threshold: Threshold for the number of spurious clients in the system. Requires a Wireless Intrusion Protection license or an RFprotect license and a minimum version of 6.0.0.0. Client Flood
290. s as desired. Refer to Profiles > AP > SNMP on page 75. Sets the duplex mode and speed of AP's Ethernet link for ethernet interface 1. The configurable speed is dependent on the port type, and you can define a separate Ethernet Interface profile for each Ethernet link. Select the pencil icon next to this field to display the Profiles > AP > Ethernet Link details page and adjust these settings as desired. Refer to Profiles > AP > SNMP on page 75. Defines administrative options for the controller, including the IP addresses of the local, backup, and master controllers, Real-time Locating Systems (RTLS) server values, and the number of consecutive missed heartbeats on a GRE tunnel before an AP reboots traps. This field is a drop-down menu with the following options: Non-integer RTLS Server Station Message Frequency; Too high RTLS Server Port; Too low AeroScout RTLS Server Port; Too low RTLS Server Port. Select the pencil icon next to this field to display the Profiles > AP > System details page and adjust these settings as desired. Refer to Profiles > AP > System on page 76. Defines an AP's country code and valid channels for both legacy and high-throughput 802.11a and 802.11b/g radios. Select the pencil icon next to this field to display the Profiles > AP > Regulatory Domain page and adjust these settings as desired. Refer to Profiles > AP > Regulatory Domain on page 74.
291. s in the IPv6 Extension Header (EH). Refer to Profiles > AAA > IPv6 Extension Header on page 59. MAC Auth: Defines parameters for MAC address authentication, including the case of MAC string (upper or lower case), the format of the delimiters in the string, and the maximum number of authentication failures before a user is blacklisted. Refer to Profiles > AAA > MAC Auth on page 60. Management Auth: Enables or disables management authentication, and identifies the default role for authenticated management clients. This profile also references a server group. Refer to Profiles > AAA > Management Auth on page 67. Stateful 802.1x Auth: Enables or disables 802.1x authentication for clients on non-Dell PowerConnect W APs, and defines the default role for those users once they are authenticated. This profile also references a server group to be used for authentication. Refer to Profiles > AAA > Stateful 802.1X Auth on page 65. Stateful NTLM Auth: Requires that you specify a server group, which includes the servers performing NTLM authentication, and a default role to be assigned to authenticated users. Refer to Profiles > AAA > Stateful NTLM Auth on page 68. VPN Connection: Allows you to create a VPN Connection profile. Refer to Profiles > AAA > VPN Connection on page 61. VIA Auth: Creates a VPN Authentication profile. Profiles > AAA > VPN Connection > VIA
292. s or degree of AP utilization on an AP. Use this profile to detect coverage holes, radio interference, and STA association failures, and configure Received signal strength indication (RSSI) metrics. Profiles > RF > Optimization on page 120. Profiles > RF > 802.11a/g Radio: The two 802.11a and 802.11g RF management profiles for an AP configure its 802.11a (5 GHz) and 802.11b/g (2.4 GHz) radio settings. Use these profile settings to determine the channel, beacon period, transmit power, and ARM profile for a mesh AP's 5 GHz and 2.5 GHz frequency bands. You can either use the default version of each profile, or create a new 802.11a or 802.11g profile, which you can then configure as necessary. Each RF management profile also has a radio-enable parameter that allows you to enable or disable the AP's ability to simultaneously carry WLAN client traffic and mesh-backhaul traffic on that radio. Radios are enabled by default. Perform these steps to create or edit radio profiles for 802.11a or g. This type of radio profile references additional profiles, such as ARM and High-throughput Radio profiles. You have the chance to add or edit supporting profiles as you define 802.11a/g Radio profiles. 1. Select Profiles > RF > 802.11a/g in the Dell PowerConnect W Configuration navigation pane. 2. Select the appropriate Add button to create a new 802.11a or g profile, or click the pencil icon to edit an existing profile. Complete th
293. s security profiles in multiple categories, including user roles, policies, rules, and servers such as RADIUS, TACACS, and LDAP servers. Navigate to Security with the Dell PowerConnect W Configuration > Security path, illustrated in Figure 7. Figure 7: Dell PowerConnect W Configuration > Security Navigation. The following general guidelines apply to Security profiles in Dell PowerConnect W configuration: Roles can have multiple policies; each policy can have numerous roles. Server groups are comprised of servers and rules. Security rules apply in Dell PowerConnect W Configuration in the same way as deployed in AOS. For additional information about Security, refer to Security on page 126. Local Config Section: The Local Config section introduced
294. s threshold, this setting triggers a high watermark exceeded alert. Defining 0 disables this function (Frame Fragmentation Rate High Watermark). Frame Fragmentation Rate Low Watermark: Sets a low percentage watermark for frame fragmentation rates. When frame fragmentation rates exceed this threshold, this setting triggers a low watermark exceeded alert. Defining 0 disables this function. Frame Low Speed Rate High Watermark: Sets a high percentage watermark for low speed rates. When the percentage of received and transmitted frames at low speed (less than 5.5 Mbps for 802.11b and less than 24 Mbps for 802.11a) exceeds the configured high watermark, the system generates an alert. Defining 0 disables this function. Frame Low Speed Rate Low Watermark: Sets a low percentage watermark for low speed rates. When the percentage of received and transmitted frames at low speed (less than 5.5 Mbps for 802.11b and less than 24 Mbps for 802.11a) exceeds the configured Low Watermark, the system generates an alert. Defining 0 disables this function. Frame Non Unicast Rate High Watermark: Sets a high percentage watermark for non-Unicast frame rate. When the percentage of non-Unicast frames exceeds the configured high watermark, the system generates an alert. Defining 0 disables this function. Frame Non Unicast Rate Low Watermark: Sets a low percentage watermark for non-Unicast frame rate. When the percentage of non-Unicast frames excee
295. scription. General Settings. Folder: Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Mobility Domains (default: None selected): This section displays all domains that are available for association with this IP mobility profile. You can show all or show only selected domains. Select one or more mobility domains to associate with this IP Mobility profile. Foreign Agent. Registration Lifetime Requested by Proxy (10-65,534 sec): Specify the client registration time on the foreign network. A foreign agent receives traffic that is intercepted by the home agent on the home network, and forwards to the client on the foreign network. This setting defines the registration time of a client on the foreign network. Maximum Number of Active Visitors (0-5000): Set the maximum number of users to be supported by the foreign network. Maximum Number of Requests Retransmits (0-5): Set the maximum number of times that a retransmit is to be supported on the foreign network by proxy. Retransmit Interval (100-10000 msec): Set the foreign agent retransmit time in milliseconds. The retransmit interval defines retransmission between the home agent and the foreign agent. Table 85: Advanced Services > IP Mobility Add/Edit Fields and Descriptions (Continued) (Field, Default, Description). Hom
