Alcatel-Lucent AOS-W 6.5.3.x User manual

AOS-W 6.5.3.x
User Guide
Revision 01 | June 2017 AOS-W 6.5.3.x | User Guide
Copyright Information
Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other
trademarks used by affiliated companies of ALE Holding, visit:
enterprise.alcatel-lucent.com/trademarks
All other trademarks are the property of their respective owners. The information presented is subject to
change without notice. Neither ALE Holding nor any of its affiliates assumes any responsibility for inaccuracies
contained herein. (2017)
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public
License, and/or certain other open source licenses.
Contents
Contents 3
Revision History 18
About this Guide 19
What's New In AOS-W 6.5.x 19
Fundamentals 31
Related Documents 32
Conventions 32
Contacting Support 34
The Basic User-Centric Networks 35
Understanding Basic Deployment and Configuration Tasks 35
Switch Configuration Workflow 38
Connect the Switch to the Network 39
OAW-40xx Series and OAW-4x50 Series Switches 40
Using the LCD Screen 42
Configuring a VLAN to Connect to the Network 45
Enabling Wireless Connectivity 49
Enabling Wireless Connectivity 49
Configuring Your User-Centric Network 49
Replacing a Switch 49
Control Plane Security 56
Control Plane Security Overview 57
Configuring Control Plane Security 57
Managing AP Whitelists 59
Managing Whitelists on Master and Local Switches 66
Working in Environments with Multiple Master Switches 70
Replacing a Switch on a Multi-Switch Network 73
Configuring Control Plane Security after Upgrading 76
Troubleshooting Control Plane Security 77
Software Licenses 79
Getting Started with AOS-W Licenses 79
License Types and Usage 79
Licensing Best Practices and Limitations 82
Centralized Licensing Overview 83
Configuring Centralized Licensing 89
Installing a License 91
Deleting a License 93
Monitoring and Managing Centralized Licenses 94
Network Configuration Parameters 97
Campus WLAN Workflow 97
Understanding VLAN Assignments 98
Configuring VLANs 105
Configuring Ports 110
Configuring Static Routes 113
Configuring the Loopback IP Address 113
Configuring the Switch IP Address 114
Configuring GRE Tunnels 115
Configuring GRE Tunnel Groups 124
Jumbo Frame Support 127
IPv6 Support 130
Understanding IPv6 Notation 130
Understanding IPv6 Topology 130
Enabling IPv6 131
Enabling IPv6 Support for Switch and APs 131
Filtering an IPv6 Extension Header (EH) 139
Configuring a Captive Portal over IPv6 139
Working with IPv6 Router Advertisements (RAs) 140
RADIUS Over IPv6 144
TACACS Over IPv6 145
DHCPv6 Server 146
Understanding AOS-W Supported Network Configuration for IPv6 Clients 148
Understanding AOS-W Authentication and Firewall Features that Support IPv6 149
Managing IPv6 User Addresses 154
Understanding IPv6 Exceptions and Best Practices 155
Link Aggregation Control Protocol 157
Understanding LACP Best Practices and Exceptions 157
Configuring LACP 158
LACP Sample Configuration 160
OSPFv2 161
Understanding OSPF Deployment Best Practices and Exceptions 161
Understanding OSPFv2 by Example using a WLAN Scenario 162
Understanding OSPFv2 by Example using a Branch Scenario 163
Configuring OSPF 165
Sample Topology and Configuration 166
Authentication Servers 178
Understanding Authentication Server Best Practices and Exceptions 178
Understanding Servers and Server Groups 178
Configuring Authentication Servers 179
Managing the Internal Database 196
Configuring Server Groups 199
Assigning Server Groups 205
Configuring Authentication Timers 210
Authentication Server Load Balancing 211
MAC-based Authentication 212
Configuring MAC-Based Authentication 212
AOS-W 6.5.3.x | User Guide Contents | 5
6| Contents AOS-W 6.5.3.x| User Guide
Configuring Clients 213
Branch Switch Config for Cloud Services Switches 215
Branch Deployment Features 216
Scalable Site-to-Site VPN Tunnels 217
Layer-3 Redundancy for Branch Switch Masters 217
WAN Failure (Authentication) Survivability 218
WAN Health Check 224
WAN Optimization through IP Payload Compression 224
Interface Bandwidth Contracts 225
