Aruba Networks AirOS v2.3 Скачать руководство пользователя страница 61 | Manualshive

Страница: 61 / 254

background image

Configuring Firewall Roles and Policies

51

Chapter 5

C

HAPTER

5

Configuring Firewall Roles
and Policies

This chapter discusses configuring firewall roles and policies in an Aruba network. The
firewall roles and policies form the cornerstone of all functionality in an Aruba WLAN
Switch. Every

“user”

in the system is associated with a

“role”

and this role determines the

privileges associated with the

“user”

.

Every user in an Aruba network is associated with a user role. The user role is defined as a set
of network privileges permitted to a user associated with the user role. This concept of users
and user-roles is central to the entire functioning of the Aruba network.

In a practical scenario, the administrator can configure firewall policies by creating a new
firewall policy and adding rules to the policy or by editing existing pre-defined firewall
policies. The administrator can then associate a set of these firewall policies with a user role to
define the network privileges associated with a user role.

Every user that associates to the Aruba network is placed in an initial pre-defined role called

“logon”

role having enough privileges to use one of the authentication methods to authenticate

the user and be placed in a user role accordingly. The role of an authenticated user can be
derived from the following mechanisms:

1

Server derivation rules: The administrator can configure these rules to match
attributes returned by the authentication server (such as the RADIUS attributes)
in different ways to values to derive a role for the authenticated user.

As an example, consider a user

abc

authenticated using a RADIUS server. The adminis-

trator can create a rule that says if attribute

x

contains the string

“xyz”

, the user shall

derive a role called

“Authenticated-user-role1”

. Refer to “Configuring AAA Servers” on

page 67 for more explanation on how to configure these rules.

«
...
59
60
61
62
63
...
»

Содержание AirOS v2.3

Страница 1: ...Aruba AirOS v2 3 User Guide TM 1322 Crossman Avenue Sunnyvale California 94089 Net www arubanetworks com Tel 408 227 4500 Fax 408 227 4550...

Страница 2: ...Any other trademarks appearing in this manual are the property of their respective companies Legal Notice The use of Aruba Wireless Networks Inc switching platforms and software by all individuals or...

Страница 3: ...iguring Network Parameters 9 Conceptual Overview 9 Network Configuration 10 Create Edit a VLAN 10 Configuring a Port to Be an Access Port 11 Configuring a Trunk Port 13 Configuring Static Routes 15 Mo...

Страница 4: ...Policy 52 Editing an Existing Policy 58 Applying the Policy to a User Role 60 Chapter 6 Configuring AAA Servers 67 Authentication Timers 67 Accessing the Configuration page 67 Authentication Servers 6...

Страница 5: ...figuring Virtual Private Networks 127 VPN Configuration 127 Enabling VPN Authentication 127 Configuring VPN with L2TP IPSec 129 Enabling Src NAT 131 IKE Shared Secrets 131 IKE Policies 132 Configuring...

Страница 6: ...from the Switch 178 SNMP traps from Access Point Air Monitor 181 Configuring Logging 185 Chapter 12 Configuring Quality of Service for Voice Applications 191 Configuring QoS for SVP 192 Configuring Qo...

Страница 7: ...ch configurations such as Virtual Private Networks VPNs firewalls and redundancy This guide shows you how to configure your environment with the most commonly needed features and services To use this...

Страница 8: ...software devices and certain commands when men tioned in the text Commands In the command examples this bold font depicts text that the user must type exactly as shown Arguments In the command example...

Страница 9: ...ain Site http www arubanetworks com z Support http www arubanetworks com support z Sales sales arubanetworks com z Support support arubanetworks com z Main 408 227 4500 z Fax 408 227 4550 z Sales 408...

Страница 10: ...x Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Страница 11: ...wireless APs also applicable to APs deployed as Air Monitors AMs are designed to be low touch configuration devices that require only minimal provisioning to make them fully operational on an Aruba e...

Страница 12: ...ent These prerequisites ensure that the APs are able to discover and attach to a host Aruba WLAN switch defined as the master This also relieves the administra tor from the need to manually configure...

Страница 13: ...ery Protocol ADP Plug and Play Aruba APs are factory configured with ADP a feature that allows plug and play provisioning for APs connected via Layer 2 3 to a master Aruba WLAN switch on an ADP enable...

Страница 14: ...erver for this subnet To enable DHCP server capability on an Aruba switch z Navigate to the Configuration DHCP Server page z Create a DHCP server pool configuration z Create an excluded address range...

Страница 15: ...n the DHCP vendor specific attribute option 43 The vendor class identifier used to identify DHCP requests from Aruba APs is ArubaAP NOTE DHCP requires the format and contents of the vendor class ident...

Страница 16: ...00 config adp igmp join enable z Proceed to Deploying APs in the Network below 3 Deploying APs in the Network You are now ready to physically install the APs and attach them to the network For infor m...

Страница 17: ...red for each AP in the network using the WebUI of the master Aruba WLAN switch To configure an AP with a unique location code z Navigate to the Maintenance Program AP Re provision page This page displ...

Страница 18: ...tory for all detachable antenna models as the AP will not will bring up its radio interface or function as an AP without it z Click Apply to apply the configuration to the AP NOTE The configuration do...

Страница 19: ...as well as a layer 3 IP interface similar to most layer 2 3 switches The administrator can configure a set of ports to be members of a VLAN and define an IP address netmask for the VLAN interface A s...

Страница 20: ...this VLAN On the next screen as shown below enter the VLAN ID the IP address and network mask of the VLAN interface If required the address of the DHCP server for that VLAN can also be configured by c...

Страница 21: ...ation 4 Verify that the VLAN has been created on the VLAN page Configuring a Port to Be an Access Port The in band Ethernet ports can be configured as access ports and members of a single VLAN using t...

Страница 22: ...on the appropriate box in the Port Selection section of the page After selecting the port choose the VLAN from the drop down list in the Configure Selected Ports Enter VLAN s section and click Apply t...

