Home » Dell Manuals » Hubs & Switches » Dell PowerConnect W-IAP92 » Manual Viewer

Dell PowerConnect W-IAP92 Dell Instant 6.2.0.0-3.2.0.0 User Guide - Page 287

VPN Local Pool Configuration, VPN Profile Configuration, Radius Proxy for VPN Connected IAPs

View all Dell PowerConnect W-IAP92 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 287 highlights

g. Add new vendor specific attributes and click OK. h. In the IP tab, provide the IP for the RAP and click OK. VPN Local Pool Configuration To configure the VPN Local Pool: 1. Navigate to the Configuration > Advanced Services > VPN Services > IPSec page. 2. Select (check) Enable L2TP. 3. Make sure that only PAP (Password Authentication Protocol) is selected for Authentication Protocols. 4. To configure the L2TP IP pool, click Add in the Address Pools section. Configure the L2TP pool from which the APs will be assigned addresses, then click Done. NOTE: The size of the pool should correspond to the maximum number of APs that the controller is licensed to manage. 5. To configure an Internet Security Association and Key Management Protocol (ISAKMP) encrypted subnet and preshared key, click Add in the IKE Shared Secrets section and configure the preshared key. Click Done to return to the IPSec page. 6. Click Apply. VPN Profile Configuration The VPN profile configuration defines the server used to authenticate the W-IAP (internal or an external server) and the role for W-IAP user. This role is used to define src-nat rule to Radius server to get Dynamic Radius proxy working. 1. Navigate to the Configuration > Security > Authentication > L3 Authentication page. 2. In the Profiles list, select the VPN Authentication Profile> default-iap. 3. For Default Role, enter the user role you created previously (for example, InstantAP). 4. Click Apply. 5. In the Profile list, under VPN Authentication Profile, select Server Group. 6. Select the server group from the drop-down menu. 7. Click Apply. For more information on VPN profile configuration, see "VPN Configuration" on page 261. Radius Proxy for VPN Connected IAPs The Radius proxy for VPN connected W-IAPs functionality defines the server used to authenticate the W-IAP (internal or an external server) and the role for W-IAP user. This role is used to define src-nat rule to Radius server to get Dynamic Radius proxy working. 1. Navigate to the Configuration > Security > Access Control > User Roles page. Click Add to create the sysadmin role. 2. For Role Name, enter sysadmin. 3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall policy. Click Done. 4. Click Apply. For more information on VPN profile configuration, see "VPN Configuration" on page 261. Dell PowerConnect W-Series Instant Access Point 6.2.0.0-3.2.0.0 | User Guide 287 | IAP-VPN