Branch Integration with a Palo Alto Networks (PAN) Portal 226
Branch Switch Routing Features 229
Cloud Management 230
Zero-Touch Provisioning 230
Using Smart Config to create a Branch Config Group 233
PortFast and BPDU Guard 254
Preventing WANLink Failure on Virtual APs 257
Branch WAN Dashboard 257
802.1X Authentication 259
Understanding 802.1X Authentication 259
Configuring 802.1X Authentication 262
Enabling 802.1X Supplicant Support on an AP 270
Sample Configurations 271
Performing Advanced Configuration Options for 802.1X 287
Application Single Sign-On Using L2 Authentication 287
Device Name as User Name for Non-802.1X Authentication 290
Stateful and WISPr Authentication 291
Working With Stateful Authentication 291
Working With WISPr Authentication 292
Understanding Stateful Authentication Best Practices 292
Configuring Stateful 802.1X Authentication 292
Configuring Stateful NTLM Authentication 293
Configuring Stateful Kerberos Authentication 294
Configuring WISPr Authentication 295
Certificate Revocation 298
Understanding OCSP and CRL 298
Configuring the Switch as an OCSP Client 299
Configuring the Switch as a CRL Client 301
Configuring the Switch as an OCSP Responder 302
Certificate Revocation Checking for SSH Pubkey Authentication 303
OCSPConfiguration for AOS-W VIA 304
Captive Portal Authentication 306
Understanding Captive Portal 306
Configuring Captive Portal in the Base Operating System 307
Using Captive Portal with a PEFNG License 309
Sample Authentication with Captive Portal 312
Configuring Guest VLANs 318
Configuring Captive Portal Authentication Profiles 319
Enabling Optional Captive Portal Configurations 324
Personalizing the Captive Portal Page 328
Creating and Installing an Internal Captive Portal 330
Creating Walled Garden Access 339
Enabling Captive Portal Enhancements 341
Netdestination for AAAA Records 345
Virtual Private Networks 346
Planning a VPN Configuration 346
Working with VPN Authentication Profiles 350
Configuring a Basic VPN for L2TP/IPsec 352
Configuring a VPN for L2TP/IPsec with IKEv2 356
AOS-W 6.5.3.x | User Guide Contents | 7
8| Contents AOS-W 6.5.3.x| User Guide
Configuring a VPN for Smart Card Clients 361
Configuring a VPN for Clients with User Passwords 362
Configuring Remote Access VPNs for XAuth 363
Working with Remote Access VPNs for PPTP 364
Working with Site-to-Site VPNs 365
Working with VPN Dialer 373
Roles and Policies 375
Configuring Firewall Policies 375
User Roles 385
Assigning User Roles 387
Understanding Global Firewall Parameters 393
Using AppRF 2.0 397
ClearPass Policy Manager Integration 402
Introduction 402
Important Points to Remember 402
Enabling Downloadable Role on a Switch 403
Sample Configuration 403
Virtual APs 411
Virtual AP Configuration Workflow 411
Virtual AP Profiles 412
Changing a Virtual AP Forwarding Mode 420
Radio Resource Management (802.11k) 420
BSS Transition Management (802.11v) 428
Fast BSS Transition (802.11r) 428
SSID Profiles 430
WLAN Authentication 438
High-Throughput Virtual APs 441
Guest WLANs 446
Changing a Virtual AP Forwarding Mode 449
Adaptive Radio Management 450
Understanding ARM 450
Client Match 452
ARM Coverage and Interference Metrics 454
Configuring ARM Profiles 455
Assigning an ARM Profile to an AP Group 465
Using Multi-Band ARM for 802.11a/802.11g Traffic 465
Band Steering 466
Dynamic Bandwidth Switch 467
Enabling Traffic Shaping 468
Traffic Steering 470
Spectrum Load Balancing 471
Reusing Channels to Control RX Sensitivity Tuning 471
Configuring Non-802.11 Noise Interference Immunity 472
Troubleshooting ARM 472
Wireless Intrusion Prevention 474
Working with the Reusable Wizard 474
Monitoring the Dashboard 477
Detecting Rogue APs 478
Working with Intrusion Detection 481
Configuring Intrusion Protection 493
Configuring the WLAN Management System 497
Understanding Client Blacklisting 501
Working with WIP Advanced Features 503
Configuring TotalWatch 504
Administering TotalWatch 506
Tarpit Shielding Overview 507
Configuring Tarpit Shielding 507
AOS-W 6.5.3.x | User Guide Contents | 9
10| Contents AOS-W 6.5.3.x| User Guide
