Home » Dell Manuals » Hubs & Switches » Dell PowerConnect W-IAP92 » Manual Viewer

Dell PowerConnect W-IAP92 Dell Instant 6.2.0.0-3.2.0.0 User Guide - Page 286

VPN Configuration, Creating a W-IAP Whitelist, Controller Whitelist DB, External Whitelist DB

View all Dell PowerConnect W-IAP92 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 286 highlights

VPN Configuration The following VPN configuration steps on the controller, enable W-IAPs to terminate their VPN connection on the controller: Creating a W-IAP Whitelist Controller Whitelist DB W-IAP whitelist is the list of approved AP's that can be provisioned on your controller. To create a W-IAP whitelist: 1. Navigate to Configuration > AP Installation (under Wireless) and then click the RAP Whitelist tab on the right side. 2. Click the New button and provide the following details: a. AP MAC Address - Mandatory parameter. Enter the MAC address of the AP. b. Username - Enter a username that will be used when the AP is provisioned. c. AP Group - Select a group to add the AP. d. AP Name - Enter a name for the AP. If an AP name is not entered, the MAC address will be used instead. e. Description - Enter a text description for the AP. f. IP-Address - Enter an IP address for the AP. 3. Click the Add button to add the instant AP to the whitelist. The ap-group parameter is not used for any configuration, but needs to be configured. The parameter can be any valid string. If an external whitelist is being used, the MAC address of the AP needs to be saved in the Radius server as a lower case entry without any delimiter. External Whitelist DB The external whitelist functionality enables you to configure the RADIUS server to use an external whitelist for authentication of MAC addresses of RAPs. If you are using Windows 2003 server, perform the following steps to configure external whitelist on it. There are equivalent steps available for Windows Server 2008 and other RADIUS servers. 1. Add the MAC addresses for all the RAPs in the Active Directory of the Radius server: a. Open the Active Directory and Computers window, add a new user and specify the MAC address (without the colon delimiter) of the RAP for the user name and password. b. Right-click the user that you have just created and click Properties. c. In the Dial-in tab, select Allow access in the Remote Access Permission section and click OK. d. Repeat Step a through Step b for all RAPs. 2. Define the remote access policy in the Internet Authentication Service: a. In the Internet Authentication Service window, select Remote Access Policies. b. Launch the wizard to configure a new remote access policy. c. Define filters and select grant remote access permission in the Permissions window. d. Right-click the policy that you have just created and select Properties. e. In the Settings tab, select the policy condition, and Edit Profile.... f. In the Advanced tab, select Vendor Specific, and click Add to add new vendor specific attributes. 286 | IAP-VPN Dell PowerConnect W-Series Instant Access Point 6.2.0.0-3.2.0.0 | User Guide

