Aruba IAP-134 User guide

User Guide

Aruba Instant

6.4.3.4-4.2.1.0

Edition 1 | November 2015 Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

Copyright

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public

License, and/or certain other open source licenses. A complete machine-readable copy of the source code

corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information

and shall expire three years following the date of the final distribution of this product version by Hewlett-

Packard Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett-Packard Company

Attn: General Counsel

3000 Hanover Street

Palo Alto, CA 94304

USA

Please specify the product and version for which you are requesting source code. You may also request a copy

of this source code free of charge at dl-gplquery@arubanetworks.com.

Aruba Instant 6.4.3.4-4.2.1.0 | User Guide | 3

Contents

About this Guide 27

Intended Audience 27

Related Documents 27

Conventions 27

Contacting Support 28

About Aruba Instant 30

Instant Overview 30

Supported AP Platforms 30

Instant UI 32

Instant CLI 33

What is New in this Release 33

Setting up an IAP 36

Setting up Instant Network 36

Connecting an IAP 36

Assigning an IP address to the IAP 36

Assigning a Static IP 37

Connecting to a Provisioning Wi-Fi Network 37

IAP Cluster 37

Disabling the Provisioning Wi-Fi Network 38

Logging in to the Instant UI 38

Regulatory Domains 39

Specifying Country Code 39

Accessing the Instant CLI 39

Connecting to a CLI Session 40

Applying Configuration Changes 40

Using Sequence Sensitive Commands 41

Automatic Retrieval of Configuration 42

Managed Mode Operations 42

Pre-requisites 42

Configuring Managed Mode Parameters 43

4| Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

Example 44

Verifying the Configuration 44

Instant User Interface 46

Login Screen 46

Viewing Connectivity Summary 46

Language 46

Logging into the Instant UI 46

Main Window 47

Banner 47

Search 47

Tabs 47

Networks Tab 48

Access Points Tab 48

Clients Tab 49

Links 49

New Version Available 50

System 50

RF 50

Security 50

Maintenance 51

More 52

VPN 52

IDS 52

Wired 53

Services 54

DHCP Server 55

Support 55

Help 56

Logout 56

Monitoring 56

Info 56

RF Dashboard 58

RF Trends 60

Usage Trends 60

Mobility Trail 66

Client Match 66

AppRF 67

Spectrum 67

Alerts 68

IDS 72

AirGroup 73

Configuration 73

AirWave Setup 74

Aruba Central 74

Pause/Resume 74

Initial Configuration Tasks 76

Configuring System Parameters 76

Changing Password 82

In the Instant UI 82

In the CLI 82

Customizing IAP Settings 83

Modifying the IAP Hostname 83

In the Instant UI 83

In the CLI 83

Configuring Zone Settings on an IAP 83

In the Instant UI 83

In the CLI 84

Specifying a Method for Obtaining IP Address 84

In the Instant UI 84

In the CLI 84

Configuring External Antenna 84

EIRP and Antenna Gain 84

Configuring Antenna Gain 85

In the Instant UI 85

In the CLI 85

Configuring Radio Profiles for an IAP 85

Configuring ARMAssigned Radio Profiles for an IAP 86

Configuring Radio Profiles Manually for IAP 86

Aruba Instant 6.4.3.4-4.2.1.0 | User Guide | 5

6| Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

In the CLI 87

Configuring Uplink VLANfor an IAP 87

In the Instant UI 87

In the CLI 87

Changing USB Port Status 87

In the Instant UI 88

In the CLI 88

Master Election and Virtual Controller 88

Master Election Protocol 88

Preference to an IAP with 3G/4G Card 88

Preference to an IAP with Non-Default IP 89

Viewing Master Election Details 89

Manual Provisioning of Master IAP 89

Provisioning an IAP as a Master IAP 89

In the Instant UI 89

In the CLI 90

Adding an IAP to the Network 90

Removing an IAP from the Network 90

VLAN Configuration 91

VLAN Pooling 91

Uplink VLAN Monitoring and Detection on Upstream Devices 91

Wireless Network Profiles 92

Configuring Wireless Network Profiles 92

Network Types 92

Configuring WLAN Settings for an SSID Profile 93

In the Instant UI 93

In the CLI 96

Configuring VLAN Settings for a WLAN SSID Profile 97

In the Instant UI 97

In the CLI 99

Enforcing DHCP 100

Configuring Security Settings for a WLAN SSID Profile 100

Configuring Security Settings for an Employee or Voice Network 100

In the Instant UI 100

In the CLI 106

Configuring Access Rules for a WLAN SSID Profile 107

In the Instant UI 108

In the CLI 108

Configuring Fast Roaming for Wireless Clients 109

Opportunistic Key Caching 109

Configuring an IAP for OKC Roaming 109

In the Instant UI 110

In the CLI 110

Fast BSSTransition (802.11r Roaming) 110

Configuring an IAP for 802.11r support 111

In the Instant UI 111

In the CLI 111

Example 111

Radio Resource Management (802.11k) 111

Beacon Report Requests and Probe Responses 112

Configuring a WLANSSID for 802.11k Support 112

In the Instant UI 112

In the CLI 112

Example 112

BSS Transition Management (802.11v) 112

Configuring a WLANSSID for 802.11v Support 112

In the Instant UI 113

In the CLI 113

Example 113

Configuring Modulation Rates on a WLAN SSID 113

Disabling Short Preamble for Wireless Client 113

Editing Status of a WLAN SSID Profile 114

In the Instant UI 114

In the CLI 114

Editing a WLAN SSID Profile 114

Deleting a WLAN SSID Profile 114

Wired Profiles 115

Configuring a Wired Profile 115

Configuring Wired Settings 115

Aruba Instant 6.4.3.4-4.2.1.0 | User Guide | 7

8| Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

In the Instant UI 115

In the CLI 116

Configuring VLAN for a Wired Profile 116

In the Instant UI 116

In the CLI 117

Configuring Security Settings for a Wired Profile 117

Configuring Security Settings for a Wired Employee Network 117

In the Instant UI 117

In the CLI 118

Configuring Access Rules for a Wired Profile 118

In the Instant UI 118

In the CLI 119

Assigning a Profile to Ethernet Ports 120

In the Instant UI 120

In the CLI 120

Editing a Wired Profile 120

Deleting a Wired Profile 120

Link Aggregation Control Protocol 121

Understanding Hierarchical Deployment 122

Captive Portal for Guest Access 123

Understanding Captive Portal 123

Types of Captive Portal 123

Walled Garden 124

Configuring a WLANSSID for Guest Access 124

In the Instant UI 124

In the CLI 128

Configuring Wired Profile for Guest Access 129

In the Instant UI 129

In the CLI 130

Configuring Internal Captive Portal for Guest Network 131

In the Instant UI 131

In the CLI 133

Configuring External Captive Portal for a Guest Network 134

External Captive Portal Profiles 134

Creating a Captive Portal Profile 134

In the Instant UI 134

In the CLI 136

Configuring an SSID or Wired Profile to Use External Captive Portal Authentication 136

In the Instant UI 136

In the CLI 138

External Captive Portal Redirect Parameters 138

Configuring External Captive Portal Authentication Using ClearPass Guest 139

Creating a Web Login page in ClearPass Guest 139

Configuring RADIUS Server in Instant UI 139

Configuring RADIUS Attribute for CPPMServer Load Balancing 140

Configuring Facebook Login 140

Setting up a Facebook Page 140

Configuring an SSID 140

In the Instant UI 140

In the CLI 141

Example 141

Configuring the Facebook Portal Page 141

Accessing the Portal Page 141

Configuring Guest Logon Role and Access Rules for Guest Users 141

In the Instant UI 142

In the CLI 142

Example 143

Configuring Captive Portal Roles for an SSID 143

In the Instant UI 144

In the CLI 146

Configuring Walled Garden Access 146

In the Instant UI 146

In the CLI 147

Disabling Captive Portal Authentication 147

Authentication and User Management 148

Managing IAP Users 148

Configuring IAP Users 149

In the Instant UI 149

Aruba Instant 6.4.3.4-4.2.1.0 | User Guide | 9

10 | Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

In the CLI 150

Configuring Authentication Parameters for Management Users 151

In the Instant UI 151

In the CLI 152

Adding Guest Users through the Guest Management Interface 152

Supported Authentication Methods 153

802.1X authentication 154

MAC authentication 154

MAC authentication with 802.1X authentication 154

Captive Portal Authentication 154

MAC authentication with Captive Portal authentication 155

802.1X authentication with Captive Portal Role 155

WISPr authentication 155

Supported EAP Authentication Frameworks 155

Authentication Termination on IAP 156

Configuring Authentication Servers 156

Supported Authentication Servers 156

Internal RADIUS Server 156

External RADIUS Server 157

RADIUS Server Authentication with VSA 157

TACACS Servers 161

Dynamic Load Balancing between Two Authentication Servers 161

Configuring an External Server for Authentication 161

In the Instant UI 161

In the CLI 165

Enabling RADIUS Communication over TLS 166

Configuring RadSec Protocol 166

In the UI 166

In the CLI 167

Associate the Server Profile with a Network Profile 167

In the CLI 167

Configuring Dynamic RADIUSProxy Parameters 168

Enabling Dynamic RADIUS Proxy 168

In the Instant UI 168

In the CLI 168

Configuring Dynamic RADIUS Proxy Parameters 168

In the Instant UI 168

In the CLI 169

Associate Server Profiles to a Network Profile 169

In the CLI 169

Understanding Encryption Types 170

WPA and WPA2 170

Recommended Authentication and Encryption Combinations 171

Configuring Authentication Survivability 171

Enabling Authentication Survivability 171

In the Instant UI 172

Important Points to Remember 172

In the CLI 172

Configuring 802.1X Authentication for a Network Profile 172

Configuring 802.1X Authentication for a Wireless Network Profile 173

In the Instant UI 173

In the CLI 173

Configuring 802.1X Authentication for Wired Profiles 174

In the Instant UI 174

In the CLI 174

Configuring MAC Authentication for a Network Profile 174

Configuring MAC Authentication for Wireless Network Profiles 175

In the Instant UI 175

In the CLI 175

Configuring MAC Authentication for Wired Profiles 176

In the Instant UI 176

In the CLI 176

FConfiguring MAC Authentication with 802.1X Authentication 176

Configuring MAC and 802.1X Authentication for a Wireless Network Profile 177

In the Instant UI 177

In the CLI 177

Configuring MAC and 802.1X Authentication for Wired Profiles 177

In the Instant UI 177

In the CLI 178

Aruba Instant 6.4.3.4-4.2.1.0 | User Guide | 11

12 | Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

hConfiguring MAC Authentication with Captive Portal Authentication 178

In the Instant UI 178

In the CLI 178

Configuring WISPr Authentication 179

In the Instant UI 179

In the CLI 180

Blacklisting Clients 180

Blacklisting Clients Manually 180

Adding a Client to the Blacklist 180

In the Instant UI 180

In the CLI 180

Blacklisting Users Dynamically 181

Authentication Failure Blacklisting 181

Session Firewall Based Blacklisting 181

Configuring Blacklist Duration 181

In the Instant UI 181

In the CLI 181

Uploading Certificates 183

Loading Certificates through Instant UI 183

Loading Certificates through Instant CLI 183

Removing Certificates 184

Loading Certificates through AirWave 184

Roles and Policies 186

Firewall Policies 186

Access Control List Rules 186

Configuring ACL Rules for Network Services 186

In the Instant UI 187

In the CLI 188

Example 188

Configuring Network Address Translation Rules 189

Configuring a Source NAT Access Rule 189

In the Instant UI 189

In the CLI 190

Configuring Source-Based Routing 190

Configuring a Destination NAT Access Rule 190

In the Instant UI 190

In the CLI 191

Configuring ALG Protocols 191

In the Instant UI 191

In the CLI 191

Configuring Firewall Settings for Protection from ARP Attacks 192

In the Instant UI 192

In the CLI 192

Managing Inbound Traffic 193

Configuring Inbound Firewall Rules 193

In the Instant UI 193

In the CLI 195

Example 195

Configuring Management Subnets 196

In the Instant UI 196

In the CLI 196

Configuring Restricted Access to Corporate Network 196

In the Instant UI 196

In the CLI 197

Content Filtering 197

Enabling Content Filtering 197

Enabling Content Filtering for a Wireless Profile 197

In the Instant UI 197

In the CLI 198

Enabling Content Filtering for a Wired Profile 198

In the Instant UI 198

In the CLI 198

Configuring Enterprise Domains 198

In the Instant UI 198

In the CLI 198

Configuring URL Filtering Policies 199

In the Instant UI 199

In the CLI 199

Example 200

Creating Custom Error Page for Web Access Blocked by AppRF Policies 200

Aruba Instant 6.4.3.4-4.2.1.0 | User Guide | 13

14 | Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

Creating a List of Error Page URLs 200

In the Instant UI 200

In the CLI 200

Configuring ACL Rules to Redirect Users to a Specific URL 200

In the UI 200

In the CLI 200

Configuring User Roles 201

Creating a User Role 201

In the Instant UI 201

In the CLI 201

Assigning Bandwidth Contracts to User Roles 201

In the Instant UI 202

In the CLI: 202

Configuring Machine and User Authentication Roles 202

In the Instant UI 203

In the CLI 203

Configuring Derivation Rules 203

Understanding Role Assignment Rule 203

RADIUS VSA Attributes 203

MAC-Address Attribute 203

Roles Based on Client Authentication 204

DHCP Option and DHCP Fingerprinting 204

Creating a Role Derivation Rule 204

In the Instant UI 204

In the CLI 205

Example 205

Understanding VLAN Assignment 205

Vendor Specific Attributes 206

VLAN Assignment Based on Derivation Rules 207

User Role 208

VLANs Created for an SSID 208

Configuring VLAN Derivation Rules 208

In the Instant UI 208

In the CLI 209

Example 209

Using Advanced Expressions in Role and VLAN Derivation Rules 209

Configuring a User Role for VLAN Derivation 210

Creating a User VLAN Role 211

In the Instant UI 211

In the CLI 211

Assigning User VLAN Roles to a Network Profile 211

In the Instant UI 211

In the CLI 211

DHCP Configuration 212

Configuring DHCP Scopes 212

Configuring Local DHCP Scopes 212

In the Instant UI 212

In the CLI 213

Configuring Distributed DHCP Scopes 214

In the Instant UI 215

In the CLI 216

Configuring Centralized DHCP Scopes 217

In the Instant UI 217

In the CLI 219

Configuring the Default DHCP Scope for Client IP Assignment 219

In the Instant UI 220

In the CLI 220

Configuring Time Based Services 222

Time Range Profiles 222

Configuring a Time Range Profile 222

In the Instant UI 222

In the CLI: 223

Applying a Time Range Profile to a WLAN SSID 223

In the CLI 224

Verifying the Configuration 224

Example 224

VPN Configuration 226

Understanding VPN Features 226

Aruba Instant 6.4.3.4-4.2.1.0 | User Guide | 15

16 | Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

Supported VPN Protocols 227

Configuring a Tunnel from an IAP to a Mobility Controller 227

Configuring an IPSec Tunnel 228

In the Instant UI 228

In the CLI 229

Example 229

Configuring an L2-GRETunnel 229

Configuring Manual GRE Parameters 229

In the Instant UI 230

In the CLI 230

Configuring Aruba GRE Parameters 231

In the Instant UI 231

In the CLI 232

Configuring an L2TPv3 Tunnel 232

In the Instant UI 233

In the CLI 235

Example 235

Configuring Routing Profiles 238

In the Instant UI 238

In the CLI 239

IAP-VPN Deployment 240

Understanding IAP-VPN Architecture 240

IAP-VPN Scalability Limits 240

IAP-VPN Forwarding Modes 241

Local Mode 241

Local L2 Mode 241

Local L3 Mode 241

Distributed L2 Mode 242

Distributed L3 Mode 242

Centralized L2 Mode 242

Centralized L3 Mode 242

DHCP Scope and VPN Forwarding Modes Mapping 243

Configuring IAP and Controller for IAP-VPN Operations 243

Configuring an IAP Network for IAP-VPN Operations 243

Defining the VPN host settings 244

Configuring Routing Profiles 244

Configuring DHCP Profiles 244

Configuring an SSID or Wired Port 245

Enabling Dynamic RADIUS Proxy 245

Configuring Enterprise Domains 245

Configuring a Controller for IAP-VPN Operations 245

OSPF Configuration 246

VPN Configuration 247

Whitelist Database Configuration 247

VPN Local Pool Configuration 248

Role Assignment for the Authenticated IAPs 248

VPN Profile Configuration 248

Branch-ID Allocation 248

Branch Status Verification 249

Example 249

Adaptive Radio Management 251

ARM Overview 251

Channel or Power Assignment 251

Voice Aware Scanning 251

Load Aware Scanning 251

Monitoring the Network with ARM 251

ARM Metrics 251

Configuring ARM Features on an IAP 252

Band Steering 252

In the Instant UI 252

In the CLI 252

Airtime Fairness Mode 253

In the Instant UI 253

In the CLI 253

Client Match 253

In the Instant UI 254

In the CLI 255

Access Point Control 255

Aruba Instant 6.4.3.4-4.2.1.0 | User Guide | 17

18 | Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

In the Instant UI 255

In the CLI 257

Verifying ARM Configuration 257

Configuring Radio Settings 258

In the Instant UI 258

In the CLI 259

Configuring Cell Size Reduction using the CLI 261

Deep Packet Inspection and Application Visibility 262

Deep Packet Inspection 262

Enabling Application Visibility 262

In the Instant UI 262

In the CLI 262

Application Visibility 263

Application Category Charts 263

Application Charts 264

Web Categories Charts 266

Web Reputation Charts 267

Configuring ACL Rules for Application and Application Categories 268

In the Instant UI 268

In the CLI 270

Example 271

Configuring Web Policy Enforcement Service 271

In the Instant UI 271

In the CLI 272

Example 272

Voice and Video 274

Wi-Fi Multimedia Traffic Management 274

Configuring WMM for Wireless Clients 275

In the Instant UI 275

In the CLI 275

Mapping WMM ACs and DSCP Tags 275

In the Instant UI 276

In the CLI 276

Configuring WMM U-APSD 276

QoS for Microsoft Office Lync 277

Microsoft Office Lync 277

Services 278

AirGroup Configuration 278

Multicast DNS and Bonjour® Services 279

DLNA UPnP Support 280

AirGroup Features 281

AirGroup Services 282

AirGroup Components 283

CPPM and ClearPass Guest Features 283

Configuring AirGroup and AirGroup Services on an IAP 284

In the Instant UI 284

In the CLI 285

Configuring AirGroup and CPPM interface in Instant 286

Creating a RADIUS Server 286

Assign a Server to AirGroup 286

Configure CPPM to Enforce Registration 286

Change of Authorization (CoA) 286

Configuring an IAP for RTLSSupport 286

In the Instant UI 287

In the CLI 287

Configuring an IAP for Analytics and Location Engine Support 288

ALE with Instant 288

Enabling ALE Support on an IAP 288

In the Instant UI 288

In the CLI 289

Verifying ALE Configuration on an IAP 289

Configuring OpenDNS Credentials 289

In the Instant UI 289

In the CLI 289

Integrating an IAP with Palo Alto Networks Firewall 290

Integration with Instant 290

Configuring an IAP for PAN integration 290

In the Instant UI 290

Aruba Instant 6.4.3.4-4.2.1.0 | User Guide | 19

20 | Aruba Instant 6.4.3.4-4.2.1.0 | User Guide

In the CLI 291

Integrating an IAP with an XMLAPIinterface 291

Integration with Instant 292

Configuring an IAP for XMLAPI integration 292

In the Instant UI 292

In the CLI 292

Creating an XML API Request 292

CALEA Integration and Lawful Intercept Compliance 294

CALEA Server Integration 294

Traffic Flow from IAP to CALEA Server 295

Traffic Flow from IAP to CALEA Server through VPN 295

Client Traffic Replication 296

Configuring an IAP for CALEAIntegration 296

Creating a CALEA Profile 296

In the Instant UI 297

In the CLI 297

Creating an Access Rule for CALEA 297

In the Instant UI 297

In the CLI 298

Verifying the configuration 298

Example 298

IAP Management and Monitoring 300

Managing an IAP from AirWave 300

Image Management 300

Resetting an IAP 300

IAP and Client Monitoring 300

Template-based Configuration 301

Trending Reports 301

Intrusion Detection System 301

Wireless Intrusion Detection System (WIDS) Event Reporting to AirWave 301

RF Visualization Support forInstant 302

PSK-based and Certificate-based Authentication 302

Configurable Port for IAP and AirWave Management Server Communication 302

Configuring Organization String 302

Page is loading ...

Aruba IAP-134, IAP-104, IAP-175AC, IAP-325, IAP-92, Instant, Instant 6.4.3.4-4.2.1, RAP-108, RAP-155P, RAP-3WN User guide

Related papers

Other documents