Access Points 509
Important Points to Remember 509
APDiscovery Logic 510
Basic Functions and Features 523
Naming and Grouping APs 524
Understanding AP Configuration Profiles 526
Before you Deploy an AP 533
Enable Switch Discovery 533
Enable DHCP to Provide APs with IP Addresses 534
AP Provisioning Profiles 535
Configuring Installed APs 538
Optional AP Configuration Settings 543
RF Management 558
Optimizing APs Over Low-Speed Links 572
AP Scanning Optimization 580
Channel Group Scanning 582
Configuring AP Channel Assignments 583
Managing AP Console Settings 585
Link Aggregation Support on OAW-AP220 Series, OAW-AP270 Series, and OAW-AP320 Series 588
Recording Consolidated AP-Provisioned Information 592
Intelligent Power Monitoring 593
Secure Enterprise Mesh 595
Mesh Overview Information 595
Mesh Configuration Procedures 595
Understanding Mesh Access Points 595
Understanding Mesh Links 597
Understanding Mesh Profiles 599
Understanding Remote Mesh Portals (RMPs) 603
Understanding the AP Boot Sequence 604
Mesh Deployment Solutions 605
Mesh Deployment Planning 607
Configuring Mesh Cluster Profiles 609
Creating and Editing Mesh Radio Profiles 613
Creating and Editing Mesh High-Throughput SSID Profiles 618
Configuring Ethernet Ports for Mesh 624
Provisioning Mesh Nodes 626
Verifying Your Mesh Network 628
Configuring Remote Mesh Portals (RMPs) 630
Increasing Network Uptime Through Redundancy and VRRP 633
High Availability 633
VRRP-Based Redundancy 633
High Availability Deployment Models 634
Client State Synchronization 636
High Availability Inter-Switch Heartbeats 637
High Availability Extended Switch Capacity 637
Configuring High Availability 638
High Availability Alerting 640
Migrating from VRRP or Backup-LMS Redundancy 641
Configuring VRRP Redundancy 643
RSTP 651
Understanding RSTP Migration and Interoperability 651
Working with Rapid Convergence 651
Configuring RSTP 652
Troubleshooting RSTP 654
PVST+ 655
Understanding PVST+ Interoperability and Best Practices 655
Enabling PVST+ in the CLI 655
Enabling PVST+ in the WebUI 656
AOS-W 6.5.3.x | User Guide Contents | 11
12| Contents AOS-W 6.5.3.x| User Guide
Link Layer Discovery Protocol 657
Important Points to Remember 657
LLDP Overview 657
Configuring LLDP 658
Monitoring LLDP Configuration 659
IP Mobility 663
Understanding Alcatel-Lucent Mobility Architecture 663
Configuring Mobility Domains 664
Tracking Mobile Users 668
Configuring Advanced Mobility Functions 670
Understanding Bridge Mode Mobility Deployments 679
Enabling Mobility Multicast 680
External Firewall Configuration 684
Understanding Firewall Port Configuration Among Alcatel-Lucent Devices 684
Enabling Network Access 685
Ports Used for Virtual Intranet Access (VIA) 685
Configuring Ports to Allow Other Traffic Types 685
PAPI Enhanced Security 687
Interoperability 687
Configuring PAPI Enhanced Security 687
Verifying PAPI Enhanced Security 688
Palo Alto Networks Firewall Integration 689
Limitation 689
Preconfiguration on the PANFirewall 689
Configuring PAN Firewall Integration 692
Remote Access Points 695
About Remote Access Points 695
Configuring the Secure Remote Access Point Service 697
Deploying a Branch/Home Office Solution 703
Enabling Remote AP Advanced Configuration Options 709
Understanding Split Tunneling 723
Understanding Bridge 729
Provisioning Wi-Fi Multimedia 734
Reserving Uplink Bandwidth 734
Provisioning 4G USB Modems on Remote Access Points 735
Provisioning RAPs at Home 737
Configuring OAW-RAP3WN and OAW-RAP3WNP Access Points 740
Converting an IAP to RAP or CAP 741
Enabling Bandwidth Contract Support for RAPs 742
RAP TFTP Image Upgrade 745
Virtual Intranet Access 748
Spectrum Analysis 749
Understanding Spectrum Analysis 749
Creating Spectrum Monitors and Hybrid APs 754
Connecting Spectrum Devices to the Spectrum Analysis Client 756
Configuring the Spectrum Analysis Dashboards 759
Customizing Spectrum Analysis Graphs 762
Working with Non-Wi-Fi Interferers 787
Understanding the Spectrum Analysis Session Log 788
Viewing Spectrum Analysis Data 788
Recording Spectrum Analysis Data 789
