Home » Dell Manuals » Wireless » Dell W-Series 314 » Manual Viewer

Dell W-Series 314 Instant 6.4.3.1-4.2 User Guide - Page 206

In the Instant UI, In the CLI, Configuring Derivation Rules, Understanding Role Assignment Rule

Add to My Manuals
Save this manual to your list of manuals

Page 206 highlights

In the Instant UI To configure machine authentication with role-based access control: 1. In the Access tab of the WLAN wizard (New WLAN or Edit ) or wired profile configuration window (New Wired Network or Edit Wired Network), under Roles, create Machine auth only and User auth only roles. 2. Configure access rules for these roles by selecting the role, and applying the rule. For more information on configuring access rules, see Configuring ACL Rules for Network Services on page 189. 3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles. 4. Click Finish to apply these changes. In the CLI To configure machine and user authentication roles for a WLAN SSID: (Instant AP)(config)# wlan ssid-profile (Instant AP)(SSID Profile # set-role-machine-auth (Instant AP)(SSID Profile # end (Instant AP)# commit apply To configure machine and user authentication roles for wired profile: (Instant AP)(config)# wired-port-profile (Instant AP)(wired ap profile )# set-role-machine-auth (Instant AP)(wired ap profile )# end (Instant AP)# commit apply Configuring Derivation Rules Instant allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile. Understanding Role Assignment Rule When an SSID or wired profile is created, a default role for the clients connecting this SSID or wired profile is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods. The role assigned by some methods may take precedence over the roles assigned by the other methods. RADIUS VSA Attributes The user role can be derived from Dell Vendor-Specific Attributes (VSA) for RADIUS server authentication. The role derived from a Dell VSA takes precedence over roles defined by other methods. MAC-Address Attribute The first three octets in a MAC address are known as Organizationally Unique Identifier (OUI), and are purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the "assignee") globally and effectively reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee. W-IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign a desired role for users who have completed 802.1X authentication and MAC authentication. The user role can be derived from the user attributes after a client associates with an AP. You can configure rules that assign a user role to clients that match a MAC address based criteria. For example, you can assign a voice role to any client with a MAC address starting a0:a1:a2. 206 | Roles and Policies Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide

Section	Page
About this Guide	27
Intended Audience	27
Related Documents	27
Conventions	27
Contacting Dell	28
About Instant	29
Instant Overview	29
Supported AP Platforms	29
Instant UI	31
Instant CLI	32
What is New in this Release	32
Support for New W-IAP Devices	34
No Support for W-IAP92/93	35
Setting up a W-IAP	36
Setting up Instant Network	36
Connecting a W-IAP	36
Assigning an IP address to the W-IAP	36
Assigning a Static IP	37
Connecting to a Provisioning Wi-Fi Network	37
W-IAP Cluster	37
Disabling the Provisioning Wi-Fi Network	38
Logging in to the Instant UI	38
Regulatory Domains	39
Specifying Country Code	39
Accessing the Instant CLI	40
Connecting to a CLI Session	40
Applying Configuration Changes	40
Using Sequence Sensitive Commands	41
Automatic Retrieval of Configuration	43
Managed Mode Operations	43
Pre-requisites	43
Configuring Managed Mode Parameters	44
Example	45
Verifying the Configuration	45
Instant User Interface	47
Login Screen	47
Viewing Connectivity Summary	47
Language	47
Logging into the Instant UI	47
Main Window	48
Banner	48
Search	48
Tabs	48
Networks Tab	49
Access Points Tab	49
Clients Tab	50
Links	50
New Version Available	50
System	51
RF	51
Security	51
Maintenance	52
More	52
VPN	53
IDS	53
Wired	54
Services	55
DHCP Server	56
Support	56
Help	57
Logout	57
Monitoring	57
Info	57
RF Dashboard	59
RF Trends	61
Usage Trends	61
Mobility Trail	67
Client Match	67
AppRF	68
Spectrum	68
Alerts	69
IDS	73
AirGroup	74
Configuration	74
W-AirWave Setup	75
Pause/Resume	75
Views	75
Initial Configuration Tasks	77
Basic Configuration Tasks	77
Modifying the W-IAP Name	77
In the Instant UI	78
In the CLI	78
Updating Location Details of a W-IAP	78
In the Instant UI	78
In the CLI	78
Configuring a Preferred Band	78
In the Instant UI	78
In the CLI	78
Configuring Virtual Controller IP Address	78
In the Instant UI	79
In the CLI	79
Configuring a Timezone	79
In the Instant UI	79
In the CLI	79
Configuring an NTP Server	79
In the Instant UI	80
In the CLI	80
Enabling AppRF Visibility	80
Changing Password	80
In the Instant UI	80
In the CLI	80
Additional Configuration Tasks	80
Configuring Virtual Controller Network Settings	81
In the Instant UI	81
In the CLI	82
Configuring Auto Join Mode	82
Enabling or Disabling Auto Join Mode	82
In the Instant UI	82
In the CLI	83
Configuring Terminal Access	83
In the Instant UI	83
In the CLI	83
Configuring Console Access	83
In the Instant UI	83
In the CLI	83
Configuring LED Display	84
In the Instant UI	84
In the CLI	84
Configuring Additional WLAN SSIDs	84
Enabling the Extended SSID	85
In the Instant UI	85
In the CLI	85
Preventing Inter-user Bridging	85
In the Instant UI	85
In the CLI	85
Preventing Local Routing between Clients	86
In the Instant UI	86
In the CLI	86
Enabling Dynamic CPU Management	86
In the Instant UI	86
In the CLI	87
Customizing W-IAP Settings	88
Modifying the W-IAP Hostname	88
In the Instant UI	88
In the CLI	88
Configuring Zone Settings on a W-IAP	88
In the Instant UI	88
In the CLI	89
Specifying a Method for Obtaining IP Address	89
In the Instant UI	89
In the CLI	89
Configuring External Antenna	89
EIRP and Antenna Gain	89
Configuring Antenna Gain	90
In the Instant UI	90
In the CLI	90
Configuring Radio Profiles for a W-IAP	90
Configuring ARM Assigned Radio Profiles for a W-IAP	91
Configuring Radio Profiles Manually for W-IAP	91
In the CLI	92
Configuring Uplink VLAN for a W-IAP	92
In the Instant UI	92
In the CLI	92
Changing USB Port Status	92
In the Instant UI	93
In the CLI	93
Master Election and Virtual Controller	93
Master Election Protocol	93
Preference to a W-IAP with 3G/4G Card	93
Preference to a W-IAP with Non-Default IP	94
Viewing Master Election Details	94
Manual Provisioning of Master W-IAP	94
Provisioning a W-IAP as a Master W-IAP	94
In the Instant UI	94
In the CLI	95
Adding a W-IAP to the Network	95
Removing a W-IAP from the Network	95
VLAN Configuration	96
VLAN Pooling	96
Uplink VLAN Monitoring and Detection on Upstream Devices	96
Wireless Network Profiles	97
Configuring Wireless Network Profiles	97
Network Types	97
Configuring WLAN Settings for an SSID Profile	98
In the Instant UI	98
In the CLI	101
Configuring VLAN Settings for a WLAN SSID Profile	102
In the Instant UI	102
In the CLI	103
Configuring Security Settings for a WLAN SSID Profile	104
Configuring Security Settings for an Employee or Voice Network	104
In the Instant UI	104
In the CLI	110
Configuring Access Rules for a WLAN SSID Profile	111
In the Instant UI	112
In the CLI	112
Configuring Fast Roaming for Wireless Clients	113
Opportunistic Key Caching	113
Configuring a W-IAP for OKC Roaming	113
In the Instant UI	114
In the CLI	114
Fast BSS Transition (802.11r Roaming)	114
