Home » Dell Manuals » Wireless » Dell W-Series 228 » Manual Viewer

Dell W-Series 228 Instant 6.4.3.1-4.2 User Guide - Page 158

MAC authentication with Captive Portal authentication, 802.1X authentication with Captive Portal Role

Add to My Manuals
Save this manual to your list of manuals

Page 158 highlights

MAC authentication with Captive Portal authentication You can enforce MAC authentication for captive portal clients. For more information configuring a W-IAP to use MAC authentication with captive portal authentication, see hConfiguring MAC Authentication with Captive Portal Authentication on page 181. 802.1X authentication with Captive Portal Role This authentication mechanism allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to external or internal captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Configuring Captive Portal Roles for an SSID on page 147. WISPr authentication Wireless Internet Service Provider roaming (WISPr) authentication allows a smart client to authenticate on the network when they roam between wireless Internet service providers, even if the wireless hotspot uses an Internet Service Provider (ISP) with whom the client may not have an account. If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on your hotspot's own ISP as per their service agreements. The W-IAP assigns the default WISPr user role to the client when your ISP sends an authentication message to the W-IAP. For more information on WISPr authentication, see Configuring WISPr Authentication on page 182. Supported EAP Authentication Frameworks The following EAP authentication frameworks are supported in the Instant network: l EAP-TLS- The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server . The EAP-TLS requires both server and certification authority (CA) certificates installed on the W-IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server. l EAP-TTLS (MSCHAPv2)- The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAPTTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords. l EAP-PEAP (MSCHAPv2)- EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with server. The PEAP authentication creates an encrypted SSL / TLS tunnel between the client and the authentication server. Exchange of information is encrypted and stored in the tunnel ensuring the user credentials are kept secure. l LEAP- Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and authentication server. To use the W-IAP's internal database for user authentication, add the names and passwords of the users to be authenticated. Dell does not recommend the use of LEAP authentication, because it does not provide any resistance to network attacks. Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide Authentication and User Management | 158