Troubleshooting Spectrum Analysis 792
Dashboard Monitoring 794
WAN 794
Performance 795
Usage 796
Potential Issues 797
Traffic Analysis 797
AOS-W 6.5.3.x | User Guide Contents | 13
14| Contents AOS-W 6.5.3.x| User Guide
AirGroup 819
Security 820
UCC 820
Controller 822
WLANs 824
Access Points 825
Clients 826
Firewall 827
Management Access 833
Configuring Certificate Authentication for WebUI Access 833
Secure Shell (SSH) 834
WebUI Session Timer 835
Enabling RADIUS Server Authentication 836
Connecting to an OmniVista Server 842
Custom Certificate Support for RAP 846
Implementing a Specific Management Password Policy 848
Configuring AP Image Preload 850
Configuring Centralized Image Upgrades 852
Managing Certificates 854
Configuring SNMP 860
Enabling Capacity Alerts 862
Configuring Logging 864
Enabling Guest Provisioning 868
Managing Files on the Switch 882
Setting the System Clock 885
ClearPass Profiling with IF-MAP 887
Whitelist Synchronization 888
Downloadable Regulatory Table 889
802.11u Hotspots 892
Hotspot Profile Configuration Tasks 892
Hotspot 2.0 Overview 892
Configuring Hotspot 2.0 Profiles 895
Configuring Hotspot Advertisement Profiles 899
Configuring ANQP Venue Name Profiles 901
Configuring ANQP Network Authentication Profiles 903
Configuring ANQP Domain Name Profiles 904
Configuring ANQP IPAddress Availability Profiles 905
Configuring ANQPNAIRealm Profiles 906
Configuring ANQP Roaming Consortium Profiles 909
Configuring ANQP 3GPP Cellular Network Profiles 909
Configuring H2QP Connection Capability Profiles 910
Configuring H2QP Operator Friendly Name Profiles 912
Configuring H2QP Operating Class Indication Profiles 913
Configuring H2QP WAN Metrics Profiles 914
Configuring H2QP OSU Provider List Profiles 915
Adding Local Switches 920
Moving to a Multi-Switch Environment 920
Configuring Local Switches 923
Uplink Monitoring and Management 925
Voice and Video 927
Voice and Video License Requirements 927
Configuring Voice and Video 927
Working with QoS for Voice and Video 936
Unified Communication and Collaboration 945
Understanding Extended Voice and Video Features 964
Advanced Voice Troubleshooting 988
AOS-W 6.5.3.x | User Guide Contents | 15
16| Contents AOS-W 6.5.3.x| User Guide
AirGroup 994
Zero Configuration Networking 994
AirGroup Solution 994
AirGroup Integrated Deployment Model 998
Features Supported in AirGroup 999
ClearPass Policy Manager and ClearPass Guest Features 1004
Auto-association and Switch-based Policy 1004
Best Practices and Limitations 1006
Integrated Deployment Model 1010
Switch Dashboard Monitoring 1018
Configuring the AirGroup-CPPM Interface 1021
Bluetooth-Based Discovery and AirGroup 1028
AirGroup mDNS Static Records 1029
mDNS APVLANAggregation 1031
mDNS Multicast Response Propagation 1033
Troubleshooting and Log Messages 1035
Instant AP VPN Support 1038
Overview 1038
VPN Configuration 1043
Viewing Branch Status 1044
External Services Interface 1046
Sample ESI Topology 1046
Understanding the ESI Syslog Parser 1048
Configuring ESI 1051
Sample Route-Mode ESI Topology 1058
Sample NAT-mode ESI Topology 1063
Understanding Basic Regular Expression (BRE) Syntax 1066
External User Management 1069
Overview 1069
How the AOS-W XML API Works 1069
Creating an XML Request 1069
XML Response 1072
Using the XML API Server 1076
Sample Scripts 1080
Behavior and Defaults 1086
Understanding Mode Support 1086
Understanding Basic System Defaults 1088
Understanding Default Management User Roles 1096
Understanding Default Open Ports 1099
DHCP with Vendor-Specific Options 1102
Configuring a Windows-Based DHCP Server 1102
Enabling DHCP Relay Agent Information Option (Option-82) 1105
Enabling Linux DHCP Servers 1107
802.1X Configuration for IAS and Windows Clients 1109
Configuring Microsoft IAS 1109
Configuring Management Authentication using IAS 1111
Windows XP Wireless Client Sample Configuration 1113
Glossary of Terms 1116
AOS-W 6.5.3.x | User Guide Contents | 17
18| Contents AOS-W 6.5.3.x| User Guide
Revision History
The following table lists the revisions of this document.