296. sion, or create a new instance of a profile, which you can then edit as you need. The mesh radio profile allows you to specify the set of rates used to transmit data on the mesh link. Refer to Profiles > Mesh > Radio on page 96. Radio > Mesh HT SSID: The mesh high-throughput SSID profile enables or disables high-throughput (802.11n) features for the SSID specified in the profile. Refer to Profiles > Mesh > Radio > Mesh HT SSID on page 98. Profiles > Mesh > Cluster: AirWave provides a default version of the mesh cluster profile. You can use the default version, or create a new instance of a profile, which you can then edit as you need. You can configure a maximum of 16 mesh cluster profiles on a mesh node. Perform these steps to create or edit Mesh Cluster profiles: 1. Select Profiles > Mesh > Cluster in the navigation pane. 2. Select the Add button to create a new Cluster profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 41. Table 41: Profiles > Mesh > Cluster Profile Settings (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the profile. Table 41: Profiles > Mesh > Cluster
297. ssignment will be utilized. 20 MHz clients can also associate using this configuration, but only the primary channel will be utilized. A high-throughput (HT) AP can use a 40 MHz channel pair comprised of two adjacent 20 MHz channels available in the regulatory domain profile for your country. When ARM is configured for a dual-band AP, it will dynamically select the primary and secondary channels for these devices. It can, however, continue to scan all changes in the a b g bands to calculate interference and detect rogue APs. Perform these steps to configure a Regulatory Domain profile: 1. Select Profiles > AP > Regulatory Domain in the navigation pane. This page summarizes the current profiles of this type. 2. Select the Add button to create a new Regulatory Domain profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 26. Table 26: Profiles > AP > Regulatory Domain Profile Settings (Field, Default, Description). General Settings. Folder (default: Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Name: Enter the name of the profile. Other Settings. Country Code: Designate the country with the 802 1X regulatory standard relevant to this WLAN. Valid 802.11a 40MHz Channel pairs: Select a 40 MHz channel pair for 802.11a. A high-throughput (HT) AP can use a 40 MHz channel pair comprised of two adjacent
298. sting user to edit that user. c. Select the user role created with the prior step, and complete the remainder of this page as per standard AirWave configuration. Refer to the Dell PowerConnect W-AirWave 7.4 User Guide at support.dell.com/manuals as required. 5. Observe visibility created or edited with this procedure. The user role and device folder created with this procedure are now available to configure, manage, and support Dell PowerConnect W Configuration and associated devices according to the visibility defined in this procedure. Any component of this setup can be adjusted or revised by referring to the steps and AirWave pages in this procedure. 6. Add or discover devices for the device folder defined during step 1 of this procedure. Information about devices is available in the Dell PowerConnect W-AirWave 7.4 User Guide. 7. Continue to other elements of Dell PowerConnect W Configuration described in this document. Appendix: Configuration Reference. Introduction: This appendix describes the pages, field-level settings, and interdependencies of Dell PowerConnect W Configuration profiles. Additional information is available as follows: Dell PowerConnect W Configuration components are summarized in Additional Concepts and Components of Dell PowerConnect W Configuration on page 19. For procedures
299. Profiles > Mobility Switch > Ethernet Link 101; Profiles > Mobility Switch > Port Switching 102; Profiles > Mobility Switch > VLAN 103; Profiles > QoS > Traffic Management 104; Profiles > QoS > VoIP Call Admission Control 105; Profiles > QoS > WMM Traffic Management 107; Profiles > RF > 802.11a/g Radio 109; Profiles > RF > 802.11a/g Radio > AM Scanning 113; Profiles > RF > 802.11a/g Radio > ARM 113; Profiles > RF > 802.11a/g Radio > HT Radio 116; Profiles > RF > 802.11a/g Radio > Spectrum 117; Profiles > RF > Event Thresholds
300. sword for the admin user. Allow Clear text: Enable this setting to allow clear-text (unencrypted) communication with the LDAP server. Auth Port: Enter the port number used for authentication on the LDAP server. Base DN: Enter the distinguished name of the node which contains the entire user database to use. Table 73: Security > Server Groups > Add LDAP Server Fields and Descriptions (Continued) (Field, Default, Description). Filter (default: objectclass): Select the filter that should be applied to any search of the user in the LDAP database. Key Attribute (default: sAMAccountName): Enter the attribute that should be used as a key in search for the LDAP server. For Active Directory, the value is sAMAccountName. Timeout 1030 sec: Define the timeout period of a LDAP request, in seconds. Enable (default: Yes): Use this field to enable or disable the LDAP server being configured. You can configure the LDAP server as disabled, but return later to enable it. Preferred Connection Type: Select the connection type for the LDAP server from the drop-down menu. LDAP servers support the following connection types: clear-text: No encryption is used. ldap-s: Uses SSL encryption. start-tls: Uses TLS encryption. Select Add to complete the configuration of the LDAP Server, or click Save to complete the editing of an existing server. The new LDAP server appears on the Security > Server Grou
301. t Discover page. Click New Devices in the Status section at the top of any AirWave page, or navigate to the APs/Devices > New page. Select (check) the box next to any AP you want to provision. 5. Rename all new APs. Type in the new device name in the Device column. Scroll to the bottom of the page and put APs in the appropriate AirWave group and folder. Set the devices to Manage Read/Write mode. Click Add. Wait approximately five to ten minutes. You can observe that the APs have been renamed not only in AMP but also on the Dell PowerConnect W AP Group and Dell PowerConnect W Series controller with the show ap database command. To set the appropriate Dell PowerConnect W AP Group, select the AP/Devices or Groups page and locate your APs. 9. Click Modify Devices. 10. Select the APs you want to re-group. 11. In the field that states Move to Dell PowerConnect W AP Group, below the list of the devices, select the appropriate group and click Move. NOTE: If the list of Dell PowerConnect W AP Groups is not there, ensure you either create these Dell PowerConnect W AP groups manually on the Device Setup > Dell PowerConnect W Configuration page, wherein you merely need the device names and not the settings, or import the configuration from one of your controllers to learn the groups. 12. Wait another five to 10 minu
302. t ARM Settings; Changing SSID and Encryption Settings; Changing the Dell PowerConnect W AP Group for an AP Device; Using AirWave to Deploy Dell PowerConnect W APs for the First Time; Using General AirWave Device Groups and Folders; Visibility in Dell PowerConnect W Configuration; Visibility Overview; Defining Visibility for Dell PowerConnect W Configuration; Configuration Reference; Dell PowerConnect W AP Groups; Dell PowerConnect W AP Groups; Overview of WLANs Configuration; WLANs > Basic; Understanding Dell PowerCon
303. t Stateful 802.1X Profile Settings. Field, Default, Description: General Settings. Folder (default Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the profile. Table 17 Profiles > AAA > Stateful 802.1X Profile Settings (Continued). Referenced Profiles. Server Group: Select the AAA authentication server group. Select the pencil icon to edit an existing server group, or click the add icon to create a new server group. 3. Select Add or Save. The added or edited Stateful 802.11 Auth profile appears on the AAA Profiles page and on the Stateful 802.11 Auth details page. Profiles > AAA > Wired Auth. This profile type references an AAA profile to be used for wired authentication. Perform these steps to configure a Wired Auth profile: 1. Select Profiles > AAA > Wired Auth in the navigation pane. 2. Select the Add button to create a new Wired Auth profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 18. Table 18 Profiles > AAA > Wired Auth Profile Settings. Field, Default, Description: General Settings. Folder (default Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile.