Section	Page
Contents	3
About This Guide	15
Dell PowerConnect W-Instant Access Point Overview	15
Supported Devices	15
Objective	15
Intended Audience	16
Conventions	16
Contacting Support	16
Initial Configuration	17
Initial Setup	17
Pre-Installation Checklist	17
Connecting a W-IAP	18
Assigning an IP Address to the W-IAP	18
Connecting to a Provisioning Wi-Fi Network	18
Disabling the Provisioning Wi-Fi Network	20
Assigning a Static IP	20
Log in to the Dell W-Series Instant UI	21
Specifying a Country Code	21
W-IAP Cluster	22
Dell W-Instant User Interface	23
Understanding the Dell W-Series Instant UI Layout	23
Banner	24
Search	24
Tabs	24
Networks Tab	24
Access Points Tab	25
Clients Tab	25
Links	26
New Version Available	27
Settings	27
RF	29
PEF	30
WIP	30
VPN	31
Wired	31
Maintenance	32
Support	32
Help	32
Logout	33
Monitoring	33
Info	33
RF Dashboard	34
Usage Trends	35
Spectrum	36
Overview (Device list)	36
Channel Utilization and Monitoring	36
Channel Details	37
Alerts	37
Client Alerts	37
Fault History	38
Active Faults	38
IDS	39
Configuration	39
AirGroup	40
Language	40
Dell PowerConnect W-AirWave Setup	40
Pause/Resume	41
Views	41
Wireless Network	43
Network Types	43
Employee Network	44
Adding an Employee Network	44
Voice Network	53
Adding a Voice Network	53
Guest Network	60
Adding a Guest Network	60
Editing a Network	68
Deleting a Network	68
Number of WLAN SSIDs Supported	68
Enabling the Extended SSID Option	69
VLAN Pooling	69
Managing W-IAPs	71
Preferred Band	71
Auto Join Mode	71
Disabling Auto Join Mode	71
Terminal Access	72
LED Display	72
TFTP Dump Server	72
Extended SSID	73
Deny Inter User Bridging and Deny Local Routing	73
Syslog Server	73
Syslog Facility Levels	74
Adding a W-IAP to the Network	74
Removing a W-IAP from the Network	75
Editing W-IAP Settings	75
Changing W-IAP Name	75
Changing IP Address of the W-IAP	76
Configuring Adaptive Radio Management	78
Configuring Uplink Management VLAN	79
Configuring Wired Bridging on Ethernet 0	79
Migrating to a Dell PowerConnect W-Series Mobility Controller Managed Network	80
Converting a W-IAP to RAP Mode	80
Converting a W-IAP to CAP	83
Converting a W-IAP to Standalone Mode	83
Converting Back to a W-IAP	84
Rebooting the W-IAP	84
Firmware Image Server in Cloud Network	86
Upgrade Using Dell PowerConnect W-AirWave and Image Server	86
Image Management Using Cloud Server	86
Image Management Using Dell PowerConnect W-AirWave	86
Automatic Firmware Image Check and Upgrade	87
Upgrading to New Version	88
Manual	88
Automatic	90
Layer-3 Mobility	91
Overview	91
Configuring a Mobility Domain	92
Home Agent Load Balancing	95
Spectrum Monitor	97
Creating Spectrum Monitors and Hybrid APs	97
Converting W-IAPs into Hybrid W-IAPs	97
Converting a W-IAP to a Spectrum Monitor	98
Spectrum Data	100
Overview - Device List	100
Non Wi-Fi Interferers	101
Channel Metrics	103
Channel Details	104
Spectrum Alerts	105
Time Management	107
NTP Server	107
Configuring an NTP Server	107
Daylight Saving Time	108
Enabling Daylight Saving Time	108
Virtual Controller	109
Master Election Protocol	109
Preference to an IAP with 3G/4G Card	109
Preference to a W-IAP with Non-Default IP	109
Virtual Controller IP Address	110
Specifying Name and IP Address for the Virtual Controller	110
Configuring the DHCP Server	110
Authentication	111
Authentication Methods in Dell W-Instant	111
802.1X Authentication	111
Internal RADIUS Server	112
External RADIUS Server	112
Authentication Terminated on W-IAP	112
Configuring an External RADIUS Server	113
Enabling RADIUS Server Support	115
Authentication Survivability	115
RADIUS Server Authentication with VSA	118
List of Supported VSA	118
Management Authentication Settings	120
Captive Portal	121
Internal Captive Portal	121
Configuring Internal Captive Portal Authentication when Adding a Guest Network	122
Configuring Internal Captive Portal Authentication when Editing a Guest Network	123
Configuring Internal Captive Portal with External RADIUS Server Authenticatio...	124
Customizing a Splash Page	125
Disabling Captive Portal Authentication	126
External Captive Portal	127
Configuring External Captive Portal Authentication when Adding a Guest Network	127
Configuring External Captive Portal Authentication when Editing a Guest Network	129
External Captive Portal Authentication using ClearPass Guest	131
Creating a Web Login page in the ClearPass Guest	131
Configuring the RADIUS Server in Instant	131
WISPr Authentication	132
Configuring WISPr Authentication	132
MAC Authentication	133
Configuring MAC Authentication	134
Walled Garden Access	134
Creating a Walled Garden Access	134
MAC + 802.1X Authentication	136
Configuring MAC + 802.1X Authentication	136
MAC + Captive Portal Authentication	137
Configuring MAC + Captive Portal Authentication	137
Wired Authentication on a W-IAP	138
Certificates	138
Loading Certificates using Dell W-Series Instant UI	139
Loading Certificates using Dell PowerConnect W-AirWave	140
Encryption	143
Encryption Types Supported in Dell W-Instant	143
WEP	143
TKIP	143
AES	143
Encryption Recommendations	143
Understanding WPA and WPA2	144
Recommended Authentication and Encryption Combinations	144
Role Derivation	145
User Roles	145
Creating a New User Role	145
Creating Role Assignment Rules	147
MAC-Address Attribute	147
DHCP Option and DHCP Fingerprinting	148
802.1X-Authentication-Type	148
User VLAN Derivation	149
User VLAN Derivation	149
Vendor Specific Attributes (VSA)	149
VLAN Derivation Rule	150
