Aruba Instant User Guide - Airheads Community
Contents
1. Assigning a Profile to the Ethernet Port 196
Uplink Configuration 197
Uplink Configuration Overview 197
Ethernet Uplink 197
Types of Modems 198
Uplink Switching based on VPN Status 202
Uplink Preferences 203
AirWave Integration and Management 205
Image Management 205
IAP and Client Monitoring 205
Template-based Configuration 205
Trending Reports 206
Intrusion Detection System 206
Wireless Intrusion Detection System (WIDS) Event Reporting to AirWave 206
RF Visualization Support for Aruba Instant 206
Creating your Organization String 207
About Shared Key 207
Entering the Organization String and AMP Information into the IAP 208
AirWave Discovery through DHCP Option 208
Standard DHCP option 60 and 43 on Windows Server 2008 208
Alternate Method for Defining Vendor Specific DHC
2. [Screenshot: packet capture of a RADIUS packet, shown as a hex dump, illustrating the vendor-specific attribute used for user VLAN derivation]
Instant 6.1.3.4-3.1.0.0 User Guide, User VLAN Derivation, page 155
Figure 122 Configure VSA on a RADIUS Server [Screenshot: Windows Server Manager, network policy properties dialog with Overview, Conditions and Settings tabs]
3. Maintenance > Certificates
[Screenshot: Maintenance window with tabs About, Configuration, Certificates, Firmware, Reboot and Convert. The Current Server Certificate pane shows Version 3, Serial Number 02, Issuer C=US ST=CA L=Sunnyvale O=Aruba CN=Aruba Certificate Authority, Subject C=US ST=CA L=Sunnyvale O=Aruba CN=TEST_INSTANT, Issued On 2011-09-28 23:44:27, Expires On 2021-09-25 23:44:27, Signed Using SHA1. The New Certificate pane has the fields Certificate file to upload (Browse), Certificate type (CA certificate), Certificate format (PEM), Passphrase and Retype Passphrase.]
Select the Certificate type (CA certificate or Server certificate) from the drop-down list. The CA certificate is required to validate the client's certificate, and the server certificate verifies the server's identity to the client. Select the certificate format from the Certificate format drop-down list. If you have selected the Server certificate type, enter a passphrase in Passphrase and reconfirm it. The default password is "whatever". Click Browse and select the
4. Aruba Instant Access Point 6.1.3.4-3.1.0.0 User Guide
Copyright © 2012 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow., RFProtect and Green Island. All rights reserved. All other trademarks are the property of their respective owners.
Open Source Code: Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg et al. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source
Legal Notice: The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.
Warranty: This hard
5. You select Network assigned. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Default: The client gets the IP address in the same subnet as the IAPs.
- Static: Select to specify a VLAN for all clients on this network.
- Dynamic: Select to create rules for per-user VLAN assignment. See VLAN Derivation Rule on page 156 for more information.
6. Click Next to continue.
7. Set the appropriate security level using the slider in the Security tab. The default level is Personal. The available options are Enterprise, Personal and Open, which are described in the following tables.
Figure 38 Employee Security Tab, Enterprise [Screenshot: New WLAN window, Security tab, with the Security Level slider set to Enterprise; Key management WPA-2 Enterprise; Termination Disabled; Authentication server 1 InternalServer; Reauth interval; Blacklisting Disabled; Internal server: No users (Users link), No certificate (Upload certificate link)]
Table 6 Conditions for Adding an Employee Network, Security Tab
You select the Enterprise security level. Perform the following steps:
1. Select the required key options from the Key management drop-down list. Available options are:
- WPA-2 Enterprise
- WPA Enterprise
- Both (WPA-2
6. Background spectrum monitoring: When background spectrum monitoring is enabled, the APs in access mode continue to provide normal access service to clients while performing the additional function of monitoring RF interference, from both neighbouring APs and non-Wi-Fi sources such as microwaves and cordless phones, on the channel on which they are currently serving clients.
Standalone spectrum band: For background spectrum monitoring on the 5 GHz band, it is necessary to specify which portion of the channel to monitor: upper, middle or lower.
Reboot the IAP after configuring the radio profile settings in order for the changes to take effect.
Chapter 20 Intrusion Detection System
Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized IAPs and clients. It also logs information about the unauthorized IAPs and clients and generates reports based on the logged information.
Rogue AP Detection and Classification
The most important IDS functionality offered in the Aruba Instant network is the ability to detect rogue APs, interfering APs and other devices that can potentially disrupt network operations. An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network. An AP is considered to be an interfering
7. [Screenshot: DHCP option definition dialog with Description ArubaInstantAP, and the IPv4 scope tree with Address Pool entries]
4. Navigate to Server Manager and select Server Options in the IPv4 window. This sets the value globally. Use options on a per-scope basis to override the global options.
5. Right-click on Server Options and select the configuration options.
Figure 165 Instant and DHCP options for AirWave, Server Options [Screenshot: Server Manager showing Roles > Active Directory Domain Services and DHCP Server > rde-server.rde.arubanetworks.com > IPv4, with a list of scopes each containing Address Pool, Address Leases, Reservations and Scope Options, and the Server Options node]
8. [Screenshot: IDS detected access points table, one row per detected AP, with columns MAC address, Network (SSID), Classification (Interfering or Rogue), Channel, Type (B, G, GN 20 MHz, AN 40 MHz) and time last seen]
9. [Screenshot: remaining radio profile fields: Channel switch announcement count 10, Channel reuse type Disabled, Channel reuse threshold (dB), Background spectrum monitoring, Standalone spectrum band Middle, Hide advanced options, OK, Cancel]
Spectrum Data
The spectrum data is collected by each IAP spectrum monitor and hybrid AP. The spectrum data is not reported to the VC. The Spectrum link is visible in the Instant WebUI Access Point view only if you have enabled the spectrum monitoring feature. You can view the following spectrum data in the Instant WebUI:
- Overview: Device list
- Channel metrics
- Channel details
Overview: Device List
The device list consists of a device summary table and channel information for active non-Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio. To view the device list, click Spectrum in the dashboard.
Figure 91 Device List [Screenshot: Spectrum Overview for AP 00:24:6c:c8:ad:e2 with 2.4 GHz and 5 GHz Interfering Devices panels. The Non-Wi-Fi Device List (5 GHz upper) is empty. The Non-Wi-Fi Device List (2 GHz) has the columns Type, ID, CFreq (KHz), Bandwidth (KHz), Channels affected, Signal (dBm), Duty cycle, Add time and Update time, with one entry:]
Type: Cordless Network (FH); ID: 1; CFreq: 2444000 KHz; Bandwidth: 80000 KHz; Channels affected: 1 2 3 4 5 6 7 8 9 10 11 12 13 14; Signal: -75 dBm; Duty cycle: 5; Add time: 2000-01-01 00:05:27; Update time: 2000-01-01 00:27:45
Table 15 shows the details
10. [Screenshot: Virtual Controller settings, General tab: TFTP Dump Server 0.0.0.0, NTP server, Extended SSID Disabled, Timezone International Date Line, Deny inter user bridging Disabled, Preferred band, Deny inter user routing Disabled; DHCP Server section with Domain name, DNS Server(s), Lease time (minutes), Network and Mask; Hide advanced options, OK, Cancel]
2. Enter a name for the Virtual Controller in the Name text box.
3. Enter the appropriate IP address in the Virtual Controller IP text box.
Configuring the DHCP Server
The DHCP Server is the built-in server used for networks which have Client IP Assignment set to Virtual Controller Assigned. The default size of the IP address pool has been increased to 512. You can customize the DHCP pool's subnet and address range if you need to provide simultaneous access to more clients. The largest address pool supported is 2048.
To configure the domain name, DNS server and lease time for the DHCP server network and mask, perform the following steps:
1. At the top right corner of the Instant UI, click the Settings link.
2. In the Settings window, select the General tab.
3. Enter the domain name of the client in the Domain name text box.
4. Enter the IP addresses of the DNS servers, separated by commas, in the DNS server text box.
5. Enter the duration of the DHCP lease in the Lease time text box. Select Minutes, Hours or Days
11. The Client view has three tabs: Networks, Access Points and Clients. The following sections in the Instant UI provide information about the selected client:
- Info
- RF Dashboard
- RF Trends
- Usage Trends
Figure 191 Client View [Screenshot: Networks, Access Points and Clients tabs; the Info section for the selected client (name, IP address, MAC address, OS, network, access point, channel, type, role); the RF Dashboard (client signal and speed; access point utilization, noise and errors); and RF Trends graphs for signal (dB), speed (mbps) and frames (fps)]
12. To activate the context-sensitive help:
1. At the top right corner of the Instant UI, click the Help link.
Figure 20 Help Link [Screenshot: "For Help, click any text in green italics" with a Done button]
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.
Logout: Use this link to log out of the Instant UI.
Monitoring: This link displays the Monitoring pane. This pane can be used to monitor the Aruba Instant network. Use the down arrow located to the right side of these links to compress or expand the monitoring pane. The monitoring pane consists of the following sections:
- Info
- RF Dashboard
- Usage Trends
Figure 21 Monitoring on Instant UI [Screenshot: Monitoring pane with Info (IP assignment Default, VLAN, Access Unrestricted, Security level Personal), RF Dashboard (Signal, Speed; Access Points Utilization, Noise, Errors; Clients) and Usage Trends (Clients, Throughput bps)]
Info: Displays the configuration information of the Virtual Controller by default. In a Network View, this section displays the configuration information of the selected network. Similarly, in an Instant Access Point View or Client View, this section displays the configuration information of the selected IAP or client.
Figure 22 Info Section in
13. [Screenshot: AirWave APs/Devices page listing the discovered IAPs, with an Alert Summary]
Chapter 26 Monitoring
Monitor the Aruba Instant network, IAPs, Wi-Fi networks and clients in the network using one or all of the following views:
- Virtual Controller View
- Network View
- Instant Access Point View
- Client View
This chapter provides information about the parameters that can be monitored using these views. It also provides procedures to monitor these parameters.
Virtual Controller View
The Virtual Controller view is the default view. This view allows you to monitor the Aruba Instant network. The following Instant UI elements are available in this view:
- Tabs: Contains three tabs: Networks, Access Points and Clients. For detailed information about the tabs, see Chapter 3, Instant User Interface.
- Links: Contains three links: Monitoring, Client Alerts and IDS. The Spectrum link is visible if you have configured the IAP as a spectrum monitor. These links allow you to monitor the Aruba Instant network. For detailed information about the sections in these links and how they can be used to monitor the network, see Monitoring Link, IDS Link, Client Alerts Link
14. Channel: A 2.4 GHz or 5 GHz radio channel.
Quality: Current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands, as determined by the percentage of packet retries, the current noise floor, and the duty cycle for non-Wi-Fi devices on that channel.
Availability: The percentage of the channel currently available for use.
Utilization: The percentage of the channel being used.
WiFi Util: The percentage of the channel currently being used by Wi-Fi devices.
Interference Util: The percentage of the channel currently being used by non-Wi-Fi interference.
Wi-Fi ACI: Adjacent Channel Interference.
Channel Details
When you hover your mouse over a channel, the channel details, that is, the summary of the 802.11a or 802.11g channels seen by a spectrum monitor, are displayed. You can view the aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference, and the signal-to-noise-and-interference ratio (SNIR). SNIR is the ratio of signal strength to the combined levels of interference and noise on that channel. Spectrum monitors display spectrum data seen on all channels in the selected band, and hybrid APs display data from the one channel they are monitoring.
Figure 94 Channel Details [Screenshot: Spectrum view for AP 00:24:6c:c8:ec:7f monitoring channel 9, showing the Quality overview]
15. It also provides detailed capacity reports with which you can plan the capacity and appropriate strategies for your organization.
Intrusion Detection System
AirWave provides advanced rules-based rogue classification. It automatically detects rogue APs irrespective of their location in the network and prevents authorized IAPs from being detected as rogue IAPs. It tracks and correlates the IDS events to provide a complete picture of network security.
Wireless Intrusion Detection System (WIDS) Event Reporting to AirWave
AirWave supports Wireless Intrusion Detection System (WIDS) Event Reporting, which is provided by Aruba Instant. This includes WIDS classification integration with the RAPIDS (Rogue Access Point Detection Software) module. RAPIDS is a powerful and easy-to-use tool for automatic detection of unauthorized wireless devices. It supports multiple methods of rogue detection and uses authorized wireless APs to report other devices within range. The WIDS report cites the number of IDS events for the devices that have experienced the most instances in the prior 24 hours, and provides links to support additional analysis or configuration in response.
RF Visualization Support for Aruba Instant
AirWave supports RF visualization for Aruba Instant. The VisualRF module provides a real-time picture of the actual radio environment of your wireless network and the ability to plan the wireless coverage of new
16. [Screenshot: remaining access rule options: Log, Classify media, DSCP tag, Blacklist, Disable scanning, 802.1p priority, OK, Cancel]
Chapter 17 Content Filtering
The Content Filtering feature allows you to create internet access policies that allow or deny user access to websites based on website categories and security ratings. This feature is useful to:
- Prevent known malware hosts from accessing your wireless network
- Improve employee productivity by limiting access to certain websites
- Reduce bandwidth consumption significantly
Content Filtering is configured per SSID, and up to four domain names can be configured manually. When enabled, all DNS requests to non-corporate domains on this wireless network are sent to the OpenDNS server. Regardless of whether content filtering is disabled or enabled, instant.arubanetworks.com is always resolved internally on Instant.
Enabling Content Filtering
To enable content filtering per SSID:
1. Click New in the Networks tab and then click Show advanced options.
2. Select Enabled from the Content Filtering drop-down list and click Next to continue.
When Content Filtering is enabled, the internal domains are checked against the DNS requests of the clients. There are two ways to configure the internal domain:
1. Navigate to Settings > General > click Show advanced options > DHCP Server > Domain name to configure a domain name for a Virtual C
17. [Screenshot: remaining captive portal fields: Port 80, Blacklisting, Redirect URL, Max auth failures 0, Encryption Disabled, Back, Next, Cancel]
Figure 107 External Captive Portal when Adding a Guest Network, External Authentication Text [Screenshot: New WLAN, Security tab, Splash page type External Authentication Text; External splash page: IP or hostname localhost, URL, Auth text, Redirect URL; Reauth interval 0 min, Blacklisting Disabled, Encryption Disabled; Back, Next, Cancel]
6. Authentication server 1: Select New and update the fields for the external RADIUS server to authenticate user credentials at runtime. Refer to Configuring an External RADIUS Server on page 125 for more details on server settings.
7. Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
8. Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
9. Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10. Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.
10. Walled garden: Click on the link to op
18. [Screenshot: Edit Access Point, Radio tab: Uplink; Mode Access; 2.4 GHz band: Adaptive radio management assigned / Administrator assigned; 5 GHz band: Adaptive radio management assigned / Administrator assigned; OK, Cancel]
5. Click OK.
For more information about ARM, see Adaptive Radio Management on page 173.
Configuring Uplink Management VLAN
Instant supports a management VLAN for the uplink traffic on an IAP. After an IAP is provisioned with this parameter, all management traffic sent from the IAP is tagged with the management VLAN. Perform the following steps to configure an uplink management VLAN on an IAP:
1. In the Access Points tab, click the IAP.
2. Click the edit link. An Edit AP window appears.
3. In the Edit AP window, select the Uplink tab.
4. Specify the VLAN in the Uplink Management VLAN field.
5. Click OK.
This configuration requires an IAP reboot to take effect.
Configuring Wired Bridging on Ethernet 0
Instant supports wired bridging on the Ethernet 0 port of an Instant AP. Perform the following steps to enable wired bridging on the Ethernet 0 port:
1. In the Access Points tab, click the IAP.
2. Click the edit link. An Edit AP window appears.
3. In the Edit AP window, select the Uplink tab.
4. Select Enable from the Eth0 Bridging drop-down box.
Figure 67 Configuring Wired Bridging on Ethernet 0 of an IAP [Screenshot: Edit Access Point d8:c7:c8:c4:01:78]
19. 1. Navigate to RF, which is at the top right corner of the Instant WebUI.
2. Click Show advanced options to view the Radio tab.
3. Refer to the table below to configure the radio settings for the 2.4 GHz and 5 GHz bands.
Table 25 Radio Profile Configuration Parameters
Parameters: Legacy only; 802.11d/802.11h; Beacon interval; Interference immunity level; Channel switch announcement count; Channel reuse type; Channel reuse threshold.
Legacy only: Enable to run the radio in non-802.11n mode. This is disabled by default.
802.11d/802.11h: Enable the radio to advertise its 802.11d Country Information and 802.11h Transmit Power Control capabilities. This is disabled by default.
Beacon interval: Enter the beacon period (60 ms to 500 ms) for the IAP in msec. This indicates how often the 802.11 beacon management frames are transmitted by the access point. The default value is 100 msec.
Interference immunity level: Select to increase the immunity level to improve performance in high-interference environments. The default immunity level is 2. NOTE: Increasing the immunity level makes the AP slightly deaf to its surroundings, causing the AP to lose a small amount of range.
- Level 0: No ANI adaptation.
- Level 1: Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
- Level 2: Nois
20. Enter a passphrase in the Passphrase text box and reconfirm it.
4. Select the required option from the MAC authentication drop-down list. Available options are Enabled and Disabled. When Enabled, the user must configure at least one RADIUS server as the authentication server. See MAC Authentication on page 141 for further details.
5. Authentication server 1: Select the required Authentication server option from the drop-down list. Available options are:
- New: If you select this option, an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Chapter 12, Authentication.
6. Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
7. Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
8. Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.
9. Internal server: If you select this option, the users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see Adding a User on page 251.
NOTE: Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blackli
21. Figure 169 Vendor Specific DHCP options [Screenshot: Server Manager with Active Directory Users and Computers and DHCP Server > rde-server > IPv4 scopes; the vendor-specific option value is shown as a hex/ASCII byte string containing the text ArubaInstant]
Upon completion, the IAP shows up as a new device in AirWave, and a new group called tme-store4 is created. Navigate to APs/Devices > New > Group to view this group.
Figure 170 AirWave New Group
22. Airtime Fairness Mode 174
Configuring Administrator Assigned Radio Settings for IAP 176
Intrusion Detection 181
Wireless Intrusion Protection Detection 182
Wireless Intrusion Protection Protection 184
Containment Methods 185
Creating Community Strings for SNMPv1 and SNMPv2c 188
Ethernet Profile Configuration Wired Tab 193
Ethernet Profile Configuration VLAN Tab 194
Ethernet Profile Configuration Security Tab 194
Ethernet Profile Configuration Access Tab 195
Access Rule PAN
23. Instant firewall now supports ALG (Application Layer Gateway) functions such as the SIP, Vocera, Alcatel NOE and Cisco Skinny protocols. To enable or disable the protocols for ALG in Aruba Instant, perform the following steps:
1. Select PEF from the top right of the Instant UI.
2. Select the PEF Settings tab.
3. Select Enabled from the corresponding drop-down list to enable the SIP, Vocera, Alcatel NOE and Cisco Skinny protocols.
Figure 205 Enabling ALG Protocols [Screenshot: Policy Enforcement Firewall (PEF) window with tabs Authentication Servers, Users for Internal Server, Roles, Blacklisting and PEF Settings; Application Layer Gateway (ALG) Algorithms: SIP Enabled, Vocera, Alcatel NOE Enabled, Cisco Skinny Enabled; OK, Cancel]
4. Click OK.
When the protocols for ALG are Disabled, the changes do not take effect until the existing user sessions expire. Reboot the IAP and the client, or wait for a few minutes, to ensure the changes take effect.
Firewall-based Logging
Instant firewall now supports a firewall-based logging function. The firewall logs on the Instant APs are generated as syslog messages.
Chapter 29 VPN Configuration
The IAP supports termination of a VPN tunnel on the Aruba controller. VPN features are ideal for:
- enterprises with many branches that
24. [Screenshot: remaining RADIUS server fields: NAS identifier; OK, Cancel]
6. Click OK after updating the fields.
Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10. Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.
For Internal users: Click Users to populate the system's internal authentication server with users. For information about adding a user, see Adding a User on page 251.
10. Click Next to continue and then click Finish.
Enabling Instant RADIUS
To enable Instant RADIUS:
1. Click Settings at the top right corner of the Instant UI.
2. Select Enabled from the Dynamic RADIUS Proxy drop-down list. When enabled, the Virtual Controller network uses the IP address of the Virtual Controller for communication with external RADIUS servers. You must set the Virtual Controller IP address as a NAS client in the RADIUS server if Dynamic RADIUS Proxy is enabled.
Figure 99 Enabling Instant RADIUS [Screenshot: Settings window, General and Admin tabs, Name field] Ins
25. Network View

All Wi-Fi networks in the Aruba Instant network are listed in the Networks tab. Click the network that you want to monitor; the Network View for the selected network appears. Similar to the Virtual Controller view, the Network view also has three tabs: Networks, Access Points, and Clients.

The following sections in the Instant UI provide information about the selected network:
• Info
• Usage Trends

Figure 175 Network View (screenshot: 3 Networks, 1 Access Point, 0 Clients on Guest; Monitoring, Alerts, IDS, and Configuration links; Info, RF Dashboard, and Usage Trends sections for the Guest network showing Type Guest, IP assignment Guest, Access Unrestricted, Security level Open, the note that the internal server has no Guest users, and Status Not Set Up)

The Info section displays the following information about the selected network:

Name: Name of the network.
Band: Band in which the network is broadcast: 2.4 GHz band, 5.4 GHz band, or both.
Type: Network type: Employee, Guest, or Voice.
IP Assignment: Source of IP address for the client.
Access: The level of access control for this network.
Security level: The type of user authentication and data encry
26. The user can create GRE tunnels from all of the APs instead of creating tunnels only from the AP that is acting as the Virtual Controller. The traffic going to the corporate network is sent via an L2 GRE tunnel from the AP itself and does not have to be forwarded through the Virtual Controller. By default, the Per-AP tunnel option is disabled.

4. Enter the IP address or fully qualified domain name for the main VPN/GRE endpoint in the Primary host field.
5. Enter the IP address or fully qualified domain name for the backup VPN endpoint in the Backup host field. This entry is optional.
6. Select Enabled from the Preemption drop-down list to switch back to the primary host when and if it becomes available again. This step is optional.
7. Click Next to continue.

Routing Profile Configuration

Instant can terminate a single VPN connection on an Aruba Mobility Controller. The Routing profile defines the corporate subnets which need to be tunneled through the IPSec tunnel.

Figure 207 Tunneling - Routing (screenshot of the Tunneling window, Routing tab: a Routing Table with 0 routes and Destination, Netmask, and Gateway columns)

Use the Routing Table to specify policy-based routing into the VPN tunnel. Each routing table entry has a destination, network mask, and default gateway.

8. Click New and update the following parameters:
Destination: Specify the desti
28. (Screenshot of the Settings window, General tab, with advanced options shown: Virtual Controller IP, Dynamic RADIUS proxy, MAS integration, NTP server, Timezone, Preferred band, Extended SSID, DHCP Server, Domain name, DNS Server(s), Lease time, Network, Mask, Auto join mode, Terminal access, LED display, TFTP Dump Server, Deny inter user bridging, and Deny inter user routing fields)

Deny Inter User Bridging and Deny Local Routing

To enable or disable these features, navigate to Settings > General in the Instant UI.

• Deny inter user bridging: This feature allows you to deny traffic between two clients which are directly connected to the same IAP or are on the same Instant network.
• Deny local routing: This feature allows you to deny local routing traffic between clients which are connected to the same IAP or are on the same Instant network.

Figure 58 Deny Inter User Bridging and Deny Inter User Routing (screenshot of the Settings window with the General, Admin, RTLS, SNMP, OpenDNS, Uplink, Enterprise Domains, Walled Garden, Syslog, and L3 Mobility tabs; the General tab shows Name Instant-C4:01:78, Auto join mode Enabled, and the Virtual Controller settings)
29. Table 45 Country Codes List (Continued)

Code  Country
AR    Argentina
AU    Australia
AT    Austria
BO    Bolivia
CL    Chile
GR    Greece
(code illegible in source)  Iceland
(code illegible in source)  India
(code illegible in source)  Ireland
KW    Kuwait
LI    Liechtenstein
LT    Lithuania
MX    Mexico
MA    Morocco
NZ    New Zealand
PL    Poland
PR    Puerto Rico
SK    Slovak Republic
SI    Slovenia
TH    Thailand
UY    Uruguay
PA    Panama
RU    Russia
EG    Egypt
(code illegible in source)  Trinidad and Tobago
TR    Turkey
CR    Costa Rica
EC    Ecuador
HN    Honduras
KE    Kenya
UA    Ukraine
VN    Vietnam
BG    Bulgaria
CY    Cyprus
EE    Estonia
MU    Mauritius
RO    Romania
CS    Serbia and Montenegro
ID    Indonesia
PE    Peru
VE    Venezuela
JM    Jamaica
BH    Bahrain
OM    Oman
JO    Jordan
BM    Bermuda
CO    Colombia
DO    Dominican Republic
GT    Guatemala
PH    Philippines
LK    Sri Lanka
SV    El Salvador
TN    Tunisia
PK    Islamic Republic of Pakistan
QA    Qatar
DZ    Algeria
30. Table 13 AP Platforms and Minimal AOS Version for IAP to CAP Conversion (Continued)

IAP Platform  AOS Version
IAP-104       6.1.4 or later
IAP-105       6.1.4 or later
IAP-134       6.1.4 or later
IAP-135       6.1.4 or later
IAP-175AC     6.1.4 or later
IAP-175P      6.1.4 or later
RAP-3WN       6.1.4 or later
RAP-3WNP      6.1.4 or later

Table 14 AP Platforms and Minimal AOS Version for IAP to RAP Conversion

IAP Platform  AOS Version
IAP-92        6.1.4 or later
IAP-93        6.1.4 or later
IAP-104       6.1.4 or later
IAP-105       6.1.4 or later
IAP-134       6.1.4 or later
IAP-135       6.1.4 or later
IAP-175AC     6.1.4 or later
IAP-175P      6.1.4 or later
RAP-3WN       6.1.4 or later
RAP-3WNP      6.1.4 or later

To convert an IAP to RAP, follow the instructions below:

1. Navigate to the Maintenance tab in the top right corner of the Instant UI.
2. Click the Convert tab.

Figure 68 Maintenance - Convert Tab (screenshot of the Maintenance window with the About, Configuration, Certificates, Firmware, Reboot, and Convert tabs: "Convert one or more Access Points to" drop-down, "Hostname or IP Address of Mobility Controller" field, and the note that after conversion all Access Points will be managed by the Controller specified above)

Figure 69 Convert options (screenshot of the Convert tab with the drop-down set to "Remote APs managed by a Mobility Controller")
31. Figure 78 New Version Available (screenshot of the Maintenance window, Firmware tab: Current Version 6.1.3.4-3.1.0.0_34868; Manual: Image file or Image URL; Image file for new version; Close)

After you confirm, the AP downloads the new software image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:

• Upgrading: While image upgrading is in progress.
• Upgrade successful: When the upgrading is successful.
• Upgrade fail: When the upgrading fails.

Upgrading to New Version

To manually check for a new firmware image version (Manual):

1. Navigate to Maintenance > Firmware to select and manually upgrade the image file.

Figure 79 Single-class or Multi-class IAP Networks Firmware Upgrade (screenshot of the Firmware tab: Current Version 6.1.3.4-3.1.0.0_34884; Manual: Image file or Image URL, with Browse; Automatic: Check for New Version; Close)

Figure 80 Mixed IAP Network Firmware Upgrade (screenshot of the Firmware tab: Current Version 6.1.3.4-3.1.0.0_34889; Manual: URL for AP134/135 and URL for AP23/92/93/104/105/175; Automatic: Check for New Versi
32. ...43 to give the DHCP clients information about certain services such as PXE. In such an environment it is not possible to use the standard DHCP options 60 and 43 for Aruba APs.

This method describes how to set up a DHCP server to send option 43 with AirWave information to the Aruba Instant IAP. This section assumes that option 43 is sent per scope, because option 60 is being shared by other devices as well. This scope should be specific to Instant, and the PXE devices that use options 60 and 43 should not connect to the subnet defined by this scope.

NOTE: This is because you can specify only one option 43 for a scope, and if other devices that use option 43 connect to this subnet, they are presented with Instant-specific information.

1. In Server 2008, navigate to Server Manager > Roles > DHCP Server > Domain DHCP Server (rde-server.rde.arubanetworks.com) > IPv4.
2. Select a scope (subnet). Scope 10.169.145.0 (145) is selected in the example shown in the figure below.
3. Right-click and select Advanced, and then specify the following options:
   • Vendor class: DHCP Standard Options
   • User class: Default User Class
   • Available options: Select 043 Vendor Specific Info
   • String Value: ArubaInstantAP,tme-store4,10.169.240.8,aruba123 (which is the AP description, organization string, AirWave IP address, and pre-shared key for AirWave)
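As an added example (not Aruba's or AirWave's code) of the option 60 / option 43 handoff these steps describe, the Python below encodes the guide's string value into DHCP option TLVs and parses it back, accepting option 43 only when option 60 identifies the scope as ArubaInstantAP, which is the check that keeps a shared PXE scope from feeding an AP bogus AirWave settings. The AirWaveInfo class and function names are assumptions made here, and all sample values are constructed.

```python
"""Build and parse the DHCP option 60 / option 43 pair that hands AirWave
settings to an Aruba Instant AP, as described in the steps above.

Added example, not Aruba's or AirWave's code. The comma-separated option 43
layout (AP description, organization string, AirWave IP, pre-shared key) and
the ArubaInstantAP vendor class come from the guide; every value below is
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

OPT_VENDOR_CLASS = 60   # option 60, vendor class identifier
OPT_VENDOR_INFO = 43    # option 43, vendor specific information
OPT_PAD, OPT_END = 0, 255
VENDOR_CLASS = b"ArubaInstantAP"   # the class the guide uses for Instant APs


@dataclass(frozen=True)
class AirWaveInfo:
    ap_description: str
    org_string: str
    airwave_ip: str
    psk: str

    def option43_string(self) -> str:
        """Serialise in the guide's order; commas are the separator, so
        they must not appear inside a field."""
        fields = (self.ap_description, self.org_string, self.airwave_ip, self.psk)
        if any(not f or "," in f for f in fields):
            raise ValueError("fields must be non-empty and contain no commas")
        ipaddress.IPv4Address(self.airwave_ip)   # raises on a malformed address
        return ",".join(fields)


def encode_options(info: AirWaveInfo) -> bytes:
    """Emit option 60 and option 43 as code/length/value TLVs, the way they
    sit in the options field of a DHCP offer. Option 43 carries the raw
    string, matching the 'String Value' entry in the server UI."""
    out = bytearray()
    for code, value in ((OPT_VENDOR_CLASS, VENDOR_CLASS),
                        (OPT_VENDOR_INFO, info.option43_string().encode("ascii"))):
        if len(value) > 255:
            raise ValueError(f"option {code} payload exceeds one-octet length")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Walk the options field, honouring the single-byte pad and end markers."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def airwave_info_from_options(opts: Dict[int, bytes]) -> Optional[AirWaveInfo]:
    """Accept option 43 only when option 60 marks the scope as Instant's.
    A PXE scope that shares option 43 yields None instead of bogus settings."""
    if opts.get(OPT_VENDOR_CLASS) != VENDOR_CLASS or OPT_VENDOR_INFO not in opts:
        return None
    try:
        parts = opts[OPT_VENDOR_INFO].decode("ascii").split(",")
    except UnicodeDecodeError:
        return None
    if len(parts) != 4 or not all(parts):
        return None
    ap_desc, org, ip, psk = parts
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return AirWaveInfo(ap_desc, org, ip, psk)


if __name__ == "__main__":
    # Constructed sample mirroring the guide's string value.
    sample = AirWaveInfo("ArubaInstantAP", "tme-store4", "10.169.240.8", "aruba123")
    wire = encode_options(sample)
    print(wire.hex())
    print(airwave_info_from_options(parse_options(wire)))
```

Note that the AirWave pre-shared key travels in clear text inside the DHCP offer, which is one reason the guide insists the scope be dedicated to Instant APs.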
33. ...AP if it is seen in the RF environment but is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat since it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.

Navigate to IDS in the Instant UI and click the IDS link. The built-in IDS scans for access points that are not controlled by this Virtual Controller. These are listed below and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your network.

Figure 139 Intrusion Detection (screenshot of the IDS page for Instant-C4:01:78 showing the Foreign Access Points Detected and Foreign Clients Detected tables with MAC Address, Network, Classification, Chan, Type, Last Seen, and Where columns; every listed access point is classified as Interfering)
34. ...Add and click OK. The users are listed in the Users list.

Editing User Settings

To edit user settings:

1. At the top right corner of the Instant UI, click the Users link. The Users window appears.
2. In the Users section, select the username for which you want to edit the settings and click Edit. The user's details appear on the right side.
3. Edit as required and click OK.

Deleting a User

To delete a user:

1. At the top right corner of the Instant UI, click the Users link. The Users window appears.
2. In the Users section, select the username that you want to delete and click Delete. To delete all users or multiple users at a time, select the usernames that you want to delete and click Delete All.

NOTE: Deleting a user only removes the user record from the user database and won't disconnect the online user associated with this username.

Chapter 31 Regulatory Domain

The IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n operate in the 5.0 GHz spectrum. These spectrums are divided into channels. The 2.4 GHz spectrum is divided into 14 overlapping, staggered 20 MHz wireless carrier channels. These channels are spaced 5 MHz apart. The 5 GHz spectrum is divided into more channels. The channels that can be used in a particular country differ based on the regulations of that
35. 1. Click New in the DHCP Server window and select Local to configure the following parameters for the NAT mode DHCP pool:

• Name: Name of the subnet (must be unique).
• Type: Indicates the type of DHCP server. Available options are Local, Distributed L3, Distributed L2, and Centralized L2. Local implies that this is a NAT mode DHCP subnet.
• VLAN: VLAN ID of the subnet. This needs to be referenced in the SSID configuration to make use of this subnet.
• Network: Network to be used for this subnet.
• Netmask: Net mask of the subnet. This, along with Network, determines the size of the subnet.
• DNS server: An optional field which defines the DNS server.
• Domain name: An optional field which defines the domain name.
• Lease time: An optional field which defines the lease time for clients.

Figure 209 NAT DHCP Configuration (screenshot of the Tunneling window, DHCP Server tab, Edit DHCP Scope dialog: Name nat, Type Local, VLAN 20, Network 172.16.20.0, Netmask 255.255.255.0, DNS server 10.1.1.50, Domain name arubanetworks.com, Lease time 720 min)

2. Click OK to apply these changes.

Distributed L2 DHCP Configuration

In Distributed L2 mode, the Virtual Controller acts as the DHCP server, but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.

1. Click New in the DHCP Server window and select Distributed L2 to configure the followi
36. ...Configuration link sections. For detailed information about spectrum monitoring, see Spectrum Monitor on page 111.

Figure 172 Virtual Controller View (screenshot of the Instant-C4:01:78 main page with the Networks, Access Points, and Clients tabs and the Monitoring, Info, RF Dashboard, and Usage Trends links; Info shows Country code IN, Virtual Controller IP 0.0.0.0, Band All, Master 10.17.115.1, OpenDNS status Not connected, MAS integration Enabled, Uplink type Ethernet, Uplink status Up; Usage Trends shows Clients and Throughput (bps) graphs)

Monitoring Link

This link is selected by default and the following sections are displayed. These sections provide information about the Virtual Controller and allow you to monitor the network:

• Info
• RF Dashboard
• Usage Trends

Info

The Info section displays the following information about the Virtual Controller:

Name: Displays the Virtual Controller name.
Country Code: Displays the Country i
37. • Domain name: An optional field which defines the domain name.
• Lease time: An optional field which defines the lease time for clients.

2. Click OK to apply these changes.

Figure 211 Distributed L3 DHCP Configuration (screenshot of the Tunneling window, DHCP Server tab, Edit DHCP Scope dialog: Name, Type Distributed L3, VLAN, Network, Netmask, Client count, DNS server, Domain name arubanetworks.com, Lease time in minutes)

Centralized L2 DHCP Configuration

In Centralized L2 mode, both the DHCP server and default gateway are in the data center on the other side of the VPN tunnel.

1. Click New in the DHCP Server window and select Centralized L2 to configure the following parameters for the Distributed L3 mode DHCP pool:

• Name: Name of the subnet (must be unique).
• Type: Indicates the type of DHCP server. Available options are Local, Distributed L3, Distributed L2, and Centralized L2. Centralized L2 implies that this is a Centralized mode L2 DHCP subnet.
• VLAN: VLAN ID of the subnet. This needs to be referenced in the SSID configuration to make use of this subnet.
• DHCP Relay (DHCP Relay Agent and Option 82): Select to enable or disable these features. When a DHCP server is configured with a DHCP Relay agent, the client's broadcast DHCP Discover packet is not sent to the corporate network; instead, the Virtual Controll
38. ...Employee (this is selected by default) from the Primary usage options. This selection determines whether the network is primarily intended to be used for employee data, guest data, or voice traffic.

3. Click the Show advanced options link and perform the following steps:

a. Broadcast/Multicast

• Broadcast filtering: When set to All, the IAP drops all broadcast and multicast frames except for DHCP and ARP. When set to ARP, in addition to the above, the IAP converts ARP requests to unicast and sends frames directly to the associated client. When Disabled, all broadcast and multicast traffic is forwarded.
• DTIM interval: Indicates the DTIM (delivery traffic indication message) period in beacons. You can configure this option for every WLAN SSID profile. The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You may choose to configure a larger DTIM value for power saving.
• Multicast transmission optimization: When Enabled, the IAP chooses the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. The default values are 1 Mbps for the 2.4 GHz band and 6 Mbps for the 5.0 GHz band. Multicast traffic can be sent at up to 24 Mbps when this option is enabled. This option is disabled by default.
• Dynamic multicast optimization: When Enabled, the IAP converts multicast streams into unicast streams over the wireless link. DMO enha
39. (Screenshot of the Settings window with the Enterprise Domains, Walled Garden, Syslog, and L3 Mobility tabs; the General tab shows Name Instant-C4:01:78, Auto join mode Enabled, Virtual Controller IP 0.0.0.0, Terminal access Disabled, Dynamic RADIUS proxy Disabled, LED display Enabled, MAS integration Enabled, NTP server, Extended SSID, Timezone International Date Line, Deny inter user bridging Disabled, Preferred band All, Deny inter user routing Disabled, DHCP Server, Domain name, DNS Server(s), Lease time in minutes, Network, and Mask, with OK and Cancel buttons)

Chapter 5 Mesh Network

The Aruba Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. As traffic traverses across mesh IAPs, the mesh network automatically reconfigures around broken or blocked paths. This self-healing feature provides increased reliability and redundancy: the network continues to operate if an IAP stops functioning or a connection fails. This chapter describes the Aruba Instant secure enterprise mesh architecture.

Mesh Instant Access Points

An Aruba Instant mesh network requires at least one valid uplink (wired or 3G) connecti
40. (Diagram residue: Hierarchical Slave APs)

Chapter 23 Ethernet Downlink

Ethernet Downlink Overview

The Ethernet downlink ports allow third-party devices such as VoIP phones or printers, which support only wired connections, to connect to the wireless network. Additionally, an Access Control List (ACL) can be configured for added security on the Ethernet downlink. This release of Instant supports only the OpenAuth mechanism.

Ethernet Downlink Profile Parameters

To create a new Ethernet downlink profile:

1. Click on the Wired link on the top right corner of the Instant UI.
2. Click on the New button below the Wired Networks window and enter the following information in the Wired tab.

Table 31 Ethernet Downlink Profile Parameters - Wired Tab

Feature        Description
Name           Name of the Ethernet downlink profile.
Primary Usage  • Employee: Employee access
               • Guest: Guest access
Speed/Duplex   Only experienced network administrators should change the speed and duplex parameters manually.
POE            When enabled, the system passes electric power along with the data on the Ethernet cable.
               NOTE: The Power Sourcing Equipment (PSE) functionality is available only for the Ethernet port 2 on RAP-3WNP.
Admin Status   Displays the status of the admin.

The following figure displa
41. ...If messages sent on behalf of this user can be encrypted/decrypted with DES, the private (privacy) key for use with the privacy protocol.

Follow the steps below to create community strings for SNMPv1 and SNMPv2:

1. In the Settings tab, click the SNMP tab.
2. Click New in the Community Strings for SNMPv1 and SNMPv2 box.
3. Enter the string in the New Community String text box.
4. Click OK.

To delete a community string, select the string and click Delete.

Figure 143 Creating Community Strings for SNMPv1 and SNMPv2 (screenshot of the Settings window, SNMP tab: Community Strings for SNMPv1 and SNMPv2 with a New Community String field and OK and Cancel buttons; Users for SNMPv3 with a Privacy Protocol column; SNMP Traps with SNMP Engine ID and SNMP Trap Receivers listing IP Address, Version, Community/Username, Port, and Inform)

Follow the procedure below to create, edit, and delete users for SNMPv3:

1. In the Settings tab, click the SNMP tab.
2. Click New in the Users for SNMPv3 box.
3. Enter the name of the user in the Name text box.
4. Select the type of authentication protocol from the Auth protocol drop-down list.
5. Enter the authentication password in the Password text box and retype the password in the Retype text box.
6. Select the type of privacy protocol from the Privacy protocol drop-down list.
7. Enter the pr
42. ...LDAP server on the Virtual Controller and configure user IDs and passwords. If you are using a RADIUS server for user authentication, you need to configure the RADIUS server on the Virtual Controller.

Configuring an External RADIUS Server

To configure an external RADIUS server for a wireless network:

1. Click New in the Networks tab and select the appropriate Primary usage.
2. Click Next to continue.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN.
4. Click Next to continue.
5. In the Security tab, slide the bar to Enterprise and update the following fields:
   a. Key Management: Select the type of key for encryption and authentication.
   b. Termination: Select Enabled to terminate the EAP portion of 802.1X authentication on the access point instead of the RADIUS server.
   c. Authentication server 1: Select New from the drop-down list to authenticate user credentials for the RADIUS server at run time, and update the following fields:
      • RADIUS Server Name: Enter the name of the new external RADIUS server.
      • IP address: Enter the IP address of the external RADIUS server.
      • Auth port: Enter the authorization port number of the external RADIUS server. The port number is set to 1812 by default.
      • Accounting port: Enter the accounting port number. This port is used to send accounting records to the RADIUS server. The port number is set to 1813
43. ...Click Finish to configure the new network profile.

8. To edit an Ethernet downlink profile, select the configured Ethernet downlink profile and click the Edit button below the Wired Networks window.
9. To delete an Ethernet downlink profile, select the configured Ethernet downlink profile and click the Delete button below the Wired Networks window.

Assigning a Profile to the Ethernet Port

You can assign the configured profiles to the Ethernet ports under the Network Assignments window.

To assign an Ethernet downlink profile to the Ethernet 0 port:

1. Enable wired bridging on the port. See Configuring Wired Bridging on Ethernet 0 on page 94.
2. Select and assign a profile from the 0/0 drop-down list.

NOTE: Wired bridging must be enabled on the Ethernet 0 (0/0) port before you can assign an Ethernet downlink profile.

To assign an Ethernet downlink profile to the Ethernet 1 port, select the profile from the 0/1 drop-down list. To assign an Ethernet downlink profile to the Ethernet 2 port, select the profile from the 0/2 drop-down list.

Figure 152 Assigning a Profile to the Ethernet Ports (screenshot of the Network assignments window: 0/0 default_wired_port_profile (Wired), 0/1, 0/2 default_wired_port_profile (Wired), Wired Users, with OK and Cancel buttons)

Chapter 24 Uplink Configuration

Uplink Configuration Ove
44. Detection Level: High
Detection Policy:
• Detect AP Impersonation
• Detect Adhoc Networks
• Detect Valid SSID Misuse
• Detect Wireless Bridge
• Detect 802.11 40MHz intolerance settings
• Detect Active 802.11n Greenfield Mode
• Detect AP Flood Attack
• Detect Client Flood Attack
• Detect Bad WEP
• Detect CTS Rate Anomaly
• Detect RTS Rate Anomaly
• Detect Invalid Address Combination
• Detect Malformed Frame - HT IE
• Detect Malformed Frame - Association Request
• Detect Malformed Frame - Auth
• Detect Overflow IE
• Detect Overflow EAPOL Key
• Detect Beacon Wrong Channel
• Detect devices with invalid MAC OUI

The following table describes the detection policies that are enabled in the Client Detection Custom settings field.

Table 27 Client Detection Policies

Detection Level  Detection Policy
Off              All detection policies are disabled.
Low              • Detect Valid Station Misassociation
Medium           • Detect Disconnect Station Attack
                 • Detect Omerta Attack
                 • Detect FATA-Jack Attack
                 • Detect Block ACK DOS
                 • Detect Hotspotter Attack
                 • Detect unencrypted Valid Client
                 • Detect Power Save DOS Attack
High             • Detect EAP Rate Anomaly
                 • Detect Rate Anomaly
                 • Detect Chop Chop Attack
                 • Detect TKIP Replay Attack
                 • IDS Signature: Air Jack
                 • IDS Signature: ASLEAP

Three levels of detection can be configured in the WIP Protection page: Off, Low, and High, as shown in Figure 141.

Figure 141 Wireless Intrusion Protection - Prot
45. Network: Displays the name of the network to which the foreign client is connected.
Classification: Displays the classification of the foreign client (Interfering client).
Channel: Displays the channel in which the foreign client is operating.
Type: Displays the Wi-Fi type of the foreign client.
Last seen: Displays the time when the foreign client was last detected in the network.
Where: Provides information about the IAP that detected the foreign client. Click the pushpin icon to view the information.

For more information on the intrusion detection feature, see Chapter 20, Intrusion Detection System.

Figure 33 Intrusion Detection on Instant UI (screenshot of the IDS page for Instant-C4:01:78 showing the Foreign Access Points Detected and Foreign Clients Detected tables with MAC Address, Network, Classification, Chan, Type, Last Seen, and Where columns; every listed access point is classified as Interfering)
46. ...Network to Mobility Controller Managed Network

Changing IAP Name

To change the IAP name:

1. In the Access Points tab, click on the IAP that you want to rename.

Figure 62 Editing IAP Settings (screenshot of the Access Points tab listing one access point, Instant Access Point, with its client count and an edit link)

2. Click the edit link.

Figure 63 Changing IAP Name (screenshot of the Edit Access Point d8:c7:c8:c4:01:78 dialog with the General, Radio, and Uplink tabs: Name, IP address for Access Point with the Get IP address from DHCP server and Specify statically options, OK and Cancel)

3. Edit the IAP name in the Name text box.
4. Click OK.

Changing IP Address of the IAP

The Instant UI allows you to change the IP address of the IAP connected to the network.

To change the IP address of the IAP:

1. In the Access Points tab, click the IAP for which you want to change the IP address. The edit link appears.
2. Click the edit link. The Edit AP window appears.

Figure 64 Configuring IAP Settings - Connectivity Tab (screenshot of the Edit Access Point d8:c7:c8:c4:01:78 dialog, General tab: Name d8:c7:c8:c4:01:78, IP address for Access Point set to Specify statically, IP address 10.17.115.1, Netmask 255.255.255.0, Default gateway 10.17.115.254, DNS server 10.13.6.110, Domain name arubanetworks.com, OK and Cancel)

3. Select either the Get IP address from DHCP server or Specify statically option. If you ha
47. (Screenshot residue from the New Network wizard: Network-based, Unrestricted, Less Control, Back, Finish, Cancel)

11. Click Finish. The network is added and listed in the Networks tab.

Voice Network

Use the Voice network type when you want devices that provide only voice services (like handsets) or only applications that require voice (like prioritization) to have connectivity.

Adding a Voice Network

This section provides the procedure to add a voice network.

1. In the Networks tab, click the New link. The New Network window appears.

Figure 42 Adding a Voice Network - Basic Info Tab (screenshot of the New WLAN window, WLAN Settings tab: Name (SSID); Primary usage Employee, Voice, or Guest; Broadcast/Multicast: Broadcast filtering Disabled, DTIM interval 1 beacon, Multicast transmission optimization Disabled, Dynamic multicast optimization Disabled, DMO channel utilization threshold; Bandwidth Limits: Airtime, Each user, Each radio; Transmit Rates: 2.4GHz Min 1 Max 54, 5GHz Min 6 Max 54; Miscellaneous: Content filtering Disabled, Band, Inactivity timeout 1000 secs, Hide SSID; Next and Cancel)

2. In the WLAN Settings tab, perform the following steps:
   a. Name (SSID): Enter a name that uniquely identifies a wireless network.
   b. Primary usage: Select
50.
ISP   Internet Service Provider
Instant WebUI   Instant User Interface
LEAP   Lightweight Extensible Authentication Protocol
MX   Mail Exchanger
MAC   Media Access Control
NAS   Network Access Server
NAT   Network Address Translation
NS   Name Server
Table 46 List of abbreviations (Continued)
Abbreviation   Expansion
NTP   Network Time Protocol
PEAP   Protected Extensible Authentication Protocol
PEM   Privacy Enhanced Mail
PoE   Power over Ethernet
RADIUS   Remote Authentication Dial In User Service
VC   Virtual Controller
VSA   Vendor Specific Attributes
WLAN   Wireless Local Area Network
51.
To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the In and Out frames. To see the exact utilization percent at a particular time, hover the cursor over the graph line.

Client View
In the Virtual Controller view, all clients in the Aruba Instant network are listed in the Clients tab. Click the IP address of the client that you want to monitor. The Client view for that client appears.

To monitor the rate of management frames in and out of the radio for the last 15 minutes:
1. Log in to the Instant WebUI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the name link of the IAP for which you want to monitor the noise floor. The IAP view appears.
3. Study the 2.4 GHz Mgmt Frames graph. For example, the graph shows that 3 management frames went out of the radio at 13:50 hours.

To monitor the errors for the IAP for the last 15 minutes:
1. Log in to the Instant WebUI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the name link of the IAP for which you want to monitor the errors. The IAP view appears.
3. Study the Errors graph. For example, the graph shows that the errors for the IAP at 13:32 hours are 22 frames per second.
NOTE: You can also click the rectangle icon under the Errors column in the RF Dashboard pane to see the Errors graph for the selected IAP.
52.
Chapter 21
Aruba Instant supports SNMPv1, SNMPv2c, and SNMPv3 for reporting purposes only. An IAP cannot use SNMP to set values in an Aruba system.

SNMP Parameters for IAP
You can configure the following parameters for IAP.
Table 30 SNMP Parameters for IAP
Field   Description
Community Strings for SNMPv1 and SNMPv2   An SNMP Community string is a text string that acts as a password and is used to authenticate messages sent between the Virtual Controller and the SNMP agent.
If you are using SNMPv3 to obtain values from the Aruba Instant, you can configure the following parameters:
Name   A string representing the name of the user.
Authentication Protocol   An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol used. This can take one of two values:
  MD5: HMAC-MD5-96 Digest Authentication Protocol
  SHA: HMAC-SHA-96 Digest Authentication Protocol
Authentication protocol password   If messages sent on behalf of this user can be authenticated, the private authentication key for use with the authentication protocol. This is a string password for MD5 or SHA, depending on the choice above.
Privacy protocol   An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol which is used. This takes the value DES (CBC-DES Symmetric Encryption).
Privacy protocol password
53.
Wi-Fi devices and 802.11 adjacent channel interference (ACI). This chart shows the channel availability (the percentage of each channel that is available for use) or the current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands. While spectrum monitors can display data for all channels in their selected band, hybrid APs display data for their one monitored channel only.
To view this graph, click 2.4 GHz in the Spectrum section of the dashboard.
Figure 92 Channel Metrics for the 2.4 GHz Radio Channel [bar chart "2.4 GHz Channel Utilization and Quality" with series Available, WiFi, Quality, Interference; not reproduced]
To view this graph, click 5 GHz in the Spectrum section of the dashboard.
Figure 93 Channel Metrics for the 5 GHz Radio Channel [bar chart "5 GHz Channel Utilization and Quality" for channels 100 to 140 with the same series; not reproduced]
Table 17 shows the information displayed in the channel metrics graph.
Table 17 Channel Metrics
54.
[screenshot residue: controller WebUI, Security > Authentication, VPN Authentication Profile "default iap" with Default Role iaprole, Max Authentication failures 0, Check certificate common name against AAA server, Server Group default; not reproduced]

Appendix B Abbreviations
The following table lists the abbreviations used in this user guide.
Table 46 List of abbreviations
Abbreviation   Expansion
ARM   Adaptive Radio Management
ARP   Address Resolution Protocol
BSS   Basic Server Set
BSSID   Basic Server Set Identifier
CA   Certification Authority
CLI   Command Line Interface
DHCP   Dynamic Host Configuration Protocol
DMZ   Demilitarized Zone
DNS   Domain Name System
EAP-TLS   Extensible Authentication Protocol - Transport Layer Security
EAP-TTLS   Extensible Authentication Protocol - Tunneled Transport Layer Security
IAP   Instant Access Point
IDS   Intrusion Detection System
IEEE   Institute of Electrical and Electronics Engineers
ISP   Internet
55.
& WPA, Dynamic WEP with 802.1X.
Use Session Key for LEAP: Use the Session Key for LEAP instead of the Session Key from the RADIUS Server to derive pair-wise unicast keys. This is required for old printers that use dynamic WEP via LEAP authentication. This is Disabled by default.
For more information on encryption and recommended encryption types, see Chapter 13, Encryption.
2. Termination: Enable this option to terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server. For more information, see External RADIUS Server on page 124.
3. Authentication server 1: Select the required Authentication server option from the drop-down list. Available options are:
  New: If you select this option, an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Chapter 12, Authentication.
  InternalServer: If you select this option, users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see Adding a User on page 251.
4. Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
5. Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
6. Max auth
56.
authentication is performed using passwords.
EAP-PEAP MSCHAPv2: Protected Extensible Authentication Protocol (PEAP) is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. The PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted and stored in the tunnel, ensuring the user credentials are kept secure.
LEAP: Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and the authentication server.
NOTE: Aruba does not recommend using the LEAP authentication method because it does not provide any resistance to network attacks.

External RADIUS Server
In the external RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. Instant RADIUS is implemented on the Virtual Controller, and this feature eliminates the need to configure multiple NAS clients for every IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and users are allowed or denied access to the network depending on the response from the RADIUS server. When you enable the external RADIUS server option for the network, the authenticator on the IAP s
57.
automatically defined for each network. These roles cannot be deleted or renamed.
Access Rules: This table lists the permissions for each Role. See Chapter 14, Role Derivation, for more information.
Figure 198 Roles [screenshot: PEF > Roles; Access Rules for default dev rule: Allow any to all destinations; not reproduced]

Extended Voice and Video Functionalities
Instant has the added ability to identify and prioritize voice and video traffic from applications like Microsoft Office Communications Server (OCS) and Apple Facetime.
Figure 199 Classify Media [screenshot: PEF > Roles, Access Rules for default wired port profile; New Rule options Log, Classify media, DSCP tag, Blacklist, Disable scanning, 802.1p priority; not reproduced]

QoS for Microsoft Office OCS and Apple Facetime
Voice and video devices use a signaling protocol to establish, control, and terminate voice and video calls. These control or signaling sessions are usually permitted using pre-defined ACLs. If, however, the control signaling packets are encrypte
58.
box. This name automatically appears in AirWave under the Groups list.
3. Enter the IP address of the AirWave server in the AirWave IP text box.
4. Enter the IP address of a backup AirWave server in the AirWave backup IP text box. The backup server provides connectivity when the primary server is down. If the IAP cannot send data to the primary server, the Virtual Controller switches to the backup server automatically.
5. Enter the shared key in the Shared key text box and reconfirm. This shared key is used for configuring the first AP in the Aruba Instant network.
6. Click OK.

AirWave Discovery through DHCP Option
The AirWave configuration can also be performed through the DHCP option that is configured on the DHCP server. You can configure this only if AirWave was not configured earlier, or if you have deleted the previous configuration. On the DHCP server, the format for option 60 is ArubaInstantAP, and the format for option 43 is ams-ip,ams-key.

Standard DHCP option 60 and 43 on Windows Server 2008
In networks that are not using DHCP options 60 and 43, it is easy to use the standard DHCP options 60 and 43 for Aruba AP or Aruba Instant AP. For Aruba APs, these options can be used to indicate the master controller or the local controller. For IAP, this can be used to define the AirWave IP, group, and password.
1. From a server running Windows Server 2008, navigate to Server Manager > Roles > DHCP Server > domain DHCP Server >
59.
by default.
Shared key: Enter a shared key for communicating with the external RADIUS server.
Timeout: Indicates the timeout for one RADIUS request. The IAP retries sending the request the number of times configured in the Retry count before the user gets disconnected. For example, if the Timeout is 5 sec and the Retry count is 3, the user is disconnected after 20 sec (Timeout x (Retry count + 1)). The default value is 5 seconds.
Retry count: Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group. The default value is 3 requests.
RFC 3576: When enabled, the Access Points process RFC 3576-compliant Change of Authorization (CoA) and Disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
NAS IP address: Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets. Note: If you do not enter the IP address, the Virtual Controller IP address is used by default when Dynamic RADIUS Proxy is enabled.
NAS identifier: Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.

LDAP Server
Name: Enter the name of the new external RADIUS server.
IP address: Enter the IP address of the external RADIUS server.
Auth
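With RFC 3576 enabled, the IAP acts on CoA and Disconnect requests that arrive from the RADIUS server, and it must do so only after checking the Request Authenticator under the shared key, because an unchecked Disconnect would let anyone who can reach the NAS end user sessions. The Python below is an added example, not Aruba code, that builds and verifies such a packet per RFC 5176 (the successor of RFC 3576); the shared key, user name, NAS identifier and session id are constructed sample values, and UDP transport is left out.

```python
import hashlib
import hmac
import struct

# RADIUS codes from RFC 5176 (Dynamic Authorization Extensions, obsoletes RFC 3576).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used here (RFC 2865/2866); 32 is the NAS-Identifier the page
# describes, 4 is the NAS-IP-Address, 101 is Error-Cause (RFC 5176).
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 section 3.5


def encode_attrs(attrs):
    """Serialise (type, value bytes) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs = []
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def build_request(code, identifier, attrs, secret):
    """Server side. Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.

    RFC 5176 section 2.3: Request Authenticator = MD5(Code + Identifier + Length
    + 16 zero octets + attributes + shared secret), so only a holder of the
    secret can produce a request the NAS will accept.
    """
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """NAS side: return (ok, code, attrs). Attributes must be ignored when ok is False."""
    if len(packet) < 20:
        return False, None, []
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, code, []
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(packet[4:20], expected):
        return False, code, []
    return True, code, decode_attrs(body)


def build_response(code, request, attrs, secret):
    """ACK/NAK reuse the request's Identifier; Response Authenticator =
    MD5(Code + Identifier + Length + Request Authenticator + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response, request, secret):
    """Server side: check that an ACK/NAK genuinely answers the given request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def handle_disconnect(packet, secret, sessions):
    """Process one Disconnect-Request against a {session_id: user} table.

    Returns (response packet or None, dropped session id or None). RFC 5176
    requires an unverifiable request to be silently discarded, never answered,
    so a forged packet can neither end a session nor be used to probe the key.
    """
    ok, code, attrs = verify_request(packet, secret)
    if not ok or code != DISCONNECT_REQUEST:
        return None, None
    wanted = dict(attrs).get(ATTR_ACCT_SESSION_ID)
    if wanted in sessions:
        del sessions[wanted]
        return build_response(DISCONNECT_ACK, packet, [], secret), wanted
    nak_attrs = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))]
    return build_response(DISCONNECT_NAK, packet, nak_attrs, secret), None


# Constructed sample data (not from the page): a shared key and one Disconnect-Request.
SECRET = b"constructed-shared-key"
SAMPLE_REQUEST = build_request(DISCONNECT_REQUEST, 7, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_NAS_IDENTIFIER, b"instant-vc-example"),
    (ATTR_ACCT_SESSION_ID, b"0000A1B2"),
], SECRET)
```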
60.
client is connected.
Channel: Channel that the client is currently broadcasting on.
Type: Wi-Fi type of the client: A, G, AN, or GN.
Role: Role assigned to the client.
Signal: Indicates signal strength.
Speed (mbps): Data transfer speed.
Figure 8 Client Tab, Compressed View and Expanded View [screenshot: one client associated with Instant Access Point; expanded columns Name, IP Address, MAC Address, OS, Network, Access Point, Channel, Type, Role, Signal, Speed (mbps); not reproduced]

Links
The following links allow you to configure the features and settings for the Instant network. Each of these links is explained in the subsequent sections.
  New Version Available
  Settings
  RF
  PEF
  Wired
  WIP
  VPN
  Maintenance
  Support
  Help
  Logout
  Monitoring
  Spectrum
  Alerts
  IDS
  Configuration
  Language
  AirWave Setup
  Pause/Resume

New Version Available
This link appears in the top right corner of the Instant UI only if a new image version is available on the image server and AirWave is not configured. For more information about the New version available link and its functions, see Firmware Image Server in Cloud Network on page 101.

Settings
This link displays the Settings windo
61.
continue.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN. Click Next to continue.
4. Click Next and slide to set the appropriate security levels in the Security tab. Click Next. The Access tab appears. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an allow POP3 service access rule to a particular server:
  a. Click New. The New Rule window appears.
  b. Select Allow from the Action drop-down list.
  c. Select pop3 from the Service drop-down list.
  d. Select to a particular server from the Destination drop-down list and enter the appropriate IP address in the IP text box.
  e. Click OK.
6. Click Finish.
Figure 130 Defining Rule Allow POP3 Service to a Particular Server [screenshot: New WLAN > Access Rules, New Rule with Action Allow, Service pop3, Destination to particular server, IP; options Log, Classify media, DSCP tag, Blacklist, Disable scanning, 802.1p priority; not reproduced]

Deny FTP Service except to a Particular Server
1. Click the New link in the Networks tab. To define the access rule for an existing network, click the network. The edit link appe
62.
determined to be a foreign client as soon as it starts using the IP address, and L3 roaming is immediately set up.
Perform the following steps to configure a mobility domain:
1. Click the Settings link at the upper right corner of the Instant WebUI.
2. Click the Show advanced options link and then click L3 Mobility.
3. Click New in the Virtual Controller IP Addresses section, add the IP address of a VC that is part of the mobility domain, and click OK.
Figure 84 Add Virtual Controller IP Addresses [screenshot: Settings > L3 Mobility; Home agent load balancing Disabled; Virtual Controller IP Addresses list with New; not reproduced]
4. Repeat Step 3 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain.
5. Click New in the Subnets section and specify the following:
  a. Enter the client subnet in the IP address text box.
  b. Enter the mask in the Subnet mask text box.
  c. Enter the VLAN ID in the home network in the VLAN ID text box.
  d. Enter the home VC IP address for this subnet in the Virtual Controller IP text box.
Figure 85 Add Subnets Information [screenshot: Settings > L3 Mobility, Subnets section; not reproduced]
63.
do not have a dedicated VPN connection to the corporate office
  branch offices that require multiple APs
  individuals working from home connecting to the VPN
This new architecture and form factor seamlessly combines the survivability feature of Instant APs with the VPN connectivity of RAPs, providing corporate connectivity to non-corporate locations.
The following VPN features are briefly described.

VPN Configuration
The VPN configuration functionality enables the IAP to create a single VPN tunnel from the Virtual Controller to an Aruba Mobility Controller in your corporate office. Here the VPN tunnels from the Instant APs terminate on the Aruba Mobility Controller. The controller solely acts as a VPN end point and does not supply the Instant AP with any configuration.
To create a VPN tunnel from the Virtual Controller to an Aruba Mobility Controller:
Figure 206 Tunneling Controller [screenshot: Tunneling window, Controller tab with Protocol (IPSec), Primary host, Backup host, Preemption (Disabled); not reproduced]
1. Navigate to the VPN link at the top right corner of the Instant WebUI. The Tunneling window appears.
2. Select IPSec from the Protocol drop-down list.
3. If you select GRE from the Protocol drop-down list, then the packets are sent and received without encryption.
  a. GRE type: Enter the value for the GRE type parameter.
  b. Per-AP tunnel: Select Enabled or Disabled from the Per-AP tunnel drop-down list.
64.
entry for the IAP is present in the firmware image cloud server and is provisioned as an IAP > RAP entry, the firmware image cloud server responds with the controller IP address, AP group, and AP type. The IAP then contacts the controller, establishes certificate-based secure communication, and gets its configuration and image from the controller. The IAP then reboots and comes up as a RAP. The IAP then establishes an IPSEC connection with the controller and begins operating in RAP mode.
If an IAP entry for the AP is present in the firmware image cloud server, the AP gets the AirWave server information from the cloud server and downloads its configuration from AirWave to operate in IAP mode.
If there is no response from the cloud server or AirWave, the IAP comes up in Aruba Instant mode.
A description of the firmware image cloud server can be found in the section named Firmware Image Server in Cloud Network within this chapter.
NOTE: A mesh point cannot be converted to RAP because mesh does not support a VPN connection.
NOTE: An IAP can be converted to an ArubaOS Campus AP and ArubaOS Remote AP only if the controller is running ArubaOS 6.1.4 or later.
The following table describes the supported IAP platforms and the minimal AOS version for IAP to CAP/RAP conversion.
Table 13 AP Platforms and Minimal AOS Version for IAP to CAP Conversion
IAP Platform   AOS Version
IAP-92   6.1.4 or later
IAP-93   6.1.4 or later
65.
everything that does not match this list is sent to the open DNS server.
Figure 134 Enterprise Domains [screenshot: Settings > Enterprise Domains, Enterprise Domain Names list; not reproduced]
To manually add or delete a domain, perform the following steps:
1. Navigate to Settings at the top right corner of the Instant UI and then select Enterprise Domains in the UI.
2. Click New and enter a New Domain Name, or select the domain and click Delete to remove the domain name from the list.
3. Click OK to apply the changes.

Chapter 18 OS Fingerprinting
The OS Fingerprinting feature gathers information about the client that is connected to the Aruba Instant network to find the operating system that the client is running. The following is a list of advantages of this feature:
  Identifying rogue clients: Helps to identify clients that are running forbidden operating systems.
  Identifying outdated operating systems: Helps to locate outdated and unexpected OSes in the company network.
  Locating and patching vulnerable operating systems: Assists in locating and patching specific operating system versions on the network that have known vulnerabilities, thereby securing the company network.
OS Fingerprinting is enabled in the Aruba Instant network by default. The following operating systems a
66.
for the lease time from the drop-down list next to Lease time.
Enter the network in the Network text box.
Enter the mask in the Mask text box.
NOTE: To provide simultaneous access to more than 512 clients, use the Network and Mask fields to specify a larger range. While the network or prefix is the common part of the address range, the mask suffix specifies how long the variable part of the address range is.
Figure 97 Configuring the DHCP Server [screenshot: Settings > General with Name, Auto join mode, Virtual Controller IP, Terminal access, Dynamic RADIUS proxy, LED display, MAS integration, TFTP Dump Server, NTP server, Extended SSID, Timezone, Deny inter user bridging, Preferred band, Deny inter user routing, and the DHCP Server fields Domain name, DNS Server(s), Lease time, Network, Mask; not reproduced]
9. Click OK to apply the changes.

Chapter 12 Authentication
Authentication Methods in Aruba Instant
Authentication is a process of identifying a user by having them provide a valid username
67.
guest and employee users. Adding a user involves specifying a username and password for the user. The login credentials for these users are provided outside the Aruba Instant system.
A guest user can be a visitor who is temporarily using the enterprise network to access the internet. However, you may not want to share the internal network and the intranet with them. To segregate the guest traffic from the enterprise traffic, you can create a Guest WLAN, specify the required authentication, encryption, and access rules, and allow the guest user to use the enterprise network.
An employee user is an employee who is using the enterprise network for various official tasks. You can create Employee WLANs, specify the required authentication, encryption, and access rules, and allow the employees to use the enterprise network.
The User Database is also used when Instant is employed as an internal RADIUS server.

Adding a User
To add a user:
1. At the top right corner of the Instant UI, click the PEF link and click Users for Internal Server.
Figure 213 Adding a User [screenshot: PEF > Users for Internal Server; Add new user with Username, Password, Retype, Type (Guest); not reproduced]
Enter the username in the Username text box. Enter the password in the Password text box and reconfirm. Select the appropriate network type from the Type drop-down list. Click
68.
in to the Instant user interface, the Country Code window appears if IAP-ROW APs are installed. Select the country code for the IAP-ROW APs installed. For the complete list of the countries that are supported in the IAP-ROW variant type, see Regulatory Domain on page 253.
Figure 4 Specifying the Country Code [screenshot: "Welcome to Instant. Please specify the Country Code" with a Select country code drop-down; not reproduced]

IAP Cluster
IAPs in the same VLAN automatically find each other and form a single functioning network managed by a Virtual Controller.
NOTE: Moving an IAP from one cluster to another requires a factory reset of the IAP that is being moved. See Chapter 6, Managing IAPs, on page 85 for more information.

Chapter 3 Instant User Interface
The Instant User Interface (UI) provides a standard web-based interface that allows you to configure and monitor a Wi-Fi network. It is accessible through a standard web browser from a remote management console or workstation. JavaScript must be enabled on the web browser to view the Instant UI.
Supported browsers are:
  Internet Explorer 8 or higher
  Safari
  Google Chrome
  Mozilla Firefox
The Instant UI logs out automatically if the window is inactive for fifteen minutes.
Understa
69.
manually. If you cannot view the list of countries or ISPs in the drop-down list, then configure the modem parameters manually.

Provisioning a 3G/4G Switch Network
To provision a 3G/4G switch network, provide the driver type for the 3G modem in the USB type text box and the driver type for the 4G modem in the 4G USB type text box, and click OK.
Figure 157 3G/4G Switch Network [screenshot: 3G/4G fields, 4G USB type, USB mode switch; not reproduced]

Uplink Switchover
The default priority for uplink switchover is Ethernet and then 3G/4G. The IAP has the ability to switch to the lower priority uplink if the current uplink is down. An IAP reboot is not required for the uplink switchover process. If VPN is configured, the IAP monitors the VPN status; once the VPN status has been down for 3 minutes, the uplink switches over if a lower priority uplink is detected and the uplink preference is none.

Uplink Switching based on VPN Status
Instant supports switching uplinks based on the VPN status when deploying mixed uplinks (Eth0, 3G/4G). When VPN is used with multiple backhaul options, the IAP switches to an uplink connection based on the VPN connection status instead of only using Eth0, the physical backhaul link. The behavior of the uplink switching is described as follows:
If the current uplink is Eth0, this uplink is used until the VPN connection is down, at which point a different uplink (3G) is selected.
If the current uplink is 3G and Eth0 has a physical lin
70.
multiple IAPs could not be deployed. An IAP-130 series or RAP-3WN AP with more than one wired port can now be connected to the downlink wired port of another IAP (ethX). You can provision an IAP with a single Ethernet port, like IAP-90 or IAP-100 series devices, to use enet0 bridging so that Eth0 is converted to a downlink wired port. In such single Ethernet port platform deployments, the root AP must use the 3G uplink.
In this release of Aruba Instant, you can form an IAP network by connecting the downlink port of an AP to other APs. Only one AP in the network uses its downlink port to connect to the other APs. This AP, called the root AP, acts as the wired device for the network, provides DHCP service, and provides an L3 connection to the ISP uplink with NAT. The root AP is always the master of the Instant network. On a single Ethernet port platform, you can use enet0 bridging so that Eth0 is converted to a downlink wired port, and the root AP must have the 3G uplink configured.

Deployment
A typical hierarchical deployment is comprised of the following:
  A direct wired ISP connection and/or wireless uplink
  One or more DHCP pools for private VLANs
  One downlink port configured on a private VLAN without authentication for connecting to slave APs. This port should not be used for any wired client connection. Other downlink ports can be used for connecting to wired clients.
Figure 146 Hierarchical Deployment [diagram: eth2 on Private VLAN 2; not reproduced]
71.
not be able to join the network.
NOTE: The Virtual Controller in the Instant AP communicates with the AirWave server or the Image server, depending on the user's configuration. If AirWave is not configured on the IAP, then the image is requested from the Image server. See Configuring AirWave on page 207 for steps on how to configure AirWave.

Automatic Firmware Image Check and Upgrade
Automatic image check is enabled by default. If AirWave is configured, then the automatic image check is automatically disabled; use the manual image check option to check for the latest image. For more information, see Upgrading to New Version on page 102 and Configuring AirWave on page 207 for steps on how to configure AirWave.
If the Automatic image check is enabled, then the following actions take place once after every time the AP boots up and once every week thereafter:
If the image check locates a new version of the ArubaOS software on the image server, then a New version available link appears at the top right corner of the Instant UI.
Figure 77 Automatic Image Check, New Version Available Link [screenshot: Settings, RF, PEF, Maintenance, Support links with "New version available"; not reproduced]
After the Automatic image check feature identifies a new version, perform the following steps to upgrade to the new version:
1. The Maintenance window appears. Click Upgrade Now to upgrade the IAP to the newer version.
72.
of the information that is displayed.
Table 15 Device Summary and Channel Information
Type   Device type. This parameter can be any of the following: audio FF (fixed frequency), bluetooth, cordless base FH (frequency hopper), cordless phone FF (fixed frequency), cordless network FH (frequency hopper), generic FF (fixed frequency), generic FH (frequency hopper), generic interferer, microwave, microwave inverter, video, xbox. NOTE: For additional details about non-Wi-Fi device types shown in this table, see Non-Wi-Fi Interferer Types on page 115.
ID   ID number assigned to the device by the spectrum monitor or hybrid AP radio. Spectrum monitors and hybrid APs assign a unique spectrum ID per device type.
Cfreq   Center frequency of the signal sent from the device.
Bandwidth   Channel bandwidth used by the device.
Table 15 Device Summary and Channel Information (Continued)
Channels affected   Radio channels affected by the wireless device.
Signal strength   Strength of the signal sent from the device, in dBm.
Duty cycle   Device duty cycle. This value represents the percent of time the device broadcasts a signal.
Add time   Time at which the device was first detected.
Update time   Time at which the device's status was updated.

Non-Wi-Fi Interferers
The following table describes each type of non-Wi-Fi interferer detected by the spectrum monitor feature.
Tabl
...port: Enter the authentication port number of the external RADIUS server. The port number is set to 1812 by default.
Admin DN: Enter the Distinguished Name of the admin user who has read and search privileges across all the entries in the LDAP database. Use a dedicated account for this: it does not need write privileges, only the ability to search the database and read the attributes of the other users in it.
Admin password: Enter the admin password.
Base DN: Enter the Distinguished Name of the node that contains the entire user database.
Filter: Indicates the filter that is applied when searching for the user in the LDAP database. The default filter string is objectclass.
Key Attribute: Indicates the attribute used as the key when searching the LDAP server. For Active Directory, the value is sAMAccountName.
Timeout: Enter a value between 1 and 30 seconds. The default value is 5.
Retry count: Enter a value between 1 and 5. The default value is 3.

Figure 98: Configuring an External RADIUS Server (New WLAN, Security tab: Key management WPA-2 Enterprise, Termination Enabled, Authentication server 1 New; New Server dialog with server type RADIUS or LDAP, Name, IP address, Auth port 1812, Accounting port 1813, Shared key and Retype key, Timeout in seconds, Retry count, RFC 3576 Disabled, NAS IP address)
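The Base DN, Filter and Key attribute settings above only describe the search the authenticator performs; the following is an added example, not code from the Aruba guide or from Aruba, of how a generic LDAP client combines them into one search filter and why the username must be escaped before it is spliced in. The assumptions are labelled in the code: the configured Filter is ANDed with an equality match on the Key attribute, a bare attribute name in the Filter field is read as a presence test, and the Base DN and usernames are made up for the demonstration.

```python
# Added example: not code from the Aruba Instant guide or from Aruba.
# Shows how the LDAP settings (Base DN, Filter, Key attribute) combine
# into the user lookup an authenticator issues, and why the username
# must be escaped per RFC 4515 before it goes into the filter. The way
# the configured Filter is ANDed with the key-attribute match is an
# assumption about a generic LDAP client, not Aruba's implementation.

# RFC 4515 section 3: characters that must be hex-escaped in filter values.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_filter(configured: str) -> str:
    """Turn the Filter field into a parenthesised filter.

    Assumption: a bare attribute name such as "objectclass" is read as a
    presence test, i.e. "(objectclass=*)"; an already parenthesised value
    is kept as is.
    """
    f = configured.strip()
    if f.startswith("("):
        return f
    return f"({f})" if "=" in f else f"({f}=*)"


def user_term_unsafe(key_attribute: str, username: str) -> str:
    """The naive construction: the username is spliced in verbatim.

    A username of "*" yields "(sAMAccountName=*)", which matches every
    entry under the Base DN, and ")(objectclass=*" style input rewrites
    the whole filter. Kept only to contrast with the escaped version.
    """
    return f"({key_attribute}={username})"


def user_term(key_attribute: str, username: str) -> str:
    """The hardened construction: metacharacters in the username are escaped."""
    return f"({key_attribute}={escape_filter_value(username)})"


def build_user_search(base_dn: str, configured_filter: str,
                      key_attribute: str, username: str) -> dict:
    """Return the search (base, scope, filter) issued for one login attempt."""
    search_filter = (f"(&{normalize_filter(configured_filter)}"
                     f"{user_term(key_attribute, username)})")
    return {"base": base_dn, "scope": "subtree", "filter": search_filter}


if __name__ == "__main__":
    # Constructed values: the Base DN and usernames are made up for the demo.
    for name in ("jdoe", "*", "jdoe)(objectclass=*"):
        print("unsafe  :", user_term_unsafe("sAMAccountName", name))
        print("escaped :", build_user_search("ou=users,dc=example,dc=com",
                                             "objectclass", "sAMAccountName",
                                             name)["filter"])
```

The same escaping applies to any other value that comes from the client (for example a MAC address used as the username in MAC authentication); the Admin DN itself is operator configuration and is bound with, not searched for.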
...server in the drop-down list, click New to add a RADIUS server. For information on configuring an external RADIUS server, see External RADIUS Server on page 124.
7. Click Next and then click Finish.

Figure 103: Configuring Internal Captive Portal with External RADIUS Server Authentication (New WLAN, Security tab: Splash page type Internal Authenticated; Splash Page Visuals editor with the text "Welcome to the Guest Network"; Auth server 2 Select Server; Reauth interval in minutes; Max auth failures; Blacklisting Disabled; Encryption Disabled; Redirect URL http://abc.com)

Customizing a Splash Page

A splash page is the web page displayed to a guest user who is trying to access the internet. The appearance of a splash page can be customized as required. To customize a splash page, perform the following steps.

NOTE: The current release does not support a per-SSID splash page. When multiple SSIDs are configured to use a customized splash page, changes to the page are reflected on all SSIDs.

1. In the Network tab, click the network for which you want to customize the splash page. The edit link for the network appears.
2. Click the edit link. The Edit window for the network appears.
3. Navigate to the Security tab and perform the following steps:
Splash Page Visuals: Use the in-place editor below to specify text an
...single AP deployment. Uplink redundancy with the PPPoE link is not supported.

When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. Once the PPPoE settings are configured, PPPoE has the highest priority for the uplink. The IAP can establish a PPPoE session with a PPPoE server at the ISP and be authenticated using the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP). Depending on the request from the PPPoE server, either the PAP or the CHAP credentials are used for authentication. Note that the server, not the IAP, chooses the method, and PAP sends the password to the server in the clear, whereas CHAP sends only a hash of the secret and a challenge.

After you configure PPPoE, you have to reboot the IAP for the configuration to take effect. The PPPoE connection is dialed after the AP comes up. The PPPoE configuration is checked during bootup, and if it is found to be incorrect, Ethernet (DHCP) is used for the uplink connection.

NOTE: When you use PPPoE, do not use Dynamic RADIUS Proxy. An SSID created with the default VLAN is not supported with PPPoE. When you use PPPoE, do not configure the IP address of the Virtual Controller.

Configuring PPPoE

To configure the PPPoE settings:
1. Click the Settings link at the upper right corner of the Instant WebUI.
2. Click the Show advanced options link.
3. In the Uplink tab, perform the following steps in the PPPoE section:
a. Enter the PPPoE service name provided by your service provider in the Service name field.
b. In the CHAP secret and Retype fields, enter the CHAP secret and confirm it.
c. Enter the user name for the PPPoE c
...the lines on the Noise icon change from Green to Orange to Red:
Green: Noise floor is below -87 dBm.
Orange: Noise floor is between -87 dBm and -80 dBm.
Red: Noise floor is above -80 dBm.
To view the noise floor graph of an IAP, click the noise icon against the IAP in the Noise column.

Errors: Displays the errors for the IAPs. Depending on the errors, the color of the lines on the Errors icon changes from Green to Orange to Red:
Green: Errors are fewer than 5000 frames per second.
Orange: Errors are between 5000 and 10000 frames per second.
Red: Errors are more than 10000 frames per second.
To view the errors graph of an IAP, click the Errors icon against the IAP in the Errors column.

Usage Trends: Displays the following graphs:

Clients: In the default Virtual Controller view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes. In the Network or IAP view, this graph displays the number of clients that were associated with the selected network or IAP in the last 15 minutes.
Throughput: In the default Virtual Controller view, the Throughput graph displays the incoming and outgoing throughput for the Virtual Controller in the last 15 minutes. In the Network or IAP view, this graph displays the incoming and outgoing throughput for the selected network or IAP in the last 15 minute
...the sequence number.
Description: Displays the event details.

Figure 32: Active Faults (Instant UI for the Virtual Controller iLongevity with 5 Networks, 16 Access Points and 19 Clients; Monitoring, 2 Alerts, IDS and Configuration links)

For more information about alerts, see Chapter 27, Alert Types and Management.

IDS

This link displays a list of foreign APs and foreign clients that are detected in the network. It consists of the following sections:

Foreign Access Points Detected: Lists the APs that are not controlled by the Virtual Controller. The following information is displayed for each foreign AP:
MAC address: Displays the MAC address of the foreign AP.
Network: Displays the name of the network to which the foreign AP is connected.
Classification: Displays the classification of the foreign AP: Interfering IAP or Rogue IAP.
Channel: Displays the channel on which the foreign AP is operating.
Type: Displays the Wi-Fi type of the foreign AP.
Last seen: Displays the time when the foreign AP was last detected in the network.
Where: Provides information about the IAP that detected the foreign AP. Click the pushpin icon to view the information.

Foreign Clients Detected: Lists the clients that are not controlled by the Virtual Controller. The following information is displayed for each foreign client:
MAC address: Displays the MAC address of the foreign client
...this wireless network are sent to OpenDNS.
Band: Set the band on which the network transmits radio signals. Available options are 2.4 GHz, 5 GHz, and All. The All option is selected by default and is the recommended option.
Inactivity timeout: Indicates the time in seconds after which an idle client ages out. The minimum value is 60 seconds and the default value is 1000 seconds.
Hide SSID: Select this check box if you do not want the SSID (network name) to be visible to users. Hiding the SSID is a convenience, not a security control: the name is still sent in the clear when clients probe for and associate to the network.
4. Click Next to continue.

Figure 37: Adding an Employee Network, VLAN Tab (Client IP & VLAN Assignment: Client IP assignment Virtual Controller assigned or Network assigned; Client VLAN assignment Default, Static or Dynamic)

5. Select the required Client IP assignment option: Virtual Controller assigned or Network assigned.

Table 5: Conditions for Client IP and VLAN Assignment

You select Virtual Controller assigned: The client gets its IP address from the Virtual Controller. The Virtual Controller creates a private subnet and VLAN on the IAP for the wireless clients and NATs all traffic that passes out of this interface. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. See Chapter 11, Virtual Controller, on page 121 for configuring the DHCP server
...to host the captive portal service. Internal captive portal authentication is classified as follows:
Internal Authenticated: To gain access to the wireless network, a user must authenticate on the captive portal page. If this option is selected, the users who are required to authenticate have to be added to the user database. Click the Users link to add the users. For information about adding users, see Adding a User on page 251.
Internal Acknowledged: To gain access to the wireless network, a user must accept the terms and conditions.

Configuring Internal Captive Portal Authentication when Adding a Guest Network

To configure internal captive portal authentication when adding a guest network, perform the following steps:
1. In the Network tab, click the New link. The New Network window opens.
2. In the WLAN Settings tab, update the following information:
a. Enter a name for the network in the Name (SSID) text box.
b. Click Guest, and then click Next.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN.
4. Click Next to continue.
5. In the Security tab, select one of the following options for the splash page type:
a. Internal Authenticated
b. Internal Acknowledged
c. External RADIUS Server
d. External Authentication text
e. None
See Guest Network on page 70 for more information on the splash page type options.
[Figure: IDS link, Foreign Access Points Detected list. Columns: MAC address, Network, Classification, Channel, Type, Last seen. The capture lists neighbouring APs on 2.4 GHz and 5 GHz channels, most classified as Interfering and one, on the network named "aruba ap", classified as Rogue.]
Dynamic multicast optimization: When enabled, the IAP converts multicast streams into unicast streams over the wireless link. DMO enhances the quality and reliability of streaming video while preserving the bandwidth available to non-video clients.
DMO channel utilization threshold: When dynamic multicast optimization is enabled, the IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90 and the maximum threshold value is 100. If the channel utilization exceeds the threshold, the AP stops converting and sends the traffic as multicast over the wireless link.

b. Bandwidth Limits: You can specify three types of bandwidth limits:
Airtime: Indicates the aggregate amount of airtime that all clients on this network can use to send and receive data.
Each user: Indicates the throughput for any single user on this network. The throughput value is specified in kbps.
Each radio: Indicates the aggregate amount of throughput each radio (some AP models have multiple radios) is allowed to provide for all clients connected to that radio.

c. Transmit Rates: Indicates the ability to configure the basic and supported rates per SSID for Aruba Instant. Select to set the minimum and maximum legacy (non-802.11n) transmit rates for each band, 2.4 GHz and 5 GHz.

d. Miscellaneous:
Content filtering: When enabled, all DNS requests to non-corporate domains on
[Figure: client view graphs of In and Out throughput (bps) and retries over the last 15 minutes; Status: Not Connected]

The Info section provides the following information about the selected client:
Name: Name of the selected client.
IP Address: IP address of the client.
MAC Address: MAC address of the client.
OS: Operating system running on the client.
Network: Network to which the client is connected.
Access Point: IAP to which the client is connected.
Channel: Channel that the client is using.
Type: Channel type on which the client is broadcasting.

[Figure: client view showing the RF Dashboard section (Network and Access Point columns) and the Mobility Trail section (Association Time, Access Point)]

In the Client view, the RF Dashboard section is moved below the Info section. The RF Dashboard section in the client view shows the speed and signal information for the client and the RF information for
...1, which allowed people to move forward quickly to create more secure WLANs. WPA2 encompasses the full implementation of the 802.11i standard. Table 19 summarizes the differences between the two certifications. WPA2 is a superset that encompasses the full WPA feature set.

WPA and WPA2 can be further classified as follows:

Personal: Personal is also called Pre-Shared Key (PSK). In this type, one key (the passphrase) is shared by every client in the network, and users have to present this key to log in to the network. The key remains the same until it is changed by authorized personnel; key change intervals can also be configured. Because every client holds the same key, one leaked passphrase exposes every client on the network, and the passphrase has to be changed on all devices when it is compromised.

Enterprise: Enterprise is more secure than WPA Personal. In this type, every client automatically receives a unique encryption key after securely logging on to the network. This key is long and is updated automatically at regular intervals.

While WPA uses TKIP, WPA2 uses the AES algorithm.

Table 19: WPA and WPA2 Features

WPA: Authentication PSK, or IEEE 802.1X with Extensible Authentication Protocol (EAP). Encryption Temporal Key Integrity Protocol (TKIP) with message integrity check (MIC).
WPA2: Authentication PSK, or IEEE 802.1X with EAP. Encryption Advanced Encryption Standard, Counter Mode with Cipher Block Chaining Message Authentication Code (AES-CCMP).

Recommended Authentication and Encryption Combinations

Table 20 summarizes the recommendations for authenticatio
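The Personal mode described above is a shared-key mode in a precise sense that the following added example makes concrete (it is not code from the Aruba guide or from Aruba): every client derives the same Pairwise Master Key from the passphrase and SSID, and the per-session keys are expanded from that PMK using values that travel unencrypted in the 4-way handshake, which is why a leaked passphrase exposes every client. The passphrase rule enforced here (8 to 63 printable ASCII characters) is the one the Personal security level shows in the Instant UI; the PMK is checked against the IEEE 802.11i test vector for passphrase "password" and SSID "IEEE", and the handshake MACs and nonces in the usage section are constructed values, not a captured exchange.

```python
# Added example: not from the Aruba Instant guide or from Aruba. Shows why
# WPA/WPA2 Personal is a shared-key mode: every client derives the same
# 256-bit Pairwise Master Key (PMK) from passphrase and SSID with
# PBKDF2-HMAC-SHA1 (4096 iterations, IEEE 802.11i), and the per-session
# Pairwise Transient Key (PTK) is expanded from the PMK with values that
# are sent in the clear in the 4-way handshake. The passphrase rule is the
# "8-63 chars" rule of the Personal security level in the Instant UI.
import hashlib
import hmac


def passphrase_error(passphrase: str):
    """Return None if the passphrase is a valid 802.11 PSK passphrase, else a reason."""
    if not 8 <= len(passphrase) <= 63:
        return "passphrase must be 8 to 63 characters"
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        return "passphrase must be printable ASCII"
    return None


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)."""
    err = passphrase_error(passphrase)
    if err:
        raise ValueError(err)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes, nbits: int = 384) -> bytes:
    """PTK for CCMP (384 bits: KCK || KEK || TK) from the PMK and handshake values.

    The MAC addresses and nonces are carried unencrypted in the EAPOL-Key
    frames, so anyone holding the PMK who captured the handshake computes
    the same PTK and can decrypt that client's traffic.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def clients_share_pmk(passphrase: str, ssid: str, clients: int = 3) -> bool:
    """Simulate several clients deriving their PMK independently: all are equal."""
    return len({derive_pmk(passphrase, ssid) for _ in range(clients)}) == 1


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")         # IEEE 802.11i test vector inputs
    print("PMK:", pmk.hex())
    # Constructed handshake values for the demo, not a captured exchange.
    ptk = derive_ptk(pmk, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                     b"\x01" * 32, b"\x02" * 32)
    print("KCK:", ptk[:16].hex())
    print("KEK:", ptk[16:32].hex())
    print("TK :", ptk[32:48].hex())
```

In Enterprise mode the PMK is instead delivered per client by the RADIUS server at the end of the EAP exchange, which is the concrete meaning of the "unique encryption key" the text describes.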
List of Figures (continued)

Connecting to a Provisioning Wi-Fi Network, Microsoft Windows ... 25
Connecting to a Provisioning Wi-Fi Network, Mac OS ... 25
Instant User Interface Login Screen ... 26
Specifying the Country ... 27
Networks Tab, Compressed View and Expanded View ... 30
Access Points Tab, Compressed View and Expanded View ... 31
Client Tab, Compressed View and Expanded View ... 32
Maintenance Link, Default View ... 39
Support Window ... 40
Support Commands ... 43
Info Section in the Monitoring Pane ... 44
RF Dashboard in the Monitori
Table 11: Conditions for Adding a Guest Network, Security Tab

Splash Page Type: Description and steps to set up

Internal Authenticated: The user has to accept the terms and conditions and enter a username and password on the captive portal page. If this option is selected, add the users who are required to use captive portal authentication to the user database. Click the Users link to add the users. For information about adding a user, see Adding a User on page 251. For information on customizing the splash page, see Customizing a Splash Page on page 134.
1. Select the required Authentication server 1 option from the drop-down list. Available options are:
New: If you select this option, an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Configuring an External RADIUS Server on page 125.
Internal Server: If you select this option, the users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see Adding a User on page 251.
Reauth interval: When set to a value greater than zero, the access points periodically reauthenticate all associated and authenticated clients.
Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authen
[Figure: Instant UI Virtual Controller view with the Access Points list (names, client counts and mesh role, Portal or Point), the Info section (Country code US, Virtual Controller IP 10.64.99.200, Master 10.64.99.15, OpenDNS status Not connected, Uplink type Ethernet, Uplink status UP) and the Usage Trends throughput graph]

IAPs in the US, JP or IL regulatory domain that are in the factory default state scan for several minutes after booting. An IAP mesh point in the factory default state automatically joins the portal if only a single Instant mesh network is found. In addition, the auto join feature must be enabled in the existing network.

NOTE: The IAP mesh point gets an IP address from the same DHCP pool as the portal, and this DHCP request goes through the portal.
[Figure: Instant UI Virtual Controller view with the Access Points list (names, IP addresses, mesh role Portal or Point) and Clients list (names, IP addresses, networks, access points), the Info section (Virtual Controller IP 10.64.99.200, Master 10.64.99.15, OpenDNS status Not connected, Uplink type Ethernet, Uplink status UP) and the throughput graph]

Client Alerts

These alerts occur when clients are connected to the Instant network. A client alert consists of the following fields:
Timestamp: Displays the time at which the client ale
...2.4 GHz radio band. The data displayed includes the percentage of Quality, Availability, Wi-Fi utilization, and Interference utilization.

Figure 26: Channel Metrics for the 2.4 GHz Radio Channel (Spectrum Overview, 2.4 GHz Channel Utilization and Quality graph)

5 GHz: This graph shows channel utilization information, such as channel quality, availability, and utilization metrics, as seen by a spectrum monitor for the 5 GHz radio band. The data displayed includes the percentage of Quality, Availability, Wi-Fi utilization, and Interference utilization.

Figure 27: Channel Metrics for the 5 GHz Radio Channel (Spectrum Overview, 5 GHz Channel Utilization and Quality graph with Available and Quality percentages per 5 GHz channel)

Channel Details

When you hover your mouse over a channel, the channel details, that is, the summary of the 802.11a or 802.11g channels seen by a spectrum monitor, are displayed. You can view the aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference, and the signal-to-noise-and-interference ratio (SNIR). Spectrum monitors display spectrum analysis data seen on all channels in the selecte
List of Tables (continued)

List of Supported 3G Modems ... 199
Virtual Controller View, Graphs and Monitoring Procedures ... 217
Network View, Graphs and Monitoring Procedures ... 220
Instant Access Point View, Usage Trends and Monitoring Procedures ... 223
Instant Access Point View, RF Trends Graphs and Monitoring Procedures ... 226
Client View, RF Trends Graphs and Monitoring Procedures ... 231
Ports Used by the Apple FaceTime Application ... 238
Table 45: Country Codes List ... 254

About this Guide

Aruba Instant Overview

Aruba Instant virtualizes Aruba Mobility Controller capabilities on 802.11n access points (APs), creating a feature-rich, enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity.

Aruba Instant is a simple, easy-to-deploy, turn-key WLAN solution consisting of one or more access points. An Ethernet port with routable connectivity to the internet, or a self-enclosed network, is used to deploy an Instant wireless network. An Instant Access Point (IAP) can be installed at a single site or deployed across multiple geographically dispersed locations. Designed specifically for easy deployment and proactive management of networks, Inst
[Figure: Windows Server DHCP console showing the scopes 10.169.153.0 through 10.169.159.0 and the Server Options node]

This creates DHCP options 60 and 43 on a global basis. You can do the same on a per-scope basis; the per-scope option overrides the global option.

Figure 168: Instant and DHCP Options for AirWave, Scope Options (Windows Server DHCP console, Scope Options node of the scope configured for Aruba Instant APs)

Alternate Method for Defining Vendor-Specific DHCP Options

This section describes how to add vendor-specific DHCP options for Aruba Instant APs in a network that already uses DHCP options 60 and 43 for other services. Some networks use DHCP standard options 60 and
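What the Windows scope options above actually put on the wire, as an added example that is not code from the Aruba guide, from Aruba or from Microsoft: the option 60 string an IAP sends in its DHCPDISCOVER, the option 43 value a server returns only to clients whose vendor class matches (the per-scope or global rule described above), and the parse an IAP, or anyone capturing DHCP on that segment, performs on the reply. Two assumptions are labelled in the code: the vendor class string is "ArubaInstantAP" and option 43 carries "<organization>,<AMP IP>,<shared secret>" as one ASCII string; the organization, address and secret in the usage section are made up.

```python
# Added example: not from the Aruba Instant guide, Aruba or Microsoft. Builds
# and parses the DHCP option 60/43 pair used for AirWave discovery with the
# RFC 2132 type-length-value layout. Assumptions: option 60 carries the
# vendor class "ArubaInstantAP" and option 43 carries the string
# "<organization>,<AMP IP>,<shared secret>". Sample values are constructed.
import ipaddress

OPT_PAD = 0
OPT_VENDOR_INFO = 43            # vendor-specific information
OPT_VENDOR_CLASS = 60           # vendor class identifier
OPT_END = 255
INSTANT_VENDOR_CLASS = b"ArubaInstantAP"    # assumed option 60 value


def encode_options(options: dict) -> bytes:
    """Serialise {code: value} as DHCP TLVs followed by the End option."""
    out = bytearray()
    for code, value in options.items():
        if not 0 < code < 255:
            raise ValueError(f"option code {code} out of range")
        if len(value) > 255:
            raise ValueError(f"option {code} longer than 255 bytes")
        out += bytes([code, len(value)]) + bytes(value)
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> dict:
    """Parse DHCP TLVs; reject truncated or unterminated option fields."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value          # a repeated code overwrites the earlier value
        i += 2 + length
    raise ValueError("missing End option")


def is_well_formed(blob: bytes) -> bool:
    try:
        decode_options(blob)
        return True
    except ValueError:
        return False


def airwave_option43(organization: str, amp_ip: str, shared_secret: str) -> bytes:
    """Build the assumed AirWave discovery string for option 43."""
    ipaddress.IPv4Address(amp_ip)           # raises on a malformed address
    if "," in organization or "," in shared_secret:
        raise ValueError("fields must not contain the ',' separator")
    return f"{organization},{amp_ip},{shared_secret}".encode("ascii")


def client_discover_options() -> bytes:
    """Option field an Instant AP's DHCPDISCOVER is assumed to carry."""
    return encode_options({OPT_VENDOR_CLASS: INSTANT_VENDOR_CLASS})


def server_reply_options(request_blob: bytes, organization: str,
                         amp_ip: str, shared_secret: str) -> bytes:
    """Vendor-class rule: answer with option 43 only when option 60 matches."""
    request = decode_options(request_blob)
    if request.get(OPT_VENDOR_CLASS) != INSTANT_VENDOR_CLASS:
        return encode_options({})
    return encode_options({OPT_VENDOR_INFO:
                           airwave_option43(organization, amp_ip, shared_secret)})


def instant_ap_discovery(reply_blob: bytes):
    """What an IAP, or anyone sniffing the segment, learns from the reply."""
    raw = decode_options(reply_blob).get(OPT_VENDOR_INFO)
    if raw is None:
        return None
    parts = raw.decode("ascii").split(",", 2)
    if len(parts) != 3:
        raise ValueError("unexpected option 43 format")
    return {"organization": parts[0], "amp_ip": parts[1], "shared_secret": parts[2]}


if __name__ == "__main__":
    discover = client_discover_options()
    reply = server_reply_options(discover, "campus-west", "10.169.130.4", "s3cret")
    print("reply options:", reply.hex())
    print("parsed       :", instant_ap_discovery(reply))
```

DHCP is unauthenticated and unencrypted, so the AirWave shared secret returned this way is readable by any host on the segment and can be supplied by any host able to answer DHCP; it should be treated as a discovery credential of low value rather than as a secret that protects the management channel.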
List of Figures (continued)

Adding a Guest Network, Basic Info Tab ... 71
Adding a Guest Network, Splash Page Settings ... 76
Configuring a Splash Page, Encryption Settings ... 77
Adding a Guest Network, Access Rules Tab ... 78
Untrusted Connection Window ... 83
Disabling Auto Join Mode ... 86
TFTP Dump Server ... 88
Deny Inter User Bridging and Deny Inter User Routing ... 89
Adding an IAP to the Instant Network ... 90
Entering the MAC Address for the New AP ... 91
Changing IAP Name ... 92
Configuring IAP Settings, Connectivity Tab ... 92
Configuring IAP Connectivity Settings, Specifying Static Settings ... 93
Configuring IAP
8/15/2012 23:20:53 PM  Target: d8:c7:c8:c4:01:78  Command: show ap debug dot1x statistics

802.1x Counters
Mac  Name  AP  Auth Succs  Auth Fails  Auth Tmout  Re-Auths  Supp Naks  UKeyRot  MKeyRot

To view the log information:
1. At the top right corner of the Instant UI, click Support. The Support window appears.
2. Select the required option from the Command drop-down list, for example AP ARM Configuration.
3. From the Target drop-down list, select All Access Points or the specific IAP for which you want to view the AP ARM Configuration.
4. Click Run.

NOTE: Use the support commands under the supervision of Aruba technical support.

You can view the following information for each access point in the Aruba Instant network using the Support window:
AP Access Rule Table: Displays all the ACL rules of the selected IAP.
AP Active: Displays all the APs of the Instant AP.
AP All Supported Timezones: Displays all the supported time zones of the Instant AP.
AP ARM Channels: Displays the ARM channels of the selected IAP.
AP ARM Configuration: Displays the ARM configuration of the selected IAP.
AP Country Codes: Displays the country code of the selected IAP.
AP CPU Utilization: Displays the CPU utilization of the selected IAP.
AP Cu
[Figure: Instant UI Alerts view with the Client Alerts, Active Faults and Fault History tabs; the Active Faults tab lists one fault with Timestamp, MAC Address 40:5f:be:df:c5:ce, Description "DHCP request timed out" and Point Details 9F-5 West]

Fault History

These alerts occur in the event of a system fault. A Fault History consists of the following fields:
Time: Displays the system time when an event occurs.
Number: Indicates the sequence number.
Cleared by: Displays the module which cleared this fault.
Description: Displays the event details.

Figure 31: Fault History (Instant UI Virtual Controller view for iLongevity with 5 Networks, 16 Access Points and 20 Clients, listing the networks, access points and clients by name, IP address, network and access point)
[Figure: Security tab slider at the Personal level: Key management WPA-2 Personal, Passphrase format 8-63 chars, Passphrase and Retype fields, MAC authentication Disabled; the Open level below is marked Less Secure]

5. Click Next and then click Finish to apply the changes.

Walled Garden Access

On the internet, a walled garden typically controls a user's access to web content and services. The walled garden directs the user's navigation within particular areas, to allow access to a selection of websites or to prevent access to other websites.

Creating a Walled Garden Access

Walled garden access is needed when an external captive portal is used. A common example is a hotel environment, where unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents. Users who do not sign up for internet service can view the allowed websites, typically hotel property websites. The website names must be DNS based, not IP address based, and support the option to define wildcards. This works for client devices with or without HTTP proxy settings. When a user attempts to navigate to other websites not configured in the whitelist walled garden profile, the user is redirected back to the login page. In addition, the blacklist walled garden profile is configured to explicitly block navigation to websites from unauthenticated users.

Figure 110: Walled Garden
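The walled garden rules above (DNS names with wildcards, no IP addresses, a whitelist that allows, a blacklist that blocks, a redirect to the login page for everything else, with or without an HTTP proxy on the client) are modelled in the following added example. It is not the IAP's implementation and not code from the Aruba guide: the wildcard matching rule, the blacklist-before-whitelist precedence, the hypothetical login URL and the request lines in the usage section are all assumptions made for the demonstration.

```python
# Added example: not the IAP's implementation and not from the Aruba guide.
# Models the walled-garden decision for a client on an external captive
# portal SSID: DNS-name lists with wildcards (the guide requires DNS names,
# not IP addresses), a blacklist that blocks, a whitelist that allows, and
# a redirect to the login page for everything else. The wildcard rule,
# blacklist-first precedence and LOGIN_URL are assumptions.
import ipaddress
from urllib.parse import urlsplit

LOGIN_URL = "https://login.hotel.example/"   # hypothetical portal address


def _is_ip_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port; keep IPv6 literals intact."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):                   # bracketed IPv6 literal, maybe :port
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def validate_list(entries):
    """Normalise a profile list; reject entries that are IP addresses, not DNS names."""
    cleaned = []
    for entry in entries:
        e = normalize_host(entry)
        if not e or _is_ip_literal(e):
            raise ValueError(f"walled garden entries must be DNS names: {entry!r}")
        cleaned.append(e)
    return cleaned


def list_is_valid(entries) -> bool:
    try:
        validate_list(entries)
        return True
    except ValueError:
        return False


def host_matches(pattern: str, host: str) -> bool:
    """'*.hotel.example' matches any subdomain at any depth; other patterns match exactly.

    Assumption: the wildcard does not match the bare parent name and never
    matches across a label boundary, so 'evilhotel.example' is not allowed.
    """
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def request_host(request_line: str, headers: dict) -> str:
    """Host the client wants: proxy-style targets carry it in the request line."""
    method, target, _ = request_line.split(" ", 2)
    if method.upper() == "CONNECT":            # proxy tunnel: target is host:port
        return normalize_host(target)
    if "://" in target:                        # absolute URI sent to a proxy
        return normalize_host(urlsplit(target).netloc)
    return normalize_host(headers.get("Host", ""))


def walled_garden_decision(host: str, whitelist, blacklist, authenticated: bool):
    """Return ('allow' | 'block' | 'redirect', url_or_None) for one request."""
    host = normalize_host(host)
    if authenticated:
        return "allow", None
    if any(host_matches(p, host) for p in validate_list(blacklist)):
        return "block", None
    if _is_ip_literal(host):                   # IP access can never match a DNS whitelist
        return "redirect", LOGIN_URL
    if any(host_matches(p, host) for p in validate_list(whitelist)):
        return "allow", None
    return "redirect", LOGIN_URL


if __name__ == "__main__":
    # Constructed profiles and requests for the demo.
    allow = ["*.hotel.example", "hotel.example"]
    deny = ["*.ads.example"]
    for line, hdrs in (("GET /rooms HTTP/1.1", {"Host": "www.hotel.example"}),
                       ("GET http://evilhotel.example/ HTTP/1.1", {}),
                       ("CONNECT tracker.ads.example:443 HTTP/1.1", {})):
        h = request_host(line, hdrs)
        print(h, "->", walled_garden_decision(h, allow, deny, authenticated=False))
```

Validating the lists at configuration time rather than on every decision is the obvious refinement; it is done inline here so that a list containing an IP address fails loudly, which is the behaviour the guide's "DNS based, not IP address based" rule implies.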
...a client associated to any AP that is not valid. To see the number of different types of neighboring clients for the last 15 minutes, hover the cursor over the respective graph lines.
Memory free (MB): The memory free graph displays the memory availability of the IAP in megabytes (MB). To see the free memory of the IAP, hover the cursor over the graph line.
Clients: The Clients graph shows the number of clients associated with the selected IAP for the last 15 minutes. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the IAP for the last 15 minutes. To see the exact number of clients associated with the selected IAP at a particular time, hover the cursor over the graph line.
Throughput: The Throughput graph shows the throughput for the selected IAP for the last 15 minutes. Outgoing traffic: Throughput for outgoing traffic is displayed in green and shown above the median line. Incoming traffic: Throughput for incoming traffic is displayed in blue and shown below the median line. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the incoming and outgoing throughput of the IAP for the last 15 minutes. To see the exact throughput of the selected IAP at a particular time, hover the cursor over the graph line. To check the neighboring clie
...a new image version is found.
2. If a new version is found, the Upgrade Now button becomes available and displays the version number.
3. Click Upgrade Now. The IAP downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
Upgrading: While the image upgrade is in progress.
Upgrade successful: When the upgrade is successful.
Upgrade fail: When the upgrade fails.

Chapter 7: Mobility Access Switch Integration

Mobility Access Switch (MAS) Overview

The ArubaOS Mobility Access Switch enables secure role-based network access for wired users and devices, independent of their location or application. Installed in wiring closets, the MAS delivers up to 384 wire-speed Gigabit Ethernet switch ports and operates as a wired access point when deployed with an Aruba Mobility Controller. As a wired access point, users and their devices are authenticated and assigned a unique role by the Mobility Controller. These roles are applied consistently whether the user is a Wi-Fi client or connects to a port on the Mobility Access Switch. The result is an enterprise workforce that has consistent, secure access to network resources based on who they are, no matter where they are, what device they are using, or how they connect. Two models of the Mobility Acc
97. AN Derivation Rule on page 156 for more information.

6. Click Next to continue.
7. Slide and select the appropriate security levels in the Security tab. The default level is Personal. The available options are Enterprise, Personal and Open, which are described in the following tables.

Figure 43 Voice Security Tab: Enterprise (screenshot of the New WLAN Security tab: Key management WPA-2 Enterprise, Termination Disabled, Authentication server 1 InternalServer, Reauth interval in minutes, Blacklisting Disabled, Internal server users and certificate)

Table 9 Conditions for Adding a Voice Network, Security Tab

You select the Enterprise security level: Perform the following steps.
1. Select the required key options from the Key management drop-down list. Available options are:
• WPA-2 Enterprise
• WPA Enterprise
• Both (WPA-2 & WPA)
• Dynamic WEP with 802.1X
• Use Session Key for LEAP: Use the Session Key for LEAP instead of using the Session Key from the RADIUS Server to derive pair-wise unicast keys. This is required for old printers that use dynamic WEP via LEAP authentication. This is Disabled by default. For more information on encryption and recommend
98. AP that is plugged into the wired side of the network. To see the number of different types of neighboring APs for the last 15 minutes, hover the cursor over the respective graph lines.
(Procedure, continued) ...association. The IAP view appears.
3. Study the Neighboring APs graph in the Overview section. For example, the graph shows that 148 interfering APs are detected by the IAP at 12:04 hours.

CPU Utilization: The CPU Utilization graph displays the utilization of CPU for the selected IAP. To see the CPU utilization of the IAP, hover the cursor over the graph line.
To check the CPU utilization of the IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client association. The IAP view appears.
3. Study the CPU Utilization graph in the Overview pane. For example, the graph shows that the CPU utilization of the IAP is 30% at 12:09 hours.

Table 39 Instant Access Point View Usage Trends and Monitoring Procedures (Continued)
Graphs: Neighboring Clients, Memory free (MB), Clients, Throughput

Neighboring Clients: The Neighboring Clients graph shows the number of clients not connected to the selected AP but heard by it.
• Valid: Any client that successfully authenticates with a valid AP and passes encrypted traffic is classified as a valid client.
• Interfering
99. Access Point View on page 220.

Usage Trends: The Usage Trends section displays the following graphs for the Virtual Controller:
• Clients Graph
Figure 173 Clients Graph (Clients: Last 1, Min 1, Max 1, Avg 1)
• Throughput Graph
Figure 174 Throughput Graph (Throughput in kbps, Out and In)

For more information about the graphs in the Virtual Controller view and for monitoring procedures, see Table 37.

Table 37 Virtual Controller View Graphs and Monitoring Procedures

Clients: The Clients graph shows the number of clients associated with the Virtual Controller for the last 15 minutes. To see an enlarged view, click the graph.
• The enlarged view provides Last, Minimum, Maximum and Average statistics for the number of clients associated with the Virtual Controller for the last 15 minutes.
• To see the exact number of clients in the Aruba Instant network at a particular time, hover the cursor over the graph line.
To check the number of clients associated with the Virtual Controller for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. Study the Clients graph in the Usage Trends pane. For example, the graph shows that one client is associated with the Virtual Controller at 11:43 hours.
100. Access Points periodically reauthenticate all associated and authenticated clients.
7. Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
8. Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.
NOTE: Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.
9. InternalServer: If you select this option, then users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see Adding a User on page 251.
10. Click Upload Certificate and browse to upload a certificate file for the internal server. See Certificates on page 143 for more information.

Table 9 Conditions for Adding a Voice Network, Security Tab (Continued)

You select the Open security level:
1. Select the required MAC authentication from the MAC authentication drop-down list. Available options are Enabled and Disabled. When Enabled, the user must configure at least one RADIUS server as the authentication server. See MAC Authentication on page 141 for further details.
Authentication server 1: Select the required Authentication serv
101. (Screenshot of the Access Rules list and the Edit Rule window: rules "Allow http to all destinations, classify media (TCP 80)", "Allow any to all destinations" and "Allow UDP on ports 16393-16402 to all destinations, classify media"; Edit Rule fields Rule type, Action, Service, Destination, Protocol, Port(s), Log, Classify media, DSCP tag, Blacklist, Disable scanning, 802.1p priority)

Client Blacklisting

The client blacklisting denies connectivity to the blacklisted clients. When a client is blacklisted in an Aruba IAP, the client is not allowed to associate with the IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect.

Figure 202 Client Blacklisting (screenshot of the PEF window, Blacklisting tab: Manual Blacklisting with MAC Address and Blacklisted Since; Dynamic Blacklisting with Auth failure blacklist time and PEF rule blacklist time in hours)

Types of Client Blacklisting

The following types of client blacklisting can be generated in an Instant:
• Manual Blacklisting
• Dynamic Black
102. Aruba Mobility Controller managed network. For more information, see Migrating to a Mobility Controller Managed Network on page 95.

Figure 17 Maintenance Link Default View (About tab: Name Aruba Operating System Software; Type 93; Build Time 2012-08-12 17:37:31 PDT; Version 6.1.3.4-3.1.0.0_34868; Website http://www.arubanetworks.com; Legal Copyright (c) 2002-2012 Aruba Networks, Inc.)

Support

This link displays the Support window. It consists of the following fields:
• Command: Provides various options for which you can generate support logs.
• Target: Provides a list of IAPs in the network.
• Run: Click this to generate the support log for the selected option and IAP.
• Auto Run: The selected commands run on the selected APs according to the specified time schedule.
• Filter: Enter a string and click to display the filtered content of any command.
• Clear: Click to clear the text box.
• Save Results: Click to open the results in another window and save it as an HTML or text file.

Figure 18 Support Window (Command: AP 802.1X Statistics; Target: All Access Points; buttons Run, Auto Run, Filter, Clear, Save)
103. Basic Service Set (BSS) table of the selected IAP.
• IDS Status: Displays the WLAN Interface, Data Structures, WLAN Interface Switch Status and RTLS Configuration tables for the selected IAP.
• IDS AP Table: Displays the Monitored IAP Table, which lists all the IAPs monitored by the selected IAP.
• ARM Bandwidth Management: Displays bandwidth management information for the selected IAP.
• ARM History: Displays the channel history and power changes due to Adaptive Radio Management (ARM) for the selected IAP.
• ARM Neighbors: Displays the ARM settings for the selected IAP's neighbors.
• ARM RF Summary: Displays the state and statistics for all channels being monitored by the selected IAP.
• ARM Scan Times: Displays AM channel scan times for the selected IAP.
• OpenDNS Configuration and Status: Displays configuration and status about the OpenDNS server.

Figure 19 Support commands (Command: AP 802.1X Statistics; Target: All Access Points; output of "show ap debug dot1x statistics" with the columns Mac, Name, AP, Auth Succ, Auth Fails, Auth Tmout, Re-Auths, Supp Naks, UKeyRot, MKeyRot, Total under "802.1X Statistics" and "802.1x Counters")

The Help link at the top right corner of the Instant UI allows you to view a short description or definition of selected terms and fields in the Instant UI.
104. (Screenshot of the L3 Mobility settings: Virtual Controller IP Addresses; Subnets with Subnet, Subnet mask, VLAN ID and Virtual Controller IP; New Subnet fields IP address, Subnet mask, VLAN ID, Virtual Controller IP; Hide advanced options; OK; Cancel)

6. Click OK.

Figure 86 Example Layer 3 Configuration Settings (Home agent load balancing Enabled; Virtual Controller IP Addresses 10.15.197.80 and 10.15.73.80; subnets 10.15.73.0 and 10.15.197.0 with subnet mask 255.255.255.0 and VLAN ID 1)

Home Agent Load Balancing

Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the VC assigns the home AP for roamed clients by using a round-robin policy. With this policy, the load for the APs acting as Home Agents for roamed clients is uniformly distributed across the Instant cluster. By default, home agent load balancing is disabled.

To enable home agent load balancing, perform the following steps:
1. Click the Settings link at the upper right corner of the Instant WebUI.
2. Click the Show advanced options link and then click L3 Mobility.
3. Select Enabled from the Home agent load balancing drop-down list.

Figure 87 Home Agent Load Bala
105. Distributed L2: In this mode, the VC assigns an IP address from a configured subnet and forwards traffic to both corporate and non-corporate destinations. The VC adds the VLAN configured in this subnet to the controller VLAN multicast table, enabling the L2 subnet to act as an extension of the VLAN on the controller. Corporate traffic is sent on the IPSec tunnel and non-corporate traffic is sent on the uplink.

Centralized L2: In this mode, the VC does not assign an IP address to the client; instead, the DHCP traffic is directly forwarded to the controller over the IPSec tunnel, and the client gets an IP address from either the controller or a DHCP server behind the controller serving the VLAN of the client. However, the Instant AP does forward client traffic in the same way as in the Distributed L2 mode.

L3 Routing Mode: In this mode, Instant supports L3 routing mode of connection to corporate. The VC assigns an IP address from the configured subnet and forwards traffic to both corporate and non-corporate destinations. The Instant AP takes care of routing on the subnet and also adds a route on the controller after the VPN tunnel is set up, during the registration of the subnet.

Figure 208 Tunneling (DHCP Server window: DHCP Scopes table with columns Name, Type, VLAN, Network; buttons Back, Finish, Cancel)

NAT DHCP Configuration

In NAT mode, the scope of the subnet is local to the IAP and forwards traffic through the IPSec tunnel or through the uplink.
1
106. Distributed L2 DHCP Configuration (screenshot of the Edit DHCP Scope window under Tunneling > Controller DHCP Server: Name 1; Type Distributed L2; VLAN; Network 10.15.201.0; Netmask; Excluded address 10.15.201.20; Default router 10.15.201.10; Client count; DNS server; Domain name arubanetworks.com; Lease time 720)

Distributed L3 DHCP Configuration

In Distributed L3 mode, the Virtual Controller acts as both DHCP Server and default gateway. Traffic is routed into the VPN tunnel.
1. Click New in the DHCP Server window and select Distributed L3 to configure the following parameters for the Distributed L3 mode DHCP pool:
• Name: Name of the subnet; must be unique.
• Type: Indicates the type of DHCP server. Available options are Local, Distributed L3, Distributed L2, Centralized L2. Distributed L3 implies that this is a Distributed mode L3 DHCP subnet.
• VLAN: VLAN ID of the subnet. This needs to be referenced in the SSID configuration to make use of this subnet.
• Network: Network to be used for this subnet.
• Netmask: Net mask of the subnet. This, along with Network, determines the size of the subnet.
• Client count: This, along with network and mask, determines how many branches can be supported. For the current phase of IAP, it is important that this value is configured consistently across all branches.
• DNS server: An optional field which defines the DNS server. E
107. (Screenshot of the Settings > General tab, advanced options: Extended SSID, Deny inter user bridging and Deny inter user routing, each Disabled; Help; OK)

The LED display is always in Enabled mode while rebooting the IAP.

Figure 57 TFTP Dump Server (Settings > General, advanced options: Name Instant-C4:01:78, Virtual Controller IP 0.0.0.0, Dynamic RADIUS proxy Disabled, MAS integration Disabled, NTP server, Timezone International-Date-Line, Preferred band All, DHCP Server with Domain name, DNS Server(s), Lease time in Minutes, Network and Mask, Auto join mode, Terminal access Disabled, LED display Enabled, TFTP Dump Server 0.0.0.0, Extended SSID Disabled, Deny inter user bridging Disabled, Deny inter user routing Disabled; Hide advanced options; OK; Cancel)

Extended SSID

You can increase the number of SSIDs or networks that can be created by enabling the extended SSID option. To enable this feature, navigate to Settings > General and click Show advanced options in the Instant UI.
108. Figure 101 Configuring Captive Portal when Adding a Guest Network (New WLAN > Security tab: Splash page type Internal - Authenticated; Splash Page Visuals with the text "Welcome to the Guest Network" and a thumbnail to edit and preview; Auth server 1 InternalServer; Reauth interval 0 min; Blacklisting Disabled; Internal server users and certificate upload; Redirect URL http://abc.com; Back, Next, Cancel)

The appearance of a splash page can be customized as required. For information on customizing a splash page, see Customizing a Splash Page on page 134.

6. Select InternalServer from the Auth server 1 drop-down list to authenticate user credentials at run time.
7. Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
8. Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
9. Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.
10. Internal server: Click User to populate the system's internal authentication server with users. For information about adding a user, see Adding a User on page 251. Click Upload Certificate and browse to
109. (Screenshot of the radio settings for the 2.4 GHz band and the 5 GHz band: Legacy only Disabled; 802.11d/802.11h Disabled; Beacon interval 100 ms; Interference immunity level 2; Channel switch announcement count 0; Channel reuse type Disabled; Channel reuse threshold 0 dB; Background spectrum monitoring Enabled; Hide advanced options; OK; Cancel)

3. To enable a spectrum monitor on the 802.11g radio band, in the 2.4 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
4. To enable a spectrum monitor on the 802.11a radio band, in the 5 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
5. Click OK.

Converting an IAP to a Spectrum Monitor

You can configure an IAP to function as a standalone spectrum monitor. In spectrum mode, spectrum monitoring is performed on entire bands. However, for the 5 GHz radio, spectrum monitoring is performed on only one of the three bands: 5 GHz lower, 5 GHz middle, or 5 GHz higher. By default, spectrum monitoring is performed on the 5 GHz higher band.

Follow the procedure below to convert an IAP to a spectrum monitor:
1. In the Access Points tab, click the AP that you want to convert
110. IAP for which you want to monitor the throughput. The IAP view appears.
3. Study the Throughput graph. For example, the graph shows 44.03 kbps incoming traffic throughput at 12:08 hours.

The Overview section also has two links: 2.4 GHz and 5 GHz. The following graphs are displayed for each band:
• Utilization
Figure 185 Utilization Graph
• 2.4 GHz Frames (fps)
Figure 186 2.4 GHz Frames (fps) Graph (Out and In)
• Drops (fps)
Figure 187 Drops (fps) Graph
• Noise Floor (dBm)
Figure 188 Noise Floor (dBm) Graph
• 2.4 GHz Mgmt Frames (fps)
Figure 189 2.4 GHz Mgmt Frames (fps) Graph (In and Out)
• Errors (fps)
Figure 190 Errors (fps) Graph

To see the graphs for the 5 GHz band, click the 5 GHz link. For more information about the graphs in the Instant access point view and for monitoring procedures, see Table 40.

Table 40 Instant Access Point View RF Trends Graphs and Monitoring Procedures

Utilization: The Utilization graph shows the radio utilization percentage of the access point for the last 15 minutes. To see an enlarged view, click the graph. The enlarg
111. IUS attributes, a DHCP option and 802.1X authentication type, the first matching rule in the rule list is applied.

Chapter 15 User VLAN Derivation

User VLAN Derivation

Instant allows you to assign a user VLAN based on user attributes. When an external RADIUS authentication server is used for authentication, the user VLAN can be derived from Vendor Specific Attributes (VSAs).

The user VLAN can be derived in 802.1X authentication or MAC authentication using the following rules:
• Vendor Specific Attributes (VSA)
• VLAN derivation rule
• User role
• SSID Profile

The user VLAN cannot be derived in the following scenarios:
• Captive Portal authentication
• Guest SSID network

Vendor Specific Attributes (VSA)

When an external RADIUS server is used, the user VLAN can be derived from the Aruba-User-Vlan VSA. The VSA is then carried in an Access-Accept packet from the RADIUS server. The IAP can analyze the return message and derive the value of the VLAN, which it assigns to the user.

Figure 121 RADIUS Access-Accept packets with VSA (Wireshark capture showing the VSA Aruba-User-Vlan in a RADIUS Access-Accept, Time from request 0.000773000 seconds, Value 100)
112. sites. VisualRF uses sophisticated RF fingerprinting to accurately display coverage patterns and calculate the location of every Instant device in range. VisualRF provides graphical access to floor plans, client location and RF visualization for floors, buildings and campuses that host your network.

Figure 161 Adding an IAP in VisualRF (AirWave VisualRF floor plan editor with the tools Draw Walls, Draw Region, Resize Building, Orientation, Set Origin, Add Deployed Device, Add Planned Device, Delete Deployed Devices, Delete Planned Devices, Delete Surveys; Add Deployed Device with View By Group and the IAP selected)

Configuring AirWave

This section describes how to configure AirWave integration. Before configuring the AirWave, you need the following:
• IP address of the AirWave server
• Shared key for service authorization. This is assigned by the AirWave administrator.

Creating your Organization String

The Organization String is
113. It consists of the following tabs:
• About: Displays the Build Time, IAP model name, Aruba OS version, Web address of Aruba Networks and Copyright information.
• Configuration: Displays the current configuration of the network.
  • Clear Configuration: Click to delete or clear the current configuration of the network and reset to the provisioning configuration.
  • Backup Configuration: Use this feature to create a local Instant configuration backup. Click Backup Configuration to save the configuration file named instant.cfg.
  • Restore Configuration: Click Restore Configuration to browse and locate the backup file to restore. Reboot the IAP for the changes to take effect.
• Certificates: Displays information about the current certificate installed in the network. Provides an interface to upload new certificates and to set a passphrase for the certificates. For more information, see Certificates on page 143.
• Firmware: Displays the current firmware version and provides options to upgrade to a new firmware version. For more information, see Upgrading to New Version on page 102.
• Reboot: Displays the IAPs in the network and provides an option to reboot the required access point or all access points. For more information, see Rebooting the IAP on page 99.
• Convert: Provides an option to change the network from a Virtual Controller managed network to an
114. (Screenshot of the detected neighboring APs list, one row per AP: MAC address, SSID (for example ethersphere-wpa2, ethersphere-voip, IBM), classification Interfering, channel, PHY type, channel width and time)

Wireless Intrusion Protection (WIP)

WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Aruba network, the WIP configuration can be done on the IAP.

An administrator can configure the following five main options:
• Infrastructure Detection Policies: Specifies which wireless attacks on access points to detect.
• Client Detection Policies: Specifies which wireless attacks on clients to detect.
• Infrastructure Protection Policies: Specifies which wireless attacks on access points to protect against.
• Client Protection Policies: Specifies which wireless attacks on clients to protect against.
• Containment Methods: Prevents unauthorized stations from connecting to your Instant network.

In each of these options, there are several default levels that enable different sets of policies. An administrator can customize (enable or disable) these options accordingly.
115. P Options 211
Virtual Controller View 215
Monitoring Link 216
Usage Trends 216
Client Alerts 218
Usage Trends 219
Overview 221
Alert Types and Management 233
Policy Enforcement Firewall 235
Users for Internal Server 235
Extended Voice and Video Functionalities 237
QoS for Microsoft Office OCS and Apple Facetime 237
Types of Client Blacklisting 240
Adding a Client to the Manual Blacklist 240
116. Radio Settings Mode Access 93
Configuring Wired Bridging on Ethernet 0 of an IAP 94
Maintenance Convert Tab 97
Convert Options 97
Confirm Access Point Conversion 97
Standalone AP Conversion 99
Reboot in Progress 100
Reboot Successful 100
Automatic Image Check New Version Available Link 101
New Version Available 102
Single-class or Multi-class IAP Networks Firmware Upgrade 103
Mixed IAP Network Firmware Upgrade 103
Enabling MAS Integration with an IAP 106
Shows the routing of traffic when the client is away from its home network 107
Add Virtual Controller IP addresses 108
Example Layer 3 Configuration 109
Home Agent Load Balancing Enabled 110
Monitor Middle Band for 5 GHz Radio 113
Channel Metrics for the 2.4 GHz Radio Channel 116
Channel Metrics for the 5 GHz Radio Channel 117
117. S server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Chapter 12, Authentication.
3. Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
4. Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
5. Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.
NOTE: Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.
6. Internal server: If you select this option, users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see Adding a User on page 251.
7. Click Upload Certificate and browse to upload a certificate file for the internal server. See Certificates on page 143 for more information.

Figure 40 Employee Security Tab: Open (New WLAN > Security tab with the security-level slider Enterprise, Personal, Open and the fields Encryption, MAC authentication, Authentication server 1, Reauth interval, Blacklisting, Max authe
118. (Screenshot of Settings > Walled Garden: Blacklist list with "New regular expression for Blacklist"; Hide advanced options)

To create a Walled Garden access:
1. Click the Settings at the top right corner of the Instant UI and select Walled Garden.
2. To allow users access to a domain, click New and enter the domain name or URL in the Whitelist section of the window. This allows access to a domain while the user remains unauthenticated. Specify a POSIX regular expression (regex(7)); for example:
• yahoo.com matches various domains such as news.yahoo.com, travel.yahoo.com and finance.yahoo.com
• www.apple.com/library/test only allows a subset of the www.apple.com site corresponding to the path /library/test
• favicon.ico allows access to favicon.ico from all domains
3. To deny users access to a domain, click New and enter the domain name or URL in the Blacklist section of the window. This prevents unauthenticated users from viewing specific websites. When a URL specified in the blacklist is accessed by an unauthenticated user, the Instant AP sends an HTTP 403 response to the client with a simple error message. If the requested URL appears on neither the blacklist nor the whitelist, then the request is redirected to the external captive portal.
4. Select the domain name/URL and click Edit to modify or Delete to
119. The IAP is temporarily blocking the 802.1X authentication request from this client because the credentials provided have been rejected by the RADIUS server too many times.

Corrective Actions:
• Contact the Aruba customer support team.
• Identify the client and check its Wi-Fi driver and manager software.
• Ascertain the correct authentication or encryption settings and try to associate again.
• Check the configuration on the IAP to see if the desired rate can be supported; if not, consider replacing the IAP with another model that can support the rate.
• Consider expanding capacity by installing additional IAPs or balance load by relocating IAPs.
• This condition may be indicative of a misbehaving client. Try to locate the client device and check its hardware and software.
• Identify the client and check its 802.1X credentials.

Table 42 Alerts List (Continued)

Type Code 100308, RADIUS server connection failure: The IAP cannot authenticate this client using 802.1X because the RADIUS server did not respond to the authentication request.
Type Code 100309, RADIUS server authentication failure: The IAP cannot authenticate this client using 802.1X because the RADIUS server rejected the authentication credentials (password, etc.) provided by the client.
Type Code 100410, Integrity check failure in encrypted message: The IAP cann
Type Code 100511, DHCP request timed out
120. a Particular Network

1. Click the New link in the Networks tab. To define the access rule for an existing network, click the network. The edit link appears. Click the edit link and navigate to the Access tab.
2. In the Basic Info tab, enter the appropriate information and click Next to continue.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN. Click Next to continue.
4. Click Next and set appropriate security levels using the slider bar in the Security tab. Click Next. The Access tab appears. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations.
5. To define a deny bootp service access rule except to a network:
  a. Click New. The New Rule window appears.
  b. Select Deny from the Action drop-down list.
  c. Select bootp from the Service drop-down list.
  d. Select except to a network from the Destination drop-down list. Enter the appropriate IP address in the IP text box. Enter the appropriate netmask in the Netmask text box.
  e. Click OK.
6. Click Finish.

Figure 132 Defining Rule: Deny bootp Service Except to a Network (New WLAN > Access tab, Access Rules "Allow any to all destinations"; New Rule window with Rule type Access control, Action Deny, Service bootp, Destination except to a network, IP and Netmask fields)
121. a set of colon-separated strings created by the AirWave administrator to accurately represent the deployment of each Aruba Instant system. This string is entered into the Aruba Instant UI by the on-site installer.
• AMP Role: Org Admin (initially disabled)
• AMP User: Org Admin (assigned to the role Org Admin)
• Folder: Org (under the Top folder in AMP)
• Configuration Group: Org
Additional strings in the Organization String are used to create a hierarchy of sub-folders under the folder named Org: subfolder1 would be a folder under the Org folder, and subfolder2 would be a folder under subfolder1.
About Shared Key
The Shared Secret key is used by the administrator to manually authorize the first Virtual Controller for an organization. Any string is acceptable.
Entering the Organization String and AMP Information into the IAP
1. Click the AirWave Set Up Now link in the bottom-middle region of the Instant UI window. The Settings window with the AirWave tab selected appears.
Figure 162 Configuring AirWave Settings (screenshot of the Settings window, AirWave tab: Organization, AirWave IP, AirWave backup IP, Shared key and Retype fields)
2. Enter the name of your organization in the Organization name text
122. ac operating system, click the AirPort icon. A list of available Wi-Fi networks is displayed. Click on the instant network.
Note: While connecting to the provisioning Wi-Fi network, ensure that the client is not connected to any wired network.
Figure 1 Connecting to a Provisioning Wi-Fi Network: Microsoft Windows (screenshot of the Wireless Network Connection list; click the network icon to see the list of wireless networks and select instant from the list)
Figure 2 Connecting to a Provisioning Wi-Fi Network: Mac OS (screenshot of the AirPort menu; click the AirPort icon to see the list of wireless networks and select instant from the list)
Disabling the Provisioning Wi-Fi Network
The provisioning network is enabled by default. Instant provides the option to disable the provisioning network in apboot. Use this option when you do not want the default SSID instant to appear in your network.
To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the IAP.
2. Configure the terminal or terminal emulation program to use the following communication settings:
3. Power on the IAP. You see an autoboot countdown prompt that allows you to interrupt the normal startup process and access apboo
123. adio (screenshot of the Radio tab, next to the Uplink tab: 2.4 GHz band: Adaptive radio management assigned / Administrator assigned; 5 GHz band: Adaptive radio management assigned / Administrator assigned)
4. Select the Mode from the drop-down list:
• Access Mode: In Access mode, the AP serves clients while also monitoring for rogue APs in the background.
• Monitor Mode: In Monitor mode, the AP acts as a dedicated monitor, scanning all channels for rogue APs and clients.
• Spectrum Monitor: In Spectrum Monitor mode, the AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from neighboring APs or from non-WiFi devices such as microwaves and cordless phones.
By default, the access point's channel and power are optimized dynamically using Adaptive Radio Management (ARM). You can override ARM on the 2.4 GHz and 5 GHz bands and set the channel and power manually if desired.
Table 24 Mode, Spectrum and AP Operation
Mode | Spectrum | AP Operation
Access | Disabled | AP serves clients while also monitoring for rogue APs in the background.
Access | Enabled | AP monitors all RF interference on its current channel while simultaneously providing normal access services to clients.
Monitor | Disabled | AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from neighbo
124. ally, a guest network is an unencrypted network. However, you can specify encryption settings in the Security tab (see step of the following procedure).
Adding a Guest Network
This section provides the procedure to add a guest network.
Figure 45 Adding a Guest Network: Basic Info Tab (screenshot of the New WLAN > WLAN Settings tab: Name (SSID), Primary usage (Employee/Voice), Broadcast/Multicast options (Broadcast filtering, DTIM interval, Multicast transmission optimization, Dynamic multicast optimization, DMO channel utilization threshold), Bandwidth Limits (Airtime, Each user, Each radio), Transmit Rates (2.4GHz Min 1 Max 54, 5GHz Min 6 Max 54), Miscellaneous (Content filtering, Band, Inactivity timeout, Hide SSID))
1. In the Networks tab, click the New link. The WLAN Settings window appears.
2. In the WLAN Settings tab, perform the following steps:
   a. Name (SSID): Enter a name that uniquely identifies a wireless network.
   b. Primary usage: Select Employee (this is selected by default) from the Primary usage options. This selection determines whether the network is primarily intended to be used for employee data, guest data or voice traffic.
3. Clic
125. althcare or manufacturing environments may also have other equipment that behaves like a microwave and may also be classified as a Microwave device.
Microwave Inverter | Some newer-model microwave ovens have inverter technology to control the power output, and these microwave ovens may have a duty cycle close to 100%. These microwave ovens are classified as Microwave Inverter. Dual-magnetron industrial microwave ovens with a higher duty cycle may also be classified as Microwave Inverter. As in the Microwave category described above, there may be other equipment that behaves like inverter microwaves in some industrial, healthcare or manufacturing environments. Those devices may also be classified as Microwave Inverter.
Generic Interferer | Any non-frequency-hopping device that does not fall into one of the other categories described in this table is classified as a Generic Interferer. For example, a Microwave-like device that does not operate in the known operating frequencies used by Microwave ovens may be classified as a Generic Interferer. Similarly, wide-band interfering devices may be classified as Generic Interferers.
Channel Metrics
The channel metrics graph displays channel quality, availability and utilization metrics as seen by a spectrum monitor or hybrid AP. You can view the channel utilization data for the percentage of each channel that is currently being used by Wi-Fi devices and the percentage of each channel being used by non
126. anaged by a Mobility Controller / Campus APs managed by a Mobility Controller / Standalone AP (drop-down options shown in the screenshot, with the note: After conversion, all Access Points will be managed by the Controller specified above). Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. This information is provided by your network administrator.
Note: Ensure the Mobility Controller IP Address is reachable by the IAPs.
5. Click Convert Now to complete the conversion.
Figure 70 Confirm Access Point Conversion (screenshot of the confirmation dialog: "Service will be interrupted until the access points are configured by the Mobility Controller at 10.17.78.2. Do you want to continue?" with Convert Now and Cancel buttons)
6. The IAP reboots and begins operating in RAP mode.
7. After conversion, the IAP is managed by the Aruba Mobility Controller which has been specified in the Instant UI.
Note: In order for the RAP conversion to work, ensure that you configure the Instant AP in the RAP whitelist and enable the FTP service on the controller.
Note: If the VPN setup fails and an error message pops up, click OK, copy the error logs and share them with your Aruba support engineer.
Converting an IAP to CAP
To c
127. and password. Clients can also be authenticated based on their MAC addresses. The following authentication methods are supported in Aruba Instant:
• 802.1X Authentication
• Captive Portal
• MAC Authentication
802.1X Authentication
802.1X is a method for authenticating the identity of a user before providing network access to the user. Remote Authentication Dial-In User Service (RADIUS) is a protocol that provides centralized authentication, authorization and accounting management. For authentication purposes, the wireless client can associate to a network access server (NAS) or RADIUS client, such as a wireless IAP. The wireless client can pass data traffic only after successful 802.1X authentication. The steps involved in 802.1X authentication are:
1. The NAS requests authentication credentials from the wireless client.
2. The wireless client sends the authentication credentials to the NAS.
3. The NAS sends these credentials to a RADIUS server.
4. The RADIUS server checks the user identity and begins authentication with the client if the user identity is present in its database. The RADIUS server sends an Access-Accept message to the NAS. If the RADIUS server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The NAS forwards this message to the client, and the client must re-authenticate with correct credentials.
5. After the client is authenticated, the RADIUS server forwards th
128. ant is ideal for small customers or remote locations without any on-site IT administrator. Aruba Instant consists of an Instant Access Point (IAP) and a Virtual Controller (VC). The Virtual Controller resides within one of the access points. In an Aruba Instant deployment, only the first IAP needs to be configured. After the first IAP is deployed, the subsequent IAPs inherit all the required information from the Virtual Controller.
Supported Devices
The following is a list of Instant devices supported by Aruba:
• IAP-92
• IAP-93
• IAP-104
• IAP-105
• IAP-134
• IAP-135
• IAP-175P/175AC
• RAP-3WN/3WN-US/3WNP/3WNP-US
Note: IAP-104, IAP-105, IAP-134, IAP-135 and IAP-175 support an unlimited number of IAPs on Layer 2 networks. IAP-92/93 supports 16 IAPs.
Objective
This user guide describes the various features supported by Aruba Instant and provides detailed instructions for setting up and configuring an Aruba Instant network.
Intended Audience
This guide is intended for customers who configure and use Aruba Instant.
Conventions
The following conventions are used throughout this manual to emphasize important concepts.
Table 1 Conventions
Italics | This style is used to emphasize important terms and provide cross-references to other books.
Screen input and output | This style is used to illustrate: • Screen output • On-screen system pro
129. antech UML290 4G card, and is a True Auto Detect modem.
   • Enter the identifier of the modem device in the USB dev text box.
   • Enter the TTY port of the modem in the USB tty text box.
   • Enter the parameter to initialize the modem in the USB init text box.
   • Enter the parameter to dial the cell tower in the USB dial text box.
   • Enter the username used to dial the ISP in the USB user text box.
   • Enter the password used to dial the ISP in the USB password text box.
   • Enter the parameter used to switch the modem from storage mode to modem mode in the USB switch mode text box.
The parameter details are available from the manufacturer of your modem or from your IT administrator.
Figure 155 Provisioning 3G/4G Uplink Manually (screenshot of the 3G/4G section: Country, USB mode switch, USB tty and USB init fields)
Note: You must reboot the IAP after manually provisioning the IAP.
Provisioning 3G Uplink Automatically
To provision a 3G uplink automatically, select only the Country and ISP. The IAP finds the parameters automatically.
Figure 156 Provisioning 3G Uplink Automatically (screenshot of the 3G/4G section)
In the Instant UI you can view the list of countries or ISPs in the Country and ISP drop-down lists. You can either use the country or ISP to configure the modem, or configure the individual modem parameters
130. apabilities. In the event that an AP is configured for a Min Tx EIRP setting it cannot support, this value is reduced to the highest supported power setting. The default value is 18 dBm.
Max Transmit Power: This indicates the maximum effective isotropic radiated power (EIRP), from 3 to 33 dBm in 3 dBm increments. Higher power level settings may be constrained by local regulatory requirements and AP capabilities. In the event that an AP is configured for a Max Tx EIRP setting it cannot support, this value is reduced to the highest supported power setting. Default value: 127 dBm.
Client Aware: When Enabled, Adaptive Radio Management (ARM) does not change channels for the access points when clients are active, except for high-priority events such as radar or excessive noise. This should be enabled in most deployments for a stable WLAN. If the Client Aware mode is Disabled, the IAP may change to a more optimal channel, but this change may also disrupt current client traffic. The Client Aware option is Enabled by default. When Client Aware ARM is disabled, channels can be changed even when clients are active on the BSSID.
Scanning: When ARM is enabled, the IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and reports everything it sees to the IAP on each channel it scans. This includes, but is not limited to, data regarding WLAN coverage, interference and intrusion detection.
Wide Cha
131. appropriate certificate file and click Upload Certificate. The Certificate Successfully Installed window appears.
Loading Certificates using AirWave
You can now manage Instant AP certificates using the AirWave Management server (AMP). The AMP directly provisions the certificates, performing basic certificate verification (i.e. certificate type, format, version, serial number, etc.) before accepting the certificate and uploading it to an IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the Virtual Controller of the IAP network. Once the Virtual Controller receives this message, it extracts the certificate content from the message, converts it to the right format and saves it on the RADIUS server.
To load a certificate in AirWave:
1. Navigate to Device Setup > Certificate and then click Add to add a new certificate. The Certificate window appears.
2. Enter the certificate Name and click Choose File to browse and upload the certificate.
Figure 113 Loading Certificate via AirWave (screenshot of the AMP Setup > Upload Firmware & Files > Certificate page: Certificate Name, Certificate File, Passphrase, Confirm passphrase, Format (DER) and Type (Server cert) fields)
3. Select the appropriate Format that matches the certificate file name. Select Serv
132. ars. Click the edit link and navigate to the Access tab.
2. In the Basic Info tab, enter the appropriate information and click Next to continue.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN. Click Next to continue.
4. Click Next and set appropriate security levels using the slider bar in the Security tab.
5. Click Next. The Access tab appears. The Allow any to all destinations access rule is enabled by default; this rule allows traffic to all destinations. To define a deny FTP service access rule except to a particular server:
   a. Click New; the New Rule window appears.
   b. Select Deny from the Action drop-down list.
   c. Select ftp from the Service drop-down list.
   d. Select except to a particular server from the Destination drop-down list and enter the appropriate IP address in the IP text box.
   e. Click OK.
6. Click Finish.
Figure 131 Defining Rule: Deny FTP Service Except to a Particular Server (screenshot of the New Rule window: Rule type Access control, Action, Service, Destination except to a particular server, IP; Options: Log, Blacklist, Classify media, DSCP tag, Disable scanning, 802.1p priority)
Deny bootp Service except to
133. ation.
Figure 14 Wireless Intrusion Protection (WIP) (screenshot of the "Specify What Threats to Detect" window. Infrastructure, Custom settings: detect ap spoofing, detect windows bridge, signature deauth broadcast, signature deassociation broadcast, detect adhoc using valid ssid, detect malformed large duration. Clients, Custom settings: detect valid client misassociation, detect disconnect sta, detect omerta attack, detect fatajack, detect block ack attack, detect hotspotter attack. Detection level: High)
VPN
Use this window to define how the IAP communicates with the remote controller. See Chapter 29, VPN Configuration, on page 245 for more information.
Figure 15 VPN (screenshot of the Tunneling > Controller section: Protocol IPSec, Primary host, Backup host, Preemption Disabled)
Wired
Specify the desired profile for each port of the IAP. See Chapter 23, Ethernet Downlink, for more information.
Figure 16 Wired (screenshot of the Wired Networks window: Network assignments 0/0 default_wired_port_profile, 0/1 default_wired_port_profile, 0/2 default_wired_port_profile; Wired Users)
Maintenance
This link displays the Maintenance window. The Maintenance window allows you to maintain the Wi-Fi network
134. be provisioned for the first time by plugging into the wired network. After that, mesh works on ROW IAPs like any other regulatory domain.
Mesh Portals
The mesh portal (MPP) is the gateway between the wireless mesh network and the enterprise wired LAN. The mesh roles are automatically assigned based on the IAP configuration. A mesh network could have multiple mesh portals to support redundant mesh paths (mesh links between neighboring mesh points that establish the best path to the mesh portal) from the wireless mesh network to the wired LAN. The mesh portal broadcasts a mesh services set identifier (MSSID), the mesh cluster name, to advertise the mesh network service to other IAP mesh points in that Instant network. This is not configurable and is transparent to the user. The mesh points authenticate to the mesh portal and establish a link that is secured using Advanced Encryption Standard (AES) encryption.
Note: The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network.
Mesh Points
The mesh point (MP) is an IAP that establishes an all-wireless path to the mesh portal. The mesh point provides traditional WLAN services such as client connectivity, intrusion detection system (IDS) capabilities, user role association and Quality of Service (QoS) for LAN-to-mesh communication to clients an
135. bled, the IAP converts multicast streams into multicast-unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90 and the maximum threshold value is 100. If the threshold value exceeds the maximum value, then the IAP sends multicast traffic over the wireless link.
Bandwidth Limits: You can specify three types of bandwidth limits:
• Airtime: Indicates the aggregate amount of airtime that all clients on this network can use to send/receive data.
• Each user: Indicates the throughput for any single user on this network. The throughput value is specified in kbps.
• Each radio: Indicates the aggregate amount of throughput each radio (some AP models have multiple radios) is allowed to provide for all clients connected to that radio.
Transmit Rates: Indicates the ability to configure the basic and supported rates per SSID for Aruba Instant. Select to set the minimum and maximum legacy (non-802.11n) transmit rates for each band (2.4 GHz and 5 GHz).
d. Miscellaneous:
• Content filtering: When enabled, all DNS requests to non-corporate domains on this wireless network are sent to OpenDNS.
• Band: Set the band at which the network transmits radio signals. Available options are 2.4 GHz, 5 GHz and All. The All option is selected by default; it is also the recommended option.
• Inactivity timeout: Indicates the time in seconds after which an id
136. blocks data that does not satisfy the specified security policies. Aruba Instant implements an Instant Firewall feature that uses a simplified firewall policy language. An administrator can define the firewall policies on an SSID or wireless LAN, such as the Guest network or an Employee network. At the end of the authentication process, these policies are uniformly applied to users connected to that network. The Instant Firewall gives you the flexibility to limit packets or bandwidth available to a particular class of users. Instant Firewall manages packets according to the first rule the packet matches.
1. In the Networks tab, click the New link. The New WLAN window appears.
2. Navigate to the Access tab to specify the access rules for the network.
3. Slide to Network-based using the scroll bar and click New to add a new rule. The New Rule window consists of the following options:
• Rule type: Select the rule type (Access control, VLAN assignment) from the drop-down list.
• Action: Select Allow or Deny from the drop-down list to allow or deny traffic with the specified service type and destination.
• Log: Select this checkbox if you want a log entry to be created when this rule is triggered. Instant Firewall supports a firewall-based logging function; firewall logs on the IAP are generated as syslog messages.
• Blacklist: Select this checkbox if you want the client to be blacklisted when this rule is triggered. The blacklisting lasts for the durat
137. ccess based on the client request. When Air Time Fairness is set to Default Access, per-user and per-SSID bandwidth limits are not enforced.
• Fair Access: Allocates airtime evenly across all the clients.
• Preferred Access: 11n clients get more airtime than 11a/11g, which get more airtime than 11b. The ratio is 16:4:1.
Figure 136 Airtime Fairness Mode (screenshot of the RF > ARM window: Band steering mode Prefer 5Ghz, Airtime fairness mode Fair Access; Access Point Control: Customize valid channels, Min transmit power 18, Max transmit power Max, Client aware Enabled, Scanning Enabled, Wide channel bands 5GHz)
Access Point Control
Customize Valid Channels: You can customize the valid 5 GHz channels and valid 2.4 GHz channels for 20 MHz and 40 MHz channels in the IAP. Here the administrator can configure the ARM channels in the channel width window. The valid channels automatically show in the static channel assignment window.
Min Transmit Power: This indicates the minimum effective isotropic radiated power (EIRP), from 3 to 33 dBm in 3 dBm increments. You may also specify a special value of 127 dBm for regulatory maximum, to disable power adjustments for environments such as outdoor mesh links. Higher power level settings may be constrained by local regulatory requirements and AP c
138. ccess point.
• IP Address: IP address of the IAP.
• Mode: Mode of the IAP.
• Spectrum: Enabled if the IAP is configured as a dedicated full-spectrum RF monitor.
• Clients: Number of clients that are connected to the IAP.
• Type: Model number of the IAP.
• Mesh Role: Role of the mesh IAP.
• Channel: Channel the IAP is currently broadcasting on.
• Power (dB): Maximum transmit EIRP of the radio.
• Utilization: Utilization percentage of the IAP radios.
• Noise (dBm): Noise floor of the IAP.
An edit link appears on clicking the IAP name. For details about editing IAP settings, see Editing AP Settings on page 91.
Figure 7 Access Points Tab: Compressed View and Expanded View (screenshot; the compressed view lists Name and Clients, the expanded view lists Name, IP Address, Mode, Spectrum, Clients, Type, Mesh Role and, per radio, Channel, Power (dB), Utilization and Noise (dBm))
Clients Tab
This tab displays a list of clients that are connected to the Aruba Instant network. The client names appear as links. The expanded view displays the following information about each client:
• Name: Name of the client.
• IP Address: IP address of the client.
• MAC Address: MAC address of the client.
• OS: Operating system that the client is running on.
• Network: Network that the client is connected to.
• Access Point: IAP to which the
139. com; Icon 452; Aircard 250U (Sierra); USB 598 (Sierra); U300 (Franklin Wireless); U301 (Franklin Wireless); USB U760 for Virgin (Novatel); USB U720 (Novatel); Qualcomm UM175 (Pantech); UM150 (Pantech); UMW190 (Pantech); SXC-1080 (Qualcomm); Globetrotter ICON 225; UMG181; NTT DoCoMo L-05A (LG); FOMA L05A; NTT DoCoMo L-02A; ZTE WCDMA Technologies MSM; MF6687 Fivespot (ZTE); c-motech CNU-600; ZTE AC2736; SEC-8089 (EpiValley); Nokia CS-10; NTT DoCoMo L-08C (LG); NTT DoCoMo L-02C (LG); Novatel MC545; Huawei E220 for Movistar in Spain; Huawei E180 for Movistar in Spain; ZTE MF820; Huawei E173s-1; Sierra 320; Longcheer WM72; U600 (3G mode)
Table 36 List of Supported 3G Modems (Continued)
Modem Type | Supported 3G Modems
Sierra USB 306 HK CLS 1010 HK; Sierra 306/308 (Telstra, Aus); Sierra 503 PCIe (Telstra, Aus); Sierra 312 (Telstra, Aus); Aircard USB 308 (AT&T's Shockwave); Compass 597 (Sierra, Sprint); U597 (Sierra, Verizon); Tstick C597 (Sierra, Telecom NZ); Ovation U727 (Novatel, Sprint); USB U727 (Novatel, Verizon); USB U760 (Novatel, Sprint); USB U760 (Novatel, Verizon); Novatel MiFi 2200 (Verizon Mifi 2200); Huawei E272/E170/E220 (ATT); Huawei E169/E180/E220/E272 (Vodafone/SmarTone, HK); Huawei E160 (O2, UK); Huawei E160 (SFR, France); Huawei E220 (NZ and JP); Huawei E176G (Telstra, Aus); Huawei E1553/E176 (8 HUTCH, Aus); Huawei K4505 (Vodafone/SmarTone, HK); Huawei K4505 (Voda
140. cope [10.169.159.0] 159 > Server Options.
7. Select 043 Vendor Specific Info and enter a value for airwave-orgn, airwave-ip, airwave-key in the ASCII field, for example tme-instant-store1,10.169.240.8,aruba123.
Figure 167 Instant and DHCP Options for AirWave: 043 Vendor Specific Info (screenshot of Windows Server Manager > DHCP > Scope Options, showing the 043 Vendor Specific Info option with its value in the Data entry hex/ASCII editor)
141. country. The initial Wi-Fi setup requires you to specify the country code for the country in which the Aruba Instant operates. This configuration sets the regulatory domain for the radio frequencies that the IAPs use. Within the regulated transmission spectrum, a high-throughput 802.11a, 802.11b/g or 802.11n radio setting can be configured. The available 20 MHz and 40 MHz channels are dependent on the specified country code.
You cannot change the country code for the IAPs designated for the US, Japan and Israel. Improper country code assignment can disrupt wireless transmissions. Most countries impose penalties and sanctions on operators of wireless networks with devices set to improper country codes. Table 45 shows the list of country codes.
Figure 214 Specifying a Country Code (screenshot of the Welcome to Instant dialog: Please specify the Country Code; Select country code)
Country Codes List
Table 45 Country Codes List
Code | Country
US | United States
CA | Canada
JP3 | Japan
DE | Germany
NL | Netherlands
IT | Italy
PT | Portugal
LU | Luxembourg
NO | Norway
FI | Finland
DK | Denmark
CH | Switzerland
CZ | Czech Republic
ES | Spain
GB | United Kingdom
KR | Republic of Korea (South Korea)
CN | China
FR | France
HK | Hong Kong
SG | Singapore
TW | Taiwan
BR | Brazil
IL | Israel
SA | Saudi Arabia
LB | Lebanon
AE | United Arab Emirates
ZA | South Africa
142. ct the timezone from the Timezone drop-down list. This indicates the time returned by the NTP server.
Figure 95 Configuring NTP Server Settings (screenshot of the Settings window with the General, Admin, RTLS, SNMP, OpenDNS, Uplink, Enterprise Domains, Walled Garden, Syslog and L3 Mobility tabs; General fields include Name, Auto join mode, Virtual Controller IP, Terminal access, Dynamic RADIUS proxy, LED display, MAS integration, TFTP Dump Server, Timezone, Preferred band, Deny inter user bridging, Deny inter user routing, DHCP Server, DNS servers and Lease time)
Chapter 11 Virtual Controller
Aruba Instant does not require an external controller to regulate and manage the Wi-Fi network. Any IAP in the Aruba Instant network dynamically takes up the role of a Virtual Controller (VC) without impacting the network. It coordinates, stores and distributes all the settings required to provide a centralized functionality to regulate and manage the Wi-Fi network. The Virtual Controller also functions like any other AP with full RF scalability. It also acts as a node coordinating DHCP address allocation for network address translated clients, ensuring mobility of the clients when they roam between different IAPs.
Master Election Protocol
The Master Election Protocol enables the Aruba Instant network t
143. curity > User Roles (screenshot of the Aruba 3400 controller WebUI: Security > User Roles > Edit Role "iaprole", Firewall Policies list; Add > Choose From Configured Policies > validuser (session) > Done)
CLI equivalent recovered from the screenshot text (VPN Authentication Profile "default-iap"):
   (config) #aaa authentication vpn default-iap
   (VPN Authentication Profile "default-iap") #server-group default
   (VPN Authentication Profile "default-iap") #default-role iaprole
(screenshot of the controller WebUI: Security > Authentication > L3 Authentication, with the Servers, AAA Profiles, L2 Authentication, L3 Authentication, User Rules and Advanced tabs)
144. d the IAP cannot determine which dynamic ports are used for voice or video traffic. In these cases the IAP has to use an ACL with the classify media option enabled to identify the voice or video flow based on a deep packet inspection and analysis of the actual traffic.
Microsoft OCS
Microsoft Office Communications Server (OCS) uses Session Initiation Protocol (SIP) over TLS to establish, control and terminate voice and video calls.
Apple Facetime
When an Apple device starts a Facetime video call, it initiates a TCP session to the Apple Facetime server over port 5223, then sends SIP signaling messages over a non-default port. When media traffic starts flowing, audio and video data are sent through that same port using RTP. The audio and video packets are interleaved in the air, though the individual sessions can be uniquely identified using their payload type and sequence numbers. The RTP header and payload also get encapsulated under the TURN ChannelData messages. The Facetime call is terminated with a SIP BYE message that can be sent by either party.
The following table lists the ports used by Apple Facetime. Facetime users need to be assigned a role where traffic is allowed on these ports.
Table 43 Ports used by the Apple Facetime Application
Port | Protocol
53 | TCP/UDP
443 | TCP
3478-3497 | UDP
5223 | TCP
16384-16387 | UDP
16393-16402 | UDP
The following screenshots are configurati
d band and hybrid IAPs display data from the one channel they are monitoring.

[Figure 28  Channel Details Information: the channel details pane for channel 10, listing Quality, Utilization, Known APs, Unknown APs, WiFi and Bluetooth interferers, Noise Floor (dBm), Max AP Signal (dBm), Max AP SSID, Max AP BSSID, Cordless Phones, Total non-WiFi interference (dBm) and SNR (dB)]

For more information on spectrum monitoring, see Spectrum Monitor on page 111.

Alerts

Alerts are generated when a user faces problems while accessing or connecting to the Wi-Fi network. The Alerts link appears in red if there are any Client Alerts or Active Faults.

NOTE: New alerts are generated for an incomplete DHCP transaction of a client.

[Figure 29  Alerts Link: the Virtual Controller view with the Networks, Access Points and Clients tabs (Name, Clients, IP Address, Network, Access Point columns) and the Alerts link]
d colors for the initial page that users connecting to the network see. This page asks for user credentials or an email address, depending on the splash page type (Internal - Authenticated or Internal - Acknowledged) you set.
   a. To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
   b. To change the welcome text, click the first square in the splash page, type the required text in the Welcome text box and click OK. The welcome text should not exceed 127 characters.
   c. To change the policy text, click the second square in the splash page, type the required text in the Policy text box and click OK. The policy text should not exceed 255 characters.

[Figure 104  Customizing a Splash Page: the Security tab of the Edit Guest window, with Security Level, Splash page type (Internal - Authenticated), Auth server 1 (InternalServer), Reauth interval, Blacklisting, the Internal server certificate upload, Encryption, Redirect URL, and the Splash Page Visuals thumbnail showing the welcome and policy text]

4. Click Next and then click Finish.

You can customize the captive portal page using double-byte characters (Traditional Chinese, Simplif
d performs mesh backhaul network connectivity. Any provisioned IAP that has a valid uplink (wired or 3G) is a mesh portal, and the IAP without an Ethernet link is a mesh point. A mesh point also supports LAN bridging: you can connect any wired device to the downlink port of the mesh point. In the case of single Ethernet port platforms like AP-93 and AP-105, you can convert the Eth0 uplink port to a downlink port by enabling Eth0 Bridging. For additional information, refer to Configuring Wired Bridging on Ethernet 0 on page 94.

Instant Mesh Setup

Instant mesh can be provisioned in two ways: over-the-air provisioning and over-the-wire provisioning. Over-the-air provisioning is available only when one Aruba Instant mesh network is being advertised, and it does not work for the ROW version of IAPs. The ROW IAP must have the country code set in order to transmit and receive; hence over-the-air provisioning is not supported on ROW IAPs at this time.

This section provides instructions on how to create a simple mesh network on Instant. To set up a mesh network:
1. Connect all the IAPs to a DHCP server so that the IAPs get their IP addresses in the same subnet.
2. For over-the-air provisioning: connect one IAP to the switch to form the mesh portal. All the other IAPs are provisioned over the air. Ensure that only one Virtual Controller (one subnet) is available over the air, and that all the IAPs are connected to a DHCP server and get their IP addresses i
de Intrusion Detection System. Four levels of detection can be configured in the WIP Detection page: Off, Low, Medium and High, as shown in Figure 140.

[Figure 140  Wireless Intrusion Protection (WIP) Detection: the "Specify What Threats to Detect" page. The Infrastructure custom settings slider lists detect AP spoofing and detect Windows bridge with the deauth broadcast and disassociation broadcast signatures (High/Medium) and detect adhoc using valid SSID and detect malformed large duration (Off). The Clients custom settings slider lists detect valid client misassociation (High), detect disconnect sta (Medium), detect omerta attack, detect fatajack, detect block ack attack and detect hotspotter attack (Off).]

The following table describes the detection policies that are enabled in the Infrastructure Detection Custom settings field.

Table 26  Infrastructure Detection Policies

  Detection Level   Detection Policy
  Off               Rogue Classification
  Low               • Detect AP Spoofing
                    • Detect Windows Bridge
                    • IDS Signature: Deauthentication Broadcast
                    • IDS Signature: Disassociation Broadcast
  Medium            • Detect Adhoc networks using VALID SSID (the Valid SSID list is auto-configured based on the Instant AP configuration)
                    • Detect Malformed Frame: Large Duration

Table 26  Infrastructure Detection Policies (Continued)

  Detection
des Last, Minimum, Maximum and Average statistics for the incoming and outgoing frames. To see the exact utilization percent at a particular time, hover the cursor over the graph line.

Drops: The Drops graph shows dropped frames over the last 15 minutes. To see the number of frames dropped at a particular time, hover the cursor over the graph line.

Noise Floor: The Noise Floor graph shows the signals created by all the noise sources and unwanted signals in the network. Noise floor is measured in dBm. Too many unwanted signals hamper the performance of the IAP; monitor the noise floor regularly for optimal performance of the IAP. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum and Average statistics for the In and Out frames. To see the exact utilization percent at a particular time, hover the cursor over the graph line.

To monitor the In and Out frame rate per second for the radio in the 2.4 GHz band for the last 15 minutes:
1. Log in to the Instant WebUI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the name link of the IAP for which you want to monitor the frame rate. The IAP view appears.
3. Study the 2.4 GHz Frames graph. For example, the graph shows 42 incoming frames at 13:29 hours.

To monitor the number of frames dropped for the last 15 minutes:
1. Log in to the Instant WebUI. The Virtual Controller view appears. This is
e SSID text box (example: ECP).
   b. Select Guest from the Primary usage options.
   Click Next to continue.

Use the VLAN tab to specify how the clients on this network get their IP address and VLAN. Click Next to continue.

In the Security tab, select External RADIUS Server and update the following fields:
   a. Enter the IP address of the ClearPass Guest server in the IP or hostname field. The IP address is 10.65.77.245.
   b. Enter page_name.php in the URL field. This URL must correspond to the Page Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is aruba, then the URL should be aruba.php in the Instant UI.
   c. Enter the Port number (generally this should be 80). The ClearPass Guest server uses this port for HTTP services.
   d. To create an external RADIUS server, select New from the Authentication server 1 drop-down list. Refer to Configuring an External RADIUS Server on page 125 for information on the new RADIUS server parameters.
7. The new network appears in the Networks tab. Click the wireless network icon on your desktop and select the new network.
8. Open any browser and type any URL. Instant redirects the URL to the ClearPass Guest login page.
9. Log in to the network with the username and password specified while configuring the RADIUS server in step d.

MAC Authentication

Media Access Control (MAC) authentication i
e 16  Non-Wi-Fi Interferer Types

  Non-Wi-Fi Interferer
  Bluetooth
  Fixed Frequency (Audio)
  Fixed Frequency (Cordless Phones)
  Fixed Frequency (Video)
  Fixed Frequency (Other)
  Frequency Hopper (Cordless Base)
  Frequency Hopper (Cordless Network)
  Frequency Hopper (Xbox)
  Frequency Hopper (Other)

  Description
  Bluetooth: Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol.
  Fixed Frequency (Audio): Some audio devices such as wireless speakers and microphones also use a fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency (Audio).
  Fixed Frequency (Cordless Phones): Some cordless phones use a fixed frequency to transmit data, much like the fixed frequency video devices. These devices are classified as Fixed Frequency (Cordless Phones).
  Fixed Frequency (Video): Video transmitters that continuously transmit video on a single frequency are classified as Fixed Frequency (Video). These devices typically have close to a 100% duty cycle. These types of devices may be used for video surveillance, TV or other video distribution and similar applications.
  Fixed Frequency (Other): All other fixed frequency devices that do not fall into one of the above categories are classified as Fixed Frequency (Other). Note that the RF signatures of the fixed frequency audio, video and cordless phone devices are very similar, and that some of these devices may be occasionally c
e Auto Join Mode feature is enabled, it is listed in the Access Points tab in the Instant UI. The IAP inherits the configuration and image from the Virtual Controller. If the Auto Join Mode is not enabled, then perform the following steps to add an IAP to the network:

1. In the Access Points tab, click the New link.

[Figure 60  Adding an IAP to the Instant Network: the Access Points tab listing Instant Access Point (0 clients) with the New link]

2. In the New Access Point window, enter the MAC address for the new IAP.

[Figure 61  Entering the MAC Address for the New IAP: the New Access Point window with the "MAC address for new Access Point" field and the OK and Cancel buttons]

3. Click OK.

Removing an IAP from the Network

An IAP can be manually removed from the network only if the Auto Join Mode feature is disabled. To manually remove an IAP from the network:
1. In the Access Points tab, click the IAP which you want to delete. An x appears against the IAP.
2. Click x to confirm the deletion.

The deleted IAPs cannot join the Instant network anymore and no longer appear in the Instant WebUI. However, the master IAP cannot be deleted from the Virtual Controller.

Editing IAP Settings

This section explains the following IAP settings:
• Name
• IP Address
• Adaptive Radio Management (ARM) Configuration
• Wired Bridging on Ethernet 0 Port
• Uplink Management VLAN
• Migrating from a Virtual Controller Managed
e and spur immunity. This level also controls the detection of OFDM packets and is the default setting for the Noise Immunity feature.
  Level 3: Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high level of interference related to 2.4 GHz appliances such as cordless phones.
  Level 4: Level 3 settings and FIR immunity. At this level the AP adjusts its sensitivity to in-band power, which can improve performance in environments with high and constant levels of noise interference.
  Level 5: The AP completely disables PHY error reporting, improving performance by eliminating the time the IAP would spend on PHY processing.

Indicates the number of channel switching announcements that must be sent prior to switching to a new channel. This allows associated clients to recover gracefully from a channel change.

When set to Dynamic, the access point, when busy, automatically adjusts its Clear Channel Assessment (CCA) threshold to accommodate transmissions to the most distant associated client. When set to Static, the access point sets its CCA threshold to the value specified in Channel reuse threshold.

When set to Static, this value specifies the tolerable interference that must be maintained.

Table 25  Radio Profile Configuration Parameters (Continued)
e encryption key to the NAS. The encryption key is used to encrypt or decrypt traffic sent to and from the client. The NAS acts as a gateway to guard access to a protected resource; a client connecting to the wireless network first connects to the NAS.

The Aruba Instant network supports an internal RADIUS server and an external RADIUS server for 802.1X authentication.

Internal RADIUS Server

Each IAP has an instance of a FreeRADIUS server operating locally. When you enable the Internal RADIUS server option for the network, the authenticator on the IAP sends a RADIUS packet to the local IP address. The Internal RADIUS server listens and replies to the RADIUS packet. The following authentication methods are supported in the Aruba Instant network:

• EAP-TLS: The Extensible Authentication Protocol - Transport Layer Security method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA) before the user name is checked on the authentication server.
• EAP-TTLS (MSCHAPv2): The Extensible Authentication Protocol - Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual
e flash after the AP reboots.
  AP 802.1X Statistics: Displays the 802.1X statistics of the selected IAP.
  AP RADIUS Statistics: Displays the RADIUS statistics of the selected IAP.
  AP System Status: Displays the system status of the selected IAP.
  AP Client Table: Displays information on the clients connected to the selected IAP.
  AP Association Table: Displays information on the selected IAP's associations.
  AP Allowed Channels: Displays information on the allowed channels for the selected IAP.
  AP Radio 0 Stats: Displays aggregate debug statistics of the selected IAP's Radio 0.
  AP Radio 1 Stats: Displays aggregate debug statistics of the selected IAP's Radio 1.
  Bridge Table: Displays bridge table entry statistics, including MAC address, VLAN, assigned VLAN, destination and flag information, for the selected IAP.
  User Table: Displays datapath user statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users and maximum link length for the selected IAP.
  Session Table: Displays the datapath session table statistics for the selected IAP.
  Route Table: Displays datapath route table statistics for the selected IAP.
  Datapath Statistics: Displays the hardware packet statistics for the selected IAP.
  VLAN Table: Displays the VLAN table information, such as VLAN memberships inside the datapath including L2 tunnels, for the selected IAP.
  BSSID Table: Displays the
[Figure (continued): the Clients list of the Virtual Controller view, with Name, IP Address, Network and Access Point columns; the Alerts area shows 2 Alerts (1 Client Alert, 1 Active Fault: "Access point 00:24:6c:c0:1a:79 is down") beside the Monitoring, IDS, Configuration and Fault History links]

Active Faults

These alerts occur in the event of a system fault. An Active Fault consists of the following fields:
  Time: Displays the system time when an event occurs.
  Number: Indicates
eboot an IAP:
1. Click the Maintenance link. The Maintenance window appears.
2. Click the Reboot tab.

[Figure 73  Rebooting the IAP: the Maintenance window (About, Configuration, Certificates, Firmware, Reboot and Convert tabs) with "Select the access point you wish to reboot", Reboot selected Access Point, Reboot All and Close]

3. In the IAP list, select the IAP that you want to reboot and click Reboot selected Access Point. To reboot all the IAPs in the network, click Reboot All.
4. The Confirm Reboot for AP window appears. Click Reboot Now to proceed.

[Figure 74  Confirm Reboot message: "Confirm Reboot for IAP. Service will be interrupted during the Reboot process. Do you want to continue?" with Reboot Now and Cancel]

5. The Reboot in Progress message appears, indicating that the reboot is in progress.

[Figure 75  Reboot In Progress: "Access Points are rebooting"]

6. The Reboot Successful message appears once the process is complete. If the system fails to boot, then the "Unable to contact Access Points after reboot was initiated" message appears.

[Figure 76  Reboot Successful: "The Access Points have successfully rebooted. After clicking OK you will need to re-login to the system." with OK]

7. Click OK to close the window and re-login to the system.

F
ect Disabled from the Auto join mode drop-down list.

[Figure 54  Disabling Auto Join Mode: the Settings window, General tab, with Auto join mode set to Disabled]

3. Click OK.

Terminal Access

To enable or disable telnet access to the IAP's CLI, navigate to Settings > Advanced > Terminal access.

[Figure 55  Terminal Access: the Settings window with the General, Admin, RTLS, SNMP, OpenDNS, Uplink, Enterprise Domains, Walled Garden, Syslog and L3 Mobility tabs. The advanced options show Name, Virtual Controller IP, Terminal access, Dynamic RADIUS proxy, LED display, MAS integration, TFTP Dump Server, NTP server, Extended SSID, Timezone, Deny inter user bridging, Preferred band, Deny inter user routing and the DHCP Server fields (Domain name, DNS Server(s), Lease time, Network, Mask).]

NOTE: Instant does not support configuration using the CLI.
ection.

[Figure: Wireless Intrusion Protection (WIP) Protection, the "Specify What Threats to Protect" page. The Infrastructure custom settings slider lists protect SSID, rogue containment and protect adhoc network (High) and protect AP impersonation (Off); the Clients custom settings slider lists protect valid station (High) and protect Windows bridge. Show advanced options, Back, Finish and Cancel are at the bottom.]

The following table describes the detection policies that are enabled in the Infrastructure Protection Custom settings field.

Table 28  Infrastructure Protection Policies

  Detection Level   Detection Policy
  Off               All detection policies are disabled
  Low               • Protect SSID (the Valid SSID list should be auto-derived from the Instant configuration)
                    • Rogue Containment
  High              • Protect from Adhoc Networks
                    • Protect AP Impersonation

The following table describes the detection policies that are enabled in the Client Protection Custom settings field.

Table 29  Client Protection Policies

  Detection Level   Detection Policy
  Off               All detection policies are disabled
  Low               • Protect Valid Station
  High              • Protect Windows Bridge

Containment Methods

You can enable wired and wireless containment to prevent unauthorized stations from connecting to your Instant network. Instant supports the following types of containment mechanisms:

• Wired containment: When enabled, Aruba Access Points generate ARP packets on the wi
ed encryption type, see Chapter 13, Encryption.
2. Termination: Enable this option to terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server. For more information, see External RADIUS Server on page 124.
3. Authentication server 1 and 2: Select the required Authentication server option from the drop-down list. Available options are:
   • New: If you select this option, then an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Chapter 12, Authentication.
4. Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
5. Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
6. Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.

NOTE: Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.

Table 9  Conditions for Adding a Voice Network, Security Tab (Continued)

You want to use the default security level (Personal). Perform the following steps:
1. Select the required key options from the K
ed view provides Last, Minimum, Maximum and Average radio utilization statistics for the IAP for the last 15 minutes. To see the exact utilization percent at a particular time, hover the cursor over the graph line.

To monitor the utilization of the selected IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the utilization. The IAP view appears.
3. Study the Utilization graph in the RF Trends pane. For example, the graph shows 84% IAP radio utilization for the 2.4 GHz band at 12:15 hours.

NOTE: You can also click the rectangle icon under the Utilization column in the RF Dashboard pane to see the Utilization graph for the selected IAP.

Table 40  Instant Access Point View, RF Trends Graphs and Monitoring Procedures (Continued)

2.4 GHz Frames: The 2.4 GHz Frames graph shows the In and Out frame rate per second for the radio in the 2.4 GHz band for the last 15 minutes.
  • Outgoing frames: Outgoing frame traffic is displayed in green. It is shown above the median line.
  • Incoming frames: Incoming frame traffic is displayed in blue. It is shown below the median line.
  To see an enlarged view, click the graph. The enlarged view provi
[Figure (continued): the RAP Whitelist table on the controller, listing AP MAC addresses with their user name, AP name and IP address, and the Campus AP Whitelist entry 00:11:22:33:44:55 (ap-group test); the left navigation shows Wireless (AP Configuration, AP Installation), Management (Administration, Certificates, SNMP, Logging, Clock, Guest Provisioning, Captive Portal, SMTP, Bandwidth Calculator) and Advanced Services]

VPN Local Pool Configuration

This pool is used to assign an IP address to the IAP after successful VPN authentication.

(Aruba3400) # ip local pool rapngpool <startip> <endip>
(Aruba3400) #

[Figure: Advanced Services > VPN Services > IPSEC > Add Address Pool on the controller WebUI, with Pool Name rapngpool, Start Address 172.15.10.1 and End Address 172.15.10.100]

IAP VPN Profile C
en the Walled Garden window. The walled garden directs the user's navigation within particular areas, to allow access to a selection of websites or prevent access to other websites. For more information, see Walled Garden Access on page 142.
11. Click Next to continue and then click Finish.

Configuring External Captive Portal Authentication when Editing a Guest Network

To configure external captive portal authentication when editing a guest network, perform the following steps:
1. In the Network tab, click the network for which you want to configure the external captive portal authentication. The edit link for the network appears.
2. Click the edit link. The Edit window for the network appears.
3. Navigate to the Security tab and perform the following steps.
4. Select External RADIUS Server or External Authentication Text from the Splash page type drop-down list.
5. Use the fields below to specify or edit the server for this guest network's splash page.
   Splash page type: External Authentication Text
   a. Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
   b. Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
   c. Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entr
endix A  Controller Configuration for VPN

On the controller, the following configuration is needed to set up an IAP.

Whitelist DB Configuration

If you decide to use the Controller as the whitelist entry, use the following CLI command to configure the whitelist database:

(Aruba3400) # local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test
(Aruba3400) #

The ap-group parameter is not used for any configuration but needs to be configured; the parameter can be any valid string. If an external whitelist is being used, the AP MAC address needs to be saved in the RADIUS server as a lower case entry without any delimiter.

[Figure: Wireless > AP Installation > RAP Whitelist on the controller WebUI (Provisioning, Provisioning Profile, RAP Whitelist and Campus AP Whitelist tabs), listing the whitelisted AP MAC addresses with their user name, AP name and IP address]
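The MAC-format requirement above is easy to get wrong when the whitelist lives on a RADIUS server. The following Python is an added example, not Aruba's code: it normalizes AP MACs to the delimiter-free lower-case form, emits the local-userdb-ap command shown above, and reports controller entries that an external RADIUS whitelist would fail to match; the MAC values and ap-group names are constructed.

```python
"""Added example (not Aruba's code): normalize IAP MAC addresses for the two
whitelist stores described above and flag mismatches between them.

The controller form is  local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test
and an external (RADIUS) whitelist must hold the AP MAC in lower case with no
delimiters. All MAC values and ap-group names in this file are constructed.
"""
import re

# Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and 001122334455.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the RADIUS whitelist form: 12 lower-case hex digits, no delimiters.

    Raises ValueError for anything that is not a 48-bit MAC once the
    delimiters ':', '-', '.' and surrounding whitespace are removed.
    """
    stripped = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12.match(stripped):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return stripped


def controller_form(mac: str) -> str:
    """Return the colon-separated form used in the controller CLI command."""
    raw = normalize_mac(mac)
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def whitelist_command(mac: str, ap_group: str) -> str:
    """Build the local-userdb-ap command for one IAP.

    ap-group is required by the CLI even though Instant ignores its value;
    restrict it to a plain token so a stray quote or space cannot alter the
    command line that gets pasted into the controller.
    """
    if not re.fullmatch(r"[A-Za-z0-9_\-]+", ap_group):
        raise ValueError(f"ap-group must be a plain token, got {ap_group!r}")
    return f"local-userdb-ap add mac-address {controller_form(mac)} ap-group {ap_group}"


def _safe_norm(entry: str):
    try:
        return normalize_mac(entry)
    except ValueError:
        return None


def radius_mismatches(controller_macs, radius_entries):
    """Find IAPs in the controller whitelist that an external RADIUS whitelist
    would not match.

    The RADIUS server compares the literal stored string, so an entry saved
    with colons or upper-case hex silently fails to match the IAP.
    Returns (missing, badly_formatted): canonical MACs with no RADIUS entry at
    all, and RADIUS entries for the right AP stored in the wrong form.
    """
    canonical = {normalize_mac(m) for m in controller_macs}
    exact = set(radius_entries)
    missing, badly_formatted = [], []
    for mac in sorted(canonical):
        if mac in exact:
            continue
        wrong = [e for e in radius_entries if _safe_norm(e) == mac]
        if wrong:
            badly_formatted.extend(wrong)
        else:
            missing.append(mac)
    return missing, badly_formatted


if __name__ == "__main__":
    # Constructed sample data: three IAPs on the controller, two RADIUS rows,
    # one of which is stored with delimiters and upper-case hex.
    controller = ["00:11:22:33:44:55", "d8-c7-c8-c0-b8-d0", "0024.6cc9.27c5"]
    radius = ["001122334455", "D8:C7:C8:C0:B8:D0"]
    for m in controller:
        print(whitelist_command(m, "test"))
    print(radius_mismatches(controller, radius))
```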
ends a RADIUS packet to the local IP address. The external RADIUS server then listens and responds to the RADIUS packet. The following authentication methods are supported in the Aruba Instant network.

Authentication Terminated on IAP

Aruba Instant allows EAP termination for PEAP-GTC and PEAP-MSCHAPv2. PEAP-GTC termination allows authorization against an LDAP server and an external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server. This allows users to run PEAP-GTC termination with their own username and password to a local Microsoft Active Directory server with LDAP authentication. The following EAP type methods are described below:

• EAP-Generic Token Card (GTC): This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP as a backup to an external authentication server.
• EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the backend authentication server. If you are using the IAP's internal database for user authentication, you need to add the names and passwords of the users to be authenticated. If you are using an LDAP server for user authentication, you need to configure the
entication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.

NOTE: Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.

7. Click Upload Certificate and browse to upload a certificate file for the internal server. See Certificates on page 143 for more information.

Table 6  Conditions for Adding an Employee Network, Security Tab (Continued)

You want to use the default security level (Personal). Perform the following steps:
1. Select the required key options from the Key management drop-down list. Available options are:
   • WPA-2 Personal
   • WPA Personal
   • Both (WPA-2 & WPA)
   • Static WEP. If you have selected Static WEP, do the following:
     - Select the appropriate WEP key size from the WEP key size drop-down list. Available options are 64-bit and 128-bit.
     - Select the appropriate Tx key from the Tx Key drop-down list. Available options are 1, 2, 3 and 4.
     - Enter an appropriate WEP key and reconfirm.
   For more information on encryption and the recommended encryption type, see Chapter 13, Encryption.
2. WPA-2 Personal:
   • Select a passphrase format from the Passphrase format drop-down list. Available options are:
     - 8-63 alphanumeric chars
     - 64 hexadecimal chars
3
er Cert certificate Type and provide the passphrase if you want to upload a Server certificate. Select either the Intermediate CA or Trusted CA certificate Type if you want to upload a CA certificate.

Figure 114 CA Certificate [screenshot: AirWave Device Setup > Certificate upload form with Name, Certificate File, Passphrase, Confirm passphrase, Format (DER) and Type (Intermediate CA) fields]
Figure 115 Server Certificate [screenshot: the same upload form with Format PKCS#12 and Type Server Cert]

4. After you upload the certificate, navigate to Groups, click on the Instant Group, and then select Basic. The Group name appears only if you have entered the Organization name in the Instant WebUI. Refer to Entering the Organization String and AMP Information into the IAP for further information.
Figure 116 Selecting the Group [screenshot: AirWave Groups list with Name and Access Points columns]
er acts as the DHCP Relay and unicasts DHCP packets to the corporate DHCP server. Enable DHCP Option 82 to allow clients to send DHCP packets with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format. The ALU format for the Option 82 string consists of the following:
• Remote Circuit ID: X AP-MAC; SSID; SSID-Type
• Remote Agent: X IDUE-MAC
Option 82 is specific to Alcatel and is not configurable in this version of Instant. The following table describes the behavior of the DHCP Relay Agent and Option 82 in the IAP.

Table 44 DHCP Relay and Option 82
DHCP Relay | Option 82 | Behavior
Enabled | Enabled | DHCP packet relayed with the ALU-specific Option 82 string
Enabled | Disabled | DHCP packet relayed without the ALU-specific Option 82 string
Disabled | Enabled | DHCP packet not relayed but broadcast with the ALU-specific Option 82 string
Disabled | Disabled | DHCP packet not relayed but broadcast without the ALU-specific Option 82 string

2. Click OK to apply these changes.
Figure 212 Centralized L2 DHCP Configuration [figure: tunneling controller with DHCP server, DHCP relay and Option 82 settings]

Chapter 30 User Database
In Aruba Instant, the user database consists of a list of
er option from the drop-down list. Available options are:
• New: If you select this option, then an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Chapter 12, Authentication.
• Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
• Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
• Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.
NOTE: Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.
6. InternalServer: If you select this option, then users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see Adding a User on page 251.
7. Click Upload Certificate and browse to upload a certificate file for the internal server. See Certificates on page 143 for more information.
8. Use the Access Rules page to specify optional access rules for this network.
a. Network-based: Set the slider to Network-based if you want the same rules to apply to all users. The Allow any to all d
[table residue: list of neighboring/interfering APs with channel, band and time columns]

Configuration: This link provides an overall view of your Virtual Controller configuration. Click on each of the features to view or edit the settings.
Figure 34 Configuration [screenshot: Virtual Controller configuration page with links for Settings, RF, PEF, WIP, VPN and Wired; the Settings dialog has General, Admin, RTLS, SNMP, OpenDNS, Uplink, Enterprise Domains, Walled Garden, Syslog and L3 Mobility tabs and shows Name, Preferred band, Virtual Controller IP, Auto join mode, Dynamic RADIUS proxy, Terminal access, Mobility Access Switch integration, LED display, NTP server, TFTP Dump Server, Timezone, Extended SSID, Deny inter user bridging and Deny inter user routing settings]

Language: The language links are provided in the login screen to allow users to select the preferred language before logging in to the Instant UI. In addition, this link is also located at the bottom left corner of the Instant UI. A default language is selected based on the language preferences in the client desktop operating system or browser. If Aruba Instant cannot detect the language, then English (En
[screenshot residue: AirWave Groups > Templates page for an Aruba Instant Virtual Controller, with Group, Name, Device Type, Restrict to this version, Template and Fetch template from device fields. The page notes that the listed variables may be used in the template, that the value of each variable is configured on the APs/Devices Manage page for each device in the group, that each variable must be surrounded by percent signs, and that if statements must be terminated by endif and cannot be nested. Available variables shown include guid, ip address, hostname, organization, ams ip, ams key, ca cert checksum, server cert checksum, psk, password and allowed aps.]

Trending Reports
AirWave saves up to 14 months of actionable information, including network performance data and user roaming patterns, so you can analyze how network usage and performance trends have changed over time.
es of the selected IAP, which includes protocol number and port number.
• VC Global Alerts: Displays all the alerts about clients of the selected IAP.
• VC Global Statistics: Displays the flow information and signal strength of the selected IAP.
• VC Local User Database: Displays the user configuration of the selected IAP.
• VC Radius Attributes: Displays the RADIUS attributes of the selected IAP.
• VC Radius Servers: Displays the RADIUS servers configuration of the selected IAP.
• VC Saved Configuration: Displays the saved configuration information of the selected IAP.
• VC SNMP Configuration: Displays the SNMP configuration of the selected IAP.
• AP Summary: Displays the IAP configuration.
• Debug Logs: Displays debug logs of the selected IAP.
• Driver Logs: Displays the driver logs of the selected IAP.
• Tech Support Dump: Displays the technical support dump logs of the selected IAP.
• Active Configuration: Displays the active configuration of the Virtual Controller.
• Saved Configuration: Displays the saved configuration of the Virtual Controller.
• AP Management Frames: Displays the traced 802.11 management frames for the selected IAP.
• AP Authentication Frames: Displays the authentication trace buffer information of the selected IAP.
• AP System Status: Displays detailed system status information for the selected IAP.
• AP Crash Info: Displays crash log information, if it exists, for the selected IAP. The stored information is cleared from th
es where an Ethernet uplink is not feasible. This enables the RAP-3 to choose the available network in an area automatically. For a 4G LTE modem, 4G takes precedence over 3G when the RAP tries to auto-select the network. The 3G and 4G LTE USB modems can be provisioned only on the RAP-3.

Types of Modems
Instant supports the following three types of 3G modems:
• True Auto Detect: Modems of this type can be used only in one country and for a specific ISP. The parameters are configured automatically and hence no configuration is necessary.
• Plug and Play (Auto-detect ISP/country): Modems of this type require the user to specify the Country and ISP. The same modem is used for different ISPs, with different parameters configured for each of them.
• No Auto-detect: Modems of this type are used where the modems share the same Device ID, Country and ISP but need different parameters configured for each of them. These modems work with Instant provided the correct parameters are configured. All the new auto-detected modems fall under this category, as the parameters necessary to automatically configure them are unknown.
The following table lists the types of supported 3G modems.

Table 36 List of Supported 3G Modems
Modem Type | Supported 3G Modems
True Auto Detect | USBConnect 881 (Sierra 881U); Quicksilver (Globetrotter ICON 322); UM100C (UTStar
ess

Authentication Failure Blacklisting
When the number of times a client fails to authenticate exceeds the configured threshold, the client is automatically blacklisted by an IAP.

Session Firewall Based Blacklisting
In session firewall based blacklisting, an ACL rule is used to enable the option for automatic blacklisting. When the ACL rule is hit, it sends out blacklist information and the client is blacklisted.

To set the blacklist duration:
1. Select the PEF link and then select the Blacklisting tab.
• Auth failure blacklist time: Enter the duration, counted from the moment the blacklisting is triggered, for which a client stays blacklisted after the authentication failure threshold is exceeded.
• PEF rule blacklisted time: Enter the duration, counted from the moment the blacklisting is triggered, for which a client stays blacklisted after a blacklisting rule has been triggered.
2. In the Networks tab, click the New link and navigate to the New WLAN > VLAN > Security page to enable Blacklisting. Set a value between 1 and 10 in the max authentication failures field for the selected SSID.
NOTE: To enable session firewall based blacklisting, click New, navigate to the WLAN Settings > VLAN > Security > Access window and enable the Blacklist option of the corresponding ACL rule.
Figure 204 Dynamic Blacklisting [screenshot: Dynamic Blacklisting dialog with Auth failure blacklist time and PEF rule blacklist time fields (in hours) and the message "Currently no clients are dynamically blacklisted"]

PEF Settings
Firewall ALG Configuration
ess Switch are available: the S3500 and the S2500. For more information on MAS, see the ArubaOS 7.1.3 User Guide.

MAS Integration with an IAP
The Instant AP can be integrated with a MAS by plugging the Instant AP directly into the MAS port. This section describes two main Mobility Access Switch (MAS) integration features:
• Rogue AP containment
• PoE prioritization

Rogue AP Containment
When a rogue AP is detected by Instant, it sends the MAC address of the rogue AP to the MAS. The MAS blacklists the MAC address of the rogue AP and turns off the PoE on the port.

PoE Prioritization
When an Instant AP is plugged directly into the MAS port, the MAS should increase the PoE priority of the port. This is done only if the PoE priority is set by default in the MAS.

The PoE Prioritization and Rogue AP Containment features are available in the ArubaOS 7.2 release on Aruba's Mobility Access Switches.

Enabling MAS Integration
This functionality enables LLDP for the MAS integration. Using this protocol, the IAPs instruct the MAS to turn off the ports where rogue APs are connected, and to take actions such as increasing the PoE priority and automatically configuring the VLANs on the ports where the IAPs are connected. To enable the MAS integration functionality, perform the following steps in the Instant UI:
1. Navigate to Settings at the top right corner of the Instant UI.
2. Navigate to the General tab and select Enabled from the MAS integration dro
estinations access rule is enabled by default. This rule allows traffic to all destinations. Instant Firewall treats packets based on the first rule matched. For more information, see Chapter 16, Instant Firewall.
To edit the default rule:
a. Select the rule and then click Edit.
b. Select the appropriate options in the Edit Rule window and click OK.
To define an access rule:
a. Click New.
b. Select the appropriate options in the New Rule window.
c. Click OK.
• Role-based: Select Role-based if you want to specify per-user access rules. See Creating a New User Role on page 151 for more information.
• Unrestricted: Select this to set no restrictions on access based on destination or type of traffic.
Figure 44 Adding a Voice Network: Access Rules Tab [screenshot: Access Rules tab showing the "Allow any to all destinations" rule and the Role based / Network based / Unrestricted slider between More Control and Less Control]
9. Click Finish. The network is added and listed in the Networks tab.

Guest Network
The Guest wireless network is created for guests, visitors, contractors and any non-employee users who use the enterprise Wi-Fi network. The Virtual Controller assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typic
ettings tab, perform the following steps:
a. Name (SSID): Enter a name that uniquely identifies a wireless network.
b. Primary usage: Select Employee (this is selected by default) from the Primary usage options. This selection determines whether the network is primarily intended to be used for employee data, guest data or voice traffic.
Click the Show advanced options link and perform the following steps:
a. Broadcast/Multicast
• Broadcast filtering: When set to All, the IAP drops all broadcast and multicast frames except for DHCP and ARP. When set to ARP, in addition to the above, the IAP converts ARP requests to unicast and sends frames directly to the associated client. When Disabled, all broadcast and multicast traffic is forwarded.
• DTIM interval: Indicates the DTIM (delivery traffic indication message) period in beacons. You can configure this option for every WLAN SSID profile. The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You may choose to configure a larger DTIM value for power saving.
• Multicast transmission optimization: When Enabled, the IAP chooses the optimal rate for sending broadcast and multicast frames based on the lowest of the unicast rates across all associated clients. The default values are 1 Mbps for the 2.4 GHz band and 6 Mbps for the 5.0 GHz band. Multicast traffic can be sent at up to 24 Mbps when this option is enabled. This option is disabled by default.
etwork. These alerts enable you to troubleshoot the problems. The alerts that are generated on Aruba Instant can be categorized as follows:
• 802.11 related association and authentication failure alerts
• 802.1X related mode and key mismatch, server and client time-out failure alerts
• IP address related failure: static IP address or DHCP related alerts
Table 42 displays a list of alerts that are generated on the Aruba Instant network.

Table 42 Alerts List
Type Code | Description | Details
100101 | Internal error | The IAP has encountered an internal error for this client.
100102 | Unknown SSID in association request | The IAP cannot allow this client to associate because the association request received contains an unknown SSID.
100103 | Mismatched authentication/encryption setting | The IAP cannot allow this client to associate because its authentication or encryption settings do not match the IAP's configuration.
100104 | Unsupported 802.11 rate | The IAP cannot allow this client to associate because it does not support the 802.11 rate requested by this client.
100105 | Maximum capacity reached on IAP | The IAP has reached maximum capacity and cannot accommodate any more clients.
100206 | Invalid MAC Address | The IAP cannot authenticate this client because the client's MAC address is not valid.
100307 | Client blocked due to repeated authentication failures |
[screenshot residue: Access Rules tab with the Network based / Unrestricted slider, Role Assignment Rules with a Default role, and a New Role Assignment Rule dialog with Attribute, Operator, String and Role fields (example shown: AP-Group contains ... assigns vlan 200)]

SSID Profile
If the VSA VLAN derivation rules do not match and the User Role does not contain a VLAN, then the user VLAN can be derived from the SSID profile.

Configuring VLAN Derivation Rules Using an SSID Profile
To configure VLAN derivation rules on an IAP:
1. Select a network on the Instant UI and click on the edit link.
2. Select the VLAN tab and check the Static radio button under the client VLAN assignment.
3. Enter the ID of the VLAN in the VLAN ID text box.
4. Click OK.
Figure 127 Configuring VLAN Derivation Rules Using an SSID Profile [screenshot: Edit network > VLAN tab with Client IP assignment (Virtual Controller assigned / Network assigned), Client VLAN assignment (Default / Static / Dynamic) and VLAN ID]

Chapter 16 Instant Firewall
A firewall is a system designed to prevent unauthorized internet users from accessing a private network connected to the internet. It defines access rules and monitors all data entering or leaving the network and
ew, click the graph.
• The enlarged view provides Last, Minimum, Maximum and Average statistics for the incoming and outgoing traffic throughput of the network for the last 15 minutes. To see the exact throughput of the selected network at a particular time, hover the cursor over the graph line.

To check the number of clients associated with the network for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Networks tab, click the network for which you want to check the client association. The Network view appears.
3. Study the Clients graph in the Usage Trends pane. For example, the graph shows that one client is associated with the selected network at 12:00 hours.

To check the throughput of the selected network for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Networks tab, click the network for which you want to check the client association. The Network view appears.
3. Study the Throughput graph in the Usage Trends pane. For example, the graph shows 22.0 kbps incoming traffic throughput for the selected network at 12:03 hours.

Instant Access Point View
All IAPs in the Aruba Instant network are listed in the Access Points tab. Click the IAP that you want to monitor. The Access Point view for that IAP appears. Similar to the Virtual Controller view, the Access Point vi
[screenshot residue: AirWave APs/Devices page (New Devices, Up, Down, Mismatched, Rogue and Clients counters; Reset filters, Choose columns, Export CSV) listing Instant C4:43:19, an Aruba Instant Virtual Controller, in group Access Points and folder TME Instant]
Figure 171 AirWave Monitor [screenshot: AirWave group monitoring page showing device status counters, Clients for group over the last 2 hours, and Avg Bits Per Second In/Out over the last 2 hours, with Maximum and Average values; current AMP time March 20, 2012, 3:21 pm PDT]
ew also has three tabs: Networks, Access Points and Clients.

The following sections in the Instant UI provide information about the selected IAP:
• Info
• RF Dashboard
• Overview
Figure 178 Instant Access Point View [screenshot: Access Point view for the IAP 9F-4-Point-41:03 with the Networks (5), Access Points (11) and Clients (4) tabs; Info section with Name, IP address, Mode (Access), Spectrum (Enabled), Clients, Type, CPU utilization, Memory free, Serial number and From Port; Overview with Radio 1 (2.4 GHz, Chan 11) and Radio 2 (5 GHz, Chan 36); RF Dashboard with Neighboring APs (Valid / Interfering / Rogue), Neighboring Clients, CPU utilization, Memory free (MB) and Throughput (bps) graphs; Monitoring, Spectrum, Alerts, IDS and Configuration links]
ey management drop-down list. Available options are:
• WPA-2 Personal
• WPA Personal
• Both (WPA-2 & WPA)
1. Static WEP: If you have selected Static WEP, then do the following:
  • Select the appropriate WEP key size from the WEP key size drop-down list. Available options are 64-bit and 128-bit.
  • Select the appropriate Tx key from the Tx Key drop-down list. Available options are 1, 2, 3, and 4.
  • Enter an appropriate WEP key and reconfirm.
For more information on encryption and the recommended encryption type, see Chapter 13, Encryption.
2. WPA-2 Personal: Select a passphrase format from the Passphrase format drop-down list. Available options are:
  • 8-63 alphanumeric chars
  • 64 hexadecimal chars
3. Enter a passphrase in the Passphrase text box and reconfirm.
4. Select the required option from the MAC authentication drop-down list. Available options are Enabled and Disabled. When Enabled, the user must configure at least one RADIUS server as the authentication server. See MAC Authentication on page 141 for further details.
5. Authentication server 1: Select the required Authentication server option from the drop-down list. Available options are:
• New: If you select this option, then an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Chapter 12, Authentication.
6. Reauth interval: When set to a value greater than zero, the
fone UK)
• ZTE MF656 (Netcom, Norway)
• ZTE MF636 (HK CSL/1010)
• ZTE MF633/MF636 (Telstra, Aus)
• ZTE MF637 (Orange in Israel)
• Huawei E180/E1692/E1762 (Optus, Aus)
• Huawei E1731 (Airtel 3G, India)
• Huawei E3765 (Vodafone, Aus)
• Huawei E3765 (T-Mobile, Germany)
• Huawei E1552 (SingTel)
• Huawei E1750 (T-Mobile, Germany)
• UGM 1831 (T-Mobile)
• Huawei D33HW (EMOBILE, Japan)
• Huawei GD01 (EMOBILE, Japan)
• Huawei EC150 (Reliance NetConnect, India)
• KDDI DATA07 (Huawei, KDDI Japan)
• Huawei E353 (China Unicom)
• Huawei EC167 (China Telecom)
• Huawei E367 (Vodafone UK)
• Huawei E352s-5 (T-Mobile, Germany)
Auto-detect ISP/country | [list not recoverable from the extraction]
No auto-detect | • Huawei D41HW • ZTE AC2726

Provisioning 3G/4G Uplink Manually
To provision a 3G/4G uplink manually, configure the modem parameters. The IAP has to be rebooted if you configure the USB modem parameters from the Instant WebUI. Use the following procedure to provision a 3G/4G uplink manually:
1. In the Settings tab, click the Show advanced settings hyperlink.
2. Select the Uplink tab. Under the 3G/4G tab, enter the parameters:
a. Enter the type of the 3G/4G modem driver. To provision a 3G modem, enter the type of 3G modem in the USB type text box. To provision a 4G modem, enter the type of 4G modem in the 4G USB type text box.
NOTE: This release of Instant supports only the P
h Network

Chapter 6 Managing IAPs
This chapter describes the Preferred band, Auto join mode, Terminal Access, LED display and Syslog server features in Aruba Instant. In addition, the chapter provides procedures for adding and removing IAPs, editing the IAP settings and upgrading the firmware on the IAP using the Instant UI.

Preferred Band
At the top right corner of the Instant UI, click the Settings link. The Settings window appears.
1. In the Settings window, click the General tab.
2. Select the Preferred band (2.4 GHz, 5 GHz, All) from the drop-down list for single radio access points.
Reboot the IAP after configuring the radio profile settings in order for the changes to take effect.

Auto Join Mode
The Auto Join Mode feature allows IAPs to automatically:
1. Discover the Virtual Controller
2. Join the network
3. Begin functioning
The Auto Join Mode feature is enabled by default. When the Auto Join Mode feature is disabled, a New link appears in the Access Points tab. Click this link to add IAPs to the network. For more information, see Adding an IAP to the Network on page 90. In addition, when this feature is disabled, APs that are configured but not active appear in red.

Disabling Auto Join Mode
To disable Auto Join Mode:
At the top right corner of the Instant UI, click the Settings link. The Settings window appears.
1. In the Settings window, click the General tab.
2. Sel
han 50 percent of the maximum speed supported by the client.
• Orange: Data transfer speed is between 25 and 50 percent of the maximum speed supported by the client.
• Red: Data transfer speed is less than 25 percent of the maximum speed supported by the client.
To view the data transfer speed graph of a client, click on the speed icon against the client in the Speed column.

Access Points
Lists the IAPs whose utilization, noise or errors are not within the specified threshold. The IAP names appear as links. When the IAP is clicked, the IAP configuration information is displayed in the Info section. The RF Dashboard section is pushed to the bottom left corner of the Instant UI, and the RF Trends section appears in its place. This section consists of the Utilization, Band frames, Noise Floor and Errors graphs. For more information on the graphs, see Chapter 26, Monitoring.
• Utilization: Displays the radio utilization rate of the IAPs. Depending on the percentage of utilization, the color of the lines on the Utilization icon changes from Green > Orange > Red.
  • Green: Utilization is less than 50 percent.
  • Orange: Utilization is between 50 and 75 percent.
  • Red: Utilization is more than 75 percent.
To view the utilization graph of an IAP, click on the Utilization icon against the IAP in the Utilization column.
• Noise: Displays the noise floor of the IAPs. Noise is measured in decibels/meter. Depending on the noise floor, the color of
[screenshot residue: AirWave group Basic settings showing Neighbor Data Polling Period, Thin AP Discovery Polling Period, Device-to-Device Link Polling Period and 802.11 Counters Polling Period (30 minutes); Add New Controllers and Autonomous Devices and Add New Thin APs Location set to Use Global Setting; Maintenance Window; CA Cert set to Test and Server Cert set to Test1]
6. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the Instant AP. To unselect the certificate options, click Revert.

Chapter 13 Encryption

Encryption Types Supported in Aruba Instant
Encryption is the process of converting data into an undecipherable format or code when it is transmitted on a network. Encryption prevents unauthorized use of the data. The following encryption types are supported in Aruba Instant:

WEP
Though WEP is an authentication method, it is also an encryption algorithm where all users typically share the same key. WEP is easily broken with automated tools and should be considered no more secure than an open network. Aruba recommends against deploying WEP encryption. Organizations that use WEP are strongly encouraged to move to Advanced Encrypti
he edit link. The Edit network window appears.
2. Make the required changes in any of the tabs.
3. Click Next or the tab name to move to the next tab.
4. Click Finish.

Deleting a Network
To delete a network:
1. In the Networks tab, click the network which you want to delete. An x link appears against the network to be deleted.
2. Click x. A delete confirmation window appears.
3. Click Delete Now.

Number of WLAN SSIDs supported
By default, you can create up to six networks or WLANs. You can enable the Extended SSID option and create up to 16 WLANs. IAP-175, IAP-104 and IAP-105 devices support up to 8 SSIDs, and RAP-3WN, IAP-92, IAP-93, IAP-134 and IAP-135 devices support up to 16 SSIDs. After you enable this option, the number of SSIDs that become active on each IAP depends on the IAP platform.
NOTE: Enabling the Extended SSID option disables mesh.

Enabling the Extended SSID option
To enable the extended SSID option:
1. Click the Settings link at the upper right corner of the Instant WebUI.
2. Click the Show advanced options link.
3. In the General tab, select Enabled from the Extended SSID drop-down list.
4. Click OK.
5. Reboot the AP for the changes to take effect. After you enable the option and reboot, the Wi-Fi link and mesh are disabled automatically.
Figure 49 Enabling Extended SSID [screenshot: Settings window with General, Admin, RTLS, SNMP, OpenDNS and Uplink
[unreadable entry] 139
Configuring MAC Authentication 141
[unreadable entry] 142
Loading Certificates 144
[unreadable entry] 144
Loading Certificate via AirWave 145
[unreadable entry] 146
Server Certificate 146
[unreadable entry] 146
[unreadable entry] 147
Access Tab: Instant User Role Settings 151
[unreadable entry] 152
Creating Role Assignment Rules 153
RADIUS Access-Accept Packets with VSA 155
Configure VSA on a RADIUS Server 156
Configuring RADIUS Attributes on the RADIUS Server 156
Configuring VLAN Derivation Rules on an IAP 157
Configuring VLAN Derivation Using the User Role 158
To Use a Defined User VLAN 158
Configuring VLAN Derivation Rules Using an SSID Profile 159
Access Tab: Instant Firewall Settings 162
Defining Rule: Allow TCP Service to a Particular Network 165
Defining Rule: Allow POP3 Service to a Particular Server 166
Defining Rule: Deny FTP Service Except to a Particular Server 167
Defining Rule: Deny bootp Service Except to a Network 168
Enabling Content Filtering 170
[unreadable entry] 170
G
icates the type of the authentication server (RADIUS or LDAP).
1. Click New to configure an external RADIUS server for a wireless network. See Configuring an External RADIUS Server on page 125 for more information.
2. Click OK to apply the changes.
Figure 196 Authentication Server [screenshot: Policy Enforcement Firewall (PEF) window with Authentication Servers, Users for Internal Server, Blacklisting and PEF Settings tabs]

Users for Internal Server
This section displays the currently defined users for the internal authentication server.
Figure 197 Users for Internal Server [screenshot: PEF > Users for Internal Server tab with an Add new user form containing Username, Password, Retype and Type (Guest) fields]
To add a user:
1. Enter the username in the Username text box.
2. Enter the password in the Password text box and reconfirm.
3. Select the appropriate network type from the Type drop-down list.
4. Click Add and click OK. The users are listed in the Users list. See User Database on page 251 for more information.

Roles
This window consists of the following options:
• Roles: This table displays all the roles defined for all the networks. See User Role on page 157 for more information. A special default role with the same name as the network is
authentication method required to connect to the network.
Key Management: Authentication key type.
IP Assignment: Source of the IP address for the client.

To add a Wi-Fi network, click the New link in the Networks tab. For more information about a wireless network and the procedure to add a wireless network, see Chapter 4, Wireless Network, on page 53.

An edit link appears when you click the network name in the Networks tab. For information about editing a wireless network, see Editing a Network on page 78. To delete a network, click the x link located next to the edit link.

Figure 6: Networks Tab, Compressed View and Expanded View

Access Points Tab

If the Auto Join Mode feature is enabled, a list of enabled and active APs in the Aruba Instant network is displayed in the Access Points tab. The IAP names are displayed as links. If the Auto Join Mode feature is disabled, a New link appears. Click this link to add a new IAP to the network. If an IAP is configured and not active, its MAC address is displayed in red.

The expanded view displays the following information about each IAP:
Name: Name of the a
SNMP: View or specify SNMP agent settings. See Chapter 21, SNMP, for more information.

OpenDNS: Instant supports OpenDNS business solutions, which require an OpenDNS (http://www.opendns.com) account comprising a username and a password. These credentials are used by Instant to access OpenDNS to provide enterprise-level content filtering.

Figure 11: OpenDNS Settings

Note: For OpenDNS to work, enable the Content Filtering feature while creating a new network. Click New in the Networks tab and then select Enabled from the Content filtering drop-down list.

Uplink: View or configure uplink settings. See Chapter 24, Uplink Configuration, for more information.

Enterprise Domains: This tab lists all the DNS domain names that are valid on the enterprise network, which is used to determine how client DNS requests should be routed. When Content Filtering is enabled for the wireless network, names that do not match this list are sent to the OpenDNS server.

Walled Garden: The Walled Garden directs the user's navigation within particular areas to allow access to a selection of websites and
Simplified Chinese and Korean are a few languages that use double-byte characters. Click the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.

Disabling Captive Portal Authentication

To disable captive portal authentication, perform the following steps:
1. In the Network tab, click the guest network for which you want to disable captive portal authentication. The edit link for the network appears.
2. Click the edit link. The Edit window for the network appears.
3. Navigate to the Security tab and select None from the Splash page type drop-down list.

Figure 105: Disabling Captive Portal Authentication

4. Click Next and then click Finish.

External Captive Portal

Aruba Instant supports external captive portal authentication. The external portal can be in the cloud or on a server outside the enterprise network.

Configuring External Captive Portal Authentication when Adding a Guest Network

To configure external captive portal authentication when adding a guest network, perform the following steps:
1. In the Network tab, click the New link. The New WLAN window appears.
2. In the WLAN Settings tab, perform the following:
   1. Enter a name for the netw
radio signals. Available options are 2.4 GHz, 5 GHz, and All. The All option is selected by default; it is also the recommended option.
- Inactivity timeout: Indicates the time in seconds after which an idle client ages out. The minimum value is 60 seconds and the default value is 1000 seconds.
- Hide SSID: Select this check box if you do not want the SSID (network name) to be visible to users.

Note: The Airtime Fairness and Bandwidth limits do not apply to voice traffic.

4. Click Next to continue.
5. Select the required Client IP assignment option: Virtual Controller assigned or Network assigned.

Table 8: Conditions for Client IP and VLAN Assignment

If you select Virtual Controller assigned: The client gets the IP address from the Virtual Controller. The Virtual Controller creates a private subnet and VLAN on the IAP for the wireless clients. The Virtual Controller NATs all traffic that passes out of this interface. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. See Chapter 11, Virtual Controller, on page 121 for configuring the DHCP server.

If you select Network assigned: By default, the client VLAN is assigned to the native VLAN on the wired network.
- Default: The client gets the IP address in the same subnet as the IAPs.
- Static: Select to specify a VLAN for all clients on this network.
- Dynamic: Select to create rules for per-user VLAN assignment. See VL
option from the Key management drop-down list. Available options are:
- WPA-2 Personal
- WPA Personal
- Both (WPA-2 & WPA)
b. Passphrase format: Specify either an alphanumeric or a hexadecimal string. Ensure that a hexadecimal string is exactly 64 digits in length.
c. Passphrase: Enter a pre-shared key (PSK) passphrase.

Figure 47: Configuring a Splash Page, Encryption Settings

You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese and Korean are a few languages that use double-byte characters. Click the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.

6. Use the Acce
specified as Auth failure blacklist time on the Blacklisting tab of the PEF window. See Client Blacklisting on page 239 for more information.
- Classify media: Select this check box if you want to prioritize video and voice traffic. When enabled, deep packet inspection is performed on all non-NATed traffic and the traffic is marked as follows:
  - Video: Priority 5 (Critical)
  - Voice: Priority 6 (Internetwork Control)
- Disable scanning: Select this check box if you want ARM scanning to be paused when this rule is triggered, to optimize performance. This feature only takes effect if ARM scanning is enabled from the ARM tab of the RF dialog.
- DSCP tag: Select this check box if you want to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value between 0 and 63. The higher the value, the higher the priority.
- 802.1p priority: Select this check box if you want to specify an 802.1p priority. Specify a value between 0 and 7. The higher the value, the higher the priority.

Figure 128: Access Tab, Instant Firewall Settings
Table 22 lists the set of service options available in the Instant UI. You can allow or deny access to any or all of these services depending on your requirements.

Table 22: Network Service Options

Service: Description
any: Access is allowed or denied to all services.
custom: Available options are TCP, UDP, and Other. If you select the TCP or UDP option, enter the appropriate port numbers. If you select the Other option, enter the appropriate ID.
adp: Application Distribution Protocol
bootp: Bootstrap Protocol
dhcp: Dynamic Host Configuration Protocol
dns: Domain Name Server
esp: Encapsulating Security Payload
ftp: File Transfer Protocol
gre: Generic Routing Encapsulation
h323-tcp: H.323 Transmission Control Protocol
h323-udp: H.323 User Datagram Protocol
http-proxy2: Hypertext Transfer Protocol proxy2

Table 22: Network Service Options (Continued)

Service: Description
http-proxy3: Hypertext Transfer Protocol proxy3
http: Hypertext Transfer Protocol
https: Hypertext Transfer Protocol Secure
icmp: Internet Co

The continued table also lists the following services: ike, kerberos, l2tp, lpd-tcp, lpd-udp, msrpc-tcp, msrpc-udp, netbios-dgm, netbios-ns, netbios-ssn, ntp, papi, pop3, pptp, rtsp, sccp, sip, sip-tcp, sip-udp, smb-tcp, smb-udp, smtp, snmp, snmp-trap.
Firmware Image Server in Cloud Network

The image check feature allows the IAP to discover new software image versions on a cloud-based image server hosted by Aruba Networks. The location of the image server is fixed and cannot be changed by the user. Aruba manages the image server and ensures that it is loaded with the latest versions of ArubaOS software for its products.

Upgrade using AirWave and Image Server

Aruba Instant supports mixed AP-class Instant deployment, with RAP-3WN/3WNP, IAP-104, IAP-175P/175AC, IAP-92/93, IAP-105 and IAP-134/135 as part of the same Virtual Controller cluster.

Image management using Cloud Server: If the multi-class IAP network is not managed by AirWave, image upgrades can be done through the cloud-based image check feature. When a new IAP joining the network needs to synchronize its software with that of the Virtual Controller and the new IAP is of a different class, the image file for the new IAP is provided by the cloud server.

Image management using AirWave: If the multi-class IAP network is managed by AirWave, image upgrades can only be done through the AirWave UI. Users must upload IAP images for both classes on the AMP server. When a new IAP joining the network needs to synchronize its software with that of the Virtual Controller and the new IAP is of a different class, the image file for the new IAP is provided by AirWave. If the AMP does not have the proper image file, the new AP is
is formed to an AP (home AP) from the client's home network. Each foreign AP has only one home AP per Instant network, to avoid duplication of broadcast traffic. Separate GRE tunnels are created for each foreign AP / home AP pair. If a peer AP is a foreign AP for one client and a home AP for another, two separate GRE tunnels are used to handle L3 roaming traffic between these APs.

If client subnet discovery fails on association for some reason, the foreign AP identifies the client's subnet when the client sends out its first L3 packet. If the subnet is not a local subnet and belongs to another Instant network, the client is treated as an L3 roamed client and all its traffic is forwarded to the home network via a GRE tunnel.

Configuring a mobility domain

To configure a mobility domain, you have to specify the list of all Instant networks that form the mobility domain. In order to allow clients to roam seamlessly among all the APs, specify the Virtual Controller IP for each foreign subnet. You may include the local Instant VC IP address so that the same configuration can be used across all Instant networks in the mobility domain.

Best practice is to configure all client subnets in the mobility domain so that:
- If the client is from the local subnet, it is determined to be a local client as soon as it starts using the IP address, and L3 roaming is aborted.
- If the client is from a foreign subnet, it is
privacy protocol password in the Password text box and retype the password in the Retype text box.
8. Click OK.

To edit the details for a particular user, select the user and click Edit. To delete a particular user, select the user and click Delete.

Figure 144: Creating Users for SNMPv3

SNMP Traps

Aruba Instant supports the configuration of external trap receivers in the Instant UI. Only the IAP acting as the Virtual Controller generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.9.1.200.2.X.

Figure 145: SNMP Traps

To configure an SNMP trap receiver:
1. Ente
the IAP periodically suspends user traffic to try to connect to the VPN on Eth0. If the IAP succeeds, it switches to Eth0. If the IAP does not succeed, it restores the VPN connection on the current uplink. This feature is automatically enabled when a VPN is configured on the IAP.

Uplink Preemption

With this feature, the IAP tries to get a higher-priority link every ten minutes, even if the current uplink is up. This does not affect the current uplink connection. If the higher-priority uplink is usable, the IAP switches over to that uplink. Preemption is enabled by default, and the user can disable it by configuration.

Uplink Preference

Select the type of uplink from the Uplink preference drop-down list under Management. To use a 3G/4G uplink, select 3G/4G from the Uplink preference drop-down list.

Figure 158: Uplink Preference

Note: Uplink preferences can be set manually. This forces the IAP to use that uplink. Switchover and preemption do not work in this configuration.

PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the Internet, typically used with DSL services, where the client connects to the DSL modem. You can use PPPoE for your uplink connectivity in both normal IAP and VPN IAP deployments. PPPoE is supported only in a
the Show advanced options link and perform the following steps:

a. Broadcast/Multicast
- Broadcast filtering: When set to All, the AP drops all broadcast and multicast frames except for DHCP and ARP. When set to ARP, in addition to the above, the IAP converts ARP requests to unicast and sends the frames directly to the associated client. When Disabled, all broadcast and multicast traffic is forwarded.
- DTIM interval: Indicates the DTIM (delivery traffic indication message) period in beacons. You can configure this option for every WLAN SSID profile. The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You may choose to configure a larger DTIM value for power saving.
- Multicast transmission optimization: When Enabled, the IAP chooses the optimal rate for sending broadcast and multicast frames based on the lowest of the unicast rates across all associated clients. The default values are 1 Mbps for the 2.4 GHz band and 6 Mbps for the 5.0 GHz band. Multicast traffic can be sent at up to 24 Mbps when this option is enabled. This option is disabled by default.
- Dynamic multicast optimization: When Enabled, the IAP converts multicast streams into unicast streams over the wireless link. DMO enhances the quality and reliability of streaming video while preserving the bandwidth available to non-video clients.
- DMO channel utilization threshold: When dynamic multicast optimization is ena
classified as Fixed Frequency (Other).

Frequency-hopping cordless phone base units transmit periodic beacon-like frames at all times. When the handsets are not transmitting (i.e., no active phone calls), the cordless base is classified as Frequency Hopper (Cordless Base). When there is an active phone call and one or more handsets are part of the phone conversation, the device is classified as Frequency Hopper (Cordless Network). Cordless phones may operate in the 2.4 GHz or 5 GHz bands. Some phones use both the 2.4 GHz and 5 GHz bands (for example, 5 GHz for base to handset and 2.4 GHz for handset to base). These phones may be classified as unique Frequency Hopper devices on both bands.

The Microsoft Xbox device uses a frequency-hopping protocol in the 2.4 GHz band. These devices are classified as Frequency Hopper (Xbox).

When the classifier detects a frequency hopper that does not fall into one of the above categories, it is classified as Frequency Hopper (Other). Some examples include IEEE 802.11 FHSS devices, game consoles, and cordless hands-free devices that do not use one of the known cordless phone protocols.

Table 16: Non-Wi-Fi Interferer Types (Continued)

Non-Wi-Fi Interferer: Description
Microwave: Common residential microwave ovens with a single magnetron are classified as a Microwave. These types of microwave ovens may be used in cafeterias, break rooms, dormitories and similar environments. Some industrial he
idle client ages out. The minimum value is 60 seconds and the default value is 1000 seconds.
- Hide SSID: Select this check box if you do not want the SSID (network name) to be visible to users.

4. Click Next to continue.
5. Select the required Client IP assignment option: Virtual Controller assigned or Network assigned.

Table 10: Conditions for Client IP and VLAN Assignment

If you select Virtual Controller assigned: The client gets the IP address from the Virtual Controller. The Virtual Controller creates a private subnet and VLAN on the IAP for the wireless clients. The Virtual Controller NATs all traffic that passes out of this interface. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. See Chapter 11, Virtual Controller, on page 121 for configuring the DHCP server.

If you select Network assigned: By default, the client VLAN is assigned to the native VLAN on the wired network.
- Default: The client gets the IP address in the same subnet as the IAPs.
- Static: Select to specify a VLAN for all clients on this network.
- Dynamic: Select to create rules for per-user VLAN assignment. See VLAN Derivation Rule on page 156 for more information.

6. Click Next to continue.
7. This tab allows you to configure the captive portal page and encryption for the Guest network. Select one of the following splash page types (Table
profile configuration.

Figure 149: Ethernet Profile Configuration, Security Tab

5. Click the Access tab and configure the access rule for the profile.

Table 34: Ethernet Downlink Profile Parameters, Access Tab

Field: Description
Access Rules:
- Unrestricted: The user gets unrestricted access on the port.
- Network based: The user is authenticated using the access rules defined here.

The following figure displays the access parameters of the Ethernet profile configuration.

Figure 150: Ethernet Profile Configuration, Access Tab

6. Click New in the Access Rules window to create a new rule and enter the following:

Table 35: Access Rule Parameters

Field: Description
Rule type: Access Control
Action:
- Allow: Allow users based on the access rule.
- Deny: Deny users based on the access rule.
Service: Type of service.
Destination: Specify the destination.
Options: Disable or enable logging.

The following figure displays the parameters of the access rule configuration.

Figure 151: Access Rule Parameters
enabled by default. This rule allows traffic to all destinations.

To define an access rule that allows a TCP service to a particular network:
a. Click New. The New Rule window appears.
b. Select Allow from the Action drop-down list.
c. Select custom from the Service drop-down list. Select TCP from the Protocol drop-down list. Enter the appropriate port number in the Port(s) text box.
d. Select to a network from the Destination drop-down list. Enter the appropriate IP address in the IP text box. Enter the appropriate netmask in the Netmask text box.

Figure 129: Defining Rule, Allow TCP Service to a Particular Network

e. Click OK.
6. Click Finish.

Allow POP3 Service to a Particular Server

1. Click the New link in the Networks tab. To define the access rule for an existing network, click the network. The edit link appears. Click the edit link and navigate to the Access tab.
2. In the Basic Info tab, enter the appropriate information and click Next to
clients.
- Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
- Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.
- Walled Garden: The walled garden directs the user's navigation within particular areas to allow access to a selection of websites or prevent access to other websites. For more information, see Walled Garden Access on page 142.

None: Select this option if you do not want to set captive portal authentication.

Figure 46: Adding a Guest Network, Splash Page Settings

5. Select Enabled from the Encryption drop-down list and perform the following steps (these steps are optional):
a. Select the required key management opt
Blacklisting
Authentication Failure Blacklisting
Session Firewall Based Blacklisting

Manual Blacklisting

Manual blacklisting is the simplest way to add a client to the blacklist. In manual blacklisting, the MAC address of the client has to be known to the user. These clients are added to a permanent blacklist and are not allowed to connect to the network unless they are removed from the blacklist.

Adding a Client to the Manual Blacklist

To add a client to the blacklist manually using the MAC address of the client:
1. Click the PEF link and then select the Blacklisting tab.
2. Click the New button under the Manual Blacklisting window.
3. Enter the MAC address of the client to be blacklisted in the MAC address to add text box.

Figure 203: Manual Blacklisting

4. Click OK. The Blacklisted Since column displays the time at which the current blacklisting started for the client.
5. To delete a client from the manual blacklist, select the MAC address of the client under the Manual Blacklisting window and then click Delete.

Dynamic Blacklisting

Clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication proc
Facility Levels

Aruba Instant supports facility-based logging levels. Syslog Facility is an information field associated with a syslog message. It is an application or operating system component that generates a log message. The following seven facilities are supported by Syslog:
- AP-Debug: Detailed log about the AP device.
- Network: Log about change of network, for example when a new IAP is added to a network.
- Security: Log about network security, for example when a client connects using the wrong password.
- System: Log about configuration and system status.
- User: Important logs about clients.
- User-Debug: Detailed log about clients.
- Wireless: Log about radio.

Table 12 describes the logging levels in order of severity, from most to least severe.

Table 12: Logging Levels
Emergency: Panic conditions that occur when the system becomes unusable.
Alert: Any condition requiring immediate attention and correction.
Critical: Any critical condition, such as a hard drive error.
Errors: Error conditions.
Warning: Warning messages.
Notice: Significant events of a non-critical and normal nature.
Informational: Messages of general interest to system users.
Debug: Messages containing information useful for debugging.

Adding an IAP to the Network

To add an IAP to the Aruba Instant network, assign an IP address. For more information, see Assigning an IP Address to the IAP on page 24.

After an IAP is connected to the network, if th
failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.
- Walled Garden: The walled garden directs the user's navigation within particular areas to allow access to a selection of websites or prevent access to other websites. For more information, see Walled Garden Access on page 142.

Table 11: Conditions for Adding a Guest Network, Security Tab (Continued)

Splash Page Type: Description and steps to set up
External, Authentication Text: An external splash page returns a specified string to indicate successful authentication.
- IP or hostname: Enter the IP or hostname of the external server in the IP or hostname text box.
- URL: Enter the URL of the captive portal page in the URL text box.
- Port: Enter the number of the port to be used for communicating with the external server in the Port text box.
- Auth text: Indicates the text string returned by the external server after a successful authentication.
- Redirect URL: By default, after entering the requested information at the splash page, the user is redirected to the URL that was originally requested. Specify a redirect URL if you want to override the user's original request and redirect them to another URL.
- Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated c
information and click Next to continue.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN. Click Next to continue.
4. Click Next and set appropriate values in the Security tab.
5. Click Next. The Access tab appears. Slide to Role based using the scroll bar on the left.
6. Click New. The New Rule window appears.
7. Enter the name of the new user role. To delete a user role, select the user role and click Delete.

Figure 119: Creating a New User Role

8. Click OK. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To create new access rules, see Examples for Access Rules on page 164.
9. Assign pre-authentication role: Use this option if you want to allow some access to users even before they are authenticated.
10. Enforce Machine Authentication: You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine A
prompt
- Filenames, software devices, and specific commands
Bold: This style is used to emphasize Instant UI elements, for example the name of a text box or the name of a drop-down list.

The following informational icons are used throughout this guide:
- Note: Indicates helpful suggestions, pertinent information, and important things to remember.
- Caution: Indicates a risk of damage to your hardware or loss of data.
- Warning: Indicates a risk of personal injury or death.

Contacting Support

Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
Airheads Social Forums and Knowledge Base: community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free)
International Telephones: 1-408-754-1200; arubanetworks.com/support-services/aruba-support-program/contact-support
Software Licensing Site: licensing.arubanetworks.com/login.php
Wireless Security Incident Response Team (WSIRT): arubanetworks.com/support/wsirt.php
Support Email Addresses:
- Americas and APAC: support@arubanetworks.com
- EMEA: emea-support@arubanetworks.com
- WSIRT Email: wsirt@arubanetworks.com (please email details of any security problem found in an Aruba product)

Chapter 2: Initial Configuration

This chapter provides the information required to set up Aruba Instant and access the Instan
Adaptive Radio Management  173
Channel or Power Assignment  173
Voice Aware Scanning  173
Band Steering Mode  173
Airtime Fairness Mode  174
Airtime Fairness Modes  174
Access Point Control  174
Customize Valid Channels  174
Min Transmit Power  175
Max Transmit Power  175
Wide Channel Bands  175
Monitoring the Network with ARM  175
Configuring Administrator Assigned Radio Settings for IAP  176
Configuring Radio Profiles in Instant  177
Intrusion Detection System  181
Rogue AP Detection and Classification  181
Wireless Intrusion Protection (WIP)  181
SNMP Parameters for AP  187
Hierarchical Deployment  191
Ethernet Downlink  193
Ethernet Downlink Overview  193
Ethernet Downlink Profile Parameters
VLAN Derivation Rule

When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes and sets an attribute value in the reply message, the IAP can analyze the return message and match attributes against a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user.

Figure 123: Configuring RADIUS Attributes on the RADIUS Server
and encryption combinations that should be used in Wi-Fi networks.

Table 20 Recommended Authentication and Encryption Combinations

Network Type                       Authentication                             Encryption
Employee                           802.1X                                     AES
Guest Network                      Captive Portal                             None
Voice Network or Handheld devices  802.1X or PSK, as supported by the device  AES if possible; TKIP or WEP if necessary (combine with restricted policy enforcement firewall (PEF) user role)

Instant 6.1.3.4-3.1.0.0 User Guide

Chapter 14 Role Derivation

Every client in an Aruba Instant network is associated with a user role, which determines the client's network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. This chapter describes creating and assigning roles using the Instant UI.

User Roles

This section describes how to create a new user role.

Figure 118 Access Tab - Instant User Role Settings (New WLAN: WLAN Settings, Access Rules; Access Rules slider More Control / Less Control; Roles: default_wired_port_profile, Instant_RP; Role based / Network based / Unrestricted; Role Assignment Rules; Default role)

Creating a New User Role

To create a new user role:
1. Click the New link in the Networks tab. To define the access rule for an existing network, click the network. The edit link appears. Click the edit link and navigate to the Access tab.
2. In the Basic Info tab, enter the appropriate infor
green. Outgoing traffic is shown above the median line.
- Incoming traffic: Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line.

To see an enlarged view, click the graph. The enlarged view shows Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the client for the last 15 minutes. To see the exact throughput at a particular time, hover the cursor over the graph line.

1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the throughput. The client view appears.
3. Study the Throughput graph in the RF Trends pane. For example, the graph shows 1.0 kbps outgoing traffic throughput for the client at 12:30 hours.

Mobility Trail

The Mobility Trail section displays the following mobility trail information for the selected client:
- Association Time: The time at which the selected client was associated with a particular IAP. The Instant WebUI shows the client-IAP association over the last 15 minutes.
- Access Point: IAP name with which the client was associated.

Mobility information about the client is reset each time it roams from one IAP to another.

Chapter 27 Alert Types and Management

Alert Types

Alerts are generated when a user encounters problems accessing or connecting to the Wi-Fi n
the same subnet.
3. An open SSID, instant, is listed. Connect a laptop to the default and open the instant SSID.

Figure 50 Open Instant SSID (wireless network list showing the open "instant" SSID)

4. Type instant.arubanetworks.com in the browser.
5. Click I understand the risks and Add exception to ignore the certificate warnings that the client does not recognize the certificate authority.

Figure 51 Untrusted Connection Window (This Connection is Untrusted; Technical Details; I Understand the Risks)

6. In the login screen, as shown in Figure 52, enter the following credentials:
   Username: admin
   Password: admin

Figure 52 Login Window (Welcome to Instant; Virtual Controller; Username, Password, Log In)

7. Create a new SSID and wpa-2 personal keys with unrestricted or network based access rules. Select any permit for basic connectivity.
8. Connect a client to the new SSID and disconnect from the instant SSID.
9. All the IAPs show up on the Virtual Controller as shown in Figure 53. Disconnect the IAPs that you want to deploy a
which the Virtual Controller is operating.
- Virtual Controller IP address: Displays the IP address of the Virtual Controller.
- AirWave IP: Displays the IP address of the AirWave server.
- Band: Displays the band in which the Virtual Controller is operating: 2.4 GHz band, 5.4 GHz band, or both.
- Master: Displays the IP address of the Access Point acting as a Virtual Controller.
- OpenDNS Status: Displays the OpenDNS status. If the OpenDNS status is Not connected, make sure you have provided the correct credentials on the OpenDNS tab of the Settings window. In addition, check that the internet connection is up.
- MAS integration: Displays the status of the MAS integration feature.
- Uplink type: Displays the type of uplink (Ethernet or 3G).
- Uplink status: Displays whether the uplink is up or down.

RF Dashboard

The RF Dashboard section displays the following information:
- IP address, Signal, and Speed information about the clients in the Aruba Instant network. If the speed or signal strength of a client is low, the IP address of the client appears as a link. Click the link to monitor the client. For more information, see Client View on page 228.
- Instant Access Points: Utilization, Noise, and Errors information about the IAPs in the Aruba Instant network. If the utilization, noise, or errors of an IAP are not within the specified threshold, the IAP name appears as a link. Click the link to monitor the IAP. For more information, see Instant
nation network to be routed into the VPN tunnel.
- Netmask: Specify the network mask of the network to be routed into the VPN tunnel.
- Gateway: Specify the default gateway to which traffic should be routed. This IP address should be the controller-ip of the controller on which the VPN connection is terminated. See Controller Configuration for VPN on page 259 for more information.

In the example above, the 10.0.0.0/8 network is configured as the corporate destination and is routed through the controller-ip of the primary controller.

9. Click Next to continue.
10. The DHCP Server window appears. Use this table to define DHCP pools of different types based on your deployment modes, as described in the following section.

DHCP Server Configuration

The Virtual Controller (VC) on an Instant AP enables different DHCP pools for various deployment models, in addition to allocating IP subnets to each branch. The following modes of DHCP server are supported:
- Local Subnet: In this mode, the VC assigns an IP address from a configured subnet and forwards traffic to both corporate and non-corporate destinations. This is achieved by appropriately translating the network address (NAT) and forwarding the packet through the IPsec tunnel or through the uplink.
- L2 Switching Mode: In this mode, Instant supports the following two types of L2 switching mode of connection to corporate
nces the quality and reliability of streaming video while preserving the bandwidth available to non-video clients.
- DMO channel utilization threshold: When dynamic multicast optimization is enabled, the IAP converts multicast streams into multicast unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90 and the maximum threshold value is 100. If the threshold value exceeds the maximum value, then the IAP sends multicast traffic over the wireless link.

b. Bandwidth Limits: You can specify three types of bandwidth limits:
- Airtime: Indicates the aggregate amount of airtime that all clients on this network can use to send and receive data.
- Each user: Indicates the throughput for any single user on this network. The throughput value is specified in kbps.
- Each radio: Indicates the aggregate amount of throughput each radio (some AP models have multiple radios) is allowed to provide for all clients connected to that radio.

c. Transmit Rates: Indicates the ability to configure the basic and supported rates per SSID for Aruba Instant. Select to set the minimum and maximum legacy (non-802.11n) transmit rates for each band (2.4 GHz and 5 GHz).

d. Miscellaneous:
- Content filtering: When enabled, all DNS requests to non-corporate domains on this wireless network are sent to OpenDNS.
- Band: Set the band at which the network transmits rad
Figure (L3 Mobility settings): Virtual Controller IP Addresses; Subnets: IP address, Subnet mask, VLAN ID, Virtual controller IP; Hide advanced options; OK, Cancel

Chapter 9 Spectrum Monitor

Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference. The spectrum monitor software modules on IAPs that support this feature are able to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, identify interference, and classify its sources. An analysis of the results can then be used to quickly isolate issues with packet transmission, channel quality, and traffic congestion caused by contention with other devices operating in the same band or channel.

Spectrum monitors (SMs) are IAP radios that gather spectrum data but do not service clients. Each SM scans and analyzes the spectrum band used by the SM's radio (2.4 GHz or 5 GHz). An AP radio in hybrid AP mode continues to serve clients as an access point while it analyzes spectrum analysis data for the channel the radio uses to serve clients. You can record data for both types of spectrum monitor devices. However, the recorded spectrum is not reported to the Virtual Controller. A spectrum aler
nding the Instant UI Layout

The Instant UI consists of the following elements:
- Banner
- Search
- Tabs
- Links
- Views

These elements are explained in the following sections.

Figure 5 Instant UI Interface (Settings, RF, PEF, WIP, VPN, Wired, Maintenance, Support, Help, Logout links; Networks, Access Points, and Clients tabs; Monitoring, IDS, and Configuration views; Info pane: Name Instant-C4:01:78, Virtual Controller IP 0.0.0.0, Band All, Master 10.17.115.1, OpenDNS status Not connected, MAS integration Enabled, Uplink type Ethernet, Uplink status Up; RF Dashboard; Usage Trends: Clients and Throughput (bps) graphs; AirWave Status Not Set Up, Set Up Now; Pause)

Banner

The banner is a horizontal grey rectangle that appears at the top left corner of the Instant UI. It displays the company name, logo, and the Virtual Controller's name.

Search

Administrators can search an IAP, client, or network using a simple Search window in the Instant UI. This Search opti
neral, Radio, Uplink; Uplink Management VLAN; Eth0 Bridging Disabled / Enabled; OK, Cancel)

Click OK.

Enabling wired bridging on this port of the IAP makes the port available as a downlink wired bridge and allows client access via the port. You can also use the port to connect a wired device when a 3G uplink is used.

NOTE: Reboot the IAP after the bridging is set for the configuration to take effect.

Migrating to a Mobility Controller Managed Network

An IAP can be provisioned as a Campus AP (CAP) or Remote AP (RAP) in a controller-based network. Before converting the IAP, ensure that both the IAP and controller are configured to operate in the same regulatory domain.

Converting an IAP to RAP Mode

For RAP conversion, the Virtual Controller sends the RAP convert command to all the other IAPs. The Virtual Controller, along with the other slave IAPs, then sets up a VPN tunnel to the remote controller and downloads the firmware by FTP. The Virtual Controller uses IPsec to communicate with the Mobility Controller over the internet.

If the IAP gets AirWave information via DHCP (Option 43 and Option 60), it establishes an HTTPS connection to the AirWave server, downloads the configuration, and operates in IAP mode. If the IAP does not get AirWave information via DHCP provisioning, it tries provisioning via a firmware image server in the cloud (sends serial number and MAC address). If an
Configuring Internal Captive Portal Authentication when Adding a Guest Network  131
Configuring Internal Captive Portal Authentication when Editing a Guest Network  133
Configuring Internal Captive Portal with External RADIUS Server Authentication when Adding a Guest Network  133
Customizing a Splash Page  134
Disabling Captive Portal Authentication  135
External Captive Portal  136
Configuring External Captive Portal Authentication when Adding a Guest Network  136
Configuring External Captive Portal Authentication when Editing a Guest Network  138
External Captive Portal Authentication using ClearPass Guest  140
Creating a Web Login page in the ClearPass Guest  140
Configuring the RADIUS Server in Instant  140
MAC Authentication  141
Configuring MAC Authentication  141
Walled Garden Access  142
Creating a Walled Garden Access  142
Wired Authentication  143
Loading Certificates using Instant WebUI  144
Loading Certificates using AirWave  145
Chapter 13  149
Encryption Types Supported in Aruba Instant  149
WEP  149
TKIP  149
AES  149
Encryption Recommendations  149
Unders
ng parameters for Distributed L2 mode DHCP pool:
- Name: Name of the subnet; must be unique.
- Type: Indicates the type of DHCP server. Available options are Local, Distributed L3, Distributed L2, and Centralized L2. Distributed L2 implies that this is a Distributed mode L2 DHCP subnet.
- VLAN: VLAN ID of the subnet. This needs to be referenced in the SSID configuration to make use of this subnet.
- Network: Network to be used for this subnet.
- Netmask: Net mask of the subnet. This, along with Network, determines the size of the subnet.
- Excluded address: This determines the exclusion range of the subnet. Based on the size of the subnet and the value configured here (its location within the subnet scope), this is used to exclude either the IP addresses before this IP or the IP addresses after this IP. This is an optional field.
- Default router: Default router for the subnet. This is an IP address on or behind the controller in the same subnet.
- Client count: This, along with the network and mask, determines how many branches can be supported. For the current phase of IAP, it is important that this value is configured consistently across all branches.
- DNS server: An optional field which defines the DNS server.
- Domain name: An optional field which defines the domain name.
- Lease time: An optional field which defines the lease time for the client.

2. Click OK to apply these changes.

Figure 210
Usage Trends Section in the Monitoring Pane  46
Channel Metrics for the 2.4 GHz Radio Channel  47
Channel Metrics for the 5 GHz Radio Channel  47
Channel Details Information  48
AirWave Setup Link - AirWave Configuration  52
Adding an Employee Network - Basic Info Tab  54
Adding an Employee Network - VLAN Tab  56
Employee Security Tab - Enterprise  57
Employee Security Tab - Personal  60
Employee Security Tab - Open  62
Adding an Employee Network - Access Rules Tab  63
Adding a Voice Network - Basic Info Tab  64
Voice Security Tab - Enterprise  66
Adding a Voice Network - Access Rules Tab  70
nnel Bands: This feature allows administrators to configure 40 MHz channels in the 2.4 GHz and 5.0 GHz bands. 40 MHz channels are essentially two 20 MHz adjacent channels that are bonded together. A 40 MHz channel effectively doubles the frequency bandwidth available for data transmission.

Monitoring the Network with ARM

When ARM is enabled, an IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and provides reports for network (WLAN) coverage, interference, and intrusion detection to a Virtual Controller.

ARM Metrics

ARM computes coverage and interference metrics for each valid channel and chooses the best performing channel and transmit power settings for each IAP RF environment. Each IAP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state.

Configuring Administrator Assigned Radio Settings for IAP

Adaptive Radio Management (ARM) is enabled on Aruba Instant by default. It automatically assigns appropriate channel and power settings for the IAPs. To manually configure radio settings:
1. In the Access Points tab, click the AP for which you want to enable ARM. The edit link appears.
2. Click the edit link. The Edit AP window appears.
3. Click the Radio tab.

Figure 137 Configuring Administrator Assigned Radio Settings for IAP (Edit Access Point d8:c7:c8:c4:01:78: General, R
Settings  32
Maintenance  38
Alerts  48
AirWave Setup  51
Pause/Resume  52
Chapter 4 Wireless Network  53
Employee Network  53
Adding an Employee Network  53
Voice Network  63
Adding a Voice Network  63
Guest Network  70
Adding a Guest Network  70
Deleting a Network  78
Number of WLAN SSIDs  78
Enabling the Extended SSID option  79
Chapter 5 Mesh Network  81
Mesh Instant Access Points  81
Mesh Portals  81
Mesh Points  82
Chapter 6  85
Auto Join Mode  85
Disabling Auto Join Mode  85
Deny Inter User Bridging and Deny Local Routing  88
Syslog Facility Levels
nsure that the hexadecimal string is exactly 64 digits in length.
- Passphrase: Enter a pre-shared key (PSK) passphrase.
- External splash page: An external server is used to display the splash page to the user. If this option is selected, then do the following:
  - IP or hostname: Enter the IP or hostname of the external server in the IP or hostname text box.
  - URL: Enter the URL of the captive portal page in the URL text box.
  - Port: Enter the number of the port to be used for communicating with the external server in the Port text box.
  - Redirect URL: By default, after entering the requested information at the splash page, the user is redirected to the URL that was originally requested. Specify a redirect URL if you want to override the user's original request and redirect them to another URL.
- Auth server 1: Select the required Authentication server 1 option from the drop-down list. Available options are:
  - New: If you select this option, then an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Configuring an External RADIUS Server on page 125.
- Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
- Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
- Max authentication fai
ntication failures; Internal server; Less Secure; Enabled; No certificate / Upload certificate; Help, Back, Next, Cancel)

8. Click Next to continue.
9. Use the Access Rules page to specify optional access rules for this network.
   1. Network based: Set the slider to Network based if you want the same rules to apply to all users. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. Instant Firewall treats packets based on the first rule matched. For more information, see Chapter 16, Instant Firewall.
      To edit the default rule:
      a. Select the rule and then click Edit.
      b. Select appropriate options in the Edit Rule window and click OK.
      To define an access rule:
      a. Click New.
      b. Select appropriate options in the New Rule window.
      c. Click OK.
   2. Role based: Select Role based if you want to specify per-user access rules. See Creating a New User Role on page 151 for more information.
   3. Unrestricted: Select this to set no restrictions on access based on destination or type of traffic.
10. Click Finish. The network is added and listed in the Networks tab.

Figure 41 Adding an Employee Network - Access Rules Tab (New WLAN: WLAN Settings, Security, Access Rules; More Control; Access Rules: 1 Allow any to all destinations; Role based
ntrol Message Protocol
- Internet Key Exchange
- Computer network authentication protocol
- Layer 2 Tunneling Protocol
- Line Printer Daemon protocol (Transmission Control Protocol)
- Line Printer Daemon protocol (User Datagram Protocol)
- Microsoft Remote Procedure Call (Transmission Control Protocol)
- Microsoft Remote Procedure Call (User Datagram Protocol)
- Network Basic Input/Output System Datagram Service
- Network Basic Input/Output System Name Service
- Network Basic Input/Output System Session Service
- Network Time Protocol
- Point of Access for Providers of Information
- Post Office Protocol 3
- Point-to-Point Tunneling Protocol
- Real Time Streaming Protocol
- Skinny Call Control Protocol
- Session Initiation Protocol
- Session Initiation Protocol (Transmission Control Protocol)
- Session Initiation Protocol (User Datagram Protocol)
- Server Message Block (Transmission Control Protocol)
- Server Message Block (User Datagram Protocol)
- Simple mail transfer protocol
- Simple network management protocol
- Simple network management protocol trap

Table 22 Network Service Options (Continued)

Service  Description
svp      Software Validation Protocol
tftp     Trivial file transfer protocol

Destination Options

Table 23 lists the destination options available in the Instant UI. You can allow or deny access to any or all of these destinations depending on your requirements.

Table 23 Destination Options

To all destinations  Access is allowed or denied
nts detected by the IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client association. The IAP view appears.
3. Study the Neighboring Clients graph in the Overview pane. For example, the graph shows that 20 interfering clients were detected by the IAP at 12:15 hours.

To check the free memory of the IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client association. The IAP view appears.
3. Study the Memory free graph in the Overview pane. For example, the graph shows that the free memory of the IAP is 64 MB at 12:13 hours.

To check the number of clients associated with the IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client association. The IAP view appears.
3. Study the Clients graph. For example, the graph shows that six clients are associated with the IAP at 12:11 hours.

To check the throughput of the selected IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the
nversion: "The AP 00:24:6c:c2:e9:b3 will reboot into standalone mode. It will no longer join with other APs to form networks. Do you want to continue?" Convert Now / Cancel)

3. Select Standalone AP from the drop-down list.
4. Select the Access Point from the drop-down list.
5. Click Convert Now to complete the conversion.
6. After the conversion, the Access Point specified in the Instant UI operates in standalone mode.

Converting back to an IAP

The reset button located on the rear of an IAP can be used to reset the IAP to factory default settings. If you have converted your IAP to a campus AP or a Remote AP, pressing the reset button converts it back to an IAP. To reset an IAP, follow the instructions below:
1. Power off the IAP.
2. Press and hold the reset button using a small, narrow object such as a paperclip.
3. Power on the IAP without releasing the reset button. The power LED flashes within 5 seconds, indicating that the reset is completed.
4. Release the reset button. The IAP then boots with the factory default settings.

These IAP platforms support the reset button: IAP-92, IAP-93, IAP-104, IAP-105, IAP-134, IAP-135, RAP-3WN, RAP-3WNP.

NOTE: IAP-175P and IAP-175AC do not have reset buttons. Please contact Aruba support for the backward conversion process on these IAPs.

Rebooting the IAP

If you encounter any problem with the IAPs, you can reboot all IAPs or selected IAPs in a network using the Instant UI. To r
236. o dynamically elect an IAP to take on VC role allow graceful failover to a new Virtual Controller when the existing VC is down and avoid race conditions This protocol ensures stability of the network during initial startup or when the VC goes down by allowing only one IAP to self elect as a VC Virtual Controller IP Address You can specify a single static IP address that can be used to manage a multi AP Aruba Instant network This IP address is automatically provisioned on shadow interface on the IAP that takes the role of Virtual Controller When an IAP becomes a Virtual Controller it sends three Address Resolution Protocol ARP messages with the static IP address and its own MAC address to update the network ARP cache Specifying Name and IP Address for the Virtual Controller To specify name and IP address for the Virtual Controller 1 At the top right corner of the Instant WebUI click the Settings link The Settings window appears Figure 96 Specifying Virtual Controller Name and IP Address Settings Help General Admin RTLS SNMP OpenDNS Uplink Enterprise Domains Walled Garden Syslog L3 Mobility Name Instant C4 01 78 Auto join mode Enabled v Virtual Controller IP 0 0 0 0 Terminal access Disabled x Dynamic RADIUS proxy Disabled v LED display Enabled v MAS integration
237. on Close Image file Select to directly upload an image file This method is only available for single class IAPS Example Arubalnstant Orion 6 1 3 4 3 1 0 0 xxxx a Example Arubalnstant Cassiopeia 6 1 3 4 3 1 0 0 xxxx Image URL Select obtain the image file from a TFTP FTP and HTTP URL 3 The following examples describe the image file format for two different classes of IAPs TFTP URL for IAP 135 134 tftp 10 64 147 8 Arubalnstant Cassiopeia 6 1 3 4 3 1 0 0 xxxx URL for IAP 105 92 93 tftp 10 64 147 8 Arubalnstant Orion 6 1 3 4 3 1 0 0 xxxx m E ftp 10 64 147 8 Arubalnstant Cassiopeia 6 1 3 4 3 1 0 0 xxxx E Instant 6 1 3 4 3 1 0 0 User Guide Managing IAPs 103 ftp 10 64 147 8 Arubalnstant Orion 6 1 3 4 3 1 0 0 xxxx HTTP http 10 64 160 42 Arubalnstant Cassiopeia 6 1 3 4 3 1 0 0 xxxx http 10 64 160 42 Arubalnstant Orion 6 1 8 4 3 1 0 0 xxxx 2 Click Upgrade Now to upgrade the IAP to the newer version Automatic 1 Click Check for New Version to automatically check for images on the Aruba image server in the cloud The field is replaced with the Image Check in Progress message After the image check is completed one of the following messages appears No new version available If there is no new version available Image server timed out Connection or session between the image server and the IAP is timed out Image server failure If the image server does not respond
238. on The IAP with the valid uplink connection is the mesh portal The mesh portal may also act as a Virtual Controller The un wired IAPs are mesh points If two IAPs have valid uplink connections there is redundancy in the mesh network and most mesh points try to mesh directly with one of the two portals However depending on actual deployment and RF environment some mesh points may mesh through other intermediate mesh points In an Instant mesh network the maximum hop count is two nodes point gt point gt portal and the maximum number of mesh points per mesh portal is eight Mesh IAPs learn about their environment when they boot up Mesh IAPs can act as a mesh portal MPP an IAP that uses its uplink connection to reach the controller a mesh point MP or an IAP that establishes an all wireless path to the mesh portal Mesh IAPs locate and associate with their nearest neighbor which provides the best path to the mesh portal Mesh portals and mesh points are also known as mesh nodes a generic term used to describe IAPs configured for mesh Instant mesh functionality is supported only on dual radio IAPs and not on single radio IAPs On dual radio IAPs the 5 GHz radio is always used for both mesh backhaul and client traffic while the 2 4 GHz radio is always used for client traffic only Mesh service is automatically enabled on 802 11a band for dual radio IAP only and this is not configurable The only limitation is that it has to
239. on Standard AES encryption TKIP TKIP uses the same encryption algorithm as WEP but TKIP is much more secure and has an additional message integrity check MIC Recently some cracks have begun to appear in the TKIP encryption methods Aruba recommends that all users migrate from TKIP to AES as soon as possible AES The Advanced Encryption Standard AES encryption algorithm is now widely supported and is the recommended encryption type for all wireless networks that contain any confidential data AES in Wi Fi leverages 802 1X or PSKs to generate per station Keys for all devices AES provides a high level of security similar to what is used by IP Security IPsec clients Aruba recommends that all devices that cannot support AES be upgraded or replaced so that they are capable of AES encryption WEP and TKIP are limited to WLAN connection speed of 54 Mbps For 802 11n connection only AES encryption is supported Encryption Recommendations Aruba recommendations for encryption on Wi Fi networks are as follows e WEP Not recommended e TKIP Not recommended e AES Recommended for all deployments Understanding WPA and WPA2 The Wi Fi Alliance created the Wi Fi Protected Access WPA and WPA2 certifications to describe the 802 111 standard The standard was written to replace WEP which was found to have numerous security flaws It took longer than expected to complete the standard so WPA was created based on a draft of 802 11
240. on examples for Microsoft OCS and Apple Facetime applications 238 Policy Enforcement Firewall Instant 6 1 3 4 3 1 0 0 User Guide Figure 200 Classify Media Microsoft OCS Fdit Lync Help WLAN Settings Access Rules More Lync port Control Access Rules 6 Allow dhcp to all destinations classify media Allow https to all destinations classify media OG Allow http to all destinations classify media Allow UDP on port 5061 to all destinations classify media UDP 5061 UDP 67 68 TCP 443 Role based TCP 80 Network based Allow any to all destinations Unrestricted p FE I Edit Rule Allow sips to all destinations classify media Rule type Action Destination Service Less Access control Taj Allow sips to all destinations Control Options Cl kog Classify media DSCP tag C Blacklist Disable scanning 1802 ip priority Finish Cancel Figure 201 Classify Media Apple Facetime Edit facetime WLAN Settings VLAN KA Security Access Rules Facetime port More Baran RSI JDP 16393 16402 i JDP 16384 16402 Allow UDP on ports 16384 16387 to all destinations classify media Role based CP 5223 Allow TCP on port 5223 to all destinations classify media Allow UDP on ports 3478 3497 to all destinations classify media UDP 3478 3497 Allow https to all destinations classify media TCP 443
241. on helps fill in the blank: when you type in a word, suggested matches are automatically displayed in a dynamic list. The list is more relevant and detailed when more keywords are typed in. This is similar to the auto-complete feature of Google Search.

Tabs: The Instant UI consists of the following tabs:
• Networks: Provides information about the Wi-Fi networks in the Aruba Instant network.
• Access Points: Provides information about the IAPs in the Instant network.
• Clients: Provides information about the clients in the Instant network.

Each tab appears in a compressed view by default. A number specifying the number of networks, IAPs, or clients in the network precedes the tab names. Click on the tabs to see the expanded view, and click again to compress the expanded view. Items in each tab are associated with a triangle icon. Click on the triangle icon to sort the data in increasing or decreasing order. Each tab is explained in the following sections.

Networks Tab: This tab displays a list of Wi-Fi networks that are configured in the Aruba Instant network. The network names appear as links. The expanded view displays the following information about each Wi-Fi network:
• Name: Name of the network.
• Clients: Number of clients that are connected to the network.
• Type: Network type (Employee, Guest, or Voice).
• Band: Band in which the network is broadcast (2.4 GHz band, 5 GHz band, or both).
• Authentication Method: Authent
242. onfiguration. This defines the server used to authenticate the IAP (internal or an external server) and the role for the IAP user. This role is used to define the src-nat rule to the RADIUS server to allow Dynamic RADIUS proxy.

(Aruba3400) (config) #ip access-list session iaprole
(Aruba3400) (config-sess-iaprole)#any host <radius-server-ip> any src-nat
(Aruba3400) (config-sess-iaprole)#any any any permit
(Aruba3400) (config-sess-iaprole)#!

[Controller WebUI screenshot: Security > User Roles > Edit Role (iaprole) > Edit Session (iaprole), showing three session ACL entries: IPv4 any host 10.13.6.110 any src-nat; IPv4 any host 10.15.72.10 any src-nat; IPv4 any any any permit.]

(Aruba3400) (config) #user-role iaprole
(Aruba3400) (config-role) #session-acl iaprole
(Aruba3400) (config-role) #!

Se
243. onnection in the User field.
d. In the Password and Retype fields, enter the PPPoE password and confirm it.
4. Click OK.
5. Reboot the IAP for the configuration to take effect.

Figure 159: PPPoE Settings. [Screenshot of the PPPoE settings dialog.]

Chapter 25: AirWave Integration and Management

AirWave is a powerful and easy-to-use network operations system that manages Aruba wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers. With its easy-to-use interface, AirWave provides real-time monitoring, proactive alerts, historical reporting, and fast, efficient troubleshooting. It also offers tools that manage RF coverage, strengthen wireless security, and demonstrate regulatory compliance.

Aruba IAPs communicate with AirWave using the HTTPS protocol. This allows an AirWave server to be deployed in the cloud, across a NAT device such as a router.

AirWave Features: This section describes the AirWave features that are available in the Aruba Instant network.

Image Management: AirWave allows you to manage firmware updates on WLAN devices by defining a minimum acceptable firmware version for each make and model of a device. It remotely distributes the firmware image to the WLAN devices that require updates, and it schedules the firmware updates
244. ontroller assigned network. This domain name applies for Content Filtering.
2. Navigate to Settings > General > click Show advanced options > Enterprise Domains to configure a domain name for Content Filtering.

Figure 133: Enabling Content Filtering. [Screenshot of the New WLAN > WLAN Settings dialog with advanced options shown: Name (SSID), Primary usage (Employee, Voice, Guest); Bandwidth Limits (Airtime, Each user); Transmit Rates (2.4 GHz Min 1, Max 54; 5 GHz Min 6, Max 54); Broadcast/Multicast (Broadcast filtering, DTIM interval, Multicast transmission optimization, Dynamic multicast optimization, DMO client threshold, DMO channel utilization threshold); Miscellaneous (Content filtering, Band, Inactivity timeout 1000 secs, Hide SSID).]

The content filtering configuration applies to all the IAPs in the Aruba Instant network, and the service is enabled or disabled globally across all the wireless networks that are configured in the Aruba Instant WebUI.

Enterprise Domains: The Enterprise Domain Names list displays all the DNS domain names that are valid on the enterprise network. This list is used to determine how client DNS requests should be routed. When Content Filtering is enabled for the wireless network
245. onvert an IAP to Campus AP, do the following:
1. Navigate to the Maintenance tab in the top right corner of the Instant UI.
2. Click the Convert tab.

Figure 71: Converting an IAP to CAP. [Screenshot of the Maintenance > Convert tab: Hostname or IP Address of Mobility Controller; "After conversion, all Access Points will be managed by the Controller specified above."]

3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. This is provided by your network administrator. Ensure the Mobility Controller IP Address is reachable by the IAPs.
5. Click Convert Now to complete the conversion.

Converting an IAP to Standalone Mode: This feature allows you to deploy an Instant AP as an autonomous AP, which is a separate entity from the existing Virtual Controller cluster in the same Layer 2 domain.
1. Navigate to the Maintenance tab in the top right corner of the Instant UI.
2. Click the Convert tab.

Figure 72: Standalone AP Conversion. [Screenshot of the Maintenance > Convert tab: "Convert one or more Access Points to Standalone AP"; Access Point to convert: 00:24:6c:c2:e9:b3; "After conversion, the Access Point specified above will operate in standalone mode."]

Confirm Access Point Co
246. opriate port on the PoE midspan.
AC-to-DC power adapter: Connect the 12V DC power jack socket to the AC-to-DC power adapter.

Assigning an IP Address to the IAP: The IAP needs an IP address for network connectivity. When you connect the IAP to a network, the IAP receives an IP address from a DHCP server. To get an IP address for an IAP:
1. Connect the ENET port of the IAP to a switch or router using an Ethernet cable. Ensure that the DHCP service is enabled on the network.
2. Connect the IAP to a power source. The IAP receives an IP address provided by the switch or router.

After the IAP starts up, the IAP tries to connect to the DHCP server if the static IP configuration is not available. If DHCP times out, a default IP within the 169.254.x.y/16 subnet is configured on the IAP. The DHCP client still continues to run, so that when the DHCP service recovers, the IAP gets a valid IP address and reboots. In addition, you can manually assign a static IP without the support of DHCP after the IAP comes up with the 169.254.x.y/16 subnet.

Connecting to a Provisioning Wi-Fi Network: To connect to a provisioning Wi-Fi network:
1. Connect a wireless-enabled client to a provisioning Wi-Fi network. The provisioning network is called instant.
2. In the Microsoft Windows operating system, click the wireless network connection icon in the system tray. The Wireless Network Connection window appears.
3. Click on the instant network and click Connect.
4. In the M
247. or information on MAS integration, see Chapter 7, Mobility Access Switch Integration.

Admin: View or edit the admin credentials for access to the Virtual Controller Management User Interface. See Management Authentication Settings on page 130 for more information. You can also configure AirWave in this tab. See Configuring AirWave on page 207 for more information.

RTLS: View or edit the RTLS server settings.
• Aruba RTLS: Enable this to integrate with the AirWave Management platform, Ekahau Real Time Location Server, and Nearbuy Real Time Location Server. Specify the IP address and port number of the server to which location reports are sent, a shared secret key, and the frequency at which packets are sent to the server. Update indicates how frequently the Virtual Controller updates the RTLS server.
• Aeroscout: Enables the AP to send RFID tag information to an AeroScout real-time asset location (RTLS) server. Specify the IP address and port number of the AeroScout server to which location reports should be sent.

Figure 10: RTLS Settings. [Screenshot of the Settings > RTLS tab: Aruba RTLS (IP address 0.0.0.0, Port, Passphrase and Retype, Update every 30 seconds); Aeroscout (IP address 0.0.0.0, Port).]
248. or PKCS#12 format with passphrase (PSK); CA certificate: PEM or DER format. There are two ways to upload the certificates:
1. Instant WebUI: Navigate to Maintenance > Certificates and then click Upload New Certificate to directly upload the certificate. Refer to Loading Certificates using Instant WebUI for further instructions.
2. AirWave: Navigate to Device Setup > Certificate and then click Add New Certificate. Refer to Loading Certificates using AirWave for further instructions.

Loading Certificates using Instant WebUI: To load a certificate in the Instant UI:
1. Navigate to the Maintenance > Certificates page.

Figure 111: Loading Certificates. [Screenshot of the Maintenance > Certificates tab showing the Default Server Certificate: Version 3; Serial Number 01:DA:52; Issuer C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust; Issued On 2011-05-11 01:22:10; Expires On 2017-08-11 04:40:59; Signed Using SHA1. The Upload New Certificate pane notes that certificates affect which authentication protocols are used: No cert: LEAP; Server cert: PEAP, TTLS; Server and CA certs: TLS.]

2. Click Upload New Certificate, and the New Certificate window appears.

Figure 112: New Certificate.
249. or prevent access to other websites. For more information, see Walled Garden Access on page 142.

Syslog: View or specify a Syslog Server for sending syslog messages to the external servers. See Syslog Server on page 89 for more information.

L3 Mobility: View or configure the Layer 3 mobility settings. See Layer 3 Mobility on page 107 for more information.

RF: This link displays the configuration parameters for Adaptive Radio Management (ARM) and Radio features.

Figure 12: RF. [Screenshot of the RF > ARM tab: Client Control (Band steering mode: Prefer 5Ghz; Airtime fairness mode: Fair Access); Access Point Control (Customize valid channels; Min transmit power: 18; Max transmit power: Max; Client aware: Enabled; Scanning: Enabled; Wide channel bands: 5GHz).]

• ARM: View or assign channel and power settings for all the IAPs in the network. For information about ARM (Adaptive Radio Management), see ARM Features on page 173.
• Radio: View or configure radio settings for the 2.4 GHz and the 5 GHz radio profiles. For information about Radio, see Configuring Radio Profiles in Instant on page 177.

PEF: This link displays the following features:

Figure 13: PEF (Policy Enforcement Firewall). Tabs shown: Authentication Servers, Users for Internal Serve
250. ork in the Name (SSID) text box.
2. Select Guest and click Next to continue.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN.
4. Click Next to continue.
5. In the Security tab, select External Authentication Text from the Splash page type drop-down list and enter the Auth text. This entry is not mandatory. The Authentication text indicates the text string returned by the external server after a successful authentication. Or, select External RADIUS Server from the Splash page type drop-down list and select New from Auth server 1 and Auth server 2 to add a RADIUS server.
  1. IP or hostname: Enter the IP address or the hostname of the external splash page server.
  2. URL: Enter the URL for the external splash page server.
  3. Port: Enter the number of the port to be used for communicating with the external splash page server.
  4. Redirect URL: Specify a redirect URL if you want to override the user's original request and redirect them to another URL.

Figure 106: External Captive Portal when Adding a Guest Network (External RADIUS Server). [Screenshot of the New WLAN > Security tab: Splash page type: External RADIUS Server; External splash page: IP or hostname (localhost), URL, Port; Auth server 1 and Auth server 2 (Select Server); Reauth interval 0.]
251. ot receive data from this client because the integrity check of the received message (MIC) has failed.
This client did not receive a response to its DHCP request in time.

Corrective Actions:
• If the IAP is using the internal RADIUS server, recommend checking the related configuration as well as the installed certificate and passphrase. If the IAP is using an external RADIUS server, check if there are any issues with the RADIUS server and try connecting again.
• Ascertain the correct authentication credentials and log in again.
• Check the encryption setting on the client and on the IAP.
• Check the status of the DHCP server in the network.

Chapter 28: Policy Enforcement Firewall

Aruba's Policy Enforcement Firewall (PEF) module for Aruba Instant provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. The PEF window displays the external and internal authentication servers, the currently defined roles for all the networks, and blacklisted clients, and lets you enable or disable the protocols for ALG. Navigate to the PEF link at the top right corner of the Instant WebUI to view the following features:

Authentication Servers: This section displays the currently defined external authentication servers.
• Name: Indicates the name of the external authentication server.
• Type: Ind
252. p-down list.

Figure 81: Enabling MAS Integration with an IAP. [Screenshot of the Settings > General tab: Name Instant-C4:01:78; Virtual Controller IP 0.0.0.0; Dynamic RADIUS proxy Disabled; NTP server; Timezone International Date Line; Preferred band All; Show advanced options.]

Viewing the MAS Integration Status: The user can view the current status of the MAS integration in the Instant UI under the Info tab.

Figure 82: MAS Integration Status. [Screenshot of the Info pane: Name Instant-C4:01:78; Country code IN; Virtual Controller IP 0.0.0.0; AirWave IP 0.0.0.0; AirWave backup IP 0.0.0.0; Band All; Master 10.17.115.1; OpenDNS status Not connected; MAS integration; Uplink type Ethernet; Uplink status Up.]

Chapter 8: Layer 3 Mobility

IAPs form a single Instant network when they are in the same L2 domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client should be allowed to roam away from the Instant network to which it first connected (home network) to another Instant network supporting the same WLAN access parameters (foreign network) and continue its existing sessions. Layer 3 mobility allows a client to roam without losing its IP address and sessions. If WLAN access paramete
253. pe 10.169.137.0 [Screenshot of the Windows Server DHCP console listing scopes 10.169.137.0 through 10.169.159.0, all Active, with the Server Options node selected.]

6. Select 060 Aruba Instant AP in the Server Options window and enter ArubaInstantAP in the String Value.

Figure 166: Instant and DHCP options for AirWave - 060 Aruba Instant AP in Server Options. [Screenshot of the Windows Server Manager DHCP console showing the scope tree (Address Pool, Address Leases, Reservations, and Scope Options under each scope from 10.169.137.0 to 10.169.158.0) and the Server Options node.]
254. pes to inter-operate at the highest performance levels.

ARM Features: This section describes ARM features that are available in Aruba Instant.

Channel or Power Assignment: This feature automatically assigns channel and power settings for all the IAPs in the network according to changes in the RF environment. This feature automates many setup tasks during network installation and during ongoing operations when RF conditions change.

Voice Aware Scanning: This feature stops an IAP supporting an active voice call from scanning for other channels in the RF spectrum. The IAP resumes scanning when no more active voice calls are present on that IAP. This significantly improves the voice quality when a call is in progress, while simultaneously delivering automated RF management functions.

Load Aware Scanning: This feature dynamically adjusts scanning behavior to maintain uninterrupted data transfer on resource-intensive systems when the network traffic exceeds a predefined threshold. The APs resume complete monitoring scans when the traffic drops to the normal levels.

Band Steering Mode: This feature moves dual-band capable clients to stay on the 5 GHz band on dual-band IAPs. This feature reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. Band steering supports the following three different band steering modes:
• Prefer 5 GHz: If yo
255. ption for this network.

Usage Trends: The Usage Trends section displays the following graphs for the selected network:

Clients: Figure 176: Clients Graph. [Graph of the client count over the last minutes, with Last, Min, Max, and Avg statistics.]

Throughput: Figure 177: Throughput Graph. [Graph of throughput in kbps, Out and In, with Last, Min, Max, and Avg statistics.]

For more information about the graphs in the network view and for monitoring procedures, see Table 38.

Table 38: Network View Graphs and Monitoring Procedures
• Clients: The Clients graph shows the number of clients associated with the network for the last 15 minutes. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the Virtual Controller for the last 15 minutes. To see the exact number of clients in the Aruba Instant network at a particular time, hover the cursor over the graph line.
• Throughput: The Throughput graph shows the throughput of the selected network for the last 15 minutes. Outgoing traffic: Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line. Incoming traffic: Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line. To see an enlarged vi
256. r Roles, Blacklisting, PEF Settings. [Authentication Servers dialog: Name, Type; New, OK, Cancel.]

Authentication Servers: Use this window to configure an external RADIUS server for a wireless network. See Configuring an External RADIUS Server on page 125 for more information.

Users for Internal Server: Use this window to populate the system's internal authentication server with users. This list is used by networks for which per-user authorization is specified using the Virtual Controller's internal authentication server. For more information about users, see Chapter 30, User Database.

Roles: This window displays all the roles defined for all the Networks, and the Access Rules list the permissions for each role. For more information, see User Roles on page 151.

Blacklisting: Use this window to manually blacklist clients. See Client Blacklisting on page 239 for more information.

PEF Settings: Use this window to enable or disable gateway filters supporting address and port translation for various protocols. See Chapter 28, Policy Enforcement Firewall, on page 235 for more information.

WIP: WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Use this window to specify desired levels of threat detection. See Wireless Intrusion Protection (WIP) on page 181 for more inform
257. r IP 0.0.0.0 [Screenshot of the Settings > General tab with advanced options shown: Terminal access Disabled; Dynamic RADIUS proxy Disabled; LED display Enabled; MAS integration Enabled; TFTP Dump Server 0.0.0.0; NTP server; Extended SSID Disabled; Timezone International Date Line; Deny inter user bridging Disabled; Preferred band All; Deny local routing Disabled; DHCP Server (Domain name, DNS Server(s), Lease time in Minutes, Network, Mask).]

Syslog Server: To specify a Syslog Server for sending syslog messages to the external servers, navigate to Settings > click Show advanced options > Syslog Server in the UI and update the following fields:
• Syslog server: Enter the IP address of the server to send system logs to.
• Syslog level: For a global level configuration, select one of the logging levels from the standard list of syslog levels. The default value is Notice.

Figure 59: Syslog Server settings. [Screenshot of the Settings > Syslog tab: Syslog server 0.0.0.0; Syslog level Warning; Syslog Facility Levels for AP-Debug, Network, Security, System, User, User-Debug, and Wireless, each set to Warning.]

Syslog Faci
258. r a name in the SNMP Engine ID text box. It indicates the name of the SNMP agent on the access point. The SNMPv3 agent has an engine ID that uniquely identifies the agent in the device and is unique to that internal network.
2. Click New and update the following fields:
  1. IP Address: Enter the IP Address of the new SNMP Trap receiver.
  2. Version: Select the SNMP version (v1, v2c, v3) from the drop-down list. The version specifies the format of traps generated by the access point.
  3. Community/Username: Specify the community string for SNMPv1 and SNMPv2c traps and a username for SNMPv3 traps.
  4. Port: Enter the port to which the traps are sent. The default value is 162.
  5. Inform: When enabled, traps are sent as SNMP INFORM messages. It is applicable to SNMPv3 only. The default value is Yes.
3. Click OK to view the trap receiver information in the SNMP Trap Receivers window.

Aruba-specific management information bases (MIBs) describe the objects that can be managed using SNMP. See the Aruba Instant 6.1.3.4-3.1.0.0 MIB Reference Guide for information about the Aruba MIBs and SNMP traps.

Chapter 22: Hierarchical Deployment

In earlier releases of Aruba Instant, an IAP could be connected to another IAP via the uplink port through a wired switch. If there is no wired infrastructure (Ethernet connection with a L3 NAT router), then
259. r the Username and Password for accessing the Virtual Controller Management User Interface.
• RADIUS Server: Specify one or two RADIUS servers to authenticate UI. If two servers are configured, users can use them in primary/backup mode or load balancing mode; this is identical to the RADIUS server configuration for SSIDs. For information on configuring an external RADIUS server, see External RADIUS Server on page 124.
• RADIUS server w/ fallback to internal: Specify the RADIUS servers as well as a Username and Password. If there is no response from the RADIUS server (RADIUS server timeout), the authentication switches to Internal.
4. Click OK.

Figure 100: Management Authentication Settings. [Screenshot of the Settings > Admin tab: Local Authentication (Internal), Username (admin), Password and Retype; AirWave (Organization, AirWave IP, AirWave backup IP, Shared key and Retype).]

Captive Portal: The Aruba Instant network supports the captive portal authentication method for a Guest network type. In this method, a web page is displayed to a guest user who tries to access the internet. The user has to authenticate or accept the company's network usage policy in the web page. Two types of captive portal authentication are supported on Aruba Instant:
• Internal Captive Portal
• External Captive Portal

Internal Captive Portal: In the Internal Captive Portal type, an internal server is used
260. raph line.

The Frames Graph shows the In and Out frame rate per second for the client for the last 15 minutes. It also shows data for the Retry In and Retry Out frames.
• Outgoing frames: Outgoing frame traffic is displayed in green. It is shown above the median line.
• Incoming frames: Incoming frame traffic is displayed in blue. It is shown below the median line.
• Retry Out: Retries for the outgoing frames are displayed in black and are shown above the median line.
• Retry In: Retries for the incoming frames are displayed in red and are shown below the median line.
To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the In, Out, Retries In, and Retries Out frames. To see the exact frames at a particular time, hover the cursor over the graph line.

The Speed graph shows the data transfer speed for the client. Data transfer is measured in megabits per second (Mbps). To see an enlarged view, click the graph. The enlarged view shows Last, Minimum, Maximum, and Average statistics for the client for the last 15 minutes. To see the exact speed at a particular time, hover the cursor over the graph line.

To monitor the signal strength of the selected client for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to moni
261. ration, Fall-Through, Filter-Id, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Framed-Compression, Framed-IP-Address, Framed-IP-Netmask, Framed-IPX-Network, Framed-MTU, Framed-Protocol, Framed-Route, Framed-Routing, Full-Name, Group, Group-Name, Hint, Huntgroup-Name, Idle-Timeout, Login-IP-Host, Login-LAT-Node, Login-LAT-Port, Login-LAT-Service, Login-Service, Login-TCP-Port, Menu, Message-Auth, NAS-Port-Type, Password, Password-Retry, Port-Limit, Prefix, Prompt, Rad-Authenticator, Rad-Code, Rad-Id, Rad-Length, Reply-Message, Revoke-Text, Server-Group, Server-Name, Service-Type, Session-Timeout, Simultaneous-Use, State, Strip-User-Name, Suffix, Termination-Action, Termination-Menu, Tunnel-Assignment-Id, Tunnel-Client-Auth-Id, Tunnel-Client-Endpoint, Tunnel-Connection-Id, Tunnel-Medium-Type, Tunnel-Preference, Tunnel-Private-Group-Id, Tunnel-Server-Auth-Id, Tunnel-Server-Endpoint, Tunnel-Type, User-Category, User-Name, User-Vlan, Vendor-Specific.

Management Authentication Settings: Use this page to specify authentication for access to the Virtual Controller Management user interface.
1. Navigate to the Settings link in the Instant UI.
2. Select the Admin tab.
3. In the Authentication drop-down list, select any one of the following:
• Internal: Select to specify a single set of user credentials. Ente
262. rc f [Screenshot residue: attribute format String or Hexadecimal, value 1234.]

Configuring VLAN Derivation Rules on an IAP: The rule assigns the user to a VLAN based on the attributes returned by the RADIUS server when the user is authenticated. To configure VLAN derivation rules on an IAP:
1. Select a network on the Instant UI and click on the edit link.
2. Select the VLAN tab and check the Dynamic radio button under the client VLAN assignment.
3. Click New to assign the user to a VLAN. The New VLAN Assignment Rule window appears. Enter the following information:
• Attribute: Select the attribute returned by the RADIUS server during authentication.
• Operator: Select an operator for matching the string.
• String: Enter the string to match.
• VLAN: Enter the VLAN to be assigned.
4. Click OK.

Figure 124: Configuring VLAN Derivation Rules on an IAP. [Screenshot of the Edit WLAN > VLAN tab: Client IP assignment (Virtual Controller assigned or Network assigned); Client VLAN assignment (Default, Static, Dynamic); VLAN Assignment Rules (Default VLAN 1); New VLAN Assignment Rule dialog with Attribute (AP-Group), Operator (contains), String, and VLAN.]

User Role: If the VSA and VLAN derivation rules are not matching, then the user VLAN can be derived by a user role.

Configuring a User Role: Click the PEF link at the top right corner of Instan
263. re identified by Aruba Instant:
• Windows 7
• Windows Vista
• Windows Server
• Windows XP
• Windows ME
• OSX
• iPhone
• iOS
• Android
• Blackberry
• Linux

In the following image, the OS of the client is Windows 7.

Figure 135: OS Fingerprinting. [Screenshot of the client Info pane: Name; IP Address 10.13.32.59; MAC Address 58:94:6b:79:73:58; Network Emp_Network1; Access Point Instant Access Point; Channel 157; Type AN; Role Emp_Network1.]

Chapter 19: Adaptive Radio Management

Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance, even in the networks with the highest traffic, by dynamically and intelligently choosing the best 802.11 channel and transmitting power for each IAP in its current RF environment. ARM works with all standard clients, across all operating systems, while remaining in compliance with the IEEE 802.11 standards. It does not require any proprietary client software to achieve its performance goals. ARM ensures low-latency roaming, consistently high performance, and maximum client compatibility in a multi-channel environment. By ensuring the fair distribution of available Wi-Fi bandwidth to mobile devices, ARM ensures that data, voice, and video applications have sufficient network resources at all times. ARM allows mixed 802.11a/b/g and n client ty
264. red network to contain wireless attacks.
• Wireless containment: When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.
  • None: Disables all the containment mechanisms.
  • Deauthenticate only: With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.
  • Tarpit containment: With Tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.

Figure 142: Containment Methods. [Screenshot of the Wireless Intrusion Protection (WIP) > Protection tab: Infrastructure, Custom settings (High: protect ssid, rogue containment; Low: protect adhoc network; Off: protect ap impersonation); Clients, Custom settings (High: protect valid sta, protect windows bridge; Low: Off); Containment Methods (Wired containment: off; Wireless containment: None, with the options Deauthenticate only, Tarpit invalid stations, Tarpit all stations); "The default containment settings are recommended."]
265. ...red signal is above this maximum.

Spectrum Alerts

When a new non-Wi-Fi device is found, an alert is reported to the Virtual Controller. The spectrum alert messages include the device ID, device type, IP address of the spectrum monitor or hybrid AP, and the timestamp. The Virtual Controller reports the detailed device information to AMP.

Chapter 10: NTP Server

For successful and proper communication between various elements in a network, time synchronization between the elements and across the network is critical. Following are the uses of time synchronization:
- Trace and track security gaps and network usage, and troubleshoot network issues.
- Map an event on one network element to a corresponding event on another.
- Maintain accurate time for billing services and similar.

Network Time Protocol (NTP) is required to obtain the precise time from a server and to regulate the local time in each network element. If an NTP server is not configured in the Aruba Instant network, an IAP reboot may lead to variation in time and data.

Configuring an NTP Server

The NTP server is set to pool.ntp.org by default. To configure the NTP server on Aruba Instant, perform the following steps:
1. Navigate to the Settings tab in the top right corner of the Instant UI.
2. In the General tab, enter the IP address or the URL (domain name) of the NTP server in the NTP Server text box and click OK.
3. Sele
266. DHCP Option and DHCP Fingerprinting

The DHCP fingerprinting feature allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on the operating system type, a role can be assigned to the device. For example, in order to create a role assignment rule with DHCP option, select equals from the Operator drop-down list and enter 370103060F77FC in the String text box. Since 370103060F77FC is the fingerprint for Apple iOS devices such as iPad and iPhone, the IAP assigns Apple iOS devices to the role that you choose.

Table 21: Validated DHCP Fingerprint

Device | DHCP Option | DHCP Fingerprint
Apple iOS | Option 55 | 370103060F77FC
Android | Option 60 | 3C64686370636420342E302E3135
Blackberry | Option 60 | 3C426C61636B4265727279
Windows 7/Vista Desktop | Option 55 | 37010f03062c2e2f1f2179f92b
Windows XP (SP3, Home, Professional) | Option 55 | 37010f03062c2e2f1f21f92b
Windows Mobile | Option 60 | 3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone | Option 55 | 370103060f2c2e2f
Apple Mac OSX | Option 55 | 370103060f775ffc2c2e2f

802.1X Authentication Type

The IAP allows you to use client 802.1X authentication to assign a desired role for users who have completed 802.1X authentication. When creating more than one role assignment rule based on RAD
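As an added example (not code from the Aruba Instant User Guide), the following Python parses a raw DHCP message, builds the option 55 / option 60 fingerprint strings listed in Table 21, and evaluates role assignment rules with the guide's operators. The fingerprint layout (option code byte followed by the option's value bytes, written as hex) is inferred from the table; the DHCPDISCOVER is constructed sample data, and case-insensitive matching with first-match-wins rule order are assumptions of this example.

```python
# Added example (not code from the Aruba Instant User Guide): parse a raw
# DHCP message, build the option 55 / option 60 fingerprint strings that
# Table 21 lists, and evaluate role assignment rules as the guide describes.
# Fingerprint layout inferred from Table 21: option code byte followed by
# the option's value bytes (no length byte), written as hex. Option 55
# requesting 1,3,6,15,119,252 becomes 37 01 03 06 0F 77 FC = "370103060F77FC".

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236   # op, htype, hlen, hops, xid, ..., sname, file (RFC 2131)
OPT_PAD, OPT_MESSAGE_TYPE, OPT_PARAM_REQUEST_LIST, OPT_VENDOR_CLASS, OPT_END = 0, 53, 55, 60, 255

# Validated fingerprints from Table 21, normalised to upper case.
KNOWN_FINGERPRINTS = {
    "370103060F77FC": "Apple iOS",
    "3C64686370636420342E302E3135": "Android",
    "3C426C61636B4265727279": "Blackberry",
    "37010F03062C2E2F1F2179F92B": "Windows 7/Vista Desktop",
    "37010F03062C2E2F1F21F92B": "Windows XP",
    "3C4D6963726F736F66742057696E646F777320434500": "Windows Mobile",
    "370103060F2C2E2F": "Windows 7 Phone",
    "370103060F775FFC2C2E2F": "Apple Mac OSX",
}

# Operators of the guide's role assignment rules, applied to a fingerprint
# string; case-insensitive comparison is an assumption of this example.
OPERATORS = {
    "equals": lambda fp, s: fp == s,
    "not equals": lambda fp, s: fp != s,
    "contains": lambda fp, s: s in fp,
    "starts with": lambda fp, s: fp.startswith(s),
    "ends with": lambda fp, s: fp.endswith(s),
}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes}; pad is skipped, end stops parsing,
    and a truncated option raises ValueError rather than being accepted."""
    if packet[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != DHCP_MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie missing or packet too short")
    options, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options.setdefault(code, value)   # first occurrence wins
        i += 2 + length
    return options


def fingerprint(options: dict, code: int):
    """Hex of option code + value bytes, or None when the option is absent."""
    if code not in options:
        return None
    return (bytes([code]) + options[code]).hex().upper()


def fingerprints(packet: bytes) -> list:
    """The option 55 and option 60 fingerprints present in the message."""
    options = parse_dhcp_options(packet)
    fps = [fingerprint(options, c) for c in (OPT_PARAM_REQUEST_LIST, OPT_VENDOR_CLASS)]
    return [fp for fp in fps if fp is not None]


def identify_os(packet: bytes):
    """Look the message's fingerprints up in Table 21; None if unknown."""
    for fp in fingerprints(packet):
        if fp in KNOWN_FINGERPRINTS:
            return KNOWN_FINGERPRINTS[fp]
    return None


def derive_role(packet: bytes, rules: list, default_role: str) -> str:
    """rules: list of (operator, string, role); the first matching rule wins.
    The fingerprint is client-supplied, so treat the derived role as a hint
    for policy, not as proof of device identity."""
    fps = fingerprints(packet)
    for operator, string, role in rules:
        if any(OPERATORS[operator](fp, string.upper()) for fp in fps):
            return role
    return default_role


def build_dhcp_discover(client_mac: bytes, options: dict) -> bytes:
    """Construct a minimal DHCPDISCOVER for testing (sample data, not a capture)."""
    header = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78"   # op, htype, hlen, hops, xid
    header += b"\x00\x00\x80\x00" + b"\x00" * 16          # secs, flags, ciaddr..giaddr
    header += client_mac.ljust(16, b"\x00") + b"\x00" * 192   # chaddr, sname, file
    body = bytes([OPT_MESSAGE_TYPE, 1, 1])                # DHCPDISCOVER
    for code, value in options.items():
        body += bytes([code, len(value)]) + value
    return header + DHCP_MAGIC_COOKIE + body + bytes([OPT_END])
```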
267. ...remove the entry from the list.
5. Click OK to apply the changes.

Wired Authentication on an IAP

Instant supports wired authentication on the Ethernet uplink (Ethernet 0) and downlink (Ethernet 1, Ethernet 2) ports of an Instant AP. The following wired authentication methods are supported:
- MAC Authentication
- Captive Portal Authentication

To configure wired authentication on an IAP:
1. Click the Wired link on the upper right corner of the Instant WebUI.
2. Click on the Network assignments drop-down lists to apply an existing Ethernet downlink profile to the Ethernet ports.

Configure bridging on the Ethernet uplink (Ethernet 0) port before you apply a profile.

The devices (SIP phone, printer) connected to the wired ports are now authenticated using the profile that is applied to the port. A list of all the wired users is available in the Wired window.

Note: Wired authentication does not support WEP, WPA, and WPA2 encryption.

Certificates

A certificate is a digital file that certifies the identity of the organization or products of the organization. It is also used to establish your credentials for any web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate holder's public key, and the digital signature of the certificate-issuing authority, so that a recipient can ensure that the certificate is real. Aruba Instant supports the following certificate files:
- Server certificate: PEM
268. ...ring

Table 37: Virtual Controller View - Graphs and Monitoring Procedures (Continued)

Graph: Throughput

Description: The Throughput graph shows the throughput of all networks and IAPs associated with the Virtual Controller for the last 15 minutes.
- Outgoing traffic: Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
- Incoming traffic: Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line.
To see an enlarged view, click the graph.
- The enlarged view provides Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the Virtual Controller for the last 15 minutes.
To see the exact throughput of the Aruba Instant network at a particular time, hover the cursor over the graph line.

Monitoring procedure: To check the throughput of the networks and IAPs associated with the Virtual Controller for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. Study the Throughput graph in the Usage Trends pane. For example, the graph shows 2.0 kbps outgoing traffic throughput at 12:00 hours. It also shows some incoming traffic throughput at the same time.

Client Alerts Link

For information about the Client Alerts link, see Clients Tab on page 31 and Chapter 27, Alert Types and Management.

IDS Link

For information about the IDS link, see IDS on page 50.
269. ...ring APs or from non-Wi-Fi devices such as microwaves and cordless phones.
Monitor | Enabled | The AP does not provide access service to clients.

5. Select Administrator assigned in the 2.4 GHz and 5 GHz band sections.
6. Select the appropriate channel number from the Channel drop-down list for both the 2.4 GHz and 5 GHz band sections.
7. Enter the appropriate transmit power value in the Transmit power text box in the 2.4 GHz and 5 GHz band sections.
8. Click OK.

Configuring Radio Profiles in Instant

Aruba Instant supports radio profile configuration. The radio settings are available for both the 2.4 GHz and the 5 GHz radio profiles. You can configure the radios separately using the parameters described in the table for each radio. Use the following procedure to configure Instant's radio attributes for the 2.4 GHz and 5 GHz frequency bands.

Figure 138: Radio Profile (2.4 GHz band and 5 GHz band sections, each with Legacy only, 802.11d/802.11h, Beacon interval (ms), Interference immunity level, Channel switch announcement count, Channel reuse type, Channel reuse threshold (dB), and Background spectrum monitoring; a Standalone spectrum band field; Hide advanced options, OK, and Cancel controls)
270. ...rivation
1. Click New in the Role Assignment Rules section of the window. The default user role is the newly created user role.
2. Select the attribute that the rule matches against from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes (see List of supported VSA on page 127), DHCP Option, and 802.1X Authentication Type.
3. Select the operator from the Operator drop-down list. The following types of operators are supported:
- contains: To check if the attribute contains the operand value.
- Is the role: To check if the role is the same as the operand value.
- equals: To check if the attribute is equal to the operand value.
- not equals: To check if the attribute is not equal to the operand value.
- starts with: To check if the attribute starts with the operand value.
- ends with: To check if the attribute ends with the operand value.
4. Enter the string to match in the String text box.
5. Select the appropriate role from the Role drop-down list.
6. Click OK.

Figure 120: Creating Role Assignment Rules (WLAN Settings window, Access Rules tab: More Control / Less Control slider with Role based, Network based, and Unrestricted; Roles and Access Rules lists for default_wired_port_profile and Instant_RP; Role Assignment Rules section with Default role and a New Role Assignment Rule form with Attribute, Operator, String, and Role fields)
271. ...
Conditions for Client IP and VLAN Assignment 72
Conditions for Adding a Guest Network - Security Tab 73
IAP Platforms and Minimal AOS Version for IAP to CAP Conversion 95
IAP Platforms and Minimal AOS Version for IAP to RAP Conversion 96
Device Summary and Channel Information 114
Non-Wi-Fi Interferer Types 115
Channel Details 118
WPA and WPA2 Features 150
Recommended Authentication and Encryption Combinations 150
Network Service Options 162
Mode, Spectrum, and AP Operation 176
Radio Profile Configuration Parameters 178
Infrastructure Detection Policies 182
Client Detection Policies 183
Infrastructure Protection Policies 184
Client Protection Policies 184
SNMP Parameters for IAP 187
Ethernet Downlink Profile Parameters - Wired Tab 193
Ethernet Downlink Profile Parameters - VLAN Tab 194
Ethernet Downlink Profile Parameters - Security Tab 194
Ethernet Downlink Profile Parameters - Access Tab 19
272. (Settings window, General tab, continued: Dynamic RADIUS proxy, LED display, MAS integration, TFTP Dump Server, NTP server, Extended SSID, Timezone, Deny inter user bridging, Preferred band, Deny inter user routing, DHCP Server, Domain name, DNS Server(s), Lease time, Network Mask)

LED Display

Administrators have the ability to turn off the LEDs for all IAPs in an Instant network. Navigate to Settings > Advanced > LED Display to enable or disable the LEDs. When Disabled, all the LEDs are turned off. Use this option in environments where LEDs can be a distraction.

Figure 56: LED Display (Settings window with the tabs General, Admin, RTLS, SNMP, OpenDNS, Uplink, Enterprise Domains, Walled Garden, Syslog, and L3 Mobility; General tab fields Name, Virtual Controller IP, Dynamic RADIUS proxy, MAS integration, NTP server, Timezone, Preferred band, DHCP Server, Domain name, DNS Server(s), Lease time, Network Mask, Auto join mode, Terminal access, and TFTP Dump Server)

TFTP Dump Server

Enter the IP address of a TFTP server to store core dump files.
273. ...rrent Time: Displays the current time of the selected IAP.
AP Current Timezone: Displays the current time zone of the selected IAP.
AP Log All: Displays all logs of the selected IAP.
AP Log Debug: Displays logs about the selected IAP.
AP Log Network: Displays network logs of the selected IAP.
AP Log Security: Displays security logs of the selected IAP.
AP Log System: Displays system logs of the selected IAP.
AP Log User Debug: Displays user debug logs of the selected IAP.
AP Log User: Displays user logs of the selected IAP.
AP Log Wireless: Displays wireless logs of the selected IAP.
AP Driver Configuration: Displays driver configuration details of the selected IAP.
AP Essid Table: Displays networks of the selected IAP.
AP Flash Configuration: Displays statistics of the selected IAP in flash.
AP Memory Utilization: Displays memory utilization of the selected IAP.
AP Mesh Counters: Displays the mesh counters of the selected IAP.
AP Mesh Link: Displays the mesh link of the selected IAP.
AP Mesh Neighbors: Displays the mesh link neighbors of the selected IAP.
AP Monitor AP Table: Displays the list of monitored APs of the selected IAP.
AP Monitor Client Table: Displays the list of monitored clients of the selected IAP.
AP Monitor Potential AP Table: Displays the list of potential APs of the selected IAP.
AP Monitor Potential Client Table: Displays the list of potential AP of the selected IAP.
AP Monitor Stat
274. ...
Removing an IAP from the Network 91
Changing IP Address of the IAP 92
Configuring Adaptive Radio Management 93
Configuring Uplink Management VLAN 94
Configuring Wired Bridging on Ethernet 0 94
Migrating to a Mobility Controller Managed Network 95
Converting an IAP to RAP Mode 95
Converting an IAP to CAP 98
Converting an IAP to Standalone Mode 98
Converting back to an IA 99
Firmware Image Server in Cloud Network 101
Upgrade using AirWave and Image Server 101
Image management using Cloud Server 101
Image management using AirWave 101
Automatic Firmware Image Check and Upgrade 101
Upgrading to New Version 102
Mobility Access Switch Integration 105
Mobility Access Switch (MAS) Overview 105
MAS Integration with an AP 105
Rogue AP Containment 105
PoE Prioritization 105
Enabling MAS 105
Viewing the MAS In
275. ...rs are the same across these networks, clients connected to APs in a given Instant network can roam to APs in a foreign Instant network and continue their existing sessions. Clients roaming across these networks are able to continue using their IP addresses after roaming. You can configure a list of Virtual Controller IP addresses across which L3 mobility is supported.

Overview

The Aruba Instant layer 3 mobility solution defines a Mobility Domain as a set of Instant networks, with the same WLAN access parameters, across which client roaming is supported. The Instant network to which the client first connects is called its home network. When the client roams to a foreign network, an AP in the home network (home AP) anchors all traffic to or from this client. The AP to which the client is connected in the foreign network (foreign AP) tunnels all client traffic to or from the home AP through a GRE tunnel.

Figure 83: Shows the routing of traffic when the client is away from its home network (L3 Switch/Router; Home VC (HVC); Old AP = Home AP (AP1); New AP = Foreign AP (AP2); Client C1)

When a client first connects to an Instant network, a message is sent to all configured Virtual Controller IP addresses to see if this is an L3 roamed client. On receiving an acknowledgement from any of the configured Virtual Controller IP addresses, the client is identified as an L3 roamed client. If the AP has no GRE tunnel to this home network, a new tunnel
276. ...rt was recorded.
Mac address: Displays the MAC address of the client which caused the alert.
Description: Provides a short description of the alert.
Access Points: Displays the IP address of the IAP to which the client is connected.
Details: Provides complete details of the alert.

Figure 30: Client Alerts (Virtual Controller view with the Networks, Access Points, and Clients counters and a Clients list with the columns Name, IP Address, Network, and Access Point)
277. ...rview

The Aruba Instant network supports Ethernet and 3G/4G USB modems for the corporate Instant network. The 3G/4G USB modems can be used to extend the connectivity to places where an Ethernet uplink cannot be configured, allowing the client traffic to reach the internet and the corporate network. It also provides a reliable backup link for the Ethernet-based Instant network. The following figure describes the IAP when the Ethernet connection is not configurable on an IAP network. The other IAPs also join the Virtual Controller as slave IAPs via a wired uplink.

Figure 153: Uplink Types (3G/4G uplink on the Master IAP)

The following types of uplinks are supported on Instant:
- Ethernet
  - PPPoE
  - DHCP
  - Static IP
- 3G/4G LTE modem

Ethernet Uplink

The Ethernet 0 port on an IAP is enabled as an uplink port by default. Instant does not support configuration of an Eth0 uplink. View the type of uplink and the status of the uplink in the Instant UI in the Info tab.

Figure 154: Uplink Status (Info pane: Name, Country code, Virtual Controller IP, Band, Master, OpenDNS status, MAS integration, Uplink type Ethernet, Uplink status Up)

3G/4G Uplink

Instant now supports the use of 3G/4G USB modems to provide internet backhaul to an Instant network. The 3G/4G USB modems extend client connectivity to plac
278. ...s

Figure 24: Usage Trends Section in the Monitoring Pane (Clients and Throughput (bps) graphs over the interval 11:55 to 12:05)

For more information about the graphs and monitoring procedures, see Chapter 26, Monitoring.

Spectrum

The Spectrum link in the Access Point view displays the spectrum data that is collected by a hybrid AP or by an IAP that has enabled spectrum monitor. The spectrum data is not reported to the VC. The Spectrum link displays the following:

Overview - Device list

The device list display consists of a device summary table and channel information for active non-Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio.

Figure 25: Device List (Spectrum Overview with Non-WiFi Device List tables for 5GHz upper and 2GHz; columns Type, ID, CFreq (KHz), Bandwidth (KHz), Channels affected, Signal (dBm), Duty cycle, Add time, and Update time; the 2GHz example row is a Cordless Network FH device, ID 1, CFreq 2444000, Bandwidth 80000, affecting channels 1 to 14, Signal -75 dBm, Duty cycle 5)

2.4 GHz

This graph shows channel utilization information, such as channel quality, availability, and utilization metrics, as seen by a spectrum monitor for the 2
279. ...s Mesh Points from the switch and place the IAPs at the desired location. The IAPs with valid uplink connections are the mesh portal.

Figure 53: Mesh Portal (Access Points list with the columns Name, IP Address, Mode, Clients, Type, Mesh Role, and, for each of the 2.4 GHz and 5 GHz bands, Channel, Power (dB), Utilization, and Noise (dBm); the Mesh Role column shows Portal or Point for each IAP)
280. ...s used as the default language.

AirWave Setup

AirWave is a solution for managing rapidly changing wireless networks. When enabled, AirWave allows you to manage the Instant network. For more information on AirWave, see Chapter 25, AirWave Integration and Management. The AirWave status is displayed on the right side of the language links in the Instant UI. If the AirWave status is Not Set Up, click the Set Up Now link to set up AirWave. The Settings window appears with the Admin tab selected. For information on configuring AirWave, see Configuring AirWave on page 207.

Figure 35: AirWave Setup Link (Settings window, Admin tab: Local Authentication (Internal), Username, Password, Retype; AirWave section with Organization, AirWave IP, AirWave backup IP, Shared key, and Retype)

Pause/Resume

The Pause/Resume link is located at the bottom right corner of the Instant UI. The Instant UI is automatically refreshed every 15 seconds by default. Click the Pause link to pause the automatic refreshing of the Instant UI. When the automatic Instant UI refreshing is paused, the Pause link changes to Resume. Click the Resume link to resume automatic refreshing. The Pause link is useful when you want to analyze or monitor the network or a network element and therefore do not want the u
281. ...s used to authenticate devices based on their physical MAC addresses. It is an early form of filtering. MAC authentication requires that the MAC address of a machine match a manually defined list of addresses. This form of authentication does not scale past a handful of devices, because it is difficult to maintain the list of MAC addresses. Additionally, it is easy to change the MAC address of a station to match one on the accepted list. This spoofing is trivial to perform with built-in driver tools, and it should not be relied upon to provide security. MAC authentication can be used alone, but typically it is combined with other forms of authentication, such as WEP authentication. Because MAC addresses are easily observed during transmission and easily changed on the client, this form of authentication should be considered nothing more than a minor hurdle. Aruba recommends against the use of MAC-based authentication.

Configuring MAC Authentication

To enable MAC Authentication for a wireless network:
1. In the Network tab, click the network for which you want to enable MAC authentication. The edit link for the network appears.
2. Click the edit link and navigate to the Security tab.
3. For a network with Personal or Open security level, select Enabled from the MAC authentication drop-down list.
4. Click OK to continue.

Figure 109: Configuring MAC Authentication (Edit WLAN window, Security tab: Security Level slider, Key management WP
282. ...ser interface to refresh. Automatic refreshing allows you to get the latest information about the network and network elements.

Views

Depending on the link or tab that is clicked, the Instant UI displays information about the Virtual Controller, Wi-Fi networks, IAPs, or the clients in the Info section. The views on the Instant UI are classified as follows:
- Virtual Controller view: The Virtual Controller view is the default view. This view allows you to monitor the Aruba Instant network.
- Network view: The Network view provides information that is necessary to monitor a selected wireless network. All Wi-Fi networks in the Aruba Instant network are listed in the Networks tab. Click the name of the network that you want to monitor. The Network view for the selected network appears.
- Instant Access Point view: The Instant Access Point view provides information that is necessary to monitor a selected IAP. All IAPs in the Aruba Instant network are listed in the Access Points tab. Click the name of the IAP that you want to monitor. The Access Point view for that IAP appears.
- Client view: The Client view provides information that is necessary to monitor a selected client. In the Client view, all the clients in the Aruba Instant network are listed in the Clients tab. Click the IP address of the client that you want to monitor. The Client view for that client appears.

For more information on the graphs and the views, see Chapter 26, Monitoring.
283. ...server, because it provides the required IP address for a network peripheral or element. The Dynamic Host Configuration Protocol (DHCP) is an auto-configuration protocol used on IP networks. Computers or any network peripherals that are connected to IP networks must be configured before they can communicate with other computers on the network. DHCP allows a computer to be configured automatically, eliminating the need for a network administrator. DHCP also provides a central database to keep track of computers connected to the network. This database helps in preventing any two computers from being configured with the same IP address.

To complete the initial setup, perform the following tasks in the given order:
1. Connecting the IAP to a Power Source on page 24
2. Assigning an IP Address to the IAP on page 24
3. Connecting to a Provisioning Wi-Fi Network on page 24
4. Log in to the Instant User Interface on page 26
5. Specifying the Country Code on page 26. Skip this step if you are installing the IAP in the United States, Japan, or Israel.

Connecting the IAP to a Power Source

Based on the type of the power source that is used, perform one of the following steps to connect the IAP to the power source:
- PoE switch: Connect the ENET port of the IAP to the appropriate port on the PoE switch.
- PoE midspan: Connect the ENET port of the IAP to the appr
284. ...shboard (RF Dashboard with Signal, Speed, and All Clients columns; Status: Not Connected)

Info

The Info section provides the following information about the selected IAP:
- Name: Displays the name of the selected IAP.
- IP Address: Displays the IP address of the IAP.
- Mode: Displays the mode type. In Access mode, the IAP serves clients while also monitoring for rogue APs in the background. In Monitor mode, the IAP acts as a dedicated monitor, scanning all channels for rogue APs and clients.
- Spectrum: Displays the status of the spectrum monitor.
- Clients: Number of clients associated with the IAP.
- Type: Displays the model number of the IAP.
- CPU Utilization: Displays the CPU utilization in percentage.
- Memory Free: Displays the memory availability of the IAP in Mega Bytes (MB).
- Serial number: Displays the serial number of the IAP.
- From Port: Displays the port from where the slave IAP is learned in hierarchy mode.

RF Dashboard

In the Instant Access Point view, the RF Dashboard section is moved below the Info section. It lists the IP address of the clients that are associated with the selected IAP if the signal strength or the data transfer speed of the client is low.

Overview

The Overview section displays the common RF metrics for the selected access point over the last 15 minutes. The following graphs are displayed for the selected IAP:
285. ...ss Rules page to specify optional access rules for this network.
- Network based: Set the slider to Network based if you want the same rules to apply to all users. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. Instant Firewall treats packets based on the first rule matched. For more information, see Chapter 16, Instant Firewall.
  To edit the default rule:
  a. Select the rule and then click Edit.
  b. Select appropriate options in the Edit Rule window and click OK.
  To define an access rule:
  a. Click New.
  b. Select appropriate options in the New Rule window.
  c. Click OK.
- Role based: Select Role based if you want to specify per-user access rules. See Creating a New User Role on page 151 for more information.
- Unrestricted: Select this to set no restrictions on access based on destination or type of traffic.

Figure 48: Adding a Guest Network - Access Rules Tab (New WLAN window, Access Rules tab: More Control / Less Control slider with Role based, Network based, and Unrestricted; the default rule 1, Allow any to all destinations; Back, Finish, and Cancel buttons)

7. Click Finish. The network is added and listed in the Networks tab.

Editing a Network

To edit a network:
1. In the Networks tab, select the network that you want to edit. The edit link appears. Click t
286. ...sting on the Blacklisting tab of the PEF window.
10. Click Upload Certificate and browse to upload a certificate file for the internal server. See Certificates on page 143 for more information.

Figure 39: Employee Security Tab - Personal (New WLAN window, Security tab: Security Level slider More Secure / Less Secure with Enterprise, Personal, and Open; Key management WPA-2 Personal; Passphrase format; Passphrase (8-63 chars); MAC authentication Enabled; Authentication server 1 InternalServer; Max authentication failures; Users (Internal server: No users); Reauth interval; Blacklisting; Upload certificate (Internal server: No certificate))

Table 7: Conditions for Adding an Employee Network - Security Tab

You select the Open security level:
1. Select the required MAC authentication from the MAC authentication drop-down list. Available options are Enabled and Disabled.
- When Enabled, the user must configure at least one RADIUS server as the authentication server. See MAC Authentication on page 141 for further details.
2. Authentication server 1: Select the required Authentication server option from the drop-down list. Available options are:
- New: If you select this option, an external RADIU
287. ...sting tab of the PEF window.
- Walled Garden: Click on the link to open the Walled Garden window. The walled garden directs the user's navigation within particular areas to allow access to a selection of websites or prevent access to other websites. For more information, see Walled Garden Access on page 142.
- Encryption: Select Enabled from the drop-down list and perform the following steps (these steps are optional):
  - Select the required key management option from the Key management drop-down list. Available options are WPA-2 Personal, WPA Personal, and Both (WPA-2 & WPA).
  - Passphrase format: Specify either an alphanumeric or a hexadecimal string. Ensure that a hexadecimal string is exactly 64 digits in length.
  - Passphrase: Enter a pre-shared key (PSK) passphrase.
- External splash page:
  a. IP or hostname: Enter the IP address or the hostname of the external splash page server.
  b. URL: Enter the URL for the external splash page server.
  c. Port: Enter the number of the port to be used for communicating with the external splash page server.
  d. Redirect URL: Specify a redirect URL if you want to override the user's original request and redirect them to another URL.
6. Click Next and click Finish.

External Captive Portal Authentication using ClearPass Guest

You can configure Instant to point to ClearPass Guest (formerly known as Amigopod) as an e
288. ...such that updating is completed without requiring you to manually monitor the devices. The following models can be used to upgrade the firmware:
- Automatic: In this model, the Virtual Controller (VC) periodically checks for newer updates from a configured URL and automatically initiates the upgrade of the network.
- Manual: In this model, the user can manually start a firmware upgrade on a VC-by-VC basis or set the desired firmware preference per group of devices.

IAP and Client Monitoring

AirWave allows you to find any IAP or client on the wireless network and to see real-time monitoring views. These monitoring views can be used to aggregate critical information and high-end monitoring information.

Template-based Configuration

AirWave automatically creates a configuration template based on any of the existing IAPs, and it applies that template across the network, as shown in Figure 160. It audits every device on an ongoing basis to ensure that configurations never vary from the enterprise policies. It alerts you whenever a violation is detected and automatically repairs the misconfigured device.

Figure 160: Template-based Configuration (AirWave APs/Devices page with the counters New Devices, Up, Down, Mismatched, Rogue, Clients, and Alerts; navigation Home, APs/Devices, Clients, Reports, System, Device Setup, AMP Setup, RAPIDS, and VisualRF; sub-tabs List, Monitor, Basic, and Templates)
t
4. Click Enter before the timer expires. The IAP goes into apboot mode.

Table 2: Terminal Communication Settings
Baud Rate | Data Bits | Parity | Stop Bits | Flow Control
9600 | 8 | None | 1 | None

5. In the apboot mode, use the following commands to disable the provisioning network:

    apboot> factory_reset
    apboot> setenv disable_prov_ssid 1
    apboot> saveenv
    apboot> reset

Log in to the Instant User Interface

Launch a web browser and enter http://instant.arubanetworks.com or any URL or web address. In the login screen, enter the following credentials:
- Username: admin
- Password: admin

Figure 3: Instant User Interface Login Screen

When you use a provisioning Wi-Fi network to connect to the internet, all browser requests are directed to the Instant user interface. For example, if you enter www.example.com in the address field, you are directed to the Instant user interface. You can change the default login credentials after you log in for the first time.

Specifying the Country Code

Skip this section if you are installing the IAP in United States, Japan, or Israel. Aruba Instant Access Points are shipped in four variants:
- IAP-US (United States)
- IAP-JP (Japan)
- IAP-IL (Israel)
- IAP-ROW (Rest of World)

After you successfully log
t UI.
2. Select the Roles tab.
3. Click the New button under Roles.
4. Enter the new role in the text box and click OK.
5. Click the New button under the Access rules.
6. Select the Rule type as VLAN assignment.
7. Enter the ID of the VLAN in the VLAN id text box.
8. Click OK.

Figure 125: Configuring VLAN Derivation using the User Role (PEF window, Roles tab: role "vlan 200" with a VLAN assignment rule, Rule type VLAN ID)

To use a defined user VLAN role:
1. Select a network on the Instant UI and click on the edit link.
2. Select the Access tab.
3. Under Role-based, select the defined role.
4. Select the access rule for the defined role from the list of Access rules.
5. Click the New button under the New Role Assignment window.
6. Select the attribute from the Attribute drop-down list.
7. Select the operator to match from the Operator drop-down list.
8. Enter the string to match in the String text box.
9. Select the role to be assigned from the Role text box.
10. Click OK.

Figure 126: To use a Defined User VLAN Role (Edit window for the Test WLAN, Access tab: Role-based access, rule "Assign to VLAN 200", "Allow any to all destinations")
t User Interface

Initial Setup

This section provides a pre-installation checklist and describes the initial procedures required to set up Aruba Instant.

Pre-Installation Checklist

Before installing the Instant Access Point (IAP), make sure that you have the following:
- Ethernet cable of required length to connect the IAP to the home router
- One of the following power sources:
  - IEEE 802.3af-compliant Power over Ethernet (PoE) source. The PoE source can be any power source equipment (PSE) switch or a midspan PSE device.
  - Aruba power adapter kit (this kit is sold separately).

PoE is a method of delivering power on the same physical Ethernet wire that is used for data communication. Power for devices is provided in one of the following two ways:
- Endspan: The switch that the IAP is connected to can provide power.
- Midspan: A device can sit between the switch and the IAP.

The choice of endspan or midspan depends on the capabilities of the switch to which the IAP is connected. Typically, if a switch is in place and does not support PoE, midspan power injectors are used.

A DNS server functions as a phonebook for the internet and internet users. It converts human-readable computer hostnames into IP addresses and vice versa. A DNS server stores several records for a domain name, such as an address (A) record, name server (NS), and mail exchanger (MX) records. The Address record is the most important record that is stored in a DNS
t is sent to the VC when a non-Wi-Fi interference device is detected. The spectrum monitor is supported on IAP-104, IAP-105, IAP-134, and IAP-135 radios.

Creating Spectrum Monitors and Hybrid APs

An IAP can be provisioned to function as a spectrum monitor or as a hybrid IAP. The radios on groups of APs can be converted to dedicated spectrum monitors or hybrid APs via the AP group's 802.11a and 802.11g radio profiles.

Converting IAPs into Hybrid IAPs

You can convert all IAPs in an Instant network into hybrid IAPs by selecting the Background spectrum monitoring option in the Aruba Instant network's 802.11a and 802.11g radio profiles. APs in Access Mode continue to provide normal access service to clients while providing the additional function of monitoring RF interference. If any IAP in the Instant network does not support the spectrum monitoring feature, that AP continues to function as a standard IAP rather than a hybrid IAP. By default, the background spectrum monitoring option is disabled. In the hybrid mode, spectrum monitoring is performed only on the home channel.

Follow the procedure below to convert IAPs in an Aruba Instant network to hybrid mode:
1. Click the RF link at the top right corner of the Instant WebUI.
2. Click Show advanced options to view the Radio tab.

Figure 88: Configuring a Hybrid IAP (RF window, ARM and Radio tabs, 2.4 GHz band settings)
Understanding WPA and WPA2 ... 149
Recommended Authentication and Encryption Combinations ... 150
Chapter 14 Role Derivation ... 151
  Creating a New User Role ... 151
  Creating Role Assignment Rules ... 152
  DHCP Option and DHCP Fingerprinting ... 153
  802.1X Authentication Type ... 154
Chapter 15 User VLAN Derivation ... 155
  User VLAN Derivation ... 155
  Vendor Specific Attributes (VSA) ... 155
  VLAN Derivation Rule ... 156
  Configuring VLAN Derivation Rules on an IAP ... 156
  Configuring a User Role ... 157
  Configuring VLAN Derivation Rules Using an SSID Profile ... 159
Chapter 16 Instant Firewall ... 161
  Examples for Access Rules ... 164
  Allow TCP Service to a Particular Network ... 164
  Allow PoP3 Service to a Particular Server ... 165
  Deny FTP Service except to a Particular Server ... 166
  Deny bootp Service except to a Particular Network ... 167
Chapter 17 Content Filtering ... 169
  Enterprise Domains ...
tant C4:01:78 (Settings window screenshot: Name, Virtual Controller IP 0.0.0.0, Dynamic RADIUS proxy Enabled, MAS integration Enabled, NTP server, Timezone International Date Line, Preferred band All)

3. Click OK.

RADIUS Server Authentication with VSA

An external RADIUS server authenticates network users and returns to the IAP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.

List of supported VSA

Instant supports the following types of VSAs:
AP-Group, AP-Name, ARAP-Features, ARAP-Security, ARAP-Security-Data, ARAP-Zone-Access, Acct-Authentic, Acct-Delay-Time, Acct-Input-Gigawords, Acct-Input-Octets, Acct-Input-Packets, Acct-Link-Count, Acct-Multi-Session-Id, Acct-Output-Gigawords, Acct-Output-Octets, Acct-Output-Packets, Acct-Session-Id, Acct-Session-Time, Acct-Status-Type, Acct-Terminate-Cause, Acct-Tunnel-Packets-Lost, Add-Port-To-IP-Address, Aruba-AP-Group, Aruba-Admin-Role, Aruba-Essid-Name, Aruba-Location-Id, Aruba-Named-User-Vlan, Aruba-Port-Id, Aruba-Priv-Admin-User, Aruba-Template-User, Aruba-User-Role, Aruba-User-Vlan, CHAP-Challenge, Callback-Id, Callback-Number, Class, Connect-Info, Connect-Rate, Crypt-Password, DB-Entry-State, Digest-Response, Domain-Name, EAP-Message, Error-Cause, Event-Timestamp, Exec-Program, Exec-Program-Wait, Expi
tant User Interface

Chapter 4: Wireless Network

In a Wireless LAN (WLAN), laptops, desktops, PDAs, and other computer peripherals are connected to each other without any network cables. These network elements, or clients, use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards. IEEE 802.11 is a set of standards that are categorized based on the radio wave frequency and the data transfer rate. For more information about the IEEE 802.11 standards, see Table 4.

Table 4: IEEE 802.11 Standards
IEEE Network Standard | Frequency Used (GHz) | Maximum Data Transfer Rate (Mbps)
802.11a | 5.0 | 54
802.11b | 2.4 | 11
802.11g | 2.4 | 54
802.11n | 2.4 or 5.0 | 300

During start-up, a wireless client searches for radio signals or beacon frames that originate from the nearest IAP. After locating the IAP, the following transactions take place between the client and the IAP:
1. Authentication: The IAP communicates with a RADIUS server to validate or authenticate the client.
2. Connection: After successful authentication, the client establishes a connection with the IAP.

Network Types

Aruba Instant wireless networks are categorized as:
- Employee Network
- Voice Network
- Guest Network

When a client is associated to the Voice network, all data traffic is marked and placed into the high priority queue in QoS (Quality of Service). QoS refers to the capabilit
Integration Status ... 106
Configuring a Mobility Domain ... 108
Home Agent Load Balancing ... 110
Creating Spectrum Monitors and Hybrid APs ... 111
Converting IAPs into Hybrid IAPs ... 111
Converting an IAP to a Spectrum Monitor ... 112
Overview / Device List ... 114
Non-WiFi Interferers ... 115
Channel Details ... 117
Configuring an NTP Server ... 119
Master Election ... 121
Virtual Controller IP Address ... 121
Specifying Name and IP Address for the Virtual Controller ... 121
Configuring the DHCP Server ... 122
Authentication Methods in Aruba Instant ... 123
Internal RADIUS Server ... 123
External RADIUS Server ... 124
Authentication Terminated on IAP ... 124
Configuring an External RADIUS Server ... 125
Enabling Instant RADIUS ... 126
RADIUS Server Authentication with VSA ... 127
List of Supported VSA ... 127
Management Authentication Settings ... 130
Captive Portal ... 130
Internal Captive Portal ...
the IAP to which the client is connected.

RF Trends

The RF Trends section displays the following graphs for the selected client:
- Signal (Figure 192: Signal Graph; signal in dB, with Last, Min, Max, and Avg statistics)
- Frames (Figure 193: Frames Graph; frames per second, In and Out, with Retries In and Retries Out)
- Speed (Figure 194: Speed Graph; speed in Mbps)
- Throughput (Figure 195: Throughput Graph; In and Out)

For more information about RF trends graphs in the client view and for monitoring procedures, see Table 41.

Table 41: Client View RF Trends Graphs and Monitoring Procedures

Signal: The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average signal statistics for the client for the last 15 minutes. To see the exact signal strength at a particular time, hover the cursor over the g
the default view.
2. In the Access Points tab, click the name link of the IAP for which you want to monitor the frame rate. The IAP view appears.
3. Study the Drops graph. For example, the graph shows that 6 frames per second were dropped at 13:34 hours.

To monitor the noise floor for the IAP for the last 15 minutes:
1. Log in to the Instant WebUI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the name link of the IAP for which you want to monitor the noise floor. The IAP view appears.
3. Study the Noise Floor graph. For example, the graph shows that the noise floor for the IAP at 22:38 hours is -82.0 dBm.

NOTE: You can also click the rectangle icon in the Noise column in the RF Dashboard pane to see the Noise graph for the selected IAP.

Table 40: Instant Access Point View RF Trends Graphs and Monitoring Procedures (Continued)

2.4 GHz Mgmt Frames: The 2.4 GHz Mgmt Frames graph shows the rate for management frames in and out of the radio in the 2.4 GHz band for the last 15 minutes. Note that the scale for the Y-axis is logarithmic. To see the exact number of management frames per second at a particular time, hover the cursor over the graph lines.

Errors: The Errors graph shows the errors that occurred while receiving the frames for the last 15 minutes. The errors are measured in frames per second
the Monitoring Pane (Info section screenshot: Name Instant-C4:01:78, Country code IN, Virtual Controller IP 0.0.0.0, Band All, Master 10.17.115.1, OpenDNS status Not connected, MAS integration Enabled, Uplink type Ethernet, Uplink status Up)

RF Dashboard: Allows you to view trouble spots in the network. It displays the following information:

Figure 23: RF Dashboard in the Monitoring Pane (columns: Access Points, Utilization, Noise, Errors; All Clients, Signal, Speed)

The following table lists the icons in the RF Dashboard.

Table 3: RF Dashboard icons
1. Signal bar
2. Speed icon
3. Utilization icon
4. Noise icon
5. Errors icon

- Clients: Lists the clients with low speed or signal strength in the network.
- Signal: Displays the signal strength of the client. Depending on the signal strength of the client, the color of the lines on the Signal bar changes from Green > Orange > Red.
  - Green: Signal strength is more than 20 decibels.
  - Orange: Signal strength is between 15 and 20 decibels.
  - Red: Signal strength is less than 15 decibels.
  To view the signal graph for a client, click on the signal bar against the client in the Signal column.
- Speed: Displays the data transfer speed of the client. Depending on the data transfer speed of the client, the color of the Signal bar changes from Green > Orange > Red.
  - Green: Data transfer speed is more t
(AirWave Groups list screenshot: group names with Total Devices, Down, Mismatched, Ignored, Clients, Usage, VPN Sessions, Up/Down Status Polling Period and Duplicate columns)

5. The Virtual Controller Certificate section displays the certificates (CA cert and Server) as highlighted in the figure below.

Figure 117: Virtual Controller Certificate (AirWave group configuration page for group Test_2: Name, Missed SNMP Poll Threshold, Regulatory Domain, Timezone, Allow One-to-One NAT, Audit Configuration on Devices, Up/Down Status Polling Period, Override Polling Period for Other Services, AP Interface Polling Period, Client Data Polling Period, Rogue AP and Device Location Data Polling Period, CDP Neig
tication failures.

Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.

For Internal users: Click Users to populate the system's internal authentication server with users. For information about adding a user, see Adding a User on page 161. Click Upload Certificate and browse to upload a certificate file for the internal server. See Certificates on page 143 for more information.

Redirect URL: Users can be redirected to a specific URL instead of the original URL after successful captive portal authentication. This entry is optional.

Table 11: Conditions for Adding a Guest Network, Security Tab (Continued)
Splash Page Type | Description and steps to set up

Internal Acknowledged: The user has to accept the terms and conditions for this splash page type. For information on customizing the splash page, see Customizing a Splash Page on page 134.
1. Encryption: Select Enabled from the Encryption drop-down list and perform the following steps (these steps are optional):
   a. Select the required key management option from the Key management drop-down list. Available options are WPA-2 Personal, WPA Personal, and Both (WPA-2 & WPA).
   b. Passphrase format: Specify either an alphanumeric or a hexadecimal string. E
tication when Editing a Guest Network (Edit window screenshot, Security tab: Splash page type External, External splash page and Auth server 1 set to AMIGOPOD, IP or hostname 10.65.50.245, Auth port 1812, Accounting port 1813, Timeout 5 sec, Retry count 3, RFC 3576 Enabled, NAS IP address 10.64.146.174)

c. Redirect URL: Specify a redirect URL if you want to override the user's original request and redirect them to another URL.

Splash page type External RADIUS Server:
- Authentication server 1: Click Edit to modify the external RADIUS server's settings. Refer to Configuring an External RADIUS Server on page 125 for more details on server settings.
- Reauth interval: When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
- Blacklisting: Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
- Max authentication failures: Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10. Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blacklisting on the Blackli
to a spectrum monitor. The edit link appears.
2. Click the edit link. The Edit Access Point window appears.
3. Click the Radio tab.
4. From the Access Mode drop-down list, select Spectrum Monitor.
5. Click OK.
6. Reboot the IAP for the changes to take effect.

(Edit Access Point window screenshot, Radio tab: Mode set to Spectrum Monitor)

By default, spectrum monitoring is performed on the 5 GHz higher band.

7. To enable spectrum monitoring for any other band for the 5 GHz radio:
   a. Click the RF link at the upper right corner of the Instant WebUI.
   b. Click Show advanced options to view the Radio tab.
   c. For the 5 GHz radio, specify the spectrum band you want that radio to monitor by selecting Lower, Middle, or Higher from the Standalone spectrum band drop-down list.
   d. Click OK.

Figure 90: Monitor Middle Band for 5 GHz Radio (RF window, Radio tab, showing for the 2.4 GHz and 5 GHz bands: Legacy only Disabled, 802.11d/802.11h Disabled, Beacon interval 100 ms, Interference immunity level 2, Channel switch announcement count 0, Channel reuse type Disabled, Channel reuse threshold in dB, Background spectrum monitoring Disabled)
to all destinations.
- To a particular server: Access is allowed or denied to a particular server. You have to specify the IP address of the server.
- Except to a particular server: Access is allowed or denied to servers other than the specified server. You have to specify the IP address of the server.
- To a network: Access is allowed or denied to a network. You have to specify the IP address and netmask for the network.
- Except to a network: Access is allowed or denied to networks other than the specified network. You have to specify the IP address and netmask for the network.

Examples for Access Rules

This section provides procedures to create the following access rules:
- Allow TCP Service to a Particular Network
- Allow PoP3 Service to a Particular Server
- Deny FTP Service except to a Particular Server
- Deny bootp Service except to a Particular Network

Allow TCP Service to a Particular Network
1. Click the New link in the Networks tab. To define the access rule for an existing network, click the network. The edit link appears. Click the edit link and navigate to the Access tab.
2. In the Basic Info tab, enter the appropriate information and click Next to continue.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN. Click Next to continue.
4. Click Next and set appropriate values in the Security tab.
5. Click Next. The Access tab appears. The Allow any to all destinations access rule is enab
tor the signal strength. The client view appears.
3. Study the Signal graph in the RF Trends pane. For example, the graph shows that signal strength for the client is 54.0 dB at 12:23 hours.

To monitor the In and Out frame rate per second and retry frames for the In and Out traffic for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the frames. The client view appears.
3. Study the Frames graph in the RF Trends pane. For example, the graph shows 4.0 frames per second for the client at 12:27 hours.

To monitor the speed for the client for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the speed. The client view appears.
3. Study the Speed graph in the RF Trends pane. For example, the graph shows that the data transfer speed at 12:26 hours is 240 mbps.

Table 41: Client View RF Trends Graphs and Monitoring Procedures (Continued)

Throughput: The Throughput Graph shows the throughput for the selected client for the last 15 minutes.
- Outgoing traffic: Throughput for outgoing traffic is displayed i

To monitor the errors for the client for the last 15 minutes:
1. Log in to the Instant UI. The Virtual
- Neighboring APs (Figure 179: Neighboring APs Graph; series: Valid, Interfering, Rogue)
- CPU Utilization (Figure 180: CPU Utilization Graph)
- Neighboring Clients (Figure 181: Neighboring Clients Graph; series: Valid, Interfering)
- Memory Free (MB) (Figure 182: Memory free Graph)
- Clients (Figure 183: Clients Graph)
- Throughput (bps) (Figure 184: Throughput Graph; series: Out, In)

For more information about the graphs in the instant access point view and monitoring procedures, see Table 39.

Table 39: Instant Access Point View Usage Trends and Monitoring Procedures

Neighboring APs: The Neighboring APs graph shows the number of APs heard by the selected IAP.
- Valid APs: An AP that is part of the enterprise providing WLAN service.
- Interfering APs: An AP that is seen in the RF environment but is not connected to the network.
- Rogue APs: An unauthorized

To check the neighboring APs detected by the IAP for the last 15 minutes:
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client
u configure the IAP to use prefer 5 GHz band steering mode, the IAP steers the client to the 5 GHz band if the client is 5 GHz capable, but lets the client connect on the 2.4 GHz band if the client persists in 2.4 GHz association attempts.
- Force 5 GHz: When the IAP is configured in force 5 GHz band steering mode, the IAP forces 5 GHz-capable IAPs to use that radio band.
- Balance Bands: In this band steering mode, the IAP tries to balance the clients across the two radios in order to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz while the 2.4 GHz band operates in 20 MHz.
- Disabled: Disabled means that the client selects which band to use.

Airtime Fairness Mode

This feature provides equal access to all clients on the wireless medium regardless of client type, capability, or operating system, thus delivering uniform performance to all clients. This feature prevents some clients from monopolizing resources at the expense of other clients. Reboot the IAP after configuring the radio profile settings in order for the changes to take effect.

Airtime Fairness Modes

Navigate to RF, which is at the top right corner of the Instant UI, and click ARM. The Airtime fairness consists of the following modes:
- Default Access: Provides a
upload a certificate file for the internal server.
11. Encryption: Select Enabled from the drop-down list and perform the following steps (these steps are optional):
    a. Select the required key management option from the Key management drop-down list. Available options are WPA-2 Personal, WPA Personal, and Both (WPA-2 & WPA).
    b. Passphrase format: Specify either an alphanumeric or a hexadecimal string. Ensure that a hexadecimal string is exactly 64 digits in length.
    c. Passphrase: Enter a pre-shared key (PSK) passphrase.
12. Click Next and click Finish.

Configuring Internal Captive Portal Authentication when Editing a Guest Network

To configure internal captive portal authentication when editing a guest network, perform the following steps:
1. In the Network tab, click the network for which you want to configure internal captive portal authentication. The edit link for the network appears.
2. Click the edit link. The Edit window for the network appears.
3. Navigate to the Security tab and select one of the following options for the splash page type:
   a. Internal Authenticated
   b. Internal Acknowledged
   c. External RADIUS Server
   d. External Authentication Text
   e. None
   See Guest Network on page 70 for more information.

Figure 102: Configuring Captive Portal when Editing a Guest Network
(Edit Guest window screenshot, Security tab: Splash page type Internal Authenticated, Auth server 1 InternalServer, Reauth interval, Blacklisting Disabled, Internal server certificate upload, Encryption Disabled, Redirect URL http://abc.com, Splash Page Visuals preview "Welcome to the Guest Network")

The appearance of a splash page can be customized as required. For information on customizing a splash page, see Customizing a Splash Page on page 134.

4. Click Next and click Finish.

Configuring Internal Captive Portal with External RADIUS Server Authentication when Adding a Guest Network

To configure internal captive portal with external RADIUS server authentication, perform the following steps:
1. In the Network tab, click the New link. The New WLAN window opens.
2. In the WLAN Settings tab, perform the following:
   a. Enter a name for the network in the Name (SSID) text box.
   b. Select Guest and then click Next.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN.
4. Click Next to continue.
5. In the Security tab, select Internal Authenticated under the splash page type. Select an external RADIUS server from the Authentication server drop-down list to authenticate user credentials at run time. If there is no external RADIUS
us: Displays the configuration and status of monitor information of the selected IAP.
AP Persistent Clients: Displays the persistent clients of the selected IAP.
AP Process: Displays the processes of the selected IAP.
AP Shaping Table: Displays the VAP statistics of the selected IAP.
AP Sockets: Displays the sockets in use on the selected IAP.
AP STM Configuration: Displays the SSID configuration in STM of the selected IAP.
AP Valid Channels: Displays the valid channels of the selected IAP.
AP Version: Displays the version number of the selected IAP.
IDS Client List: Displays the IDS-detected client list of the selected IAP.
Interface Counters: Displays the packet counters of bond0 of the selected IAP.
Interface Port Status: Displays the status of br0 of the selected IAP.
IP ARP Table: Displays the ARP table of the selected IAP.
IP DHCP Database: Displays the configuration of the internal DHCP server of the selected IAP.
IP Route Table: Displays the route table of the selected IAP.
VC 802.1X Certificate: Displays the CA certificate and server certificate of the selected IAP.
VC About: Displays some information about the selected IAP, including AP type, build time of image, and image version.
VC Allowed AP Table: Displays the allowed AP enable/disable status and the allowed AP list of the selected IAP.
VC Application Services: Displays the details of application servic
uthentication is only supported on Windows devices, so this can be used to distinguish between Windows devices and other devices such as iPads.
- Machine Auth only role: This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.
- User Auth only role: This indicates a known user or a non-Windows device. The device does not support machine auth or does not have a RADIUS account, but the user is logged in and authenticates.

When a device does both Machine and User authentication, the user gets the default role or the derived role based on the RADIUS attribute.

To configure Machine Authentication, do the following:
1. In the Roles window, create a role for Machine auth only and User auth only.
2. Configure Access Rules for these roles by selecting the role and applying the rule. Refer to Examples for Access Rules on page 164 for procedures to create access rules.
3. Select Enforce Machine Authentication and specify these two roles.
4. Click Finish to apply these changes.

Creating Role Assignment Rules

This section describes the rules for determining the role that is assigned for each authenticated client. When Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.

To create role assignment rules for the user role:
ve selected the Specify statically option, then perform the following steps:
1. Enter the new IP address for the IAP in the IP address text box.
2. Enter the netmask of the network in the Netmask text box.
3. Enter the IP address of the DNS server in the DNS server text box.
4. Enter the IP address of the default gateway in the Default gateway text box.
5. Enter the domain name in the Domain name text box.

Figure 65: Configuring IAP Connectivity Settings, Specifying Static Settings (Edit Access Point window, General tab: IP address for Access Point set to Specify statically, with IP address, Netmask, Default gateway, DNS server, and Domain name fields)

4. Click OK and reboot the IAP.

Configuring Adaptive Radio Management

Adaptive Radio Management (ARM) is enabled in Aruba Instant by default. However, if ARM is disabled, perform the following steps to enable it:
1. In the Access Points tab, click the IAP for which you want to configure ARM.
2. Click the edit link. An Edit AP window appears.
3. In the Edit AP window, select the Radio tab.
4. Select Adaptive radio management assigned.

Figure 66: Configuring IAP Radio Settings, Mode Access (Edit Access Point window, Radio tab)
Server > rde.arubanetworks.com > IPv4.
2. Right-click on IPv4 and select Set Predefined Options.

Figure 163: Instant and DHCP options for AirWave, Set Predefined Options. The figure shows Server Manager on the DHCP server rde.arubanetworks.com with the IPv4 node expanded and its scopes (10.169.131.0 through 10.169.159.0) listed.

3. Select DHCP Standard Options in the Option class drop-down list and then click Add. Enter the following information:
   Name: Aruba Instant
   Data Type: String
   Code: 60
   Description: Aruba Instant AP

Figure 164: Instant and DHCP options for AirWave, Predefined Options and Values. The figure shows the Option Type dialog with Class set to Global, Name set to Aruba Instant and Data type set to String.
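Option 60 is the vendor class identifier the IAP sends, and the server answers with vendor-specific information in option 43. The following added example (not from the guide, from Aruba or from Windows Server) builds and parses those two options as raw DHCP TLVs, so the bytes the server will actually emit can be inspected. The vendor class value "ArubaInstantAP" and the option 43 payload layout "organization,AMP IP,shared secret" are assumptions for this illustration; the page only shows option 60 being defined as a string.

```python
# Added example (not from the Aruba Instant User Guide): builds and parses the
# DHCP option bytes exchanged for AirWave discovery. The vendor class value
# and the option 43 payload format are assumptions for this illustration.
ARUBA_VENDOR_CLASS = "ArubaInstantAP"   # assumed value of option 60


def encode_option(code, payload):
    """Encode one DHCP option as code, length, value (RFC 2132 TLV)."""
    if not 0 < len(payload) < 256:
        raise ValueError("DHCP option payload must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def build_airwave_options(org, amp_ip, secret):
    """Options a server hands to an IAP: 60 echoes the vendor class, 43 carries
    the AirWave organization string, AMP address and shared secret (assumed layout)."""
    opt60 = encode_option(60, ARUBA_VENDOR_CLASS.encode())
    opt43 = encode_option(43, f"{org},{amp_ip},{secret}".encode())
    return opt60 + opt43 + b"\xff"          # 0xff is the end option


def parse_options(raw):
    """Parse a DHCP options field into {code: value}, stopping at the end option."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0xff:                     # end
            break
        if code == 0:                        # pad
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def airwave_settings_from_options(raw):
    """Return (org, amp_ip, secret) only if option 60 names an Aruba IAP; option 43
    from a server that does not echo the vendor class is ignored."""
    opts = parse_options(raw)
    if opts.get(60) != ARUBA_VENDOR_CLASS.encode() or 43 not in opts:
        return None
    fields = opts[43].decode().split(",")
    if len(fields) != 3:
        raise ValueError("unexpected option 43 format")
    return tuple(fields)
```

Whatever the exact payload layout, anything carried in option 43 crosses the LAN unencrypted and unauthenticated, so a DHCP server on the same segment can hand a freshly booted IAP a different AMP address; DHCP snooping on the access switches is the usual mitigation.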
The Settings window consists of the following tabs: General, Admin, RTLS, SNMP, OpenDNS, Uplink, Enterprise Domains, Walled Garden, Syslog and L3 Mobility.

Figure 9: Settings Link. The figure shows the General tab of the Settings window with the Virtual Controller name, IP address, NTP server, timezone, preferred band and DHCP server settings, together with the Auto join mode, Terminal access, Dynamic RADIUS proxy, LED display, MAS integration, TFTP Dump Server, Extended SSID, Deny inter user bridging and Deny inter user routing options.

NOTE: Use the Show/Hide Advanced option on the bottom left of the Settings window to view or hide the advanced options.

General: View or edit the Name, IP address, NTP Server and DHCP server settings of the Virtual Controller. For information about Virtual Controller settings and NTP Server, see Chapter 11, Virtual Controller and Chapter 10, NTP Server. For information about Auto join mode, Terminal Access, LED display, TFTP Dump Server and Deny inter user bridging, see Chapter 6, Managing IAPs.
2.4 GHz: 2.4 GHz Channel Utilization and Quality. The figure shows the channel details graph (Quality, Utilization, Wi-Fi, Total non-Wi-Fi, Available and Interference) with the Max AP Signal (dBm), Max AP SSID, Max AP BSSID, Max Interference (dBm) and SNIR (dB) values for the selected channel.

Table 18 shows the information that you can view in the channel details graph.

Table 18: Channel Details Information

Channel: An 802.11a or 802.11g radio channel.
Quality: Current relative quality of the channel.
Utilization: The percentage of the channel being used.
Wi-Fi: The percentage of the channel currently being used by Wi-Fi devices.
Type: Device type.
Total non-Wi-Fi: The percentage of the channel currently being used by non-Wi-Fi devices.
Known APs: Number of valid APs identified on the radio channel.
Unknown APs: Number of invalid or rogue APs identified on the radio channel.
Channel Util: Percentage of the channel currently in use.
Max AP Signal (dBm): Signal strength of the AP that has the maximum signal strength on a channel.
Max Interference (dBm): Signal strength of the non-Wi-Fi device that has the highest signal strength.
SNIR (dB): The ratio of signal strength to the combined levels of interference and noise on that channel. This value is calculated by determining the maximum noise floor and interference signal levels and then calculating how strong the desi
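The SNIR entry combines two power levels that are both reported in dBm, which cannot simply be added. The following added example (not from the guide or from Aruba) carries the calculation through: interference and noise are converted to milliwatts, summed, and converted back before being subtracted from the strongest AP signal. The readings it is run on are constructed values.

```python
# Added example (not from the Aruba Instant User Guide): computes SNIR as the
# Table 18 entry describes, from the strongest AP signal and the combined
# interference and noise levels. dBm values are logarithmic, so they are
# converted to milliwatts, summed, and converted back. Readings are constructed.
import math


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    return 10 * math.log10(mw)


def snir_db(max_ap_signal_dbm, max_interference_dbm, noise_floor_dbm):
    """SNIR = signal / (interference + noise), expressed in dB.
    Pass float('-inf') for the interference level when no non-Wi-Fi source is seen."""
    combined_mw = dbm_to_mw(max_interference_dbm) + dbm_to_mw(noise_floor_dbm)
    return max_ap_signal_dbm - mw_to_dbm(combined_mw)


def channel_summary(readings):
    """readings: list of dicts with keys channel, signal, interference, noise (dBm).
    Returns {channel: SNIR rounded to 0.1 dB}, so channels can be ranked."""
    return {r["channel"]: round(snir_db(r["signal"], r["interference"], r["noise"]), 1)
            for r in readings}


def best_channel(readings):
    """Channel with the highest SNIR among the constructed readings."""
    summary = channel_summary(readings)
    return max(summary, key=summary.get)
```

A consequence worth knowing when reading the graph: an interferer at the same level as the noise floor costs exactly 3 dB of SNIR, and one 10 dB above the noise floor makes the noise floor almost irrelevant.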
ware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS. Altering this device (such as painting it) voids the warranty.

Aruba Networks, www.arubanetworks.com
1344 Crossman Avenue, Sunnyvale, California 94089
Phone: 408 227 4500, Fax: 408 227 4550

Instant 6.1.3.4-3.1.0.0 User Guide, 0511100-02 Rev A, October 2012

Contents

Chapter 1 ... 19
  Supported Devices ... 19
  Intended Audience ... 19
Chapter 2 ... 23
  Pre-Installation Checklist ... 23
  Connecting the IAP to a Power Source ... 24
  Assigning an IP Address to the AP ... 24
  Connecting to a Provisioning Wi-Fi Network ... 24
  Disabling the Provisioning Wi-Fi Network ... 25
  Log in to the Instant User Interface ... 26
  Specifying the Country Code ... 26
Chapter 3 Instant User Interface ... 29
  Understanding the Instant UI Layouts ... 29
  Banner ... 30
  Networks Tab ... 30
  Access Points Tab ... 31
  New Version Available
xternal Captive Portal server. User authentication is performed by:
• Matching a string in the server response
• RADIUS server (either ClearPass Guest or a different RADIUS server)

Creating a Web Login page in ClearPass Guest

The ClearPass Guest Visitor Management Appliance provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. With ClearPass Guest, your non-technical staff have controlled access to a dedicated visitor management user database. Through a customizable web portal, your staff can easily create an account, reset a password or set an expiry time for visitors. Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit.

By defining a web login page on the ClearPass Guest Visitor Management Appliance, you are able to provide a customized graphical login page for visitors accessing the network. Refer to the RADIUS Services chapter in the ClearPass Guest Deployment Guide for information on setting up the RADIUS Web Login feature.

Configuring the RADIUS Server in Instant

To configure Instant to point to ClearPass Guest as an external Captive Portal server, perform the following steps:

1. Navigate to the Networks tab in the Instant WebUI and click the New link. The New WLAN window appears.
2. In the WLAN Settings tab:
   a. Enter a name for the network in the Nam
y is 10. Navigate to PEF > Blacklisting in the Instant WebUI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.
d. Walled Garden: Click on the link to open the Walled Garden window. The walled garden directs the user's navigation within particular areas to allow access to a selection of websites or prevent access to other websites. For more information, see Walled Garden Access on page 142.
e. Encryption: Select Enabled from the drop-down list and perform the following steps (these steps are optional):
   • Select the required key management option from the Key management drop-down list. Available options are WPA-2 Personal, WPA Personal and Both (WPA-2 & WPA).
   • Passphrase format: Specify either an alphanumeric or a hexadecimal string. A hexadecimal string must be exactly 64 digits in length.
   • Passphrase: Enter a pre-shared key (PSK) passphrase.
External splash page:
   a. IP or hostname: Enter the IP address or the hostname of the external splash page server.
   b. URL: Enter the URL for the external splash page server.
   c. Port: Enter the number of the port to be used for communicating with the external splash page server.
   d. Auth text: Enter the authentication text. This is the text string returned by the external server after a successful authentication.

Figure 108: Configuring External Captive Portal Authen
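Two of the settings above hide a check a practitioner wants to see in code: why a hexadecimal passphrase must be exactly 64 digits, and what the "matching a string in the server response" method of the external captive portal (described at the start of this section) actually compares. The following is an added example, not code from the guide, from Aruba or from ClearPass. The 64 hex digits are the 256-bit pairwise master key itself, whereas an ASCII passphrase is stretched into that key with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt) as WPA/WPA2-Personal specify; the 8 to 63 printable-ASCII limit on such a passphrase comes from the 802.11 standard rather than from the guide. The substring match used for the auth text is an assumption about how Instant compares the response, and the SSID, passphrases and HTTP body used with it are constructed.

```python
# Added example (not from the Aruba Instant User Guide): validates a WPA/WPA2
# Personal passphrase, deriving the PMK to show why the hex form is 64 digits,
# and performs the auth-text match an external captive portal relies on.
# The substring-match behaviour and the sample inputs are assumptions.
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def validate_passphrase(passphrase, ssid):
    """Return (form, pmk_hex). form is "hex" for a 64-digit raw PMK or "ascii" for
    a passphrase of 8..63 printable ASCII characters (802.11 limit), in which case
    the PMK is derived with PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt."""
    if HEX64.match(passphrase):
        return "hex", passphrase.lower()
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("ASCII passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("ASCII passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return "ascii", pmk.hex()


def auth_text_matches(response_body, auth_text):
    """True when the splash page server's reply contains the configured auth text.
    Modelled here as an exact, case-sensitive substring match (an assumption)."""
    if not auth_text:
        raise ValueError("auth text must not be empty")
    return auth_text in response_body
```

Because the PMK derivation is public and the SSID is the only salt, the strength of a WPA-Personal network is exactly the strength of the passphrase; an attacker who captures one four-way handshake can test candidates offline at the cost of 4096 SHA-1 iterations each. The auth text check, in turn, is only as trustworthy as the path to the splash page server: the text has to be something an unauthenticated user cannot make the server echo back.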
y of a network to provide better service to selected network traffic over various technologies.

Employee Network

An Employee network is a classic Wi-Fi network. This network type is supported with full customization on Aruba Instant. It is used by the employees in the organization. Passphrase-based or 802.1X-based authentication methods are supported on this network type. Employees can access the protected data of an enterprise through the employee network after successful authentication.

Adding an Employee Network

This section provides the procedure to add an employee network.

1. In the Networks tab, click the New link. The New WLAN window appears.

Figure 36: Adding an Employee Network, Basic Info Tab. The figure shows the WLAN Settings tab of the New WLAN window: Name (SSID) and Primary usage (Employee, Voice, Guest); Bandwidth Limits (Airtime, Each user); Transmit Rates (minimum and maximum for 2.4 GHz and 5 GHz); Broadcast/Multicast (Broadcast filtering, DTIM interval, Multicast transmission optimization, Dynamic multicast optimization, DMO channel utilization threshold); Miscellaneous (Content filtering, Hide SSID); and the Hide advanced options, Next and Cancel controls.

In the WLAN S
ys the wired parameters of the Ethernet profile configuration.

Figure 147: Ethernet Profile Configuration, Wired Tab. The figure shows the Wired Settings tab of the New Wired Network window with the Name, Primary usage (Employee or Guest), Speed/Duplex, POE and Admin status fields.

3. Click the VLAN tab or click Next and enter the following information:

Table 32: Ethernet Downlink Profile Parameters, VLAN Tab

Field: Description
Mode: In Access mode, the port carries a single VLAN specified as the Native VLAN. In Trunk mode, the port carries packets for multiple VLANs specified as the Allowed VLANs.
Native VLAN: Specifies the VLAN carried by the port in Access mode.
Allowed VLANs: Specifies the VLANs carried by the port in Trunk mode.

The following figure displays the VLAN parameters of the Ethernet profile configuration.

Figure 148: Ethernet Profile Configuration, VLAN Tab. The figure shows the VLAN tab of the New Wired Network window with Mode set to Trunk, Native VLAN 1 and Allowed VLANs set to all.

4. Click on the Security tab or click Next and enter the following information:

Table 33: Ethernet Downlink Profile Parameters, Security Tab

Field: Description
MAC authentication: Disable disables MAC Authentication on the profile (default). Enable enables MAC Authentication on the profile.

The following figure displays the security parameters of the Ethernet profi
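The Mode, Native VLAN and Allowed VLANs fields of Table 32 decide which 802.1Q frames a downlink port accepts and how they leave it. The following added example (not from the guide or from Aruba) models that decision, including the expansion of an allowed-VLAN list such as "1,10-20,30" and the value all. The tagging rules follow the usual 802.1Q switch convention (access ports untagged; the native VLAN untagged on a trunk, every other allowed VLAN tagged); the profiles and frames used with it are constructed.

```python
# Added example (not from the Aruba Instant User Guide): a model of how the
# Access/Trunk mode, Native VLAN and Allowed VLANs settings decide which 802.1Q
# frames a downlink port accepts and how they leave it. Tagging follows the
# usual 802.1Q switch convention; profiles and frames here are constructed.
from dataclasses import dataclass


@dataclass
class WiredProfile:
    mode: str                   # "Access" or "Trunk"
    native_vlan: int            # VLAN in Access mode / untagged VLAN on a trunk
    allowed_vlans: str = "all"  # Trunk mode only: "all" or e.g. "1,10-20,30"


def parse_vlan_list(spec):
    """Expand "1,10-20,30" into a set of VLAN IDs; "all" means 1..4094."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 1 <= lo <= hi <= 4094:
                raise ValueError(f"bad VLAN range {part}")
            vlans.update(range(lo, hi + 1))
        else:
            v = int(part)
            if not 1 <= v <= 4094:
                raise ValueError(f"bad VLAN {part}")
            vlans.add(v)
    return vlans


def ingress_vlan(profile, tag):
    """VLAN assigned to a frame arriving on the port, or None if it is dropped.
    tag is the 802.1Q VLAN ID on the frame, or None for an untagged frame."""
    if profile.mode == "Access":
        # An access port carries exactly one VLAN and accepts untagged frames only.
        return profile.native_vlan if tag is None else None
    if profile.mode == "Trunk":
        if tag is None:
            return profile.native_vlan
        return tag if tag in parse_vlan_list(profile.allowed_vlans) else None
    raise ValueError(f"unknown mode {profile.mode}")


def egress_tag(profile, vlan):
    """802.1Q tag put on a frame leaving the port for `vlan` (None = untagged);
    raises if the port does not carry that VLAN at all."""
    if profile.mode == "Access":
        if vlan != profile.native_vlan:
            raise ValueError(f"access port does not carry VLAN {vlan}")
        return None
    if vlan == profile.native_vlan:
        return None
    if vlan not in parse_vlan_list(profile.allowed_vlans):
        raise ValueError(f"VLAN {vlan} not in allowed list")
    return vlan
```

The model makes the security consequence of the defaults in Figure 148 visible: a trunk with Allowed VLANs set to all lets whatever is plugged into the downlink port send tagged frames into every VLAN the IAP carries, so a port that faces a single device is better left in Access mode, and a trunk that is really needed should list only the VLANs the downstream device requires.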