Aruba Networks AirOS v2.3 User Manual Download Page 61 | Manualshive

Page: 61 / 254

background image

Configuring Firewall Roles and Policies

51

Chapter 5

C

HAPTER

5

Configuring Firewall Roles
and Policies

This chapter discusses configuring firewall roles and policies in an Aruba network. The
firewall roles and policies form the cornerstone of all functionality in an Aruba WLAN
Switch. Every

“user”

in the system is associated with a

“role”

and this role determines the

privileges associated with the

“user”

.

Every user in an Aruba network is associated with a user role. The user role is defined as a set
of network privileges permitted to a user associated with the user role. This concept of users
and user-roles is central to the entire functioning of the Aruba network.

In a practical scenario, the administrator can configure firewall policies by creating a new
firewall policy and adding rules to the policy or by editing existing pre-defined firewall
policies. The administrator can then associate a set of these firewall policies with a user role to
define the network privileges associated with a user role.

Every user that associates to the Aruba network is placed in an initial pre-defined role called

“logon”

role having enough privileges to use one of the authentication methods to authenticate

the user and be placed in a user role accordingly. The role of an authenticated user can be
derived from the following mechanisms:

1

Server derivation rules: The administrator can configure these rules to match
attributes returned by the authentication server (such as the RADIUS attributes)
in different ways to values to derive a role for the authenticated user.

As an example, consider a user

abc

authenticated using a RADIUS server. The adminis-

trator can create a rule that says if attribute

x

contains the string

“xyz”

, the user shall

derive a role called

“Authenticated-user-role1”

. Refer to “Configuring AAA Servers” on

page 67 for more explanation on how to configure these rules.

«
...
59
60
61
62
63
...
»

Summary of Contents for AirOS v2.3

Page 1: ...Aruba AirOS v2 3 User Guide TM 1322 Crossman Avenue Sunnyvale California 94089 Net www arubanetworks com Tel 408 227 4500 Fax 408 227 4550...

Page 2: ...Any other trademarks appearing in this manual are the property of their respective companies Legal Notice The use of Aruba Wireless Networks Inc switching platforms and software by all individuals or...

Page 3: ...iguring Network Parameters 9 Conceptual Overview 9 Network Configuration 10 Create Edit a VLAN 10 Configuring a Port to Be an Access Port 11 Configuring a Trunk Port 13 Configuring Static Routes 15 Mo...

Page 4: ...Policy 52 Editing an Existing Policy 58 Applying the Policy to a User Role 60 Chapter 6 Configuring AAA Servers 67 Authentication Timers 67 Accessing the Configuration page 67 Authentication Servers 6...

Page 5: ...figuring Virtual Private Networks 127 VPN Configuration 127 Enabling VPN Authentication 127 Configuring VPN with L2TP IPSec 129 Enabling Src NAT 131 IKE Shared Secrets 131 IKE Policies 132 Configuring...

Page 6: ...from the Switch 178 SNMP traps from Access Point Air Monitor 181 Configuring Logging 185 Chapter 12 Configuring Quality of Service for Voice Applications 191 Configuring QoS for SVP 192 Configuring Qo...

Page 7: ...ch configurations such as Virtual Private Networks VPNs firewalls and redundancy This guide shows you how to configure your environment with the most commonly needed features and services To use this...

Page 8: ...software devices and certain commands when men tioned in the text Commands In the command examples this bold font depicts text that the user must type exactly as shown Arguments In the command example...

Page 9: ...ain Site http www arubanetworks com z Support http www arubanetworks com support z Sales sales arubanetworks com z Support support arubanetworks com z Main 408 227 4500 z Fax 408 227 4550 z Sales 408...

Page 10: ...x Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Page 11: ...wireless APs also applicable to APs deployed as Air Monitors AMs are designed to be low touch configuration devices that require only minimal provisioning to make them fully operational on an Aruba e...

Page 12: ...ent These prerequisites ensure that the APs are able to discover and attach to a host Aruba WLAN switch defined as the master This also relieves the administra tor from the need to manually configure...

Page 13: ...ery Protocol ADP Plug and Play Aruba APs are factory configured with ADP a feature that allows plug and play provisioning for APs connected via Layer 2 3 to a master Aruba WLAN switch on an ADP enable...

Page 14: ...erver for this subnet To enable DHCP server capability on an Aruba switch z Navigate to the Configuration DHCP Server page z Create a DHCP server pool configuration z Create an excluded address range...

Page 15: ...n the DHCP vendor specific attribute option 43 The vendor class identifier used to identify DHCP requests from Aruba APs is ArubaAP NOTE DHCP requires the format and contents of the vendor class ident...

Page 16: ...00 config adp igmp join enable z Proceed to Deploying APs in the Network below 3 Deploying APs in the Network You are now ready to physically install the APs and attach them to the network For infor m...

Page 17: ...red for each AP in the network using the WebUI of the master Aruba WLAN switch To configure an AP with a unique location code z Navigate to the Maintenance Program AP Re provision page This page displ...

Page 18: ...tory for all detachable antenna models as the AP will not will bring up its radio interface or function as an AP without it z Click Apply to apply the configuration to the AP NOTE The configuration do...

Page 19: ...as well as a layer 3 IP interface similar to most layer 2 3 switches The administrator can configure a set of ports to be members of a VLAN and define an IP address netmask for the VLAN interface A s...

Page 20: ...this VLAN On the next screen as shown below enter the VLAN ID the IP address and network mask of the VLAN interface If required the address of the DHCP server for that VLAN can also be configured by c...

Page 21: ...ation 4 Verify that the VLAN has been created on the VLAN page Configuring a Port to Be an Access Port The in band Ethernet ports can be configured as access ports and members of a single VLAN using t...

Page 22: ...on the appropriate box in the Port Selection section of the page After selecting the port choose the VLAN from the drop down list in the Configure Selected Ports Enter VLAN s section and click Apply t...

