3.1 Delta Training
Configuration Prior to 3.x
• In AOS <3.x, the services offered over the air by an AP were determined by 2 major groups of settings:
• Network-wide setting
Inter-Controller Mobility
[Diagram: Master with three Local controllers]
1. Client roams to different controller (foreign agent)
2. FA recognizes client
3. FA builds tunnel to
Mobility Domains
• Domains define a boundary for roaming clients
• Generally a controller belongs to one domain, although it can belong to more
• Doma
Mobility Domains
[Diagram: Building 1 and Building 2, one Master with four Local controllers]
Deploying Mobility Over Large Areas AOS 2.x
[Diagram: several Mobility Domains, each with its own Master and Local controllers]
Deploying Mobility Over Large Areas AOS 3.x
[Diagram: several Mobility Domains, each with its own Master and Local controllers]
Domains Illustrated
[Diagram: Domain 1 and Domain 2]
• Roaming within a domain allows the user to keep IP address, authentication, etc.
• When roaming between domains, the user
Enabling Inter-Controller L3 Mobility
• Enable L3 Mobility
• Create new Mobility Domain (optional)
Configure Mobility Domain
• Build Home Agent Table
MobileIP on a per-VAP basis
VLAN Pooling
Profile Power
• 2.x could only have most settings network-wide:
    aaa dot1x auth-server foo1
• Sets the 802.1x auth server for the entire network
    wms asso
VLAN pooling
• For larger deployments, VLAN pooling can be used to maintain small broadcast domains while easing the administrator's burden of managing many
VLAN pooling cont.
• Configuration simply means assigning a range of VLANs to a Virtual AP
• Pool can be a comma-delimited list or range (or combination
VLAN Pooling
[Diagram: ap group “Building 1” vlan 100-101; Data Center, First Floor, Second Floor; DHCP and E-mail servers; VLAN labels 101 and 114; Mobility Controller vlan 14: 10.1.14.6/24, loopback: 10.1.]
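Added example, not from the slides or from ArubaOS: a parser for the pool syntax the two VLAN pooling slides describe (a comma-delimited list, a range, or a mix), plus a per-client VLAN pick. Selecting the VLAN by hashing the client MAC is an illustrative assumption that keeps a client on the same VLAN across reassociations; the slides do not state the controller's own selection algorithm, and the accepted separators are likewise an assumption.

```python
import hashlib
import re


def parse_vlan_pool(spec):
    """Expand a pool such as '100-101, 105, 110-112' into a sorted list of unique
    VLAN IDs. Commas and whitespace separate items; an item is a single ID or a
    low-high range (separator set is an assumption, not taken from ArubaOS docs)."""
    vlans = set()
    for token in re.split(r"[,\s]+", spec.strip()):
        if not token:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError(f"bad VLAN pool item: {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            raise ValueError(f"descending range: {token!r}")
        for vid in range(low, high + 1):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} outside 1-4094")
            vlans.add(vid)
    if not vlans:
        raise ValueError("empty VLAN pool")
    return sorted(vlans)


def assign_vlan(pool, client_mac):
    """Pick the client's VLAN from the pool by hashing its MAC. Hashing rather
    than round-robin is an illustrative choice: the same client lands on the
    same VLAN on every association to any AP in the group, so a reassociation
    does not change its subnet. The real selection algorithm is not on this page."""
    digits = re.sub(r"[:\-.]", "", client_mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {client_mac!r}")
    digest = hashlib.sha256(bytes.fromhex(digits)).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def pool_usage(pool, client_macs):
    """Count clients per VLAN: a quick check that the pool actually spreads load."""
    counts = {vid: 0 for vid in pool}
    for mac in client_macs:
        counts[assign_vlan(pool, mac)] += 1
    return counts
```

The distribution check matters in practice: a pool only keeps broadcast domains small if clients actually land on all of its VLANs, so it is worth verifying with real MACs before relying on it.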
IDS
IDS Profiles
• IDS settings are now in profiles
• A set of default profiles has been created at a variety of levels
Classification
[Diagram: backbone; Corporation with Aruba WIP; Neighboring Company or Public Hotspot; Parking Lot; AP classes Valid, Interfering, Known Interfering, Rogue; Mobility Control]
Rogue AP Configuration
Enable Air Monitor
Troubleshooting and Management Enhancements
Manageability - Overview
• RF Troubleshooting
• Amazing tools for AP and Device debugging
• Antenna Profile – Tells you which antenna transmits/receiv
AP Groups and Profiles
[Diagram: an AP Group references Wireless LAN, RF Management, AP, QoS and IDS profiles; the Wireless LAN profile contains Virtual AP Properties and SSID profiles]
Antenna Profile Test
• This tests whether an antenna on an AP is not connected properly or is malfunctioning. Packets are sent to a specific target f
Antenna Profile Example
(Aruba5000-MX25) #rft test profile antenna-connectivity ip-addr 172.16.25.251 dest-mac 00:16:ce:73:b5:37 radio 0
Transaction ID:
Link Profile Test
• This test determines the most suitable data rate for a given target. Packets are sent at different rates to find the optimal rate.
Link Profile Example
rft test profile link-quality ip-addr 172.16.25.251 dest-mac 00:16:ce:73:b5:37 radio 1
show rft result all
(Aruba5000-MX25) #rft te
Raw Profile Test
• This test is effectively a Layer 2 ping.
• A fixed number of null data packets are sent to a target and the result of the test is d
Raw Profile Example
(Aruba5000-MX25) #rft test profile raw ip-addr 172.16.25.251 dest-mac 00:16:ce:73:b5:37 radio 1
Transaction ID: 5701
(Aruba5000-MX25)
[Diagram: Corporate Network; Mobility Controller Cluster; Security Appliance; Data Center; Syslog: Vi]
Profiles (cont.)
Apply Profiles to AP Group
Configuration - Summary
• What does it all fundamentally mean?
• Per SSID/Group: enable/disable auth method
• TKIP & AES / WPA & WPA2 in any mix, a
Licensing Changes
Licensing changes
• 3.1 adds a new “Voice Services” license.
• This license adds many new voice-specific features
• Voice-aware ARM scanning now req
New Voice Features
• QoS
• WMM
• TSpec/TCLAS
• UAPSD
• Bandwidth contracts
• Traffic Aware ARM scanning
• TSpec/TCLAS signalling enforcement
• WMM vo
Voice Aware 802.1x / 802.11i
• 802.1x transactions can affect call quality when the device is on a call. This feature allows the 802.1x transactions to
What’s new in 3.1?
• AP Name/AP Group
• Profiles
• Licensing changes
• RF Plan FQLN and location
• ARM Enhancements
• Firewall Enhancements
• Authenti
Voice Aware Mobility
• Voice Awareness is now also built into the Aruba Mobility algorithm.
• When a device on a call moves from one controller to anoth
Battery Life features
• Battery Boost
• A Wi-Fi client in standby mode needs to wake up at regular intervals to check for possible multicast frames. Thi
WEB UI Support
Voice Features: Voice scale and quality
Quality of Service
• WMM
• WMM Enforcement
Call Capacity
• T-Spec
• Strict accuracy
Battery Life
• U-APSD / WMM-PS
RF Plan, FQLN, and ARM
RF Plan changes in 3.1
• FQLN
• Power level display changes
• .11a Channel updates
• ARM updates
AP Names & AP Groups: No more B.F.N
• AP Config:
• APs now have a single GROUP
• APs now have a single NAME
• Both are alphanumeric text strings -
FQLN
• Use Fully Qualified Location Name (FQLN) to associate APs and AMs to a location
• FQLN Format: APname.Floor.Building.Campus
• Used to map AP to
Setting FQLN
• Select building and Mapper
Assign FQLN
• Dropdown options appear only after Campus, Building and Floor have been created
• Note: Setting FQLN reboots APs
FQLN
• NOTE: you do not have to use the FQLN mapper if you simply set the AP Name in the AP Installation menu to be the same as the AP Name in RF Plan
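Added example, not from the slides or from ArubaOS: a parser for the FQLN format the slides give (APname.Floor.Building.Campus), an index that enforces the "AP Name must be unique" rule, and a reverse lookup from a floor to its APs. Requiring exactly four labels (so an AP name containing a dot is rejected) is this example's assumption; the page does not say whether ArubaOS allows dots in AP names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    ap_name: str
    floor: str
    building: str
    campus: str


def parse_fqln(fqln):
    """Split APname.Floor.Building.Campus into its four labels. Exactly four
    non-empty dot-separated labels are required, so an AP name containing a dot
    is rejected instead of silently shifting the floor/building/campus fields
    (whether ArubaOS itself allows dots in AP names is not stated on the page)."""
    parts = fqln.strip().split(".")
    if len(parts) != 4 or any(not p for p in parts):
        raise ValueError(f"FQLN must be APname.Floor.Building.Campus: {fqln!r}")
    return Location(*parts)


def is_valid_fqln(fqln):
    """True when parse_fqln accepts the string."""
    try:
        parse_fqln(fqln)
        return True
    except ValueError:
        return False


def build_ap_map(fqlns):
    """Index locations by AP name, enforcing the slides' rule that AP names are unique."""
    ap_map = {}
    for fqln in fqlns:
        loc = parse_fqln(fqln)
        if loc.ap_name in ap_map:
            raise ValueError(f"duplicate AP name {loc.ap_name!r}")
        ap_map[loc.ap_name] = loc
    return ap_map


def aps_on_floor(ap_map, campus, building, floor):
    """Reverse lookup: which APs (by name) sit on a given floor of a building."""
    return sorted(name for name, loc in ap_map.items()
                  if (loc.campus, loc.building, loc.floor) == (campus, building, floor))
```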
Power Level Adjustment
• Aruba radio power levels are adjustable between 0 and 4
• 4 is highest
• Calibration will automatically set the power level t
Channel Selection
• APs operate most efficiently when they are the only AP on the channel
• Calibration will automatically assign channels to each AP
ARM Settings
Firewall Enhancements
Traffic-Aware ARM scanning
• Allows one to configure firewall rules that describe traffic types that should cause ARM to pause scanning on whatever AP
Configuration
• Configuration examples
(config) # ip access-list session mycriticalapp
(config-sess) # any any udp <port> permit disable-scanning
(
The Advantage Of AP-Groups
Group the APs by logical function, not by floors
• APs are now grouped however you like - not just by floor, e.g.
• Cubicles
Troubleshooting
• The best way to troubleshoot this feature is to look at the session table (“show datapath session table”) and verify that the VOIP
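Added example, not from the slides or from ArubaOS: a small model of the traffic-aware ARM decision the three slides above describe. It evaluates a session ACL top down with first-match semantics over a set of sessions and reports, per AP, whether scanning is paused. The session fields are constructed for the example and do not reproduce the real "show datapath session table" columns; the first-match semantics and the "any" wildcard are assumptions drawn from the slide's `any any udp <port> permit disable-scanning` line. It also shows the ordering mistake the troubleshooting slide is about: a broad permit placed above the critical rule means no session ever matches the disable-scanning rule.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class SessionRule:
    """One line of an 'ip access-list session' ACL, in the field order the
    slide's example uses: source, destination, protocol, port, action, and
    whether the rule carries disable-scanning. 'any' wildcards a field."""
    src: str
    dst: str
    proto: str
    port: object          # int or ANY
    action: str           # "permit" or "deny"
    disable_scanning: bool = False


@dataclass(frozen=True)
class Session:
    """A datapath session as this example models it (constructed fields; the
    real 'show datapath session table' columns are not reproduced here)."""
    ap: str
    src: str
    dst: str
    proto: str
    dport: int


def _match(field, value):
    return field == ANY or field == value


def first_match(acl, s):
    """Session ACLs are evaluated top down and the first matching rule wins,
    so a broad permit placed above the critical rule silently disables it."""
    for rule in acl:
        if (_match(rule.src, s.src) and _match(rule.dst, s.dst)
                and _match(rule.proto, s.proto) and _match(rule.port, s.dport)):
            return rule
    return None


def scanning_state(acl, sessions, aps):
    """Return {ap: 'paused' | 'scanning'}. An AP pauses ARM scanning while it
    carries at least one permitted session whose matching rule has
    disable-scanning set; APs with no such session keep scanning."""
    state = {ap: "scanning" for ap in aps}
    for s in sessions:
        rule = first_match(acl, s)
        if rule is not None and rule.action == "permit" and rule.disable_scanning:
            state[s.ap] = "paused"
    return state


# Constructed sample: SIP signalling on UDP 5060 stands in for <port>.
CRITICAL = SessionRule(ANY, ANY, "udp", 5060, "permit", disable_scanning=True)
ALLOW_ALL = SessionRule(ANY, ANY, ANY, ANY, "permit")
SESSIONS = [
    Session("ap-floor1", "10.1.100.20", "10.1.14.50", "udp", 5060),
    Session("ap-floor2", "10.1.100.31", "10.1.14.60", "tcp", 80),
]
```

When checking the real session table, the question to answer is the same one `first_match` answers: did the voice session hit the rule that carries disable-scanning, or an earlier, broader rule?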
Ethertype and MAC FW policies
• ArubaOS 3.1 now allows the addition of Ethertype and MAC ACLs to user roles
• Simply create an Ethertype or MAC ACL an
Per-SSID Bandwidth Contracts
• Allocates “air time” to virtual APs on a given physical AP
• SSIDs may burst above the configured limit as long as other SS
Authentication and Encryption
Module Overview
• Authentication
  • SSID
  • MAC
  • Captive Portal
  • VPN
  • 802.1x
• Encryption
  • Layer 2 vs. Layer 3
  • Wireless security protocols
  • WPA
Authentication
SSID Authentication
• A user can be authenticated simply by associating with a given SSID (no credential is checked, so this identifies the SSID the user chose, not the user)
• A policy is created such that anyone associating with a gi
SSID Authentication Configuration
MAC Authentication
• A user’s MAC address can be used to establish identity
• However, MAC addresses can be spoofed by an attacker
• Useful for device
MAC Auth Methods
• There are 2 different mechanisms for performing MAC Authentication
• MAC Auth Profile
• User Derivation Rules
AP Name/AP Group
• AP Name and AP Group are used to determine what configuration parameters/profiles are pushed to an AP
• AP Name must be unique
• If
MAC Auth Profile
Format sent to server:
• None: aabbccddeeff
• Dash: aa-bb-cc-dd-ee-ff
• Colon: aa:bb:cc:dd:ee:ff
Specify Authentication Server
User Derivation Rules
User Derivation Rules (cont.)
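Added example, not from the slides or from ArubaOS, covering both MAC auth mechanisms above. It normalizes a client MAC, renders it in the three "format sent to server" styles from the MAC Auth Profile slide, shows why a style mismatch between the profile and the server's stored usernames fails every client, and evaluates MAC-based user derivation rules to a role. The rule attribute set (MAC only), the operators, and top-down first-match ordering are this example's assumptions; the server user list is constructed data.

```python
import re
from dataclasses import dataclass


def canonical_mac(mac):
    """Accept none/dash/colon (and dotted) input and return 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_for_server(mac, style):
    """Render the username the controller would send to the auth server, in
    the three styles the slide lists: none, dash, colon."""
    digits = canonical_mac(mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    separators = {"none": "", "dash": "-", "colon": ":"}
    if style not in separators:
        raise ValueError(f"unknown format style: {style!r}")
    return separators[style].join(pairs)


def mac_auth(server_users, mac, style):
    """MAC auth against a server whose usernames are stored as literal strings
    (constructed data). The lookup succeeds only if the profile's format style
    matches how the entries were entered on the server; a colon-style database
    queried with the 'none' style fails for every client."""
    return format_for_server(mac, style) in server_users


@dataclass(frozen=True)
class DerivationRule:
    """A user derivation rule on the MAC address (the only attribute modelled
    here, an assumption): match a prefix (OUI) or the whole address, assign a role."""
    op: str      # "starts-with" or "equals"
    value: str   # MAC or MAC prefix, any separator style
    role: str


def derive_role(rules, mac, default_role):
    """Evaluate rules top down, first match wins (ordering is an assumption);
    fall back to the default role when nothing matches. Because the MAC is
    client-asserted and spoofable, the derived role should carry only the
    privileges you would be willing to hand a spoofer."""
    digits = canonical_mac(mac)
    for rule in rules:
        pattern = re.sub(r"[:\-.]", "", rule.value.strip().lower())
        if rule.op == "starts-with" and digits.startswith(pattern):
            return rule.role
        if rule.op == "equals" and digits == pattern:
            return rule.role
    return default_role
```

Put exact-match rules above OUI rules: the first rule that matches decides, so a specific device entry placed below its vendor's OUI rule is never reached.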
Internal Database
• Built into the controller
• Simple authentication option
• Can be used with EAP-offload
Internal Database (continued)
Captive Portal
• Web-based authentication method (SSL)
• Enabled by default
• Typically found in Public Hotspots, Universities
• User associates (open
Captive Portal Configuration Steps
[Flow: Configure Auth Server; Create a Server Group; Create CP profile; Create Initial Role]
Step 1: Configure the auth-server (ex
Create Captive Portal Profile
Captive Portal Login
Profiles & WebUI Navigation
Assign CP Profile to Initial Role
Define Initial Role in AAA Profile
Create Open SSID
Assign SSID and AAA Profiles to VAP
Customize Captive Portal Page
VPN
• Aruba supports 2 VPN types
• PPTP (widely supported: Windows, Mac, Unix, PDA; its MS-CHAPv2 authentication is now known to be breakable, so prefer L2TP over IPSec where the client allows)
• L2TP over IPSec (Windows 2000 and XP, Mac OS X, Unix)
• Protocol
VPN Configuration Steps
[Flow: Configure Auth Server; Create a server group; Configure VPN profile; Configure VPN settings]
Step 1: Configure the external auth-serve
VPN Configuration
• Specify Server group and Default Role
L2TP Configuration
PPTP Configuration
Web UI Navigation
VPN Dialer
• Captive Portal may be used for authentication
• For Windows users, a ‘dialer’ application may be downloaded directly from the switch foll
802.1x
• Standard protocol for authenticating a user *prior* to granting access to L2 media
• Utilizes EAP (Extensible Authentication Protocol)
• Evolve
EAP Definitions
• Supplicant: client station
• Authenticator: Aruba controller
• Authentication Server: RADIUS Server
EAP Overview
1. Supplicant communicates with authentication server through the authenticator
2. Authenticator reformats 802.1x to RADIUS and forwards
EAP Exchange
[Diagram: Client, Aruba Controller, Authentication Server; the EAP exchange runs end to end from the Client (over 802.11) through the controller to the server (over the Trusted Network). Controller used as pass-through doesn’t have to know EAP type]
802.1x Process
802.1x Access Control – Sequence of events
[Sequence diagram: Client, Authenticator, Authentication Server]
• Request Identity
• Response Identity (anonymous)
• Response
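Added example, not from the slides or from ArubaOS: the three-party exchange of the EAP Overview, EAP Exchange and 802.1x Process slides, with the controller written as a pure pass-through that re-encapsulates EAP between the client side and the server side and decides on the port only from the EAP Code (Success or Failure), never from the method type. EAP-MD5 (RFC 3748 type 4, the CHAP-style challenge from RFC 1994) is used only because it is the shortest real method that makes the pass-through visible; it derives no keying material, so it cannot drive 802.11i dynamic keys and is not a choice for wireless. The anonymous outer identity is as on the slide; carrying the real name in the MD5 Response's Name field stands in for the inner identity a tunnelled method such as PEAP would protect. RADIUS is reduced to a dict of attributes, and the user database is constructed data.

```python
import hashlib
import hmac
import os

# EAP codes and method types from RFC 3748; MD5-Challenge per RFC 1994.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5 = 1, 4


def eap_pack(code, ident, type_=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data...]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def eap_unpack(pkt):
    """Return (code, identifier, type or None, type-data) after a length check."""
    if len(pkt) < 4 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("EAP length mismatch")
    body = pkt[4:]
    return pkt[0], pkt[1], (body[0] if body else None), body[1:]


class Supplicant:
    """Client station: answers Request/Identity with an anonymous outer identity,
    then proves the password in MD5-Challenge, carrying the real name in the
    Response's Name field."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, pkt):
        code, ident, typ, data = eap_unpack(pkt)
        if code != EAP_REQUEST:
            return None
        if typ == TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, TYPE_IDENTITY, b"anonymous")
        if typ == TYPE_MD5:
            challenge = data[1:1 + data[0]]
            digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            return eap_pack(EAP_RESPONSE, ident, TYPE_MD5,
                            bytes([len(digest)]) + digest + self.identity)
        return None


class AuthServer:
    """RADIUS-side EAP server: the only party that knows the user database and
    the EAP method. `users` maps name -> password (constructed data)."""

    def __init__(self, users):
        self.users, self.pending = users, {}   # pending: identifier -> challenge

    def handle(self, pkt):
        code, ident, typ, data = eap_unpack(pkt)
        if code == EAP_RESPONSE and typ == TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.pending[ident + 1] = challenge
            return eap_pack(EAP_REQUEST, ident + 1, TYPE_MD5,
                            bytes([len(challenge)]) + challenge)
        if code == EAP_RESPONSE and typ == TYPE_MD5:
            size = data[0]
            received, name = data[1:1 + size], data[1 + size:]
            challenge = self.pending.pop(ident, None)
            password = self.users.get(name)
            ok = False
            if challenge is not None and password is not None:
                expected = hashlib.md5(bytes([ident]) + password + challenge).digest()
                ok = hmac.compare_digest(expected, received)
            return eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, ident + 1)
        return eap_pack(EAP_FAILURE, ident + 1)


class Authenticator:
    """The controller as EAP pass-through. It copies Response/Identity into
    RADIUS User-Name (as real authenticators do) and otherwise looks only at
    the EAP Code to decide when to open the port; it never parses the method."""

    def __init__(self, server):
        self.server, self.port_authorized, self.user_names = server, False, []

    def run(self, supplicant, max_rounds=10):
        pkt = eap_pack(EAP_REQUEST, 0, TYPE_IDENTITY)     # EAPOL: Request/Identity
        for _ in range(max_rounds):
            resp = supplicant.handle(pkt)                  # EAPOL leg from the client
            if resp is None:
                break
            access_request = {"EAP-Message": resp, "NAS-Port-Type": "Wireless-802.11"}
            if eap_unpack(resp)[2] == TYPE_IDENTITY:
                access_request["User-Name"] = eap_unpack(resp)[3]
                self.user_names.append(access_request["User-Name"])
            pkt = self.server.handle(access_request["EAP-Message"])   # RADIUS leg
            code = eap_unpack(pkt)[0]
            if code in (EAP_SUCCESS, EAP_FAILURE):
                self.port_authorized = code == EAP_SUCCESS
                return self.port_authorized
        return False
```

The controller only ever sees "anonymous" as the identity; the real name and the password proof pass through it opaquely, which is exactly why a new EAP method needs a server upgrade but no controller change.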
EAP Flavors
LEAP
• Cisco proprietary
• Dynamic WEP
• Has been broken. Not recommended for current deployment
EAP-TLS (EAP with Transport Layer Security
EAP Flavors (continued)
EAP-FAST
• Cisco proprietary
• Uses a PSK in phase 0 to obtain a PAC file; the PAC is used as credentials on the network
• Subject to m
Configuring an SSID to use dot1x
[Flow: Configure Auth Server; Create a server group; Configure dot1x profile; Configure AAA profile]
Step 1: Configure the external
802.1x Configuration
• Select Profile and provision 802.1x parameters. Remember to set the server group too.
WebUI Navigation
EAP-Offload
[Diagram: Client, NAS, Authentication Server; the EAP exchange runs over 802.11 a/b/g between Client and NAS, and a Secured Link over the Trusted Network connects NAS to the Authentication Server]
EAP Offload (continued)
Encryption
Configuring 802.1x/802.11i
Guest Provisioning
Aruba Guest Provisioning
• Aruba offers a mechanism for managing guest accounts
• A guest provisioning management account presents a security guard or r
Create Guest Provisioning Account
• Create the admin account to be used by the guard or receptionist to log into the Aruba Controller
Guest Provisioning Interface
1) Log in to the controller using the Guest Provisioning Account
2) Click Add User, enter user info, and click “Apply and Pr
Guest Provisioning cont.
Customizing Guest Provisioning
Profiles
• Profiles are a powerful tool that allows administrators increased flexibility over other configuration methods
• All aspects of the configur
Guest Access Configuration Steps
[Flow: Create VLAN; Assign IP address; Configure DHCP Server; Enable DHCP Server]
Step 1: Create user VLAN and assign IP address
Step
Master-Local and Mobility
Master-Local IPSec Tunnel
• IPSec tunnels are automatically created between the Master and each Local for inter-controller communication
• Built fr
Intercontroller IPSec Setup
• Use default key, or create unique pairs (the default key is common to all Aruba controllers and therefore offers no protection against anyone who knows it; use unique pre-shared keys in production)
Multi-Controller
[Diagram: Master with two Local controllers; AP Group Building 2 points to a Local Controller IP, AP Group Building 3 points to a Local Controller IP; GRE Tunnel; Building 1, Building 2, Building 3]
Configure APs for Multi-Controller
• Point lms-ip to local controllers
Layer 2 Mobility
[Diagram: controllers carrying VLANs 14, 100, 200; AP Group Building1 on vlan 100, AP Group Building2 on vlan 200; VLAN 100 present on both sides]
Enabling Inter-Controller L2 Mobility
Layer 3 Mobility
• L3 mobility should be enabled when controllers are separated by an L3 network
• Controllers build mobile-IP tunnels to transmit cli