304. t W access points (APs) from ArubaOS-oriented administration to AirWave administration, you can use AirWave to deploy Dell PowerConnect W Series APs for the first time without separate AOS configuration. Be aware of the following dynamics in this scenario: AirWave can manage all wireless network management functions, including the first-time provisioning of Dell PowerConnect W Series APs, managing Dell PowerConnect W Series controllers with AirWave. In this scenario, when a new Dell PowerConnect W Series AP boots up, AirWave may discover the AP before you have a chance to configure and launch it through AOS configuration on the Dell PowerConnect W Series controller. In this case, the AP appears in AirWave with a device name based on the MAC address. When you provision the AP through the Dell PowerConnect W Series controller and then rename the AP, the new AP name is not updated in AirWave. An efficient and robust approach to update a Dell PowerConnect W Series AP device name is to deploy Dell PowerConnect W Series APs in AirWave with the following steps: 1. Define communication settings for Dell PowerConnect W Series APs pending discovery in the Device Setup > Communication page. This assigns communication settings to multiple devices at the time of discovery and prevents having to define such settings manually for each device after discovery. Discover new Dell PowerConnect W Series APs with AirWave. You can do so with the Device Setup g
305. t in AirWave. AMP provides three options for configuring Dell PowerConnect W Series devices: Global GUI config, for organizations who have near-identical deployments on all of their controllers. Group-level GUI config, for organizations who have two or more configuration strategies. Configuration changes are pushed to the controller via SSH with no reboot required. AMP only supports configuration of the settings which a master controller would push to the standby / local controllers (global features). AMP supports all master, master/standby, and master/local deployments. All settings for Profiles, Dell PowerConnect W AP Groups, Servers, and Roles are supported, as is the AOS WLAN Wizard. Controller IP addresses, VLANs, and interfaces are not supported, nor are Advanced Services, with the exception of VPN and IP Mobility. Other features of Dell PowerConnect W Configuration in AMP include the following: Dell PowerConnect W AirWave 7.4 understands AOS license dependencies. AMP supports a variety of Dell PowerConnect W firmware versions, so profiles / fields which are not supported by an older version will not be configured on controllers running that version. You can provision thin APs from the AP/Devices > Manage page. You can move APs into Dell PowerConnect W AP Groups from the Modify Devices option on the APs/Devices > List page. You can
306. table of other valid and rogue APs as equivalents of the wired MACs that it sees on our network. When this match is triggered, it makes a note of the AP that helped in this process, and this info will be displayed as the Helper AP [field: Overlay Rogue AP Classification]. Valid Wired MACs: Set a list of MAC addresses of wired devices in the network, typically gateways or servers. Rogue Containment: By default, rogue APs are only detected but are not automatically disabled. This option automatically shuts down rogue APs. When this option is enabled, clients attempting to associate to a rogue AP will be disconnected from the rogue AP through a denial of service attack. Allow Well Known MAC: Allow devices with known MAC addresses to classify rogue APs. Depending on your network, configure one or more of the following options for classifying rogue APs: hsrp: Routers configured for HSRP, a Cisco-proprietary redundancy protocol, with the HSRP MAC OUI 00:00:0c. iana: Routers using the IANA MAC OUI 00:00:5e. local-mac: Devices with locally administered MAC addresses (starting with 02). vmware: Devices with any of the following VMWare OUIs: 00:0c:29, 00:05:69, or 00:50:56. vmware1: Devices with VMWare OUI 00:0c:29. vmware2: Devices with VMWare OUI 00:05:69. vmware3: Devices with VMWare OUI 00:50:56. If you modify an existing configuration, the new configuration overrides the original configuration. Use this setting to treat suspected rogue
307. tandard across all of Dell PowerConnect W AirWave 7.4. AP Overrides allows you to change some parameters of any given AP without having to remove that AP from the configuration group in which it operates. The name of any AP Override that you create should be the same as the name of the AP device to which it applies. This establishes the basis of all linking to that AP device. Once you have created an AP Override, you select the WLANs in which it applies. Once you have created the AP Override, you can go one step further with the Exclude WLANs option of AP Override, which allows you to exclude certain SSIDs from the AP override. For example, if you have a set of WLANs with several SSIDs available, the Exclude WLANs option allows you to specify which SSIDs to exclude from the AP Override. You can also exclude mesh clusters from the AP Override. In summary, the AP Override feature prevents you from having to create a new AP group for customized APs that otherwise share parameters with other APs in a group. AP Override allows you to have fewer total AP groups than you might otherwise require. Changing Adaptive Radio Management (ARM) Settings. You can adjust ARM settings for the radios of a particular Dell PowerConnect W AP Group. To do so, refer to the following topics that describe ARM in relation to Dell PowerConnect W AP groups and device-level radio settings: Configuring Dell PowerConnect W AP Groups on page 28; Dell PowerConnect W
308. te the settings as described in Table 64. Table 64 Profiles > SSID > 802.11K Profile Settings. Field, Default, Description: General Settings. Folder (default Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Other Settings. Measurement Mode for Beacon Reports (default beacon-table): Select the Measurement Mode for Beacon Reports drop-down menu and specify one of the following measurement modes: active: Enables active beacon measurement mode. In this mode, the client sends a probe request to the broadcast destination address on all supported channels, sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons or probe responses with the requested SSID and BSSID into a measurement report. beacon-table: Enables beacon-table beacon measurement mode. In this mode, the client measures beacons and returns a report with stored beacon information for any supported channel with the requested SSID and BSSID. The client does not perform any additional measurements. passive: Enables passive beacon measurement mode. In this mode, the client sets a measurement duration timer and, at the end of the measurement duration, compiles all received be
309. tes to observe the changes on AMP. The changes should be observable within one or two minutes on the controller. Using General AirWave Device Groups and Folders. AirWave only allows any given AP to belong to one AirWave device group at a time. Supporting one AP in two or more AirWave device groups would create at least two possible issues, including the following: Data collection for such an AP device would have two or more sources and two or more related processes. A multi-group AP would be counted several times, and that would change the value calculations for AirWave graphs. As a result, some users may wish to evaluate how they deploy the group or folder for any given AP. NOTE: Dell PowerConnect W Series APs can also belong to Dell PowerConnect W AP Groups, but each AP is still limited to one general AirWave device group. You can organize and manage any group of APs by type and by location. Use groups and folders with either of the following two approaches: Organize AP device groups by device type and device folders by device location. In this setup, similar devices are in the same device group and operate from a similar configuration or template. Once this is established, create and maintain device folders by location. Organize AP device groups by location and device folders by type. In this setup, you can organize all devices according to location in the device groups, but for viewing you organize the device hierarchy by folde
310. that use several of these components, refer to earlier chapters in this document. For architectural information about AOS, refer to the Dell PowerConnect W Series ArubaOS User Guide at support.dell.com/manuals. NOTE: The default values of profile parameters or functions may differ slightly between AOS releases. Access all pages and field descriptions in this appendix from the Device Setup > Dell PowerConnect W Configuration page, using the navigation pane on the left-hand side. The one exception is the additional Groups > Dell PowerConnect W Config page that you access from the standard AirWave navigation menu. This appendix describes Dell PowerConnect W Configuration components with the following organization and topics: Dell PowerConnect W AP Groups; AP Overrides; WLANs; Profiles; Security; Local Config of SNMP Management; Advanced Services; Groups > Dell PowerConnect W Config Page and Section Information. Dell PowerConnect W AP Groups. Dell PowerConnect W AP Groups appear at the top of the navigation pane. This section describes the configuration pages and fields of Dell PowerConnect W AP Groups. Dell PowerConnect W AP Groups. The Dell PowerConnect W AP Groups page displays all configured Dell PowerConnect W AP Groups and enables you to add or edit Dell PowerConnect W AP Groups. For additional information about using this page, refer to General Dell PowerConnect W AP Groups Procedures and Guidelines on page 27. Del