Страница 23: ...icitly made Make sure that the configura tion for all items on the list is as desired before clicking Apply 4 Verify that the Configuration was applied by navigating to the Configuration Switch VLAN s...

Страница 24: ...iate checkbox in the Port Selec tion section 2 Select the Trunk option to the Port Mode section 3 Select Allow all VLANs to assign all configured VLANs to this port If the desired list of VLANs is dif...

Страница 25: ...figuring Static Routes 1 Navigate to the Configuration Switch IP Routing page 2 Click Add to add a static route to a destination network or host Enter the desti nation IP and network mask 255 255 255...

Страница 26: ...witch reboot To change the switch loopback IP address 1 Navigate to the Configuration Switch General page on the WebUI 2 Modify the loopback IP address in the Loopback Interface section on this page a...

Страница 27: ...nce Switch Reboot page to reboot the switch to apply the change of loopback IP address 4 Click Continue to save the configuration 5 When prompted that the changes were written successfully to flash cl...

Страница 28: ...18 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Страница 29: ...in an active active mode or a hot standby mode master backing up a set of local switches a pair of switches acting as a redundant pair of master switches in a hot standby mode Each of these modes is e...

Страница 30: ...on the same broadcast domain or layer 2 connected for VRRP operation The two switches should be of the same class A800 to A800 or higher and both switches should be running the same version of AirOS...

Страница 31: ...figure this with the same value as the VLAN ID for easy administration Advertisement Interval This is the interval between successive VRRP advertisements sent by the current master Recommended to leav...

Страница 32: ...mption Selecting this option means that a switch can take over the role of master if it detects a lower priority switch currently acting as master For this topology it is recommended NOT to select thi...

Страница 33: ...floor location with 0 being used as a wild card for any of the values Thus a location code of 10 0 0 would refer to all the APs in building 10 Refer to the AP provisioning guide for directions on how...

Страница 34: ...unavailable The Master switch is also responsible for providing the configuration for any AP to complete its boot process If the Master becomes unavailable the network continues to run without any in...

Страница 35: ...easier administration and maintenance Step 2 vlan vlan id Associates the VRRP instance with a VLAN VLAN ID from step i Step 3 ip address ip address Virtual IP address for the VRRP instance Virtual IP...

Страница 36: ...of up to 8 characters can be configured on both the peer switches This is an optional configuration Step 6 description description Optional Optional description to the VRRP instance Any text descript...

Страница 37: ...e following commands to change the Master IP of the local switch The switch will require a reboot after changing the Master IP of the switch If DNS resolution is the chosen mechanism for the APs to di...

Страница 38: ...er the APs once more This type of redundant solution is illustrated by the following topology diagram NOTE This solution requires that the master switch has a layer 2 connectivity to all the local swi...

Страница 39: ...respectively Note the master switch will be configured for a number of VRRP instances equal to the number of local switches the master is backing up Command Explanation Expected Recommended Values Ste...

Страница 40: ...config vrrp priority 110 Aruba2400 config vrrp preempt Aruba2400 config vrrp authentication password Aruba2400 config vrrp description local backed by master Aruba2400 config vrrp no shutdown Configur...

Страница 41: ...ba2400 config ap location 1 1 0 Aruba2400 sap config location 1 1 0 lms ip 10 200 11 254 Aruba2400 sap config location 1 1 0 Command Explanation Expected recommended values Step 1 ap location b f l Ch...

Страница 42: ...32 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Страница 43: ...section walks the user through the basic 802 11 configurations The web interface classifies the WLAN configurations into 3 major categories z Network The global WLAN configurations can be done under...

Страница 44: ...ng fields needs to be configured for each SSID separately Parameter Definition Explanation SSID The SSID of the network Radio type Choose the radio types to apply the configurations a b g a b g a b g...

Страница 45: ...TE The default SSID present is aruba ap This will be broadcast as a valid SSID if the value is not changed This is the only SSID that permits the change of the SSID name AES CCM Advanced Encryption St...

Страница 46: ...any encryption open system WEP TKIP AES CCM Mixed TKIP AES CCM SSID Default VLAN The VLAN that will be assigned to the wireless users after they associate to the SSID The value for the VLAN can be sel...

Страница 47: ...be no encryption The packets between the AP and the client would be in clear text Click the Apply tab to apply the configuration changes made and to prevent loss of work before navigating to other pag...

Страница 48: ...igating to other pages Configuring TKIP Encryption z Select the radio button to enable TKIP encryption This opens the TKIP dialog z Select PSK TKIP for static TKIP key configuration and WPA TKIP for d...

Страница 49: ...key configuration and WPA2 AES CCM for dynamic AES z If PSK AES CCM is selected the key can be hex or ASCII Enter a 64 character hex key or a 8 63 character ASCII key Valid characters are letters and...

Страница 50: ...er hex key or a 8 63 character ASCII key z Click Apply to apply the configuration changes made and to prevent loss of work before navigating to other pages 3 To configure multiple SSID click Add and r...

Страница 51: ...o take effect Configuring WLANs Radio Configuration The radio settings can be fine tuned using the Web interface Selecting these options may affect roaming performance 1 Navigate to the Configuration...

Страница 52: ...ser Guide January 2005 7 Check Apply to apply the changes before navigating to other pages to prevent loss of configuration 8 The above configuration can be created for 802 11a by navigating to the Co...

Страница 53: ...ons and these locations are used to configure the AP uniquely The global configurations will be overridden by the location specific configurations 1 Navigate to the Configuration WLAN Radio Advanced p...

Страница 54: ...d configuring the radios as required by selecting the tabs on the page To add a new SSID 1 Click Add and configure the SSID similar to configuring the 802 11 Networks 2 All radio configurations for th...

Страница 55: ...ith dynamic WEP z A b g SSID called voice with static WEP z The AP in location 4 2 6 is set to have guest SSID in addition to the other two SSID The guest SSID is open 1 Configure the a b g SSID aruba...

Страница 56: ...46 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 3 Configure the guest SSID for location 1 10 2 z Add the location 1 10 2...

