Aruba AirOS™ v2.3 User Guide
1322 Crossman Avenue
Sunnyvale, California 94089
Net www.arubanetworks.com
Tel 408.227.4500
Fax 408.227.4550


Summary of Contents for Aruba Networks AirOS v2.3

  • Page 2: Legal Notice

    Copyright Copyright © 2005 Aruba Wireless Networks, Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. Trademarks AirOS, Aruba 5000, and Aruba 52 are trademarks of Aruba Wireless Networks, Inc. in the United States and certain other countries.
  • Page 3: Table Of Contents

    Contents: Preface; Document Organization.
  • Page 4: Chapter 4 Configuring Wireless LANs: Conceptual Overview; Configuring WLAN—802.11 Networks.
  • Page 5: Chapter 8 Configuring 802.1x Security: Configuring Wireless User Authentication Only; Configuring the Authentication Servers; Example.
  • Page 6: Chapter 11 System and Network Management (page 167): Configuring SNMP for the Aruba WLAN Switch.
  • Page 7: Preface

    Preface. This preface includes the following information: an overview of the sections in this manual; a list of related documentation for further reading; a key to the various text conventions used throughout this manual; Aruba Wireless Networks support and service information. Document Organization. This user guide includes instructions and examples for commonly used, basic wireless LAN (WLAN) switch configurations such as Virtual Private Networks (VPNs), firewalls, and...
  • Page 8: Related Documents

    Related Documents. The following items are part of the complete documentation set for the Aruba system: Aruba WLAN Switch Installation Guides; Aruba AP Installation Guides; Aruba AirOS Reference Guide. Text Conventions. The following conventions are used throughout this manual to emphasize important concepts (Table 1 Text Conventions: Type Style...)
  • Page 9: Contacting Aruba Wireless Networks

    Contacting Aruba Wireless Networks. Web Site: Main Site http://www.arubanetworks.com; Support http://www.arubanetworks.com/support. E-mail: Sales sales@arubanetworks.com; Support support@arubanetworks.com. Telephone Numbers: Main 408-227-4500; Fax 408-227-4550; Sales 408-754-1201; Support in the U.S.: 800-WI-FI-LAN (800-943-4526), International: 408-754-1200...
  • Page 10 Aruba AirOS Part 0500036-02 v2.3 User Guide January 2005...
  • Page 11: Chapter 1 Deploying Access Points

    Chapter 1 Deploying Access Points. This chapter outlines the recommended methods used to deploy and provision Aruba Access Points (APs) in an enterprise network environment, detailing the various provisioning options and steps required. Overview. Aruba wireless APs (also applicable to APs deployed as Air Monitors (AMs)) are designed to be low-touch configuration devices that require only minimal provisioning to make them fully operational on an Aruba-enabled WLAN network.
  • Page 12: Getting Started

    Getting Started Planning Decide where you wish to locate the APs in advance of physical installation. Aruba RF Plan can be utilized to provide an AP placement map relative to a building floor plan to ensure optimal RF coverage. (For more information on RF Plan, see the Aruba RF Plan for Windows User Guide.) When deploying APs, note the AP MAC address and serial number against the physical location.
  • Page 13 DNS Server Configuration. Aruba APs are factory configured with aruba-master as the DNS host name. A DNS server on the network can be configured with an entry for aruba-master that resolves to the master Aruba WLAN switch/loopback IP address. To configure this option see “DNS Server-derived AP Provisioning...
  • Page 14 Step 2a. Assigning the IP Address to the AP Either configure a DHCP server in the same subnet where the APs will be connected to the network, or configure a device in the same subnet to act as a relay agent for a DHCP server on a different subnet that can provide the AP with its IP information.
  • Page 15 Note: The AP's request for DNS resolution is for the Fully Qualified Domain Name aruba-master, so make sure that this name is configured. After initial provisioning, if the default domain name values are changed, make sure the AP and switch domain name settings match. Aruba recommends DNS server-derived AP configuration because it involves minimal changes to the network and offers the greatest flexibility in placement of APs.
  • Page 16
        ADP Configuration
        -----------------
                   value
                   -----
        discovery  enable
        igmp-join  enable
    If ADP discovery is not enabled, use the following command to enable it:
        (Aruba2400) (config) #adp discovery enable
    When APs are connected to Aruba switches indirectly (via an IP-routed network), the administrator needs to make sure that multicast routing is enabled in the network, and that all routers are configured to listen for IGMP joins from the master Aruba WLAN switch and to route these multicast packets.
  • Page 17 Assigning AP Location Codes. Now that the APs are provisioned on the network, the final step in Access Point deployment is to configure (re-provision) each AP with a unique location code, which is used for location service capability. This location code is numerical and in the format 1.2.3 (where 1=building, 2=floor, 3=location).
  • Page 18 Enter the location code in the format explained above. If the AP being provisioned is a model with detachable antenna capability (such as an Aruba AP-60), enter the antenna gain in dBi, for example 4.0. This is mandatory for all detachable antenna models, as the AP will not bring up its radio interface or function as an AP without it.
  • Page 19: Configuring Network Parameters

    Chapter 2 Configuring Network Parameters. This section outlines the steps involved to configure the various network parameters required to set up an Aruba WLAN switch. This includes configuring VLANs, IP interfaces, static routes, and loopback IP addresses. Conceptual Overview. The concept of VLAN is used in the Aruba WLAN Switch as a layer 2 broadcast domain as well as a layer 3 IP interface, similar to most layer 2/3 switches.
  • Page 20: Network Configuration

    Network Configuration. Create/Edit a VLAN. Navigate to the Configuration > Switch > VLAN page on the WebUI. Click to create a new VLAN. To edit an existing VLAN, click Edit for this VLAN. On the next screen (as shown below), enter the VLAN ID, the IP address and network mask of the VLAN interface.
  • Page 21: Configuring A Port To Be An Access Port

    Click Apply to apply this configuration. Verify that the VLAN has been created on the VLAN page. Configuring a Port to Be an Access Port. The in-band Ethernet ports can be configured as access ports and members of a single VLAN using the following steps: Configuration >...
  • Page 22 Select the port to be configured by clicking on the appropriate box in the Port Selection section of the page. After selecting the port, choose the VLAN from the Enter VLAN(s) drop-down list in the Configure Selected Ports section and click Apply to complete the choice.
  • Page 23: Configuring A Trunk Port

    Click Apply to make this configuration active. Note: This will apply the entire configuration shown in the Configure Selected Ports section, including changes that were not explicitly made. Make sure that the configuration for all items on the list is as desired before clicking Apply. Configuration >...
  • Page 24 Navigate to the Configuration > Switch > Port page on the WebUI. Select the port(s) to be configured by selecting the appropriate checkbox in the Port Selection section. Select the Trunk option in the Port Mode section. Select Allow all VLANs to assign all configured VLANs to this port.
  • Page 25: Configuring Static Routes

    Verify VLAN membership is as configured by navigating to the Configuration > Switch > VLAN page. Configuring Static Routes. Navigate to the Configuration > Switch > IP Routing page. Click to add a static route to a destination network or host. Enter the destination IP and network mask (255.255.255.255 for a host route) and the next hop IP address.
  • Page 26: Modifying The Loopback Ip Address

    Click Apply to add this route to the routing table. The message Configuration Updated Successfully will confirm that the route has been added. Modifying the Loopback IP Address. Note: This procedure requires a switch reboot. To change the switch loopback IP address: Configuration >...
  • Page 27 Navigate to the Maintenance > Switch > Reboot page to reboot the switch and apply the change of loopback IP address. Click Continue to save the configuration. When prompted that the changes were written successfully to flash, click to confirm. The switch will boot up with the changed loopback IP address.
  • Page 29: Chapter 3 Configuring Redundancy

    Chapter 3 Configuring Redundancy. This chapter outlines the steps required to configure the various redundancy options available in an Aruba network. The redundancy can include backing up an Aruba WLAN Switch for the Access Points being controlled (and through them the clients accessing the wireless network), and backing up an Aruba Master switch.
  • Page 30: Redundancy Configuration

