Dell W-Series 207 Instant 6.5.1.0-4.3.1.0 User Guide - Page 246
Branch-ID Allocation, VPN Local Pool Configuration, Role Assignment for the Authenticated W-IAPs
View all Dell W-Series 207 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 246 highlights
If you are using the Windows 2003 server, perform the following steps to configure the external whitelist database on it. There are equivalent steps available for the Windows Server 2008 and other RADIUS servers. 1. Add the MAC addresses of all the W-IAPs in the Active Directory of the RADIUS server: a. Open the Active Directory and Computers window, add a new user and specify the MAC address (without the colon delimiter) of the W-IAP for the username and password, respectively. b. Right-click the user that you have just created and click Properties. c. On the Dial-in tab, select Allow access in the Remote Access Permission section and click OK. d. Repeat Step a through Step c for all W-IAPs. 2. Define the remote access policy in the Internet Authentication Service: a. In the Internet Authentication Service window, select Remote Access Policies. b. Launch the wizard to configure a new remote access policy. c. Define filters and select grant remote access permission in the Permissions window. d. Right-click the policy that you have just created and select Properties. e. In the Settings tab, select the policy condition, and click Edit Profile.... f. In the Advanced tab, select Vendor Specific, and click Add to add new vendor-specific attributes. g. Add new vendor-specific attributes and click OK. h. In the IP tab, provide the IP address of the W-IAP and click OK. VPN Local Pool Configuration The VPN local pool is used to assign an IP address to the W-IAP after successful XAUTH VPN. (Instant AP) # ip local pool "rapngpool" Role Assignment for the Authenticated W-IAPs Define a role that includes an Source-NAT rule to allow connections to the RADIUS server and for the Dynamic RADIUS Proxy in the W-IAP to work. This role is assigned to W-IAPs after successful authentication. (host) (config) #ip access-list session iaprole (host) (config-sess-iaprole)#any host any src-nat (host) (config-sess-iaprole)#any any any permit (host) (config-sess-iaprole)#! (host) (config) #user-role iaprole (host) (config-role) #session-acl iaprole VPN Profile Configuration The VPN profile configuration defines the server used to authenticate the W-IAP (internal or an external server) and the role assigned to the W-IAP after successful authentication. (host) (config) #aaa authentication vpn default-iap (host) (VPN Authentication Profile "default-iap") #server-group default (host) (VPN Authentication Profile "default-iap") #default-role iaprole Branch-ID Allocation For branches deployed in Distributed, L3 and Distributed, L2 modes, the master W-IAP in the branch and the controller should agree upon a subnet/IP addresses to be used for DHCP services in the branch. The process or protocol used by the master W-IAP and the controller to determine the subnet/IP addresses used in a branch is called BID allocation. The BID allocation process is not essential for branches deployed in local or Centralized, L2 mode. The following are some of the key functions of the BID allocation process: l Determines the IP addresses used in a branch for Distributed, L2 mode l Determines the subnet used in a branch for Distributed, L3 mode l Avoids IP address or subnet overlap (that is, avoids IP conflict) Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide IAP-VPN Deployment | 246