Home » Dell Manuals » Hubs & Switches » Dell PowerConnect W-IAP92 » Manual Viewer

Dell PowerConnect W-IAP92 Dell Instant 6.1.3.4-3.1.0.0 User Guide - Page 225

Dynamic Blacklisting, Authentication Failure Blacklisting, Session Firewall Based Blacklisting

View all Dell PowerConnect W-IAP92 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 225 highlights

4. Click Ok. The Blacklisted Since tab displays the time at which the current blacklisting started for the client. 5. To delete a client from the manual blacklist, select the MAC Address of the client under the Manual Blacklisting window and then click Delete. Dynamic Blacklisting The clients can be blacklisted dynamically when they exceed the authentication failure threshold or a blacklisting rule was triggered as part of the authentication process. Authentication Failure Blacklisting When the time taken by a client fails to authenticate exceeds the configured threshold, the client is automatically blacklisted by an IAP. Session Firewall Based Blacklisting In session firewall based blacklisting, an ACL rule is used to enable the option for automation blacklisting. when the ACL rule is hit, it would send out blacklist information and the client would be blacklisted. To set the blacklist duration: 1. Select the PEF link and then select Blacklisting tab.  Auth failure blacklist time- Enter the duration since the blacklisting has been triggered when the authentication failure threshold is exceeded.  PEF rule blacklisted time- Enter the duration since the blacklisting has been triggered when a blacklisting rule has been triggered. NOTE: In the Networks tab, click the New link and go to New WLAN > VLAN > Security page to enable Blacklisting. Set a value between 1 to 10 in the max authentication failures field for the selected SSID. To enable session firewall based blacklisting, click New and navigate to WLAN Settings > VLAN > Security > Access window and enable the Blacklist option of the corresponding ACL rule. Figure 204 Dynamic Blacklisting PEF Settings Firewall ALG Configuration Instant firewall now supports the ALG (Application Layer Gateway) functions such as SIP, Vocera, Alcatel NOE, and Cisco Skinny protocols. To enable or disable the protocols for ALG in Dell Instant perform the following steps: 1. Select PEF from the top right of the Instant UI. 2. Select PEF Settings tab. 3. Select Enabled from the corresponding drop-down list to enable SIP, VOCERA, Alcatel NOE, and Cisco skinny protocols. Dell PowerConnect W-Series Instant Access Point 6.1.3.4-3.1.0.0 | User Guide Policy Enforcement Firewall | 225

