Home » Dell Manuals » Wireless » Dell W-Series 314 » Manual Viewer

Dell W-Series 314 Instant 6.4.3.1-4.2 User Guide - Page 174

Recommended Authentication and Encryption Combinations, Configuring Authentication Survivability

Add to My Manuals
Save this manual to your list of manuals

Page 174 highlights

l Personal-Personal is also called Pre-Shared Key (PSK). In this type, a unique key is shared with each client in the network. Users have to use this key to securely log in to the network. The key remains the same until it is changed by authorized personnel. You can also configure key change intervals . l Enterprise-Enterprise is more secure than WPA Personal. In this type, every client automatically receives a unique encryption key after securely logging on to the network. This key is automatically updated at regular intervals. WPA uses TKIP and WPA2 uses the AES algorithm. Recommended Authentication and Encryption Combinations The following table summarizes the recommendations for authentication and encryption combinations for the Wi-Fi networks. Table 36: Recommended Authentication and Encryption Combinations Network Type Authentication Encryption Employee 802.1X AES Guest Network Captive portal None Voice Network or Handheld devices 802.1X or PSK as supported by the device AES if possible, TKIP or WEP if necessary (combine with security settings assigned for a user role). Configuring Authentication Survivability The authentication survivability feature supports a survivable authentication framework against the remote link failure when working with the external authentication servers. When enabled, this feature allows the WIAPs to authenticate the previously connected clients against the cached credentials if the connection to the authentication server is temporarily lost. Instant supports the following EAP standards for authentication survivability: l EAP-PEAP: The Protected Extensible Authentication Protocol also known as Protected EAP or PEAP is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The EAP-PEAP supports the MSCHAPv2 and GTC methods. l EAP-TLS: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer Security (TLS) protocol. When the authentication survivability feature is enabled, the following authentication process is used: 1. The client associates to a W-IAP and authenticates to the external authentication server. The external authentication server can be either CPPM (for EAP-PEAP) or RADIUS server (EAP-TLS). 2. Upon successful authentication, the associated W-IAP caches the authentication credentials of the connected users for the configured duration. The cache expiry duration for authentication survivability can be set within the range of 1-99 hours, with 24 hours being the default cache timeout duration. 3. If the client roams or tries to reconnect to the W-IAP and the remote link fails due to the unavailability of the authentication server, the W-IAP uses the cached credentials in the internal authentication server to authenticate the user. However, if the user tries to reconnect after the cache expiry, the authentication fails. 4. When the authentication server is available and if the client tries to reconnect, the W-IAP detects the availability of server and allows the client to authenticate to the server. Upon successful authentication, the W-IAP cache details are refreshed. Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide Authentication and User Management | 174