Страница 57: ...Adaptive Radio Management Adaptive Radio Management ARM is the next generation RF resource allocation algorithm in AirOS 2 3 ARM is an enhancement to Auto RRA functionality and performance ARM is the...

Страница 58: ...rference index is greater than the interference index on the new channel by a value greater than or equal to the free channel index If the criteria are not met the AP will remain on the current channe...

Страница 59: ...io 802 11b g page to enable ARM on the b g radio 2 Set ARM Assignment to Enable from the pull down menu to enable ARM 3 Set ARM Scanning to Enable to enable scanning on the AP 4 The ARM Scan Interval...

Страница 60: ...50 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 6 Once these changes are made along with the Radio changes click Apply to apply the configurations...

Страница 61: ...ned firewall policies The administrator can then associate a set of these firewall policies with a user role to define the network privileges associated with a user role Every user that associates to...

Страница 62: ...dress that starts with bytes xx yy zz 3 Default role for an authentication method Every authentication method can be derived with a default role for users that are successfully authenticated using tha...

Страница 63: ...hapter 5 2 Click Add to create a new policy 3 Click Add to add a rule to the policy being created The following table summa rizes the various fields that are required for a rule to be created and the...

Страница 64: ...ic host When this option is chosen it is required to con figure the IP address of the host z network This refers to a traffic that has a source IP from a sub net of IP addresses When this option is ch...

Страница 65: ...onfigure a range of TCP port s to match for the rule to be applied z UDP Using this option the administrator can configure a range of UDP port s to match for the rule to be applied z Pre defined Servi...

Страница 66: ...kets matching the rule When this option is selected the administrator also needs to select a NAT pool If this pool is not configured the administrator needs to config ure a NAT pool by navigating to t...

Страница 67: ...eld indicates that a client that is the source or destination of traffic that matches the rule should be automatically blacklisted Select this option if it is required to auto blacklist a client that...

Страница 68: ...he rules can be re ordered by the using the up and down but tons provided with each rule 5 Once all the required rules are created and ordered as required click the Apply button to apply this configur...

Страница 69: ...n the Edit policy page the administrator can delete existing rules add new rules following the same procedure in Step 3 of Creating a New Policy on page 52 or reorder the policies 4 When all rules hav...

Страница 70: ...policy can be applied to one or more user roles Similarly each user role can constitute one or more policies 1 Navigate to the Configuration Security Roles page on the WebUI This page shows the list...

Страница 71: ...nd Policies 61 Chapter 5 3 Enter the desired name for the role In the example used below the name given to the role is employee 4 To apply a set of policies to this user role click the Add button in t...

Страница 72: ...62 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 The following table summarizes the different fields visible and the expected recommended values for each field...

Страница 73: ...nd click the Done button to add the policy to the list of policies in the user role If this policy is to be applied to this user role only for specific locations the appli cable location codes can be...

Страница 74: ...ew contract and assign it to the role 5 VPN Dialer This assigns a VPN dialer to a user role For details about VPN dialer refer to the Configuring VPNs section Select a dialer from the drop down list a...

Страница 75: ...65 Chapter 5 6 To edit an existing role click Edit for the required user role to start editing a user role The fields are the same as shown above The screen shot below shows the screen when the Edit o...

Страница 76: ...66 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Страница 77: ...it to interface with these servers On the server side the switch needs to be recognized for the server to process requests from the switch This document talks only about the configuration on the switc...

Страница 78: ...lied only when there are two or more authentication servers configured The authentication Server Dead Timeout is the maximum period for which an authentication server is proclaimed dead before being a...

Страница 79: ...d applied in case of errors and changes at any time 2 Navigate to Configuration AAA Servers RADIUS page 3 Configure the RADIUS settings Parameter Description Value in the Example Server Name The name...

Страница 80: ...rver entry Enter the values gathered from the previous step 5 Set the Mode to Enable to activate the authentication server 6 Click Apply to apply the configuration NOTE The configuration will not take...

Страница 81: ...3 The configuration page displays Make the required modifications on the page and click Apply to save the configurations Deleting an Existing Entry 1 Navigate to the Configuration AAA Servers RADIUS...

Страница 82: ...of the node which contains the entire user database that we want to use cn Users dc lm dc arubanetworks dc com Admin DN A user who has read search privileges across all the entries in the LDAP databa...

Страница 83: ...step 1 4 Set the mode to Enable to enable the LDAP server when it is online 5 Click Apply to apply the changes made to the configuration NOTE The configuration does not take effect until this step is...

Страница 84: ...he entry to be modified and modify the desired parameters 3 Click Apply to have the changes take effect Deleting an Existing Entry 1 Navigate to the Configuration AAA Servers Security LDAP page 2 Clic...

Страница 85: ...y needs to be created for each user To add a new user entry to the Internal Database 1 Navigate to the Configuration AAA Servers Internal Database page The parameters a description of the parameters a...

Страница 86: ...tivated on creation If this box is unchecked this user entry will not be considered during authentication 5 Configure the role of the user 6 Apply the configuration by clicking Apply after creating ea...

Страница 87: ...delete the entry and re create the entry with the neces sary modifications All entries must be individually created and modified Deleting an Entry 1 Navigate to the Configuration AAA Servers Internal...

Страница 88: ...for some users based on the attributes returned for the user during authentication These values would take precedence over the default role and VLAN configuration for the authenticated user To add a s...

Страница 89: ...if and only if the attribute value contains the string in parameter Value z Starts with the rule is applied if and only if the attribute value returned starts with the string in parameter Value z Ends...

Страница 90: ...ross all the authentication types that use the server as the primary authentication server Example Based on the filter ID returned users will be classified as admin employee and guest If none of the r...

Страница 91: ...figuring AAA Servers 81 Chapter 6 The first rule that matches the condition gets applied Also the rules are applied in the order shown To change the order use the S or T arrows to the right of the ent...

Страница 92: ...82 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Страница 93: ...network by allowing them to logon as guests Captive portal can also be configured to allow users to download the Aruba VPN dialer for the Microsoft VPN client if the VPN is going to be terminated on...