Configuring VLAN Derivation Rules on a W-IAP	150
User Role	151
Configuring a User Role	151
SSID Profile	152
Configuring VLAN Derivation Rules Using an SSID Profile	153
Instant Firewall	155
Service Options	156
Destination Options	158
Examples for Access Rules	158
Allow TCP Service to a Particular Network	158
Allow POP3 Service to a Particular Server	159
Deny FTP Service except to a Particular Server	160
Deny bootp Service except to a Particular Network	161
Content Filtering	163
Enabling Content Filtering	163
Enterprise Domains	164
OS Fingerprinting	167
Adaptive Radio Management	169
ARM Features	169
Channel or Power Assignment	169
Voice Aware Scanning	169
Load Aware Scanning	169
Band Steering Mode	169
Airtime Fairness Mode	170
Airtime Fairness Modes	170
Access Point Control	171
Customize Valid Channels	171
Min Transmit Power	171
Max Transmit Power	171
Client Aware	171
Scanning	171
Wide Channel Bands	171
Monitoring the Network with ARM	172
ARM Metrics	172
Configuring Administrator Assigned Radio Settings for W-IAP	172
Configuring Radio Profiles in Instant	173
Intrusion Detection System	177
Rogue AP Detection and Classification	177
Wireless Intrusion Protection (WIP)	177
Containment Methods	181
SNMP	183
SNMP Parameters for W-IAP	183
SNMP Traps	185
Ethernet Downlink	187
Ethernet Downlink Overview	187
Ethernet Downlink Profile Parameters	187
Assigning a Profile to the Ethernet Port	190
Hierarchical Deployment	193
Deployment	193
Uplink Configuration	195
Uplink Interface Configuration	195
Ethernet Uplink	195
3G/4G Uplink	196
Types of Modems	196
Provisioning 3G/4G Uplink Manually	198
Provisioning 3G Uplink Automatically	199
Provisioning a 3G/4G Switch Network	199
Wi-Fi Uplink	200
Provisioning Wi-Fi Uplink	200
Provisioning 3G/4G and Wi-Fi Uplink with Factory Setting	200
Uplink Management	201
Enforce Uplink	201
Uplink Preemption	201
Uplink Switchover	201
Uplink Switching Based on VPN Status	201
Uplink Switching Based on Internet Connectivity Status	202
PPPoE	202
Configuring PPPoE	202
Dell PowerConnect W-AirWave Integration and Management	205
Dell PowerConnect W-AirWave Features	205
Image Management	205
W-IAP and Client Monitoring	205
Template-based Configuration	205
Trending Reports	206
Intrusion Detection System	206
Wireless Intrusion Detection System (WIDS) Event Reporting to Dell PowerConne...	206
RF Visualization Support for Dell W-Instant	207
Configuring Dell PowerConnect W-AirWave	207
Creating your Organization String	207
About Shared Key	208
Entering the Organization String and AMP Information into the W-IAP	208
Dell PowerConnect W-AirWave Discovery through DHCP Option	208
Standard DHCP option 60 and 43 on Windows Server 2008	208
Alternate Method for Defining Vendor-Specific DHCP Options	212
AirGroup	215
Introducing AirGroup	215
What is Bonjour and Zero Configuration Networking?	215
WLANs and Bonjour	216
AirGroup Solution	216
AirGroup Features	217
Dell PowerConnect W-ClearPass Policy Manager and ClearPass Guest Features	217
AirGroup Architecture	217
How Does AirGroup Work?	218
Use Case: Higher Education Wireless LAN	219
The AirGroup Solution Components	219
Configuring AirGroup on W-Instant	220
Using the Dell W-Series Instant UI	220
Enabling or Disabling AirGroup	220
Disallow Role	221
Disallow VLAN	222
Configuring AirGroup-CPPM Interface in W-Instant	223
Creating a RADIUS Server	223
Assign a Server to AirGroup	224
Configure CPPM to Enforce Registration	225
Change of Authorization (CoA)	225
AirGroup Monitoring	226
Troubleshooting and Log Messages	226
Monitoring	229
Virtual Controller View	229
Monitoring Link	230
Info	230
RF Dashboard	230
Usage Trends	230
Client Alerts Link	232
IDS Link	232
Network View	232
Info	233
Usage Trends	233
Dell W-Instant Access Point View	235
Info	235
RF Dashboard	235
Overview	236
Client View	243
Info	244
RF Dashboard	244
RF Trends	244
Mobility Trail	247
Alert Types and Management	249
Alert Types	249
Policy Enforcement Firewall	251
Authentication Servers	251
Users for Internal Server	251
Roles	252
Extended Voice and Video Functionalities	253
QoS for Microsoft Office OCS and Apple Facetime	253
Microsoft OCS	254
Apple Facetime	254
Client Blacklisting	255
Types of Client Blacklisting	256
Manual Blacklisting	256
Adding a Client to the Manual Blacklist	256
Dynamic Blacklisting	257
Authentication Failure Blacklisting	257
Session Firewall Based Blacklisting	257
PEF Settings	258
Firewall ALG Configuration	258
Firewall-based Logging	259
VPN Configuration	261
VPN Configuration	261
Fast Failover	262
Routing Profile Configuration	262
DHCP Server Configuration	263
NAT DHCP Configuration	264
Distributed L2 DHCP Configuration	265
Distributed L3 DHCP Configuration	266
Centralized L2 DHCP Configuration	267
User Database	269
Adding a User	269
Editing User Settings	270
Deleting a User	270
Regulatory Domain	271
Country Codes List	271
Controller Configuration for VPN	277
Whitelist DB Configuration	277
VPN Local Pool Configuration	277
W-IAP VPN Profile Configuration	278
Dell PowerConnect W-ClearPass Configuration for AirGroup	279
Dell PowerConnect W-ClearPass Setup	279
Testing	283
Troubleshooting	283
IAP-VPN	285
Licensing Requirements	285
VPN Configuration	286
Creating a W-IAP Whitelist	286
Controller Whitelist DB	286
External Whitelist DB	286
VPN Local Pool Configuration	287
VPN Profile Configuration	287
Radius Proxy for VPN Connected IAPs	287
Viewing Branch Status	288
Example	288
Troubleshooting	289
Viewing Logs	289
Support Commands	289
Abbreviations	295