Revision | Change Description
Revision 02 | Updated acronyms in the ClearPass Policy Manager Integration chapter.
Revision 01 | Initial release.
Table 1: Revision History
About this Guide
This User Guide describes the features supported in AOS-W 6.5.3.x and provides instructions and examples to
configure switches and access points (APs). This guide is intended for system administrators responsible for
configuring and maintaining wireless networks and assumes administrator knowledge in Layer 2 and Layer 3
networking technologies.
This chapter covers the following topics:
• What's New In AOS-W 6.5.x on page 19
• Fundamentals on page 31
• Related Documents on page 32
• Conventions on page 32
• Contacting Support on page 34
What's New In AOS-W 6.5.x
This section lists the new features and enhancements introduced in AOS-W 6.5.x.
Features in AOS-W 6.5.3.0
The following features are introduced in AOS-W 6.5.3.0:
Feature | Description
AMON Source IP Address | Starting with AOS-W 6.5.3.0, users can specify the source IP address of AMON packets emitted from the switch.
AP Deployment Policy | Starting with AOS-W 6.5.3.0, users can predefine the AP mode using the AP deployment policy. The AP deployment policy redirects all APs in the specified IP address ranges to the Instant discovery process, ensuring that the APs run only in switch-less mode.
Certificate Support for Non-TPM Devices | Starting with AOS-W 6.5.3.0, switches provide a device certificate for APs that do not have a TPM chip. The factory certificate of the AP is validated against the device certificate stored on the switch.
Table 2: New Features in AOS-W 6.5.3.0
Features in AOS-W 6.5.2.0
The following features are introduced in AOS-W 6.5.2.0:
Feature | Description
AP Discovery Logic | Starting with AOS-W 6.5.2.0, APs can run in either switch-based mode or switch-less mode. Based on the selected mode, the AP runs a different image: switch-based APs run an AOS-W image, and switch-less APs run an Instant image.
AP Health Check | The AP Health Check feature uses ping probes to check reachability and latency levels for the connection between the AP and the switch. The recorded latency information appears in the output of the show ap ip health-check command. If the switch IP address becomes unreachable from the AP uplink, this feature records the time that the connection failed and saves that information in a log file.
Dynamic Data Support for RADIUS attribute | Starting with AOS-W 6.5.2.0, dynamic data for the included attributes in the RADIUS Attribute modifier is supported. Users can configure the dynamic value for each included attribute in the RADIUS modifier.
Enabling Flexible Radio | This feature allows the AP to seamlessly switch between modes where the radio resources are either combined in a single 2x2 radio (2.4 GHz or 5 GHz), or separated in two 1x1 radios (2.4 GHz and 5 GHz).
Inline Monitoring | Starting with AOS-W 6.5.2.0, the inline monitoring feature is supported for Remote APs.
Roaming RADIUS Accounting Service | Starting with AOS-W 6.5.2.0, the Roaming RADIUS Accounting Service feature supports tracking a wireless client who roams to a different AP.
Source Interface for TACACS Server | Starting with AOS-W 6.5.2.0, a user has the option of specifying the source IP for a TACACS server.
Support for BLE-based Asset Tracking | Starting with AOS-W 6.5.2.0, APs can monitor BLE asset tags to track the location of time-sensitive, high-value assets embedded with BLE tags.
Intelligent Power Monitoring | Starting with AOS-W 6.5.2.0, IPM is supported in OAW-AP303H access points.
AirMatch Monitoring | When AirMatch monitoring is enabled in the AP system profile, each AP measures its RF environment every 30 minutes by default. The switch uses this information to analyze its RF neighborhood, and can send this information in AMON messages.
Smart Antenna Polarization | The Smart Antenna setting is introduced to support the smart antenna feature on the OAW-AP335, which optimizes the selection of antenna polarization values.
Centralized License Servers Supports new Topology | Starting with AOS-W 6.5.2.0, the centralized licensing feature supports topologies where a licensing master is connected to a standalone master licensing client switch, a redundant licensing server, and a local licensing client switch.
Table 3: New Features in AOS-W 6.5.2.0