Section	Page
About this Guide	27
Intended Audience	27
Related Documents	27
Conventions	27
Contacting Dell	28
About Instant	29
Instant Overview	29
Supported AP Platforms	29
Instant UI	31
Instant CLI	32
What is New in this Release	32
Support for New W-IAP Devices	34
No Support for W-IAP92/93	35
Setting up a W-IAP	36
Setting up Instant Network	36
Connecting a W-IAP	36
Assigning an IP address to the W-IAP	36
Assigning a Static IP	37
Connecting to a Provisioning Wi-Fi Network	37
W-IAP Cluster	37
Disabling the Provisioning Wi-Fi Network	38
Logging in to the Instant UI	38
Regulatory Domains	39
Specifying Country Code	39
Accessing the Instant CLI	40
Connecting to a CLI Session	40
Applying Configuration Changes	40
Using Sequence Sensitive Commands	41
Automatic Retrieval of Configuration	43
Managed Mode Operations	43
Pre-requisites	43
Configuring Managed Mode Parameters	44
Example	45
Verifying the Configuration	45
Instant User Interface	47
Login Screen	47
Viewing Connectivity Summary	47
Language	47
Logging into the Instant UI	47
Main Window	48
Banner	48
Search	48
Tabs	48
Networks Tab	49
Access Points Tab	49
Clients Tab	50
Links	50
New Version Available	50
System	51
RF	51
Security	51
Maintenance	52
More	52
VPN	53
IDS	53
Wired	54
Services	55
DHCP Server	56
Support	56
Help	57
Logout	57
Monitoring	57
Info	57
RF Dashboard	59
RF Trends	61
Usage Trends	61
Mobility Trail	67
Client Match	67
AppRF	68
Spectrum	68
Alerts	69
IDS	73
AirGroup	74
Configuration	74
W-AirWave Setup	75
Pause/Resume	75
Views	75
Initial Configuration Tasks	77
Basic Configuration Tasks	77
Modifying the W-IAP Name	77
In the Instant UI	78
In the CLI	78
Updating Location Details of a W-IAP	78
In the Instant UI	78
In the CLI	78
Configuring a Preferred Band	78
In the Instant UI	78
In the CLI	78
Configuring Virtual Controller IP Address	78
In the Instant UI	79
In the CLI	79
Configuring a Timezone	79
In the Instant UI	79
In the CLI	79
Configuring an NTP Server	79
In the Instant UI	80
In the CLI	80
Enabling AppRF Visibility	80
Changing Password	80
In the Instant UI	80
In the CLI	80
Additional Configuration Tasks	80
Configuring Virtual Controller Network Settings	81
In the Instant UI	81
In the CLI	82
Configuring Auto Join Mode	82
Enabling or Disabling Auto Join Mode	82
In the Instant UI	82
In the CLI	83
Configuring Terminal Access	83
In the Instant UI	83
In the CLI	83
Configuring Console Access	83
In the Instant UI	83
In the CLI	83
Configuring LED Display	84
In the Instant UI	84
In the CLI	84
Configuring Additional WLAN SSIDs	84
Enabling the Extended SSID	85
In the Instant UI	85
In the CLI	85
Preventing Inter-user Bridging	85
In the Instant UI	85
In the CLI	85
Preventing Local Routing between Clients	86
In the Instant UI	86
In the CLI	86
Enabling Dynamic CPU Management	86
In the Instant UI	86
In the CLI	87
Customizing W-IAP Settings	88
Modifying the W-IAP Hostname	88
In the Instant UI	88
In the CLI	88
Configuring Zone Settings on a W-IAP	88
In the Instant UI	88
In the CLI	89
Specifying a Method for Obtaining IP Address	89
In the Instant UI	89
In the CLI	89
Configuring External Antenna	89
EIRP and Antenna Gain	89
Configuring Antenna Gain	90
In the Instant UI	90
In the CLI	90
Configuring Radio Profiles for a W-IAP	90
Configuring ARM Assigned Radio Profiles for a W-IAP	91
Configuring Radio Profiles Manually for W-IAP	91
In the CLI	92
Configuring Uplink VLAN for a W-IAP	92
In the Instant UI	92
In the CLI	92
Changing USB Port Status	92
In the Instant UI	93
In the CLI	93
Master Election and Virtual Controller	93
Master Election Protocol	93
Preference to a W-IAP with 3G/4G Card	93
Preference to a W-IAP with Non-Default IP	94
Viewing Master Election Details	94
Manual Provisioning of Master W-IAP	94
Provisioning a W-IAP as a Master W-IAP	94
In the Instant UI	94
In the CLI	95
Adding a W-IAP to the Network	95
Removing a W-IAP from the Network	95
VLAN Configuration	96
VLAN Pooling	96
Uplink VLAN Monitoring and Detection on Upstream Devices	96
Wireless Network Profiles	97
Configuring Wireless Network Profiles	97
Network Types	97
Configuring WLAN Settings for an SSID Profile	98
In the Instant UI	98
In the CLI	101
Configuring VLAN Settings for a WLAN SSID Profile	102
In the Instant UI	102
In the CLI	103
Configuring Security Settings for a WLAN SSID Profile	104
Configuring Security Settings for an Employee or Voice Network	104
In the Instant UI	104
In the CLI	110
Configuring Access Rules for a WLAN SSID Profile	111
In the Instant UI	112
In the CLI	112
Configuring Fast Roaming for Wireless Clients	113
Opportunistic Key Caching	113
Configuring a W-IAP for OKC Roaming	113
In the Instant UI	114
In the CLI	114
Fast BSS Transition (802.11r Roaming)	114