Section	Page
About this Guide	27
Intended Audience	27
Related Documents	27
Conventions	27
Contacting Dell	28
About Instant	29
Instant Overview	29
Supported AP Platforms	29
Instant UI	31
Instant CLI	32
What is New in this Release	32
Support for New W-IAP Devices	34
No Support for W-IAP92/93	35
Setting up a W-IAP	36
Setting up Instant Network	36
Connecting a W-IAP	36
Assigning an IP address to the W-IAP	36
Assigning a Static IP	37
Connecting to a Provisioning Wi-Fi Network	37
W-IAP Cluster	37
Disabling the Provisioning Wi-Fi Network	38
Logging in to the Instant UI	38
Regulatory Domains	39
Specifying Country Code	39
Accessing the Instant CLI	40
Connecting to a CLI Session	40
Applying Configuration Changes	40
Using Sequence Sensitive Commands	41
Automatic Retrieval of Configuration	43
Managed Mode Operations	43
Pre-requisites	43
Configuring Managed Mode Parameters	44
Example	45
Verifying the Configuration	45
Instant User Interface	47
Login Screen	47
Viewing Connectivity Summary	47
Language	47
Logging into the Instant UI	47
Main Window	48
Banner	48
Search	48
Tabs	48
Networks Tab	49
Access Points Tab	49
Clients Tab	50
Links	50
New Version Available	50
System	51
RF	51
Security	51
Maintenance	52
More	52
VPN	53
IDS	53
Wired	54
Services	55
DHCP Server	56
Support	56
Help	57
Logout	57
Monitoring	57
Info	57
RF Dashboard	59
RF Trends	61
Usage Trends	61
Mobility Trail	67
Client Match	67
AppRF	68
Spectrum	68
Alerts	69
IDS	73
AirGroup	74
Configuration	74
W-AirWave Setup	75
Pause/Resume	75
Views	75
Initial Configuration Tasks	77
Basic Configuration Tasks	77
Modifying the W-IAP Name	77
In the Instant UI	78
In the CLI	78
Updating Location Details of a W-IAP	78
In the Instant UI	78
In the CLI	78
Configuring a Preferred Band	78
In the Instant UI	78
In the CLI	78
Configuring Virtual Controller IP Address	78
In the Instant UI	79
In the CLI	79
Configuring a Timezone	79
In the Instant UI	79
In the CLI	79
Configuring an NTP Server	79
In the Instant UI	80
In the CLI	80
Enabling AppRF Visibility	80
Changing Password	80
In the Instant UI	80
In the CLI	80
Additional Configuration Tasks	80
Configuring Virtual Controller Network Settings	81
In the Instant UI	81
In the CLI	82
Configuring Auto Join Mode	82
Enabling or Disabling Auto Join Mode	82
In the Instant UI	82
In the CLI	83
Configuring Terminal Access	83
In the Instant UI	83
In the CLI	83
Configuring Console Access	83
In the Instant UI	83
In the CLI	83
Configuring LED Display	84
In the Instant UI	84
In the CLI	84
Configuring Additional WLAN SSIDs	84
Enabling the Extended SSID	85
In the Instant UI	85
In the CLI	85
Preventing Inter-user Bridging	85
In the Instant UI	85
In the CLI	85
Preventing Local Routing between Clients	86
In the Instant UI	86
In the CLI	86
Enabling Dynamic CPU Management	86
In the Instant UI	86
In the CLI	87
Customizing W-IAP Settings	88
Modifying the W-IAP Hostname	88
In the Instant UI	88
In the CLI	88
Configuring Zone Settings on a W-IAP	88
In the Instant UI	88
In the CLI	89
Specifying a Method for Obtaining IP Address	89
In the Instant UI	89
In the CLI	89
Configuring External Antenna	89
EIRP and Antenna Gain	89
Configuring Antenna Gain	90
In the Instant UI	90
In the CLI	90
Configuring Radio Profiles for a W-IAP	90
Configuring ARM Assigned Radio Profiles for a W-IAP	91
Configuring Radio Profiles Manually for W-IAP	91
In the CLI	92
Configuring Uplink VLAN for a W-IAP	92
In the Instant UI	92
In the CLI	92
Changing USB Port Status	92
In the Instant UI	93
In the CLI	93
Master Election and Virtual Controller	93
Master Election Protocol	93
Preference to a W-IAP with 3G/4G Card	93
Preference to a W-IAP with Non-Default IP	94
Viewing Master Election Details	94
Manual Provisioning of Master W-IAP	94
Provisioning a W-IAP as a Master W-IAP	94
In the Instant UI	94
In the CLI	95
Adding a W-IAP to the Network	95
Removing a W-IAP from the Network	95
VLAN Configuration	96
VLAN Pooling	96
Uplink VLAN Monitoring and Detection on Upstream Devices	96
Wireless Network Profiles	97
Configuring Wireless Network Profiles	97
Network Types	97
Configuring WLAN Settings for an SSID Profile	98
In the Instant UI	98
In the CLI	101
Configuring VLAN Settings for a WLAN SSID Profile	102
In the Instant UI	102
In the CLI	103
Configuring Security Settings for a WLAN SSID Profile	104
Configuring Security Settings for an Employee or Voice Network	104
In the Instant UI	104
In the CLI	110
Configuring Access Rules for a WLAN SSID Profile	111
In the Instant UI	112
In the CLI	112
Configuring Fast Roaming for Wireless Clients	113
Opportunistic Key Caching	113
Configuring a W-IAP for OKC Roaming	113
In the Instant UI	114
In the CLI	114
Fast BSS Transition (802.11r Roaming)	114
Configuring a W-IAP for 802.11r support	115
In the Instant UI	115
In the CLI	115
Example	115
Radio Resource Management (802.11k)	115
Beacon Report Requests and Probe Responses	116
Configuring a WLAN SSID for 802.11k Support	116
In the Instant UI	116
In the CLI	116
Example	116
BSS Transition Management (802.11v)	116
Configuring a WLAN SSID for 802.11v Support	116
In the Instant UI	117
In the CLI	117
Example	117
Editing Status of a WLAN SSID Profile	117
In the Instant UI	117
In the CLI	117
Editing a WLAN SSID Profile	117
Deleting a WLAN SSID Profile	118
Wired Profiles	119
Configuring a Wired Profile	119
Configuring Wired Settings	119
In the Instant UI	119
In the CLI	120
Configuring VLAN for a Wired Profile	120
In the Instant UI	120
In the CLI	121
Configuring Security Settings for a Wired Profile	121
Configuring Security Settings for a Wired Employee Network	121
In the Instant UI	121
In the CLI	122
Configuring Access Rules for a Wired Profile	122
In the Instant UI	122
In the CLI	123
Assigning a Profile to Ethernet Ports	124
In the Instant UI	124
In the CLI	124
Editing a Wired Profile	124
Deleting a Wired Profile	124
Link Aggregation Control Protocol	125
Understanding Hierarchical Deployment	126
Captive Portal for Guest Access	127
Understanding Captive Portal	127
Types of Captive Portal	127
Walled Garden	128
Configuring a WLAN SSID for Guest Access	128
In the Instant UI	128
In the CLI	132
Configuring Wired Profile for Guest Access	133
In the Instant UI	133
In the CLI	134
Configuring Internal Captive Portal for Guest Network	135
In the Instant UI	135
In the CLI	137
wConfiguring External Captive Portal for a Guest Network	138
External Captive Portal Profiles	138
Creating a Captive Portal Profile	138
In the Instant UI	138
In the CLI	139
Configuring an SSID or Wired Profile to Use External Captive Portal Authentic...	140
In the Instant UI	140
In the CLI	141
External Captive Portal Redirect Parameters	142
Configuring External Captive Portal Authentication Using ClearPass Guest	142
Creating a Web Login page in ClearPass Guest	143
Configuring RADIUS Server in Instant UI	143
Configuring Facebook Login	143
Setting up a Facebook Page	144
Configuring an SSID	144
In the Instant UI	144
In the CLI	144
Example	144
Configuring the Facebook Portal Page	144
Accessing the Portal Page	145
Configuring Guest Logon Role and Access Rules for Guest Users	145
In the Instant UI	145
In the CLI	146
Example	146
Configuring Captive Portal Roles for an SSID	147
In the Instant UI	147
In the CLI	149
Configuring Walled Garden Access	150
In the Instant UI	150
In the CLI	150
Disabling Captive Portal Authentication	150
Authentication and User Management	152
Managing W-IAP Users	152
Configuring W-IAP Users	153
In the Instant UI	153
In the CLI	154
Configuring Authentication Parameters for Management Users	154
In the Instant UI	154
In the CLI	155
Adding Guest Users through the Guest Management Interface	156
Supported Authentication Methods	156
802.1X authentication	157
MAC authentication	157
MAC authentication with 802.1X authentication	157
Captive Portal Authentication	157
MAC authentication with Captive Portal authentication	158
802.1X authentication with Captive Portal Role	158
WISPr authentication	158
Supported EAP Authentication Frameworks	158
Authentication Termination on W-IAP	159
Configuring Authentication Servers	159
Supported Authentication Servers	159
Internal RADIUS Server	159
External RADIUS Server	160
RADIUS Server Authentication with VSA	160
TACACS Servers	164
Dynamic Load Balancing between Two Authentication Servers	164
Configuring an External Server for Authentication	164
In the Instant UI	164
In the CLI	168
Enabling RADIUS Communication over TLS	169
Configuring RadSec Protocol	169
In the UI	169
In the CLI	170
Associate the Server Profile with a Network Profile	170
In the CLI	170
Configuring Dynamic RADIUS Proxy Parameters	171
Enabling Dynamic RADIUS Proxy	171
In the Instant UI	171
In the CLI	171
Configuring Dynamic RADIUS Proxy Parameters	171
In the Instant UI	171
In the CLI	172
Associate Server Profiles to a Network Profile	172
In the CLI	172
Understanding Encryption Types	173
WPA and WPA2	173
Recommended Authentication and Encryption Combinations	174
Configuring Authentication Survivability	174
Enabling Authentication Survivability	175
In the Instant UI	175
Important Points to Remember	175
In the CLI	175
Configuring 802.1X Authentication for a Network Profile	176
Configuring 802.1X Authentication for a Wireless Network Profile	176
In the Instant UI	176
In the CLI	177
Configuring 802.1X Authentication for Wired Profiles	177
In the Instant UI	177
In the CLI	177
Configuring MAC Authentication for a Network Profile	177