Section	Page
Dell PowerConnect W-Series Instant Access Point 6.1.3.4-3.1.0.0	1
Contents	3
About this Guide	11
Dell PowerConnect W-Instant Access Point Overview	11
Supported Devices	11
Objective	11
Intended Audience	11
Conventions	12
Contacting Support	12
Initial Configuration	13
Initial Setup	13
Pre-Installation Checklist	13
Connecting the IAP to a Power Source	14
Assigning an IP Address to the IAP	14
Connecting to a Provisioning Wi-Fi Network	14
Disabling the Provisioning Wi-Fi Network	15
Login into Instant User Interface	16
Specifying the Country Code	16
IAP Cluster	17
Instant User Interface	19
Understanding the Instant UI Layout	19
Banner	20
Search	20
Tabs	20
Networks Tab	20
Access Points Tab	21
Clients Tab	21
Links	22
New Version Available	22
Settings	23
RF	25
PEF	26
WIP	27
VPN	27
Wired	28
Maintenance	28
Support	30
Help	33
Logout	33
Monitoring	33
Spectrum	36
Alerts	38
IDS	40
Configuration	41
Language	41
Dell PowerConnect W-AirWave Setup	41
Pause/Resume	42
Views	42
Wireless Network	43
Network Types	43
Employee Network	43
Adding an Employee Network	44
Voice Network	51
Adding a Voice Network	52
Guest Network	58
Adding a Guest Network	59
Editing a Network	65
Deleting a Network	65
Number of WLAN SSIDs supported	65
Enabling the Extended SSID option	66
Mesh Network	67
Mesh Instant Access Points	67
Mesh Portals	67
Mesh Points	68
Instant Mesh Setup	68
Managing IAPs	71
Preferred Band	71
Auto Join Mode	71
Disabling Auto Join Mode	71
Terminal Access	72
LED Display	73
TFTP Dump Server	74
Extended SSID	75
Deny Inter User Bridging and Deny Local Routing	76
Terminal Access	77
Syslog Server	78
Syslog Facility Levels	78
Adding an IAP to the Network	79
Removing an IAP from the Network	79
Editing IAP Settings	80
Changing IAP Name	80
Changing IP Address of the IAP	80
Configuring Adaptive Radio Management	81
Configuring Uplink Management VLAN	82
Configuring Wired Bridging on Ethernet 0	82
Migrating to a Mobility Controller Managed Network	83
Converting an IAP to RAP Mode	83
Converting an IAP to CAP	86
Converting an IAP to Standalone Mode	86
Converting back to an IAP	87
Rebooting the IAP	87
Firmware Image Server in Cloud Network	89
Upgrade using Dell PowerConnect W-AirWave and Image Server	89
Image management using Cloud Server	89
Image management using Dell PowerConnect W-AirWave	89
Automatic Firmware Image Check and Upgrade	89
Upgrading to New Version	90
Manual	90
Automatic	92
Layer-3 Mobility	93
Overview	93
Configuring a mobility domain	94
Home Agent Load Balancing	96
Spectrum Monitor	97
Creating Spectrum Monitors and Hybrid APs	97
Converting IAPs into Hybrid IAPs	97
Converting an IAP to a Spectrum Monitor	98
Spectrum Data	100
Overview - Device List	100
Non-WiFi Interferers	101
Channel Metrics	102
Channel Details	103
Spectrum Alerts	103
NTP Server	105
Configuring an NTP Server	105
Virtual Controller	107
Master Election Protocol	107
Virtual Controller IP Address	107
Specifying Name and IP Address for the Virtual Controller	107
Configuring the DHCP Server	108
Authentication	109
Authentication Methods in Dell Instant	109
802.1X Authentication	109
Internal RADIUS Server	109
External RADIUS Server	110
Authentication Terminated on IAP	110
Configuring an External RADIUS Server	110
Enabling Instant RADIUS	112
RADIUS Server Authentication with VSA	113
List of supported VSA	113
Management Authentication Settings	116
Captive Portal	116
Internal Captive Portal	117
Configuring Internal Captive Portal Authentication when Adding a Guest Network	117
Configuring Internal Captive Portal Authentication when Editing a Guest Network	118
Configuring Internal Captive Portal with External Radius Server Authentication when Adding a Guest Network	119
Customizing a Splash Page	120
Disabling Captive Portal Authentication	121
External Captive Portal	122
Configuring External Captive Portal Authentication when Adding a Guest Network	122
Configuring External Captive Portal Authentication when Editing a Guest Network	124
External Captive Portal Authentication using Dell PowerConnect W-ClearPass GuestConnect	126
Creating a Web Login page in the Dell PowerConnect W-ClearPass GuestConnect	126
Configuring the RADIUS Server in Instant	126
MAC Authentication	127
Configuring MAC Authentication	127
Walled Garden Access	128
Creating a Walled Garden Access	128
Wired Authentication on an IAP	129
Certificates	129
Loading Certificates using Instant WebUI	130
Loading Certificates using Dell PowrConnect W-AirWave	131
Encryption	135
Encryption Types Supported in Dell Instant	135
WEP	135
TKIP	135
AES	135
Encryption Recommendations	135
Understanding WPA and WPA2	136
Recommended Authentication and Encryption Combinations	136
Role Derivation	137
User Roles	137
Creating a New User Role	137
Creating Role Assignment Rules	138
DHCP Option and DHCP Fingerprinting	139
802.1X-Authentication-Type	140
User VLAN Derivation	141
User VLAN Derivation	141
Vendor Specific Attributes (VSA)	141
VLAN Derivation Rule	142
Configuring VLAN Derivation Rules on an IAP	142
User Role	143
Configuring a User Role	143
SSID Profile	145
Configuring VLAN Derivation Rules Using SSID Profile	145
Instant Firewall	147
Service Options	148
Destination Options	149
Examples for Access Rules	150
Allow TCP Service to a Particular Network	150
Allow POP3 Service to a Particular Server	151
Deny FTP Service except to a Particular Server	152
Deny bootp Service except to a Particular Network	153
Content Filtering	155
Enabling Content Filtering	155
Enterprise Domains	156
OS Fingerprinting	157
Adaptive Radio Management	159
ARM Features	159
Channel or Power Assignment	159
Voice Aware Scanning	159
Load Aware Scanning	159
Band Steering Mode	159
Airtime Fairness Mode	160
Airtime Fairness Modes	160
Access Point Control	160
Customize Valid Channels	160
Min Transmit Power	161
Max Transmit Power	161
Client Aware	161
Scanning	161
Wide Channel Bands	161
Monitoring the Network with ARM	161
ARM Metrics	161
Configuring Administrator Assigned Radio Settings for IAP	162
Configuring Radio Profiles in Instant	163
Intrusion Detection System	165
Rogue AP Detection and Classification	165
Wireless Intrusion Protection (WIP)	165
Containment Methods	169
SNMP	171
SNMP Parameters for IAP	171
SNMP Traps	173
Hierarchical Deployment	175
Deployment	175
Ethernet Downlink	177
Ethernet Downlink Overview	177
Ethernet Downlink Profile Parameters	177
Assigning a Profile to the Ethernet Port	180
Uplink Configuration	181
Uplink Configuration Overview	181
Ethernet Uplink	181
3G/4G Uplink	182
Types of Modems	182
Uplink Switchover	186
Uplink Switching based on VPN Status	186
Uplink Preemption	186
Uplink Preference	186
PPPoE	187
Configuring PPPoE	187
Dell PowerConnect W-AirWave Integration and Management	189
Dell PowerConnect W-AirWave Features	189
Image Management	189
IAP and Client Monitoring	189
Template-based Configuration	190
Trending Reports	190
Intrusion Detection System	190
Wireless Intrusion Detection System (WIDS) Event Reporting to Dell PowerConnect W-AirWave	190
RF Visualization Support for Dell Instant	191
Configuring Dell PowerConnect W-AirWave	191
Creating your Organization String	191
About Shared Key	192
Entering the Organization String and AMP Information into the IAP	192
Dell PowerConnect W-AirWave Discovery through DHCP Option	192
Standard DHCP option 60 and 43 on Windows Server 2008	192
Alternate method for defining Vendor Specific DHCP options	195
Monitoring	199
Virtual Controller View	199
Monitoring Link	200
Info	200
RF Dashboard	200
Usage Trends	200
Client Alerts Link	202
IDS Link	202
Network View	202
Info	203
Usage Trends	203
Instant Access Point View	204
Info	205
RF Dashboard	205
Overview	205
Client View	212
Info	213
RF Dashboard	213
RF Trends	213
Mobility Trail	216
Alert Types and Management	217
Alert Types	217
Policy Enforcement Firewall	219
Authentication Servers	219
Users for Internal Server	220
Roles	220
Extended Voice and Video Functionalities	221
QoS for Microsoft Office OCS and Apple Facetime	221
Client Blacklisting	223
Types of Client Blacklisting	224
Manual Blacklisting	224
Adding a Client to the Manual Blacklist	224
Dynamic Blacklisting	225
Authentication Failure Blacklisting	225
Session Firewall Based Blacklisting	225
PEF Settings	225
Firewall ALG Configuration	225
Firewall-based Logging	226
VPN Configuration	227
VPN Configuration	227
Routing Profile Configuration	228
DHCP Server Configuration	229
NAT DHCP Configuration	229
Distributed L2 DHCP Configuration	230
Distributed L3 DHCP Configuration	231
Centralized L2 DHCP Configuration	232
User Database	235
Adding a User	235
Editing User Settings	236
Deleting a User	236
Regulatory Domain	237
Country Codes List	238
Controller Configuration for VPN	241
Whitelist DB Configuration if the Controller is acting as the Whitelist Entry	241
VPN Local Pool Configuration	242
IAP VPN Profile Configuration	242
Abbreviations	245

