Alcatel-Lucent IAP93
Contents
1. Blacklisting Clients

Client blacklisting denies network connection to blacklisted clients. When a client is blacklisted, it is not allowed to associate with any OAW-IAP in the network. If a client is already connected to the network when it is blacklisted, a deauthentication message is sent to force it to disconnect. Because the blacklist keys on the client MAC address, which a client can change at will, treat it as a containment control and not as a substitute for authentication.

This section describes the following procedures:
- Blacklisting Clients Manually on page 159
- Blacklisting Users Dynamically on page 159

(AOS-W Instant 6.3.1.1-4.0 User Guide, Authentication, page 158)

Blacklisting Clients Manually

Manual blacklisting adds the MAC address of a client to a permanent blacklist. These clients are not allowed to connect to the network until they are removed from the blacklist.

Adding a Client to the Blacklist

You can add a client to the blacklist manually using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI:
1. Click the Security link in the top right corner of the AOS-W Instant main window.
2. Click the Blacklisting tab.
3. Under Manual Blacklisting, click New.
4. Enter the MAC address of the client to be blacklisted in the MAC address to add text box.
5. Click OK. The Blacklisted Since column displays the time at which the current blacklisting started for the client.

To delete a client from the manual blacklist, select the MAC address of the client under Manual Blacklisting and click Delete.

In the CLI:
To blac
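The behaviour described above (a permanent manual list, a dynamic list that ages out, and a deauthentication for any client that is associated at the moment it is blacklisted) modelled in Python, as an added illustration that is not AOS-W Instant code. The failure threshold and timeout are assumptions chosen for the example; the real values come from the SSID profile settings (the CLI excerpt later on this page shows max-authentication-failures and blacklist).

```python
"""Model of client blacklisting on a wireless controller (added example, not AP firmware).

Manual entries are permanent until an administrator deletes them. Dynamic entries are
added after `max_auth_failures` failed authentications and expire after
`dynamic_timeout_s` seconds. Blacklisting a client that is currently associated
triggers a deauthentication. Threshold and timeout defaults are assumptions.
"""
import re
import time

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


class Blacklist:
    def __init__(self, max_auth_failures=3, dynamic_timeout_s=3600, now=time.time):
        self.manual = set()        # permanent entries (normalized MACs)
        self.dynamic = {}          # normalized MAC -> expiry timestamp
        self.failures = {}         # normalized MAC -> consecutive auth failures
        self.associated = set()    # clients currently associated
        self.deauth_sent = []      # audit trail of forced disconnections
        self.max_auth_failures = max_auth_failures
        self.dynamic_timeout_s = dynamic_timeout_s
        self.now = now             # injectable clock for deterministic tests

    def is_blacklisted(self, mac):
        mac = normalize_mac(mac)
        if mac in self.manual:
            return True
        expiry = self.dynamic.get(mac)
        if expiry is None:
            return False
        if expiry <= self.now():
            del self.dynamic[mac]  # dynamic entries age out; manual ones never do
            return False
        return True

    def _enforce(self, mac):
        """A client that is associated when it gets blacklisted is deauthenticated."""
        if mac in self.associated:
            self.associated.discard(mac)
            self.deauth_sent.append(mac)

    def add_manual(self, mac):
        mac = normalize_mac(mac)
        self.manual.add(mac)
        self._enforce(mac)

    def remove_manual(self, mac):
        self.manual.discard(normalize_mac(mac))

    def associate(self, mac):
        """Association request: refused while the client is blacklisted."""
        mac = normalize_mac(mac)
        if self.is_blacklisted(mac):
            return False
        self.associated.add(mac)
        return True

    def auth_failure(self, mac):
        """Count a failed authentication; returns True when this failure blacklisted the client."""
        mac = normalize_mac(mac)
        self.failures[mac] = self.failures.get(mac, 0) + 1
        if self.failures[mac] >= self.max_auth_failures:
            self.failures[mac] = 0
            self.dynamic[mac] = self.now() + self.dynamic_timeout_s
            self._enforce(mac)
            return True
        return False
```

The injected clock is what makes the expiry path testable; in a real implementation the same check belongs wherever association requests are admitted, so an entry that has aged out is dropped on first use rather than by a separate sweeper.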
2. Configuring VLAN Settings for a WLAN SSID Profile

If you are creating a new SSID profile, complete the WLAN Settings procedure before configuring the VLAN. For more information, see Configuring WLAN Settings for an SSID Profile on page 86.

You can configure VLAN settings for an SSID profile using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI:
To configure VLAN settings for an SSID:
1. In the VLAN tab of the New WLAN window, the VLAN tab contents are displayed.
   Figure 33 VLAN Tab (fields: Client IP assignment: Virtual Controller assigned / Network assigned; Client VLAN assignment: Default / Static / Dynamic; VLAN Assignment Rules; Default VLAN: 1)
2. Select one of the following options for Client IP assignment:
   - Virtual Controller assigned: the client obtains its IP address from the Virtual Controller. The Virtual Controller creates a private subnet and VLAN on the OAW-IAP for the wireless clients. Network address translation for all client traffic that leaves this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management in a multi-site wireless network. For more information on DHCP scopes and server configuration, see DHCP Configuration on page 231.
   - Network assigned: select this option to obtain the IP address from the network.
3. If Network assigned is
3. CLI example: configuring hotspot ANQP profiles (venue name, network authentication, roaming consortium, 3GPP and IP address availability):

(Instant Access Point)(config)# hotspot anqp-venue-name-profile vn1
(Instant Access Point)(venue-name "vn1")# venue-group business
(Instant Access Point)(venue-name "vn1")# venue-type research-and-development
(Instant Access Point)(venue-name "vn1")# venue-name VenueName
(Instant Access Point)(venue-name "vn1")# venue-lang-code eng
(Instant Access Point)(venue-name "vn1")# exit

(Instant Access Point)(config)# hotspot anqp-nwk-auth-profile na1
(Instant Access Point)(network-auth "na1")# nwk-auth-type accept-term-and-cond
(Instant Access Point)(network-auth "na1")# url www.nwkauth.com
(Instant Access Point)(network-auth "na1")# exit

(Instant Access Point)(config)# hotspot anqp-roam-cons-profile rc1
(Instant Access Point)(roaming-consortium "rc1")# roam-cons-oi-len 3
(Instant Access Point)(roaming-consortium "rc1")# roam-cons-oi 888888
(Instant Access Point)(roaming-consortium "rc1")# exit

(Instant Access Point)(config)# hotspot anqp-3gpp-profile 3g
(Instant Access Point)(3gpp "3g")# 3gpp-plmn1 40486
(Instant Access Point)(3gpp "3g")# exit

(Instant Access Point)(config)# hotspot anqp-ip-addr-avail-profile ip1
(Instant Access Point)(IP-addr-avail "ip1")# no ipv4-addr-avail
(Instant Access Point)(IP-addr-avail "ip1")# ipv6-addr-avail
(Instant Access Point)(IP-addr-avail "ip1")# exit
4. Preferred band: All
- Show advanced options

RF
The RF link displays a window for configuring Adaptive Radio Management (ARM) and Radio features:
- ARM: allows you to view or configure channel and power settings for all the OAW-IAPs in the network. For information about ARM configuration, see ARM Overview on page 211.
- Radio: allows you to view or configure radio settings for the 2.4 GHz and 5 GHz radio profiles. For information about Radio, see Configuring Radio Settings for an OAW-IAP on page 218.

The following figure shows the default view of the RF window.

Figure 6 RF Window (tabs: ARM, Radio). Client Control: Band steering mode: Prefer 5 GHz; Airtime fairness mode: Fair Access; Client match: Enabled; CM calculating interval: 30 seconds; CM neighbor matching: 75; CM threshold: 7; SLB mode: Channel. Access Point Control: Customize valid channels; Min transmit power: 18; Max transmit power: Max; Client aware: Enabled; Scanning: Disabled; Wide channel bands: 5 GHz; 80 MHz support: Disabled.

Security
The Security link displays a window with the following tabs:
- Authentication Servers: use this window to configure an external RADIUS server for a wireless network. See Configuring an External Server for Authentication on page 144 for more information.
- Users for Internal Server: use this window to populate th
5. (Contents, continued)
Configuring ARM Assigned Radio Profiles for an OAW-IAP ... 75
Configuring Radio Profiles Manually for OAW-IAP ... 75
In the CLI ... 76
Configuring Inter-user Bridging and Local Routing ... 76
In the AOS-W Instant UI ... 76
In the CLI ... 76
Configuring Uplink VLAN for an OAW-IAP ... 77
In the AOS-W Instant UI ... 77
In the CLI ... 77
Configuring an NTP Server ... 77
In the AOS-W Instant UI ... 77
In the CLI ... 78
Mesh OAW-IAP Configuration ... 79
Mesh Network Overview ... 79
Mesh Portals ... 79
Mesh Points ... 80
Setting up AOS-W Instant Mesh Network ... 80
VLAN Configuration ... 81
VLAN Pooling ... 81
Uplink VLAN Monitoring and Detection on Upstream Devices ... 81
Virtual Controller Configuration ... 82
Virtual Controller Overview ... 82
Master Election Protocol ... 82
Preference
6. Disabling the Provisioning Wi-Fi Network

The provisioning network is enabled by default. AOS-W Instant provides the option to disable the provisioning network through the console port. Use this option only when you do not want the default SSID "instant" to be broadcast in your network.

To disable the provisioning network:
1. Connect a terminal or PC workstation running a terminal emulation program to the Console port on the OAW-IAP.
2. Configure the terminal or terminal emulation program to use the communication settings in Table 5, Terminal Communication Settings (Baud Rate, Data Bits, Parity, Stop Bits, Flow Control).
3. Power on the OAW-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
4. Press Enter before the timer expires. The OAW-IAP enters apboot mode through the console.
5. In apboot mode, use the following commands to disable the provisioning network (note that factory_reset erases the existing configuration):
   apboot> factory_reset
   apboot> setenv disable_prov_ssid 1
   apboot> saveenv
   apboot> reset

Logging in to the AOS-W Instant UI

Launch a web browser and enter http://instant.Alcatel-Lucentnetworks.com. In the login screen, enter the following credentials:
- Username: admin
- Password: admin
These are the factory default credentials; change the admin password after the first login.

The following figure shows the Login screen.
Figure 1 Login Screen (Welcome to Instant, Alcatel-Lucent)
7. (Figure: Admin window. Authentication: Internal; Organization; Username: admin; AirWave IP; Password; AirWave backup IP; Retype; Shared key; Retype; View Only: Username, Password, Retype; Guest Registration Only: Username, Password, Retype; Show advanced options)

2. Enter the name of your organization in the Organization name text box. The name defined for the organization is displayed under the Groups tab in the Omnivista user interface.
3. Enter the IP address or domain name of the Omnivista server in the AirWave IP text box.
4. Enter the IP address or domain name of a backup Omnivista server in the AirWave backup IP text box. The backup server provides connectivity when the primary server is down. If the OAW-IAP cannot send data to the primary server, the Virtual Controller switches to the backup server automatically.
5. Enter the shared key in the Shared key text box and reconfirm it. This shared key is used for configuring the first AP in the AOS-W Instant network.
6. Click OK.

(Omnivista Integration and Management, page 261)

In the CLI:
To configure Omnivista information in AOS-W Instant:
(Instant Access Point)(config)# organization <name>
(Instant Access Point)(config)# ams-ip <IP-address or domain name>
(Instant Access Point)(config)# ams-backup-ip <IP addr
8. Select Administrator assigned in the 2.4 GHz and 5 GHz band sections.
   Select the appropriate channel number from the Channel drop-down list for both the 2.4 GHz and 5 GHz band sections.
   Enter the appropriate transmit power value in the Transmit power text box in the 2.4 GHz and 5 GHz band sections.
   Click OK.

In the CLI:
To configure a radio profile:
(Instant Access Point)(config)# wifi0-mode {access | monitor | spectrum-monitor}
(Instant Access Point)(config)# wifi1-mode {access | monitor | spectrum-monitor}
(Instant Access Point)(config)# a-channel <channel> <tx-power>
(Instant Access Point)(config)# g-channel <channel> <tx-power>

Configuring Inter-user Bridging and Local Routing

You can configure inter-user bridging and local routing by using the AOS-W Instant UI or CLI. Both settings are client-isolation controls: enabling them stops one client from reaching another client on the same OAW-IAP, whether the traffic would be bridged at layer 2 or routed locally.

In the AOS-W Instant UI:
To prevent inter-user bridging and local routing:
1. In the AOS-W Instant main window, click the System link. The System window is displayed.
2. In the General tab of the System window, click Show advanced options to display the advanced options.
   - From the Deny inter user bridging drop-down menu, select Enabled to prevent traffic between two clients connected to the same OAW-IAP.
   - From the Deny local routing drop-down menu, select Enabled to prevent locally routed traffic between two clients connected to the same OAW-IAP.

In the CLI:
To configure inter-user bridging and local routing:
(Instant Access Point)(config
9. (host) #show ip ospf rapng-vpn aggregate-routes <net> <mask>

(host) #show ip ospf rapng-vpn aggregate-routes 100.100.2.0 255.255.255.0
Contributing routes of RAPNG VPN aggregate route
100.100.2.64 255.255.255.224 5 5 0 10 10

To view all the redistributed routes:
(host) #show ip ospf database

OSPF Database Table
Area ID    LSA Type     Link ID        Adv Router     Age  Seq         Checksum
0.0.0.15   ROUTER       (unreadable)   (unreadable)   159  0x80000016  0xee92
0.0.0.15   ROUTER       10.15.148.12   10.15.148.12   66   0x80000016  0x4c0d
0.0.0.15   NETWORK      10.15.148.12   10.15.148.12   167  0x80000001  0x9674
0.0.0.15   NSSA         12.12.2.0      9.9.9.9        29   0x80000003  0x7b54
0.0.0.15   NSSA         12.12.12.0     9.9.9.9        164  0x80000008  0x63a
0.0.0.15   NSSA         12.12.12.32    9.9.9.9        164  0x80000008  0x758
0.0.0.15   NSSA         50.40.40.0     9.9.9.9        164  0x80000007  0x8ed4
0.0.0.15   NSSA         51.41.41.128   9.9.9.9        164  0x80000007  0x68f6
0.0.0.15   NSSA         53.43.43.32    9.9.9.9        164  0x80000007  0x2633
0.0.0.15   NSSA         54.44.44.16    9.9.9.9        164  0x80000007  0x353
N/A        AS_EXTERNAL  12.12.2.0      9.9.9.9        29   0x80000003  0x8c06
N/A        AS_EXTERNAL  12.12.12.0     9.9.9.9        169  0x80000001  0x25e4
N/A        AS_EXTERNAL  12.12.12.32    9.9.9.9        169  0x80000001  0x2663
N/A        AS_EXTERNAL  50.40.40.0     9.9.9.9        169  0x80000001  0xab80
N/A        AS_EXTERNAL  51.41.41.128   9.9.9.9        169  0x80000001  0x85a2
N/A        AS_EXTERNAL  53.43.43.32    9.9.9.9        169  0x80000001  0x43de
N/A        AS_EXTERNAL  54.44.44.16    9.9.9.9        169  0x80000001  0x20fe

To verify if the redistribute
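The verification the text is leading to (every NSSA, type-7, prefix learned in area 0.0.0.15 should also appear as an AS-External, type-5, LSA once redistributed) done programmatically over the output above, as an added example rather than anything shipped with the controller. The embedded sample is the readable rows of that output; the first router LSA, whose IDs are not legible, is left out.

```python
"""Parse `show ip ospf database` output and check NSSA -> AS-External redistribution.

Added example (not Alcatel-Lucent code). SAMPLE holds the legible rows of the sample
output on this page. The parser is whitespace-tolerant so it also works on output
pasted from a terminal with different column padding.
"""
import re
from collections import defaultdict

SAMPLE = """\
Area ID    LSA Type     Link ID        Adv Router     Age  Seq         Checksum
0.0.0.15   ROUTER       10.15.148.12   10.15.148.12   66   0x80000016  0x4c0d
0.0.0.15   NETWORK      10.15.148.12   10.15.148.12   167  0x80000001  0x9674
0.0.0.15   NSSA         12.12.2.0      9.9.9.9        29   0x80000003  0x7b54
0.0.0.15   NSSA         12.12.12.0     9.9.9.9        164  0x80000008  0x63a
0.0.0.15   NSSA         12.12.12.32    9.9.9.9        164  0x80000008  0x758
0.0.0.15   NSSA         50.40.40.0     9.9.9.9        164  0x80000007  0x8ed4
0.0.0.15   NSSA         51.41.41.128   9.9.9.9        164  0x80000007  0x68f6
0.0.0.15   NSSA         53.43.43.32    9.9.9.9        164  0x80000007  0x2633
0.0.0.15   NSSA         54.44.44.16    9.9.9.9        164  0x80000007  0x353
N/A        AS_EXTERNAL  12.12.2.0      9.9.9.9        29   0x80000003  0x8c06
N/A        AS_EXTERNAL  12.12.12.0     9.9.9.9        169  0x80000001  0x25e4
N/A        AS_EXTERNAL  12.12.12.32    9.9.9.9        169  0x80000001  0x2663
N/A        AS_EXTERNAL  50.40.40.0     9.9.9.9        169  0x80000001  0xab80
N/A        AS_EXTERNAL  51.41.41.128   9.9.9.9        169  0x80000001  0x85a2
N/A        AS_EXTERNAL  53.43.43.32    9.9.9.9        169  0x80000001  0x43de
N/A        AS_EXTERNAL  54.44.44.16    9.9.9.9        169  0x80000001  0x20fe
"""

# area, type, link id, adv router, age, sequence number, checksum
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)$")

OSPF_MAX_AGE = 3600  # LSAs at MaxAge are being flushed, not usable routes


def parse_lsdb(text):
    """Return one dict per LSA row; header lines and unparseable rows are skipped."""
    lsas = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        area, lsa_type, link_id, adv, age, seq, cksum = m.groups()
        lsas.append({"area": area, "type": lsa_type, "link_id": link_id,
                     "adv_router": adv, "age": int(age), "seq": int(seq, 16),
                     "checksum": int(cksum, 16)})
    return lsas


def unredistributed_nssa(lsas):
    """NSSA (type 7) prefixes that have no AS-External (type 5) counterpart in the database."""
    by_type = defaultdict(set)
    for lsa in lsas:
        by_type[lsa["type"]].add(lsa["link_id"])
    return sorted(by_type["NSSA"] - by_type["AS_EXTERNAL"])


def stale_lsas(lsas, max_age=OSPF_MAX_AGE):
    """Link IDs of LSAs whose age has reached MaxAge."""
    return [lsa["link_id"] for lsa in lsas if lsa["age"] >= max_age]
```

An empty result from `unredistributed_nssa` is the pass condition; a non-empty list names exactly the prefixes that the ASBR advertised into the NSSA but that never became AS-External routes.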
10. (Figure: Omnivista Device Setup > Upload Firmware & Files. Fields: Certificate Name; Certificate File (Choose File); Server p12 passphrase; Confirm passphrase; Format: PKCS#12; Type: Server Cert; Add)

4. After you upload the certificate, navigate to Groups, click the Instant Group and then select Basic. The Group name is displayed only if you have entered the Organization name in the AOS-W Instant UI. For more information, see Configuring Organization String on page 260.

Figure 54 Selecting the Group (Omnivista Groups list with columns Name, SSID, Total Devices, Down, Mismatched, Ignored, Clients, Usage, VPN Sessions, Up/Down, Status, Polling Period, Duplicate)

The Virtual Controller Certificate section displays the certificates (CA cert and Server cert).
5. Click Save to apply the changes only to Omnivista. Click Save and Apply to apply the changes to the OAW-IAP.
6. To clear the certificate options, click Revert.
11.
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# type Guest
(Instant Access Point)(SSID Profile <name>)# mac-authentication
(Instant Access Point)(SSID Profile <name>)# captive-portal <type> exclude-uplink <type>
(Instant Access Point)(SSID Profile <name>)# set-role-machine-auth <machine-authentication> <user-authentication>
(Instant Access Point)(SSID Profile <name>)# set-role-mac-auth <MAC-authentication-only>
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

To configure MAC authentication with Captive Portal authentication for a wired profile:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# type guest
(Instant Access Point)(wired ap profile <name>)# mac-authentication
(Instant Access Point)(wired ap profile <name>)# captive-portal <type>
(Instant Access Point)(wired ap profile <name>)# captive-portal <type> exclude-uplink {3G | 4G | Wifi | Ethernet}
(Instant Access Point)(wired ap profile <name>)# set-role-machine-auth <machine-only> <user-only>
(Instant Access Point)(wired ap profile <name>)# set-role-mac-auth <mac-only>
(Instant Access Point)(wired ap profile <name>)# end
(Instant
12. This User Guide describes the features supported by AOS-W Instant and provides detailed instructions for setting up and configuring an AOS-W Instant network.

Intended Audience
This guide is intended for customers who configure and use AOS-W Instant.

Related Documents
In addition to this document, the AOS-W Instant product documentation includes the following:
- AOS-W Instant Installation Guides
- AOS-W Instant 6.3.1.1-4.0 Quick Start Guide
- AOS-W Instant 6.3.1.1-4.0 CLI Reference Guide
- AOS-W Instant 6.3.1.1-4.0 MIB Reference Guide
- AOS-W Instant 6.3.1.1-4.0 Syslog Messages Reference Guide
- AOS-W Instant 6.3.1.1-4.0 Release Notes

Conventions
The following conventions are used throughout this manual to emphasize important concepts.

Table 1 Typographical Conventions (Type Style: Description)
- (emphasis style): used to emphasize important terms and to mark the titles of books.
- System items: this fixed-width font depicts sample screen output; system prompts; and filenames, software devices and specific commands when mentioned in the text.
- Commands: in the command examples, this style depicts the keywords that must be typed exactly as shown.
- <Arguments>: in the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example, send <text message>. In this example, you would type send at the system pro
13.
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# secret-key <secret_key>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To configure an L2TPv3 session:
(Instant Access Point)(config)# l2tpv3 session <l2tpv3_session_profile>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# cookie len <cookie_length> value <cookie_value>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# l2tpv3 tunnel <l2tpv3_tunnel_name_to_associate>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# tunnel ip <local_ip_addr> tunnel mask <tunnel_mask_ip_addr> vlan <vlan_ID>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Example:
(Instant Access Point)(config)# l2tpv3 tunnel test_tunnel
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# primary peer-address 10.0.0.65
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# backup peer-address 10.0.0.63
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# no checksum
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# failover-mode non-preemptive
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# failover-retry-count 5
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# failover-retry-interval 80
(Instant Access Point)(L2TPv3 Tunnel Prof
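What the session cookie configured above buys you, shown on the wire: an added example of L2TPv3-over-IP data-message framing (RFC 3931 section 4.1), not Alcatel-Lucent code. Each direction carries the session ID the receiver assigned plus the cookie the receiver expects, and the receiver drops anything that does not match; that check is what keeps an off-path sender from injecting Ethernet frames into the tunnel. The session IDs, cookie values and sample frame below are assumptions made for the illustration.

```python
"""L2TPv3-over-IP data-message framing with per-session cookies (added example).

Header layout for the IP encapsulation (RFC 3931 section 4.1): a 32-bit Session ID,
then an optional cookie of 4 or 8 octets, then the tunnelled layer-2 frame.
Session ID 0 is reserved for control messages and is rejected here.
"""
import hmac
import struct
from typing import Optional


class L2tpv3Session:
    def __init__(self, local_session_id, remote_session_id, local_cookie, remote_cookie):
        for sid in (local_session_id, remote_session_id):
            if not 0 < sid < 2 ** 32:
                raise ValueError("Session ID must be a non-zero 32-bit value")
        for cookie in (local_cookie, remote_cookie):
            if len(cookie) not in (0, 4, 8):
                raise ValueError("cookie length must be 0, 4 or 8 octets")
        self.local_session_id = local_session_id    # ID we assigned; peer puts it on packets to us
        self.remote_session_id = remote_session_id  # ID the peer assigned; we put it on packets to it
        self.local_cookie = local_cookie            # cookie we expect on incoming packets
        self.remote_cookie = remote_cookie          # cookie the peer expects on outgoing packets
        self.dropped = 0                            # counter worth exporting as a tamper signal

    def encapsulate(self, frame):
        """Outgoing data message: peer's Session ID, peer's cookie, then the L2 frame."""
        return struct.pack("!I", self.remote_session_id) + self.remote_cookie + frame

    def decapsulate(self, packet) -> Optional[bytes]:
        """Incoming data message: return the inner frame, or None after counting a drop."""
        hdr_len = 4 + len(self.local_cookie)
        if len(packet) < hdr_len:
            self.dropped += 1
            return None
        (session_id,) = struct.unpack("!I", packet[:4])
        # The cookie is the value an off-path sender has to guess, so compare it in
        # constant time rather than with ==, which would leak the matching prefix length.
        cookie_ok = hmac.compare_digest(packet[4:hdr_len], self.local_cookie)
        if session_id != self.local_session_id or not cookie_ok:
            self.dropped += 1
            return None
        return packet[hdr_len:]
```

The 8-octet cookie length is the one to configure where the peer supports it: a 4-octet cookie is still far better than none, but it is within reach of a sustained online guessing attack, and the `dropped` counter is where such an attempt would show up.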
14. The OAW-IAP220 Series supports the IEEE 802.11ac standard for high-performance WLAN. To support maximum traffic, port aggregation is required, as it increases throughput and enhances reliability. To support port aggregation, AOS-W Instant supports the Link Aggregation Control Protocol (LACP) based on the IEEE 802.3ad standard. The 802.3ad standard for Ethernet aggregation uses LACP as the method to manage link configuration and balance traffic among aggregated ports. LACP provides a standardized means of exchanging information with partner systems to form a dynamic link aggregation group.

The LACP feature is enabled automatically when the OAW-IAP boots. The AP detects whether it is connected to a partner system with LACP capability by checking whether any LACP Protocol Data Unit (PDU) is received on either the eth0 or the eth1 port. If the switch in the cluster has LACP capability, you can combine the eth0 and eth1 interfaces into a link aggregation group to form a single logical interface (port channel). Port channels can be used to provide additional bandwidth or link redundancy between two devices.

The OAW-IAP220 Series supports link aggregation using either standard port channel configuration or LACP protocol signaling. The OAW-IAP220 Series can optionally be deployed with an LACP configuration to benefit from the higher (greater than 1 Gbps) aggregate throughput capabilities of the two radios. The LACP feature is supported onl
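The detection rule in the paragraph above (a port has an LACP-capable partner when a valid LACPDU arrives on it) made concrete with a minimal LACPDU parser, as an added example that is not Alcatel-Lucent code. It decodes the IEEE 802.3ad / 802.1AX actor and partner information TLVs, including the state bits that tell you whether the partner is actually collecting and distributing on the link. The frame builder at the bottom only exists to construct test input; the MAC addresses, keys and priorities it is fed are made up.

```python
"""Minimal LACPDU parser (IEEE 802.3ad / 802.1AX), added as an example.

LACPDU = Ethernet header (dst 01:80:c2:00:00:02, ethertype 0x8809) + subtype 1 +
version 1 + Actor TLV (20 octets) + Partner TLV (20 octets) + Collector TLV (16
octets) + Terminator TLV (2 octets) + 50 reserved octets.
"""
import struct

SLOW_PROTOCOLS_DST = bytes.fromhex("0180c2000002")   # slow-protocols multicast address
ETHERTYPE_SLOW = 0x8809
LACP_SUBTYPE = 0x01
# Actor/Partner state octet, bit 0 first (IEEE 802.1AX 6.4.2.3)
STATE_BITS = ("activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired")


def _parse_info_tlv(tlv, expected_type):
    """Actor (type 1) or Partner (type 2) information TLV: 17 meaningful octets + 3 reserved."""
    tlv_type, tlv_len, sys_prio, sys_mac, key, port_prio, port, state = struct.unpack(
        "!BBH6sHHHB", tlv[:17])
    if tlv_type != expected_type or tlv_len != 20:
        raise ValueError(f"bad info TLV: type {tlv_type} length {tlv_len}")
    return {"system_priority": sys_prio, "system_mac": sys_mac.hex(":"), "key": key,
            "port_priority": port_prio, "port": port,
            "state": {name: bool(state >> i & 1) for i, name in enumerate(STATE_BITS)}}


def parse_lacpdu(frame):
    """Decode an LACPDU; return None for any frame that is not a well-formed LACPDU."""
    if len(frame) < 14 + 2 + 20 + 20 + 16 + 2:
        return None
    dst, (ethertype,) = frame[:6], struct.unpack("!H", frame[12:14])
    if dst != SLOW_PROTOCOLS_DST or ethertype != ETHERTYPE_SLOW:
        return None
    body = frame[14:]
    if body[0] != LACP_SUBTYPE or body[1] != 1:
        return None
    try:
        actor = _parse_info_tlv(body[2:22], 1)
        partner = _parse_info_tlv(body[22:42], 2)
    except ValueError:
        return None
    if body[42] != 3 or body[43] != 16:             # Collector information TLV
        return None
    (max_delay,) = struct.unpack("!H", body[44:46])
    return {"source_mac": frame[6:12].hex(":"), "actor": actor, "partner": partner,
            "collector_max_delay": max_delay}


def lacp_capable_ports(frames_by_port):
    """Ports on which at least one valid LACPDU was seen: the AP's partner-detection rule."""
    return sorted(port for port, frames in frames_by_port.items()
                  if any(parse_lacpdu(f) is not None for f in frames))


def build_lacpdu(src_mac, actor, partner):
    """Construct a well-formed LACPDU from caller-supplied (here: made-up) values, for tests."""
    def info(tlv_type, d):
        state = sum(1 << i for i, name in enumerate(STATE_BITS) if d["state"].get(name))
        return struct.pack("!BBH6sHHHB3x", tlv_type, 20, d["system_priority"],
                           bytes.fromhex(d["system_mac"].replace(":", "")), d["key"],
                           d["port_priority"], d["port"], state)
    body = (bytes([LACP_SUBTYPE, 1]) + info(1, actor) + info(2, partner)
            + struct.pack("!BBH12x", 3, 16, 0) + b"\x00\x00" + b"\x00" * 50)
    return SLOW_PROTOCOLS_DST + src_mac + struct.pack("!H", ETHERTYPE_SLOW) + body
```

Seeing an LACPDU is only the first half of the story: a bundle is usable when both actor and partner report synchronization, collecting and distributing, so a monitoring check should look at those state bits rather than at the mere presence of PDUs.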
15. To configure machine and user authentication roles:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# set-role-machine-auth <machine-auth-only> <user-auth-only>
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply

To configure unrestricted access:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# set-role-unrestricted
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply

Understanding Hierarchical Deployment

An OAW-IAP Series or OAW-RAP3WN with more than one wired port can be connected to the downlink wired port (ethX) of another OAW-IAP. An OAW-IAP with a single Ethernet port, such as the OAW-IAP90 or OAW-IAP100 series devices, can be provisioned to use Ethernet bridging so that the Ethernet 0 port is converted to a downlink wired port.

You can also form an OAW-IAP network by connecting the downlink port of an AP to other APs. Only one AP in the network uses its downlink port to connect to the other APs. This AP, called the root AP, acts as the wired device for the network, provides DHCP service and an L3 connection to the ISP uplink with NAT. The root AP is always the master of the Instant network.
16.
(Instant Access Point)(SSID Profile <name>)# blacklist
(Instant Access Point)(SSID Profile <name>)# mac-authentication
(Instant Access Point)(SSID Profile <name>)# l2-auth-failthrough
(Instant Access Point)(SSID Profile <name>)# auth-survivability
(Instant Access Point)(SSID Profile <name>)# radius-accounting
(Instant Access Point)(SSID Profile <name>)# radius-accounting-mode {user-authentication | user-association}
(Instant Access Point)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant Access Point)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant Access Point)(SSID Profile <name>)# max-authentication-failures <number>
(Instant Access Point)(SSID Profile <name>)# exit
(Instant Access Point)(config)# auth-survivability cache-time-out
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To configure personal security settings for the employee and voice users of a WLAN SSID profile:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-psk-aes | wpa-tkip | wpa-psk-tkip | wpa-psk-tkip,wpa2-psk-aes | static-wep}
(Instant Access Point)(SSID Profile <name>)# auth-server <server-name>
(Instant Access Point)(SSID Profile <name>)# mac-authentication

Of the opmode choices, only wpa2-psk-aes offers sound encryption; the TKIP and static WEP options exist for legacy clients and should not be enabled on a new SSID.
17. Configuring MAC Authentication for Wireless Network Profiles

You can configure MAC authentication for a wireless profile in the AOS-W Instant UI or CLI.

In the AOS-W Instant UI:
To enable MAC authentication for a wireless network:
1. In the Network tab, click New to create a new network profile, or select an existing profile for which you want to enable MAC authentication and click edit.
2. In the Edit <profile name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, select Enabled from the MAC authentication drop-down list for the Personal or Open security level.
4. Specify the type of authentication server to use and configure the other required parameters. For more information on configuration parameters, see Configuring Security Settings for a WLAN SSID Profile on page 90.
5. Click Next to define access rules, and then click Finish to apply the changes.

In the CLI:
To configure a WLAN SSID profile in the CLI:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# type {Employee | Voice | Guest}
(Instant Access Point)(SSID Profile <name>)# mac-authentication
(Instant Access Point)(SSID Profile <name>)# external-server
(Instant Access Point)(SSID Profile <name>)# auth-s
18. For all other OAW-IAPs: AlcatelInstant_Orion_6.3.1.1-4.0.0.0_xxxx
   - Image URL: select this option to obtain an image file from a TFTP, FTP or HTTP URL.
     HTTP: http://<IP-address>/<image-file>, for example http://<IP-address>/AlcatelInstant_Orion_6.3.1.1-4.0.0.0_xxxx
     TFTP: tftp://<IP-address>/<image-file>, for example tftp://<IP-address>/AlcatelInstant_Orion_6.3.1.1-4.0.0.0_xxxx
     FTP: ftp://<IP-address>/<image-file>, for example ftp://<IP-address>/AlcatelInstant_Orion_6.3.1.1-4.0.0.0_xxxx
     None of these three transports authenticates the server or protects the image in transit, so serve images from a trusted host on the management network.
3. Clear the Reboot all APs after upgrade check box if required. The Reboot all APs after upgrade check box is selected by default to allow the OAW-IAPs to reboot automatically after a successful upgrade. To reboot the OAW-IAPs at a later time, clear the Reboot all APs after upgrade check box.
4. Click Upgrade Now to upgrade the OAW-IAP to the newer version.

Upgrading an Image Using CLI

To upgrade an image using an HTTP, TFTP or FTP URL:
(Instant Access Point)# upgrade-image <ftp/tftp/http-URL>

To upgrade an image without rebooting the OAW-IAP:
(Instant Access Point)# upgrade-image2-no-reboot <ftp/tftp/http-URL>

To view the upgrade information:
(Instant Access Point)# show upgrade info
Image Upgrade Progress
Mac                IP Address   AP Class  Status    Image Info  Error Detail
d8:c7:c8:c4:42:98  10.17.101.1  Orion     image-ok  image file  none
Auto reboot: enable
U
19.
(Instant Access Point)(config)# l3-mobility
(Instant Access Point)(L3-mobility)# home-agent-load-balancing
(Instant Access Point)(L3-mobility)# virtual-controller <IP-address>
(Instant Access Point)(L3-mobility)# subnet <IP-address> <subnet-mask> <VLAN-ID> <virtual-controller-IP-address>
(Instant Access Point)(L3-mobility)# end
(Instant Access Point)# commit apply

Chapter 17 Spectrum Monitor

This chapter provides the following information:
- Understanding Spectrum Data on page 203
- Configuring Spectrum Monitors and Hybrid OAW-IAPs on page 208

Understanding Spectrum Data

Wireless networks operate in environments with electrical and radio-frequency devices that can interfere with network communications. Microwave ovens, cordless phones and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference. The spectrum monitor software modules on OAW-IAPs that support this feature are able to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, identify interference and classify its sources. An analysis of the results can then be used to quickly isolate issues with packet transmission, channel quality and traffic congestion caused by contention with other devices operating in the same band or channel.

Spectrum monitors (SMs) are OAW-IAP rad
20. Chapter 13 Authentication

This chapter provides the following information:
- Understanding Authentication Methods on page 134
- Supported Authentication Servers on page 135
- Understanding Encryption Types on page 141
- Understanding Authentication Survivability on page 142
- Configuring Authentication Servers on page 144
- Configuring Authentication Parameters for Virtual Controller Management Interface on page 150
- Configuring 802.1X Authentication for a Network Profile on page 151
- Configuring MAC Authentication for a Network Profile on page 153
- Configuring MAC Authentication with 802.1X Authentication on page 155
- Configuring MAC Authentication with Captive Portal Authentication on page 156
- Configuring WISPr Authentication on page 157
- Blacklisting Clients on page 158
- Uploading Certificates on page 160

Understanding Authentication Methods

Authentication is the process of identifying a user through a valid username and password. Clients can also be authenticated based on their MAC addresses. The following authentication methods are supported in AOS-W Instant:
- 802.1X authentication: 802.1X is a method for authenticating the identity of a user before providing network access to the user. Remote Authentication Dial-In User Service (RADIUS) is a protocol that provides centralized authentication, authorization and accounting management
21. The Master Election Protocol prefers the OAW-IAP with a 3G/4G card when electing a Virtual Controller for the AOS-W Instant network during the initial setup. The Virtual Controller is selected based on the following criteria:
- If there is more than one OAW-IAP with a 3G/4G card, one of these OAW-IAPs is dynamically elected as the Virtual Controller.
- When an OAW-IAP without a 3G/4G card is elected as the Virtual Controller but has been up for less than 5 minutes, another OAW-IAP with a 3G/4G card in the network is elected as the Virtual Controller to replace it, and the previous Virtual Controller reboots.
- When an OAW-IAP without a 3G/4G card is already elected as the Virtual Controller and has been up for more than 5 minutes, the Virtual Controller is not replaced until it goes down.

Note: OAW-IAP135 is preferred over OAW-IAP105 when a Virtual Controller is elected.

Preference to an OAW-IAP with a Non-Default IP

The Master Election Protocol prefers an OAW-IAP with a non-default IP when electing a Virtual Controller for the AOS-W Instant network during initial startup. If there is more than one OAW-IAP with a non-default IP in the network, all OAW-IAPs with the default IP automatically reboot and the DHCP process is used to assign new IP addresses.

Manual Provisioning of Master OAW-IAP

In most cases the master election process automatically determines the best OAW-IAP that can perform the role of Virtual Controller, which will apply its image and c
22. (Venue group and venue type values, continued)

Venue Group (value) | Associated Venue Type | Value
Assembly (1) | coffee shop | 13
Assembly (1) | zoo or aquarium | 14
Assembly (1) | emergency coordination center | 15
Business (2) | unspecified | 0
Business (2) | doctor | 1
Business (2) | bank | 2
Business (2) | fire station | 3
Business (2) | police station | 4
Business (2) | post office | 6
Business (2) | professional office | 7
Business (2) | research and development facility | 8
Business (2) | attorney office | 9
Educational (3) | unspecified | 0
Educational (3) | school, primary | 1
Educational (3) | school, secondary | 2
Educational (3) | university or college | 3
Factory and Industrial (4) | unspecified | 0
Factory and Industrial (4) | factory | 1
Institutional (5) | unspecified | 0
Institutional (5) | hospital | 1
Institutional (5) | long-term care | 2
Institutional (5) | alcohol and drug rehabilitation | 3
Institutional (5) | group
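How the profile values from the hotspot CLI example earlier on this page (venue group business, venue type research-and-development, name "VenueName" in language "eng", roaming consortium OI 888888, PLMN 40486) and the numeric codes in the table above end up on the air: encoders for the corresponding ANQP elements in the IEEE 802.11u wire format, added here as an example and not Alcatel-Lucent code. The element Info IDs and layouts are from IEEE 802.11u; the PLMN octet packing follows 3GPP TS 24.008. The venue-group/type tables below contain only the entries legible on this page.

```python
"""ANQP element encoders for Hotspot (IEEE 802.11u) venue, roaming consortium and 3GPP
data. Added example; constants for venue groups/types are those shown on this page."""
import struct

ANQP_VENUE_NAME = 258
ANQP_ROAMING_CONSORTIUM = 261
ANQP_3GPP_CELLULAR_NETWORK = 264

VENUE_GROUP = {"unspecified": 0, "assembly": 1, "business": 2, "educational": 3,
               "factory-and-industrial": 4, "institutional": 5}
VENUE_TYPE = {
    ("assembly", "coffee-shop"): 13, ("assembly", "zoo-or-aquarium"): 14,
    ("assembly", "emergency-coord-center"): 15,
    ("business", "unspecified"): 0, ("business", "doctor"): 1, ("business", "bank"): 2,
    ("business", "fire-station"): 3, ("business", "police-station"): 4,
    ("business", "post-office"): 6, ("business", "professional-office"): 7,
    ("business", "research-and-development"): 8, ("business", "attorney-office"): 9,
    ("educational", "unspecified"): 0, ("educational", "school-primary"): 1,
    ("educational", "school-secondary"): 2, ("educational", "univ-or-college"): 3,
    ("factory-and-industrial", "unspecified"): 0, ("factory-and-industrial", "factory"): 1,
    ("institutional", "unspecified"): 0, ("institutional", "hospital"): 1,
    ("institutional", "long-term-care"): 2, ("institutional", "alc-drug-rehab"): 3,
}


def anqp_element(info_id, payload):
    """ANQP element: 2-octet little-endian Info ID, 2-octet little-endian Length, payload."""
    return struct.pack("<HH", info_id, len(payload)) + payload


def venue_name_element(group, vtype, names):
    """Venue Info (group octet, type octet) followed by one Venue Name Duple per language."""
    payload = bytes([VENUE_GROUP[group], VENUE_TYPE[(group, vtype)]])
    for lang, name in names:
        lang_b = lang.encode("ascii").ljust(3, b"\x00")   # ISO 639 code, NUL-padded to 3 octets
        name_b = name.encode("utf-8")
        if len(lang_b) != 3 or len(name_b) > 252:
            raise ValueError("language code must be 1-3 chars, name at most 252 bytes")
        payload += bytes([3 + len(name_b)]) + lang_b + name_b  # duple length covers lang + name
    return anqp_element(ANQP_VENUE_NAME, payload)


def roaming_consortium_element(ois):
    """OI Duples: a 1-octet length followed by the organization identifier (3 to 15 octets)."""
    payload = b""
    for oi in ois:
        if not 3 <= len(oi) <= 15:
            raise ValueError("OI length must be 3..15 octets")
        payload += bytes([len(oi)]) + oi
    return anqp_element(ANQP_ROAMING_CONSORTIUM, payload)


def encode_plmn(mcc, mnc):
    """PLMN as 3 BCD octets: MCC2|MCC1, MNC3|MCC3 (MNC3 = 0xF for a 2-digit MNC), MNC2|MNC1."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([(m[1] << 4) | m[0], (n[2] << 4) | m[2], (n[1] << 4) | n[0]])


def cellular_network_element(plmns):
    """3GPP Cellular Network: GUD=0, UDHL, then a PLMN List IE (IEI 0x00, length, count, PLMNs)."""
    plmn_bytes = b"".join(encode_plmn(mcc, mnc) for mcc, mnc in plmns)
    ie = bytes([0x00, 1 + len(plmn_bytes), len(plmns)]) + plmn_bytes
    return anqp_element(ANQP_3GPP_CELLULAR_NETWORK, bytes([0x00, len(ie)]) + ie)
```

The roaming consortium OI is the value clients match against their credentials to decide whether to join, so the 3-octet length configured with roam-cons-oi-len has to agree with the OI actually entered; the encoder derives the length from the bytes and refuses anything outside the permitted 3 to 15 octets.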
23. ... when configuring a new profile.
2. In the Access tab, slide to Network-based using the scroll bar to specify access rules for the network.
3. Click New to add a new rule. The New Rule window is displayed.
   a. Select Allow from the Action drop-down list.
   b. Select Custom from the Service drop-down list. Select TCP from the Protocol drop-down list. Enter the appropriate port number in the Ports text box.
   c. Select to a network from the Destination drop-down list. Enter the appropriate IP address in the IP text box and the appropriate netmask in the Netmask text box.
   d. Click OK.
4. Click Finish.

Deny FTP Service except to a Particular Server

To define an access rule that denies the FTP service except to a particular server:
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit <WLAN Profile> or Edit Wired Network window is displayed.
   Note: You can also configure access rules in the Access tab of the New WLAN and New Wired Network windows when configuring a new profile.
2. In the Access tab, slide to Network-based using the scroll bar to specify access rules for the network.
3. Click New to add a new rule. The New Rule window is displayed.
   a. Select Deny from the Action drop-down list.
   b. Select ftp from the Service drop-down list.
   c. Select except to a particular server from the Destination drop-down list and ent
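The two rule shapes built in the procedures above (allow a custom TCP port to a network; deny a service except to a particular server) as an ordered-ACL evaluator, added as an example and not the AP's own policy engine. It evaluates rules top to bottom with first match winning, which is the assumption you also need to hold when ordering rules in the Access tab. The addresses, ports and the terminal default used in the test are made up for the illustration.

```python
"""Ordered access-rule evaluator for the "allow custom TCP to a network" and "deny a
service except to a particular server" patterns (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names as offered in the Service drop-down, mapped to protocol and port.
SERVICES = {"ftp": ("tcp", 21), "ssh": ("tcp", 22), "http": ("tcp", 80), "https": ("tcp", 443)}


@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    proto: Optional[str]                     # None matches any protocol
    port: Optional[int]                      # None matches any destination port
    dest: Optional[ipaddress.IPv4Network]    # None means "to all destinations"
    negate_dest: bool = False                # True models "except to a particular server"


def allow_custom_tcp_to_network(port, network):
    """Action Allow, Service Custom/TCP/<port>, Destination 'to a network' <ip>/<netmask>."""
    return Rule("allow", "tcp", port, ipaddress.ip_network(network, strict=False))


def deny_service_except_server(service, server):
    """Action Deny, Service <name>, Destination 'except to a particular server' <server>."""
    proto, port = SERVICES[service]
    return Rule("deny", proto, port, ipaddress.ip_network(f"{server}/32"), negate_dest=True)


def rule_matches(rule, proto, dport, dst_ip):
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.port is not None and rule.port != dport:
        return False
    if rule.dest is not None:
        in_dest = ipaddress.ip_address(dst_ip) in rule.dest
        # A plain rule needs the destination inside its set; an "except" rule needs it outside.
        if in_dest == rule.negate_dest:
            return False
    return True


def evaluate(rules, proto, dport, dst_ip, default="deny"):
    """First matching rule decides; `default` stands in for the role's implicit final rule."""
    for rule in rules:
        if rule_matches(rule, proto, dport, dst_ip):
            return rule.action
    return default
```

Note what the "except" rule does not do: it denies FTP to everything other than the named server but grants nothing by itself, so FTP to that server is still decided by whatever rule follows it. The test shows both outcomes by evaluating the same rule set against an allow-all and a deny-all tail.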
24.
2. Click CALEA. The CALEA tab details are displayed.
3. Specify the following parameters:
   - IP address: the IP address of the CALEA server.
   - Encapsulation type: the current release of AOS-W Instant supports GRE only. GRE carries the intercepted traffic without encryption, so the path to the CALEA server needs to be protected by other means.
   - GRE type: the GRE type.
   - MTU: the maximum transmission unit (MTU) size, within the range 68-1500. After GRE encapsulation, if the packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1500.
4. Click OK.

In the CLI:
(Instant Access Point)(config)# calea
(Instant Access Point)(calea)# ip <IP-address>
(Instant Access Point)(calea)# ip mtu <size>
(Instant Access Point)(calea)# encapsulation-type gre
(Instant Access Point)(calea)# gre-type <type>
(Instant Access Point)(calea)# end
(Instant Access Point)# commit apply

Creating an Access Rule for CALEA

You can create an access rule for CALEA by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI:
To create an access rule:
1. To add the CALEA access rule to an existing profile, select an existing wireless profile (Networks tab, edit) or wired profile (More > Wired > Edit). To add the access rule to a new profile, click New under the Network tab and create a WLAN profile, or click More > Wired > New and create a wired port profile.
2. In the Access tab, select the role for which you want to create the access rule.
3. Under Access Rules, click New. The New Rule window is displayed.
ALE requires the AP placement data to be able to calculate the location of the devices in a network.

ALE with AOS-W Instant
The AOS-W Instant 6.3.1.1-4.0 release supports the Analytics and Location Engine (ALE). The ALE server acts as the primary interface to all third-party applications, and the OAW-IAP sends client information and all status information to the ALE server.

To integrate an OAW-IAP with ALE, the ALE server address must be configured on the OAW-IAP. If the ALE server is configured with a host name, the Virtual Controller performs mutual certificate-based authentication with the ALE server before sending any information.

OAW-IAP92 and OAW-IAP93 do not support ALE integration.

Enabling ALE Support on an OAW-IAP
You can configure an OAW-IAP for ALE support using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click More > Services. The Services window is displayed.
2. Click the RTLS tab. The tab details are displayed.
3. Select the Analytics & Location Engine checkbox.

Figure 102 Services Window: ALE Integration (screenshot of the Services window, RTLS tab, showing the Aruba RTLS, Analytics & Location Engine (Server, Report interval) and 3rd party / Aeroscout settings)

4. Specify the ALE server name or IP address.
5. Specify the reporting interval within the range of 6-60 seconds. The OAW-IAP sends me
AOS-W Instant 6.3.1.1-4.0 Alcatel-Lucent User Guide

Copyright 2013 Alcatel-Lucent. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA.

AOS-W, Alcatel 4302, Alcatel 4304, Alcatel 4306, Alcatel 4308, Alcatel 4324, Alcatel 4504, Alcatel 4604, Alcatel 4704, Alcatel 6000, OAW-AP41, OAW-AP68, OAW-AP60/61/65, OAW-AP70, OAW-AP80, OAW-AP92/93, OAW-AP105, OAW-AP120/121, OAW-AP124/125, OAW-AP175, OAW-IAP92/93/105, OAW-RAP2, OAW-RAP5, and Omnivista 3600 Air Manager are trademarks of Alcatel-Lucent in the United States and certain other countries. Any other trademarks appearing in this manual are the property of their respective companies. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg et al.

Legal Notice
The use of Alcatel-Lucent switching platforms and software by all individuals or corporations to terminate Cisco or Nortel VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Alcatel-Lucent from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of Cisco Systems or Nortel Networks.

0511472-01 | November 2013

Contents
About this
Description: AOS-W Instant AP

Figure 90 AOS-W Instant and DHCP options for Omnivista: Predefined Options and Values (screenshot of the Windows Server Manager DHCP console; the option being defined has Code 60, Name "Aruba Instant", Data type String, and Description "Aruba Instant AP")

5. Navigate to Server Manager and select Server Options in the IPv4 window. This sets the value globally. Use options on a per-scope basis to override the global options.
6. Right-click Server Options and select the configuration options.

Figure 91 AOS-W Instant and DHCP options for Omnivista: Server Options (screenshot of the Server Manager DHCP console for server rde-server.rde.arubanetworks.com with its IPv4 scopes, for example [10.169.131.0] 131 through [10.169.159.0] 159, expanded)
Dynamic WEP with 802.1X
4. If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled.
5. To terminate the EAP portion of 802.1X authentication on the OAW-IAP instead of on the RADIUS server, set Termination to Enabled. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the AP acts as a relay for this exchange. When Termination is enabled, the OAW-IAP itself acts as the authentication server and terminates the outer layers of the EAP protocol, relaying only the innermost layer to the external RADIUS server. The client then validates the OAW-IAP's server certificate rather than the RADIUS server's, so the OAW-IAP needs a certificate the clients trust.
6. Specify the type of authentication server to use and configure the other required parameters. For more information on configuration parameters, see Configuring Security Settings for a WLAN SSID Profile on page 90.
7. Click Next to define access rules, and then click Finish to apply the changes.

In the CLI
To configure 802.1X authentication for a wireless network:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# type {<Employee>|<Voice>}
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}
(Instant Access Point)(SSID Profile <name>)# leap-use
Figure 11 Detection (screenshot of the IDS window, Intrusion Detection pane; the custom-settings lists show the following options)
Infrastructure detection, custom settings: detect-ap-spoofing, detect-windows-bridge, signature-deauth-broadcast, signature-deassociation-broadcast, detect-adhoc-using-valid-ssid, detect-malformed-large-duration
Client detection, custom settings: detect-valid-clientmisassociation, detect-disconnect-sta, detect-omerta-attack, detect-fatajack, detect-block-ack-attack, detect-hotspotter-attack

IDS Window, Intrusion Protection
Protection: Specify What Threats to Protect
Infrastructure (High / Low / Off), custom settings: protect-ssid, rogue-containment, protect-adhoc-network, protect-ap-impersonation
Clients (High / Low / Off), custom settings: protect-valid-sta, protect-windows-bridge
Show advanced options

For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs on page 221.

Wired
The Wired window allows you to configure a wired network profile. See Wired Profiles on page 102 for more information. The following figure shows the Wired window.

Figure 12 Wired Window (screenshot of the Wired Networks list)
Figure 29 Configuring OAW-IAP Settings (screenshot of the Edit Access Point window for AP d8:c7:c8:c4:00:ef, General tab: Name, Preferred master (Disabled), and IP address for Access Point with the options Get IP address from DHCP server and Specify statically)

3. Select either the Get IP address from DHCP server or the Specify statically option. If you have selected the Specify statically option, perform the following steps:
   a. Enter the new IP address for the OAW-IAP in the IP address text box.
   b. Enter the subnet mask of the network in the Netmask text box.
   c. Enter the IP address of the default gateway in the Default gateway text box.
   d. Enter the IP address of the DNS server in the DNS server text box.
   e. Enter the domain name in the Domain name text box.
4. Click OK and reboot the OAW-IAP.

In the CLI
To configure the IP address:
(Instant Access Point)# ip-address <IP-address> <subnet-mask> <NextHop-IP> <DNS-IP-address> <domain-name>

Modifying the OAW-IAP Name
You can change the name of an OAW-IAP by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. In the Access Points tab, click the OAW-IAP you want to rename. The edit link is displayed.
2. Click the edit link. The edit window for modifying OAW-IAP details is displayed.
3. Edit the OAW-IAP name in the Name text box.
4. Click OK.

In the CLI
To change the name:
(Instan
Info section in the Access Point view: The Info section in the Access Point view displays the following information.
Name: Displays the name of the selected OAW-IAP.
IP Address: Displays the IP address of the OAW-IAP.
Mode: Displays the mode in which the AP is configured to operate. In Access mode, the OAW-IAP serves clients while also monitoring for rogue APs in the background. In Monitor mode, the OAW-IAP acts as a dedicated monitor, scanning all channels for rogue APs and clients.

Table 7 Contents of the Info Section in the AOS-W Instant Main Window (continued)
Spectrum: Displays the status of the spectrum monitor.
Clients: Number of clients associated with the OAW-IAP.
Type: Displays the model number of the OAW-IAP.
CPU Utilization: Displays the CPU utilization in percentage.
Memory Free: Displays the memory availability of the OAW-IAP in MB.
Serial number: Displays the serial number of the OAW-IAP.
From Port: Displays the port from which the slave OAW-IAP is learned in hierarchy mode.

RF Dashboard
The RF Dashboard section lists the OAW-IAPs that exceed the utilization, noise, or error threshold. It also shows the clients with low speed or signal strength in the network and the RF information for the OAW-IAP to which the client is connected. The OAW-IAP names are displayed as links. When an OAW-IAP is clicked, the
The Speed graph shows the data transfer speed for the client. Data transfer is measured in Mbps. To see an enlarged view, click the graph. The enlarged view shows the Last, Minimum, Maximum, and Average statistics of the client for the last 15 minutes. To see the exact speed at a particular time, move the cursor over the graph line.

The Throughput graph shows the throughput of the selected client for the last 15 minutes:
- Outgoing traffic: Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
- Incoming traffic: Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line.
To see an enlarged view, click the graph. The enlarged view shows the Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the client for the last 15 minutes. To see the exact throughput at a particular time, move the cursor over the graph line.

Monitoring Procedure
To monitor the In and Out frame rate per second and the retry frames for the In and Out traffic for the last 15 minutes:
1. Log in to the AOS-W Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the frames. The client view is displayed.
3. Study the Frames graph in the RF Trends pane. For example, the graph shows 4.0 frames per second for the client at
User Guide
Understanding Encryption Types ... 141
  WPA and WPA2 ... 141
  Recommended Authentication and Encryption Combinations ... 141
Understanding Authentication Survivability ... 142
Configuring Authentication Servers ... 144
  Configuring an External Server for Authentication ... 144
    In the AOS-W Instant UI ... 144
    In the CLI ... 147
  Configuring Dynamic RADIUS Proxy Parameters ... 148
    Enabling Dynamic RADIUS Proxy ... 148
      In the AOS-W Instant UI ... 148
      In the CLI ... 149
    Configuring Dynamic RADIUS Proxy Parameters for Authentication Servers ... 149
      In the AOS-W Instant UI ... 149
      In the CLI ... 149
    Associate the Authentication Servers with an SSID or Wired Profile ... 149
      In the CLI ... 150
  Configuring Authentication Parameters for Virtual Controller Management Interface ... 150
    In the AOS-W Instant UI ... 150
    In the CLI ... 151
Configuring 802.1X Authentication for a Network
4. Click OK.
5. Click Finish.

In the CLI
(Instant Access Point)(config)# routing-profile
(Instant Access Point)(Routing-profile)# route <destination> <mask> <gateway>
(Instant Access Point)(Routing-profile)# end
(Instant Access Point)# commit apply

Chapter 23 IAP-VPN Configuration
Alcatel-Lucent switches provide the ability to terminate IPSec and GRE VPN tunnels from the OAW-IAP and provide corporate connectivity to the branch network. This section describes the following topics:
- Overview on page 252
- VPN Configuration on page 255
- Viewing Branch Status on page 256

Overview
This section provides a brief summary of the features supported by the switches to allow VPN termination from an OAW-IAP.

Termination of IPSec and GRE VPN Tunnels
OAW-IAPs can terminate VPN tunnels on switches. The OAW-IAP cluster creates an IPSec or GRE VPN tunnel from the Virtual Controller to an OmniAccess WLAN Switch in your corporate office. The switch acts only as an IPSec or GRE VPN endpoint; it does not configure the OAW-IAP. Note that a plain GRE tunnel carries branch traffic without encryption or integrity protection; only the IPSec option protects it on an untrusted transport. For more information on how to create an IPSec or GRE VPN tunnel, see VPN Configuration on page 239.

L2/L3 Forwarding Modes
The Virtual Controller enables different DHCP pools (various assignment modes) in addition to allocating IP subnets for e
- Wired containment: When enabled, AOS-W Instant Access Points generate ARP packets on the wired network to contain wireless attacks.
- Wireless containment: When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.
  None: Disables all the containment mechanisms.
  Deauthenticate only: With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.
  Tarpit containment: With tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.

Containment actively disrupts the devices it targets, so an AP that was misclassified as a rogue (for example, a neighbour's AP) is disrupted too; confirm the classification before enabling automatic containment.

Figure 75 Containment Methods (screenshot of the Wireless Intrusion Protection (WIP) Protection pane: Infrastructure High/Low/Off with custom settings protect-ssid, rogue-containment, protect-adhoc-network, protect-ap-impersonation; Clients High/Low/Off with custom settings protect-valid-sta, protect-windows-bridge; Containment Methods: Wired containment, Wireless containment with the choices Deauthenticate only, Tarpit invalid stations, Tarpit all stations; Restore defaults; "The default containment settings are recommended")

Configuring IDS Using CLI
To configure IDS using the CLI:
(Instant Access Point)(config)# ids
(Instant Access Point)(IDS)#
(Instant Access Point)(config)# deny-inter-user-bridging
(Instant Access Point)(config)# deny-local-routing
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring Uplink VLAN for an OAW-IAP
Instant supports a management VLAN for the uplink traffic on an OAW-IAP. After an OAW-IAP is provisioned with the uplink management VLAN, all management traffic sent from the OAW-IAP is tagged with the management VLAN. You can configure the uplink management VLAN on an OAW-IAP by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure the uplink management VLAN:
1. In the Access Points tab, click the OAW-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying OAW-IAP details is displayed.
3. Click the Uplink tab.
4. Specify the VLAN in the Uplink Management VLAN field.
5. Click OK.

In the CLI
To configure the uplink VLAN:
(Instant Access Point)# uplink-vlan <VLAN-ID>
To view the uplink VLAN status:
(Instant Access Point)# show uplink-vlan
Uplink Vlan Current     :0
Uplink Vlan Provisioned :1
The Current and Provisioned values differ, as in this output, until the OAW-IAP restarts with the newly provisioned VLAN.

Configuring an NTP Server
To facilitate communication between the various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
- Trace and track security gaps, network usage, and troubleshoot network issues.
- Map an event on one network element to a co
- OAW-IAP175P/175AC
- OAW-RAP3WN/3WNP
- OAW-RAP108
- OAW-RAP109
- OAW-RAP155/155P
- OAW-IAP224
- OAW-IAP225

All OAW-IAPs support an unlimited number of OAW-IAPs in a network. In a network comprising OAW-IAP92 and OAW-IAP93 units, an AP can support up to 16 OAW-IAPs only.

All OAW-IAPs except the OAW-IAP224, OAW-IAP225, OAW-IAP114, and OAW-IAP115 are available as the following variants:
- OAW-IAP-US (United States)
- OAW-IAP-JP (Japan)
- OAW-IAP-IL (Israel)
- OAW-IAP-RW (Rest of World)

The OAW-IAP224, OAW-IAP225, OAW-IAP114, and OAW-IAP115 are available as the following variants:
- OAW-IAP-US (United States)
- OAW-IAP-RW (the RW variant also includes the IL and JP variants)

For information on regulatory domains and the list of countries supported by the OAW-IAP-RW type, see Regulatory Domain on page 322 and Country Codes List on page 322.

AOS-W Instant UI
The AOS-W Instant User Interface (UI) provides a standard web-based interface that allows you to configure and monitor a Wi-Fi network. AOS-W Instant is accessible through a standard web browser from a remote management console or workstation and can be launched using the following browsers:
- Internet Explorer 10 or lower
- Safari 6.0 or later
- Google Chrome 23.0.1271.95 or later
- Mozilla Firefox 17.0 or later

To view the AOS-W Instant UI, ensure that JavaScript is enabled on the web browser. For more information on AOS-W In
(Screenshot residue of the Omnivista Air Manager dashboard: counters Mismatched 3, Rogue 122, Clients 0, Alerts 0; tabs APs/Devices, Clients, Reports, System, Device Setup, AMP Setup, RAPIDS, VisualRF; group "store4", polled for up/down status every 5 minutes; current AMP time March 20, 2012, 3:21 pm PDT; usage and VPN session graphs)

Chapter 25 AirGroup Configuration
This chapter provides the following information:
- AirGroup Overview on page 268
- AirGroup with AOS-W Instant on page 269
- Configuring AirGroup and AirGroup Services on an OAW-IAP on page 273
- Configuring AirGroup and CPPM interface in AOS-W Instant on page 275

AirGroup Overview
AirGroup is a unique enterprise-class capability that leverages zero-configuration networking to enable Bonjour services such as Apple AirPrint and AirPlay from mobile devices in an efficient manner. Apple AirPlay and
3. Click Edit. The Edit Wired Network window is displayed.
4. In the Wired Settings tab, select Enabled from the Content Filtering drop-down list and click Next to continue.

In the CLI
To enable content filtering for a wired profile:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# content-filtering
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply

Configuring Enterprise Domains
The enterprise domain names list displays the DNS domain names that are valid on the enterprise network. This list is used to determine how client DNS requests should be routed. When Content Filtering is enabled, the DNS requests of the clients are verified, and queries for domain names that do not match the names in the list are sent to the OpenDNS server. Because the list is the only thing that keeps a query internal, every internal zone must be on it; a query for an internal name the list does not cover is sent to the external server.

You can configure an enterprise domain using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To manually add a domain:
1. Navigate to System > General, click Show advanced options > Enterprise Domains. The Enterprise Domains tab contents are displayed.
2. Click New and enter a new domain name.
3. Click OK to apply the changes.
To delete a domain, select the domain and click Delete to remove the domain name from the list.

In the CLI
To configure an enterprise domain:
(Instant Access Point)(config)# internal-domains
(Instant Access Point)(domain)# domain-name <name>
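The decision the enterprise domain list drives is a suffix match on the queried name, and the edge cases (case, a trailing dot, a name that merely ends in the same letters as a listed domain) decide whether a query stays internal or goes to the filtering resolver. The following Python model is an added example, not code from this user guide or from AOS-W Instant; the domain list and the internal resolver address are constructed for the example, and 208.67.222.222 is OpenDNS's public resolver.

```python
# Added example (not AOS-W Instant code): routing a client DNS query by the
# enterprise-domain list when content filtering is enabled. Domains and the
# internal resolver are constructed; 208.67.222.222 is OpenDNS's public resolver.
from typing import Iterable, Tuple

ENTERPRISE_DOMAINS = ["corp.example", "intranet.example.com"]   # constructed list
INTERNAL_RESOLVER = "10.0.0.53"        # assumed: resolver the client's VLAN normally uses
FILTERING_RESOLVER = "208.67.222.222"  # OpenDNS public resolver


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Corp.Example.' equals 'corp.example'."""
    return name.strip().rstrip(".").lower()


def is_enterprise_name(qname: str, domains: Iterable[str]) -> bool:
    """True when qname equals a listed domain or is a subdomain of one.

    Matching on a label boundary ('.' + domain) keeps 'notcorp.example' from
    matching 'corp.example'.
    """
    q = normalize(qname)
    for d in domains:
        d = normalize(d)
        if d and (q == d or q.endswith("." + d)):
            return True
    return False


def route_query(qname: str, domains: Iterable[str] = ENTERPRISE_DOMAINS,
                content_filtering: bool = True) -> Tuple[str, str]:
    """Return (resolver address, reason) for one client query."""
    if not content_filtering:
        return INTERNAL_RESOLVER, "content filtering disabled"
    if is_enterprise_name(qname, domains):
        return INTERNAL_RESOLVER, "enterprise domain"
    return FILTERING_RESOLVER, "not in enterprise domain list"


if __name__ == "__main__":
    for name in ["mail.corp.example", "notcorp.example", "www.example.com"]:
        print(name, "->", route_query(name))
```

A quick way to audit a deployment is to run the internal zone names from the DNS server through is_enterprise_name and look for any that come back False.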
(Sample output continues: each branch row lists its assigned subnets, for example 10.15.205.0-10.15.205.250 and 10.15.206.1-10.15.206.252, each with a client count of 5, together with the branch's Virtual Controller MAC, for example ...b3:c6:5c.)

The output of this command provides the following information.

Table 52 Branch Details
Branch name: Displays the name of the branch.
Virtual Controller MAC: Displays the MAC address of the Virtual Controller of the branch.
Status: Displays the current status of the branch (UP/DOWN).
Internal VPN IP: Displays the internal VPN IP of the branch.
Assigned Subnet: Displays the subnet mask assigned to the branch.
Assigned Vlan: Displays the VLAN ID assigned to the branch.
Key: Displays the key for the branch, which is unique to each branch.
Bid(Subnet Name): Displays the Branch ID (BID) of the subnet.

In the example above, the switch displays a BID per subnet per branch; for example, for the LA branch, BID 2 for the IP range 10.15.205.0-10.15.205.250 with a client count of 5. If a branch has multiple subnets, it can have multiple BIDs. Branches that are in the UP state and do not have a Bid(Subnet Name) value indicate that the OAW-IAP is connected to a switch that did not assign any BID for any subnet. In the above example, the Paris-CB:D3:16 branch is UP and does not have Bid(Subnet Name) information. This means that either the OAW-IAP is connected to a backup switch or conne
Click Next to move to the next tab.
Click Finish to save the modifications.

Deleting a WLAN SSID Profile
To delete a WLAN SSID profile:
1. In the Networks tab, click the network which you want to delete. An x link is displayed against the network to be deleted.
2. Click x. A delete confirmation window is displayed.
3. Click Delete Now.

Chapter 10 Wired Profiles
This chapter describes the following procedures:
- Configuring a Wired Profile on page 102
- Assigning a Profile to Ethernet Ports on page 108
- Understanding Hierarchical Deployment on page 107
- Configuring Wired Bridging on Ethernet 0 on page 107
- Editing a Wired Profile on page 108
- Deleting a Wired Profile on page 109

Configuring a Wired Profile
The wired profile configuration for an employee network involves the following procedures:
1. Configuring Wired Settings on page 102
2. Configuring VLAN for a Wired Profile on page 103
3. Configuring Security Settings for a Wired Profile on page 104
4. Configuring Access Rules for a Wired Profile on page 105
For information on creating a wired profile for a guest network, see Captive Portal for Guest Access.

Configuring Wired Settings
You can configure wired settings for a wired profile by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click the Wired link under More at the top right corner of the AOS-W Instant main wind
Configuring WLAN Settings for an SSID Profile
You can configure WLAN settings using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure WLAN settings:
1. In the Networks tab of the AOS-W Instant main window, click the New link. The New WLAN window is displayed. The following figure shows the contents of the WLAN Settings tab.

Figure 32 WLAN Settings Tab (screenshot of the New WLAN window, WLAN Settings tab. Name & Usage: Name (SSID) "ExampleNetwork1"; Primary usage: Employee, Voice, Guest. Broadcast/Multicast: Broadcast filtering (Disabled), DTIM interval (1 beacon), Multicast transmission optimization (Disabled), Dynamic multicast optimization (Disabled), DMO channel utilization threshold. Bandwidth Limits: Airtime, Each radio, Downstream (kbps), Upstream (kbps), Per user; Background, Best effort, Video and Voice WMM share. Miscellaneous: Content filtering (Disabled), Band (All), Inactivity timeout (1000 secs), Hide SSID, Disable SSID, Can be used without uplink, Max clients threshold, Local probe request threshold. Transmit Rates: 2.4 GHz Min 1 / Max, 5 GHz Min 6 / Max 54.)

2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
3. Based on the type of network profile, select any of the following options under Primary usage:
   - Employee
   - Voice
   - Guest
4. Click the Show advanced options link. The advanced options for c
(Figure residue of the Firewall Settings window: Drop bad ARP Enabled, Fix malformed DHCP Enabled, ARP poison check Disabled; application layer gateway settings Vocera Enabled, Alcatel NOE Enabled, Cisco Skinny Enabled; Inbound Firewall Configuration: Management Subnets (Subnet, Mask), Add new management subnet, Restrict Corporate Access Enabled; Delete All, OK, Cancel)

4. Click OK.

In the CLI
To configure firewall settings to prevent attacks:
(Instant Access Point)(config)# attack
(Instant Access Point)(ATTACK)# drop-bad-arp-enable
(Instant Access Point)(ATTACK)# fix-dhcp-enable
(Instant Access Point)(ATTACK)# poison-check-enable
(Instant Access Point)(ATTACK)# end
(Instant Access Point)# commit apply

To view the configuration status:
(Instant Access Point)# show attack config
Current Attack
--------------
drop-bad-arp  Enabled
fix-dhcp      Enabled
poison-check  Enabled

To view the attack statistics:
(Instant Access Point)# show attack stats
attack counters
---------------
arp packet counter
drop bad arp packet counter
dhcp response packet counter
fixed bad dhcp packet counter
send arp attack alert counter
send dhcp attack alert counter
arp poison check counter
garp send check counter

Managing Inbound Traffic
Instant now supports an enhanced inbound firewall by allowing the configuration of management subnets and restricting corporate
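What "Drop bad ARP" and "ARP poison check" amount to on the wire is easiest to see against raw frames: the first drops ARP whose sender hardware address disagrees with the Ethernet source (or is not a unicast address), the second drops ARP that claims an IP address bound to a different MAC. The Python below is an added example, not code from this user guide or from AOS-W Instant. It builds Ethernet/ARP frames itself so it runs offline; the binding table, MAC and IP addresses are constructed, and real OAW-IAPs learn the bindings from the DHCP exchanges they forward.

```python
# Added example (not AOS-W Instant code): a "drop bad ARP" and "ARP poison
# check" inspection over raw Ethernet/ARP frames. The binding table and all
# addresses below are constructed for the example.
import struct
from typing import Dict, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(eth_src: str, op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Ethernet II header followed by a 28-byte Ethernet/IPv4 ARP body."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def inspect_arp(frame: bytes, bindings: Dict[str, str]) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason). bindings maps client IP -> MAC."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return "drop", "bad-arp: not an Ethernet ARP frame"
    eth_src = frame[6:12]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "drop", "bad-arp: unsupported hardware/protocol type"
    if op not in (ARP_REQUEST, ARP_REPLY):
        return "drop", "bad-arp: unknown opcode"
    sha, spa = frame[22:28], frame[28:32]
    # Bad ARP: the ARP sender hardware address must be the frame's own source MAC
    # and must be a unicast address.
    if sha != eth_src:
        return "drop", "bad-arp: sender MAC differs from Ethernet source MAC"
    if sha[0] & 1:
        return "drop", "bad-arp: broadcast/multicast sender MAC"
    # Poison check: a known client IP may only be claimed by the MAC it is bound to.
    bound = bindings.get(ip_str(spa))
    if bound is not None and mac_bytes(bound) != sha:
        return "drop", f"arp-poison: {ip_str(spa)} is bound to {bound}, claimed by {mac_str(sha)}"
    return "forward", "ok"


# Constructed binding table, as it would be learned from DHCP: IP -> MAC.
BINDINGS = {
    "10.10.1.20": "02:00:00:00:00:20",
    "10.10.1.1": "02:00:00:00:00:01",   # default gateway
}

if __name__ == "__main__":
    spoof = build_arp("02:00:00:00:00:66", ARP_REPLY, "02:00:00:00:00:66", "10.10.1.1",
                      "02:00:00:00:00:20", "10.10.1.20")
    print(inspect_arp(spoof, BINDINGS))
```

The poison check only helps for addresses the AP has a binding for; an IP the AP never saw handed out by DHCP is forwarded unchallenged, which is why the unknown-sender case below is "forward".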
Enterprise, Personal, and Open security levels.
4. Click Next to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 95.

In the CLI
To configure enterprise security settings for the employee and voice users of a WLAN SSID profile:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa2-aes|wpa-psk-tkip|wpa2-psk-aes|dynamic-wep}
(Instant Access Point)(SSID Profile <name>)# leap-use-session-key
(Instant Access Point)(SSID Profile <name>)# termination
(Instant Access Point)(SSID Profile <name>)# auth-server <server-name>
(Instant Access Point)(SSID Profile <name>)# external-server
(Instant Access Point)(SSID Profile <name>)# server-load-balancing
(Instant Access Point)(SSID Profile <name>)# radius-accounting-mode {user-authentication|user-association}
(Instant Access Point)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant Access Point)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant Access Point)(SSID Profile <name>)# max-authentication-failures <number>

The dynamic-wep and TKIP modes are offered for legacy clients only; WEP and TKIP are broken ciphers, so use wpa2-aes unless a specific client fleet cannot.
Figure 67 Device List (screenshot of the Spectrum view for AP 00:24:6c:c8:ad:e2, with Non-WiFi Device List tables for 5 GHz upper and 2.4 GHz. The 2.4 GHz table shows one row: Type Cordless Network FH, CFreq 2444000 KHz, Bandwidth 80000 KHz, Channels affected 1-14, Signal -75 dBm, Duty cycle 5, Add time 2000-01-01 00:05:27, Update time 2000-01-01 00:27:45.)

Device Summary and Channel Information shows the details of the information that is displayed.

Table 34 Device Summary and Channel Information
Type: Device type. This parameter can be any of the following: audio FF (fixed frequency), bluetooth, cordless base FH (frequency hopper), cordless phone FF (fixed frequency), cordless network FH (frequency hopper), generic FF (fixed frequency), generic FH (frequency hopper), generic interferer, microwave, microwave inverter, video, xbox. NOTE: For additional details about the non-Wi-Fi device types shown in this table, see Non-Wi-Fi Interferer Types.
ID: ID number assigned to the device by the spectrum monitor or hybrid AP radio. Spectrum monitors and hybrid APs assign a unique spectrum ID per device type.
CFreq: Center frequency of the signal sent from the device.
Bandwidth: Channel bandwidth used by the device.
Channels affected: Radio channels affected by the wireless device.
Signal strength: Strength of the signal sent from the de
For PEF rule blacklisted time, enter the duration in seconds for which clients remain blacklisted after an ACL rule trigger.

You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted. For more information on configuring maximum authentication failure attempts, see Configuring Security Settings for a WLAN SSID Profile on page 90.

NOTE: To enable session firewall-based blacklisting, click New, navigate through WLAN Settings > VLAN > Security to the Access window, and enable the Blacklist option of the corresponding ACL rule.

In the CLI
To dynamically blacklist clients:
(Instant Access Point)(config)# auth-failure-blacklist-time <seconds>
(Instant Access Point)(config)# blacklist-time <seconds>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To view the blacklisted clients:
(Instant Access Point)# show blacklist-client config
Blacklist Time              :60
Auth Failure Blacklist Time :60
Manually Blacklisted Clients
----------------------------
MAC  Reason  Timestamp  Remaining time(sec)  AP IP
Dyn Blacklist Count :0

Uploading Certificates
A certificate is a digital file that certifies the identity of the organization or the products of the organization. It is also used to establish your credentials for any web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate holder's public key, and the digital signature of the c
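The interplay of the three settings on this page (the per-SSID maximum authentication failures, auth-failure-blacklist-time and blacklist-time for ACL triggers) together with the permanent manual blacklist described earlier is easier to reason about as a small state machine. The Python below is an added example, not code from this user guide or from AOS-W Instant; the parameter names follow the CLI keywords on this page, while the failure limit of 3, the clock values and the MAC addresses are assumptions for the example.

```python
# Added example (not AOS-W Instant code): a model of manual and dynamic client
# blacklisting with the timers configured on this page. Limits, clock values
# and MAC addresses are assumptions for illustration.
from typing import Dict, Optional, Tuple


class ClientBlacklist:
    def __init__(self, max_auth_failures: int = 3,
                 auth_failure_blacklist_time: int = 60,
                 blacklist_time: int = 60) -> None:
        self.max_auth_failures = max_auth_failures                        # per-SSID limit (assumed 3)
        self.auth_failure_blacklist_time = auth_failure_blacklist_time    # seconds, after auth failures
        self.blacklist_time = blacklist_time                              # seconds, after an ACL (PEF) trigger
        self._failures: Dict[str, int] = {}
        # mac -> (expiry time, or None for a permanent manual entry; reason)
        self._entries: Dict[str, Tuple[Optional[float], str]] = {}

    def _expire(self, now: float) -> None:
        """Drop dynamic entries whose time has run out; manual entries never expire."""
        for mac, (expiry, _) in list(self._entries.items()):
            if expiry is not None and now >= expiry:
                del self._entries[mac]

    def is_blacklisted(self, mac: str, now: float) -> bool:
        self._expire(now)
        return mac in self._entries

    def reason(self, mac: str, now: float) -> Optional[str]:
        self._expire(now)
        return self._entries.get(mac, (None, None))[1]

    def manual_add(self, mac: str) -> None:
        """Manual blacklist: permanent until an administrator deletes it."""
        self._entries[mac] = (None, "manual")

    def manual_delete(self, mac: str) -> None:
        self._entries.pop(mac, None)

    def auth_failure(self, mac: str, now: float) -> bool:
        """Record a failed authentication; returns True once the client is blacklisted.

        A blacklisted client is deauthenticated, so further failures are not counted.
        """
        if self.is_blacklisted(mac, now):
            return True
        count = self._failures.get(mac, 0) + 1
        if count >= self.max_auth_failures:
            self._failures.pop(mac, None)           # counter restarts after the entry expires
            self._entries[mac] = (now + self.auth_failure_blacklist_time, "auth-failure")
            return True
        self._failures[mac] = count
        return False

    def auth_success(self, mac: str) -> None:
        self._failures.pop(mac, None)

    def acl_trigger(self, mac: str, now: float) -> None:
        """An access rule with the Blacklist option fired for this client."""
        if self._entries.get(mac, (0, ""))[0] is None:  # never shorten a permanent entry
            return
        self._entries[mac] = (now + self.blacklist_time, "acl-rule")


if __name__ == "__main__":
    bl = ClientBlacklist()
    for t in (0.0, 1.0, 2.0):
        print("auth failure at", t, "->", bl.auth_failure("aa:bb:cc:00:00:01", t))
    print("still blacklisted at 61s:", bl.is_blacklisted("aa:bb:cc:00:00:01", 61.0))
```

Note that a configured time of 60 seconds only slows a password-guessing client down to the configured limit per minute; it does not stop the attempts, so pair it with monitoring of the auth-failure reason in show blacklist-client.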
(Output residue of the ARM channel status tables: the 2.4 GHz channel list with per-channel enable/disable status, followed by the 5 GHz channel list, for example 36 enable, 40 enable, 44 enable, 48 enable, 52 enable, 56 enable, 60 enable, 64 enable, 149 enable, 153 enable, 157 enable, 161 enable, 165 enable; 40 MHz channels 36+ enable, 44+ enable, 52+ disable, 60+ disable, 149+ enable, 157+ enable; 80 MHz channels 36E enable, 52E enable, 149E enable.)

(Instant Access Point)(ARM)# air-time-fairness-mode {<Default-Access>|<Fair-Access>|<Preferred-Access>}
(Instant Access Point)(ARM)# client-aware
(Instant Access Point)(ARM)# wide-bands {<5GHz>|<2GHz>|<All>|<None>}
(Instant Access Point)(ARM)# scanning
(Instant Access Point)(ARM)# client-match calc-interval <seconds>
(Instant Access Point)(ARM)# client-match calc-threshold <threshold>
(Instant Access Point)(ARM)# client-match nb-matching <percentage>
(Instant Access Point)(ARM)# client-match slb-mode 1
(Instant Access Point)(ARM)# 80mhz-support
(Instant Access Point)(ARM)# end
(Instant Access Point)# commit apply

(Instant Access Point)# show arm config
(Output residue: Minimum Transmit Power 18, Maximum Transmit Power 127, Band Steering Mode prefer-5ghz, Client Aware enable, Scanning enable, Wide Channel Bands 5ghz, 80MHz Support enable, Air Time Fairness Mode fair-access, client match disable, calc-interval 230, followed by the client-match threshold, nb-matching and slb-mode (Channel based) values and the channel status tables)

Configuring Radio Settings for an OAW-IAP
You can configure 2.4 GHz and 5 GHz radio settings for an OAW-IAP using either the AOS-W Instant UI or the CLI.

In the AOS-W Instant UI
To configure radio settings:
1. Click the RF link at the top right corner of the AOS-W Instant main window.
2. Click Show advanced options. The advanced options are displayed.
3. Click the Radio
Last seen: Displays the time when the foreign client was last detected in the network.
Where: Provides information about the OAW-IAP that detected the foreign client. Click the pushpin icon to view the information.

The following figure shows an example of the intrusion detection log.

Figure 26 Intrusion Detection (screenshot of the IDS view for "instant-rp", with the Foreign Access Points Detected and Foreign Clients Detected tables)

For more information on the intrusion detection feature, see Intrusion Detection on page 221.

Configuration
The Configuration link provides an overall view of your Virtual Controller configuration. The following figure shows the Virtual Controller configuration details displayed on clicking the Configuration link.

Figure 27 Configuration Link (screenshot of the Virtual Controller Configuration page, System > General tab, with the tabs System, RF, Security, VPN, IDS, Wired, Services and the sub-tabs General, Admin, DHCP, Uplink, L3 Mobility, Enterprise Domains, Monitoring, WISPr. Basic: Name Instant Controller, Virtual Controller IP 0.0.0.0, Virtual Controller Netmask 0.0.0.0, Virtual Controller Gateway 0.0.0.0, Virtual Controller VLAN 0, Dynamic RADIUS proxy Disabled, Mobility Access Switch integration Disabled, NTP server (blank), Preferred band All, Timezone None. Advanced: Auto join mode Enabled, Terminal access Enabled, LED display Enabled, Extended SSID Disabled, Deny inter user bridging Disabled, Deny local routing Disabled.)
- {n,}: Matches the declared element at least n times. For example, {2,}ink matches downlink but not uplink.
- {n}: Where n is an integer. Matches the declared element exactly n times. For example, {2}link matches uplink but not downlink.

For information on how to use regular expressions in role and VLAN derivation rules, see the following topics:
- Configuring VLAN Derivation Rules on page 182
- Creating a Role Derivation Rule on page 179

Configuring a User Role for VLAN Derivation

This section describes the following procedures:
- Creating a User VLAN Role on page 185
- Assigning User VLAN Roles to a Network Profile on page 185

Creating a User VLAN Role

You can create a user role for VLAN derivation using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI

To configure a user role for VLAN derivation:
1. Click the Security link at the top right corner of the AOS-W Instant main window.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.
5. Under Access rules, click New.
6. Select the Rule type as VLAN assignment.
7. Enter the ID of the VLAN in the VLAN ID text box.
8. Click OK.

In the CLI

To create a VLAN role:

    (Instant Access Point)(config)# wlan access-rule <rule-name>
    (Instant Access Point)(Access Rule <rule-name>)# vlan 200
    (Instant Access Point)(Access Rule <rule-name>)# end
    (Instant Access Point)# commit apply
[Screenshot: New WLAN window, Security tab, with the Security Level slider set to Personal; fields shown are Key management WPA-2 Personal, 802.11r roaming Disabled, Passphrase format 8-63 chars, Passphrase, Retype, MAC authentication Enabled, Authentication server 1 InternalServer, Reauth interval 0 hrs, Internal server No users, Blacklisting Disabled]

Figure 36 Security Tab: Open [screenshot: New WLAN window, Security tab, with the Security Level slider set to Open; fields shown are Encryption None, MAC authentication Enabled, Authentication server 1 InternalServer, Reauth interval (hrs), Internal server No users, Blacklisting Disabled, 802.11r roaming Disabled]

2. Based on the security level specified, specify the following parameters.

Table 18 Configuration Parameters for WLAN Security Settings

Parameter: Key Management
Description: For the Enterprise security level, select any of the following options from the Key management drop-down list:
- WPA-2 Enterprise
- Both (WPA-2 & WPA)
- WPA Enterprise
- Dynamic WEP with 802.1X. If you do not want to use a session key from the RADIUS Server to derive pair-wise unicast keys, set Sessi
Security Level: Applicable to Enterprise and Personal security levels only. For the Open security level, no
Portal to self register personal (devices): Yes

Table 53 AirGroup Filtering Options

Features | AOS-W Instant Deployment Models
Device owner based policy enforcement | Yes
Location based policy enforcement | Yes
Shared user list based policy enforcement | Yes
Shared role list based policy enforcement | Yes

AirGroup also enables context awareness for services across the network:
- AirGroup is aware of personal devices. For example, an Apple TV in a dorm room can be associated with the student who owns it.
- AirGroup is aware of shared resources. This might be an Apple TV in a meeting room, or a printer in a supply room that is available to certain users, such as the marketing department. Or, in a classroom, teachers can use AirPlay to wirelessly project a laptop screen onto an HDTV monitor using an Apple TV.
- AirGroup is aware of the location of services when CPPM support is enabled. For example, depending on proximity, an iPad would be presented with the closest printer instead of all the printers in the building.
- When configured with AOS-W Instant, AirGroup enables a client to perform a location-based discovery. For example, when a client roams from one AOS-W Instant cluster to another, it can discover devices available in the new cluster to which the client is currently connected.

The following figure shows a higher education environment with shared, local and persona
- Role based: Allows the users to obtain access based on the roles assigned to them.
- Unrestricted: Allows the users to obtain unrestricted access on the port.
- Network based: Allows the users to be authenticated based on access rules specified for a network.

If Role based access control is selected, perform the following steps:
1. Under Roles, select an existing role for which you want to apply the access rules, or click New and add the required role. The list of roles defined for all networks is displayed under Roles.
   NOTE: The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted.
2. Select the access rule associated with a specific role and modify it if required. To add a new access rule, click New in the Access Rules window. You can configure up to 64 access rules. For more information on configuring access rules, see Configuring Access Rules on page 169.
3. Configure rules to assign roles for an authenticated client. You can also configure rules to derive VLANs for the wired network profile. For more information on role assignment rules and VLAN derivation rules, see Configuring Derivation Rules on page 178 and Configuring VLAN Derivation Rules on page 182.
4. Select the Assign pre-authentication role check box to add a pre-authentication role that allows some access to the users before the client authentication.
5. Select the Enforce Machine Authentication check b
- Select CALEA.
- Click OK.
- Create a role assignment rule, if required.
- Click Finish.

In the CLI

To create a CALEA access rule:

    (Instant Access Point)(config)# wlan access-rule <name>
    (Instant Access Point)(Access Rule <name>)# calea
    (Instant Access Point)(Access Rule <name>)# end
    (Instant Access Point)# commit apply

To assign the CALEA rule to a user role:

    (Instant Access Point)(config)# wlan ssid-profile <name>
    (Instant Access Point)(SSID Profile <name>)# set-role <attribute> {{equals | not-equals | starts-with | ends-with | contains} <operator> <role> | value-of}
    (Instant Access Point)(SSID Profile <name>)# end
    (Instant Access Point)# commit apply

To associate the access rule with a wired profile:

    (Instant Access Point)(config)# wired-port-profile <name>
    (Instant Access Point)(wired ap profile <name>)# access-rule-name <name>
    (Instant Access Point)(wired ap profile <name>)# end
    (Instant Access Point)# commit apply

Verifying the configuration

To verify the CALEA configuration:

    (Instant Access Point)# show calea config

To view the tunnel encapsulation statistics:

    (Instant Access Point)# show calea statistics

Example

To enable CALEA integration:

    (Instant Acces
5. Select the Adaptive radio management assigned option under the bands that are applicable to the OAW-IAP configuration.
6. Click OK.

Configuring Radio Profiles Manually for OAW-IAP

To manually configure radio settings:
1. In the Access Points tab, click the AP for which you want to enable ARM. The edit link is displayed.
2. Click the edit link. The Edit Access Point window is displayed.
3. Click the Radio tab.
4. Ensure that an appropriate mode is selected.

By default, the channel and power for an AP are optimized dynamically using Adaptive Radio Management (ARM). You can override ARM on the 2.4 GHz and 5 GHz bands and set the channel and power manually if desired. The following table describes the various configuration modes for an AP.

Table 16 OAW-IAP Radio Modes

Mode | Description
Access | In Access mode, the AP serves clients while also monitoring for rogue APs in the background.
Monitor | In Monitor mode, the AP acts as a dedicated monitor, scanning all channels for rogue APs.
Spectrum Monitor | In Spectrum Monitor mode, the AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from neighboring APs or from non-WiFi devices such as microwaves and cordless phones.

NOTE: In the Monitor and Spectrum Monitor modes, the APs do not provide access services to clients.
Table 18 Configuration Parameters for WLAN Security Settings (continued)

Parameter: WEP key size
Description: Select an appropriate value for the WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit.

Parameter: Tx Key
Description: Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3 or 4.

Parameter: WEP key
Description: Enter an appropriate WEP key and reconfirm.

Parameter: 802.11r roaming
Description: To enable 802.11r roaming, select Enabled from the 802.11r roaming drop-down list. Selecting this option enables fast BSS transition. The Fast BSS Transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster.

Parameter: Termination
Description: To terminate the EAP portion of 802.1X authentication on the OAW-IAP instead of the RADIUS server, set Termination to Enabled. Enabling Termination can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the OAW-IAP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server and the OAW-IAP acts as a relay for this exchange. When Termination is enabled, the OAW-IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.
NOTE: If you are using LDAP for authentication, ensure that AP termination is configured to support EAP.

Parameter: Authentication server 1
Description: Select any of the following options from the Authentication server 1 drop-down list:
- Select an authentication server from the list if
When fast failover is enabled and the primary tunnel fails, the OAW-IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
d. Specify a value in seconds for Secs between test packets. Based on the configured frequency, the OAW-IAP can verify whether an active VPN connection is available. The default value is 5 seconds, which means that the OAW-IAP will send one packet to the controller every 5 seconds.
e. Enter a value for Max allowed test packet loss to define the number of lost packets after which the OAW-IAP can determine that the VPN connection is unavailable. The default value is 2.
f. To disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary, set Reconnect user on failover to Enabled.
g. To configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect time on failover within a range of 30-900 seconds. By default, the reconnection duration is set to 60 seconds.

Figure 79 Alcatel-Lucent IPSec Configuration [screenshot of the Tunneling > Controller tab; fields shown are Protocol Aruba IPSec, Primary host 192.0.2.1, Backup host 192.0.2.2, Preemption Enabled, Hold time 600, Fast failover, Reconnect user on failover, Reconnect time on failover, Secs between test packets, Max allowed test packet loss]
and maximum transmission rate is 54 Mbps.

Under Bandwidth Limits:
- Airtime: Select this check box to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
- Each radio: Select this check box to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients.
- Downstream and Upstream: Specify the downstream and upstream rates within a range of 1 to 65535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user check box.

Configure the following options for WMM traffic management. WMM supports voice, video, best effort and background access categories. You can allocate a higher bandwidth for voice and video traffic than other types of traffic based on the network profile. Specify a percentage value for the following parameters:
- Background WMM share: Allocates bandwidth for background traffic such as file downloads or print jobs.
- Best effort WMM share: Allocates bandwidth for best effort traffic such as traffic from legacy devices, or traffic from applications or devices that do not support QoS.
- Video WMM share: Allocates bandwidth for video traffic generated from video streaming.
- Voice WMM share: Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication.

Table 17 WLAN Configuration Parameters (continued)

Paramete
- Through RADIUS VSA: In this method, the client traffic is replicated by using RADIUS VSA to assign clients to a CALEA-related user role. To enable role assignment to clients, you need to create a user role and a CALEA access rule, and then assign the CALEA rule to the user role. Whenever a client that is configured to use a CALEA rule connects, a replication role is assigned.
- Through Change of Authorization (CoA): In this method, a user session can start without replication. When the network administrator triggers a CoA from the RADIUS server, the user session is replicated. The replication is stopped when the user disconnects or by sending a CoA to change the replication role.

As the client information is shared between multiple OAW-IAPs in a cluster, the replication rules persist when clients roam within the cluster.

Configuring OAW-IAPs for CALEA Integration

To enable CALEA server integration, perform the following steps:
1. Create a CALEA profile.
2. If the replication role must be assigned through RADIUS VSA, create an access rule and assign the access rule to a WLAN SSID or wired profile.
3. Verify the configuration.

Creating a CALEA Profile

You can create a CALEA profile by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI

To configure a CALEA profile:
1. Click More > Services at the top right corner of the AOS-W Instant main window.
every client automatically receives a unique encryption key after securely logging on to the network. This key is automatically updated at regular intervals. WPA uses TKIP and WPA2 uses the AES algorithm.

Recommended Authentication and Encryption Combinations

The following table summarizes the recommendations for authentication and encryption combinations for the Wi-Fi networks.

Table 26 Recommended Authentication and Encryption Combinations

Network Type | Authentication | Encryption
Employee | 802.1X | AES
Voice Network or Handheld devices | 802.1X or PSK as supported by the device | AES if possible; TKIP or WEP if necessary (combine with security settings assigned for a user role)

Understanding Authentication Survivability

The authentication survivability feature supports authorization survivability against remote link failure for OmniAccess WLAN Switches when working with ClearPass Policy Manager (CPPM). When enabled, this feature allows AOS-W Instant to authenticate the previously connected clients using EAP-PEAP authentication even when connectivity to CPPM is temporarily lost.

The following figure illustrates the scenario where the OAW-IAP offloads EAP method authentication to ClearPass over a remote link connection. After authenticating the user against Active Directory and deriving enforcement attributes for the user, the CPPM returns additional information in the RA
> Configuration > page.
- Click Restore Configuration.
- Click Browse to browse your local system and select the configuration file.
- Click Restore Now.
- Click Restore Configuration to confirm restoration. The configuration is restored and the OAW-IAP reboots to load the new configuration.

Converting an OAW-IAP to a Remote AP and Campus AP

You can provision an OAW-IAP as a Campus AP or Remote AP in a Switch-based network. Before converting an OAW-IAP, ensure that both the OAW-IAP and the Switch are configured to operate in the same regulatory domain.

This section describes the following procedures:
- Converting an OAW-IAP to Remote AP on page 305
- Converting an OAW-IAP to Campus AP on page 308
- Converting an OAW-IAP to Standalone Mode on page 308
- Converting an OAW-IAP using CLI on page 309

Converting an OAW-IAP to Remote AP

For Remote AP conversion, the Virtual Controller sends the Remote AP convert command to all the other OAW-IAPs. The Virtual Controller, along with the other slave OAW-IAPs, sets up a VPN tunnel to the remote Switch and downloads the firmware through FTP. The Virtual Controller uses IPsec to communicate with the OmniAccess WLAN Switch over the Internet.

If the OAW-IAP obtains OmniVista information through DHCP (Option 43 and Option 60), it establishes an HTTPS connection to the OmniVista server, downloads the configuration and operates in the OAW-IAP mode. If the OAW-IAP does not get OmniVista information through DHCP
    (Instant Access Point)(SSID Profile <name>)# external-server
    (Instant Access Point)(SSID Profile <name>)# server-load-balancing
    (Instant Access Point)(SSID Profile <name>)# blacklist
    (Instant Access Point)(SSID Profile <name>)# radius-accounting
    (Instant Access Point)(SSID Profile <name>)# end

To configure open security settings for employee and voice users of a WLAN SSID profile:

    (Instant Access Point)(config)# wlan ssid-profile <name>
    (Instant Access Point)(SSID Profile <name>)# opmode opensystem
    (Instant Access Point)(SSID Profile <name>)# mac-authentication
    (Instant Access Point)(SSID Profile <name>)# auth-server <server-name>
    (Instant Access Point)(SSID Profile <name>)# external-server
    (Instant Access Point)(SSID Profile <name>)# server-load-balancing
    (Instant Access Point)(SSID Profile <name>)# blacklist
    (Instant Access Point)(SSID Profile <name>)# max-authentication-failures <number>
    (Instant Access Point)(SSID Profile <name>)# radius-accounting
    (Instant Access Point)(SSID Profile <name>)# radius-accounting-mode {user-authentication | user-association}
    (Instant Access Point)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
    (Instant Access Point)(SSID Profile <name>)# radius-reauth-interval <minutes>
    (Instant Access Point)(SSID Profile <name>)# end
    (Instant Access Point)# commit apply
    (Instant Access Point)(SSID Profile <name>)# opmode {wpa2-psk-aes | wpa-tkip | wpa-psk-tkip | wpa-psk-tkip,wpa2-psk-aes}
    (Instant Access Point)(SSID Profile <name>)# dot11r
    (Instant Access Point)(SSID Profile <name>)# end
    (Instant Access Point)# commit apply

To enable 802.11r roaming for open security settings:

    (Instant Access Point)(config)# wlan ssid-profile <name>
    (Instant Access Point)(SSID Profile <name>)# opmode opensystem
    (Instant Access Point)(SSID Profile <name>)# dot11r
    (Instant Access Point)(SSID Profile <name>)# end
    (Instant Access Point)# commit apply

Opportunistic Key Caching

AOS-W Instant now supports opportunistic key caching (OKC) based roaming. In OKC-based roaming, the AP stores one pairwise master key (PMK) per client, which is derived from the last 802.1X authentication completed by the client in the network. The cached PMK is used when a client roams to a new AP. This allows faster roaming of clients between the OAW-IAPs in a cluster without requiring a complete 802.1X authentication.

NOTE: OKC roaming, when configured in the 802.1X Authentication profile, is supported on WPA2 clients. If the wireless client (the 802.1X supplicant) does not support this feature, a complete 802.1X authentication is required whenever a client roams to a new AP.

Configuring an OAW-IAP for OKC Roaming

You can enable OKC roaming for a WLAN SSID by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Navigate
rules to either permit or deny data packets passing through the OAW-IAP. You can also limit the packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, or on source or destination IP addresses.

You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the outbound network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall.

The OAW-IAP clients are associated with user roles, which determine the client's network privileges and the frequency at which clients re-authenticate.

AOS-W Instant supports the following types of ACLs:
- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on source or destination IP address, and source or destination port number.

You can configure up to 64 access control rules for a firewall policy.

Configuring Access Rules

You can configure access rules using the AOS-W Instant UI or CLI.

In the Instant UI
1. Navigate to the WLAN wizard or Wired settings window:
   - To configure access rules fo
wired client.
- Network Assigned: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
c. If the Trunk mode is selected:
   - Specify the Allowed VLAN: enter a list of comma-separated digits or ranges (1,2,5 or 1-4, or all). The Allowed VLAN refers to the VLANs carried by the port in Access mode.
   - If Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as the Native VLAN. You can specify a value within the range of 1-4093.
d. If the Access mode is selected:
   - If Client IP Assignment is set to Virtual Controller Assigned, proceed to step 2.
   - If Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
2. Click Next. The Security tab details are displayed.
3. Configure security settings for the wired profile. For more information, see Configuring Security Settings for a Wired Profile on page 104.

In the CLI

To configure VLAN settings for a wired profile:

    (Instant Access Point)(config)# wired-port-profile <name>
    (Instant Access Point)(wired ap profile <name>)# switchport-mode {trunk | access}
    (Instant Access Point)(wired ap profile <name>)# all
    (Instant Access Point)(Hotspot2.0 "hs1")# venue-group business
    (Instant Access Point)(Hotspot2.0 "hs1")# venue-type research-and-dev-facility
    (Instant Access Point)(Hotspot2.0 "hs1")# pame-bi
    (Instant Access Point)(Hotspot2.0 "hs1")# group-frame-block
    (Instant Access Point)(Hotspot2.0 "hs1")# p2p-dev-mgmt
    (Instant Access Point)(Hotspot2.0 "hs1")# p2p-cross-connect
    (Instant Access Point)(Hotspot2.0 "hs1")# end
    (Instant Access Point)# commit apply

Step 3: Associating advertisement profiles with the hotspot profile

    (Instant Access Point)# configure terminal
    (Instant Access Point)(config)# hotspot hs-profile hs1
    (Instant Access Point)(Hotspot2.0 "hs1")# advertisement-profile anqp-nai-realm nr1
    (Instant Access Point)(Hotspot2.0 "hs1")# advertisement-profile anqp-venue-name vn1
    (Instant Access Point)(Hotspot2.0 "hs1")# advertisement-profile anqp-nwk-auth na1
    (Instant Access Point)(Hotspot2.0 "hs1")# advertisement-profile anqp-roam-cons rc1
    (Instant Access Point)(Hotspot2.0 "hs1")# advertisement-profile anqp-3gpp 201
    (Instant Access Point)(Hotspot2.0 "hs1")# advertisement-profile anqp-ip-addr-avail ip1
    (Instant Access Point)(Hotspot2.0 "hs1")# advertisement-profile anqp-domain-name dn1
    (Instant Access Point)(Hotspot2.0 "hs1")# advertisement-profile h2qp-oper-name on1
    (Instant Access Point)(Hotspot2.0 "hs1")# advertisement-profile h2qp-wan-metrics wm1
    (Instant Access Point)(Hotspot2.0 "hs1")# adv
[Screenshot of the Windows DHCP console: the server tree lists Scopes 10.169.131.0 through 10.169.159.0, all Active, each with Address Pool, Address Leases, Reservations and Scope Options nodes, and a Server Options node]

7. Select 060 Alcatel-Lucent Instant AP in the Server Options window and enter Alcatel-LucentInstantAP in the String Value.

Figure 92 AOS-W Instant and DHCP options for OmniVista: 060 OAW-IAP in Server Options [screenshot of the Windows Server Manager DHCP console showing the Server Options node]
802.11a/b/g access points do not support the client match feature. When client match is enabled on 802.11n-capable access points, the client match feature overrides any settings configured for the legacy bandsteering, station handoff assist or load balancing features. 802.11ac-capable access points do not support the legacy bandsteering, station hand-off or load balancing settings, so these access points must be managed using client match.

When the client match feature is enabled on an OAW-IAP, the OAW-IAP measures the RF health of its associated clients. If one of the three mismatch conditions described below is met, clients are moved from one AP to another for better performance and client experience. In the current release, the client match feature is supported only within an OAW-IAP cluster.

The following client or OAW-IAP mismatch conditions are managed by the client match feature:
- Dynamic Load Balancing: Client match balances clients across OAW-IAPs on different channels, based upon the client load on the OAW-IAPs and the SNR levels the client detects from an underutilized OAW-IAP. If an OAW-IAP radio can support additional clients, the OAW-IAP will participate in client match load balancing and clients can be directed to that OAW-IAP radio, subject to predefined SNR thresholds.
- Sticky Clients: The client match feature also helps mobile clients that tend to stay associated to an OAW-IAP despite low signal levels. OAW-IAPs using client match con
12:27 hours.

To monitor the speed for the client for the last 15 minutes:
1. Log in to the AOS-W Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the speed. The client view is displayed.
3. Study the Speed graph in the RF Trends pane. For example, the graph shows that the data transfer speed at 12:26 hours is 240 Mbps.

To monitor the errors for the client for the last 15 minutes:
1. Log in to the AOS-W Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the throughput. The client view is displayed.
3. Study the Throughput graph in the RF Trends pane. For example, the graph shows 1.0 Kbps outgoing traffic throughput for the client at 12:30 hours.

The Mobility Trail section displays the following mobility trail information for the selected client:
- Association Time: The time at which the selected client was associated with a particular OAW-IAP. The AOS-W Instant UI shows the client and OAW-IAP association over the last 15 minutes.
- Access Point: The OAW-IAP name with which the client was associated.

Mobility information about the client is reset each time it roams from one OAW-IAP to another.

Spectrum

The spectrum link i
1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or a mac-auth-only role.
- MAC authentication only role: Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
- L2 authentication fall-through: Allows you to enable the L2 authentication fall-through mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The L2 authentication fall-through mode is disabled by default.

For more information on configuring an OAW-IAP to use MAC + 802.1X Authentication, see Configuring MAC Authentication with 802.1X Authentication on page 155.

Captive Portal

Captive portal authentication is used for authenticating guest users. For more information on Captive Portal authentication, see Captive Portal for Guest Access on page 110.

MAC authentication with Captive Portal authentication

This authentication method has the fo
    (Instant Access Point)# commit apply

Configuring WISPr Authentication

AOS-W Instant supports the following smart clients:
- iPass
- Boingo

These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication and logoff messages within HTML messages that are sent to the OAW-IAP.

WISPr authentication is supported only for the Internal Authenticated and External RADIUS Server captive portal authentication. Select the Internal Authenticated or the External RADIUS Server option from the Splash page type drop-down menu to configure WISPr authentication for a WLAN profile.

You can configure WISPr authentication using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click Show advanced options.
3. Click the WISPr tab. The WISPr tab contents are displayed. The following figure shows the WISPr tab contents.

Figure 50 Configuring WISPr Authentication [screenshot of the WISPr tab with the fields ISO country code, E.164 country code, E.164 area code, SSID/Zone, Operator name and Location name]

4. Enter the ISO Country Code for the WISPr Location ID in the ISO Country Code text box.
5. Enter the E.164 Area Code for the WISPr Location ID in the E.164 Area Code text box.
6. Enter the operator name of the Hotspot in th
73. CPPM link is available again. The OAW-IAP sends the RADIUS Request message to the CPPM server directly for client authentication.

Figure 47 802.1X Authentication when CPPM is reachable again (ClearPass Policy Manager, Client Laptop; polling availability, connectivity restored, EAP authentication, refresh cache for authentication credentials)

You can enable authentication survivability for a wireless network profile when configuring enterprise security parameters. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 90.

Configuring Authentication Servers

This section describes the following procedures:
- Configuring an External Server for Authentication on page 144
- Configuring Dynamic RADIUS Proxy Parameters on page 148

Configuring an External Server for Authentication

You can add an external RADIUS server, LDAP server, or CPPM server for AirGroup CoA by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure an authentication server:
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A window for specifying details for the new server is displayed. The following figure shows the parameters to configure for a new authentication server configuration.

Figure 48 New Authentication Serv
75. Captive Portal Roles for an SSID on page 123
- Configuring Walled Garden Access on page 126
- Disabling Captive Portal Authentication on page 126

Understanding Captive Portal

AOS-W Instant supports the Captive portal authentication method, where a web page is presented to the guest users when they try to access the Internet, whether in hotels, conference centers, or Wi-Fi hotspots. The web page also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at many Wi-Fi hotspots and can be used to control wired access as well.

The AOS-W Instant Captive portal solution consists of the following:
- The captive portal web login page hosted by an internal or external server
- The RADIUS authentication or user authentication against the OAW-IAP's internal database
- The SSID broadcast by the OAW-IAP

With AOS-W Instant, the administrators can create a wired or WLAN guest network based on Captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. The administrators can also create guest accounts and customize the Captive portal page with an organization-specific logo, terms, and usage policy. With Captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the Captive portal web page prom
76. Configuring L3 Mobility on page 201 for more information.
Enterprise Domains: Allows you to view or configure the DNS domain names that are valid in the enterprise network. See Configuring Enterprise Domains on page 229 for more information.
Monitoring: Allows you to view or configure the following details:
- Syslog: Allows you to view or configure Syslog Server details for sending syslog messages to the external servers. See Configuring a Syslog Server on page 314 for more information.
- TFTP Dump: Allows you to view or configure a TFTP dump server for core dump files. See Configuring TFTP Dump Server on page 316 for more information.
- SNMP: Allows you to view or configure SNMP agent settings. See Configuring SNMP on page 311 for more information.
- WISPr: Allows you to view or configure the WISPr settings. See Configuring WISPr Authentication on page 157 for more information.
- Proxy: Allows you to configure an HTTP proxy on an OAW-IAP. See Configuring HTTP Proxy on an OAW-IAP on page 71 for more information.

The following figure shows the default view of the System window.

Figure 5 System Window (General tab: Admin, Name, System location, Virtual Controller IP, Dynamic RADIUS proxy, MAS integration, NTP server, Timezone)
77. Configuring Users for Internal Database of an OAW-IAP

The AOS-W Instant user database consists of a list of guest and employee users. Adding a user involves specifying login credentials for the user. The login credentials for these users are provided outside the AOS-W Instant system.

A guest user can be a visitor who is temporarily using the enterprise network to access the Internet. However, if you do not want to allow access to the internal network and the Intranet, you can segregate the guest traffic from the enterprise traffic by creating a guest WLAN and specifying the required authentication, encryption, and access rules.

An employee user is an employee who is using the enterprise network for official tasks. You can create Employee WLANs, specify the required authentication, encryption, and access rules, and allow the employees to use the enterprise network.

The user database is also used when an OAW-IAP is configured as an internal RADIUS server.

NOTE: The local user database of APs can support up to 512 user entries, except OAW-IAP9x. OAW-IAP9x supports only 256 user entries. If there are already 512 users, OAW-IAP9x will not be able to join the cluster.

In the AOS-W Instant UI
To configure users:
1. Click the Security link at the top right corner of the AOS-W Instant main window.
2. Click Users for Internal Server. The following figure shows the contents of the Users for Internal Server tab.
79. 2. Enter the HTTP proxy server's IP address and the port number.
3. If you do not want the HTTP proxy to be applied for a particular host, click New to enter the IP address or domain name of that host under the exceptions list.

In the CLI
(Instant Access Point)(config)# proxy server 192.0.2.1 8080
(Instant Access Point)(config)# proxy exception 192.0.2.2
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Upgrading an OAW-IAP Using Automatic Image Check

You can upgrade an OAW-IAP by using the automatic image check feature. The automatic image checks are performed once after the AP boots up and every week thereafter. If the image check locates a new version of the AOS-W Instant software on the image server, the New version available link is displayed at the top right corner of the AOS-W Instant UI. If OmniVista is configured, the automatic image check is disabled.

To check for a new version on the image server in the cloud:
1. Go to Maintenance > Automatic > Check for New Version. After the image check is completed, one of the following messages is displayed:
- No new version available: If there is no new version available.
- Image server timed out: Connection or session between the image server and the OAW-IAP has timed out.
- Image server failure: If the image server does not respond.
- A new image version found: If a new image version is found
80. In a single Ethernet port platform deployment, the root AP must be configured to use the 3G uplink.

A typical hierarchical deployment consists of the following:
- A direct wired ISP connection or a wireless uplink
- One or more DHCP pools for private VLANs
- One downlink port configured on a private VLAN without authentication for connecting to slave APs. Ensure that the downlink port configured in a private VLAN is not used for any wired client connection. Other downlink ports can be used for connecting to the wired clients.

The following figure illustrates a hierarchical deployment scenario.

Figure 39 Hierarchical Deployment (non-Ethernet uplink from the root AP to the ISP; eth0 uplink; eth1 and eth2 downlinks on Private VLAN 1 and Private VLAN 2 connecting hierarchical slave APs)

Configuring Wired Bridging on Ethernet 0

AOS-W Instant supports wired bridging on the Ethernet 0 port of an OAW-IAP. Enabling wired bridging on this port of an OAW-IAP makes the port available as a downlink wired bridge and allows client access through the port. You can also use the port to connect a wired device when a 3G uplink is used.

You can configure support for wired bridging on the Ethernet 0 port of an OAW-IAP using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure Ethernet bridging:
In the Access Points tab, click the OAW-IAP to modify. The edit link is displayed.
Click
81. Inactivity timeout: Specify a timeout interval. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. The minimum value is set to 60 seconds and the default value is 1000 seconds.
Select the check box if you do not want the SSID (network name) to be visible to users.

Parameter: Description
Disable SSID: Select the check box to disable the SSID. On selecting this check box, the SSID is disabled but not removed from the network. By default, all SSIDs are enabled.
Can be used without Uplink: Select the check box if you do not want the SSID users to use the uplink.
Max clients threshold: Specify the maximum number of clients that can be configured for each BSSID on a WLAN in the text box. You can specify a value within the range of 0 to 255. The default value is 64.
Local probe request threshold: Specify a threshold value in the Local probe request threshold text box to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls the system response for this network profile and ignores probe requests if required. You can specify a Received Signal Strength Indication (RSSI) value within the range of 0 to 100 dB.

6. Click Next to configure VLAN settings. The VLAN tab contents are displayed.
7. Select any of the followin
82. AirGroup

The AirGroup link provides an overall view of your AirGroup configuration. Click each field to view or edit the settings.
- MAC: Displays the MAC address of the AirGroup servers.
- IP: Displays the IP address of the AirGroup servers.
- Host Name: Displays the machine name or hostname of the AirGroup servers.
- Service: Displays the type of the services, such as AirPlay or AirPrint.
- VLAN: Displays VLAN details of the AirGroup servers.
- Wired/Wireless: Displays whether the AirGroup server is connected via a wired or wireless interface.
- Role: Displays the user role if the server is connected through 802.1X authentication. If the server is connected through PSK or open authentication, this field is blank.
- AP-MAC: Displays the MAC address of the OAW-IAP to which the server is connected.
- Update no/hash: This is used for debugging issues. Use this to identify the internal database of AirGroup.
- CPPM: By clicking on this, you get details of the registered rules in ClearPass Policy Manager (CPPM) for this server.
- MDNS Cache: By clicking on this, you receive MDNS record details of a particular server.

The following figure shows the AirGroup server details available on clicking the AirGroup link.

Figure 28 AirGroup Link

OmniVista 3600 Setup

OmniVista is a solution for managing rapidly changing wireless networks. When enabled, OmniVista allows you to manage the AOS-W Instant network. For more information on
83. L2TPv3 tunnel configuration status.
- VC L2TPv3 session status: Displays the L2TPv3 session configuration status.
- VC L2TPv3 system wide global statistics: Displays the L2TPv3 system statistics.
- VC OpenDNS Configuration and Status: Displays configuration details and status of the OpenDNS server.
- VC Radius Attributes: Displays information about the RADIUS attributes.
- VC Radius Servers: Displays the list of RADIUS servers configured on the OAW-IAP.
- VC Saved Configuration: Displays the configuration details of the Virtual Controller.
- VC Scanning Statistics: Displays the scanned information for the OAW-IAP.
- VC SNMP Configuration: Displays the SNMP configuration details of the OAW-IAP.
- VC Uplink 3G/4G Configuration: Displays the 3G/4G cellular configuration information for the OAW-IAPs managed by the Virtual Controller.
- VC Uplink Management Configuration: Displays uplink configuration details for the Virtual Controller.
- VC WISPr Configuration: Displays the WISPr configuration details.

NOTE: Use the support commands under the supervision of Alcatel-Lucent technical support.

Chapter 34 Regulatory Domain

The IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n networks operate in the 5.0 GHz spectrum. The spectrum is divided into channels. The 2.4 GHz spectrum is divided into 14 overlapping, staggered 20 MHz wireless carrier channels
84. Figure 43 Adding a User (Security window tabs: Authentication Servers, Users for Internal Server, Roles, Blacklisting, Firewall Settings, Walled Garden; Users list; Add new user fields: Username, Password, Retype, Type)

Enter the username in the Username text box.
Enter the password in the Password text box and reconfirm.
Select a type of network from the Type drop-down list.
Click Add and click OK. The users are listed in the Users list.
To edit user settings:
a. Select the user to modify under Users.
b. Click Edit to modify user settings.
c. Click OK.
8. To delete a user:
a. In the Users section, select the username to delete.
b. Click Delete.
c. Click OK.
9. To delete all or multiple users at a time:
a. Select the usernames that you want to delete.
b. Click Delete All.
c. Click OK.

NOTE: Deleting a user only removes the user record from the user database and will not disconnect the online user associated with the username.

In the CLI
To configure an employee user:
(Instant Access Point)(config)# user <username> <password> radius
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To configure a guest user:
(Instant Access Point)(config)# user <username> <password> portal
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring the Read-Only Administ
86. Protocol drop-down list.
3. Specify the following parameters. A sample configuration is shown in Figure 81.
a. Enter the IP address or the FQDN for the main VPN/GRE endpoint.
b. Enter the value for the GRE type parameter.
c. Select Enabled or Disabled from the Per AP tunnel drop-down list. The administrator can enable this option to create a GRE tunnel from each OAW-IAP to the VPN/GRE endpoint rather than the tunnels created just from the master OAW-IAP. When enabled, the traffic to the corporate network is sent through a Layer 2 GRE tunnel from the OAW-IAP itself and need not be forwarded through the master OAW-IAP.

NOTE: By default, the Per AP tunnel option is disabled.

Figure 81 Manual GRE Configuration (Tunneling: Controller; Protocol; Host 192.0.2.15; GRE type; Per AP tunnel Enabled)

4. Click Next to continue.

When the GRE tunnel configuration is completed on both the OAW-IAP and the Switch, the packets sent from and received by an OAW-IAP are encapsulated but not encrypted.

In the CLI
To configure a manual GRE VPN tunnel:
(Instant Access Point)(config)# gre primary <name>
(Instant Access Point)(config)# gre type <type>
(Instant Access Point)(config)# gre per-ap-tunnel
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To view VPN configuration detai
87. RAPIDS

The Rogue Access Point Detection Software (RAPIDS) module is a powerful and easy-to-use tool for automatic detection of unauthorized wireless devices. It supports multiple methods of rogue detection and uses authorized wireless APs to report other devices within range. The WIDS report cites the number of IDS events for devices that have experienced the most instances in the prior 24 hours and provides links to support additional analysis or configuration in response.

RF Visualization Support for AOS-W Instant

OmniVista supports RF visualization for AOS-W Instant. The VisualRF module provides a real-time picture of the actual radio environment of your wireless network and the ability to plan the wireless coverage of new sites. VisualRF uses sophisticated RF fingerprinting to accurately display coverage patterns and calculate the location of every Instant device in range. VisualRF provides graphical access to floor plans, client location, and RF visualization for floors, buildings, and campuses that host your network.

Figure 87 Adding an OAW-IAP in VisualRF (OmniVista navigation: Home, Groups, APs/Devices, Clients, Reports, System, Device Setup, AMP Setup, RAPIDS; New Devices summary; Add / Deployed)
88. The default value is 2.
SLB mode: Select a mode from the SLB mode drop-down. The SLB mode determines the balancing strategy for client match. The following options are available:
- Channel
- Radio
- Channel + Radio

6. For Access Point Control, specify the following parameters.

Table 41 Access Point Control Configuration Parameters
Parameter: Description
Customize Valid Channels: Select this check box to customize valid channels for 2.4 GHz and 5 GHz. By default, the AP uses valid channels as defined by the Country Code (regulatory domain). On selecting the Customize Valid Channels check box, a list of valid channels for both 2.4 GHz and 5 GHz is displayed. The valid channel customization feature is disabled by default.
Minimum Transmit Power: Specify the minimum transmission power. The value specified for Minimum Transmit Power indicates the minimum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. If the minimum transmission EIRP setting configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
Maximum Transmit Power: Specify the maximum transmission power. The value specified for Maximum Transmit Power indicates the maximum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. If the maximum tr
89. These channels are spaced 5 MHz apart. The 5 GHz spectrum is divided into more channels. The channels that can be used in a particular country differ based on the regulations of that country.

The initial Wi-Fi setup requires you to specify the country code for the country in which the AOS-W Instant operates. This configuration sets the regulatory domain for the radio frequencies that the OAW-IAPs use. Within the regulated transmission spectrum, a high-throughput 802.11a, 802.11b/g, or 802.11n radio setting can be configured. The available 20 MHz and 40 MHz channels are dependent on the specified country code.

You cannot change the country code for the OAW-IAPs designated for US, Japan, and Israel for most of the OAW-IAP models. Improper country code assignment can disrupt wireless transmissions. Most countries impose penalties and sanctions on operators of wireless networks with devices set to improper country codes.

Country Codes List on page 322 shows the list of country codes.

Figure 115 Specifying a Country Code (dialog: Please specify the Country Code; Select a country code; OK)

Country Codes List

The following table provides a list of supported country codes.

Table 63 Country Codes List
Code: Country Name
(table rows partially lost in this extract; the surviving entries, in order, are Canada, Switzerland (CH), Chile, China, Colombia, Costa Rica, Serb
90. Virtual Private Network (VPN) tunnels from the OAW-IAP networks at branch locations or datacenters, where the Alcatel-Lucent switch acts as a VPN concentrator. When VPN is configured, the OAW-IAP acting as the Virtual Controller creates a VPN tunnel to an OmniAccess WLAN Switch in your corporate office. The Switch acts as a VPN end point and does not supply the OAW-IAP with any configuration.

The VPN features are recommended for:
- Enterprises with many branches that do not have a dedicated VPN connection to the corporate office
- Branch offices that require multiple APs
- Individuals working from home, connecting to the VPN

The survivability feature of OAW-IAPs with the VPN connectivity of IAP-VPNs allows you to provide corporate connectivity to non-corporate networks.

Configuring a Tunnel from an OAW-IAP to OmniAccess WLAN Switch

OAW-IAP supports the configuration of tunneling protocols such as Generic Routing Encapsulation (GRE), IPsec, and L2TPv3. This section describes the procedures for configuring VPN host settings on an OAW-IAP to enable communication with a remote Switch:
- Configuring IPSec Tunnel on page 239
- Enabling Automatic Configuration of GRE Tunnel on page 241
- Manually Configuring a GRE Tunnel on page 243
- Configuring an L2TPv3 Tunnel on page 244

Configuring IPSec Tunnel

An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPSec tunnel to the switc
91. W Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed. The following figure shows the contents of the Firewall Settings tab.

Figure 55 Firewall Settings: ALG Protocols (Application Layer Gateway (ALG) Algorithms: SIP Enabled, Vocera Enabled, Alcatel NOE Enabled, Cisco Skinny Disabled; Protection against wired attacks: Drop bad ARP Disabled, Fix malformed DHCP Disabled, ARP poison check Disabled)

3. Select Enabled from the corresponding drop-down lists to enable the SIP, VOCERA, Alcatel NOE, and Cisco Skinny protocols.
4. Click OK.

NOTE: When the protocols for ALG are Disabled, the changes do not take effect until the existing user sessions have expired. Reboot the OAW-IAP and the client, or wait a few minutes for the changes to take effect.

In the CLI
To configure protocols for ALG:
(Instant Access Point)(config)# alg
(Instant Access Point)(ALG)# sccp-disable
(Instant Access Point)(ALG)# no sip-disable
(Instant Access Poin
92. access through an uplink switch. To allow flexibility in firewall configuration, AOS-W Instant supports the following features:
- Configurable Management Subnets
- Restricted corporate access

Configuring Management Subnets

You can configure subnets to ensure that the OAW-IAP management is carried out only from these subnets. When the management subnets are configured, Telnet, SSH, and UI access is restricted to these subnets only.

You can configure management subnets by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure management subnets:
1. Navigate to Security > Firewall Settings. The Firewall Settings tab contents are displayed.

Figure 57 Firewall Settings: Management Subnets (Security window tabs: Authentication Servers, Users for Internal Server, Roles, Blacklisting, Firewall Settings, Walled Garden, External Captive Portal; Application Layer Gateway (ALG) Algorithms: SIP Enabled, Vocera Enabled, Alcatel NOE Enabled, Cisco Skinny Enabled; Protection against wired attacks: Drop bad ARP Disabled, Fix malformed DHCP Disabled, ARP poison check Disabled; Inbound Firewall Configuration: Management Subnets, Add new management subnet, Subnet, Mask, Su
93. allows enabling of Spanning Tree Protocol (STP) on a wired profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports regardless of forwarding mode. By default, Spanning Tree is disabled on wired profiles.

Table 3 New Features in 6.3.1.1-4.0
Feature: Description
Customizing Internal Captive Portal Certificate: AOS-W Instant now supports uploading of customized internal Captive Portal server certificates to the OAW-IAP database.
Provisioning an OAW-IAP as a master OAW-IAP: AOS-W Instant now allows you to manually provision an OAW-IAP as a master OAW-IAP based on network-specific parameters such as the physical location of the Virtual Controller.
Support for Automatic Configuration of the GRE Tunnel: AOS-W Instant now allows the automatic configuration of a GRE tunnel from an OAW-IAP to an Alcatel-Lucent OmniAccess WLAN Switch. By using an IPsec connection, the OAW-IAPs can now set up a GRE tunnel with the switch. This feature eliminates the need for the manual configuration of the tunnel interface on the switch.
DHCP Relay Support: AOS-W Instant now supports the Centralized DHCP scope to serve the L3 clients. When this feature is enabled, the OAW-IAP relays all DHCP request packets to the DHCP server and acts as the gateway for the centralized DHCP scope serving L3 clients.
OAW-IAP Provisioning: For DHCP option 43, besides the old format <organization>,<a
94. although uplink switching based on VPN status is enabled.

In the CLI
To enable uplink switching based on VPN status:
(Instant Access Point)(config)# uplink
(Instant Access Point)(uplink)# failover-vpn-timeout <seconds>
(Instant Access Point)(uplink)# end
(Instant Access Point)# commit apply

To enable uplink switching based on Internet availability:
(Instant Access Point)(config)# uplink
(Instant Access Point)(uplink)# failover-internet
(Instant Access Point)(uplink)# failover-internet-pkt-lost-cnt <count>
(Instant Access Point)(uplink)# failover-internet-pkt-send-freq <frequency>
(Instant Access Point)(uplink)# end
(Instant Access Point)# commit apply

Viewing Uplink Status and Configuration

To view the uplink status and configuration in the CLI:
(Instant Access Point)# show uplink status
Uplink preemption :enable
Uplink enforce :none
Ethernet uplink bond0 :DHCP
Uplink Table
Type State Priority In Use
eth0 UP 0 Yes
Wifi-sta LOAD 6 No
3G/4G INIT 7 No
Internet failover :disable
Max allowed test packet loss :10
Secs between test packets :30
VPN failover timeout (secs) :180
ICMP pkt sent :20
ICMP pkt lost :20
Continuous pkt lost :0
VPN down time :20

(Instant Access Point)# show uplink config
Uplink preemption :enable
Uplink enforce :none
Ethernet upli
95. and allows an OAW-IAP to resume scanning when there are no active voice calls. This significantly improves the voice quality when a call is in progress and simultaneously delivers the automated RF management functions. By default, this feature is enabled.

Load Aware Scanning: The Load Aware Scanning feature dynamically adjusts scanning behavior to maintain uninterrupted data transfer on resource-intensive systems when the network traffic exceeds a predefined threshold. The OAW-IAPs resume complete monitoring scans when the traffic drops to normal levels. By default, this feature is enabled.

Band Steering Mode: The Band Steering feature assigns the dual-band capable clients to the 5 GHz band on dual-band OAW-IAPs. This feature reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. For more information, see Configuring ARM Features on an OAW-IAP on page 213.

Client Match: The ARM client match feature continually monitors a client's RF neighborhood to provide ongoing client bandsteering and load balancing, and enhanced AP reassignment for roaming mobile clients. This feature supersedes the legacy bandsteering and spectrum load balancing features, which, unlike client match, do not trigger OAW-IAP changes for clients already associated to an OAW-IAP.

All Legacy 802
96. and mornings have less. Typically, clocks are adjusted forward one hour near the start of spring and are adjusted backward in autumn.
EAP: Extensible Authentication Protocol. EAP refers to the authentication protocol in wireless networks that expands on methods used by the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.

Table 66 List of Terms
Term: Definition
fixed wireless: Wireless devices or systems in fixed locations, such as homes and offices. Fixed wireless devices usually derive their electrical power from the utility mains, unlike mobile wireless or portable wireless, which tend to be battery-powered. Although mobile and portable systems can be used in fixed locations, efficiency and bandwidth are compromised compared with fixed systems.
frequency allocation: Use of radio frequency spectrum regulated by governments.
frequency spectrum: Part of the electromagnetic spectrum.
hotspot: A WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hot spot, contact it, and get connected through its network to reach the Internet and their own com
97. ...associated numeric value is 1. chap: The associated numeric value is 2. mschap: The associated numeric value is 3. mschapv2: The associated numeric value is 4.

eap-inner-auth
The following authentication values apply:
- Uses the EAP inner authentication type.
- The associated numeric value is 3.
- reserved: 0; pap: 1; chap: 2; mschap: 3; mschapv2: 4.

exp-inner-eap
Use the exp-inner-eap authentication value:
- Uses the expanded inner EAP authentication method.
- The associated numeric value is 4.

credential
The following authentication values apply:
- sim: 1; usim: 2; nfc-secure: 3; hw-token: 4; softoken: 5; certificate: 6; uname-password: 7; none: 8; reserved: 9; vendor-specific: 10.
- Uses credential authentication.
- The associated numeric value is 5.

Configuring a Venue Name Profile
You configure a venue name profile to send venue information as an ANQP IE in a GAS query response. To configure a venu...
98. ...be constrained by local regulatory requirements and AP capabilities. If the maximum transmission EIRP configured on an AP is not supported by the AP model, the value is reduced to the highest supported power setting. The default value for maximum transmit power is 127 dBm, a value no radio can emit, which effectively leaves the regulatory and hardware limits as the only cap.

Client Aware: When Enabled, ARM does not change channels for APs with active clients, except for high-priority events such as radar or excessive noise. This feature must be enabled in most deployments for a stable WLAN. If Client Aware is Disabled, the OAW-IAP may change to a more optimal channel, which may disrupt current client traffic for a while. Client Aware is Enabled by default.
NOTE: When Client Aware ARM is disabled, channels can be changed even when clients are active on a BSSID.

Scanning: When ARM is enabled, the OAW-IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and reports the results to the OAW-IAP. This scanning report includes WLAN coverage, interference, and intrusion detection data.

Wide Channel Bands: This feature allows administrators to configure 40 MHz channels in the 2.4 GHz and 5.0 GHz bands. 40 MHz channels are essentially two adjacent 20 MHz channels bonded together. A 40 MHz channel effectively doubles the frequency bandwidth available for data transmission.

Monitoring the Network with ARM
When ARM is enabled, an OAW-IAP dynamically scans all 802.11 channels w...
99. ...but may also reduce radio sensitivity. This level is recommended for environments with a high level of interference from 2.4 GHz appliances such as cordless phones.
Level 4: Level 3 settings plus FIR immunity. At this level the AP adjusts its sensitivity to in-band power, which can improve performance in environments with high and constant levels of noise interference.
Level 5: The AP completely disables PHY error reporting, improving performance by eliminating the time the OAW-IAP would spend on PHY processing.
NOTE: Increasing the immunity level makes the AP lose a small amount of range.

Channel switch announcement count: Specify the number of channel switch announcements that must be sent before switching to a new channel. This allows associated clients to recover gracefully from a channel change.

Background spectrum monitoring: Select Enabled to allow APs in access mode to continue normal access service to clients while also monitoring RF interference from both neighboring APs and non-Wi-Fi sources, such as microwaves and cordless phones, on the channel on which they are currently serving clients.

5. Reboot the OAW-IAP after configuring the radio profile settings.

In the CLI
To configure 2.4 GHz radio settings:
(Instant Access Point)(config)# rf dot11g-radio-profile
(Instant Access Point)(RF dot11g Radio Profile)# beacon-interval <m...
100. ...cache-time-out <hours>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring MAC and 802.1X Authentication for Wired Profiles
You can configure MAC and 802.1X authentication for a wired profile in the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To enable MAC and 802.1X authentication for a wired profile:
1. Click the Wired link under More at the top right corner of the AOS-W Instant main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network, or select an existing profile for which you want to enable MAC authentication and then click Edit.
3. In the New Wired Network or Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. In the Security tab, enable the following options:
   - Select Enabled from the MAC authentication drop-down list.
   - Select Enabled from the 802.1X authentication drop-down list.
   - Select Enabled from the MAC authentication fail-thru drop-down list. With fail-thru enabled, a client whose MAC address is rejected by the authentication server is still offered 802.1X authentication instead of being denied outright. Because a MAC address is trivially spoofed, MAC authentication on its own should be treated as a convenience for legacy devices rather than as a security control.
5. Specify the type of authentication server to use and configure the other required parameters. For more information on the configuration parameters, see Configuring Security Settings for a Wired Profile on page 104.
6. Click Next to define access rules, and then click Finish to apply the changes.

In the CLI
To enable MAC and 802.1X authentication...
101. ... 292
Configuring a Roaming Consortium Profile 293
Configuring a 3GPP Profile 293
Configuring an IP Address Availability Profile 293
Configuring a Domain Profile 293
Configuring an Operator Friendly Profile 294
Configuring a Connection Capability Profile 294
Configuring an Operating Class Profile 294
Configuring a WAN Metrics Profile 294
Creating a Hotspot Profile 295
Associating an Advertisement Profile to a Hotspot Profile 297
Creating a WLAN SSID and Associating a Hotspot Profile 297
Sample Configuration 298
Extended Voice and Video 301
QoS for Microsoft Office OCS and Apple Facetime 301
Microsoft OCS 301
Apple Facetime 301
Dynamic CPU Management 302
Dynamic CPU Management 302
Configuring for Dyna...
102. ...(Instant Access Point)(cellular-uplink-profile)# usb-type <3G-usb-type>
(Instant Access Point)(cellular-uplink-profile)# modem-country <country>
(Instant Access Point)(cellular-uplink-profile)# modem-isp <service-provider-name>
(Instant Access Point)(cellular-uplink-profile)# usb-auth-type <usb-authentication-type>
(Instant Access Point)(cellular-uplink-profile)# end
(Instant Access Point)# commit apply

To configure a 4G cellular uplink profile:
(Instant Access Point)(config)# cellular-uplink-profile
(Instant Access Point)(cellular-uplink-profile)# 4g-usb-type <4g-usb>
(Instant Access Point)(cellular-uplink-profile)# modem-country <country>
(Instant Access Point)(cellular-uplink-profile)# modem-isp <service-provider-name>
(Instant Access Point)(cellular-uplink-profile)# usb-auth-type <usb-authentication-type>
(Instant Access Point)(cellular-uplink-profile)# end
(Instant Access Point)# commit apply

To switch a modem from storage mode to modem mode:
(Instant Access Point)(config)# cellular-uplink-profile
(Instant Access Point)(cellular-uplink-profile)# usb-modeswitch <usb-modem>

To configure 3G/4G network switching:
(Instant Access Point)(config)# cellular-uplink-profile
(Instant Access Point)(cellular-uplink-profile)# usb-type <3G-usb-type>
(Instant Access Point)(cellular-uplink-profile)# 4g-usb-type <4g-usb>
(Instant Access Point)(cellular-uplink-profi...
103. ...clients can be assigned to the same VLAN. Using the same VLAN for multiple clients can lead to a high level of broadcasts in the same subnet. To manage the broadcast traffic, you can partition the network into different subnets and use L3 mobility between those subnets when clients roam. However, if a large number of clients need to be in the same subnet, you can configure VLAN pooling, in which each client is randomly assigned a VLAN from a pool of VLANs on the same SSID. Thus VLAN pooling allows automatic partitioning of a single broadcast domain of clients into multiple VLANs.

Uplink VLAN Monitoring and Detection on Upstream Devices
If a client connects to an SSID or wired interface with a VLAN that is not allowed on the upstream device, the client is not assigned an IP address and thus cannot connect to the Internet. When a client connects to an SSID or a wired interface with a VLAN that is not allowed on the upstream device, the AOS-W Instant UI now displays the following alert message.

Figure 30 Uplink VLAN Detection (Virtual Controller Instant-CC:42:39)
Alert Details, Client Alerts: VLAN mismatch between IAP and upstream device. The upstream device can be an upstream switch or a RADIUS server.
Timestamp | MAC address | Description
2013-11-11 11:50:30 | b4:b6:76:42:6d:05 | Wrong Client VLAN
2013-11-11 11:50:30 | b4:b6:76:42:6d:05 | DHCP request timed out

To resolve this issue, ensure that there is no mismatch in the VLAN configuration.
104. ...connections in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in close proximity to the rest of the network.

band
A specified range of frequencies of electromagnetic radiation.

DHCP
The Dynamic Host Configuration Protocol (DHCP) is an auto-configuration protocol used on IP networks. Computers or any network peripherals that are connected to IP networks must be configured before they can communicate with other computers on the network. DHCP allows a computer to be configured automatically, eliminating the need for a network administrator. DHCP also provides a central database to keep track of computers connected to the network. This database helps prevent any two computers from being configured with the same IP address.

DNS Server
A Domain Name System (DNS) server functions as a phonebook for the Internet and Internet users. It converts human-readable computer hostnames into IP addresses and vice versa. A DNS server stores several records for a domain name, such as an address (A) record, name server (NS) records, and mail exchanger (MX) records. The address (A) record is the most important record stored in a DNS server, because it provides the required IP address for a network peripheral or element.

DST
Daylight saving time (DST), also known as summer time, is the practice of advancing clocks so that evenings have more daylight...
105. ...corporate domains on this wired network are sent to OpenDNS, select Enabled for Content Filtering.
g. Uplink: Select Enabled to configure an uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port is enabled as an uplink port. For more information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 108.
4. Click Next. The VLAN tab details are displayed.
5. Enter the following information:
a. Mode: You can specify any of the following modes:
   - Access: Select this mode to allow the port to carry a single VLAN, specified as the native VLAN.
   - Trunk: Select this mode to allow the port to carry packets for multiple VLANs, specified as allowed VLANs.
b. Specify any of the following values for Client IP Assignment:
   - Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client.
   - Network Assigned: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
c. If Trunk mode is selected, speci...
106. ...disabled globally across the wireless or wired network profiles. You can enable content filtering for an SSID when configuring or modifying a wireless or wired network using the AOS-W Instant UI or CLI.

Enabling Content Filtering for a Wireless Profile
To enable content filtering for a wireless SSID, perform the following steps.

In the AOS-W Instant UI
1. Select a wireless profile in the Networks tab and then click the edit link. The window for editing the WLAN SSID profile is displayed.
2. Click Show advanced options.
3. Select Enabled from the Content Filtering drop-down list and click Next to continue.
You can also enable content filtering while adding a new wireless profile. For more information, see Configuring WLAN Settings for an SSID Profile on page 86.

In the CLI
To enable content filtering on a WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# content-filtering
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

Enabling Content Filtering for a Wired Profile
To enable content filtering for a wired profile, perform the following steps.

In the AOS-W Instant UI
1. Click the Wired link under More at the top right corner of the AOS-W Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to modify...
107. ...displays the following information about each client:
- Name: User name of the client or guest user, if available.
- IP Address: IP address of the client.
- MAC Address: MAC address of the client.
- OS: Operating system that runs on the client.
- Network: The network to which the client is connected.
- Access Point: OAW-IAP to which the client is connected.
- Channel: The client's operating channel.
- Type: Type of the Wi-Fi client (A, G, AN, or GN).
- Role: Role assigned to the client.
- Signal: Current signal strength of the client as detected by the AP.
- Speed (Mbps): Current speed at which data is transmitted. When the client is associated with an AP, it constantly negotiates the speed of data transfer. A value of 0 means that the AP has not heard from the client for some time.

Links
The following links allow you to configure various features for the AOS-W Instant network: New Version Available, System, RF, Security, Maintenance, More, Help, Logout, Monitoring, Spectrum, Alerts, IDS, Configuration, AirGroup, OmniVista Setup, and Pause/Resume. Each of these links is explained in the subsequent sections.

New Version Available
This link is displayed in the top right corner of the AOS-W Instant main window only if a new image version is available on the image server and OmniVista is not configured. For more information about the New Version Available link and its functions, see Upgrading a...
108. ...(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

To enforce DHCP-based VLAN assignment:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# enforce-dhcp
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

To create a new VLAN assignment rule:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID> | value-of}
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

Configuring Security Settings for a WLAN SSID Profile
This section describes the procedure for configuring security settings for employee and voice networks only. For information on guest network configuration, see Captive Portal for Guest Access.
If you are creating a new SSID profile, configure the WLAN and VLAN settings before defining security settings. For more information, see Configuring WLAN Settings for an SSID Profile on page 86 and Configuring VLAN Settings for a WLAN SSID Profile on page 89.

Configuring Security Settings for an Employee or Voice Network
You can configure security settings for an employee or voice network by using the AOS-W Instant UI or CLI.
109. ...home: The associated numeric value is 4. prison or jail: The associated numeric value is 5.

mercantile (the associated numeric value for the group is 6): unspecified: 0; retail store: 1; grocery market: 2; auto service station: 3; shopping mall: 4; gas station: 5.

residential (the associated numeric value for the group is 7): unspecified: 0; private residence: 1; hotel: 3; dormitory: 4; boarding house: 5.

storage (the associated numeric value for the group is 8): unspecified: 0.

utility-misc (the associated numeric value for the group is 9): unspecified: 0.

vehicular (the associated numeric value for the group is 10): unspecified: 0; automobile or truck: 1; airplane: 2; bus: 3; ferry: 4; ship: 5; train: 6; motor bike: 7.

outdoor: unspecified: 0; muni-mesh network: 1; city...
110. ...in the PPPoE section:
a. Enter the PPPoE service name provided by your service provider in the Service name field.
b. In the CHAP secret and Retype fields, enter the secret key used for Challenge Handshake Authentication Protocol (CHAP) authentication. You can use a maximum of 34 characters for the CHAP secret key.
c. Enter the user name for the PPPoE connection in the User field.
d. In the Password and Retype fields, enter a password for the PPPoE connection and confirm it.
4. To set a local interface for the PPPoE uplink connections, select a value from the Local Configuration drop-down list. The selected DHCP scope is used as a local interface on the PPPoE interface, with the Local L3 DHCP gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE interface and allows the entire Local L3 DHCP subnet to be allocated to clients. The options in the Local Configuration drop-down list are displayed only if a Local L3 DHCP scope is configured on the OAW-IAP.
5. Click OK.
6. Reboot the OAW-IAP for the configuration to take effect.

In the CLI
To configure a PPPoE uplink connection:
(Instant Access Point)(config)# pppoe-uplink-profile
(Instant Access Point)(pppoe-uplink-profile)# pppoe-svcname <service-name>
(Instant Access Point)(pppoe-uplink-profile)# pppoe-username <username>
(Instant Access Point)(pppoe-uplink-profile)# pppoe-passwd <password>
(Instant Access Point)(pppoe-uplink-pro...
111. ...limit 0
session count 1
tunnel profile test_tunnel_primary
peer profile default
session profile default
hello timeout 150, retry timeout 80, idle timeout 0
rx window size 10, tx window size 10, max retries 5
use udp checksums: OFF
do pmtu discovery: OFF, mtu 1460
trace flags: PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
peer vendor name: Katalix Systems Ltd. Linux-2.6.32-358.2.1.el6.x86_64 (x86_64)
peer protocol version: 1.0, firmware 0
peer rx window size: 10
Transport status:
  ns/nr: 98/97, peer 98/96
  cwnd: 10, ssthresh: 10, congpkt_acc: 9
Transport statistics:
  out of sequence control/data discards: 0/0
  ACKs tx/txfail/rx: 0/0/96
  retransmits: 0, duplicate pkt discards: 0, data pkt discards: 0
  hellos tx/txfail/rx: 94/0/95
  control rx packets: 193, rx bytes: 8506
  control tx packets: 195, tx bytes: 8625
  data rx packets: 0, rx bytes: 0, rx errors: 0
  data tx packets: 6, tx bytes: 588, tx errors: 0
  establish retries: 0

To view the L2TPv3 tunnel configuration:
(Instant Access Point)# show l2tpv3 tunnel config
Tunnel profile test_tunnel_primary
  l2tp host name: Instant-C4:42:98
  local UDP port: 1701
  peer IP address: 10.0.0.65
  peer UDP port: 3000
  hello timeout 150, retry timeout 80, idle timeout 0
  rx window size 10, tx window size 10, max retries 5
  use UDP checksums: OFF
  do pmtu discovery: OFF, mtu 1570
  framing capability: SYN...
112. ...link of the OAW-IAP.
- AP Mesh Neighbors: Displays the mesh link neighbors of the OAW-IAP.
- AP Monitor Active Laser Beams: Displays the active laser beam sources for the OAW-IAP.
- AP Monitor AP Table: Displays the list of APs monitored by the OAW-IAP.
- AP Monitor ARP Cache: Displays ARP cache details for the OAW-IAP.
- AP Monitor Client Table: Displays the list of clients monitored by the OAW-IAP.
- AP Monitor Containment Information: Displays containment details for the OAW-IAP.
- AP Monitor Potential AP Table: Displays the list of potential APs for the OAW-IAP.
- AP Monitor Potential Client Table: Displays the list of potential clients for the OAW-IAP.
- AP Monitor Router: Displays information about the potential wireless devices.
- AP Monitor Scan Information: Displays scan information for the OAW-IAP.
- AP Monitor Status: Displays the configuration and status of monitor information for the OAW-IAP.
- AP Persistent Clients: Displays the list of persistent clients for the OAW-IAP.
- AP PMK Cache: Displays the PMK cache details for the clients associated with the OAW-IAP.
- AP PPPoE uplink debug: Displays PPPoE debug logs.
- AP PPPoE uplink status: Displays PPPoE uplink status.
- AP Processes: Displays the processes running on the OAW-IAP.
- AP Radio 0 Stats: Displays aggregate debug statistics of the OAW-IAP Radio 0.
- AP Radio 1 Stats: Displays aggregate debug statistics of the OAW-IAP Radio 1.
- AP Radio 0 Client Match Status: Displays informati...
113. ...<IP address> port include unassoc sta
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Integrating an OAW-IAP with a Palo Alto Networks Firewall
The Palo Alto Networks (PAN) next-generation firewall offers contextual security for all users, for the safe enabling of applications. A simple firewall that looks no further than IP addresses or TCP port numbers provides only a subset of the enhanced security that enterprises require to secure their networks. In the context of businesses using social networking sites, legacy firewalls are not able to differentiate valid, authorized users from casual social networking users.
The Palo Alto next-generation firewall is based on User-ID, which provides many methods for connecting to sources of identity information and associating them with firewall policy rules. For example, it provides an option to gather user information from an Active Directory or LDAP server.

Integration with AOS-W Instant
The functionality provided by the PAN firewall based on User-ID requires the collection of information from the network. The OAW-IAP maintains network state, such as the mapping of IP addresses to user information for its clients, and can provide the required information for the User-ID feature on the PAN firewall. Before sending the User-ID mapping information to the PAN firewall, the OAW-IAP...
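The information the OAW-IAP hands to the firewall is, at its core, an IP address paired with the username that authenticated from it. The following Python is an added example, not the OAW-IAP's own code: it renders such a mapping in the format of the public PAN-OS User-ID XML API (a uid-message posted to /api/ with type=user-id), which is the documented way to feed User-ID from an external source. That the OAW-IAP uses exactly this message, and the use of an API key obtained with the configured administrator credentials, are assumptions; the client records are constructed sample data.

```python
# Added example (not the OAW-IAP's implementation): the IP-to-user mapping an
# OAW-IAP collects for its clients, rendered as a PAN-OS User-ID XML API
# message. Assumptions: the firewall accepts the public User-ID XML API
# (POST https://<firewall>:<port>/api/ with type=user-id and a cmd payload);
# authentication is by an API key obtained with the administrator credentials.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# constructed sample: what the OAW-IAP knows about three connected clients.
# The guest has no authenticated identity and must not be reported.
SAMPLE_CLIENTS = [
    {"ip": "10.1.20.15", "user": "alice", "domain": "corp", "role": "employee"},
    {"ip": "10.1.20.16", "user": "bob",   "domain": "corp", "role": "employee"},
    {"ip": "10.1.30.7",  "user": None,    "domain": None,   "role": "guest"},
]


def mappings_from_clients(clients):
    """(domain, user, ip) for every client that actually authenticated with a
    username. Unauthenticated clients would otherwise bind an IP to a bogus
    identity and inherit that identity's firewall policy."""
    return [(c["domain"], c["user"], c["ip"]) for c in clients if c.get("user")]


def _entry(parent, domain, user, ip, timeout_min=None):
    attrs = {"name": f"{domain}\\{user}" if domain else user, "ip": ip}
    if timeout_min is not None:
        attrs["timeout"] = str(timeout_min)   # minutes until the mapping expires
    ET.SubElement(parent, "entry", attrs)


def uid_message(logins, logouts=(), timeout_min=None) -> str:
    """Build the <uid-message> document. Logins map IP -> user; logouts remove
    a mapping (send one when a client disassociates, otherwise the IP keeps
    the old user's identity until the timeout)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for domain, user, ip in logins:
            _entry(login, domain, user, ip, timeout_min)
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for domain, user, ip in logouts:
            _entry(logout, domain, user, ip)
    return ET.tostring(root, encoding="unicode")


def api_form_body(xml_message: str, api_key: str) -> str:
    """URL-encoded body for POST https://<firewall>:443/api/ (the default port
    on this page). Keep TLS certificate verification on when sending it: the
    firewall's certificate is what stops an impostor from answering this
    request and harvesting the key."""
    return urlencode({"type": "user-id", "key": api_key, "cmd": xml_message})


if __name__ == "__main__":
    msg = uid_message(mappings_from_clients(SAMPLE_CLIENTS), timeout_min=20)
    print(msg)
    print(api_form_body(msg, "REDACTED")[:60] + "...")
```

The two points a practitioner should take from this: only authenticated identities are worth mapping (an IP reported with a guessed or empty name silently grants that IP whatever policy the name carries), and mappings must be withdrawn or allowed to expire when a client leaves, or the next client to receive that DHCP lease inherits the previous user's access.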
114. ...name and password. Ensure that you provide the user credentials of the PAN firewall administrator. Because these credentials are stored in the OAW-IAP configuration, a dedicated firewall account restricted to the User-ID function is preferable to a full administrator account.
5. Enter the PAN firewall IP address.
6. Enter the port number, within the range 1 to 65535. The default port is 443.
7. Click OK.

In the CLI
To enable PAN firewall integration with the OAW-IAP:
(Instant Access Point)(config)# firewall-external-enforcement pan
(Instant Access Point)(firewall-external-enforcement pan)# enable
(Instant Access Point)(firewall-external-enforcement pan)# ip <ip-address>
(Instant Access Point)(firewall-external-enforcement pan)# port <port>
(Instant Access Point)(firewall-external-enforcement pan)# user <name> <password>
(Instant Access Point)(firewall-external-enforcement pan)# end
(Instant Access Point)# commit apply

Chapter 27 Lawful Intercept and CALEA Integration
This chapter provides the following information:
- CALEA Integration and Lawful Intercept Compliance on page 281
- Configuring OAW-IAPs for CALEA Integration on page 283

CALEA Integration and Lawful Intercept Compliance
Lawful Intercept (LI) allows Law Enforcement Agencies (LEAs) to perform authorized electronic surveillance. Depending on the country of operation, service providers (SPs) are required to support LI in their respective networks. In the United States, S...
115. ...on the selected antennas: antenna gain and feeder (coaxial cable) loss.

EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)

The following table describes this formula.
Table 14 Formula Variable Definitions
Formula Element | Description
EIRP | Limit specific for each country of deployment
Tx RF Power | RF power measured at the RF connector of the unit
GA | Antenna gain
FL | Feeder loss

The following table lists the gain values supported by each type of antenna.
Table 15 Antenna Types and Maximum Antenna Gains
Frequency Band | Type | Gain (dBi)
[Table rows not recoverable from the source.]
For information on the antenna gain recommended by the manufacturer, see Configuring Antenna Gain.

Configuring Antenna Gain
You can configure antenna gain for APs with external connectors using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Navigate to the Access Point tab, select the access point to configure, and then click edit.
2. In the Edit Access Point window, select External Antenna to configure the antenna gain value. This option is available only for access points that support external antennas, for example the OAW-IAP134 or OAW-IAP92.
3. Enter the antenna gain values in dBi for the 2.4 GHz and 5 GHz bands.
4. Click OK.

In the CLI
To configure an external antenna for the 5 GHz frequency:
(Instant Access Point)# a-external-antenna <dBi>
To configure an external antenna for the 2.4 GHz frequency:
(Instant Access Point)# g-external-antenna l...
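As an added worked example (not part of the user guide), the EIRP formula above in Python: it computes EIRP from the conducted power, antenna gain and feeder loss, then inverts the formula to find the highest transmit power that keeps EIRP at or under a country's limit, clamped to the radio's own maximum as the guide describes and rounded down to the radio's power step. The limit, gain, loss and radio capability values are constructed for illustration, not figures from this guide.

```python
# Added example (not from the AOS-W Instant user guide): EIRP budgeting for an
# OAW-IAP with external antennas, using the page's formula
#   EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)
# All numeric inputs below are constructed for illustration.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AntennaSystem:
    gain_dbi: float        # GA: antenna gain (dBi), the value entered for the external antenna
    feeder_loss_db: float  # FL: coaxial cable and connector loss (dB)


def eirp_dbm(tx_power_dbm: float, ant: AntennaSystem) -> float:
    """EIRP radiated by the antenna for a given conducted power at the RF connector."""
    return tx_power_dbm + ant.gain_dbi - ant.feeder_loss_db


def max_tx_power_dbm(eirp_limit_dbm: float, ant: AntennaSystem,
                     radio_max_dbm: float, step_db: float = 0.5) -> float:
    """Highest conducted power that keeps EIRP at or below the regulatory
    limit, clamped to what the radio can actually emit (the page's 'reduced
    to the highest supported power setting' rule) and rounded down, never
    up, to the radio's power step."""
    budget = eirp_limit_dbm - ant.gain_dbi + ant.feeder_loss_db
    allowed = min(budget, radio_max_dbm)
    return math.floor(allowed / step_db) * step_db


def exceeds_limit(tx_power_dbm: float, ant: AntennaSystem,
                  eirp_limit_dbm: float) -> bool:
    """True when a configured transmit power would violate the EIRP limit;
    this is the check that matters when a higher-gain antenna is swapped in
    without revisiting the power setting."""
    return eirp_dbm(tx_power_dbm, ant) > eirp_limit_dbm


if __name__ == "__main__":
    # constructed scenario: 9 dBi panel antenna, 1.5 dB of feeder loss,
    # a radio capable of 23 dBm, and a hypothetical 36 dBm EIRP limit
    panel = AntennaSystem(gain_dbi=9.0, feeder_loss_db=1.5)
    tx = max_tx_power_dbm(36.0, panel, radio_max_dbm=23.0)
    print(f"max conducted power {tx} dBm -> EIRP {eirp_dbm(tx, panel)} dBm")
    # swapping in a 20 dBi dish without lowering power breaks the same limit
    dish = AntennaSystem(gain_dbi=20.0, feeder_loss_db=0.5)
    print("23 dBm into the dish exceeds 36 dBm EIRP:", exceeds_limit(23.0, dish, 36.0))
```

The rounding direction is deliberate: a regulatory limit is a ceiling, so any rounding of the computed budget must go down. The same reasoning applies when the antenna gain entered in the UI is raised after deployment; re-run the budget rather than assuming the earlier power setting still complies.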
116. ...out same-subnet destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps. By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic; the assigned bandwidth is served and shared among all the users. You can also assign bandwidth per user, to give every user a specific bandwidth within a range of 1 to 65535 Kbps. If no bandwidth contract is specified for a traffic direction, unlimited bandwidth is allowed.
In earlier releases, a bandwidth contract could be assigned per SSID. In the current release, the bandwidth contract can also be assigned for each SSID user. If a bandwidth contract was assigned for an SSID in the AOS-W Instant 6.2.1.0-3.4.0.0 image and the OAW-IAP is upgraded to the 6.3.1.1-4.0 release, the per-SSID bandwidth configuration is treated as a per-user downstream bandwidth contract for that SSID.

Assigning Bandwidth Contracts in the AOS-W Instant UI
1. Click Security at the top right corner of the AOS-W Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Create a new role or select an existing role.
4. Under Access Rules, click New. The New Rule window is displayed.
5. Select Bandwidth Contract from the Rule Type drop-down list.
[Figure: New Rule window, showing Rule type: Bandwidth Contract, Downstream (kbps), Per user] U...
117. ...packets are sent to the private IP address, the destination address is translated according to the information stored in the translation tables of the routing device.

Configuring a Source NAT Access Rule
The source NAT action in access rules allows the user to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, client traffic on an SSID in L3 mode that accesses the corporate network is sent to the tunnel. When an access rule is configured with the Source NAT action, you can specify the service, protocol, or destination to which the source NAT is applied. You can also configure source-based routing to allow client traffic on one SSID to reach the Internet through the corporate network, while the other SSID can be used as an alternate uplink.
You can create an access rule to perform source NAT by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure a source NAT access rule:
1. Navigate to the WLAN wizard or the Wired settings window:
   - To configure access rules for a WLAN SSID, in the Network tab click New to create a new network profile, or edit to modify an existing profile.
   - To configure access rules for a wired profile, go to More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. Click the Access tab.
3. To configure access rules for the...
118. ...park: 2; rest area: 3; traffic control: 4; bus stop: 5; kiosk: 6. The associated numeric value for the outdoor group is 11.

Configuring a Network Authentication Profile
You can configure a network authentication profile to define the authentication type used by the hotspot network. To configure a network authentication profile, enter the following commands at the command prompt:
(Instant Access Point)(config)# hotspot anqp-nwk-auth-profile <name>
(Instant Access Point)(network-auth <name>)# nwk-auth-type <type>
(Instant Access Point)(network-auth <name>)# url <URL>
(Instant Access Point)(network-auth <name>)# enable
(Instant Access Point)(network-auth <name>)# end
(Instant Access Point)# commit apply

You can specify any of the following network authentication types for the nwk-auth-type <type> command:
- accept-term-and-cond: When configured, the network requires the user to accept terms and conditions. This option requires you to specify a redirection URL string as an IP address, FQDN, or URL.
- online-enrollment: When configured, the network supports online enrollment.
- http-redirect: When configured, additional information on the network is provided through HTTP/HTTPS re...
119. ...port platforms such as the AP-93 and AP-105, you can convert the Eth0 uplink port to a downlink port by enabling Eth0 Bridging. For additional information, see Configuring Wired Bridging on Ethernet 0 on page 107.

Setting up an AOS-W Instant Mesh Network
AOS-W Instant mesh can be provisioned in two ways:
- Over-the-air provisioning
- Over-the-wire provisioning
Over-the-air provisioning is available only when a single OAW-IAP mesh network is being advertised. The OAW-IAP-ROW must have a country code set before it can transmit or receive; therefore, over-the-air provisioning is not supported by the OAW-IAP-ROW variants.

To set up a mesh network:
1. Connect all the OAW-IAPs to a DHCP server so that the OAW-IAPs get their IP addresses in the same subnet.
2. For over-the-air provisioning:
   a. Connect one OAW-IAP to the switch to form the mesh portal. Ensure that only one Virtual Controller (one subnet) is available over the air, and that all the OAW-IAPs are connected to a DHCP server and get their IP addresses in the same subnet. The OAW-IAP mesh point gets an IP address from the same DHCP pool as the portal, and the DHCP request goes through the portal.
   b. Ensure that an open SSID, instant, is listed.
   c. Connect a laptop to the default instant SSID.
   d. Type http://instant.alcatel-lucentnetworks.com in a browser.
   e. Click "I understand the risks" and "Add exception" to ignore the certificate warnings. The warning appears because the OAW-IAP presents a self-signed certificate; accept it only on a directly connected setup network where nothing else can answer for the OAW-IAP.
   f. In the login window, enter the following credentials: User...
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile "<name>")# type {<employee>|<guest>}
(Instant Access Point)(wired ap profile "<name>")# mac-authentication
(Instant Access Point)(wired ap profile "<name>")# auth-server <server-1>
(Instant Access Point)(wired ap profile "<name>")# auth-server <server-2>
(Instant Access Point)(wired ap profile "<name>")# server-load-balancing
(Instant Access Point)(wired ap profile "<name>")# radius-reauth-interval <Minutes>
(Instant Access Point)(wired ap profile "<name>")# end
(Instant Access Point)# commit apply

Configuring MAC Authentication with 802.1X Authentication
This section describes the following procedures:
• Configuring MAC and 802.1X Authentication for a Wireless Network Profile on page 155
• Configuring MAC and 802.1X Authentication for Wired Profiles on page 155

Configuring MAC and 802.1X Authentication for a Wireless Network Profile
You can configure MAC authentication together with 802.1X authentication for a wireless network profile using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure both MAC and 802.1X authentication for a wireless network:
1. In the Network tab, click New to create a new network profile or select an
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <role>|value-of}
(Instant Access Point)(SSID Profile "<name>")# end
(Instant Access Point)# commit apply

To configure a pre-authentication role:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# set-role-pre-auth <pre-authentication-role>
(Instant Access Point)(SSID Profile "<name>")# end
(Instant Access Point)# commit apply

To configure machine and user authentication roles:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant Access Point)(SSID Profile "<name>")# end
(Instant Access Point)# commit apply

To configure unrestricted access:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# set-role-unrestricted
(Instant Access Point)(SSID Profile "<name>")# end
(Instant Access Point)# commit apply

Configuring Support for Fast Roaming of Clients
AOS-W Instant supports the following features
(Instant Access Point)(IDS)# protect-valid-sta
(Instant Access Point)(IDS)# protect-windows-bridge
(Instant Access Point)(IDS)# end
(Instant Access Point)# commit apply

Chapter 20 Content Filtering
This chapter provides the following information:
• Content Filtering on page 228
• Enabling Content Filtering on page 228
• Configuring Enterprise Domains on page 229
• Configuring OpenDNS Credentials on page 229

Content Filtering
The Content Filtering feature allows you to create Internet access policies that allow or deny user access to websites based on website categories and security ratings. With this feature you can:
• Prevent known malware hosts from accessing your wireless network
• Improve employee productivity by limiting access to certain websites
• Reduce bandwidth consumption significantly

Content Filtering can be configured on an SSID, and up to four enterprise domain names can be configured manually. When enabled, all DNS requests to non-corporate domains on this wireless network are sent to the OpenDNS server. Because the policy is enforced by redirecting DNS, it governs only the lookups that the OAW-IAP forwards; traffic a client sends directly to an IP address is not filtered by it, so pair it with access rules where that matters. Regardless of whether content filtering is disabled or enabled, DNS requests for http://instant.alcatel-lucentnetworks.com are always resolved internally on AOS-W Instant.

Enabling Content Filtering
The content filtering configuration applies to all OAW-IAPs in the network, and the service is enabled or
role session-acl iaprole

VPN Profile Configuration
The VPN profile configuration defines the server used to authenticate the OAW-IAP (internal or an external server) and the role assigned to the IAP after successful authentication.

(host)(config)# aaa authentication vpn default-iap
(host)(VPN Authentication Profile "default-iap")# server-group default
(host)(VPN Authentication Profile "default-iap")# default-role iaprole

For information about the VPN profile configuration on the OAW-IAP, see VPN Configuration on page 239.

Viewing Branch Status
To view the details of the branches connected to the switch, execute the show iap table command.

Example
This example shows the details of the branches connected to the switch:

(host)# show iap table long

IAP Branch Table
----------------
Name              VC MAC Address     Status  Inner IP       Assigned Subnet    Assigned Vlan
----              --------------     ------  --------       ---------------    -------------
Tokyo-CB:D3:16    6c:f3:7f:cc:42:f8  DOWN    0.0.0.0
Paris-CB:D3:16    6c:f3:7f:cc:3d:04  UP      10.15.207.140  10.15.206.99/29    2
LA                6c:f3:7f:cc:42:25  UP      10.15.207.111  10.15.206.24/29    2
Munich            d8:c7:c8:cb:d3:16  DOWN    0.0.0.0
London-c0:e1      6c:f3:7f:c0:e1:b1  UP      10.15.207.120  10.15.206.64/29    2
Instant-CB:D3     6c:f3:7f:cc:42:1e  DOWN    0.0.0.0
Delhi             6c:f3:7f:cc:42:ca  DOWN    0.0.0.0
Singapore         6c:f3:7f:00:42:cb  UP      10.15.207.122  10.15.206.120/29   2

Key     Bid(Subnet Name)
---     ----------------
b36656
b3c65c  2 (10.15.205.0-10.15.205.250, 5), 1 (10.15.206.1-10.15.206.252, 5)
a2a65c  0
b3c65c
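The branch table above is the operator's first place to look when an IAP-VPN site drops, and on a switch with many branches it is easier to read by machine. The following is an added example, not code from the guide or from Alcatel-Lucent: it parses constructed "show iap table long" output modelled on the table above (the names, MAC addresses and subnets are illustrative), lists the branches that are DOWN, and checks that no two branches were handed overlapping assigned subnets, which would point at a misconfigured DHCP scope on the Virtual Controller.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample output, modelled on the table in the guide (not a live capture).
SAMPLE = """\
IAP Branch Table
----------------
Name            VC MAC Address     Status  Inner IP       Assigned Subnet    Assigned Vlan
----            --------------     ------  --------       ---------------    -------------
Tokyo           6c:f3:7f:cc:42:f8  DOWN    0.0.0.0
Paris           6c:f3:7f:cc:3d:04  UP      10.15.207.140  10.15.206.96/29    2
LA              6c:f3:7f:cc:42:25  UP      10.15.207.111  10.15.206.24/29    2
London          6c:f3:7f:c0:e1:b1  UP      10.15.207.120  10.15.206.64/29    2
Singapore       6c:f3:7f:cc:42:cb  UP      10.15.207.122  10.15.206.120/29   2
"""

# Same table with one more branch whose subnet collides with Singapore's.
SAMPLE_OVERLAP = SAMPLE + (
    "Delhi           6c:f3:7f:cc:42:ca  UP      10.15.207.130  10.15.206.120/29   2\n"
)

# One data row: name, VC MAC, UP/DOWN, then the inner IP, subnet and VLAN,
# which are absent for a branch that is DOWN. Title, header and dash lines
# have no MAC in the second column and therefore do not match.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<status>UP|DOWN)"
    r"(?:\s+(?P<inner>\d+\.\d+\.\d+\.\d+))?"
    r"(?:\s+(?P<subnet>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<vlan>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_iap_table(text: str) -> List[Dict]:
    """Turn the CLI table into one dict per branch."""
    branches = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        # strict=False tolerates a subnet printed in host form (e.g. 10.15.206.99/29)
        row["subnet"] = (
            ipaddress.ip_network(row["subnet"], strict=False) if row["subnet"] else None
        )
        row["vlan"] = int(row["vlan"]) if row["vlan"] else None
        branches.append(row)
    return branches


def down_branches(branches: List[Dict]) -> List[str]:
    """Names of branches whose VPN tunnel is not up."""
    return [b["name"] for b in branches if b["status"].upper() == "DOWN"]


def overlapping_subnets(branches: List[Dict]) -> List[Tuple[str, str]]:
    """Pairs of branches whose assigned subnets overlap; a healthy table returns []."""
    with_subnet = [b for b in branches if b["subnet"] is not None]
    pairs = []
    for i, a in enumerate(with_subnet):
        for b in with_subnet[i + 1:]:
            if a["subnet"].overlaps(b["subnet"]):
                pairs.append(tuple(sorted((a["name"], b["name"]))))
    return pairs


if __name__ == "__main__":
    rows = parse_iap_table(SAMPLE_OVERLAP)
    print("down:", down_branches(rows))
    print("overlaps:", overlapping_subnets(rows))
```

Run it against the real output by piping `show iap table long` into the parser; the regular expression only needs the column order shown in the guide, not the exact spacing.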
selected, specify any of the following options for the Client VLAN assignment:
• Default: On selecting this option, the client obtains an IP address in the same subnet as the OAW-IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
• Static: On selecting this option, you need to specify a single VLAN, a comma-separated list of VLANs, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
• Dynamic: On selecting this option, you can assign the VLANs dynamically from a Dynamic Host Configuration Protocol (DHCP) server. To create VLAN assignment rules:
  a. Click New to assign the user to a VLAN. The New VLAN Assignment Rule window is displayed.
  b. Enter the following information:
  • Attribute: Select an attribute returned by the RADIUS server during authentication.
  • Operator: Select an operator for matching the string.
  • String: Enter the string to match.
  • VLAN: Enter the VLAN to be assigned.
4. Click Next to configure security settings for the employee network. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 90.

In the CLI
To manually assign VLANs for WLAN SSID users:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# vlan <vlan-ID
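The role derivation rules (set-role with equals, not-equals, starts-with, ends-with, contains, matches-regular-expression or value-of) and the VLAN assignment rules above (Attribute, Operator, String, VLAN) share one matching model, and getting the operator or the rule order wrong silently lands a client in the wrong role or VLAN. The following is an added example, not code from the guide or from Alcatel-Lucent, that implements that model over constructed RADIUS Access-Accept attributes so the outcome of a rule set can be checked before it is committed. Two points are assumptions, because the guide lists the operators but not these details: rules are evaluated in configured order with the first match winning, and matches-regular-expression is a search rather than an anchored match, so anchor the pattern yourself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# The six string operators offered by set-role and by the New VLAN Assignment Rule window.
OPERATORS = {
    "equals": lambda value, s: value == s,
    "not-equals": lambda value, s: value != s,
    "starts-with": lambda value, s: value.startswith(s),
    "ends-with": lambda value, s: value.endswith(s),
    "contains": lambda value, s: s in value,
    # Assumption: searched, not anchored. Write "^OU=Eng" rather than "Eng", or
    # an unrelated value such as "OU=Engagement" also matches.
    "matches-regular-expression": lambda value, s: re.search(s, value) is not None,
}


@dataclass(frozen=True)
class DerivationRule:
    attribute: str                 # RADIUS attribute name from the Access-Accept
    operator: str                  # one of OPERATORS, or "value-of"
    string: str = ""               # match string (unused by value-of)
    result: Optional[str] = None   # role name or VLAN to assign (unused by value-of)


Attributes = Dict[str, Union[str, List[str]]]


def derive(rules: List[DerivationRule], attrs: Attributes, default: str) -> str:
    """Return the role or VLAN for one authenticated client.

    Rules are tried in configured order and the first match wins (assumption).
    "value-of" copies the attribute's own value, which is how a RADIUS server
    names the role or VLAN directly. RADIUS attributes may repeat, so every
    value of an attribute is tested. A rule whose attribute is absent never
    matches, including not-equals.
    """
    for rule in rules:
        values = attrs.get(rule.attribute, [])
        if isinstance(values, str):
            values = [values]
        for value in values:
            if rule.operator == "value-of":
                return value
            if OPERATORS[rule.operator](value, rule.string):
                return rule.result
    return default


# Hypothetical rule sets, listed in the order they would be configured on the SSID.
ROLE_RULES = [
    DerivationRule("Filter-Id", "equals", "contractor", "guest-role"),
    DerivationRule("Class", "matches-regular-expression", r"^OU=Eng", "engineer"),
    DerivationRule("Aruba-User-Role", "value-of"),
]
VLAN_RULES = [
    DerivationRule("Tunnel-Private-Group-Id", "value-of"),
    DerivationRule("Filter-Id", "starts-with", "voice", "20"),
]

# Constructed Access-Accept attribute sets (not from the guide).
ACCEPT_ENGINEER = {
    "Filter-Id": ["voice-handset"],
    "Class": ["OU=Eng,DC=corp"],
    "Tunnel-Private-Group-Id": "110",
}
ACCEPT_PHONE = {"Filter-Id": "voice-desk"}

if __name__ == "__main__":
    print(derive(ROLE_RULES, ACCEPT_ENGINEER, default="employee"))  # engineer
    print(derive(VLAN_RULES, ACCEPT_ENGINEER, default="1"))         # 110
    print(derive(VLAN_RULES, ACCEPT_PHONE, default="1"))            # 20
```

Feed it the attribute set your RADIUS server actually returns (a RADIUS debug capture is enough) and compare the result with the role or VLAN you expect; a value-of rule placed first hands control of the assignment to the server, so put restrictive string rules ahead of it when the server is not fully trusted.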
(Instant Access Point)(SSID Profile "<name>")# auth-server <server-name>
(Instant Access Point)(SSID Profile "<name>")# server-load-balancing
(Instant Access Point)(SSID Profile "<name>")# radius-accounting
(Instant Access Point)(SSID Profile "<name>")# radius-accounting-mode {user-authentication|user-association}
(Instant Access Point)(SSID Profile "<name>")# radius-interim-accounting-interval <minutes>
(Instant Access Point)(SSID Profile "<name>")# radius-reauth-interval <minutes>
(Instant Access Point)(SSID Profile "<name>")# set-role-by-ssid
(Instant Access Point)(SSID Profile "<name>")# hotspot-profile <name>
(Instant Access Point)(SSID Profile "<name>")# end
(Instant Access Point)# commit apply

Sample Configuration
Step 1: Creating ANQP and H2QP Advertisement Profiles
(Instant Access Point)# configure terminal
(Instant Access Point)(config)# hotspot anqp-nai-realm-profile nr1
(Instant Access Point)(nai-realm "nr1")# nai-realm-name name1
(Instant Access Point)(nai-realm "nr1")# nai-realm-encoding utf8
(Instant Access Point)(nai-realm "nr1")# nai-realm-eap-method eap-sim
(Instant Access Point)(nai-realm "nr1")# nai-realm-auth-id 1 non-eap-inner-auth
(Instant Access Point)(nai-realm "nr1")# nai-realm-auth-value 1 mschapv2
(Instant Access Point)(nai-realm "nr1")# nai-home-realm
(Instant Access Point)(nai-realm "nr1")# exit
(Instant Access Point)(config)#
session-key
(Instant Access Point)(SSID Profile "<name>")# termination
(Instant Access Point)(SSID Profile "<name>")# external-server
(Instant Access Point)(SSID Profile "<name>")# auth-server <server-name>
(Instant Access Point)(SSID Profile "<name>")# radius-reauth-interval <minutes>
(Instant Access Point)(SSID Profile "<name>")# auth-survivability
(Instant Access Point)(SSID Profile "<name>")# exit
(Instant Access Point)(config)# auth-survivability cache-time-out <hours>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring 802.1X Authentication for Wired Profiles
You can configure 802.1X authentication for a wired profile in the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To enable 802.1X authentication for a wired profile:
1. Click the Wired link under More at the top right corner of the AOS-W Instant main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network, or select an existing profile for which you want to enable 802.1X authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. In the Security tab, select Enabled from the 802.1X authentication drop-down list.
5. Specify the type of authentication server to use and configure the other required parameters. For more information on config
source-based routing is enabled, the Virtual Controller performs source NAT using its uplink IP address.

To configure source-based routing:
1. Ensure that an L3 subnet with the netmask, gateway, VLAN and IP address is configured. For more information on configuring an L3 subnet, see Configuring L3 Mobility on page 201.
2. Ensure that the source IP address is associated with the IP address configured for the L3 subnet.
3. Create an access rule for the SSID profile with the Source NAT action, as described in Configuring Source Based Routing on page 172. The source NAT pool is configured and the source-based routing entry is created.

Configuring a Destination NAT Access Rule
Instant supports configuration of a destination NAT rule, which can be used to redirect traffic to a specified IP address and destination port. Destination NAT configuration is supported only in bridge mode without VPN.

You can configure a destination NAT access rule by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure a destination NAT access rule:
1. Navigate to the WLAN wizard or the Wired settings window:
• To configure access rules for a WLAN SSID, in the Network tab click New to create a new network profile, or click edit to modify an existing profile.
• To configure access rules for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new n
specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
c. To allow the OAW-IAP to create a backup VPN tunnel to the Switch along with the primary tunnel, and to maintain the primary and backup tunnels separately, select Enabled or Disabled from the Fast failover drop-down list. If the primary tunnel fails, the OAW-IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
d. To disconnect all wired and wireless users when the system switches during a VPN tunnel transition from primary to backup or from backup to primary, set Reconnect user on failover to Enabled.
e. To configure the interval for which wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect time on failover, within the range of 30 to 900 seconds. By default, the reconnection duration is set to 60 seconds.
f. Specify a value in seconds for Secs between test packets. Based on the configured frequency, the OAW-IAP verifies whether an active VPN connection is available. The default value is 5 seconds, which means that the OAW-IAP sends one packet to the controller every 5 seconds.
g. Enter a value for Max allowed test packet loss to define the number of lost packets after which the OAW-IAP can determine that the VPN conn
Configuring Security Settings for a Wired Profile ... 104
Configuring Security Settings for a Wired Employee Network ... 104
In the AOS-W Instant UI ... 105
In the CLI ... 105
Configuring Access Rules for a Wired Profile ... 105
In the AOS-W Instant UI ... 105
In the CLI ... 106
Understanding Hierarchical Deployment ... 107
Configuring Wired Bridging on Ethernet 0 ... 107
In the AOS-W Instant UI ... 108
In the CLI ... 108
Assigning a Profile to Ethernet Ports ... 108
In the AOS-W Instant UI ... 108
In the CLI ... 108
Editing a Wired Profile ... 108
Deleting a Wired Profile ... 109
Captive Portal for Guest Access ... 110
Understanding Captive Portal ... 110
Types of Captive Portal ... 110
Walled Garden ... 111
Configuring a WLAN SSID for Guest Access ...
tab.

Figure 42: Admin Tab (Management Authentication Parameters: Local authentication with Username/Password; AirWave Organization, AirWave IP, AirWave backup IP and Shared key; View Only and Guest Registration Only credentials)

3. Under Local, select one of the following options from the Authentication drop-down list:
• Internal: Select this option to specify a single set of user credentials for accessing the Virtual Controller Management User Interface.
  a. Specify a Username and Password.
  b. Retype the password to confirm.
• RADIUS Server: Specify one or two RADIUS servers to authenticate administrators. If two servers are configured, they can be used in primary/backup mode or in load-balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list.
• RADIUS server w/ fallback to internal: Select this option to use both the internal and external servers. When enabled, authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). Note that the internal credentials then remain a valid login path whenever the RADIUS server is unreachable, so they must be as strong and as well protected as the RADIUS accounts. To complete this configuration, perform the following step:
  a. To enable load balancing, select Enabled from the Load balancing drop-down list.
4. Click OK.

In the CLI
To configure
the USB type text box.
• For 4G:
  a. Enter the type of 4G modem in the 4G USB type text box.
  b. Enter the device ID of the modem in the USB dev text box.
  c. Enter the TTY port of the modem in the USB tty text box.
  d. Enter the parameter to initialize the modem in the USB init text box.
  e. Enter the parameter to dial the cell tower in the USB dial text box.
  f. Enter the username used to dial the ISP in the USB user text box.
  g. Enter the password used to dial the ISP in the USB password text box.
  h. Enter the parameter used to switch a modem from storage mode to modem mode in the USB mode switch text box.
4. To configure a 3G/4G switch network, provide the driver type for the 3G modem in the USB type text box and the driver type for the 4G modem in the 4G USB type text box.
5. Click OK.
6. Reboot the OAW-IAP for the changes to take effect.

In the AOS-W Instant UI, you can view the list of countries and ISPs in the Country and ISP drop-down lists. You can either use the country or ISP to configure the modem, or configure the individual modem parameters manually. If the list of countries or ISPs is not shown in the drop-down list, configure the modem parameters manually. Contact your IT administrator or the manufacturer of your modem to obtain the parameter details.

In the CLI
To configure a 3G cellular uplink profile:
(Instant Access Point)(config)# cellular-uplink-profile
(Instant Access Point)
the edit link. The edit window for modifying OAW-IAP details is displayed.
Click the Uplink tab.
Select Enable from the Eth0 Bridging drop-down menu.
Click OK.
Reboot the OAW-IAP.

In the CLI
To configure Ethernet bridging:
(Instant Access Point)# enet0-bridging

Assigning a Profile to Ethernet Ports
You can assign profiles to Ethernet ports using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To assign profiles to Ethernet ports:
1. Click the Wired link under More at the top right corner of the AOS-W Instant main window. The Wired window is displayed.
2. To assign an Ethernet downlink profile to the Ethernet 0 port:
  a. Ensure that wired bridging on the port is enabled. For more information, see Configuring Wired Bridging on Ethernet 0 on page 107.
  b. Select and assign a profile from the 0/0 drop-down list.
  c. To assign a wired profile to the Ethernet 0/1 port, select the profile from the 0/1 drop-down list.
  d. If the OAW-IAP supports E2, E3 and E4 ports, assign profiles to the other Ethernet ports by selecting a profile from the 0/2, 0/3 and 0/4 drop-down lists.

In the CLI
To assign profiles to Ethernet ports:
(Instant Access Point)(config)# enet0-port-profile <name>
(Instant Access Point)(config)# enet1-port-profile <name>
(Instant Access Point)(config)# enet2-port-profile <name>
(Instant Access Point)(config)# enet3-port-profile <name>
(Instant Access Point)(config)#
to enable access based on user roles. For role-based access control:
  a. Create a user role if required. For more information, see Configuring User Roles.
  b. Create access rules for a specific user role. For more information, see Configuring Access Rules on page 169. You can also configure an access rule to enforce Captive portal authentication for an SSID that is configured to use the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID on page 123.
  c. Create a role assignment rule. For more information, see Configuring Derivation Rules on page 178.
2. Click Finish.

In the CLI
To configure access control rules for a WLAN SSID:
(Instant Access Point)(config)# wlan access-rule <name>
(Instant Access Point)(Access Rule "<name>")# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat <IP-address> <port>} <option1....option9>
(Instant Access Point)(Access Rule "<name>")# end
(Instant Access Point)# commit apply

To configure access control based on the SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# set-role-by-ssid
(Instant Access Point)(SSID Profile "<name>")# end
(Instant Access Point)# commit apply

To configure role assignment rules:
(Instant Access Point)(config)# wlan ssid
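The rule line above packs destination, mask, match keyword, protocol, port range and action into one command, and a role's rules are evaluated top to bottom, so the order in which they are entered decides what a client can reach. The following is an added example, not code from the guide or from Alcatel-Lucent, that models that evaluation over a hypothetical guest role: DNS is forced to a local resolver with dst-nat, the 10/8 corporate range is denied, and web ports are permitted; the same rules with the deny moved last show how a reorder opens the corporate range. Two assumptions, because the guide does not state them: the match keyword takes the values match or invert, with invert negating the destination test, and a flow that matches no rule is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    """One 'rule <dest> <mask> <match> <protocol> <start-port> <end-port> <action> ...' line."""
    dest: str                      # "any" or a network address
    mask: str                      # dotted netmask; ignored when dest is "any"
    match: str                     # "match" or "invert" (assumption: invert negates the destination test)
    protocol: str                  # "any", "tcp" or "udp"
    start_port: int                # use 0 and 65535 for "any"
    end_port: int
    action: str                    # permit | deny | src-nat | dst-nat
    nat_ip: Optional[str] = None   # dst-nat target address
    nat_port: Optional[int] = None # dst-nat target port

    def matches(self, dst_ip: str, protocol: str, dport: int) -> bool:
        if self.dest.lower() == "any":
            dest_ok = True
        else:
            net = ipaddress.ip_network(f"{self.dest}/{self.mask}", strict=False)
            dest_ok = ipaddress.ip_address(dst_ip) in net
        if self.match == "invert":
            dest_ok = not dest_ok
        proto_ok = self.protocol == "any" or self.protocol == protocol
        port_ok = self.start_port <= dport <= self.end_port
        return dest_ok and proto_ok and port_ok


Verdict = Tuple[str, Optional[Tuple[str, int]]]


def evaluate(rules: List[AccessRule], dst_ip: str, protocol: str, dport: int) -> Verdict:
    """First matching rule wins. Assumption: no match means deny."""
    for rule in rules:
        if rule.matches(dst_ip, protocol, dport):
            if rule.action == "dst-nat":
                return "dst-nat", (rule.nat_ip, rule.nat_port)
            return rule.action, None
    return "deny", None


ANY_DEST = ("any", "any", "match")

# Hypothetical guest role, in the order it would be entered. Addresses are constructed.
GUEST_RULES = [
    AccessRule(*ANY_DEST, "udp", 53, 53, "dst-nat", "10.0.0.53", 53),       # pin DNS to the local resolver
    AccessRule("10.0.0.0", "255.0.0.0", "match", "any", 0, 65535, "deny"),  # keep guests off the corporate range
    AccessRule(*ANY_DEST, "tcp", 80, 80, "permit"),
    AccessRule(*ANY_DEST, "tcp", 443, 443, "permit"),
]

# Same four rules with the deny entered last: HTTPS to 10/8 now hits the permit first.
MISORDERED_RULES = [GUEST_RULES[0], GUEST_RULES[2], GUEST_RULES[3], GUEST_RULES[1]]

if __name__ == "__main__":
    for ip, proto, port in [("8.8.8.8", "udp", 53), ("10.1.2.3", "tcp", 443), ("93.184.216.34", "tcp", 443)]:
        print(ip, proto, port, "->", evaluate(GUEST_RULES, ip, proto, port), "| misordered:",
              evaluate(MISORDERED_RULES, ip, proto, port))
```

Before committing a role, run the flows you most need blocked through the rule list in the order you will type them; the deny for an internal range has to sit above any broad permit that would otherwise cover it.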
to obtain the IP address.
NOTE: Ensure that the mobility Switch IP address is reachable by the OAW-IAPs.
5. Click Convert Now to complete the conversion. The OAW-IAP reboots and begins operating in Remote AP mode.
6. After conversion, the OAW-IAP is managed by the mobility Switch.
NOTE: For OAW-IAPs to function as Remote APs, configure the OAW-IAP in the Remote AP whitelist and enable the FTP service on the Switch.
NOTE: If the VPN setup fails and an error message is displayed, click OK, copy the error logs and share them with your local administrator.

Converting an OAW-IAP using the CLI
To convert an OAW-IAP:
(Instant Access Point)# convert-aos-ap <mode> <controller-IP-address>

Converting an OAW-IAP to a Campus AP
To convert an OAW-IAP to a Campus AP:
1. Click the Maintenance link in the AOS-W Instant main window.
2. Click the Convert tab. The Convert tab is displayed.

Figure 109: Converting an OAW-IAP to Campus AP (Maintenance > Convert: "Convert one or more Access Points to", "Hostname or IP Address of Mobility Controller", "After conversion, all Access Points will be managed by the Controller specified above")

3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname, Fully Qualified Domain Name (FQD
to the AOS-W Instant CLI. The AOS-W Instant UI is displayed in read-only mode for these users.
• Employee users: Employees who use the enterprise network for official tasks.
• Guest users: Visiting users who temporarily use the enterprise network to access the Internet.

The user access privileges are determined by the OAW-IAP management settings in the OmniVista Management client and by the type of user. The following table outlines the access privileges defined for the administrator, guest management interface administrator and read-only users.

Table 24: User Privileges
User Category         OAW-IAP in monitor mode or without OmniVista   OmniVista in Management Mode
administrator         Complete access to the OAW-IAP                  No write privileges
read-only             No write privileges                             No write privileges
guest administrator   Access to local user database only              Access to local user database only

Configuring Administrator Credentials for the Virtual Controller Interface
You can configure authentication parameters for admin users to enable access to the Virtual Controller management user interface in the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed. The following figure shows the contents of the Admin
user is placed into the management role specified by the VSA. For a complete list of VSAs supported by AOS-W Instant, see Understanding VLAN Assignment on page 180.

Internal RADIUS Server
Each OAW-IAP runs a local instance of a FreeRADIUS server. When you enable the Internal RADIUS server option for the network, the authenticator on the OAW-IAP sends the RADIUS packet to the local IP address, and the internal RADIUS server listens and replies to it. The following authentication methods are supported in an AOS-W Instant network:
• EAP-TLS: The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports termination of EAP-TLS using the internal RADIUS server. EAP-TLS requires both the server certificate and the certification authority (CA) certificate to be installed on the OAW-IAP. The client certificate is verified on the Virtual Controller (it must be signed by a known CA) before the username is verified on the authentication server.
• EAP-TTLS (MSCHAPv2): The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses a server-side certificate to set up the tunnel between client and server; the actual authentication inside the tunnel is performed with passwords. The password exchange is only as protected as that tunnel, so clients must be configured to validate the server certificate against the expected CA rather than accept any certificate.
• EAP-PEAP (MSCHAPv2): EAP-PEAP is an 802.1X authentication method that uses a server-side public key certificate to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS tunnel b
(Instant Access Point)(wired ap profile "<name>")# radius-reauth-interval <Minutes>
(Instant Access Point)(wired ap profile "<name>")# end
(Instant Access Point)# commit apply

To customize the internal captive portal splash page:
(Instant Access Point)(config)# wlan captive-portal
(Instant Access Point)(Captive Portal)# authenticated
(Instant Access Point)(Captive Portal)# background-color <color-indicator>
(Instant Access Point)(Captive Portal)# banner-color <color-indicator>
(Instant Access Point)(Captive Portal)# banner-text <text>
(Instant Access Point)(Captive Portal)# decoded-texts <text>
(Instant Access Point)(Captive Portal)# redirect-url <url>
(Instant Access Point)(Captive Portal)# terms-of-use <text>
(Instant Access Point)(Captive Portal)# use-policy <text>
(Instant Access Point)(Captive Portal)# end
(Instant Access Point)# commit apply

To upload a customized logo from a TFTP server to the OAW-IAP:
(Instant Access Point)# copy config tftp <ip-address> <filename> portal logo

Configuring External Captive Portal for a Guest Network
This section provides the following information:
• External Captive Portal Profiles on page 118
• Creating a Captive Portal Profile on page 118
• Configuring an SSID or Wired Profile to Use External Captive Portal Authentication on page 120

External C
wireless: Describes telecommunications in which electromagnetic waves, rather than some form of wire, carry the signal over part or all of the communication path.

wireless network: In a Wireless LAN (WLAN), laptops, desktops, PDAs and other computer peripherals are connected to each other without any network cables. These network elements, or clients, use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards.

Wireless ISP (WISP): An Internet service provider (ISP) that allows subscribers to connect to a server at designated hot spots (access points) using a wireless connection such as Wi-Fi. This type of ISP offers broadband service and allows subscriber computers, called stations, to access the Internet and the Web from anywhere within the zone of coverage provided by the server antenna, usually a region with a radius of several kilometers.

wireless service provider: A company that offers transmission services to users of wireless devices through radio frequency (RF) signals rather than through end-to-end wire communication.

Wireless local area network (WLAN): A local area network (LAN) that users access through a wireless connection.
you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count.
NOTE: You can allocate multiple branch IDs (BID) per subnet. The OAW-IAP generates a subnet name from the DHCP IP configuration, which the Switch can use as a subnet identifier. If static subnets are configured in each branch, all of them are assigned BID 0, which is mapped directly to the configured static subnet.
3. Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server, for example 176, 242, 161 and so on. To add multiple DHCP options, click the + icon. You can add up to eight DHCP options.
4. Click Next.
5. Specify the number of clients to use per branch. The client count configured for a branch determines how many IP addresses are used from the IP address range defined for a DHCP scope. For example, if 20 IP addresses are available in an IP address range configured for a DHCP scope and a client count of 9 is configured, only 9 addresses from this range are used and allocated to a branch. The OAW-IAP does not allow administrators to assign the remaining IP addresses to another branch, even if a lower client count is configured for it.
6. Click Next. The Static IP tab is displayed.
7. Specify the number of first and last IP addresses to reserve in the sub
Example ... 36
Using Sequence Sensitive Commands ... 36
AOS-W Instant User Interface ... 38
Login Screen ... 38
Logging into the AOS-W Instant UI ... 38
Viewing Connectivity Summary ... 38
Language ... 38
Main Window ... 39
Networks Tab ... 40
Access Points Tab ... 40
Clients Tab ... 41
New Version Available ... 41
More ... 46
VPN ... 46
IDS ... 47
Wired ... 48
DHCP Server ... 50
Logo
In the AOS-W Instant UI
To configure security settings for an employee or voice network:
1. In the Security tab, specify one of the following security levels by moving the slider to the desired level:
• Enterprise: On selecting the Enterprise security level, the authentication options applicable to the enterprise network are displayed.
• Personal: On selecting the Personal security level, the authentication options applicable to the personal network are displayed.
• Open: On selecting the Open security level, the authentication options applicable to an open network are displayed.
The default security setting for a network profile is Personal. The following figures show the configuration options for the Enterprise, Personal and Open security settings.

Figure 34: Security Tab: Enterprise (fields shown: Key management WPA-2 Enterprise; Opportunistic Key Caching (OKC); 802.11r roaming Disabled; Termination Disabled; Authentication server 1 InternalServer; Reauth interval; MAC authentication; Perform MAC authentication before 802.1X; MAC authentication fail-thru; Internal server: No users / Users; Internal server: Default certificate / Upload certificate; Blacklisting Disabled)

Figure 35: Security Tab
(Windows DHCP server console: scopes 10.169.138.0 through 10.169.159.0, each with Address Pool, Address Leases, Reservations and Scope Options; Server Options include 006 DNS Servers 10.169.130.4, 015 DNS Domain Name and 060 Vendor Class Identifier set to ArubaInstantAP)

8. Select 043 Vendor Specific Info and enter a value in one of the following formats in the ASCII field:
• airwave-orgn,airwave-ip,airwave-key; for example: Alcatel-Lucent,192.0.2.20,12344567
• airwave-orgn,airwave-domain; for example: Alcatel-Lucent,alcatellucent.support.com

Figure 93: AOS-W Instant and DHCP options for OmniVista: 043 Vendor Specific Info (Server Manager > Active Directory Domain Services
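The option 43 value above is a plain comma-separated ASCII string, and the DHCP server only returns it to clients whose option 60 vendor class is the Instant one shown in the console. The following is an added example, not code from the guide or from Alcatel-Lucent, that builds the value in both formats the guide lists, wraps it in DHCP option wire form (code, length, value), and decodes it again the way the OAW-IAP, or anyone capturing the DHCP exchange on that segment, reads it: the OmniVista shared key travels in cleartext, so confine the scope that carries it to the AP management VLAN and treat the key as a bootstrap secret. Option codes are the standard DHCP ones; the value layout and the vendor class string are taken from the guide.

```python
import ipaddress
from typing import Dict, Optional

DHCP_OPT_VENDOR_SPECIFIC = 43          # "043 Vendor Specific Info"
DHCP_OPT_VENDOR_CLASS = 60             # "060" in the DHCP console
INSTANT_VENDOR_CLASS = b"ArubaInstantAP"


def build_option43_value(orgn: str, ip_or_domain: str, key: Optional[str] = None) -> bytes:
    """ASCII value in one of the two formats the guide gives:
    airwave-orgn,airwave-ip,airwave-key  or  airwave-orgn,airwave-domain."""
    fields = [orgn, ip_or_domain] + ([key] if key is not None else [])
    if any(not f or "," in f for f in fields):
        raise ValueError("fields must be non-empty and must not contain the ',' separator")
    if key is not None:
        ipaddress.ip_address(ip_or_domain)      # reject a malformed OmniVista address early
    value = ",".join(fields).encode("ascii")
    if len(value) > 255:
        raise ValueError("a single DHCP option carries at most 255 bytes of value")
    return value


def encode_option(code: int, value: bytes) -> bytes:
    """One DHCP option in wire form: one byte code, one byte length, then the value."""
    return bytes([code, len(value)]) + value


def parse_option43(tlv: bytes) -> Dict[str, str]:
    """Decode an option 43 TLV back into its fields. Nothing here is encrypted."""
    if len(tlv) < 2 or tlv[0] != DHCP_OPT_VENDOR_SPECIFIC or tlv[1] != len(tlv) - 2:
        raise ValueError("not a well-formed option 43 TLV")
    parts = tlv[2:].decode("ascii").split(",")
    if len(parts) == 3:
        return {"orgn": parts[0], "ip": parts[1], "key": parts[2]}
    if len(parts) == 2:
        return {"orgn": parts[0], "domain": parts[1]}
    raise ValueError("expected 2 or 3 comma-separated fields")


def is_instant_client(option60: bytes) -> bool:
    """Server-side gate: only hand out option 43 to a client presenting the Instant vendor class."""
    return option60 == INSTANT_VENDOR_CLASS


if __name__ == "__main__":
    # Example values from the guide; the key is a placeholder, not a real credential.
    tlv = encode_option(DHCP_OPT_VENDOR_SPECIFIC,
                        build_option43_value("Alcatel-Lucent", "192.0.2.20", "12344567"))
    print(tlv.hex())
    print(parse_option43(tlv))   # the shared key is readable by anyone who sees the offer
```

The vendor-class gate stops unrelated DHCP clients from being sent the string, but it is a hint, not authentication: any host can claim the ArubaInstantAP vendor class, which is the reason to keep the key off general-purpose scopes.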
(Uplink tab of the System window, alongside General, Admin, DHCP, L3 Mobility, Enterprise Domains, Monitoring, WISPr and Proxy. 3G/4G fields: Country, ISP, USB type, 4G USB type, USB dev, USB tty, USB init, USB dial, USB mode switch, USB auth type, USB user, USB password. WiFi fields: Name (SSID), Band, Key management WPA-2 Personal, Passphrase format 8-63 chars, Passphrase. Management fields: Enforce uplink None, Pre-emption Enabled, VPN failover timeout 180, Internet failover Disabled, Uplink Priority List Eth0 / Wifi-sta / 3G/4G. PPPoE fields: Service name, CHAP secret, User, Password. Hide advanced options.)

Ethernet Uplink
The Ethernet 0 port on an OAW-IAP is enabled as an uplink port by default. You can view the type and status of the uplink in the Info tab of the AOS-W Instant UI.

Figure 64: Uplink Status (Info tab: Name Instant-C4:01:78; Country code IN; Virtual Controller IP 0.0.0.0; Band All; Master 10.17.115.1; OpenDNS status Not connected; MAS integration Enabled; Uplink type Ethernet; Uplink status Up)

The Ethernet uplink supports the following types of configuration in this Instant release:
• PPPoE
• DHCP
• Static IP

You can use PPPoE for your uplink connectivity in both OAW-IAP and IAP-VPN deployments. PPPoE is supported only in a sing
144. 11 infrastructure before associating clients, and allows clients to send queries to multiple 802.11 networks in parallel. An AP can include its service provider Organization Identifier (OI), indicating the service provider identity, in beacons and probe responses to clients. When a client recognizes an OAW-IAP's OI, it attempts to associate to that OAW-IAP using the security credentials corresponding to that service provider. If the client does not recognize the AP's OI, the client sends a Generic Advertisement Service (GAS) query to the OAW-IAP to request more information about the network before associating.
A client transmits a GAS query using a GAS Initial Request frame, and the OAW-IAP provides the query response, or information on how to receive the query response, in a GAS Initial Response frame. To transmit a GAS query for any advertisement protocol, the advertisement protocol ID must include the advertisement protocol information element with information about the advertisement protocol and its corresponding advertisement control.
Access Network Query Protocol (ANQP)
ANQP is a query and response protocol that provides a range of information, such as the IP address type and availability, the roaming partners accessible through a hotspot, and the Extensible Authentication Protocol (EAP) method supported for authentication. The ANQP Information Elements (IEs) provide additional data that can be sen
145. 1X or PSKs to generate per-station keys for all devices. AES provides a high level of security, like IP Security (IPsec) clients' encryption. Alcatel-Lucent recommends AES encryption. Ensure that all devices that do not support AES are upgraded or replaced with devices that support AES encryption.
NOTE: WEP and TKIP are limited to a WLAN connection speed of 54 Mbps. The 802.11n connection supports only AES.
WPA and WPA2
WPA is created based on a draft of 802.11i, which allowed users to create more secure WLANs. WPA2 encompasses the full implementation of the 802.11i standard. WPA2 is a superset that encompasses the full WPA feature set. The following table summarizes the differences between the two certifications.
Table 25 WPA and WPA2 Features
Certification | Authentication | Encryption
WPA | PSK; IEEE 802.1X with Extensible Authentication Protocol (EAP) | TKIP with message integrity check (MIC)
WPA2 | PSK; IEEE 802.1X with EAP | AES Counter Mode with Cipher Block Chaining Message Authentication Code (AES-CCMP)
WPA and WPA2 can be further classified as follows:
• Personal: Personal is also called Pre-Shared Key (PSK). In this type, a unique key is shared with each client in the network. Users have to use this key to securely log in to the network. The key remains the same until it is changed by authorized personnel. You can also configure key change intervals.
• Enterprise: Enterprise is more secure than WPA Personal. In this type
146. [Figure: Active Directory Users and Computers and DHCP Server Options with vendor class ArubaInstantAP (screenshot residue)]
This creates DHCP options 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.
Figure 94 AOS-W Instant and DHCP options for Omnivista: Scope Options
[Figure 94: Server Manager, Scope Options for scope 10.169.137.0 (screenshot residue)]
147. 2. If a new version is found, the Upgrade Now button becomes available and the version number is displayed.
3. Click Upgrade Now. The OAW-IAP downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
• Upgrading: while the image upgrade is in progress.
• Upgrade successful: when the upgrade is successful.
• Upgrade failed: when the upgrade fails.
If the upgrade fails and an error message is displayed, retry upgrading the OAW-IAP.
Upgrading to a New Version Manually
If the automatic image check feature is disabled, you can obtain an image file from a local file system or from a TFTP or HTTP URL. To manually check for a new firmware image version and obtain an image file:
1. Navigate to Maintenance > Firmware. The Firmware window is displayed.
2. Under the Manual section, perform the following steps:
• Select the Image file option. This method is only available for single-class OAW-IAPs. The following examples describe the image file format for different OAW-IAP models:
  For OAW-IAP-134/135: AlcatelInstant_Cassiopeia_6.3.1.1-4.0.0.0_xxxx
  For OAW-RAP-108/109 and OAW-IAP-114/115: AlcatelInstant_Pegasus_6.3.1.1-4.0.0.0_xxxx
  For OAW-RAP155/155P: AlcatelInstant_Aries_6.3.1.1-4.0.0.0_xxxx
  For OAW-IAP220 Series: AlcatelInstant_Centaurus_6.3.1.1-4.0.0.0_xxxx
148. 213
• Configuring Radio Settings for an OAW-IAP on page 218
ARM Overview
Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance, even in networks with the highest traffic, by dynamically and intelligently choosing the best 802.11 channel and transmit power for each OAW-IAP in its current RF environment. ARM works with all standard clients across all operating systems while remaining in compliance with the IEEE 802.11 standards. It does not require any proprietary client software to achieve its performance goals. ARM ensures low-latency roaming, consistently high performance, and maximum client compatibility in a multi-channel environment. By ensuring the fair distribution of available Wi-Fi bandwidth to mobile devices, ARM ensures that data, voice, and video applications have sufficient network resources at all times. ARM allows mixed 802.11a/b/g/n and ac client types to inter-operate at the highest performance levels.
Channel or Power Assignment
The channel or power assignment feature automatically assigns channel and power settings for all the OAW-IAPs in the network according to changes in the RF environment. This feature automates many setup tasks during network installation and the ongoing operations when RF conditions change.
Voice Aware Scanning
The Voice Aware scanning feature prevents an OAW-IAP supporting an active voice call from scanning for other channels in the RF spectrum
149. [Figure: DHCP Scope Options showing the 043 Vendor Specific Info value in hex and ASCII (screenshot residue)]
Upon completion, the OAW-IAP shows up as a new device in Omnivista and a new group called tme-store4 is created. Navigate to APs/Devices > New > Group to view this group.
Figure 96 Omnivista New Group
[Figure 96: APs/Devices > New view listing Instant-C4:43:19 (Aruba Instant Virtual Controller) (screenshot residue)]
Figure 97 Omnivista Monitor
[Figure 97: Omnivista Monitor, New Devices (screenshot residue)]
150. (Instant Access Point)(SSID Profile "Profile1")# set-vlan mac-address-and-dhcp-options matches-regular-expression link 100
(Instant Access Point)(SSID Profile "Profile1")# end
(Instant Access Point)# commit apply
Using Advanced Expressions in Role and VLAN Derivation Rules
For complex policies of role and VLAN derivation using device DHCP fingerprints, you can use a regular expression to match against the combined string of the MAC address and the DHCP options. The combined string is formed by concatenating the hexadecimal representation of the MAC address and all of the DHCP options sent by a particular device. The regular expression is a powerful pattern description language that can be used to perform advanced pattern matching on this string. If the combined device fingerprint string matches the specified regular expression, the role or VLAN can be set for the WLAN client.
The following table lists some of the most commonly used regular expression operators, which can be used in user role and user VLAN derivation rules.
Operator | Description
. | Matches any character. For example, k matches lack, lark, link, lock, look, Lync, and so on.
\ | Matches the character that follows the backslash. For example, 192\.0 matches IP address ranges that start with 192.0, such as 192.0.1.1. The expression looks only for the single characters that match.
[ ] | Matches any one character listed between the brackets. For example, [b
151. [Table residue: dashboard list of interfering access points (docomo, ethersphere-wpa2, aruba-ap, ipv6-alpha, ethersphere-voip, NTT-SPOT, akvoice1, hotspot_sach, nrvap1, mdns-roaming, sandip-test, 7SPOT, ARUBA-VISITOR, san-mdns-psk, Milford Staff) with classification Interfering, band and channel width, and last-seen time]
OS Fingerprinting
The OS Fingerprinting feature gathers information about a client connected to the AOS-W Instant network to determine the operating system the client is running. The following is a list of advantages of this feature:
• Identifying rogue clients: Helps to identify clients that are running forbidden operating systems.
• Identify
152. AI realm to which the clients can connect. The NAI realm settings on an OAW-IAP serve as an advertisement profile to determine the NAI realm elements that must be included as part of a GAS Response frame.
Configuring Hotspot Profiles
To configure a hotspot profile, perform the following steps:
1. Create the required ANQP and H2QP advertisement profiles.
2. Create a hotspot profile.
3. Associate the required ANQP and H2QP advertisement profiles created in step 1 to the hotspot profile created in step 2.
4. Create an SSID profile with enterprise security and WPA2 encryption settings and associate the SSID with the hotspot profile created in step 2.
Creating Advertisement Profiles for Hotspot Configuration
A hotspot profile contains one or several advertisement profiles. The following advertisement profiles can be configured through the AOS-W Instant CLI:
• ANQP advertisement profiles
  NAI Realm profile
  Venue Name profile
  Network Authentication profile
  Roaming Consortium profile
  3GPP profile
  IP Address Availability profile
  Domain Name profile
• H2QP advertisement profiles
  Operator Friendly Name profile
  Connection Capability profile
  Operating Class profile
  WAN Metrics profile
Configuring an NAI Realm Profile
You configure a Network Access Identifier (NAI) Realm profile to define the NAI realm information, which can be sent as an ANQP IE in a GAS query re
153. AN assignment:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# enforce-dhcp
To create a new VLAN assignment rule:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-vlan <attribute> {equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of
Configuring Wired Profile for Guest Access
You can configure wired settings for a wired profile by using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1. Click the Wired link under More at the top right corner of the AOS-W Instant main window. The Wired window is displayed.
2. Click New under Wired Networks. The New Wired Network window is displayed.
3. Click the Wired Settings tab and enter the following information:
a. Name: Specify a name for the profile.
b. Primary Usage: Select Employee or Guest.
c. Speed/Duplex: Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
d. POE: Set POE to Enabled to enable Power over Ethernet.
e. Admin Status: Ensure that an appropriate value is selected. The Admin Status indicates if the port is up or down.
f. Content Filtering: To ensure that all DNS requests to non
154. Access Point)(wired ap profile <name>)# mac-authentication
(Instant Access Point)(wired ap profile <name>)# l2-auth-failthrough
(Instant Access Point)(wired ap profile <name>)# auth-server <name>
(Instant Access Point)(wired ap profile <name>)# server-load-balancing
(Instant Access Point)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply
Configuring Access Rules for a Wired Profile
The Ethernet ports allow third-party devices such as VoIP phones or printers, which support only wired connections, to connect to the wireless network. You can also configure an Access Control List (ACL) for additional security on the Ethernet downlink.
NOTE: If you are creating a new wired profile, complete the Wired Settings and configure VLAN and security parameters before defining access rules. For more information, see Configuring Wired Settings on page 102, Configuring VLAN for a Wired Profile on page 103, and Configuring Security Settings for a Wired Profile on page 104.
You can configure access rules by using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
To configure access rules:
1. In the Access tab, configure the following access rule parameters:
a. Select any of the following types of access control:
155. AirPrint services, which are based on the Bonjour protocol, are essential services in campus Wi-Fi networks. Zero configuration networking enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home. Bonjour is the trade name for the zero configuration implementation introduced by Apple. It is supported by most of the Apple product lines, including the Mac OS X operating system, iPhone, iPod Touch, iPad, Apple TV, and AirPort Express. Bonjour can be installed on computers running Microsoft Windows and is supported by the new network-capable printers. Bonjour is also included with popular software programs such as Apple iTunes, Safari, and iPhoto. Bonjour uses multicast DNS (mDNS) to locate devices and the services offered by these devices.
The AirGroup solution supports both wired and wireless devices. Wired devices which support the Bonjour services are made part of AirGroup when the VLANs of the devices are terminated on the Virtual Controller. AirGroup also supports ClearPass Policy Manager (CPPM):
• Users can register their personal devices and define a group of users who can share the registered devices.
• Administrators can register and manage an organization's shared devices, such as printers and conference room Apple TVs. An administrator can grant global access to each device or restrict acce
156. • Aruba-Mdps-Device-Udid
• Aruba-Mdps-Device-Version
• Aruba-Mdps-Max-Devices
• Aruba-Mdps-Provisioning-Settings
• Aruba-Named-User-Vlan
• Aruba-No-DHCP-Fingerprint
• Aruba-Port-Id
• Aruba-Priv-Admin-User
• Aruba-Template-User
• Aruba-User-Role
• Aruba-User-Vlan
• Aruba-WorkSpace-App-Name
• Authentication-Sub-Type
• Authentication-Type
• CHAP-Challenge
• Callback-Id
• Callback-Number
• Chargeable-User-Identity
• Class
• Connect-Info
• Connect-Rate
• Crypt-Password
• DB-Entry-State
• Digest-Response
• Domain-Name
• EAP-Message
• Error-Cause
• Event-Timestamp
• Exec-Program
• Exec-Program-Wait
• Expiration
• Fall-Through
• Filter-Id
• Framed-AppleTalk-Link
• Framed-AppleTalk-Network
• Framed-AppleTalk-Zone
• Framed-Compression
• Framed-IP-Address
• Framed-IP-Netmask
• Framed-IPX-Network
• Framed-IPv6-Pool
• Framed-IPv6-Prefix
• Framed-IPv6-Route
• Framed-Interface-Id
• Framed-MTU
• Framed-Protocol
• Framed-Route
• Framed-Routing
• Full-Name
• Group
• Group-Name
• Hint
• Huntgroup-Name
• Idle-Timeout
• Location-Capable
• Location-Data
• Location-Information
• Login-IP-Host
• Login-IPv6-Host
• Login-LAT-Node
• Login-LAT-Port
• Login-LAT-Service
• Login-Service
• Login-TCP-Port
• Menu
• Message-Auth
• NAS-IPv6-Address
• NAS-Port-Type
• Operator-Name
• Password
• Password-Retry
•
157. Assigning User VLAN Roles to a Network Profile
You can configure user VLAN roles for a network profile using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
To assign a user VLAN role:
1. Click Network > New > New WLAN > Access, or Network > edit > Edit <WLAN profile> > Access.
2. Ensure that the slider is at the Role-based option.
3. Click New under the New Role Assignment and configure the following parameters:
a. Select the attribute from the Attribute drop-down list.
b. Select the operator to match from the Operator drop-down list.
c. Enter the string to match in the String text box.
d. Select the role to be assigned from the Role text box.
The following figure shows an example for the VLAN role assignment.
Figure 62 User VLAN Role Assignment
[Figure 62: Access tab of the wired-instant Guest network: Role-based access with Role Assignment Rules (Default role: test2345) and a New Role Assignment Rule with Attribute AP-Group, Operator contains, String VLAN200, Role; options Assign pre-authentication role and Enforce Machine Authentication (screenshot residue)]
4. Click OK.
In the CLI
To assign a VLAN role to a WLAN profile:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role
158. Auth Text: If the External Authentication splash page is selected, specify the authentication text that must be returned by the external server after successful authentication. Available only if Authentication Text is selected.
Redirect URL: Specify a redirect URL if you want to redirect the users to another URL.
In the CLI
To configure an external Captive Portal profile:
(Instant Access Point)(config)# wlan external-captive-portal [profile_name]
(Instant Access Point)(External Captive Portal)# server <server>
(Instant Access Point)(External Captive Portal)# port <port>
(Instant Access Point)(External Captive Portal)# url <url>
(Instant Access Point)(External Captive Portal)# https
(Instant Access Point)(External Captive Portal)# redirect-url <url>
(Instant Access Point)(External Captive Portal)# server-fail-through
(Instant Access Point)(External Captive Portal)# no auto-whitelist-disable
(Instant Access Point)(External Captive Portal)# end
(Instant Access Point)# commit apply
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
You can configure external captive portal authentication for a network profile when adding or editing a guest network, using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1. Navigate to the WLAN wizard or Wired window:
• To config
159. C ASYNC
bearer capability DIGITAL ANALOG
use tiebreaker OFF
peer profile NOT SET
session profile NOT SET
trace flags PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
Tunnel profile test tunnel backup
l2tp host name arubal600pop658509 hsb dev4 aus local
UDP port 1701
peer IP address 10.13.11.157
peer UDP port 1701
hello timeout 60, retry timeout 1, idle timeout 0
rx window size 10, tx window size 10, max retries 5
use UDP checksums OFF
do pmtu discovery OFF, mtu 1460
framing capability SYNC ASYNC
bearer capability DIGITAL ANALOG
use tiebreaker OFF
peer profile NOT SET
session profile NOT S
trace flags PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
To view L2TPv3 system statistics:
(Instant Access Point)# show l2tpv3 system statistics
L2TP counters:
Total messages sent 99, received 194, retransmitted 0
illegal 0, unsupported 0, ignored AVPs 0, vendor AVPs 0
Setup failures: tunnels 0, sessions 0
Resource failures: control frames 0, peers 0, tunnels 0, sessions 0
Limit exceeded errors: tunnels 0, sessions 0
Frame errors: short frames 0, wrong version frames 0, unexpected data frames 0, bad frames 0
Internal: authentication failures 0, message encode failures 0, no matching tunnel discards 0, mismatched tunnel ids 0, no matching session discards 0, mismatched session ids 0, total control frame send failures 0, event queue fulls 0
Message
160. [Figure residue: New Certificate window with Certificate type (CA, Auth Server, Captive portal server), Certificate format, Cancel]
To upload a certificate, click Upload New Certificate. The New Certificate window is displayed.
Browse and select the file to upload.
Select any of the following types of certificate from the Certificate type drop-down list:
• CA: CA certificates validate the client's certificate.
• Auth Server: The authentication server certificate verifies the server's identity to the client.
• Captive portal server: The Captive portal server certificate verifies the internal Captive portal server's identity to the client.
Select the certificate format from the Certificate format drop-down list.
If you have selected the Auth Server or Captive portal server type, enter a passphrase in Passphrase and reconfirm. The default password is whatever. If the certificate does not include a passphrase, no passphrase is required.
8. Click Browse and select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.
Loading Certificates using AOS-W Instant CLI
To upload a certificate:
(Instant Access Point)# copy tftp <ip-address> <filename> {cpserver cert <password> format {p12|pem}|system {1xca format {der|pem}|1xcert <password> format {p12|pem}}}
Loading Certificates using Omnivista
You can manage certificates using the OmniVista. The AMP directly provisions the certificates and performs basic
161. CP option 82 to the DHCP traffic forwarded to the controller.
• For L3 clients, the Virtual Controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located behind the switch in the corporate network and reachable through the IPSec tunnel. The centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
You can configure a Centralized DHCP scope by using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
To configure a centralized DHCP scope:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2. To configure a Centralized DHCP scope, click New under Centralized DHCP Scopes. The New DHCP Scope window is displayed. The following figure shows the contents of the New DHCP Scope window.
Figure 77 New DHCP Scope: Centralized DHCP Scope
[Figure 77: New DHCP Scope window with fields Name, VLAN, DHCP relay (Disabled), Option 82 (None), OK/Cancel (screenshot residue)]
3. Based on the type of DHCP scope, configure the following parameters.
Table 48 DHCP Mode Configuration Parameters
Name | Description
Name | Enter a name for the DHCP scope.
VLAN | Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 89 and Configuring VLAN for a Wired Profile on page 103.
DHCP relay | Select Enabled to allow the OAW-IAPs to intercept the broadcast packe
162. CP scope. Select any of the following options:
• Local: On selecting Local, the DHCP server for the local branch network is used for keeping the scope of the subnet local to the OAW-IAP. In the NAT mode, the traffic is forwarded through the IPSec tunnel or the uplink.
• Local,L3: On selecting Local,L3, the Virtual Controller acts as a DHCP server and gateway. In this mode, the OAW-IAP routes the packets sent by clients and also adds a route on the Switch after the VPN tunnel is set up during the registration of the subnet.
Table 50 DHCP Mode Configuration Parameters
Name | Description
VLAN | Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 89 and Configuring VLAN for a Wired Profile on page 103.
Network | Specify the network to use.
Netmask | If Local or Local,L3 is selected, specify the subnet mask. The subnet mask and the network determine the size of the subnet.
Excluded address | If Local,L3 is selected, specify the IP address to exclude. The value entered in this field determines the exclusion range of the subnet. Based on the size of the subnet, the IP addresses that come before or after the IP address value specified in this field are excluded.
DNS server | If required, specify the IP address of a DNS server for the Local and Local,L3
163. Client IP Assignment 238
In the AOS-W Instant UI 238
In the CLI 238
VPN Configuration 239
Understanding VPN Features 239
Configuring a Tunnel from an OAW-IAP to OmniAccess WLAN Switch 239
Configuring IPSec Tunnel 239
In the AOS-W Instant UI 239
In the CLI 240
[entry illegible] 241
Enabling Automatic Configuration of GRE Tunnel 241
In the AOS-W Instant UI 241
In the CLI 243
Manually Configuring a GRE Tunnel 243
In the AOS-W Instant UI 243
In the CLI 244
Configuring an L2TPv3 Tunnel 244
In the AOS-W Instant UI 245
In the CLI 246
[entry illegible] 247
Configuring Routing Profiles 250
In the AOS-W Instant UI 250
In the CLI 251
IAP-VPN Configuration 252
Overview 252
Termination of IPSec and GRE VPN Tunnels 252
164. Configuring MAC Authentication with Captive Portal Authentication 156
Configuring MAC Authentication with Captive Portal Authentication 156
In the AOS-W Instant UI 156
In the CLI 157
Configuring WISPr Authentication 157
In the AOS-W Instant UI 157
In the CLI 158
Blacklisting Clients 158
Blacklisting Clients Manually 159
Adding a Client to the Blacklist 159
In the AOS-W Instant UI 159
In the CLI 159
Blacklisting Users Dynamically 159
Authentication Failure Blacklisting 159
Session Firewall Based Blacklisting 159
Configuring Blacklist Duration 159
In the AOS-W Instant UI 159
In the CLI 160
Uploading Certificates 160
Loading Certificates using AOS-W Instant UI 161
Loading Certificates using AOS-W Instant CLI 161
Loa
165. Configuring Walled Garden Access 126
In the AOS-W Instant UI 126
In the CLI 126
Disabling Captive Portal Authentication 126
User Management 128
[entry illegible] 128
Configuring Administrator Credentials for the Virtual Controller Interface 128
In the AOS-W Instant UI 128
In the CLI 129
Configuring Guest Management Interface Administrator Credentials 130
In the AOS-W Instant UI 130
In the CLI 130
Configuring Users for Internal Database of an OAW-IAP 130
In the AOS-W Instant UI 130
In the CLI 131
Configuring the Read-Only Administrator Credentials 132
In the AOS-W Instant UI 132
In the CLI 132
Adding Guest Users through the Guest Management Interface 132
Authentication 134
Understanding Authentication Methods 134
Supported Authentication Servers 135
External RADIUS Server 136
RADIUS Server Authentication with VSA 136
Internal RADIUS Server 136
Authentication Termination on OAW-IAP 137
Supported VSAs 137
166. DIUS Access-Accept message, which the OAW-IAP caches to support authentication survivability. As shown in the following figure, the information sent by the CPPM varies depending on the authentication method used.
Figure 45 802.1X Authentication when CPPM is reachable
[Figure 45: Client laptop, OAW-IAP, ClearPass Policy Manager, and Active Directory. EAP-method authentication; the CPPM authenticates the credentials against Active Directory, evaluates policy and derives enforcement attributes, and returns a RADIUS Accept with information sent as Aruba VSAs along with enforcement attributes; the OAW-IAP caches the authentication credentials (username/MAC address) and enforcement attributes (diagram residue)]
The following figure illustrates a scenario where the remote link is not available and the OAW-IAP is no longer able to reach the CPPM. Here, the OAW-IAP terminates and completes the EAP authentication using the cached credentials.
If both the OAW-IAP to which the client was associated and the CPPM are not available, the client will not be able to reauthenticate until the CPPM server is available again.
Figure 46 802.1X Authentication using cached credentials
[Figure 46: Connectivity failure between the OAW-IAP and the CPPM. Association and EAP authentication; the OAW-IAP uses cached information to complete authentication and sends an Accept with cached enforcement attributes (diagram residue)]
The following figure illustrates a scenario where the
167. DIUS users.
Internal Guest Users: Displays the number of internal guest users.
Internal User Open Slots: Displays the available slots for user configuration as supported by the OAW-IAP model.
Info section in Client view
The Info section in the Client view displays the following information:
• Name: Displays the name of the client.
• IP Address: Displays the IP address of the client.
• MAC Address: Displays the MAC address of the client.
• OS: Displays the operating system that is running on the client.
• Network: Indicates the network to which the client is connected.
• Access Point: Indicates the OAW-IAP to which the client is connected.
• Channel: Indicates the channel that is currently used by the client.
• Type: Displays the channel type on which the client is broadcasting.
Info section in Network view
The Info section in the Network view displays the following information:
• Name: Displays the name of the network.
• Status: Displays the status of the network.
• Band: Displays the band in which the network is broadcast, for example, the 2.4 GHz band, the 5 GHz band, or both.
• Type: Displays the type of network, for example, Employee, Guest, or Voice.
• IP Assignment: Displays the source of the IP address for the client.
• Access: Indicates the level of access control configured for the network.
• Security level: Indicates the type of user authentication and data encryption configured for the network.
The Info section for WLAN SSIDs also indicates the status of Captive Portal and CALEA ACLs.
168. Device, Add Planned Device, Delete Deployed Devices, Delete Planned Devices, Delete Surveys.

PSK-based and Certificate-based Authentication
On the DHCP server, two formats for option 43 are supported:
• <organization>,<ams-ip>,<ams-key>: If you choose this format, the OAW-IAP authenticates the OmniVista Management Platform server using the Pre-Shared Key (PSK) login process.
• <organization>,<ams-domain>: If you choose this format, the OAW-IAP resolves the OmniVista domain name into one or two IP addresses (as OmniVista Primary or OmniVista Backup), and then starts a certificate-based authentication with the OmniVista Management Platform server instead of the PSK login.
When the OmniVista Management Platform domain name is used, the OAW-IAP performs certificate-based authentication with the OmniVista Management Platform server. The OAW-IAP initiates an SSL connection with the OmniVista server. The OmniVista server verifies the signature and public key certificate from the OAW-IAP. If the signature matches, OmniVista responds to the OAW-IAP with the login request.

Configuring OmniVista
Before configuring OmniVista, ensure that you have the following information:
• IP address of the OmniVista server
• Shared key for service authorization, assigned by the OmniVista administrator
This section describes the following procedures:
• Configuring Organization String on page 260
• Configuring for OmniVista Di
169. For authentication purposes, the wireless client can associate to a network access server (NAS) or RADIUS client, such as a wireless OAW-IAP. The wireless client can pass data traffic only after successful 802.1X authentication. For more information on configuring an OAW-IAP to use 802.1X authentication, see Configuring 802.1X Authentication for a Network Profile on page 151.
• MAC authentication: Media Access Control (MAC) authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks or for networks that require stringent security settings. For more information on configuring an OAW-IAP to use MAC authentication, see Configuring MAC Authentication for a Network Profile on page 153.
• MAC authentication with 802.1X authentication: This authentication method has the following features:
  - MAC authentication precedes 802.1X authentication.
  - Administrators can enable MAC authentication for 802.1X authentication.
  - MAC authentication shares all the authentication server configurations with 802.1X authentication.
  - If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802
170. HCP Profile <profile-name> server-type <Local,L3>
(Instant Access Point)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant Access Point)(DHCP Profile <profile-name>)# subnet <IP-address>
(Instant Access Point)(DHCP Profile <profile-name>)# subnet-mask <subnet-mask>
(Instant Access Point)(DHCP Profile <profile-name>)# exclude-address <IP-address>
(Instant Access Point)(DHCP Profile <profile-name>)# dns-server <name>
(Instant Access Point)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant Access Point)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant Access Point)(DHCP Profile <profile-name>)# option <type> <value>
(Instant Access Point)(DHCP Profile <profile-name>)# end
(Instant Access Point)# commit apply

AOS-W Instant 6.3.1.1-4.0 User Guide, DHCP Configuration, page 237

Configuring DHCP Server for Client IP Assignment
The DHCP server is a built-in server used for networks in which clients are assigned IP addresses by the Virtual Controller. You can customize the DHCP pool subnet and address range to provide simultaneous access to a larger number of clients. The largest address pool supported is 2048. The default size of the IP address pool is 512. When the DHCP server is configured and the Client IP assignment parameter for an SSID profile is set to Virtual Controller Assigned, the Virtual Control
171. Instant UI
1. Navigate to the WLAN wizard or Wired settings window:
   • To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
   • To configure access rules for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. Click the Access tab.
3. Under Role Assignment Rules, click New. The New Role Assignment window allows you to define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
4. Select the attribute that the rule matches against from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 136.
5. Select the operator from the Operator drop-down list. The following types of operators are supported:
   • contains: The rule is applied only if the attribute value contains the string specified in Operand.
   • Is the role: The rule is applied if the attribute value is the role.
   • equals: The rule is applied only if the attribute value is equal to the string specified in Operand.
   • not-equals: The rule is applied only if the attribute value is not equal to the string specified in Oper
172. Mode
To disable Auto Join Mode:
1. In the AOS-W Instant main window, click the System link. The System window is displayed.
2. In the General tab of the System window, click Show advanced options.
3. Select Disabled from the Auto join mode drop-down list.
4. Click OK.

Adding an OAW-IAP to the Network
To add an OAW-IAP to the Instant network, assign an IP address. For more information, see Assigning an IP address to the OAW-IAP on page 32.
After an OAW-IAP is connected to the network, if the Auto Join Mode feature is enabled, the OAW-IAP inherits the configuration from the Virtual Controller and is listed in the Access Points tab. If Auto Join Mode is disabled, perform the following steps to add an OAW-IAP to the network:
1. In the Access Points tab, click the New link. The New Access Point window is displayed.
2. In the New Access Point window, enter the MAC address for the new OAW-IAP.
3. Click OK.

Removing an OAW-IAP from the Network
You can remove an OAW-IAP from the network only if the Auto Join Mode feature is disabled. To remove an OAW-IAP from the network:
1. In the Access Points tab, click the OAW-IAP to delete. The x icon is displayed against the OAW-IAP.
2. Click x to confirm the deletion.
The deleted OAW-IAPs cannot join the Instant network anymore and are no longer displayed in the AOS-W Instant UI. However, the master OAW-IAP details cannot be deleted from the Virtual Controller database.

Configuring a Preferred Band
Yo
173. N or the IP address of the Switch in the Hostname or IP Address of Mobility Controller text box. Contact your local administrator to obtain these details. Ensure that the OAW-IAPs can access the mobility Switch IP address.
6. Click Convert Now to complete the conversion.

Converting an OAW-IAP to Standalone Mode
This feature allows you to deploy an OAW-IAP as an autonomous AP, which is a separate entity from the existing Virtual Controller cluster in the Layer 2 domain.
To convert an OAW-IAP to a standalone AP:
1. Click the Maintenance link in the AOS-W Instant main window.
2. Click the Convert tab. The Convert tab is displayed.

Figure 110: Standalone AP Conversion. (Screenshot of the Maintenance window, Convert tab: "Convert one or more Access Points to Standalone AP", the Access Point to convert selected by MAC address, a note that after conversion the Access Point will operate in standalone mode, and the Confirm Access Point Conversion dialog warning that the AP will reboot into standalone mode and will no longer join with other APs to form networks, with Convert Now and Cancel buttons.)

AOS-W Instant 6.3.1.1-4.0 User Guide, OAW-IAP Management, page 308

3. Select Standalone AP from the drop-down list.
4. Select the Access Point from the drop-down list.
5. Click Convert Now to complete the conversion. The OAW-IAP now operates in standalone mode.

Converting an OAW-IAP using CLI
To
174. OAW-IAP configuration information is displayed in the Info section, and the RF Dashboard section is displayed at the bottom left corner of the AOS-W Instant main window. The following figure shows an example of the RF dashboard with Utilization, Band frames, Noise Floor, and Errors details.

Figure 16: RF Dashboard in the Monitoring Pane. (Screenshot: RF Dashboard with the Access Points list showing Utilization and Noise, and the All Clients list.)

The following table describes the icons available on the RF Dashboard pane.

Table 8: RF Dashboard Icons
Icon / Description
Displays the signal strength of the client. Depending on the signal strength of the client, the color of the lines on the Signal bar changes from Green > Orange > Red.
• Green: Signal strength is more than 20 decibels.
• Orange: Signal strength is between 15 and 20 decibels.
• Red: Signal strength is less than 15 decibels.
To view the signal graph for a client, click on the signal icon next to the client in the Signal column.

Displays the data transfer speed of the client. Depending on the data transfer speed of the client, the color of the Signal bar changes from Green > Orange > Red.
• Green: Data transfer speed is more than 50 percent of the maximum speed supported by the client.
• Orange: Data transfer speed is between 25 and 50 percent of the maximum speed supported by the client.
• Red: Data transfer speed is less than 25 percent of the maximum speed supported by the client.
To view the
175. OKC roaming on a WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}
(Instant Access Point)(SSID Profile <name>)# no okc-disable
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Editing Status of a WLAN SSID Profile
You can enable or disable an SSID profile in the AOS-W Instant UI or CLI.

AOS-W Instant 6.3.1.1-4.0 User Guide, Wireless Network Profiles, page 99

In the AOS-W Instant UI
To modify the status of a WLAN SSID profile:
1. In the Networks tab, select the network that you want to edit. The edit link is displayed.
2. Click the edit link. The Edit network window is displayed.
3. Select or clear the Disable SSID check box to disable or enable the SSID. The SSID is enabled by default.
4. Click Next or the tab name to move to the next tab.
5. Click Finish to save the modifications.

In the CLI
To disable an SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# disable
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply
To enable an SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# en
176. OS-W Instant 6.3.1.1-4.0 User Guide

Chapter 14: Roles and Policies
This chapter describes the procedures for configuring user roles, role assignment, and firewall policies:
• Firewall Configuration on page 164
• Access Control List Rules on page 169
• Configuring User Roles on page 175
• Configuring Derivation Rules on page 178

Firewall Configuration
The AOS-W Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using the AOS-W Instant firewall, you can enforce network access policies that define access to the network, the areas of the network that users may access, and the performance thresholds of various applications.
AOS-W Instant supports a role-based stateful firewall. The AOS-W Instant firewall recognizes flows in a network and keeps track of the state of sessions. The Instant firewall manages packets according to the first rule that matches the packet. The firewall logs on the OAW-IAPs are generated as syslog messages. The Instant firewall also supports Application Layer Gateway (ALG) functions for protocols such as SIP, Vocera, Alcatel NOE, and Cisco Skinny.

Configuring ALG Protocols
You can enable or disable protocols for the Application Layer Gateway (ALG) in AOS-W Instant using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
To configure protocols for ALG:
1. Click the Security link at the top right corner of the AOS
177. OS-W Instant UI 185
In the CLI 186
Uplink Configuration 187
Uplink Interfaces 187
Ethernet Uplink 188
In the AOS-W Instant UI 189
In the CLI 189
Cellular Uplink Profiles 192
In the AOS-W Instant UI 192
In the CLI 193
Wi-Fi Uplink 194
Uplink Preferences and Switching 196
Enforcing Uplinks 196
In the AOS-W Instant UI 196
In the CLI 196
Setting an Uplink Priority 196
In the AOS-W Instant UI 196
In the CLI 197
Enabling Uplink Preemption 197
In the AOS-W Instant UI 197
In the CLI 197
Switching Uplinks Based on VPN and Internet Availability 197
In the AOS-W Instant UI
178. OmniVista image upgrades can be done through the cloud-based image check feature. When a new OAW-IAP joining the network needs to synchronize its software version with the version on the Virtual Controller, and the new OAW-IAP belongs to a different class, the image file for the new OAW-IAP is provided by the cloud server.

Configuring HTTP Proxy on an OAW-IAP
If your network requires a proxy server for internet access, you must first configure the HTTP proxy on the OAW-IAP to download the image from the cloud server. After you set up the HTTP proxy settings, the OAW-IAP connects to the Activate server, OmniVista Management Platform, or OpenDNS server through a secure HTTP connection. You can also exempt certain applications from using the HTTP proxy configured on an OAW-IAP by providing their hostname or IP address under Exceptions.
In the AOS-W Instant UI
Perform these steps to configure the HTTP proxy settings:
1. Navigate to System > Proxy.
(Screenshot: System window with the General, Admin, DHCP, Uplink, L3 Mobility, Enterprise Domains, Monitoring, WISPr, and Proxy tabs; the Proxy tab shows Proxy Server 192.0.2.0, Port 8080, an Exceptions list, and a Hide advanced options link.)

AOS-W Instant 6.3.1.1-4.0 User
179. OmniVista, see OmniVista Integration and Management on page 258. The OmniVista status is displayed at the bottom of the AOS-W Instant main window. If the OmniVista status is Not Set Up, click the Set Up Now link to configure OmniVista. The System window is displayed with the Admin tab selected. For information on configuring OmniVista, see Configuring OmniVista on page 260.

Pause/Resume
The Pause/Resume link is located at the bottom right corner of the AOS-W Instant main window. Click the Pause link to pause the automatic refreshing of the AOS-W Instant UI. The AOS-W Instant UI is automatically refreshed every 15 seconds by default. When the automatic refreshing is paused, the Pause link changes to Resume. Click the Resume link to resume automatic refreshing.
Automatic refreshing allows you to get the latest information about the network and network elements. You can use the Pause link when you want to analyze or monitor the network or a network element and therefore do not want the user interface to refresh.

Views
Depending on the link or tab that is clicked, AOS-W Instant displays information about the Virtual Controller, Wi-Fi networks, OAW-IAPs, or the clients in the Info section. The views on the AOS-W Instant main window are classified as follows:
Virtual Controller view: The Virtual Controller view is the default view. This view allows you to monitor the AOS-W Instant ne
180. P Parameters for OAW-IAP
Parameter / Description
Community Strings for SNMPv1 and SNMPv2: An SNMP community string is a text string that acts as a password and is used to authenticate messages sent between the Virtual Controller and the SNMP agent.
If you are using SNMPv3 to obtain values from AOS-W Instant, you can configure the following parameters:
• Name: A string representing the name of the user.
• Authentication Protocol: An indication of whether messages sent on behalf of this user can be authenticated and, if so, the type of authentication protocol used. This can take one of two values:
  - MD5: HMAC-MD5-96 Digest Authentication Protocol
  - SHA: HMAC-SHA-96 Digest Authentication Protocol
• Authentication protocol password: If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. This is a string password for MD5 or SHA, depending on the choice above.
• Privacy protocol: An indication of whether messages sent on behalf of this user can be protected from disclosure and, if so, the type of privacy protocol which is used. This takes the value DES (CBC-DES Symmetric Encryption).
• Privacy protocol password: If messages sent on behalf of this user can be encrypted/decrypted with DES, the (private) privacy key for use with the privacy protocol.

AOS-W Instant 6.3.1.1-4.0 User Guide, Monitoring Devices and Logs, page 311

Configuring SNMP
This section describes the pro
181. P value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.
802.1p priority: Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
6. Click OK and then click Finish.

In the CLI
To configure access rules:
(Instant Access Point)(config)# wlan access-rule <access-rule-name>
(Instant Access Point)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat <IP-address> port <port>} [<option1 ... option9>]
(Instant Access Point)(Access Rule <Name>)# end
(Instant Access Point)# commit apply

Configuring Network Address Translation
Network Address Translation (NAT) is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public (the Internet) and private (local) network, which allows translation of private network IP addresses to a public address space.
AOS-W Instant supports the NAT mechanism to allow a routing device to use the translation tables to map the private addresses into a single IP address; packets are sent from this address so that they appear to originate from the routing device. Similarly, if the
182. Port-Limit
• Prefix
• Prompt
• Rad-Authenticator
• Rad-Code
• Rad-Id
• Rad-Length
• Reply-Message
• Requested-Location-Info
• Revoke-Text
• Server-Group
• Server-Name
• Service-Type
• Session-Timeout
• Simultaneous-Use
• State
• Strip-User-Name
• Suffix
• Termination-Action
• Termination-Menu
• Tunnel-Assignment-Id
• Tunnel-Client-Auth-Id
• Tunnel-Client-Endpoint
• Tunnel-Connection-Id
• Tunnel-Medium-Type
• Tunnel-Preference
• Tunnel-Private-Group-Id
• Tunnel-Server-Auth-Id
• Tunnel-Server-Endpoint
• Tunnel-Type
• User-Category
• User-Name
• User-Vlan
• Vendor-Specific

AOS-W Instant 6.3.1.1-4.0 User Guide, Authentication, page 140

Understanding Encryption Types
Encryption is the process of converting data into a cryptic format or code when it is transmitted on a network. Encryption prevents unauthorized use of the data. AOS-W Instant supports the following types of encryption:
• WEP: Wired Equivalent Privacy (WEP) is an authentication method where all users share the same key. WEP is not as secure as other encryption types such as TKIP.
• TKIP: Temporal Key Integrity Protocol (TKIP) uses the same encryption algorithm as WEP. However, TKIP is more secure and has an additional message integrity check (MIC).
• AES: The Advanced Encryption Standard (AES) encryption algorithm is a widely supported encryption type for all wireless networks that contain any confidential data. AES in Wi-Fi leverages 802
183. Profiles

AOS-W Instant 6.3.1.1-4.0 User Guide

(Instant Access Point)(config)# hotspot anqp-domain-name-profile dn1
(Instant Access Point)(domain-name dn1)# domain-name DomainName
(Instant Access Point)(domain-name dn1)# exit
(Instant Access Point)(config)# hotspot h2qp-oper-name-profile on1
(Instant Access Point)(operator-friendly-name on1)# op-lang-code eng
(Instant Access Point)(operator-friendly-name on1)# op-fr-name OperatorFriendlyName
(Instant Access Point)(operator-friendly-name on1)# exit

Step 2: Creating a hotspot profile
(Instant Access Point)# configure terminal
(Instant Access Point)(config)# hotspot hs-profile hs1
(Instant Access Point)(Hotspot2.0 hs1)# enable
(Instant Access Point)(Hotspot2.0 hs1)# comeback-mode
(Instant Access Point)(Hotspot2.0 hs1)# gas-comeback-delay 10
(Instant Access Point)(Hotspot2.0 hs1)# no asra
(Instant Access Point)(Hotspot2.0 hs1)# no internet
(Instant Access Point)(Hotspot2.0 hs1)# query-response-length-limit 20
(Instant Access Point)(Hotspot2.0 hs1)# access-network-type chargeable-public
(Instant Access Point)(Hotspot2.0 hs1)# roam-cons-len-1 3
(Instant Access Point)(Hotspot2.0 hs1)# roam-cons-oi-1 123456
(Instant Access Point)(Hotspot2.0 hs1)# roam-cons-len-2 3
(Instant Access Point)(Hotspot2.0 hs1)# roam-cons-oi-2 223355
(Instant Access Point)(Hotspot2.0 hs1)# addtl-roam-cons-ois
184. Protocol
• sips: Session Initiation Protocol
• sip-tcp: Session Initiation Protocol, Transmission Control Protocol
• sip-udp: Session Initiation Protocol, User Datagram Protocol
• smb-tcp: Server Message Block, Transmission Control Protocol
• smb-udp: Server Message Block, User Datagram Protocol
• smtp: Simple Mail Transfer Protocol
• snmp: Simple Network Management Protocol
• snmp-trap: Simple Network Management Protocol trap
• svp: Software Validation Protocol
• syslog: Syslog
• telnet: Telnet network protocol
• tftp: Trivial File Transfer Protocol
• vocera: VOCERA service

Select a destination option. You can allow or deny access to any of the following destinations, based on your requirements:
• To all destinations: Access is allowed or denied to all destinations.
• To a particular server: Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
• Except to a particular server: Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.

AOS-W Instant 6.3.1.1-4.0 User Guide, Roles and Policies, page 170

Table 30: Access Rule Configuration Parameters
Parameter / Description
• To a network: Access is allowed or denied to a network. After selecting this option, specify th
185. Ps are required to ensure LI compliance based on Communications Assistance for Law Enforcement Act (CALEA) specifications. Instant supports CALEA integration in hierarchical and flat topology mesh OAW-IAP networks, and in wired and wireless networks.
Enable this feature only if lawful interception is authorized by a law enforcement agency.

CALEA Server Integration
To support CALEA integration and ensure LI compliance, you can configure the OAW-IAPs to replicate specific or selected client traffic and send it to a remote CALEA server.

Traffic Flow from IAP to CALEA Server
You can configure an OAW-IAP to send GRE-encapsulated packets to the CALEA server and replicate client traffic within the GRE tunnel. Each OAW-IAP sends GRE-encapsulated packets only for its associated or connected clients. The following figure illustrates the traffic flow from the OAW-IAP to the CALEA server.

AOS-W Instant 6.3.1.1-4.0 User Guide, Lawful Intercept and CALEA Integration, page 281

Figure 105: AP to CALEA Server. (Diagram with numbered steps: 0, an always-on GRE tunnel from the IAP to the CALEA server; 1, the Law Enforcement Agency (LEA) requests an intercept on user data and a MAC address; 2, the RADIUS server uses a special VSA to inform the IAP that traffic replication is needed for a particular client at the end of its authentication process; 3, the IAP receives the instruction and starts replication; 4, replication of user traffic into the tunnel starts; 5, the ISP post-processes the intercepted data.)

Traffic Flow from IAP
186. (Screenshot: the AOS-W Instant UI login screen, with the Username field showing admin and an empty Password field.)

AOS-W Instant 6.3.1.1-4.0 User Guide, Setting up an OAW-IAP, page 34

When you use a provisioning Wi-Fi network to connect to the Internet, all browser requests are directed to the AOS-W Instant UI. For example, if you enter www.example.com in the address field, you are directed to the AOS-W Instant UI. You can change the default login credentials after the first login.

Specifying Country Code
This procedure is applicable to the OAW-IAP ROW (Rest of World) variants only. Skip this step if you are installing an OAW-IAP in the United States, Japan, or Israel.
The Country Code window is displayed for the OAW-IAP ROW (Rest of World) variants when you log in to the AOS-W Instant UI for the first time. You can specify a country code by selecting an appropriate option from the Please Specify the Country Code drop-down list.

Figure 2: Specifying a Country Code. (Screenshot: the "Please specify the Country Code" dialog with a "Select a country code" drop-down list.)

For the complete list of the country codes supported by the OAW-IAP ROW variant type, see Regulatory Domain on page 322.

Accessing the AOS-W Instant CLI
AOS-W Instant supports the use of a Command Line Interface (CLI) for scripting purposes. When you make configuration changes on a master OAW-IAP in the CLI, all associated OAW-IAPs in the cluster inherit these changes and subsequently update their configurations. By default, you can access the CLI
187. Register Shared Device
(Screenshot of the ClearPass Guest Register Shared Device form, with the following fields.)
• Device Name: Enter a name to identify the device.
• MAC Address: Enter the MAC address of the device.
• Shared Locations: Enter a list of location IDs where this device will be shared. Use a comma-separated list of tag=value pairs; tag may be AP-Name, AP-Group, or FQLN. A fully qualified location name is <ap name> floor <N> <building name> <campus>. Leave blank to share with all locations.
• Shared With: Enter up to 10 usernames that will be able to use this device. Use a comma-separated list, e.g. user1,user2,user3, or leave blank for all users.
• Shared Roles: List the user roles that will be able to use this device. Use a comma-separated list, e.g. role1,role2,role3, or leave blank for all roles.
For this test, add your AppleTV device name and MAC address but leave all other fields empty.

AOS-W Instant 6.3.1.1-4.0 User Guide, ClearPass Guest Setup, page 329

9. Click Register Shared Device.

Testing
To verify the setup:
1. Disconnect your AppleTV and OSX Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller's user table using these commands:
   • Find the MAC address: show user-table
   • Delete the address from the table: aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices.
To limit access to the AppleTV, access the ClearPass Guest UI using either the Ai
188. SID Profile <name> dmo-channel-utilization-threshold
(Instant Access Point)(SSID Profile <name>)# a-max-tx-rate <rate>
(Instant Access Point)(SSID Profile <name>)# a-min-tx-rate <rate>
(Instant Access Point)(SSID Profile <name>)# g-max-tx-rate <rate>
(Instant Access Point)(SSID Profile <name>)# g-min-tx-rate <rate>
(Instant Access Point)(SSID Profile <name>)# bandwidth-limit <limit>
(Instant Access Point)(SSID Profile <name>)# per-user-bandwidth-limit <limit>
(Instant Access Point)(SSID Profile <name>)# air-time-limit <limit>
(Instant Access Point)(SSID Profile <name>)# wmm-background-share <percentage-of-traffic-share>
(Instant Access Point)(SSID Profile <name>)# wmm-best-effort-share <percentage-of-traffic-share>
(Instant Access Point)(SSID Profile <name>)# wmm-video-share <percentage-of-traffic-share>
(Instant Access Point)(SSID Profile <name>)# wmm-voice-share <percentage-of-traffic-share>
(Instant Access Point)(SSID Profile <name>)# rf-band {<2.4>|<5.0>|<all>}
(Instant Access Point)(SSID Profile <name>)# content-filtering

To manually assign VLANs for WLAN SSID users:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# vlan <vlan-ID>
To enforce DHCP-based VL
189. SSID used in the GAS frame exchange.
query-response-length-limit: Specify this parameter to set the maximum length of the GAS query response in octets. You can specify a value within the range of 1 to 127. The default value is 127.
roam-cons-len-1, roam-cons-len-2, roam-cons-len-3: Specify the length of the organization identifier. The value of roam-cons-len-1, roam-cons-len-2, or roam-cons-len-3 (the roaming consortium OI) is based on the following parameters:
• 0: Zero octets in the OI (Null)
• 3: OI length is 24 bit (3 octets)
• 5: OI length is 36 bit (5 octets)
venue-group: Specify one of the following venue groups:
• assembly
• business
• educational

AOS-W Instant 6.3.1.1-4.0 User Guide, Hotspot Profiles, page 296

Table 57: Hotspot Configuration Parameters
Parameter / Description
• factory-and-industrial
• institutional
• mercantile
• outdoor
• residential
• storage
• utility-and-misc
• vehicular
By default, the business venue group is used.
venue-type: Specify a venue type to be advertised in the ANQP IEs from OAW-IAPs associated with this hotspot profile. For more information about the supported venue types for each venue group, see Table 56.

Associating an Advertisement Profile to a Hotspot Profile
To associate a hotspot profile with an advertisement profile:
(Instant Access Point)(config)# hotspot hs-profile <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-protocol proto
190. (Screenshot: Windows DHCP server console listing several scopes in the 10.169.0.0 range, for example Scope 10.169.138.0, Scope 10.169.145.0, and Scope 10.169.150.0 through Scope 10.169.158.0, each with Address Pool, Address Leases, Reservations, and Scope Options nodes, and an ArubaInstantAP entry under one of the scopes.)

Alternate Method for Defining Vendor-Specific DHCP Options
This section describes how to add vendor-specific DHCP options for AOS-W Instant APs in a network that already uses DHCP options 60 and 43 for other services. Some networks use DHCP standard options 60 and 43 to provide the DHCP clients with information about certain services, such as PXE.

AOS-W Instant 6.3.1.1-4.0 User Guide, OmniVista Integration and Management, page 265

In such an environment, the standard DHCP options 60 and 43 cannot be used for Alcatel-Lucent APs. This method describes how to set up a DHCP server to send option 43 with OmniVista information to AOS-W Instant OAW-IAPs. This section assumes that option 43 is sent per scope because option 60 is being shared by other devices as well. The DHCP scope must be specific to Instant, and the PXE devices that use options 60 and 43 must not co
191. Server through VPN 282
Client Traffic Replication 283
Configuring OAW-IAPs for CALEA Integration 283
Creating a CALEA Profile 283
In the AOS-W Instant UI 284
In the CLI 284
Creating an Access Rule for CALEA 284
In the AOS-W Instant UI 284
In the CLI 284
Verifying the configuration 285
Example 285
Hotspot Profiles 287
Understanding Hotspot Profiles 287
Generic Advertisement Service (GAS) 287
Access Network Query Protocol (ANQP) 288
Hotspot 2.0 Query Protocol (H2QP) 288
Information Elements (IEs) and Management Frames 288
NAI Realm List 288
Configuring Hotspot Profiles 288
Creating Advertisement Profiles for Hotspot Configuration 289
Configuring an NAI Realm Profile 289
Configuring a Venue Name Profile 291
Configuring a Network Authentication Profile
192. [Residue of a dialog: Servers, Name, Type, Cancel]

Maintenance
The Maintenance link displays a window that allows you to maintain the Wi-Fi network. The Maintenance window consists of the following tabs:
- About: Displays the name of the product, build time, OAW-IAP model name, the AOS-W Instant version, the website address of Alcatel-Lucent, and copyright information.
- Configuration: Displays the following details:
  - Current Configuration: Displays the current configuration details.
  - Clear Configuration: Allows you to clear the current configuration details of the network.
  - Factory Reset: Allows you to reset an OAW-IAP to the default factory configuration settings.
  - Backup Configuration: Allows you to back up local configuration details. The backed-up configuration data is saved in the file named instant.cfg.
  - Restore Configuration: Allows you to restore the backed-up configuration. The OAW-IAP must be rebooted after restoring the configuration for the changes to take effect.
- Certificates: Displays information about the certificates installed in the AOS-W Instant network. You can also upload new certificates and set a passphrase for the certificates. For more information, see Uploading Certificates on page 160.
- Firmware: Displays the current firmware version and provides various options to upgrade to a new firmware version. For more information, see Upgrading an OAW-IAP on page 70.
- Reboot: Displays the OAW-IAPs in the network and provid
193. ...US server with fallback to internal: Select this option to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To complete this configuration, perform the following steps:
  a. To enable load balancing, select Enabled from the Load balancing drop-down list.
  b. Specify a Username and Password.
  c. Retype the password to confirm.
4. Click OK.

In the CLI
To configure management authentication settings:
(Instant Access Point)(config)# mgmt-auth-server <server1>
(Instant Access Point)(config)# mgmt-auth-server <server2>
(Instant Access Point)(config)# mgmt-auth-server-load-balancing
(Instant Access Point)(config)# mgmt-auth-server-local-backup
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring 802.1X Authentication for a Network Profile
The AOS-W Instant network supports an internal RADIUS server and external RADIUS servers for 802.1X authentication.
The steps involved in 802.1X authentication are as follows:
1. The NAS requests authentication credentials from a wireless client.
2. The wireless client sends authentication credentials to the NAS.
3. The NAS s
4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its
194. When you move your mouse over a channel, the channel details or the summary of the 5 GHz and 2.4 GHz channels as detected by a spectrum monitor are displayed. You can view the aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference, and the signal-to-noise-and-interference ratio (SNIR). SNIR is the ratio of signal strength to the combined levels of interference and noise on that channel. Spectrum monitors display spectrum data seen on all channels in the selected band, and hybrid APs display data from the one channel they are monitoring.

Figure 68: Channel Details
[Figure residue: Spectrum overview screenshot for an AP monitoring channel 9, with the tabs Monitoring, Spectrum, IDS, Configuration and the panel "2.4 GHz Channel Utilization and Quality"; columns shown are WiFi, Bluetooth, Microwave, Cordless Phone, Total nonwifi, Max AP Signal (dBm), Max AP SSID, Max AP BSSID, Max Interference (dBm), SNIR (dB).]

Table 36 Channel Details Information shows the information that you can view in the channel details graph.

Table 36: Channel Details Information
Column: Description
Channel: An 802.11a or 802.11g radio channel.
Quality: Current relative quality of the channel.
Utilization: The percentage of the channel being used.
Wi-Fi: The percentage of the channel currently being used by Wi-Fi devices.
195. ...a classic Wi-Fi network. This network type is used by the employees in an organization, and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The employee network is selected by default during a network profile configuration.
- Voice network: This network type allows you to configure a network profile for devices that provide only voice services, such as handsets or applications that require voice traffic prioritization.
- Guest network: The Guest wireless network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The Virtual Controller assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network. However, you can specify the encryption settings when configuring a guest network.

Note: When a client is associated to the Voice network, all data traffic is marked and placed into the high priority queue in QoS (Quality of Service).

To configure a new wireless network profile, complete the following procedures:
1. Configuring WLAN Settings
2. Configuring VLAN Settings
3. Configuring Security Settings
4. Configuring Access Rules for a Network
196. ...abl
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

Configuring Additional WLAN SSIDs
By default, you can create up to six WLAN SSIDs. With the Extended SSID option enabled, you can create up to 16 WLANs. The OAW-IAPs that support 16 WLANs are as follows: OAW-RAP3WN, OAW-IAP92, OAW-IAP93, OAW-IAP134, OAW-IAP135. The number of SSIDs that become active on each OAW-IAP depends on the OAW-IAP platform.

Enabling the Extended SSID
Note: Enabling the Extended SSID option disables mesh.
You can configure additional SSIDs by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click the System link at the top right corner of the AOS-W Instant main window.
2. Click the Show advanced options link.
3. In the General tab, select Enabled from the Extended SSID drop-down list.
4. Click OK.
5. Reboot the OAW-IAP for the changes to take effect. After you enable the option and reboot the OAW-IAP, the Wi-Fi and mesh links are disabled automatically.

In the CLI
To enable the extended SSIDs:
(Instant Access Point)(config)# extended-ssid
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Editing a WLAN SSID Profile
To edit a WLAN SSID profile:
1. In the Networks tab, select the network that you want to edit. The edit link is displayed.
2. Click the edit link. The Edit network window is displayed.
3. Modify the required settings
197. [Residue of the preceding parameter table: ...abled, Enabled, 60 sec, 5, 2]
6. Click Next to continue. When the IPsec tunnel configuration is completed, the packets that are sent from and received by an OAW-IAP are encrypted.

In the CLI
To configure an Alcatel-Lucent IPsec VPN tunnel:
(Instant Access Point)(config)# vpn primary <name>
(Instant Access Point)(config)# vpn backup <name>
(Instant Access Point)(config)# vpn fast-failover
(Instant Access Point)(config)# vpn hold-time <seconds>
(Instant Access Point)(config)# vpn preemption
(Instant Access Point)(config)# vpn monitor-pkt-send-freq <frequency>
(Instant Access Point)(config)# vpn monitor-pkt-lost-cnt <count>
(Instant Access Point)(config)# vpn reconnect-user-on-failover
(Instant Access Point)(config)# vpn reconnect-time-on-failover <down_time>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Example:
(Instant Access Point)(config)# vpn primary 192.0.2.18
(Instant Access Point)(config)# vpn backup 192.0.2.18
(Instant Access Point)(config)# vpn fast-failover
(Instant Access Point)(config)# vpn preemption
(Instant Access Point)(config)# ip dhcp distL2
(Instant Access Point)(DHCP Profile "distL2")# server-type Distributed,L2
(Instant Access Point)(DHCP Profile "distL2")#
198. ...abling Uplink Preemption
The following configuration conditions apply to uplink preemption:
- Preemption can be enabled only when no uplink is enforced.
- When preemption is disabled and the current uplink goes down, the OAW-IAP tries to find an available uplink based on the uplink priority configuration.
- When preemption is enabled and the current uplink is active, the OAW-IAP periodically tries to use a higher priority uplink, and switches to a higher priority uplink even if the current uplink is active.
You can enable uplink preemption using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click System > Show advanced settings > Uplink. The Uplink tab contents are displayed.
2. Under Uplink Management, ensure that Enforce Uplink is set to none.
3. Select Enabled from the Pre-emption drop-down list.
4. Click OK.

In the CLI
To enable uplink preemption:
(Instant Access Point)(config)# uplink
(Instant Access Point)(uplink)# preemption
(Instant Access Point)(uplink)# end
(Instant Access Point)# commit apply

Switching Uplinks Based on VPN and Internet Availability
The default priority for uplink switchover is Ethernet and then 3G/4G. The OAW-IAP can switch to the lower priority uplink if the current uplink is down.

Switching Uplinks Based on VPN Status
AOS-W Instant supports switching uplinks based on the VPN status when deploying multiple uplinks (Ethernet, 3G/4G, and Wi-Fi). When VPN is used wi
199. ...ach branch. The Virtual Controller allows different modes of forwarding of traffic from the clients on a VLAN with a VPN tunnel. The forwarding modes are associated with the various DHCP address assignment modes. For more information on DHCP assignment modes and configuring DHCP scope for IAP-VPN, see Configuring DHCP Scopes on page 231.
The following DHCP modes are supported:
- NAT Mode: In this mode, the source IP for all client traffic is translated. The traffic destined for the corporate network is translated using the VPN tunnel IP address of the OAW-IAP and is forwarded through the IPsec VPN tunnel. The traffic destined for the non-corporate network is translated using the IP address of the OAW-IAP and is forwarded through the uplink. When the NAT mode is used for forwarding client traffic, hosts on the corporate network cannot establish connections to the clients on the OAW-IAP, because the source address of the clients is translated.
- L2 Switching Mode: In this mode, the traffic destined for the corporate network is bridged through the VPN tunnel to the Switch, and the traffic destined for the non-corporate network is translated using the IP address of the OAW-IAP and is forwarded through the uplink. When an OAW-IAP registers with the Switch and is configured to use the L2 DHCP address assignment mode, the Switch automatically adds the VPN tunnel associated to this OAW-IAP into the VLAN multicast table. This allows the clients connecting to the L2 m
200. ...ailability for your region.

Chapter 3: Setting up an OAW-IAP
This chapter describes the following procedures:
- Setting up AOS-W Instant Network on page 32
- Logging in to the AOS-W Instant UI on page 34
- Accessing the AOS-W Instant CLI on page 35

Setting up AOS-W Instant Network
Before installing an OAW-IAP:
- Ensure that you have an Ethernet cable of the required length to connect an OAW-IAP to the home router.
- Ensure that you have one of the following power sources:
  - IEEE 802.3af/at compliant Power over Ethernet (PoE) source. The PoE source can be any power source equipment (PSE) switch or a midspan PSE device.
  - OAW-IAP power adapter kit.
Perform the following procedures to set up the AOS-W Instant network:
1. Connecting an OAW-IAP on page 32
2. Assigning an IP address to the OAW-IAP on page 32
3. Connecting to a Provisioning Wi-Fi Network on page 33

Connecting an OAW-IAP
Based on the type of the power source used, perform one of the following steps to connect an OAW-IAP to the power source:
- PoE switch: Connect the ENET 0 port of the OAW-IAP to the appropriate port on the PoE switch.
- PoE midspan: Connect the ENET 0 port of the OAW-IAP to the appropriate port on the PoE midspan.
- AC-to-DC power adapter: Connect the 12V DC power jack socket to the AC-to-DC power adapter.
Note: OAW-RAP155P supports PSE for 802.3at powered device (class 0-4) on
201. ...al L3, and Centralized L2 DHCP scopes using the AOS-W Instant UI or CLI. This section describes the following procedures:
- Configuring Distributed DHCP Scopes on page 231
- Configuring Centralized DHCP Scope on page 234
- Configuring Local and Local L3 DHCP Scopes on page 236

Configuring Distributed DHCP Scopes
AOS-W Instant allows you to configure the DHCP address assignment for the branches connected to the corporate network through VPN. You can configure the range of DHCP IP addresses used in the branches and the number of client addresses allowed per branch. You can also specify the IP addresses that must be excluded from those assigned to clients, so that they are assigned statically.
AOS-W Instant supports the following distributed DHCP scopes:
- Distributed L2: In this mode, the Virtual Controller acts as the DHCP server, but the default gateway is in the data center. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the Virtual Controller controls a scope that is a subset of the complete IP address range for the subnet distributed across all the branches. This DHCP assignment mode is used with the L2 forwarding mode.
- Distributed L3: In this mode, the Virtual Controller acts as the DHCP server and the default gateway. Based on the number of clients specified for each branch, the range of IP addresses is
202. ...al-controller-vlan <vcvlan> <vcmask> <vcgw>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Chapter 9: Wireless Network Profiles
This chapter provides the following information:
- Understanding Wireless Network Profiles on page 85
- Configuring WLAN Settings for an SSID Profile on page 86
- Configuring VLAN Settings for a WLAN SSID Profile on page 89
- Configuring Security Settings for a WLAN SSID Profile on page 90
- Configuring Access Rules for a WLAN SSID Profile on page 95
- Configuring Support for Fast Roaming of Clients on page 97
- Editing Status of a WLAN SSID Profile on page 99
- Configuring Additional WLAN SSIDs on page 100
- Editing a WLAN SSID Profile on page 101
- Deleting a WLAN SSID Profile on page 101

Understanding Wireless Network Profiles
During start-up, a wireless client searches for radio signals or beacon frames that originate from the nearest OAW-IAP. After locating the OAW-IAP, the following transactions take place between the client and the OAW-IAP:
1. Authentication: The OAW-IAP communicates with a RADIUS server to validate or authenticate the client.
2. Connection: After successful authentication, the client establishes a connection with the OAW-IAP.

Network Types
AOS-W Instant wireless networks are categorized as:
- Employee network: An Employee network is
203. ...alea Test")# broadcast-filter none
(Instant Access Point)(SSID Profile "Calea Test")# dmo-channel-utilization-threshold 90
(Instant Access Point)(SSID Profile "Calea Test")# local-probe-req-thresh 0
(Instant Access Point)(SSID Profile "Calea Test")# max-clients-threshold 64
(Instant Access Point)(SSID Profile "Calea Test")# end
(Instant Access Point)# commit apply

To verify the configuration:
(Instant Access Point)# show calea config
calea-ip :10.0.0.5
encapsulation-type :gre
gre-type :25944
ip mtu : 150

(Instant Access Point)# show calea statistics
Rt resolve fail : 0
Dst resolve fail : 0
Alloc failure : 0
Fragged packets : 0
Jumbo packets : 2
Total Tx fail : 0
Total Tx ok : 263

Chapter 28: Hotspot Profiles
This chapter describes the following procedures:
- Understanding Hotspot Profiles on page 287
- Configuring Hotspot Profiles on page 288
- Sample Configuration on page 298
Note: In the current release, AOS-W Instant supports the hotspot profile configuration only through the CLI.

Understanding Hotspot Profiles
Hotspot 2.0 is a Wi-Fi Alliance specification based on the 802.11u protocol, which allows wireless clients to discover hotspots using management frames such as beacon, association request, and a
204. ...alue is 5.
Retry count: Enter a value between 1 and 5. The default value is 3.
- CPPM Server for AirGroup CoA: To configure a CPPM server used for AirGroup CoA (Change of Authorization), select the CoA only check box. The RADIUS server is automatically selected.

Table 29: CPPM Server Configuration Parameters for AirGroup CoA
Parameter: Description
Name: Enter the name of the server.
IP address: Enter the IP address of the server.
AirGroup CoA port: Enter a port number for sending AirGroup CoA on a different port than the standard CoA port. The default value is 5999.
Shared key: Enter a shared key for communicating with the external RADIUS server.
Retype key: Re-enter the shared key.

4. Click OK.
Note: The CPPM server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device, including shared user, role, and location.
To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
Note: You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 90 and Configuring Security Settings for a Wired Profile on page 104.

In the CLI
To configure a RADIUS server:
(Instant Access Point)(config)# wlan auth-se
205. ...ame>
(Instant Access Point)(SSID Profile <name>)# end

Configuring Access Rules for a WLAN SSID Profile
This section describes the procedure for configuring security settings for the employee and voice networks only. For information on guest network configuration, see Captive Portal for Guest Access.
If you are creating a new SSID profile, complete the WLAN Settings and configure the VLAN and security parameters before defining access rules. For more information, see Configuring WLAN Settings for an SSID Profile on page 86, Configuring VLAN Settings for a WLAN SSID Profile on page 89, and Configuring Security Settings for a WLAN SSID Profile on page 90.
You can configure up to 64 access rules for an employee, voice, or guest network using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure access rules for an employee or voice network:
1. In the Access Rules tab, set the slider to any of the following types of access control:
- Unrestricted: Select this to set unrestricted access to the network.
- Network-based: Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an access rule:
  a. Click New.
  b. Select the appropriate options in the New Rule window.
  c. Click OK.
- Role-based: Select Role-based
206. ...an admin user:
(Instant Access Point)(config)# mgmt-user <username> <password>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To configure RADIUS authentication parameters:
(Instant Access Point)(config)# mgmt-auth-server <authentication_server1>
(Instant Access Point)(config)# mgmt-auth-server <authentication_server2>
(Instant Access Point)(config)# mgmt-auth-server-load-balancing
(Instant Access Point)(config)# mgmt-auth-server-local-backup
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring Guest Management Interface Administrator Credentials
You can configure guest administrator credentials in the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed.
3. Under Guest Registration Only:
  a. Specify a Username and Password.
  b. Retype the password to confirm.
4. Click OK. When the guest management administrator logs in with these credentials, the guest management interface is displayed.

In the CLI
To configure guest management administrator credentials:
(Instant Access Point)(config)# mgmt-user <username> <password> guest-mgmt
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
207. ...an external servers are already configured. Select New to configure any of the following servers as an external server:
- RADIUS Server
- LDAP Server
- CPPM Server for AirGroup CoA
For information on configuring external servers, see Configuring an External Server for Authentication on page 144.
To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see User Management on page 128.
If an external server is selected, you can also configure another authentication server.
Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced.
Specify a value for Reauth interval. When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients.
To enable blacklisting of the clients with a specific number of authentication failures, select Enabled from the Blacklisting drop-down list and specify a value for Max authentication failures. The users who fail to authenticate the number of times specified in the Max authentication failures field are dynamically blacklisted.
[Residue of the table's Security Level Type column: Enterprise, Personal, and Open security levels; Enterprise security level; Enterprise, Personal, and Open security levels; Enterprise, Personal, and Open security levels; Enterprise P]
208. ...and
- starts with: The rule is applied only if the attribute value starts with the string specified in Operand.
- ends with: The rule is applied only if the attribute value ends with the string specified in Operand.
- matches regular expression: The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down. The mac-address-and-dhcp-options attribute and matches regular expression are applicable only for the WLAN clients.
6. Enter the string to match in the String text box.
7. Select the appropriate role from the Role drop-down list.
8. Click OK.
Note: When Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.

In the CLI
To configure role assignment rules for a WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression}<operator><role>|value-of}
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

To configure role assignment rules for a wired profile:
(Instant Access Point)(config)# wired-port
209. ...andwidth contracts to the user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the OAW-IAP) or downstream (OAW-IAP to clients) traffic for a user role. All users in that role will be part of that bandwidth contract. The administrators can also set per-user bandwidth to provide a specific bandwidth for each user connecting to the SSID or wired profile.

AOS-W Instant supports the 802.11r roaming standard. As part of the 802.11r implementation, AOS-W Instant supports the Fast BSS Transition protocol. The Fast BSS Transition mechanism minimizes the time required to resume data connectivity when a BSS transition happens.

AOS-W Instant also supports opportunistic key caching (OKC) based roaming. In OKC-based roaming, the 802.1X authentication profile enables a cached pairwise master key (PMK), which is used when a client roams to a new OAW-IAP. This allows faster roaming of clients between the OAW-IAPs in a cluster without the need for a complete 802.1X authentication.

OAW-IAP220 Series supports link aggregation using either standard port-channel (configuration-based) or Link Aggregation Control Protocol (protocol signaling-based).

AOS-W Instant now supports a guest management interface for managing guest users.

AOS-W Instant supports integration with Application and Location Engine (ALE). The ALE server acts as a primary interface to all third-party applications, and the OAW-IAP sends client informat
210. ...ane. For example, the graph shows that the free memory of the OAW-IAP is 64 MB at 12:13 hours.

Table 10: Access Point View, Usage Trends and Monitoring Procedures
Graph Name: Clients
Description: The Clients graph shows the number of clients associated with the selected OAW-IAP for the last 15 minutes. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the OAW-IAP for the last 15 minutes. To see the exact number of clients associated with the selected OAW-IAP at a particular time, hover the cursor over the graph line.
Monitoring Procedure: To check the num

Graph Name: Throughput
Description: The Throughput graph shows the throughput for the selected OAW-IAP for the last 15 minutes.
- Outgoing traffic: Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
- Incoming traffic: Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line.
To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the OAW-IAP for the last 15 minutes. To see the exact throughput of the selected OAW-IAP at a particular time, hover the cursor over the graph line.
211. ...ansmission (EIRP) configured on an AP is not supported by the AP model, the value is reduced to the highest supported power setting. The default value for maximum transmit power is 127 dBm.
Client aware: Select Enabled to allow ARM to control channel assignments for the APs with active clients. When the Client aware mode is set to Disabled, the OAW-IAP may change to a more optimal channel, which may disrupt current client traffic. The Client aware option is Enabled by default.
Scanning: Select Enabled so that the OAW-IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and reports to the OAW-IAP. This scanning report includes WLAN coverage, interference, and intrusion detection data. Note: For client match configuration, ensure that scanning is enabled.
Wide Channel Bands: Select a band to allow the APs to be placed in 40 MHz wide band channels. The Wide channel band allows administrators to configure 40 MHz channels in the 2.4 GHz and 5.0 GHz bands. 40 MHz channels are two 20 MHz adjacent channels that are bonded together. A 40 MHz channel effectively doubles the frequency bandwidth available for data transmission. For high performance, you can select 5 GHz. If the AP density is low, enable it in the 2.4 GHz band.
80 MHz Support: Enables or disables the use of 80 MHz channels on APs. This feature allows ARM to assign 80 MHz channels on APs with 5 GHz radios, which support very high throughput. This setting is
212. ...ant Main Window
[Figure residue: screenshot of the main window showing the Alcatel-Lucent banner with the Virtual Controller name, the Search box, and the Networks, Access Points, and Clients tabs with their counts.]

The main window consists of the following elements:
- Banner
- Search
- Tabs
- Links
- Views

Banner
The banner is a horizontal rectangle that appears at the top left corner of the AOS-W Instant main window. It displays the company name, logo, and Virtual Controller's name.

Search
Administrators can search for an OAW-IAP, client, or a network in the Search text box. When you type a search text, the search function suggests matching keywords and allows you to automatically complete the search text entry.

Tabs
The AOS-W Instant main window consists of the following tabs:
- Networks Tab: Provides information about the network profiles configured in the Instant network.
- Access Points Tab: Provides information about the OAW-IAPs configured in the Instant network.
- Clients Tab: Provides information about the clients in the Instant network.
Each tab appears in a compressed view by default. The number of networks, OAW-IAPs, or clients in the network precedes the tab names. The individual tabs can be expanded or collapsed by clicking on the tabs. The list items in each tab can be sorted by clicking the triangle icon next to
213. ...ant UI or CLI.

In the AOS-W Instant UI
To configure a mobility domain, perform the following steps:
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click the Show advanced options link. The advanced options are displayed.
3. Click L3 Mobility. The L3 Mobility window is displayed.

Figure 66: L3 Mobility Window
[Figure residue: System window with the tabs General, Admin, DHCP, Uplink, L3 Mobility, Enterprise Domains, Monitoring, WISPr, Proxy; the L3 Mobility tab shows Home agent load balancing (Disabled), a Virtual Controller IP Addresses list, and a Subnets list with the columns IP address, Subnet mask, VLAN ID, Virtual controller IP.]

1. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled.
2. Click New in the Virtual Controller IP Addresses section, add the IP address of a Virtual Controller that is part of the mobility domain, and click OK.
3. Repeat Step 2 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain.
4. Click New in the Subnets section and specify the following:
  a. Enter the client subnet in the IP address text box.
  b. Enter the mask in the Subnet mask text box.
  c. Enter the VLAN ID in the home network in the VLAN ID text box.
  d. Enter the home VC IP address for this subnet in the Virtual Controller IP text box.
5. Click OK.

In the CLI
To configure a mobility domain
214. ...aptive Portal Profiles
You can now configure external Captive portal profiles and associate these profiles to a user role or SSID. You can create a set of Captive portal profiles in the Security > External Captive Portal window and associate these profiles with an SSID or a wired profile. You can also create a new Captive portal profile under the Security tab of the WLAN wizard or a Wired Network window. In the current release, you can configure up to eight external Captive portal profiles.
When the Captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication.
When a Captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the Captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the Captive portal unless explicitly permitted.

Creating a Captive Portal Profile
You can create a Captive portal profile using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click Security > External Captive Portal.
2. Click New. The New pop-up window is displayed.
3. Specify values for the following parameters:

Table 21: Captive Portal Profile Configuration Parameters
Parameter: Description
En
215. ...are one-time token cards such as SecurID, and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the OAW-IAP to an external authentication server for user data backup.
EAP Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.

Supported VSAs
AOS-W Instant supports the following VSAs for user role and VLAN derivation rules:
AP-Group, AP-Name, ARAP-Features, ARAP-Security, ARAP-Security-Data, ARAP-Zone-Access, Acct-Authentic, Acct-Delay-Time, Acct-Input-Gigawords, Acct-Input-Octets, Acct-Input-Packets, Acct-Interim-Interval, Acct-Link-Count, Acct-Multi-Session-Id, Acct-Output-Gigawords, Acct-Output-Octets, Acct-Output-Packets, Acct-Session-Id, Acct-Session-Time, Acct-Status-Type, Acct-Terminate-Cause, Acct-Tunnel-Packets-Lost, Add-Port-To-IP-Address, Aruba-AP-Group, Aruba-AP-Name, Aruba-AS-Credential-Hash, Aruba-AS-User-Name, Aruba-Admin-Role, Aruba-AirGroup-Device-Type, Aruba-AirGroup-Shared-Role, Aruba-AirGroup-Shared-User, Aruba-AirGroup-User-Name, Aruba-Auth-Survivability, Aruba-CPPM-Role, Aruba-Device-Type, Aruba-Essid-Name, Aruba-Framed-IPv6-Address, Aruba-Location-Id, Aruba-Mdps-Device-Iccid, Aruba-Mdps-Device-Imei, Aruba-Mdps-Device-Name, Aruba-Mdps-Device-Product, Aruba-Mdps-Device-Serial
216. ary that indicates the status of the Internet availability, uplink, cellular modem and signal strength, VPN, and OmniVista configuration details before logging in to the AOS-W Instant UI. The following figure shows the information displayed in the connectivity summary.

Figure 3: Connectivity Summary (screenshot showing Internet: Reachable, Active uplink, Cellular Provider: No modem installed, Cellular Signal: No modem installed, Primary VPN: Down, Secondary VPN: Down, AirWave: Not configured)

The Internet status is available only if the Internet failover feature (System > Show advanced option > uplink > Internet failover) is enabled. The cellular provider and cellular strength information is only available when a 3G or 4G modem is in use.

Language

The Language drop-down lists the languages and allows users to select their preferred language before logging in to the AOS-W Instant UI. A default language is selected based on the language preferences in the client desktop operating system or browser. If AOS-W Instant cannot detect the language, then English is used as the default language.

You can also select the required language option from the Languages drop-down located at the bottom left corner of the AOS-W Instant main window.

Main Window

On logging into Instant, the Instant UI Main Window is displayed. The following figure shows the AOS-W Instant main window.

Figure 4: AOS-W Inst
217. as both DHCP server and default gateway. Traffic is routed into the VPN tunnel.

Table 47: Distributed DHCP Mode Configuration Parameters (continued)

VLAN: Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 89 and Configuring VLAN for a Wired Profile on page 103.

If Distributed L2 is selected for the type of DHCP scope, specify the subnet mask. The subnet mask and the network determine the size of the subnet.

Default router: If Distributed L2 is selected for the type of DHCP scope, specify the IP address of the default router.

DNS server: If required, specify the IP address of a DNS server.

If required, specify the domain name.

Specify a lease time for the client in minutes.

IP Address Range: Specify a range of IP addresses to use. To add another range, click the icon. You can specify up to four different ranges of IP addresses. For Distributed L2 mode, ensure that all IP ranges are in the same subnet as the default router. On specifying the IP address ranges, a subnet validation is performed to ensure that the specified ranges of IP addresses are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count. For Distributed L3 mode
218. ased Captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled.

If the OAW-IAP clients need to authenticate to the RADIUS servers through a different IP address and VLAN, ensure that the following steps are completed:
1. Enable dynamic RADIUS proxy.
2. Configure dynamic RADIUS proxy IP, VLAN, netmask, and gateway for each authentication server.
3. Associate the authentication servers to the SSID or wired profile to which the clients connect.

After completing the above-mentioned configuration steps, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.

Enabling Dynamic RADIUS Proxy

You can enable RADIUS Server Support using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To enable RADIUS server support:
1. In the AOS-W Instant main window, click the System link. The System window is displayed.
2. In the General tab of the System window, select Enabled from the Dynamic RADIUS Proxy drop-down list.
3. Click OK.

When dynamic RADIUS proxy is enabled, ensure that a static Virtual Controller IP is configured. For more information on configuring the Virtual Controller IP address, see Virtual Controller IP Address Configuration on page 83.

When dynamic RADIUS proxy is enabled, the Virtual Controller network uses the IP Address of the Virtual Co
219. assword, and domain name.
1. From a server running Windows Server 2008, navigate to Server Manager > Roles > DHCP Server > domain DHCP Server > IPv4.
2. Right-click IPv4 and select Set Predefined Options.

Figure 89: Instant and DHCP options for Omnivista, Set Predefined Options (screenshot of the Server Manager DHCP Server IPv4 context menu over a list of scopes; the menu items shown include Display Statistics, New Scope, New Superscope, New Multicast Scope, Define User Classes, Define Vendor Classes, Reconcile All Scopes, Set Predefined Options, Refresh, and Export List)

3. Select DHCP Standard Options in the Option class drop-down list and then click Add.
4. Enter the following information:
Name: AOS-W Instant
Data Type: String
Code: 60
220. be registered by an administrator or a guest user.
1. The AirGroup administrator gives an end user the AirGroup operator role, which authorizes the user to register the user's device, such as an Apple TV, on the CPPM platform.
2. AOS-W Instant maintains information for all mDNS services. AOS-W Instant queries CPPM to map each device's access privileges to available services.
3. AOS-W Instant responds back to the query made by a device based on contextual data such as user role, username, and location.

Figure 99: AirGroup Enables Personal Device Sharing (sequence diagram between Bob's two devices, Instant, ClearPass, and the guest device registration portal: Bob associates to the WLAN and sends an mDNS broadcast request to find his Apple TV for AirPlay; no match is found; Bob registers the Apple TV using the device registration portal, which notifies AirGroup of a device visibility change; the next mDNS broadcast request is answered with Bob's Apple TV, and AirPlay to the Apple TV proceeds)

AirGroup Solution

In large universities and enterprise networks, it i
221. ber of clients associated with the OAW-IAP for the last 15 minutes:
1. Log in to the AOS-W Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the OAW-IAP for which you want to monitor the client association. The OAW-IAP view is displayed.
3. Study the Clients graph. For example, the graph shows that six clients are associated with the OAW-IAP at 12:11 hours.

To check the throughput of the selected OAW-IAP for the last 15 minutes:
1. Log in to the AOS-W Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the OAW-IAP for which you want to monitor the throughput. The OAW-IAP view is displayed.
3. Study the Throughput graph. For example, the graph shows 44.03 Kbps incoming traffic throughput at 12:08 hours.

The following table describes the RF trends graphs available in the client view.

Table 11: Client View RF Trends Graphs and Monitoring Procedures
Description: The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average signal statistics of the client for the last 15 minutes. To see the exact signal strength at a particular time, move the cursor over the graph line.
Monitoring Procedure: To monitor the signal strength of t
222. bnet Mask Restrict Corporate Access Disabled Delete All Cancel
2. To add a new management subnet:
   Enter the subnet address in Subnet.
   Enter the subnet mask in Mask.
   Click Add.
3. To add multiple subnets, repeat step 2.
4. Click OK.

In the CLI
To configure a management subnet:
(Instant Access Point)(config)# restricted-mgmt-access <subnet-IP-address> <subnet-mask>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring Restricted Access to Corporate Network

You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of the master OAW-IAP, including clients connected to a slave OAW-IAP. You can configure restricted corporate access by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure restricted corporate access:
1. Navigate to Security > Firewall Settings. The Firewall Settings (see Figure 57) tab contents are displayed.
2. Select Enabled from the Restrict Corporate Access drop-down.
3. Click OK.

In the CLI
To configure restricted corporate access:
(Instant Access Point)(config)# restrict-corp-access
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Access Control List Rules

You can use Access Control List (ACL)
223. c: This network provides access to the Internet based on payment. For example, a subscription-based Internet access in a coffee shop, or a hotel offering chargeable in-room Internet access service. The corresponding integer value for this network type is 2.
free public: This network is accessible to all without any charges applied. For example, a hotspot in an airport or other public places that provide Internet access with no additional cost. The corresponding integer value for this network type is 3.

Table 57: Hotspot Configuration Parameters (continued)
Parameter | Description
personal device: This network is accessible for personal devices. For example, a laptop or camera configured with a printer for the purpose of printing. The corresponding integer value for this network type is 4.
emergency services: This network is limited to accessing emergency services only. The corresponding integer value for this network type is 5.
test: This network is used for test purposes only. The corresponding integer value for this network type is 14.
wildcard: This network indicates a wildcard network. The corresponding integer value for this network type is 15.
addtl-roam-cons | Specify the number of additional roaming consortium Organization Identifiers (OIs) advertised by the AP. You can specify up to three additional OIs.
asra | Enable the Additional Steps Required for Access (asra) to i
224. c lock matches block and clock.
Matches the words that begin and end with the given expression. For example, bdown matches downlink, linkdown, shutdown.
Matches the middle of a word. For example, Bvice matches services, devices, serviceID, deviceID, and so on.
Matches the characters at the starting position in a string. For example, bcd matches bcde or bcdf, but not abcd.
Matches any characters that are not listed between the brackets. For example, u link matches downlink, link, but not uplink.
Matches any one occurrence of the pattern. For example, est matches best, nest, rest, test, and so on.
Matches the end of an input string. For example, eth matches Eth but not Ethernet.
Matches the declared element multiple times if it exists. For example, eth matches all occurrences of eth, such as Eth, Ethernet, Eth0, and so on.
Matches the declared element one or more times. For example, aa matches occurrences of aa and aaa.
Matches nested characters. For example, 192 matches any number of the character string 192.
Matches the character patterns on either side of the vertical bar. You can use this expression to construct a series of options.
Matches the beginning of the word. For example, wire matches wired, wireless, and so on.
Matches the end of the word. For example, >list matches blacklist, whitelist, and so on.
Where n is an integer
225. ... 111
In the AOS-W Instant UI ... 111
In the CLI ... 113
Configuring Wired Profile for Guest Access ... 114
In the AOS-W Instant UI ... 114
In the CLI ... 115
Configuring Internal Captive Portal for Guest Network ... 116
In the Instant UI ... 116
In the CLI ... 117
Configuring External Captive Portal for a Guest Network ... 118
External Captive Portal Profiles ... 118
Creating a Captive Portal Profile ... 118
In the AOS-W Instant UI ... 118
In the CLI ... 119
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication ... 120
In the AOS-W Instant UI ... 120
In the CLI ... 121
Configuring External Captive Portal Authentication Using ClearPass Guest ... 121
Creating a Web Login page in the ClearPass Guest ... 121
Configuring the RADIUS Server in AOS-W Instant ... 121
Configuring Guest Logon Role and Access Rules for Guest Users ... 122
In the AOS-W Instant UI ... 122
In the CLI ... 122
Configuring Captive Portal Roles for an SSID ... 123
In the AOS-W Instant UI ... 124
In the CLI ... 125
226. cedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings using the AOS-W Instant UI or CLI.

Creating community strings for SNMPv1 and SNMPv2 Using AOS-W Instant UI

To create community strings for SNMPv1 and SNMPv2:
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click the Monitoring tab. The following figure shows the SNMP configuration parameters displayed in the Monitoring tab.

Figure 112: Monitoring Tab, SNMP Configuration Parameters (screenshot showing the Servers section with Syslog server and TFTP Dump Server set to 0.0.0.0; the Syslog Facility Levels section with Syslog, System, AP Debug, User, Network, User Debug, Security, and Wireless all set to Warning; and the SNMP section with Community Strings for SNMPV1 and SNMPV2, Users for SNMPV3 (Name, Authentication Protocol, Privacy Protocol), SNMP Traps, and SNMP Trap Receivers (IP Address, Version, Community, Username, Inform))

3. Click New in the Community Strings for SNMPV1 and SNMPV2 box.
4. Enter the string in the New Community String text box.
5. Click OK.

To delete a community string, select the string and click Delete.

Creating community strings for SNMPv3 Using AOS-W Instant UI

To create community strings for SNMPv3:
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click the Monitoring tab. The SNMP configura
227. certificate verification, such as certificate type, format, version, serial number, and so on, before accepting the certificate and uploading it to an OAW-IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the Virtual Controller. After the VC receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS server.

To load a certificate in Omnivista:
1. Navigate to Device Setup > Certificate and then click Add to add a new certificate. The Certificate window is displayed.
2. Enter the certificate Name and click Choose File to browse and upload the certificate.

Figure 52: Loading Certificate via Omnivista (screenshot of the Device Setup > Certificate page, with the fields Certificate Name, Certificate File (Choose File, No file chosen), passphrase, Confirm passphrase, Format: DER, and Type: Server Cert)

3. Select the appropriate Format that matches the certificate file name. Select Server Cert for certificate Type and provide the passphrase if you want to upload a server certificate. Select either Intermediate CA or Trusted CA certificate Type if you want to upload a CA certificate.

Figure 53: Server Certificate (screenshot; only the navigation bar is recoverable)
228. cess to their organization's network. A VPN ensures privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). Data is encrypted at the sending end and decrypted at the receiving end.

Officially known as IMT-2000 direct spread, an ITU standard derived from Code Division Multiple Access (CDMA), Wideband code division multiple access (W-CDMA) is a third-generation (3G) mobile wireless technology that promises much higher data speeds to mobile and portable wireless devices than commonly offered in today's market.

Table 66: List of Terms (continued)
Term | Definition
Wi-Fi | A term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard. Wi-Fi has gained acceptance in many businesses, agencies, schools, and homes as an alternative to a wired LAN. Many airports, hotels, and fast-food facilities offer public access to Wi-Fi networks.
WEP | Wired equivalent privacy. WEP is a security protocol specified in 802.11b, designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. Data encryption protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms such as password protection, end-to-end encryption, virtual private networks (VPNs), and authentication can be put in place to ensure privacy.
229. cified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
Enter the string to match in the String field.
Select the appropriate VLAN ID from the VLAN drop-down list.
Click OK.
Ensure that all other required parameters are configured.
Click Finish to apply the changes.

In the CLI
To create a VLAN assignment rule for a WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-vlan <attribute>{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression}<operator><VLAN-ID>|value-of
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

To configure a VLAN assignment rule for a wired profile:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# set-vlan <attribute>{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression}<operator><VLAN-ID>|value-of
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply

Example
(Instant Access Point)(config)# wlan ssid-profile Profile1
230. clients are assigned more airtime than 11a/11g. The 11a/11g clients get more airtime than 11b. The ratio is 16:4:1.
5. For Spectrum load balancing, specify the following parameters:

Table 40: Spectrum Load Balancing Configuration Parameters
Parameter | Description
Client match | Select Enabled to enable the Client match feature on APs. When enabled, the client count will be balanced among all the channels in the same band. For more information, see Client Match on page 211. When client match is enabled, ensure that Scanning is enabled.
CM calculating interval | Specify a value for the calculating interval of Client match. The value specified for CM calculating interval determines the interval at which client match is calculated. The interval is specified in seconds and the default value is 30 seconds. You can specify a value within the range of 10-600.
CM neighbor matching | Specify a value for CM neighbor matching. This number takes into account the least similarity percentage to be considered as in the same virtual RF neighborhood of client match. You can specify a percentage value within the range of 20-100. The default value is 75.
CM threshold | Specify a value for CM threshold. This number takes the acceptance client count difference among all the channels of Client match into account. When the client load on an AP reaches or exceeds the threshold in comparison, client match is enabled on that AP. You can specify a value within the range of 1-20.
231. col
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile anqp-3gpp <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile anqp-domain-name <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile anqp-ip-addr-avail <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile anqp-nai-realm <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile anqp-nwk-auth <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile anqp-roam-cons <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile anqp-venue-name <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile h2qp-conn-cap <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile h2qp-oper-class <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile h2qp-oper-name <name>
(Instant Access Point)(Hotspot2.0 <name>)# advertisement-profile h2qp-wan-metrics <name>
(Instant Access Point)(Hotspot2.0 <name>)# end
(Instant Access Point)# commit apply

The configuration parameters for associating an advertisement profile with a hotspot profile are described in the following table.

Table 58: Advertisement Association Parameters
Parameter | Description
advertisement-profile | Specify the advertisement pro
232. convert an OAW-IAP:
(Instant Access Point)# convert-aos-ap <mode> <controller-IP-address>

Resetting a Remote AP or Campus AP to an OAW-IAP

The reset button located on the rear of an OAW-IAP can be used to reset the OAW-IAP to factory default settings. To reset an OAW-IAP, perform the following steps:
1. Power off the OAW-IAP.
2. Press and hold the reset button using a small and narrow object such as a paperclip.
3. Power on the OAW-IAP without releasing the reset button. The power LED flashes within 5 seconds, indicating that the reset is completed.
4. Release the reset button. The OAW-IAP reboots with the factory default settings.

NOTE: All APs have a reset button except OAW-IAP175P/175AC. Contact Alcatel-Lucent support for resetting these OAW-IAPs.

Rebooting the OAW-IAP

If you encounter any problem with the OAW-IAPs, you can reboot all OAW-IAPs or a selected OAW-IAP in a network using the AOS-W Instant UI. To reboot an OAW-IAP:
1. Click the Maintenance link. The Maintenance window is displayed.
2. Click the Reboot tab.

Figure 111: Rebooting the OAW-IAP (screenshot of the Maintenance window with the tabs Configuration, Certificates, Firmware, Reboot, and Convert; the prompt "Select the access point you wish to reboot"; and the buttons Reboot selected Access Point, Reboot All, and Close)

3. In the OAW-IAP list, select the OAW-IAP that you want to reboot and click Reboot selected Access Point. To reboot all t
233. count | Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group; the default value is 3 requests.
RFC 3576 | Select Enabled to allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.
NAS IP address | Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets. NOTE: If you do not enter the IP address, the Virtual Controller IP address is used by default when Dynamic RADIUS Proxy is enabled.
NAS identifier | Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
Dead Time | Specify a dead time for the authentication server in minutes. When two or more authentication servers are configured on the OAW-IAP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.
Dynamic RADIUS proxy parameters | Specify the following dynamic RADIUS proxy parameters: DRP IP: IP address to be used as the source IP for RADIUS packets. DRP Mask: Subnet ma
234. counters
Message | RX Good | RX Bad | TX
ILLEGAL | 0 | 0 | 0
SCCRQ | 0 | 0 | 1
(remaining rows: SCCRP, SCCCN, STOPCCN, RESERVED1, HELLO, OCRQ, OCRP, OCCN, ICRQ, ICRP, ICCN, RESERVED2, CDN, WEN, SLI; their counter values are not recoverable from the extracted text)

Configuring Routing Profiles

AOS-W Instant can terminate a single VPN connection on an OmniAccess WLAN Switch. The Routing profile defines the corporate subnets which need to be tunneled through IPSec. You can configure routing profiles to specify a policy based on routing into the VPN tunnel using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure a routing profile:
1. Click Routing in the Tunneling window. The routing details are displayed.
2. Click New. The route parameters to configure are displayed.

Figure 85: Tunneling, Routing (screenshot of the Tunneling window's Routing tab, showing the Routing Table with Destination, Netmask, and Gateway columns and the Route dialog with Destination, Netmask, and Gateway fields)

3. Update the following parameters:
Destination: Specify the destination network that is reachable through the VPN tunnel.
Netmask: Specify the subnet mask of the network that is reachable through the VPN tunnel.
Gateway: Specify the gateway to which traffic must be routed. This IP address must be the Switch IP address on which the VPN connection is terminated.
235. ct any of the following options:
If the server is already configured, select the server from the list.
To create a new external RADIUS server, select New. For more information, see Configuring an External Server for Authentication on page 144.

Specify a value for the reauthentication interval at which the APs periodically reauthenticate all associated and authenticated clients.

Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected.

If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures.

If you are configuring a wireless network profile and Blacklisting is enabled, specify a maximum number of authentication failures after which users who fail to authenticate must be dynamically blacklisted.

Click the link to open the Walled Garden window. The walled garden configuration determines access to the websites. For more information, see Configuring Walled Garden Access on page 126.

Disable if uplink type | Select the type of the uplink to exclude. AOS-W In
236. ct-ap-flood
(Instant Access Point)(IDS)# detect-client-flood
(Instant Access Point)(IDS)# detect-bad-wep
(Instant Access Point)(IDS)# detect-cts-rate-anomaly
(Instant Access Point)(IDS)# detect-rts-rate-anomaly
(Instant Access Point)(IDS)# detect-invalid-addresscombination
(Instant Access Point)(IDS)# detect-malformed-htie
(Instant Access Point)(IDS)# detect-malformed-assoc-req
(Instant Access Point)(IDS)# detect-malformed-frame-auth
(Instant Access Point)(IDS)# detect-overflow-ie
(Instant Access Point)(IDS)# detect-overflow-eapol-key
(Instant Access Point)(IDS)# detect-beacon-wrong-channel
(Instant Access Point)(IDS)# detect-invalid-mac-oui
(Instant Access Point)(IDS)# detect-valid-clientmisassociation
(Instant Access Point)(IDS)# detect-disconnect-sta
(Instant Access Point)(IDS)# detect-omerta-attack
(Instant Access Point)(IDS)# detect-fatajack
(Instant Access Point)(IDS)# detect-block-ack-attack
(Instant Access Point)(IDS)# detect-hotspotter-attack
(Instant Access Point)(IDS)# detect-unencrypted-valid
(Instant Access Point)(IDS)# detect-power-save-dos-attack
(Instant Access Point)(IDS)# detect-eap-rate-anomaly
(Instant Access Point)(IDS)# detect-rate-anomalies
(Instant Access Point)(IDS)# detect-chopchop-attack
(Instant Access Point)(IDS)# detect-tkip-replay-attack
(Instant Access Point)(IDS)# signature-airjack
(Instant Access Point)(IDS)# signature-asleap
(Instant Access Point)(IDS)# protect-ssid
(Instant Access Point)(IDS)# rogue-containment
(Instant Access Point)(IDS)# protect-adhoc-network
(Instant Access Point)(IDS)# protect-ap-impersonation
237. cted to a primary switch without any distributed L2 or L3 subnets.

NOTE: The show iap table command output does not display the Key and Bid Subnet Name details.

Chapter 24: Omnivista Integration and Management

This chapter provides the following information:
Omnivista Features on page 258
Configuring Omnivista on page 260

Omnivista Features

Omnivista is a powerful and easy-to-use network operations system that manages Alcatel-Lucent wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers. With its easy-to-use interface, Omnivista provides real-time monitoring, proactive alerts, historical reporting, and fast, efficient troubleshooting. It also offers tools that manage RF coverage, strengthen wireless security, and demonstrate regulatory compliance.

The OAW-IAPs communicate with Omnivista using the HTTPS protocol. This allows an Omnivista server to be deployed in the cloud, across a NAT device such as a router.

The Omnivista features available in the AOS-W Instant network are described in the following sections.

Image Management

Omnivista allows you to manage firmware updates on WLAN devices by defining a minimum acceptable firmware version for each make and model of a device. It remotely distributes the firmware image to the WLAN devices that require up
238. d L2TPV3 Session configuration
Session Name | Tunnel Name | Local tunnel IP | Tunnel Mask | Tunnel Vlan | Session Cookie Length | Session Cookie | Session Remote End ID
test session 1.1.1.1 255.255.255.0 5 0 0 0

To view the L2TPv3 global configuration:
(Instant Access Point)# show l2tpv3 global parameter
L2TPV3 Global configuration
Instant-C4:42:98

To view the L2TPV3 session status:
(Instant Access Point)# show l2tpv3 session status
Session 1821009927 on tunnel 858508253:
type: LAC Incoming Call, state: ESTABLISHED
created at: Jul 2 04:58:45 2013
administrative name: test session primary
created by admin: YES, peer session id: 12382
session profile name: test session primary
data sequencing required: OFF
use data sequence numbers: OFF
Peer configuration data:
data sequencing required: OFF
framing types:
data rx packets: 16, rx bytes: 1560, rx errors: 0, rx cookie error: 0
data tx packets: 6, tx bytes: 588, tx errors: 0

To view the L2TPV3 tunnel status:
(Instant Access Point)# show l2tpv3 tunnel status
Tunnel 858508253 from 10.13.11.29 to 10.13.11.157:
state: ESTABLISHED
created at: Jul 2 04:58:25 2013
administrative name: test tunnel primary
created by admin: YES, tunnel mode: LAC, persist: YES
local host name: Instant-C4:42:98
peer tunnel id: 1842732147, host name: arubal600pop636635 hsbtst2 aus
UDP ports: local 1701, peer 3000
session
239. d client, and all its traffic is forwarded to the home network through a GRE tunnel.

Configuring L3 Mobility

To configure a mobility domain, you have to specify the list of all AOS-W Instant networks that form the mobility domain. To allow clients to roam seamlessly among all the APs, specify the Virtual Controller IP for each foreign subnet. You may include the local Instant or Virtual Controller IP address so that the same configuration can be used across all AOS-W Instant networks in the mobility domain.

It is recommended that you configure all client subnets in the mobility domain. When client subnets are configured:
If a client is from a local subnet, it is identified as a local client. When a local client starts using the IP address, the L3 roaming is terminated.
If the client is from a foreign subnet, it is identified as a foreign client. When a foreign client starts using the IP address, the L3 roaming is set up.

Home Agent Load Balancing

Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the Virtual Controller assigns the home AP for roamed clients by using a round-robin policy. With this policy, the load for the APs acting as Home Agents for roamed clients is uniformly distributed across the OAW-IAP cluster.

Configuring a Mobility Domain for AOS-W Instant

You can configure an L3 mobility domain by using AOS-W Inst
240. d routes are installed or not: (host)# show ip route. Codes: C connected, O OSPF, R RIP, S static, M mgmt, U route usable, * candidate default, V RAPNG VPN. Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10. Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10. Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10. Gateway of last resort is 10.15.148.254 to network 0.0.0.0 at cost 1. S* 0.0.0.0/0 [1/0] via 10.15.148.254. V 12.12.2.0/24 [10/0] ipsec map. V 12.12.12.0/25 [10/0] ipsec map. V 12.12.12.32/27 [10/0] ipsec map. V 50.40.40.0/24 [10/0] ipsec map. V 51.41.41.128/25 [10/0] ipsec map. V 53.43.43.32/27 [10/0] ipsec map. V 54.44.44.16/28 [10/0] ipsec map. C 9.9.9.0/24 is directly connected, VLAN9. C 10.15.148.0/24 is directly connected, VLAN1. C 43.43.43.0/24 is directly connected, VLAN132. C 42.42.42.0/24 is directly connected, VLAN123. C 44.44.44.0/24 is directly connected, VLAN125. C 182.82.82.12/32 is an ipsec map 10.15.149.69-182.82.82.12. C 182.82.82.14/32 is an ipsec map 10.17.87.126-182.82.82.14. VPN Configuration: The following VPN configuration steps on the switch enable OAW-IAPs to terminate their VPN connection on the switch. Whitelist Database Configuration: The whitelist database is a list of the MAC addresses of the OAW-IAPs that are allowed to establish VPN connectio
241. data transfer speed graph of a client, click on the speed icon against the client in the Speed column. Description: Utilization: Displays the radio utilization rate of the OAW-IAPs. Depending on the percentage of utilization, the color of the lines on the Utilization icon changes from Green > Orange > Red: Green, utilization is less than 50 percent; Orange, utilization is between 50-75 percent; Red, utilization is more than 75 percent. To view the utilization graph of an OAW-IAP, click the Utilization icon next to the OAW-IAP in the Utilization column. 4. Noise icon: Displays the noise floor details for the OAW-IAPs. Noise is measured in decibels/meter. Depending on the noise floor, the color of the lines on the Noise icon changes from Green > Orange > Red: Green, noise floor is more than -87 dBm; Orange, noise floor is between -80 dBm and -87 dBm; Red, noise floor is less than -80 dBm. To view the noise floor graph of an OAW-IAP, click the Noise icon next to the OAW-IAP in the Noise column. 5. Errors: Displays the errors for the OAW-IAPs. Depending on the errors, the color of the lines on the Errors icon changes from Green > Yellow > Red: Green, errors are less than 5000 frames per second; Orange, errors are between 5000-10000 frames per second; Red, errors are more than 10000 frames per second. To view the errors graph of an OAW-IAP, clic
242. dates, and it schedules the firmware updates such that updating is completed without requiring you to manually monitor the devices. The following models can be used to upgrade the firmware: Automatic: In this model, the Virtual Controller periodically checks for newer updates from a configured URL and automatically initiates upgrade of the network. Manual: In this model, the user can manually start a firmware upgrade for each Virtual Controller or set the desired firmware preference per group of devices. OAW-IAP and Client Monitoring: OmniVista allows you to find any OAW-IAP or client on the wireless network and to see real-time monitoring views. These monitoring views can be used to aggregate critical information and high-end monitoring information. In the OmniVista User Interface (UI), you can select either Manage (Read/Write) or Monitor-only + Firmware Upgrades as management modes. When the Management level is set to Manage (Read/Write), the AOS-W Instant UI is in read-only mode. If the OmniVista Management Level is set to Monitor-only + Firmware Upgrades mode, the Instant UI changes to the read-write mode. Template-based Configuration: OmniVista automatically creates a configuration template based on any of the existing OAW-IAPs, and it applies that template across the network as shown in the following figure. It audits every device on an ongoing basis to ensure that configurations never vary from the enterprise policies. It alerts you whenever a
243. de Chapter 8 Virtual Controller Configuration. This chapter provides the following information: Virtual Controller Overview; Virtual Controller IP Address Configuration. Virtual Controller Overview: AOS-W Instant does not require an external to regulate and manage the Wi-Fi network. Instead, one OAW-IAP in every network assumes the role of Virtual Controller. It coordinates, stores, and distributes the settings required to provide a centralized functionality to regulate and manage the Wi-Fi network. The Virtual Controller is the single point of configuration and firmware management. When configured, the Virtual Controller sets up and manages the VPN tunnel to a in the data center. The Virtual Controller also functions like any other AP with full RF scalability. It also acts as a node, coordinating DHCP address allocation for network address translated clients and ensuring mobility of the clients when they roam between different OAW-IAPs. Master Election Protocol: The Master Election Protocol enables the AOS-W Instant network to dynamically elect an OAW-IAP to take on a Virtual Controller role and allow graceful failover to a new Virtual Controller when the existing Virtual Controller is not available. This protocol ensures stability of the network during initial startup or when the Virtual Controller goes down by allowing only one OAW-IAP to self-elect as a Virtual Controller. Preference to an OAW-IAP with 3G/4G Card
244. de users are limited to 128000 for 7220/7240 and 64000 across all platforms. OSPF Configuration: OSPF (Open Shortest Path First) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. The premise of OSPF is that the shortest or fastest routing path is used. The implementation of OSPFv2 allows switches to deploy effectively in a Layer 3 topology. The switches can act as default gateway for all clients and forward user packets to the upstream router. Each IAP-VPN can be defined a separate subnet derived from the corporate intranet pool to allow IAP-VPN devices to work independently. For sample topology and configuration, see the AOS-W Instant User Guide. To redistribute IAP-VPN routes into the OSPF process, use the following command: (host)(config)# router ospf redistribute rapng-vpn. To verify if the redistribution of the IAP-VPN is enabled, use the following command: (host)# show ip ospf redistribute. Redistribute RAPNG. To configure an aggregate route for IAP-VPN routes, use the following command: (host)(config)# router ospf aggregate-route rapng-vpn. To view the aggregated routes for IAP-VPN routes, use the following command: (host)# show ip ospf rapng-vpn aggregate-routes. RAPNG VPN aggregate routes: 201.201.200.0 255.255.252.0 5 268779624; 100.100.2.0 255.255.255.0 1 10. To verify the details of a configured aggregated route, use the following command: (host)
245. ding Certificates using OmniVista 161; Roles and Policies 164; Firewall Configuration 164; Configuring ALG Protocols 164; In the AOS-W Instant UI 164; In the CLI 165; Configuring Firewall Settings for Protection from ARP Attacks 166; In the AOS-W Instant UI 166; In the CLI 166; Managing Inbound Traffic 167; Configuring Management Subnets 167; In the AOS-W Instant UI 167; In the CLI 168; Configuring Restricted Access to Corporate Network 168; In the AOS-W Instant UI 168; In the CLI 168; Access Rules 169; Configuring Access Rules 169; In the Instant UI 169; In the CLI 171; Configuring Network Address Translation 171; Configuring a Source NAT Access Rule 172; In the AOS-W Instant UI 172; In the CLI 172; Config
246. dio Profile)# interference-immunity 3; (Instant Access Point)(RF dot11a Radio Profile)# csa-count 2; (Instant Access Point)(RF dot11a Radio Profile)# spectrum-monitor; (Instant Access Point)(RF dot11a Radio Profile)# end; (Instant Access Point)# show uncommitted-config: rf dot11a-radio-profile, no legacy-mode, beacon-interval 200, no dot11h, interference-immunity 3, csa-count 1, no spectrum-monitor; (Instant Access Point)# commit apply. Using Sequence-Sensitive Commands: The AOS-W Instant CLI does not support positioning or precedence of sequence-sensitive commands. Therefore, Alcatel-Lucent recommends that you remove the existing configuration before adding or modifying the configuration details for sequence-sensitive commands. You can either delete an existing profile or remove a specific configuration by using the no commands. The following table lists the sequence-sensitive commands and the corresponding no command to remove the configuration. Table 6 Sequence-Sensitive Commands (Sequence-Sensitive Command / Corresponding no command): opendns <username> <password> / no opendns; rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat <IP-address> <port>} / no rule <dest> <mask> <match> <protocol> <start-port> <end-port> permi
247. direction. dns-redirect: When configured, additional information on the network is provided through DNS redirection. This option requires you to specify a redirection URL string as an IP address, FQDN, or URL. Configuring a Roaming Consortium Profile: You can configure a roaming consortium profile to send the roaming consortium information as an ANQP IE in a GAS query response. To configure a roaming consortium profile, enter the following commands at the command prompt: (Instant Access Point)(config)# hotspot anqp-roam-cons-profile <name>; (Instant Access Point)(roaming-consortium <name>)# roam-cons-oi <roam-cons-oi>; (Instant Access Point)(roaming-consortium <name>)# roam-cons-oi-len <roam-cons-oi-len>; (Instant Access Point)(roaming-consortium <name>)# enable; (Instant Access Point)(roaming-consortium <name>)# end; (Instant Access Point)# commit apply. Specify a hexadecimal string of 3 to 5 octets for roam-cons-oi <roam-cons-oi>. Based on the OI specified, you can specify the following parameters for the length of OI in roam-cons-oi-len <roam-cons-oi-len>: For 0: 0 octets in the OI (Null); For 3: OI length is 24-bit (3 octets); For 5: OI length is 36-bit (5 octets). Configuring a 3GPP Profile: You can configure a 3rd Generation Partnership Project (3GPP) profile to define information for the 3G Cellular Network for hotspots. To c
248. divided. Based on the IP address range and client count configuration, the DHCP server in the Virtual Controller is configured with a unique subnet and a corresponding scope. You can configure distributed DHCP scopes such as Distributed L2 or Distributed L3 by using the AOS-W Instant UI or CLI. In the AOS-W Instant UI: To configure distributed DHCP scopes such as Distributed L2 or Distributed L3: 1. Click More > DHCP. The DHCP Server window is displayed. 2. To configure a distributed DHCP mode, click New under Distributed DHCP Scopes. The New DHCP Scope window is displayed. The following figure shows the contents of the New DHCP Scope window. Figure 76 New DHCP Scope: Distributed DHCP Mode (fields shown: Network Settings, Name, IP Address Range, Type: Distributed L2, VLAN, Netmask, Default router, DNS server, Domain name, Lease time). 3. Based on the type of distributed DHCP scope, configure the following parameters. Table 47 Distributed DHCP Mode Configuration Parameters (Name / Description): Name: Enter a name for the DHCP scope. Select any of the following options: Distributed L2: On selecting Distributed L2, the Virtual Controller acts as the DHCP Server, but the default gateway is in the data center. Traffic is bridged into the VPN tunnel. Distributed L3: On selecting Distributed L3, the Virtual Controller acts
249. e Monitoring Procedure: To check the number of clients associated with the network for the last 15 minutes: 1. Log in to the AOS-W Instant UI. The Virtual Controller view appears. This is the default view. In the Networks tab, click the network for which you want to check the client association. The Network view is displayed. Study the Clients graph in the Usage Trends pane. For example, the graph shows that one client is associated with the selected network at 12:00 hours. To check the throughput of the selected network for the last 15 minutes: 1. Log in to the AOS-W Instant UI. The Virtual Controller view is displayed. This is the default view. In the Networks tab, click the network for which you want to check the client association. The Network view is displayed. Study the Throughput graph in the Usage Trends pane. For example, the graph shows 22.0 Kbps incoming traffic throughput for the selected network at 12:03 hours. The following table describes the graphs displayed in the Access Point view. Table 10 Access Point View: Usage Trends and Monitoring Procedures (Neighboring APs, CPU Utilization, Neighboring Clients, Memory free (MB) / Description): The Neighboring APs graph shows the number of APs heard by the selected OAW-IAP: Valid APs: An AP that is part of the enterprise providing WLAN service. Interfering AP
250. e rate; (Instant Access Point)(SSID Profile <name>)# bandwidth-limit <limit>; (Instant Access Point)(SSID Profile <name>)# per-user-bandwidth-limit <limit>; (Instant Access Point)(SSID Profile <name>)# air-time-limit <limit>; (Instant Access Point)(SSID Profile <name>)# wmm-background-share <percentage-of-traffic-share>; (Instant Access Point)(SSID Profile <name>)# wmm-best-effort-share <percentage-of-traffic-share>; (Instant Access Point)(SSID Profile <name>)# wmm-video-share <percentage-of-traffic-share>; (Instant Access Point)(SSID Profile <name>)# wmm-voice-share <percentage-of-traffic-share>; (Instant Access Point)(SSID Profile <name>)# rf-band {<2.4>|<5.0>|<all>}; (Instant Access Point)(SSID Profile <name>)# content-filtering; (Instant Access Point)(SSID Profile <name>)# hide-ssid; (Instant Access Point)(SSID Profile <name>)# inactivity-timeout <interval>; (Instant Access Point)(SSID Profile <name>)# work-without-uplink; (Instant Access Point)(SSID Profile <name>)# local-probe-req-thresh <threshold>; (Instant Access Point)(SSID Profile <name>)# max-clients-threshold <number-of-clients>; (Instant Access Point)(SSID Profile <name>)# end; (Instant Access Point)# commit apply
251. e allowed to register their devices. For more information on configuring a RADIUS server with CoA, see Configuring an External Server for Authentication on page 144. You can also create a CoA-only server in the Services > AirGroup > ClearPass Settings > CoA server window. Chapter 26 Integration with Security and Location Services Applications. This chapter describes the following procedures: Configuring an OAW-IAP for Analytics and Location Engine Support on page 276; Integrating an OAW-IAP with Palo Alto Networks Firewall on page 278; Configuring an OAW-IAP for RTLS Support on page 277. Configuring an OAW-IAP for Analytics and Location Engine Support: The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it, and share it through a standard API. The client information gathered by ALE can be used for analyzing a client's internet behavior for business purposes such as shopping preferences. ALE includes a location engine that calculates the associated and unassociated device location every 30 seconds by default. For every device on the network, ALE provides the following information through the Northbound API: Client user name; IP address; MAC address; Device type; Application firewall data, showing the destinations and applications used by associated devices; Current location; Historical location
252. e <name>)# content-filtering. To configure VLAN settings for a wired profile: (Instant Access Point)(config)# wired-port-profile <name>; (Instant Access Point)(wired ap profile <name>)# switchport-mode {<trunk>|<access>}; (Instant Access Point)(wired ap profile <name>)# allowed-vlan <vlan>; (Instant Access Point)(wired ap profile <name>)# native-vlan {guest|1-4095}. To configure a new VLAN assignment rule: (Instant Access Point)(config)# wired-port-profile <name>; (Instant Access Point)(wired ap profile <name>)# set-vlan <attribute> {equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> {<VLAN ID>|value-of}. Configuring Internal Captive Portal for Guest Network: In the Internal Captive Portal type, an internal server is used for hosting the Captive portal service. You can configure internal Captive portal authentication when adding or editing a guest network created for a wireless or wired profile through the Instant UI or CLI. In the Instant UI: 1. Navigate to the WLAN wizard or Wired window. To configure internal captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile. To configure internal captive portal authentication fo
253. e Ethernet interface port number. 4. Click OK. The selected uplink is enforced on the OAW-IAP. In the CLI: To enforce an uplink: (Instant Access Point)(config)# uplink; (Instant Access Point)(uplink)# enforce {cellular|ethernet|wifi|none}; (Instant Access Point)(uplink)# end; (Instant Access Point)# commit apply. Setting an Uplink Priority: You can set an uplink priority by using the AOS-W Instant UI or CLI. In the AOS-W Instant UI: 1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed. 2. Under Uplink Priority List, select the uplink and click the icons at the bottom of the Uplink Priority List section to increase or decrease the priority. By default, the Eth0 uplink is set as a high priority uplink. 3. Click OK. The selected uplink is prioritized over other uplinks. In the CLI: To set an uplink priority: (Instant Access Point)(config)# uplink; (Instant Access Point)(uplink)# uplink-priority {cellular <priority>|ethernet <priority>|[port <Interface-number> <priority>]|wifi <priority>}; (Instant Access Point)(uplink)# end; (Instant Access Point)# commit apply. For example, to set a priority for the Ethernet uplink: (Instant Access Point)(uplink)# uplink-priority ethernet port 0 1; (Instant Access Point)(uplink)# end; (Instant Access Point)# commit apply. En
254. e IP address and netmask for the destination network. Except to a network: Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network. To domain name: Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box. Select this check box if you want a log entry to be created when this rule is triggered. Instant firewall supports a firewall-based logging function. Firewall logs on the OAW-IAPs are generated as syslog messages. Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 158. Classify media: Select the Classify media check box to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic, and the traffic is marked as follows: Video: Priority 5 (Critical); Voice: Priority 6 (Internetwork Control). Disable scanning: Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for an OAW-IAP on page 218. DSCP tag: Select the DSCP tag check box to specify a DSC
255. e OAW-IAP without an Ethernet link functions as a mesh point. The mesh portal can also act as a Virtual Controller. A mesh portal (MPP) uses its uplink connection to reach the switch; a mesh point either meshes through another mesh point or establishes an all-wireless path to the mesh portal. Mesh portals and mesh points are also known as mesh nodes, a generic term used to describe OAW-IAPs configured for mesh. If two OAW-IAPs have valid uplink connections, there is redundancy in the mesh network, and most mesh points try to mesh directly with one of the two portals. However, depending on the actual deployment and RF environment, some mesh points may mesh through other intermediate mesh points. In an AOS-W Instant mesh network, the maximum hop count is two nodes (point > point > portal), and the maximum number of mesh points per mesh portal is eight. Mesh OAW-IAPs detect the environment when they boot up, then locate and associate with their nearest neighbor to determine the best path to the mesh portal. AOS-W Instant mesh functionality is supported only on dual-radio OAW-IAPs. On dual-radio OAW-IAPs, the 5 GHz radio is always used for both mesh backhaul and client traffic, while the 2.4 GHz radio is always used for client traffic. Mesh service is automatically enabled on the 802.11a band for dual-radio OAW-IAPs only, and this is not configurable. The mesh network must be provisioned for the first time by plugging into the wired network. After that, mesh works on OAW-IAP-ROWs like any
256. e Operator Name text box. Enter the E.164 Country Code for the WISPr Location ID in the E.164 Country Code text box. Enter the SSID Zone section for the WISPr Location ID in the SSID Zone text box. Enter the name of the Hotspot location in the Location Name text box. If no name is defined, the name of the OAW-IAP to which the user is associated is used. 10. Click OK to apply the changes. The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU Websites (www.iso.org and http://www.itu.int). NOTE: To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server. A Boingo smart client uses a NAS identifier in the format CarrierID_VenueID for location identification. In the CLI: (Instant Access Point)(config)# wlan wispr-profile; (Instant Access Point)(WISPr)# wispr-location-id-ac; (Instant Access Point)(WISPr)# wispr-location-id-cc; (Instant Access Point)(WISPr)# wispr-location-id-isocc; (Instant Access Point)(WISPr)# wispr-location-id-network; (Instant Access Point)(WISPr)# wispr-location-name-location; (Instant Access Point)(WISPr)# wispr-location-name-operator-name; (Instant Access Point)(WISPr)# end; (Instant Access Point)# commit apply
257. e categories are classified as Fixed Frequency (Other). Fixed Frequency (Other): Note that the RF signatures of the fixed frequency audio, video, and cordless phone devices are very similar, and that some of these devices may be occasionally classified as Fixed Frequency (Other). Frequency Hopper (Cordless Base): Frequency hopping cordless phone base units transmit periodic beacon-like frames at all times. When the handsets are not transmitting (i.e. no active phone calls), the cordless base is classified as Frequency Hopper (Cordless Base). Frequency Hopper (Cordless Network): When there is an active phone call and one or more handsets are part of the phone conversation, the device is classified as Frequency Hopper (Cordless Network). Cordless phones may operate in 2.4 GHz or 5 GHz bands. Some phones use both 2.4 GHz and 5 GHz bands (for example, 5 GHz for Base-to-handset and 2.4 GHz for Handset-to-base). These phones may be classified as unique Frequency Hopper devices on both bands. Frequency Hopper (Xbox): The Microsoft Xbox device uses a frequency hopping protocol in the 2.4 GHz band. These devices are classified as Frequency Hopper (Xbox). Frequency Hopper (Other): When the classifier detects a frequency hopper that does not fall into one of the above categories, it is classified as Frequency Hopper (Other). Some examples include IEEE 802.11 FHSS devices, game consoles, and cordless hands-free devices that do not use one of the known cordless phone p
258. e 178; RADIUS VSA Attributes 178; MAC Address 178; Roles Based on Client Authentication 178; DHCP Option and DHCP Fingerprinting 178; Creating a Role Derivation Rule 179; In the AOS-W Instant UI 179; In the CLI 180; Understanding VLAN Assignment 180; Vendor Specific Attributes (VSA) 180; VLAN Assignment Based on Derivation Rules 181; VLANs Created for an SSID 182; Configuring VLAN Derivation Rules 182; In the AOS-W Instant UI 182; In the CLI 183; Using Advanced Expressions in Role and VLAN Derivation Rules 184; Configuring a User Role for VLAN Derivation 185; Creating a User VLAN Role 185; In the AOS-W Instant UI 185; In the CLI 185; 185; In the A
259. e commands such as configure terminal, the complete exit and end commands must be entered at the command prompt. NOTE. Applying Configuration Changes: Each command processed by the Virtual Controller is applied on all the slaves in a cluster. The changes configured in a CLI session are saved in the CLI context. The CLI does not support configuration data exceeding the 4K buffer size in a CLI session. Therefore, Alcatel-Lucent recommends that you configure fewer changes at a time and apply the changes at regular intervals. To apply and save the configuration changes at regular intervals, use the following command in the privileged mode: (Instant Access Point)# commit apply. To apply the configuration changes to the cluster without saving the configuration, use the following command in the privileged mode: (Instant Access Point)# commit apply no-save. To view the changes that are yet to be applied, use the following command in the privileged mode: (Instant Access Point)# show uncommitted-config. To revert to the earlier configuration, use the following command in the privileged mode: (Instant Access Point)# commit revert. Example: (Instant Access Point)(config)# rf dot11a-radio-profile; (Instant Access Point)(RF dot11a Radio Profile)# beacon-interval 200; (Instant Access Point)(RF dot11a Radio Profile)# no legacy-mode; (Instant Access Point)(RF dot11a Radio Profile)# dot11h; (Instant Access Point)(RF dot11a Ra
260. e name profile, enter the following commands at the command prompt: (Instant Access Point)(config)# hotspot anqp-venue-name-profile <name>; (Instant Access Point)(venue-name <name>)# venue-name <name>; (Instant Access Point)(venue-name <name>)# venue-group <group-name>; (Instant Access Point)(venue-name <name>)# venue-type <type>; (Instant Access Point)(venue-name <name>)# venue-lang-code <language>; (Instant Access Point)(venue-name <name>)# enable; (Instant Access Point)(venue-name <name>)# end; (Instant Access Point)# commit apply. You can specify any of the following venue groups and the corresponding venue types. Table 56 Venue Types (Venue Group / Associated Venue Type Value): unspecified: The associated numeric value is 0. assembly: unspecified, the associated numeric value is 0; arena, the associated numeric value is 1; stadium, the associated numeric value is 2; passenger terminal, the associated numeric value is 3; amphitheater, the associated numeric value is 4; amusement park, the associated numeric value is 5; place of worship, the associated numeric value is 6; convention center, the associated numeric value is 7; library, the associated numeric value is 8; museum, the associated numeric value is 9; restaurant, the associated numeric value is 10; theater, the associated numeric value is 11; bar, the associated numeric value is 12
261. e parameters for Captive Portal role configuration. Figure 40 Captive Portal Rule for Internal Acknowledged Splash Page (New Rule window: Rule type, Splash page type, Splash Page Visuals, Redirect URL). Figure 41 Captive Portal Rule for External Captive portal profile (New Rule window: Rule type, Splash page type, Captive portal profile). Table 23 New Access Rule Configuration Parameters (Field / Description): Rule type: Select Captive Portal from the drop-down list. Splash Page Type: Select any of the following attributes: Select Internal to configure a rule for internal captive portal authentication; Select External to configure a rule for external captive portal authentication. If Internal is selected as the splash page type, perform the following steps: Under Splash Page Visuals, use the editor to specify text and colors for the initial page that would be displayed to users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type configured. To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette. To change the welcome tex
262. e status of L3 roaming clients. AP Log All: Displays all logs for the OAW-IAP. AP Log AP Debug: Displays logs with debugging information for the OAW-IAP. AP Log Conversion: Displays image conversion details for the OAW-IAP. AP Log Driver: Displays the status of drivers configured on the OAW-IAP. AP Log Kernel: Displays logs for the AP's kernel. AP Log Network: Displays network logs for the OAW-IAP. AP Log PPPd: Displays the Point-to-Point Protocol daemon (PPPd) network connection details. AP Log Rapper: Displays rapper information. AP Log Sapd: Displays SAPd logs. AP Log Security: Displays security logs of the OAW-IAP. AP Log System: Displays system logs of the OAW-IAP. AP Log Tunnel Status Management: Displays tunnel status. AP Log Upgrade: Displays image download and upgrade details for the OAW-IAP. AP Log User Debug: Displays user debug logs of the OAW-IAP. AP Log User: Displays user logs of the OAW-IAP. AP Log VPN Tunnel Log: Displays VPN tunnel status for the OAW-IAP. AP Log Wireless: Displays wireless logs of the OAW-IAP. AP Management Frames: Displays the traced 802.11 management frames for the OAW-IAP. AP Memory Allocation State Dumps: Displays the memory allocation details for the OAW-IAP. AP Memory Utilization: Displays memory utilization of the OAW-IAP. AP Mesh Counters: Displays the mesh counters of the OAW-IAP. AP Mesh Link: Displays the mesh
263. e system's internal authentication server with users. This list is used by networks for which per-user authorization is specified using the Virtual Controller's internal authentication server. For more information about users, see User Management on page 128. Roles: Use this window to view the roles defined for all the Networks. The Access Rules part allows you to configure permissions for each role. For more information, see Configuring User Roles on page 175. Blacklisting: Use this window to blacklist clients. For more information, see Blacklisting Clients on page 158. Firewall Settings: Use this window to enable or disable Application Layer Gateway (ALG) supporting address and port translation for various protocols. For more information, see Roles and Policies on page 164. Walled Garden: Use this window to allow or prevent access to a selected list of Websites. For more information, see Configuring Walled Garden Access on page 126. External Captive Portal: Use this window to configure external Captive portal profiles. For more information, see Configuring External Captive Portal for a Guest Network on page 118. The following figure shows the default view of the Security window. Figure 7 Security Window: Default View (tabs: Authentication Servers, Users for Internal Server, Roles, Blacklisting, Firewall Settings, Walled Garden, External Captive Portal).
264. e wireless network that is used for the Wi-Fi uplink in the Name (SSID) text box. 6 Select the type of key for uplink encryption and authentication from the Key management drop-down list. If the uplink wireless router uses mixed encryption, WPA-2 is recommended for the Wi-Fi uplink. 7 From the band drop-down list, select the band in which the Virtual Controller currently operates. The following options are available: 2.4 GHz (default), 5 GHz. 8 Select a passphrase format from the Passphrase format drop-down list. The following options are available: 8-63 alphanumeric characters, 64 hexadecimal characters. Ensure that the hexadecimal password string is exactly 64 digits in length. 9 Enter a pre-shared key (PSK) passphrase in the Passphrase text box and click OK. You can view the Wi-Fi configuration and uplink status in the CLI. To view the configuration status in the CLI: (Instant Access Point)# show wifi-uplink status (output: configured NO) (Instant Access Point)# show wifi-uplink config (output columns: ESSID, Cipher Suite, Passphrase, Band) (Instant Access Point)# show wifi-uplink auth log (output: 1116 2000 01 01 00 00 45 625 Global control interface tmp supp gbl). Uplink Preferences and Switching. This topic describes the following procedures: Enforcing Uplinks on page 196; Setting an Uplink Priority on page 196; Enabling Uplink Preemption on page 197; Switching Upl
265. eate a user role by using the AOS W Instant UI or CLI. In the AOS W Instant UI: To create a user role: 1 Click the Security link at the top right corner of the AOS W Instant main window. The Security window is displayed. 2 Click the Roles tab. The Roles tab contents are displayed. 3 Under Roles, click New. 4 Enter a name for the new role and click OK. NOTE: You can also create a user role when configuring wireless or wired network profiles. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 95 and Configuring Access Rules for a Wired Profile on page 105. In the CLI: To configure user roles and access rules: (Instant Access Point)(config)# wlan access-rule <access-rule-name> (Instant Access Point)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> permit|deny|src-nat|dst-nat <IP-address> <port>|<port> [<option1 ... option9>]. Assigning Bandwidth Contracts to User Roles. Administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. The administrator can assign a bandwidth contract, configured in Kbps, to upstream (client to the OAW IAP) or downstream (OAW IAP to clients) traffic for a user role. The bandwidth contract will not be applicable to the user traffic on the bridged
266. ection is unavailable. The default value is 2. h Select Enabled or Disabled from the Per AP tunnel drop-down list. The administrator can enable this option to create a GRE tunnel from each OAW IAP to the VPN GRE endpoint, rather than the tunnels created just from the master OAW IAP. When enabled, the traffic to the corporate network is sent through a Layer 2 GRE tunnel from the OAW IAP itself and need not be forwarded through the master OAW IAP. Figure 80 Alcatel-Lucent GRE Configuration (Tunneling > Controller: Protocol Aruba GRE; Primary host 192.0.2.2; Backup host 192.0.2.4; Preemption Enabled; Hold time 600 sec; Fast failover Enabled; Reconnect user on failover Enabled; Reconnect time on failover 60 sec; Secs between test packets 5; Max allowed test packet loss 2; Per AP tunnel Enabled). 6 Click Next to continue. In the CLI: To enable automatic configuration of the GRE tunnel: (Instant Access Point)(config)# vpn gre-outside (Instant Access Point)(config)# vpn primary <name|IP-address> (Instant Access Point)(config)# vpn backup <<name|IP-address>> (Instant Access Point)(config)# vpn fast-failover (Instant Access Point)(config)# vpn hold-time <seconds> (Instant Access Point)(config)# vpn preemption (Instant Access Point)(config)# vpn monitor-pkt-lost-cnt <count
267. ed-ap-profile <name>)# po (Instant Access Point)(wired-ap-profile <name>)# uplink-enable (Instant Access Point)(wired-ap-profile <name>)# content-filtering (Instant Access Point)(wired-ap-profile <name>)# spanning-tree (Instant Access Point)(wired-ap-profile <name>)# end (Instant Access Point)# commit apply. Configuring VLAN for a Wired Profile. NOTE: If you are creating a new wired profile, complete the Wired Settings procedure before configuring VLAN. For more information, see Configuring Wired Settings on page 102. You can configure VLAN using the AOS W Instant UI or CLI. In the AOS W Instant UI: To configure VLAN: 1 In the VLAN tab, enter the following information: a Mode: You can specify any of the following modes: - Access: Select this mode to allow the port to carry a single VLAN specified as the native VLAN. - Trunk: Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs. b Specify any of the following values for Client IP Assignment: - Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a
268. ed its home network. When the client roams to a foreign network, an AP in the home network (home AP) anchors all traffic to or from this client. The AP to which the client is connected in the foreign network (foreign AP) tunnels all client traffic to or from the home AP through a GRE tunnel. Figure 65 Routing of traffic when the client is away from its home network (Client C1). When a client first connects to an AOS W Instant network, a message is sent to all configured Virtual Controller IP addresses to see if this is an L3 roamed client. On receiving an acknowledgement from any of the configured Virtual Controller IP addresses, the client is identified as an L3 roamed client. If the AP has no GRE tunnel to this home network, a new tunnel is formed to an AP (home AP) from the client's home network. Each foreign AP has only one home AP per AOS W Instant network to avoid duplication of broadcast traffic. Separate GRE tunnels are created for each foreign AP / home AP pair. If a peer AP is a foreign AP for one client and a home AP for another, two separate GRE tunnels are used to handle L3 roaming traffic between these APs. If client subnet discovery fails on association for some reason, the foreign AP identifies its subnet when it sends out the first L3 packet. If the subnet is not a local subnet and belongs to another Instant network, the client is treated as an L3 roame
269. edirects the URL to the ClearPass Guest login page. Log in to the network with the username and password specified while configuring the RADIUS server. Configuring Guest Logon Role and Access Rules for Guest Users. You can configure up to 64 access rules for a guest network using the AOS W Instant UI or CLI. In the AOS W Instant UI: To configure access rules for a guest network: 1 In the Access Rules tab, set the slider to any of the following types of access control: - Unrestricted: Select this to set unrestricted access to the network. - Network-based: Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an access rule: a Click New. b Select appropriate options in the New Rule window. c Click OK. - Role-based: Select Role-based to enable access based on user roles. For role-based access control: - Create a user role if required. For more information, see Configuring User Roles. - Create access rules for a specific user role. For more information, see Configuring Access Rules on page 169. You can also configure an access rule to enforce Captive portal authentication for an SSID that is configured to use the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID on page 123. - Create a role assignment rule. For more information, see Configuring Derivati
270. ... 97 | Configuring an OAW IAP for 802.11r support 97 | In the AOS W Instant UI 97 | In the CLI 98 | Opportunistic Key Caching 98 | Configuring an OAW IAP for OKC Roaming 99 | In the AOS W Instant UI 99 | In the CLI 99 | Editing Status of a WLAN SSID Profile 99 | In the AOS W Instant UI 100 | In the CLI 100 | Configuring Additional WLAN SSIDs 100 | Enabling the Extended SSID 100 | In the AOS W Instant UI 100 | In the CLI 101 | Editing a WLAN SSID Profile 101 | Deleting a WLAN SSID Profile 101 | Wired Profiles 102 | Configuring a Wired Profile 102 | Configuring Wired Settings 102 | In the AOS W Instant UI 102 | In the CLI 103 | Configuring VLAN for a Wired Profile 103 | In the AOS W Instant UI 103 |
271. ... 70 | In the CLI 70 | Upgrading an OAW IAP 70 | Upgrading an OAW IAP and Image Server 70 | Image Management Using OmniVista 70 | Image Management Using Cloud Server 71 | Configuring HTTP Proxy on an OAW IAP 71 | In the AOS W Instant UI 71 | In the CLI 72 | Upgrading an OAW IAP Using Automatic Image Check 72 | Upgrading to a New Version Manually 72 | Upgrading an Image Using CLI 73 | Enabling Terminal Access 73 | In the AOS W Instant UI 73 | In the CLI 73 | Enabling Auto Join Mode 74 | Disabling Auto Join Mode 74 | Adding an OAW IAP to the Network 74 | Removing an OAW IAP from the Network 74 | Configuring a Preferred Band 74 | In the AOS W Instant UI 74 | In the CLI 75 | Configuring Radio Profiles for an OAW IAP
272. ... 275 | Change of Authorization (CoA) 275 | Integration with Security and Location Services Applications 276 | Configuring an OAW IAP for Analytics and Location Engine Support 276 | ALE with AOS W Instant 276 | Enabling ALE Support on an OAW IAP 276 | In the AOS W Instant UI 276 | In the CLI 277 | Verifying ALE Configuration on an OAW IAP 277 | Configuring an OAW IAP for RTLS Support 277 | In the AOS W Instant UI 277 | In the CLI 278 | Integrating an OAW IAP with Palo Alto Networks Firewall 278 | Integration with AOS W Instant 279 | Configuring an OAW IAP for PAN integration 279 | In the AOS W Instant UI 279 | In the CLI 280 | Lawful Intercept and CALEA Integration 281 | CALEA Integration and Lawful Intercept Compliance 281 | CALEA Server Integration 281 | Traffic Flow from IAP to CALEA Server 281 | Traffic Flow from IAP to CALEA
273. ... 211 | Voice Aware Scanning 211 | Load Aware Scanning 211 | Band Steering Mode 211 | Client Match 211 | Airtime Fairness Mode 212 | Access Point Control 212 | Monitoring the Network with ARM 213 | ... 213 | Configuring ARM Features on an OAW IAP 213 | In the AOS W Instant UI 213 | In the CLI 216 | Configuring Radio Settings for an OAW IAP 218 | In the AOS W Instant UI 218 | In the CLI 219 | Intrusion Detection 221 | Detecting and Classifying Rogue APs 221 | OS Fingerprinting 221 | Configuring Wireless Intrusion Protection and Detection Levels 222 | Containment Methods 226 | Configuring IDS Using CLI 226 | Content Filtering 228 | Content Filtering 228 | Enabling Content Filtering
274. eighboring APs graph in the Overview section. For example, the graph shows that 148 interfering APs are detected by the OAW IAP at 12:04 hours. To check the CPU utilization of the OAW IAP for the last 15 minutes: 1 Log in to the AOS W Instant UI. The Virtual Controller view is displayed. This is the default view. 2 In the Access Points tab, click the OAW IAP for which you want to monitor the client association. The OAW IAP view is displayed. 3 Study the CPU Utilization graph in the Overview pane. For example, the graph shows that the CPU utilization of the OAW IAP is 30 at 12:09 hours. To check the neighboring clients detected by the OAW IAP for the last 15 minutes: 1 Log in to the AOS W Instant UI. The Virtual Controller view is displayed. This is the default view. 2 In the Access Points tab, click the OAW IAP for which you want to monitor the client association. The OAW IAP view is displayed. 3 Study the Neighboring Clients graph in the Overview pane. For example, the graph shows that 20 interfering clients were detected by the OAW IAP at 12:15 hours. To check the free memory of the OAW IAP for the last 15 minutes: 1 Log in to the AOS W Instant UI. The Virtual Controller view is displayed. This is the default view. 2 In the Access Points tab, click the OAW IAP for which you want to monitor the client association. The OAW IAP view is displayed. 3 Study the Memory free graph in the Overview p
275. en wireless Internet service providers, even if the wireless hotspot uses an Internet Service Provider (ISP) with whom the client may not have an account. If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on your hotspot's own ISP as per their service agreements. The OAW IAP assigns the default WISPr user role to the client when your ISP sends an authentication message to the OAW IAP. For more information on WISPr authentication, see Configuring WISPr Authentication on page 157. Supported Authentication Servers. Based on the security requirements, you can configure internal or external RADIUS servers. This section describes the following types of authentication servers and authentication termination, which can be configured for a network profile: External RADIUS Server on page 136; Internal RADIUS Server on page 136; Authentication Termination on OAW IAP on page 137; Supported VSAs on page 137. External RADIUS Server. In the externa
276. enabled by default. NOTE: Only the APs that support 802.11ac can be configured with 80 MHz channels. 7 Reboot the OAW IAP. 8 Click OK. In the CLI: To configure ARM features on an OAW IAP with 5 GHz radio: (Instant Access Point)(config)# arm (Instant Access Point)(ARM)# a-channels <5GHz-channels> (Instant Access Point)(ARM)# min-tx-power <power> (Instant Access Point)(ARM)# max-tx-power <power> (Instant Access Point)(ARM)# band-steering-mode <Prefer 5 GHz>|<Force 5 GHz>|<Balance Bands>|<Disabled> (further ARM commands in this listing were not legible in the extracted text). To view ARM configuration: (Instant Access Point)# (output fields: Minimum Transmit Power, Maximum Transmit Power, Band Steering Mode, Client Aware Scanning, Wide Channel Bands, 80Mhz Support, Air Time Fairness Mode, Client Match, CM NB Matching Percent, CM Calculating Interval, CM SLB Threshold, CM SLB Balancing Mode, CM max client match req, CM max adoption, Custom Channels; 2.4 GHz Channels: Channel/Status: 1 enable, 2 disable, 3 disable, 4 disable, 5 disable, 6 enable, 7 disable, 8 disable, 9 disable, 1 disable
277. ends these credentials to a RADIUS server database. The RADIUS server sends an Access-Accept message to the NAS. If the RADIUS server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The NAS forwards this message to the client, and the client must re-authenticate with appropriate credentials. After the client is authenticated, the RADIUS server forwards the encryption key to the NAS. The encryption key is used for encrypting or decrypting traffic sent to and from the client. NOTE: The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS. Configuring 802.1X authentication for a Wireless Network Profile. You can configure 802.1X authentication for a wireless network profile in the AOS W Instant UI or CLI. In the AOS W Instant UI: To enable 802.1X authentication for a wireless network: 1 In the Network tab, click New to create a new network profile, or select an existing profile for which you want to enable 802.1X authentication and click edit. 2 In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next. 3 In the Security tab, specify the following parameters for the Enterprise security level: a Select any of the following options from the Key management drop-down list: WPA-2 Enterprise; WPA Enterprise; Both (WPA-2 & WPA
278. enet4-port-profile <name> (Instant Access Point)(config)# end (Instant Access Point)# commit apply. Editing a Wired Profile. To edit a wired profile: 1 Click the Wired link under More at the top right corner of the AOS W Instant main window. The Wired window is displayed. 2 In the Wired window, select the wired profile to modify. 3 Click Edit. The Edit Wired Network window is displayed. 4 Modify the required settings. 5 Click Finish to save the modifications. Deleting a Wired Profile. To delete a wired profile: 1 Click the Wired link under More at the top right corner of the AOS W Instant main window. The Wired window is displayed. 2 In the Wired window, select the wired profile to delete. 3 Click Delete. The wired profile is deleted. Chapter 11 Captive Portal for Guest Access. This chapter provides the following information: - Understanding Captive Portal on page 110 - Configuring a WLAN SSID for Guest Access on page 111 - Configuring Wired Profile for Guest Access on page 114 - Configuring Internal Captive Portal for Guest Network on page 116 - Configuring External Captive Portal for a Guest Network on page 118 - Configuring External Captive Portal Authentication Using ClearPass Guest on page 121 - Configuring Guest Logon Role and Access Rules for Guest Users on page 122 - Configuring
279. env gatewayip 192.0.2.2 apboot> save (output: Saving Environment to Flash Un Protected 1 sectors done Erased 1 sectors Writing). 5 Use the printenv command to view the configuration: apboot> printenv. Connecting to a Provisioning Wi-Fi Network. The OAW IAPs boot with the factory default configuration and try to provision automatically. If the automatic provisioning is successful, the instant SSID will not be available. If OmniVista and Activate are not reachable and the automatic provisioning fails, the instant SSID becomes available and users can connect to a provisioning network by using the instant SSID. To connect to a provisioning Wi-Fi network: 1 Ensure that the client is not connected to any wired network. 2 Connect a wireless-enabled client to a provisioning Wi-Fi network, for example, instant. 3 If the Windows OS system is used: a Click the wireless network connection icon in the system tray. The Wireless Network Connection window is displayed. b Click on the instant network and then click Connect. 4 If the Mac OS system is used: a Click the AirPort icon. A list of available Wi-Fi networks is displayed. b Click on the instant network. NOTE: The instant SSIDs are broadcast in 2.4 GHz only. OAW IAP Cluster. OAW IAPs in the same VLAN automatically find each other and form a single functioning network managed by a Virtual Controller. Moving an OAW IAP from one cluster to another requires a factory reset of the OAW IAP
280. er Window (New Authentication Server: RADIUS / LDAP / CoA only; fields: Name, IP address, Auth port, Accounting port, Shared key, Retype key, Timeout, Retry count, RFC 3576 (Disabled), NAS IP address, NAS identifier, Dead time, DRP IP, DRP Mask, DRP VLAN, DRP Gateway). 3 Configure any of the following types of server: - RADIUS Server: To configure a RADIUS server, specify the attributes described in the following table. Table 27 RADIUS Server Configuration Parameters (Parameter: Description). Name: Enter the name of the new external RADIUS server. IP address: Enter the IP address of the external RADIUS server. Auth port: Enter the authorization port number of the external RADIUS server. The default port number is 1812. Accounting port: Enter the accounting port number. This port is used for sending accounting records to the RADIUS server. The default port number is 1813. Shared key: Enter a shared key for communicating with the external RADIUS server. Retype key: Re-enter the shared key. Timeout: Specify a timeout value in seconds. The value determines the timeout for one RADIUS request. The OAW IAP retries sending the request several times, as configured in the Retry count, before the user gets disconnected. For example, if the Timeout is 5 seconds and the Retry count is 3, the user is disconnected after 20 seconds. The default value is 5 seconds. Retry
281. er the appropriate IP address in the IP text box. d Click OK. 4 Click Finish. Deny bootp Service except to a Particular Network. To define a deny bootp service access rule except to a network: 1 Select an existing wireless or wired profile. Depending on the network profile selected, the Edit <WLAN Profile> or Edit Wired Network window is displayed. NOTE: You can also configure access rules in the Access tab of the New WLAN and New Wired Network windows when configuring a new profile. 2 In the Access tab, slide to Network-based using the scroll bar to specify access rules for the network. 3 Click New to add a new rule. The New Rule window is displayed. a Select Deny from the Action drop-down list. b Select bootp from the Service drop-down list. c Select except to a network from the Destination drop-down list. d Enter the appropriate IP address in the IP text box. e Enter the appropriate netmask in the Netmask text box. f Click OK. 4 Click Finish. Configuring User Roles. Every client in the AOS W Instant network is associated with a user role, which determines the client's network privileges, the frequency of reauthentication, and the applicable bandwidth contracts. The user role configuration on an OAW IAP involves the following procedures: - Creating a User Role on page 175 - Assigning Bandwidth Contracts to User Roles - Configuring Machine and User Authentication Roles on page 177. Creating a User Role. You can cr
282. ernal error for this client. The OAW IAP cannot allow this client to associate because the association request received contains an unknown SSID. The OAW IAP cannot allow this client to associate because its authentication or encryption settings do not match the OAW IAP's configuration. The OAW IAP cannot allow this client to associate because it does not support the 802.11 rate requested by this client. Corrective Actions: Contact the Alcatel-Lucent customer support team. Identify the client and check its Wi-Fi driver and manager software. Ascertain the correct authentication or encryption settings and try to associate again. Check the configuration on the OAW IAP to see if the desired rate can be supported; if not, consider replacing the OAW IAP with another model that can support the rate. Table 13 Alerts list (columns: Type, Code, Description, Details). Codes and descriptions: 100105 Maximum capacity reached on OAW IAP; 100206 Invalid MAC Address; 100307 Client blocked due to repeated authentication failures; 100308 RADIUS server connection failure; 100309 RADIUS server authentication failure; 100410 Integrity check failure in encrypted message; 100511 DHCP request timed out; IDS. Details: 100105: The OAW IAP has reached maximum capacity and cannot accommodate any more clients. 100206: The OAW IAP cannot authenticate this client because the client's MAC address is not valid. 100307: The OAW IAP is temporarily blocki
283. ers: Displays information about the Bonjour devices which support AirPrint and AirPlay services for the OAW IAP. AP Airgroup User: Displays the IP/MAC address, device name, VLAN and type of connection of the Bonjour devices for the OAW IAP. AP Allowed Channels: Displays information on the allowed channels for the OAW IAP. AP Allowed MAX EIRP: Displays information on the maximum EIRP settings that can be configured on an OAW IAP serving in a specific regulatory domain. AP All Supported Timezones: Displays all the supported time zones of Instant. AP ARM Bandwidth Management: Displays bandwidth management information for the OAW IAP. AP ARM Channels: Displays ARM channel details for the OAW IAP. AP ARM Configuration: Displays ARM configuration details for the OAW IAP. AP ARM History: Displays the channel history and power changes due to Adaptive Radio Management (ARM) for the OAW IAP. AP ARM Neighbors: Displays the ARM neighbors of the OAW IAP. AP ARM RF Summary: Displays the status and statistics for all channels monitored by the OAW IAP. AP ARM Scan Times: Displays channel scanning information for the OAW IAP. AP ARP Table: Displays the ARP table of the OAW IAP. AP Association Table: Displays information about the OAW IAP association. AP Authentication Frames: Displays the authentication trace buffer information of the OAW IAP. AP BSSID Table: Displays the Basic Service Set (BSS) table of the OAW IAP. AP Country Codes: Displays coun
284. ersonal and Open security levels; Enterprise, Personal and Open security levels. Table 18 Configuration Parameters for WLAN Security Settings (Parameter: Description; parameters covered here: Accounting, Authentication survivability, MAC authentication, Delimiter character, Uppercase support, Upload Certificate). Accounting: To enable accounting, select Enabled from the Accounting drop-down list. On setting this option to Enabled, APs post accounting information to the RADIUS server at the specified Accounting interval. Authentication survivability: To enable authentication survivability, set Authentication survivability to Enabled. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache must expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours; the default value is 24 hours. NOTE: The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later and is available only when the New server option is selected for authentication. On setting this parameter to Enabled, AOS W Instant authenticates the previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost. The Authentication survivability feature is not applicable when a RADIUS server is configured as an internal server. MAC authentication: To enable MAC address based authenticati
285. ertificate issuing authority so that a recipient can ensure that the certificate is real. AOS W Instant supports the following certificate files: - Auth server or Captive portal server certificate: PEM format with passphrase (PSK). - CA certificate: PEM or DER format. In the current release, the OAW IAP supports uploading a customized certificate for the internal Captive portal server. This section describes the following procedures: - Loading Certificates using AOS W Instant UI on page 161 - Loading Certificates using AOS W Instant CLI - Loading Certificates using OmniVista on page 161. Loading Certificates using AOS W Instant UI. To load a certificate in the AOS W Instant UI: 1 Click the Maintenance link at the top right corner of the AOS W Instant main window. 2 Click the Certificates tab. The Certificates tab contents are displayed. The following figure shows the Certificates window. Figure 51 Maintenance Window: Certificates Tab (tabs: About, Configuration, Certificates, Firmware, Reboot, Convert). Default Server Certificate: Version 3; Serial number 01 DA 52 F; Issuer C=US, O=GeoTrust Inc, OU=Domain Validated SSL; Subject 0x05 LUge2fRPkWcle7boLSVdsKOFK8wv3MF, C=US; Issued On 2011-05-11 01:22:10; Expires On 2017-08-11 04:40:59; Signed Using SHA1 RSA; Key size 2048 bits. New Certificate: Certificate file to upload (Browse); Certificate type
286. ertisement-profile h2qp-conn-cap cc1 (Instant Access Point)(Hotspot2.0 hs1)# advertisement-profile h2qp-oper-class oc1 (Instant Access Point)(Hotspot2.0 hs1)# exit. Step 4: Associate the hotspot profile with the WLAN SSID: (Instant Access Point)# configure terminal (Instant Access Point)(config)# wlan ssid-profile ssidProfile1 (Instant Access Point)(SSID Profile ssidProfile1)# essid hsProf (Instant Access Point)(SSID Profile ssidProfile1)# type employee (Instant Access Point)(SSID Profile ssidProfile1)# vlan 200 (Instant Access Point)(SSID Profile ssidProfile1)# opmode wpa2-aes (Instant Access Point)(SSID Profile ssidProfile1)# blacklist (Instant Access Point)(SSID Profile ssidProfile1)# mac-authentication (Instant Access Point)(SSID Profile ssidProfile1)# l2-auth-failthrough (Instant Access Point)(SSID Profile ssidProfile1)# radius-accounting (Instant Access Point)(SSID Profile ssidProfile1)# radius-accounting-mode user-association (Instant Access Point)(SSID Profile ssidProfile1)# radius-interim-accounting-interval 10 (Instant Access Point)(SSID Profile ssidProfile1)# radius-reauth-interval 20 (Instant Access Point)(SSID Profile ssidProfile1)# max-authentication-failures 2 (Instant Access Point)(SSID Profile ssidProfile1)# set-role-by-ssid (Instant Access Point)(SSID Profile ssidProfile1)# hotspot-profile hs1 (Instant Access Po
287. erver <server_name1> (Instant Access Point)(SSID Profile <name>)# auth-server <server_name2> (Instant Access Point)(SSID Profile <name>)# server-load-balancing (Instant Access Point)(SSID Profile <name>)# radius-reauth-interval <minutes> (Instant Access Point)(SSID Profile <name>)# end (Instant Access Point)# commit apply. Configuring MAC Authentication for Wired Profiles. You can configure MAC authentication for a wired profile in the AOS W Instant UI or CLI. In the AOS W Instant UI: To enable MAC authentication for a wired profile: 1 Click the Wired link under More at the top right corner of the AOS W Instant main window. The Wired window is displayed. 2 Click New under Wired Networks to create a new network, or select an existing profile for which you want to enable MAC authentication, and then click Edit. 3 In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next. 4 In the Security tab, select Enabled from the MAC authentication drop-down list. 5 Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 104. 6 Click Next to define access rules, and then click Finish to apply the changes. In the CLI: To enable MAC authentication for a wired
288. es an option to reboot the required access point or all access points. For more information, see Upgrading an OAW-IAP on page 70.
• Convert: Provides an option to convert an OAW-IAP to a mobility Switch managed Remote AP or Campus AP, or a standalone AP. For more information, see Converting an OAW-IAP to a Remote AP and Campus AP on page 305.
The following figure shows the default view of the Maintenance window.
[Figure 8: Maintenance Window Default View. Tabs: About, Configuration, Certificates, Firmware, Reboot, Convert. The About tab shows Name: Alcatel-Lucent Operating System Wireless; Type: OAW-AP93; Build Time: 2013-11-18 08:19:52 PST; Version: 6.3.1.1-4.0.0.0_40933; Website: http://enterprise.alcatel-lucent.com; Legal: All Rights Reserved (c) 2005-2013 Alcatel-Lucent.]

Help
The Help link allows you to view a short description or definition of selected terms and fields in the UI windows or dialogs. To activate the context-sensitive help:
1. Click the Help link at the top right corner of the AOS-W Instant main window.
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.

More
The More link allows you to select the following options:
• VPN
• IDS
• Wired
• Services
• DHCP Server
• Support

VPN
The VPN window allows you to define communication settings with a remote Switc
289. es equal access to all clients on the wireless medium regardless of client type, capability or operating system, thus delivering uniform performance to all clients. This feature prevents the clients from monopolizing resources.

Access Point Control
The following access point control features are supported:
• Customize Valid Channels: You can customize Valid 5 GHz channels and Valid 2.4 GHz channels for 20 MHz and 40 MHz channels in the OAW-IAP. The administrators can configure the ARM channels in the channel width window. The valid channels automatically show in the static channel assignment window.
• Minimum Transmit Power: This indicates the minimum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. You may also specify a special value of 127 dBm for regulatory maximum to disable power adjustments for environments such as outdoor mesh links. A higher power level setting may be constrained by the local regulatory requirements and AP capabilities. If the minimum transmission EIRP setting configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
• Maximum Transmit Power: This indicates the maximum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. Higher power level settings may
290. ess Point)(LDAP Server "<profile-name>")# admin-password <password>
(Instant Access Point)(LDAP Server "<profile-name>")# base-dn <name>
(Instant Access Point)(LDAP Server "<profile-name>")# filter <filter>
(Instant Access Point)(LDAP Server "<profile-name>")# key-attribute <key>
(Instant Access Point)(LDAP Server "<profile-name>")# timeout <seconds>
(Instant Access Point)(LDAP Server "<profile-name>")# retry-count <number>
(Instant Access Point)(LDAP Server "<profile-name>")# end
(Instant Access Point)# commit apply

To configure a CPPM server used for AirGroup CoA (Change of Authorization):
(Instant Access Point)(config)# wlan auth-server <profile-name>
(Instant Access Point)(Auth Server "<profile-name>")# ip <IP-address>
(Instant Access Point)(Auth Server "<profile-name>")# key <key>
(Instant Access Point)(Auth Server "<profile-name>")# cppm-rfc3576-port <port>
(Instant Access Point)(Auth Server "<profile-name>")# cppm-rfc3576-only
(Instant Access Point)(Auth Server "<profile-name>")# end
(Instant Access Point)# commit apply

Configuring Dynamic RADIUS Proxy Parameters
The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS b
291. ess-or-domain-name>
(Instant Access Point)(config)# ams-key <key>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring for OmniVista Discovery through DHCP
The OmniVista can be discovered through the DHCP server. You can configure this only if OmniVista was not configured earlier or if you have deleted the previous configuration. On the DHCP server, the format for option 60 is InstantAP, and the two formats for option 43 are <organization>,<ams-ip>,<ams-key> and <organization>,<ams-domain>. If you use the <organization>,<ams-ip>,<ams-key> format, PSK-based authentication is used to access the OmniVista Management Platform server. If you use the <organization>,<ams-domain> format, the OAW-IAP resolves the domain name into two IP addresses (OmniVista Primary and OmniVista Backup), and then the OAW-IAP starts a certificate-based authentication with the OmniVista Management Platform server instead of the PSK login. For option 43, when you choose to enter the domain name, the IP address and key will not be available.

Standard DHCP option 60 and 43 on Windows Server 2008
In networks that are not using DHCP options 60 and 43, it is easy to use the standard DHCP options 60 and 43 for an AP or OAW-IAP. For APs, these options can be used to indicate the master controller or the local controller. For OAW-IAPs, these options can be used to define the OmniVista IP, group p
292. etween the client and the authentication server. Exchange of information is encrypted and stored in the tunnel, ensuring the user credentials are kept secure.
• LEAP: Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and authentication server. To use the OAW-IAP's internal database for user authentication, add the names and passwords of the users to be authenticated.
NOTE: Alcatel-Lucent does not recommend the use of the LEAP authentication method because it does not provide any resistance to network attacks.

Authentication Termination on OAW-IAP
AOS-W Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol Microsoft Challenge Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access Protocol (LDAP) server and an external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server. This allows the users to run PEAP-GTC termination with their username and password to a local Microsoft Active Directory server with LDAP authentication.
• EAP Generic Token Card (GTC): This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC
293. etwork, or click Edit to select an existing profile.
2. Click the Access tab.
3. To configure access rules for the network, slide to Network-based. To configure access rules for user roles, slide to Role-based.
4. To create a new rule for the network, click New. To create an access rule for a user role, select the user role and then click New. The New Rule window is displayed.
In the New Rule window:
Select Access control from the Rule type drop-down list.
Select destination NAT from the Action drop-down list to allow changes to the source IP address.
Specify the IP address and port details.
Select a service from the list of available services.
10. Select the required option from the Destination drop-down.
11. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag and 802.1p priority.
12. Click OK and then click Finish.

In the CLI
To configure a destination NAT access rule:
(Instant Access Point)(config)# wlan access-rule <access-rule>
(Instant Access Point)(Access Rule "<access-rule>")# rule <dest> <mask> <match> <protocol> <sport> <eport> dst-nat ip <IP-address> <port>
(Instant Access Point)(Access Rule "<access-rule>")# end
(Instant Access Point)# commit apply

Configuration Examples for Access Rules
This section provides procedures to create the following access rules:
• Allow POP3 Service to a Particular Server on pa
294. ex For example:
• yahoo.com matches various domains such as news.yahoo.com, travel.yahoo.com and finance.yahoo.com.
• www.apple.com/library/test is a subset of the www.apple.com site corresponding to the path /library/test.
• favicon.ico allows access to favicon.ico from all domains.
3. To deny users access to a domain, click New and enter the domain name or URL in the Blacklist section of the window. This prevents the unauthenticated users from viewing specific websites. When a URL specified in the blacklist is accessed by an unauthenticated user, the OAW-IAP sends an HTTP 403 response to the client with a simple error message. If the requested URL does not appear on the blacklist or whitelist, the request is redirected to the external Captive portal.
4. Select the domain name or URL and click Edit to modify, or Delete to remove the entry from the list.
5. Click OK to apply the changes.

In the CLI
To create a Walled Garden access:
(Instant Access Point)(config)# wlan walled-garden
(Instant Access Point)(Walled Garden)# white-list <domain>
(Instant Access Point)(Walled Garden)# black-list <domain>
(Instant Access Point)(Walled Garden)# end
(Instant Access Point)# commit apply

Disabling Captive Portal Authentication
To disable captive portal authentication, perform the following steps:
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit <WLAN Profile> or Edit Wi
295. existing profile for which you want to enable MAC and 802.1X authentication, and click Edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, ensure that the required parameters for MAC authentication and 802.1X authentication are configured.
4. Select the Perform MAC authentication before 802.1X check box to use 802.1X authentication only when the MAC authentication is successful.
5. Select the MAC authentication fail-thru check box to use 802.1X authentication even when the MAC authentication fails.
6. Click Next and then click Finish to apply the changes.

In the CLI
To configure both MAC and 802.1X authentication for a wireless network:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# type {<Employee>|<Voice>|<Guest>}
(Instant Access Point)(SSID Profile "<name>")# mac-authentication
(Instant Access Point)(SSID Profile "<name>")# l2-auth-failthrough
(Instant Access Point)(SSID Profile "<name>")# auth-server <server_name1>
(Instant Access Point)(SSID Profile "<name>")# radius-reauth-interval <minutes>
(Instant Access Point)(SSID Profile "<name>")# auth-survivability
(Instant Access Point)(SSID Profile "<name>")# exit
(Instant Access Point)(config)# auth-survivability
296. f System window, click Show advanced options to display the advanced options.
3. From the LED Display drop-down menu, select Enabled to enable the LED display or Disabled to turn off the LED display.
4. Click OK.

In the CLI
To enable or disable the LED display:
(Instant Access Point)(config)# led-off
(Instant Access Point)(config)# no led-off
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Backing up and Restoring OAW-IAP Configuration Data
You can back up the OAW-IAP configuration data and restore the configuration when required.

Viewing Current Configuration
To view the current configuration on the OAW-IAP:
• In the AOS-W Instant UI, navigate to Maintenance > Configuration > Current Configuration.
• In the CLI, enter the following command at the command prompt:
(Instant Access Point)# show running-config

Backing up Configuration Data
To back up the OAW-IAP configuration data:
1. Navigate to the Maintenance > Configuration > page.
2. Click Backup Configuration.
3. Click Continue to confirm the backup. The instant.cfg file containing the OAW-IAP configuration data is saved in your local file system.
4. To view the configuration that is backed up by the OAW-IAP, enter the following command at the command prompt:
(Instant Access Point)# show backup-config

Restoring Configuration
To restore configuration: Navigate to the Maintenance
297. ff
• Low
• High
[Figure 74: Wireless Intrusion Protection (WIP Protection tab: Infrastructure and Clients protection levels with their Custom settings).]

The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.
Table 45: Infrastructure Protection Policies
Protection Level | Protection Policy
Off | All protection policies are disabled.
Low | • Protect SSID (the valid SSID list should be auto-derived from the Instant configuration) • Rogue Containment
High | • Protect from Adhoc Networks • Protect AP Impersonation

The following table describes the detection policies that are enabled in the Client Protection Custom settings field.
Table 46: Client Protection Policies
Protection Level | Protection Policy
Off | All protection policies are disabled.

Containment Methods
You can enable wired and wireless containments to prevent unauthorized stations from connecting to your AOS-W Instant network. AOS-W Instant supports the following types of containment mechanisms:
• Wired containment
298. figuration
• Detect Malformed Frame - Large Duration
• Detect AP Impersonation
• Detect Adhoc Networks
• Detect Valid SSID Misuse
• Detect Wireless Bridge
• Detect 802.11 40MHz intolerance settings
• Detect Active 802.11n Greenfield Mode
• Detect AP Flood Attack
• Detect Client Flood Attack
• Detect Bad WEP
• Detect CTS Rate Anomaly
• Detect RTS Rate Anomaly
• Detect Invalid Address Combination

Table 43: Infrastructure Detection Policies (continued)
Detection Level | Detection Policy
• Detect Malformed Frame - HT IE
• Detect Malformed Frame - Association Request
• Detect Malformed Frame - Auth
• Detect Overflow IE
• Detect Overflow EAPOL Key
• Detect Beacon Wrong Channel
• Detect devices with invalid MAC OUI

The following table describes the detection policies enabled in the Client Detection Custom settings field.
Table 44: Client Detection Policies
Detection Level | Detection Policy
Off | All detection policies are disabled.
• Detect Valid Station Misassociation
• Detect Disconnect Station Attack
• Detect Omerta Attack
• Detect FATA-Jack Attack
• Detect Block ACK DOS
• Detect Hotspotter Attack
• Detect unencrypted Valid Client
• Detect Power Save DOS Attack
• Detect EAP Rate Anomaly
• Detect Rate Anomaly
• Detect Chop Chop Attack
• Detect TKIP Replay Attack
• IDS Signature - Air Jack
• IDS Signature - ASLEAP

The following levels of detection can be configured in the WIP Protection page:
• O
299. figuring a WAN Metrics Profile
You can configure a WAN metrics profile to define information about access network characteristics such as link status and metrics. To configure a WAN metrics profile:
(Instant Access Point)(config)# hotspot h2qp-wan-metrics-profile <name>
(Instant Access Point)(WAN metrics "<name>")# at-capacity
(Instant Access Point)(WAN metrics "<name>")# downlink-load <load>
(Instant Access Point)(WAN metrics "<name>")# downlink-speed <speed>
(Instant Access Point)(WAN metrics "<name>")# load-duration <duration>
(Instant Access Point)(WAN metrics "<name>")# symm-link
(Instant Access Point)(WAN metrics "<name>")# uplink-load <load>
(Instant Access Point)(WAN metrics "<name>")# uplink-speed <speed>
(Instant Access Point)(WAN metrics "<name>")# wan-metrics-link-status <status>
(Instant Access Point)(WAN metrics "<name>")# end
(Instant Access Point)# commit apply

You can specify the following WAN downlink and uplink parameters:
• Downlink load: Indicates the percentage of the WAN downlink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
• Downlink speed: Indicates the WAN downlink speed in Kbps.
• Uplink load: Indicates the percentage of the WAN uplink currently utilized. The default value of 0
300. file)# pppoe-chapsecret <password>
(Instant Access Point)(pppoe-uplink-profile)# pppoe-unnumbered-local-l3-dhcp-profile <dhcp-profile>
(Instant Access Point)(pppoe-uplink-profile)# end
(Instant Access Point)# commit apply

To view the PPPoE configuration:
(Instant Access Point)# show pppoe config
PPPoE Configuration
Type | Value
User | testUser
Password | 3c28ec1b82d3eef0e65371da2f39c4d49803e5b2bc88be0c
Service name | internet03
CHAP secret | 8e87644deda93641007196e017 88ebce
Unnumbered dhcp profile | dhcpProfile1

To view the PPPoE status:
(Instant Access Point)# show pppoe status
pppoe uplink state: Suppressed

3G/4G Uplink
AOS-W Instant supports the use of 3G/4G USB modems to provide the Internet backhaul to an Instant network. The 3G/4G USB modems can be used to extend client connectivity to places where an Ethernet uplink cannot be configured. This enables the RAPs to automatically choose the available network in a specific region.
NOTE: The 3G and 4G LTE USB modems can be provisioned on OAW-RAP3WN/3WNP, OAW-RAP108 and OAW-RAP155/155P.

Types of Modems
AOS-W Instant supports the following three types of 3G modems:
• True Auto Detect: Modems of this type can be used only in one country and for a specific ISP. The parameters are configured automatically and hence no configuration is necessary.
• Auto-detect + ISP co
301. file to associate with this hotspot profile. For information on advertisement profiles, see Creating Advertisement Profiles for Hotspot Configuration on page 289.
• advertisement-protocol: Specify the advertisement protocol type as Access Network Query Protocol (ANQP) as anqp.

Creating a WLAN SSID and Associating Hotspot Profile
To create a WLAN SSID with Enterprise Security and WPA2 Encryption Settings:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# essid <ESSID-name>
(Instant Access Point)(SSID Profile "<name>")# type {<Employee>|<Voice>|<Guest>}
(Instant Access Point)(SSID Profile "<name>")# vlan <vlan-ID>
(Instant Access Point)(SSID Profile "<name>")# set-vlan <attribute> {equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of
(Instant Access Point)(SSID Profile "<name>")# opmode {wpa2-aes|wpa-tkip,wpa2-aes}
(Instant Access Point)(SSID Profile "<name>")# blacklist
(Instant Access Point)(SSID Profile "<name>")# mac-authentication
(Instant Access Point)(SSID Profile "<name>")# l2-auth-failthrough
(Instant Access Point)(SSID Profile "<name>")# termination
(Instant Access Point)(SSID Profile "<name>")# external-server
(Instant Access Point)(SSID Profile "<name>")# auth
302. for a wired profile:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile "<name>")# type {<employee>|<guest>}
(Instant Access Point)(wired ap profile "<name>")# mac-authentication
(Instant Access Point)(wired ap profile "<name>")# dot1x
(Instant Access Point)(wired ap profile "<name>")# l2-auth-failthrough
(Instant Access Point)(wired ap profile "<name>")# auth-server <name>
(Instant Access Point)(wired ap profile "<name>")# server-load-balancing
(Instant Access Point)(wired ap profile "<name>")# radius-reauth-interval <Minutes>
(Instant Access Point)(wired ap profile "<name>")# end
(Instant Access Point)# commit apply

Configuring MAC Authentication with Captive Portal Authentication
This authentication method has the following features:
• If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
• If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
• If the captive portal splash page type is none, MAC authentication is disabled.
• MAC authentication only role: You can use the WLAN wizard to configure the mac-auth-only role in the role-based access rule configuration section when MAC authe
303. from the serial port or from an SSH session. You must explicitly enable Telnet access on the OAW-IAP to access the CLI through a Telnet session. For information on enabling SSH and Telnet access to the OAW-IAP CLI, see Enabling Terminal Access on page 73.

Connecting to a CLI Session
On connecting to a CLI session, the system displays its host name followed by the login prompt. Use the administrator credentials to start a CLI session. For example:
(Instant Access Point) User: admin
ode is enabled and a command prompt is displayed. For example:
(Instant Access Point)#
The privileged mode provides access to show, clear, ping, traceroute and commit commands. The configuration commands are available in config mode. To move from privileged mode to the configuration mode, enter the following command at the command prompt:
(Instant Access Point)# configure terminal
The configure terminal command allows you to enter the basic configuration mode, and the command prompt is displayed as follows:
(Instant Access Point)(config)#
The AOS-W Instant CLI allows CLI scripting in several other sub-command modes to allow the users to configure individual interfaces, SSIDs, access rules and security settings. You can use the question mark (?) to view the commands available in a privileged mode, configuration mode or sub-mode. Although automatic completion is supported for som
304. fy the Allowed VLAN, enter a list of comma-separated digits or ranges (1,2,5 or 1-4, or all). The Allowed VLAN refers to the VLANs carried by the port in Access mode. If Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN. You can specify a value within the range of 1-4093.
d. If the Access mode is selected: If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 2. If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
6. Click Next to configure internal or external Captive portal authentication, roles and access rules for the guest users.

In the CLI
To configure wired settings:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile "<name>")# type guest
(Instant Access Point)(wired ap profile "<name>")# speed {10|100|1000|auto}
(Instant Access Point)(wired ap profile "<name>")# duplex {<half>|<full>|<auto>}
(Instant Access Point)(wired ap profile "<name>")# no shutdown
(Instant Access Point)(wired ap profile "<name>")# po
(Instant Access Point)(wired ap profile "<name>")# uplink-enable
(Instant Access Point)(wired ap profile "<name>")# LA
Instant Access Point wired ap profil
305. g options for Client IP assignment:
• Virtual Controller assigned: On selecting this option, the client obtains the IP address from the Virtual Controller. The Virtual Controller creates a private subnet and VLAN on the OAW-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see DHCP Configuration on page 231.
• Network assigned: Select this option to obtain the IP address from the network.
8. If Network assigned is selected, specify any of the following options for the Client VLAN assignment:
• Default: On selecting this option, the client obtains the IP address in the same subnet as the OAW-IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
• Static: On selecting this option, you need to specify a single VLAN, a comma-separated list of VLANs, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
• Dynamic: On selecting this option, you can assign the VLANs dynamically from a Dynamic Host Configuration Protocol (DHCP) server. To create VLAN assignment rules:
a. Click New to assign the user to a VLAN. The New VLAN Assignment Rule window is displayed.
b. Enter the following information:
• Attribu
306. g procedures:
• Detecting and Classifying Rogue APs on page 221
• OS Fingerprinting on page 221
• Configuring Wireless Intrusion Protection and Detection Levels on page 222
• Configuring IDS Using CLI on page 226

Detecting and Classifying Rogue APs
A rogue AP is an unauthorized AP plugged into the wired side of the network. An interfering AP is an AP seen in the RF environment but not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat because it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP. To detect the rogue APs, click the IDS link in the AOS-W Instant main window. The built-in IDS scans for access points that are not controlled by the Virtual Controller. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your network.
[Figure 72: Intrusion Detection. The IDS page lists Foreign Access Points Detected (Network, Classification, Chan., Type, Last Seen, Where) and Foreign Clients Detected (MAC address, Network, Classification, Chan., Type, Last Seen, Where); the sample entries are classified as Interfering.]
307. ge 174
• Allow TCP Service to a Particular Network on page 174
• Deny FTP Service except to a Particular Server on page 174
• Deny bootp Service except to a Particular Network on page 175

Allow POP3 Service to a Particular Server
To configure POP3 service to a particular server:
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit <WLAN Profile> or Edit Wired Network window is displayed.
NOTE: You can also configure access rules in the Access tab of the New WLAN and New Wired Network windows when configuring a new profile.
2. In the Access tab, slide to Network-based using the scroll bar to specify access rules for the network.
3. Click New to add a new rule. The New Rule window is displayed.
a. Select Allow from the Action drop-down list.
b. Select pop3 from the Service drop-down list.
c. Select to a particular server from the Destination drop-down list and enter the appropriate IP address in the IP text box.
d. Click OK.
4. Click Finish.

Allow TCP Service to a Particular Network
To allow TCP service to a particular server:
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit <WLAN Profile> or Edit Wired Network window is displayed.
NOTE: You can also configure access rules in the Access tab of the New WLAN and New Wired Network windows when
308. (Instant Access Point)(config)# vpn reconnect-user-on-failover
(Instant Access Point)(config)# vpn reconnect-time-on-failover <down_time>
(Instant Access Point)(config)# vpn monitor-pkt-send-freq <frequency>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To view VPN configuration details:
(Instant Access Point)# show vpn config

Manually Configuring a GRE Tunnel
You can also manually configure a GRE tunnel by configuring the GRE tunnel parameters on the OAW-IAP and switch. This procedure describes the steps involved in manual configuration of a GRE tunnel from the Virtual Controller by using the AOS-W Instant UI or CLI. During the manual GRE setup, you can either use the Virtual Controller IP or the OAW-IAP IP to create the GRE tunnel at the controller side, depending upon the following OAW-IAP settings:
• If a Virtual Controller IP is configured and Per-AP tunnel is disabled, then the Virtual Controller IP is used to create the GRE tunnel.
• If a Virtual Controller IP is not configured or Per-AP tunnel is enabled, then the OAW-IAP IP is used to create the GRE tunnel.
For information on the GRE tunnel configuration on the Switch, see the AOS-W Instant User Guide.

In the AOS-W Instant UI
1. Click the More > VPN link at the top right corner of the AOS-W Instant UI. The Tunneling window is displayed.
2. Select Manual GRE from the
309. h. See VPN Configuration on page 239 for more information. The following figure shows an example of the IPSec configuration options available in the VPN window.
[Figure 9: VPN window for IPSec Configuration. Tunneling > Controller: Protocol Aruba IPSec; Primary host 192.0.0.1; Backup host (empty); Secs between test packets 5; Max allowed test packet loss 2; Next/Cancel buttons.]

IDS
The IDS window allows you to configure wireless intrusion detection and protection levels. The following figures show the IDS window.
[Figure 10: IDS Window. Intrusion Detection > Wireless Intrusion Protection (WIP) > Detection, "Specify What Threats to Detect": Infrastructure and Clients, each with levels High, Medium, Low, Off and a Custom settings list of detection policies.]
310. h Step b for all OAW-IAPs.
2. Define the remote access policy in the Internet Authentication Service:
a. In the Internet Authentication Service window, select Remote Access Policies.
b. Launch the wizard to configure a new remote access policy.
c. Define filters and select grant remote access permission in the Permissions window.
d. Right-click the policy that you have just created and select Properties.
e. In the Settings tab, select the policy condition and Edit Profile.
f. In the Advanced tab, select Vendor Specific and click Add to add new vendor-specific attributes.
g. Add new vendor-specific attributes and click OK.
h. In the IP tab, provide the IP address of the OAW-IAP and click OK.

VPN Local Pool Configuration
The VPN local pool is used to assign an IP address to the OAW-IAP after successful XAUTH VPN.
(host)# ip local pool rapngpool <startip> <endip>

Role Assignment for the Authenticated OAW-IAPs
Define a role that includes a src-nat rule to allow connections to the RADIUS server and for the Dynamic RADIUS Proxy in the OAW-IAP to work. This role is assigned to OAW-IAPs after successful authentication.
(host)(config)# ip access-list session iaprole
(host)(config-sess-iaprole)# any host <radius-server-ip> any src-nat
(host)(config-sess-iaprole)# any any any permit
(host)(config-sess-iaprole)# !
(host)(config)# user-role iaprole
(host)(config)
311. h secures corporate data. You can configure an IPSec tunnel from the Virtual Controller using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure a tunnel using the IPSec protocol:
1. Click the More > VPN link at the top right corner of the AOS-W Instant UI. The Tunneling window is displayed.
2. Select Aruba IPSec from the Protocol drop-down list.
3. Enter the IP address or fully qualified domain name (FQDN) for the main VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you specify the primary and backup host details, the other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in Figure 79.
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional.
b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
c. To allow the OAW-IAP to create a backup VPN tunnel to the Switch along with the primary tunnel, and maintain both the primary and backup tunnels separately, select Enabled from the Fast failover drop-down list.
312. hange information regarding device sharing and location. The configuration options define the RADIUS server that is used by the AirGroup RADIUS client. The AirGroup configuration with CPPM involves the following steps: 1. Create a RADIUS service. 2. Assign a server to AirGroup. 3. Configure CPPM to enforce registration. Creating a RADIUS Server: You can configure an external RADIUS Security window. For more information on configuring the CPPM server, see Configuring an External Server for Authentication on page 144. You can also create a RADIUS server in the AirGroup window. Navigate to Services > AirGroup > ClearPass Settings > CPPM server 1 and select New from the drop-down menu. Assign a Server to AirGroup: To associate a CPPM server with AirGroup, select the CPPM server from the CPPM Server 1 drop-down. If two CPPM servers are configured, CPPM server 1 acts as the primary server and CPPM server 2 acts as the backup server. After the configuration is complete, this particular server is displayed in the CoA server option. To view this server, go to Services > AirGroup > ClearPass Settings > CoA server. Configure CPPM to Enforce Registration: When CPPM registration is enforced, the devices registered with CPPM are discovered by Bonjour devices based on the CPPM policy. Change of Authorization (CoA): When a RADIUS server is configured with Change of Authorization (CoA) with the CPPM server, the guest users ar
313. he OAW-IAPs in the network, click Reboot All. The Confirm Reboot for AP message is displayed. Click Reboot Now to proceed. The Reboot in Progress message is displayed, indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete. If the system fails to boot, the "Unable to contact Access Points after reboot was initiated" message is displayed. Click OK. Chapter 33 Monitoring Devices and Logs: This chapter provides the following information: Configuring SNMP on page 311; Configuring a Syslog Server on page 314; Configuring TFTP Dump Server on page 316; Running Debug Commands from the AOS-W Instant UI on page 317. Configuring SNMP: This section provides the following information: SNMP Parameters for OAW-IAP on page 311; Configuring SNMP on page 312; Configuring SNMP Traps on page 314. SNMP Parameters for OAW-IAP: AOS-W Instant supports SNMPv1, SNMPv2c, and SNMPv3 for reporting purposes only. An OAW-IAP cannot use SNMP to set values in an Alcatel-Lucent system. You can configure the following parameters for an OAW-IAP: Table 61 SNM
314. he associated numeric value is 6. eap-tls: To use EAP Transport Layer Security. The associated numeric value is 13. eap-sim: To use EAP for GSM Subscriber Identity Modules. The associated numeric value is 18. eap-ttls: To use EAP Tunneled Transport Layer Security. The associated numeric value is 21. peap: To use Protected Extensible Authentication Protocol. The associated numeric value is 25. crypto-card: To use crypto card authentication. The associated numeric value is 28. peapmschapv2: To use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPV2). The associated numeric value is 29. eap-aka: To use EAP for UMTS Authentication and Key Agreement. The associated numeric value is 50. The following table lists the possible authentication IDs and their respective values. Table 55 NAI Realm Profile Configuration Parameters: Authentication ID / Authentication Value. reserved: Uses the reserved authentication method; the associated numeric value is 0. expanded-eap: Use expanded-eap as the authentication value; uses the expanded EAP authentication method; the associated numeric value is 1. non-eap-inner-auth: Uses a non-EAP inner authentication type; the associated numeric value is 2. The following authentication values apply: reserved: the associated numeric value is 0. pap: The
315. he selected client for the last 15 minutes. 1. Log in to the AOS-W Instant UI. The Virtual Controller view is displayed. This is the default view. 2. In the Clients tab, click the IP address of the client for which you want to monitor the signal strength. The client view is displayed. Study the Signal graph in the RF Trends pane. For example, the graph shows that the signal strength for the client is 54.0 dB at 12:23 hours. Table 11 Client View RF Trends Graphs and Monitoring Procedures: Graph Name (Frames, Throughput, Mobility Trail) / Description. Frames: The Frames graph shows the In and Out frame rate per second of the client for the last 15 minutes. It also shows data for the Retry In and Retry Out frames. Outgoing frames: outgoing frame traffic is displayed in green; it is shown above the median line. Incoming frames: incoming frame traffic is displayed in blue; it is shown below the median line. Retry Out: retries for the outgoing frames are displayed above the median line in black. Retry In: retries for the incoming frames are displayed below the median line in red. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the In, Out, Retries In, and Retries Out frames. To see the exact frames at a particular time, move the cursor over the graph line
316. hentication. Load balancing: Select Enabled to enable load balancing if two authentication servers are used. Reauth interval: Select a value to allow the APs to periodically reauthenticate all associated and authenticated clients. Auth server 2. Blacklisting: If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures. Applicable for WLAN SSIDs only. Parameter / Description. Accounting mode: Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected. Applicable for WLAN SSIDs only. Disable if uplink type is: To exclude an uplink, select an uplink type. Encryption: Select Enabled to configure encryption parameters. Applicable for WLAN SSIDs only. Splash Page Design: Under Splash Page Visuals, use the editor to specify text and colors for the initial page that
317. hentication. 5. From the Authentication Server 1 drop-down, select the server name on which dynamic RADIUS proxy parameters are enabled. You can also create a new server with RADIUS and RADIUS proxy parameters by selecting New. 6. Click Next and then click Finish. 7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile. NOTE: You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 90 and Configuring Security Settings for a Wired Profile on page 104. In the CLI: To associate an authentication server to a WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# auth-server <server-name>
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply
To associate an authentication server to a wired profile:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# auth-server <name>
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply
Configuring Authentication Parameters for Virtual Controller Manageme
318. ia: KDDI DATA07 (Huawei, KDDI Japan); Huawei E353 (China Unicom); Huawei EC167 (China Telecom); Huawei E367 (Vodafone UK); Huawei E352s-5 (T-Mobile Germany). No auto-detect: Huawei D41HW; ZTE AC2726. Table 33 4G Supported Modem: Modem Type / Supported 4G Modem. True Auto Detect: Pantech UML290; Ether-lte. NOTE: When the UML290 runs in auto-detect mode, the modem can switch from the 4G network to the 3G network or vice versa based on the signal strength. To configure the UML290 for the 3G network only, manually set the USB type to pantech-3g. To configure the UML290 for the 4G network only, manually set the 4G USB type to pantech-lte. Configuring Cellular Uplink Profiles: You can configure 3G or 4G uplinks using the AOS-W Instant UI or CLI. In the AOS-W Instant UI: 1. Click the System link at the upper right corner of the AOS-W Instant main window. The System window is displayed. 2. In the System window, click the show advanced settings link. The advanced options are displayed. 3. Click the Uplink tab and perform any of the following steps: To configure a 3G or 4G uplink automatically, select the Country and ISP. The parameters are automatically populated. To configure a 3G or 4G uplink manually, perform the following steps: a. Obtain the modem configuration parameters from the local IT administrator or the modem manufacturer. b. Enter the type of the 3G/4G modem driver type. For 3G: Enter the type of 3G modem in
319. ia and Montenegro, Cyprus, Czech Republic, Germany, Denmark, Dominican Republic, Algeria, Ecuador, Egypt, Spain, Finland, France, United Kingdom, Greece, Guatemala, Hong Kong, Honduras, Indonesia, Ireland, Israel. Code / Country Name: T Italy, JM Jamaica, O Jordan, Japan, Kenya, Republic of Korea (South Korea), Kuwait, Lebanon, Liechtenstein, Sri Lanka, Lithuania, Luxembourg, Morocco, Mauritius, Mexico, Netherlands, Norway, New Zealand, Panama. Country Name: Peru, Philippines, Islamic Republic of Pakistan, Poland, Puerto Rico, Saudi Arabia, Singapore, Slovenia, Slovak Republic, El Salvador, Tunisia, Turkey, Trinidad and Tobago, Taiwan, Ukraine, United States, Uruguay. ClearPass Guest Setup: To configure ClearPass Guest: 1. On ClearPass Guest, navigate to Administration > AirGroup Services. 2. Click Configure AirGroup Services. Figure 116 Configure AirGroup Services. AirGroup Services: Use the commands below to configure AirGroup services on your network. Configure AirGroup Services: Make changes to the AirG
320. id APs via the AP group's 802.11a and 802.11g radio profiles. Converting an OAW-IAP to a Hybrid OAW-IAP: You can convert all OAW-IAPs in an AOS-W Instant network into hybrid OAW-IAPs by selecting the Background spectrum monitoring option in the AOS-W Instant network's 802.11a and 802.11g radio profiles. APs in Access mode continue to provide normal access service to clients while providing the additional function of monitoring RF interference. If any OAW-IAP in the AOS-W Instant network does not support the spectrum monitoring feature, that AP continues to function as a standard OAW-IAP rather than a hybrid OAW-IAP. By default, the background spectrum monitoring option is disabled. In the hybrid mode, spectrum monitoring is performed only on the home channel. You can convert OAW-IAPs in an AOS-W Instant network to hybrid mode using the AOS-W Instant UI or CLI. In the AOS-W Instant UI: To convert an OAW-IAP to a hybrid OAW-IAP: 1. Click the RF link at the top right corner of the AOS-W Instant UI. 2. Click Show advanced options to view the Radio tab. 3. To enable a spectrum monitor on the 802.11g radio band, in the 2.4 GHz radio profile select Enabled from the Background Spectrum Monitoring drop-down list. 4. To enable a spectrum monitor on the 802.11a radio band, in the 5 GHz radio profile select Enabled from the Background Spectrum Monitoring drop-down list. 5. Click OK. In the CLI: To configure 2.4 GHz radio settings: Insta
321. ide. Column / Description. Signal strength of the non-Wi-Fi device that has the highest signal strength (dBm). SNIR (dB): The ratio of signal strength to the combined levels of interference and noise on that channel. This value is calculated by determining the maximum noise floor and interference signal levels and then calculating how strong the desired signal is above this maximum. Channel Metrics: The channel metrics graph displays channel quality, availability, and utilization metrics as seen by a spectrum monitor or hybrid AP. You can view the channel utilization data for the percentage of each channel that is currently being used by Wi-Fi devices, and the percentage of each channel being used by non-Wi-Fi devices and 802.11 adjacent channel interference (ACI). This chart shows the channel availability (the percentage of each channel that is available for use) or the current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands. While spectrum monitors can display data for all channels in their selected band, hybrid APs display data for their one monitored channel only. To view this graph, click 2.4 GHz in the Spectrum section of the dashboard. Figure 69 Channel Metrics for the 2.4 GHz Radio Channel (Spectrum 2.4 GHz Channel Utilization and Quality). To view this graph, click 5 GHz in the Spectrum section of the dashboard. Figure 70 Channel Metrics for the 5 GHz Radio Channel (Spectrum 5 GHz Channel Utilizat
322. ific Attributes (VSA) for RADIUS server authentication. The role derived from an Alcatel-Lucent VSA takes precedence over roles defined by other methods. MAC Address Attribute: The first three octets in a MAC address are known as the Organizationally Unique Identifier (OUI) and are purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the assignee) globally and effectively reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee. OAW-IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign a desired role for users who have completed 802.1X authentication and MAC authentication. The user role can be derived from the user attributes after a client associates with an AP. You can configure rules that assign a user role to clients that match a MAC address based criterion. For example, you can assign a voice role to any client with a MAC address starting a0:a1:a2. Roles Based on Client Authentication: The user role can be the default user role configured for an authentication method, such as 802.1X authentication. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method. DHCP Option and DHCP Fingerp
323. igns a new user role to the guest users instead of the pre-authenticated role. NOTE: AOS-W Instant supports role derivation based on DHCP option for Captive Portal authentication. When the Captive Vendor Specific Attributes (VSA): When an external RADIUS server is used, the user VLAN can be derived from the Alcatel-Lucent User-Vlan VSA. The VSA is then carried in an Access-Accept packet from the RADIUS server. The OAW-IAP can analyze the return message and derive the value of the VLAN, which it assigns to the user. Figure 58 RADIUS Access-Accept packets with VSA (packet capture showing the Aruba-User-Vlan VSA, value 100, in a RADIUS Access-Accept).
324. igure 103 RTLS Window (Services: AirGroup, RTLS, OpenDNS, CALEA, Network Integration; Aruba RTLS: IP address, Port, Passphrase, Retype, Update, Include unassociated stations; Analytics & Location Engine; 3rd party: Aeroscout). 4. Specify the IP address and port to which the location reports must be sent. 5. Specify the shared secret key in the Passphrase text box. 6. Specify the frequency at which the Virtual Controller can send updates to the server. You can specify a value within the range of 5-3600 seconds. The default value is 5 seconds. 7. Select the Include unassociated stations check box to send reports on the stations that are not associated to any OAW-IAP to the RTLS server. 8. Click OK. To configure a third-party RTLS such as Aeroscout: 1. Select the Aeroscout check box to send the RFID tag information to an AeroScout RTLS. 2. Specify the IP address and port number of the AeroScout server to which location reports must be sent. 3. Select the Include unassociated stations check box to send reports on the stations that are not associated to any OAW-IAP to the Aeroscout RTLS server. 4. Click OK. In the CLI: To configure AirWave RTLS:
(Instant Access Point)(config)# airwave-rtls <IP-address> <port> <passphrase> <seconds> include-unassoc-sta
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
To configure Aeroscout RTLS:
(Instant Access Point)(config)# aeroscout-rtls
325. ile test_tunnel)# hello-timeout 150
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# mtu 1570
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# peer-port 3000
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# secret-key test123
(Instant Access Point)(L2TPv3 Tunnel Profile test_tunnel)# end
(Instant Access Point)# commit apply
(Instant Access Point)(config)# l2tpv3 session test_session
(Instant Access Point)(L2TPv3 Session Profile test_session)# cookie len 4 value 12345678
(Instant Access Point)(L2TPv3 Session Profile test_session)# l2tpv3 tunnel test_tunnel
(Instant Access Point)(L2TPv3 Session Profile test_session)# tunnel-ip 1.1.1.1 mask 255.255.255.0 vlan 5
(Instant Access Point)(L2TPv3 Session Profile test_session)# end
(Instant Access Point)# commit apply
To view the L2TPv3 configuration:
(Instant Access Point)# show l2tpv3 config
L2TPV3 Tunnel configuration: Tunnel Profile: test_tunnel; Primary Peer: 10.0.0.63; Backup Peer: 10.0.0.65; Peer UDP Port: 3000; Local UDP Port: 1701; Hello Interval: 150; Host Name: Instant-C4:42:98; MTU: 1570; Message Digest Type: MD5; Secret Key: 625beed39fa4ff3424edb3082ede48fa; Failover Mode: non-preemptive; Failover Retry Count: 5; Retry Interval: 80; Checksum: Disable
326. illiseconds>
(Instant Access Point)(RF dot11g Radio Profile)# legacy-mode
(Instant Access Point)(RF dot11g Radio Profile)# spectrum-monitor
(Instant Access Point)(RF dot11g Radio Profile)# dot11h
(Instant Access Point)(RF dot11g Radio Profile)# interference-immunity <level>
(Instant Access Point)(RF dot11g Radio Profile)# csa-count <count>
(Instant Access Point)(RF dot11g Radio Profile)# max-distance <count>
(Instant Access Point)(RF dot11g Radio Profile)# end
(Instant Access Point)# commit apply
To configure 5 GHz radio settings:
(Instant Access Point)(config)# rf dot11a-radio-profile
(Instant Access Point)(RF dot11a Radio Profile)# beacon-interval <milliseconds>
(Instant Access Point)(RF dot11a Radio Profile)# legacy-mode
(Instant Access Point)(RF dot11a Radio Profile)# spectrum-monitor
(Instant Access Point)(RF dot11a Radio Profile)# spectrum-band <type>
(Instant Access Point)(RF dot11a Radio Profile)# dot11h
(Instant Access Point)(RF dot11a Radio Profile)# interference-immunity <level>
(Instant Access Point)(RF dot11a Radio Profile)# max-distance <count>
(Instant Access Point)(RF dot11a Radio Profile)# csa-count <count>
(Instant Access Point)(RF dot11a Radio Profile)# end
(Instant Access Point)# commit apply
To view the radio configuration:
(Instant Access Point)# show radio config
Legacy Mode: enable
Beacon Interva
327. infrastructure-detection-level <type>
(Instant Access Point)(IDS)# client-detection-level <type>
(Instant Access Point)(IDS)# infrastructure-protection-level <type>
(Instant Access Point)(IDS)# client-protection-level <type>
(Instant Access Point)(IDS)# wireless-containment <type>
(Instant Access Point)(IDS)# wired-containment
(Instant Access Point)(IDS)# detect-ap-spoofing
(Instant Access Point)(IDS)# detect-windows-bridge
(Instant Access Point)(IDS)# signature-deauth-broadcast
(Instant Access Point)(IDS)# signature-deassociation-broadcast
(Instant Access Point)(IDS)# detect-adhoc-using-valid-ssid
(Instant Access Point)(IDS)# detect-malformed-large-duration
(Instant Access Point)(IDS)# detect-ap-impersonation
(Instant Access Point)(IDS)# detect-adhoc-network
(Instant Access Point)(IDS)# detect-valid-ssid-misuse
(Instant Access Point)(IDS)# detect-wireless-bridge
(Instant Access Point)(IDS)# detect-ht-40mhz-intolerance
(Instant Access Point)(IDS)# detect-ht-greenfield
(Instant Access Point)(IDS)# dete
328. ing disallowed roles and sharing disallowed vlans are displayed. To block user roles from accessing an AirGroup service, click the corresponding edit link and select the user roles for which you want to restrict access. By default, an AirGroup service is accessible by all user roles configured in your OAW-IAP cluster. To exclude VLANs from accessing an AirGroup service, click the corresponding edit link and select the VLANs to exclude. By default, the AirGroup services are accessible by users or devices in all VLANs configured in your OAW-IAP cluster. 8. ClearPass Settings: Use this section to configure the CPPM server and CoA server and to enforce ClearPass registering. CPPM server 1: Indicates the ClearPass Policy Manager server information for AirGroup policy. Enforce ClearPass registering: When enabled, only devices registered with CPPM are discovered by Bonjour devices, based on the CPPM policy. In the CLI: To configure AirGroup:
(Instant Access Point)(config)# airgroup
(Instant Access Point)(airgroup)# ...
To configure an AirGroup service:
(Instant Access P
329. ing information about each OAW-IAP. Name: Name of the OAW-IAP. IP Address: IP address of the OAW-IAP. Mode: Mode of the OAW-IAP. Access: In this mode, the AP serves clients and scans the home channel for spectrum analysis while monitoring channels for rogue APs in the background. Monitor: In this mode, the AP acts as a dedicated Air Monitor (AM), scanning all channels for rogue APs and clients. Spectrum: When enabled, the AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference from neighboring APs or non-Wi-Fi devices such as microwaves and cordless phones. When Spectrum is enabled, the AP does not provide access services to clients. Clients: Number of clients that are connected to the OAW-IAP. Type: Model number of the OAW-IAP. Mesh Role: Role of the mesh portal or mesh point. Channel: Channel on which the OAW-IAP is currently broadcasting. Power (dB): Maximum transmission EIRP of the radio. Utilization (%): Percentage of time that the channel is utilized. Noise (dBm): Noise floor of the channel. An edit link is displayed on clicking the OAW-IAP name. For details about editing OAW-IAP settings, see Initial Configuration Tasks on page 67. Clients Tab: This tab displays a list of clients that are connected to the AOS-W Instant network. The client names are displayed as links. The expanded view
330. ing outdated operating systems: Helps to locate outdated and unexpected OS in the company network. Locating and patching vulnerable operating systems: Assists in locating and patching specific operating system versions on the network that have known vulnerabilities, thereby securing the company network. OS Fingerprinting is enabled in the AOS-W Instant network by default. The following operating systems are identified by AOS-W Instant: Windows 7, Windows Vista, Windows Server, Windows XP, Windows ME, OS X, iPhone, iOS, Android, Blackberry, Linux. Configuring Wireless Intrusion Protection and Detection Levels: WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Alcatel-Lucent network, WIP can be configured on the OAW-IAP. You can configure the following options: Infrastructure Detection Policies: Specifies the policy for detecting wireless attacks on access points. Client Detection Policies: Specifies the policy for detecting wireless attacks on clients. Infrastructure Protection Policies: Specifies the policy for protecting access points from wireless attacks. Client Protection Policies: Specifies the policy for protecting clients from wireless attacks. Containment Methods: Prevents unauthorized stations from connecting to your AOS-W In
331. inks Based on VPN and Internet Availability on page 197; Viewing Uplink Status and Configuration on page 199. Enforcing Uplinks: The following configuration conditions apply to uplink enforcement: When an uplink is enforced, the OAW-IAP uses the specified uplink regardless of the uplink preemption configuration and the current uplink status. When an uplink is enforced, multiple Ethernet ports are configured, and uplink is enabled on the wired profiles, the OAW-IAP tries to find an alternate Ethernet link based on the priority configured. When no uplink is enforced and preemption is not enabled, and the current uplink fails, the OAW-IAP tries to find an available uplink based on the priority configured. When no uplink is enforced and preemption is enabled, and the current uplink fails, the OAW-IAP tries to find an available uplink based on the priority configured. If the current uplink is active, the OAW-IAP periodically tries to use a higher priority uplink and switches to the higher priority uplink even if the current uplink is active. You can enforce a specific uplink on an OAW-IAP by using the AOS-W Instant UI or CLI. In the AOS-W Instant UI: To enforce an uplink: 1. Click System > show advanced settings > Uplink. The Uplink tab contents are displayed. 2. Under Uplink Management, select the type of uplink from the Enforce Uplink drop-down list. If Ethernet uplink is selected, the Port field is displayed. 3. Specify th
332. int)(SSID Profile ssidProfile1)# end
(Instant Access Point)# commit apply
Chapter 29 Extended Voice and Video: AOS-W Instant has the added ability to identify and prioritize voice and video traffic from applications such as Microsoft Office Communications Server (OCS) and Apple Facetime. QoS for Microsoft Office OCS and Apple Facetime: Voice and video devices use a signaling protocol to establish, control, and terminate voice and video calls. These control or signaling sessions are usually permitted using pre-defined ACLs. If the control signaling packets are encrypted, the OAW-IAP cannot determine the dynamic ports that are used for voice or video traffic. In these cases, the OAW-IAP has to use an ACL with the classify-media option enabled to identify the voice or video flow based on deep packet inspection and analysis of the actual traffic. Microsoft OCS: Microsoft Office Communications Server (OCS) uses Session Initiation Protocol (SIP) over TLS to establish, control, and terminate voice and video calls. Apple Facetime: When an Apple device starts a Facetime video call, it initiates a TCP session to the Apple Facetime server over port 5223, then sends SIP signaling messages over a non-default port. When media traffic starts flowing, audio and video data are sent through that
333. ion and Quality (Available, WiFi, Quality, Interference). Table 37 Channel Metrics shows the information displayed in the channel metrics graph. Table 37 Channel Metrics: Column / Description. Channel: A 2.4 GHz or 5 GHz radio channel. Quality: Current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands, as determined by the percentage of packet retries, the current noise floor, and the duty cycle for non-Wi-Fi devices on that channel. Availability: The percentage of the channel currently available for use. Utilization: The percentage of the channel being used. WiFi Util: The percentage of the channel currently being used by Wi-Fi devices. Interference Util: The percentage of the channel currently being used by non-Wi-Fi interference (Wi-Fi ACI, Adjacent Channel Interference). Spectrum Alerts: When a new non-Wi-Fi device is found, an alert is reported to the Virtual Controller. The spectrum alert messages include the device ID, device type, IP address of the spectrum monitor or hybrid AP, and the timestamp. The Virtual Controller reports the detailed device information to AMP. Configuring Spectrum Monitors and Hybrid OAW-IAPs: An OAW-IAP can be provisioned to function as a spectrum monitor or as a hybrid OAW-IAP. The radios on groups of APs can be converted to dedicated spectrum monitors or hybr
334. ion and other status information to the ALE server. AOS-W Instant supports integration with the Palo Alto Networks (PAN) firewall. To integrate an OAW-IAP with PAN User-ID, a global profile is added. This profile can be configured on an OAW-IAP with PAN firewall information such as IP address, port, user name, password, and firewall enabled or disabled status. The OAW-IAP maintains network information, such as the mapping of IP address and user information for its clients in the network, and can provide the required information for the User-ID feature on the PAN firewall. AOS-W Instant supports configuration of domain-based Access Control List (ACL) rules. Access to specific domains is allowed or denied based on the ACL rule definition. AOS-W Instant now supports customization of the logo, policy text, and usage terms for the internal Captive portal splash page. AOS-W Instant supports multiple Captive portal profiles and allows users to customize the Captive portal profiles based on guest logon role and SSID. You can create a set of captive portal profiles and associate them with an SSID or wired profile, or create an external Captive portal profile for a WLAN SSID or a wired profile in the WLAN wizard or Wired Network window. AOS-W Instant supports the ARM client match feature, which continually monitors a client's RF neighborhood to provide the ongoing client bandsteering service and load balancing, and enhanced OAW-IAP reassignment for roaming mobile clients. AOS-W Instant
335. ions such as a hard drive error. Errors: Error conditions. Logging Level / Description. Warning: Warning messages. Notice: Significant events of a non-critical and normal nature. The default value for all Syslog facilities. Informational: Messages of general interest to system users. Debug: Messages containing information useful for debugging. 6. Click OK. In the CLI: To configure a syslog server:
(Instant Access Point)(config)# syslog-server <IP-address>
To configure syslog facility levels:
(Instant Access Point)(config)# syslog-level <logging-level> [ap-debug | network | security | system | user | user-debug | wireless]
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
To view syslog logging levels:
(Instant Access Point)# show syslog-level
Logging Level (Facility / Level): ap-debug warn; network warn; security warn; system warn; user warn; user-debug warn; wireless error
Configuring TFTP Dump Server: You can configure a TFTP server for storing core dump files by using the AOS-W Instant UI or CLI. In the AOS-W Instant UI: 1. In the AOS-W Instant main window, click the System link. The System window is displayed. 2. Click Show advanced options to display the advanced options. 3. Click the Monitoring tab. The Monitoring tab details are displayed. 4. Enter the IP address of the TFTP server in the TFTP Dum
ios that gather spectrum data but do not service clients. Each SM scans and analyzes the spectrum band used by the SM's radio (2.4 GHz or 5 GHz). An AP radio in hybrid AP mode continues to serve clients as an access point while it analyzes spectrum analysis data for the channel the radio uses to serve clients. You can record data for both types of spectrum monitor devices. However, the recorded spectrum is not reported to the Virtual Controller. A spectrum alert is sent to the VC when a non-Wi-Fi interference device is detected.

The spectrum monitor is supported on OAW-IAP104, OAW-IAP105, OAW-IAP134, and OAW-IAP135 radios.

The spectrum data is collected by each OAW-IAP spectrum monitor and hybrid AP. The spectrum data is not reported to the VC. The Spectrum link is visible in the AOS-W Instant UI (Access Point view) only if you have enabled the spectrum monitoring feature. You can view the following spectrum data in the AOS-W Instant UI:
- Device List
- Non-Wi-Fi Interferers
- Channel Metrics
- Channel Details
- Spectrum Alerts

Device List

The device list consists of a device summary table and channel information for active non-Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio. To view the device list, click Spectrum in the dashboard. The following figure shows an example of the device list details.
is disabled by default.
- 802.1X authentication: To enable 802.1X authentication, select Enabled.
- MAC authentication fail-thru: To enable authentication fail-thru, select Enabled. When this feature is enabled, 802.1X authentication is attempted when MAC authentication fails. The MAC authentication fail-thru check box is displayed only when both MAC authentication and 802.1X authentication are Enabled.
- Select any of the following options for Authentication server 1:
  - New: On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring an External Server for Authentication on page 144 and Authentication on page 134.
  - Internal server: If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see User Management on page 128.
- Reauth interval: Specify the interval at which all associated and authenticated clients must be reauthenticated.
- Load balancing: Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced.
2. Click Next. The Access tab details are displayed.

In the CLI

To configure security settings for an employee network:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant
isplayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.

Figure 61 VLAN Assignment Rule Window
[Figure: VLAN Assignment, Default VLAN 1, Rules list, and the New VLAN Assignment Rule dialog with Attribute (AP-Group) and Operator (contains) fields]

3. Select the attribute from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 136.
4. Select the operator from the Operator drop-down list. The following types of operators are supported:
- contains: The rule is applied only if the attribute value contains the string specified in Operand.
- equals: The rule is applied only if the attribute value is equal to the string specified in Operand.
- not equals: The rule is applied only if the attribute value is not equal to the string specified in Operand.
- starts with: The rule is applied only if the attribute value starts with the string specified in Operand.
- ends with: The rule is applied only if the attribute value ends with the string specified in Operand.
- matches regular expression: The rule is applied only if the attribute value matches the regular expression pattern spe
ithin its 802.11 regulatory domain at regular intervals and sends reports to a Virtual Controller on network (WLAN) coverage, interference, and intrusion detection.

ARM Metrics

ARM computes coverage and interference metrics for each valid channel and chooses the best performing channel and transmit power settings for each OAW-IAP RF environment. Each OAW-IAP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state.

Configuring ARM Features on an OAW-IAP

You can configure ARM features such as band steering, spectrum load balancing, and airtime fairness mode using either the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure ARM:
1. Click the RF link at the top right corner of the AOS-W Instant main window.
2. Click Show advanced options. The ARM tab details are displayed.

Figure 71 RF Window: ARM Tab
[Figure: Radio and Client Control settings: Band steering mode (Prefer 5GHz), Airtime fairness mode (Fair Access), Client match (Disabled), CM calculating interval (30 seconds), CM neighbor matching (75%), CM threshold (2), SLB mode (Channel). Access Point Control settings: Customize valid channels, Min transmit power (18), Max transmit power (Max), Client aware (Enabled), Scanning (Enabled), Wide channel bands (5GHz), 80MHz support (Enabled). Hide advanced options link.]

3. Configure
its contents. The users who do not sign up for the Internet service can view only the allowed websites, typically hotel property websites. The administrators can allow or block access to specific URLs by creating a whitelist and blacklist. When the users attempt to navigate to other websites which are not in the whitelist of the walled garden profile, the users are redirected to the login page. If the requested URL is on the blacklist, it is blocked. If it appears on neither list, the request is redirected to the external Captive portal.

Configuring a WLAN SSID for Guest Access

You create an SSID for guest access by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. In the Networks tab of the AOS-W Instant main window, click the New link. The New WLAN window is displayed.
2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
3. Based on the type of network profile, specify the Primary usage as Guest.
4. Click the Show advanced options link. The advanced options for configuration are displayed.
5. Enter the required values for the following configuration parameters:

Table 19 WLAN SSID Configuration Parameters for Guest Network
Parameter: Description
Broadcast/Multicast: Select any of the following values under Broadcast filtering:
- All: When set to All, the OAW-IAP drops all broadcast and multicast frames except DHCP and ARP.
- ARP: When set to ARP, the OAW-IAP converts ARP requests to unicas
k the Errors icon next to the OAW-IAP in the Errors column.

RF Trends

The RF Trends section displays the following graphs for the selected client:
Figure 17 Signal Graph [figure: Signal (dB)]
Figure 18 Frames Graph [figure: Frames (fps), In/Out, Min/Max]
Figure 19 Speed Graph [figure: Speed (mbps)]
Figure 20 Throughput Graph [figure: Errors (fps), In/Out]
[figure: Retries graph with Retries In and Retries Out, showing Last, Min, Max, and Avg values]

Usage Trends

The Usage Trends section displays the following graphs:
- Clients: In the default view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes. In Network or Instant Access Points view, this graph displays the number of clients that were associated with the selected network or OAW-IAP in the last 15 minutes.
- Throughput: In the default view, the Throughput graph displays the incoming and outgoing throughput traffic for the Virtual Controller in the last 15 minutes. In the Network or Instant Access Points view, this graph displays the incoming and outgoing throughput traffic for the selected network or OAW-IAP in the last 15 minutes.

Figure 21 U
klist a client:
(Instant Access Point)(config)# blacklist-client <MAC-Address>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To view the blacklisted clients:
(Instant Access Point)# show blacklist-client

Blacklisted Clients
-------------------
MAC   Reason   Timestamp   Remaining time(sec)   AP name
---   ------   ---------   -------------------   -------

Blacklisting Users Dynamically

The clients can be blacklisted dynamically when they exceed the authentication failure threshold, or when a blacklisting rule is triggered as part of the authentication process.

Authentication Failure Blacklisting
When a client takes time to authenticate and exceeds the configured failure threshold, it is automatically blacklisted by an OAW-IAP.

Session Firewall Based Blacklisting
In session firewall based blacklisting, an ACL rule is used to enable the option for automatic blacklisting. When the ACL rule is triggered, it sends out blacklist information and the client is blacklisted.

Configuring Blacklist Duration

You can set the blacklist duration using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To set a blacklist duration:
1. Click the Security link from the top right corner of the AOS-W Instant main window.
2. Click the Blacklisting tab.
3. Under Dynamic Blacklisting:
   - For Auth failure blacklist time, specify the duration in seconds after which the clients that exceed the authentication failure threshold must be blacklisted.
5
l. When automatic GRE configuration is enabled, a single IPSec tunnel between the OAW-IAP cluster and the switch, and one or several GRE tunnels, are created based on the Per-AP tunnel configuration on the OAW-IAP. When this feature is enabled on the OAW-IAP, no manual configuration is required on the switch to create the GRE tunnel.

Automatic configuration of the GRE tunnel is supported only on Alcatel-Lucent switches. This feature is not supported on switches running AOS-W Instant 6.3.x.x or lower versions.

You can configure an OAW-IAP to automatically set up a GRE tunnel from the OAW-IAP to the switch by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click the More > VPN link at the top right corner of the AOS-W Instant UI. The Tunneling window is displayed.
2. Select Aruba GRE from the Protocol drop-down list.
3. Enter the IP address or FQDN for the main VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you enter the Primary host IP address and Backup host IP address, other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in Figure 80.
   a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional.
   b. If Preemption is enabled
l                                 :100
802.11d / 802.11h                 :enable
Interference Immunity Level       :2
Channel Switch Announcement Count :0
MAX Distance                      :600
Channel Reuse Type                :disable
Channel Reuse Threshold           :0
Background Spectrum Monitor       :disable

5.0 GHz:
Legacy Mode                       :enable
Beacon Interval                   :100
802.11d / 802.11h                 :enable
Interference Immunity Level       :2
Channel Switch Announcement Count :2
MAX Distance                      :600
Channel Reuse Type                :disable
Channel Reuse Threshold           :0
Background Spectrum Monitor       :disable
Standalone Spectrum Band          :5ghz-upper

Chapter 19 Intrusion Detection

The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized OAW-IAPs and clients. It also logs information about the unauthorized OAW-IAPs and clients and generates reports based on the logged information. The IDS feature in the AOS-W Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations. This chapter describes the followin
l RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. AOS-W Instant RADIUS is implemented on the Virtual Controller, and this eliminates the need to configure multiple NAS clients for every OAW-IAP on the RADIUS server for client authentication. AOS-W Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and users are allowed or denied access to the network depending on the response from the RADIUS server. When you enable an external RADIUS server for the network, the client on the OAW-IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet.

AOS-W Instant supports the following external authentication servers:
- RADIUS (Remote Authentication Dial-In User Service)
- LDAP (Lightweight Directory Access Protocol)
- CPPM Server for AirGroup CoA

To use an LDAP server for user authentication, configure the LDAP server on the Virtual Controller and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the Virtual Controller.

RADIUS Server Authentication with VSA

An external RADIUS server authenticates network users and returns to the OAW-IAP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated
l services available to mobile devices. With AirGroup, the context-based policies determine the Bonjour services that can be accessed by an end user's mobile device.

Figure 100 AirGroup in a Higher Education Environment
[Figure: Shared Device Registration Portal, Personal Device Registration Portal, AirGroup Administrator, AirGroup Guest, AirGroup Operators, ClearPass Policy Manager (CoA Request and Updates, AirGroup Query, AirGroup Database Lookup), AirGroup Device Information, AirGroup Enabled]

AirGroup Features

AirGroup supports the following features:
- AirGroup sends unicast responses to mDNS queries and reduces the mDNS traffic footprint.
- Ensure cross-VLAN visibility and availability of mDNS devices and services.
- Allow or block mDNS services for all users.
- Allow or block mDNS services based on user roles.
- Allow or block mDNS services based on VLANs.
- Match users' devices (such as iPads) to their closest Bonjour devices (such as printers). This requires CPPM support.

CPPM and ClearPass Guest Features

CPPM and ClearPass Guest support the following features:
- Registration portal for WLAN users to register their personal devices, such as Apple TVs and printers.
- Registration portal for WLAN administrators to register shared devices, such as conference room Apple TVs and printers.
- Operator-defined personal AirGroup to specify a
ld: Specify a value to set a threshold for DMO channel utilization. With DMO, the OAW-IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90 and the maximum threshold value is 100. When the threshold is reached or exceeds the maximum value, the OAW-IAP sends multicast traffic over the wireless link.
NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

Transmit Rates: Specify the following parameters:
- 2.4 GHz: If the 2.4 GHz band is configured on the OAW-IAP, specify the minimum and maximum transmission rate. The default value for the minimum transmission rate is 1 Mbps and for the maximum transmission rate is 54 Mbps.
- 5 GHz: If the 5 GHz band is configured on the OAW-IAP, specify the minimum and maximum transmission rate. The default value for the minimum transmission rate is 6 Mbps and for the maximum transmission rate is 54 Mbps.

Bandwidth Limits: Select any of the following check boxes to specify the bandwidth limit:
- Airtime: Select this check box to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
- Each user: Select this check box to specify a throughput for any single user in this network. Specify the throughput value in Kbps.
- Each radio: Select this check box to specify an aggregate amount of throughp
le modem-country <country>
(Instant Access Point)(cellular-uplink-profile)# modem-isp <service-provider-name>
(Instant Access Point)(cellular-uplink-profile)# usb-auth-type <usb-authentication-type>
(Instant Access Point)(cellular-uplink-profile)# usb-user <username>
(Instant Access Point)(cellular-uplink-profile)# usb-passwd <password>
(Instant Access Point)(cellular-uplink-profile)# usb-dev <device-ID>
(Instant Access Point)(cellular-uplink-profile)# usb-tty <tty-port>
(Instant Access Point)(cellular-uplink-profile)# usb-init <Initialization-parameter>
(Instant Access Point)(cellular-uplink-profile)# usb-dial <dial-parameter>
(Instant Access Point)(cellular-uplink-profile)# end
(Instant Access Point)# commit apply

To view the cellular configuration:
(Instant Access Point)# show cellular config

USB Plugged in
Vendor_ID  :0
Product_ID :0

cellular configure
------------------
Type            Value
----            -----
4g-usb-type     pantech-lte
usb-type
usb-dev         test
usb-tty
usb-init
usb-user
usb-passwd
usb-auth-type   PAP
usb-dial
usb-init
usb-modeswitch
modem-isp       verison
modem-country   India

Supported Country list

To view the cellular status:
(Instant Access Point)# show cellular status

cellular status
---------------
card          detect       link
----          ------       ----
Not present   Not detect   Linkdown

Wi-Fi Uplink

The Wi-Fi uplink is su
le AP deployment. Uplink redundancy with the PPPoE link is not supported.

When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections. The OAW-IAP can establish a PPPoE session with a PPPoE server at the ISP and get authenticated using Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP). Depending upon the request from the PPPoE server, either the PAP or the CHAP credentials are used for authentication. After configuring PPPoE, reboot the OAW-IAP for the configuration to take effect. The PPPoE connection is dialed after the AP comes up. The PPPoE configuration is checked during OAW-IAP boot, and if the configuration is correct, Ethernet is used for the uplink connection.

When PPPoE is used, do not configure Dynamic RADIUS Proxy and the IP address of the Virtual Controller. An SSID created with the default VLAN is not supported with a PPPoE uplink.

You can also configure an alternate Ethernet uplink to enable uplink failover when an Ethernet port fails.

Configuring PPPoE Uplink Profile

You can configure PPPoE settings from the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click the Show advanced options link. The advanced options are displayed.
3. In the Uplink tab, perform the following steps:
le lists the terms and their definitions used in this guide.

Table 66 List of Terms
Term: Definition
802.11: An evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.
802.11a: Provides specifications for wireless systems. Networks using 802.11a operate at radio frequencies in the 5 GHz band. The specification uses a modulation scheme known as orthogonal frequency-division multiplexing (OFDM) that is especially well suited to use in office settings. The maximum data transfer rate is 54 Mbps.
802.11b: WLAN standard, often called Wi-Fi, backward compatible with 802.11. Instead of the phase-shift keying (PSK) modulation method historically used in 802.11 standards, 802.11b uses complementary code keying (CCK), which allows higher data speeds and is less susceptible to multipath-propagation interference. 802.11b operates in the 2.4 GHz band and the maximum data transfer rate is 11 Mbps.
802.11g: Offers transmission over relatively short distances at up to 54 Mbps, compared with the 11 Mbps theoretical maximum of 802.11b. 802.11g operates in the 2.4 GHz band and employs orthogonal frequency-division multiplexing (OFDM), the modulation scheme used in 802.11a, to obtain higher data speed. Computers or terminals set up for 802.11g can fa
led altogether, the dynamic CPU management feature settings can be modified.

Configuring for Dynamic CPU Management

You can configure the dynamic CPU management feature by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To enable or disable the management plane protection:
1. Click System > Show Advanced Options.
2. Select any of the following options from the Dynamic CPU Management drop-down:
- Automatic: When selected, CPU management is enabled or disabled automatically during run time. This decision is based on real-time load calculations, taking into account all the different functions that the CPU needs to perform. This is the default and recommended option.
- Always disabled on all APs: When selected, this setting manually disables CPU management on all APs, typically for small networks. This setting protects user experience.
- Always enabled on APs: When selected, the client and network management functions are protected. This setting helps in large networks with high client density.
3. Click OK.

In the CLI
(Instant Access Point)(config)# dynamic-cpu-mgmt {auto | enable | disable}

Example
To enable the dynamic CPU management feature:
(Instant Access Point)(config)# dynamic-cpu-mgmt enable
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Chapter 31 Link Aggregation Control Protocol for OAW-IAP220 Series
ler assigns the IP addresses to the WLAN or wired clients. By default, the OAW-IAP automatically determines a suitable DHCP pool for Virtual Controller Assigned networks. In the current release, the OAW-IAP typically selects the 172.31.98.0/23 subnet. If the IP address of the OAW-IAP is within the 172.31.98.0/23 subnet, the OAW-IAP selects the 10.254.98.0/23 subnet. However, this mechanism does not guarantee that it would avoid all possible conflicts with the wired network. If your wired network uses either 172.31.98.0/23 or 10.254.98.0/23 and you experience problems with the Virtual Controller Assigned networks after upgrading to AOS-W Instant 6.2.1.0-3.4, manually configure the DHCP pool by following the steps described in this section.

You can configure a domain name, DNS server, and DHCP server for client IP assignment using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. In the DHCP tab, enter the domain name of the client in the Domain name text box.
3. Enter the IP addresses of the DNS servers, separated by commas, in the DNS server text box.
4. Enter the duration of the DHCP lease in the Lease time text box.
5. Select Minutes, Hours, or Days for the lease time from the drop-down list next to Lease time. The default lease time is 0.
6. Enter the network in the Network text box.
7. Enter the mask in the Mask text box.

To provide
list of other users who can share devices with the operator.
- Administrator-defined username, user role, and location attributes for shared devices.

AirGroup Components

The components that make up the AirGroup solution include AOS-W Instant, CPPM, and ClearPass Guest. The version requirements are described in the following table.

Table 54 AOS-W Instant, CPPM, and ClearPass Guest Requirements
Component: Minimum Version
AOS-W Instant: 6.2.0.0-3.2.0.0
ClearPass Guest Services plugin: 0.8.7
Starting from ClearPass version 6.0, ClearPass Guest and the AirGroup Services plug-in are integrated into a single platform.

AirGroup Services

AirGroup supports zero-configuration services. The services are pre-configured and are available as part of the factory default configuration. The administrator can also enable or disable any or all services by using the AOS-W Instant UI or CLI.

The following services are available for OAW-IAP clients:
- AirPlay: Apple AirPlay allows wireless streaming of music, video, and slideshows from your iOS device to Apple TV and other devices that support the AirPlay feature.
- AirPrint: Apple AirPrint allows you to print from an iPad, iPhone, or iPod Touch directly to any AirPrint-compatible printer.
- iTunes: The iTunes service is used by iTunes Wi-Fi sync and iTunes home sharing applications across all Apple devices.
- RemoteMgmt: Use this service for remote login, rem
ll back to speeds of 11 Mbps so that 802.11b and 802.11g devices can be compatible within a single network.
802.11n: Wireless networking standard to improve network throughput over the two previous standards, 802.11a and 802.11g, with a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. 802.11n operates in the 2.4 and 5.0 bands.
AP: An access point (AP) connects users to other users within the network and also can serve as the point of interconnection between the WLAN and a fixed wire network. The number of access points a WLAN needs is determined by the number of users and the size of the network.
access point mapping: The act of locating and possibly exploiting connections to WLANs while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a WLAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources.
ad hoc network: A LAN or other small network, especially one with wireless or temporary plug-in
ll ... 198
... 198
Viewing Uplink Status and Configuration ... 199
Mobility and Client Management ... 200
Layer-3 Mobility ... 200
Configuring L3 Mobility ... 201
Home Agent Load Balancing ... 201
Configuring a Mobility Domain for AOS-W Instant ... 201
In the AOS-W Instant UI ... 201
In the CLI ... 202
Spectrum Monitor ... 203
Understanding Spectrum Data ... 203
Device List ... 203
Non-Wi-Fi Interferers ... 204
Channel Details ... 206
[illegible entry] ... 207
Spectrum Alerts ... 208
Configuring Spectrum Monitors and Hybrid OAW-IAPs ... 208
Converting an OAW-IAP to a Hybrid OAW-IAP ... 208
In the AOS-W Instant UI ... 208
In the CLI ... 208
Converting an OAW-IAP to a Spectrum Monitor ... 209
In the AOS-W Instant UI ... 209
In the CLI ... 209
Adaptive Radio Management ... 211
ARM Overview ... 211
Channel or Power Assignment ...
llowing features:
- If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
- If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
- If the captive portal splash page type is none, MAC authentication is disabled.
You can configure the mac-auth-only role when MAC authentication is enabled with captive portal authentication. For more information on configuring an OAW-IAP to use MAC and Captive Portal authentication, see Configuring MAC Authentication with Captive Portal Authentication on page 156.

802.1X authentication with Captive Portal authentication: This authentication mechanism allows you to configure different Captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the Captive portal role. You can configure rules to indicate access to an external or internal Captive portal, or none. For more information on configuring Captive portal roles for an SSID with 802.1X authentication, see Configuring Captive Portal Roles for an SSID on page 123.

WISPr authentication: Wireless Internet Service Provider roaming (WISPr) authentication allows a smart client to authenticate on the network when they roam betwe
ls:
(Instant Access Point)# show vpn config

Configuring an L2TPv3 Tunnel

The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows the OAW-IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to the L2TP Network Server (LNS). In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated to the OAW-IAP get their IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel.

In this release, L2TPv3 supports the following:
- AOS-W Instant supports tunnel and session configuration and uses Control Message Authentication (RFC 3931) for tunnel and session establishment. Each L2TPv3 tunnel supports one data connection, and this connection is termed an L2TPv3 session.
- Each OAW-IAP supports tunneling over UDP only.
- If the primary LNS is down, then it will fail over to the backup LNS. L2TPv3 has one tunnel profile, and under this, one primary peer and a backup peer are configured. If the primary tunnel creation fails or if the primary tunnel gets deleted, the backup starts. The following two failover modes are supported:
  - Preemptive: In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary will be the only active tunnel. If you configure the tunnel to be preemptive, then when the primary tunnel goes down it will start the persistence timer, which trie
<attribute> {equals <operator> <role> | not-equals <operator> <role> | starts-with <operator> <role> | ends-with <operator> <role> | contains <operator> <role> | value-of}
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

Chapter 15 Uplink Configuration

This chapter provides the following information:
- Uplink Interfaces on page 187
- Ethernet Uplink on page 188
- 3G/4G Uplink on page 190
- Wi-Fi Uplink on page 194
- Uplink Preferences and Switching on page 196

Uplink Interfaces

The AOS-W Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate Instant network. The 3G/4G USB modems and the Wi-Fi uplink can be used to extend the connectivity to places where an Ethernet uplink cannot be configured. It also provides a reliable backup link for the Ethernet-based Instant network.

The following figure illustrates a scenario in which the OAW-IAPs join the Virtual Controller as slave OAW-IAPs through a wired or mesh Wi-Fi uplink.

Figure 63 Uplink Types
[Figure: 3G/4G uplink, Wi-Fi uplink, and Master IAP]

The following types of uplinks are supported on AOS-W Instant:
- Ethernet Uplink
- 3G/4G Uplink
- Wi-Fi Uplink

The following figure shows the window for configuring uplinks in the AOS-W Instant UI.
me
[Figure: SNMPv3 Users table (Name, Authentication Type, Encryption Type) and SNMP Trap Hosts table (IP Address, Version, Name, Port, Inform), with OK and Cancel buttons]
- Enter the authentication password in the Password text box and retype the password in the Retype text box.
- Enter the privacy protocol password in the Password text box and retype the password in the Retype text box.
> <auth-protocol> <password> <privacy-pr

Configuring SNMP Traps

AOS-W Instant supports the configuration of external trap receivers. Only the OAW-IAP acting as the Virtual Controller generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X.

You can configure SNMP traps using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure an SNMP trap receiver:
1. Navigate to System > Show advanced options > Monitoring. The Monitoring window is displayed.
2. Under SNMP Traps, enter a name in the SNMP Engine ID text box. It indicates the name of the SNMP agent on the access point. The SNMPv3 agent has an engine ID that uniquely identifies the agent in the device and is unique to that internal network.
3. Click New and update the following fields:
- IP Address: Enter the IP address of the new SNMP trap receiver.
- Version: Select the SNMP version (v1, v2c, v3) from the drop-down list. The version specifies the format of traps generated by the access point.
- Community/Username: Specif
360. …mic CPU Management … 302
In the AOS-W Instant UI … 302
In the CLI … 302
Example … 302
Link Aggregation Control Protocol for OAW-IAP220 Series … 303
OAW-IAP Management … 304
Configuring LED Display … 304
In the AOS-W Instant UI … 304
In the CLI … 304
Backing up and Restoring OAW-IAP Configuration Data … 304
Viewing Current Configuration … 304
Backing up Configuration Data … 304
Restoring Configuration … 305
Converting an OAW-IAP to a Remote AP and Campus AP … 305
Converting an OAW-IAP to Remote AP … 305
Converting an OAW-IAP using CLI … 307
Converting an OAW-IAP to Campus AP … 308
Converting an OAW-IAP to Standalone Mode … 308
Converting an OAW-IAP using CLI … 309
Resetting a Remote AP or Campus AP to an OAW-IAP … 309
Rebooting the OAW-IAP … 309
Monitoring Devices and Logs … 311
Configuring SNMP …
361. …mpt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.
[Item A]: Command examples enclosed in brackets are optional. Do not type the brackets.
{Item A | Item B}: In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.
The following informational icons are used throughout this guide:
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.
Contacting Support
Table 2: Support Information
Contact Center Online
- http://www.alcatel-lucent.com/enterprise
- Support Site: https://service.esd.alcatel-lucent.com
- esd.support@alcatel-lucent.com
Service & Support Contact Center Telephone
- North America: 1-800-995-2696
- Latin America: 1-877-919-9526
- Asia Pacific: +65 6240 8484
- Worldwide: 1-818-878-4507, 800-00200100 (Toll Free) or 1-650-385-2193
Chapter 2: About AOS-W Instant
This chapter provides the following information:
- AOS-W Instant Overview
- What is New in AOS-W Instant 6.3.1.1-4.0
AOS-W Instant Overview
AOS-W Instant virtualizes OmniAccess WLAN Switch capabilities on 802.11 access poin…
362. …ms-ip> <ams-key>
… Enhancements: AOS-W Instant now supports a new format: organization <ams-domain>. Also, the OAW-IAP now performs a certificate-based authentication with the OmniVista Management server instead of the current PSK-based login process.
Support for HTTP Proxy Configuration: AOS-W Instant now supports HTTP proxy configuration. The HTTP proxy enables the OAW-IAP to download the image from the cloud server.
AirGroup Enhancements: AOS-W Instant now supports different AirGroup services such as iTunes, Sharing, Chat, and so on. You can either allow all services or customize the required services.
Dynamic RADIUS Proxy (DRP) IP address configuration: AOS-W Instant allows the configuration of separate IP address and VLAN details which can be used as source IP address and VLAN for RADIUS packets. When the dynamic RADIUS proxy IP address and VLAN are configured, the clients associated with an OAW-IAP can be authenticated with multiple RADIUS servers across different geographical areas, networks, and VLANs.
Restricted access management: AOS-W Instant allows you to configure management subnets and restrict access to the corporate network in order to prevent unauthorized users from accessing the corporate network.
Uplink VLAN monitoring and detection: The AOS-W Instant UI now displays an alert message when a client connects to an SSID or wired interface with a VLAN ID that is not allowed on the upstream device. The alert ups…
363. …must retrieve an API key that will be used for authentication for all APIs. OAW-IAP and PAN firewall integration can be seamless with the XML API that is available with PAN-OS 5.0 or later. To integrate an OAW-IAP with PAN user ID, a global profile is added. This profile can be configured on an OAW-IAP with PAN firewall information such as IP address, port, user name, password, and firewall enabled or disabled status. The OAW-IAP sends messages to PAN based on the type of authentication and client status. After a client completes the authentication and is assigned an IP address, the OAW-IAP will send the login message. After a client is disconnected or dissociated from the OAW-IAP, the OAW-IAP sends a logout message.
Configuring an OAW-IAP for PAN integration
You can configure an OAW-IAP for PAN firewall integration using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1. Click More > Services. The Services window is displayed.
2. Click Network Integration. The PAN firewall configuration options are displayed.
Figure 104: Services Window, Network Integration Tab (Services: AirGroup, RTLS, OpenDNS, CALEA, Network Integration; Palo Alto Network firewall integration: Enable, Username, Password, Retype, IP address, Port)
3. Select the Enable checkbox to enable PAN firewall.
4. Specify the user…
364. …n OAW-IAP on page 70.
System
This link displays the System window. The System window consists of the following tabs. Use the Show/Hide Advanced option at the bottom of the System window to view or hide the advanced options.
- General: Allows you to configure, view, or edit the Name, IP address, NTP Server, and other OAW-IAP settings for the Virtual Controller. For information about Virtual Controller configuration, see Virtual Controller Configuration on page 82. For information about NTP Server configuration, see Configuring an NTP Server on page 77. For information about Auto-join mode, Terminal Access, LED display, TFTP Dump Server, and Deny inter-user bridging, see OAW-IAP Management on page 304.
- Admin: Allows you to configure administrator credentials for access to the Virtual Controller Management User Interface. You can also configure OmniVista in this tab. For more information on management interface and OmniVista configuration, see Configuring Authentication Parameters for Virtual Controller Management Interface on page 150 and Configuring OmniVista on page 260, respectively.
- DHCP: Allows you to configure DHCP server settings for the Virtual Controller.
- Uplink: Allows you to view or configure uplink settings. See Uplink Configuration on page 187 for more information.
- L3 Mobility: Allows you to view or configure the Layer 3 mobility settings. See…
365. …n the Access Point view displays the spectrum data that is collected by a hybrid AP or by an OAW-IAP that has enabled spectrum monitor. The spectrum data is not reported to the Virtual Controller. The spectrum link displays the following:
- Device list: The device list display consists of a device summary table and channel information for active non-Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio.
- Channel Utilization and Monitoring: This chart provides an overview of channel quality across the spectrum. It shows channel utilization information such as channel quality, availability, and utilization metrics as seen by a spectrum monitor for the 2.4 GHz and 5 GHz radio bands. The first bar for each channel represents the percentage of air time used by non-Wi-Fi interferers and Wi-Fi devices. The second bar indicates the channel quality. A higher percentage value indicates better quality.
- Channel Details: When you move your mouse over a channel, the channel details or the summary of the 5 GHz and 2.4 GHz channels as detected by a spectrum monitor are displayed. You can view the aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference, and the Signal-to-Noise and Interference Ratio (SNIR). Spectrum monitors display spectrum analysis data seen on all channels in the selected band, and hybrid OAW-IAPs display data from the one channel they are monitoring. For more information on spect…
366. …nabled, the Bonjour devices are visible only in the guest VLAN, and AirGroup will not discover or enforce policies in the guest VLAN.
5. Select the Enable AirGroup across mobility domains check box to enable inter-cluster mobility. AOS-W Instant supports two types of assignment modes:
- Intra-Cluster: In the Intra-Cluster model, the OAW-IAP does not share the mDNS database information with the other clusters.
- Inter-Cluster: In the Inter-Cluster model, the OAW-IAP shares the mDNS database information with the other clusters. The DNS records in the Virtual Controller can be shared with all the Virtual Controllers configured for L3 Mobility. By default, this feature is disabled. To define clusters, go to the System > L3 Mobility tab.
6. Select the required AirGroup services. The service IDs associated with an AirGroup service are also displayed. To add any service, click New and add. To allow all services, select allowall.
7. Based on the services configured, you can block any user roles and VLAN from accessing an AirGroup service. The user roles and VLANs marked as disallowed are prevented from accessing the corresponding AirGroup service. You can create a list of disallowed user roles and VLANs for all AirGroup services configured on the OAW-IAP. For example, if the AirPlay service is selected, the edit links for the airplay disallowed roles and airplay disallowed vlans are displayed. Similarly, if the sharing service is selected, the edit links for the shar…
367. …name: admin; Password: admin.
7. Create a new SSID and wpa-2-personal keys with unrestricted or network-based access rules. Select any permit for basic connectivity.
8. Connect a client to the new SSID and disconnect from the instant SSID. All the OAW-IAPs show up on the Virtual Controller. Disconnect the OAW-IAPs that you want to deploy as Mesh Points from the switch and place the OAW-IAPs at the desired location. The OAW-IAPs with valid uplink connections function as the mesh portal.
The OAW-IAPs in the US, JP, or IL regulatory domain which are in factory default state scan for several minutes after booting. An OAW-IAP mesh point in factory default state automatically joins the portal only if a single Instant mesh network is found. You can also enable the auto-join feature in the existing network to allow mesh points to automatically join the network.
Chapter 7: VLAN Configuration
VLAN configuration is required for networks with more devices and broadcast traffic on a WLAN SSID or wired profile. Based on the network type and its requirements, you can configure the VLANs for a WLAN SSID or wired port profile. For more information on VLAN configuration for a WLAN SSID and wired port profile, see Configuring VLAN Settings for a WLAN SSID Profile on page 89 and Configuring VLAN for a Wired Profile on page 103.
VLAN Pooling
In a single OAW-IAP cluster, a large number of…
368. …name>)# key <key>
(Instant Access Point)(Auth Server <profile-name>)# port <port>
(Instant Access Point)(Auth Server <profile-name>)# acctport <port>
(Instant Access Point)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant Access Point)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant Access Point)(Auth Server <profile-name>)# timeout <seconds>
(Instant Access Point)(Auth Server <profile-name>)# retry-count <number>
(Instant Access Point)(Auth Server <profile-name>)# deadtime <minutes>
(Instant Access Point)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
(Instant Access Point)(Auth Server <profile-name>)# end
(Instant Access Point)# commit apply
Associate the Authentication Servers with an SSID or Wired Profile
1. Access the WLAN wizard or Wired Settings window.
- To open the WLAN wizard, select an existing SSID in the Network tab and click edit.
- To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.
You can also associate the authentication servers when creating a new WLAN or wired profile.
2. Click the Security tab.
3. If you are configuring an authentication server for a WLAN SSID, under the Security tab, slide to the Enterprise security level.
4. Ensure that an authentication type is enabled.
369. …ndicate if additional steps are required for authentication. When enabled, the following information is sent to the client in response to an ANQP query. For ASRA, ensure that the network authentication type is associated.
- comeback-mode: Enable this parameter to allow the client to obtain a GAS Request and Response as a Comeback Request and Comeback Response. By default, this comeback mode is disabled.
- gas-comeback-delay: Specify a GAS comeback delay interval in milliseconds to allow the client to retrieve the query response using a comeback request action frame when the GAS response is delayed. You can specify a value within the range of 100-2000 milliseconds, and the default value is 500 milliseconds.
- group-frame-block: Enable this parameter if you want to stop the AP from sending forward downstream group-addressed frames.
- hessid: Specify a Homogenous Extended Service Set Identifier (HESSID) in a hexadecimal format separated by colons.
- internet: Specify this parameter to allow the OAW-IAP to send an Information Element (IE) indicating that the network allows Internet access.
- Specify this parameter to advertise support for P2P Cross Connections.
- p2p-dev-mgmt: Specify this parameter to advertise support for P2P device management.
- pame-bi: Specify this parameter to enable the Pre-Association Message Exchange BSSID Independent (PAME-BI) bit, with which the OAW-IAP can indicate that the Advertisement Server can return a query response independent of the B…
370. …net.
7. Click Finish.
In the CLI
To configure a Distributed L2 DHCP scope:
(Instant Access Point)(config)# ip dhcp <profile-name>
(Instant Access Point)(DHCP Profile <profile-name>)# ip dhcp server-type <Distributed,L2>
(Instant Access Point)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant Access Point)(DHCP Profile <profile-name>)# subnet-mask <subnet-mask>
(Instant Access Point)(DHCP Profile <profile-name>)# default-router <IP-address>
(Instant Access Point)(DHCP Profile <profile-name>)# client-count <number>
(Instant Access Point)(DHCP Profile <profile-name>)# dns-server <name>
(Instant Access Point)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant Access Point)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant Access Point)(DHCP Profile <profile-name>)# ip-range <start-IP> <end-IP>
(Instant Access Point)(DHCP Profile <profile-name>)# reserve {first|last} <count>
(Instant Access Point)(DHCP Profile <profile-name>)# option <type> <value>
(Instant Access Point)(DHCP Profile <profile-name>)# end
(Instant Access Point)# commit apply
To configure a Distributed L3 DHCP scope:
(Instant Access Point)(config)# ip dhcp <profile-name>
(Instant Access Point)(DHCP Profile <profile-name>)# ip dhcp serve…
371. …network, slide to Network-based. To configure access rules for user roles, slide to Role-based.
4. To create a new rule for the network, click New. To create an access rule for a user role, select the user role and then click New. The New Rule window is displayed.
5. In the New Rule window:
6. Select Access control from the Rule type drop-down list.
7. Select Source NAT from the Action drop-down list to allow changes to the source IP address.
8. Select a service from the list of available services.
9. Select the required option from the Destination drop-down.
10. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.
11. Click OK and then click Finish.
In the CLI
To configure a source NAT access rule:
(Instant Access Point)(config)# wlan access-rule <access_rule>
(Instant Access Point)(Access Rule "<access_rule>")# rule <dest> <mask> <match> <protocol> <sport> <eport> src-nat
(Instant Access Point)(Access Rule "<access_rule>")# end
(Instant Access Point)# commit apply
Configuring Source-Based Routing
To allow different forwarding policies for different SSIDs, you can configure source-based routing. The source-based routing configuration overrides the routing profile configuration and allows any destination or service to be configured to have direct access to the Internet, bypassing the VPN tunnel based on the ACL rule definition. When…
372. …ng DHCP scope are independent of subnets configured in other OAW-IAP clusters. The Virtual Controller assigns an IP address from a local subnet and forwards traffic to both corporate and non-corporate destinations. The network address is translated appropriately and the packet is forwarded through the IPsec tunnel or through the uplink. This DHCP assignment mode is used for the NAT forwarding mode.
- Local L3: In this mode, the Virtual Controller acts as a DHCP server and the gateway, and assigns an IP address from the local subnet. The OAW-IAP routes the packets sent by clients on its uplink. This mode does not provide corporate access through the IPsec tunnel. This DHCP assignment mode is used with the L3 forwarding mode.
In the AOS-W Instant UI
To configure a Local or Local L3 DHCP scope:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2. To configure Local or Local L3 DHCP scopes, click New under Local DHCP Scopes. The New DHCP Scope window is displayed. The following figure shows the contents of the New DHCP Scope window.
Figure 78: New DHCP Scope (Other DHCP scopes; Local DHCP Scopes; New DHCP Scope: Name, Type Local, Network, Netmask, Excluded address, DNS server, Domain name, Lease time (min), Option Type/Value)
3. Based on the type of DHCP scope, configure the following parameters:
Table 50: DHCP Mode Configuration Parameters
Name | Description
Name | Enter a name for the DH…
373. …ng the 802.1X authentication request from this client because the credentials provided are rejected by the RADIUS server too many times.
- The OAW-IAP cannot authenticate this client using 802.1X because the RADIUS server did not respond to the authentication request.
- The OAW-IAP cannot authenticate this client using 802.1X because the RADIUS server rejected the authentication credentials (password and so on) provided by the client.
- The OAW-IAP cannot receive data from this client because the integrity check of the received message (MIC) has failed.
- This client did not receive a response to its DHCP request in time.
Corrective Actions
- Consider expanding capacity by installing additional OAW-IAPs or balance load by relocating OAW-IAPs.
- This condition may be indicative of a misbehaving client. Try to locate the client device and check its hardware and software.
- Identify the client and check its 802.1X credentials.
- If the OAW-IAP is using the internal RADIUS server, recommend checking the related configuration as well as the installed certificate and passphrase. If the OAW-IAP is using an external RADIUS server, check if there are any issues with the RADIUS server and try connecting again.
- Ascertain the correct authentication credentials and log in again.
- Check the encryption setting on the client and on the OAW-IAP.
- Check the status of the DHCP server in the network.
The IDS link displays a lis…
374. …nical support.
- AP Uplink Status: Displays uplink status for the OAW-IAP.
- AP derivation rules: Displays derivation rules configured on the OAW-IAP.
- AP User Table: Displays the list of clients for the OAW-IAP.
- AP Valid Channels: Displays valid channels of the OAW-IAP.
- AP Version: Displays the version number of the OAW-IAP.
- AP VPN Status: Displays VPN status for the OAW-IAP.
- AP Environment Variable: Displays information about the type of antenna used by the OAW-IAP.
- AP Wired Port Settings: Displays wired port configuration details for the OAW-IAP.
- AP Wired User Table: Displays the list of clients associated with the wired network profile configured on the OAW-IAP.
- VC 802.1x Certificate: Displays the CA certificate and server certificate for the Virtual Controller.
- VC About: Displays information such as AP type, build time of image, and image version for the Virtual Controller.
- VC Active Configuration: Displays the active configuration of the Virtual Controller.
- VC Airgroup Service: Displays the Bonjour services supported by the Virtual Controller.
- VC Airgroup Status: Displays the status of the AirGroup and CPPM server details configured on the Virtual Controller.
- VC Allowed AP Table: Displays the list of allowed APs.
- VC AMP Current State Data: Displays the current status of OmniVista.
- VC AMP Current Stats Data: Displays the current OmniVista configuration details.
- VC AMP Data Sent: Displays information about the da…
375. …nk: bond0 (DHCP); Internet failover: disable; Max allowed test packet loss: 10; Secs between test packets: 30; VPN failover timeout (secs): 180
This chapter provides the following information:
Layer 3 Mobility Overview
OAW-IAPs form a single AOS-W Instant network when they are in the same Layer 2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client must be allowed to roam away from the AOS-W Instant network to which it first connected (home network) to another network supporting the same WLAN access parameters (foreign network) and continue its existing sessions.
Layer 3 (L3) mobility allows a client to roam without losing its IP address and sessions. If WLAN access parameters are the same across these networks, clients connected to OAW-IAPs in a given AOS-W Instant network can roam to APs in a foreign AOS-W Instant network and continue their existing sessions. Clients roaming across these networks are able to continue using their IP addresses after roaming. You can configure a list of Virtual Controller IP addresses across which L3 mobility is supported.
The AOS-W Instant Layer 3 mobility solution defines a Mobility Domain as a set of Instant networks with the same WLAN access parameters across which client roaming is supported. The AOS-W Instant network to which the client first connects is call…
376. …nnect to the subnet defined by this scope. This is because you can specify only one option 43 for a scope, and if other devices that use option 43 connect to this subnet, they are presented with Instant-specific information. (NOTE)
In Server 2008, navigate to Server Manager > Roles > DHCP Server > Domain DHCP Server > IPv4. Select a scope (subnet). Scope 10.169.145.0 (145) is selected in the example shown in the figure below. Right-click and select Advanced, and then specify the following options:
- Vendor class: DHCP Standard Options
- User class: Default User Class
- Available options: Select 043 Vendor Specific Info
- String Value: Alcatel-LucentInstantAP,tme-store4,10.169.240.8,Alcatel-Lucent123 (which is the AP description, organization string, OmniVista IP address or domain name, and pre-shared key for OmniVista)
Figure 95: Vendor Specific DHCP Options (Windows Server DHCP console showing Scope 10.169.145.0 (145) with its Address Pool, Reservations, and Scope Options)
377. …ns with the Mobility Switch. This list can be either stored in the Mobility Switch or on an external server.
Switch Whitelist Database
You can use the following CLI command to configure the whitelist database entry if the switch is acting as the whitelist database:
(host)# whitelist-db rap add mac-address 00:11:22:33:44:55 ap-group test
The ap-group parameter is not used for any configuration but needs to be configured. The parameter can be any valid string.
External Whitelist Database
If an external server is used as the location for the whitelist database, add the MAC addresses of the valid OAW-IAPs in the external database or external directory server, and then configure a RADIUS server to authenticate the OAW-IAPs using the entries in the external database or external directory server.
If you are using Windows 2003 server, perform the following steps to configure the external whitelist database on it. There are equivalent steps available for Windows Server 2008 and other RADIUS servers.
1. Add the MAC addresses for all the OAW-IAPs in the Active Directory of the RADIUS server:
a. Open the Active Directory Users and Computers window, add a new user, and specify the MAC address (without the colon delimiter) of the OAW-IAP for the user name and password.
b. Right-click the user that you have just created and click Properties.
c. In the Dial-in tab, select Allow access in the Remote Access Permission section and click OK.
d. Repeat Step a throug…
378. …(Instant Access Point)(config)# hotspot anqp-domain-name-profile <name>
(Instant Access Point)(domain-name <name>)# domain-name <domain-name>
(Instant Access Point)(domain-name <name>)# enable
(Instant Access Point)(domain-name <name>)# end
(Instant Access Point)# commit apply
Configuring an Operator-friendly Profile
You can configure the operator-friendly name profile to define the identity of the operator.
To configure an H2QP operator-friendly name profile:
(Instant Access Point)(config)# hotspot h2qp-oper-name-profile <name>
(Instant Access Point)(operator-friendly-name <name>)# op-fr-name <op-fr-name>
(Instant Access Point)(operator-friendly-name <name>)# op-lang-code <op-lang-code>
(Instant Access Point)(operator-friendly-name <name>)# enable
(Instant Access Point)(operator-friendly-name <name>)# end
(Instant Access Point)# commit apply
Configuring a Connection Capability Profile
You can configure a Connection Capability profile to define information such as the hotspot IP protocols and associated port numbers that are available for communication.
To configure an H2QP connection capability profile:
(Instant Access Point)(config)# hotspot h2qp-conn-cap-profile
(Instant Access Point)(connection-capabilities <name>)# esp…
379. …(Instant Access Point)(SSID Profile <name>)# wep-key <WEP-key> <WEP-index>
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply
Configuring External Captive Portal Authentication Using ClearPass Guest
You can configure AOS-W Instant to point to ClearPass Guest as an external Captive Portal server. With this configuration, the user authentication is performed by matching a string in the server response and the RADIUS server (either ClearPass Guest or a different RADIUS server).
Creating a Web Login page in the ClearPass Guest
The ClearPass Guest Visitor Management Appliance provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. With ClearPass Guest, the users can have controlled access to a dedicated visitor management user database. Through a customizable web portal, the administrators can easily create an account, reset a password, or set an expiry time for visitors. Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit.
By defining a web login page on the ClearPass Guest Visitor Management Appliance, you are able to provide a customized graphical login page for visitors accessing the network. For information on setting up the RADIUS Web Login feature, see the RADIUS Services section in the ClearPass Guest Deployment G…
380. …(Instant Access Point)(config)# rf dot11g-radio-profile
(Instant Access Point)(RF dot11g Radio Profile)# spectrum-monitor
To configure 5 GHz radio settings:
(Instant Access Point)(config)# rf dot11a-radio-profile
(Instant Access Point)(RF dot11a Radio Profile)# spectrum-monitor
Converting an OAW-IAP to a Spectrum Monitor
In spectrum mode, spectrum monitoring is performed on entire bands. However, for the 5 GHz radio, spectrum monitoring is performed on only one of the three bands (5 GHz lower, 5 GHz middle, 5 GHz higher). By default, spectrum monitoring is performed on the higher band of the 5 GHz radio. You can configure an OAW-IAP to function as a standalone spectrum monitor using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
To convert an OAW-IAP to a spectrum monitor:
1. In the Access Points tab, click the AP that you want to convert to a spectrum monitor. The edit link is displayed.
2. Click the edit link. The Edit Access Point window is displayed.
3. Click the Radio tab.
4. From the Access Mode drop-down list, select Spectrum Monitor.
5. Click OK.
6. Reboot the OAW-IAP for the changes to take effect.
7. To enable spectrum monitoring for any other band for the 5 GHz radio:
a. Click the RF link at the upper right corner of the AOS-W Instant UI.
b. Click Show advanced options to view the Radio tab.
c. For the 5 GHz radio, specify the spectrum band you want that radio to moni…
381. …nt Interface
You can configure authentication settings for access to the Virtual Controller management user interface in the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Select the Admin tab. The Admin tab details are displayed. The following figure shows the contents of the Admin tab.
Figure 49: Admin Tab, Management Authentication Parameters (Local: Authentication Internal, Username admin, Password, Retype; View Only: Username, Password, Retype; Guest Registration Only: Username, Password, Retype; AirWave: Organization, AirWave IP, AirWave backup IP, Shared key, Retype; Show advanced options)
3. Under Local, select any of the following options from the Authentication drop-down list:
- Internal: Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.
- RADIUS Server: Specify one or two RADIUS servers to authenticate clients. If two servers are configured, users can use them in primary or backup mode or load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list.
- RADI…
382. …nt version required for the Campus AP or Remote AP conversion.
Table 60: OAW-AP Platforms and Minimal AOS-W Instant Versions for OAW-IAP to Remote AP Conversion
OAW-IAP Platform | AOS-W Instant Version
To convert an OAW-IAP to RAP, perform the following steps:
1. Click the Maintenance link in the AOS-W Instant main window.
2. Click the Convert tab. The Convert tab is displayed.
Figure 107: Maintenance, Convert Tab (Maintenance: About, Configuration, Certificates, Firmware, Reboot, Convert; Convert one or more Access Points to a Mobility Controller; Hostname or IP Address of Mobility Controller; After conversion, all Access Points will be managed by the Controller specified above)
Figure 108: Convert options (Convert one or more Access Points to: Remote APs managed by a Mobility Controller; Campus APs managed by a Mobility Controller; Standalone AP; After conversion, all Access Points will be managed by the Controller specified above)
3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname, fully qualified domain name, or the IP address of the Switch in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator…
383. …ntication is enabled with captive portal authentication.
Configuring MAC Authentication with Captive Portal Authentication
You can configure the MAC authentication with Captive Portal authentication for a network profile using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1. Select an existing wireless or wired profile for which you want to enable MAC with Captive Portal authentication. Depending on the network profile selected, the Edit <WLAN Profile> or Edit Wired Network window is displayed.
You can configure MAC authentication with Captive Portal authentication in the Access tab of the New WLAN and New Wired Network windows when configuring a new profile.
2. In the Access tab, specify the following parameters for a network with Role Based rules:
a. Select the Enforce Machine Authentication check box when MAC authentication is enabled for Captive Portal. If the MAC authentication fails, the Captive Portal authentication role is assigned to the client.
b. For a wireless network profile, select the Enforce MAC Auth Only Role check box when MAC authentication is enabled for Captive Portal. After successful MAC authentication, the MAC auth only role is assigned to the client.
3. Click Next and then click Finish to apply the changes.
In the CLI
To configure MAC authentication with Captive Portal authentication for a wireless profile:
(Instant Access Point)(config)# ntp-server <name>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To configure the timezone:

(Instant Access Point)(config)# clock timezone <name> <hour-offset> <minute-offset>
(Instant Access Point)(config)# clock summer-time <timezone> recurring <start-week> <start-day> <start-month> <start-hour> <end-week> <end-day> <end-month> <end-hour>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Chapter 6 Mesh OAW-IAP Configuration

This chapter provides the following information:
- Mesh Network Overview on page 79
- Setting up AOS-W Instant Mesh Network on page 80

Mesh Network Overview

The AOS-W Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. As traffic traverses mesh OAW-IAPs, the mesh network automatically reconfigures around broken or blocked paths. This self-healing feature provides increased reliability and redundancy and allows the network to continue operating even when an OAW-IAP stops functioning or a connection fails.

Mesh OAW-IAPs

A mesh network requires at least one valid uplink (wired or 3G) connection. Any provisioned OAW-IAP that has a valid uplink (wired or 3G) functions as a mesh portal, and th
ntroller for communication with external RADIUS servers. Because the RADIUS requests of every OAW-IAP are then sourced from the Virtual Controller IP address, ensure that the Virtual Controller IP address is set as the NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication on page 144.

In the CLI

To enable the dynamic RADIUS proxy feature:

(Instant Access Point)(config)# dynamic-radius-proxy
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring Dynamic RADIUS Proxy Parameters for Authentication Servers

You can configure DRP parameters for the authentication server by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI

1. Click Security > Authentication Servers.
2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 27.
3. Ensure that the following dynamic RADIUS proxy parameters are configured:
   - DRP IP: IP address to be used as the source IP for RADIUS packets
   - DRP Mask: subnet mask of the DRP IP address
   - DRP VLAN: VLAN in which the RADIUS packets are sent
   - DRP Gateway: gateway IP address of the DRP VLAN
4. Click OK.

In the CLI

To configure dynamic RADIUS proxy parameters:

(Instant Access Point)(config)# wlan auth-server <profile-name>
(Instant Access Point)(Auth Server "<profile-name>")# ip <IP-address>
(Instant Access Point)(Auth Server "<profile
ode VLAN to be part of the same L2 broadcast domain on the Switch.
- L3 Routing Mode: In this mode, traffic destined for the corporate network is routed through the VPN tunnel to the Switch, and traffic destined for non-corporate networks is translated using the IP address of the OAW-IAP and forwarded through the uplink. When an OAW-IAP registers with the Switch and is configured to use the L3 DHCP address assignment mode, the Mobility Switch adds a route on the Switch, enabling routing of traffic from the corporate network to clients on this subnet in the branch.

IAP-VPN Scalability Limits

AOS-W Instant provides enhancements to the scalability limits for the IAP-VPN branches terminating on the switch. The following table provides the IAP-VPN scalability information for various switch platforms.

Table 51 IAP-VPN Scalability (columns: Platforms, Branches, Routes, L3 Mode Users, NAT Users, Total L2 Users; values as listed: 3200, 1000, 1000, 2000, 2000, 8000, 8000, 8000, 8000, 16000, 16000, 128000, 32000, 32000, 128000)

- Branches: the number of IAP-VPN branches that can be terminated on a given switch platform.
- Routes: the number of L3 routes supported on the switch.
- L3 mode and NAT mode users: the number of trusted users supported on the switch. There is no scale impact on the switch; they are limited only by the number of clients supported per OAW-IAP.
- L2 mode users: the number of L2 mo
ofile-name>
(Instant Access Point)(DHCP Profile "<profile-name>")# server-type Centralized
(Instant Access Point)(DHCP Profile "<profile-name>")# server-vlan <vlan-ID>
(Instant Access Point)(DHCP Profile "<profile-name>")# option82 alu
(Instant Access Point)(DHCP Profile "<profile-name>")# end
(Instant Access Point)# commit apply

To configure a Centralized DHCP scope for L3 clients:

(Instant Access Point)(config)# ip dhcp <profile-name>
(Instant Access Point)(DHCP Profile "<profile-name>")# server-type Centralized
(Instant Access Point)(DHCP Profile "<profile-name>")# server-vlan <vlan-ID>
(Instant Access Point)(DHCP Profile "<profile-name>")# dhcp-relay
(Instant Access Point)(DHCP Profile "<profile-name>")# dhcp-server <DHCP-relay-server>
(Instant Access Point)(DHCP Profile "<profile-name>")# vlan-ip <DHCP-IP-address> mask <VLAN-mask>
(Instant Access Point)(DHCP Profile "<profile-name>")# end
(Instant Access Point)# commit apply

Configuring Local and Local L3 DHCP Scopes

You can configure Local and Local L3 DHCP scopes by using the AOS-W Instant UI or CLI.
- Local: In this mode, the Virtual Controller acts as both the DHCP server and the default gateway. The configured subnet and the correspondi
(Instant Access Point)(config)# airgroup
(Instant Access Point)(airgroup)# cppm enforce-registration
(Instant Access Point)(airgroup)# cppm-server <server>
(Instant Access Point)(airgroup)# cppm-server-dead-time <interval>
(Instant Access Point)(airgroup)# cppm-query-interval <interval>
(Instant Access Point)(airgroup)# disallow-vlan <vlan-ID>
(Instant Access Point)(airgroup)# enable-guest-multicast
(Instant Access Point)(airgroup)# multi-swarm
(Instant Access Point)(airgroup)# end
(Instant Access Point)# commit apply

(Instant Access Point)(config)# airgroupservice <airgroup-service>
(Instant Access Point)(airgroup-service)# id <airgroupservice-ID>
(Instant Access Point)(airgroup-service)# description <text>
(Instant Access Point)(airgroup-service)# disallow-role <role>
(Instant Access Point)(airgroup-service)# disallow-vlan <vlan-ID>
(Instant Access Point)(airgroup-service)# end
(Instant Access Point)# commit apply

To view the AirGroup configuration status:

(Instant Access Point)# show airgroup status

AirGroup Feature: Disabled
AirGroup Multi Swarm: Disabled
AirGroup Guest Multicast: Disabled

CPPM Parameters
CPPM Enforce Registration: Disabled
CPPM Server query interval: 10 hours
CPPM Server dead time: 100 Seconds

AirGroup Service Information
Service      Status
airplay      Enabled
airprint     Disabled
itunes       Disabled
remotemgmt   Enabled
sharing      Disabled
chat         Enabled
allowall     Disabled

Configuring AirGroup and CPPM Interface in AOS-W Instant

Configure the AOS-W Instant and CPPM interface to allow an AirGroup OAW-IAP and CPPM to exc
omes a Virtual Controller, it sends three Address Resolution Protocol (ARP) messages with the static IP address and its MAC address to update the network ARP cache.

Configuring IP Address for Virtual Controller

You can configure the Virtual Controller name and IP address using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI

1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click the Show advanced options link. The advanced options are displayed.
3. In the General tab, enter the appropriate IP address in the Virtual Controller IP text box. The IP configured for the Virtual Controller can be in the same subnet as the OAW-IAP or in a different subnet. If the Virtual Controller IP is in a different subnet, configure the Virtual Controller mask, gateway and VLAN as described in the following steps:
   a. Enter the subnet mask in the Virtual Controller Netmask text box.
   b. Enter a gateway address in the Virtual Controller Gateway text box.
   c. Enter the Virtual Controller VLAN in the Virtual Controller VLAN text box.
   NOTE: Ensure that the Virtual Controller VLAN is not the same as the native VLAN of the OAW-IAP.
4. Click OK.

In the CLI

To configure the Virtual Controller name and IP address:

(Instant Access Point)(config)# virtual-controller-ip <IP-address>
(Instant Access Point)(config)# virtu
on Rules on page 178.

AOS-W Instant supports role derivation based on DHCP option for Captive Portal authentication. When the Captive Portal authentication is successful, a new user role is assigned to the guest users based on the DHCP option configured for the SSID profile instead of the pre-authenticated role.

2. Click Finish.

In the CLI

To configure access control rules for a WLAN SSID:

(Instant Access Point)(config)# wlan access-rule <name>
(Instant Access Point)(Access Rule "<name>")# rule ... <end-port> {permit | deny | src-nat ...}
(Instant Access Point)(Access Rule "<name>")# end
(Instant Access Point)# commit apply

To configure access control based on the SSID:

(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# set-rol...
(Instant Access Point)(SSID Profile "<name>")# end
(Instant Access Point)# commit apply

To configure role assignment rules:

(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# set-role <attribute> {... | starts-with | ends-with | contains ...} ...
(Instant Access Point)(SSID Profile "<name>")# end
(Instant Access Point)# commit apply

To configure a pre-authentication role:

(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# set-rol
on about the client match configuration status on OAW-IAP Radio 0.
- AP Radio 1 Client Match Status: Displays information about the client match configuration status on OAW-IAP Radio 1.
- AP Radio 0 Client Probe Report: Displays a report on the AP clients connected to OAW-IAP Radio 0.
- AP Radio 1 Client Probe Report: Displays a report on the AP clients connected to OAW-IAP Radio 1.
- AP Client View: Displays client details of an OAW-IAP.
- AP Virtual Beacon Report: Displays a report on virtual beacons for an OAW-IAP.
- AP Client Match Live: Displays the live details of the client match configuration on an OAW-IAP.
- AP Client Match History: Displays the historical details of the client match configuration on an OAW-IAP.
- AP RADIUS Statistics: Displays the RADIUS server statistics for the OAW-IAP.
- AP Shaping Table: Displays shaping information for clients associated with the OAW-IAP.
- AP Sockets: Displays socket information of the OAW-IAP.
- AP STM Configuration: Displays STM configuration details for each SSID profile configured on the OAW-IAP.
- AP System Status: Displays detailed system status information for the OAW-IAP.
- AP System Summary: Displays the OAW-IAP configuration.
- AP Swarm State: Displays details of the OAW-IAP cluster to which the AP is connected.
- AP Tech Support Dump: Displays the logs with complete OAW-IAP configuration information required for tech
on encryption settings.

Session Key for LEAP: Set to Enabled if session keys for LEAP are required. This is required for old printers that use dynamic WEP through Lightweight Extensible Authentication Protocol (LEAP) authentication. The Session Key for LEAP feature is Disabled by default. Dynamic WEP and LEAP are legacy mechanisms; enable this only for the devices that cannot use WPA2.

NOTE: When WPA-2 Enterprise and Both (WPA2 & WPA) encryption types are selected and the 802.1X authentication method is configured, Opportunistic Key Caching (OKC) is enabled by default. If OKC is enabled, a cached Pairwise Master Key (PMK) is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1X authentication. OKC roaming can be configured only for the Enterprise security level.

For the Personal security level, select an encryption key from the Key management drop-down list.
- For WPA-2 Personal, WPA Personal and Both (WPA-2 & WPA) keys, specify the following parameters:
  1. Passphrase format: Select a passphrase format from the Passphrase format drop-down list. The available options are 8-63 alphanumeric characters and 64 hexadecimal characters.
  2. Enter a passphrase in the Passphrase text box and reconfirm it.
- For Static WEP, specify the following parameters:

Parameters (continued): 802.11r roaming; Termination; Authentication server 1 and Authentication server 2; Load balancing; Reauth interval; Blacklisting.
on for Personal and Open security levels, set MAC authentication to Enabled. For the Enterprise security level, the following options are available:
- Perform MAC authentication before 802.1X: Select this check box to use 802.1X authentication only when the MAC authentication is successful.
- MAC authentication fail-thru: On selecting this check box, 802.1X authentication is attempted when the MAC authentication fails.

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the OAW-IAP uses the delimiter in the MAC authentication request. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

Set to Enabled to allow the OAW-IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates on page 160.

Security Level column: Enterprise, Personal and Open security levels; Enterprise security level; Enterprise, Personal and Open security levels (for each of the remaining rows).
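The delimiter and uppercase options above change the exact string the OAW-IAP sends, and a RADIUS user entry that compares User-Name exactly must be created in the same form. The following is an added example, not code from the guide or from the OAW-IAP firmware; it models that formatting so the server-side entry can be checked against it. The MAC d8:c7:c8:c4:00:ef is taken from Figure 31 of this guide; accepting ':', '-' or '.' as input separators is an assumption of the example.

```python
import re
from typing import Optional

# Added example, not OAW-IAP code: models the MAC string used in a MAC
# authentication request under the delimiter / uppercase options.
# Accepting ':', '-' or '.' on input is an assumption of this example.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Reduce a MAC written with ':', '-', '.' or no separator to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mac_auth_string(mac: str, delimiter: Optional[str] = None, uppercase: bool = False) -> str:
    """Return the MAC string the OAW-IAP would place in the MAC authentication request.

    delimiter=None -> xxxxxxxxxxxx (no delimiter configured)
    delimiter=':'  -> xx:xx:xx:xx:xx:xx
    uppercase=True -> hex letters sent in uppercase
    """
    digits = normalize_mac(mac)
    if delimiter is not None:
        if len(delimiter) != 1 or delimiter.lower() in "0123456789abcdef":
            raise ValueError("delimiter must be a single non-hex character")
        digits = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits.upper() if uppercase else digits


def radius_entry_matches(mac: str, stored_username: str,
                         delimiter: Optional[str] = None, uppercase: bool = False) -> bool:
    """True if a RADIUS user entry compared byte-for-byte matches the request string.

    A server that compares User-Name exactly will reject a client whose entry was
    created as d8:c7:c8:c4:00:ef when the AP is configured without a delimiter.
    """
    return mac_auth_string(mac, delimiter, uppercase) == stored_username
```

Use mac_auth_string with the same delimiter and uppercase settings as the profile to generate the usernames loaded into the internal or external RADIUS server; a mismatch in form shows up as a MAC authentication failure, which in the fail-thru configuration above silently falls back to 802.1X.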
on page 137.

Figure 60 Configuring RADIUS Attributes on the RADIUS Server (attribute configuration dialog: Access type, Attributes, User Role)

- User Role: If the VSA and VLAN derivation rules do not match, the user VLAN can be derived from the user role.
- VLANs Created for an SSID: If the VSA and VLAN derivation rules do not match and the User Role does not contain a VLAN, the user VLAN can be derived from the VLANs configured for an SSID or Ethernet port profile.

Configuring VLAN Derivation Rules

The rule assigns the user to a VLAN based on the attributes returned by the RADIUS server when the user is authenticated and on the MAC address of the user. You can configure VLAN derivation rules for an SSID profile by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI

1. Perform one of the following steps:
   - To configure a VLAN derivation rule for a WLAN SSID profile, click Network > New > New WLAN > VLAN or Network > edit > Edit <WLAN profile> > VLAN. Select the Dynamic option under Client VLAN assignment.
   - To configure a VLAN derivation rule for a wired network profile, click Wired > New > New Wired Network > VLAN or Wired > Edit > Edit Wired Network > VLAN.
2. Click New to create a VLAN assignment rule. The New VLAN Assignment Rule window is d
one port (E1 or E2) or an 802.3af powered DC IN Power Socket on two ports (E1 and E2).

Assigning an IP Address to the OAW-IAP

The OAW-IAP needs an IP address for network connectivity. When you connect an OAW-IAP to a network, it receives an IP address from a DHCP server.

To obtain an IP address for an OAW-IAP:
1. Ensure that the DHCP service is enabled on the network.
2. Connect the ENET 0 port of the OAW-IAP to a switch or router using an Ethernet cable.
3. Connect the OAW-IAP to a power source. The OAW-IAP receives an IP address provided by the switch or router.

If there is no DHCP service on the network, the OAW-IAP can be assigned a static IP address. If a static IP is not assigned, the OAW-IAP obtains an IP address automatically within the 169.254 subnet.

Assigning a Static IP

To assign a static IP to an OAW-IAP:
1. Connect a terminal, PC or workstation running a terminal emulation program to the Console port on the OAW-IAP.
2. Power on the OAW-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
3. Press Enter before the timer expires. The OAW-IAP enters apboot mode. In apboot mode, use the following commands to assign a static IP to the OAW-IAP. Because the console prompt gives unauthenticated access to apboot, restrict physical access to the OAW-IAP console.

Hit <Enter> to stop autoboot: 0
apboot>
apboot> setenv ipaddr 192.0.2.0
apboot> setenv netmask 255.255.255.0
apboot> set
onfiguration are displayed. Specify the following parameters as required.

Table 17 WLAN Configuration Parameters (parameters: Broadcast filtering, DTIM interval, Multicast transmission optimization, Dynamic multicast optimization, DMO channel utilization threshold, Transmit Rates, Bandwidth Limits, Wi-Fi Multimedia (WMM) traffic management)

Broadcast filtering: Select any of the following values:
- All: When set to All, the OAW-IAP drops all broadcast and multicast frames except DHCP and ARP.
- ARP: When set to ARP, the OAW-IAP converts ARP requests to unicast and sends the frames directly to the associated client.
- Disabled: When set to Disabled, all broadcast and multicast traffic is forwarded.

DTIM interval: The DTIM interval indicates the Delivery Traffic Indication Message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the OAW-IAP should deliver the buffered broadcast and multicast frames to associated clients in power-save mode. The default value is 1, which means the client checks for buffered data on the OAW-IAP at every beacon. You can also configure a higher DTIM value for power saving.

Multicast transmission optimization: Select Enabled if you want the OAW-IAP to select the optimal rate for sending broadcast and multicast f
onfiguration information of the selected OAW-IAP or the client.

Table 7 Contents of the Info Section in the AOS-W Instant Main Window

Info section in Virtual Controller view: The Info section in the Virtual Controller view displays the following information:
- Name: Displays the Virtual Controller name.
- System Location: Displays the system location.
- Country Code: Displays the country in which the Virtual Controller is operating.
- Virtual Controller IP address: Displays the IP address of the Virtual Controller.
- OmniVista Server and Backup Server: Displays the names of the OmniVista server and the backup servers, if OmniVista servers are configured.
- Band: Displays the band in which the Virtual Controller is operating: 2.4 GHz band, 5 GHz band or both.
- Master: Displays the IP address of the Access Point acting as Virtual Controller.
- OpenDNS Status: Displays the OpenDNS status. If the OpenDNS status indicates Not Connected, ensure that the network connection is up and appropriate credentials are configured for OpenDNS.
- MAS integration: Displays the status of the MAS integration feature.
- Uplink type: Displays the type of uplink configured on the OAW-IAP, for example Ethernet or 3G.
- Uplink status: Indicates the uplink status.
- Blacklisted clients: Displays the number of blacklisted clients.
- Internal RADIUS Users: Displays the number of internal RA
onfiguration to all other OAW-IAPs in the same AP management VLAN. When the Virtual Controller goes down, a new Virtual Controller is elected.

Provisioning an OAW-IAP as a Master OAW-IAP

You can provision an OAW-IAP as a master OAW-IAP by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI

1. In the Access Points tab, click the OAW-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying OAW-IAP details is displayed.
3. Select Enabled from the Preferred master drop-down list. This option is disabled by default.

Figure 31 OAW-IAP Settings: Provisioning Master OAW-IAP (Edit Access Point d8:c7:c8:c4:00:ef; General tab: Name d8:c7:c8:c4:00:ef, Preferred master Enabled, IP address for Access Point: Get IP address from DHCP server / Specify statically)

4. Click OK.

In the CLI

To provision an OAW-IAP as a master OAW-IAP:

(Instant Access Point)# iap-master

To verify that the OAW-IAP is provisioned as master IAP:

(Instant Access Point)# show ap-env
Antenna Type:Internal
Iap_master:1

Virtual Controller IP Address Configuration

You can specify a single static IP address that can be used to manage a multi-AP AOS-W Instant network. This IP address is automatically provisioned on a shadow interface on the OAW-IAP that takes the role of a Virtual Controller. When an OAW-IAP bec
onfigure a 3GPP profile, enter the following commands at the command prompt:

(Instant Access Point)(config)# hotspot anqp-3gpp-profile <name>
(Instant Access Point)(3gpp "<name>")# 3gpp-plmn1 <plmn-ID>
(Instant Access Point)(3gpp "<name>")# enable
(Instant Access Point)(3gpp "<name>")# end
(Instant Access Point)# commit apply

The Public Land Mobile Network (PLMN) ID is a combination of the mobile country code and network code. You can specify up to 6 PLMN IDs for a 3GPP profile.

Configuring an IP Address Availability Profile

You can configure the available IP address types to send information on IP address availability as an ANQP IE in a GAS query response. To configure an IP address availability profile, enter the following commands at the command prompt:

(Instant Access Point)(config)# hotspot anqp-ip-addr-avail-profile <name>
(Instant Access Point)(IP-addr-avail "<name>")# ipv4-addr-avail
(Instant Access Point)(IP-addr-avail "<name>")# ipv6-addr-avail
(Instant Access Point)(IP-addr-avail "<name>")# enable
(Instant Access Point)(IP-addr-avail "<name>")# end
(Instant Access Point)# commit apply

Configuring a Domain Profile

You can configure a domain profile to send the domain names as an ANQP IE in a GAS query response. To configure a domain name profile, enter the following commands at the command prompt:

I
onfigure access rules.

In the CLI

To configure internal captive portal authentication:

(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile "<name>")# essid <ESSID-name>
(Instant Access Point)(SSID Profile "<name>")# type Guest
(Instant Access Point)(SSID Profile "<name>")# captive-portal {internal-authenticated | internal-acknowledged} exclude-uplink {3G | 4G | Wifi | Ethernet}
(Instant Access Point)(SSID Profile "<name>")# mac-authentication
(Instant Access Point)(SSID Profile "<name>")# auth-server <server1>
(Instant Access Point)(SSID Profile "<name>")# radius-reauth-interval <Minutes>
(Instant Access Point)(SSID Profile "<name>")# end
(Instant Access Point)# commit apply

To configure an internal captive portal for a wired profile:

(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile "<name>")# type guest
(Instant Access Point)(wired ap profile "<name>")# captive-portal {internal-authenticated | internal-acknowledged} exclude-uplink {3G | 4G | Wifi | Ethernet}
(Instant Access Point)(wired ap profile "<name>")# mac-authentication
(Instant Access Point)(wired ap profile "<name>")# auth-server <server1>
(Instant Access Point)
onfigure rules to provide access to an external Captive portal, an internal Captive portal, or none, so that some of the clients using this SSID can derive the Captive portal role.

The following conditions apply to the 802.1X and Captive portal authentication configuration:
- If a user role does not have Captive Portal settings configured, the Captive portal settings configured for the SSID are applied to the client's profile.
- If the SSID does not have Captive Portal settings configured, the Captive portal settings configured for the user role are applied to the client's profile.
- If Captive portal settings are configured for both the SSID and the user role, the Captive portal settings configured for the user role are applied to the client's profile.

You can create a Captive portal role for both Internal-acknowledged and External-Authentication Text splash page types. To enforce the Captive Portal role, use the AOS-W Instant UI or CLI.

In the AOS-W Instant UI

To create a Captive portal role:
1. Select an SSID profile from the Networks tab. The Edit <WLAN Profile> window is displayed.
2. In the Access tab, slide to Role-based access control by using the scroll bar.
3. Select a role, or create a new one if required.
4. Click New to add a new rule. The New Rule window is displayed.
5. In the New Rule window, specify the following parameters. The following figures show th
ot2.0 "<name>")# roam-cons-len-1 <integer>
(Instant Access Point)(Hotspot2.0 "<name>")# roam-cons-len-2 <integer>
(Instant Access Point)(Hotspot2.0 "<name>")# roam-cons-len-3 <integer>
(Instant Access Point)(Hotspot2.0 "<name>")# roam-cons-oi-1 <integer>
(Instant Access Point)(Hotspot2.0 "<name>")# roam-cons-oi-2 <integer>
(Instant Access Point)(Hotspot2.0 "<name>")# roam-cons-oi-3 <integer>
(Instant Access Point)(Hotspot2.0 "<name>")# venue-group <group>
(Instant Access Point)(Hotspot2.0 "<name>")# venue-type <type>
(Instant Access Point)(Hotspot2.0 "<name>")# enable
(Instant Access Point)(Hotspot2.0 "<name>")# end
(Instant Access Point)# commit apply

The hotspot profile configuration parameters are described in the following table.

Table 57 Hotspot Configuration Parameters

access-network-type <type>: Specify any of the following 802.11u network types:
- private: This network is accessible to authorized users only, for example home networks or enterprise networks that require user authentication. The corresponding integer value for this network type is 0.
- private-with-guest: This network is accessible to guest users based on guest authentication methods, for example enterprise networks that allow guest users with captive portal authentication. The corresponding integer value for this network type is 1.
- chargeable-publi
ote management and FTP utilities on Apple devices.
- Sharing: Applications such as disk sharing and file sharing use the service IDs that are part of this service on one or more Apple devices.
- Chat: The iChat Instant Messenger application on Apple devices uses this service.

Configuring AirGroup and AirGroup Services on an OAW-IAP

You can configure AirGroup services using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI

To enable AirGroup and its services:
1. Click the More > Services link at the top right corner of the AOS-W Instant main window.
2. Click the Air Group tab. The Air Group tab details are displayed.
3. Select the Enable Air Group check box. The AirGroup configuration parameters are displayed.

Figure 101 AirGroup Configuration (Services window tabs: Air Group, RTLS, OpenDNS, CALEA, Network Integration; check boxes: Enable AirGroup, Enable Guest Bonjour multicast, Enable AirGroup across mobility domains; AirGroup Settings table with columns AirGroup Service, disallowed roles, disallowed vlans and Service ID for airplay (_airplay._tcp, _raop._tcp, _appletv-v2._tcp), airprint, remotemgmt, sharing, chat, allowall; ClearPass Settings: CPPM server 1, Enforce ClearPass registration)

4. Select Enable Guest Bonjour multicast to allow users to use Bonjour services enabled in a guest VLAN. When this check box is e
other regulatory domain.

Mesh Portals

A mesh portal (MPP) is a gateway between the wireless mesh network and the enterprise wired LAN. The mesh roles are automatically assigned based on the OAW-IAP configuration. A mesh network could have multiple mesh portals to support redundant mesh paths (mesh links between neighboring mesh points that establish the best path to the mesh portal) from the wireless mesh network to the wired LAN.

The mesh portal broadcasts a mesh services set identifier (MSSID, the mesh cluster name) to advertise the mesh network service to other mesh points in that AOS-W Instant network. This is not configurable and is transparent to the user. The mesh points authenticate to the mesh portal and establish a link that is secured using Advanced Encryption Standard (AES) encryption.

The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network.

Mesh Points

The mesh point establishes an all-wireless path to the mesh portal. The mesh point provides traditional WLAN services such as client connectivity, intrusion detection system (IDS) capabilities, user role association and Quality of Service (QoS) for LAN-to-mesh communication to clients, and performs mesh backhaul network connectivity. A mesh point also supports LAN bridging: you can connect any wired device to the downlink port of the mesh point. In the case of a single Ethernet
ow. The Wired window is displayed.
2. Click New under Wired Networks. The New Wired Network window is displayed. The following figure shows the contents of the Wired Settings tab.

Figure 38 New Wired Network Window: Wired Settings (fields: Name, Primary usage Employee/Guest, Speed/Duplex Auto/Auto, POE Enabled, Admin status Up, Content filtering Disabled, Uplink Disabled, Spanning tree Disabled)

3. Click the Wired Settings tab and enter the following information:
   a. Name: Specify a name for the profile.
   b. Primary Usage: Select Employee or Guest.
   c. Speed/Duplex: Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
   d. POE: Set POE to Enabled to enable Power over Ethernet.
      NOTE: The E2 port on OAW-RAP3WNP supports Power Sourcing Equipment (PSE) to supply power to any compliant 802.3af powered class 0-4 device. OAW-RAP155P supports PSE for 802.3af powered device class 0-4 on one port (E1 or E2) or 802.3at powered DC IN Power Socket on two ports (E1 and E2).
   e. Admin Status: Ensure that an appropriate value is selected. The Admin Status indicates if the port is up or down.
   f. Content Filtering: To ensure that all DNS requests to non-corporate domains on this wired net
owed-vlan <vlan>
(Instant Access Point)(wired ap profile "<name>")# native-vlan {guest | 1...4095}
(Instant Access Point)(wired ap profile "<name>")# end
(Instant Access Point)# commit apply

To configure a new VLAN assignment rule:

(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile "<name>")# set-vlan <attribute> {equals | not-equals | starts-with | ends-with | contains | matches-regular-expression} <operator> <VLAN-ID> | value-of
(Instant Access Point)(wired ap profile "<name>")# end
(Instant Access Point)# commit apply

Configuring Security Settings for a Wired Profile

NOTE: If you are creating a new wired profile, complete the Wired Settings and VLAN procedures before specifying security settings. For more information, see Configuring Wired Settings on page 102 and Configuring VLAN Settings for a WLAN SSID Profile on page 89.

Configuring Security Settings for a Wired Employee Network

You can configure security parameters for an employee network by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI

To configure security parameters for an employee network:
1. Configure the following parameters in the Security tab:
   - MAC authentication: To enable MAC authentication, select Enabled. The MAC authentication
ox to configure access rights to clients based on whether the client device supports machine authentication. Select the Machine auth only and User auth only rules.
   NOTE: Machine Authentication is only supported on Windows devices and devices such as iPads. If Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.
2. Click Finish.

In the CLI

To configure access rules for a wired profile:

(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile "<name>")# access-rule-name <name>
(Instant Access Point)(wired ap profile "<name>")# end
(Instant Access Point)# commit apply

To configure role assignment rules:

(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile "<name>")# set-role <attribute> {equals | not-equals | starts-with | ends-with | contains | matches-regular-expression} <operator> <role> | value-of
(Instant Access Point)(wired ap profile "<name>")# end
(Instant Access Point)# commit apply

To configure a pre-authentication role:

(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile "<name>")# set-role-pre-auth <pre-authentication-role>
(Instant Access Point)(wired ap profile "<name>")# end
(Instant Access Point)# commit apply
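The set-role and set-vlan rules above (and the VLAN derivation rules described for SSID profiles earlier) share one shape: an attribute from the RADIUS reply, an operator, an operand, and the role or VLAN to assign, or value-of to assign the attribute's own value. The following is an added example, not the OAW-IAP implementation, that parses rules written in that CLI shape and evaluates them against a RADIUS reply. First-match ordering, the rule that an attribute absent from the reply never matches (including under not-equals), unanchored regular-expression search, and the sample attribute names Filter-Id and Aruba-User-Role are assumptions of this example.

```python
import re
import shlex
from typing import Callable, Dict, List, Tuple

# Added example, not OAW-IAP code: evaluator for set-role / set-vlan rules.
# Assumptions: first matching rule wins; a missing attribute never matches;
# matches-regular-expression is an unanchored search.

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda attr, operand: attr == operand,
    "not-equals": lambda attr, operand: attr != operand,
    "starts-with": lambda attr, operand: attr.startswith(operand),
    "ends-with": lambda attr, operand: attr.endswith(operand),
    "contains": lambda attr, operand: operand in attr,
    # Unanchored (assumption); write ^...$ in the rule to require a full match.
    "matches-regular-expression": lambda attr, operand: re.search(operand, attr) is not None,
}

# (attribute, operator, operand, value); operator "value-of" carries no operand/value.
Rule = Tuple[str, str, str, str]


def parse_rule(line: str) -> Rule:
    """Parse one rule in the CLI shape shown above:
       set-role|set-vlan <attribute> <operator> <operand> <role-or-vlan>
       set-role|set-vlan <attribute> value-of
    Quote an operand that contains spaces, as for a shell argument."""
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0] not in ("set-role", "set-vlan"):
        raise ValueError(f"not a set-role/set-vlan rule: {line!r}")
    attribute = tokens[1]
    if tokens[2] == "value-of":
        if len(tokens) != 3:
            raise ValueError(f"value-of takes no further arguments: {line!r}")
        return (attribute, "value-of", "", "")
    if len(tokens) != 5 or tokens[2] not in OPERATORS:
        raise ValueError(f"expected <attribute> <operator> <operand> <value>: {line!r}")
    operator, operand, value = tokens[2], tokens[3], tokens[4]
    if operator == "matches-regular-expression":
        try:
            re.compile(operand)  # reject a malformed pattern at configuration time
        except re.error as exc:
            raise ValueError(f"bad regular expression {operand!r}: {exc}") from exc
    return (attribute, operator, operand, value)


def derive(rules: List[Rule], radius_attrs: Dict[str, str], default: str) -> str:
    """Return the role or VLAN from the first matching rule, else the default
    (the role or VLAN configured on the SSID or wired profile).

    An attribute the server did not return never matches, including under
    not-equals, so a missing attribute cannot satisfy a rule by accident."""
    for attribute, operator, operand, value in rules:
        attr_value = radius_attrs.get(attribute)
        if attr_value is None:
            continue
        if operator == "value-of":
            return attr_value  # the attribute's own value becomes the role/VLAN
        if OPERATORS[operator](attr_value, operand):
            return value
    return default
```

The order of rules matters: a broad rule such as a contains match placed before a more specific equals match captures users the specific rule was meant for, so list the most specific rules first and keep the profile default as the least privileged outcome.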
p Server text box.
Click OK.
In the CLI
To configure a TFTP server:
(Instant Access Point)(config)# tftp-dump-server <IP-address>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Running Debug Commands from the AOS-W Instant UI
To run the debugging commands from the AOS-W Instant UI:
1. Navigate to More > Support at the top right corner of the AOS-W Instant main window. The Support window is displayed.
2. Select the required option from the Command drop-down list.
3. Select All Access Points or Instant Access Point (VC) from the Target drop-down list.
4. Click Run.
Support Commands
You can view the following information for each access point in the AOS-W Instant network using the Support window:
- AP 3G/4G Status: Displays the cellular status of the OAW-IAP.
- AP 802.1X Statistics: Displays the 802.1X statistics of the OAW-IAP.
- AP Access Rule Table: Displays the list of ACL rules configured on the OAW-IAP.
- AP Active: Displays the list of active APs in the Instant network.
- AP Airgroup Cache: Displays the Bonjour Multicast DNS (mDNS) records for the OAW-IAP.
- AP Airgroup CPPM Entries: Displays the AirGroup CPPM policies of the registered devices.
- AP Airgroup CPPM Servers: Displays the AirGroup CPPM server information.
- AP Airgroup Debug Statistics: Displays the debug statistics for the OAW-IAP.
- AP Airgroup Serv
p server is configured.
- Enter the remote end UDP port number. The default value is 1701.
- Enter the interval at which the hello packets are sent through the tunnel. The default value is 60 seconds.
- Select the message digest, MD5 or SHA, used for message authentication.
- Enter a shared key for the message digest. This key must match the shared key of the tunnel end point.
- If required, select the failover mode as Primary or Backup when a backup server is available.
- Specify a value for the tunnel MTU if required. The default value is 1460.
j. Click OK.
4. Configure the session profile:
a. Enter the session name to be used for session creation.
Figure 84: Session Configuration (fields shown: Profile name session1, Tunnel profile name tunnel1, Tunnel IP address 10.0.0.6, Tunnel Netmask 255.255.255.0, Tunnel VLAN 8, Cookie Len 4, Cookie 12345678, Remote end ID)
b. Enter the tunnel profile name with which the session will be associated.
c. Configure the tunnel IP address with the corresponding network mask and VLAN ID. This is required to reach the AP from a corporate network, for example for SNMP polling.
d. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set.
e. Click OK.
5. Click Next to continue.
In the CLI
To configure an L2TPv3 VPN tunnel:
Ins
pany remotely with a secure connection. Increasingly, public places such as airports, hotels and coffee shops are providing free wireless access for customers.
IEEE 802.11 standards: IEEE 802.11 is a set of standards that are categorized based on the radio wave frequency and the data transfer rate.
Power over Ethernet (PoE): A method of delivering power on the same physical Ethernet wire used for data communication. Power for devices is provided in one of the following two ways:
- Endspan: The switch to which an AP is connected supplies the power.
- Midspan: A device that sits between the switch and the APs.
The choice of endspan or midspan depends on the capabilities of the switch to which the OAW-IAP is connected. Typically, if a switch is already in place and does not support PoE, midspan power injectors are used.
Point-to-Point Protocol over Ethernet (PPPoE): A method of connecting to the Internet, typically used with DSL services, where the client connects to the DSL modem.
Quality of Service (QoS): The capability of a network to provide better service to specific network traffic over various technologies.
Radio Frequency (RF): The portion of the electromagnetic spectrum in which electromagnetic waves are generated by feeding alternating current to an antenna.
Virtual Private Network (VPN): A network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure ac
ply

Configuring Walled Garden Access
On the Internet, a walled garden typically controls access to web content and services. Walled garden access is required when an external Captive portal is used, for example in a hotel environment where unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents. Users who do not sign up for the Internet service can view the allowed websites, typically the hotel property websites. The website names must be DNS based and support the option to define wildcards. This works for client devices with or without HTTP proxy settings. When a user attempts to navigate to other websites that are not in the whitelist of the walled garden profile, the user is redirected to the login page. In addition, a blacklisted walled garden profile can be configured to explicitly block unauthenticated users from accessing some websites.
You can create walled garden access in the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
To create walled garden access:
1. Click the Security link at the top right corner of the AOS-W Instant main window and click Walled Garden. The Walled Garden tab contents are displayed.
2. To allow users to access a specific domain, click New and enter the domain name or URL in the Whitelist section of the window. This allows access to a domain while the user remains unauthenticated. Specify a POSIX regular expression reg
port
(Instant Access Point)(connection-capabilities <name>)# icmp
(Instant Access Point)(connection-capabilities <name>)# tcp-ftp
(Instant Access Point)(connection-capabilities <name>)# tcp-http
(Instant Access Point)(connection-capabilities <name>)# tcp-pptp-vpn
(Instant Access Point)(connection-capabilities <name>)# tcp-ssh
(Instant Access Point)(connection-capabilities <name>)# tcp-tls-vpn
(Instant Access Point)(connection-capabilities <name>)# tcp-voip
(Instant Access Point)(connection-capabilities <name>)# udp-ike2
(Instant Access Point)(connection-capabilities <name>)# udp-ipsec-vpn
(Instant Access Point)(connection-capabilities <name>)# udp-voip
(Instant Access Point)(connection-capabilities <name>)# enable
(Instant Access Point)(connection-capabilities <name>)# end
(Instant Access Point)# commit apply

Configuring an Operating Class Profile
You can configure an operating class profile to list the channels on which the hotspot is capable of operating.
To configure an H2QP operating class profile:
(Instant Access Point)(config)# hotspot h2qp-oper-class-profile <name>
(Instant Access Point)(operator-class <name>)# op-class <class-ID>
(Instant Access Point)(operator-class <name>)# enable
(Instant Access Point)(operator-class <name>)# end
(Instant Access Point)# commit apply
Con
pported for all the OAW-IAP models, but only the master OAW-IAP uses this uplink. The Wi-Fi uplink can connect to open, PSK-CCMP and PSK-TKIP SSIDs. (TKIP is a deprecated cipher; where possible, use a CCMP SSID for the uplink.)
- For single-radio OAW-IAPs, the radio serves wireless clients and the Wi-Fi uplink.
- For dual-radio OAW-IAPs, both radios can be used to serve clients, but only one of them can be used for the Wi-Fi uplink.
When the Wi-Fi uplink is in use, the client IP is assigned by the internal DHCP server.
Configuring a Wi-Fi Uplink Profile
The following configuration conditions apply to the Wi-Fi uplink:
- To bind or unbind the Wi-Fi uplink on the 5 GHz band, reboot the OAW-IAP.
- If the Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.
- For OAW-IAPs to connect to an AOS-W Instant based WLAN using the Wi-Fi uplink, the mobility switch must run AOS-W Instant 6.2.1.0 or later.
To provision an OAW-IAP with the Wi-Fi uplink, complete the following steps:
1. If you are configuring a Wi-Fi uplink after restoring factory settings on an OAW-IAP, connect the OAW-IAP to an Ethernet cable to allow the OAW-IAP to get an IP address. Otherwise, go to step 2.
2. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
3. Click the Show advanced options link. The advanced options are displayed.
4. Click the Uplink tab.
5. Under Wi-Fi, enter the name of th
profile <name>
(Instant Access Point)(wired ap profile <name>)# set-role <attribute>{equals|not-equals|starts-with|ends-with|contains}<operator> <role>|value-of
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply

Example:
(Instant Access Point)(config)# wlan ssid-profile Profile1
(Instant Access Point)(SSID Profile Profile1)# set-role mac-address-and-dhcp-options matches-regular-expression \bring\b Profile1
(Instant Access Point)(SSID Profile Profile1)# end
(Instant Access Point)# commit apply

Understanding VLAN Assignment
You can assign VLANs to a client based on the following configuration conditions:
- The default VLAN configured for the WLAN can be assigned to a client.
- If VLANs are configured for a WLAN SSID or an Ethernet port profile, the VLAN for the client can be derived before authentication from the rules configured for these profiles. If a rule derives a specific VLAN, it is prioritized over the user roles that may have a VLAN configured.
- The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication.
- After client authentication, the VLAN can be derived from Vendor-Specific Attributes (VSA) for RADIUS server authentication.
- The DHCP-based VLANs can be derived for Captive Portal authentication. Portal authentication is successful the role derivation based on DHCP option ass
provisioning, it tries provisioning through a firmware image server in the cloud by sending its serial number and MAC address.
- If an entry for the OAW-IAP is present in the firmware image cloud server and it is provisioned as OAW-IAP > Remote AP, the firmware image cloud server responds with the mobility Switch IP address, AP group and AP type. The OAW-IAP then contacts the Switch, establishes certificate-based secure communication and obtains the configuration and image from the Switch. The OAW-IAP reboots and comes up as a Remote AP. The OAW-IAP then establishes an IPsec connection with the Switch and begins operating in the Remote AP mode.
- If an OAW-IAP entry for the AP is present in the firmware image cloud server, the OAW-IAP obtains OmniVista server information from the cloud server and downloads the configuration from OmniVista to operate in the OAW-IAP mode.
- If there is no response from the cloud server or AirGroup is received, the OAW-IAP comes up in AOS-W Instant mode.
For more information on the firmware image cloud server, see Upgrading an OAW-IAP on page 70.
NOTE: A mesh point cannot be converted to a Remote AP because mesh access points do not support VPN connection.
An OAW-IAP can be converted to a Campus AP and Remote AP only if the Switch is running AOS-W Instant 6.1.4 or later.
The following table describes the supported OAW-IAP platforms and minimal AOS-W Insta
pstream (Kbps) / Per user / OK / Cancel
6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Per user checkbox.
7. Click OK.
8. Associate the user role to a WLAN SSID or wired profile.
You can also create a user role and assign bandwidth contracts while configuring an SSID or wired profile.
Assigning a bandwidth contract using the AOS-W Instant CLI
To assign a bandwidth contract in the CLI:
(Instant Access Point)(config)# wlan access-rule <name>
(Instant Access Point)(Access Rule <name>)# bandwidth-limit {downstream <kbps> | upstream <kbps> | peruser {downstream <kbps> | upstream <kbps>}}
(Instant Access Point)(Access Rule <name>)# end
(Instant Access Point)# commit apply

To associate the access rule to a wired profile:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# access-rule-name <access-rule-name>
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply

Configuring Machine and User Authentication Roles
You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine Authentication is only supported on Windows devices, so this can be used to dis
pting the user to authenticate with a user name and password is displayed.
Types of Captive Portal
AOS-W Instant supports the following types of Captive portal authentication:
- Internal Captive portal: For internal Captive portal authentication, an internal server is used for hosting the captive portal service. It supports the following types of authentication:
  - Internal Authenticated: When Internal Authenticated is enabled, a guest user must authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
  - Internal Acknowledged: When Internal Acknowledged is enabled, a guest user must accept the terms and conditions to access the Internet.
- External Captive portal: For external Captive portal authentication, an external portal in the cloud or on a server outside the enterprise network is used.
Walled Garden
The administrators can also control the resources that the guest users can access and the amount of bandwidth or air time they can use at any given time. When an external Captive portal is used, the administrators can configure a walled garden, which determines access to the URLs requested by the guest users. For example, in a hotel environment the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all
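The whitelist/blacklist decision the walled garden makes for an unauthenticated client, as an added example that is not part of this guide or of AOS-W Instant's own code. It covers both the Walled Garden overview above and the Configuring Walled Garden Access procedure (DNS names with wildcards, POSIX regular expressions, a whitelist that permits and a blacklist that explicitly blocks). Assumptions: an entry written as regex:<expr> is an explicit expression and anything else is a DNS name in which * matches a run of hostname characters; Python's re module stands in for POSIX regular expressions; a blacklist entry wins over a whitelist entry, and the garden only applies before captive-portal login succeeds (the guide does not state either precedence). The hotel domains, the WalledGarden class and the helper names are constructed for illustration. The point it shows is that every entry must be anchored: an unanchored pattern for hotel.example also matches hotel.example.attacker.test, which would let an unauthenticated client reach attacker-controlled hosts through the garden.

```python
import re
from typing import Iterable

ALLOW, BLOCK, REDIRECT = "allow", "block", "redirect"


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Compile one walled-garden entry into an anchored regular expression.

    Assumed entry forms (the guide accepts DNS names with wildcards and POSIX
    regular expressions; Python's re stands in for POSIX here):
      'regex:<expr>'  an explicit regular expression
      anything else   a DNS name in which '*' matches any run of hostname characters
    Both are wrapped in ^(?:...)$ so 'hotel.example' cannot match
    'hotel.example.attacker.test'.
    """
    if entry.startswith("regex:"):
        body = entry[len("regex:"):]
    else:
        body = re.escape(entry.lower()).replace(r"\*", r"[a-z0-9.-]*")
    return re.compile(rf"^(?:{body})$", re.IGNORECASE)


def normalize_host(host: str) -> str:
    """Lower-case the requested host and strip any :port and trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):                  # bracketed IPv6 literal
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host.rstrip(".")


class WalledGarden:
    def __init__(self, whitelist: Iterable[str], blacklist: Iterable[str] = ()):
        self.allow = [entry_to_regex(e) for e in whitelist]
        self.deny = [entry_to_regex(e) for e in blacklist]

    def decide(self, host: str, authenticated: bool) -> str:
        """Return ALLOW, BLOCK or REDIRECT for one request from a client.

        Assumed precedence: the garden applies only before captive-portal login
        succeeds, and an explicit blacklist entry beats a whitelist entry.
        """
        if authenticated:
            return ALLOW
        h = normalize_host(host)
        if any(p.match(h) for p in self.deny):
            return BLOCK
        if any(p.match(h) for p in self.allow):
            return ALLOW
        return REDIRECT       # send the client to the captive-portal login page


def unanchored_search(entry: str, host: str) -> bool:
    """The mistake the anchoring above prevents: a plain search lets a
    whitelisted name match a host under an attacker's domain."""
    return re.search(re.escape(entry), host, re.IGNORECASE) is not None


# Constructed hotel profile and request hosts (not taken from the guide).
GARDEN = WalledGarden(
    whitelist=["hotel.example", "*.hotel.example", r"regex:(www\.)?login-portal\.example"],
    blacklist=["ads.hotel.example"],
)
SAMPLE_REQUESTS = [
    "hotel.example",
    "WWW.hotel.example:443",
    "ads.hotel.example",
    "hotel.example.attacker.test",
    "login-portal.example",
    "evil-login-portal.example",
]


def run_sample(authenticated: bool = False) -> dict:
    """Decision for each sample host, keyed by the host as requested."""
    return {h: GARDEN.decide(h, authenticated) for h in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for host, verdict in run_sample().items():
        print(f"{host:32} -> {verdict}")
```

Running the sample shows the two properties worth checking in any walled garden: the blacklist entry blocks ads.hotel.example even though *.hotel.example would admit it, and hotel.example.attacker.test is redirected to the login page because the entry is anchored, while the unanchored_search contrast reports a match for the same host.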
r | Description
In a non-WMM or hybrid environment where some clients are not WMM capable, you can allocate higher values for Best effort WMM share and Voice WMM share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.
Content filtering: Select Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network.
Band: Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz or All. The All option is selected by default.
Inactivity timeout: Specify an interval for session timeout. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. The minimum value is 60 seconds and the default value is 1000 seconds.
Hide SSID: Select this checkbox if you do not want the SSID (network name) to be visible to users. Hiding the SSID is not a security control: the name is still sent in clear text in probe and association frames.
Disable SSID: Select this checkbox if you want to disable the SSID. On selecting this, the SSID will be disabled but will not be removed from the network. By default, all SSIDs are enabled.
Can be used without Uplink: Select the checkbox if you do not want the SSID profile to use the uplink.
Max clients threshold: Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0 to 255. The default value is 64.
Local probe request threshold: Specify a threshold value to limit the number of incoming probe reque
r a wired profile: More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. Click the Security tab and assign values for the configuration parameters.
Table 20: Internal Captive Portal Configuration Parameters
Parameter | Description
Splash page type: Select any of the following from the drop-down list:
- Internal Authenticated: When Internal Authenticated is enabled, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
- Internal Acknowledged: When Internal Acknowledged is enabled, the guest users are required to accept the terms and conditions to access the Internet.
MAC authentication: Select Enabled from the drop-down list to enable MAC authentication.
WISPr: Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication on page 157. Applicable for WLAN SSIDs only.
NOTE: WISPr authentication is applicable only for Internal Authenticated splash pages and is not applicable for wired profiles.
Auth server 1: Select any one of the following:
- A server from the list of servers, if the server is already configured.
- Internal Server, to authenticate user credentials at run time.
- New, for configuring a new external RADIUS server for aut
r authentication roles for a WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

To configure machine and user authentication roles for a wired profile:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply

Configuring Derivation Rules
AOS-W Instant allows you to configure role and VLAN derivation rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.
Understanding Role Assignment Rule
When an SSID or wired profile is created, a default role for the clients connecting to this SSID or wired profile is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods. The role assigned by some methods may take precedence over the roles assigned by the other methods.
- RADIUS VSA Attributes: The user role can be derived from Alcatel-Lucent Vendor-Spec
r the OAW-IAP.
- AP Datapath User Table: Displays datapath user statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users and maximum link length for the OAW-IAP.
- AP Datapath VLAN Table: Displays the VLAN table information, such as VLAN memberships inside the datapath including L2 tunnels, for the OAW-IAP.
- AP Daylight Saving Time: Displays the Daylight Saving Time configured on the OAW-IAP.
- AP Driver Configuration: Displays driver configuration details of the OAW-IAP.
- AP Election and AP Election Statistics: Display the master election statistics.
- AP ESSID Table: Displays the SSID profiles configured on the OAW-IAP.
- AP Flash Configuration: Displays statistics of the OAW-IAP configuration stored in flash memory.
- AP IGMP Group Table: Displays IGMP group information.
- AP Interface Counters: Displays information about the Ethernet interface packet counters for the OAW-IAP.
- AP Interface Status: Displays the Ethernet port status for the OAW-IAP.
- AP Internal DHCP Status: Displays details on DHCP allocation.
- AP IP Interface: Displays a summary of all IP-related information for the Ethernet interfaces configured on the OAW-IAP.
- AP IP Route Table: Displays information about IP routes for the OAW-IAP.
- AP L3 Mobility Datapath: Displays L3 mobility details.
- AP L3 Mobility Events Log: Displays a log with L3 client roaming details.
- AP L3 Mobility Status: Displays th
r-type <Distributed,L3>
(Instant Access Point)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant Access Point)(DHCP Profile <profile-name>)# client-count <number>
(Instant Access Point)(DHCP Profile <profile-name>)# dns-server <name>
(Instant Access Point)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant Access Point)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant Access Point)(DHCP Profile <profile-name>)# ip-range <start-IP> <end-IP>
(Instant Access Point)(DHCP Profile <profile-name>)# reserve {first|last} <count>
(Instant Access Point)(DHCP Profile <profile-name>)# option <type> <value>
(Instant Access Point)(DHCP Profile <profile-name>)# end
(Instant Access Point)# commit apply

Configuring Centralized DHCP Scope
The Centralized DHCP scope supports L2 and L3 clients. When a centralized DHCP scope is configured:
- The Virtual Controller does not assign an IP address to the client, and the DHCP traffic is directly forwarded to the DHCP server.
- For L2 clients, the Virtual Controller bridges the DHCP traffic to the switch over the VPN (GRE tunnel). The IP address is obtained from the DHCP server behind the switch serving the VLAN/GRE of the client. This DHCP assignment mode also allows you to add the DH
rGroup admin or the AirGroup operator credentials. Next, navigate to List Devices > Test Apple TV > Edit. Add a username that is not used to log in to the Apple devices in the Shared With field.
3. Disconnect and remove the OSX Mountain Lion/iOS 6 device from the controller's user table. Reconnect the device without using the username that you added to the Shared With field. The Apple TV should not be available to this device.
4. Disconnect the OSX Mountain Lion/iOS 6 device and delete it from the controller's user table. Reconnect using the username that was added to the Shared With field. The OSX Mountain Lion/iOS 6 device should once again have access to the Apple TV.
Troubleshooting
Table 64: Troubleshooting
Problem: Limiting devices has no effect. Solution: Ensure IPv6 is disabled.
Problem: Apple Macintosh running Mountain Lion can use AirPlay but iOS devices cannot. Solution: Ensure IPv6 is disabled.
Terminology
Acronyms and Abbreviations
The following table lists the abbreviations used in this user guide.
Table 65: List of abbreviations
Abbreviation | Expansion
PEAP | Protected Extensible Authentication Protocol
VC | Virtual Controller
VSA | Vendor-Specific Attribute
Glossary
The following tab
r a WLAN SSID: In the Network tab, click New to create a new network profile or Edit to modify an existing profile.
- To configure access rules for a wired profile: More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. Click the Access tab.
3. Slide to Network-based using the scroll bar to specify access rules for the network.
4. Click New to add a new rule. The New Rule window is displayed.
5. In the New Rule window, specify the following parameters:
Table 30: Access Rule Configuration Parameters
Field | Description
Rule type: Select a rule type (for example, Access control) from the drop-down list.
Action: Select any of the following attributes:
- Select Allow to allow access to users based on the access rule.
- Select Deny to deny access to users based on the access rule.
- Select Destination-NAT to allow changes to the destination IP address.
- Select Source-NAT to allow changes to the source IP address.
Service: Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:
- any: Access is allowed or denied to all services.
- custom: Available options are TCP, UDP and Other. If you select the TCP or UDP options, enter the appropriate port numbers. If you select the Other option, enter the appropriate protocol ID.
- adp: Application Distribution Protocol
rames based on the lowest of the unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent at up to 24 Mbps. The default rate for sending frames is 1 Mbps for 2.4 GHz and 6 Mbps for 5 GHz. This option is disabled by default.
Dynamic multicast optimization: Select Enabled to allow the OAW-IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video while preserving the bandwidth available to the non-video clients.
NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.
DMO channel utilization threshold: Specify a value to set a threshold for DMO channel utilization. With DMO, the OAW-IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90 and the maximum threshold value is 100. When the threshold is reached or exceeds the maximum value, the OAW-IAP sends multicast traffic over the wireless link.
Specify the following parameters:
- 2.4 GHz: If the 2.4 GHz band is configured on the OAW-IAP, specify the minimum and maximum transmission rate. The default value for the minimum transmission rate is 1 Mbps and for the maximum transmission rate is 54 Mbps.
- 5 GHz: If the 5 GHz band is configured on the OAW-IAP, specify the minimum and maximum transmission rate. The default value for the minimum transmission rate is 6 Mbps
rator Credentials
You can assign the read-only privilege to an admin user by using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed.
3. Under View Only:
a. Specify a Username and Password.
b. Retype the password to confirm.
4. Click OK. When users log in with these credentials, the Instant UI is displayed in the read-only mode.
In the CLI
To configure a user with read-only privilege:
(Instant Access Point)(config)# mgmt-user <username> <password> read-only
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Adding Guest Users through the Guest Management Interface
To add guest users through the Guest Management interface:
1. Log in to the AOS-W Instant UI with the guest management interface administrator credentials. The guest management interface is displayed.
Figure 44: Guest Management Interface (Alcatel-Lucent Instant; Guest Users: 0 created, 512 available; Delete All; Name; New)
2. To add a user, click New. The New Guest User pop-up window is displayed.
3. Specify a Username and Password.
4. Retype the password to confirm.
5. Click OK.
reby ensuring compliance with Lawful Intercept and CALEA specifications. For more information, see Lawful Intercept and CALEA Integration on page 281.
- Network Integration: Allows you to configure an OAW-IAP for integration with a Palo Alto Networks (PAN) firewall. For more information about OAW-IAP integration with PAN, see Integrating an OAW-IAP with Palo Alto Networks Firewall on page 278.
The following figure shows the default view of the Services window.
Figure 13: Services Window Default View (tabs: AirGroup, RTLS, OpenDNS, CALEA, Network Integration; options: Enable AirGroup, Enable Guest Bonjour multicast, Enable AirGroup across mobility domains)
DHCP Server
The DHCP Servers window allows you to configure various DHCP modes. The following figure shows the contents of the DHCP Servers window.
Figure 14: DHCP Servers Window (Distributed DHCP Scopes: Name, Type, VLAN, Branch Subnet; Centralized DHCP Scopes: Name, VLAN; Local DHCP Scopes: Name, Type, VLAN, Network)
For more information, see DHCP Configuration on page 231.
Support
The Support window consists of the following fields:
- Command: Allows you to select a support command for execution.
- Target: Displays a list of OAW-IAPs in the network.
- Run: Allows you to e
red Network window is displayed.
NOTE: You can also customize the splash page design in the Security tab of the New WLAN and New Wired Network windows when configuring a new profile.
2. Navigate to the Security tab.
3. Select None from the Splash page type drop-down list.
4. Click Next and then click Finish to apply the changes.
Chapter 12 User Management
This chapter provides the following information:
- OAW-IAP Users on page 128
- Configuring Administrator Credentials for the Virtual Controller Interface on page 128
- Configuring Guest Management Interface Administrator Credentials on page 130
- Configuring Users for the Internal Database of an OAW-IAP on page 130
- Configuring the Read-Only Administrator Credentials on page 132
- Adding Guest Users through the Guest Management Interface on page 132
OAW-IAP Users
The OAW-IAP users can be classified as follows:
- Administrator: An admin user who creates SSIDs, wired profiles and DHCP server configuration parameters, and manages the local user database. The admin users can access the Virtual Controller Management User Interface.
- Guest administrator: A guest interface management user who manages guest users added to the local user database.
- Administrator with read-only access: The read-only admin user does not have access
rinting
DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on the operating system type, a role can be assigned to the device. Each fingerprint string in Table 31 is the DHCP option number as one byte (0x37 for option 55, 0x3C for option 60) followed by the option's value bytes, written in hexadecimal. The fingerprint is supplied by the client and is trivially spoofed, so treat it as a device-classification hint and not as an authentication factor.
For example, to create a role assignment rule with DHCP option, select equals from the Operator drop-down list and enter 370103060F77FC in the String text box. Since 370103060F77FC is the fingerprint for Apple iOS devices such as iPad and iPhone, the OAW-IAP assigns Apple iOS devices to the role that you choose.
Table 31: Validated DHCP Fingerprints
Device | DHCP Option | DHCP Fingerprint
Apple iOS | Option 55 | 370103060F77FC
Android | Option 60 | 3C64686370636420342E302E3135
Blackberry | Option 60 | 3C426C61636B4265727279
Windows 7/Vista Desktop | Option 55 | 37010f03062c2e2f1f2179f92b
Windows XP (SP3, Home, Professional) | Option 55 | 37010f03062c2e2f1f21f92b
Windows Mobile | Option 60 | 3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone | Option 55 | 370103060f2c2e2f
Apple Mac OSX | Option 55 | 370103060f775ffc2c2e2f
Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned to each authenticated client.
NOTE: When creating more than one role assignment rule, the first matching rule in the rule list is applied.
You can create role assignment rules by using the AOS-W Instant UI or CLI.
In the AOS-W
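How a DHCP fingerprint is built from the packet and then fed through a first-match rule list, as an added example that is not code from this guide or from AOS-W Instant. It ties Table 31 to the set-role and set-vlan operators listed earlier for wired and SSID profiles (equals, not-equals, starts-with, ends-with, contains, matches-regular-expression, and the value-of result). It parses a DHCP option area, writes the fingerprint exactly as Table 31 does (option code byte plus value bytes, hex encoded), looks it up, and evaluates the rules in order so that the first match wins. Assumptions: comparisons are case-insensitive (Table 31 lists hex digits in both cases), a client that sends both option 55 and option 60 exposes both fingerprints under the dhcp-option attribute, and the rule list, MAC addresses and DHCP option bytes are constructed for illustration rather than captured; the role names ios-byod, android-byod and corp-device and the function names are likewise illustrative.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Table 31, keyed by upper-case hex: the DHCP option code byte (0x37 = option 55,
# 0x3C = option 60) followed by the option's value bytes.
VALIDATED_FINGERPRINTS = {
    "370103060F77FC": "Apple iOS",
    "3C64686370636420342E302E3135": "Android",        # 0x3C + "dhcpcd 4.0.15"
    "3C426C61636B4265727279": "Blackberry",           # 0x3C + "BlackBerry"
    "37010F03062C2E2F1F2179F92B": "Windows 7/Vista Desktop",
    "37010F03062C2E2F1F21F92B": "Windows XP",
    "3C4D6963726F736F66742057696E646F777320434500": "Windows Mobile",
    "370103060F2C2E2F": "Windows 7 Phone",
    "370103060F775FFC2C2E2F": "Apple Mac OSX",
}


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV area after the DHCP magic cookie. Code 0 is a pad byte,
    255 ends the list, a repeated code is concatenated, and a truncated TLV
    raises ValueError instead of being silently accepted."""
    result, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        result[code] = result.get(code, b"") + value
        i += 2 + length
    return result


def fingerprint(options: bytes, code: int) -> Optional[str]:
    """Fingerprint as Table 31 writes it: option code byte + value bytes, hex."""
    value = parse_dhcp_options(options).get(code)
    return None if value is None else (bytes([code]) + value).hex().upper()


def identify_os(options: bytes) -> Optional[str]:
    """Look the option 55 and option 60 fingerprints up in Table 31."""
    for code in (55, 60):
        name = VALIDATED_FINGERPRINTS.get(fingerprint(options, code))
        if name:
            return name
    return None


# The set-role / set-vlan operators. Comparison is case-insensitive here
# (assumption: Table 31 itself lists hex digits in both cases).
OPERATORS = {
    "equals": lambda a, v: a.upper() == v.upper(),
    "not-equals": lambda a, v: a.upper() != v.upper(),
    "starts-with": lambda a, v: a.upper().startswith(v.upper()),
    "ends-with": lambda a, v: a.upper().endswith(v.upper()),
    "contains": lambda a, v: v.upper() in a.upper(),
    "matches-regular-expression": lambda a, v: re.search(v, a, re.I) is not None,
}


@dataclass(frozen=True)
class Rule:
    attribute: str   # "dhcp-option" or "mac-address" in this example
    operator: str    # key of OPERATORS
    value: str       # operand (a regex for matches-regular-expression)
    result: str      # role or VLAN to assign, or "value-of"


def client_attributes(mac: str, options: bytes) -> dict:
    """Values a rule can test. A client may send both option 55 and option 60,
    so 'dhcp-option' holds every fingerprint it produced (assumption)."""
    fps = tuple(f for f in (fingerprint(options, 55), fingerprint(options, 60)) if f)
    return {"mac-address": (mac.upper(),), "dhcp-option": fps}


def first_match(rules, attrs) -> Optional[str]:
    """First matching rule wins, as the guide states; 'value-of' assigns the
    matched attribute value itself."""
    for rule in rules:
        for candidate in attrs.get(rule.attribute, ()):
            if OPERATORS[rule.operator](candidate, rule.value):
                return candidate if rule.result == "value-of" else rule.result
    return None


# Constructed rule list and DHCP option areas (illustrative, not captures).
ROLE_RULES = [
    Rule("dhcp-option", "equals", "370103060F77FC", "ios-byod"),
    Rule("dhcp-option", "starts-with", "3C646863706364", "android-byod"),  # 0x3C + "dhcpcd"
    Rule("mac-address", "matches-regular-expression", r"^AA:BB:CC:", "corp-device"),
]
IOS_OPTIONS = bytes.fromhex("350101" "37060103060F77FC" "3D0701AABBCCDDEEFF" "FF")
ANDROID_OPTIONS = bytes([0x35, 1, 1, 0x3C, 13]) + b"dhcpcd 4.0.15" + b"\xff"


def derive_role(mac: str, options: bytes) -> Optional[str]:
    """Role for one client under ROLE_RULES, or None if no rule matches."""
    return first_match(ROLE_RULES, client_attributes(mac, options))
```

With these inputs the iOS client is placed in ios-byod by the first rule even though its MAC also satisfies the third rule, which is the ordering effect the note above describes; a client that sends no DHCP options at all falls through to the MAC rule, which is why a rule list should end with a deliberate catch-all rather than relying on the profile default.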
rotocols.
Microwave: Common residential microwave ovens with a single magnetron are classified as a Microwave. These types of microwave ovens may be used in cafeterias, break rooms, dormitories and similar environments. Some industrial, healthcare or manufacturing environments may also have other equipment that behaves like a microwave and may also be classified as a Microwave device.
Microwave Inverter: Some newer model microwave ovens have inverter technology to control the power output, and these microwave ovens may have a duty cycle close to 100%. These microwave ovens are classified as Microwave Inverter. Dual magnetron industrial microwave ovens with a higher duty cycle may also be classified as Microwave Inverter. There may be other equipment that behaves like inverter microwaves in some industrial, healthcare or manufacturing environments. Those devices may also be classified as Microwave Inverter.
Generic Interferer: Any non-frequency-hopping device that does not fall into one of the other categories described in this table is classified as a Generic Interferer. For example, a Microwave-like device that does not operate in the known operating frequencies used by microwave ovens may be classified as a Generic Interferer. Similarly, wide-band interfering devices may be classified as Generic Interferers.
Channel Details
431. roup Services plugin configuration (figure residue: Back to administration / Back to main). 3. Click Add a new controller. 4. Update the fields with the appropriate information. NOTE: Ensure that the port configured matches the CoA port (RFC 3576) set on the OAW-IAP configuration. 5. Click Save Configuration. In order to demonstrate AirGroup, either an AirGroup Administrator or an AirGroup Operator account must be created. 1. Navigate to the ClearPass Policy Manager UI and navigate to Configuration > Identity > Local Users. Figure 117 Configuration > Identity > Local Users Selection. 2. Click Add User. 3. Create an AirGroup Administrator. Figure 118 Create an AirGroup Administrator (Add Local User dialog: User ID airgroup admin, Name AirGroup Admin, Password and Verify Password masked, Enable User checked, Role AirGroup Administrator, Attributes empty). 4. In this example the password used is test123. Click Add. 5. Now click Add User and create an AirGroup Operator. Figure 119 Create an AirGroup Operator (Add Local User dialog: User ID airgroup oper, Name AirGroup Operator, Password masked, Verify Pass
432. rresponding event on another. Maintain accurate time for billing services and similar. The Network Time Protocol (NTP) helps obtain the precise time from a server and regulate the local time in each network element. If an NTP server is not configured in the AOS-W Instant network, an OAW-IAP reboot may lead to variation in time data. The NTP server is set to pool.ntp.org by default. You can configure an NTP server by using the AOS-W Instant UI or the CLI. In the AOS-W Instant UI, to configure an NTP server: 1. Click the System link at the top right corner of the AOS-W Instant UI. The System window is displayed. 2. In the General tab of the System window, enter the IP address or the URL (domain name) of the NTP server in the NTP Server text box. 3. Select a time zone from the Timezone drop-down list. The time zone indicates the time returned by the NTP server. You can enable daylight saving time (DST) on OAW-IAPs if the time zone you selected supports daylight saving time. NOTE: If the Time Zone selected does not support DST, the Daylight Saving Time option is not displayed. When enabled, Daylight Saving Time ensures that the OAW-IAPs reflect the seasonal time changes in the region they serve. 4. To enable daylight saving time, select the Daylight Saving Time check box. 5. Click OK. In the CLI, to configure an NTP server: (Instant Access Point)(config
433. rum monitoring, see Spectrum Monitor on page 203. Alerts: Alerts are generated when a user encounters problems while accessing or connecting to a network. The alerts that are generated on AOS-W Instant can be categorized as follows: 802.11 related association and authentication failure alerts; 802.1X related mode and key mismatch, server and client time-out failure alerts; IP address related failures (static IP address or DHCP related alerts). The following figure shows the contents of the details displayed on clicking the Alerts link. Figure 22 Alerts Link. The Alerts link displays the following types of alerts: Client Alerts, Active Faults, Fault History.
Table 12 Types of Alerts
Type of Alert | Description | Information Displayed
Client Alerts | The Client alerts occur when clients are connected to the AOS-W Instant network. | A client alert displays the following fields: Timestamp (the time at which the client alert was recorded); MAC address (the MAC address of the client which caused the alert); Description (a short description of the alert); Access Points (the IP address of the OAW-IAP to which the client is connected); Details (complete details of the alert).
Active Faults | The Active Faults occur in the event of a system fault. | An Active Fault consists of the following fields: Time (displays the
434. rver <profile name>
(Instant Access Point)(Auth Server <profile name>)# ip <IP address>
(Instant Access Point)(Auth Server <profile name>)# key <key>
(Instant Access Point)(Auth Server <profile name>)# port <port>
(Instant Access Point)(Auth Server <profile name>)# acctport <port>
(Instant Access Point)(Auth Server <profile name>)# nas-id <NAS ID>
(Instant Access Point)(Auth Server <profile name>)# nas-ip <NAS IP address>
(Instant Access Point)(Auth Server <profile name>)# timeout <seconds>
(Instant Access Point)(Auth Server <profile name>)# retry-count <number>
(Instant Access Point)(Auth Server <profile name>)# rfc3576
(Instant Access Point)(Auth Server <profile name>)# deadtime <minutes>
(Instant Access Point)(Auth Server <profile name>)# drp-ip <IP address> <mask> vlan <vlan> gateway <gateway IP address>
(Instant Access Point)(Auth Server <profile name>)# end
(Instant Access Point)# commit apply
To configure an LDAP server:
(Instant Access Point)(config)# wlan ldap-server <profile name>
(Instant Access Point)(LDAP Server <profile name>)# ip <IP address>
(Instant Access Point)(LDAP Server <profile name>)# port <port>
(Instant Access Point)(LDAP Server <profile name>)# admin-dn <name>
(Instant Acc
435. s An AP that is seen in the RF environment but is not connected to the network Rogue APs An unauthorized AP that is plugged into the wired side of the network To see the number of different types of neighboring APs for the last 15 minutes hover the cursor over the respective graph lines The CPU Utilization graph displays the utilization of CPU for the selected OAW IAP To see the CPU utilization of the OAW IAP hover the cursor over the graph line The Neighboring Clients graph shows the number of clients not connected to the selected AP but heard by it e Any client that successfully authenticates with a valid AP and passes encrypted traffic is classified as a valid client Interfering A client associated to any AP and is not valid is classified as an interfering client To see the number of different types of neighboring clients for the last 15 minutes hover the cursor over the respective graph lines The memory free graph displays the memory availability of the OAW IAP in MB To see the free memory of the OAW IAP hover the cursor over the graph line Monitoring Procedure To check the neighboring APs detected by the OAW IAP for the last 15 minutes 1 Log in to the AOS W Instant UI The Virtual Controller view is displayed This is the default view Inthe Access Points tab click the OAW IAP for which you want to monitor the client association The OAW IAP view is displayed Study the N
436. s Point)(config)# calea
(Instant Access Point)(calea)# ip 192.0.2.7
(Instant Access Point)(calea)# ip mtu 1500
(Instant Access Point)(calea)# encapsulation-type GRE
(Instant Access Point)(calea)# gre-type 255
(Instant Access Point)(calea)# end
(Instant Access Point)(config)# wlan access-rule ProfileCalea
(Instant Access Point)(Access Rule ProfileCalea)# calea
(Instant Access Point)(Access Rule ProfileCalea)# end
(Instant Access Point)# commit apply
(Instant Access Point)(config)# wlan ssid-profile Calea Test
(Instant Access Point)(SSID Profile Calea Test)# enable
(Instant Access Point)(SSID Profile Calea Test)# index 0
(Instant Access Point)(SSID Profile Calea Test)# type employee
(Instant Access Point)(SSID Profile Calea Test)# ssid QA Calea Test
(Instant Access Point)(SSID Profile Calea Test)# opmode wpa2-aes
(Instant Access Point)(SSID Profile Calea Test)# max-authentication-failures 0
(Instant Access Point)(SSID Profile Calea Test)# auth-server server1
(Instant Access Point)(SSID Profile Calea Test)# set-role Filter-Id equals 123456 calea test
(Instant Access Point)(SSID Profile Calea Test)# rf-band 5.0
(Instant Access Point)(SSID Profile Calea Test)# captive-portal disable
(Instant Access Point)(SSID Profile Calea Test)# dtim-period 1
(Instant Access Point)(SSID Profile Calea Test)# inactivity-timeout 1000
(Instant Access Point)(SSID Profile C
437. s common for Bonjour capable devices to connect to the network across VLANs As a result user devices such as an iPad on a specific VLAN cannot discover an Apple TV that resides on another VLAN As the addresses used by the protocol are link scope multicast addresses each query or advertisement can only be forwarded on its respective VLAN but not across different VLANs Broadcast and multicast traffic are usually filtered out from a wireless LAN network to preserve the airtime and battery life This inhibits the performance of Bonjour services as they rely on multicast traffic Alcatel Lucent addresses this multicast DNS mDNS challenge with AirGroup technology AirGroup leverages key elements of Alcatel Lucent s solution portfolio including operating system software for AOS W Instant CPPM and the VLAN based or role based filtering options offered by Bonjour services AirGroup maintains seamless connectivity between clients and services across VLANs and SSIDs The mDNS packet traffic is minimized thereby preserving valuable wired network bandwidth and WLAN airtime The following table summarizes the filtering options Table 53 AirGroup Filtering Options Features AOS W Instant Deployment Models Integrated Integrated with CPPM Allow mDNS to propagate across subnets VLANs Yes Limit multicast mDNS traffic on the network Yes Yes VLAN based mDNS service policy enforcement Yes Yes User role based mDNS service policy Yes Yes enforcement
438. s to bring up the primary tunnel. Non-Preemptive: In this mode, when the backup tunnel is established after the primary tunnel goes down, it does not make the primary tunnel active again. L2TPv3 configuration is supported on the following OAW-IAPs: OAW-RAP108, OAW-RAP109, OAW-IAP135. You can configure an L2TPv3 tunnel from the Virtual Controller using the AOS-W Instant UI or CLI. In the AOS-W Instant UI: 1. Click the More > VPN link at the top right corner of the AOS-W Instant UI. The Tunneling window is displayed. Figure 82 L2TPv3 Tunneling (Tunneling window: Controller, Protocol L2TPv3, Tunnel profile, Session profile, New, Show advanced options). 2. Select L2TPv3 from the Protocol drop-down list. 3. Configure the tunnel profile: a. Enter the tunnel name to be used for tunnel creation. Figure 83 Tunnel Configuration (fields with the example values shown: Primary Peer address 10.0.0.63, Backup Peer address 10.0.0.65, Peer UDP port 3000, Local UDP port 1701, Hello interval 150, Message digest type MD5, Shared key, Checksum Disabled, Failover mode non-Preemptive, Failover retry interval 80, Failover retry count 5, MTU). b. Enter the primary server IP address. c. Enter the remote end backup tunnel IP address. This is an optional field and required only when backu
439. sage Trends Section in the Monitoring Pane (figure residue: Usage Trends, Clients and Throughput (bps) graphs with axis ticks from 100 to 1M and times 12:00 to 12:05). The following table describes the graphs displayed in the Network view.
Table 9 Network View Graphs and Monitoring Procedures
Graph Name | Description
Clients | The Clients graph shows the number of clients associated with the network for the last 15 minutes. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum and Average statistics for the number of clients associated with the Virtual Controller for the last 15 minutes. To see the exact number of clients in the AOS-W Instant network at a particular time, hover the cursor over the graph line.
Throughput | The Throughput graph shows the throughput of the selected network for the last 15 minutes. Outgoing traffic: Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line. Incoming traffic: Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum and Average statistics for the incoming and outgoing traffic throughput of the network for the last 15 minutes. To see the exact throughput of the selected network at a particular time, hover the cursor over the graph lin
440. same port using RTP. The audio and video packets are interleaved in the air, though the individual sessions can be uniquely identified using their payload type and sequence numbers. The RTP header and payload also get encapsulated under the TURN ChannelData messages. The Facetime call is terminated with a SIP BYE message that can be sent by either party. The following table lists the ports used by Apple Facetime. Facetime users need to be assigned a role where traffic is allowed on these ports.
Table 59 Ports Used by the Apple Facetime Application
Port | Packet Type
443 | TCP
3478-3497 | UDP
5223 | TCP
16384-16387 | UDP
16393-16402 | UDP
Chapter 30 Dynamic CPU Management. This chapter provides the following information: Dynamic CPU Management on page 302; Configuring for Dynamic CPU Management on page 302. Dynamic CPU Management: OAW-IAPs perform various functions such as wireless client connectivity and traffic flows, wired client connectivity and traffic flows, wireless security, network management and location tracking. Like any network element, an OAW-IAP can be subject to heavy loads. In such a scenario it is important to prioritize the platform resources across the different functions. Typically, the OAW-IAPs manage resources automatically in real time. However, under special circumstances, if dynamic resource management needs to be enforced or disab
441. scopes. If required, specify the domain name for the Local and Local L3 scopes. Specify a lease time for the client in minutes. Specify the type and a value for the DHCP option. You can configure the organization specific DHCP options supported by the DHCP server, for example 176, 242 and 161. To add multiple DHCP options, click the icon. 4. Click OK. In the CLI, to configure a Local DHCP scope:
(Instant Access Point)(config)# ip dhcp <profile name>
(Instant Access Point)(DHCP Profile <profile name>)# server-type Local
(Instant Access Point)(DHCP Profile <profile name>)# server-vlan <vlan ID>
(Instant Access Point)(DHCP Profile <profile name>)# subnet <IP address>
(Instant Access Point)(DHCP Profile <profile name>)# subnet-mask <subnet mask>
(Instant Access Point)(DHCP Profile <profile name>)# dns-server <name>
(Instant Access Point)(DHCP Profile <profile name>)# domain-name <domain name>
(Instant Access Point)(DHCP Profile <profile name>)# lease-time <minutes>
(Instant Access Point)(DHCP Profile <profile name>)# option <type> <value>
(Instant Access Point)(DHCP Profile <profile name>)# end
(Instant Access Point)# commit apply
To configure a Local L3 DHCP scope:
(Instant Access Point)(config)# ip dhcp <profile name>
(Instant Access Point)(D
442. scovery through DHCP on page 262 e Alternate Method for Defining Vendor Specific DHCP Options on page 265 Configuring Organization String The Organization string is a set of colon separated strings created by the Omnivista administrator to accurately represent the deployment of each AOS W Instant system This string is defined by the installation personnel on the site You can use any of the following strings e AMP Role Org Admin initially disabled e AMP User Org Admin assigned to the role Org Admin AOS W Instant 6 3 1 1 4 0 User Guide Omnivista Integration and Management 260 e Folder Org under the Top folder in AMP e Configuration Group Org You can also assign additional strings to create a hierarchy of sub folders under the folder named Org For example subfolder1 for a folder under the Org folder subfolder2 for a folder under subfolder1 Shared Key The Shared Secret key is an optional field used by the administrator to manually authorize the first Virtual Controller for an organization Any string is acceptable Configuring OmniVista Information You can configure Omnivista information using AOS W Instant UI or CLI In the AOS W Instant Ul 1 Click the Omnivista Set Up Now link in the bottom middle region of the AOS W Instant Ul window The System window is displayed with the Omnivista parameters in the Admin tab Figure 88 Configuring Omnivista General Admin Local AirWave
443. se external URL disable. Enabling Terminal Access: When terminal access is enabled, you can access the AOS-W Instant CLI through an SSH or Telnet server. You can enable terminal access to an OAW-IAP by using the AOS-W Instant UI or CLI. In the AOS-W Instant UI: 1. In the AOS-W Instant main window, click the System link. The System window is displayed. 2. In the General tab of the System window, click Show advanced options to display the advanced options. 3. Select Enabled from the Terminal access drop-down list. 4. To enable Telnet server based access, select Enabled from the Telnet server drop-down list. 5. Click OK. In the CLI, to enable terminal access:
(Instant Access Point)(config)# terminal-access
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
To enable access to the Instant CLI through Telnet:
(Instant Access Point)(config)# telnet-server
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Enabling Auto Join Mode: The Auto Join Mode feature allows OAW-IAPs to automatically discover the Virtual Controller and join the network. The Auto Join Mode feature is enabled by default. If the Auto Join Mode feature is disabled, a New link is displayed in the Access Points tab. Click this link to add OAW-IAPs to the network. If this feature is disabled, the inactive OAW-IAPs are displayed in red. Disabling Auto Join
444. ser Guide Table 30 Access Rule Configuration Parameters Destination Description bootp Bootstrap Protocol cfgm tcp cups Common UNIX Printing System dhcp Dynamic Host Configuration Protocol dns Domain Name Server esp Encapsulating Security Payload ftp File Transfer Protocol gre Generic Routing Encapsulation h323 tcp H 323 Transmission Control Protocol h323 udp H 323 User Datagram Protocol http proxy2 Hypertext Transfer Protocol proxy2 http proxy3 Hypertext Transfer Protocol proxy3 http Hypertext Transfer Protocol https Hypertext Transfer Protocol Secure icmp Internet Control Message Protocol ike Internet Key Exchange kerberos Computer network authentication protocol I2tp Layer 2 Tunneling Protocol Ipd tcp Line Printer Daemon protocol Transmission Control Protocol Ipd udp Line Printer Daemon protocol User Datagram Protocol msrpc tcp Microsoft Remote Procedure Call Transmission Control Protocol msrpc udp Microsoft Remote Procedure Call User Datagram Protocol netbios dgm Network Basic Input Output System Datagram Service netbios ns Network Basic Input Output System Name Service netbios ssn Network Basic Input Output System Session Service noe Alcatel NOE service noe oxo ntp Network Time Protocol papi Point of Access for Providers of Information pop3 Post Office Protocol 3 pptp Point to Point Tunneling Protocol rtsp Real Time Streaming Protocol sccp Skinny Call Control
445. server-vlan 2
(Instant Access Point)(DHCP Profile distL2)# ip-range 10.15.205.0 10.15.205.255
(Instant Access Point)(DHCP Profile distL2)# subnet-mask 255.255.255.0
(Instant Access Point)(DHCP Profile distL2)# lease-time 86400
(Instant Access Point)(DHCP Profile distL2)# default-router 10.15.205.254
(Instant Access Point)(DHCP Profile distL2)# dns-server 10.13.6.110,10.1.1.50
(Instant Access Point)(DHCP Profile distL2)# domain-name alcatel-lucent.com
(Instant Access Point)(DHCP Profile distL2)# client-count 5
(Instant Access Point)(config)# ip dhcp local
(Instant Access Point)(DHCP Profile local)# server-type Local
(Instant Access Point)(DHCP Profile local)# server-vlan 200
(Instant Access Point)(DHCP Profile local)# subnet 172.16.200.1
(Instant Access Point)(DHCP Profile local)# subnet-mask 255.255.255.0
(Instant Access Point)(DHCP Profile local)# lease-time 86400
(Instant Access Point)(DHCP Profile local)# dns-server 10.13.6.110,10.1.1.50
(Instant Access Point)(DHCP Profile local)# domain-name alcatel-lucent.com
To view the VPN configuration: (Instant Access Point)# show vpn config
Enabling Automatic Configuration of GRE Tunnel: GRE is an Alcatel-Lucent proprietary tunnel protocol for encapsulating multicast, broadcast and L2 packets between the Switch and OAW-IAPs. The automatic GRE feature uses the IPSec connection between the OAW-IAP and the switch to send the control information for setting up a GRE tunne
446. simultaneous access to more than 512 clients, use the Network and Mask fields to specify a larger range. While the network or prefix is the common part of the address range, the mask suffix specifies how long the variable part of the address range is. 8. Click OK to apply the changes. In the CLI, to configure a DHCP pool:
(Instant Access Point)(config)# ip dhcp pool
(Instant Access Point)(DHCP)# domain-name <domain>
(Instant Access Point)(DHCP)# dns-server <DNS IP address>
(Instant Access Point)(DHCP)# lease-time <lease time>
(Instant Access Point)(DHCP)# subnet <IP address>
(Instant Access Point)(DHCP)# subnet-mask <subnet mask>
To view the DHCP database:
(Instant Access Point)# show ip dhcp database
DHCP Subnet: 192.0.2.0
DHCP Netmask: 255.255.255.0
DHCP Lease Time (m): 20
DHCP Domain Name: example.com
DHCP DNS Server: 192.0.2.1
Chapter 22 VPN Configuration. This chapter describes the following VPN configuration procedures: Understanding VPN Features on page 239; Configuring a Tunnel from an OAW-IAP to OmniAccess WLAN Switch on page 239; Configuring Routing Profiles on page 250. Understanding VPN Features: As OAW-IAPs use a Virtual Controller architecture, the OAW-IAP network does not require a physical controller to provide the configured WLAN services. However, a physical switch is required for terminating
447. sk of the DRP IP address DRP VLAN VLAN in which the RADIUS packets are sent DRP Gateway Gateway IP address of the DRP VLAN For more information on dynamic RADIUS proxy parameters and configuration procedure see Configuring Dynamic RADIUS Proxy Parameters on page 148 e LDAP Server To configure an LDAP server specify the attributes described in the following table Table 28 LDAP Server Configuration Parameters Parameter Description Name Enter the name of the LDAP server IP address Enter the IP address of the LDAP server Auth port Enter the authorization port number of the LDAP server The default port number is 389 Admin DN Enter a distinguished name for the admin user with read search privileges across all the entries in the LDAP database the user need not have write privileges but the user must be able to search the database and read attributes of other users in the database Admin password Enter a password for administrator Enter a distinguished name for the node which contains the entire user database Filter Specify the filter to apply when searching for a user in the LDAP database The default filter string is objectclass Key Attribute Specify the attribute to use as a key while searching for the LDAP server For Active AOS W Instant 6 3 1 1 4 0 User Guide Authentication 146 Parameter Description LS Directory the value is sAMAccountName Enter a value between 1 and 30 seconds The default v
448. sponse. To configure a NAI profile, enter the following commands at the command prompt:
(Instant Access Point)(config)# hotspot anqp-nai-realm-profile <name>
(Instant Access Point)(nai-realm <name>)# nai-realm-name <name>
(Instant Access Point)(nai-realm <name>)# nai-realm-encoding <utf8>|<rfc4282>
(Instant Access Point)(nai-realm <name>)# nai-realm-eap-method <eap-method>
(Instant Access Point)(nai-realm <name>)# nai-realm-auth-id-1 <authentication ID>
(Instant Access Point)(nai-realm <name>)# nai-realm-auth-id-2 <authentication ID>
(Instant Access Point)(nai-realm <name>)# nai-realm-auth-value-1 <authentication value>
(Instant Access Point)(nai-realm <name>)# nai-realm-auth-value-2 <authentication value>
(Instant Access Point)(nai-realm <name>)# nai-home-realm enable
(Instant Access Point)(nai-realm <name>)# end
(Instant Access Point)# commit apply
You can specify any of the following EAP methods for the nai-realm-eap-method <eap-method> command: identity (to use the EAP Identity type; the associated numeric value is 1); notification (to allow the hotspot realm to use EAP Notification messages for authentication; the associated numeric value is 2); one-time-password (to use authentication with a single-use password; the associated numeric value is 5); generic-token-card (to use EAP Generic Token Card (EAP-GTC); T
449. ss according to the username, role or user location. The distributed AirGroup architecture allows each OAW-IAP to handle Bonjour queries and responses individually instead of overloading a Virtual Controller with these tasks. This results in a scalable AirGroup solution. As shown in the following figure, OAW-IAP1 discovers Air Printer P1 and OAW-IAP3 discovers Apple TV TV1. OAW-IAP1 advertises information about its connected P1 device to the other OAW-IAPs, that is, OAW-IAP2 and OAW-IAP3. Similarly, OAW-IAP3 advertises the TV1 device to OAW-IAP1 and OAW-IAP2. This type of distributed architecture allows any OAW-IAP to respond to its connected devices locally. In this example, the iPad connected to OAW-IAP2 obtains a direct response from the same OAW-IAP about the other Bonjour enabled services in the network. Figure 98 AirGroup Architecture (figure labels: Air Printer P1 (AirPrint), Apple TV TV1 (AirPlay), Local Area Network). NOTE: AirGroup is not supported on a 3G uplink. AirGroup with AOS-W Instant: AirGroup capabilities are available as a feature in Alcatel-Lucent WLANs where Wi-Fi data is distributed among AOS-W Instant APs. When an Alcatel-Lucent WLAN is powered by AOS-W Instant and CPPM, AirGroup begins to function. An AirGroup device can
450. ssages to the ALE server at the specified interval. The default interval is 30 seconds. 6. Click OK. In the CLI, to enable OAW-IAP integration with the ALE server:
(Instant Access Point)(config)# ale-server <server name | IP address>
(Instant Access Point)(config)# ale-report-interval <seconds>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Verifying ALE Configuration on an OAW-IAP. To view the configuration details: (Instant Access Point)# show ale config. To verify the configuration status: (Instant Access Point)# show ale status. Configuring an OAW-IAP for RTLS Support: AOS-W Instant supports the real-time tracking of devices when integrated with Omnivista or a third-party Real Time Location Server such as the Aeroscout Real Time Location Server. With the help of the RTLS, the devices can be monitored in real time or through history. You can configure RTLS using the AOS-W Instant UI or CLI. In the AOS-W Instant UI, to configure Aruba RTLS: 1. Click the More > Services link at the top right corner of the AOS-W Instant main window. The Services window is displayed. 2. Click the RTLS tab. The following figure shows the contents of the RTLS tab. 3. Under Aruba, select the RTLS check box to integrate AOS-W Instant with Omnivista or Ekahau Real Time Location Server. F
451. ssociation response connect to networks and roam between networks without additional authentication The Hotspot 2 0 provides the following services e Network discovery and selection Allows the clients to discover suitable and available networks by advertising the access network type roaming consortium and venue information through the management frames For network discovery and selection Generic Advertisement Service GAS and Access Network Query Protocol ANQP are used e QOS Mapping Provides a mapping between the network layer QoS packet marking and over the air QoS frame marking based on user priority When a hotspot is configured in a network e The clients search for available hotspots using the beacon management frame e When a hotspot is found client sends queries to obtain information about the type of network authentication and IP address and IP address availability using the Generic Advertisement Service GAS action frames e Basedonthe response of the advertisement Server response to the GAS Action Frames the relevant hotspot is selected and the client attempts to associate with it e Basedonthe authentication mode used for mobility clients the client authenticates to access the network Generic Advertisement Service GAS GAS is a request response protocol which provides L2 transport mechanism between a wireless client and a server in the network prior to authentication It helps in determining an 802
452. stant 6.3.1.1-4.0 User Guide, Captive Portal for Guest Access, 120. Table 22 External Captive Portal Configuration Parameters: Parameter | Description. Encryption | Select Enabled to configure encryption settings and specify the encryption parameters. 5. Click Next to continue and then click Finish to apply the changes. In the CLI, to configure security settings for guest users of the WLAN SSID profile:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# essid <ESSID name>
(Instant Access Point)(SSID Profile <name>)# type Guest
(Instant Access Point)(SSID Profile <name>)# captive-portal type external profile exclude-uplink <uplink type>
(Instant Access Point)(SSID Profile <name>)# blacklist
(Instant Access Point)(SSID Profile <name>)# mac-authentication
(Instant Access Point)(SSID Profile <name>)# max-authentication-failures <number>
(Instant Access Point)(SSID Profile <name>)# auth-server <server name>
(Instant Access Point)(SSID Profile <name>)# radius-accounting
(Instant Access Point)(SSID Profile <name>)# radius-interim-accounting-interval
(Instant Access Point)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant Access Point)(SSID Profile <name>)# wpa-passphrase <WPA key>
(Insta
453. stant UI features see AOS W Instant User Interface on page 38 All Inthe current release AOS W Instant Ul does not support Internet Explorer 11 All The AOS W Instant UI logs out automatically if the window is inactive for 15 minutes AOS W Instant CLI The AOS W Instant Command Line Interface CLI is a text based interface accessible through a Secure Shell SSH session SSH access requires that you configure an IP address and a default gateway on the OAW IAP and connect the OAW IAP to your network This is typically performed when the AOS W Instant network on an OAW IAP is set up What is New in AOS W Instant 6 3 1 1 4 0 The following features are added in the AOS W Instant 6 3 1 1 4 0 release 28 About AOS W Instant AOS W Instant 6 3 1 1 4 0 User Guide Table 3 New Features in 6 3 1 1 4 0 Feature Bandwidth contract enhancements Support for 802 11r Roaming and Fast BSS Transition Support for Client Roaming Based on Opportunistic Key Caching LACP on OAW IAP220 Series OAW IAP Guest Management Interface OAW IAP Integration with Analytics and Location Engine ALE OAW IAP Integration with Palo Alto Networks Firewall Domain name based ACL Enhancements to Internal Captive Portal Splash Page Support for multiple Captive portal profiles Client Match Support for Spanning Tree Protocol AOS W Instant 6 3 1 1 4 0 User Guide Description AOS W Instant supports assigning b
454. stant network. Each of these options contains several default levels that enable different sets of policies. An administrator can customize, enable or disable these options accordingly. The detection levels can be configured using the IDS window. To view the IDS window, click the More > IDS link at the top right corner of the Instant main window. The following levels of detection can be configured in the WIP Detection page: Off, Low, Medium, High. Figure 73 Wireless Intrusion Detection (figure residue: Wireless Intrusion Protection (WIP), Detection, Specify What Threats to Detect; Infrastructure custom settings: detect ap spoofing, detect windows bridge, signature deauth broadcast, signature deassociation broadcast, detect adhoc using valid ssid, detect malformed large duration; second custom settings group: detect valid clientmisassociation, detect disconnect sta, detect omerta attack, detect fatajack, detect block ack attack, detect hotspotter attack). The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field. Table 43 Infrastructure Detection Policies: Detection Level | Detection Policy. Detect AP Spoofing; Detect Windows Bridge; IDS Signature Deauthentication Broadcast; IDS Signature Deassociation Broadcast; Detect Adhoc networks using VALID SSID (the Valid SSID list is auto-configured based on the Instant AP con
455. … 228
Enabling Content Filtering for a Wireless Profile ... 228
  In the AOS-W Instant UI ... 228
  In the CLI ... 228
Enabling Content Filtering for a Wired Profile ... 229
  In the AOS-W Instant UI ... 229
  In the CLI ... 229
Configuring Enterprise Domains ... 229
  In the AOS-W Instant UI ... 229
  In the CLI ... 229
Configuring OpenDNS Credentials ... 229
  In the AOS-W Instant UI ... 230
  In the CLI ... 230
DHCP Configuration ... 231
Configuring DHCP Scopes ... 231
  Configuring Distributed DHCP Scopes ... 231
    In the AOS-W Instant UI ... 231
    In the CLI ... 233
  Configuring Centralized DHCP Scope ... 234
    In the AOS-W Instant UI ... 234
    In the CLI ... 235
  Configuring Local and Local L3 DHCP Scopes ... 236
    In the AOS-W Instant UI ... 236
    In the CLI ... 237
Configuring DHCP Server for
456. …sts. When a client sends a broadcast probe request frame to search for all available SSIDs, this option (the probe request threshold) controls the system response for this network profile and ignores probe requests if required. You can specify a Received Signal Strength Indication (RSSI) value within the range of 0 to 100 dB.
5. Click Next to configure VLAN settings. For more information, see Configuring VLAN Settings for a WLAN SSID Profile on page 89.

In the CLI
To configure WLAN settings for an SSID profile:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# essid <ESSID-name>
(Instant Access Point)(SSID Profile <name>)# type <Employee|Voice|Guest>
(Instant Access Point)(SSID Profile <name>)# broadcast-filter <type>
(Instant Access Point)(SSID Profile <name>)# dtim-period <number-of-beacons>
(Instant Access Point)(SSID Profile <name>)# multicast-rate-optimization
(Instant Access Point)(SSID Profile <name>)# dynamic-multicast-optimization
(Instant Access Point)(SSID Profile <name>)# dmo-channel-utilization-threshold
(Instant Access Point)(SSID Profile <name>)# a-max-tx-rate <rate>
(Instant Access Point)(SSID Profile <name>)# a-min-tx-rate <rate>
(Instant Access Point)(SSID Profile <name>)# g-max-tx-rate <rate>
(Instant Access Point)(SSID Profile <name>)# g-min-tx-rat
457. …switch over. When uplink switching based on Internet availability is enabled, the uplink switching based on VPN failover is automatically disabled.

Switching Uplinks Based on Internet Availability
You can configure AOS-W Instant to switch uplinks based on Internet availability. When the uplink switchover based on Internet availability is enabled, the OAW-IAP continuously sends ICMP packets to some well-known Internet servers. If the request times out due to a bad uplink connection or uplink interface failure, and the public Internet is not reachable from the current uplink, the OAW-IAP switches to a different connection. You can set preferences for uplink switching using the AOS-W Instant UI and CLI.

In the AOS-W Instant UI
To configure uplink switching:
1. Click System > show advanced settings > Uplink. The Uplink tab contents are displayed.
2. Under Uplink Management, configure the following parameters:
   • VPN failover timeout: To configure uplink switching based on VPN status, specify the duration to wait for an uplink switch. The default duration is set to 180 seconds.
   • Internet failover: To configure uplink switching based on Internet availability, perform the following steps:
     a. Select Enabled from the Internet failover drop-down list.
     b. Specify the required values for Max allowed test packet loss and Secs between test packets.
     c. Click OK.
When Internet failover is enabled, the OAW-IAP ignores the VPN status
458. …system time when an event occurs.
• Number: Indicates the sequence number.
• Description: Displays the event details.

Fault History
The Fault History alerts occur in the event of a system fault. The Fault History displays the following information:
• Time: Displays the system time when an event occurs.
• Number: Indicates the sequence number.
• Cleared by: Displays the module which cleared this fault.
• Description: Displays the event details.

The following figures show the client alerts, fault history, and active faults.
Figure 23: Client Alerts (screenshot)
Figure 24: Fault History (screenshot)
Figure 25: Active Faults (screenshot)

The following table displays a list of alerts that are generated on the AOS-W Instant network.

Table 13: Alerts list
Type Code | Description | Details
100101 | Internal error | The OAW-IAP has encountered an int
100102 | Unknown SSID in association request |
100103 | Mismatched authentication/encryption setting |
100104 | Unsupported 802.11 rate |
459. …t
(Instant Access Point)(ALG)# no ua-disable
(Instant Access Point)(ALG)# no vocera-disable
(Instant Access Point)(ALG)# end
(Instant Access Point)# commit apply

To view the ALG configuration:
(Instant Access Point)# show alg
Current ALG
-----------
ALG     Status
---     ------
sccp    Disabled
sip     Enabled
ua      Enabled
vocera  Enabled

Configuring Firewall Settings for Protection from ARP Attacks
You can configure firewall settings to protect the network against attacks, using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure firewall settings:
1. Click the Security link at the top right corner of the AOS-W Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
3. To configure protection against security attacks, select the following check boxes:
   • Select Drop bad ARP to enable the OAW-IAP to drop fake ARP packets.
   • Select Fix malformed DHCP to enable the OAW-IAP to fix malformed DHCP packets.
   • Select ARP poison check to enable the OAW-IAP to trigger an alert notifying the user about ARP poisoning that may have been caused by rogue APs.

Figure 56: Firewall Settings - Protection Against Wired Attacks (screenshot of the Security > Firewall Settings tab, including the Application Layer Gateway (ALG) Algorithms section)
460. …t
(Instant Access Point)(domain)# end
(Instant Access Point)# commit apply

Configuring OpenDNS Credentials
When configured, the OpenDNS credentials are used by AOS-W Instant to access OpenDNS to provide enterprise-level content filtering. You can configure OpenDNS credentials using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure OpenDNS credentials:
1. Click More > Services > OpenDNS. The OpenDNS tab contents are displayed.
2. Enter the Username and Password to enable access to OpenDNS.
3. Click OK to apply the changes.

In the CLI
To configure OpenDNS credentials:
(Instant Access Point)(config)# opendns <username> <password>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Chapter 21: DHCP Configuration
This chapter provides the following information:
• Configuring DHCP Scopes on page 231
• Configuring DHCP Server for Client IP Assignment on page 238

Configuring DHCP Scopes
The Virtual Controller supports different modes of DHCP address assignment. With each DHCP address assignment mode, various client traffic forwarding modes are associated. For more information on client traffic forwarding modes for IAP-VPN, see L2/L3 Forwarding Modes on page 252. You can configure Distributed L2, Distributed L3, Local, or NAT DHCP Loc
461. …t, click the first square box in the splash page, type the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
• To change the policy text, click the second square in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
• Specify the URL to which you want to redirect the guest users.
• To upload a custom logo, click Upload your own custom logo image, browse the image file, and click upload image.
• Click Preview to preview the Captive Portal page.

External
If External is selected, perform the following steps:
• Select a profile from the Captive portal profile drop-down.
• If you want to edit the profile, click Edit and update the following parameters:
  • Type: Select either Radius Authentication (to enable user authentication against a RADIUS server) or Authentication Text (to specify the authentication text to be returned by the external server after a successful user authentication).
  • IP or hostname: Enter the IP address or the hostname of the external splash page server.
  • URL: Enter the URL for the external splash page server.
  • Port: Enter the number of the port to use for communicating with the external splash page server.
  • Redirect URL: Specify a redirect URL if you want to redirect the users to another URL.
  • Captive Portal failure: This field allows you to configure Internet access for the guest clients
462. …t Access Point)# hostname <system-name>

Updating Location Details of an OAW-IAP
You can update the physical location details of an OAW-IAP by using the AOS-W Instant UI or CLI. The system location details are used for retrieving information through the SNMP sysLocation MIB object.

In the AOS-W Instant UI
To update location details:
1. In the AOS-W Instant main window, click the System link. The System window is displayed.
2. In the General tab of the System window, specify the location of the OAW-IAP in the System location text box.
3. Click OK.

In the CLI
To update location details of an OAW-IAP:
(Instant Access Point)(config)# syslocation <location-name>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring External Antenna
If your OAW-IAP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's Equivalent Isotropically Radiated Power (EIRP) is in compliance with the limit specified by the regulatory authority of the country in which the OAW-IAP is deployed. You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain. To know if your AP device supports external antenna connectors, see the Install Guide that is shipped along with the AP device.

EIRP and Antenna Gain
The following formula can be used to calculate the EIRP limit related RF power based
463. …t and send frames directly to the associated client.
  • Disabled: When set to Disabled, all broadcast and multicast traffic is forwarded.
DTIM interval | The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the OAW-IAP should deliver the buffered broadcast and multicast frames to associated clients in the powersave mode. The default value is 1, which means the client checks for buffered data on the OAW-IAP at every beacon. You can also configure a higher DTIM value for power saving.
Multicast transmission optimization | Select Enabled if you want the OAW-IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent at up to 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and for 5.0 GHz is 6 Mbps. This option is disabled by default.
Dynamic multicast optimization | Select Enabled to allow the OAW-IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video while preserving the bandwidth available to the non-video clients.

Parameters | Description
DMO channel utilization thresho
464. …t <dBi>

Upgrading an OAW-IAP
While upgrading an OAW-IAP, you can use the image check feature to allow the OAW-IAP to find new software image versions available on a cloud-based image server hosted and maintained by Alcatel-Lucent. The location of the image server is fixed and cannot be changed by the user. The image server is loaded with the latest versions of AOS-W Instant software.

Upgrading an OAW-IAP and Image Server
AOS-W Instant supports mixed AP-class Instant deployment with all APs as part of the same Virtual Controller cluster.

Image Management Using OmniVista
If the multi-class OAW-IAP network is managed by OmniVista, image upgrades can only be done through the OmniVista UI. The OAW-IAP images for different classes must be uploaded on the AMP server. When new OAW-IAPs joining the network need to synchronize their software with the version running on the Virtual Controller, and the new OAW-IAP belongs to a different class, the image file for the new OAW-IAP is provided by OmniVista. If OmniVista does not have the appropriate image file, the new AP will not be able to join the network. The Virtual Controller communicates with the OmniVista server if OmniVista is configured. If OmniVista is not configured on the OAW-IAP, the image is requested from the Image server.

Image Management Using Cloud Server
If the multi-class OAW-IAP network is not managed by
465. …t from an OAW-IAP to the client to identify the OAW-IAP's network and service provider. If a client requests this information through a GAS query, the hotspot AP sends the ANQP capability list in the GAS Initial Response frame, indicating support for the following IEs:
• Venue Name
• Domain Name
• Network Authentication Type
• Roaming Consortium List
• Network Access Identifier Realm
• 3GPP Cellular Network Data

Hotspot 2.0 Query Protocol (H2QP)
The H2QP profiles provide a range of information on hotspot 2.0 elements such as hotspot protocol and port, operating class, operator names, WAN status, and uplink and downlink metrics.

Information Elements (IEs) and Management Frames
The hotspot 2.0 configuration supports the following IEs:
• Interworking IE: Provides information about the Interworking service capabilities, such as the Internet availability in a specific service provider network.
• Advertisement Protocol IE: Provides information about the advertisement protocol that a client can use for communication with the advertisement servers in a network.
• Roaming Consortium IE: Provides information about the service provider network for roaming clients, which can be used to authenticate with the AP.

The IEs are included in the following Management Frames when 802.11u is enabled:
• Beacon Frame
• Probe Request Frame
• Probe Response Frame
• Association Request
• Re-Association Request

NAI Realm List
An NAI Realm profile identifies and describes a N
466. …t <name>)# end
(Instant Access Point)# commit apply
…rule <dest> <mask> match <protocol> <start-port> … dst-nat <IP-address> port <port> option1 … option
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role-by-ssid
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role <attribute> {equals | not-equals | starts-with | matches-regular-expression} <operator> <role> | value-of
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role-pre-auth <pre-authentication-role>
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

To configure machine and user authentication roles:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

To configure unrestricted access:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role-unrestricted
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply

Configuring Captive Portal Roles for an SSID
You can configure an access rule to enforce Captive portal authentication for SSIDs with 802.1X authentication enabled. You can c
467. …t of foreign APs and foreign clients that are detected in the network. It consists of the following sections:
• Foreign Access Points Detected: Lists the APs that are not controlled by the Virtual Controller. The following information is displayed for each foreign AP:
  • MAC address: Displays the MAC address of the foreign AP.
  • Network: Displays the name of the network to which the foreign AP is connected.
  • Classification: Displays the classification of the foreign AP, for example, Interfering OAW-IAP or Rogue OAW-IAP.
  • Channel: Displays the channel in which the foreign AP is operating.
  • Type: Displays the Wi-Fi type of the foreign AP.
  • Last seen: Displays the time when the foreign AP was last detected in the network.
  • Where: Provides information about the OAW-IAP that detected the foreign AP. Click the pushpin icon to view the information.
• Foreign Clients Detected: Lists the clients that are not controlled by the Virtual Controller. The following information is displayed for each foreign client:
  • MAC address: Displays the MAC address of the foreign client.
  • Network: Displays the name of the network to which the foreign client is connected.
  • Classification: Displays the classification of the foreign client: Interfering client.
  • Channel: Displays the channel in which the foreign client is operating.
  • Type: Displays the Wi-Fi type of the foreign client.
468. …t-port> <option1 … option9>
…t deny | src-nat | dst-nat
Command: mgmt-auth-server <auth-profile-name>
No form: no mgmt-auth-server <auth-profile-name>
Command: set-role <attribute> {equals | not-equals | starts-with | ends-with | contains} <operator> <role> | value-of
No form: no set-role <attribute> {equals | not-equals | starts-with | ends-with | contains} <operator> | value-of; no set-role
Command: set-vlan <attribute> {equals | not-equals | starts-with | ends-with | contains} <operator> <VLAN-ID> | value-of
No form: no set-vlan <attribute> {equals | not-equals | starts-with | ends-with | contains} <operator> | value-of; no set-vlan
Command: auth-server <name>
No form: no auth-server <name>

Chapter 4: AOS-W Instant User Interface
This chapter describes the following AOS-W Instant UI elements:
• Login Screen
• Main Window

Login Screen
The AOS-W Instant login page allows you to:
• Log in to the AOS-W Instant UI
• View the AOS-W Instant Network Connectivity summary
• View the AOS-W Instant UI in a specific language

Logging into the AOS-W Instant UI
To log in to the AOS-W Instant UI, enter the following credentials:
• Username: admin
• Password: admin
The AOS-W Instant UI main window is displayed.

Viewing Connectivity Summary
The Login page also displays the connectivity status to the AOS-W Instant network. The users can view a summ
469. …ta exchange between the OmniVista Server and the Virtual Controller.
• VC AMP Events Pending: Displays information about the pending events on the OmniVista server.
• VC AMP Last Configuration Received: Displays the last configuration details received from OmniVista.
• VC AMP Single Sign-on Key: Displays single sign-on key details for OmniVista.
• VC Application Services: Displays the details of application services, which includes protocol number and port number.
• VC Auth Survivability cache: Displays the list of 802.1X cached users' information.
• VC DHCP Option 43 Received: Displays information about the current activities for the DHCP scope with Option 43.
• VC Global Alerts: Displays the list of alerts for all OAW-IAPs managed by the Virtual Controller.
• VC Global Statistics: Displays the flow information and signal strength of the Virtual Controller.
• VC IDS AP List: Displays the list of OAW-IAPs monitored by the Virtual Controller.
• VC IDS Client List: Displays the list of clients detected by IDS for the Virtual Controller.
• VC Internal DHCP Server Configuration: Displays the configuration details of the internal DHCP server.
• VC Local User Database: Displays the list of users configured for the OAW-IAP.
• VC L2TPv3 config: Displays the L2TPv3 configuration status.
• VC L2TPv3 tunnel status: Displays the L2TPv3 tunnel status.
• VC L2TPv3 tunnel configuration: Displays the
470. …tab. Under the channel (2.4 GHz or 5 GHz or both), configure the following parameters.

Table 42: Radio Configuration Parameters
Parameter | Description
Legacy only | Select Enabled to run the radio in non-802.11n mode. This option is set to Disabled by default.
802.11d / 802.11h | Select Enabled to allow the radio to advertise its 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. This option is set to Disabled by default.
Beacon interval | Enter the Beacon period for the OAW-IAP in milliseconds. This indicates how often the 802.11 beacon management frames are transmitted by the access point. You can specify a value within the range of 60-500. The default value is 100 milliseconds.
Interference immunity level | Select to increase the immunity level to improve performance in high-interference environments. The default immunity level is 2.
  • Level 0: no ANI adaptation.
  • Level 1: Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
  • Level 2: Noise and spur immunity. This level also controls the detection of OFDM packets and is the default setting for the Noise Immunity feature.
  • Level 3: Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference
471. …tant Access Point)(config)# l2tpv3 tunnel <l2tpv3-tunnel-profile>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# backup-peer-address <peer-ip-addr-tunnel>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# checksum
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# failover-mode <preemptive|non-preemptive>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# failover-retry-count <retry-count>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# failover-retry-interval <interval-in-seconds>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# hello-timeout <interval-in-seconds>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# local-port <local-udp-port-number>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# message-digest-type <digest-algorithm>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# mtu <tunnel-MTU-size>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# peer-port <peer-udp-port-number>
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3-tunnel-profile>)# primary-peer-address <peer-ip-addr-tunnel>
472. …te: Select an attribute returned by the RADIUS server during authentication.
• Operator: Select an operator for matching the string.
• String: Enter the string to match.
• VLAN: Enter the VLAN to be assigned.
9. Click Next to configure internal or external Captive portal authentication, roles, and access rules for the guest users.

In the CLI
To configure WLAN settings for an SSID profile:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# essid <ESSID-name>
(Instant Access Point)(SSID Profile <name>)# type <Guest>
(Instant Access Point)(SSID Profile <name>)# hide-ssid
(Instant Access Point)(SSID Profile <name>)# inactivity-timeout <interval>
(Instant Access Point)(SSID Profile <name>)# work-without-uplink
(Instant Access Point)(SSID Profile <name>)# local-probe-req-thresh <threshold>
(Instant Access Point)(SSID Profile <name>)# max-clients-threshold <number-of-clients>
(Instant Access Point)(SSID Profile <name>)# broadcast-filter <type>
(Instant Access Point)(SSID Profile <name>)# dtim-period <number-of-beacons>
(Instant Access Point)(SSID Profile <name>)# multicast-rate-optimization
(Instant Access Point)(SSID Profile <name>)# dynamic-multicast-optimization
(Instant Access Point)(S
473. …ter a name for the profile.
• Type: Select any one of the following types of authentication:
  • Radius Authentication: Select this option to enable user authentication against a RADIUS server.
  • Authentication Text: Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
• IP or hostname: Enter the IP address or the hostname of the external splash page server.
• URL: Enter the URL for the external Captive portal server.
• Port: Enter the number of the port to use for communicating with the external Captive portal server.
• Use https: Select Enabled to enforce clients to use HTTPS to communicate with the Captive portal server. Available only if RADIUS Authentication is selected.
• Captive Portal failure: This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access the Internet when the external Captive portal server is not available.
• Automatic URL Whitelisting: Select Enabled or Disabled to enable or disable automatic whitelisting of URLs. On selecting the check box for the external Captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically whitelisted. In the current release, the automatic URL whitelisting is disabled by default.
474. (Figure: screenshot of the Network Policy and Access Services RADIUS client configuration)

VLAN Assignment Based on Derivation Rules
When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes and sets an attribute value in the reply message, the OAW-IAP can analyze the return message and match attributes with a user-pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user. For a complete list of RADIUS server attributes, see Supported VSAs
475. …th multiple backhaul options, the OAW-IAP switches to an uplink connection based on the VPN connection status instead of only using the Ethernet or the physical backhaul link.

The following configuration conditions apply to uplink switching:
• If the current uplink is Ethernet and the VPN connection is down, the OAW-IAP tries to reconnect to the VPN. The retry time depends on the fast failover configuration and the primary or backup VPN tunnel. If this fails, the OAW-IAP waits for the VPN failover timeout and selects a different uplink such as 3G/4G or Wi-Fi.
• If the current uplink is 3G or Wi-Fi and Ethernet has a physical link, the OAW-IAP periodically suspends user traffic to try and connect to the VPN on the Ethernet. If the OAW-IAP succeeds, the OAW-IAP switches to Ethernet. If the OAW-IAP does not succeed, it restores the VPN connection to the current uplink.

Uplink switching based on VPN status is automatically enabled if VPN is configured on the OAW-IAP. However, you can specify the duration in the VPN failover timeout field to wait for an uplink switch. By default, this duration is set to 180 seconds. The OAW-IAP monitors the VPN status, and when the VPN connection is not available for 3 minutes, the uplink switches to another available connection if a low-priority uplink is detected and the uplink preference is set to none. When VPN failover timeout is set to 0, uplink does not
476. …that enable fast roaming of clients:
• 802.11r Roaming
• Opportunistic Key Caching

802.11r Roaming
802.11r is a roaming standard defined by IEEE. When enabled, 802.11r reduces roaming delay by pre-authenticating clients with multiple target APs before a client roams to an AP. With the 802.11r implementation, clients pre-authenticate with multiple APs in a cluster.

As part of the 802.11r implementation, AOS-W Instant supports the Fast BSS Transition protocol. The Fast BSS Transition mechanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster. This minimizes the time required to resume data connectivity when a BSS transition happens.

Fast BSS Transition is operational only if the wireless client supports the 802.11r standard. If the client does not support the 802.11r standard, it falls back to the normal WPA2 authentication method.

Configuring an OAW-IAP for 802.11r support
You can configure 802.11r support for a WLAN SSID by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Navigate to the WLAN wizard: click Network > New or Network > Select the WLAN SSID > edit.
2. Click the Security tab.
3. Slide to the Enterprise, Personal, or Open security level. On selecting a security level, the authentication options applicable to the corresponding network are displayed. The following figure shows the Enterprise security level details.
477. …the IP address of the client that you want to monitor. The Client view for that client is displayed. For more information on the graphs and the views, see Monitoring on page 51.

Chapter 5: Initial Configuration Tasks
This chapter describes the following basic OAW-IAP deployment methods and configuration tasks:
• Updating IP Address of an OAW-IAP on page 67
• Modifying the OAW-IAP Name on page 68
• Updating Location Details of an OAW-IAP on page 69
• Configuring External Antenna on page 69
• Upgrading an OAW-IAP on page 70
• Adding an OAW-IAP to the Network on page 74
• Removing an OAW-IAP from the Network on page 74
• Enabling Terminal Access on page 73
• Enabling Auto Join Mode on page 74
• Configuring a Preferred Band on page 74
• Configuring Radio Profiles for an OAW-IAP on page 75
• Configuring Inter-user Bridging and Local Routing on page 76
• Configuring Uplink VLAN for an OAW-IAP on page 77
• Configuring an NTP Server on page 77

Updating IP Address of an OAW-IAP
You can configure the IP address of an OAW-IAP by using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To change the IP address of an OAW-IAP:
1. In the Access Points tab, click the OAW-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying OAW-IAP details is displayed.
478. …the following parameters for Band steering mode.

Table 38: Band Steering Mode Configuration Parameters
Parameter | Description
| Select this option to use band steering in 5 GHz mode. On selecting this, the OAW-IAP steers the client to the 5 GHz band if the client is 5 GHz capable, but allows the client connection on the 2.4 GHz band if the client persistently attempts 2.4 GHz association.
Force 5 GHz | Select this option to enforce 5 GHz band steering mode on the OAW-IAPs.
Balance Bands | When this option is selected, the OAW-IAP tries to balance the clients across the two radios to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz while the 2.5 GHz band operates in 20 MHz.
Disabled | Select this option if you want to allow the clients to select the band to use.

4. For Airtime fairness mode, specify any of the following values.

Table 39: Airtime Fairness Mode Configuration Parameters
Parameter | Description
Default Access | Select this option to provide access based on client requests. When Air Time Fairness is set to default access, per-user and per-SSID bandwidth limits are not enforced.
| Select this option to allocate Airtime evenly across all the clients.
Preferred Access | Select this option to set a preference where 11n
479. the heading labels.

Networks Tab
This tab displays a list of Wi-Fi networks that are configured in the Instant network. The network names are displayed as links. The expanded view displays the following information about each Wi-Fi network:
• Name (SSID): Name of the network.
• Clients: Number of clients that are connected to the network.
• Type: Type of network, such as Employee, Guest, or Voice.
• Band: Band in which the network is broadcast: 2.4 GHz band, 5 GHz band, or both.
• Authentication Method: Authentication method required to connect to the network.
• Key Management: Authentication key type.
• IP Assignment: Source of IP address for the client.
To add a Wi-Fi network, click the New link in the Networks tab. An edit link is displayed on clicking the network name in the Networks tab. To delete a network, click the x link next to the edit link. For more information on the procedure to add or modify a wireless network, see Wireless Network Profiles on page 85.

Access Points Tab
If the Auto Join Mode feature is enabled, a list of enabled and active OAW-IAPs in the AOS-W Instant network is displayed in the Access Points tab. The OAW-IAP names are displayed as links. If the Auto Join Mode feature is disabled, the New link is displayed. Click this link to add a new OAW-IAP to the network. If an OAW-IAP is configured and not active, its MAC Address is displayed in red. The expanded view of the Access Points tab displays the follow
480. tinguish between Windows devices and other devices such as iPads. You can create any of the following types of rules:
• Machine Auth only role: This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.
• User Auth only role: This indicates a known user or a non-Windows device. The device does not support machine auth or does not have a RADIUS account, but the user is logged in and authenticated.
When a device does both machine and user authentication, the user obtains the default role or the derived role based on the RADIUS attribute.
You can configure machine authentication with role-based access control using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure machine authentication with role-based access control, perform the following steps:
1. In the Access tab of the WLAN (New WLAN or Edit <WLAN profile>) or Wired Network configuration (New Wired Network or Edit Wired Network) window, under Roles, create Machine auth only and User auth only roles.
2. Configure access rules for these roles by selecting the role and applying the rule. For more information on configuring access rules, see Configuring Access Rules on page 169.
3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.
4. Click Finish to apply these changes.

In the CLI
To configure machine and use
481. tinually monitor the client's RSSI as it roams between OAW-IAPs and move the client to an OAW-IAP when a better radio match can be found. This prevents mobile clients from remaining associated to an AP with less than ideal RSSI, which can cause poor connectivity and reduce performance for other clients associated with that OAW-IAP.
• Band Steering: OAW-IAPs using the client match feature monitor the RSSI for clients that advertise a dual-band capability. If a client is currently associated to a 2.4 GHz radio and the AP detects that the client has a good RSSI from the 5 GHz radio, the controller will attempt to steer the client to the 5 GHz radio, as long as the 5 GHz RSSI is not significantly worse than the 2.4 GHz RSSI and the OAW-IAP retains a suitable distribution of clients on each of its radios.
By default, the client match feature is disabled. For information on client match configuration on an OAW-IAP, see Configuring ARM Features on an OAW-IAP on page 213.
In the Instant 6.3.1.1-4.0 release, spectrum load balancing is integrated with the client match feature. Client match allows the APs in a cluster to be divided into several logical AP RF neighborhoods, called domains, which share the same clients. The Virtual Controller determines the distribution of clients and balances client load across channels, regardless of whether the AP is responding to the wireless clients' probe requests.

Airtime Fairness Mode
The Airtime Fairness feature provid
482. tion parameters displayed in the Monitoring tab.
3. Click New in the Users for SNMPv3 box. A window for specifying SNMPv3 user information is displayed.

Figure 113: SNMPv3 User (dialog fields: Name, Auth protocol (SHA), Privacy protocol (DES), Password, Retype)

• Enter the name of the user in the Name text box.
• Select the type of authentication protocol from the Auth protocol drop-down list.
• Select the type of privacy protocol from the Privacy protocol drop-down list.
• Click OK.
10. To edit the details for a particular user, select the user and click Edit.
11. To delete a particular user, select the user and click Delete.

Configuring SNMP Community Strings in the CLI
To configure an SNMP engine ID and host:
(Instant Access Point)(config)# snmp-server engine-id <engine-ID>
(Instant Access Point)(config)# snmp-server host <ipaddr> version {1 <name> udp-port <port>}|{2c|3 <name> [inform] [udp-port <port>]}
To configure SNMPv1 and SNMPv2 community strings:
(Instant Access Point)(config)# snmp-server community <community-string>
To configure SNMPv3 community strings:
(Instant Access Point)(config)# snmp-server user <name> <auth-protocol> <password>
To view the SNMP configuration:
(Instant Access Point)# show snmp configuration
Engine ID: D8C7C8C44298
Community Strings
Na
483. to CALEA Server through VPN.
You can also deploy the CALEA server with a Switch and configure an additional IPSec tunnel for corporate access. When the CALEA server is configured with a Switch, the client traffic is replicated by the slave OAW-IAP, and the client data is encapsulated by GRE on the slave and routed to the master IAP. The master IAP sends the IPsec client traffic to the Switch. The Switch handles the IPSec client traffic, while the GRE data is routed to the CALEA server.
The following figure illustrates the traffic flow from the IAP to the CALEA server through VPN.

Figure 106: AP to CALEA Server through VPN. Callouts in the figure:
1. The Law Enforcement Agency requests an intercept on a user MAC.
2. The RADIUS Server uses a special VSA to inform the IAP that traffic replication is needed for a particular client at the end of its authentication process.
3. The IAP receives the instruction to start replication.
4. The IAP sends IPSec traffic to the Controller and sends the replicated user traffic into the GRE tunnel.
5. User traffic is sent through GRE to the CALEA Server; the ISP post-processes the data and sends it to the LEA.

Ensure that the IPSec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN. For more information on configuring IPSec, see Configuring IPSec Tunnel on page 239.

Client Traffic Replication
Client traffic is replicated in the following ways
484. to an OAW-IAP with 3G/4G Card 82
Preference to an OAW-IAP with Non-Default IP 82
Manual Provisioning of Master OAW-IAP 82
Provisioning an OAW-IAP as a Master OAW-IAP 83
In the AOS-W Instant UI 83
In the CLI 83
Virtual Controller IP Address Configuration 83
Configuring IP Address for Virtual Controller 83
In the AOS-W Instant UI 84
In the CLI 84
Wireless Network Profiles 85
Understanding Wireless Network Profiles 85
Network Types 85
Configuring WLAN Settings for an SSID Profile 86
In the AOS-W Instant UI 86
In the CLI 88
Configuring VLAN Settings for a WLAN SSID Profile 89
In the AOS-W Instant UI 89
In the CLI 90
Configuring Security Settings for a WLAN SSID Profile 90
Configuring Security Settings for an Employee or Voice Network 90
In the AOS-W Instant UI 91
In the CLI 94
Configuring Access Rules for a WLAN SSID Profile 95
In the AOS-W Instant UI 96
In the CLI 96
Configuring Support for Fast Roaming of Clients 97
802.11r Roaming
485. to indicates that the downlink speed is unknown or unspecified.
• Uplink speed: Indicates the WAN uplink speed in Kbps.
• Load duration: Indicates the duration in seconds during which the downlink utilization is measured.
• Symmetric links: Indicates if the uplink and downlink have the same speed.
• WAN Link Status: Indicates if the WAN is down (link down), up (link up), or in test state (link under test).

Creating a Hotspot Profile
To create a hotspot profile:
(Instant Access Point)(config)# hotspot hs-profile <name>
(Instant Access Point)(Hotspot2.0 <name>)# asra
(Instant Access Point)(Hotspot2.0 <name>)# access-network-type <type>
(Instant Access Point)(Hotspot2.0 <name>)# addtl-roam-cons-ois <roam-consortium-OIs>
(Instant Access Point)(Hotspot2.0 <name>)# comeback-mode
(Instant Access Point)(Hotspot2.0 <name>)# gas-comeback <delay-interval>
(Instant Access Point)(Hotspot2.0 <name>)# group-frame-block
(Instant Access Point)(Hotspot2.0 <name>)# hessid <hotspot-essid>
(Instant Access Point)(Hotspot2.0 <name>)# internet
(Instant Access Point)(Hotspot2.0 <name>)# p2p-cross-connect
(Instant Access Point)(Hotspot2.0 <name>)# p2p-dev-mgmt
(Instant Access Point)(Hotspot2.0 <name>)# pame-bi
(Instant Access Point)(Hotspot2.0 <name>)# query-response-length-limit <integer>
(Instant Access Point)(Hotsp
486. to the WLAN wizard, click Network > New or Network > Select the WLAN SSID > edit.
2. Click the Security tab.
3. Slide to the Enterprise security level. On selecting a security level, the authentication options applicable to the Enterprise network are displayed.

(Screenshot of the WLAN Security tab at the Enterprise security level: Key management: WPA-2 Enterprise; Opportunistic Key Caching (OKC) selected; 802.11r roaming: Disabled; Termination: Disabled; Authentication server 1: InternalServer; Reauth interval in hrs; MAC authentication with "Perform MAC authentication before 802.1X" and "MAC authentication fail-thru"; Internal server: No users; Default certificate / Upload certificate; Blacklisting: Disabled; Next / Cancel)

4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list. When any of these encryption types is selected, Opportunistic Key Caching (OKC) is enabled by default.
5. Click Next and then click Finish.

In the CLI
To disable OKC roaming on a WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}
(Instant Access Point)(SSID Profile <name>)# okc-disable
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
To enable
487. tor by selecting Lower, Middle, or Higher from the Standalone spectrum band drop-down list.
d. Click OK.

In the CLI
To convert an OAW-IAP to a spectrum monitor:
(Instant Access Point)# wifi0-mode {<access>|<monitor>|<spectrum-monitor>}
(Instant Access Point)# wifi1-mode {<access>|<monitor>|<spectrum-monitor>}
To enable spectrum monitoring for any other band for the 5 GHz radio:
(Instant Access Point)(config)# rf dot11a-radio-profile
(Instant Access Point)(RF dot11a Radio Profile)# spectrum-band <type>
To view the radio configuration:
(Instant Access Point)# show radio config
2.4 GHz:
Legacy Mode: disable
Beacon Interval: 100
802.11d / 802.11h: disable
Interference Immunity Level: 2
Channel Switch Announcement Count: 0
Channel Reuse Type: disable
Channel Reuse Threshold: 0
Background Spectrum Monitor: disable
5.0 GHz:
Legacy Mode: disable
Beacon Interval: 100
802.11d / 802.11h: disable
Interference Immunity Level: 2
Channel Switch Announcement Count: 0
Channel Reuse Type: disable
Channel Reuse Threshold: 0
Background Spectrum Monitor: disable
Standalone Spectrum Band: 5ghz-upper

Chapter 18: Adaptive Radio Management
This chapter provides the following information:
• ARM Overview on page 211
• Configuring ARM Features on an OAW-IAP on page
488. tream devices message notifies the users about the mismatch in the VLAN configuration on the OAW-IAP or the upstream device of an OAW-IAP.
• Telnet access to the AOS-W Instant CLI: AOS-W Instant now supports Telnet access to the AOS-W Instant CLI.

Table 4: New Hardware Platforms introduced in this release
OAW-IAP Platform: Description
• OAW-IAP224/225: The OAW-IAP224 and OAW-IAP225 wireless access points support the IEEE 802.11ac standard for high-performance WLAN. These APs use MIMO (Multiple-in, Multiple-out) technology and other high-throughput mode techniques to deliver high-performance 802.11n (2.4 GHz) and 802.11ac (5 GHz) functionality while simultaneously supporting existing legacy wireless services. The OAW-IAP220 Series supports 802.11ac on the 5 GHz band using 80 MHz channels. For more information about this product, visit
• OAW-IAP114/115: The OAW-IAP114 and OAW-IAP115 are dual-radio, dual-band wireless access points that support the IEEE 802.11n standard for high-performance WLAN. These APs use MIMO (Multiple-in, Multiple-out) technology and other high-throughput mode techniques to deliver high-performance 802.11n 2.4 GHz and 5 GHz functionality while simultaneously supporting existing 802.11a/b/g wireless services. For more information about this product, visit
Check with your local Dell sales representative on device av
489. try code details for the OAW-IAP.
• AP CPU Details: Displays detailed information about memory utilization and CPU load for system processes.
• AP CPU Utilization: Displays utilization of CPU for the OAW-IAP.
• AP Crash Info: Displays crash log information, if it exists, for the OAW-IAP. The stored information is cleared from the flash after the AP reboots.
• AP Current Time: Displays the current time configured on the OAW-IAP.
• AP Current Timezone: Displays the current time zone configured on the OAW-IAP.
• AP Datapath ACL Table Allocation: Displays ACL table allocation details for the OAW-IAP.
• AP Datapath ACL Tables: Displays the list of ACL rules configured for the SSID and Ethernet port profiles.
• AP Datapath Bridge Table: Displays bridge table entry statistics, including MAC address, VLAN, assigned VLAN, Destination, and flag information for the OAW-IAP.
• AP Datapath DMO Session: Displays details of a DMO session.
• AP Datapath Dns Id Map: Displays the mapping details for the DNS ID.
• AP Datapath Multicast Table: Displays multicast table statistics for the OAW-IAP.
• AP Datapath Nat Pool: Displays NAT pool details configured in the datapath.
• AP Datapath Route Table: Displays route table statistics for the OAW-IAP.
• AP Datapath Session Table: Displays the datapath session table statistics for the OAW-IAP.
• AP Datapath Statistics: Displays the hardware packet statistics fo
490. ts APs, creating a feature-rich, enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity.
AOS-W Instant is a simple, easy-to-deploy, turn-key WLAN solution consisting of one or more APs. An Ethernet port with routable connectivity to the Internet or a self-enclosed network is used for deploying an Instant Wireless Network. An Instant Access Point (OAW-IAP) can be installed at a single site or deployed across multiple geographically dispersed locations. Designed specifically for easy deployment and proactive management of networks, AOS-W Instant is ideal for small customers or remote locations without any on-site IT administrator.
AOS-W Instant consists of an OAW-IAP and a Virtual Controller. The Virtual Controller resides within one of the APs. In an AOS-W Instant deployment scenario, only the first OAW-IAP needs to be configured. After the first OAW-IAP is configured, the other OAW-IAPs inherit all the required configuration information from the Virtual Controller. AOS-W Instant continually monitors the network to determine the OAW-IAP that should function as the Virtual Controller at any time, and the Virtual Controller will move from one OAW-IAP to another as necessary without impacting network performance.

Supported Devices
The following devices are supported in the current release of AOS-W Instant:
• OAW-IAP92
• OAW-IAP93
• OAW-IAP104
• OAW-IAP105
• OAW-IAP114
• OAW-IAP115
• OAW-IAP134
• OAW-IAP135
491. ts and relay.

Table 48: DHCP Mode Configuration Parameters
Name: Description
• Helper address: Enter the IP address of the DHCP server.
• VLAN IP: Specify the VLAN IP address of the DHCP relay server.
• VLAN Mask: Specify the VLAN subnet mask of the DHCP relay server.
• Option82: This option is available only if Centralized is selected. Select Alcatel to enable DHCP Option 82 to allow clients to send DHCP packets with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format. The ALU format for the Option 82 string consists of the following:
  • Remote Circuit ID: X AP-MAC; SSID; SSID-Type
  • Remote Agent: X IDUE-MAC
4. Click OK.
The Option 82 is specific to Alcatel and is not configurable in this version of AOS-W Instant.
The following table describes the behavior of the DHCP Relay Agent and Option 82 in the OAW-IAP.

Table 49: DHCP Relay and Option 82
DHCP Relay | Option 82 | Behavior
Enabled | Enabled | DHCP packet relayed with the ALU-specific Option 82 string
Enabled | Disabled | DHCP packet relayed without the ALU-specific Option 82 string
Disabled | Enabled | DHCP packet not relayed, but broadcast with the ALU-specific Option 82 string
Disabled | Disabled | DHCP packet not relayed, but broadcast without the ALU-specific Option 82 string

In the CLI
To configure a Centralized DHCP scope for L2 clients:
(Instant Access Point)(config)# ip dhcp <pr
492. twork: This view allows you to monitor the AOS-W Instant network.
The following AOS-W Instant UI elements are available in this view:
• Tabs: Networks, Access Points, and Clients. For detailed information about the tabs, see Tabs on page 39.
• Links: Monitoring, Client Alerts, and IDS. The Spectrum link is visible if you have configured the OAW-IAP as a spectrum monitor. These links allow you to monitor the AOS-W Instant network. For more information about these links, see Monitoring on page 51, IDS on page 63, Alerts on page 60, and Spectrum Monitor on page 203.
• Network view: The Network view provides information that is necessary to monitor a selected wireless network. All Wi-Fi networks in the AOS-W Instant network are listed in the Networks tab. Click the name of the network that you want to monitor. The Network view for the selected network is displayed.
• AOS-W Instant Access Point view: The AOS-W Instant Access Point view provides information that is necessary to monitor a selected OAW-IAP. All OAW-IAPs in the AOS-W Instant network are listed in the Access Points tab. Click the name of the OAW-IAP that you want to monitor. The Access Point view for that OAW-IAP is displayed.
• Client view: The Client view provides information that is necessary to monitor a selected client. In the Client view, all the clients in the AOS-W Instant network are listed in the Clients tab. Click
493. twork Profiles | 97

Figure 37: WLAN Security Settings, Enterprise Tab (screenshot of the New WLAN Security tab: Security Level slider with More Secure/Enterprise, Personal, and Open/Less Secure; Key management: WPA-2 Enterprise; Opportunistic Key Caching (OKC); 802.11r roaming: Disabled; Termination: Disabled; Authentication server 1: InternalServer; Reauth interval in hrs; MAC authentication with "Perform MAC authentication before 802.1X" and "MAC authentication fail-thru"; Internal server: No users; Default certificate / Upload certificate; Blacklisting: Disabled; Next / Cancel)

4. Set 802.11r roaming to Enabled. 802.11r roaming can also be enabled for the Personal and Open security levels.
5. Click Next and then click Finish.

In the CLI
To enable 802.11r roaming on an enterprise WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode wpa2-aes
(Instant Access Point)(SSID Profile <name>)# dot11r
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
To enable 802.11r roaming for personal security settings:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode [argument not recovered; visible fragments: wpa-p…, tkip, wpa2-aes]
494. u can configure a preferred band for an OAW-IAP by using the AOS-W Instant UI or the CLI.

In the AOS-W Instant UI
1. In the AOS-W Instant main window, click the System link. The System window is displayed.
2. In the General tab of the System window, select 2.4 GHz, 5 GHz, or All from the Preferred band drop-down list for single-radio access points.
3. Click OK.
Reboot the OAW-IAP after configuring the radio profile for the changes to take effect.

In the CLI
To configure a preferred band:
(Instant Access Point)(config)# rf-band <band>
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring Radio Profiles for an OAW-IAP
You can configure a radio profile on an OAW-IAP either manually or by using the Adaptive Radio Management (ARM) feature.
Adaptive Radio Management (ARM) is enabled on AOS-W Instant by default. It automatically assigns appropriate channel and power settings for the OAW-IAPs. For more information on ARM, see Adaptive Radio Management on page 211.

Configuring ARM Assigned Radio Profiles for an OAW-IAP
To enable ARM assigned radio profiles:
1. In the Access Points tab, click the OAW-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying OAW-IAP details is displayed.
3. Click the Radio tab. The Radio tab details are displayed.
4. Ensure that an appropriate mode is selected.
495. uide

Configuring the RADIUS Server in AOS-W Instant
To configure AOS-W Instant to point to ClearPass Guest as an external Captive Portal server, perform the following steps:
1. Select the WLAN SSID for which you want to enable external Captive portal authentication with CPPM. You can also configure the RADIUS server when configuring a new SSID profile.
2. In the Security tab, select External from the Splash page type.
3. Select New from the Captive portal profile drop-down and update the following fields:
  a. Enter the IP address of the ClearPass Guest server in the IP or hostname field. Obtain the ClearPass Guest IP address from your system administrator.
  b. Enter page_name.php in the URL field. This URL must correspond to the Page Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is Alcatel-Lucent, the URL should be Alcatel-Lucent.php in the AOS-W Instant UI.
  c. Enter the Port number (generally it should be 80). The ClearPass Guest server uses this port for HTTP services.
  d. Click OK.
4. To create an external RADIUS server, select New from the Authentication server 1 drop-down list. For information on RADIUS server configuration parameters, see Configuring an External Server for Authentication on page 144.
5. Click Next and then click Finish.
6. Click the updated SSID in the Network tab.
7. Open any browser and type any URL. AOS-W Instant r
496. untry: Modems of this type require the user to specify the Country and ISP. The same modem is used for different ISPs, with different parameters configured for each of them.
• No Auto-detect: Modems of this type are used only if they share the same Device ID, Country, and ISP details. You need to configure different parameters for each of them. These modems work with AOS-W Instant when the appropriate parameters are configured.
The following table lists the types of supported 3G modems.

Table 32: List of Supported 3G Modems
Modem Type: Supported 3G Modems
• True Auto Detect: USBConnect 881 (Sierra 881U), Quicksilver (Globetrotter ICON 322), UM100C (UTstarcom), Icon 452, Aircard 250U (Sierra), USB 598 (Sierra), U300 (Franklin wireless)
• Auto-detect + ISP/country: U301 (Franklin wireless), USB U760 for Virgin (Novatel), USB U720 (Novatel/Qualcomm), UM175 (Pantech), UM150 (Pantech), UMW190 (Pantech), SXC-1080 (Qualcomm), Globetrotter ICON 225, UMG181, NTT DoCoMo L-05A (LG FOMA), LOBA NTT DoCoMo L-02A, ZTE WCDMA Technologies MSM, MF668 Fivespot (ZTE), c-motech CNU-600, ZTE AC2736, SEC-8089 (EpiValley), Nokia CS-10, NTT DoCoMo L-08C (LG), NTT DoCoMo L-02C (LG), Novatel MC545, Huawei E220 for Movistar in Spain, Huawei E180 for Movistar in Spain, ZTE MF820, Hua
497. uration parameters, see Configuring Security Settings for a Wired Profile on page 104. Click Next to define access rules, and then click Finish to apply the changes.
7. Assign the profile to an Ethernet port. For more information, see Assigning a Profile to Ethernet Ports on page 108.

In the CLI
To enable 802.1X authentication for a wired profile:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# type {<employee>|<guest>}
(Instant Access Point)(wired ap profile <name>)# dot1x
(Instant Access Point)(wired ap profile <name>)# auth-server <server1>
(Instant Access Point)(wired ap profile <name>)# auth-server <server1>
(Instant Access Point)(wired ap profile <name>)# server-load-balancing
(Instant Access Point)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply

Configuring MAC Authentication for a Network Profile
MAC authentication can be used alone, or it can be combined with other forms of authentication such as WEP authentication. However, it is recommended that you do not use MAC-based authentication.
This section describes the following procedures:
• Configuring MAC Authentication for Wireless Network Profiles on page 154
498. ure external Captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
• To configure external Captive portal authentication for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. In the Security tab, select External from the Splash page type drop-down.
3. From the Captive portal profile drop-down, select a profile. You can select a default profile or an already existing profile, or click New and create a new profile.
4. Configure the following parameters based on the type of splash page you selected.

Table 22: External Captive Portal Configuration Parameters
Parameters: WISPr, MAC authentication, Authentication server, Reauth interval, Accounting mode, Blacklisting, Max authentication failures, Walled garden.
• WISPr: Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication on page 157. NOTE: The WISPr authentication is applicable only for the External RADIUS Server and Internal Authenticated splash pages and is not applicable for wired profiles.
• MAC authentication: Select Enabled if you want to enable MAC authentication. For information on MAC authentication, see Configuring MAC Authentication for a Network Profile on page 153.
• Authentication server: To configure Authentication server, sele
499. uring Source Based Routing 172
Configuring a Destination NAT Access Rule 173
In the AOS-W Instant UI 173
In the CLI 173
Configuration Examples for Access Rules 173
Allow POP3 Service to a Particular Server 174
Allow TCP Service to a Particular Network 174
Deny FTP Service except to a Particular Server 174
Deny bootp Service except to a Particular Network 175
Configuring User Roles 175
Creating a User Role 175
In the AOS-W Instant UI 175
In the CLI 176
Assigning Bandwidth Contracts to User Roles 176
Assigning Bandwidth Contracts in the AOS-W Instant UI 176
Assigning a bandwidth contract using AOS-W Instant CLI 176
Configuring Machine and User Authentication Roles 177
In the AOS-W Instant UI 177
In the CLI 177
Configuring Derivation Rules 178
Understanding Role Assignment Rule
500. ut [rest of entry not recovered] 51
Monitoring 51
[entry not recovered] 51
RF Dashboard 53
RF Trends 54
Usage Trends 55
[entry not recovered] 59
[entry not recovered] 60
Alerts 60
Configuration 64
[entry not recovered] 65
OmniVista 3600 Setup 65
Pause/Resume 65
[entry not recovered] 65
Initial Configuration Tasks 67
Updating IP Address of an OAW-IAP 67
In the AOS-W Instant UI 67
In the CLI 68
Modifying the OAW-IAP Name 68
In the AOS-W Instant UI 68
In the CLI 69
Updating Location Details of an OAW-IAP 69
In the AOS-W Instant UI 69
In the CLI 69
Configuring External Antenna 69
EIRP and Antenna Gain 69
Configuring Antenna Gain 70
In the AOS-W Instant UI
501. ut that each radio is allowed to provide for the connected clients.
• Wi-Fi Multimedia (WMM) traffic management: Configure the following options for Wi-Fi Multimedia (WMM) traffic management. WMM supports voice, video, best effort, and background access categories. You can allocate a higher bandwidth for voice and video traffic than other types of traffic based on the network profile. Specify a percentage value for the following parameters:
  • Background WMM share: Allocates bandwidth for background traffic such as file downloads or print jobs.
  • Best effort WMM share: Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS.
  • Video WMM share: Allocates bandwidth for video traffic generated from video streaming.
  • Voice WMM share: Allocates bandwidth for voice traffic generated from incoming and outgoing voice communication.
  NOTE: In a non-WMM or hybrid environment where some clients are not WMM-capable, you can allocate higher values for Best effort WMM share and Voice WMM share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.
• Content filtering: Set to Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network.
• Band: Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.
502. ver 0.0.0.0 (screenshot of the Syslog and SNMP settings: facility levels Ap Debug, User, Network, User Debug, Security, and Wireless, each set to Warning; SNMP Community Strings for SNMPv1 and SNMPv2; Users for SNMPv3 with Name, Authentication Protocol, and Privacy Protocol; SNMP Traps and SNMP Trap Receivers with IP Address, Version, Community, Username, and Inform; Hide advanced options)

• In the Syslog server text box, enter the IP address of the server to which you want to send system logs.
• Select the required values to configure syslog facility levels. Syslog Facility is an information field associated with a syslog message. It is an application or operating system component that generates a log message. The following seven facilities are supported by Syslog:
  • AP Debug: Detailed log about the AP device.
  • Network: Log about change of network, for example, when a new OAW-IAP is added to a network.
  • Security: Log about network security, for example, when a client connects using a wrong password.
  • System: Log about configuration and system status.
  • User: Important logs about the client.
  • User Debug: Detailed log about the client.
  • Wireless: Log about radio.
The following table describes the logging levels in order of severity, from the most to the least severe.

Table 62: Logging Levels
Logging Level: Description
• Emergency: Panic conditions that occur when the system becomes unusable.
• Alert: Any condition requiring immediate attention and correction.
• Critical: Any critical condit
503. …vice in dBm.
Duty cycle: Device duty cycle. This value represents the percent of time the device broadcasts a signal.
Time at which the device was first detected.
Time at which the device's status was updated.

Non-Wi-Fi Interferers
The following table describes each type of non-Wi-Fi interferer detected by the spectrum monitor feature.

204 | Spectrum Monitor | AOS-W Instant 6.3.1.1-4.0 User Guide

Table 35 Non-Wi-Fi Interferer Types
Non-Wi-Fi Interferer | Description
Bluetooth | Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol.
Fixed Frequency Audio | Some audio devices, such as wireless speakers and microphones, also use a fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency Audio.
Fixed Frequency Cordless Phones | Some cordless phones use a fixed frequency to transmit data, much like the fixed frequency video devices. These devices are classified as Fixed Frequency Cordless Phones.
Fixed Frequency Video | Video transmitters that continuously transmit video on a single frequency are classified as Fixed Frequency Video. These devices typically have close to a 100% duty cycle. These types of devices may be used for video surveillance, TV, or other video distribution and similar applications.
Fixed … | All other fixed frequency devices that do not fall into one of the abov…
504. …violation is detected, and automatically repairs the incorrectly configured devices.

Figure 86 Template-based Configuration [screenshot of the OmniVista template form: Group, Name, Device Type (Aruba Instant Virtual Controller), Restrict to this version (Yes/No), Fetch template from device, and the template contents]

Trending Reports
OmniVista saves up to 14 months of actionable information, including network performance data and user roaming patterns, so you can analyze how network usage and performance trends have changed over time. It also provides detailed capacity reports with which you can plan the capacity and appropriate strategies for your organization.

Intrusion Detection System
OmniVista provides advanced rules-based rogue classification. It automatically detects rogue APs irrespective of their location in the network and prevents authorized OAW-IAPs from being detected as rogue OAW-IAPs. It tracks and correlates the IDS events to provide a complete picture of network security.

Wireless Intrusion Detection System (WIDS) Event Reporting to OmniVista
OmniVista supports Wireless Intrusion Detection System (WIDS) Event Reporting, which is provided by AOS-W Instant. This includes WIDS classification integration with the…
505. …wei E173s-1
- Sierra 320
- Longcheer WM72
- U600 3G mode
- Sierra USB 306 HK CLS 1010 HK
- Sierra 306/308 Telstra Aus
- Sierra 503 PCIe Telstra Aus
- Sierra 312 Telstra Aus
- Aircard USB 308 AT&T's Shockwave
- Compass 597 Sierra Sprint
- U597 Sierra Verizon
- Tstick C597 Sierra Telecom NZ
- Ovation U727 Novatel Sprint
- USB U727 Novatel Verizon
- USB U760 Novatel Sprint
- USB U760 Novatel Verizon
- Novatel MiFi 2200 Verizon MiFi 2200
- Huawei E272/E170/E220 ATT
- Huawei E169/E180/E220/E272 Vodafone SmarTone Hk
- Huawei E160 O2 UK
- Huawei E160 SFR France
- Huawei E220 NZ and JP
- Huawei E176G Telstra Aus
- Huawei E1553/E176 3 HUTCH Aus
- Huawei K4505 Vodafone SmarTone Hk
- Huawei K4505 Vodafone UK
- ZTE MF656 Netcom Norway
- ZTE MF636 HK CSL 1010
- ZTE MF633/MF636 Telstra Aus
- ZTE MF637 Orange in Israel
- Huawei E180/E1692/E1762 Optus Aus

Uplink Configuration | 191

Table 32 List of Supported 3G Modems
Modem Type | Supported 3G Modems
- Huawei E1731 Airtel 3G India
- Huawei E3765 Vodafone Aus
- Huawei E3765 T-Mobile Germany
- Huawei E1552 SingTel
- Huawei E1750 T-Mobile Germany
- UGM 1831 TMobile
- Huawei D33HW EMOBILE Japan
- Huawei GD01 EMOBILE Japan
- Huawei EC150 Reliance NetConnect Ind…
506. …when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access the Internet when the external captive portal server is not available.

Automatic URL Whitelisting: Select Enabled or Disabled to enable or disable automatic whitelisting of URLs. On selecting the check box for the external captive portal authentication, the URLs that unauthenticated users are allowed to access are automatically whitelisted. Automatic URL whitelisting is disabled by default.

Auth Text: Indicates the authentication text returned by the external server after a successful user authentication.

6. Click OK. The enforce captive portal rule is created and listed as an access rule.
7. Create a role assignment rule based on the user role to which the captive portal access rule is assigned.
8. Click Finish.

The client can connect to this SSID after authenticating with username and password. After a successful user login, the captive portal role is assigned to the client.

In the CLI
To create a captive portal role:
(Instant Access Point)(config)# wlan access-rule <Name>
(Instant Access Point)(Access Rule <Name>)# captive-portal external profile <name> | interna…
(Instant Access Point)(Access Rule <Name>)# end
(Instant Access Point)# commit ap…
507. …will be displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type (Internal-Authenticated or Internal-Acknowledged) for which you are customizing the splash page design. Perform the following steps to customize the splash page design:
- To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
- To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
- To change the policy text, click the second square in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
- To upload a custom logo, click Upload your own custom logo Image, browse to the image file, and click upload image.
- To redirect users to another URL, specify a URL in Redirect URL.
- Click Preview to preview the captive portal page.

NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.

3. Click Next to c…
508. …word [Figure residue: Add User form with a masked Password field; Enable User (check to enable local user); role AirGroup Operator; Attribute 1 (click to add)]

6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.

Figure 120 Local Users UI Screen [screenshot of ClearPass Policy Manager, Configuration > Identity > Local Users, listing the users airgroup admin (AirGroup Admin, AirGroup Administrator, Enabled) and test (TestRole, Enabled); Showing 1-3 of 3]

7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in.
8. After logging in, click Create Device.

Figure 121 Create a Device [screenshot: Start Here > Create Device, List Devices]

The following page is displayed:

Figure 122 …
509. …work are sent to OpenDNS, select Enabled for Content Filtering.
g. Uplink: Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled as an Uplink port. For more information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 108.
h. Spanning Tree: Select the Spanning Tree checkbox to enable Spanning Tree Protocol (STP) on the wired profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports regardless of forwarding mode. STP will not operate on the uplink port and is supported only on OAW-IAPs with three or more ports. By default, Spanning Tree is disabled on wired profiles.
4. Click Next. The VLAN tab details are displayed.
5. Configure VLAN for the wired profile. For more information, see Configuring VLAN for a Wired Profile on page 103.

In the CLI
To configure wired settings:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)# type <employee>|<guest>
(Instant Access Point)(wired ap profile <name>)# speed 10|100|1000|auto
(Instant Access Point)(wired ap profile <name>)# duplex <half>|<full>|<auto>
(Instant Access Point)(wired ap profile <name>)# no shutdown
(Instant Access Point)(wir…
510. …work assignments [Figure residue: Network assignments table mapping the wired ports (0/0 to 0/4) to default_wired_port_profile or wired_instant; Wired Users; OK / Cancel]

Services
The Services window allows you to configure services such as AirGroup, RTLS, and OpenDNS. The Services window consists of the following tabs:
- AirGroup: Allows you to configure AirGroup and AirGroup services. For more information, see AirGroup Configuration on page 268.
- RTLS: Allows you to integrate the OmniVista Management platform or a third-party Real Time Location Server, such as the Aeroscout Real Time Location Server, with AOS-W Instant. For more information, see Integration with Security and Location Services Applications on page 276. The RTLS tab also allows you to integrate the OAW-IAP with the Analytics and Location Engine (ALE). For more information about configuring an OAW-IAP for ALE integration, see Configuring an OAW-IAP for Analytics and Location Engine Support on page 276.
- OpenDNS: Allows you to configure support for OpenDNS business solutions, which require an OpenDNS (www.opendns.com) account. The OpenDNS credentials are used by AOS-W Instant and OmniVista to filter content at the enterprise level. For more information, see Configuring OpenDNS Credentials on page 229.
- CALEA: Allows you to configure support for Communications Assistance for Law Enforcement Act (CALEA) server integration the…
511. …xecute the selected command for a specific OAW-IAP or all OAW-IAPs and view logs.
- Auto Run: Allows you to configure a schedule for automatic execution of a support command for a specific OAW-IAP or all OAW-IAPs.
- Filter: Allows you to filter the contents of a command output.
- Clear: Clears the command output displayed after a command is executed.
- Save Results: Allows you to save the support command logs as an HTML or text file.

For more information on support commands, see Running Debug Commands from the AOS-W Instant UI on page 317. The following figure shows the Support window.

Figure 15 Support Window [screenshot: Command: AP3G AG Status; Target: All Access Points; Run; Auto Run]

Logout
The Logout link allows you to log out of the AOS-W Instant UI.

Monitoring
The Monitoring link displays the Monitoring pane for the AOS-W Instant network. Use the down arrow located to the right side of these links to compress or expand the monitoring pane. The monitoring pane consists of the following sections:
- Info
- RF Dashboard
- RF Trends
- Usage Trends
- Mobility Trail

Info
The Info section displays the configuration information of the Virtual Controller by default. On selecting the Network View tab, the monitoring pane displays configuration information of the selected network. Similarly, in the Access Point or the Client view, this section displays the c…
512. …y on OAW-IAP220 Series. There is no configuration required on the AP for enabling LACP support. However, you can view the status of LACP on OAW-IAPs by using the following command:
(Instant Access Point)# show lacp status

AP LACP Status
Link Status | LACP Rate | Num Ports | Actor Key | Partner Key | Partner MAC
Up | slow | 2 | 17 | 1 | 70 81 05 11 3e 80

Slave Interface Status
Slave I/f Name | Permanent MAC Addr | Link Status | Member of LAG | Link Fail Count
eth0 | 6c 3 7 c6 76 6e | Up | Yes | 0
eth1 | GCS f3i7 00 T76 6f | Up | Yes | 0
0 0 0 0 1 0 0 non wifi 2 17

Chapter 32 OAW-IAP Management
This section provides information on the following procedures:
- Configuring LED Display on page 304
- Backing up and Restoring OAW-IAP Configuration Data on page 304
- Converting an OAW-IAP to a Remote AP and Campus AP on page 305
- Resetting a Remote AP or Campus AP to an OAW-IAP on page 309
- Rebooting the OAW-IAP on page 309

Configuring LED Display
NOTE: The LED display is always in the Enabled mode during an OAW-IAP reboot.
You can enable or disable LED Display for an OAW-IAP using either the AOS-W Instant UI or the CLI.

In the AOS-W Instant UI
To enable or disable LED display for all OAW-IAPs in an Instant network, perform the following steps:
1. In the AOS-W Instant main window, click the System link. The System window is displayed.
2. In the General tab o…
513. …y the community string for SNMPv1 and SNMPv2c traps, and a username for SNMPv3 traps.
Port: Enter the port to which the traps are sent. The default value is 162.
Inform: When enabled, traps are sent as SNMP INFORM messages. It is applicable to SNMPv3 only. The default value is Yes.
3. Click OK to view the trap receiver information in the SNMP Trap Receivers window.

In the CLI
To configure SNMP traps:
(Instant Access Point)(config)# snmp-server host <IP address> version 1|version 2|version 3 <name> udp-port <port> inform
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

The current release of AOS-W Instant supports SNMP Management Information Bases (MIBs) along with Alcatel-Lucent MIBs. For information about MIBs and SNMP traps, see the AOS-W Instant MIB Reference Guide.

Configuring a Syslog Server
You can specify a syslog server for sending syslog messages to external servers, either by using the AOS-W Instant UI or the CLI.

In the AOS-W Instant UI
1. In the AOS-W Instant main window, click the System link. The System window is displayed.
2. Click Show advanced options to display the advanced options.
3. Click the Monitoring tab. The Monitoring tab details are displayed.

Figure 114 Syslog Server [screenshot: Servers (Syslog server 0.0.0.0, TFTP Dump Ser…); Syslog Facility Levels (Syslog: Warning, System: Warning)]