Страница 94: ...nfigure the role that the guest logon users will take See Configuring Firewall Roles and Policies for information on configuring a role 3 Determine the protocol captive portal will use Modify the capt...

Страница 95: ...ps ensure that the captiveportal policy has the following rules user alias mswitch svc https permit user any svc http dst nat 8080 user any svc https dst nat 8081 4 In the default user role of un auth...

Страница 96: ...ver In case of guest logon this field needs to be unchecked if captive portal is used for guest logon only Default Checked Enable Logout Popup Window When this is enabled a pop up window will appear w...

Страница 97: ...If CPU utilization is above 50 wait for 10 15 seconds before popping up logon page z In this example there is no pause time before redirecting to the captive portal page Redirect Pause Timeout This is...

Страница 98: ...ers that the switch can support 1 Navigate to the Configuration Security Authentication Methods Captive Portal Authentication page Parameter Values for this example Default role cap_guest Enable Guest...

Страница 99: ...etermine the protocol captive portal will use Modify the captiveportal policy to support the selected protocol z HTTP If the protocol selected is http ensure that the following rules are included in t...

Страница 100: ...y svc http dst nat 8080 user any svc https dst nat 8081 4 In the default role for unauthenticated users logon role by default ensure that the cap tiveportal policy has been added The user traffic need...

Страница 101: ...The protocol used on re direction to captive portal page http https If http is selected the captive portal policy will have to be modified to allow http traffic Default https Redirect Pause Timeout T...

Страница 102: ...he Enable User Logon checkbox is selected 8 Set the protocol type http or https as per the requirement 9 Set the welcome page location to the required URL To configure the AAA server captive portal wi...

Страница 103: ...ght on the entry to move it higher up or lower down in the list 6 Click the Apply for the configuration changes made to take effect Example This example sets up the captive portal for user logon z The...

Страница 104: ...e Policy 1 Navigate to the Maintenance Captive Portal Customize Login page Parameter Values for this example Default role employee Enable Guest Logon Unchecked Enable User Logon Checked Enable Logout...

Страница 105: ...ge design present To customize the page design 1 Select the YOUR CUSTOM DESIGN page 2 Under Additional Information enter the location of the JPEG image in the space pro vided beside Upload your own cu...

Страница 106: ...to be displayed in the Page Text in HTML format message box To view the changes click Submit at the bottom on the page and then click the View CaptivePortal link This will bring up the captive portal...

Страница 107: ...Configuring the Captive Portal 97 Chapter 7...

Страница 108: ...98 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 The text keyed in will appear in a text box when the Acceptable Use Policy is clicked on the captive portal web page...

Страница 109: ...ng the client to authenticate the network These authentication protocols are all based on EAP Extensible Authentication Protocol and are also referred to as EAP types The 802 1x system consists of thr...

Страница 110: ...es and Policies z Authentication Server The authentication server the switch would use to validate the users Verify that the authentication server supports 802 1x Most LDAP servers do not The Internal...

Страница 111: ...Configuring 802 1x Security 101 Chapter 8 The following fields need to be modified for wireless user authentication...

Страница 112: ...e role assigned to the user when the user signs in using 802 1x authentication The default value is guest If derivation rules are present the roles assigned to the user through these rules will take p...

Страница 113: ...of the timer is 24 hours If the user fails to re authenticate will valid credentials the state of the user is cleared If derivation rules are used to classify dot1x users then the Re authentication t...

Страница 114: ...January 2005 2 From the pull down menu under Choose an Authentication Server select the RADIUS server that will be the primary authentication server Click Add after making the choice 3 To add multiple...

Страница 115: ...ending priority The first entry is always the pri mary server To change the order use the S or T to the right on the entry to move it higher up or lower down in the list 5 Click the Apply to apply the...

Страница 116: ...100 configured by role Authentication Server Radius_Server_1 RADIUS server that supports 802 1x SSID dot1x with dynamic TKIP Authentication Failure Threshold for Station Blacklisting 3 NOTE If necessa...

Страница 117: ...Configuring 802 1x Security 107 Chapter 8 3 Create the SSID dot1x with dynamic TKIP 4 Click Apply to apply the configuration...

Страница 118: ...3 User Guide January 2005 Configuring User and Machine Authentication 802 1x can be used to perform user and machine authentication This tightens the authentication process further since both machine...

Страница 119: ...Role Limited access depending on users like guest Passed Failed If machine authentication succeeds and user authentication has not been initiated the role assigned would be the Machine Authentication...

Страница 120: ...es z Authentication Server The authentication server the switch would use to validate the users Verify that the authentication server supports 802 1x Most LDAP servers do not The Internal Server does...

Страница 121: ...Configuring 802 1x Security 111 Chapter 8 The following fields need to be modified for machine and user 802 1x authentication...

Страница 122: ...s field need to be checked Default Unchecked Checkbox Select this box Enable Re authentication When set this will force the client to do a 802 1x re authentication after the expiry of the default time...

Страница 123: ...he machine authentication goes through but the user authentication has not yet been initiated Default guest Pull down menu of pre configured roles Select the role that needs to be applied if only mach...

Страница 124: ...king the choice 4 To add multiple auth servers repeat above steps for each server 5 The servers appear in the order of descending priority The first entry is always the pri mary server To change the o...

Страница 125: ...ilure Threshold for Station Blacklisting 3 In this example z If machine authentication succeeds the role assigned would be the dot1x_mc role z If only user authentication succeeds the role assigned wo...

Страница 126: ...116 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 3 Enter the values as per the example 4 Click Apply for the configuration to take effect...

Страница 127: ...id other devices from accessing the voice network using what is normally an insecure SSID Configuring the Switch To enable MAC based authentication on the Aruba WLAN switch 1 Before configuring MAC ba...

Страница 128: ...If not set the value to 0 Parameters Description Type of value Operation Authentication Enabled To enable MAC based authentication this field must be checked Default Unchecked Checkbox Select this box...