Section	Page
Contents	3
About This Guide	15
Dell PowerConnect W-Instant Access Point Overview	15
Supported Devices	15
Objective	15
Intended Audience	16
Conventions	16
Contacting Support	16
Initial Configuration	17
Initial Setup	17
Pre-Installation Checklist	17
Connecting a W-IAP	18
Assigning an IP Address to the W-IAP	18
Connecting to a Provisioning Wi-Fi Network	18
Disabling the Provisioning Wi-Fi Network	20
Assigning a Static IP	20
Log in to the Dell W-Series Instant UI	21
Specifying a Country Code	21
W-IAP Cluster	22
Dell W-Instant User Interface	23
Understanding the Dell W-Series Instant UI Layout	23
Banner	24
Search	24
Tabs	24
Networks Tab	24
Access Points Tab	25
Clients Tab	25
Links	26
New Version Available	27
Settings	27
RF	29
PEF	30
WIP	30
VPN	31
Wired	31
Maintenance	32
Support	32
Help	32
Logout	33
Monitoring	33
Info	33
RF Dashboard	34
Usage Trends	35
Spectrum	36
Overview (Device list)	36
Channel Utilization and Monitoring	36
Channel Details	37
Alerts	37
Client Alerts	37
Fault History	38
Active Faults	38
IDS	39
Configuration	39
AirGroup	40
Language	40
Dell PowerConnect W-AirWave Setup	40
Pause/Resume	41
Views	41
Wireless Network	43
Network Types	43
Employee Network	44
Adding an Employee Network	44
Voice Network	53
Adding a Voice Network	53
Guest Network	60
Adding a Guest Network	60
Editing a Network	68
Deleting a Network	68
Number of WLAN SSIDs Supported	68
Enabling the Extended SSID Option	69
VLAN Pooling	69
Managing W-IAPs	71
Preferred Band	71
Auto Join Mode	71
Disabling Auto Join Mode	71
Terminal Access	72
LED Display	72
TFTP Dump Server	72
Extended SSID	73
Deny Inter User Bridging and Deny Local Routing	73
Syslog Server	73
Syslog Facility Levels	74
Adding a W-IAP to the Network	74
Removing a W-IAP from the Network	75
Editing W-IAP Settings	75
Changing W-IAP Name	75
Changing IP Address of the W-IAP	76
Configuring Adaptive Radio Management	78
Configuring Uplink Management VLAN	79
Configuring Wired Bridging on Ethernet 0	79
Migrating to a Dell PowerConnect W-Series Mobility Controller Managed Network	80
Converting a W-IAP to RAP Mode	80
Converting a W-IAP to CAP	83
Converting a W-IAP to Standalone Mode	83
Converting Back to a W-IAP	84
Rebooting the W-IAP	84
Firmware Image Server in Cloud Network	86
Upgrade Using Dell PowerConnect W-AirWave and Image Server	86
Image Management Using Cloud Server	86
Image Management Using Dell PowerConnect W-AirWave	86
Automatic Firmware Image Check and Upgrade	87
Upgrading to New Version	88
Manual	88
Automatic	90
Layer-3 Mobility	91
Overview	91
Configuring a Mobility Domain	92
Home Agent Load Balancing	95
Spectrum Monitor	97
Creating Spectrum Monitors and Hybrid APs	97
Converting W-IAPs into Hybrid W-IAPs	97
Converting a W-IAP to a Spectrum Monitor	98
Spectrum Data	100
Overview - Device List	100
Non Wi-Fi Interferers	101
Channel Metrics	103
Channel Details	104
Spectrum Alerts	105
Time Management	107
NTP Server	107
Configuring an NTP Server	107
Daylight Saving Time	108
Enabling Daylight Saving Time	108
Virtual Controller	109
Master Election Protocol	109
Preference to an IAP with 3G/4G Card	109
Preference to a W-IAP with Non-Default IP	109
Virtual Controller IP Address	110
Specifying Name and IP Address for the Virtual Controller	110
Configuring the DHCP Server	110
Authentication	111
Authentication Methods in Dell W-Instant	111
802.1X Authentication	111
Internal RADIUS Server	112
External RADIUS Server	112
Authentication Terminated on W-IAP	112
Configuring an External RADIUS Server	113
Enabling RADIUS Server Support	115
Authentication Survivability	115
RADIUS Server Authentication with VSA	118
List of Supported VSA	118
Management Authentication Settings	120
Captive Portal	121
Internal Captive Portal	121
Configuring Internal Captive Portal Authentication when Adding a Guest Network	122
Configuring Internal Captive Portal Authentication when Editing a Guest Network	123
Configuring Internal Captive Portal with External RADIUS Server Authenticatio...	124
Customizing a Splash Page	125
Disabling Captive Portal Authentication	126
External Captive Portal	127
Configuring External Captive Portal Authentication when Adding a Guest Network	127
Configuring External Captive Portal Authentication when Editing a Guest Network	129
External Captive Portal Authentication using ClearPass Guest	131
Creating a Web Login page in the ClearPass Guest	131
Configuring the RADIUS Server in Instant	131
WISPr Authentication	132
Configuring WISPr Authentication	132
MAC Authentication	133
Configuring MAC Authentication	134
Walled Garden Access	134
Creating a Walled Garden Access	134
MAC + 802.1X Authentication	136
Configuring MAC + 802.1X Authentication	136
MAC + Captive Portal Authentication	137
Configuring MAC + Captive Portal Authentication	137
Wired Authentication on a W-IAP	138
Certificates	138
Loading Certificates using Dell W-Series Instant UI	139
Loading Certificates using Dell PowerConnect W-AirWave	140
Encryption	143
Encryption Types Supported in Dell W-Instant	143
WEP	143
TKIP	143
AES	143
Encryption Recommendations	143
Understanding WPA and WPA2	144
Recommended Authentication and Encryption Combinations	144
Role Derivation	145
User Roles	145
Creating a New User Role	145
Creating Role Assignment Rules	147
MAC-Address Attribute	147
DHCP Option and DHCP Fingerprinting	148
802.1X-Authentication-Type	148
User VLAN Derivation	149
User VLAN Derivation	149
Vendor Specific Attributes (VSA)	149
VLAN Derivation Rule	150
Configuring VLAN Derivation Rules on a W-IAP	150
User Role	151
Configuring a User Role	151
SSID Profile	152
Configuring VLAN Derivation Rules Using an SSID Profile	153
Instant Firewall	155
Service Options	156
Destination Options	158
Examples for Access Rules	158
Allow TCP Service to a Particular Network	158
Allow POP3 Service to a Particular Server	159
Deny FTP Service except to a Particular Server	160
Deny bootp Service except to a Particular Network	161
Content Filtering	163
Enabling Content Filtering	163
Enterprise Domains	164
OS Fingerprinting	167
Adaptive Radio Management	169
ARM Features	169
Channel or Power Assignment	169
Voice Aware Scanning	169
Load Aware Scanning	169
Band Steering Mode	169
Airtime Fairness Mode	170
Airtime Fairness Modes	170
Access Point Control	171
Customize Valid Channels	171
Min Transmit Power	171
Max Transmit Power	171
Client Aware	171
Scanning	171
Wide Channel Bands	171
Monitoring the Network with ARM	172
ARM Metrics	172
Configuring Administrator Assigned Radio Settings for W-IAP	172
Configuring Radio Profiles in Instant	173
Intrusion Detection System	177
Rogue AP Detection and Classification	177
Wireless Intrusion Protection (WIP)	177
Containment Methods	181
SNMP	183
SNMP Parameters for W-IAP	183
SNMP Traps	185
Ethernet Downlink	187
Ethernet Downlink Overview	187
Ethernet Downlink Profile Parameters	187
Assigning a Profile to the Ethernet Port	190
Hierarchical Deployment	193
Deployment	193
Uplink Configuration	195
Uplink Interface Configuration	195
Ethernet Uplink	195
3G/4G Uplink	196
Types of Modems	196
Provisioning 3G/4G Uplink Manually	198
Provisioning 3G Uplink Automatically	199
Provisioning a 3G/4G Switch Network	199
Wi-Fi Uplink	200
Provisioning Wi-Fi Uplink	200
Provisioning 3G/4G and Wi-Fi Uplink with Factory Setting	200
Uplink Management	201
Enforce Uplink	201
Uplink Preemption	201
Uplink Switchover	201
Uplink Switching Based on VPN Status	201
Uplink Switching Based on Internet Connectivity Status	202
PPPoE	202
Configuring PPPoE	202
Dell PowerConnect W-AirWave Integration and Management	205
Dell PowerConnect W-AirWave Features	205
Image Management	205
W-IAP and Client Monitoring	205
Template-based Configuration	205
Trending Reports	206
Intrusion Detection System	206
Wireless Intrusion Detection System (WIDS) Event Reporting to Dell PowerConne...	206
RF Visualization Support for Dell W-Instant	207
Configuring Dell PowerConnect W-AirWave	207
Creating your Organization String	207
About Shared Key	208
Entering the Organization String and AMP Information into the W-IAP	208
Dell PowerConnect W-AirWave Discovery through DHCP Option	208
Standard DHCP option 60 and 43 on Windows Server 2008	208
Alternate Method for Defining Vendor-Specific DHCP Options	212
AirGroup	215
Introducing AirGroup	215
What is Bonjour and Zero Configuration Networking?	215
WLANs and Bonjour	216
AirGroup Solution	216
AirGroup Features	217
Dell PowerConnect W-ClearPass Policy Manager and ClearPass Guest Features	217
AirGroup Architecture	217
How Does AirGroup Work?	218
Use Case: Higher Education Wireless LAN	219
The AirGroup Solution Components	219
Configuring AirGroup on W-Instant	220
Using the Dell W-Series Instant UI	220
Enabling or Disabling AirGroup	220
Disallow Role	221
Disallow VLAN	222
Configuring AirGroup-CPPM Interface in W-Instant	223
Creating a RADIUS Server	223
Assign a Server to AirGroup	224
Configure CPPM to Enforce Registration	225
Change of Authorization (CoA)	225
AirGroup Monitoring	226
Troubleshooting and Log Messages	226
Monitoring	229
Virtual Controller View	229
Monitoring Link	230
Info	230
RF Dashboard	230
Usage Trends	230
Client Alerts Link	232
IDS Link	232
Network View	232
Info	233
Usage Trends	233
Dell W-Instant Access Point View	235
Info	235
RF Dashboard	235
Overview	236
Client View	243
Info	244
RF Dashboard	244
RF Trends	244
Mobility Trail	247
Alert Types and Management	249
Alert Types	249
Policy Enforcement Firewall	251
Authentication Servers	251
Users for Internal Server	251
Roles	252
Extended Voice and Video Functionalities	253
QoS for Microsoft Office OCS and Apple Facetime	253
Microsoft OCS	254
Apple Facetime	254
Client Blacklisting	255
Types of Client Blacklisting	256
Manual Blacklisting	256
Adding a Client to the Manual Blacklist	256
Dynamic Blacklisting	257
Authentication Failure Blacklisting	257
Session Firewall Based Blacklisting	257
PEF Settings	258
Firewall ALG Configuration	258
Firewall-based Logging	259
VPN Configuration	261
VPN Configuration	261
Fast Failover	262
Routing Profile Configuration	262
DHCP Server Configuration	263
NAT DHCP Configuration	264
Distributed L2 DHCP Configuration	265
Distributed L3 DHCP Configuration	266
Centralized L2 DHCP Configuration	267
User Database	269
Adding a User	269
Editing User Settings	270
Deleting a User	270
Regulatory Domain	271
Country Codes List	271
Controller Configuration for VPN	277
Whitelist DB Configuration	277
VPN Local Pool Configuration	277
W-IAP VPN Profile Configuration	278
Dell PowerConnect W-ClearPass Configuration for AirGroup	279
Dell PowerConnect W-ClearPass Setup	279
Testing	283
Troubleshooting	283
IAP-VPN	285
Licensing Requirements	285
VPN Configuration	286
Creating a W-IAP Whitelist	286
Controller Whitelist DB	286
External Whitelist DB	286
VPN Local Pool Configuration	287
VPN Profile Configuration	287
Radius Proxy for VPN Connected IAPs	287
Viewing Branch Status	288
Example	288
Troubleshooting	289
Viewing Logs	289
Support Commands	289
Abbreviations	295

Match case Limit results 1 per page

286

IAP-VPN

Dell PowerConnect W-Series Instant Access Point

6.2.0.0-3.2.0.0

User Guide

VPN Configuration

The following VPN configuration steps on the controller, enable W-IAPs to terminate their VPN

connection on the controller:

Creating a W-IAP Whitelist

Controller Whitelist DB

W-IAP whitelist is the list of approved AP’s that can be provisioned on your controller. To create

a W-IAP whitelist:

Navigate to

Configuration > AP Installation (under Wireless)

and then click the

RAP

Whitelist

tab on the right side.

Click the

New

button and provide the following details:

AP MAC Address — Mandatory parameter. Enter the MAC address of the AP.

Username — Enter a username that will be used when the AP is provisioned.

AP Group — Select a group to add the AP.

AP Name — Enter a name for the AP. If an AP name is not entered, the MAC address will

be used instead.

Description — Enter a text description for the AP.

IP-Address — Enter an IP address for the AP.

Click the

Add

button to add the instant AP to the whitelist.

The

ap-group

parameter is not used for any configuration, but needs to be configured. The

parameter can be any valid string. If an external whitelist is being used, the MAC address of the

AP needs to be saved in the Radius server as a lower case entry without any delimiter.

External Whitelist DB

The external whitelist functionality enables you to configure the RADIUS server to use an external

whitelist for authentication of MAC addresses of RAPs.

If you are using Windows 2003 server, perform the following steps to configure external whitelist

on it. There are equivalent steps available for Windows Server 2008 and other RADIUS servers.

Add the MAC addresses for all the RAPs in the Active Directory of the Radius server:

Open the

Active Directory and Computers

window, add a new user and specify the MAC

address (without the colon delimiter) of the RAP for the user name and password.

Right-click the user that you have just created and click

Properties

In the

Dial-in

tab, select

Allow access in the Remote Access Permission

section and click

Repeat Step a through Step b for all RAPs.

Define the remote access policy in the Internet Authentication Service:

In the

Internet Authentication Service

window, select

Remote Access Policies

Launch the wizard to configure a new remote access policy.

Define filters and select

grant remote access permission

in the

Permissions

window.

Right-click the policy that you have just created and select

Properties

In the

Settings

tab, select the policy condition, and

Edit Profile

....

In the

Advanced

tab, select

Vendor Specific

, and click

Add

to add new vendor specific

attributes.