Page 23: ...icitly made Make sure that the configura tion for all items on the list is as desired before clicking Apply 4 Verify that the Configuration was applied by navigating to the Configuration Switch VLAN s...

Page 24: ...iate checkbox in the Port Selec tion section 2 Select the Trunk option to the Port Mode section 3 Select Allow all VLANs to assign all configured VLANs to this port If the desired list of VLANs is dif...

Page 25: ...figuring Static Routes 1 Navigate to the Configuration Switch IP Routing page 2 Click Add to add a static route to a destination network or host Enter the desti nation IP and network mask 255 255 255...

Page 26: ...witch reboot To change the switch loopback IP address 1 Navigate to the Configuration Switch General page on the WebUI 2 Modify the loopback IP address in the Loopback Interface section on this page a...

Page 27: ...nce Switch Reboot page to reboot the switch to apply the change of loopback IP address 4 Click Continue to save the configuration 5 When prompted that the changes were written successfully to flash cl...

Page 28: ...18 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Page 29: ...in an active active mode or a hot standby mode master backing up a set of local switches a pair of switches acting as a redundant pair of master switches in a hot standby mode Each of these modes is e...

Page 30: ...on the same broadcast domain or layer 2 connected for VRRP operation The two switches should be of the same class A800 to A800 or higher and both switches should be running the same version of AirOS...

Page 31: ...figure this with the same value as the VLAN ID for easy administration Advertisement Interval This is the interval between successive VRRP advertisements sent by the current master Recommended to leav...

Page 32: ...mption Selecting this option means that a switch can take over the role of master if it detects a lower priority switch currently acting as master For this topology it is recommended NOT to select thi...

Page 33: ...floor location with 0 being used as a wild card for any of the values Thus a location code of 10 0 0 would refer to all the APs in building 10 Refer to the AP provisioning guide for directions on how...

Page 34: ...unavailable The Master switch is also responsible for providing the configuration for any AP to complete its boot process If the Master becomes unavailable the network continues to run without any in...

Page 35: ...easier administration and maintenance Step 2 vlan vlan id Associates the VRRP instance with a VLAN VLAN ID from step i Step 3 ip address ip address Virtual IP address for the VRRP instance Virtual IP...

Page 36: ...of up to 8 characters can be configured on both the peer switches This is an optional configuration Step 6 description description Optional Optional description to the VRRP instance Any text descript...

Page 37: ...e following commands to change the Master IP of the local switch The switch will require a reboot after changing the Master IP of the switch If DNS resolution is the chosen mechanism for the APs to di...

Page 38: ...er the APs once more This type of redundant solution is illustrated by the following topology diagram NOTE This solution requires that the master switch has a layer 2 connectivity to all the local swi...

Page 39: ...respectively Note the master switch will be configured for a number of VRRP instances equal to the number of local switches the master is backing up Command Explanation Expected Recommended Values Ste...

Page 40: ...config vrrp priority 110 Aruba2400 config vrrp preempt Aruba2400 config vrrp authentication password Aruba2400 config vrrp description local backed by master Aruba2400 config vrrp no shutdown Configur...

Page 41: ...ba2400 config ap location 1 1 0 Aruba2400 sap config location 1 1 0 lms ip 10 200 11 254 Aruba2400 sap config location 1 1 0 Command Explanation Expected recommended values Step 1 ap location b f l Ch...

Page 42: ...32 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Page 43: ...section walks the user through the basic 802 11 configurations The web interface classifies the WLAN configurations into 3 major categories z Network The global WLAN configurations can be done under...

Page 44: ...ng fields needs to be configured for each SSID separately Parameter Definition Explanation SSID The SSID of the network Radio type Choose the radio types to apply the configurations a b g a b g a b g...

Page 45: ...TE The default SSID present is aruba ap This will be broadcast as a valid SSID if the value is not changed This is the only SSID that permits the change of the SSID name AES CCM Advanced Encryption St...

Page 46: ...any encryption open system WEP TKIP AES CCM Mixed TKIP AES CCM SSID Default VLAN The VLAN that will be assigned to the wireless users after they associate to the SSID The value for the VLAN can be sel...

Page 47: ...be no encryption The packets between the AP and the client would be in clear text Click the Apply tab to apply the configuration changes made and to prevent loss of work before navigating to other pag...

Page 48: ...igating to other pages Configuring TKIP Encryption z Select the radio button to enable TKIP encryption This opens the TKIP dialog z Select PSK TKIP for static TKIP key configuration and WPA TKIP for d...

Page 49: ...key configuration and WPA2 AES CCM for dynamic AES z If PSK AES CCM is selected the key can be hex or ASCII Enter a 64 character hex key or a 8 63 character ASCII key Valid characters are letters and...

Page 50: ...er hex key or a 8 63 character ASCII key z Click Apply to apply the configuration changes made and to prevent loss of work before navigating to other pages 3 To configure multiple SSID click Add and r...

Page 51: ...o take effect Configuring WLANs Radio Configuration The radio settings can be fine tuned using the Web interface Selecting these options may affect roaming performance 1 Navigate to the Configuration...

Page 52: ...ser Guide January 2005 7 Check Apply to apply the changes before navigating to other pages to prevent loss of configuration 8 The above configuration can be created for 802 11a by navigating to the Co...

Page 53: ...ons and these locations are used to configure the AP uniquely The global configurations will be overridden by the location specific configurations 1 Navigate to the Configuration WLAN Radio Advanced p...

Page 54: ...d configuring the radios as required by selecting the tabs on the page To add a new SSID 1 Click Add and configure the SSID similar to configuring the 802 11 Networks 2 All radio configurations for th...

Page 55: ...ith dynamic WEP z A b g SSID called voice with static WEP z The AP in location 4 2 6 is set to have guest SSID in addition to the other two SSID The guest SSID is open 1 Configure the a b g SSID aruba...

Page 56: ...46 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 3 Configure the guest SSID for location 1 10 2 z Add the location 1 10 2...

Page 57: ...Adaptive Radio Management Adaptive Radio Management ARM is the next generation RF resource allocation algorithm in AirOS 2 3 ARM is an enhancement to Auto RRA functionality and performance ARM is the...

Page 58: ...rference index is greater than the interference index on the new channel by a value greater than or equal to the free channel index If the criteria are not met the AP will remain on the current channe...

Page 59: ...io 802 11b g page to enable ARM on the b g radio 2 Set ARM Assignment to Enable from the pull down menu to enable ARM 3 Set ARM Scanning to Enable to enable scanning on the AP 4 The ARM Scan Interval...

Page 60: ...50 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 6 Once these changes are made along with the Radio changes click Apply to apply the configurations...

Page 61: ...ned firewall policies The administrator can then associate a set of these firewall policies with a user role to define the network privileges associated with a user role Every user that associates to...

Page 62: ...dress that starts with bytes xx yy zz 3 Default role for an authentication method Every authentication method can be derived with a default role for users that are successfully authenticated using tha...

Page 63: ...hapter 5 2 Click Add to create a new policy 3 Click Add to add a rule to the policy being created The following table summa rizes the various fields that are required for a rule to be created and the...

Page 64: ...ic host When this option is chosen it is required to con figure the IP address of the host z network This refers to a traffic that has a source IP from a sub net of IP addresses When this option is ch...

Page 65: ...onfigure a range of TCP port s to match for the rule to be applied z UDP Using this option the administrator can configure a range of UDP port s to match for the rule to be applied z Pre defined Servi...

Page 66: ...kets matching the rule When this option is selected the administrator also needs to select a NAT pool If this pool is not configured the administrator needs to config ure a NAT pool by navigating to t...

Page 67: ...eld indicates that a client that is the source or destination of traffic that matches the rule should be automatically blacklisted Select this option if it is required to auto blacklist a client that...

Page 68: ...he rules can be re ordered by the using the up and down but tons provided with each rule 5 Once all the required rules are created and ordered as required click the Apply button to apply this configur...

Page 69: ...n the Edit policy page the administrator can delete existing rules add new rules following the same procedure in Step 3 of Creating a New Policy on page 52 or reorder the policies 4 When all rules hav...

Page 70: ...policy can be applied to one or more user roles Similarly each user role can constitute one or more policies 1 Navigate to the Configuration Security Roles page on the WebUI This page shows the list...

Page 71: ...nd Policies 61 Chapter 5 3 Enter the desired name for the role In the example used below the name given to the role is employee 4 To apply a set of policies to this user role click the Add button in t...

Page 72: ...62 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 The following table summarizes the different fields visible and the expected recommended values for each field...

Page 73: ...nd click the Done button to add the policy to the list of policies in the user role If this policy is to be applied to this user role only for specific locations the appli cable location codes can be...

Page 74: ...ew contract and assign it to the role 5 VPN Dialer This assigns a VPN dialer to a user role For details about VPN dialer refer to the Configuring VPNs section Select a dialer from the drop down list a...

Page 75: ...65 Chapter 5 6 To edit an existing role click Edit for the required user role to start editing a user role The fields are the same as shown above The screen shot below shows the screen when the Edit o...

Page 76: ...66 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Page 77: ...it to interface with these servers On the server side the switch needs to be recognized for the server to process requests from the switch This document talks only about the configuration on the switc...

Page 78: ...lied only when there are two or more authentication servers configured The authentication Server Dead Timeout is the maximum period for which an authentication server is proclaimed dead before being a...

Page 79: ...d applied in case of errors and changes at any time 2 Navigate to Configuration AAA Servers RADIUS page 3 Configure the RADIUS settings Parameter Description Value in the Example Server Name The name...

Page 80: ...rver entry Enter the values gathered from the previous step 5 Set the Mode to Enable to activate the authentication server 6 Click Apply to apply the configuration NOTE The configuration will not take...

Page 81: ...3 The configuration page displays Make the required modifications on the page and click Apply to save the configurations Deleting an Existing Entry 1 Navigate to the Configuration AAA Servers RADIUS...

Page 82: ...of the node which contains the entire user database that we want to use cn Users dc lm dc arubanetworks dc com Admin DN A user who has read search privileges across all the entries in the LDAP databa...

Page 83: ...step 1 4 Set the mode to Enable to enable the LDAP server when it is online 5 Click Apply to apply the changes made to the configuration NOTE The configuration does not take effect until this step is...

Page 84: ...he entry to be modified and modify the desired parameters 3 Click Apply to have the changes take effect Deleting an Existing Entry 1 Navigate to the Configuration AAA Servers Security LDAP page 2 Clic...

Page 85: ...y needs to be created for each user To add a new user entry to the Internal Database 1 Navigate to the Configuration AAA Servers Internal Database page The parameters a description of the parameters a...

Page 86: ...tivated on creation If this box is unchecked this user entry will not be considered during authentication 5 Configure the role of the user 6 Apply the configuration by clicking Apply after creating ea...

Page 87: ...delete the entry and re create the entry with the neces sary modifications All entries must be individually created and modified Deleting an Entry 1 Navigate to the Configuration AAA Servers Internal...

Page 88: ...for some users based on the attributes returned for the user during authentication These values would take precedence over the default role and VLAN configuration for the authenticated user To add a s...

Page 89: ...if and only if the attribute value contains the string in parameter Value z Starts with the rule is applied if and only if the attribute value returned starts with the string in parameter Value z Ends...

Page 90: ...ross all the authentication types that use the server as the primary authentication server Example Based on the filter ID returned users will be classified as admin employee and guest If none of the r...

Page 91: ...figuring AAA Servers 81 Chapter 6 The first rule that matches the condition gets applied Also the rules are applied in the order shown To change the order use the S or T arrows to the right of the ent...

Page 92: ...82 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Page 93: ...network by allowing them to logon as guests Captive portal can also be configured to allow users to download the Aruba VPN dialer for the Microsoft VPN client if the VPN is going to be terminated on...

Page 94: ...nfigure the role that the guest logon users will take See Configuring Firewall Roles and Policies for information on configuring a role 3 Determine the protocol captive portal will use Modify the capt...

Page 95: ...ps ensure that the captiveportal policy has the following rules user alias mswitch svc https permit user any svc http dst nat 8080 user any svc https dst nat 8081 4 In the default user role of un auth...

Page 96: ...ver In case of guest logon this field needs to be unchecked if captive portal is used for guest logon only Default Checked Enable Logout Popup Window When this is enabled a pop up window will appear w...

Page 97: ...If CPU utilization is above 50 wait for 10 15 seconds before popping up logon page z In this example there is no pause time before redirecting to the captive portal page Redirect Pause Timeout This is...

Page 98: ...ers that the switch can support 1 Navigate to the Configuration Security Authentication Methods Captive Portal Authentication page Parameter Values for this example Default role cap_guest Enable Guest...

Page 99: ...etermine the protocol captive portal will use Modify the captiveportal policy to support the selected protocol z HTTP If the protocol selected is http ensure that the following rules are included in t...

Page 100: ...y svc http dst nat 8080 user any svc https dst nat 8081 4 In the default role for unauthenticated users logon role by default ensure that the cap tiveportal policy has been added The user traffic need...

Page 101: ...The protocol used on re direction to captive portal page http https If http is selected the captive portal policy will have to be modified to allow http traffic Default https Redirect Pause Timeout T...

Page 102: ...he Enable User Logon checkbox is selected 8 Set the protocol type http or https as per the requirement 9 Set the welcome page location to the required URL To configure the AAA server captive portal wi...

Page 103: ...ght on the entry to move it higher up or lower down in the list 6 Click the Apply for the configuration changes made to take effect Example This example sets up the captive portal for user logon z The...

Page 104: ...e Policy 1 Navigate to the Maintenance Captive Portal Customize Login page Parameter Values for this example Default role employee Enable Guest Logon Unchecked Enable User Logon Checked Enable Logout...

Page 105: ...ge design present To customize the page design 1 Select the YOUR CUSTOM DESIGN page 2 Under Additional Information enter the location of the JPEG image in the space pro vided beside Upload your own cu...

Page 106: ...to be displayed in the Page Text in HTML format message box To view the changes click Submit at the bottom on the page and then click the View CaptivePortal link This will bring up the captive portal...

Page 107: ...Configuring the Captive Portal 97 Chapter 7...

Page 108: ...98 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 The text keyed in will appear in a text box when the Acceptable Use Policy is clicked on the captive portal web page...

Page 109: ...ng the client to authenticate the network These authentication protocols are all based on EAP Extensible Authentication Protocol and are also referred to as EAP types The 802 1x system consists of thr...

Page 110: ...es and Policies z Authentication Server The authentication server the switch would use to validate the users Verify that the authentication server supports 802 1x Most LDAP servers do not The Internal...

Page 111: ...Configuring 802 1x Security 101 Chapter 8 The following fields need to be modified for wireless user authentication...

Page 112: ...e role assigned to the user when the user signs in using 802 1x authentication The default value is guest If derivation rules are present the roles assigned to the user through these rules will take p...

Page 113: ...of the timer is 24 hours If the user fails to re authenticate will valid credentials the state of the user is cleared If derivation rules are used to classify dot1x users then the Re authentication t...

Page 114: ...January 2005 2 From the pull down menu under Choose an Authentication Server select the RADIUS server that will be the primary authentication server Click Add after making the choice 3 To add multiple...

Page 115: ...ending priority The first entry is always the pri mary server To change the order use the S or T to the right on the entry to move it higher up or lower down in the list 5 Click the Apply to apply the...

Page 116: ...100 configured by role Authentication Server Radius_Server_1 RADIUS server that supports 802 1x SSID dot1x with dynamic TKIP Authentication Failure Threshold for Station Blacklisting 3 NOTE If necessa...

Page 117: ...Configuring 802 1x Security 107 Chapter 8 3 Create the SSID dot1x with dynamic TKIP 4 Click Apply to apply the configuration...

Page 118: ...3 User Guide January 2005 Configuring User and Machine Authentication 802 1x can be used to perform user and machine authentication This tightens the authentication process further since both machine...

Page 119: ...Role Limited access depending on users like guest Passed Failed If machine authentication succeeds and user authentication has not been initiated the role assigned would be the Machine Authentication...

Page 120: ...es z Authentication Server The authentication server the switch would use to validate the users Verify that the authentication server supports 802 1x Most LDAP servers do not The Internal Server does...

Page 121: ...Configuring 802 1x Security 111 Chapter 8 The following fields need to be modified for machine and user 802 1x authentication...

Page 122: ...s field need to be checked Default Unchecked Checkbox Select this box Enable Re authentication When set this will force the client to do a 802 1x re authentication after the expiry of the default time...

Page 123: ...he machine authentication goes through but the user authentication has not yet been initiated Default guest Pull down menu of pre configured roles Select the role that needs to be applied if only mach...

Page 124: ...king the choice 4 To add multiple auth servers repeat above steps for each server 5 The servers appear in the order of descending priority The first entry is always the pri mary server To change the o...

Page 125: ...ilure Threshold for Station Blacklisting 3 In this example z If machine authentication succeeds the role assigned would be the dot1x_mc role z If only user authentication succeeds the role assigned wo...

Page 126: ...116 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 3 Enter the values as per the example 4 Click Apply for the configuration to take effect...

Page 127: ...id other devices from accessing the voice network using what is normally an insecure SSID Configuring the Switch To enable MAC based authentication on the Aruba WLAN switch 1 Before configuring MAC ba...

Page 128: ...If not set the value to 0 Parameters Description Type of value Operation Authentication Enabled To enable MAC based authentication this field must be checked Default Unchecked Checkbox Select this box...

Page 129: ...right of the entry to move it higher up or lower down in the list 4 Click Apply to apply the changes made Verify that the changes made have taken effect on the resultant page Configuring Users This se...

Page 130: ...r that is different from the MAC based authentication default role in the Role field enter the role for the user z Select the Enabled checkbox to activate the user z Click Apply to apply the settings...

Page 131: ...o the wireless users To create this configuration 1 Configure the 802 1x for user or user and machine authentication as explained in the pre vious sections 2 Check the Enable Wired Clients check box i...

Page 132: ...changes Care should be taken to clear all logged on users and forcing them to re authenticate Remember to apply the changes made by clicking Apply for the changes to take effect Resetting the 802 1x S...

Page 133: ...4 Click Apply This will reset the settings to factory default Advanced Configuration Options of 802 1x This section talks about the Advanced Configuration on the 802 1x page NOTE The Advanced Configur...

Page 134: ...after which the authentication server is timed out as the 802 1x server after it fails to respond Client Response Timeout Time in sees Time after which the client is timed out as after it fails to re...

Page 135: ...e updated after each re authorization Enable Multicast Key Rotation This option enables the rotation of multicast keys Multicast keys are used to encrypt multicast packets generated for each AP Multic...

Page 136: ...126 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Page 137: ...used as a VPN concentrator terminating all VPN connections from wire and wireless users For Windows a dialer can be downloaded from the switch to auto configure the tunnel settings on the dialer This...

Page 138: ...old for Station Blacklisting to an integer value This number indicates the number of contiguous authentication failures before the station is blacklisted 5 Click Apply to apply the settings and to avo...

Page 139: ...list 6 Click Apply to apply the configuration changes made before navigating to other pages to avoid losing the changes made 7 Click Save Configuration to save the configuration between reboots Config...

Page 140: ...the authentication method Currently supported methods are PAP CHAP MSC HAP and MSCHAPv2 6 Configure the Primary Secondary DNS servers and Primary and Secondary WINS Server that will be pushed to the...

Page 141: ...req uisite for using this option is to have a NAT pool which can be created by navigating to the Security Advanced NAT Pools page IKE Shared Secrets Set the value of the IKE key The key the subnet ca...

Page 142: ...2 7 The configurations from a through e along with the pre share key need to be reflected in the VPN client configuration When using a 3rd party VPN client set the VPN configuration on clients to matc...

Page 143: ...Currently supported method is MSCHAPv2 Check the radio button to select it 6 Configure the Primary Secondary DNS servers and Primary and Secondary WINS Server that will be pushed to the VPN Dialer 7...

Page 144: ...age 5 Click Apply to apply the changes made before navigating to other pages Configuring Aruba Dialer Example 1 Navigate to the Security VPN Settings Dialers page Click Add to add a new dialer or Edit...

Page 145: ...e Group configuration as per the IKE Policy configuration setting for Diffie Hel man Group 4 Select the IPSEC Encryption as per the IKE Policy configuration setting for Encryption 5 Select the IPSEC H...

Page 146: ...art 0500036 02 v2 3 User Guide January 2005 Examples In this example the following settings apply VPN Settings Authentication Server radon Default VPN role vpn_user Authentication method MSCHAPv2 Prim...

Page 147: ...uthentication Secondary DNS 10 10 1 2 Primary WINS 10 1 1 2 L2TP Pool 192 168 100 1 192 168 100 100 Pre shared key test123 Primary DNS 10 10 1 1 Secondary DNS 10 10 1 2 Primary WINS 10 1 1 2 IKE encry...

Page 148: ...138 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 Configure L2TP IPSec 1 Configure the DNS and WINS server...

Page 149: ...Configuring Virtual Private Networks 139 Chapter 9 2 Configuring the L2TP pool 3 Click Add below Address Pools Once completed click Done...

Page 150: ...0500036 02 v2 3 User Guide January 2005 4 Configure the IKE shared secret test123 5 Configure the IKE policies 6 The final config page should look like the page below Once this done click Apply to app...

Page 151: ...figuring Virtual Private Networks 141 Chapter 9 7 Configure the dialer by configuring the key to match the IKE shared secret key in Con figure the IKE policies Click Apply when done to apply the chang...

Page 152: ...6 02 v2 3 User Guide January 2005 8 Configure the dialer in the captive portal user role that will be used to download the dialer Configuring PPTP 1 Navigate to the PPTP configuration page as explaine...

Page 153: ...WINS server Check the Enable PPTP and MSCHAPv2 check box 3 Configure the PPTP pool 4 Click Apply for the configurations to take effect 5 Configure the dialer Check the Enable L2TP and MSCHAPv2 checkbo...

Page 154: ...02 v2 3 User Guide January 2005 6 Configure the dialer in the captive portal user role that will be used to download the dialer by navigating to the Configuration Security Authentication Methods Capti...

Page 155: ...Configuring Virtual Private Networks 145 Chapter 9...

Page 156: ...146 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Page 157: ...y to detect a interfering rogue AP and classify it as a interfering or a rogue AP An interfering AP is an Access Point that the Aruba Access points Air Monitors in the air A rogue AP is an Access Poin...

Page 158: ...AP beacons to confuse legitimate users and to increase the amount of processing client operating systems must do Refer to the Configuring Denial of Service attack detection section for more details M...

Page 159: ...te and edit new sig natures For more details on how to configure and create new signatures refer to the Con figuring Signature detection section WLAN Policies z Adhoc network detection containment As...

Page 160: ...Ps using these reserved resources This feature can be used in a multi tenant building where different enterprises must share the RF envi ronment This feature can also be used to defend against honeypo...

Page 161: ...ue AP will be disconnected from the rogue AP through a denial of service attack 2 Mark All New Access Points as Valid Access Points When installing an Aruba WLAN Switch in an environment with an exist...