Configuring a W-IAP for 802.11r support	115
In the Instant UI	115
In the CLI	115
Example	115
Radio Resource Management (802.11k)	115
Beacon Report Requests and Probe Responses	116
Configuring a WLAN SSID for 802.11k Support	116
In the Instant UI	116
In the CLI	116
Example	116
BSS Transition Management (802.11v)	116
Configuring a WLAN SSID for 802.11v Support	116
In the Instant UI	117
In the CLI	117
Example	117
Editing Status of a WLAN SSID Profile	117
In the Instant UI	117
In the CLI	117
Editing a WLAN SSID Profile	117
Deleting a WLAN SSID Profile	118
Wired Profiles	119
Configuring a Wired Profile	119
Configuring Wired Settings	119
In the Instant UI	119
In the CLI	120
Configuring VLAN for a Wired Profile	120
In the Instant UI	120
In the CLI	121
Configuring Security Settings for a Wired Profile	121
Configuring Security Settings for a Wired Employee Network	121
In the Instant UI	121
In the CLI	122
Configuring Access Rules for a Wired Profile	122
In the Instant UI	122
In the CLI	123
Assigning a Profile to Ethernet Ports	124
In the Instant UI	124
In the CLI	124
Editing a Wired Profile	124
Deleting a Wired Profile	124
Link Aggregation Control Protocol	125
Understanding Hierarchical Deployment	126
Captive Portal for Guest Access	127
Understanding Captive Portal	127
Types of Captive Portal	127
Walled Garden	128
Configuring a WLAN SSID for Guest Access	128
In the Instant UI	128
In the CLI	132
Configuring Wired Profile for Guest Access	133
In the Instant UI	133
In the CLI	134
Configuring Internal Captive Portal for Guest Network	135
In the Instant UI	135
In the CLI	137
wConfiguring External Captive Portal for a Guest Network	138
External Captive Portal Profiles	138
Creating a Captive Portal Profile	138
In the Instant UI	138
In the CLI	139
Configuring an SSID or Wired Profile to Use External Captive Portal Authentic...	140
In the Instant UI	140
In the CLI	141
External Captive Portal Redirect Parameters	142
Configuring External Captive Portal Authentication Using ClearPass Guest	142
Creating a Web Login page in ClearPass Guest	143
Configuring RADIUS Server in Instant UI	143
Configuring Facebook Login	143
Setting up a Facebook Page	144
Configuring an SSID	144
In the Instant UI	144
In the CLI	144
Example	144
Configuring the Facebook Portal Page	144
Accessing the Portal Page	145
Configuring Guest Logon Role and Access Rules for Guest Users	145
In the Instant UI	145
In the CLI	146
Example	146
Configuring Captive Portal Roles for an SSID	147
In the Instant UI	147
In the CLI	149
Configuring Walled Garden Access	150
In the Instant UI	150
In the CLI	150
Disabling Captive Portal Authentication	150
Authentication and User Management	152
Managing W-IAP Users	152
Configuring W-IAP Users	153
In the Instant UI	153
In the CLI	154
Configuring Authentication Parameters for Management Users	154
In the Instant UI	154
In the CLI	155
Adding Guest Users through the Guest Management Interface	156
Supported Authentication Methods	156
802.1X authentication	157
MAC authentication	157
MAC authentication with 802.1X authentication	157
Captive Portal Authentication	157
MAC authentication with Captive Portal authentication	158
802.1X authentication with Captive Portal Role	158
WISPr authentication	158
Supported EAP Authentication Frameworks	158
Authentication Termination on W-IAP	159
Configuring Authentication Servers	159
Supported Authentication Servers	159
Internal RADIUS Server	159
External RADIUS Server	160
RADIUS Server Authentication with VSA	160
TACACS Servers	164
Dynamic Load Balancing between Two Authentication Servers	164
Configuring an External Server for Authentication	164
In the Instant UI	164
In the CLI	168
Enabling RADIUS Communication over TLS	169
Configuring RadSec Protocol	169
In the UI	169
In the CLI	170
Associate the Server Profile with a Network Profile	170
In the CLI	170
Configuring Dynamic RADIUS Proxy Parameters	171
Enabling Dynamic RADIUS Proxy	171
In the Instant UI	171
In the CLI	171
Configuring Dynamic RADIUS Proxy Parameters	171
In the Instant UI	171
In the CLI	172
Associate Server Profiles to a Network Profile	172
In the CLI	172
Understanding Encryption Types	173
WPA and WPA2	173
Recommended Authentication and Encryption Combinations	174
Configuring Authentication Survivability	174
Enabling Authentication Survivability	175
In the Instant UI	175
Important Points to Remember	175
In the CLI	175
Configuring 802.1X Authentication for a Network Profile	176
Configuring 802.1X Authentication for a Wireless Network Profile	176
In the Instant UI	176
In the CLI	177
Configuring 802.1X Authentication for Wired Profiles	177
In the Instant UI	177
In the CLI	177
Configuring MAC Authentication for a Network Profile	177
Configuring MAC Authentication for Wireless Network Profiles	178
In the Instant UI	178
In the CLI	178
Configuring MAC Authentication for Wired Profiles	179
In the Instant UI	179
In the CLI	179
FConfiguring MAC Authentication with 802.1X Authentication	179
Configuring MAC and 802.1X Authentication for a Wireless Network Profile	180
In the Instant UI	180
In the CLI	180
Configuring MAC and 802.1X Authentication for Wired Profiles	180
In the Instant UI	180
In the CLI	181
hConfiguring MAC Authentication with Captive Portal Authentication	181
In the Instant UI	181
In the CLI	181
Configuring WISPr Authentication	182
In the Instant UI	182
In the CLI	183
Blacklisting Clients	183
Blacklisting Clients Manually	183
Adding a Client to the Blacklist	183
In the Instant UI	183
In the CLI	183
Blacklisting Users Dynamically	184
Authentication Failure Blacklisting	184
Session Firewall Based Blacklisting	184
Configuring Blacklist Duration	184
In the Instant UI	184
In the CLI	184
Uploading Certificates	186
Loading Certificates through Instant UI	186
Loading Certificates through Instant CLI	186
Removing Certificates	187
Loading Certificates through W-AirWave	187
Roles and Policies	189
Firewall Policies	189
Access Control List Rules	189
Configuring ACL Rules for Network Services	189
In the Instant UI	190
In the CLI	191
Example	191
Configuring Network Address Translation Rules	192
Configuring a Source NAT Access Rule	192
In the Instant UI	192
In the CLI	193
Configuring Source-Based Routing	193
Configuring a Destination NAT Access Rule	193
In the Instant UI	193
In the CLI	194
Configuring ALG Protocols	194
In the Instant UI	194
In the CLI	194
Configuring Firewall Settings for Protection from ARP Attacks	195
In the Instant UI	195
In the CLI	195
Managing Inbound Traffic	196
Configuring Inbound Firewall Rules	196
In the Instant UI	196
In the CLI	198
Example	198
Configuring Management Subnets	199
In the Instant UI	199
In the CLI	199
Configuring Restricted Access to Corporate Network	199
In the Instant UI	199
In the CLI	200
Content Filtering	200
Enabling Content Filtering	200
Enabling Content Filtering for a Wireless Profile	200
In the Instant UI	200
In the CLI	201
Enabling Content Filtering for a Wired Profile	201
In the Instant UI	201
In the CLI	201
Configuring Enterprise Domains	201
In the Instant UI	201
In the CLI	201
Configuring URL Filtering Policies	202
In the Instant UI	202
In the CLI	202
Example	203
Creating Custom Error Page for Web Access Blocked by AppRF Policies	203
Creating a List of Error Page URLs	203
In the Instant UI	203
In the CLI	203
Configuring ACL Rules to Redirect Users to a Specific URL	203
In the UI	203
In the CLI	203
Configuring User Roles	204
Creating a User Role	204
In the Instant UI	204
In the CLI	204
Assigning Bandwidth Contracts to User Roles	204
In the Instant UI	205
In the CLI:	205
Configuring Machine and User Authentication Roles	205
In the Instant UI	206
In the CLI	206
Configuring Derivation Rules	206
Understanding Role Assignment Rule	206
RADIUS VSA Attributes	206
MAC-Address Attribute	206
Roles Based on Client Authentication	207
DHCP Option and DHCP Fingerprinting	207
Creating a Role Derivation Rule	207
In the Instant UI	207
In the CLI	208
Example	208
Understanding VLAN Assignment	208
Vendor Specific Attributes	209
VLAN Assignment Based on Derivation Rules	210
User Role	211
VLANs Created for an SSID	211
Configuring VLAN Derivation Rules	211
In the Instant UI	211
In the CLI	212
Example	212
Using Advanced Expressions in Role and VLAN Derivation Rules	212
Configuring a User Role for VLAN Derivation	213
Creating a User VLAN Role	214
In the Instant UI	214
In the CLI	214
Assigning User VLAN Roles to a Network Profile	214
In the Instant UI	214
In the CLI	214
DHCP Configuration	215
Configuring DHCP Scopes	215
Configuring Local DHCP Scopes	215
In the Instant UI	215
In the CLI	216
Configuring Distributed DHCP Scopes	217
In the Instant UI	218
In the CLI	219
Configuring Centralized DHCP Scopes	220
In the Instant UI	220
In the CLI	222
Configuring the Default DHCP Scope for Client IP Assignment	222
In the Instant UI	223
In the CLI	223
VPN Configuration	225
Understanding VPN Features	225
Supported VPN Protocols	226
Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Contro...	226
Configuring an IPSec Tunnel	227
In the Instant UI	227
In the CLI	228
Example	228
Configuring an L2-GRE Tunnel	228
Configuring Manual GRE Parameters	228
In the Instant UI	229
In the CLI	229
Configuring Dell GRE Parameters	230
In the Instant UI	230
In the CLI	231
Configuring an L2TPv3 Tunnel	231
In the Instant UI	232
In the CLI	234
Example	234
Configuring Routing Profiles	237
In the Instant UI	237
In the CLI	238