311. the MAC item interfaces 0 7. 3. Select Add or Save. The added or edited profile appears on the Mobility Switch page and on the details page. Mac Aging Time in Minutes (1-44640): Specify the MAC aging time in minutes. Profiles > QoS. The following QoS profiles configure traffic management and VoIP functions: Traffic Management: Specifies the minimum percentage of available bandwidth to be allocated to a specific SSID when there is congestion on the wireless network, and sets the interval between bandwidth usage reports. Refer to Profiles > QoS > Traffic Management on page 104. VoIP Call Admission Control: Dell PowerConnect W's Voice Call Admission Control limits the number of active voice calls per AP by load balancing or ignoring excess call requests. This profile enables active load balancing and call admission controls, and sets limits for the numbers of simultaneous Session Initiated Protocol (SIP), SpectraLink Voice Priority (SVP), Cisco Skinny Client Control Protocol (SCCP), Vocera, or New Office Environment (NOE) calls that can be handled by a single radio. Refer to Profiles > QoS > VoIP Call Admission Control on page 105. WMM Traffic Management: Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless Quality of Service (QoS) standard. WMM works with 802.11a, b, g, and n physical layer standards. WMM supports four access categories (ACs): voice, video, best effort
312. the time period is daily, weekday, weekend, or day. Start Time: Specify the hour and minute that the time period is to begin. End Time: Specify the hour and minute that the time period is to end. Select Add to complete the Time Period profile, or click Save to complete the editing of an existing profile. Security > User Rules. The user role is a user derivation profile. User Rules can be derived from attributes from the client's association with an AP. For VoIP phones, you can configure the devices to be placed in their user role based on the SSID or the Organizational Unit Identifier (OUI) of the client's MAC address. Navigate to the Security > User Rules page in the navigation pane. This page displays user rules that are currently configured, the AAA profile that references these rules, and the folder. To add a new user rule, which is a derivation profile, click Add New User Derivation Profile. To edit an existing user rule, click the pencil icon next to an existing rule. Table 82 describes the contents of this page. Table 82 Security > User Rules > Add/Edit User Rules Fields and Descriptions. Field, Default, Description: General Settings. Folder (default Top): Set the folder with which the rule set is associated. The drop-down menu displays all folders available for association with the rule set. User Derivation Rules. Add New User Derivation Rule: Select this button to create a new rule. Additional fields appear that require
313. thin AP poll period. 4. On the APs/Devices > List page, you can specify the Group and Folder to which a device belongs. Click Modify Devices to change more than one device, or click the Wrench icon associated with any specific device to make changes. The APs/Devices > Manage page appears. In the Settings section of the APs/Devices > Manage page, select the new Dell PowerConnect W AP Group to assign to the device. Change or adjust any additional settings as desired. Click Save and Apply to retain these settings and to propagate them throughout AirWave, or click one of the alternate buttons as follows for an alternative change: Click Revert to cancel out of all changes on this page. Click Delete to remove this device from AirWave. Click Ignore to keep the device in AirWave but to ignore it. Click Import Settings to define device settings from previously created configurations. Click Replace Hardware to replace the AP device with a new AP device. Click Update Firmware to update the firmware that operates this device. Push this configuration change to the AP controller that is to support this AP device. For additional information, refer to Pushing Device Configurations to Controllers on page 29. Using AirWave to Deploy Dell PowerConnect W APs for the First Time. In addition to migrating Dell PowerConnec
314. ting this field to 0 users disables this function. When the number of users exceeds the low watermark, it triggers an alert [field: AP Load Balancing User Low Watermark, 0-100,000]. AP Load Balancing Util Low Watermark (0-100): Set the low watermark level as a percentage of load balancing utilization. The supported range is 0 to 100, and a value of 0 disables this function. When this watermark is exceeded, it triggers an alert or wait time. AP Load Balancing Util High Watermark (0-100): Set the high watermark level as a percentage of load balancing utilization. The supported range is 0 to 100, and a value of 0 disables this function. When this watermark is exceeded, it triggers an alert or wait time. AP Load Balancing Util Wait Time (0-360,000 sec): Set the wait time for the AP when AP load balancing is enabled. When load balancing thresholds are exceeded, this setting defines the length of time before AP load balancing restarts on the AP. The supported range is 0 to 360,000 seconds, and defining a value of 0 disables this function. Enable or disable the ability of APs to hand users over to another adjacent AP, as available, in order to optimize or improve general network load. Enable or disable an AP's ability to detect failures in wireless user associations. Enable or disable an AP's ability to detect areas where an otherwise good RF signal is not reaching wireless clients to an adequate level. Station Handoff Assist, Detect Associa
315. tion Failure, Coverage Hole Detection. NOTE: This setting requires a Wireless Intrusion Protection license. Table 57 Profiles > RF > Optimization Profile Settings (Continued). Field, Default, Description: Hole Good RSSI Threshold (0-65,535): Set the amount of time in seconds during which Received Signal Strength Indication (RSSI) is to check coverage holes. NOTE: This setting requires a Wireless Intrusion Protection license. Hole Good Station Ageout (sec): Set the amount of time in seconds that an AP is unseen by any probes before it is deleted from the database. Enter 0 to disable ageout. NOTE: This setting requires a Wireless Intrusion Protection license. Hole Detection Interval (sec): Sets the amount of time in seconds in which automatic hole detection should check for coverage holes. Enter 0 to disable this function. NOTE: This setting requires a Wireless Intrusion Protection license. Hole Idle Station Timeout (sec): Sets the amount of time in seconds before which an idle AP is deleted from the database once it has become idle. Enter 0 to disable this function. NOTE: This setting requires a Wireless Intrusion Protection license. Hole Poor RSSI Threshold (0-65,535). Detect Interference: Enables or disables interference detection for the APs to be configured with this optimization profile. Sets the threshold at which RS
316. tional information, refer to Pushing Device Configurations to Controllers on page 29. Once Dell PowerConnect W AP groups are defined, ensure that all desired WLANs are referenced in Dell PowerConnect W AP Groups, as required. Repeat the above procedure to revise WLANs as required. You can add or edit AP devices in Dell PowerConnect W AP Groups, and you can configure AP Override settings that allow for custom AP configuration within the larger group in which it operates. General WLAN Guidelines. The Dell PowerConnect W Configuration navigation pane displays custom-configured WLANs and Dell PowerConnect W AP Groups. You define or modify WLANs on the Dell PowerConnect W Configuration page. Click WLANs from the navigation pane. You can create or edit any profile in a WLAN as you define or modify that WLAN. If you digress to profile setup from a different page, AirWave returns you to the WLAN setup page once you are done with profile setup. All configurations must be pushed to Dell PowerConnect W controllers to become active on the network. General Profiles Guidelines. AOS elements can be added or edited after an AOS configuration file is imported to AirWave and pushed to controllers, with the steps described in Setting Up Initial Dell PowerConnect W Configuration on page 21. Profiles in Dell PowerConnect W configuration entail the following concepts or dynamics: Profiles define nearly all parameters for Dell PowerConnect W AP Groups a
317. to create a new HT SSID profile as required. For additional information about this profile type, refer to Profiles > SSID > HT SSID on page 131. Security Settings. Encryption (default opensystem): Select any encryption type to be supported in this SSID profile. The supported encryption types are as follows: xSec: Encrypts an original Layer 2 data frame inside a Layer 2 xSec frame, the contents of which are defined by the protocol. xSec relies on 256-bit Advanced Encryption Standard (AES) encryption. opensystem: No information sent to the client in plain text. static-wep: Static Wired Equivalent Privacy. dynamic-wep: Dynamic WEP with a key management service. wpa-tkip: Wi-Fi Protected Access with Temporal Key Integrity Protocol. wpa-aes: Wi-Fi Protected Access, Advanced Encryption Standard. wpa-psk-tkip: Wi-Fi Protected Access, Preshared Key, Temporal Key Integrity Protocol. wpa-psk-aes: Wi-Fi Protected Access, Preshared Key, Advanced Encryption Standard. wpa2-aes: Wi-Fi Protected Access that adds AES and CCMP. wpa2-psk-aes: Wi-Fi Protected Access that adds Preshared Key and Advanced Encryption Standard. wpa2-psk-tkip: Wi-Fi Protected Access that adds Preshared Key and Temporal Key Integrity Protocol. wpa2-tkip: Wi-Fi Protected Access that adds Temporal Key Integrity Protocol. Key Index 4. WPA Hexkey: Enter the hex key to be used with Wi-Fi Protected Access.