Страница 129: ...right of the entry to move it higher up or lower down in the list 4 Click Apply to apply the changes made Verify that the changes made have taken effect on the resultant page Configuring Users This se...

Страница 130: ...r that is different from the MAC based authentication default role in the Role field enter the role for the user z Select the Enabled checkbox to activate the user z Click Apply to apply the settings...

Страница 131: ...o the wireless users To create this configuration 1 Configure the 802 1x for user or user and machine authentication as explained in the pre vious sections 2 Check the Enable Wired Clients check box i...

Страница 132: ...changes Care should be taken to clear all logged on users and forcing them to re authenticate Remember to apply the changes made by clicking Apply for the changes to take effect Resetting the 802 1x S...

Страница 133: ...4 Click Apply This will reset the settings to factory default Advanced Configuration Options of 802 1x This section talks about the Advanced Configuration on the 802 1x page NOTE The Advanced Configur...

Страница 134: ...after which the authentication server is timed out as the 802 1x server after it fails to respond Client Response Timeout Time in sees Time after which the client is timed out as after it fails to re...

Страница 135: ...e updated after each re authorization Enable Multicast Key Rotation This option enables the rotation of multicast keys Multicast keys are used to encrypt multicast packets generated for each AP Multic...

Страница 136: ...126 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Страница 137: ...used as a VPN concentrator terminating all VPN connections from wire and wireless users For Windows a dialer can be downloaded from the switch to auto configure the tunnel settings on the dialer This...

Страница 138: ...old for Station Blacklisting to an integer value This number indicates the number of contiguous authentication failures before the station is blacklisted 5 Click Apply to apply the settings and to avo...

Страница 139: ...list 6 Click Apply to apply the configuration changes made before navigating to other pages to avoid losing the changes made 7 Click Save Configuration to save the configuration between reboots Config...

Страница 140: ...the authentication method Currently supported methods are PAP CHAP MSC HAP and MSCHAPv2 6 Configure the Primary Secondary DNS servers and Primary and Secondary WINS Server that will be pushed to the...

Страница 141: ...req uisite for using this option is to have a NAT pool which can be created by navigating to the Security Advanced NAT Pools page IKE Shared Secrets Set the value of the IKE key The key the subnet ca...

Страница 142: ...2 7 The configurations from a through e along with the pre share key need to be reflected in the VPN client configuration When using a 3rd party VPN client set the VPN configuration on clients to matc...

Страница 143: ...Currently supported method is MSCHAPv2 Check the radio button to select it 6 Configure the Primary Secondary DNS servers and Primary and Secondary WINS Server that will be pushed to the VPN Dialer 7...

Страница 144: ...age 5 Click Apply to apply the changes made before navigating to other pages Configuring Aruba Dialer Example 1 Navigate to the Security VPN Settings Dialers page Click Add to add a new dialer or Edit...

Страница 145: ...e Group configuration as per the IKE Policy configuration setting for Diffie Hel man Group 4 Select the IPSEC Encryption as per the IKE Policy configuration setting for Encryption 5 Select the IPSEC H...

Страница 146: ...art 0500036 02 v2 3 User Guide January 2005 Examples In this example the following settings apply VPN Settings Authentication Server radon Default VPN role vpn_user Authentication method MSCHAPv2 Prim...

Страница 147: ...uthentication Secondary DNS 10 10 1 2 Primary WINS 10 1 1 2 L2TP Pool 192 168 100 1 192 168 100 100 Pre shared key test123 Primary DNS 10 10 1 1 Secondary DNS 10 10 1 2 Primary WINS 10 1 1 2 IKE encry...

Страница 148: ...138 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 Configure L2TP IPSec 1 Configure the DNS and WINS server...

Страница 149: ...Configuring Virtual Private Networks 139 Chapter 9 2 Configuring the L2TP pool 3 Click Add below Address Pools Once completed click Done...

Страница 150: ...0500036 02 v2 3 User Guide January 2005 4 Configure the IKE shared secret test123 5 Configure the IKE policies 6 The final config page should look like the page below Once this done click Apply to app...

Страница 151: ...figuring Virtual Private Networks 141 Chapter 9 7 Configure the dialer by configuring the key to match the IKE shared secret key in Con figure the IKE policies Click Apply when done to apply the chang...

Страница 152: ...6 02 v2 3 User Guide January 2005 8 Configure the dialer in the captive portal user role that will be used to download the dialer Configuring PPTP 1 Navigate to the PPTP configuration page as explaine...

Страница 153: ...WINS server Check the Enable PPTP and MSCHAPv2 check box 3 Configure the PPTP pool 4 Click Apply for the configurations to take effect 5 Configure the dialer Check the Enable L2TP and MSCHAPv2 checkbo...

Страница 154: ...02 v2 3 User Guide January 2005 6 Configure the dialer in the captive portal user role that will be used to download the dialer by navigating to the Configuration Security Authentication Methods Capti...

Страница 155: ...Configuring Virtual Private Networks 145 Chapter 9...

Страница 156: ...146 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Страница 157: ...y to detect a interfering rogue AP and classify it as a interfering or a rogue AP An interfering AP is an Access Point that the Aruba Access points Air Monitors in the air A rogue AP is an Access Poin...

Страница 158: ...AP beacons to confuse legitimate users and to increase the amount of processing client operating systems must do Refer to the Configuring Denial of Service attack detection section for more details M...

Страница 159: ...te and edit new sig natures For more details on how to configure and create new signatures refer to the Con figuring Signature detection section WLAN Policies z Adhoc network detection containment As...

Страница 160: ...Ps using these reserved resources This feature can be used in a multi tenant building where different enterprises must share the RF envi ronment This feature can also be used to defend against honeypo...

Страница 161: ...ue AP will be disconnected from the rogue AP through a denial of service attack 2 Mark All New Access Points as Valid Access Points When installing an Aruba WLAN Switch in an environment with an exist...

Страница 162: ...ts as Rogue Access Points In an environment where no interfering APs should exist for example a building far away from any other buildings or an RF shielded building enable this option to turn off the...

Страница 163: ...efined by the 802 11 standard The following table explains what each field implies To edit any of the values from the default values for a channel click the Edit button in the appropriate section chan...

Страница 164: ...must elapse before another identical alarm may be triggered This option prevents excessive messages in the log file Field Description 1 Enable Fake AP Flood Detection Enables or disables the feature 2...

Страница 165: ...onfigure station disconnection detection click Disconnect Station The following table gives a brief description of the fields in this section 1 To configure EAP Handshake analysis click the EAP Handsh...

Страница 166: ...ber of EAP handshakes that must be received within the EAP Time Interval in order to trigger an alarm 3 EAP Time Interval secs The time period in which a configured number of EAP handshakes must be re...

Страница 167: ...eed the sequence number difference threshold in order for an alarm to be triggered 4 Sequence Number Checking Quiet Time secs After an alarm has been triggered the amount of time that must pass before...

Страница 168: ...es or disables this feature 2 Signature Analysis Quiet Time secs After an alarm has been triggered the amount of time that must pass before another identical alarm may be triggered Signature Descripti...

Страница 169: ...e containing a null SSID A number of popular NIC cards will lock up upon receiving such a probe response 4 NetStumbler Generic NetStumbler is a popular wardriving application used to locate 802 11 net...

Страница 170: ...e leave this field disabled if only creating a signature but enabling detection at this point 3 Click Add to add a signature rule 4 In the Add Condition section add a rule that matches an attribute to...

Страница 171: ...ayload This looks for a pattern at a fixed offset in the payload of a 802 11 frame The administrator can configure the pattern and the offset where the pattern is expected to be found in the frame z S...

Страница 172: ...he list of the rules as shown above When the required number of rules has been added click Apply to apply the configuration NOTE The configuration will not take effect if it is not applied Configuring...

Страница 173: ...Detection Policies Misconfigured AP as shown in the figure below Field Description 1 Enable Adhoc Networks Activity Detection Enable detection of Ad hoc networks 2 Enable Adhoc Network Protection When...

Страница 174: ...erprise 802 11b g Channels Defines the list of valid 802 11b g channels that 3rd party APs are allowed to use 4 Valid Enterprise 802 11a Channels Defines the list of valid 802 11a channels that 3rd pa...

Страница 175: ...to enable this feature Configuring Multi Tenancy detection To configure multi tenancy policies navigate to Configuration WLAN Intrusion Detection Policies Multi Tenancy as shown in the figure below 8...

Страница 176: ...be disabled using a denial of service attack 2 Valid Enterprise SSID List A list of reserved SSIDs 3 Disable Access Points Violating Channel Allocation Agreements When an unknown AP is detected using...

Страница 177: ...ing SNMP for the Aruba WLAN Switch Aruba WLAN Switches and APs support versions 1 2c and 3 of SNMP for reporting purposes only In other words SNMP cannot be used for setting values in an Aruba system...

Страница 178: ...me of the switch String to act as the host name for the switch being configured 2 System Contact Name of the person who acts as the System Contact or administrator for the switch System contacts name...

Страница 179: ...of SNMP traps to configured SNMP trap receivers Refer to the list of traps in the SNMP traps section below for a list of traps that are generated by the Aruba WLAN Switch Select this option and confi...

Страница 180: ...2 3 User Guide January 2005 2 Enter the details for the SNMPv3 user as explained in the table below Field Description Expected recommended Values 1 User name A string representing the name of the user...

Страница 181: ...essages sent on behalf of this user can be authenticated the private authentication key for use with the authentication protocol String password for MD5 SHA depending on the choice above 4 Privacy pro...

Страница 182: ...Access Points can be done at a global level thereby being applicable for all the Aruba Access Points in the network as well as for a particular set of Access Point s by using the AP location codes Th...

Страница 183: ...d Network Management 173 Chapter 11 2 Configure the basic SNMP parameters in the section SNMP System Information The fields are similar to the ones explained for the switch and are explained in the ta...

Страница 184: ...or all APs 4 Enable SNMP Traps Enables generation of SNMP traps from all Access Points Refer to the list of traps in SNMP traps section for a complete list of traps that may be generated by Aruba Acce...

Страница 185: ...be 1 or 2c z Community string UDP port on which the trap receiver is listening for traps The default is the UDP port number 162 This is OPTIONAL and will use the default port number if not modified by...

Страница 186: ...gate to Configuration WLAN Advanced page on the WebUI of the Master switch 3 Authentication protocol password If messages sent on behalf of this user can be authenticated the private authentication ke...

Страница 187: ...a location code using 0 as the wild card value when required as explained above If the set already exists click Edit for the chosen set and proceed to step 4 to configure the SNMP parame ters for the...

Страница 188: ...m the Switch The following is a list of key traps generated by the Aruba WLAN Switch 1 1 Switch IP changed a Description This indicates the switch IP has been changed The Switch IP is either the Loopb...

Страница 189: ...witch where the user is visible b Priority Level Medium 4 Authentication server request timed out a Description This trap indicates that a request to a authentication server did not receive a response...

Страница 190: ...nt at the same time in the user table is 4096 b Priority Level Critical 8 Authentication Bandwidth contracts table full a Description This trap indicates that the maximum number of configured bandwidt...

Страница 191: ...oved a Description These traps indicate that a Supervisor card has been inserted or removed from the switch b Priority Level Critical 16 Power supply missing a Description This trap indicates that one...

Страница 192: ...In addition to this the BSSID and SSID of the detected AP is also included b Priority Level High 4 Valid SSID violation a Description This indicates a configuration in the configuration of the SSID of...

Страница 193: ...cription This trap indicates an error in the Short Preamble configuration of an Access Point The AP generates the trap and includes its BSSID the configured SSID and the location of the AP in the trap...

Страница 194: ...should be configured related to this event are Frame Retry Rate High Watermark and Frame Retry Rate Low watermark The High Watermark refers to the percentage threshold which if surpassed triggers the...