Match case Limit results 1 per page

Dell PowerConnect W-Series Instant Access Point 6.1.3.4-3.1.0.0

| User Guide

Policy Enforcement Firewall

225

Click

The

Blacklisted Since

tab displays the time at which the current blacklisting started for the client.

To delete a client from the manual blacklist, select the MAC Address of the client under the

Manual

Blacklisting

window and then click

Delete

Dynamic Blacklisting

The clients can be blacklisted dynamically when they exceed the authentication failure threshold or a blacklisting

rule was triggered as part of the authentication process.

Authentication Failure Blacklisting

When the time taken by a client fails to authenticate exceeds the configured threshold, the client is

automatically blacklisted by an IAP.

Session Firewall Based Blacklisting

In session firewall based blacklisting, an ACL rule is used to enable the option for automation blacklisting. when

the ACL rule is hit, it would send out blacklist information and the client would be blacklisted.

To set the blacklist duration:

Select the

PEF

link and then select

Blacklisting

tab.



Auth failure blacklist time

— Enter the duration since the blacklisting has been triggered when the

authentication failure threshold is exceeded.



PEF rule blacklisted time

— Enter the duration since the blacklisting has been triggered when a blacklisting

rule has been triggered.

Figure 204

Dynamic Blacklisting

PEF Settings

Firewall ALG Configuration

Instant firewall now supports the ALG (Application Layer Gateway) functions such as SIP, Vocera, Alcatel NOE,

and Cisco Skinny protocols.

To enable or disable the protocols for ALG in Dell Instant perform the following steps:

Select

PEF

from the top right of the Instant UI.

Select

PEF

Settings

tab.

Select

Enabled

from the corresponding drop-down list to enable SIP, VOCERA, Alcatel NOE, and Cisco

skinny protocols.

NOTE:

In the

Networks

tab, click the

New

link and go to

New WLAN > VLAN > Security

page to enable

Blacklisting

. Set a value

between 1 to 10 in the

max authentication failures

field

for the selected SSID. To enable session firewall based blacklisting, click

New and navigate to

WLAN Settings > VLAN > Security > Access

window and enable the

Blacklist

option of the corresponding

ACL rule.