Configuring MAC Authentication for Wireless Network Profiles	178
In the Instant UI	178
In the CLI	178
Configuring MAC Authentication for Wired Profiles	179
In the Instant UI	179
In the CLI	179
FConfiguring MAC Authentication with 802.1X Authentication	179
Configuring MAC and 802.1X Authentication for a Wireless Network Profile	180
In the Instant UI	180
In the CLI	180
Configuring MAC and 802.1X Authentication for Wired Profiles	180
In the Instant UI	180
In the CLI	181
hConfiguring MAC Authentication with Captive Portal Authentication	181
In the Instant UI	181
In the CLI	181
Configuring WISPr Authentication	182
In the Instant UI	182
In the CLI	183
Blacklisting Clients	183
Blacklisting Clients Manually	183
Adding a Client to the Blacklist	183
In the Instant UI	183
In the CLI	183
Blacklisting Users Dynamically	184
Authentication Failure Blacklisting	184
Session Firewall Based Blacklisting	184
Configuring Blacklist Duration	184
In the Instant UI	184
In the CLI	184
Uploading Certificates	186
Loading Certificates through Instant UI	186
Loading Certificates through Instant CLI	186
Removing Certificates	187
Loading Certificates through W-AirWave	187
Roles and Policies	189
Firewall Policies	189
Access Control List Rules	189
Configuring ACL Rules for Network Services	189
In the Instant UI	190
In the CLI	191
Example	191
Configuring Network Address Translation Rules	192
Configuring a Source NAT Access Rule	192
In the Instant UI	192
In the CLI	193
Configuring Source-Based Routing	193
Configuring a Destination NAT Access Rule	193
In the Instant UI	193
In the CLI	194
Configuring ALG Protocols	194
In the Instant UI	194
In the CLI	194
Configuring Firewall Settings for Protection from ARP Attacks	195
In the Instant UI	195
In the CLI	195
Managing Inbound Traffic	196
Configuring Inbound Firewall Rules	196
In the Instant UI	196
In the CLI	198
Example	198
Configuring Management Subnets	199
In the Instant UI	199
In the CLI	199
Configuring Restricted Access to Corporate Network	199
In the Instant UI	199
In the CLI	200
Content Filtering	200
Enabling Content Filtering	200
Enabling Content Filtering for a Wireless Profile	200
In the Instant UI	200
In the CLI	201
Enabling Content Filtering for a Wired Profile	201
In the Instant UI	201
In the CLI	201
Configuring Enterprise Domains	201
In the Instant UI	201
In the CLI	201
Configuring URL Filtering Policies	202
In the Instant UI	202
In the CLI	202
Example	203
Creating Custom Error Page for Web Access Blocked by AppRF Policies	203
Creating a List of Error Page URLs	203
In the Instant UI	203
In the CLI	203
Configuring ACL Rules to Redirect Users to a Specific URL	203
In the UI	203
In the CLI	203
Configuring User Roles	204
Creating a User Role	204
In the Instant UI	204
In the CLI	204
Assigning Bandwidth Contracts to User Roles	204
In the Instant UI	205
In the CLI:	205
Configuring Machine and User Authentication Roles	205
In the Instant UI	206
In the CLI	206
Configuring Derivation Rules	206
Understanding Role Assignment Rule	206
RADIUS VSA Attributes	206
MAC-Address Attribute	206
Roles Based on Client Authentication	207
DHCP Option and DHCP Fingerprinting	207
Creating a Role Derivation Rule	207
In the Instant UI	207
In the CLI	208
Example	208
Understanding VLAN Assignment	208
Vendor Specific Attributes	209
VLAN Assignment Based on Derivation Rules	210
User Role	211
VLANs Created for an SSID	211
Configuring VLAN Derivation Rules	211
In the Instant UI	211
In the CLI	212
Example	212
Using Advanced Expressions in Role and VLAN Derivation Rules	212
Configuring a User Role for VLAN Derivation	213
Creating a User VLAN Role	214
In the Instant UI	214
In the CLI	214
Assigning User VLAN Roles to a Network Profile	214
In the Instant UI	214
In the CLI	214
DHCP Configuration	215
Configuring DHCP Scopes	215
Configuring Local DHCP Scopes	215
In the Instant UI	215
In the CLI	216
Configuring Distributed DHCP Scopes	217
In the Instant UI	218
In the CLI	219
Configuring Centralized DHCP Scopes	220
In the Instant UI	220
In the CLI	222
Configuring the Default DHCP Scope for Client IP Assignment	222
In the Instant UI	223
In the CLI	223
VPN Configuration	225
Understanding VPN Features	225
Supported VPN Protocols	226
Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Contro...	226
Configuring an IPSec Tunnel	227
In the Instant UI	227
In the CLI	228
Example	228
Configuring an L2-GRE Tunnel	228
Configuring Manual GRE Parameters	228
In the Instant UI	229
In the CLI	229
Configuring Dell GRE Parameters	230
In the Instant UI	230
In the CLI	231
Configuring an L2TPv3 Tunnel	231
In the Instant UI	232
In the CLI	234
Example	234
Configuring Routing Profiles	237
In the Instant UI	237
In the CLI	238