Страница 195: ...table below summarizes these modules Module Description 1 Management AAA The module responsible for authentication of management users telnet ssh WebUI 2 Authentication The module responsible for aut...

Страница 196: ...teps below to configure the same 1 Navigate to the Configuration Management Logging page on the WebUI 2 To add a logging server click Add in the Logging Server section 10 Station Manager The module re...

Страница 197: ...System and Network Management 187 Chapter 11 3 Click Add to add the logging server to the list of logging servers Ensure that the syslog server is enabled and configured on this host...

Страница 198: ...o step 6 To modify the logging level of any of the modules select the required module from the list of the modules shown From the drop down list that appears on the screen choose the appropriate loggi...

Страница 199: ...System and Network Management 189 Chapter 11 5 Click Done to make the modification...

Страница 200: ...190 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 6 Click Apply to apply the configuration NOTE Until this step is completed none of the configuration changes will take effect...

Страница 201: ...ing Firewall roles and policies document for more details Thus in an Aruba system the administrator can configure two roles one for clients that do mostly data traffic such as laptops and the other fo...

Страница 202: ...ce to the voice traffic ensure that the high prior ity option is selected for the rule allowing SVP traffic as shown in the screen shot below Note This is highly recommended when deploying voice over...

Страница 203: ...onfiguring Firewall Roles and Policies for more details on adding and configur ing a firewall role 6 Configure the devices to be placed in the role svp phones on the basis of the SSID used or OUI of t...

Страница 204: ...on equals with the SSID value being voice SSID i e the SSID being used for voice devices and role name being svp phones i e the role name configured in the step above iii Click Apply to apply the conf...

Страница 205: ...guration Security Authentication Methods Advanced ii Add a condition with rule type Mac Address condition contains value being the first three octets or the OUI of the devices being used for instance...

Страница 206: ...be considerable delay between the switch and the Access Points it is recommended to enable the local probe response feature This can be done by accessing the CLI of the switch using the console connec...

Страница 207: ...ter 12 Configuring QoS for SIP Follow the steps below to configure a role for phones using SIP and provide QoS for the same 1 Create a service for SIP traffic called svc sip that corresponds to the UD...

Страница 208: ...mpleted 2 Create a policy called sip policy that allows only SIP traffic refer to Configuring Fire wall rules and policies for more details on creating a new policy If providing higher qual ity of ser...

Страница 209: ...of their MAC address Each of the two are explained in the following two steps respectively a SSID based role derivation i Navigate to Configuration Security Authentication Methods SSID ii Add a condi...

Страница 210: ...3 User Guide January 2005 iii Click Apply to apply this configuration NOTE The changes will not take effect until this step is completed b OUI based role derivation i Navigate to Configuration Securi...

Страница 211: ...tion contains value being the first three octets or the OUI of the devices being used for instance we are using an example OUI 00 0a 0b and role name being sip phones i e the role configured in the st...

Страница 212: ...202 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Страница 213: ...LAN switches and Access Points However these configurations are valid for all Aruba WLAN switches A5000 A2400 and A800 and for all Aruba Access Points APs AP52 60 61 unless explicitly mentioned otherw...

Страница 214: ...3 1 Example One Topology The following steps configure the topology shown in Figure 13 1 1 Configure the DHCP server on the switch to serve the subnet that includes the AP ASTER 0 0 NTERNET AYER 2OUTE...

Страница 215: ...ration and enter the details for the pool FIGURE 13 3 Adding the DHCP Pool 3 Apply this configuration and then start the DHCP server 4 Add all the ports on the Aruba WLAN Switch to the subnet 14 5 On...

Страница 216: ...sted to make all ports trusted z Select Enable 802 3af Power Over Ethernet to enable PoE on all ports FIGURE 13 4 Configuring the Ports 6 Apply this configuration 7 Plug the Aruba AP into one of the f...

Страница 217: ...rk Specify the following basic configuration z SSID demo aruba z Encryption type Static WEP z WEP key 11 Apply this configuration 12 Enable the AP to accept association requests from clients by config...

Страница 218: ...ary 2005 FIGURE 13 6 Configuring the Radio Parameters 13 Apply this configuration 14 Configure the role for an authenticated user called authenticated user in this example on the Configuration Securit...

Страница 219: ...apply this configuration FIGURE 13 8 Adding User Roles 17 Configure the authentication parameters for Captive Portal Authentication on the Config uration Security Authentication Methods page Select th...

Страница 220: ...rt Authentication 19 This step is not needed if you are using an external authentication server If you are using the internal server use the following CLI commands to add the required users to the dat...

Страница 221: ...ll Aruba WLAN switches A5000 A2400 and A800 and for all Aruba Access Points APs AP52 60 61 unless explicitly mentioned otherwise This example is based on a topology which has the following characteris...

Страница 222: ...IP helper address on the Layer 3 switch on the same subnet as the Access Points with the IP address of the Aruba WLAN Switch Additionally con figure an IP helper address on the Layer 3 switch for the...

Страница 223: ...rk on the Configuration Net work SSID page Click Edit to modify the parameters of the default WLAN network FIGURE 14 2 Configuring SSIDs 3 Configure the SSID of the network as desired company ssid in...

Страница 224: ...214 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 FIGURE 14 3 Editing the SSID 4 Apply the configuration to complete the WLAN network configuration...

Страница 225: ...this example VLAN 14 is the interface Therefore the client IP address for the RADIUS server config uration is the IP address of the VLAN 14 interface 10 200 14 6 The NAS IP Address is the loopback IP...

Страница 226: ...Adding User Roles 8 Configure the pre defined guest role to have privileges to only use HTTP protocol To do this configure the pre defined policy called guest on the Configuration Security Policies p...

Страница 227: ...hapter 14 FIGURE 14 7 Applying the User Role Configuration FIGURE 14 8 Editing Policies 10 Add this policy to the list of applied policies to the pre defined role guest to complete configuration guest...

Страница 228: ...IGURE 14 10 Editing Roles 11 Apply this configuration to complete the configuration of the guest privileges 12 Complete the 802 1x configuration for the deployment model by adding the RADIUS server an...

Страница 229: ...o 219 Chapter 14 FIGURE 14 11 Configuring RADIUS Servers FIGURE 14 12 Adding a RADIUS Server 13 Apply this configuration The following screen should indicate that the RADIUS server configuration is su...

Страница 230: ...ameter on the Configuration Security Authentication Methods 802 1x page 15 Choose the newly created role called authenticated user as the default role and User authentication as the default role 16 Se...

Страница 231: ...plete 802 1x configuration FIGURE 14 14 Completing 802 1x Authentication Configu ration 18 Select the Captive Portal tab on Authentication Methods to enable guest logon using Cap tive Portal 19 Select...

Страница 232: ...222 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 FIGURE 14 15 Configuring Captive Portal Authentication...

Страница 233: ...er these configurations are valid for all Aruba WLAN switches A5000 A2400 and A800 and for all Aruba Access Points APs AP52 60 61 unless explicitly mentioned otherwise This example is based on a topol...

Страница 234: ...ts to use the Aruba Discovery Protocol to discover the Aruba WLAN Switch over a layer 3 network There are various methods that can be used by this protocol including IP multi cast broadcast DHCP Vendo...

Страница 235: ...CP Relay layer3 config if ip helper address 10 200 14 14 ADP relay 3 Configure the Virtual Router Redundancy Protocol VRRP on both the switches on the subnet that connects the two Aruba WLAN Switches...

Страница 236: ...s parameters and configuring the Admin state to Up 6 The VRRP instance should be added to the list of VRRP instances as shown below FIGURE 15 4 Completing VRRP Configuration 7 Configure the WLAN param...

Страница 237: ...SID of the network as desired company ssid in the example Select WEP as the encryption type and select both Static WEP and Dynamic WEP Also enter the static WEP key to be used as shown below FIGURE 15...

Страница 238: ...to the RADIUS server In this example VLAN 14 is that interface Therefore the client IP address for the RADIUS server configuration is the IP address of the VLAN 14 interface 10 200 14 6 The NAS IP Add...

Страница 239: ...ned guest role to have privileges to only use HTTP protocol To do this configure the pre defined policy called guest on the Configuration Security Policies page to add a rule to allow HTTP traffic 16...

Страница 240: ...er Guide January 2005 FIGURE 15 10 Editing Policies 17 Add this policy to the list of applied policies to the pre defined role guest to complete configuration guest privileges on the network FIGURE 15...

Страница 241: ...uration to complete the configuration of the guest privileges 19 To complete the 802 1x configuration for the deployment model add the RADIUS server and its characteristics to the list of servers on C...

Страница 242: ...y this configuration The following screen should indicate that the RADIUS server configuration was success fully applied FIGURE 15 15 Completing RADIUS Server Configuration 21 Enable 802 1x authentica...

Страница 243: ...ti cation and add the RADIUS server to the list of authentication servers The following screen shows this configuration 23 Apply this configuration to complete 802 1x configuration FIGURE 15 16 Config...

Страница 244: ...234 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005 FIGURE 15 17 Configuring Captive Portal Authentication...

Страница 245: ...trusion Detection Rogue AP and select Dis able Users from Connecting to Rogue Access Points as shown in Figure 15 18 below FIGURE 15 18 Configuring Rogue APs 27 Click Apply to apply this configuration...

Страница 246: ...236 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Страница 247: ...itches can act as the DHCP server for the subnet or can use an external DHCP server To enable seamless mobility between the subnets as the clients move mobility needs to be enabled A brief description...

Страница 248: ...th the WEP key 2 User Employee SSID employee1 Encryption WPA TKIP Firewall Policies Access to the entire network Authentication method MSFT PEAP using IAS RADIUS VLAN Native VLAN of the local switch T...

Страница 249: ...h acts as a backup for all local switches The master is not redundant which means that if the master goes down the network will be affected as there is no redundant master to take its place However if...

Страница 250: ...l Switch z The local switch shares a VRRP instance with the master The address of the VRRP instance VLAN ID on the local switch and the corresponding instance on the master must be the same Ex The VRR...

Страница 251: ...for APs on the same floor but the vlan id and lms ip differ for APs on the different floors One approach is to number the APs such that APs connected to local switch have the same building and floor I...

Страница 252: ...nat the guest users using that pool For example on local users could be nated using a pool of two address 10 1 101 15 10 1 101 16 z Appropriate ACLs will be applied to the guest role For example Inter...

Страница 253: ...er 16 Employee Access with WPA TKIP and PEAP z 802 1x authentication must be enabled for MSFT PEAP z Set the employee role as the default role for 802 1x authentication z Configure the IAS RADIUS serv...

Страница 254: ...244 Aruba AirOS Part 0500036 02 v2 3 User Guide January 2005...

Отзывы:

Нет отзывов

Похожие инструкции для AirOS v2.3

DEVICE FILTER MAC

Бренд: FARONICS Страницы: 4

ZENworks 7.2 Linux Management

Бренд: Novell Страницы: 10

Бренд: IBM Страницы: 62

Бренд: FARONICS Страницы: 4

WINSELECT STANDARD

Бренд: FARONICS Страницы: 36

Бренд: ESET Страницы: 38

Бренд: Waves Страницы: 8

TI InterActive!

Бренд: Texas Instruments Страницы: 63

GW Dataport Command Interface D13202

Бренд: TANDBERG Страницы: 32

Бренд: Navman Страницы: 10

TonePrint Editor

Бренд: TC Electronic Страницы: 19

Бренд: Waves Страницы: 17

Бренд: Canon Страницы: 60

magicolor 2590MF

Бренд: 3D Nord Страницы: 198

Бренд: Epson Страницы: 4

PowerLite D6250

Бренд: Epson Страницы: 6

PowerLite Pro G6050W

Бренд: Epson Страницы: 270

PowerLite Pro G6750WU

Бренд: Epson Страницы: 6

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды