Home » Dell Manuals » Wireless » Dell W-Series 207 » Manual Viewer

Dell W-Series 207 Instant 6.5.1.0-4.3.1.0 User Guide - Page 246

Branch-ID Allocation, VPN Local Pool Configuration, Role Assignment for the Authenticated W-IAPs

Add to My Manuals
Save this manual to your list of manuals

Page 246 highlights

If you are using the Windows 2003 server, perform the following steps to configure the external whitelist database on it. There are equivalent steps available for the Windows Server 2008 and other RADIUS servers. 1. Add the MAC addresses of all the W-IAPs in the Active Directory of the RADIUS server: a. Open the Active Directory and Computers window, add a new user and specify the MAC address (without the colon delimiter) of the W-IAP for the username and password, respectively. b. Right-click the user that you have just created and click Properties. c. On the Dial-in tab, select Allow access in the Remote Access Permission section and click OK. d. Repeat Step a through Step c for all W-IAPs. 2. Define the remote access policy in the Internet Authentication Service: a. In the Internet Authentication Service window, select Remote Access Policies. b. Launch the wizard to configure a new remote access policy. c. Define filters and select grant remote access permission in the Permissions window. d. Right-click the policy that you have just created and select Properties. e. In the Settings tab, select the policy condition, and click Edit Profile.... f. In the Advanced tab, select Vendor Specific, and click Add to add new vendor-specific attributes. g. Add new vendor-specific attributes and click OK. h. In the IP tab, provide the IP address of the W-IAP and click OK. VPN Local Pool Configuration The VPN local pool is used to assign an IP address to the W-IAP after successful XAUTH VPN. (Instant AP) # ip local pool "rapngpool" Role Assignment for the Authenticated W-IAPs Define a role that includes an Source-NAT rule to allow connections to the RADIUS server and for the Dynamic RADIUS Proxy in the W-IAP to work. This role is assigned to W-IAPs after successful authentication. (host) (config) #ip access-list session iaprole (host) (config-sess-iaprole)#any host any src-nat (host) (config-sess-iaprole)#any any any permit (host) (config-sess-iaprole)#! (host) (config) #user-role iaprole (host) (config-role) #session-acl iaprole VPN Profile Configuration The VPN profile configuration defines the server used to authenticate the W-IAP (internal or an external server) and the role assigned to the W-IAP after successful authentication. (host) (config) #aaa authentication vpn default-iap (host) (VPN Authentication Profile "default-iap") #server-group default (host) (VPN Authentication Profile "default-iap") #default-role iaprole Branch-ID Allocation For branches deployed in Distributed, L3 and Distributed, L2 modes, the master W-IAP in the branch and the controller should agree upon a subnet/IP addresses to be used for DHCP services in the branch. The process or protocol used by the master W-IAP and the controller to determine the subnet/IP addresses used in a branch is called BID allocation. The BID allocation process is not essential for branches deployed in local or Centralized, L2 mode. The following are some of the key functions of the BID allocation process: l Determines the IP addresses used in a branch for Distributed, L2 mode l Determines the subnet used in a branch for Distributed, L3 mode l Avoids IP address or subnet overlap (that is, avoids IP conflict) Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide IAP-VPN Deployment | 246

Section	Page
About this Guide	9
Intended Audience	9
Related Documents	9
Conventions	9
Contacting Dell	10
About Instant	11
Instant Overview	11
What is New in this Release	14
Setting up a W-IAP	16
Setting up Instant Network	16
Provisioning a W-IAP	17
Logging in to the Instant UI	19
Accessing the Instant CLI	20
Automatic Retrieval of Configuration	24
Managed Mode Operations	24
Prerequisites	24
Configuring Managed Mode Parameters	25
Verifying the Configuration	26
Instant User Interface	28
Login Screen	28
Main Window	29
Initial Configuration Tasks	56
Configuring System Parameters	56
Changing Password	62
Customizing W-IAP Settings	63
Modifying the W-IAP Host Name	63
Configuring Zone Settings on a W-IAP	63
Specifying a Method for Obtaining IP Address	64
Configuring External Antenna	65
Configuring Radio Profiles for a W-IAP	66
Configuring Uplink VLAN for a W-IAP	68
Changing the W-IAP Installation Mode	68
Changing USB Port Status	69
Master Election and Virtual Controller	70
Adding a W-IAP to the Network	71
Removing a W-IAP from the Network	72
VLAN Configuration	73
VLAN Pooling	73
Uplink VLAN Monitoring and Detection on Upstream Devices	73
IPv6 Support	74
IPv6 Notation	74
Enabling IPv6 Support for W-IAP Configuration	74
Firewall Support for IPv6	76
Debugging Commands	76
Wireless Network Profiles	77
Configuring Wireless Network Profiles	77
Configuring Fast Roaming for Wireless Clients	97
Configuring Modulation Rates on a WLAN SSID	100
Multi-User-MIMO	101
Management Frame Protection	102
Disabling Short Preamble for Wireless Client	102
Editing Status of a WLAN SSID Profile	102
Editing a WLAN SSID Profile	103
Deleting a WLAN SSID Profile	103
Wired Profiles	104
Configuring a Wired Profile	104
Assigning a Profile to Ethernet Ports	109
Editing a Wired Profile	109
Deleting a Wired Profile	110
Link Aggregation Control Protocol	110
Understanding Hierarchical Deployment	111
Captive Portal for Guest Access	113
Understanding Captive Portal	113
Configuring a WLAN SSID for Guest Access	114
Configuring Wired Profile for Guest Access	120
Configuring Internal Captive Portal for Guest Network	122
Configuring External Captive Portal for a Guest Network	125
Configuring Facebook Login	131
Configuring Guest Logon Role and Access Rules for Guest Users	132
Configuring Captive Portal Roles for an SSID	134
Configuring Walled Garden Access	137
Authentication and User Management	139
Managing W-IAP Users	139
Supported Authentication Methods	143
Supported EAP Authentication Frameworks	145
Configuring Authentication Servers	146
Understanding Encryption Types	160
Configuring Authentication Survivability	161
Configuring 802.1X Authentication for a Network Profile	163
Enabling 802.1X Supplicant Support	165
Configuring MAC Authentication for a Network Profile	166
Configuring MAC Authentication with 802.1X Authentication	168
Configuring MAC Authentication with Captive Portal Authentication	170
Configuring WISPr Authentication	171
Blacklisting Clients	172
Uploading Certificates	175
Roles and Policies	178
Firewall Policies	178
Content Filtering	191
Configuring User Roles	195
Configuring Derivation Rules	197
Using Advanced Expressions in Role and VLAN Derivation Rules	203
DHCP Configuration	207
Configuring DHCP Scopes	207
Configuring the Default DHCP Scope for Client IP Assignment	214
Configuring Time-Based Services	217
Time Range Profiles	217
Configuring a Time Range Profile	217
Applying a Time Range Profile to a WLAN SSID	218
Verifying the Configuration	219
Dynamic DNS Registration	221
Enabling Dynamic DNS	221
Configuring Dynamic DNS Updates for Clients	222
Verifying the Configuration	223
VPN Configuration	224
Understanding VPN Features	224
Configuring a Tunnel from a W-IAP to a Mobility Controller	225
Configuring Routing Profiles	236
IAP-VPN Deployment	238
Understanding IAP-VPN Architecture	238
Configuring W-IAP and Controller for IAP-VPN Operations	241
Adaptive Radio Management	249
ARM Overview	249
Configuring ARM Features on a W-IAP	250
Configuring Radio Settings	256
Deep Packet Inspection and Application Visibility	261
Deep Packet Inspection	261
Enabling Application Visibility	261
Application Visibility	262
Enabling URL Visibility	267
Configuring ACL Rules for Application and Application Categories	267
Configuring Web Policy Enforcement Service	270
Voice and Video	273
Wi-Fi Multimedia Traffic Management	273
Media Classification for Voice and Video Calls	276
Enabling Enhanced Voice Call Tracking	277
Services	279
Configuring AirGroup	279
Configuring a W-IAP for RTLS Support	288
Configuring a W-IAP for Analytics and Location Engine Support	289
Managing BLE Beacons	290
Clarity Live	291
Configuring OpenDNS Credentials	293
Integrating a W-IAP with Palo Alto Networks Firewall	293
Integrating a W-IAP with an XML API Interface	295
CALEA Integration and Lawful Intercept Compliance	298
Cluster Security	304
Overview	304
Enabling Cluster Security	305
Cluster Security Debugging Logs	305
Verifying the Configuration	306
W-IAP Management and Monitoring	307
Managing a W-IAP from W-AirWave	307
Uplink Configuration	318
Uplink Interfaces	318
Uplink Preferences and Switching	323
Intrusion Detection	328
Detecting and Classifying Rogue W-IAPs	328
OS Fingerprinting	328
Configuring Wireless Intrusion Protection and Detection Levels	329
Configuring IDS	334
Mesh W-IAP Configuration	335
Mesh Network Overview	335
Setting up Instant Mesh Network	336
Configuring Wired Bridging on Ethernet 0 for Mesh Point	336
Mobility and Client Management	338
Layer-3 Mobility Overview	338
Configuring L3-Mobility	339
Spectrum Monitor	341
Understanding Spectrum Data	341
Configuring Spectrum Monitors and Hybrid W-IAPs	347
W-IAP Maintenance	349
Upgrading a W-IAP	349
Backing up and Restoring W-IAP Configuration Data	352
Converting a W-IAP to a Remote AP and Campus AP	353
Resetting a Remote AP or Campus AP to a W-IAP	359
Rebooting the W-IAP	359
Monitoring Devices and Logs	361
Configuring SNMP	361
Configuring a Syslog Server	365
Configuring TFTP Dump Server	366
Running Debug Commands	367
Uplink Bandwidth Monitoring	371
Hotspot Profiles	373
Understanding Hotspot Profiles	373
Configuring Hotspot Profiles	375
Sample Configuration	386
ClearPass Guest Setup	389
Configuring ClearPass Guest	389
Verifying ClearPass Guest Setup	392
Troubleshooting	392
IAP-VPN Deployment Scenarios	394
Scenario 1—IPsec: Single Datacenter Deployment with No Redundancy	395
Scenario 2—IPsec: Single Datacenter with Multiple Controllers for Redundancy	399
Scenario 3—IPsec: Multiple Datacenter Deployment with Primary and Backup Cont...	403
Scenario 4—GRE: Single Datacenter Deployment with No Redundancy	408
Glossary	411
Acronyms and Abbreviations	416

Match case Limit results 1 per page

If you are using the Windows 2003 server, perform the following steps to configure the external whitelist

database on it. There are equivalent steps available for the Windows Server 2008 and other RADIUS servers.

1. Add the MAC addresses of all the W-IAPs in the Active Directory of the RADIUS server:

Open the

Active Directory and Computers

window, add a new user and specify the MAC address

(without the colon delimiter) of the W-IAP for the username and password, respectively.

b. Right-click the user that you have just created and click

Properties

On the

Dial-in

tab, select

Allow access

in the

Remote Access Permission

section and click

d. Repeat Step a through Step c for all W-IAPs.

2. Define the remote access policy in the Internet Authentication Service:

In the

Internet Authentication Service

window, select

Remote Access Policies

b. Launch the wizard to configure a new remote access policy.

Define filters and select

grant remote access permission

in the

Permissions

window.

d. Right-click the policy that you have just created and select

Properties

In the

Settings

tab, select the policy condition, and click

Edit Profile...

In the

Advanced

tab, select

Vendor Specific

, and click

Add

to add new vendor-specific attributes.

Add new vendor-specific attributes and click

h. In the

tab, provide the IP address of the W-IAP and click

VPN Local Pool Configuration

The VPN local pool is used to assign an IP address to the W-IAP after successful XAUTH VPN.

(Instant AP) # ip local pool "rapngpool" <startip> <endip>

Role Assignment for the Authenticated W-IAPs

Define a role that includes an Source-NAT rule to allow connections to the RADIUS server and for the Dynamic

RADIUS Proxy in the W-IAP to work. This role is assigned to W-IAPs after successful authentication.

(host) (config) #ip access-list session iaprole

(host) (config-sess-iaprole)#any host <radius-server-ip> any src-nat

(host) (config-sess-iaprole)#any any any permit

(host) (config-sess-iaprole)#!

(host) (config) #user-role iaprole

(host) (config-role) #session-acl iaprole

VPN Profile Configuration

The VPN profile configuration defines the server used to authenticate the W-IAP (internal or an external server)

and the role assigned to the W-IAP after successful authentication.

(host) (config) #aaa authentication vpn default-iap

(host) (VPN Authentication Profile "default-iap") #server-group default

(host) (VPN Authentication Profile "default-iap") #default-role iaprole

Branch-ID Allocation

For branches deployed in Distributed, L3 and Distributed, L2 modes, the master W-IAP in the branch and the

controller should agree upon a subnet/IP addresses to be used for DHCP services in the branch. The process or

protocol used by the master W-IAP and the controller to determine the subnet/IP addresses used in a branch is

called BID allocation. The BID allocation process is not essential for branches deployed in local or Centralized,

L2 mode. The following are some of the key functions of the BID allocation process:

Determines the IP addresses used in a branch for Distributed, L2 mode

Determines the subnet used in a branch for Distributed, L3 mode

Avoids IP address or subnet overlap (that is, avoids IP conflict)

Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide

IAP-VPN Deployment |

246