318. ton to create a new HT SSID profile, or click the pencil icon to edit an existing profile. Complete the settings as described in Table 63. Table 63 Profiles > SSID > HT SSID Profile Settings. Field, Description: General Settings. Folder: Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Other Settings. High Throughput Enable (SSID) (default Yes): Enable or disable high-throughput (802.11n) features on this SSID. This parameter is enabled by default. 40 MHz Channel Usage: Enable or disable the use of 40 MHz channels. This parameter is enabled by default. MPDU Aggregation: Enable or disable MAC protocol data unit (MPDU) aggregation. High-throughput mesh APs are able to send aggregated MAC protocol data units (MPDUs), which allow an AP to receive a single block acknowledgment instead of multiple ACK signals. This option, which is enabled by default, reduces network traffic overhead by effectively eliminating the need to initiate a new transfer for every MPDU. Max Transmitted A-MPDU Size (default 65535): Set the maximum size of a transmitted aggregate MPDU in bytes. Range: 1576-65535. Max Received A-MPDU Size (bytes) (default 65535): Set the maximum size of a received aggregate MPDU in bytes. Allowed values: 8191, 16383, 32767, 65535. Min MPDU Start Spacing (usec), Supported MCS Set. Set the minimum time between t
319. troller to monitor, manage, or configure the Dell PowerConnect W user-centric network can be authenticated with RADIUS, TACACS, or LDAP servers, or the internal database. Perform these steps to configure a Management Auth profile: 1. Select Profiles > AAA > Management Auth in the navigation pane. 2. Select the Add button to create a new Management Auth profile, or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 20. Table 20 Profiles > AAA > Management Auth Profile Settings. Field, Default, Description: General Settings. Folder (default Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Enter the name of the profile. Referenced Profiles. Server Group: Select the AAA authentication server group. Select the pencil icon to edit an existing server group, or click the add icon to create a new server group. Other Settings. Default Role (default root): The role to be associated with this authentication profile. guest-provisioning: Allows the user to create guest accounts. location-api-mgmt: Permits access to location API information. You can log in; however, you cannot use any commands. network-operations: Permits access to
320. trusted. Select the pencil icon next to this field to display the Profiles > AP > Wired page and adjust these settings as desired. Sets the duplex mode and speed of the AP's Ethernet link for Ethernet interface 0. The configurable speed is dependent on the port type, and you can define a separate Ethernet Interface profile for each Ethernet link. Select the pencil icon next to this field to display the Profiles > AP > Ethernet Link details page and adjust these settings as desired. Sets the duplex mode and speed of the AP's Ethernet link for Ethernet interface 1. The configurable speed is dependent on the port type, and you can define a separate Ethernet Interface profile for each Ethernet link. Select the pencil icon next to this field to display the Profiles > AP > Ethernet Link details page and adjust these settings as desired. Table 2 Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups Details, Settings and Default Values (Continued). Field, Default, Description: Too low AeroScout RTLS Server Port. Too low RTLS Server Port. Select the pencil icon next to this field to display the Profiles > AP > System details page and adjust these settings as desired. AP System Profile (default: default): Defines administrative options for the controller, including the IP addresses of the local, backup, and master controllers, Real-time Locating S
321. ttings. Folder (default Top): Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Other Settings and AP SNMP User Profiles. Stats Update Interval (60-36000 sec): Set the time interval in seconds for the AP to update the controller with statistics. NOTE: This setting takes effect only if the Dell PowerConnect W Mobility Manager is configured. Otherwise, statistics update to the controller is disabled. AP Max Unseen Timeout (5-36000 sec): Sets the time in seconds after which an AP is aged out. NOTE: This setting requires a minimum of AOS 6.0.0.0. AP Inactivity Timeout (5-36000 sec): Set the time in seconds after which an AP is aged out. STA Max Unseen Timeout (5-36000 sec): Sets the time in seconds after which a station is aged out. NOTE: This setting requires a minimum of AOS 6.0.0.0. STA Inactivity Timeout (30-36000 sec): Set the time in seconds after which a station is aged out. Min Potential AP Beacon Rate (0-100): Set the minimum beacon rate acceptable from a potential AP, in percentage of the advertised beacon interval. Min Potential AP Monitor Time (0-36000 sec): Set the minimum time in seconds a potential AP has to be up before it is classified as a real AP. Signature Quiet Time (60-360000 sec): Set the time to wait in seconds after which the check can be resumed when detecting a signature match. Wireless Containment Deauth only E
322. ttings (Continued). Field, Default, Description: User Name (default Blank): Actual name of the network user to be supported by this SNMP profile in Dell PowerConnect W Configuration. Authentication Profile: Select a protocol from the drop-down menu. Options are as follows: none: Uses no authentication type for the user being defined. md5: Sets the MD5 hashing algorithm for the user that hashes a cleartext password. sha: Sets the SHA hashing algorithm for the user that hashes a cleartext password. 3. Select Add or Save. The added or edited SNMP user appears on the SNMP User page. This user can now be referenced in SNMP profiles. For additional information about SNMP traps, refer to the Dell PowerConnect W Series ArubaOS MIB Guide at support.dell.com/manuals. Profiles > AP > System. Using DNS, the remote AP receives multiple IP addresses in response to a host name lookup. Known as the backup controller list, remote APs go through this list to associate with a controller. If the primary controller is unavailable or does not respond, the remote AP continues through the list until it finds an available controller. This provides redundancy and failover protection. If the remote AP loses connectivity on the IPSec tunnel to the controller, the remote AP establishes connectivity with a backup controller from the list and automatically reboots. Network connectivity is lost during this time. You can also configure a remote AP to revert back to the primar
323. type as certificate, you can select one of the following options: mschapv2-use-windows-credentials, use-smartcard, simple-certificate-selection, use-different-name, validate-server-certificate. Connect only to these servers. Inner EAP authentication options: mschapv2-use-windows-credentials: Automatically use the Windows logon name and password (and domain, if any). use-smartcard: Use a smart card. simple-certificate-selection: Use a certificate on the user's computer or use a simple certificate selection method (recommended). validate-server-certificate: Validate the server certificate. use-different-name: Use a different user name for the connection (and not the CN on the certificate). Inner EAP Type. Connect only to these servers. Other Settings. Automatically connect when this WLAN is in range: Select this option if you want WZC (Microsoft Windows Wireless Zero Config tool) to connect when this network (SSID) is available. Table 16 Profiles > AAA > VIA Client WLAN Profile Settings (Continued). Default, Description: Enable IEEE 802.1x authentication for this network: Select this option to enable 802.1x authentication for this network. Connect even if this WLAN is not broadcasting: Whether to connect even if this WLAN is not broadcasting. Authenticate as (default Yes): Select this option to authenticate as a computer when computer information is