Match case Limit results 1 per page

Add new vendor specific attributes and click

In the

tab, provide the IP for the RAP and click

VPN Local Pool Configuration

To configure the VPN Local Pool:

Navigate to the

Configuration > Advanced Services > VPN Services > IPSec

page.

Select (check)

Enable L2TP

Make sure that only

PAP

(Password Authentication Protocol) is selected for Authentication

Protocols.

To configure the L2TP IP pool, click

Add

in the

Address Pools

section. Configure the L2TP

pool from which the APs will be assigned addresses, then click

Done

NOTE: The size of the pool should correspond to the maximum number of APs that the

controller is licensed to manage.

To configure an Internet Security Association and Key Management Protocol (ISAKMP)

encrypted subnet and preshared key, click

Add

in the IKE Shared Secrets section and

configure the preshared key. Click

Done

to return to the IPSec page.

Click

Apply

VPN Profile Configuration

The VPN profile configuration defines the server used to authenticate the W-IAP (internal or an

external server) and the role for W-IAP user. This role is used to define

src-nat

rule to Radius

server to get Dynamic Radius proxy working.

Navigate to the

Configuration > Security > Authentication > L3 Authentication

page.

In the Profiles list, select the

VPN Authentication Profile> default-iap

For Default Role, enter the user role you created previously (for example, InstantAP).

Click

Apply

In the

Profile

list, under

VPN Authentication Profile

, select

Server Group

Select the server group from the drop-down menu.

Click

Apply

For more information on VPN profile configuration, see

"VPN Configuration" on page 261

Radius Proxy for VPN Connected IAPs

The Radius proxy for VPN connected W-IAPs functionality defines the server used to authenticate

the W-IAP (internal or an external server) and the role for W-IAP user. This role is used to define

src-nat

rule to Radius server to get Dynamic Radius proxy working.

Navigate to the

Configuration > Security > Access Control > User Roles

page. Click

Add

to create the sysadmin role.

For Role Name, enter

sysadmin

Under Firewall Policies, click

Add

. In Choose from Configured Policies, select the predefined

allowall policy. Click

Done

Click

Apply

For more information on VPN profile configuration, see

"VPN Configuration" on page 261

Dell PowerConnect W-Series Instant Access Point

6.2.0.0-3.2.0.0

User Guide

287

IAP-VPN