Match case Limit results 1 per page

Personal

—Personal is also called Pre-Shared Key (PSK). In this type, a unique key is shared with each client

in the network. Users have to use this key to securely log in to the network. The key remains the same until

it is changed by authorized personnel. You can also configure key change intervals .

Enterprise

—Enterprise is more secure than WPA Personal. In this type, every client automatically receives a

unique encryption key after securely logging on to the network. This key is automatically updated at regular

intervals. WPA uses TKIP and WPA2 uses the AES algorithm.

Recommended Authentication and Encryption Combinations

The following table summarizes the recommendations for authentication and encryption combinations for the

Wi-Fi networks.

Network Type

Authentication

Encryption

Employee

802.1X

AES

Guest Network

Captive portal

None

Voice Network or

Handheld devices

802.1X or PSK as supported

by the device

AES if possible, TKIP or WEP if

necessary (combine with security

settings assigned for a user role).

Table 36:

Recommended Authentication and Encryption Combinations

Configuring Authentication Survivability

The authentication survivability feature supports a survivable authentication framework against the remote

link failure when working with the external authentication servers. When enabled, this feature allows the W-

IAPs to authenticate the previously connected clients against the cached credentials if the connection to the

authentication server is temporarily lost.

Instant supports the following EAP standards for authentication survivability:

EAP-PEAP

: The Protected Extensible Authentication Protocol also known as Protected EAP or PEAP is a

protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security

(TLS) tunnel. The EAP-PEAP supports the MSCHAPv2 and GTC methods.

EAP-TLS

: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer

Security (TLS) protocol.

When the authentication survivability feature is enabled, the following authentication process is used:

1. The client associates to a W-IAP and authenticates to the external authentication server. The external

authentication server can be either CPPM (for EAP-PEAP) or RADIUS server (EAP-TLS).

2. Upon successful authentication, the associated W-IAP caches the authentication credentials of the

connected users for the configured duration. The cache expiry duration for authentication survivability can

be set within the range of 1-99 hours, with 24 hours being the default cache timeout duration.

3. If the client roams or tries to reconnect to the W-IAP and the remote link fails due to the unavailability of the

authentication server, the W-IAP uses the cached credentials in the internal authentication server to

authenticate the user. However, if the user tries to reconnect after the cache expiry, the authentication fails.

4. When the authentication server is available and if the client tries to reconnect, the W-IAP detects the

availability of server and allows the client to authenticate to the server. Upon successful authentication, the

W-IAP cache details are refreshed.

Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide

Authentication and User Management |

174