324. uch requests and act on these requests by performing requested actions Such a server also compiles necessary reporting data and sends it back to requesting source The Security gt Server Groups gt Server page lists any XML API servers currently available for use by server groups From this page click Add to create a new XML API server or click the pencil icon next to an existing server to edit The Security gt Server Groups gt Add New XML API Server page contains the following fields as described in Table 77 Table 77 Security gt Server Groups gt Add New XML API Server Fields and Descriptions Field Default Description General Settings Folder Top Set the folder with which the server is associated The drop down menu displays all folders available for association with the server group Other Settings Key Confirm Key Set the shared secret to authenticate communication between the XML API client and server Select Add to complete the configuration of the XML API Server or click Save to complete the editing of an existing server The new server appears on the Security gt Server Groups gt XML API page This server is now available to be used by server groups Security gt Server Groups gt RFC 3576 RFC 3576 servers support dynamic authorization extensions to Remote Authentication Dial In User Service RADIUS Dell PowerConnect W Configuration supports RFC 3576 servers that can be referenced by server groups
325. ulatory domain Domain Channels 100 32768 Profiles > RF > 802.11a/g Radio > ARM Each 802.11a and 802.11g radio profile references an Adaptive Radio Management (ARM) profile. When you assign an active ARM profile to a mesh radio, ARM's automatic power assignment and channel assignment features will automatically select the radio channel with the least amount of interference for each mesh portal, maximizing end user performance. In earlier versions of this software, an AP with a mesh radio received its beacon period, transmission power and 11a/11g portal channel settings from its mesh radio profile. Mesh access AP portals now inherit these radio settings from their dot11a or dot11g radio profiles. Each ARM-enabled mesh portal monitors defined thresholds for interference, noise, errors, rogue APs and radar settings, then calculates interference and coverage values and selects the best channel for its radio band(s). The mesh portal communicates its channel selection to its mesh points via Channel Switch Announcements (CSAs), and the mesh points will change their channel to match their mesh portal. Although channel settings can still be defined for a mesh point via that mesh point's 802.11a and 802.11g radio profiles, these settings will be overridden by any channel changes from the mesh portal. A mesh point will take the same channel setting as its mesh portal regardless of its associated clients. If you want to manually assign channels to
326. um number of children a mesh node can accept and transmit rates for the 802.11a and 802.11g radios. Table 2 Dell PowerConnect W Configuration > Dell PowerConnect W AP Groups Details Settings and Default Values (Continued) Field Default Description Mesh Cluster Profiles Add New Mesh Cluster Profile: Select to display a new Mesh Cluster Profile section to this page. This section has two fields as follows: Mesh Cluster Profile: Drop-down menu displays all supported profiles. Select one from the menu. Priority (1-16): Type in the priority number for this profile. The priority may be any integer from 1 to 16 inclusive. Complete these fields, click the Add button, and the profile displays as an option in the Mesh Cluster Profile section, which may be selected for the AP Group to be added or edited. Select Add to complete the creation or click Save to complete the editing of the Dell PowerConnect W AP Group. This group now appears in the navigation pane of the Dell PowerConnect W Configuration page. AP Overrides The AP Overrides component of Dell PowerConnect W Series Configuration allows you to define device-specific settings for an AP device without having to remove that device from an existing Dell PowerConnect W AP Group or create a new Dell PowerConnect W AP Group specifically for that device. The AP Overrides page is for custom AP devices that ot
327. up 2 1024 bit Diffie Hellman prime modulus group Group 19 256 bit random Diffie Hellman ECP modulus group Group 20 384 bit random Diffie Hellman ECP modulus group NOTE EC 256 bit 19 and EC 384 bit 20 require an Advanced Cryptography license and a minimum version of 6 1 0 0 Lifetime Define the lifetime in seconds for the dynamic map when deployed in IPSEC profiles 300 86400 sec Transform Set 1 4 From the drop down menu select up to four transform sets in the sequence in which they should be referenced by the Dynamic Map You can add a new Transform Set by clicking the add icon or you can edit an existing Transform Set by clicking the pencil icon Refer to Advanced Services gt VPN Services gt IPSEC gt Dynamic Map gt Transform Set on page 168 Version JT Select 1 to configure the VPN for IKEv1 or 2 for IKEv2 Select Add to complete the creation of the Dynamic Map or click Save to retain changes to an existing Dynamic Map Advanced Services gt VPN Services gt IPSEC gt Dynamic Map gt Transform Set VPN Services may reference IPSEC profiles Transform sets define the encryption and hash algorithm to be used by a dynamic map in an IPSEC profile that supports VPN Services Navigate to Advanced Services gt VPN Services gt IPSEC gt Dynamic Map gt Transform Set from the navigation pane This page displays all currently configured Transform Sets and which Dynamic Maps reference them Sel
328. uses the next highest rate Mesh Private VLAN 0 4094 Enter a VLAN ID for control traffic between an remote mesh portal and mesh nodes This VLAN ID must not be used for user traffic Range 0 4094 Default 0 disabled BC MC Rate Yes Enable or disable scanning of all active stations currently associated to a mesh Optimization point to select the lowest transmission rate based on the slowest connected mesh child When enabled this setting dynamically adjusts the multicast rate to that of the slowest connected mesh child Multicast frames are not sent if there are no mesh children NOTE The default value is recommended 3 Select Add or Save The added or edited Radio profile appears on the Profiles gt Mesh gt Radio page Profiles gt Mesh gt Radio gt Mesh HT SSID The mesh high throughput SSID profile enables or disables high throughput 802 1 1n features for the SSID specified in the profile This parameter is enabled by default The mesh high throughput profile can have a maximum of 32 characters Perform these steps to configure a Mesh HT SSID profile l Select Profiles gt Mesh gt Radio gt Mesh HT SSID in the navigation pane The details page summarizes the current profiles of this type 2 Select the Add button to create a new Mesh HT SSID profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 43 Table 43 Mesh gt Radio gt Mesh HT SS
329. uster profile which provides the framework of the mesh network Similar to virtual AP profiles the mesh cluster profile contains the MSSID mesh cluster name authentication methods security credentials and cluster priority required for mesh nodes to associate with their neighbors and join the cluster Associated mesh nodes store this information in flash memory Although most mesh deployments will require only a single mesh cluster profile you can configure and apply multiple mesh cluster profiles to an AP group or an individual AP If you have multiple cluster profiles the mesh portal uses the profile with the highest priority to bring up the mesh network Mesh points in contrast go through the list of mesh cluster profiles in order of priority to decide which profile to use to associate themselves with the network The mesh cluster priority determines the order by which the mesh cluster profiles are used This allows you rather than the link metric algorithm to explicitly segment the network by defining multiple cluster profiles AirWave provides a default version of the mesh cluster profile You can use the default version or create a new instance of a profile which you can then edit as you need You can configure a maximum of 16 mesh cluster profiles on a mesh node Refer to Profiles gt QoS on page 104 Radio Dell PowerConnect W provides a default version of the mesh radio profile You can use the default ver
