Delta AP-100 User Manual

3.1 Delta Training

Configuration Prior to 3.x• In AOS <3.x, the services over the air from an AP was determined by 2 major groups of settings-• Network wide setting

Inter-Controller MobilityMasterLocalLocalLocal1. Client roams to different controller (foreign agent) 2. FA recognizes client3. FA builds tunnel to

Mobility Domains• Domains define a boundary for roaming clients• Generally a controller belongs to one domain, although it can belong to more• Doma

Mobility DomainsBuilding 2Building 1MasterLocalLocalLocalLocal

Mobility DomainDeploying Mobility Over Large Areas AOS 2.xMasterLocalLocalLocalLocalMobility DomainMasterLocalLocalLocalLocalMobility DomainMasterLoca

Deploying Mobility Over Large Areas AOS 3.xMobility DomainMasterLocalLocalLocalLocalMobility DomainMasterLocalLocalLocalLocalMobility DomainMasterLoca

Domains IllustratedDomain 1 Domain 2Roaming within domain allows user to keep IP addresses, authentication, etcWhen roaming between domains, the user

Enabling Inter-Controller L3 MobilityEnable L3 MobilityCreate new Mobility Domain (optional)

Configure Mobility DomainBuild Home Agent Table

MobileIP on a per-VAP basis

VLAN Pooling

Profile Power• 2.x could only have most settings network-wide:aaa dot1x auth-server foo1• Sets the 802.1x auth server for the entire networkwms asso

VLAN pooling• For larger deployments, VLAN pooling can be used to maintain small broadcast domains while easing administrator burden of managing many

VLAN pooling cont.• Configuration simply means assigning a range of VLANs to a Virtual AP• Pool can be a comma-delimited list or range (or combination

ap group “Building 1”vlan 100-101VLAN PoolingData CenterFirst FloorSecond FloorDHCPE-mail101114Mobility Controllervlan 14: 10.1.14.6/24loopback: 10.1.

IDS

IDS Profiles• IDS settings are now in profiles• A set of default profiles have been created at a variety of levels

ClassificationBACKBONECorporation with Aruba WIPNeighboring Company or Public HotspotParking LotValidInterferingKnown InterferingRogueMobility Control

Rogue AP Configuration

Enable Air Monitor

Troubleshooting and Management Enhancements

Manageability - Overview• RF Trouble Shooting• Amazing tools for AP and Device debugging• Antenna Profile – Tells you which antenna transmits/receiv

AP Groups and ProfileAP GroupAP GroupWireless LANWireless LANRF ManagementRF ManagementAPAPQoSQoSIDSIDSVirtual APPropertiesVirtual APPropertiesSSIDSSI

Antenna Profile Test• This tests if an antenna on an AP is not connected properly or if it is malfunctioning. Packets are sent to a specific target f

Antenna Profile Example(Aruba5000-MX25) #rft test profile antenna-connectivity ip-addr 172.16.25.251 dest-mac 00:16:ce:73:b5:37 radio 0Transaction ID:

Link Profile Test• This test determines the most suitable data rate for a given target. Packets are sent at different rates to find the optimal rate.

Link Profile Examplerft test profile link-quality ip-addr 172.16.25.251 dest-mac 00:16:ce:73:b5:37 radio 1Show rft result all(Aruba5000-MX25) #rft te

Raw Profile Test• This test is effectively a Layer 2 ping.• A fixed number of null data packets are sent to a target and the result of the test is d

Raw Profile Example(Aruba5000-MX25) #rft test profile raw ip-addr 172.16.25.251 dest-mac 00:16:ce:73:b5:37 radio 1Transaction ID: 5701(Aruba5000-MX25)

CorporateNetworkMobility ControllerMobility ControllerClusterClusterSecuritySecurityApplianceApplianceDataCenterDataDataCenterCenterSyslogSyslog: : Vi

Profiles (cont.)

Apply Profiles to AP Group

Configuration - Summary• What does it all fundamentally mean?• Per SSID/Group Enable/disable auth method• TKIP & AES/ WPA & WPA2 any mix, a

Licensing Changes

Licensing changes• 3.1 adds a new “Voice Services” license. • This license adds many new voice- specific features• Voice-aware ARM scanning now req

New Voice Features• QoS• WMM• TSpec/TCLAS• UAPSD• Bandwidth contracts• Traffic Aware ARM scanning• TSpec/ TCLAS signalling enforcement• WMM vo

Voice Aware 802.1x / 802.11i• 802.1x transactions can affect call quality when the device is on call. This feature allows the 802.1x transactions to

What’s new in 3.1?• AP Name/AP Group• Profiles• Licensing changes• RF Plan FQLN and location• ARM Enhancements• Firewall Enhancements• Authenti

Voice Aware Mobility• Voice Awareness is now also built into the Aruba Mobility algorithm.• When a device on call moves from one controller to anoth

Battery Life features • Battery Boost• A wifi client in standby mode needs to wake up on regular interval to check for possible multicast frame. Thi

WEB UI Support

Voice Features: Voice scale and qualityQuality of Service• WMM • WMM EnforcementCall Capacity• T-Spec • Strict accuracyBattery Life• U-APSD / WMM-PS•

RF Plan, FQLN, and ARM

RF Plan changes in 3.1• FQLN• Power level display changes• .11a Channel updates• ARM updates

AP Names & AP Groups No more B.F.N• AP Config:• AP’s now have a single GROUP• AP’s now have a single NAME• Both are alphanumeric text strings-

FQLN• Use Fully Qualified Location Name (FQLN) to associate APs and AMs to a location• FQLN Format:APname.Floor.Building.Campus• Used to map AP to

Setting FQLNSelect building and Mapper

Assign FQLNDropdown options appear only after Campus, Building and Floor have been createdNote: Setting FQLN reboots APs

FQLN• NOTE: you do not have to use the FQLN mapper if you simply set the AP Name in the AP Installation menu to be the same as the AP Name in RF Plan

Power Level Adjustment• Aruba radio power levels are adjustable between 0 and 4• 4 is highest• Calibration will automatically set the power level t

Channel Selection• APs operate most efficiently when they are the only AP on the channel• Calibration will automatically assign channels to each AP

ARM Settings

Firewall Enhancements

Traffic-Aware ARM scanning• Allows one to configure firewal rules that describe traffic types that should cause ARM to pause scanning on whatever AP

Configuration• Configuration examples(config) # ip access-list session mycriticalapp(config-sess) # any any udp <port> permit disable-scanning(

The Advantage Of AP-Groups Group the APs by logical function, not by floors• APs are now grouped, however you like- not just by floor e.g• Cubicles•

Troubleshooting • The best way to troubleshoot this feature is to look at the session table (“show datapath session table”) and verify that the VOIP

Ethertype and MAC FW policies• ArubaOS 3.1 now allows the addition of Ethertype and MAC ACLs to user roles• Simlpy create an Ethertype or MAC ACL an

Per-SSID Bandwidth Contracts• Allocates “air time” to virtual APs on a given physical AP• SSIDs may burst above configured limit as long as other SS

Authentication and Encryption

Module Overview• Authentication• SSID• MAC• Captive Portal• VPN• 802.1x• Encryption• Layer 2 vs. Layer 3• Wireless security protocols• WPA•

Authentication

SSID Authentication• A user can be authenticated simply by associating with a given SSID• A policy is created such that anyone associating with a gi

SSID Authentication Configuration

MAC Authentication• A user’s MAC address can be used to establish Identity• However, MAC addresses can be spoofed by an attacker• Useful for device

MAC Auth Methods• There are 2 different mechanisms for performing MAC Authentication• MAC Auth Profile• User Derivation Rules

AP Name/AP Group• AP Name and AP Group are used to determine what configuration parameters/profiles are pushed to an AP• AP Name must be unique• If

MAC Auth ProfileFormat sent to serverNone: aabbccddeeffDash: aa-bb-cc-dd-ee-ffColon: aa:bb:cc:dd:ee:ff

Specify Authentication Server

User Derivation Rules

User Derivation Rules (cont.)

Internal Database• Built into the controller• Simple authentication option• Can be used with EAP-offload

Internal Database (continued)

Captive Portal• Web-based authentication method (SSL)• Enabled by default• Typically found in Public Hotspots, Universities• User associates (open

Captive Portal Configuration StepsCreate a Server Group.Create CP profileConfigure Auth ServerCreate Initial RoleStep 1: Configure the auth-server (ex

Create Captive Portal Profile

Captive Portal Login

Profiles & WebUI Navigation

Assign CP Profile to Initial Role

Define Initial Role in AAA Profile

Create Open SSID

Assign SSID and AAA Profiles to VAP

Customize Captive Portal Page

VPN• Aruba supports 2 VPN types• PPTP (widely supported, Windows, Mac, Unix, PDA)• L2TP over IPSec (Windows 2000 and XP, Mac OSX, Unix)• Protocol

VPN Configuration StepsCreate a server group.Configure VPN profileConfigure Auth ServerConfigure VPN settingsStep 1: Configure the external auth-serve

VPN ConfigurationSpecify Server group and Default Role

L2TP Configuration

PPTP Configuration

Web UI Navigation

VPN Dialer• Captive Portal may be used for authentication• For Windows users, a ‘dialer’ application may be downloaded directly from the switch foll

802.1x• Standard protocol for authenticating user *prior* to granting access to L2 media• Utilizes EAP (Extensible Authentication Protocol)• Evolve

EAP DefinitionsSupplicant: client stationAuthenticator: Aruba controllerAuthentication Server: RADIUS Server

EAP Overview1. Supplicant communicates with authentication server through the authenticator2. Authenticator reformats 802.1x to RADIUS and forwards

EAP ExchangeClientAruba ControllerAuthenticationServerEAP Exchange (Controller used as pass-through doesn’t have to know EAP type)TrustedNetwork802.11

802.1x Process802.1x Access Control – Sequence of eventsClientAuthenticatorAuthentication ServerRequest IdentityResponse Identity (anonymous)Response

EAP FlavorsLEAP• Cisco proprietary• Dynamic WEP• Has been broken. Not recommended for current deploymentEAP-TLS (EAP with Transport Layer Security

EAP Flavors (continued)EAP-FAST• Cisco proprietary• Uses a PSK in phase 0 to obtain a PAC file, PAC is used as credentials on network• Subject to m

Configuring an SSID to use dot1xCreate a server group.Configure dot1x profileConfigure Auth ServerConfigure AAA profileStep 1: Configure the external

802.1x ConfigurationSelect Profile and provision 802.1x parameters. Remember to set server group too.

WebUI Navigation

EAP-OffloadNASAuthenticationServerEAP Exchange TrustedNetwork802.11 a/b/gSecured LinkClient

EAP Offload (continued)

Encryption

Configuring 802.1x/802.11i

Guest Provisioning

Aruba Guest Provisioning• Aruba offers a mechanism for managing guest accounts• A guest provisioning management account presents a security guard or r

Create Guest Provisioning Account• Create the admin account to be used by the guard or receptionist to log into the Aruba Controller

Guest Provisioning Interface1) Log in to the controller using the Guest Provisioning Account2) Click Add User, enter user info, and click “Apply andPr

Guest Provisioning cont.

Customizing Guest Provisioning

Profiles• Profiles are a powerful tool that allow administrators increased flexibility over other configuration methods• All aspects of the configur

Guest Access Configuration StepsAssign IP addressConfigure DHCP ServerCreate VLANEnable DHCP ServerStep 1: Create user VLAN and assign IP addressStep

Captive Portal Configuration StepsCreate a Server Group.Create CP profileConfigure Auth ServerCreate Initial RoleStep 1: Configure the auth-server (ex

Master-Local and Mobility

Master-Local IPSec Tunnel• An IPSec Tunnels are automatically created between the Master and each Local for inter-controller communication• Built fr

Intercontroller IPSec SetupUse default key, or create unique pairs

Multi-ControllerMasterLocalLocalAP Group Building 2Local Controller IPAP Group Building 3Local Controller IPGRE TunnelBuilding 1Building 2Building 3

Configure APs for Multi-Controller• Point lms-ip to local controllers

Layer 2 Mobility141002001410020014, 100, 200VLAN 100 VLAN 100AP Group Building1vlan 100AP Group Building2vlan 200AP Group Building1 AP Group Building2

Enabling Inter-Controller L2 Mobility

Layer 3 Mobility• L3 mobility should be enabled when controllers are separated by an L3 network• Controllers build mobile-IP tunnels to transmit cli