    Redundancy Configuration In an Aruba network, the Access Points are controlled by an Aruba WLAN Switch. The APs tunnel all data to the switch that does all the processing of the data, including encryption/decryption, bridging/forwarding etc. Local switch redundancy refers to providing redundancy for this switch such that the APs “failover”...
  • Page 31 Enter the various VRRP parameters for the VRRP instance. The table below explains what each of the parameters means and the recommended/expected values for this configuration (Parameter / Explanation / Expected/Recommended Values).
    Virtual Router ID: This is the Virtual Router ID that uniquely identifies this VRRP instance. Recommended to configure this with the same value as the VLAN...
  • Page 32 IP Address: This is the Virtual IP address that will be owned by the elected VRRP master. Configure this with the Virtual IP address reserved in step i.
    Enable Router Pre-emption: Selecting this option means that a switch can take over the role... For this topology it is recommended NOT to select this...
  • Page 33 Configure the Access Points to terminate their tunnels on the Virtual-IP address. This can be done with greater flexibility and ease from the CLI. The APs can be identified by their location code (building.floor.location) with 0 being used as a wild card for any of the values.
  • Page 34: Master Switch Redundancy

    Command / Purpose:
    Step 1: configure terminal. Enter the global configuration mode.
    Step 2: ap location b.f.l. Use the location code value to select the set of AP(s) to configure.
    Step 3: lms-ip ip-address. Configure the lms-ip for the selected set of APs.
  • Page 35 The Virtual IP address that has been reserved to be used for the VRRP instance. Connect to the switch CLI using Telnet or SSH. After logging into the switch, enter the global configuration mode. To configure VRRP on the VLAN ID, use the following commands (Command / Explanation / Expected/Recommended values)...
  • Page 36 Step 5: authentication password (Optional). Optional authentication password that is used to authenticate packets between VRRP peers. Any password of up to 8 characters can be configured on both the peer switches. This is an optional configuration.
    Step 6: description (Optional). Optional description for the VRRP instance. Any text description can be...
  • Page 37
        (Aruba2400) (config-vrrp) #vlan 22
        (Aruba2400) (config-vrrp) #ip address 10.200.22.254
        (Aruba2400) (config-vrrp) #priority 100
        (Aruba2400) (config-vrrp) #preempt
        (Aruba2400) (config-vrrp) #authentication password
        (Aruba2400) (config-vrrp) #description Backup-Master
        (Aruba2400) (config-vrrp) #tracking master-up-time 30 add 20
        (Aruba2400) (config-vrrp) #no shutdown
    Use the following steps to associate the VRRP instance with master switch redundancy (Command / Explanation / Expected/recommended values)...
  • Page 38: Master-Local Switch Redundancy

    Master-local Switch Redundancy This section outlines the concepts behind a redundancy solution where a master can act as a backup for one or more local switches and shows how to configure the Aruba WLAN Switches for such a redundant solution. In this solution, the local switches act as the controller for the APs.
  • Page 39 Configure the interface on the master switch to be a trunk port with 1, 2… n being member VLANs. Refer to “Configuring Network Parameters” for more details on how to configure this. Collect the following data before configuring master switch redundancy: VLAN IDs on the switches corresponding to the VLANs 1, 2…n shown in the topology above.
  • Page 40 Step 5: authentication password (Optional). Optional authentication password that is used to authenticate packets between VRRP peers. Any password of up to 8 characters can be configured on both the peer switches. This is an optional configuration.
    Step 6: description (Optional). Optional description for the VRRP instance. Any text description can be...
  • Page 41 and so on. All the local switches are backed up by the master switch as shown above. In such a case, configure all APs on floor 1 to be controlled by the Virtual IP address of the VRRP between local switch 1 and master and so on. This can be done by following these steps: Command Explanation Expected/recommended values...
  • Page 43: Chapter 4 Configuring Wireless Lans

    Chapter 4 Configuring Wireless LANs. This document details the WLAN configuration using the GUI or the web interface. Conceptual Overview. The WLAN configuration page is primarily used to set the 802.11 related parameters such as the SSID, encryption methods, and transmit powers, to name a few. The following section walks the user through the basic 802.11 configurations.
  • Page 44: Configuring Wlan-802.11 Networks

    Configuring WLAN—802.11 Networks Pre-requisites Before configuring a new SSID or editing an SSID setting, you should have the following information regarding the SSID. (This is not mandatory and you can return to these pages to modify the configuration at any time.) Multiple SSIDs can be configured per AP.
  • Page 45 AES-CCM: Advanced Encryption Standard (AES) in Counter with CBC-MAC (CCM) Mode. Mixed TKIP/AES-CCM: Combined TKIP and AES-CCM. Reply to Broadcast Probe Requests: Whether the AP should respond to broadcast probe requests with this SSID. Navigate to the Configuration > WLAN > Network page.
  • Page 46 SSID: Enter the SSID name used by the wireless clients to associate. The SSID is case sensitive. Radio Type: Specify the radio type that this SSID will be applied to. This can be applied to the a network only, the b/g network only, or to a and b/g by making the appropriate selection from the pull-down menu.
  • Page 47: Configuring Wep Encryption

    Once the selection is made, the corresponding dialog windows will open to allow the user to configure as per the selection. Configuring NULL Encryption If the encryption type selected is null or the open system then there will be no encryption. The packets between the AP and the client would be in clear text.
  • Page 48 Use as Tx Key: Click the radio button corresponding to the S. No of the key to be used. From the pull-down menu select the key size – 10 hex characters or 26 hex characters. Type in the key as per the selection made. The characters should belong to the set [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f].
  • Page 49 Configuring AES-CCMP Encryption. Select the radio button to enable AES-CCM encryption. This opens the WPA2 dialog. Select PSK AES-CCM for static PSK AES key configuration and WPA2 AES-CCM for dynamic AES. If PSK AES-CCM is selected, the key can be hex or ASCII. Enter a 64 character hex key or a 8 –...
  • Page 50 Configuring Mixed TKIP and AES Encryption. Select the radio button to enable TKIP/AES-CCM encryption. This opens the Mixed TKIP/AES-CCM dialog. Select PSK TKIP/AES-CCM for static TKIP and AES key configuration or WPA/2 TKIP/AES-CCM for dynamic TKIP and AES. If PSK TKIP/AES-CCM is selected, the key can be hex or ASCII. Enter a 64 character hex key or a 8 –...
  • Page 51: Configuring Wlans-Radio Configuration

    Configure the LMS address The AP can bootstrap with any switch on the WLAN network (in a setup with master and local switches), if all of the switches are on the same VLAN, and if load balancing is enabled on the switches. To force the AP to bootstrap with a particular switch the lmsip is configured with the IP address of the desired switch.
  • Page 52 Check Apply to apply the changes before navigating to other pages to prevent loss of configuration. The above configuration can be created for 802.11a by navigating to the Configuration > WLAN > Radio > 802.11a page.
  • Page 53: Configuring Wlans-Advanced

    Configuring WLANs—Advanced. While the above two sections deal with global AP configurations, individual APs can be configured with specific settings using the Advanced tab under WLAN. Each AP is identified by a unique location, and these locations are used to configure the AP uniquely. The global configurations will be overridden by the location specific configurations.
  • Page 54 The configuration of the specific location can be customized by adding SSIDs and configuring the radios as required by selecting the tabs on the page. To add a new SSID, click to add and configure the SSID similar to configuring the 802.11 Networks. All radio configurations for the location can also be made by selecting the 802.11b/g or the 802.11a tab. Apply the configurations for them to take effect.
  • Page 55: Example

    Example. The following example includes: an a/b/g SSID called aruba with dynamic WEP; a b/g SSID called voice with static WEP; the AP in location 4.2.6 is set to have SSID guest in addition to the other two SSIDs. The guest SSID is open. Configure the a/b/g SSID aruba in the global location 0.0.0 with dynamic WEP.
  • Page 56 Configure the guest SSID for location 1.10.2. Add the location 1.10.2.
  • Page 57: Adaptive Radio Management

    Once the location is added, the location page opens with the inherited SSIDs. Click to add a new SSID. Configure the guest SSID with open system, and set the native VLAN for the guest users to the required VLAN. Adaptive Radio Management. Adaptive Radio Management (ARM) is the next generation RF resource allocation algorithm in AirOS 2.3.
  • Page 58: Deciding The Channel Setting

    ...setting decisions independent of the switch and based on the RF environment as they hear it. This results in a highly scalable and reliable RF environment while also significantly reducing the AP's reaction time to the network. The APs scan all valid channels (channels in the regulatory domain) at regular intervals and compute the following metrics per channel: Coverage index: signal to noise ratio for all valid APs; Interference index: signal to noise ratio for all APs...
  • Page 59: Configuring Arm

    Since channel decisions are based on the information the AP receives from the RF environment, interference due to third party APs is accounted for. ARM complements Aruba's next generation GRID architecture. Configuring ARM. ARM configuration has to be enabled on the radio type under Radio or under Advanced.
  • Page 60 Once these changes are made along with the Radio changes, click Apply to apply the configurations.
  • Page 61: Configuring Firewall Roles And Policies

    Chapter 5 Configuring Firewall Roles and Policies. This chapter discusses configuring firewall roles and policies in an Aruba network. The firewall roles and policies form the cornerstone of all functionality in an Aruba WLAN Switch. Every “user” in the system is associated with a “role” and this role determines the privileges associated with the “user”.
  • Page 62: Configuring Policies

    User derivation rules: The administrator can configure these rules to match a user characteristic in different ways to values to derive a role for the user. The various user characteristics that can be used to derive a user role are: BSSID of the Access Point that client is associated to.
  • Page 63 Click to create a new policy. Click to add a rule to the policy being created. The following table summarizes the various fields that are required for a rule to be created and the various options that may be used in the rule (columns: Field, Required/Optional, Explanation, Expected/Recommended values).
  • Page 64 Source (Required): Source of the traffic. The source can be configured to be one of the following: any: acts as a wildcard and applies to any source address. user: refers to traffic from the wireless client/user.
  • Page 65 Service (Required): Type of traffic. This field can indicate the Layer 4 protocol (TCP/UDP) along with the port numbers of the same, or an application, for the rule to be applied. This can be configured as one of the following: TCP: Using this option, the administrator can configure a range of TCP port(s) to match...
  • Page 66 Action (Required): The action that the administrator wants the switch to perform on a packet that matches the criteria provided above. This field can take one of the following values: permit: Permits the traffic matching this rule. drop: Drops the packets matching this rule without any notification. reject: Drops the packet and...
  • Page 67 (Optional): This field indicates if any match of this rule should be logged. Select this option if it is required to log a match to this rule. It is recommended to use this option when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.
  • Page 68: Editing An Existing Policy

    Click to add this rule to the policy being created. If more rules are needed, follow the same process to create and add more rules to the policy. Note: If required, the rules can be re-ordered by using the up and down buttons provided with each rule.
  • Page 69 Click Edit for the policy that is to be edited. In the example shown below the “guest” policy is being edited. On the Edit policy page, the administrator can delete existing rules, add new rules (following the same procedure in Step of “Creating a New Policy”...
  • Page 70: Applying The Policy To A User Role

    Applying the Policy to a User Role This section outlines the steps required to apply the policy to a user role. A policy can be applied to one or more user roles. Similarly, each user role can constitute one or more policies. Configuration >...
  • Page 71 Enter the desired name for the role. In the example used below, the name given to the role is “employee”. To apply a set of policies to this user role, click the Add button in the Firewall Policies section.
  • Page 72 The following table summarizes the different fields visible and the expected/recommended values for each field (columns: Field, Explanation, Expected/recommended values).
  • Page 73 Firewall Policies: This will consist of the policies that will define the privileges of a user in this role. There are three options to add a firewall policy to a user role: Choose from configured policies: Select a policy from the list of configured policies and click... The field called Location is used...
  • Page 74 Bandwidth contract: A bandwidth contract can be assigned to a user role to provide an upper limit to the bandwidth utilized by users in this user role. As an example, the administrator... To create a new bandwidth contract, select the “Add New” option. Enter the name of the bandwidth contract and the bandwidth to be allowed (in kbps or mbps).
  • Page 75 To edit an existing role, click Edit for the required user role. The fields are the same as shown above. The screen shot below shows the screen when the Edit option is chosen for the “guest” user role.
  • Page 77: Chapter 6 Configuring Aaa Servers

    Chapter 6 Configuring AAA Servers. The software allows users to use an external server or create an internal user database for authentication purposes. This document briefly describes the configuration procedure involved on the switch to interface with an external authentication server (RADIUS and LDAP), or to create an internal database of users and set the authentication timers for authentication purposes.
  • Page 78 c. Configure the timers on the General tab. Set the user idle timeout value. The value of this field is in minutes. To prevent the user from timing out, set the value of this field to 0. The user idle timeout is the time in minutes for which the switch maintains state of an unresponsive client.
  • Page 79: Authentication Servers

    Once the values are set, click Apply before moving onto another page or closing the browser. Failure to do this will result in the loss of configuration and the user will have to reconfigure the settings. To save the configuration, click the Save Configuration tab on the upper right hand corner of the screen.
  • Page 80 Click to add a new RADIUS server entry. Enter the values gathered from the previous step. Set the Mode to Enable to activate the authentication server. Click Apply to apply the configuration. Note: The configuration will not take effect until this step is performed. For additional RADIUS servers, repeat steps 1 through 6.
  • Page 81: Editing An Existing Entry

    Editing an Existing Entry. Navigate to the Configuration > AAA Servers > RADIUS page. Click Edit on the right side of the desired RADIUS Server entry. The configuration page displays. Make the required modifications on the page and click Apply to save the configuration.
  • Page 82: Ldap Server Settings

    To continue with the deletion, click to confirm. The entry is deleted. LDAP Server Settings. To add a new LDAP server entry: Navigate to the Configuration > AAA Servers > Security > LDAP page. To configure the switch, the following information is required (Parameters / Description / Values)...
  • Page 83 Fill in the information collected from step 1. Set the mode to Enable to enable the LDAP server when it is online. Click Apply to apply the changes made to the configuration. Note: The configuration does not take effect until this step is performed. To add multiple servers, repeat steps 1 through 5 for each server.
  • Page 84: Editing An Existing Entry

    Editing an Existing Entry. Navigate to the Configuration > AAA Servers > Security > LDAP page. Click Edit for the entry to be modified and modify the desired parameters. Click Apply to have the changes take effect. Deleting an Existing Entry. Configuration >...
  • Page 85: Internal Database

    Internal Database The internal database can also be used to authenticate users. The internal database can store a list of users along with the user password and their default role. When the switch is configured as the primary server, user information in the incoming authentication requests will be checked against the internal database.
  • Page 86 Add the user information. Check the Enable box if this entry needs to be activated on creation. If this box is unchecked, this user entry will not be considered during authentication. Configure the role of the user. Apply the configuration by clicking Apply after creating each user.
  • Page 87: Editing An Existing Entry

    Editing an Existing Entry. Navigate to the Configuration > AAA Servers > Internal Database page. To edit an existing entry, delete the entry and re-create the entry with the necessary modifications. All entries must be individually created and modified. Deleting an Entry. Configuration >...
  • Page 88: Configuring Server Rules

    Click to delete the entry. Configuring Server Rules Once a server is configured, it is possible to set the VLAN and role for some users based on the attributes returned for the user during authentication. These values would take precedence over the default role and VLAN configuration for the authenticated user.
  • Page 89 The parameters are: Rule type: This can be one of Role Assignment or Vlan Assignment. With Role assignment, a user can be assigned a specific role based on the RADIUS attributes returned. In case of VLAN assignment, the user can be placed in a specific VLAN based on the RADIUS attributes returned.
  • Page 90: Example

    Value: This specifies the value that the attribute must match, along with the condition, for the rule to be applied. Role / VLAN: The role or the VLAN applied to the user when the rule is matched. The server rules are applied based on the first match principle. The first rule that is applicable for the server and the attribute returned will be applied to the user and would be the only rule applied from the server rules.
  • Page 91 The first rule that matches the condition gets applied. Also, the rules are applied in the order shown. To change the order, use the arrows to the right of the entry.
  • Page 93: Configuring The Captive Portal

    Configuring the Captive Portal. This document deals with the configuration of captive portal to support guest logon and for user authentication. One of the methods of authentication supported by the Aruba WLAN switch is captive portal. This document outlines the steps required to configure the captive portal authentication parameters for both guest logon as well as standard user authentication.
  • Page 94 Navigate to the Configuration > Security > Authentication Methods > Captive Portal Authentication page. Configure the role that the guest logon users will take. (See “Configuring Firewall Roles and Policies” for information on configuring a role.) Determine the protocol captive portal will use. Modify the captiveportal policy to support the selected protocol.
  • Page 95
        user alias mswitch svc-http permit
        user any svc-http dst-nat 8080
        user any svc-https dst-nat 8081
    HTTPS: If the protocol is https, ensure that the captiveportal policy has the following rules:
        user alias mswitch svc-https permit
        user any svc-http dst-nat 8080
        user any svc-https dst-nat 8081
    In the default user role of un-authenticated users (logon role by default), ensure that the captiveportal policy has been added.
  • Page 96 Configure the captive portal parameters. Default role: The role assigned to the guest user on logon. Default: guest. Enable Guest Logon: This field needs to be checked to enable guest logon as explained above. Default: Unchecked. Enable User Logon: This field needs to be checked to enable user logon authentication using an authentication server.
  • Page 97: Example

    Redirect Pause Timeout: This is the time, in seconds, that the system remains on the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page is skipped. Default: 10 secs. Welcome Page Location: The welcome page is the page that appears soon after logon and before redirection to the web URL.
  • Page 98: Configuring Captive Portal For User Logon

    Parameter Values for this example Default role cap_guest Enable Guest Logon Checked Enable User Logon Unchecked Enable Logout Popup Window Checked Protocol type https Redirect Pause Timeout Welcome Page Location Leave as default Logon wait Interval 10 – 15 CPU Utilization Threshold Configuring Captive Portal for User Logon Captive Portal can also be used to authenticate users using an authentication server.
  • Page 99 Configure the role that a user authenticated using captive portal will take. (See Chapter 1, Configuring Firewall Roles and Policies, for information on configuring a role.) Determine the protocol captive portal will use. Modify the captiveportal policy to support the selected protocol. HTTP: If the protocol selected is http, ensure that the following rules are included in the captive portal policy: user...
  • Page 100 user alias mswitch svc-https permit; user any svc-http dst-nat 8080; user any svc-https dst-nat 8081. In the default role for unauthenticated users (logon role by default), ensure that the captiveportal policy has been added. The user traffic needs to hit the rules in this policy for captive portal to work.
  • Page 101 Parameter / Description: Default role: The role assigned to the guest user on logon. Default: guest. Enable Guest Logon: This field needs to be checked only if guest logon needs to be enabled in addition to user logon. Default: Unchecked. Enable User Logon: This field needs to be checked to enable user logon authentication using an authentication server.
  • Page 102 From the pull-down menu, select the desired role the user will be placed in after logon. Note that this role would be applied only if there are no other derivation rules that supersede it. Ensure that the Enable User Logon checkbox is selected. Set the protocol type to http or https as per the requirement.
  • Page 103: Example

    To add more authentication servers as backup servers, repeat the steps above. The servers appear in the order of descending priority. The first entry is always the primary server. To change the order, use the or to the right on the entry to move it higher up or lower down in the list.
  • Page 104: Personalizing The Captive Portal Page

    Parameter values for this example: Default role: employee; Enable Guest Logon: Unchecked; Enable User Logon: Checked; Enable Logout Popup Window: Checked; Protocol type: https; Redirect Pause Timeout; Welcome Page Location: Leave as default; Logon wait Interval: 10 – 15; CPU Utilization Threshold; Authentication Server: Radius_Server_1 Internal_Server...
  • Page 105 You can choose one of three page designs. To select an existing design, click the first or the second page design present. To customize the page design, select the YOUR CUSTOM DESIGN page. Under Additional Information, enter the location of the JPEG image in the space provided beside Upload your own custom background. Custom page background color...
  • Page 106 The background setting can be viewed by first clicking the Submit button on the View CaptivePortal page, then clicking the link that will actually open up the captive portal page as seen by the users. To customize the captive portal background text, enter the text that needs to be displayed in the Page Text (in HTML format) field, then click Submit...
  • Page 107 Configuring the Captive Portal Chapter 7...
  • Page 108 The text keyed in will appear in a text box when the Acceptable Use Policy link is clicked on the captive portal web page. Aruba AirOS Part 0500036-02 v2.3 User Guide January 2005...
  • Page 109: Configuring 802.1X Security

    CHAPTER Configuring 802.1x Security The main aim of this document is to help the user configure 802.1x through the web interface. This document includes a description of the steps, examples and any common problems the user needs to watch out for while configuring 802.1x on the Aruba WLAN switches. 802.1x is an IEEE standard designed to provide authentication before L2 access to the network is permitted.
  • Page 110: Configuring Wireless User Authentication Only

    Configuring Wireless User Authentication Only 802.1x can be used to authenticate users alone. The procedure for configuring wireless user authentication is described in this section. Prior to configuring 802.1x on the switch, the following need to be configured: Role – The role that will be assigned as the default role for the 802.1x users. (Refer to the document on Configuring Firewall Roles and Policies.)
  • Page 111 The following fields need to be modified for wireless user authentication: Configuring 802.1x Security Chapter 8...
  • Page 112 Parameters / Description / Type of Value / Operation: Default Role. Description: Enter the default role to be the role assigned to the user when the user signs in using 802.1x authentication. Type of value: Pull-down menu of roles configured. Operation: Select the role from the menu that will be the 802.1x default role.
  • Page 113: Configuring The Authentication Servers

    Enable Authentication. Description: To select 802.1x as an authentication method this field needs to be checked. Default: Unchecked. Type of value: Checkbox. Operation: Select this box. Enable Re-authentication. Description: When set, this will force the client to do a 802.1x re-authentication. Type of value: Checkbox. Operation: Select this box only if re-authentication needs to be enabled.
  • Page 114 From the pull-down menu under Choose an Authentication Server, select the RADIUS server that will be the primary authentication server. Click after making the choice. To add multiple auth servers, repeat the steps above for each server.
  • Page 115 The servers appear in the order of descending priority. The first entry is always the primary server. To change the order, use the to the right on the entry to move it higher up or lower down in the list. Click Apply to apply the changes made.
  • Page 116: Example

    Example The following example uses the following settings: Default role: dot1x_user; VLAN the users are in: 100 (configured by role); Authentication Server: Radius_Server_1 (RADIUS server that supports 802.1x); SSID: dot1x with dynamic TKIP; Authentication Failure Threshold for Station Blacklisting. If necessary, create dot1x_user and VLAN 100. Configure the access policies and the VLAN for the 802.1x users.
  • Page 117 Create the SSID dot1x with dynamic TKIP. Click Apply to apply the configuration.
  • Page 118: Configuring User And Machine Authentication

    Configuring User and Machine Authentication 802.1x can be used to perform user and machine authentication. This tightens the authentication process further since both machine and user need to be authenticated.
  • Page 119 Enabling machine authentication gives rise to the following scenarios. Machine Auth Status / User Auth Status / Description / Typical Role / Access Policy: Failed / Failed: Both machine authentication and user authentication failed. User remains in the logon role. Typical role: Logon. Access policy: No access to network. Failed / Passed: If the machine authentication...
  • Page 120 Role – There are three different roles when machine authentication is enabled as described above – the User Authentication Default Role, the Machine Authentication Default Role and the Default role. The three can be the same, but it would be preferable to define the roles as per the policies that need to be enforced as explained above.
  • Page 121 The following fields need to be modified for machine and user 802.1x authentication.
  • Page 122 Parameters / Description / Type of value / Operation: Default Role. Description: Enter the default role to be the role that the user gets if both machine and user. Type of value: Pull-down menu of roles configured. Operation: Select the role from the menu that will be the
  • Page 123 Machine Authentication Default Role. Description: The role and policies that will be applied if the machine authentication goes through but the user authentication has not yet been initiated. Type of value: Pull-down menu of pre-configured roles. Operation: Select the role that needs to be applied if only machine authentication is
  • Page 124: Example

    Click under Choose an Authentication Server to add a RADIUS server to the 802.1x settings. From the pull-down menu, select the RADIUS server that will be the primary authentication server. Click after making the choice. To add multiple auth servers, repeat the above steps for each server. The servers appear in the order of descending priority.
  • Page 125 Machine Authentication Default Role: dot1x_mc; User Authentication Default Role: guest; VLAN the users are in: 100 (configured by role); Authentication Server: Radius_Server_1 (RADIUS server that supports 802.1x); SSID: dot1x with dynamic TKIP; Authentication Failure Threshold for Station Blacklisting. In this example, if machine authentication succeeds, the role assigned would be the dot1x_mc role.
  • Page 126 Enter the values as per the example. Click Apply for the configuration to take effect.
  • Page 127: Configuring Mac-Based Authentication

    Configuring MAC-based Authentication This section of the document shows how to configure MAC-based authentication on the Aruba switch using the WebUI. Use MAC-based authentication to authenticate devices based on their physical MAC address. While not the most secure and scalable method, MAC-based authentication still implicitly provides an additional layer of security for authenticating devices.
  • Page 128 From the pull-down list for Default Role, select the default role that will be assigned to the MAC-authenticated users. Set the Authentication Failure Threshold for Station Blacklisting to a non-zero value if you want the station to be blacklisted upon failure to authenticate within the specified number of tries.
  • Page 129: Configuring Users

    Authentication Failure Threshold for Station Blacklisting. Description: This specifies the number of times a user can try to login with wrong credentials after which the user will be blacklisted as a security. Type of value: Integer. Operation: Set value to 0 to disable blacklisting. Set to a non-zero integer value to blacklist after the...
  • Page 130 In the User Name field, enter the MAC address of the device to be used (this is the MAC address of the physical interface that will be used to access the network). The entry should be in xx:xx:xx:xx:xx:xx format. Enter the same address in the above mentioned format in the Password and Verify Password fields.
  • Page 131: Configuring 802.1X For Wired Users

    Configuring 802.1x for Wired Users The switch can also be configured to support dot1x authentication for wired users in addition to the wireless users. To create this configuration: Configure the 802.1x for user or user and machine authentication as explained in the previous sections.
  • Page 132: Modifying The 802.1X Settings

    Continue configuration as explained above. Modifying the 802.1x Settings The 802.1x settings can be modified at any time by simply accessing the page, making the required changes and applying these changes. Care should be taken to clear all logged-on users and force them to re-authenticate.
  • Page 133: Advanced Configuration Options Of 802.1X

    Check the Reset 802.1x Parameters to Factory Default checkbox and click Apply. This will reset the settings to factory default. Advanced Configuration Options of 802.1x This section talks about the Advanced Configuration on the 802.1x page. Note: The Advanced Configuration settings should not be modified unless there is a need to customize at a more detailed level.
  • Page 134 Accessing the Advanced options can be done by clicking the Show tab on the right of the Advanced Configuration option on the 802.1x configuration page. The various fields, a brief description and the default values in this section are: Fields / Description: Authentication Server Timeout: Time in seconds.
  • Page 135: Default Open Ports

    Key Retry Count This is the number of attempts the switch makes to obtain the key. Reauthentication Time Interval This is the time period after the elapse of which the re-authentication of supplicants takes place. Unicast keys are updated after each re-authorization.
  • Page 137: Configuring Virtual Private Networks

    CHAPTER Configuring Virtual Private Networks The aim of this document is to help users configure VPN using the web interface. The combination of L2TP and IPSec, known as L2TP/IPSec, is a highly secure technology for making remote access virtual private network (VPN) connections across public networks such as the Internet.
  • Page 138 Authentication Server – The authentication server the switch would use to validate the users. (Refer to the document on authentication servers for configuration details.) To enable VPN authentication: Navigate to the Configuration > Security > Authentication Methods > VPN Authentication page.
  • Page 139: Configuring Vpn With L2Tp Ipsec

    To add multiple auth servers, repeat the steps above for each server. The servers appear in the order of descending priority. The first entry is always the primary server. To change the order, use the to the right on the entry to move it higher up or lower down in the list.
  • Page 140 To enable L2TP, check Enable L2TP. Select the authentication method. Currently supported methods are PAP, CHAP, MSCHAP and MSCHAPv2. Configure the Primary and Secondary DNS servers and Primary and Secondary WINS Server that will be pushed to the VPN Client. Configure the VPN Address Pool.
  • Page 141: Enabling Src Nat

    Click Add Address Pool. The page appears. Specify the start address, the end address and the pool name. Click Done on completion to apply the configuration. Enabling Src NAT In case the users need to be NATed to access the network, use this option. The prerequisite for using this option is to have a NAT pool, which can be created by navigating to the Security >...
  • Page 142: Ike Policies

    Configure the Subnet and Subnet mask. To make the IKE key global, specify 0.0.0.0 and 0.0.0.0 for both the values. Configure the IKE Shared Secret and Verify IKE Shared Secret. Click Done to apply the configurations. Click Back to return to the main VPN L2TP configuration page. IKE Policies Clicking under IKE Policies opens the IPSEC Policy configuration page.
  • Page 143 To enable PPTP, check the Enable PPTP radio button. Select the authentication method. The currently supported method is MSCHAPv2; check the radio button to select it. Configure the Primary and Secondary DNS servers and Primary and Secondary WINS Server that will be pushed to the VPN Dialer. Configure the VPN Address Pool.
  • Page 144: Configuring Aruba Dialer Example

    Specify the start address, the end address and the pool name. Click Done on completion to apply the configuration. Click Back to access the main PPTP config page. Click Apply to apply the changes made before navigating to other pages. Configuring Aruba Dialer Example Security >...
  • Page 145 Select the authentication protocol. This should match the L2TP protocol list selected if Enable L2TP is checked, or the PPTP list configured if Enable PPTP is checked. For L2TP: Set the type of IKE Hash Algorithm, SHA or MD5, in the IKE Policies page. In case Pre-shared was selected as the IKE Authentication in the IKE Policies page (as described in the L2TP IPSec configuration), key in the pre-shared key used in the L2TP configuration.
  • Page 146: Examples

    Examples In this example, the following settings apply. VPN Settings: Authentication Server: radon; Default VPN role: vpn_user; Authentication method: MSCHAPv2; Primary DNS: 10.10.1.1
  • Page 147 Secondary DNS: 10.10.1.2; Primary WINS: 10.1.1.2. L2TP Setting: L2TP Pool: 192.168.100.1 – 192.168.100.100; Pre-shared key: test123; Primary DNS: 10.10.1.1; Secondary DNS: 10.10.1.2; Primary WINS: 10.1.1.2; IKE encryption: 3DES; IKE Authentication: Pre-shared; IKE Hash; IKE Group. PPTP Setting: PPTP Pool: 192.168.200.1 – 192.168.200.100. Configuration: Enable VPN Authentication.
  • Page 148 Configure L2TP IPSec. Configure the DNS and WINS server.
  • Page 149 Configuring the L2TP pool. Click below Address Pools. Once completed, click Done. Configuring Virtual Private Networks Chapter 9...
  • Page 150 Configure the IKE shared secret test123. Configure the IKE policies. The final config page should look like the page below. Once this is done, click Apply to apply the configurations.
  • Page 151 Configure the dialer by configuring the key to match the IKE shared secret key in “Configure the IKE policies.” Click Apply when done to apply the changes.
  • Page 152 Configure the dialer in the captive portal user role that will be used to download the dialer. Configuring PPTP Navigate to the PPTP configuration page as explained in the previous sections.
  • Page 153 Configure the DNS and WINS server. Check the Enable PPTP and MSCHAPv2 checkbox. Configure the PPTP pool. Click Apply for the configurations to take effect. Configure the dialer. Check the Enable L2TP and MSCHAPv2 checkbox. Ensure that all the Authentication types are unchecked. Apply the changes.
  • Page 154 Configure the dialer in the captive portal user role that will be used to download the dialer by navigating to the Configuration > Security > Authentication > Methods > Captive Portal Authentication page.
  • Page 157: Intrusion Detection

    CHAPTER Intrusion Detection This document outlines the steps needed to configure the various IDS capabilities present in an Aruba network. Like most other security-related configuration on the Aruba system, the IDS configuration is completely done on the Master switch in the network. The Aruba solution offers a variety of IDS/IPS features that can be configured and deployed as required.
  • Page 158: Denial Of Service Detection

    Denial of Service Detection DoS attacks are designed to prevent or inhibit legitimate users from accessing the network. This includes blocking network access completely, degrading network service, and increasing processing load on clients and network equipment. Denial of Service attack detection encompasses both rate analysis and detection of a specific DoS attack known as FakeAP.
  • Page 159: Signature Detection

    Sequence number analysis: During an impersonation attack, the attacker will generally spoof the MAC address of a client or AP. If two devices are active on the network with the same MAC address, their 802.11 sequence numbers will not match – since the sequence number is usually generated by the NIC firmware, even a custom driver will not generally be able to modify these numbers.
  • Page 160: Configuring Rogue Ap Detection

    Misconfigured AP detection: If desired, a list of parameters can be configured that defines the characteristics of a valid AP. This is primarily used when non-Aruba APs are being used in the network, since the WLAN switch cannot configure the 3rd-party APs.
  • Page 161 The following table explains the fields for this configuration and what it means to select each of them. Field / Description: 1. Disable Users from Connecting to Rogue Access Points: By default, rogue APs are only detected, but are not automatically disabled.
  • Page 162: Configuring Denial Of Service Attack Detection

    3. Mark Unknown Access Points as Rogue Access Points: In an environment where no interfering APs should exist – for example, a building far away from any other buildings or an RF-shielded building – enable this option to turn off the classification process.
  • Page 163 Configuration is divided into two sections: channel thresholds and node thresholds. A channel threshold applies to an entire channel, while a node threshold applies to a particular client MAC address. All frame types are standard management frames as defined by the 802.11 standard.
  • Page 164 3. Channel/node Quiet time: After an alarm has been triggered, specifies the amount of time that must elapse before another identical alarm may be triggered. This option prevents excessive messages in the log file. To configure the Fake AP detection, select the Fake AP tab on the Configuration > WLAN Intrusion Detection >...
  • Page 165: Configuring Man-In-The-Middle Attack Detection

    Configuring Man-In-The-Middle Attack Detection Navigate to the Configuration > WLAN Intrusion Detection > Man-In-The-Middle page on the WebUI of the Master switch. Select the required tab to configure each of the following: To configure station disconnection detection, click Disconnect Station. The following table gives a brief description of the fields in this section.
  • Page 166 The following table describes each of the fields in this section. Field / Description: 1. Enable EAP Handshake Analysis: Enables or disables this feature. 2. EAP Handshake Threshold: The number of EAP handshakes that must be received within the EAP Time Interval in order to trigger an alarm.
  • Page 167: Configuring Signature Detection

    3. Sequence Number Checking Time Tolerance (msec): The time interval in which sequence numbers must exceed the sequence number difference threshold in order for an alarm to be triggered. 4. Sequence Number Checking Quiet Time (secs): After an alarm has been triggered, the amount of time that must pass before another identical alarm may be triggered.
  • Page 168 The table below explains the configuration parameters in this section: Field / Description: 1. Enable Signature Analysis: Enables or disables this feature. 2. Signature Analysis Quiet Time (secs): After an alarm has been triggered, the amount of time that must pass before another identical alarm may be triggered.
  • Page 169: Adding A New Signature Pattern

    3. AirJack An attack with the potential to crash or lock up the firmware of many 802.11 NICs. In this attack, a client probe-request frame will be answered by a probe response containing a null SSID. A number of popular NIC cards will lock up upon receiving such a probe response.
  • Page 170 Enter a name for the newly added signature pattern in the Signature Name field and select the Signature Mode option to enable detection for this signature (leave this field disabled if only creating a signature but not enabling detection at this point). Click to add a signature rule.
  • Page 171 Frame Type: This refers to the type of 802.11 frame. For each type of frame further details can be specified to filter and detect only the required frames. It can be one of the following: Association Auth Control Data Deauth Deassoc Management Probe-request...
  • Page 172: Configuring Wlan Policies

    If required, add another rule to the list of the rules as shown above. When the required number of rules has been added, click Apply to apply the configuration. Note: The configuration will not take effect if it is not applied. Configuring WLAN Policies Configuration >...
  • Page 173: Configuring Wireless Bridge Detection

    Configuring Ad-hoc Network Protection The table below describes the parameters in this section. Field / Description: Enable Adhoc Networks Activity Detection: Enable detection of Ad-hoc networks. Enable Adhoc Network Protection: When Ad-hoc networks are detected, they will be disabled using a denial of service attack. Adhoc Detection Quiet Time (secs): After an alarm has been triggered, the amount of time
  • Page 174 The table below describes the fields shown in this section. Field / Description: Detect Misconfigured Access Points: Enable/disable the misconfigured AP detection feature. Disable Detected Misconfigured Access Points: When valid APs are found that violate the list of allowable parameters, prevents clients from associating to those APs using a denial of service attack.
  • Page 175 Valid Access Point Manufacturers OUI List (OUIs must be entered in the format xx:xx:xx:xx:xx:xx where x is a hexadecimal number, f being the wildcard): A list of MAC address OUIs that define valid AP manufacturers. Any valid AP with a differing OUI will be flagged as misconfigured. Configuring Weak WEP detection: To configure detection of weak WEP implementations, Configuration >...
  • Page 176 The table below describes the fields in this section. Field / Description: Disable Access Points Violating Enterprise SSID List: When an unknown AP is detected advertising a reserved SSID, the AP will be disabled using a denial of service attack. Valid Enterprise SSID List: A list of reserved SSIDs.
  • Page 177: System And Network

    CHAPTER System and Network Management This document outlines the steps to configure SNMP and syslog for an Aruba wireless network. Configuring SNMP for the Aruba WLAN Switch Aruba WLAN Switches and APs support versions 1, 2c, and 3 of SNMP for reporting purposes only.
  • Page 178 Field / Description / Expected/recommended Value: 1. Host Name: Host name of the switch. Expected value: String to act as the host name for the switch being configured. 2. System Contact: Name of the person who acts as the System Contact or. Expected value: System contact's name/contact information.
  • Page 179 4. Read Community Strings: Community strings used to authenticate requests for SNMP versions before version 3. Note: This is needed only if using SNMP v2c and is not needed if using version 3. Expected value: These are the community strings that are allowed to access the SNMP data from the switch.
  • Page 180 Enter the details for the SNMPv3 user as explained in the table below. Field / Description / Expected/recommended Values: 1. User name: A string representing the name of the user. Expected value: A string value for the user name.
  • Page 181 2. Authentication protocol: An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol which is used. Expected value: This can take one of the two values: MD5: HMAC-MD5-96 Digest Authentication Protocol; SHA: HMAC-SHA-96 Digest Authentication
  • Page 182: Configuring Snmp For The Access Points

    Configuring SNMP for the Access Points The Aruba Access Points also support SNMP and the administrator can configure all or some of the Access Points to access data using SNMP as well as receive traps from the Access Points. The Access Points can be acting as Air Monitors when they are used to access information about the wireless network using SNMP.
  • Page 183 Configure the basic SNMP parameters in the section “SNMP System Information”. The fields are similar to the ones explained for the switch and are explained in the table below. System and Network Management Chapter 11...
  • Page 184 Field / Description / Expected/recommended Values: 1. Host Name: Host name for all Access Points in the network. Expected value: Any name to identify the devices as Aruba APs. 2. System Location: Location for Access Points in the network. Expected value: String to identify the location of the APs.
  • Page 185 6. Trap receivers: Host information about a trap receiver. This host needs to be running a trap receiver to receive and interpret the traps sent by the Aruba Access Points. Expected value: Configure the following for each host/trap receiver: IP address; SNMP version: can be 1 or; Community string; UDP port on which the trap...
  • Page 186 3. Authentication protocol password: If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. Expected value: String password for MD5/SHA depending on the choice above. 4. Privacy protocol: An indication of whether messages sent. Expected value: This takes the value DES (CBC-DES Symmetric...
  • Page 187 If the required set does not exist, click to add the set of APs represented by a location code (using 0 as the wild card value when required as explained above). If the set already exists, click Edit for the chosen set and proceed to step 4 to configure the SNMP parameters for the chosen set.
  • Page 188: Snmp Traps From The Switch

    Refer to the tables above for the fields to be configured for the set of APs. Click Apply to apply the configuration. SNMP Traps from the Switch The following is a list of key traps generated by the Aruba WLAN Switch. Switch IP changed.
  • Page 189 Switch role changed. a. Description: This indicates that the switch has transitioned from being a Master switch to a Local switch or vice versa. b. Priority Level: Critical. User entry created/deleted/authenticated/de-authenticated/authentication failed. a. Description: Each of these traps is triggered by an event related to a user event.
  • Page 190 a. Description: This trap indicates that an authentication server that was previously not responding has started responding to authentication requests. This will be triggered by a user event that causes the switch to send an authentication request to the authentication server. b.
  • Page 191: Snmp Traps From Access Point/Air Monitor

    a. Description: This trap indicates an out of range voltage being supplied to the switch. b. Priority Level: Critical 13 Out of Range temperature. a. Description: This trap indicates an out of range operating temperature being supplied to the switch. b.
  • Page 192 which the AP was detected as well as the BSSID and SSID of the detected AP. b. Priority Level: Critical. Station impersonation. a. Description: This trap indicates an Air Monitor has detected a Station impersonation event. The trap will provide the location of the Air Monitor that has detected the event and the MAC address of the Station.
  • Page 193 a. Description: This trap indicates an error in the SSID configuration of an Access Point. The AP generates the trap and includes its BSSID, the configured SSID and the location of the AP in the trap. b. Priority level: High. Short Preamble misconfiguration.
  • Page 194 a. Description: This trap indicates that the Air Monitor has detected Adhoc networks. b. Priority Level: High. 13 Valid station policy violation. a. Description: This trap indicates that a valid Station policy is being violated. b. Priority Level: High. 14 AP interference. a.
  • Page 195: Configuring Logging

    b. Priority Level: Medium 17 Frame low speed rate exceeded. a. Description: This trap refers to the event when the percentage of received and transmitted frames at low speed (less than 5.5Mbps for 802.11b and less than 24 Mbps for 802.11a) exceeds the configured High Watermark.
  • Page 196 Station Manager The module responsible for all wireless stations at a 802.11 level. Traffic A logical module to track traffic patterns to help troubleshooting. RF Director The monitor responsible for monitoring the wireless network for any rogues/intrusions etc. The administrator can configure the logging levels for each of these modules as well as the IP address of a syslog server that the switch can direct these logs to.
  • Page 197 Click to add the logging server to the list of logging servers. Ensure that the syslog server is enabled and configured on this host.
  • Page 198 If the logging levels of all the modules are as required, proceed to step 6. To modify the logging level of any of the modules, select the required module from the list of the modules shown. From the drop down list that appears on the screen, choose the appropriate logging level.
  • Page 199 Click Done to make the modification.
  • Page 200 Click Apply to apply the configuration. Note: Until this step is completed, none of the configuration changes will take effect.
  • Page 201: Configuring Quality Of Service For Voice Applications

    CHAPTER Configuring Quality of Service for Voice Applications This document outlines the steps required to configure QoS on an Aruba WLAN Switch for voice devices, including SIP phones and SVP phones. Since voice applications are more vulnerable to delay and jitter, the network infrastructure should be able to prioritize the voice traffic over the data traffic.
  • Page 202: Configuring Qos For Svp

    Configuring QoS for SVP Follow the steps below to configure a role for phones using SVP and provide QoS for them. Create a policy called “svp-policy” that allows only SVP traffic. (Refer to Configuring Firewall Roles and Policies for more details on how to add a policy).
  • Page 203 Create a role for SVP phones called “svp-phones” and assign the policy “svp-policy” to it. (Refer to Configuring Firewall Roles and Policies for more details on adding and configuring a firewall role). Configure the devices to be placed in the role “svp-phones” on the basis of the SSID used or the OUI of their MAC address.
  • Page 204 ii. Add a condition “equals” with the SSID value being “voice-SSID” (i.e. the SSID being used for voice devices) and the role name being “svp-phones” (i.e. the role name configured in the step above). iii. Click Apply to apply the configuration. The changes will not take effect until this step is completed.
  • Page 205 b. OUI based role derivation: i. Navigate to Configuration > Security > Authentication Methods > Advanced ii. Add a condition with rule type “Mac Address”, condition “contains”, value being the first three octets or the OUI of the devices being used (for instance, we are using the Spectralink OUI 00:09:7a), and role name being “svp-phones”...
  • Page 206 iii. Click Apply to apply this configuration. Note: The changes will not take effect until this step is completed. For deployments where considerable delay is expected between the switch and the Access Points, it is recommended to enable the “local probe response” feature.
  • Page 207: Configuring Qos For Sip

    Configuring QoS for SIP Follow the steps below to configure a role for phones using SIP and provide QoS for them. Create a service for SIP traffic called “svc-sip” that corresponds to UDP port 5060. a. Navigate to Configuration >...
  • Page 208 b. Click to add a new service alias for SIP traffic. Enter the details for SIP traffic, i.e. Service name = “svc-sip”, Protocol = “UDP”, Starting port = “5060”. c. Click Apply to apply the configuration. The changes will not take effect until this step is completed. Create a policy called “sip-policy”...
  • Page 209 Configure the devices to be placed in the role “sip-phones” on the basis of the SSID used or the OUI of their MAC address. Each of the two is explained in the following two steps respectively: a. SSID based role derivation: i.
  • Page 210 iii. Click Apply to apply this configuration. The changes will not take effect until this step is completed. b. OUI based role derivation: i. Navigate to Configuration > Security > Authentication Methods > Advanced...
  • Page 211 ii. Add a condition with rule type “Mac Address”, condition “contains”, value being the first three octets or the OUI of the devices being used (for instance, we are using an example OUI 00:0a:0b), and role name being “sip-phones” (i.e. the role configured in the steps above).
  • Page 213: Chapter 13 Topology Example One

    Chapter 13 Topology Example One The examples included in this chapter require that the Aruba WLAN switch has been set up according to the instructions in the Quick Start Guide. These examples use specific Aruba WLAN switches and Access Points. However, these configurations are valid for all Aruba WLAN switches (A5000, A2400, and A800) and for all Aruba Access Points (APs) (AP52/60/61), unless explicitly mentioned otherwise.
  • Page 214 Figure 13-1 Example One Topology. The following steps configure the topology shown in Figure 13-1: Configure the DHCP server on the switch to serve the subnet that includes the AP.
  • Page 215 Figure 13-2 Configuring the DHCP Server. Click (Pool Configuration) and enter the details for the pool: Figure 13-3 Adding the DHCP Pool. Apply this configuration and then start the DHCP server. Add all the ports on the Aruba WLAN Switch to subnet 14. Configuration >...
  • Page 216 Enter VLAN(s): add VLAN 14 in the field. Make Port Trusted: select to make all ports trusted. Enable 802.3af Power Over Ethernet: select to enable PoE on all ports. Figure 13-4 Configuring the Ports. Apply this configuration. Plug the Aruba AP into one of the Fast Ethernet ports. The Aruba AP will be powered by PoE from the Aruba WLAN Switch.
  • Page 217 Configure the WLAN network parameters on the Configuration > WLAN > Network > SSID page. Figure 13-5 Configuring the SSID. 10 Click Edit to change the parameters of the default WLAN network. Specify the following basic configuration: SSID (demo-aruba), encryption type (Static WEP), WEP key.
  • Page 218 Figure 13-6 Configuring the Radio Parameters. 13 Apply this configuration. 14 Configure the role for an authenticated user (called authenticated-user in this example) on the Configuration > Security > Roles page. Figure 13-7 Configuring the User Roles.
  • Page 219 15 Click to add a new user-defined role called authenticated-user. Configure the following: Name of the user-role: authenticated-user. Privileges for a user in this role: in this case, choose the policy called allowall and click Done to give all privileges to an authenticated user.
  • Page 220 Figure 13-9 Configuring Captive Portal Authentication. 19 This step is not needed if you are using an external authentication server. If you are using the internal server, use the following CLI commands to add the required users to the database: (WLAN-switch) #local-userdb add username <username>...
  • Page 221: Chapter 14 Topology Example Two

