Avaya WLAN 8100 Technical Configuration Manual
Wireless LAN 8100
Identity Engines
Engineering
> Bring Your Own Device
Technical Configuration Guide
Avaya Networking Solutions
Document Date: April, 2012
Document Number: NN48500-636
Document Version: 1.0

Summary of Contents for Avaya WLAN 8100

  • Page 2 Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya. Licenses THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/...
  • Page 3 The Technical Configuration Guide will describe Avaya’s Bring Your Own Device solution as well as detail how to create a simple configuration of the WLAN 8100 and Identity Engines products. Together these two products provide a solution that differentiates both the user and device when authenticating and applying access policies.
  • Page 4: Table Of Contents

    Design Restrictions (8); Architecture (9); Prerequisites and Requirements (11); Configuration (12); Configure WLAN 8100 (12); Configure Identity Engines and VSAs (31); Configure Access Policies on Identity Engines (45); Alternative Access Policies (60); Summary ...
  • Page 5: Figures

    Figures: Figure 1 – BYOD Architecture (10). Avaya Inc. – External Distribution, August 2011
  • Page 6 Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command: ERS5520-48T# show running-config Output examples from Avaya devices are displayed in a Lucida Console font: ERS5520-48T# show sys-info Operation Mode:...
  • Page 7: Introduction

    Avaya’s BYOD solution is aimed at allowing IT to regain control over this environment in such a way that intelligent policies can be applied that limit access and reduce the risk imposed by these devices.
  • Page 8: Design Restrictions

    Therefore, each SSID adds a significant amount of overhead on the channel. Avaya recommends that you use as few SSIDs as possible and no more than 5. In the past, with user device capabilities being so varied, you might have had some that only supported WEP, others that were only capable of PSK authentication, and still others with full WPA2 support.
  • Page 9: Architecture

    SSIDs to different VLANs. However, many products, including Avaya’s WLAN 8100, are capable of using AAA to assign different devices and/or users to separate VLANs, even though they are part of the same SSID. Avaya recommends that you have separate VLANs for guest, secure, and insecure devices and assign users and devices to them as appropriate based on AAA policy.
  • Page 10 Once the user and device have been authenticated, Identity Engines returns an accept/deny response to WLAN 8100 along with additional information about what VLAN to use or ACL to apply to the session. In this solution, authorized users on insecure devices will be mapped to a separate VLAN. Access controls should be applied to these sessions, restricting access to only certain applications and resources.
  • Page 11: Prerequisites And Requirements

    VLAN mapping. WLAN 8100 will map the device to a VLAN that is separate from BYOD devices. There will be no ACL or firewall applied to these WLAN client sessions, as access will not be restricted. Note: Some organizations do prefer to apply firewall rules to all WLAN clients regardless of authentication or status.
  • Page 12: Configuration

    WLAN 8100 APs are in a managed state, and that all WLAN components are running 1.1 software or later. If APs are not in a managed state please consult the WLAN 8100 Quickstart Guide to get the WLAN 8100 controller and APs properly configured. This guide starts with configuring a new VLAN for clients and network profiles (SSIDs) for BYOD and guest devices.
  • Page 13 Without exiting the VLAN Configuration window opened in the previous step, click the icon for adding Port Members. In the popup box, check the ports to add to the VLAN. Click Save. Repeat for the other two VLANs you created, then click Save to close the VLAN Configuration window.
  • Page 14 Telnet or use a console cable to access the controller CLI. From the CLI follow the commands, assuming your guest VLAN has a VLAN ID of “4”. If you used a different VLAN ID and/or IP address, then adjust your configuration commands accordingly. WC8180> en
  • Page 15 VLAN somewhere in the network or use AAA to assign specific clients to certain VLANs, by using globally named VLANs. These names are globally unique across the cluster of WLAN 8100 controllers in the domain. You will map them to locally unique switch VLANs in the following step.
  • Page 16 Map Mobility Profiles to VLANs Map these Mobility VLANs to “real” VLANs on the controller. If you have more than one WLAN 8100 controller, and these controllers are in different locations within the network, they can each host different named VLANs that clients get mapped to.
  • Page 17 Change the role of each of these VLANs to “Server”. When you select this, it will change to the numerical designation, which is “2”. Click Update.
  • Page 18 The configuration should resemble this if you open the Domain Configuration / VLAN Map view again. Enable Captive Portal and Client QoS: click Configuration, Mobility Domains, <domain_name>, Policy, Captive Portal, General Settings. Check Enable Captive Portal and click Update.
  • Page 19 Under Configuration, Mobility Domains, right-click on the <domain_name> and select Edit Settings. Check AP Client QoS Mode and click Save.
  • Page 20 Configure a RADIUS Profile and Server: click Configuration, Mobility Domains, <domain_name>, Policy, Local Security DB, RADIUS Profiles. Click Add. Name the profile “radius_server” and click Add.
  • Page 21 Click Configuration, Mobility Domains, <domain_name>, Policy, Local Security DB, RADIUS Profiles. In the right pane, click on “radius_server” and then in the pane below click Add. Type the IP address of the server and the RADIUS Secret.
  • Page 22 Click on the Health Check tab. Change the Interval to 0 and click Add.
  • Page 23 BYOD VLAN unless the AAA server provides a different mapping during authentication based on device credentials. Set the SSID to “secure” as well. Click on the Security tab. Choose wpaEnterprise as the 802.11 Security Mode.
  • Page 24 Click on the General tab again. Choose “radius_server” as the authentication profile for this SSID. Click on the QoS tab. Check Enable Client QoS. Click Add.
  • Page 25 Configure a Captive Portal Profile: click Configuration, Mobility Domains, <domain_name>, Policy, Captive Portal, Profiles. Click Add.
  • Page 26 In the Captive Portal Profiles IP Mappings pane, click Add. Select “my_captive” from the Captive Portal Profile drop-down box. Type the IP address of the VLAN interface that you previously configured. Click Add.
  • Page 27 Select RADIUS as the Captive Portal User Validation type. Type “guest” as the SSID. Select “radius_server” as the Authentication Profile. Click the Security tab. Check Enable Captive Portal. Select “my_captive” from the Captive Portal drop-down box. Click Add.
  • Page 28 Only a sample is shown. You will need to configure the rest of the ACL accordingly. Click Configuration, Mobility Domains, <domain_name>, Policy, DiffServ, Classifiers. Click Add. Name the classifier type. Click Add.
  • Page 29 In the Classifier Block pane below, click Add. Select the Element Type and fill in the corresponding information based on the type selected. Click Add.
  • Page 30 DiffServ Policies pane on the top right. In the Policy Classifiers pane below, click Add. Choose the classifier name from the previous steps and select the Action “allow” from the drop-down box. Check the Action Allow box. Click Add.
  • Page 31: Configure Identity Engines And Vsas

    You will add rules to this policy later. Click Site <#>, Site Configuration, Access Policies, RADIUS. In the right hand pane, click New. Provide a name for this policy. In this example, the name is “Wireless”.
  • Page 32 Configure an Authenticator Next you will need to configure the WLAN 8100 as an Authenticator on Identity Engines. If you have more than one controller in your WLAN 8100 domain, you will need to repeat this step for each controller.
  • Page 33 Click Site <#>, Site Configuration, Directories, Internal Store, Internal Groups. In the right hand pane, click Actions and choose Add a New Internal Group. Type “Guest” for the group name and click Ok. Repeat to create two more groups and name them “BYOD” and “Corp_asset”.
  • Page 34 VLANs based on authentication. Click Site <#>, Site Configuration, Provisioning, Outbound Values. In the right pane click New. In the dialog box that appears, type the name “guest_vlan” and click New to define the Outbound Attribute.
  • Page 35 Mobility VLAN) in the WLAN 8100 domain. If Identity Engines returns a value that doesn’t match a Mobility Profile name in WLAN 8100, then the client won’t connect. If you use different Mobility Profile/VLAN names, then make sure you use your labels for the Outbound Attribute instead of those shown in this guide.
  • Page 36 Click Ok. Click Ok again to return to the list of Outbound Values. Repeat the above steps to create an additional Outbound Value named “secure_vlan” and configure an Outbound Attribute with the label “secure_vlan” and VLAN ID of “2”.
  • Page 37 You will need to configure Identity Engines with the VSA for returning the DiffServ Policy name to the WLAN Controller 8180. Click Site <#>, Site Configuration, Provisioning, Vendors/VSAs. Click on the Actions button, then select New Vendor.
  • Page 38 Type “LVL7” as the Vendor Name, and “6132” as the Vendor ID. Click Ok. In the right hand pane, locate the new vendor name in the list, click the plus next to the LVL7 entry to expand it, and right-click VSA Definitions and choose New.
  • Page 39 Type “LVL7-Wireless-Client-Policy-Dn” as the RADIUS VSA Name, and “122” as the Attribute Type. Click Ok. This attribute will carry the value of the DiffServ Policy name to apply on the client’s downstream traffic.
  • Page 40 Up” and Attribute Type “123”. Click Ok. This attribute will carry the value of the DiffServ Policy name to apply on the client’s upstream traffic. Configure the DiffServ Policy Outbound Attribute on Identity Engines: click Site <#>, Site Configuration, Provisioning, Outbound Attributes. In the right pane, click New.
  • Page 41 You will now need to configure the value that will be returned by Identity Engines when this attribute is used. Click Site <#>, Site Configuration, Provisioning, Outbound Values. In the right pane, click New.
  • Page 42 Type “WLAN-Client-ACL-Dn” for the Outbound Value Name. Click New.
  • Page 43 String. Click Ok. Click Ok again. The String value of this attribute must match the DiffServ Policy name in the WLAN 8100 domain. If it does not, then no policy will be applied to the client.
  • Page 44 Global Outbound Attribute “LVL7-Wireless-Client-Policy-Up” and String “BYOD_up”. Click Ok. Click Ok again. The String value of this attribute must match the DiffServ Policy name in the WLAN 8100 domain. If it does not, then no policy will be applied to the client.
  • Page 45: Configure Access Policies On Identity Engines

    This rule looks to see if the username is a member of the guest group. This allows you to implement a solution using Guest Manager that maps dynamic guest accounts to the “guest” group. The configuration of Guest Manager is ...
  • Page 46 Click Site <#>, Site Configuration, Access Policies, RADIUS, <wireless-policy-name>. In the right pane, click on the Authentication Policy tab and click Edit. Check PEAP/EAP-MSCHAPv2 and NONE/PAP. Click Ok.
  • Page 47 Click Site <#>, Site Configuration, Access Policies, RADIUS, <wireless-policy-name>. In the right pane click Authorization Policy. Click Edit. In the Edit Authorization Policy window, click Add to add a new rule. Type the name of the rule, “guest”. Click Ok.
  • Page 48 Now you will add constraints to the “guest” rule. On the right hand side, click New to add a new Constraint. In the Constraint Detail window, choose “group-member”. Click Add on the right side and choose the “Guest” user group. Click Ok. Click Ok again to save the Constraint.
  • Page 49 WEP+802.1x, WPA-Enterprise, and WPA2-Enterprise. WLAN authentication types, like captive portal, that authenticate after clients have been assigned to a VLAN and received an IP address have a problem if the assigned VLAN differs from the current client VLAN, resulting in ...
  • Page 50 New to add a new Constraint. In the Constraint Details window, choose “Device” from the Attribute Category list, and then below, select “device-group-member”. On the right side, click Add and select the group “Corp_asset”. Click Ok.
  • Page 51 Constraint. Select “Inbound” from the Attribute Category list, and below, “Inbound-Calling-Station-Id”. On the right side, choose Format “Treat As MAC Address”, choose Dynamic Value of Attribute, then “Device”, and then “device-address”. Click Ok.
  • Page 52 “secure_vlan” and click the left arrow to move it to the Provision With list. Do not close this window yet, as you will be adding one more rule in the next step.
  • Page 53 New to add a new Constraint. In the Constraint Details window, choose “Device” from the Attribute Category list, and then below, select “device-group-member”. On the right side, click Add and select the group “BYOD”. Click Ok.
  • Page 54 Constraint. Select “Inbound” from the Attribute Category list, and below, “Inbound-Calling-Station-Id”. On the right side, select “Starts With”, select “Treat As MAC Address” for the Format, choose Dynamic Value of Attribute, then “Device”, and then “device-address”. Click Ok.
  • Page 55 “secure_vlan” and click the left arrow to move it to the Provision With list. Similarly, move “WLAN-Client-ACL-Dn” and “WLAN-Client-ACL-Up” over to the Provision With list. Do not close this window yet, as you will be performing one final step.
  • Page 56 Site Configuration, Access Policies, RADIUS, <wireless-policy-name>. In the right pane click Authorization Policy. Click Edit. Ensure your list has the same order as shown. If not, use the arrow buttons to move the individual rules up and down accordingly.
  • Page 57 Similarly, create another account with the username “guest-1” and password “guest-1”. Below, click Add to put this account in a group. Check “Guest” and click Ok. Click Ok again.
  • Page 58 Click Site <#>, Site Configuration, Directories, Internal Store, Internal Devices. In the right pane click New. Type the MAC address of the corporate asset and type “corp_laptop1” for the Name. Below, click Add to put this device in a group. Check “Corp_asset” and click Ok. Click Ok again.
  • Page 59 OUI of that device/manufacturer and corresponding name. Repeat for additional device types. This step shows the OUI of an iPad2. Below, click Add to put this device in a group. Check “BYOD” and click Ok. Click Ok again.
  • Page 60: Alternative Access Policies

    Identity Engines has the flexibility to implement virtually any set of policies that you desire. This guide does not illustrate alternative configurations. Below are some alternative policies, described in high-level terms but not illustrated.
  • Page 61: Summary

    Implementing the policy so that network devices can enforce the IT security policy should be easy with the flexibility and security capabilities that Avaya’s WLAN 8100 series and Identity Engines provide collectively. This guide, while not comprehensive or exhaustive with respect to all the possibilities, attempts to show how such a policy can be configured.
  • Page 63: Reference Documentation

    © 2010 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries. All trademarks identified by ®, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.
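The VSA configuration on Pages 37–44 above gives everything needed to recognise these attributes on the wire: RADIUS attribute type 26 (Vendor-Specific), vendor ID 6132 (LVL7), vendor attribute types 122 (downstream policy name) and 123 (upstream policy name), each carrying a string. The following is an added example, not code from the Avaya guide or from Identity Engines: it encodes and decodes those attributes in the RFC 2865 section 5.26 layout and applies the guide's caveat that a string which matches no DiffServ Policy on the controller results in no policy being applied. The policy name "BYOD_dn" and the set of configured policies are assumptions (the guide only shows "BYOD_up").

```python
# Added example (not from the Avaya guide): LVL7 Vendor-Specific Attributes
# as Identity Engines returns them to the WLAN 8100, per RFC 2865 sec. 5.26.
import struct

RADIUS_VENDOR_SPECIFIC = 26           # RFC 2865 attribute type
LVL7_VENDOR_ID = 6132                 # vendor defined on Identity Engines (Page 38)
LVL7_WIRELESS_CLIENT_POLICY_DN = 122  # DiffServ policy name, downstream (Page 39)
LVL7_WIRELESS_CLIENT_POLICY_UP = 123  # DiffServ policy name, upstream (Page 40)
# Length is a single octet: 2 (type, length) + 4 (vendor id) + 2 (vendor type, length) + value
MAX_VSA_VALUE_LEN = 255 - 8


def encode_lvl7_vsa(vendor_type: int, policy_name: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a DiffServ policy name."""
    value = policy_name.encode("ascii")
    if not value or len(value) > MAX_VSA_VALUE_LEN:
        raise ValueError("policy name must be 1..%d ASCII bytes" % MAX_VSA_VALUE_LEN)
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    header = struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(vendor_data), LVL7_VENDOR_ID)
    return header + vendor_data


def decode_vsas(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, value)
    for every vendor sub-attribute found; non-VSA attributes are skipped."""
    found = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("bad attribute length at offset %d" % i)
        if attr_type == RADIUS_VENDOR_SPECIFIC:
            if attr_len < 8:
                raise ValueError("VSA too short at offset %d" % i)
            (vendor_id,) = struct.unpack("!I", attrs[i + 2:i + 6])
            j, end = i + 6, i + attr_len
            while j < end:
                if j + 2 > end:
                    raise ValueError("truncated vendor sub-attribute at offset %d" % j)
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("bad vendor sub-attribute length at offset %d" % j)
                found.append((vendor_id, vtype, attrs[j + 2:j + vlen]))
                j += vlen
        i += attr_len
    return found


def client_policies(attrs: bytes, configured_policies) -> dict:
    """Extract the DiffServ policy names the controller would apply from an
    Access-Accept attribute list, and flag the guide's failure mode: a name
    with no matching DiffServ Policy means nothing is applied in that direction."""
    result = {"down": None, "up": None, "warnings": []}
    for vendor_id, vtype, value in decode_vsas(attrs):
        if vendor_id != LVL7_VENDOR_ID:
            continue
        name = value.decode("ascii", errors="replace")
        if vtype == LVL7_WIRELESS_CLIENT_POLICY_DN:
            result["down"] = name
        elif vtype == LVL7_WIRELESS_CLIENT_POLICY_UP:
            result["up"] = name
    for direction in ("down", "up"):
        name = result[direction]
        if name is None:
            result["warnings"].append("no %sstream policy attribute returned" % direction)
        elif name not in configured_policies:
            result["warnings"].append(
                "%r is not a DiffServ Policy on the controller; none applied %sstream" % (name, direction))
    return result


if __name__ == "__main__":
    policies = {"BYOD_dn", "BYOD_up"}   # assumed controller configuration
    accept = encode_lvl7_vsa(LVL7_WIRELESS_CLIENT_POLICY_DN, "BYOD_dn") + \
             encode_lvl7_vsa(LVL7_WIRELESS_CLIENT_POLICY_UP, "BYOD_up")
    print(accept.hex())
    print(client_policies(accept, policies))
    # A case difference in the Outbound Value string silently disables the upstream ACL.
    print(client_policies(encode_lvl7_vsa(LVL7_WIRELESS_CLIENT_POLICY_UP, "byod_up"), policies)["warnings"])
```

When a client connects but its traffic is not being restricted, decoding the Access-Accept from a packet capture with this routine separates a misconfigured vendor ID or attribute type (nothing decodes as 6132/122/123) from a string that simply does not match the DiffServ Policy name on the controller.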

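The authorization policy built on Pages 45–59 above combines three kinds of constraint: group-member on the user, device-group-member on the Internal Devices entry, and Inbound-Calling-Station-Id compared against device-address, either exactly (corporate assets, full MAC) or with "Starts With" (BYOD device types, registered by OUI). The following is an added example, not code from the Avaya guide or from Identity Engines: it models that policy against constructed requests so the effect of rule order (Page 56) and of the Outbound Value caveats (Pages 35 and 43) can be seen. Assumptions: rules are evaluated top-down, constraints in a rule are ANDed and the first match wins; the rule order guest, Corp_asset, BYOD follows the order the guide creates them, since the Page 56 screenshot is not reproduced; the "vlan" key stands in for the VLAN Outbound Attribute the guide configures but does not name here; the user "alice", the MAC addresses and the OUI are constructed values, not real Apple or corporate addresses.

```python
# Added example (not from the Avaya guide): model of the Identity Engines
# authorization rules from Pages 45-59, run against constructed RADIUS requests.
import re
from dataclasses import dataclass, field
from typing import Optional

# Names configured on the WLAN 8100 domain (guide values; "BYOD_dn" is assumed
# alongside the guide's "BYOD_up").
MOBILITY_PROFILES = {"guest_vlan", "secure_vlan"}
DIFFSERV_POLICIES = {"BYOD_dn", "BYOD_up"}


def normalize_mac(raw: str, prefix_ok: bool = False) -> str:
    """'Treat As MAC Address': accept 00:11:22:33:44:55, 00-11-22-33-44-55,
    0011.2233.4455 or 001122334455 and return bare lower-case hex. With
    prefix_ok, a 6-hex-digit OUI (as stored for a BYOD device type) is accepted."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) == 12 or (prefix_ok and len(hexdigits) == 6):
        return hexdigits
    raise ValueError("not a MAC address: %r" % raw)


@dataclass
class InternalDevice:               # Internal Store > Internal Devices entry
    name: str
    address: str                    # full MAC (corporate asset) or OUI (BYOD type)
    groups: frozenset


@dataclass
class InternalUser:                 # Internal Store > Internal Users entry
    name: str
    groups: frozenset


@dataclass
class Rule:                         # one Authorization Policy rule
    name: str
    user_group: Optional[str] = None    # group-member constraint
    device_group: Optional[str] = None  # device-group-member constraint
    mac_match: Optional[str] = None     # Calling-Station-Id vs device-address: "equals" | "starts_with"
    provision: dict = field(default_factory=dict)   # Outbound Values in "Provision With"


def device_matches(rule: Rule, calling_mac: str, devices) -> Optional[InternalDevice]:
    """A device constraint holds when some device in the rule's group has a
    device-address that equals, or is the OUI prefix of, the calling station."""
    for dev in devices:
        if rule.device_group not in dev.groups:
            continue
        addr = normalize_mac(dev.address, prefix_ok=True)
        if rule.mac_match == "equals" and calling_mac == addr:
            return dev
        if rule.mac_match == "starts_with" and calling_mac.startswith(addr):
            return dev
    return None


def check_outbound(values: dict) -> list:
    """Guide caveats: a VLAN name with no Mobility Profile means the client
    cannot connect; an ACL name with no DiffServ Policy means none is applied."""
    warnings = []
    vlan = values.get("vlan")
    if vlan and vlan not in MOBILITY_PROFILES:
        warnings.append("VLAN %r has no Mobility Profile: client will not connect" % vlan)
    for key in ("LVL7-Wireless-Client-Policy-Dn", "LVL7-Wireless-Client-Policy-Up"):
        if key in values and values[key] not in DIFFSERV_POLICIES:
            warnings.append("%s=%r matches no DiffServ Policy: none applied" % (key, values[key]))
    return warnings


def authorize(request: dict, users, devices, rules) -> tuple:
    """Return (decision, matched rule, outbound values, warnings) for one request;
    top-down, first match wins (assumed semantics)."""
    user = next((u for u in users if u.name == request["User-Name"]), None)
    calling_mac = normalize_mac(request["Calling-Station-Id"])
    for rule in rules:
        if rule.user_group and (user is None or rule.user_group not in user.groups):
            continue
        if rule.device_group and device_matches(rule, calling_mac, devices) is None:
            continue
        return ("Access-Accept", rule.name, dict(rule.provision), check_outbound(rule.provision))
    return ("Access-Reject", None, {}, [])


# Constructed directory contents. The corporate laptop deliberately shares the
# OUI registered for the BYOD device type, so rule order decides its treatment.
USERS = [InternalUser("alice", frozenset()), InternalUser("guest-1", frozenset({"Guest"}))]
DEVICES = [InternalDevice("corp_laptop1", "02:00:5e:00:00:01", frozenset({"Corp_asset"})),
           InternalDevice("iPad2", "02:00:5e", frozenset({"BYOD"}))]   # OUI constructed
RULES = [
    Rule("guest", user_group="Guest", provision={"vlan": "guest_vlan"}),
    Rule("Corp_asset", device_group="Corp_asset", mac_match="equals",
         provision={"vlan": "secure_vlan"}),
    Rule("BYOD", device_group="BYOD", mac_match="starts_with",
         provision={"vlan": "secure_vlan", "LVL7-Wireless-Client-Policy-Dn": "BYOD_dn",
                    "LVL7-Wireless-Client-Policy-Up": "BYOD_up"}),
]

if __name__ == "__main__":
    for name, mac in [("alice", "02-00-5E-00-00-01"), ("alice", "02:00:5e:aa:bb:cc"),
                      ("guest-1", "0a0b.0c0d.0e0f"), ("alice", "0a:0b:0c:0d:0e:0f")]:
        print(name, mac, authorize({"User-Name": name, "Calling-Station-Id": mac}, USERS, DEVICES, RULES))
    print(authorize({"User-Name": "alice", "Calling-Station-Id": "02:00:5e:00:00:01"},
                    USERS, DEVICES, list(reversed(RULES))))   # BYOD above Corp_asset
```

The last call shows why Page 56 insists on the rule order: with the BYOD rule above the Corp_asset rule, a corporate laptop whose OUI is also registered as a BYOD device type matches the "Starts With" constraint first and is provisioned as BYOD. A full-MAC device match should sit above any OUI-prefix match.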