Configuring a W-IAP for 802.11r support	115
In the Instant UI	115
In the CLI	115
Example	115
Radio Resource Management (802.11k)	115
Beacon Report Requests and Probe Responses	116
Configuring a WLAN SSID for 802.11k Support	116
In the Instant UI	116
In the CLI	116
Example	116
BSS Transition Management (802.11v)	116
Configuring a WLAN SSID for 802.11v Support	116
In the Instant UI	117
In the CLI	117
Example	117
Editing Status of a WLAN SSID Profile	117
In the Instant UI	117
In the CLI	117
Editing a WLAN SSID Profile	117
Deleting a WLAN SSID Profile	118
Wired Profiles	119
Configuring a Wired Profile	119
Configuring Wired Settings	119
In the Instant UI	119
In the CLI	120
Configuring VLAN for a Wired Profile	120
In the Instant UI	120
In the CLI	121
Configuring Security Settings for a Wired Profile	121
Configuring Security Settings for a Wired Employee Network	121
In the Instant UI	121
In the CLI	122
Configuring Access Rules for a Wired Profile	122
In the Instant UI	122
In the CLI	123
Assigning a Profile to Ethernet Ports	124
In the Instant UI	124
In the CLI	124
Editing a Wired Profile	124
Deleting a Wired Profile	124
Link Aggregation Control Protocol	125
Understanding Hierarchical Deployment	126
Captive Portal for Guest Access	127
Understanding Captive Portal	127
Types of Captive Portal	127
Walled Garden	128
Configuring a WLAN SSID for Guest Access	128
In the Instant UI	128
In the CLI	132
Configuring Wired Profile for Guest Access	133
In the Instant UI	133
In the CLI	134
Configuring Internal Captive Portal for Guest Network	135
In the Instant UI	135
In the CLI	137
wConfiguring External Captive Portal for a Guest Network	138
External Captive Portal Profiles	138
Creating a Captive Portal Profile	138
In the Instant UI	138
In the CLI	139
Configuring an SSID or Wired Profile to Use External Captive Portal Authentic...	140
In the Instant UI	140
In the CLI	141
External Captive Portal Redirect Parameters	142
Configuring External Captive Portal Authentication Using ClearPass Guest	142
Creating a Web Login page in ClearPass Guest	143
Configuring RADIUS Server in Instant UI	143
Configuring Facebook Login	143
Setting up a Facebook Page	144
Configuring an SSID	144
In the Instant UI	144
In the CLI	144
Example	144
Configuring the Facebook Portal Page	144
Accessing the Portal Page	145
Configuring Guest Logon Role and Access Rules for Guest Users	145
In the Instant UI	145
In the CLI	146
Example	146
Configuring Captive Portal Roles for an SSID	147
In the Instant UI	147
In the CLI	149
Configuring Walled Garden Access	150
In the Instant UI	150
In the CLI	150
Disabling Captive Portal Authentication	150
Authentication and User Management	152
Managing W-IAP Users	152
Configuring W-IAP Users	153
In the Instant UI	153
In the CLI	154
Configuring Authentication Parameters for Management Users	154
In the Instant UI	154
In the CLI	155
Adding Guest Users through the Guest Management Interface	156
Supported Authentication Methods	156
802.1X authentication	157
MAC authentication	157
MAC authentication with 802.1X authentication	157
Captive Portal Authentication	157
MAC authentication with Captive Portal authentication	158
802.1X authentication with Captive Portal Role	158
WISPr authentication	158
Supported EAP Authentication Frameworks	158
Authentication Termination on W-IAP	159
Configuring Authentication Servers	159
Supported Authentication Servers	159
Internal RADIUS Server	159
External RADIUS Server	160
RADIUS Server Authentication with VSA	160
TACACS Servers	164
Dynamic Load Balancing between Two Authentication Servers	164
Configuring an External Server for Authentication	164
In the Instant UI	164
In the CLI	168
Enabling RADIUS Communication over TLS	169
Configuring RadSec Protocol	169
In the UI	169
In the CLI	170
Associate the Server Profile with a Network Profile	170
In the CLI	170
Configuring Dynamic RADIUS Proxy Parameters	171
Enabling Dynamic RADIUS Proxy	171
In the Instant UI	171
In the CLI	171
Configuring Dynamic RADIUS Proxy Parameters	171
In the Instant UI	171
In the CLI	172
Associate Server Profiles to a Network Profile	172
In the CLI	172
Understanding Encryption Types	173
WPA and WPA2	173
Recommended Authentication and Encryption Combinations	174
Configuring Authentication Survivability	174
Enabling Authentication Survivability	175
In the Instant UI	175
Important Points to Remember	175
In the CLI	175
Configuring 802.1X Authentication for a Network Profile	176
Configuring 802.1X Authentication for a Wireless Network Profile	176
In the Instant UI	176
In the CLI	177
Configuring 802.1X Authentication for Wired Profiles	177
In the Instant UI	177
In the CLI	177
Configuring MAC Authentication for a Network Profile	177
Configuring MAC Authentication for Wireless Network Profiles	178
In the Instant UI	178
In the CLI	178
Configuring MAC Authentication for Wired Profiles	179
In the Instant UI	179
In the CLI	179
FConfiguring MAC Authentication with 802.1X Authentication	179
Configuring MAC and 802.1X Authentication for a Wireless Network Profile	180
In the Instant UI	180
In the CLI	180
Configuring MAC and 802.1X Authentication for Wired Profiles	180
In the Instant UI	180
In the CLI	181
hConfiguring MAC Authentication with Captive Portal Authentication	181
In the Instant UI	181
In the CLI	181
Configuring WISPr Authentication	182
In the Instant UI	182
In the CLI	183
Blacklisting Clients	183
Blacklisting Clients Manually	183
Adding a Client to the Blacklist	183
In the Instant UI	183
In the CLI	183
Blacklisting Users Dynamically	184
Authentication Failure Blacklisting	184
Session Firewall Based Blacklisting	184
Configuring Blacklist Duration	184
In the Instant UI	184
In the CLI	184
Uploading Certificates	186
Loading Certificates through Instant UI	186
Loading Certificates through Instant CLI	186
Removing Certificates	187
Loading Certificates through W-AirWave	187
Roles and Policies	189
Firewall Policies	189
Access Control List Rules	189
Configuring ACL Rules for Network Services	189
In the Instant UI	190
In the CLI	191
Example	191
Configuring Network Address Translation Rules	192
Configuring a Source NAT Access Rule	192
In the Instant UI	192
In the CLI	193
Configuring Source-Based Routing	193
Configuring a Destination NAT Access Rule	193
In the Instant UI	193
In the CLI	194
Configuring ALG Protocols	194
In the Instant UI	194
In the CLI	194
Configuring Firewall Settings for Protection from ARP Attacks	195
In the Instant UI	195
In the CLI	195
Managing Inbound Traffic	196
Configuring Inbound Firewall Rules	196
In the Instant UI	196
In the CLI	198
Example	198
Configuring Management Subnets	199
In the Instant UI	199
In the CLI	199
Configuring Restricted Access to Corporate Network	199
In the Instant UI	199
In the CLI	200
Content Filtering	200
Enabling Content Filtering	200
Enabling Content Filtering for a Wireless Profile	200
In the Instant UI	200
In the CLI	201
Enabling Content Filtering for a Wired Profile	201
In the Instant UI	201
In the CLI	201
Configuring Enterprise Domains	201
In the Instant UI	201
In the CLI	201
Configuring URL Filtering Policies	202
In the Instant UI	202
In the CLI	202
Example	203
Creating Custom Error Page for Web Access Blocked by AppRF Policies	203
Creating a List of Error Page URLs	203
In the Instant UI	203
In the CLI	203
Configuring ACL Rules to Redirect Users to a Specific URL	203
In the UI	203
In the CLI	203
Configuring User Roles	204
Creating a User Role	204
In the Instant UI	204
In the CLI	204
Assigning Bandwidth Contracts to User Roles	204
In the Instant UI	205
In the CLI:	205
Configuring Machine and User Authentication Roles	205
In the Instant UI	206
In the CLI	206
Configuring Derivation Rules	206
Understanding Role Assignment Rule	206
RADIUS VSA Attributes	206
MAC-Address Attribute	206
Roles Based on Client Authentication	207
DHCP Option and DHCP Fingerprinting	207
Creating a Role Derivation Rule	207
In the Instant UI	207
In the CLI	208
Example	208
Understanding VLAN Assignment	208
Vendor Specific Attributes	209
VLAN Assignment Based on Derivation Rules	210
User Role	211
VLANs Created for an SSID	211
Configuring VLAN Derivation Rules	211
In the Instant UI	211
In the CLI	212
Example	212
Using Advanced Expressions in Role and VLAN Derivation Rules	212
Configuring a User Role for VLAN Derivation	213
Creating a User VLAN Role	214
In the Instant UI	214
In the CLI	214
Assigning User VLAN Roles to a Network Profile	214
In the Instant UI	214
In the CLI	214
DHCP Configuration	215
Configuring DHCP Scopes	215
Configuring Local DHCP Scopes	215
In the Instant UI	215
In the CLI	216
Configuring Distributed DHCP Scopes	217
In the Instant UI	218
In the CLI	219
Configuring Centralized DHCP Scopes	220
In the Instant UI	220
In the CLI	222
Configuring the Default DHCP Scope for Client IP Assignment	222
In the Instant UI	223
In the CLI	223
VPN Configuration	225
Understanding VPN Features	225
Supported VPN Protocols	226
Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Contro...	226
Configuring an IPSec Tunnel	227
In the Instant UI	227
In the CLI	228
Example	228
Configuring an L2-GRE Tunnel	228
Configuring Manual GRE Parameters	228
In the Instant UI	229
In the CLI	229
Configuring Dell GRE Parameters	230
In the Instant UI	230
In the CLI	231
Configuring an L2TPv3 Tunnel	231
In the Instant UI	232
In the CLI	234
Example	234
Configuring Routing Profiles	237
In the Instant UI	237
In the CLI	238

Match case Limit results 1 per page

206

| Roles and Policies

Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide

In the Instant UI

To configure machine authentication with role-based access control:

1. In the

Access

tab of the WLAN wizard (

New WLAN

Edit <WLAN-profile>

) or wired profile

configuration window (

New Wired Network

Edit Wired Network

), under

Roles

, create

Machine

auth only

and

User auth only

roles.

2. Configure access rules for these roles by selecting the role, and applying the rule. For more information

on configuring access rules, see

Configuring ACL Rules for Network Services on page 189

3. Select

Enforce Machine Authentication

and select the

Machine auth only

and

User auth only

roles.

4. Click

Finish

to apply these changes.

In the CLI

To configure machine and user authentication roles for a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name># set-role-machine-auth <machine_only> <user_only>

(Instant AP)(SSID Profile <name># end

(Instant AP)# commit apply

To configure machine and user authentication roles for wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user_only>

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Configuring Derivation Rules

Instant allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user

role or VLAN to the clients connecting to an SSID or a wired profile.

Understanding Role Assignment Rule

When an SSID or wired profile is created, a default role for the clients connecting this SSID or wired profile is

assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods. The

role assigned by some methods may take precedence over the roles assigned by the other methods.

RADIUS VSA Attributes

The user role can be derived from Dell Vendor-Specific Attributes (VSA) for RADIUS server authentication. The

role derived from a Dell VSA takes precedence over roles defined by other methods.

MAC-Address Attribute

The first three octets in a MAC address are known as Organizationally Unique Identifier (OUI), and are

purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority.

This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the

“assignee”) globally and effectively reserves a block of each possible type of derivative identifier (such as MAC

addresses) for the exclusive use of the assignee.

W-IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign

a desired role for users who have completed 802.1X authentication and MAC authentication. The user role can

be derived from the user attributes after a client associates with an AP. You can configure rules that assign a

user role to clients that match a MAC address based criteria. For example, you can assign a voice role to any

client with a MAC address starting a0:a1:a2.