330. uth in the navigation pane. The details page summarizes the current profiles of this type. 2 Select the Add button to create a new Stateful NTLM Auth profile or click the pencil icon next to an existing profile to edit. Complete the settings as described in Table 21. Table 21 Profiles > AAA > Stateful NTLM Auth Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated. The drop-down menu displays all folders available for association with the profile. Other Settings Timeout Set the aging out or timeout period, which is the amount of time for which the user sends no traffic. The user's role remains authenticated unless this period of time is exceeded. Server Group default Select a server from the drop-down menu. You can edit servers with the Pencil icon or add additional servers with the Add icon. Default Role guest Select a user role to associate with the user from the drop-down menu. You can edit roles with the Pencil icon or add additional roles with the Add icon. Indicates whether this profile is enabled or disabled. A minimum of AOS 6.0.0.0 is required. 3 Select Add or Save. The added or edited profile appears on the Stateful NTLM Auth page and on the details pag
331. ve when the client performs an inter switch move silently does not send any data packet when in power save mode This behavior is commonly seen with various handheld devices Wi Fi phones etc This delays HA discovery and eventually resulting in loss of downstream traffic if any meant for the mobile client With HA discovery on association a controller can perform a HA discovery as soon as the client is associated By default this feature is disabled You can enable this on virtual APs with devices in power save mode and requiring mobility This option will also poll for all potential HAs Enable or disable DoS prevention functions as defined in virtual AP profiles Station Blacklisting Yes Enable or disable DoS prevention functions as defined in virtual AP profiles The blacklisting option can be used to prevent access to clients that are attempting to breach the security When a client is blacklisted in the Dell PowerConnect W system the client is not allowed to associate with any AP in the network for a specified amount of time If a client is connected to the network when it is blacklisted a de authentication message is sent to force the client to disconnect While blacklisted the client cannot associate with another SSID in the network HA Discovery on Association yf 92 N Blacklist Time 3600 If station blacklisting is enabled specify the time in seconds for which blacklisting is enabled When a client is blacklisted
332. 157; Advanced Services > IP Mobility 158; Advanced Services > IP Mobility > Mobility Domain 160; Advanced Services > VPN Services 161; Advanced Services > VPN Services > IKE 163; Advanced Services > VPN Services > IKE > IKE Policy 163; Advanced Services > VPN Services > L2TP 164; Advanced Services > VPN Services > PPTP 165; Advanced Services > VPN Services > IPSEC 166; Advanced Services > VPN Services > IPSEC > Dynamic Map 167; Advanced Services > VPN Services > IPSEC > Dynamic Map > Transform Set 168; Groups > Dell PowerConnect W Config Page and Section Information 169; MOOK REE abet opie sa eect aren NE 171. Dell PowerConnect W AirWave 7.4 Configuration Guide Preface Document Audience and Organization This configuration guide is intended for wireless network administrators and help
333. ver Guest user subhash status not set Create Figure 18 APs/Devices > Mismatched Page Illustration
334. Groups > Dell PowerConnect W Config When Global Configuration is Disabled If Use Global Dell PowerConnect W Configuration in AMP Setup > General is set to No, the Groups > Dell PowerConnect W Config page can be used to manage two or more distinctive configuration strategies using the same tree navigation as the Device Setup > Dell PowerConnect W Configuration page, as shown in Figure 4. Each of the sections is explained in Dell PowerConnect W Configuration Sections in the Tree View on page 13. Figure 4 Groups > Dell PowerConnect W Config with Group Level Configurat
335. within an aggregate MPDU in Spacing usec microseconds The allowed values are 0 No restriction on MDPU start spacing 25 usec 5 usec 1 usec 2 usec 4 usec 8 usec and 16 usec High Throughput Enable Yes Enable or disable high throughput 802 11n features on this SSID This parameter is SSID enabled by default Supported MCS Set Set a list of Modulation Coding Scheme MCS values or ranges of values to be supported on this SSID The MCS you choose determines the channel width 20MHz vs 40MHz and the number of spatial streams used by the mesh node The default value is 1 15 the complete set of supported values To specify a smaller range of values enter a hyphen between the lower and upper values To specify a series of different values separate each value with a comma Enter a list or range of numbers The overall supported range is from 0 15 The following are two potential examples of supported ranges 2 10 1 3 6 9 12 Short Guard Intervalin Yes Enable or disable use of short 400ns guard interval in 40 MHz mode A guard interval is a 40 MHz Mode period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again An AP identifies any signal content received inside this interval as unwanted inter symbol interference and rejects that data The 802 11n standard specifies two guard intervals 400ns short and 800ns long Enabling a sho
336. xisting IKE profile. Refer to Advanced Services > VPN Services > IKE on page 163. PPTP Profile Select a PPTP profile from the drop-down menu. Select the add icon to add a new profile of this type or click the pencil icon to edit an existing PPTP profile. Refer to Advanced Services > VPN Services > L2TP on page 164. L2TP Profile Select an L2TP profile from the drop-down menu. Select the add icon to add a new profile of this type or click the pencil icon to edit an existing L2TP profile. Refer to Advanced Services > VPN Services > L2TP on page 164. IPSEC Profile Select an IPSEC profile from the drop-down menu. Select the add icon to add a new profile of this type or click the pencil icon to edit an existing IPSEC profile. Refer to Advanced Services > VPN Services > IPSEC on page 166. Select Add to create the VPN Services profile or click Save to change an existing profile. The new VPN Service profile appears on the VPN Services page. Advanced Services > VPN Services > IKE Navigate to Advanced Services > VPN Services > IKE from the navigation pane. This page displays all Internet Key Exchange (IKE) profiles currently available for VPN Services. IKE is a part of the IPSEC protocol suite, supporting security for VPNs with a shared session secret that produces security keys. K NO
337. xt highest rate All transmission rates are selected and used by default If you do not select 802 11a or 802 119 transmit rates all rates are selected by default when you click Apply 802 11a Basic 6 12 and 24 Specify the basic rates for the 802 11a radio Rates selected ee fh Specify the maximum number of transmit attempts The supported range is 1 to 15 Attempts RTS Threshold 2333 Specify the Request to Send parameter that defines the packet size sent by mesh nodes bytes Mesh nodes transmitting frames larger than this threshold must issue request to send RTS and wait for other mesh nodes to respond with clear to send CTS to begin transmission This helps prevent mid air collisions A smaller value causes more RTS packets to be sent more often possibly impacting bandwidth However a smaller value may help the system recover more quickly from interference or data packet collisions Specify the size in bytes Short Preamble Yes Instructs the AP to use short preambles in packets Short preambles are often standard in AP configuration Max Define the maximum associations to be supported by devices configured with this SSID Associations profile The range is from 0 to 255 Wireless Specify whether the devices are to support wireless multimedia WMM voice video best Multimedia effort BE or background WMM Wireless Yes Enable or disable unscheduled automatic power save delivery U ASPD allows the saving of Multim