Match case Limit results 1 per page

MAC authentication with Captive Portal authentication

You can enforce MAC authentication for captive portal clients. For more information configuring a W-IAP to use

MAC authentication with captive portal authentication, see

hConfiguring MAC Authentication with Captive

Portal Authentication on page 181

802.1X authentication with Captive Portal Role

This authentication mechanism allows you to configure different captive portal settings for clients on the same

SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some

of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to external

or internal captive portal, or none. For more information on configuring captive portal roles for an SSID with

802.1X authentication, see

Configuring Captive Portal Roles for an SSID on page 147

WISPr authentication

Wireless Internet Service Provider roaming (WISPr) authentication allows a smart client to authenticate on the

network when they roam between wireless Internet service providers, even if the wireless hotspot uses an

Internet Service Provider (ISP) with whom the client may not have an account.

If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the

Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and

allows the client to access the network. If the client only has an account with a

partner

ISP, the WISPr AAA

server forwards the client’s credentials to the partner ISP’s WISPr AAA server for authentication. When the

client is authenticated on the partner ISP, it is also authenticated on your hotspot’s own ISP as per their service

agreements. The W-IAP assigns the default WISPr user role to the client when your ISP sends an authentication

message to the W-IAP. For more information on WISPr authentication, see

Configuring WISPr Authentication

on page 182

Supported EAP Authentication Frameworks

The following EAP authentication frameworks are supported in the Instant network:

EAP-TLS— The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the

termination of EAP-TLS security using the internal RADIUS server . The EAP-TLS requires both server and

certification authority (CA) certificates installed on the W-IAP. The client certificate is verified on the Virtual

Controller (the client certificate must be signed by a known CA), before the username is verified on the

authentication server.

EAP-TTLS (MSCHAPv2)— The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-

TTLS) method uses server-side certificates to set up authentication between clients and servers. However,

the actual authentication is performed using passwords.

EAP-PEAP (MSCHAPv2)— EAP-PEAP is an 802.1X authentication method that uses server-side public key

certificates to authenticate clients with server. The PEAP authentication creates an encrypted SSL / TLS

tunnel between the client and the authentication server. Exchange of information is encrypted and stored

in the tunnel ensuring the user credentials are kept secure.

LEAP— Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication

between the client and authentication server.

To use the W-IAP’s internal database for user authentication, add the names and passwords of the users to be

authenticated.

Dell does not recommend the use of LEAP authentication, because it does not provide any resistance to

network attacks.

Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide

Authentication and User Management |

158