    Chapter 14 Topology Example Two The examples included in this chapter require that the Aruba WLAN switch has been set up according to the instructions in the Quick Start Guide. These examples use specific Aruba WLAN switches and Access Points. However, these configurations are valid for all Aruba WLAN switches (A5000, A2400, and A800) and for all Aruba Access Points (APs) (AP52/60/61), unless explicitly mentioned otherwise.
  • Page 222 Figure 14-1 Example Two Topology. This section covers some basic network configuration required to allow the Access Points to use the Aruba Discovery Protocol to discover the Aruba WLAN Switch. In this example, configure an IP helper address on the Layer-3 switch on the same subnet as the Access Points with the IP address of the Aruba WLAN Switch.
  • Page 223 layer3(config-if) #ip helper-address 10.200.14.14 ; ADP relay Configure the WLAN parameters for the WLAN network on the Configuration > Network > SSID page. Click Edit to modify the parameters of the default WLAN network. Figure 14-2 Configuring SSIDs. Configure the SSID of the network as desired (company-ssid in the example). Select WEP as the encryption type and select both Static WEP and Dynamic WEP.
  • Page 224 Figure 14-3 Editing the SSID. Apply the configuration to complete the WLAN network configuration.
  • Page 225 To enable the APs to accept associations from clients, configure the Max Clients value on the WLAN > Radio > 802.11b/g page. (Configure the same on the 802.11a page if you are also using 802.11a clients). Figure 14-4 Configuring the Radios. Apply this configuration to enable Access Points to accept associations.
  • Page 226 Figure 14-5 Configuring User Roles. Figure 14-6 Adding User Roles. Configure the pre-defined guest role to have privileges to use only the HTTP protocol. To do this, configure the pre-defined policy called guest on the Configuration > Security > Policies page to add a rule to allow HTTP traffic. Apply this configuration to complete configuring the guest policy.
  • Page 227 Figure 14-7 Applying the User Role Configuration. Figure 14-8 Editing Policies. 10 Add this policy to the list of policies applied to the pre-defined role guest to complete configuring guest privileges on the network. Topology Example Two Chapter 14...
  • Page 228 Figure 14-9 Adding Policies to Roles. Figure 14-10 Editing Roles. 11 Apply this configuration to complete the configuration of the guest privileges. 12 Complete the 802.1x configuration for the deployment model by adding the RADIUS server and its characteristics to the list of servers on the Configuration > Security > AAA Servers >...
  • Page 229 Figure 14-11 Configuring RADIUS Servers. Figure 14-12 Adding a RADIUS Server. 13 Apply this configuration. The following screen should indicate that the RADIUS server configuration is successfully applied.
  • Page 230 Figure 14-13 RADIUS Server Configuration Successful. 14 Enable 802.1x authentication and configure the 802.1x parameters on the Configuration > Security > Authentication Methods > 802.1x page. 15 Choose the newly created role called authenticated-user as the default role and User authentication as the default role. 16 Select Enable Authentication to enable 802.1x authentication and add the RADIUS server to the list of authentication servers.
  • Page 231 17 Apply this configuration to complete the 802.1x configuration. Figure 14-14 Completing 802.1x Authentication Configuration. 18 Select the Captive Portal tab on Authentication Methods to enable guest logon using Captive Portal. 19 Select Enable Guest Logon to allow for guest logon using the Captive Portal.
  • Page 232 Figure 14-15 Configuring Captive Portal Authentication.
  • Page 233: Chapter 15 Topology Example Three

    Chapter 15 Topology Example Three The examples included in this chapter require that the Aruba WLAN switch has been set up according to the instructions in the Quick Start Guide. These examples use specific Aruba WLAN switches and Access Points. However, these configurations are valid for all Aruba WLAN switches (A5000, A2400, and A800) and for all Aruba Access Points (APs) (AP52/60/61), unless explicitly mentioned otherwise.
  • Page 234 Figure 15-1 Example Three Topology. Use the following steps to configure the topology shown in Figure 15-1 above: This section applies only to Access Points in a different subnet from any Aruba WLAN Switch. If the Access Points are in the same subnet as the Aruba WLAN Switches, skip this section.
  • Page 235 Layer-3 switch configuration: layer3(config) #interface vlan 15 layer3(config-if) #ip helper-address 10.4.0.12 ; DHCP Relay layer3(config-if) #ip helper-address 10.200.14.14 ; ADP relay Configure the Virtual Router Redundancy Protocol (VRRP) on both switches on the subnet that connects the two Aruba WLAN Switches as shown below: Figure 15-2 Configuring VRRP. Click Add to create a new VRRP instance on the switch and configure the various VRRP...
  • Page 236 Figure 15-3 Adding Virtual Routers. Click Add after configuring the various parameters and setting the Admin state to Up. The VRRP instance should be added to the list of VRRP instances as shown below: Figure 15-4 Completing VRRP Configuration. Configure the WLAN parameters for the WLAN network on the Configuration > Network >...
  • Page 237 Figure 15-5 Configuring SSIDs. Configure the SSID of the network as desired (company-ssid in the example). Select WEP as the encryption type and select both Static WEP and Dynamic WEP. Also enter the static WEP key to be used, as shown below. Figure 15-6 Editing SSIDs. Apply the configuration to complete the WLAN network configuration.
  • Page 238 10 To enable the APs to accept associations from clients, configure the Max Clients value on the WLAN > Radio > 802.11b/g page. (Configure the same on the 802.11a page if you are also using 802.11a clients). Figure 15-7 Configuring Radios. 11 Apply this configuration to enable Access Points to accept associations. 12 For the RADIUS server configuration, the client IP address is the IP address of the interface that connects the Aruba WLAN Switch to the RADIUS server.
  • Page 239 Figure 15-8 Adding Roles. 15 Additionally, configure the pre-defined guest role to have privileges to use only the HTTP protocol. To do this, configure the pre-defined policy called guest on the Configuration > Security > Policies page to add a rule to allow HTTP traffic. 16 Apply this configuration to complete configuring the guest policy.
  • Page 240 Figure 15-10 Editing Policies. 17 Add this policy to the list of policies applied to the pre-defined role guest to complete configuring guest privileges on the network. Figure 15-11 Completing User Role Configuration.
  • Page 241 Figure 15-12 Editing Roles. 18 Apply this configuration to complete the configuration of the guest privileges. 19 To complete the 802.1x configuration for the deployment model, add the RADIUS server and its characteristics to the list of servers on Configuration > Security > AAA Servers >...
  • Page 242 Figure 15-14 Adding a RADIUS Server. 20 Apply this configuration. The following screen should indicate that the RADIUS server configuration was successfully applied. Figure 15-15 Completing RADIUS Server Configuration. 21 Enable 802.1x authentication and configure the 802.1x parameters on the Configuration > Security >...
  • Page 243 22 Choose the newly created role called authenticated-user as the default role and User authentication default role. Select Enable Authentication to enable 802.1x authentication and add the RADIUS server to the list of authentication servers. The following screen shows this configuration. 23 Apply this configuration to complete the 802.1x configuration.
  • Page 244 Figure 15-17 Configuring Captive Portal Authentication.
  • Page 245 26 Rogue AP detection and classification is enabled by default. To enable the feature that disables users from connecting to Access Points that have been identified as Rogue Access Points, go to Configuration > WLAN Intrusion Detection > Rogue AP and select Disable Users from Connecting to Rogue Access Points as shown in...
  • Page 247: Chapter 16 Topology Example Four

    Chapter 16 Topology Example Four Consider a building with three floors looking to deploy a switch on each floor. The APs on each floor would be connected via an L2/L3 network to the local switch on that floor and would bootstrap with that same switch. Each of these local switches is on a different VLAN and subnet.
  • Page 248 The guest users will be allowed to access the network using the guest SSID. This will be an open system without encryption. All the guest users will be allowed to access the internet only. The user IP addresses will be NATed. The users are authenticated using captive portal to connect to the internet.
  • Page 249: Topology Diagram

    Topology Diagram (diagram showing Local 1, Local 2 and Local 3). Topology Description. Redundancy: This topology uses N+1 redundancy. The master switch acts as a backup for all local switches. The master is not redundant, which means that if the master goes down, the network will be affected as there is no redundant master to take its place.
  • Page 250 During failover, the operational state of the client is not maintained and the client will have to re-authenticate to gain access. VRRP instance: Switches involved = Master and Local_101; VRRP address = 10.1.101.12; VLAN = 101; VRRP instance on local_101: Priority = 150, Pre-empt = enable; VRRP instance on the other switch: Priority = 100...
  • Page 251 The priority of the VRRP instance on the local switch should be higher than that of the master. Pre-emption on the local switch must be enabled to allow the local switch to take over as master when it is functional. AP and RF Settings. AP Settings: This topology has all the APs bootstrapping to the local switch on the corresponding...
  • Page 252 SSID settings (one column per local switch, Local 1 to Local 3): SSID guest: Vlan-ID [per local], Encryption = Open system on all three locals. SSID employee1: Vlan-ID [per local], Encryption = WPA-TKIP on all three locals. SSID employee2: Vlan-ID [per local], Encryption = Static WEP on all three locals, WEP key = 1234567890 on all three locals. User Authentication and Access Policies. Guest Access: Guest users will use the SSID guest.
  • Page 253 Employee Access with WPA-TKIP and PEAP: 802.1x authentication must be enabled for MSFT PEAP. Set the employee role as the default role for 802.1x authentication. Configure the IAS RADIUS server as the authentication server. Topology Example Four Chapter 16...