338. y Define whether clients in the WLAN and VLAN should have mobility or roaming privileges 46 Configuration Reference Dell PowerConnect W AirWave 7 4 Configuration Guide Table 7 WLANs gt Advanced Page Fields Continued Field Default Description Remote AP Operation Standard Define the rights for remote APs in this WLAN Options are as follows standard persistent backup always Remote APs connect to a controller using Layer 2 Tunneling Protocol and Internet Protocol Security L2TP IPSec AP control and 802 11 data traffic are carried through this tunnel Secure Remote Access Point Service extends the corporate office to the remote site Remote users can use the same features as corporate office users Secure Remote Access Point Service can also be used to secure control traffic between an AP and the controller in a corporate environment In this case both the AP and controller are in the company s private address space Specify whether the WLAN should drop broadcast and multicast mesh network advertising on the WLAN Specify whether ARP table information should be distributed in broadcast default or unicast fashion If enabled this setting disables traffic between all untrusted users You can configure user role policies that prevent Layer 3 traffic between users or networks but this does not block Layer 2 traffic Requires a minimum version of 6 1 0 0 Drop Broadcast and Multicast Convert Broadcast ARP Requests
339. y controller when it becomes available To complete this scenario you must also configure the LMS IP address and the backup LMS IP address Perform these steps to configure a System profile l Select Profiles gt AP gt System in the navigation pane This page summarizes the current profiles of this type 2 Select the Add button to create a new System profile or click the pencil icon next to an existing profile to edit Complete the settings as described in Table 29 Table 29 Profiles gt AP gt System Profile Settings Field Default Description General Settings Folder Top Set the folder with which the profile is associated The drop down menu displays all folders available for association with the profile Name Enter the name of the profile Other Settings 76 Configuration Reference Dell PowerConnect W AirWave 7 4 Configuration Guide Table 29 Profiles gt AP gt System Profile Settings Continued Field LMS IP LMS IPv6 Backup LMS IP Backup LMS IPv6 LMS Preemption Default Description In multi controller networks this parameter specifies the IP address of the local management switch LMS the Dell PowerConnect W Series controller which is responsible for terminating user traffic from the APs and processing and forwarding the traffic to the wired network This can be the IP address of the local or master controller When using redundant controllers as the LMS set this parameter to be the V
340. you enable IP mobility in a mobility domain the proxy mobile IP module determines the home agent for a roaming client Select Add to create the home agent Select Add to create the new IP Mobility Domain or click Save to save changes to a recon figured IP Mobility Domain The domain is now available for use in IP Mobility profiles Advanced Services gt VPN Services For wireless networks virtual private network VPN connections can be used to further secure the wireless data from attackers The Dell PowerConnect W controller can be used as a VPN concentrator that terminates all VPN connections from both wired and wireless clients You can configure the controller for the following types of VPNs Dell PowerConnect W AirWave 7 4 Configuration Guide Configuration Reference 161 Remote access VPNs allow hosts such as telecommuters or traveling employees to connect to private networks such as a corporate network over the Internet Each host must run VPN client software that encapsulates and encrypts traffic and sends it to a VPN gateway at the destination network The controller supports the following remote access VPN protocols Layer 2 Tunneling Protocol over IPSec L2TP IPSec Point to Point Tunneling Protocol PPTP Site to site VPNs allow networks such as a branch office network to connect to other networks such as a corporate network Unlike a remote access VPN hosts in a site to site VPN do not run VPN client software A
341. ype click the add icon To edit an existing profile select that profile then click the pencil icon For additional information about configuring IDS Unauthorized Device Profiles refer to Profiles gt IDS gt General on page 84 IDS Impersonation default Select the IDS Impersonation Profile from the drop down menu The drop down menu lists Profile all such profiles that are currently configured and available To create a new profile of this type click the add icon To edit an existing profile select that profile then click the pencil icon For additional information about configuring IDS Impersonation Profiles refer to Profiles gt IDS gt Impersonation on page 90 IDS DoS Profile default Select the IDS Impersonation Profile from the drop down menu The drop down menu lists all such profiles that are currently configured and available To create a new profile of this type click the add icon To edit an existing profile select that profile then click the pencil icon For additional information about configuring IDS Impersonation Profiles refer to Profiles gt IDS gt Denial of Service on page 86 4 Select the profile type to view or configure Denial of Service Configures traffic anomaly settings for Denial of Service DoS attacks Refer to Profiles gt IDS gt Denial of Service on page 86 Rate Thresholds Defines thresholds assigned to the different frame types for rate anomaly checking
342. ypically requires them to enter a username and password before accessing the network For additional information about this profile type refer to Profiles gt AAA gt Captive Portal Auth on page 57 Authenticated User For the captive portal authentication profile you specify the previously created Role authguest user role as the default user role for authenticated captive portal clients and the authentication server group Internal Refer to Security gt User Roles on page 135 Select Add to create the WLAN or click Save to finish reconfiguring an existing WLAN The WLAN appears on the WLANs page in the navigation pane 44 Configuration Reference Dell PowerConnect W AirWave 7 4 Configuration Guide The alternate way to create or edit WLANs is from the Advanced page Refer to WLANs gt Advanced on page 45 WLANs gt Advanced From the Dell PowerConnect W Configuration gt WLANs page click Add to create a new WLAN or click the pencil icon to edit an existing WLAN then click Advanced The Advanced page allows you to configure many more sophisticated settings when creating or editing WLANs Table 7 describes the fields for this page Table 7 WLANs gt Advanced Page Fields Field Default Description General Settings Folder Top Displays the folder with which the WLAN is associated The drop down menu displays all folders available for association with the WLAN Name Blank Name of the WLA
343. ystems RTLS server values and the number of consecutive missed heartbeats on a GRE tunnel before an AP reboots traps This field is a drop down menu with the following options Non integer RTLS Server Station Message Frequency Too high RTLS Server Port Regulatory Domain default Defines an AP s country code and valid channels for both legacy and high throughput Profile 802 11a and 802 11b g radios Select the pencil icon next to this field to display the Profiles gt AP gt Regulatory Domain page and adjust these settings as desired SNMP Profile default Selects the SNMP profile to associate with this AP group The drop down menu lists all SNMP profiles currently enabled in AirWave Select the pencil icon next to this field to display the Profiles gt AP gt SNMP page and adjust these settings as desired VoIP Call Admission default Dell PowerConnect W s Voice Call Admission Control limits the number of active voice calls Control Profile per AP by load balancing or ignoring excess call requests This profile enables active load balancing and call admission controls and sets limits for the numbers of simultaneous Session Initiated Protocol SIP SpectraLink Voice Priority SVP Cisco Skinny Client Control Protocol SCCP Vocera or New Office Environment NOE calls that can be handled by a single radio Select the pencil icon next to this field to display the Profiles gt AP gt Regulatory Domain page and adjust these settings