Page 162: ...ts as Rogue Access Points In an environment where no interfering APs should exist for example a building far away from any other buildings or an RF shielded building enable this option to turn off the...

Page 163: ...efined by the 802 11 standard The following table explains what each field implies To edit any of the values from the default values for a channel click the Edit button in the appropriate section chan...

Page 164: ...must elapse before another identical alarm may be triggered This option prevents excessive messages in the log file Field Description 1 Enable Fake AP Flood Detection Enables or disables the feature 2...

Page 165: ...onfigure station disconnection detection click Disconnect Station The following table gives a brief description of the fields in this section 1 To configure EAP Handshake analysis click the EAP Handsh...

Page 166: ...ber of EAP handshakes that must be received within the EAP Time Interval in order to trigger an alarm 3 EAP Time Interval secs The time period in which a configured number of EAP handshakes must be re...

Page 167: ...eed the sequence number difference threshold in order for an alarm to be triggered 4 Sequence Number Checking Quiet Time secs After an alarm has been triggered the amount of time that must pass before...

Page 168: ...es or disables this feature 2 Signature Analysis Quiet Time secs After an alarm has been triggered the amount of time that must pass before another identical alarm may be triggered Signature Descripti...

Page 169: ...e containing a null SSID A number of popular NIC cards will lock up upon receiving such a probe response 4 NetStumbler Generic NetStumbler is a popular wardriving application used to locate 802 11 net...

Page 170: ...e leave this field disabled if only creating a signature but enabling detection at this point 3 Click Add to add a signature rule 4 In the Add Condition section add a rule that matches an attribute to...

Page 171: ...ayload This looks for a pattern at a fixed offset in the payload of a 802 11 frame The administrator can configure the pattern and the offset where the pattern is expected to be found in the frame z S...

Page 172: ...he list of the rules as shown above When the required number of rules has been added click Apply to apply the configuration NOTE The configuration will not take effect if it is not applied Configuring...

Page 173: ...Detection Policies Misconfigured AP as shown in the figure below Field Description 1 Enable Adhoc Networks Activity Detection Enable detection of Ad hoc networks 2 Enable Adhoc Network Protection When...

Page 174: ...erprise 802 11b g Channels Defines the list of valid 802 11b g channels that 3rd party APs are allowed to use 4 Valid Enterprise 802 11a Channels Defines the list of valid 802 11a channels that 3rd pa...

Page 175: ...to enable this feature Configuring Multi Tenancy detection To configure multi tenancy policies navigate to Configuration WLAN Intrusion Detection Policies Multi Tenancy as shown in the figure below 8...

Page 176: ...be disabled using a denial of service attack 2 Valid Enterprise SSID List A list of reserved SSIDs 3 Disable Access Points Violating Channel Allocation Agreements When an unknown AP is detected using...

Page 177: ...ing SNMP for the Aruba WLAN Switch Aruba WLAN Switches and APs support versions 1 2c and 3 of SNMP for reporting purposes only In other words SNMP cannot be used for setting values in an Aruba system...

Page 178: ...me of the switch String to act as the host name for the switch being configured 2 System Contact Name of the person who acts as the System Contact or administrator for the switch System contacts name...

Page 179: ...of SNMP traps to configured SNMP trap receivers Refer to the list of traps in the SNMP traps section below for a list of traps that are generated by the Aruba WLAN Switch Select this option and confi...

Page 180: ...2 3 User Guide January 2005 2 Enter the details for the SNMPv3 user as explained in the table below Field Description Expected recommended Values 1 User name A string representing the name of the user...

Page 181: ...essages sent on behalf of this user can be authenticated the private authentication key for use with the authentication protocol String password for MD5 SHA depending on the choice above 4 Privacy pro...

Page 182: ...Access Points can be done at a global level thereby being applicable for all the Aruba Access Points in the network as well as for a particular set of Access Point s by using the AP location codes Th...

Page 183: ...d Network Management 173 Chapter 11 2 Configure the basic SNMP parameters in the section SNMP System Information The fields are similar to the ones explained for the switch and are explained in the ta...

Page 184: ...or all APs 4 Enable SNMP Traps Enables generation of SNMP traps from all Access Points Refer to the list of traps in SNMP traps section for a complete list of traps that may be generated by Aruba Acce...

Page 185: ...be 1 or 2c z Community string UDP port on which the trap receiver is listening for traps The default is the UDP port number 162 This is OPTIONAL and will use the default port number if not modified by...

Page 186: ...gate to Configuration WLAN Advanced page on the WebUI of the Master switch 3 Authentication protocol password If messages sent on behalf of this user can be authenticated the private authentication ke...

Page 187: ...a location code using 0 as the wild card value when required as explained above If the set already exists click Edit for the chosen set and proceed to step 4 to configure the SNMP parame ters for the...

Page 188: ...m the Switch The following is a list of key traps generated by the Aruba WLAN Switch 1 1 Switch IP changed a Description This indicates the switch IP has been changed The Switch IP is either the Loopb...

Page 189: ...witch where the user is visible b Priority Level Medium 4 Authentication server request timed out a Description This trap indicates that a request to a authentication server did not receive a response...

Page 190: ...nt at the same time in the user table is 4096 b Priority Level Critical 8 Authentication Bandwidth contracts table full a Description This trap indicates that the maximum number of configured bandwidt...

Page 191: ...oved a Description These traps indicate that a Supervisor card has been inserted or removed from the switch b Priority Level Critical 16 Power supply missing a Description This trap indicates that one...

Page 192: ...In addition to this the BSSID and SSID of the detected AP is also included b Priority Level High 4 Valid SSID violation a Description This indicates a configuration in the configuration of the SSID of...

Page 193: ...cription This trap indicates an error in the Short Preamble configuration of an Access Point The AP generates the trap and includes its BSSID the configured SSID and the location of the AP in the trap...

Page 194: ...should be configured related to this event are Frame Retry Rate High Watermark and Frame Retry Rate Low watermark The High Watermark refers to the percentage threshold which if surpassed triggers the...

Page 195: ...table below summarizes these modules Module Description 1 Management AAA The module responsible for authentication of management users telnet ssh WebUI 2 Authentication The module responsible for aut...

Page 196: ...teps below to configure the same 1 Navigate to the Configuration Management Logging page on the WebUI 2 To add a logging server click Add in the Logging Server section 10 Station Manager The module re...

Page 197: ...System and Network Management 187 Chapter 11 3 Click Add to add the logging server to the list of logging servers Ensure that the syslog server is enabled and configured on this host...

Page 198: ...o step 6 To modify the logging level of any of the modules select the required module from the list of the modules shown From the drop down list that appears on the screen choose the appropriate loggi...

Page 199: ...System and Network Management 189 Chapter 11 5 Click Done to make the modification...

Page 200: ...190 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 6 Click Apply to apply the configuration NOTE Until this step is completed none of the configuration changes will take effect...

Page 201: ...ing Firewall roles and policies document for more details Thus in an Aruba system the administrator can configure two roles one for clients that do mostly data traffic such as laptops and the other fo...

Page 202: ...ce to the voice traffic ensure that the high prior ity option is selected for the rule allowing SVP traffic as shown in the screen shot below Note This is highly recommended when deploying voice over...

Page 203: ...onfiguring Firewall Roles and Policies for more details on adding and configur ing a firewall role 6 Configure the devices to be placed in the role svp phones on the basis of the SSID used or OUI of t...

Page 204: ...on equals with the SSID value being voice SSID i e the SSID being used for voice devices and role name being svp phones i e the role name configured in the step above iii Click Apply to apply the conf...

Page 205: ...guration Security Authentication Methods Advanced ii Add a condition with rule type Mac Address condition contains value being the first three octets or the OUI of the devices being used for instance...

Page 206: ...be considerable delay between the switch and the Access Points it is recommended to enable the local probe response feature This can be done by accessing the CLI of the switch using the console connec...

Page 207: ...ter 12 Configuring QoS for SIP Follow the steps below to configure a role for phones using SIP and provide QoS for the same 1 Create a service for SIP traffic called svc sip that corresponds to the UD...

Page 208: ...mpleted 2 Create a policy called sip policy that allows only SIP traffic refer to Configuring Fire wall rules and policies for more details on creating a new policy If providing higher qual ity of ser...

Page 209: ...of their MAC address Each of the two are explained in the following two steps respectively a SSID based role derivation i Navigate to Configuration Security Authentication Methods SSID ii Add a condi...

Page 210: ...3 User Guide January 2005 iii Click Apply to apply this configuration NOTE The changes will not take effect until this step is completed b OUI based role derivation i Navigate to Configuration Securi...

Page 211: ...tion contains value being the first three octets or the OUI of the devices being used for instance we are using an example OUI 00 0a 0b and role name being sip phones i e the role configured in the st...

Page 212: ...202 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Page 213: ...LAN switches and Access Points However these configurations are valid for all Aruba WLAN switches A5000 A2400 and A800 and for all Aruba Access Points APs AP52 60 61 unless explicitly mentioned otherw...

Page 214: ...3 1 Example One Topology The following steps configure the topology shown in Figure 13 1 1 Configure the DHCP server on the switch to serve the subnet that includes the AP ASTER 0 0 NTERNET AYER 2OUTE...

Page 215: ...ration and enter the details for the pool FIGURE 13 3 Adding the DHCP Pool 3 Apply this configuration and then start the DHCP server 4 Add all the ports on the Aruba WLAN Switch to the subnet 14 5 On...

Page 216: ...sted to make all ports trusted z Select Enable 802 3af Power Over Ethernet to enable PoE on all ports FIGURE 13 4 Configuring the Ports 6 Apply this configuration 7 Plug the Aruba AP into one of the f...

Page 217: ...rk Specify the following basic configuration z SSID demo aruba z Encryption type Static WEP z WEP key 11 Apply this configuration 12 Enable the AP to accept association requests from clients by config...

Page 218: ...ary 2005 FIGURE 13 6 Configuring the Radio Parameters 13 Apply this configuration 14 Configure the role for an authenticated user called authenticated user in this example on the Configuration Securit...

Page 219: ...apply this configuration FIGURE 13 8 Adding User Roles 17 Configure the authentication parameters for Captive Portal Authentication on the Config uration Security Authentication Methods page Select th...

Page 220: ...rt Authentication 19 This step is not needed if you are using an external authentication server If you are using the internal server use the following CLI commands to add the required users to the dat...

Page 221: ...ll Aruba WLAN switches A5000 A2400 and A800 and for all Aruba Access Points APs AP52 60 61 unless explicitly mentioned otherwise This example is based on a topology which has the following characteris...

Page 222: ...IP helper address on the Layer 3 switch on the same subnet as the Access Points with the IP address of the Aruba WLAN Switch Additionally con figure an IP helper address on the Layer 3 switch for the...

Page 223: ...rk on the Configuration Net work SSID page Click Edit to modify the parameters of the default WLAN network FIGURE 14 2 Configuring SSIDs 3 Configure the SSID of the network as desired company ssid in...

Page 224: ...214 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 FIGURE 14 3 Editing the SSID 4 Apply the configuration to complete the WLAN network configuration...

Page 225: ...this example VLAN 14 is the interface Therefore the client IP address for the RADIUS server config uration is the IP address of the VLAN 14 interface 10 200 14 6 The NAS IP Address is the loopback IP...

Page 226: ...Adding User Roles 8 Configure the pre defined guest role to have privileges to only use HTTP protocol To do this configure the pre defined policy called guest on the Configuration Security Policies p...

Page 227: ...hapter 14 FIGURE 14 7 Applying the User Role Configuration FIGURE 14 8 Editing Policies 10 Add this policy to the list of applied policies to the pre defined role guest to complete configuration guest...

Page 228: ...IGURE 14 10 Editing Roles 11 Apply this configuration to complete the configuration of the guest privileges 12 Complete the 802 1x configuration for the deployment model by adding the RADIUS server an...

Page 229: ...o 219 Chapter 14 FIGURE 14 11 Configuring RADIUS Servers FIGURE 14 12 Adding a RADIUS Server 13 Apply this configuration The following screen should indicate that the RADIUS server configuration is su...

Page 230: ...ameter on the Configuration Security Authentication Methods 802 1x page 15 Choose the newly created role called authenticated user as the default role and User authentication as the default role 16 Se...

Page 231: ...plete 802 1x configuration FIGURE 14 14 Completing 802 1x Authentication Configu ration 18 Select the Captive Portal tab on Authentication Methods to enable guest logon using Cap tive Portal 19 Select...

Page 232: ...222 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 FIGURE 14 15 Configuring Captive Portal Authentication...

Page 233: ...er these configurations are valid for all Aruba WLAN switches A5000 A2400 and A800 and for all Aruba Access Points APs AP52 60 61 unless explicitly mentioned otherwise This example is based on a topol...

Page 234: ...ts to use the Aruba Discovery Protocol to discover the Aruba WLAN Switch over a layer 3 network There are various methods that can be used by this protocol including IP multi cast broadcast DHCP Vendo...

Page 235: ...CP Relay layer3 config if ip helper address 10 200 14 14 ADP relay 3 Configure the Virtual Router Redundancy Protocol VRRP on both the switches on the subnet that connects the two Aruba WLAN Switches...

Page 236: ...s parameters and configuring the Admin state to Up 6 The VRRP instance should be added to the list of VRRP instances as shown below FIGURE 15 4 Completing VRRP Configuration 7 Configure the WLAN param...

Page 237: ...SID of the network as desired company ssid in the example Select WEP as the encryption type and select both Static WEP and Dynamic WEP Also enter the static WEP key to be used as shown below FIGURE 15...

Page 238: ...to the RADIUS server In this example VLAN 14 is that interface Therefore the client IP address for the RADIUS server configuration is the IP address of the VLAN 14 interface 10 200 14 6 The NAS IP Add...

Page 239: ...ned guest role to have privileges to only use HTTP protocol To do this configure the pre defined policy called guest on the Configuration Security Policies page to add a rule to allow HTTP traffic 16...

Page 240: ...er Guide January 2005 FIGURE 15 10 Editing Policies 17 Add this policy to the list of applied policies to the pre defined role guest to complete configuration guest privileges on the network FIGURE 15...

Page 241: ...uration to complete the configuration of the guest privileges 19 To complete the 802 1x configuration for the deployment model add the RADIUS server and its characteristics to the list of servers on C...

Page 242: ...y this configuration The following screen should indicate that the RADIUS server configuration was success fully applied FIGURE 15 15 Completing RADIUS Server Configuration 21 Enable 802 1x authentica...

Page 243: ...ti cation and add the RADIUS server to the list of authentication servers The following screen shows this configuration 23 Apply this configuration to complete 802 1x configuration FIGURE 15 16 Config...

Page 244: ...234 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 FIGURE 15 17 Configuring Captive Portal Authentication...

Page 245: ...trusion Detection Rogue AP and select Dis able Users from Connecting to Rogue Access Points as shown in Figure 15 18 below FIGURE 15 18 Configuring Rogue APs 27 Click Apply to apply this configuration...

Page 246: ...236 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Page 247: ...itches can act as the DHCP server for the subnet or can use an external DHCP server To enable seamless mobility between the subnets as the clients move mobility needs to be enabled A brief description...

Page 248: ...th the WEP key 2 User Employee SSID employee1 Encryption WPA TKIP Firewall Policies Access to the entire network Authentication method MSFT PEAP using IAS RADIUS VLAN Native VLAN of the local switch T...

Page 249: ...h acts as a backup for all local switches The master is not redundant which means that if the master goes down the network will be affected as there is no redundant master to take its place However if...

Page 250: ...l Switch z The local switch shares a VRRP instance with the master The address of the VRRP instance VLAN ID on the local switch and the corresponding instance on the master must be the same Ex The VRR...

Page 251: ...for APs on the same floor but the vlan id and lms ip differ for APs on the different floors One approach is to number the APs such that APs connected to local switch have the same building and floor I...

Page 252: ...nat the guest users using that pool For example on local users could be nated using a pool of two address 10 1 101 15 10 1 101 16 z Appropriate ACLs will be applied to the guest role For example Inter...

Page 253: ...er 16 Employee Access with WPA TKIP and PEAP z 802 1x authentication must be enabled for MSFT PEAP z Set the employee role as the default role for 802 1x authentication z Configure the IAS RADIUS serv...

Page 254: ...244 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Reviews:

No comments

Related manuals for AirOS v2.3

SmartSwitch 1800

Brand: Cabletron Systems Pages: 48

Brand: Native Instruments Pages: 14

OneVision DEFINITY G3 Fault Management and integration

Brand: AT&T Pages: 153

Brand: Microtek Pages: 177

Auto Configuration Server Vantage Access

Brand: ZyXEL Communications Pages: 113

Brand: A&D Pages: 36

Brand: AMX Pages: 16

Brand: GRASS VALLEY Pages: 2

Brand: GRASS VALLEY Pages: 60

pcXset - NBX - PC

Brand: 3Com Pages: 26

VIRUS|POWERCORE

Brand: Access Pages: 124

CNS NetFlow Collection Engine

Brand: Cisco Pages: 36

Brand: DANE-ELEC Pages: 6

Brand: Kyocera Pages: 1

Brand: Kyocera Pages: 22

Brand: Snom Pages: 23

Brand: PrintFleet Pages: 49

Newton Backup Utility

Brand: Newton Pages: 43

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands