Aruba instant 6.4.0.2 4.1 user guide

28,748 views 189 slides Jun 05, 2014


Aruba Instant 6.4.0.2-4.1 User Guide



User Guide
Aruba Instant 6.4.0.2-4.1

0511580-01 | May 2014    Aruba Instant 6.4.0.2-4.1 | User Guide
Copyright
© 2014 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.

Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg et al. The Open Source code used can be found at this site:
http://www.arubanetworks.com/open_source

Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.

Warranty
This hardware product is protected by an Aruba warranty. For more information, refer to the ArubaCare service and support terms and conditions.

Contents
About this Guide
Intended Audience
Related Documents
Conventions
Contacting Support
About Aruba Instant
Instant Overview
Supported Devices
Instant UI
Instant CLI
What is New in Aruba Instant 6.4.0.2-4.1
Setting up an IAP
Setting up Instant Network
Connecting an IAP
Assigning an IP address to the IAP
Assigning a Static IP
Connecting to a Provisioning Wi-Fi Network
IAP Cluster
Disabling the Provisioning Wi-Fi Network
Logging in to the Instant UI
Regulatory Domains
Country Code
Specifying Country Code
Accessing the Instant CLI
Connecting to a CLI Session
Applying Configuration Changes
Example:

Using Sequence Sensitive Commands
Instant User Interface
Login Screen
Logging in to the Instant UI
Viewing Connectivity Summary
Language
Main Window
Banner
Search
Tabs
Networks Tab
Access Points Tab
Clients Tab
Links
New Version Available
System
RF
Security
Maintenance
More
VPN
IDS
Wired
Services
DHCP Server
Support
Help
Logout
Monitoring
Info
RF Dashboard
RF Trends
Usage Trends
Mobility Trail
Client Match
AppRF
Spectrum
Alerts
IDS
AirGroup
Configuration
AirWave Setup
Aruba Central
Pause/Resume
Views
Initial Configuration Tasks
Basic Configuration Tasks
Modifying the IAP Name
In the Instant UI
In the CLI
Updating Location Details of an IAP
In the Instant UI
In the CLI
Configuring a Preferred Band
In the Instant UI
In the CLI
Configuring Virtual Controller IP Address
In the Instant UI
In the CLI
Configuring Timezone
In the Instant UI
In the CLI
Configuring an NTP Server
In the Instant UI
In the CLI
Enabling AppRF Visibility
Changing Password
In the Instant UI
In the CLI
Additional Configuration Tasks
Configuring Virtual Controller VLAN
In the Instant UI
In the CLI
Configuring Auto Join Mode
Enabling or Disabling Auto Join Mode
In the Instant UI
In the CLI
Configuring Terminal Access
In the Instant UI
In the CLI
Configuring Console Access
In the Instant UI
In the CLI
Configuring LED Display
In the Instant UI
In the CLI
Configuring Additional WLAN SSIDs
Enabling the Extended SSID
In the Instant UI
In the CLI
Preventing Inter-user Bridging
In the Instant UI
In the CLI
Preventing Local Routing between Clients
In the Instant UI
In the CLI
Enabling Dynamic CPU Management
In the Instant UI
In the CLI
Customizing IAP Settings
Modifying the IAP Hostname
In the Instant UI
In the CLI
Configuring Zone Settings on an IAP
In the Instant UI
In the CLI
Specifying a Method for Obtaining IP Address
In the Instant UI
In the CLI
Configuring External Antenna
EIRP and Antenna Gain
Example
Configuring Antenna Gain
In the Instant UI
In the CLI
Configuring Radio Profiles for an IAP
Configuring ARM Assigned Radio Profiles for an IAP
Configuring Radio Profiles Manually for IAP
In the CLI
Configuring Uplink VLAN for an IAP
In the Instant UI
In the CLI
Master Election and Virtual Controller
Master Election Protocol
Preference to an IAP with 3G/4G Card
Preference to an IAP with Non-Default IP
Viewing Master Election Details
Manual Provisioning of Master IAP
Provisioning an IAP as a Master IAP
In the Instant UI
In the CLI
Adding an IAP to the Network
Removing an IAP from the Network
VLAN Configuration
VLAN Pooling
Uplink VLAN Monitoring and Detection on Upstream Devices
Wireless Network Profiles
Configuring Wireless Network Profiles
Network Types
Configuring WLAN Settings for an SSID Profile
In the Instant UI
In the CLI
Configuring VLAN Settings for a WLAN SSID Profile
In the Instant UI
In the CLI
Configuring Security Settings for a WLAN SSID Profile
Configuring Security Settings for an Employee or Voice Network
In the Instant UI
In the CLI
Configuring Access Rules for a WLAN SSID Profile
In the Instant UI
In the CLI
Example
Configuring Fast Roaming for Wireless Clients
Opportunistic Key Caching
Configuring an IAP for OKC Roaming
In the Instant UI
In the CLI
Fast BSS Transition (802.11r Roaming)
Configuring an IAP for 802.11r support
In the Instant UI
In the CLI
Example
Radio Resource Management (802.11k)
Beacon Report Requests and Probe Responses
Configuring a WLAN SSID for 802.11k Support
In the Instant UI
In the CLI
Example
BSS Transition Management (802.11v)
Configuring a WLAN SSID for 802.11v Support
In the Instant UI
In the CLI
Example
Editing Status of a WLAN SSID Profile
In the Instant UI
In the CLI
Editing a WLAN SSID Profile
Deleting a WLAN SSID Profile
Wired Profiles
Configuring a Wired Profile
Configuring Wired Settings
In the Instant UI
In the CLI
Configuring VLAN for a Wired Profile
In the Instant UI
In the CLI
Configuring Security Settings for a Wired Profile
Configuring Security Settings for a Wired Employee Network
In the Instant UI
In the CLI
Configuring Access Rules for a Wired Profile
In the Instant UI
In the CLI
Assigning a Profile to Ethernet Ports
In the Instant UI
In the CLI
Editing a Wired Profile
Deleting a Wired Profile
Link Aggregation Control Protocol for IAP-220 Series
Understanding Hierarchical Deployment
Captive Portal for Guest Access
Understanding Captive Portal
Types of Captive Portal
Walled Garden
Configuring a WLAN SSID for Guest Access
In the Instant UI
In the CLI
Configuring Wired Profile for Guest Access
In the Instant UI
In the CLI
Configuring Internal Captive Portal for Guest Network
In the Instant UI
In the CLI
Configuring External Captive Portal for a Guest Network
External Captive Portal Profiles
Creating a Captive Portal Profile
In the Instant UI
In the CLI
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
In the Instant UI
In the CLI
Configuring External Captive Portal Authentication Using ClearPass Guest
Creating a Web Login page in ClearPass Guest
Configuring RADIUS Server in Instant UI
Configuring Guest Logon Role and Access Rules for Guest Users
In the Instant UI
In the CLI
Example
Configuring Captive Portal Roles for an SSID
In the Instant UI
In the CLI
Configuring Walled Garden Access
In the Instant UI
In the CLI
Disabling Captive Portal Authentication
Authentication and User Management
Managing IAP Users
Configuring Authentication Parameters for Management Users
Configuring a TACACS+ Server Profile for Management User Authentication
In the Instant UI
In the CLI
Configuring Administrator Credentials for the Virtual Controller Interface
In the Instant UI
In the CLI
Configuring Guest Management Interface Administrator Credentials
In the Instant UI
In the CLI
Configuring Users for Internal Database of an IAP
In the Instant UI
In the CLI
Configuring the Read-Only Administrator Credentials
In the Instant UI
In the CLI
Adding Guest Users through the Guest Management Interface
Understanding Authentication Methods
802.1X authentication
MAC authentication
MAC authentication with 802.1X authentication
Captive Portal Authentication
MAC authentication with Captive Portal authentication
802.1X authentication with Captive Portal Role
WISPr authentication
Supported EAP Authentication Frameworks
Authentication Termination on IAP
Supported Authentication Servers
Internal RADIUS Server
External RADIUS Server
RADIUS Server Authentication with VSA
Dynamic Load Balancing between Two Authentication Servers
Understanding Encryption Types
WPA and WPA2
Recommended Authentication and Encryption Combinations
Support for Authentication Survivability
Configuring Authentication Survivability
In the Instant UI
Important Points to Remember
In the CLI
Configuring Authentication Servers
Configuring an External Server for Authentication
In the Instant UI
In the CLI
Configuring Dynamic RADIUS Proxy Parameters
Enabling Dynamic RADIUS Proxy
In the Instant UI
In the CLI
Configuring Dynamic RADIUS Proxy Parameters for Authentication Servers
In the Instant UI
In the CLI
Associate the Authentication Servers with an SSID or Wired Profile
In the CLI
Configuring 802.1X Authentication for a Network Profile
Configuring 802.1X Authentication for a Wireless Network Profile
In the Instant UI
In the CLI
Configuring 802.1X Authentication for Wired Profiles
In the Instant UI
In the CLI
Configuring MAC Authentication for a Network Profile
Configuring MAC Authentication for Wireless Network Profiles
In the Instant UI
In the CLI
Configuring MAC Authentication for Wired Profiles
In the Instant UI
In the CLI
Configuring MAC Authentication with 802.1X Authentication
Configuring MAC and 802.1X Authentication for a Wireless Network Profile
In the Instant UI
In the CLI
Configuring MAC and 802.1X Authentication for Wired Profiles
In the Instant UI
In the CLI
Configuring MAC Authentication with Captive Portal Authentication
Configuring MAC Authentication with Captive Portal Authentication
In the Instant UI
In the CLI
Configuring WISPr Authentication
In the Instant UI
In the CLI
Blacklisting Clients
Blacklisting Clients Manually
Adding a Client to the Blacklist
In the Instant UI
In the CLI
Blacklisting Users Dynamically
Authentication Failure Blacklisting
Session Firewall Based Blacklisting
Configuring Blacklist Duration
In the Instant UI
In the CLI
Uploading Certificates
Loading Certificates through Instant UI
Loading Certificates through Instant CLI
Loading Certificates through AirWave
Roles and Policies
Firewall Policies
Access Control List Rules
Configuring Access Rules for Network Services
In the Instant UI
In the CLI
Example
Configuring Network Address Translation Rules
Configuring a Source NAT Access Rule
In the Instant UI
In the CLI
Configuring Source-Based Routing
Configuring a Destination NAT Access Rule
In the Instant UI
In the CLI
Configuring ALG Protocols
In the Instant UI
In the CLI
Configuring Firewall Settings for Protection from ARP Attacks
In the Instant UI
In the CLI
Managing Inbound Traffic
Configuring Inbound Firewall Rules
In the Instant UI
In the CLI
Example
Configuring Management Subnets
In the Instant UI
In the CLI
Configuring Restricted Access to Corporate Network
In the Instant UI
In the CLI
Content Filtering
Enabling Content Filtering
Enabling Content Filtering for a Wireless Profile
In the Instant UI
In the CLI
Enabling Content Filtering for a Wired Profile
In the Instant UI
In the CLI
Configuring Enterprise Domains
In the Instant UI
In the CLI
Configuring URL Filtering Policies
In the Instant UI
In the CLI
Example
Configuring User Roles
Creating a User Role
In the Instant UI
In the CLI
Assigning Bandwidth Contracts to User Roles
In the Instant UI
In the CLI:
Configuring Machine and User Authentication Roles
In the Instant UI
In the CLI
Configuring Derivation Rules
Understanding Role Assignment Rule
RADIUS VSA Attributes
MAC-Address Attribute
Roles Based on Client Authentication
DHCP Option and DHCP Fingerprinting
Creating a Role Derivation Rule
In the Instant UI
In the CLI
Example
Understanding VLAN Assignment
Vendor Specific Attributes
VLAN Assignment Based on Derivation Rules
User Role
VLANs Created for an SSID
Configuring VLAN Derivation Rules
In the Instant UI
In the CLI
Example
Using Advanced Expressions in Role and VLAN Derivation Rules
Configuring a User Role for VLAN Derivation
Creating a User VLAN Role
In the Instant UI
In the CLI
Assigning User VLAN Roles to a Network Profile
In the Instant UI
In the CLI
DHCP Configuration
Configuring DHCP Scopes
Configuring Distributed DHCP Scopes
In the Instant UI
In the CLI
Configuring a Centralized DHCP Scope
In the Instant UI
In the CLI
Configuring Local and Local, L3 DHCP Scopes
In the Instant UI
In the CLI
Configuring the Default DHCP Scope for Client IP Assignment
In the Instant UI
In the CLI
VPN Configuration
Understanding VPN Features
Configuring a Tunnel from an IAP to Aruba Mobility Controller
Configuring an IPSec Tunnel
In the Instant UI
In the CLI
Example
Enabling Automatic Configuration of GRE Tunnel
In the Instant UI
In the CLI
Manually Configuring a GRE Tunnel
In the Instant UI
In the CLI
Configuring an L2TPv3 Tunnel
In the Instant UI
In the CLI
Example
Configuring Routing Profiles
In the Instant UI
In the CLI
IAP-VPN Deployment
Understanding IAP-VPN Architecture
IAP-VPN Scalability Limits
IAP-VPN Forwarding Modes
Local or NAT Mode
L2 Switching Mode
Distributed L2 Mode
Centralized L2 Mode
L3 Routing Mode
Distributed L3 mode
Centralized L3 Mode
Configuring IAP and Controller for IAP-VPN Operations
Configuring an IAP network for IAP-VPN operations
Defining the VPN host settings
Configuring Routing Profiles
Configuring DHCP Profiles
Configuring an SSID or Wired Port
Enabling Dynamic RADIUS Proxy
Configuring Enterprise Domains
Configuring a Controller for IAP-VPN Operations
OSPF Configuration
VPN Configuration
Whitelist Database Configuration
VPN Local Pool Configuration
Role Assignment for the Authenticated IAPs
VPN Profile Configuration
Branch-ID Allocation
Branch Status Verification
Example
Adaptive Radio Management
ARM Overview
Channel or Power Assignment
Voice Aware Scanning
Load Aware Scanning
Monitoring the Network with ARM
ARM Metrics
Configuring ARM Features on an IAP
Band Steering
In the Instant UI
In the CLI
Airtime Fairness Mode
In the Instant UI
In the CLI
Client Match
In the Instant UI
In the CLI
Access Point Control
In the Instant UI
In the CLI
Verifying ARM Configuration
Configuring Radio Settings for an IAP
In the Instant UI
In the CLI
Deep Packet Inspection and Application Visibility
Deep Packet Inspection
Enabling Application Visibility
In the Instant UI
In the CLI
Application Visibility
Application Category Charts
Application Charts
Web Categories Charts
Web Reputation Charts
Configuring Access Rules for Application and Application Categories
In the Instant UI
In the CLI
Example
Configuring URL Filtering Policies
In the Instant UI
In the CLI
Example
Voice and Video
Wi-Fi Multimedia Traffic Management
Configuring WMM for Wireless Clients
In the Instant UI
In the CLI
Configuring WMM-DSCP Mapping
In the Instant UI
In the CLI
QoS for Microsoft Office OCS and Apple Facetime
Microsoft OCS
Apple Facetime
Services
AirGroup Configuration
Multicast DNS and Bonjour® Services
DLNA UPnP Support
AirGroup Features
AirGroup Services
AirGroup Components
CPPM and ClearPass Guest Features
Configuring AirGroup and AirGroup Services on an IAP
In the Instant UI
In the CLI
Configuring AirGroup and CPPM interface in Instant
Creating a RADIUS Server
Assign a Server to AirGroup
Configure CPPM to Enforce Registration
Change of Authorization (CoA)
Configuring an IAP for RTLS Support
In the Instant UI
In the CLI
Configuring an IAP for Analytics and Location Engine Support
ALE with Instant
Enabling ALE Support on an IAP
In the Instant UI
In the CLI
Verifying ALE Configuration on an IAP
Configuring OpenDNS Credentials
In the Instant UI
In the CLI
Integrating an IAP with Palo Alto Networks Firewall
Integration with Instant
Configuring an IAP for PAN integration
In the Instant UI
In the CLI
Integrating an IAP with an XML API interface
Integration with Instant
Configuring an IAP for XML API integration
In the Instant UI
In the CLI
CALEA Integration and Lawful Intercept Compliance
CALEA Server Integration
Traffic Flow from IAP to CALEA Server
Traffic Flow from IAP to CALEA Server through VPN
Client Traffic Replication
Configuring an IAP for CALEA Integration
Creating a CALEA Profile
In the Instant UI
In the CLI
Creating an Access Rule for CALEA
In the Instant UI
In the CLI
Verifying the configuration
Example
IAP Management and Monitoring
Managing an IAP from AirWave
Image Management
IAP and Client Monitoring
Template-based Configuration
Trending Reports
Intrusion Detection System
Wireless Intrusion Detection System (WIDS) Event Reporting to AirWave
RF Visualization Support for Instant
PSK-based and Certificate-based Authentication
Configurable Port for IAP and AirWave Management Server Communication
Configuring Organization String
Shared Key
Configuring AirWave Information
In the Instant UI
In the CLI
Configuring for AirWave Discovery through DHCP
Standard DHCP option 60 and 43 on Windows Server 2008
Alternate Method for Defining Vendor-Specific DHCP Options
Aruba Central
Provisioning an IAP using Central
Maintaining the Subscription List
Firmware Maintenance
Uplink Configuration
Uplink Interfaces
Ethernet Uplink
Configuring PPPoE Uplink Profile
In the Instant UI
In the CLI
Cellular Uplink
Configuring Cellular Uplink Profiles
In the Instant UI
In the CLI
Wi-Fi Uplink
Configuring a Wi-Fi Uplink Profile
Uplink Preferences and Switching
Enforcing Uplinks
In the Instant UI
In the CLI
Setting an Uplink Priority
In the Instant UI
In the CLI
Enabling Uplink Preemption
In the Instant UI
In the CLI
Switching Uplinks Based on VPN and Internet Availability
Switching Uplinks Based on VPN Status
Switching Uplinks Based on Internet Availability
In the Instant UI
In the CLI
Viewing Uplink Status and Configuration
Intrusion Detection
Detecting and Classifying Rogue APs
OS Fingerprinting
Configuring Wireless Intrusion Protection and Detection Levels
Containment Methods
Configuring IDS Using CLI
Mesh IAP Configuration
Mesh Network Overview
Mesh IAPs
Mesh Portals
Mesh Points
Setting up Instant Mesh Network
Configuring Wired Bridging on Ethernet0 for Mesh Point
In the Instant UI
In the CLI
Mobility and Client Management
Layer-3 Mobility Overview
Configuring L3-Mobility
Home Agent Load Balancing
Configuring a Mobility Domain for Instant
In the Instant UI
In the CLI
Spectrum Monitor
Understanding Spectrum Data
Device List
Non Wi-Fi Interferers
Channel Details
Channel Metrics
Spectrum Alerts
Configuring Spectrum Monitors and Hybrid IAPs
Converting an IAP to a Hybrid IAP
In the Instant UI
In the CLI
Converting an IAP to a Spectrum Monitor
In the Instant UI
In the CLI
IAP Maintenance
Upgrading an IAP
Upgrading an IAP and Image Server
Image Management Using AirWave
Image Management Using Cloud Server
Configuring HTTP Proxy on an IAP
In the Instant UI
In the CLI
Upgrading an IAP Using Automatic Image Check
Upgrading to a New Version Manually
Upgrading an Image Using CLI
Backing up and Restoring IAP Configuration Data
Viewing Current Configuration
Backing up Configuration Data
Restoring Configuration
Converting an IAP to a Remote AP and Campus AP
Regulatory Domain Restrictions for IAP to RAP or CAP Conversion
Converting an IAP to a Remote AP
Converting an IAP to a Campus AP
Converting an IAP to Standalone Mode
Converting an IAP using CLI
Resetting a Remote AP or Campus AP to an IAP
Rebooting the IAP
Monitoring Devices and Logs
Configuring SNMP
SNMP Parameters for IAP
Configuring SNMP
Creating community strings for SNMPv1 and SNMPv2 Using Instant UI
Creating community strings for SNMPv3 Using Instant UI
Configuring SNMP Community Strings in the CLI
Configuring SNMP Traps
In the Instant UI
In the CLI
Configuring a Syslog Server
In the Instant UI
In the CLI
Configuring TFTP Dump Server
In the Instant UI
In the CLI
Running Debug Commands from the UI
Support Commands
Hotspot Profiles
Understanding Hotspot Profiles
Generic Advertisement Service (GAS)
Access Network Query Protocol (ANQP)
Hotspot 2.0 Query Protocol (H2QP)
Information Elements (IEs) and Management Frames
NAI Realm List
Configuring Hotspot Profiles
Creating Advertisement Profiles for Hotspot Configuration
Configuring an NAI Realm Profile
Configuring a Venue Name Profile
Configuring a Network Authentication Profile
Configuring a Roaming Consortium Profile
Configuring a 3GPP Profile
Configuring an IP Address Availability Profile
Configuring a Domain Profile
Configuring an Operator-friendly Profile
Configuring a Connection Capability Profile
Configuring an Operating Class Profile
Configuring a WAN Metrics Profile
Creating a Hotspot Profile
Associating an Advertisement Profile to a Hotspot Profile
Creating a WLAN SSID and Associating Hotspot Profile
Sample Configuration
Mobility Access Switch Integration
Mobility Access Switch Overview
MAS Integration with an IAP
Configuring IAPs for MAS Integration
In the Instant UI
In the CLI
ClearPass Guest Setup
Testing
Troubleshooting
IAP-VPN Deployment Scenarios
Scenario 1 - IPSec: Single Datacenter Deployment with No Redundancy
Topology
AP Configuration
AP Connected Switch Configuration
Datacenter Configuration
Scenario 2 - IPSec: Single Datacenter with Multiple Controllers for Redundancy
Topology
AP Configuration
AP Connected Switch Configuration
Datacenter Configuration
Scenario 3 - IPSec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy
Topology
AP Configuration
AP Connected Switch Configuration
Datacenter Configuration
Scenario 4 - GRE: Single Datacenter Deployment with No Redundancy
Topology
AP Configuration
AP Connected Switch Configuration
Datacenter Configuration
Terminology
Acronyms and Abbreviations
Glossary

Chapter 1
About this Guide
This User Guide describes the features supported by Aruba Instant and provides detailed instructions for setting up and configuring the Instant network.

Intended Audience
This guide is intended for customers who configure and use Instant.

Related Documents
In addition to this document, the Instant product documentation includes the following:
- Aruba Instant Installation Guides
- Aruba Instant 6.4.0.2-4.1 Quick Start Guide
- Aruba Instant 6.4.0.2-4.1 CLI Reference Guide
- Aruba Instant 6.4.0.2-4.1 MIB Reference Guide
- Aruba Instant 6.4.0.2-4.1 Syslog Messages Reference Guide
- Aruba Instant 6.4.0.2-4.1 Release Notes

Conventions
The following conventions are used throughout this manual to emphasize important concepts:

Table 1: Typographical Conventions
Type Style: Description
Italics: This style is used to emphasize important terms and to mark the titles of books.
System items: This fixed-width font depicts the following:
- Sample screen output
- System prompts
- Filenames, software devices, and specific commands when mentioned in the text.
Commands: In the command examples, this style depicts the keywords that must be typed exactly as shown.
<Arguments>: In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:
# send <text message>
In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.
[Optional]: Command examples enclosed in brackets are optional. Do not type the brackets.
{Item A | Item B}: In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

The following informational icons are used throughout this guide:
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.

Contacting Support

Table 2: Support Information
Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
Airheads Social Forums and Knowledge Base: community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephones: arubanetworks.com/support-services/aruba-support-program/contact-support/
Software Licensing Site: licensing.arubanetworks.com/login.php
Wireless Security Incident Response Team (WSIRT): arubanetworks.com/support/wsirt.php
Support Email Addresses
Americas and APAC: [email protected]
EMEA: [email protected]
WSIRT Email (Please email details of any security problem found in an Aruba product.): [email protected]

Chapter 2
About Aruba Instant
This chapter provides the following information:
- Instant Overview
- What is New in Aruba Instant 6.4.0.2-4.1

Instant Overview
Instant virtualizes Aruba Mobility Controller capabilities on 802.11 access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity.
Instant is a simple, easy to deploy turn-key WLAN solution consisting of one or more APs. An Ethernet port with routable connectivity to the Internet or a self-enclosed network is used for deploying an Instant Wireless Network. An Instant Access Point (IAP) can be installed at a single site or deployed across multiple geographically-dispersed locations. Designed specifically for easy deployment, and proactive management of networks, Instant is ideal for small customers or remote locations without any on-site IT administrator.
Instant consists of an IAP and a Virtual Controller. The Virtual Controller resides within one of the APs. In an Instant deployment scenario, only the first IAP needs to be configured. After the first IAP is configured, the other IAPs inherit all the required configuration information from the Virtual Controller. Instant continually monitors the network to determine the IAP that should function as the Virtual Controller at any time, and the Virtual Controller will move from one IAP to another as necessary without impacting network performance.

Supported Devices
The following devices are supported in the current release of Instant:
- IAP-103
- IAP-104
- IAP-105
- IAP-114/115
- IAP-134/135
- IAP-175P/175AC
- RAP-3WN/3WNP
- RAP-108/109
- RAP155/155P
- IAP-224/225
- IAP-274/275
As of Instant 4.1 release, Aruba recommends that networks with more than 128 APs should be designed as multiple, smaller virtual-controller networks with Layer-3 mobility enabled between them.
All IAPs except IAP-224/225, IAP-114/115, and IAP-274/275 are available as the following variants:
- IAP-US (United States)
- IAP-JP (Japan)
- IAP-IL (Israel)
- IAP-RW (Rest of World)
The IAP-224/225, IAP-114/115, and IAP-274/275 are available as the following variants:
- IAP-US (United States)
- IAP-RW. The RW variant also includes IL and JP variants.
For information on regulatory domains and the list of countries supported by the IAP-RW type, see Country Code on page 37.

Instant UI
The Instant User Interface (UI) provides a standard Web-based interface that allows you to configure and monitor a Wi-Fi network. Instant is accessible through a standard Web browser from a remote management console or workstation and can be launched using the following browsers:
- Internet Explorer 10 or lower
- Safari 6.0 or later
- Google Chrome 23.0.1271.95 or later
- Mozilla Firefox 17.0 or later
If the Instant UI is launched through an unsupported browser, a warning message is displayed along with a list of recommended browsers. However, the users are allowed to log in using the Continue login link on the Login page.
To view the Instant UI, ensure that JavaScript is enabled on the Web browser.
The Instant UI logs out automatically if the window is inactive for 15 minutes.

Instant CLI
The Instant Command Line Interface (CLI) is a text-based interface accessible through a Secure Shell (SSH) session.
SSH access requires that you configure an IP address and a default gateway on the IAP and connect the IAP to your network. This is typically performed when the Instant network on an IAP is set up.

What is New in Aruba Instant 6.4.0.2-4.1
The following features are added in the Aruba Instant 6.4.0.2-4.1 release:

Feature
    Description

Support for AppRF and DPI service
    In the current release, Instant supports Layer 7 application and web-filtering service called Deep Packet Inspection (DPI). As part of the DPI service and AppRF feature support, Instant supports the following:
    - Access control based on application and application categories
    - Application visibility
    - Web filtering service based on web categories and security ratings assigned to the websites

URL filtering
    IAPs support access control and content filtering based on web categories and website reputation ratings. The administrators can now configure access rules to permit or deny client access to certain websites.

Support for new 4G modems
    Instant now supports the following 4G modems:
    - Netgear Aircard 341u
    - Pantech UML295
    - Franklin Wireless u770
    - Huawei 3276s-150

AirGroup Enhancements
    IAPs now support Universal Plug and Play (UPnP) and DLNA (Digital Living Network Alliance) enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network.

DSCP Mapping for WMM Access Categories
    Instant now supports Wi-Fi Multimedia and DSCP mapping configuration for upstream and downstream traffic.

Fast roaming enhancements
    IAPs now support 802.11k (Radio Resource Management) and 802.11v (BSS Transition Management) standards to improve Quality of Service (QoS) and seamless connectivity.

Authentication survivability with EAP-TLS
    Instant now supports the authentication survivability feature with the EAP-TLS authentication protocol. The authentication survivability feature supports a survivable authentication framework against the remote link failure when working with the external authentication servers.

Support for AP zone configuration
    You can now configure zone settings on an IAP and an SSID, so that the SSID is created on a specific IAP in the cluster.

Configurable port for communication between IAP and AirWave management server
    You can now customize the port number of the AirWave management server through the server_host:server_port format, for example, amp.google.com:4343.

Client match visualization
    The Instant UI now provides a graphical representation of the client distribution on an AP, the RSSI details, and the channel availability and utilization metrics.

Console access to IAP
    In the current release, you can allow or restrict access to an IAP console through the serial port. By default, the console access to an IAP is enabled.

Backup RADIUS server with EAP termination
    Instant now supports the configuration of the primary and backup RADIUS servers in an enterprise WLAN SSID that has EAP termination enabled.

Support for TACACS+ Server
    In this release, a new external server called TACACS+ Server is added to support authentication and accounting privileges for management users.

XML API Integration
    The Instant UI now allows users to integrate an XML API Interface with an IAP. The users can use the XML API interface to add, delete, authenticate, or query a user or a client.

Support for inbound firewall rules configuration
    You can now configure firewall rules based on the source subnet for the inbound traffic coming through the uplink ports of an IAP.

Full tunnel support
    Instant now allows you to configure full tunnel for the Centralized, L2 subnets. When the split-tunnel feature is disabled, the redirect and source NAT ACL rules are not generated for this subnet, thereby allowing all traffic to get switched to the GRE tunnel.

Table 3: New Features in 6.4.0.2-4.1
IAP Platform
    Description

IAP-270 Series
    The IAP-274 and IAP-275 are environmentally hardened, outdoor rated, dual-radio IEEE 802.11ac wireless access points. These access points use MIMO (Multiple-in, Multiple-out) technology and other high-throughput mode techniques to deliver high-performance, 802.11ac 2.4 GHz and 5 GHz functionality while simultaneously supporting existing 802.11a/b/g/n wireless services. For more information about this product, visit www.arubanetworks.com.

IAP-103
    The IAP-103 wireless access point supports the IEEE 802.11n standard for high-performance WLAN. This access point uses MIMO (Multiple-in, Multiple-out) technology and other high-throughput mode techniques to deliver high performance, 802.11n 2.4 GHz or 5 GHz functionality while simultaneously supporting existing 802.11a/b/g wireless services. For more information about this product, visit www.arubanetworks.com.

Table 4: New Hardware Platforms introduced in this release

Chapter 3
Setting up an IAP
This chapter describes the following procedures:
- Setting up Instant Network on page 34
- Logging in to the Instant UI on page 36
- Accessing the Instant CLI on page 40

Setting up Instant Network
Before installing an IAP:
- Ensure that you have an Ethernet cable of the required length to connect an IAP to the home router.
- Ensure that you have one of the following power sources:
  - IEEE 802.3af/at-compliant Power over Ethernet (PoE) source. The PoE source can be any power source equipment (PSE) switch or a midspan PSE device.
  - IAP power adapter kit.
Perform the following procedures to set up the Instant network:
1. Connecting an IAP on page 34
2. Assigning an IP address to the IAP on page 34
3. Connecting to a Provisioning Wi-Fi Network on page 35

Connecting an IAP
Based on the type of the power source used, perform one of the following steps to connect an IAP to the power source:
- PoE switch—Connect the ENET 0 port of the IAP to the appropriate port on the PoE switch.
- PoE midspan—Connect the ENET 0 port of the IAP to the appropriate port on the PoE midspan.
- AC to DC power adapter—Connect the 12V DC power jack socket to the AC to DC power adapter.
RAP-155P supports PSE for 802.3at powered device (class 0-4) on one port (E1 or E2), or 802.3af powered DC IN (Power Socket) on two ports (E1 and E2).

Assigning an IP address to the IAP
The IAP needs an IP address for network connectivity. When you connect an IAP to a network, it receives an IP address from a DHCP server.
To obtain an IP address for an IAP:
1. Ensure that the DHCP service is enabled on the network.
2. Connect the ENET 0 port of the IAP to a switch or router using an Ethernet cable.
3. Connect the IAP to a power source. The IAP receives an IP address provided by the switch or router.
If there is no DHCP service on the network, the IAP can be assigned a static IP address. If a static IP is not assigned, the IAP obtains an IP automatically within the 169.254 subnet.

Assigning a Static IP
To assign a static IP to an IAP:
1. Connect a terminal, PC, or workstation running a terminal emulation program to the Console port on the IAP.
2. Power on the IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
3. Press Enter before the timer expires. The IAP goes into the apboot mode.
4. In the apboot mode, use the following commands to assign a static IP to the IAP.
Hit <Enter> to stop autoboot: 0
apboot>
apboot> setenv ipaddr 192.0.2.0
apboot> setenv netmask 255.255.255.0
apboot> setenv gatewayip 192.0.2.2
apboot> save
Saving Environment to Flash...
Un-Protected 1 sectors
.done
Erased 1 sectors
Writing
5. Use the printenv command to view the configuration.
apboot> printenv
Connecting to a Provisioning Wi-Fi Network
The IAPs boot with factory default configuration and try to provision automatically. If the automatic provisioning is successful, the instant SSID will not be available. If AirWave and Activate are not reachable and the automatic provisioning fails, the instant SSID becomes available and the users can connect to a provisioning network by using the instant SSID.
To connect to a provisioning Wi-Fi network:
1. Ensure that the client is not connected to any wired network.
2. Connect a wireless-enabled client to a provisioning Wi-Fi network; for example, instant.
3. If the Windows OS system is used:
   a. Click the wireless network connection icon in the system tray. The Wireless Network Connection window is displayed.
   b. Click on the instant network and then click Connect.
4. If the Mac OS system is used:
   a. Click the AirPort icon. A list of available Wi-Fi networks is displayed.
   b. Click on the instant network.
The instant SSIDs are broadcast in 2.4 GHz only.

IAP Cluster
IAPs in the same VLAN automatically find each other and form a single functioning network managed by a Virtual Controller.
Moving an IAP from one cluster to another requires a factory reset of the IAP.

Disabling the Provisioning Wi-Fi Network
The provisioning network is enabled by default. Instant provides the option to disable the provisioning network through the console port. Use this option only when you do not want the default SSID instant to be broadcast in your network.
To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the IAP.
2. Configure the terminal or terminal emulation program to use the following communication settings:
Baud Rate   Data Bits   Parity   Stop Bits   Flow Control
9600        8           None     1           None
Table 5: Terminal Communication Settings
3. Power on the IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
4. Press Enter before the timer expires. The IAP goes into the apboot mode through console.
5. In the apboot mode, use the following commands to disable the provisioning network:
  - apboot> factory_reset
  - apboot> setenv disable_prov_ssid 1
  - apboot> saveenv
  - apboot> reset
Logging in to the Instant UI
Launch a Web browser and enter http://instant.arubanetworks.com. In the login screen, enter the following credentials:
- Username—admin
- Password—admin
The following figure shows the Login screen:
Figure 1 Login Screen
When you use a provisioning Wi-Fi network to connect to the Internet, all browser requests are directed to the Instant UI. For example, if you enter www.example.com in the address field, you are directed to the Instant UI. You can change the default login credentials after the first login.
Regulatory Domains
The IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n operates in the 5.0 GHz spectrum. The spectrum is divided into channels. The 2.4 GHz spectrum is divided into 14 overlapping, staggered 20 MHz wireless carrier channels. These channels are spaced 5 MHz apart. The 5 GHz spectrum is divided into more channels. The channels that can be used in a particular country differ based on the regulations of that country.
The initial Wi-Fi setup requires you to specify the country code for the country in which the Instant operates. This configuration sets the regulatory domain for the radio frequencies that the IAPs use. Within the regulated transmission spectrum, a high-throughput 802.11ac, 802.11a, 802.11b/g, or 802.11n radio setting can be configured. The available 20 MHz, 40 MHz, or 80 MHz channels are dependent on the specified country code.
You cannot change the country code for the IAPs in the restricted regulatory domains such as US, Japan, and Israel for most of the IAP models. Improper country code assignments can disrupt wireless transmissions. Most countries impose penalties and sanctions on operators of wireless networks with devices set to improper country codes.

Country Code
The following table provides a list of supported country codes:
Code  Country Name
AE  United Arab Emirates
AR  Argentina
AT  Austria
AU  Australia
BG  Bulgaria
BH  Bahrain
BM  Bermuda
BO  Bolivia
BR  Brazil
CA  Canada
CH  Switzerland
CL  Chile
CN  China
CO  Colombia
CR  Costa Rica
CS  Serbia and Montenegro
CY  Cyprus
CZ  Czech Republic
DE  Germany
DK  Denmark
DO  Dominican Republic
DZ  Algeria
EC  Ecuador
EE  Estonia
EG  Egypt
ES  Spain
FI  Finland
FR  France
GB  United Kingdom
GR  Greece
GT  Guatemala
HK  Hong Kong
HN  Honduras
ID  Indonesia
IE  Ireland
IL  Israel
IN  India
IS  Iceland
IT  Italy
JM  Jamaica
JO  Jordan
JP  Japan
KE  Kenya
KR  Republic of Korea (South Korea)
KW  Kuwait
LB  Lebanon
LI  Liechtenstein
LK  Sri Lanka
LT  Lithuania
LU  Luxembourg
MA  Morocco
MU  Mauritius
MX  Mexico
NL  Netherlands
NO  Norway
NZ  New Zealand
OM  Oman
PA  Panama
PE  Peru
PH  Philippines
PK  Islamic Republic of Pakistan
PL  Poland
PR  Puerto Rico
PT  Portugal
QA  Qatar
RO  Romania
RU  Russia
SA  Saudi Arabia
SG  Singapore
SI  Slovenia
SK  Slovak Republic
SV  El Salvador
TH  Thailand
TN  Tunisia
TR  Turkey
TT  Trinidad and Tobago
TW  Taiwan
UA  Ukraine
US  United States
UY  Uruguay
VE  Venezuela
VN  Vietnam
ZA  South Africa
Table 6: Country Codes List
Specifying Country Code
This procedure is applicable to the IAP-RoW (Rest of World) variants only. Skip this step if you are installing IAP in the United States, Japan, or Israel.
The Country Code window is displayed for the IAP-RoW (Rest of World) variants when you log in to the UI for the first time. You can specify a country code by selecting an appropriate option from the Please Specify the Country Code drop-down list.
Figure 2 Specifying a Country Code
For the complete list of the country codes supported by the IAP-ROW variant type, see Country Code on page 37.

Accessing the Instant CLI
Instant supports the use of Command Line Interface (CLI) for scripting purposes. When you make configuration changes on a master IAP in the CLI, all associated IAPs in the cluster inherit these changes and subsequently update their configurations. By default, you can access the CLI from the serial port or from an SSH session. You must explicitly enable Telnet access on the IAP to access the CLI through a Telnet session.
For information on enabling SSH and Telnet access to the IAP CLI, see Configuring Terminal Access on page 79.
Connecting to a CLI Session
On connecting to a CLI session, the system displays its host name followed by the login prompt. Use the administrator credentials to start a CLI session. For example:
(Instant AP)
User: admin
If the login is successful, the privileged command mode is enabled and a command prompt is displayed. For example:
(Instant AP)#
The privileged mode provides access to show, clear, ping, traceroute, and commit commands. The configuration commands are available in config mode. To move from privileged mode to the configuration mode, enter the following command at the command prompt:
(Instant AP)# configure terminal
The configure terminal command allows you to enter the basic configuration mode and the command prompt is displayed as follows:
(Instant AP)(config)#
The Instant CLI allows CLI scripting in several other sub-command modes to allow the users to configure individual interfaces, SSIDs, access rules, and security settings.
You can use the question mark (?) to view the commands available in a privileged mode, configuration mode, or sub-mode.
Although automatic completion is supported for some commands such as configure terminal, the complete exit and end commands must be entered at command prompt.
Applying Configuration Changes
Each command processed by the Virtual Controller is applied on all the slaves in a cluster. The changes configured in a CLI session are saved in the CLI context. The CLI does not support the configuration data exceeding the 4K buffer size in a CLI session. Therefore, Aruba recommends that you configure fewer changes at a time and apply the changes at regular intervals.
To apply and save the configuration changes at regular intervals, use the following command in the privileged mode:
(Instant AP)# commit apply
To apply the configuration changes to the cluster without saving the configuration, use the following command in the privileged mode:
(Instant AP)# commit apply no-save
To view the changes that are yet to be applied, use the following command in the privileged mode:
(Instant AP)# show uncommitted-config
To revert to the earlier configuration, use the following command in the privileged mode.
(Instant AP)# commit revert
Example:
(Instant AP)(config)# rf dot11a-radio-profile
(Instant AP)(RF dot11a Radio Profile)# beacon-interval 200
(Instant AP)(RF dot11a Radio Profile)# no legacy-mode
(Instant AP)(RF dot11a Radio Profile)# dot11h
(Instant AP)(RF dot11a Radio Profile)# interference-immunity 3
(Instant AP)(RF dot11a Radio Profile)# csa-count 2
(Instant AP)(RF dot11a Radio Profile)# spectrum-monitor
(Instant AP)(RF dot11a Radio Profile)# end

(Instant AP)# show uncommitted-config
rf dot11a-radio-profile
no legacy-mode
beacon-interval 200
no dot11h
interference-immunity 3
csa-count 1
no spectrum-monitor
Instant Access Point# commit apply
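
The recommendation above (configure fewer changes at a time and apply them at regular intervals) can be scripted. The following is an added example, not code from the guide or from Aruba: it groups configuration blocks into batches that stay under the 4K buffer and emits show uncommitted-config and commit apply after each batch. How the device counts bytes against the buffer is an assumption, and the mgmt-auth-server profile names in the sample are hypothetical.

```python
"""Batch Instant CLI configuration so each commit stays under the 4K limit."""

# The guide's "4K buffer size". Counting each line's bytes plus a newline is an
# assumption about how the device measures configuration data.
BUFFER_LIMIT = 4096


def block_size(block):
    """Bytes a block occupies when sent as newline-terminated command lines."""
    return sum(len(line.encode("utf-8")) + 1 for line in block)


def batch_blocks(blocks, limit=BUFFER_LIMIT):
    """Greedily group blocks so that no batch exceeds `limit` bytes.

    A block is one config-mode command plus any sub-mode lines under it.
    Blocks are never split, so a profile is always committed as a whole.
    """
    batches, current, used = [], [], 0
    for block in blocks:
        size = block_size(block)
        if size > limit:
            raise ValueError(
                f"block starting {block[0]!r} is {size} bytes, "
                f"over the {limit}-byte limit"
            )
        if current and used + size > limit:
            batches.append(current)
            current, used = [], 0
        current.append(block)
        used += size
    if current:
        batches.append(current)
    return batches


def render_script(blocks, limit=BUFFER_LIMIT, save=True):
    """Return the CLI lines to send: each batch is reviewed, then committed."""
    commit = "commit apply" if save else "commit apply no-save"
    lines = []
    for batch in batch_blocks(blocks, limit):
        for block in batch:
            lines.append("configure terminal")
            lines.extend(block)
            lines.append("end")  # back to privileged mode, as in the guide's example
        lines.append("show uncommitted-config")  # record what is pending
        lines.append(commit)
    return lines


# Constructed sample input. The radio profile lines come from the guide's
# example; the auth profile names are hypothetical.
RADIO_BLOCK = [
    "rf dot11a-radio-profile",
    "beacon-interval 200",
    "no legacy-mode",
    "interference-immunity 3",
    "csa-count 2",
]
SAMPLE_BLOCKS = [
    RADIO_BLOCK,
    ["mgmt-auth-server example-radius-1"],
    ["mgmt-auth-server example-radius-2"],
]

if __name__ == "__main__":
    # A small limit is used here only to make the batching visible.
    for line in render_script(SAMPLE_BLOCKS, limit=100):
        print(line)
```

Keeping the show uncommitted-config output from each batch gives a reviewable record of what was pushed to the cluster before every commit.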
Using Sequence Sensitive Commands
The Instant CLI does not support positioning or precedence of sequence-sensitive commands. Therefore, Aruba recommends that you remove the existing configuration before adding or modifying the configuration details for sequence-sensitive commands. You can either delete an existing profile or remove a specific configuration by using the no… commands.
The following table lists the sequence-sensitive commands and the corresponding no command to remove the configuration.

Sequence-Sensitive Command
    Corresponding no command

opendns <username> <password>
    no opendns

rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat {<IP-address> <port>|<port>}} [<option1....option9>]
    no rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat}

mgmt-auth-server <auth-profile-name>
    no mgmt-auth-server <auth-profile-name>

set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <role>|value-of}
    no set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator>|value-of}
    no set-role

set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}
    no set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator>|value-of}
    no set-vlan

auth-server <name>
    no auth-server <name>

Table 7: Sequence-Sensitive Commands
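
Because the CLI cannot insert a sequence-sensitive command at a chosen position, changing the order of access rules means removing the existing entries and re-adding all of them in the intended order. The following is an added example, not code from the guide or from Aruba: it derives the no form of each command in Table 7 and builds that remove-then-re-add plan. It assumes arguments are separated by whitespace; the rule values and the log option in the sample are constructed.

```python
"""Build the `no` form for the sequence-sensitive commands in Table 7."""

RULE_ACTIONS = {"permit", "deny", "src-nat", "dst-nat"}
MATCH_OPERATORS = {"equals", "not-equals", "starts-with", "ends-with", "contains"}


def removal_command(line):
    """Return the `no` command that removes `line`, or None if the line is
    not one of the sequence-sensitive commands listed in Table 7."""
    tokens = line.split()
    if not tokens:
        return None
    keyword = tokens[0]
    if keyword == "opendns":
        return "no opendns"  # credentials are not repeated in the no form
    if keyword in ("mgmt-auth-server", "auth-server"):
        if len(tokens) < 2:
            raise ValueError(f"missing profile name: {line!r}")
        return "no " + " ".join(tokens[:2])
    if keyword == "rule":
        # rule <dest> <mask> <match> <protocol> <start-port> <end-port> <action>
        # NAT targets and trailing options are dropped from the no form.
        if len(tokens) < 8 or tokens[7] not in RULE_ACTIONS:
            raise ValueError(f"malformed rule: {line!r}")
        return "no " + " ".join(tokens[:8])
    if keyword in ("set-role", "set-vlan"):
        if len(tokens) >= 3 and tokens[2] == "value-of":
            return "no " + " ".join(tokens[:3])
        if len(tokens) >= 5 and tokens[2] in MATCH_OPERATORS:
            # The assigned role or VLAN ID is dropped from the no form.
            return "no " + " ".join(tokens[:4])
        raise ValueError(f"malformed {keyword}: {line!r}")
    return None


def reorder_plan(existing, desired):
    """Commands that replace the sequence-sensitive entries in `existing`
    with `desired`, in order: every removal first, then every addition."""
    for line in desired:
        if removal_command(line) is None:
            raise ValueError(f"not a sequence-sensitive command: {line!r}")
    removals = []
    for line in existing:
        command = removal_command(line)
        if command is not None and command not in removals:
            removals.append(command)
    return removals + list(desired)


# Constructed sample: add an SSH permit ahead of an existing deny-all rule.
EXISTING = [
    "rule 192.0.2.10 255.255.255.255 match 6 443 443 permit",
    "rule any any match any any any deny",
]
DESIRED = [
    "rule 192.0.2.10 255.255.255.255 match 6 443 443 permit",
    "rule 192.0.2.10 255.255.255.255 match 6 22 22 permit",
    "rule any any match any any any deny",
]

if __name__ == "__main__":
    for command in reorder_plan(EXISTING, DESIRED):
        print(command)
```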
Chapter 4
Instant User Interface
This chapter describes the following Instant UI elements:
- Login Screen
- Main Window

Login Screen
The Instant login page allows you to:
- Log in to the Instant UI.
- View Instant Network Connectivity summary
- View the Instant UI in a specific language

Logging in to the Instant UI
To log in to the Instant UI, enter the following credentials:
- Username—admin
- Password—admin
The Instant UI main window is displayed.

Viewing Connectivity Summary
The Login page also displays the connectivity status to the Instant network. The users can view a summary that indicates the status of the Internet availability, uplink, cellular modem and signal strength, VPN, and AirWave configuration details before logging in to the Instant UI.
The following figure shows the information displayed in the connectivity summary:
Figure 3 Connectivity Summary
The Internet status is available only if the Internet failover feature (System > Show advanced option > uplink > Internet failover) is enabled.
The cellular provider and cellular strength information is only available when a 3G or 4G modem is in use.

Language
The Language drop-down lists the languages and allows users to select their preferred language before logging in to the Instant UI. A default language is selected based on the language preferences in the client desktop operating system or browser. If Instant cannot detect the language, then English is used as the default language.

You can also select the required language option from the Languages drop-down located at the bottom left corner of the Instant main window.

Main Window
On logging in to Instant, the Instant UI Main Window is displayed. The following figure shows the Instant main window:
Figure 4 Instant Main Window
The main window consists of the following elements:
- Banner
- Search
- Tabs
- Links
- Views

Banner
The banner is a horizontal gray rectangle that appears at the top left corner of the Instant main window. It displays the company name, logo, and Virtual Controller's name.

Search
Administrators can search for an IAP, client, or a network in the Search text box. When you type a search text, the search function suggests matching keywords and allows you to automatically complete the search text entry.

Tabs
The Instant main window consists of the following tabs:
- Networks Tab—Provides information about the network profiles configured in the Instant network.
- Access Points Tab—Provides information about the IAPs configured in the Instant network.
- Clients Tab—Provides information about the clients in the Instant network.
Each tab appears in a compressed view by default. The number of networks, IAPs, or clients in the network precedes the tab names. The individual tabs can be expanded or collapsed by clicking on the tabs. The list items in each tab can be sorted by clicking the triangle icon next to the heading labels.

Networks Tab
This tab displays a list of Wi-Fi networks that are configured in the Instant network. The network names are displayed as links. The expanded view displays the following information about each WLAN SSID:
- Name (SSID)—Name of the network.
- Clients—Number of clients that are connected to the network.
- Type—Type of network, such as Employee, Guest, or Voice.
- Band—Band in which the network is broadcast: 2.4 GHz band, 5 GHz band, or both.
- Authentication Method—Authentication method required to connect to the network.
- Key Management—Authentication key type.
- IP Assignment—Source of IP address for the client.
- Zone—AP zone configured on the SSID.
To add a wireless network profile, click the New link in the Networks tab. To edit, click the edit link that is displayed on clicking the network name in the Networks tab. To delete a network, click on the link x.
For more information on the procedure to add or modify a wireless network, see Wireless Network Profiles on page 92.

Access Points Tab
If the Auto Join Mode feature is enabled, a list of enabled and active IAPs in the Instant network is displayed in the Access Points tab. The IAP names are displayed as links. If the Auto Join Mode feature is disabled, the New link is displayed. Click this link to add a new IAP to the network. If an IAP is configured and not active, its MAC Address is displayed in red.
The expanded view of the Access Points tab displays the following information about each IAP:
- Name—Name of the IAP. If the IAP functions as a master IAP in the network, the asterisk sign "*" is displayed next to the IAP.
- IP Address—IP address of the IAP.
- Mode—Mode of the IAP.
  - Access—In this mode, the AP serves clients and scans the home channel for spectrum analysis while monitoring channels for rogue APs in the background.
  - Monitor—In this mode, the AP acts as a dedicated Air Monitor (AM), scanning all channels for rogue APs and clients.
- Spectrum—When enabled, the AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference from neighboring APs or non-Wi-Fi devices such as microwaves and cordless phones. When Spectrum is enabled, the AP does not provide access services to clients.
- Clients—Number of clients that are currently associated to the IAP.
- Type—Model number of the IAP.
- Mesh Role—Role of the IAP as a mesh portal or mesh point.
- Zone—AP zone.
- Channel—Channel on which the IAP is currently broadcast.
- Power (dB)—Maximum transmission EIRP of the radio.
- Utilization (%)—Percentage of time that the channel is utilized.
- Noise (dBm)—Noise floor of the channel.
An edit link is displayed on clicking the IAP name. For details about editing IAP settings, see Customizing IAP Settings on page 83.
Clients Tab
This tab displays a list of clients that are connected to the Instant network. The client names are displayed as links. The expanded view displays the following information about each client:
- Name—User name of the client or guest users if available.
- IP Address—IP address of the client.
- MAC Address—MAC address of the client.
- OS—Operating system that runs on the client.
- Network—The network to which the client is connected.
- Access Point—IAP to which the client is connected.
- Channel—The client operating channel.
- Type—Type of the Wi-Fi client: A, G, AN, or GN.
- Role—Role assigned to the client.
- Signal—Current signal strength of the client, as detected by the AP.
- Speed (mbps)—Current speed at which data is transmitted. When the client is associated with an AP, it constantly negotiates the speed of data transfer. A value of 0 means that the AP has not heard from the client for some time.

Links
The following links allow you to configure various features for the Instant network:
- New Version Available
- System
- RF
- Security
- Maintenance
- More
- Help
- Logout
- Monitoring
- Client Match
- AppRF
- Spectrum
- Alerts
- IDS
- Configuration
- AirGroup
- AirWave Setup
- Pause/Resume
Each of these links is explained in the subsequent sections.

New Version Available
This link is displayed in the top right corner of the Instant main window only if a new image version is available on the image server and AirWave is not configured. For more information about the New version available link and its functions, see Upgrading an IAP on page 320.

System
This link displays the System window. The System window consists of the following tabs:
Use the Show/Hide Advanced option at the bottom of the System window to view or hide the advanced options.
- General—Allows you to configure, view, or edit the Name, IP address, NTP Server, and other IAP settings for the Virtual Controller. For more information on the basic and additional configuration settings that can be performed on this tab, see Basic Configuration Tasks on page 73 and Additional Configuration Tasks on page 77.
- Admin—Allows you to configure administrator credentials for access to the Virtual Controller Management User Interface. You can also configure AirWave in this tab. For more information on management interface and AirWave configuration, see Managing IAP Users on page 140 and Managing an IAP from AirWave on page 275 respectively.
- Uplink—Allows you to view or configure uplink settings. See Uplink Configuration on page 288 for more information.
- L3 Mobility—Allows you to view or configure the Layer-3 mobility settings. See Configuring L3-Mobility on page 310 for more information.
- Enterprise Domains—Allows you to view or configure the DNS domain names that are valid in the enterprise network. See Configuring Enterprise Domains on page 188 for more information.
- Monitoring—Allows you to view or configure the following details:
  - Syslog—Allows you to view or configure Syslog Server details for sending syslog messages to the external servers. See Configuring a Syslog Server on page 333 for more information.
  - TFTP Dump—Allows you to view or configure a TFTP dump server for core dump files. See Configuring TFTP Dump Server on page 335 for more information.
  - SNMP—Allows you to view or configure SNMP agent settings. See Configuring SNMP on page 330 for more information.
- WISPr—Allows you to view or configure the WISPr settings. See Configuring WISPr Authentication on page 170 for more information.
- Proxy—Allows you to configure HTTP proxy on an IAP. See Configuring HTTP Proxy on an IAP on page 320 for more information.
The following figure provides a view of the System window with the advanced options.
Figure 5 System Window

RF
The RF link displays a window for configuring Adaptive Radio Management (ARM) and Radio features.
- ARM—Allows you to view or configure channel and power settings for all the IAPs in the network. For information about ARM configuration, see ARM Overview on page 232.
- Radio—Allows you to view or configure radio settings for 2.4 GHz and the 5 GHz radio profiles. For information about Radio, see Configuring Radio Settings for an IAP on page 238.
The following figure provides a view of the RF window with the advanced options for ARM configuration:

Figure 6 RF Window

Security
The Security link displays a window with the following tabs:
- Authentication Servers—Use this tab to configure an external RADIUS server for a wireless network. For more information, see Configuring an External Server for Authentication on page 157.
- Users for Internal Server—Use this tab to populate the system’s internal authentication server with users. This list is used by networks for which per-user authorization is specified using the Virtual Controller’s internal authentication server. For more information about users, see Managing IAP Users on page 140.
- Roles—Use this tab to view the roles defined for all the Networks. The Access Rules part allows you to configure permissions for each role. For more information, see Configuring User Roles on page 190 and Configuring Access Rules for Network Services on page 177.
- Blacklisting—Use this tab to blacklist clients. For more information, see Blacklisting Clients on page 171.
- Firewall Settings—Use this tab to enable or disable Application Layer Gateway (ALG) supporting address and port translation for various protocols and to configure protection against wired attacks. For more information, see Configuring ALG Protocols on page 181 and Configuring Firewall Settings for Protection from ARP Attacks on page 181.
- Inbound Firewall—Use this tab to enhance the inbound firewall by allowing configuration of inbound firewall rules, management subnets, and restricted corporate access through an uplink switch. For more information, see Managing Inbound Traffic on page 183.
- Walled Garden—Use this window to allow or prevent access to a selected list of websites. For more information, see Configuring Walled Garden Access on page 138.
- External Captive Portal—Use this window to configure external captive portal profiles. For more information, see Configuring External Captive Portal for a Guest Network on page 129.
The following figure shows the default view of the Security window:
Figure 7 Security Window - Default View

Maintenance
The Maintenance link displays a window that allows you to maintain the Wi-Fi network. The Maintenance window consists of the following tabs:
- About—Displays the name of the product, build time, IAP model name, the Instant version, website address of Aruba Networks, and Copyright information.
- Configuration—Displays the following details:
  - Current Configuration—Displays the current configuration details.
  - Clear Configuration—Allows you to clear the current configuration details of the network.
  - Backup Configuration—Allows you to back up local configuration details. The backed up configuration data is saved in the file named instant.cfg.
  - Restore Configuration—Allows you to restore the backed up configuration. The IAP must be rebooted after restoring the configuration for the changes to take effect.
- Certificates—Displays information about the certificates installed on the IAP. You can also upload new certificates and set a passphrase for the certificates. For more information, see Uploading Certificates on page 173.
- Firmware—Displays the current firmware version and provides various options to upgrade to a new firmware version. For more information, see Upgrading an IAP on page 320.
- Reboot—Displays the IAPs in the network and provides an option to reboot the required access point or all access points. For more information, see Upgrading an IAP on page 320.
- Convert—Provides an option to convert an IAP to a mobility controller managed Remote AP or Campus AP, or to the default Virtual Controller mode. For more information, see Converting an IAP to a Remote AP and Campus AP on page 323.
The following figure shows the default view of the Maintenance window:

Figure 8 Maintenance Window - Default View

More
The More link allows you to select the following options:
- VPN
- IDS
- Wired
- Services
- DHCP Server
- Support

VPN
The VPN window allows you to define communication settings with a remote Controller. See VPN Configuration on page 210 for more information. The following figure shows an example of the IPSec configuration options available in the VPN window:
Figure 9 VPN window for IPSec Configuration

IDS
The IDS window allows you to configure wireless intrusion detection and protection levels. The following figures show the IDS window:
Figure 10 IDS Window: Intrusion Detection

Figure 11 IDS Window: Intrusion Protection
For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs on page 299.

Wired
The Wired window allows you to configure a wired network profile. See Wired Profiles on page 111 for more information. The following figure shows the Wired window:
Figure 12 Wired Window

Services
The Services window allows you to configure services such as AirGroup, RTLS, and OpenDNS. The Services window consists of the following tabs:
- AirGroup—Allows you to configure the AirGroup and AirGroup services. For more information, see AirGroup Configuration on page 255.
• RTLS — Allows you to integrate AirWave Management platform or third-party Real Time Location Server such as Aeroscout Real Time Location Server with Instant. For more information, see Configuring an IAP for RTLS Support on page 263.
  The RTLS tab also allows you to integrate IAP with the Analytics and Location Engine (ALE). For more information about configuring an IAP for ALE integration, see Configuring an IAP for Analytics and Location Engine Support on page 265.
• OpenDNS — Allows you to configure support for OpenDNS business solutions, which require an OpenDNS (www.opendns.com) account. The OpenDNS credentials are used by Instant and AirWave to filter content at the enterprise level. For more information, see Configuring OpenDNS Credentials on page 266.
• CALEA — Allows you to configure support for Communications Assistance for Law Enforcement Act (CALEA) server integration, thereby ensuring compliance with Lawful Intercept and CALEA specifications. For more information, see CALEA Integration and Lawful Intercept Compliance on page 270.
• Network Integration — Allows you to configure an IAP for integration with Palo Alto Networks (PAN) Firewall and XML API server. For more information about IAP integration with PAN, see Integrating an IAP with Palo Alto Networks Firewall on page 267 and Integrating an IAP with an XML API interface on page 268.
The following figure shows the default view of the Services window:
Figure 13 Services Window: Default View

DHCP Server
The DHCP Servers window allows you to configure various DHCP modes. The following figure shows the contents of the DHCP Servers window:
Figure 14 DHCP Servers Window
For more information, see DHCP Configuration on page 201.

Support
The Support window consists of the following fields:
• Command — Allows you to select a support command for execution.
• Target — Displays a list of IAPs in the network.
• Run — Allows you to execute the selected command for a specific IAP or all IAPs and view logs.
• Auto Run — Allows you to configure a schedule for automatic execution of a support command for a specific IAP or all IAPs.
• Filter — Allows you to filter the contents of a command output.
• Clear — Clears the command output displayed after a command is executed.
• Save — Allows you to save the support command logs as an HTML or text file.
For more information on support commands, see Running Debug Commands from the UI on page 336. The following figure shows the Support window:
Figure 15 Support Window

Help
The Help link allows you to view a short description or definition of selected terms and fields in the UI windows or dialogs.
To activate the context-sensitive help:
1. Click the Help link at the top right corner of Instant main window.
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.

Logout
The Logout link allows you to log out of the Instant UI.

Monitoring
The Monitoring link displays the Monitoring pane for the Instant network. Use the down arrow located to the right side of these links to compress or expand the monitoring pane.
The monitoring pane consists of the following sections:
• Info
• RF Dashboard
• RF Trends
• Usage Trends
• Mobility Trail

Info
The Info section displays the configuration information of the Virtual Controller by default. On selecting the Network View tab, the monitoring pane displays configuration information of the selected network. Similarly in the Access Point or the Client view, this section displays the configuration information of the selected IAP or the client.

Table 8: Contents of the Info Section in the Instant Main Window

Name: Info section in Virtual Controller view
Description: The Info section in the Virtual Controller view displays the following information:
• Name — Displays the Virtual Controller name.
• Country Code — Displays the Country in which the Virtual Controller is operating.
• Virtual Controller IP address — Displays the IP address of the Virtual Controller.
• Management: Indicates if the IAP is managed locally or through AirWave or Aruba Central.
• Master — Displays the IP address of the Access Point acting as Virtual Controller.
• OpenDNS Status — Displays the OpenDNS status. If the OpenDNS status indicates Not Connected, ensure that the network connection is up and appropriate credentials are configured for OpenDNS.
• MAS integration — Displays the status of the MAS integration feature.
• Uplink type — Displays the type of uplink configured on the IAP, for example, Ethernet or 3G.
• Uplink status — Indicates the uplink status.
• Blacklisted clients — Displays the number of blacklisted clients.
• Internal RADIUS Users — Displays the number of internal RADIUS users.
• Internal Guest Users — Displays the number of internal guest users.
• Internal User Open Slots — Displays the available slots for user configuration as supported by the IAP model.

Name: Info section in Network view
Description: The Info section in the Network view displays the following information:
• Name — Displays the name of the network.
• Status — Displays the status of the network.
• Type — Displays the type of network, for example, Employee, Guest, or Voice.
• IP Assignment — Indicates if the IAP clients are assigned IP address from the network that the Virtual Controller is connected to, or from an internal auto-generated IP scope from the Virtual Controller.
• Access — Indicates the level of access control configured for the network.
• WMM DSCP — Displays WMM DSCP mapping details.
• Security level — Indicates the type of user authentication and data encryption configured for the network.
The info section for WLAN SSIDs also indicates status of Captive Portal and CALEA ACLs and provides a link to upload certificates for internal server. For more information, see Uploading Certificates on page 173.

Name: Info section in Access Point view
Description: The Info section in the Access Point view displays the following information:
• Name — Displays the name of the selected IAP.
• IP Address — Displays the IP address of the IAP.
• Mode — Displays the mode in which the AP is configured to operate:
  ◦ In Access mode, the IAP serves clients, while also monitoring for rogue APs in the background.
  ◦ In Monitor mode, the IAP acts as a dedicated monitor, scanning all channels for rogue APs and clients.
• Spectrum — Displays the status of the spectrum monitor.
• Clients — Number of clients associated with the IAP.
• Type — Displays the model number of the IAP.
• Zone — Displays AP zone details.
• CPU Utilization — Displays the CPU utilization in percentage.
• Memory Free — Displays the memory availability of the IAP in MB.
• Serial number — Displays the serial number of the IAP.
• MAC — Displays the MAC address.
• From Port — Displays the port from where the slave IAP is learned in hierarchy mode.

Name: Info section in Client view
Description: The Info section in the Client view displays the following information:
• Name — Displays the name of the client.
• IP Address — Displays IP address of the client.
• MAC Address — Displays MAC Address of the client.
• OS — Displays the Operating System that is running on the client.
• Network — Indicates the network to which the client is connected.
• Access Point — Indicates the IAP to which the client is connected.
• Channel — Indicates the channel that is currently used by the client.
• Type — Displays the channel type on which client is broadcasting.
• Role — Displays the role assigned to the client.
RF Dashboard
The RF Dashboard section lists the IAPs that exceed the utilization, noise, or error threshold. It also shows the clients with low speed or signal strength in the network and the RF information for the IAP to which the client is connected.
The IAP names are displayed as links. When an IAP is clicked, the IAP configuration information is displayed in the Info section and the RF Dashboard section is displayed at the bottom left corner of the Instant main window.
The following figure shows an example of the RF dashboard with Utilization, Band frames, Noise Floor, and Errors details:
Figure 16 RF Dashboard in the Monitoring Pane
The following table describes the icons available on the RF Dashboard pane:

Table 9: RF Dashboard Icons

Icon: 1
Name: Signal Icon
Description: Displays the signal strength of the client. Depending on the signal strength of the client, the color of the lines on the Signal bar changes from Green > Orange > Red.
• Green — Signal strength is more than 20 decibels.
• Orange — Signal strength is between 15-20 decibels.
• Red — Signal strength is less than 15 decibels.
To view the signal graph for a client, click on the signal icon next to the client in the Signal column.

Icon: 2
Name: Speed icon
Description: Displays the data transfer speed of the client. Depending on the data transfer speed of the client, the color of the Signal bar changes from Green > Orange > Red.
• Green — Data transfer speed is more than 50 percent of the maximum speed supported by the client.
• Orange — Data transfer speed is between 25-50 percent of the maximum speed supported by the client.
• Red — Data transfer speed is less than 25 percent of the maximum speed supported by the client.
To view the data transfer speed graph of a client, click on the speed icon against the client in the Speed column.

Icon: 3
Name: Utilization icon
Description: Displays the radio utilization rate of the IAPs. Depending on the percentage of utilization, the color of the lines on the Utilization icon changes from Green > Orange > Red.
• Green — Utilization is less than 50 percent.
• Orange — Utilization is between 50-75 percent.
• Red — Utilization is more than 75 percent.
To view the utilization graph of an IAP, click the Utilization icon next to the IAP in the Utilization column.

Icon: 4
Name: Noise icon
Description: Displays the noise floor details for the IAPs. Noise is measured in decibels/meter. Depending on the noise floor, the color of the lines on the Noise icon changes from Green > Orange > Red.
• Green — Noise floor is more than 87 dBm.
• Orange — Noise floor is between 80 dBm-87 dBm.
• Red — Noise floor is less than 80 dBm.
To view the noise floor graph of an IAP, click the noise icon next to the IAP in the Noise column.

Icon: 5
Name: Errors icon
Description: Displays the errors for the IAPs. Depending on the errors, color of the lines on the Errors icon changes from Green > Yellow > Red.
• Green — Errors are less than 5000 frames per second.
• Orange — Errors are between 5000-10000 frames per second.
• Red — Errors are more than 10000 frames per second.
To view the errors graph of an IAP, click the Errors icon next to the IAP in the Errors column.

RF Trends
The RF Trends section displays the following graphs for the selected AP and the client. To view the details on the graphs, click the graphs and hover the mouse on a data point:
Figure 17 RF Trends for Access Point
Figure 18 RF Trends for Clients

Usage Trends
The Usage Trends displays the following graphs:
• Clients — In the default view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes. In Network or Access Points view, this graph displays the number of clients that were associated with the selected network or IAP in the last 15 minutes.
• Throughput — In the default view, the Throughput graph displays the incoming and outgoing throughput traffic for the Virtual Controller in the last 15 minutes. In the Network or Access Points view, this graph displays the incoming and outgoing throughput traffic for the selected network or IAP in the last 15 minutes.
Figure 19 Usage Trends Graphs in the Default View

The following table describes the graphs displayed in the Network view:

Table 10: Network View — Graphs and Monitoring Procedures

Graph name: Clients
Description: The Clients graph shows the number of clients associated with the network for the last 15 minutes.
To see an enlarged view, click the graph.
• The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the Virtual Controller for the last 15 minutes.
• To see the exact number of clients in the Instant network at a particular time, move the cursor over the graph line.
Monitoring procedure: To check the number of clients associated with the network for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view appears. This is the default view.
2. In the Networks tab, click the network for which you want to check the client association. The Network view is displayed.
3. Study the Clients graph in the Usage Trends pane. For example, the graph shows that one client is associated with the selected network at 12:00 hours.

Graph name: Throughput
Description: The Throughput graph shows the throughput of the selected network for the last 15 minutes.
• Outgoing traffic — Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
• Incoming traffic — Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line.
To see an enlarged view, click the graph.
• The enlarged view provides Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the network for the last 15 minutes.
To see the exact throughput of the selected network at a particular time, move the cursor over the graph line.
Monitoring procedure: To check the throughput of the selected network for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Networks tab, click the network for which you want to check the client association. The Network view is displayed.
3. Study the Throughput graph in the Usage Trends pane. For example, the graph shows 22.0 Kbps incoming traffic throughput for the selected network at 12:03 hours.
The following table describes the graphs displayed in the Access Point view:

Table 11: Access Point View — Usage Trends and Monitoring Procedures

Graph name: Neighboring APs
Description: The Neighboring APs graph shows the number of APs heard by the selected IAP:
• Valid APs: An AP that is part of the enterprise providing WLAN service.
• Interfering APs: An AP that is seen in the RF environment but is not connected to the network.
• Rogue APs: An unauthorized AP that is plugged into the wired side of the network.
To see the number of different types of neighboring APs for the last 15 minutes, move the cursor over the respective graph lines.
Monitoring procedure: To check the neighboring APs detected by the IAP for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client association. The IAP view is displayed.
3. Study the Neighboring APs graph in the Overview section. For example, the graph shows that 148 interfering APs are detected by the IAP at 12:04 hours.

Graph name: CPU Utilization
Description: The CPU Utilization graph displays the utilization of CPU for the selected IAP.
To see the CPU utilization of the IAP, move the cursor over the graph line.
Monitoring procedure: To check the CPU utilization of the IAP for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client association. The IAP view is displayed.
3. Study the CPU Utilization graph in the Overview pane. For example, the graph shows that the CPU utilization of the IAP is 30% at 12:09 hours.

Graph name: Neighboring Clients
Description: The Neighboring Clients graph shows the number of clients not connected to the selected AP, but heard by it.
• Any client that successfully authenticates with a valid AP and passes encrypted traffic is classified as a valid client.
• Interfering: A client associated to any AP and is not valid is classified as an interfering client.
To see the number of different types of neighboring clients for the last 15 minutes, move the cursor over the respective graph lines.
Monitoring procedure: To check the neighboring clients detected by the IAP for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client association. The IAP view is displayed.
3. Study the Neighboring Clients graph in the Overview pane. For example, the graph shows that 20 interfering clients were detected by the IAP at 12:15 hours.

Graph name: Memory free (MB)
Description: The memory free graph displays the memory availability of the IAP in MB.
To see the free memory of the IAP, move the cursor over the graph line.
Monitoring procedure: To check the free memory of the IAP for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client association. The IAP view is displayed.
3. Study the Memory free graph in the Overview pane. For example, the graph shows that the free memory of the IAP is 64 MB at 12:13 hours.

Graph name: Clients
Description: The Clients graph shows the number of clients associated with the selected IAP for the last 15 minutes.
To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the IAP for the last 15 minutes.
To see the exact number of clients associated with the selected IAP at a particular time, move the cursor over the graph line.
Monitoring procedure: To check the number of clients associated with the IAP for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the client association. The IAP view is displayed.
3. Study the Clients graph. For example, the graph shows that six clients are associated with the IAP at 12:11 hours.

Graph name: Throughput
Description: The Throughput graph shows the throughput for the selected IAP for the last 15 minutes.
• Outgoing traffic — Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
• Incoming traffic — Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line.
To see an enlarged view, click the graph.
• The enlarged view provides Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the IAP for the last 15 minutes.
To see the exact throughput of the selected IAP at a particular time, move the cursor over the graph line.
Monitoring procedure: To check the throughput of the selected IAP for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Access Points tab, click the IAP for which you want to monitor the throughput. The IAP view is displayed.
3. Study the Throughput graph. For example, the graph shows 44.03 Kbps incoming traffic throughput at 12:08 hours.
The following table describes the RF trends graphs available in the client view:

Table 12: Client View — RF Trends Graphs and Monitoring Procedures

Graph name: Signal
Description: The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels.
To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average signal statistics of the client for the last 15 minutes.
To see the exact signal strength at a particular time, move the cursor over the graph line.
Monitoring procedure: To monitor the signal strength of the selected client for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the signal strength. The client view is displayed.
3. Study the Signal graph in the RF Trends pane. For example, the graph shows that signal strength for the client is 54.0 dB at 12:23 hours.

Graph name: Frames
Description: The Frames Graph shows the In and Out frame rate per second of the client for the last 15 minutes. It also shows data for the Retry In and Retry Out frames.
• Outgoing frames — Outgoing frame traffic is displayed in green. It is shown above the median line.
• Incoming frames — Incoming frame traffic is displayed in blue. It is shown below the median line.
• Retry Out — Retries for the outgoing frames are displayed above the median line in black.
• Retry In — Retries for the incoming frames are displayed below the median line in red.
To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the In, Out, Retries In, and Retries Out frames.
To see the exact frames at a particular time move the cursor over the graph line.
Monitoring procedure: To monitor the In and Out frame rate per second and retry frames for the In and Out traffic, for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the frames. The client view is displayed.
3. Study the Frames graph in the RF Trends pane. For example, the graph shows 4.0 frames per second for the client at 12:27 hours.

Graph name: Speed
Description: The Speed graph shows the data transfer speed for the client. Data transfer is measured in Mbps.
To see an enlarged view, click the graph. The enlarged view shows Last, Minimum, Maximum, and Average statistics of the client for the last 15 minutes.
To see the exact speed at a particular time, move the cursor over the graph line.
Monitoring procedure: To monitor the speed for the client for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the speed. The client view is displayed.
3. Study the Speed graph in the RF Trends pane. For example, the graph shows that the data transfer speed at 12:26 hours is 240 Mbps.

Graph name: Throughput
Description: The Throughput Graph shows the throughput of the selected client for the last 15 minutes.
• Outgoing traffic — Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
• Incoming traffic — Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line.
To see an enlarged view, click the graph. The enlarged view shows Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the client for the last 15 minutes.
To see the exact throughput at a particular time, move the cursor over the graph line.
Monitoring procedure: To monitor the errors for the client for the last 15 minutes,
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
2. In the Clients tab, click the IP address of the client for which you want to monitor the throughput. The client view is displayed.
3. Study the Throughput graph in the RF Trends pane. For example, the graph shows 1.0 Kbps outgoing traffic throughput for the client at 12:30 hours.

Mobility Trail
The Mobility Trail section displays the following mobility trail information for the selected client:
• Association Time — The time at which the selected client was associated with a particular IAP.
  The Instant UI shows the client and IAP association over the last 15 minutes.
• Access Point — The IAP name with which the client was associated.
Mobility information about the client is reset each time it roams from one IAP to another.

Client Match
If client match is enabled, the Client Match link provides a graphical representation of radio map view of an AP and the client distribution on an AP radio.
On clicking an access point in the Access Points tab and the Client Match link, a stations map view is displayed and a graph is drawn with real-time data points for the AP radio. If the AP supports dual band, you can toggle between 2.4 GHz and 5 GHz links in the client match graph area to view the data. When you hover the mouse on the graph, details such as RSSI, client match status, and the client distribution on channels are displayed.
The following figure shows the client distribution details for an AP radio.
Figure 20 Client Distribution on AP Radio
On clicking a client in the Clients tab and the Client Match link, a graph is drawn with real-time data points for an AP radio map. When you hover the mouse on the graph, details such as RSSI, channel utilization details, and client count on each channel are displayed.
The following figure shows the client view heat map for an AP radio:
Figure 21 Channel Availability Map for Clients

AppRF
The AppRF link displays the application traffic summary for IAPs and client devices. The AppRF link in the activity panel is displayed only if AppRF visibility is enabled in the System window. For more information on application visibility and AppRF charts, see Application Visibility on page 242.

Spectrum
The spectrum link (in the Access Point view) displays the spectrum data that is collected by a hybrid AP or by an IAP that has enabled spectrum monitor. The spectrum data is not reported to the Virtual Controller.
The spectrum link displays the following:
• Device list - The device list display consists of a device summary table and channel information for active non Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio.
• Channel Utilization and Monitoring - This chart provides an overview of channel quality across the spectrum. It shows channel utilization information such as channel quality, availability, and utilization metrics as seen by a spectrum monitor for the 2.4 GHz and 5 GHz radio bands. The first bar for each channel represents the percentage of air time used by non Wi-Fi interference and Wi-Fi devices. The second bar indicates the channel quality. A higher percentage value indicates better quality.
• Channel Details - When you move your mouse over a channel, the channel details or the summary of the 5 GHz and 2.4 GHz channels as detected by a spectrum monitor are displayed. You can view the aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference and the Signal-to-Noise and Interference Ratio (SNIR). Spectrum monitors display spectrum analysis data seen on all channels in the selected band, and hybrid IAPs display data from the one channel they are monitoring.
For more information on spectrum monitoring, see Spectrum Monitor on page 312.

Alerts
Alerts are generated when a user encounters problems while accessing or connecting to a network. The alerts that are generated can be categorized as follows:
• 802.11 related association and authentication failure alerts
• 802.1X related mode and key mismatch, server, and client time-out failure alerts
• IP address related failures - Static IP address or DHCP related alerts.
The following figure shows the contents of details displayed on clicking the Alerts link:

Figure 22 Alerts Link
The Alerts link displays the following types of alerts:
• Client Alerts
• Active Faults
• Fault History

Table 13: Types of Alerts

Type of alert: Client Alerts
Description: The Client alerts occur when clients are connected to the Instant network.
Information displayed: A client alert displays the following fields:
• Timestamp — Displays the time at which the client alert was recorded.
• MAC address — Displays the MAC address of the client that caused the alert.
• Description — Provides a short description of the alert.
• Access Points — Displays the IP address of the IAP to which the client is connected.
• Details — Provides complete details of the alert.

Type of alert: Active Faults
Description: The Active Faults occur in the event of a system fault.
Information displayed: An Active Faults alert consists of the following fields:
• Time — Displays the system time when an event occurs.
• Number — Indicates the number of sequence.
• Description — Displays the event details.

Type of alert: Fault History
Description: The Fault History alerts occur in the event of a system fault.
Information displayed: The Fault History displays the following information:
• Time — Displays the system time when an event occurs.
• Number — Indicates the number of sequence.
• Cleared by — Displays the module which cleared this fault.
• Description — Displays the event details.

The following figures show the client alerts, fault history, and active faults:
Figure 23 Client Alerts
Figure 24 Fault History
Figure 25 Active Faults
The following table displays a list of alerts that are generated in the IAP network:

Table 14: Alerts list

Type code: 100101
Description: Internal error
Details: The IAP has encountered an internal error for this client.
Corrective actions: Contact the Aruba customer support team.

Type code: 100102
Description: Unknown SSID in association request
Details: The IAP cannot allow this client to associate, because the association request received contains an unknown SSID.
Corrective actions: Identify the client and check its Wi-Fi driver and manager software.

Type code: 100103
Description: Mismatched authentication/encryption setting
Details: The IAP cannot allow this client to associate, because its authentication or encryption settings do not match IAP's configuration.
Corrective actions: Ascertain the correct authentication or encryption settings and try to associate again.

Type code: 100104
Description: Unsupported 802.11 rate
Details: The IAP cannot allow this client to associate because it does not support the 802.11 rate requested by this client.
Corrective actions: Check the configuration on the IAP to see if the desired rate can be supported; if not, consider replacing the IAP with another model that can support the rate.

Type code: 100105
Description: Maximum capacity reached on IAP
Details: The IAP has reached maximum capacity and cannot accommodate any more clients.
Corrective actions: Consider expanding capacity by installing additional IAPs or balance load by relocating IAPs.

Type code: 100206
Description: Invalid MAC Address
Details: The IAP cannot authenticate this client because the client's MAC address is not valid.
Corrective actions: This condition may be indicative of a misbehaving client. Try to locate the client device and check its hardware and software.

Type code: 100307
Description: Client blocked due to repeated authentication failures
Details: The IAP is temporarily blocking the 802.1X authentication request from this client, because the credentials provided are rejected by the RADIUS server too many times.
Corrective actions: Identify the client and check its 802.1X credentials.

Type code: 100308
Description: RADIUS server connection failure
Details: The IAP cannot authenticate this client using 802.1X, because the RADIUS server did not respond to the authentication request.
Corrective actions: If the IAP is using the internal RADIUS server, Aruba recommends checking the related configuration as well as the installed certificate and passphrase. If the IAP is using an external RADIUS server, check if there are any issues with the RADIUS server and try connecting again.

Type code: 100309
Description: RADIUS server authentication failure
Details: The IAP cannot authenticate this client using 802.1X, because the RADIUS server rejected the authentication credentials (password and so on) provided by the client.
Corrective actions: Ascertain the correct authentication credentials and log in again.

Type code: 100410
Description: Integrity check failure in encrypted message
Details: The IAP cannot receive data from this client, because the integrity check of the received message (MIC) has failed.
Corrective actions: Check the encryption setting on the client and on the IAP.

Type code: 100511
Description: DHCP request timed out
Details: This client did not receive a response to its DHCP request in time.
Corrective actions: Check the status of the DHCP server in the network.
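
The type codes in Table 14 lend themselves to automated triage. The following is an added example, not code from the Aruba guide: it groups client alerts by client and by IAP to separate a single misbehaving client from a server-side fault. The `timestamp|client MAC|type code|IAP IP` record layout, the five-minute window, the threshold of three, and all function names are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Type codes and descriptions copied from Table 14 of the guide.
ALERT_TYPES = {
    100101: "Internal error",
    100102: "Unknown SSID in association request",
    100103: "Mismatched authentication/encryption setting",
    100104: "Unsupported 802.11 rate",
    100105: "Maximum capacity reached on IAP",
    100206: "Invalid MAC Address",
    100307: "Client blocked due to repeated authentication failures",
    100308: "RADIUS server connection failure",
    100309: "RADIUS server authentication failure",
    100410: "Integrity check failure in encrypted message",
    100511: "DHCP request timed out",
}
# When many clients on one IAP report these, suspect the server, not the clients.
SERVER_SIDE = {100308, 100511}

# Constructed sample records in the assumed layout (not real device output).
SAMPLE = [
    "2014-06-05 12:00:01|02:00:00:00:00:01|100309|192.0.2.2",
    "2014-06-05 12:00:40|02:00:00:00:00:01|100309|192.0.2.2",
    "2014-06-05 12:01:15|02:00:00:00:00:01|100309|192.0.2.2",
    "2014-06-05 12:01:16|02:00:00:00:00:01|100307|192.0.2.2",
    "2014-06-05 12:02:00|02:00:00:00:00:0a|100511|192.0.2.3",
    "2014-06-05 12:02:05|02:00:00:00:00:0b|100511|192.0.2.3",
    "2014-06-05 12:02:09|02:00:00:00:00:0c|100511|192.0.2.3",
    "2014-06-05 12:10:00|02:00:00:00:00:04|100309|192.0.2.3",
    "2014-06-05 12:40:00|02:00:00:00:00:04|100309|192.0.2.3",
]

def parse_alert(line):
    """Parse one 'timestamp|client MAC|type code|IAP IP' record (assumed layout)."""
    ts, mac, code, ap = (field.strip() for field in line.split("|"))
    code = int(code)
    if code not in ALERT_TYPES:
        raise ValueError(f"type code {code} is not in Table 14")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), mac.lower(), code, ap

def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(lines, window=timedelta(minutes=5), threshold=3):
    """Return sorted (subject, finding) pairs; subject is a client MAC or an IAP IP."""
    per_client = defaultdict(lambda: defaultdict(list))  # mac -> code -> timestamps
    per_ap = defaultdict(lambda: defaultdict(set))       # IAP -> code -> client MACs
    for line in lines:
        ts, mac, code, ap = parse_alert(line)
        per_client[mac][code].append(ts)
        per_ap[ap][code].add(mac)

    findings = set()
    for mac, codes in per_client.items():
        if 100307 in codes:
            # The IAP has already blocked this client; check its 802.1X credentials.
            findings.add((mac, "blocked after repeated 802.1X failures"))
        elif max_in_window(codes.get(100309, []), window) >= threshold:
            findings.add((mac, "repeated RADIUS rejections"))
        if max_in_window(codes.get(100410, []), window) >= threshold:
            findings.add((mac, "repeated MIC failures"))
        if 100206 in codes:
            findings.add((mac, "invalid MAC address"))
    for ap, codes in per_ap.items():
        for code in SERVER_SIDE:
            clients = codes.get(code, ())
            if len(clients) >= threshold:
                findings.add((ap, f"{ALERT_TYPES[code]} seen by {len(clients)} clients"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in triage(SAMPLE):
        print(subject, "-", finding)
```

Two isolated RADIUS rejections 30 minutes apart (the last two sample records) stay below the threshold and are not reported.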

IDS
The IDS link displays a list of foreign APs and foreign clients that are detected in the network. It consists of the following sections:
• Foreign Access Points Detected — Lists the APs that are not controlled by the Virtual Controller. The following information is displayed for each foreign AP:
  ◦ MAC address — Displays the MAC address of the foreign AP.
  ◦ Network — Displays the name of the network to which the foreign AP is connected.
  ◦ Classification — Displays the classification of the foreign AP, for example, Interfering IAP or Rogue IAP.
  ◦ Channel — Displays the channel in which the foreign AP is operating.
  ◦ Type — Displays the Wi-Fi type of the foreign AP.
  ◦ Last seen — Displays the time when the foreign AP was last detected in the network.
  ◦ Where — Provides information about the IAP that detected the foreign AP. Click the pushpin icon to view the information.
• Foreign Clients Detected — Lists the clients that are not controlled by the Virtual Controller. The following information is displayed for each foreign client:
  ◦ MAC address — Displays the MAC address of the foreign client.
  ◦ Network — Displays the name of the network to which the foreign client is connected.
  ◦ Classification — Displays the classification of the foreign client: Interfering client.
  ◦ Channel — Displays the channel in which the foreign client is operating.
  ◦ Type — Displays the Wi-Fi type of the foreign client.
  ◦ Last seen — Displays the time when the foreign client was last detected in the network.
  ◦ Where — Provides information about the IAP that detected the foreign client. Click the pushpin icon to view the information.
The following figure shows an example for the intrusion detection log.

Figure 26 Intrusion Detection
For more information on the intrusion detection feature, see Intrusion Detection on page 299.

AirGroup
This AirGroup link provides an overall view of your AirGroup configuration. Click each field to view or edit the settings.
• MAC — Displays the MAC address of the AirGroup servers.
• IP — Displays the IP address of the AirGroup servers.
• Host Name — Displays the machine name or hostname of the AirGroup servers.
• Service — Displays the type of the services such as AirPlay or AirPrint.
• VLAN — Displays VLAN details of the AirGroup servers.
• Wired/Wireless — Displays if the AirGroup server is connected via wired or wireless interface.
• Role — Displays the user role if the server is connected through 802.1X authentication. If the server is connected through PSK or open authentication, this field is blank.
• Group — Displays the group.
• CPPM — By clicking on this, you get details of the registered rules in ClearPass Policy Manager (CPPM) for this server.
• MDNS Cache — By clicking on this, you receive MDNS record details of a particular server.
The following figure shows the AirGroup server details available on clicking the AirGroup link:
Figure 27 AirGroup Link

Configuration
The Configuration link provides an overall view of your Virtual Controller, Access Points, and WLAN SSID configuration. The following figure shows the Virtual Controller configuration details displayed on clicking the Configuration link.
Figure 28 Configuration Link
AirWave Setup
AirWave is a solution for managing rapidly changing wireless networks. When enabled, AirWave allows you to manage the Instant network. For more information on AirWave, see Managing an IAP from AirWave on page 275.
The AirWave status is displayed at the bottom of the Instant main window. If the AirWave status is Not Set Up, click the Set Up Now link to configure AirWave. The System window is displayed with Admin tab selected.
Aruba Central
The Instant UI provides a link to launch a support portal for Aruba Central. You can use Central's evaluation accounts through this website and get registered for a free account. You must fill in the registration form available on this page. After you complete this process, an activation link will be sent to your registered ID to get started.
Pause/Resume
The Pause/Resume link is located at the bottom right corner of the Instant main window.
Click the Pause link to pause the automatic refreshing of the Instant UI. The Instant UI is automatically refreshed every 15 seconds by default. When the automatic refreshing is paused, the Pause link changes to Resume. Click the Resume link to resume automatic refreshing.
Automatic refreshing allows you to get the latest information about the network and network elements. You can use the Pause link when you want to analyze or monitor the network or a network element, and therefore do not want the user interface to refresh.
Views
Depending on the link or tab that is clicked, the Instant displays information about the Virtual Controller, Wi-Fi networks, IAPs, or the clients in the Info section. The views on the Instant main window are classified as follows:
• Virtual Controller view—The Virtual Controller view is the default view. This view allows you to monitor the Instant network. The following Instant UI elements are available in this view:
  ▪ Tabs—Networks, Access Points, and Clients. For detailed information about the tabs, see Tabs on page 44.
  ▪ Links—Monitoring, Client Alerts, and IDS. The Spectrum link is visible if you have configured the IAP as a spectrum monitor. These links allow you to monitor the Instant network. For more information about these links, see Monitoring on page 56, IDS on page 70, Alerts on page 66, and Spectrum Monitor on page 312.
• Network view—The Network view provides information that is necessary to monitor a selected wireless network. All Wi-Fi networks in the Instant network are listed in the Networks tab. Click the name of the network that you want to monitor. Network view for the selected network is displayed.
• Instant Access Point view—The Instant Access Point view provides information that is necessary to monitor a selected IAP. All IAPs in the Instant network are listed in the Access Points tab. Click the name of the IAP that you want to monitor. Access Point view for that IAP is displayed.
• Client view—The Client view provides information that is necessary to monitor a selected client. In the Client view, all the clients in the Instant network are listed in the Clients tab. Click the IP address of the client that you want to monitor. Client view for that client is displayed.
For more information on the graphs and the views, see Monitoring on page 56.

Chapter 5
Initial Configuration Tasks
This chapter describes the general configuration tasks to perform when an IAP is set up.
• Basic Configuration Tasks on page 73
• Additional Configuration Tasks on page 77
Basic Configuration Tasks
This section describes the following basic configuration tasks that can be performed in the System > General tab after an IAP is set up:
• Modifying the IAP Name on page 73
• Updating Location Details of an IAP on page 74
• Configuring Virtual Controller IP Address on page 75
• Configuring Timezone on page 75
• Configuring a Preferred Band on page 74
• Configuring an NTP Server on page 75
• Enabling AppRF Visibility on page 76
The following figure shows an example for the basic configuration settings under the System > General tab:
For information on Mobility Access Switch integration and Dynamic RADIUS proxy configuration, see Mobility Access Switch Integration on page 355 and Configuring Authentication Servers on page 157 respectively.
Modifying the IAP Name
You can change the name of an IAP by using the Instant UI or CLI.

In the Instant UI
1. Navigate to System > General.
2. Specify the name of IAP in the Name text box.
3. Click OK.
In the CLI
To change the name:
(Instant AP)# name <name>
Updating Location Details of an IAP
You can update the physical location details of an IAP by using the Instant UI or CLI. The system location details are used for retrieving information through the SNMP sysLocation MIB object.
In the Instant UI
To update location details:
1. Navigate to System > General.
2. Specify the location of an IAP in the System location text box.
3. Click OK.
In the CLI
To update location details of an IAP:
(Instant AP)(config)# syslocation <location-name>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring a Preferred Band
You can configure a preferred band for an IAP by using the Instant UI or the CLI.
In the Instant UI
1. Navigate to System > General.
2. Select 2.4 GHz, 5 GHz or All from the Preferred band drop-down list for single-radio access points.
3. Click OK.
Reboot the IAP after configuring the radio profile for the changes to take effect.
In the CLI
To configure a preferred band:
(Instant AP)(config)# rf-band <band>
(Instant AP)(config)# end
(Instant AP)# commit apply

Configuring Virtual Controller IP Address
You can specify a single static IP address that can be used to manage a multi-AP Instant network. This IP address is automatically provisioned on a shadow interface on the IAP that takes the role of a Virtual Controller. When an IAP becomes a Virtual Controller, it sends three Address Resolution Protocol (ARP) messages with the static IP address and its MAC address to update the network ARP cache.
You can configure the Virtual Controller name and IP address using the Instant UI or CLI.
In the Instant UI
1. Navigate to System > General.
2. Enter the IP address in Virtual Controller IP.
3. Click OK.
In the CLI
To configure the Virtual Controller Name and IP address:
(Instant AP)(config)# virtual-controller-ip <IP-address>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Timezone
You can configure the timezone in which the IAP must operate by using the Instant UI or the CLI.
In the Instant UI
To configure timezone:
1. Navigate to System > General.
2. Select a timezone from the Timezone drop-down list.
   You can enable daylight saving time (DST) on IAPs if the timezone you selected supports the daylight saving time. If the Time Zone selected does not support DST, the Daylight Saving Time option is not displayed. When enabled, the Daylight saving time ensures that the IAPs reflect the seasonal time changes in the region they serve.
3. To enable daylight saving time, select the Daylight Saving Time check box.
4. Click OK.
In the CLI
To configure timezone:
(Instant AP)(config)# clock timezone <name> <hour-offset> <minute-offset>
(Instant AP)(config)# clock summer-time <timezone> recurring <start-week> <start-day> <start-month> <start-hour> <end-week> <end-day> <end-month> <end-hour>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring an NTP Server
To facilitate communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
• Trace and track security gaps, network usage, and troubleshoot network issues.
• Validate certificates
• Map an event on one network element to a corresponding event on another.
• Maintain accurate time for billing services and similar.
The Network Time Protocol (NTP) helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the IAP clock to set the correct time. If NTP server is not configured in the IAP network, an IAP reboot may lead to variation in time data.
By default, the IAP tries to connect to pool.ntp.org to synchronize time. A different NTP server can be configured either from the UI or from management platforms such as Central. It can also be provisioned through the DHCP option 42. If the NTP server is configured, it takes precedence over the DHCP option 42 provisioned value. The NTP server provisioned through the DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42.
Reboot the AP to apply the NTP server configuration.
You can configure an NTP server by using the Instant UI or the CLI.
In the Instant UI
To configure an NTP server:
1. Navigate to System > General.
2. Enter the IP address or the URL (domain name) of the NTP server in the NTP Server text box.
3. Click OK.
4. Reboot the IAP.
In the CLI
To configure an NTP server:
(Instant AP)(config)# ntp-server <name>
(Instant AP)(config)# end
(Instant AP)# commit apply
To check the NTP status and association, run the show clock and show process commands.
Enabling AppRF Visibility
If your IAP supports the AppRF feature, you can enable AppRF visibility to view the AppRF statistics for an IAP or the clients associated with an IAP. For more information on the procedure for enabling AppRF visualization, see Enabling Application Visibility on page 241.
Changing Password
You can update your password details by using the Instant UI or the CLI.
In the Instant UI
1. Navigate to System > Admin.
2. Under Local, provide a new password that you would like the admin users to use.
3. Click OK.
In the CLI
To change password for the admin user:
(Instant AP)(config)# mgmt-user <username> [password]
(Instant AP)(config)# end
(Instant AP)# commit apply

Additional Configuration Tasks
This section describes the following additional tasks that can be performed after an IAP is set up:
• Configuring Virtual Controller VLAN on page 77
• Configuring Auto Join Mode on page 78
• Configuring Terminal Access on page 79
• Configuring Console Access on page 79
• Configuring LED Display on page 80
• Configuring Additional WLAN SSIDs on page 80
• Preventing Inter-user Bridging on page 81
• Preventing Local Routing between Clients on page 81
• Enabling Dynamic CPU Management on page 82
The following figure shows the additional configuration options available under the System > General tab:
Configuring Virtual Controller VLAN
The IP configured for the Virtual Controller can be in the same subnet as IAP or can be in a different subnet. Ensure that you configure the Virtual Controller VLAN, gateway, and subnet mask details only if the Virtual Controller IP is in a different subnet.
You can configure the Virtual Controller VLAN by using Instant UI or CLI.
In the Instant UI
1. Navigate to System > General > Show advanced options. The advanced options are displayed.
2. Enter subnet mask details in Virtual Controller Netmask.
3. Enter a gateway address in Virtual Controller Gateway.
4. Enter Virtual Controller VLAN in Virtual Controller VLAN.
   Ensure that Virtual Controller VLAN is not the same as native VLAN of the IAP.
5. Click OK.
In the CLI
To configure the Virtual Controller Name and IP address:
(Instant AP)(config)# virtual-controller-vlan <vcvlan> <vcmask> <vcgw>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Auto Join Mode
The auto join mode feature allows IAPs to automatically discover the Virtual Controller and join the network.
The Auto Join Mode feature is enabled by default. If the auto join mode feature is disabled, a New link is displayed in the Access Points tab. Click this link to add IAPs to the network. If this feature is disabled, the inactive IAPs are displayed in red as shown in the following figure:
Figure 29 Inactive IAPs
Enabling or Disabling Auto Join Mode
You can enable or disable auto join mode by using the Instant UI or CLI.
In the Instant UI
To enable or disable auto join mode:
1. Navigate to System > General > Show advanced options.
2. Select Disabled or Enabled from the Auto join mode drop-down list to deny or allow APs to join the network.
3. Click OK.
In the CLI
To disable auto join mode:
(Instant AP)(config)# no allow-new-aps
(Instant AP)(config)# end
(Instant AP)# commit apply
To enable auto join mode:
(Instant AP)(config)# allow-new-aps
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Terminal Access
When terminal access is enabled, you can access the Instant CLI through SSH or Telnet server. The terminal access is enabled by default.
You can enable or disable terminal access to an IAP by using the Instant UI or CLI.
In the Instant UI
1. Navigate to System > General > Show advanced options.
2. Select Disabled or Enabled from the Terminal access drop-down list.
3. To enable Telnet server based access, select Enabled from the Telnet server drop-down list.
4. Click OK.
In the CLI
To enable terminal access:
(Instant AP)(config)# terminal-access
(Instant AP)(config)# end
(Instant AP)# commit apply
To enable access to the Instant CLI through Telnet:
(Instant AP)(config)# telnet-server
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Console Access
You can access an IAP console through a serial port to configure or debug system errors. You can enable or disable console access to an IAP through the Instant UI or CLI.
In the Instant UI
1. Navigate to System > General > Show advanced options.
2. Select Disabled or Enabled from the Console access drop-down list. By default, the console access is enabled. When disabled, the IAP console cannot be accessed through the serial port.
3. Click OK.
In the CLI
To enable console access:
(Instant AP)(config)# console
(Instant AP)(console)# enable
(Instant AP)(console)# end
(Instant AP)# commit apply
To disable console access:
(Instant AP)(config)# console
(Instant AP)(console)# disable
(Instant AP)(console)# end
(Instant AP)# commit apply
To view the console settings:
(Instant AP)# show console-settings
Configuring LED Display
The LED display is always in the Enabled mode during an IAP reboot.
You can enable or disable LED Display for an IAP using the Instant UI or CLI.
In the Instant UI
To enable or disable LED display for all IAPs in a cluster, perform the following steps:
1. Navigate to System > General > Show advanced options.
2. From the LED Display drop-down list, select Enabled to enable LED display or Disabled to turn off the LED display.
3. Click OK.
In the CLI
To enable LED display:
(Instant AP)(config)# led-off
(Instant AP)(config)# end
(Instant AP)# commit apply
To disable LED display:
(Instant AP)(config)# no led-off
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Additional WLAN SSIDs
The number of SSIDs allowed on each IAP depends on the IAP platform. The following table describes the number of SSIDs supported on each platform:
IAP Platform | No. of SSIDs supported with Extended SSID disabled | No. of SSIDs supported with Extended SSID enabled
IAP-175P/175AC, IAP-104/105, and RAP-108/109 | 6 | 8
All other IAPs (excluding IAP-175P/175AC, IAP-104/105, and RAP-108/109) | 14 | 16
Enabling the Extended SSID
Extended SSID is enabled by default in the factory default settings of APs. This disables mesh in the factory default settings.
You can configure additional SSIDs by using the Instant UI or CLI.
In the Instant UI
1. Navigate to System > General > Show advanced options link.
2. In the General tab, select Enabled from the Extended SSID drop-down list.
3. Click OK.
4. Reboot the IAP to apply the changes. After you enable the option and reboot the IAP, the Wi-Fi and mesh links are disabled automatically.
In the CLI
To enable the extended SSIDs:
(Instant AP)(config)# extended-ssid
(Instant AP)(config)# end
(Instant AP)# commit apply
Preventing Inter-user Bridging
If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can connect to the Internet but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.
You can disable inter-user bridging through the Instant UI or CLI.
In the Instant UI
To prevent inter-user bridging:
1. Navigate to System > General > Show advanced options.
2. From the Deny inter user bridging drop-down list, select Enabled to prevent traffic between two clients connected to an IAP on the same VLANs.
3. Click OK.
In the CLI
To deny inter-user bridging:
(Instant AP)(config)# deny-inter-user-bridging
(Instant AP)(config)# end
(Instant AP)# commit apply
To deny inter-user bridging for the WLAN SSID clients:
(Instant AP)(config)# wlan ssid-profile <ssid-profile>
(Instant AP)(SSID Profile <ssid-profile>)# deny-inter-user-bridging
(Instant AP)(SSID Profile <ssid-profile>)# end
(Instant AP)# commit apply
Preventing Local Routing between Clients
If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same IAP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision.
You can disable local routing through the Instant UI or CLI.
In the Instant UI
To disable local routing:
1. Navigate to System > General > Show advanced options.
2. From the Deny local routing drop-down list, select Enabled to prevent local routing traffic between two clients connected to an IAP on different VLANs.
3. Click OK.
In the CLI
To disable local routing:
(Instant AP)(config)# deny-local-routing
(Instant AP)(config)# end
(Instant AP)# commit apply
To deny local routing for the WLAN SSID clients:
(Instant AP)(config)# wlan ssid-profile <ssid-profile>
(Instant AP)(SSID Profile <ssid-profile>)# deny-local-routing
(Instant AP)(SSID Profile <ssid-profile>)# end
(Instant AP)# commit apply
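The access and client-isolation settings covered in this chapter (Telnet server, auto join mode, NTP server, deny inter-user bridging, deny local routing) can be reviewed together in a saved configuration. The following Python script is an added example, not part of the Aruba guide or Aruba's tooling. It assumes a configuration dump that lists each enabled setting with the same keyword as its CLI command and indents SSID profile settings under their wlan ssid-profile line; the sample configuration is constructed.

```python
"""Audit an Instant-style configuration dump for the access and isolation
settings described in this chapter.

Assumptions (not from the guide): the dump lists each enabled setting with the
same keyword as its CLI command, SSID profile settings are indented under
their "wlan ssid-profile <name>" line, and a global deny-* setting covers
every SSID profile.
"""

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
name Branch-Office
terminal-access
telnet-server
allow-new-aps
wlan ssid-profile corp
 deny-inter-user-bridging
 deny-local-routing
wlan ssid-profile lobby
 deny-local-routing
"""

# Client-isolation keywords that can be set globally or per SSID profile.
ISOLATION = ("deny-inter-user-bridging", "deny-local-routing")


def parse_config(text):
    """Return (global_settings, ssid_profiles).

    global_settings maps keyword -> argument string ('' when there is none).
    ssid_profiles maps profile name -> set of keywords enabled in the profile.
    """
    global_settings = {}
    ssid_profiles = {}
    current = None  # name of the SSID profile block being read, if any
    for raw in text.splitlines():
        if not raw.strip():
            continue
        keyword, _, arg = raw.strip().partition(" ")
        arg = arg.strip()
        if raw[0].isspace():
            # Indented sub-command: only SSID profile blocks are tracked.
            if current is not None:
                if keyword == "no":
                    ssid_profiles[current].discard(arg.split(" ")[0])
                else:
                    ssid_profiles[current].add(keyword)
            continue
        current = None
        if keyword == "wlan" and arg.startswith("ssid-profile "):
            current = arg[len("ssid-profile "):].strip()
            ssid_profiles.setdefault(current, set())
        elif keyword == "no":
            # "no <setting>" turns a previously listed setting off.
            global_settings.pop(arg.split(" ")[0], None)
        else:
            global_settings[keyword] = arg
    return global_settings, ssid_profiles


def audit(text):
    """Return a list of (setting, scope, message) findings."""
    settings, profiles = parse_config(text)
    findings = []
    if "telnet-server" in settings:
        findings.append(("telnet-server", "global",
                         "CLI is reachable over Telnet, which is unencrypted"))
    if "allow-new-aps" in settings:
        findings.append(("allow-new-aps", "global",
                         "auto join mode is on: IAPs join without being added by MAC address"))
    if "ntp-server" not in settings:
        findings.append(("ntp-server", "global",
                         "no NTP server set: time comes from DHCP option 42 or pool.ntp.org"))
    for keyword in ISOLATION:
        if keyword in settings:
            continue  # denied globally (assumed to cover every profile)
        for name in sorted(profiles):
            if keyword not in profiles[name]:
                findings.append((keyword, name,
                                 "clients on this SSID are not isolated by this setting"))
    return findings


if __name__ == "__main__":
    for setting, scope, message in audit(SAMPLE_CONFIG):
        print(f"[{scope}] {setting}: {message}")
```

Whether a finding matters depends on the deployment: the guide ties the two deny settings to having security and traffic management policies on upstream devices.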
Enabling Dynamic CPU Management
IAPs perform various functions such as wireless client connectivity and traffic flows, wired client connectivity and traffic flows, wireless security, network management, and location tracking. Like with any network element, an IAP can be subject to heavy loads. In such a scenario, it is important to prioritize the platform resources across different functions. Typically, the IAPs manage resources automatically in real-time. However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified.
You can configure the dynamic CPU management feature by using the Instant UI or CLI.
In the Instant UI
To enable or disable the management plane protection:
1. Click System > General > Show Advanced Options.
2. Select any of the following options from the Dynamic CPU Management drop-down list.
   ▪ Automatic—When selected, the CPU management is enabled or disabled automatically during run-time. This decision is based on real-time load calculations taking into account all different functions that the CPU needs to perform. This is the default and recommended option.
   ▪ Always disabled on all APs—When selected, this setting manually disables CPU management on all APs, typically for small networks. This setting protects user experience.
   ▪ Always enabled on APs—When selected, the client and network management functions are protected. This setting helps in large networks with high client density.
3. Click OK.
In the CLI
(Instant AP)(config)# dynamic-cpu-mgmt {auto|enable|disable}

Chapter 6
Customizing IAP Settings
This chapter describes the procedures for configuring settings that are specific to an IAP in the cluster.
• Modifying the IAP Hostname on page 83
• Configuring Zone Settings on an IAP on page 83
• Specifying a Method for Obtaining IP Address on page 84
• Configuring External Antenna on page 85
• Configuring Radio Profiles for an IAP on page 86
• Configuring Uplink VLAN for an IAP on page 87
• Master Election and Virtual Controller on page 88
• Adding an IAP to the Network on page 90
• Removing an IAP from the Network on page 90
Modifying the IAP Hostname
You can change the hostname of an IAP through the Instant UI or CLI.
In the Instant UI
1. In the Access Points tab, click the IAP you want to rename. The edit link is displayed.
2. Click the edit link. The edit window for modifying IAP details is displayed.
3. Edit the IAP name in Name. You can specify a name of up to 32 ASCII characters.
4. Click OK.
In the CLI
To change the name:
(Instant AP)# hostname <name>
Configuring Zone Settings on an IAP
All APs in a cluster use the same SSID configuration including master and slave IAPs. However, if you want to assign an SSID to a specific IAP, you can configure zone settings for an IAP.
The following constraints apply to the AP zone configuration:
• An IAP can belong to only one zone and only one zone can be configured on an SSID.
• If an SSID belongs to a zone, all IAPs in this zone can broadcast this SSID. If no IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
• If an SSID does not belong to any zone, all IAPs can broadcast this SSID.
You can add an AP zone through the UI or CLI.
For the SSID to be assigned to an IAP, the same zone details must be configured on the SSID. For more information on SSID configuration, see Configuring WLAN Settings for an SSID Profile on page 92.

In the Instant UI
1. In the Access Points tab, click the IAP for which you want to set the zone. The edit link is displayed.
2. Click the edit link. The edit window for modifying IAP details is displayed.
3. Specify the AP zone in Zone.
4. Click OK.
In the CLI
To change the name:
(Instant AP)# zone <name>
Specifying a Method for Obtaining IP Address
You can either specify a static IP address or allow the IAP to obtain an IP address from the DHCP server. By default, the IAPs obtain IP address from the DHCP server. You can specify a static IP address for the IAP by using the Instant UI or CLI.
In the Instant UI
1. In the Access Points tab, click the IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying the IAP details is displayed.
Figure 30 Configuring IAP Settings
3. Select Specify statically option to specify a static IP address. The following fields are displayed:
   a. Enter the new IP address for the IAP in the IP address text box.
   b. Enter the subnet mask of the network in the Netmask text box.
   c. Enter the IP address of the default gateway in the Default gateway text box.
   d. Enter the IP address of the DNS server in the DNS server text box.
   e. Enter the domain name in the Domain name text box.
4. Click OK and reboot the IAP.
In the CLI
To configure a static IP address:
(Instant AP)# ip-address <IP-address> <subnet-mask> <NextHop-IP> <DNS-IP-address> <domain-name>
Configuring External Antenna
If your IAP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system’s Equivalent Isotropically Radiated Power (EIRP) is in compliance with the limit specified by the regulatory authority of the country in which the IAP is deployed. You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain. To know if your AP device supports external antenna connectors, see the Install Guide that is shipped along with the AP device.
EIRP and Antenna Gain
The following formula can be used to calculate the EIRP limit related RF power based on selected antennas (antenna gain) and feeder (Coaxial Cable loss):
EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)
The following table describes this formula:
Table 15: Formula Variable Definitions
Formula Element | Description
EIRP | Limit specific for each country of deployment
Tx RF Power | RF power measured at RF connector of the unit
GA | Antenna gain
FL | Feeder loss
Example
For example, the maximum gain that can be configured on an IAP-134 with AP-ANT-1F dual-band and omni-directional antenna is as follows:
Table 16: Maximum Antenna Gains
Frequency Band | Gain (dBi)
2.4-2.5 GHz | 2.0 dBi
4.9–5.875 GHz | 5.0 dBi
For information on antenna gain recommended by the manufacturer, see www.arubanetworks.com.
Configuring Antenna Gain
You can configure antenna gain for APs with external connectors using Instant UI or CLI.
In the Instant UI
1. Navigate to the Access Point tab, select the access point to configure and then click edit.
2. In the Edit Access Point window, select External Antenna to configure the antenna gain value. This option is available only for access points that support external antennas, for example, IAP-134.
3. Enter the antenna gain values in dBm for the 2.4 GHz and 5 GHz bands.
4. Click OK.
In the CLI
To configure external antenna for 5 GHz frequency:
(Instant AP)# a-external-antenna <dBi>
To configure external antenna for 2.4 GHz frequency:
(Instant AP)# g-external-antenna <dBi>
Configuring Radio Profiles for an IAP
You can configure a radio profile on an IAP either manually or by using the Adaptive Radio Management (ARM) feature.
Adaptive Radio Management (ARM) is enabled on Instant by default. It automatically assigns appropriate channel and power settings for the IAPs. For more information on ARM, see Adaptive Radio Management on page 232.
Configuring ARM Assigned Radio Profiles for an IAP
To enable ARM assigned radio profiles:
1. In the Access Points tab, click the IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying IAP details is displayed.
3. Click the Radio tab. The Radio tab details are displayed.
4. Ensure that an appropriate mode is selected.
5. Select the Adaptive radio management assigned option under the bands that are applicable to the IAP configuration.
6. Click OK.
Configuring Radio Profiles Manually for IAP
When radio settings are assigned manually by the administrator, the ARM is disabled.
To manually configure radio settings:
1. In the Access Points tab, click the AP for which you want to enable ARM. The edit link is displayed.
2. Click the edit link. The Edit Access Point window is displayed.
3. Click the Radio tab.
4. Ensure that an appropriate mode is selected.
   By default the channel and power for an AP are optimized dynamically using Adaptive Radio Management (ARM). You can override ARM on the 2.4 GHz and 5 GHz bands and set the channel and power manually if desired. The following table describes various configuration modes for an AP:

Table 17: IAP Radio Modes
Mode | Description
Access | In Access mode, the AP serves clients, while also monitoring for rogue APs in the background. If the Access mode is selected, perform the following actions: 1. Select Administrator assigned in 2.4 GHz and 5 GHz band sections. 2. Select appropriate channel number from the Channel drop-down list for both 2.4 GHz and 5 GHz band sections. 3. Enter appropriate transmit power value in the Transmit power text box in 2.4 GHz and 5 GHz band sections.
Monitor | In Monitor mode, the AP acts as a dedicated monitor, scanning all channels for rogue APs and clients. You can set one radio on the Monitor mode and the other radio on access mode, so that the clients can use one radio when the other one is in the Air Monitor mode.
Spectrum Monitor | In Spectrum Monitor mode, the AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring APs or from non-WiFi devices such as microwaves and cordless phones.
In the Spectrum Monitor mode, the APs do not provide access services to clients.
4. Click OK.
In the CLI
To configure a radio profile:
(Instant AP)# wifi0-mode {<access>|<monitor>|<spectrum-monitor>}
(Instant AP)# wifi1-mode {<access>|<monitor>|<spectrum-monitor>}
If the access mode is configured, you can configure the channel and transmission power by running the following commands:
(Instant AP)# a-channel <channel> <tx-power>
(Instant AP)# g-channel <channel> <tx-power>
Configuring Uplink VLAN for an IAP
Instant supports a management VLAN for the uplink traffic on an IAP. You can configure an uplink VLAN when an IAP needs to be managed from a non-native VLAN. After an IAP is provisioned with the uplink management VLAN, all management traffic sent from the IAP is tagged with the management VLAN.
Ensure that the native VLAN of the IAP and uplink are not the same.
You can configure the uplink management VLAN on an IAP by using the Instant UI or CLI.
In the Instant UI
To configure uplink management VLAN:
1. In the Access Points tab, click the IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying IAP details is displayed.
3. Click the Uplink tab.
4. Specify the VLAN in the Uplink Management VLAN field.
5. Click OK.
6. Reboot the IAP.
In the CLI
To configure uplink VLAN:
(Instant AP)# uplink-vlan <VLAN-ID>
To view the uplink VLAN status:
(Instant AP)# show uplink-vlan
Uplink Vlan Current:0
Uplink Vlan Provisioned:1
Master Election and Virtual Controller
Instant does not require an external mobility controller to regulate and manage the Wi-Fi network. Instead, one IAP in every network assumes the role of Virtual Controller. It coordinates, stores, and distributes the settings required to provide a centralized functionality to regulate and manage the Wi-Fi network. The Virtual Controller is the single point of configuration and firmware management. When configured, the Virtual Controller sets up and manages the VPN tunnel to a Mobility Controller in the data center.
The Virtual Controller also functions like any other AP with full RF scalability. It also acts as a node, coordinating DHCP address allocation for network address translated clients ensuring mobility of the clients when they roam between different IAPs.
Master Election Protocol
The Master Election Protocol enables the Instant network to dynamically elect an IAP to take on a Virtual Controller role and allow graceful failover to a new Virtual Controller when the existing Virtual Controller is not available. This protocol ensures stability of the network during initial startup or when the Virtual Controller goes down by allowing only one IAP to self-elect as a Virtual Controller.
Preference to an IAP with 3G/4G Card
The Master Election Protocol prefers the IAP with a 3G/4G card, when electing a Virtual Controller for the Instant network during the initial setup. The Virtual Controller is selected based on the following criteria:
• If there is more than one IAP with 3G/4G cards, one of these IAPs is dynamically elected as the Virtual Controller.
• When an IAP without 3G/4G card is elected as the Virtual Controller but is up for less than 5 minutes, another IAP with 3G/4G card in the network is elected as the Virtual Controller to replace it and the previous Virtual Controller reboots.
• When an IAP without 3G/4G card is already elected as the Virtual Controller and is up for more than 5 minutes, the Virtual Controller will not be replaced until it goes down.
IAP-135 is preferred over IAP-105 when a Virtual Controller is elected.

Preference to an IAP with Non-Default IP
The Master Election Protocol prefers an IAP with non-default IP, when electing a Virtual Controller for the Instant network during initial startup. If there is more than one IAP with non-default IPs in the network, all IAPs with default IP will automatically reboot and the DHCP process is used to assign new IP addresses.
Viewing Master Election Details
To verify the status of an IAP and master election details, use the following commands:
(Instant AP)# show election statistics
(Instant AP)# show summary support
Manual Provisioning of Master IAP
In most cases, the master election process automatically determines the best IAP that can perform the role of Virtual Controller, which will apply its image and configuration to all other IAPs in the same AP management VLAN. When the Virtual Controller goes down, a new Virtual Controller is elected.
Provisioning an IAP as a Master IAP
You can provision an IAP as a master IAP by using the Instant UI or CLI.
In the Instant UI
1. In the Access Points tab, click the IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying IAP details is displayed.
3. Select Enabled from Preferred master drop-down. This option is disabled by default.
Figure 31 IAP Settings—Provisioning Master IAP
4. Click OK.
In the CLI
To provision an IAP as a master IAP:
(Instant AP)# iap-master
To verify if the IAP is provisioned as master IAP:
(Instant AP)# show ap-env
Antenna Type:Internal
Iap_master:1
Adding an IAP to the Network
To add an IAP to the Instant network, assign an IP address. For more information, see Assigning an IP address to the IAP on page 34.
After an IAP is connected to the network, if the Auto Join Mode feature is enabled, the IAP inherits the configuration from the Virtual Controller and is listed in the Access Points tab.
If the Auto Join Mode is disabled, perform the following steps to add an IAP to the network:
1. In the Access Points tab, click the New link. The New Access Point window is displayed.
2. In the New Access Point window, enter the MAC address for the new IAP.
3. Click OK.
Removing an IAP from the Network
You can remove an IAP from the network only if the Auto Join Mode feature is disabled. To remove an IAP from the network:
1. In the Access Points tab, click the IAP to delete. The x icon is displayed against the IAP.
2. Click x to confirm the deletion.
The deleted IAPs cannot join the Instant network anymore and no longer are displayed in the Instant UI. However, the master IAP details cannot be deleted from the Virtual Controller database.

Chapter 7
VLAN Configuration
VLAN configuration is required for networks with more devices and broadcast traffic on a WLAN SSID or wired profile. Based on the network type and its requirements, you can configure the VLANs for a WLAN SSID or wired port profile.
For more information on VLAN configuration for a WLAN SSID and wired port profile, see Configuring VLAN Settings for a WLAN SSID Profile on page 96 and Configuring VLAN for a Wired Profile on page 113.
VLAN Pooling
In a single IAP cluster, a large number of clients can be assigned to the same VLAN. Using the same VLAN for multiple clients can lead to a high level of broadcasts in the same subnet. To manage the broadcast traffic, you can partition the network into different subnets and use L3-mobility between those subnets when clients roam. However, if a large number of clients need to be in the same subnet, you can configure VLAN pooling, in which each client is randomly assigned a VLAN from a pool of VLANs on the same SSID. Thus, VLAN pooling allows automatic partitioning of a single broadcast domain of clients into multiple VLANs.
Uplink VLAN Monitoring and Detection on Upstream Devices
If a client connects to an SSID or wired interface with a VLAN that is not allowed on the upstream device, the client will not be assigned an IP address and thus cannot connect to the Internet. When a client connects to an SSID or a wired interface with VLAN that is not allowed on the upstream device, the Instant UI now displays the following alert message:
Figure 32 Uplink VLAN Detection
To resolve this issue, ensure that there is no mismatch in the VLAN configuration.

Chapter 8
Wireless Network Profiles
This chapter provides the following information:
• Configuring Wireless Network Profiles on page 92
• Configuring Fast Roaming for Wireless Clients on page 105
• Editing Status of a WLAN SSID Profile on page 109
• Editing a WLAN SSID Profile on page 109
• Deleting a WLAN SSID Profile on page 110
Configuring Wireless Network Profiles
During startup, a wireless client searches for radio signals or beacon frames that originate from the nearest IAP. After locating the IAP, the following transactions take place between the client and the IAP:
1. Authentication—The IAP communicates with a RADIUS server to validate or authenticate the client.
2. Connection—After successful authentication, the client establishes a connection with the IAP.
Network Types
Instant wireless networks are categorized as:
• Employee network—An Employee network is a classic Wi-Fi network. This network type is used by the employees in an organization and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The employee network is selected by default during a network profile configuration.
• Voice network—This Voice network type allows you to configure a network profile for devices that provide only voice services such as handsets or applications that require voice traffic prioritization.
• Guest network—The Guest wireless network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The Virtual Controller assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an un-encrypted network. However, you can specify the encryption settings when configuring a guest network.
When a client is associated to the Voice network, all data traffic is marked and placed into the high priority queue in QoS (Quality of Service).
To configure a new wireless network profile, complete the following procedures:
1. Configuring WLAN Settings
2. Configuring VLAN Settings
3. Configuring Security Settings
4. Configuring Access Rules for a Network
Configuring WLAN Settings for an SSID Profile
You can configure WLAN settings using the Instant UI or CLI.

In the Instant UI
To configure WLAN settings:
1. In the Networks tab of the Instant main window, click the New link. The New WLAN window is displayed. The following figure shows the contents of the WLAN Settings tab:
Figure 33 WLAN Settings Tab
2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
3. Based on the type of network profile, select any of the following options under Primary usage:
• Employee
• Voice
• Guest
4. Click the Show advanced options link. The advanced options for configuration are displayed. Specify the following parameters as required.

Parameter | Description
Broadcast filtering | Select any of the following values:
• All—When set to All, the IAP drops all broadcast and multicast frames except DHCP and ARP.
• ARP—When set to ARP, the IAP converts ARP requests to unicast and sends frames directly to the associated client.
• Disabled—When set to Disabled, all broadcast and multicast traffic is forwarded.
DTIM interval | The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the IAP should deliver the buffered broadcast and multicast frames to associated clients in the power save mode. The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You can also configure a higher DTIM value for power saving.
Multicast transmission optimization | Select Enabled if you want the IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent at up to 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and 5.0 GHz is 6 Mbps. This option is disabled by default.
Dynamic multicast optimization | Select Enabled to allow IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.
DMO channel utilization threshold | Specify a value to set a threshold for DMO channel utilization. With DMO, the IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the IAP sends multicast traffic over the wireless link.
Transmit Rates | Specify the following parameters:
• 2.4 GHz—If the 2.4 GHz band is configured on the IAP, specify the minimum and maximum transmission rate. The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.
• 5 GHz—If the 5 GHz band is configured on the IAP, specify the minimum and maximum transmission rate. The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.
Zone | Specify the zone for the SSID. When the zone is defined in SSID profile and if the same zone is defined on an IAP, the SSID is created on that IAP. For more information on configuring zone details on an IAP, see Configuring Zone Settings on an IAP on page 83.
The following constraints apply to the zone configuration:
• An IAP can belong to only one zone and only one zone can be configured on an SSID.
• If an SSID belongs to a zone, all IAPs in this zone can broadcast this SSID. If no IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
• If an SSID does not belong to any zone, all IAPs can broadcast this SSID.
Bandwidth Limits | Under Bandwidth Limits:
• Airtime—Select this check box to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
• Each radio—Select this check box to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients.
• Downstream and Upstream—Specify the downstream and upstream rates within a range of 1 to 65535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user check box.
Wi-Fi Multimedia (WMM) traffic management | Configure the following options for WMM traffic management. WMM supports voice, video, best effort, and background access categories. To allocate bandwidth for the following types of traffic, specify a percentage value under Share. To configure DSCP mapping, specify a value under DSCP Mapping.
• Background WMM: For background traffic such as file downloads or print jobs.
• Best effort WMM—For best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS.
• Video WMM—For video traffic generated from video streaming.
• Voice WMM—For voice traffic generated from the incoming and outgoing voice communication.
For more information on WMM traffic and DSCP mapping, see Wi-Fi Multimedia Traffic Management on page 251.
Content filtering | Select Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network.
Band | Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.
Inactivity timeout | Specify an interval for session timeout in seconds, minutes or hours. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. You can specify a value within the range of 60-86400 seconds or up to 24 hours for a client session. The default value is 1000 seconds.
Hide SSID | Select this check box if you do not want the SSID (network name) to be visible to users.
Disable SSID | Select this check box if you want to disable the SSID. On selecting this, the SSID will be disabled, but will not be removed from the network. By default, all SSIDs are enabled.
Can be used without Uplink | Select the check box if you do not want the SSID profile to use uplink.
Max clients threshold | Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0 to 255. The default value is 64.
Local probe request threshold | Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests if required. You can specify a Received signal strength indication (RSSI) value within range of 0 to 100 dB.
Table 18: WLAN Configuration Parameters
5. Click Next to configure VLAN settings. For more information, see Configuring VLAN Settings for a WLAN SSID Profile on page 96.
In the CLI
To configure WLAN settings for an SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# essid <ESSID-name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# broadcast-filter <type>
(Instant AP)(SSID Profile <name>)# dtim-period <number-of-beacons>
(Instant AP)(SSID Profile <name>)# multicast-rate-optimization
(Instant AP)(SSID Profile <name>)# dynamic-multicast-optimization
(Instant AP)(SSID Profile <name>)# dmo-channel-utilization-threshold
(Instant AP)(SSID Profile <name>)# a-max-tx-rate <rate>
(Instant AP)(SSID Profile <name>)# a-min-tx-rate <rate>
(Instant AP)(SSID Profile <name>)# g-max-tx-rate <rate>
(Instant AP)(SSID Profile <name>)# g-min-tx-rate <rate>
(Instant AP)(SSID Profile <name>)# zone <zone>
(Instant AP)(SSID Profile <name>)# bandwidth-limit <limit>
(Instant AP)(SSID Profile <name>)# per-user-bandwidth-limit <limit>
(Instant AP)(SSID Profile <name>)# air-time-limit <limit>
(Instant AP)(SSID Profile <name>)# wmm-background-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-background-share <share>
(Instant AP)(SSID Profile <name>)# wmm-best-effort-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-best-effort-share <share>
(Instant AP)(SSID Profile <name>)# wmm-video-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-video-share <share>
(Instant AP)(SSID Profile <name>)# wmm-voice-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-voice-share <share>
(Instant AP)(SSID Profile <name>)# rf-band {<2.4>|<5.0>|<all>}
(Instant AP)(SSID Profile <name>)# content-filtering
(Instant AP)(SSID Profile <name>)# hide-ssid
(Instant AP)(SSID Profile <name>)# inactivity-timeout <interval>
(Instant AP)(SSID Profile <name>)# work-without-uplink
(Instant AP)(SSID Profile <name>)# local-probe-req-thresh <threshold>
(Instant AP)(SSID Profile <name>)# max-clients-threshold <number-of-clients>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Configuring VLAN Settings for a WLAN SSID Profile
If you are creating a new SSID profile, complete the WLAN Settings procedure before configuring VLAN. For more information, see Configuring WLAN Settings for an SSID Profile on page 92.
You can configure VLAN settings for an SSID profile using the Instant UI or CLI.
In the Instant UI
To configure VLAN settings for an SSID:
1. In the VLAN tab of the New WLAN window. The VLAN tab contents are displayed.
Figure 34 VLAN Tab
2. Select any of the following options for Client IP assignment:
• Virtual Controller assigned—On selecting this option, the client obtains the IP address from the Virtual Controller.
• Network assigned—On selecting this option, the IP address is obtained from the network.
3. Based on the type of client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table:
Client IP Assignment | Client VLAN Assignment
Virtual Controller assigned | If the Virtual Controller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network.
On selecting this option, the following client VLAN assignment options are displayed:
• Default: When selected, the default VLAN as determined by the Virtual Controller is assigned for clients.
• Custom: When selected, you can specify a custom VLAN assignment option. You can select an existing DHCP scope for client IP and VLAN assignment or you can create a new DHCP scope by selecting New. For more information on DHCP scopes, see Configuring DHCP Scopes on page 201.
Network assigned | If the Network assigned is selected, you can specify any of the following options for the Client VLAN assignment.
• Default—On selecting this option, the client obtains the IP address in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
• Static—On selecting this option, you need to specify a single VLAN, a comma separated list of VLANs, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
• Dynamic—On selecting this option, you can assign the VLANs dynamically from a Dynamic Host Configuration Protocol (DHCP) server. To create VLAN assignment rules, click New to assign the user to a VLAN. In the New VLAN Assignment Rule window, enter the following information:
  ▪ Attribute—Select an attribute returned by the RADIUS server during authentication.
  ▪ Operator—Select an operator for matching the string.
  ▪ String—Enter the string to match.
  ▪ VLAN—Enter the VLAN to be assigned.
Table 19: IP and VLAN Assignment for WLAN SSID Clients
4. Click Next to configure security settings for the employee network. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 98.
In the CLI
To manually assign VLANs for WLAN SSID users:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# vlan <vlan-ID>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To enforce DHCP-based VLAN assignment:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# enforce-dhcp
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To create a new VLAN assignment rule:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {{contains|ends-with|equals|matches-regular-expression|not-equals|starts-with} <operand> <vlan>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Configuring Security Settings for a WLAN SSID Profile
The following procedures are described in this section:
• Configuring Security Settings for an Employee or Voice Network on page 98
For information on guest network configuration, see Captive Portal for Guest Access.
If you are creating a new SSID profile, configure the WLAN and VLAN settings before defining security settings. For more information, see Configuring WLAN Settings for an SSID Profile on page 92 and Configuring VLAN Settings for a WLAN SSID Profile on page 96.
Configuring Security Settings for an Employee or Voice Network
You can configure security settings for an employee or voice network by using the Instant UI or CLI.
In the Instant UI
To configure security settings for an employee or voice network:
1. In the Security tab, specify any of the following types of security levels by moving the slider to a desired level:
• Enterprise—On selecting enterprise security level, the authentication options applicable to the enterprise network are displayed.
• Personal—On selecting personal security level, the authentication options applicable to the personalized network are displayed.
• Open—On selecting Open security level, the authentication options applicable to an open network are displayed.
The default security setting for a network profile is Personal.
The following figures show the configuration options for Enterprise, Personal, and Open security settings:
Figure 35 Security Tab: Enterprise
Figure 36 Security Tab: Personal
Figure 37 Security Tab: Open
2. Based on the security level specified, specify the following parameters:

Parameter | Description | Security Level Type
Key Management | For Enterprise security level, select any of the following options from the Key management drop-down list:
• WPA-2 Enterprise
• Both (WPA-2 & WPA)
• WPA Enterprise
• Dynamic WEP with 802.1X—If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, set Session Key for LEAP to Enabled. This is required for old printers that use dynamic WEP through Lightweight Extensible Authentication Protocol (LEAP) authentication. The Session Key for LEAP feature is Disabled by default.
For Personal security level, select an encryption key from the Key management drop-down list.
• For WPA-2 Personal, WPA Personal, and Both (WPA-2 & WPA) keys, specify the following parameters:
  1. Passphrase format: Select a passphrase format from the Passphrase format drop-down list. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
  2. Enter a passphrase in the Passphrase text box and reconfirm.
• For Static WEP, specify the following parameters:
  1. Select an appropriate value for WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit.
  2. Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4.
  3. Enter an appropriate WEP key and reconfirm.
Security level type: Applicable to Enterprise and Personal security levels only. For the Open security level, no encryption settings are required.
Termination | To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set Termination to Enabled.
Enabling Termination can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the IAP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the IAP acts as a relay for this exchange.
When Termination is enabled, the IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server. It can also reduce the number of exchange packets between the IAP and authentication server.
NOTE: Instant supports the configuration of primary and backup authentication servers in an EAP termination enabled SSID.
NOTE: If you are using LDAP for authentication, ensure that AP termination is configured to support EAP.
Security level type: Enterprise security level
Authentication server 1 and Authentication server 2 | Select any of the following options from the Authentication server 1 drop-down list:
• Select an authentication server from the list if external servers are already configured.
• Select New to configure any of the following servers as an external server:
  ▪ RADIUS Server
  ▪ LDAP Server
  ▪ CPPM Server for AirGroup CoA
For information on configuring external servers, see Configuring an External Server for Authentication on page 157.
• To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see Managing IAP Users on page 140.
If an external server is selected, you can also configure another authentication server.
Security level type: Enterprise, Personal, and Open security levels.
Load balancing | Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers on page 154.
Security level type: Enterprise, Personal, and Open security levels.
Reauth interval | Specify a value for Reauth interval. When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients.
Security level type: Enterprise, Personal, and Open security levels.
Blacklisting | To enable blacklisting of the clients with a specific number of authentication failures, select Enabled from the Blacklisting drop-down list and specify a value for Max authentication failures. The users who fail to authenticate the number of times specified in Max authentication failures field are dynamically blacklisted.
Security level type: Enterprise, Personal, and Open security levels.
Accounting | To enable accounting, select Enabled from the Accounting drop-down list. On setting this option to Enabled, APs post accounting information to the RADIUS server at the specified Accounting interval.
Security level type: Enterprise, Personal, and Open security levels.
Authentication survivability | To enable authentication survivability, set Authentication survivability to Enabled. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache must expire. When the cache expires, the clients are required to authenticate again. You can specify a value within range of 1 to 99 hours and the default value is 24 hours.
NOTE: The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later, and is available only when the New server option is selected authentication. On setting this parameter to Enabled, Instant authenticates the previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost. The Authentication survivability feature is not applicable when a RADIUS server is configured as an internal server.
Security level type: Enterprise security level
MAC authentication | To enable MAC address based authentication for Personal and Open security levels, set MAC authentication to Enabled.
For Enterprise security level, the following options are available:
• Perform MAC authentication before 802.1X—Select this check box to use 802.1X authentication only when the MAC authentication is successful.
• MAC authentication fail-thru—On selecting this check box, the 802.1X authentication is attempted when the MAC authentication fails.
Security level type: Enterprise, Personal, and Open security levels.
Delimiter character | Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP will use the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.
This option is available only when MAC authentication is enabled.
Security level type: Enterprise, Personal, and Open security levels.
Uppercase support | Set to Enabled to allow the IAP to use uppercase letters in MAC address string for MAC authentication.
This option is available only if MAC authentication is enabled.
Security level type: Enterprise, Personal, and Open security levels.
Upload Certificate | Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates on page 173.
Security level type: Enterprise, Personal, and Open security levels
Fast Roaming | You can configure the following fast roaming options for the WLAN SSID:
• Opportunistic Key Caching: When WPA-2 Enterprise and Both (WPA2-WPA) encryption types are selected and if 802.1x authentication method is configured, the Opportunistic Key Caching (OKC) is enabled by default. If OKC is enabled, a cached pairwise master key (PMK) is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1x authentication.
• 802.11r: Selecting this check box enables fast BSS transition. The Fast BSS Transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster.
• 802.11k: Selecting this check box enables 802.11k roaming on the SSID profile. The 802.11k protocol enables IAPs and clients to dynamically measure the available radio resources. When 802.11k is enabled, IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
• 802.11v: Selecting this check box enables 802.11v based BSS transition. 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam.
Security level type: Enterprise, Personal, and Open security levels.
NOTE: OKC roaming can be configured only for the Enterprise security level.
Table 20: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
4. Click Next to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 103.
In the CLI
To configure enterprise security settings for the employee and voice users of a WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa2-aes|wpa-psk-tkip,wpa2-psk-aes|dynamic-wep}
(Instant AP)(SSID Profile <name>)# leap-use-session-key
(Instant AP)(SSID Profile <name>)# termination
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# l2-auth-failthrough
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# no okc-disable
(Instant AP)(SSID Profile <name>)# dot11r
(Instant AP)(SSID Profile <name>)# dot11k
(Instant AP)(SSID Profile <name>)# dot11v
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure personal security settings for the employee and voice users of a WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-psk-aes|wpa-tkip|wpa-psk-tkip|wpa-psk-tkip,wpa2-psk-aes|static-wep}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure open security settings for employee and voice users of a WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode opensystem
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
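The opmode values in the CLI syntax above differ widely in strength, so a profile listing is worth checking mechanically. The script below is an added example, not part of the Aruba guide: it parses `wlan ssid-profile` blocks and flags WEP, TKIP, open and MAC-only profiles. It assumes the configuration is available as text with one command per indented line under each `wlan ssid-profile <name>` line; the sample profiles, severities and finding codes are constructed for illustration.

```python
"""Audit `wlan ssid-profile` blocks for weak security settings (added example)."""

# Constructed sample in the assumed listing shape: one command per indented
# line under "wlan ssid-profile <name>". Profile and server names are made up.
SAMPLE_CONFIG = """\
wlan ssid-profile corp
 type employee
 essid corp
 opmode wpa2-aes
 auth-server radius1
 blacklist
 max-authentication-failures 5
wlan ssid-profile printers
 type employee
 opmode dynamic-wep
 leap-use-session-key
 auth-server radius1
wlan ssid-profile legacy
 type voice
 opmode wpa-psk-tkip,wpa2-psk-aes
 okc-disable
 no okc-disable
wlan ssid-profile lobby
 type employee
 opmode opensystem
 mac-authentication
 hide-ssid
"""

# Only opmode values that appear in the CLI syntax on this page are listed.
WEAK_OPMODES = {
    "static-wep": ("HIGH", "WEP", "WEP encryption is cryptographically broken"),
    "dynamic-wep": ("HIGH", "WEP", "802.1X keying does not repair WEP encryption"),
    "opensystem": ("HIGH", "OPEN", "no encryption; client traffic is readable on the air"),
}


def parse_profiles(text):
    """Return {profile name: {command: argument string}} for each SSID profile."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("wlan ssid-profile "):
            name = line[len("wlan ssid-profile "):].strip().strip('"')
            current = profiles.setdefault(name, {})
        elif line[0].isspace() and current is not None:
            words = line.split()
            if words[0] == "no":  # e.g. "no okc-disable" switches a setting off
                if len(words) > 1:
                    current.pop(words[1], None)
                continue
            current[words[0]] = " ".join(words[1:])
        else:
            current = None  # any other top-level command ends the profile block
    return profiles


def audit_profile(name, settings):
    """Return (profile, severity, code, message) tuples for one parsed profile."""
    found = []
    modes = [m.strip() for m in settings.get("opmode", "").split(",") if m.strip()]
    if not modes:
        found.append((name, "INFO", "NO_OPMODE", "no opmode line in this listing"))
    for mode in modes:
        if mode in WEAK_OPMODES:
            severity, code, why = WEAK_OPMODES[mode]
            found.append((name, severity, code, f"opmode {mode}: {why}"))
        elif "tkip" in mode:
            found.append((name, "MEDIUM", "TKIP",
                          f"opmode {mode}: TKIP is deprecated; prefer an AES-only mode"))
    if "leap-use-session-key" in settings:
        found.append((name, "MEDIUM", "LEAP",
                      "LEAP session key enabled; LEAP is a weak legacy EAP method"))
    if "opensystem" in modes and "mac-authentication" in settings:
        found.append((name, "MEDIUM", "MAC_ONLY",
                      "MAC authentication is the only gate; MAC addresses are not secret"))
    if "blacklist" not in settings:
        found.append((name, "LOW", "NO_BLACKLIST",
                      "clients are not blacklisted after repeated authentication failures"))
    if "hide-ssid" in settings:
        found.append((name, "INFO", "HIDDEN", "a hidden SSID is not an access control"))
    return found


def audit_config(text):
    """Audit every SSID profile found in a configuration listing."""
    findings = []
    for name, settings in parse_profiles(text).items():
        findings.extend(audit_profile(name, settings))
    return findings


if __name__ == "__main__":
    for profile, severity, code, message in audit_config(SAMPLE_CONFIG):
        print(f"{severity:<6} {profile:<9} {code:<13} {message}")
```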
Configuring Access Rules for a WLAN SSID Profile
This section describes the procedure for configuring security settings for employee and voice network only. For information on guest network configuration, see Captive Portal for Guest Access.
If you are creating a new SSID profile, complete the WLAN Settings and configure VLAN and security parameters, before defining access rules. For more information, see Configuring WLAN Settings for an SSID Profile on page 92, Configuring VLAN Settings for a WLAN SSID Profile on page 96, and Configuring Security Settings for a WLAN SSID Profile on page 98.

You can configure up to 128 access rules for an employee, voice, or guest network using the Instant UI or CLI.
In the Instant UI
To configure access rules for an employee or voice network:
1. In the Access Rules tab, set slider to any of the following types of access control:
• Unrestricted—Select this to set unrestricted access to the network.
• Network-based—Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an access rule:
  a. Click New.
  b. Select appropriate options in the New Rule window.
  c. Click OK.
• Role-based—Select Role-based to enable access based on user roles. For role-based access control:
  ▪ Create a user role if required. For more information, see Configuring User Roles.
  ▪ Create access rules for a specific user role. For more information, see Configuring Access Rules for Network Services on page 177. You can also configure an access rule to enforce captive portal authentication for an SSID that is configured to use 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID on page 135.
  ▪ Create a role assignment rule. For more information, see Configuring Derivation Rules on page 192.
2. Click Finish.
In the CLI
To configure access control rules for a WLAN SSID:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# rule <dest> <mask> <match> {<protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat {<IP-address> <port>|<port>}}| app <app> {permit|deny}| appcategory <appgrp>| webcategory <webgrp> {permit|deny}| webreputation <webrep> [<option1....option9>]
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To configure access control based on the SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-by-ssid
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure role assignment rules:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure a pre-authentication role:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-pre-auth <pre-authentication-role>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure machine and user authentication roles:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-unrestricted
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Example
The following example configures access rules for the wireless network:
(Instant AP)(config)# wlan access-rule WirelessRule
(Instant AP)(Access Rule "WirelessRule")# rule 192.0.2.2 255.255.255.0 match 6 4343 4343 log classify-media
(Instant AP)(Access Rule "WirelessRule")# rule any any match app deny throttle-downstream 256 throttle-up 256
(Instant AP)(Access Rule "WirelessRule")# rule any any match appcategory collaboration permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webcategory gambling deny
(Instant AP)(Access Rule "WirelessRule")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation well-known-sites permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation safe-sites permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation benign-sites permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation high-risk-sites deny
(Instant AP)(Access Rule "WirelessRule")# end
(Instant AP)# commit apply
Configuring Fast Roaming for Wireless Clients
Instant supports the following features that enable fast roaming of clients:
• Opportunistic Key Caching
• Fast BSS Transition (802.11r Roaming)
• Radio Resource Management (802.11k)
• BSS Transition Management (802.11v)
Opportunistic Key Caching
Instant now supports opportunistic key caching (OKC) based roaming. In the OKC based roaming, the AP stores one pairwise master key (PMK) per client, which is derived from last 802.1x authentication completed by the client in the network. The cached PMK is used when a client roams to a new AP. This allows faster roaming of clients between the IAPs in a cluster, without requiring a complete 802.1X authentication.
OKC roaming (when configured in the 802.1x Authentication profile) is supported on WPA2 clients. If the wireless client (the 802.1X supplicant) does not support this feature, a complete 802.1X authentication is required whenever a client roams to a new AP.
Configuring an IAP for OKC Roaming
You can enable OKC roaming for WLAN SSID by using Instant UI or CLI.

In the Instant UI
1. Navigate to the WLAN wizard (click Network > New or Network > Select the WLAN SSID > edit).
2. Click the Security tab.
3. Slide to Enterprise security level. On selecting a security level, the authentication options applicable to Enterprise network are displayed.
4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list. When any of these encryption types is selected, Opportunistic Key Caching (OKC) is enabled by default.
5. Click Next and then click Finish.
In the CLI
To disable OKC roaming on a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}
(Instant AP)(SSID Profile <name>)# okc-disable
(Instant AP)(config)# end
(Instant AP)# commit apply
To enable OKC roaming on a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}
(Instant AP)(SSID Profile <name>)# no okc-disable
(Instant AP)(config)# end
(Instant AP)# commit apply
Fast BSS Transition (802.11r Roaming)
802.11r is a roaming standard defined by IEEE. When enabled, 802.11r reduces roaming delay by pre-authenticating clients with multiple target APs before a client roams to an AP. With 802.11r implementation, clients pre-authenticate with multiple APs in a cluster.
As part of the 802.11r implementation, Instant supports the Fast BSS Transition protocol. The Fast BSS Transition mechanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster. This minimizes the time required to resume data connectivity when a BSS transition happens.
Fast BSS Transition is operational only if the wireless client supports 802.11r standard. If the client does not support 802.11r standard, it falls back to the normal WPA2 authentication method.
Configuring an IAP for 802.11r support
You can configure 802.11r support for a WLAN SSID by using the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard (click Network > New or Network > Select the WLAN SSID > edit).
2. Click the Security tab.
3. Under Fast Roaming, select the 802.11r check box.
4. Click Next and then click Finish.
In the CLI
To enable 802.11r roaming on a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# dot11r
(Instant AP)(config)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan ssid-profile dot11r-profile
(Instant AP)(SSID Profile "dot11r-profile")# dot11r
(Instant AP)(config)# end
(Instant AP)# commit apply
RadioResourceManagement(802.11k)
The802.11kprotocolprovidesmechanismsforAPsandclientstodynamicallymeasuretheavailableradio
resourcesandenablesstationstoqueryandmanagetheirradioresources.Inan802.11kenablednetwork,APsand
clientscanshareradioandlinkmeasurementinformation,neighborreports,andbeaconreportswitheachother.This
allowstheWLAN networkinfrastructuralelementsandclientstoassessresourcesandmakeoptimalmobility
decisionstoensureQualityofService(QoS) andseamlesscontinuity.
Instantsupportsthefollowingradioresourcemanagementinformationelementswith802.11ksupportenabled:
lPowerConstraintIE—Thepowerconstraintelementcontainstheinformationnecessarytoallowaclientto
determinethelocalmaximumtransmitpowerinthecurrentchannel.
lAPChannelReportIE—TheAPchannelreportelementcontainsalistofchannelsinaregulatoryclasswherea
clientislikelytofindanAP,includingtheAPtransmittingtheAPchannelreport.
lRRMEnabledCapabilitiesIE—TheRRMEnabledCapabilitieselementsignalssupportforradiomeasurementsin
adevice.TheclientsusethisIEtospecifytheirradiomeasurementcapabilities.
lBSSLoadElement:TheBSSLoadelementcontainsinformationonthedensityofclientsandtrafficlevelsinthe
QBSS.
lTransmitPowerControl(TPC)ReportIE:TheTPCIEcontainstransmitpowerandlinkmargininformation.
lQuietIE:TheQuietIEdefinesanintervalduringwhichnotransmissionoccursinthecurrentchannel.This
intervalmaybeusedtoassistinmakingchannelmeasurementswithoutinterferencefromotherstationsinthe
BSS.
lExtendedCapabilitiesIE-TheextendedcapabilitiesIEcarriesinformationaboutthecapabilitiesofanIEEE
802.11station.

BeaconReportRequestsandProbeResponses
ThebeaconrequestframeissentbyanAPtorequestaclienttoreportthelistofbeaconsheardbytheclientonall
channels.
lThebeaconrequestissentusingtheradiomeasurementrequestactionframe.
lItissentonlytothoseclientsthathavethecapabilitytogeneratebeaconreports.Theclientsindicatetheir
capabilitiesthroughtheRRMenabledcapabilitiesIEsentintheassociationrequestframes.
lBydefault,thebeaconrequestframesaresentataperiodicityof60seconds.
ConfiguringaWLAN SSIDfor802.11kSupport
Youcanenable802.11ksupportonaWLAN SSIDbyusingtheInstantUIorCLI.
IntheInstantUI
1.NavigatetotheWLANwizard(clickNetwork>NeworNetwork>SelecttheWLANSSID>edit).
2.ClicktheSecuritytab.
3.UnderFastRoaming,Selectthe802.11kcheckbox.
4.ClickNextandthenclickFinish.
ToallowtheAPandclientstoexchangeneighborreports,ensurethattheClientmatchisenabledthroughRF>
ARM>Clientmatch>EnabledintheUIorbyexecutingtheclient-matchcommandinthearmconfiguration
sub-mode.
IntheCLI
Toenable802.11kprofile:
(InstantAP)(config)#wlanssid-profile<name>
(InstantAP)(SSIDProfile<name>)#dot11k
(InstantAP)(config)#end
(InstantAP)#commitapply
Toviewthebeaconreportdetails:
showapdot11k-beacon-report<mac>
Toviewtheneighbordetails:
showapdot11k-nbrs
Example
(InstantAP)(config)#wlanssid-profiledot11k-profile
(InstantAP)(SSIDProfile"dot11k-profile")#dot11k
(InstantAP)(config)#end
(InstantAP)#commitapply
BSSTransitionManagement(802.11v)
The802.11vstandardprovidesWirelessNetworkManagementenhancementstotheIEEE802.11MACandPHY.It
extendsradiomeasurementstodefinemechanismsforwirelessnetworkmanagementofstationsincludingBSS
transitionmanagement.
IAPssupportthegenerationoftheBSStransitionmanagementrequestframestothe802.11kclientswhena
suitableAPisidentifiedforaclientthroughclientmatch.
ConfiguringaWLAN SSIDfor802.11vSupport
Youcanenable802.11vsupportonaWLAN SSIDbyusingtheInstantUIorCLI.
In the Instant UI
1. Navigate to the WLAN wizard (click Network > New or Network > Select the WLAN SSID > edit).
2. Click the Security tab.
3. Under Fast Roaming, select the 802.11v checkbox.
4. Click Next and then click Finish.
In the CLI
To enable 802.11v profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# dot11v
(Instant AP)(config)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan ssid-profile dot11v-profile
(Instant AP)(SSID Profile "dot11v-profile")# dot11v
(Instant AP)(config)# end
(Instant AP)# commit apply
Editing Status of a WLAN SSID Profile
You can enable or disable an SSID profile in the Instant UI or CLI.
In the Instant UI
To modify the status of a WLAN SSID profile:
1. In the Networks tab, select the network that you want to edit. The edit link is displayed.
2. Click the edit link. The Edit network window is displayed.
3. Select or clear the Disable SSID checkbox to disable or enable the SSID. The SSID is enabled by default.
4. Click Next or the tab name to move to the next tab.
5. Click Finish to save the modifications.
In the CLI
To disable an SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# disable
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To enable an SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# enable
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Editing a WLAN SSID Profile
To edit a WLAN SSID profile:
1. In the Networks tab, select the network that you want to edit. The edit link is displayed.
2. Click the edit link. The Edit network window is displayed.
3. Modify the required settings. Click Next to move to the next tab.
4. Click Finish to save the modifications.
Deleting a WLAN SSID Profile
To delete a WLAN SSID profile:
1. In the Networks tab, click the network that you want to delete. A x link is displayed against the network to be deleted.
2. Click x. A delete confirmation window is displayed.
3. Click Delete Now.
Chapter 9
Wired Profiles
This chapter describes the following procedures:
• Configuring a Wired Profile
• Assigning a Profile to Ethernet Ports
• Editing a Wired Profile
• Deleting a Wired Profile
• Link Aggregation Control Protocol for IAP-220 Series
• Understanding Hierarchical Deployment
Configuring a Wired Profile
The Ethernet ports allow third-party devices such as VoIP phones or printers (which support only wired connections) to connect to the wireless network. You can also configure an Access Control List (ACL) for additional security on the Ethernet downlink.
The wired profile configuration for employee network involves the following procedures:
1. Configuring Wired Settings on page 111
2. Configuring VLAN for a Wired Profile on page 113
3. Configuring Security Settings for a Wired Profile on page 114
4. Configuring Access Rules for a Wired Profile on page 115
For information on creating a wired profile for guest network, see Captive Portal for Guest Access.
Configuring Wired Settings
You can configure wired settings for a wired profile by using the Instant UI or CLI.
In the Instant UI
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
2. Click New under Wired Networks. The New Wired Network window is displayed. The following figure shows the contents of the Wired Settings tab:

Figure 38 New Wired Network Window: Wired Settings Window
3. Click the Wired Settings tab and enter the following information:
   a. Name—Specify a name for the profile.
   b. Primary Usage—Select Employee or Guest.
   c. Speed/Duplex—Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
   d. POE—Set POE to Enabled to enable Power over Ethernet.
   NOTE: The E2 port on RAP-3WNP supports Power Sourcing Equipment (PSE) to supply power to any compliant 802.3af powered (class 0-4) device. RAP-155P supports PSE for 802.3af powered device (class 0-4) on one port (E1 or E2), or 802.3at powered DC IN (Power Socket) on two ports (E1 and E2).
   e. Admin Status—Ensure that an appropriate value is selected. The Admin Status indicates if the port is up or down.
   f. Content Filtering—To ensure that all DNS requests to non-corporate domains on this wired network are sent to OpenDNS, select Enabled for Content Filtering.
   g. Uplink—Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled as Uplink port. For more information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 116.
   h. Spanning Tree—Select the Spanning Tree checkbox to enable Spanning Tree Protocol (STP) on the wired profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on IAPs with three or more ports. By default Spanning Tree is disabled on wired profiles.
4. Click Next. The VLAN tab details are displayed.
5. Configure VLAN for the wired profile. For more information, see Configuring VLAN for a Wired Profile on page 113.
In the CLI
To configure wired settings for:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type {<employee>|<guest>}
(Instant AP)(wired ap profile <name>)# speed {10|100|1000|auto}
(Instant AP)(wired ap profile <name>)# duplex {half|full|auto}
(Instant AP)(wired ap profile <name>)# no shutdown
(Instant AP)(wired ap profile <name>)# poe
(Instant AP)(wired ap profile <name>)# uplink-enable
(Instant AP)(wired ap profile <name>)# content-filtering
(Instant AP)(wired ap profile <name>)# spanning-tree
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring VLAN for a Wired Profile
If you are creating a new wired profile, complete the Wired Settings procedure before configuring VLAN. For more information, see Configuring Wired Settings on page 111.
You can configure VLAN using the Instant UI or CLI.
In the Instant UI
To configure VLAN:
1. In the VLAN tab, enter the following information.
   a. Mode—You can specify any of the following modes:
      • Access—Select this mode to allow the port to carry a single VLAN specified as the native VLAN.
      • Trunk—Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.
   b. Specify any of the following values for Client IP Assignment:
      • Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client.
      • Network Assigned: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
   c. If the Trunk mode is selected:
      • Specify the Allowed VLAN, enter a list of comma separated digits or ranges 1,2,5 or 1-4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
      • If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN. You can specify a value within the range of 1-4093.
   d. If the Access mode is selected:
      • If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 2.
      • If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
2. Click Next. The Security tab details are displayed.
3. Configure security settings for the wired profile. For more information, see Configuring Security Settings for a Wired Profile on page 114.
In the CLI
To configure VLAN settings for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# switchport-mode {trunk|access}
(Instant AP)(wired ap profile <name>)# allowed-vlan <vlan>
(Instant AP)(wired ap profile <name>)# native-vlan {<guest|1…4095>}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To configure a new VLAN assignment rule:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-vlan <attribute>{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring Security Settings for a Wired Profile
If you are creating a new wired profile, complete the Wired Settings and VLAN procedures before specifying security settings. For more information, see Configuring Wired Settings on page 111 and Configuring VLAN Settings for a WLAN SSID Profile on page 96.
Configuring Security Settings for a Wired Employee Network
You can configure security parameters for an employee network by using the Instant UI or CLI.
In the Instant UI
To configure security parameters for an employee network:
1. Configure the following parameters in the Security tab.
   • MAC authentication—To enable MAC authentication, select Enabled. The MAC authentication is disabled by default.
   • 802.1X authentication—To enable 802.1X authentication, select Enabled.
   • MAC authentication fail-thru—To enable authentication fail-thru, select Enabled. When this feature is enabled, 802.1X authentication is attempted when MAC authentication fails. The MAC authentication fail-thru checkbox is displayed only when both MAC authentication and 802.1X authentication are Enabled.
   • Select any of the following options for Authentication server 1:
      ▪ New—On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring an External Server for Authentication on page 157. Authentication and User Management on page 140
      ▪ Internal server—If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see Managing IAP Users on page 140.
   • Reauth interval—Specify the interval at which all associated and authenticated clients must be reauthenticated.
   • Load balancing—Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers on page 154.
2. Click Next. The Access tab details are displayed.
In the CLI
To configure security settings for an employee network:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# l2-auth-failthrough
(Instant AP)(wired ap profile <name>)# auth-server <name>
(Instant AP)(wired ap profile <name>)# server-load-balancing
(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply

Configuring Access Rules for a Wired Profile
The Ethernet ports allow third-party devices such as VoIP phones or printers (that support only wired connections) to connect to the wireless network. You can also configure an Access Control List (ACL) for additional security on the Ethernet downlink.
If you are creating a new wired profile, complete the Wired Settings and configure VLAN and security parameters, before defining access rules. For more information, see Configuring Wired Settings on page 111, Configuring VLAN for a Wired Profile on page 113, and Configuring Security Settings for a Wired Profile on page 114.
You can configure access rules by using the Instant UI or CLI.
In the Instant UI
To configure access rules:
1. In the Access tab, configure the following access rule parameters.
   a. Select any of the following types of access control:
      • Role-based—Allows the users to obtain access based on the roles assigned to them.
      • Unrestricted—Allows the users to obtain unrestricted access on the port.
      • Network-based—Allows the users to be authenticated based on access rules specified for a network.
   b. If the Role-based access control is selected, perform the following steps:
      • Under Roles, select an existing role for which you want to apply the access rules, or click New and add the required role. The list of roles defined for all networks is displayed under Roles.
      NOTE: The default role with the same name as the network, is automatically defined for each network. The default roles cannot be modified or deleted.
      • Select the access rule associated with a specific role and modify if required. To add a new access rule, click New in the Access Rules window. You can configure up to 64 access rules. For more information on configuring access rules, see Configuring Access Rules for Network Services on page 177.
      • Configure rules to assign roles for an authenticated client. You can also configure rules to derive VLANs for the wired network profile. For more information on role assignment rules and VLAN derivation rules, see Configuring Derivation Rules on page 192 and Configuring VLAN Derivation Rules on page 196.
      • Select the Assign pre-authentication role checkbox to add a pre-authentication role that allows some access to the users before the client authentication.
      • Select the Enforce Machine Authentication checkbox, to configure access rights to clients based on whether the client device supports machine authentication. Select the Machine auth only and User auth only rules. Machine Authentication is only supported on Windows devices and devices such as iPads.
      If Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.
2. Click Finish.
In the CLI
To configure access rules for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# access-rule-name <name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To configure role assignment rules:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role <attribute>{{equals|not-equal|starts-with|ends-with|contains|matches-regular-expression} <operator> <role>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To configure a pre-authentication role:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role-pre-auth <pre-authentication-role>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To configure machine and user authentication roles:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user-only>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role-unrestricted
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
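The VLAN, security and access-rule commands above decide how exposed a wired downlink port is, so they are worth reviewing together. The following is an added example, not part of the guide or of Aruba's tooling: a small auditor over a saved configuration. The indented one-block-per-profile layout, the sample profiles, the three checks and the reuse of the 1-4093 bound for allowed-vlan are assumptions of the example.

```python
import re

# Constructed sample. The indented layout is an assumption; the commands are
# the wired-port-profile commands shown in this section.
SAMPLE_CONFIG = """\
wired-port-profile voip-phones
 type employee
 switchport-mode access
 native-vlan 20
 mac-authentication
 auth-server radius-1
 access-rule-name voip-phones
wired-port-profile lobby-printer
 type employee
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 no mac-authentication
 set-role-unrestricted
wired-port-profile lab-trunk
 type employee
 switchport-mode trunk
 allowed-vlan 10,20-22,9000
 native-vlan 10
 mac-authentication
 l2-auth-failthrough
 auth-server radius-1
 access-rule-name lab-trunk
"""

# Upper bound the guide's UI text gives for Native VLAN; using it for
# allowed-vlan as well is an assumption of this example.
MAX_VLAN = 4093


def parse_profiles(text):
    """Return {profile name: [token list for each command in the profile]}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                current.append(raw.split())
        else:
            m = re.fullmatch(r"wired-port-profile\s+(\S+)", raw.strip())
            current = profiles.setdefault(m.group(1), []) if m else None
    return profiles


def enabled_commands(cmds):
    """Map command -> arguments, dropping anything switched off with 'no'."""
    out = {}
    for tokens in cmds:
        if tokens[0] == "no":
            if len(tokens) > 1:
                out.pop(tokens[1], None)
        else:
            out[tokens[0]] = tokens[1:]
    return out


def expand_vlans(spec):
    """Expand '1,2,5' or '1-4' into a set of VLAN IDs; 'all' returns None."""
    if spec == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def audit(text):
    """Return (profile, finding) pairs for settings that deserve a review."""
    findings = []
    for name, cmds in parse_profiles(text).items():
        on = enabled_commands(cmds)
        if "set-role-unrestricted" in on:
            findings.append((name, "unrestricted-access"))
        # Heuristic limited to the authentication commands shown in this section.
        if "mac-authentication" not in on and "auth-server" not in on:
            findings.append((name, "no-authentication"))
        if on.get("switchport-mode") == ["trunk"] and "allowed-vlan" in on:
            try:
                if expand_vlans("".join(on["allowed-vlan"])) is None:
                    findings.append((name, "trunk-allows-all-vlans"))
            except ValueError:
                findings.append((name, "invalid-allowed-vlan"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONFIG):
        print(f"{profile}: {finding}")
```
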
Assigning a Profile to Ethernet Ports
You can assign profiles to Ethernet ports using the Instant UI or CLI.
In the Instant UI
To assign profiles to Ethernet ports:
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
2. To assign an Ethernet downlink profile to Ethernet 0 port:
   a. Ensure that the wired bridging on the port is enabled. For more information, see Configuring Wired Bridging on Ethernet 0 for Mesh Point on page 307.
   b. Select and assign a profile from the 0/0 drop down list.
   c. To assign a wired profile to Ethernet 0/1 port, select the profile from the 0/1 drop down list.
   d. If the IAP supports E2, E3 and E4 ports, assign profiles to other Ethernet ports by selecting a profile from the 0/2, 0/3, and 0/4 drop-down list.
In the CLI
To assign profiles to Ethernet ports:
(Instant AP)(config)# enet0-port-profile <name>
(Instant AP)(config)# enet1-port-profile <name>
(Instant AP)(config)# enet2-port-profile <name>
(Instant AP)(config)# enet3-port-profile <name>
(Instant AP)(config)# enet4-port-profile <name>
(Instant AP)(config)# end
(Instant AP)# commit apply
Editing a Wired Profile
To edit a wired profile:
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to modify.
3. Click Edit. The Edit Wired Network window is displayed.
4. Modify the required settings.
5. Click Finish to save the modifications.
Deleting a Wired Profile
To delete a wired profile:
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to delete.
3. Click Delete. The wired profile is deleted.
Link Aggregation Control Protocol for IAP-220 Series
IAP-220 Series supports the IEEE 802.11ac standard for high-performance WLAN. To support maximum traffic, port aggregation is required as it increases throughput and enhances reliability. To support port aggregation, Instant supports Link Aggregation Control Protocol (LACP) based on the IEEE 802.3ad standard. 802.3ad standard for Ethernet aggregation uses LACP as a method to manage link configuration and balance traffic among aggregated ports.
LACP provides a standardized means for exchanging information with partner systems to form a dynamic link aggregation group. The LACP feature is automatically enabled during IAP boots and it dynamically detects the AP if connected to a partner system with LACP capability, by checking if there is any LACP Protocol Data Unit (PDU) received on either eth0 or eth1 port.
If the switch in the cluster has the LACP capability, you can combine eth0 and eth1 interfaces into the link aggregation group to form a single logical interface (port-channel). Port-channels can be used to provide additional bandwidth or link redundancy between two devices. IAP-220 Series supports link aggregation using either standard port-channel (configuration based) or Link Aggregation Control Protocol (protocol signaling based). IAP-220 Series can optionally be deployed with LACP configuration to benefit from the higher (greater than 1 Gbps) aggregate throughput capabilities of the two radios.
NOTE: The LACP feature is supported only on IAP-220 Series.
To enable port-channel on a S3500 Mobility Access Switch:
1. Create a switching profile by running the following commands:
interface-profile switching-profile <profile-name>
switchport-mode {trunk}
exit
2. Create a port-channel and associate the switching profile by running the following commands:
interface port-channel <0-63>
port-channel-members [<interface-list> | [add | delete] gigabitethernet <slot/module/port>]
shutdown
switching-profile <profile-name>
There is no configuration required on the AP for enabling LACP support. However, you can view the status of LACP on IAPs by using the following command:
(Instant AP)# show lacp status
AP LACP Status
--------------
Link Status  LACP Rate  Num Ports  Actor Key  Partner Key  Partner MAC
-----------  ---------  ---------  ---------  -----------  -----------
Up           slow       2          17         1            70:81:05:11:3e:80
Slave Interface Status
----------------------
Slave I/f Name  Permanent MAC Addr  Link Status  Member of LAG  Link Fail Count
--------------  ------------------  -----------  -------------  ---------------
eth0            6c:f3:7f:c6:76:6e   Up           Yes            0
eth1            6c:f3:7f:c6:76:6f   Up           Yes            0
Traffic Sent on Enet Ports
--------------------------
Radio Num  Enet 0 Tx Count  Enet 1 Tx Count
---------  ---------------  ---------------
0          0                0
1          0                0
non-wifi   2                17
Understanding Hierarchical Deployment
An IAP-130 Series or RAP-3WN (with more than one wired port) can be connected to the downlink wired port of another IAP (ethX). An IAP with a single Ethernet port (like IAP-90 or IAP-100 series devices) can be provisioned to use Ethernet bridging, so that Ethernet 0 port is converted to a downlink wired port.
You can also form an IAP network by connecting the downlink port of an AP to other APs. Only one AP in the network uses its downlink port to connect to the other APs. This AP (called the root AP) acts as the wired device for the network, provides DHCP service and an L3 connection to the ISP uplink with NAT. The root AP is always the master of the Instant network. In a single Ethernet port platform deployment, the root AP must be configured to use the 3G uplink.
A typical hierarchical deployment consists of the following:
• A direct wired ISP connection or a wireless uplink.
• One or more DHCP pools for private VLANs.
• One downlink port configured on a private VLAN without authentication for connecting to slave APs. Ensure that the downlink port configured in a private VLAN is not used for any wired client connection. Other downlink ports can be used for connecting to the wired clients.
The following figure illustrates a hierarchical deployment scenario:

Figure 39 Hierarchical Deployment
Chapter 10
Captive Portal for Guest Access
This chapter provides the following information:
• Understanding Captive Portal
• Configuring a WLAN SSID for Guest Access
• Configuring Wired Profile for Guest Access
• Configuring Internal Captive Portal for Guest Network
• Configuring External Captive Portal for a Guest Network
• Configuring External Captive Portal Authentication Using ClearPass Guest
• Configuring Guest Logon Role and Access Rules for Guest Users
• Configuring Captive Portal Roles for an SSID
• Configuring Walled Garden Access
• Disabling Captive Portal Authentication
Understanding Captive Portal
Instant supports the captive portal authentication method, where a Web page is presented to the guest users when they try to access the Internet whether in hotels, conference centers or Wi-Fi hotspots. The Web page also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at many Wi-Fi hotspots and can be used to control wired access as well.
The Instant captive portal solution consists of the following:
• The captive portal Web login page hosted by an internal or external server.
• The RADIUS authentication or user authentication against IAP's internal database.
• The SSID broadcast by the IAP.
With Instant, the administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. The administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal web page prompting the user to authenticate with a username and password is displayed.
Types of Captive Portal
Instant supports the following types of captive portal authentication:
• Internal captive portal—For Internal captive portal authentication, an internal server is used for hosting the captive portal service. It supports the following types of authentication:
   ▪ Internal Authenticated—When Internal Authenticated is enabled, a guest user must authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
   ▪ Internal Acknowledged—When Internal Acknowledged is enabled, a guest user must accept the terms and conditions to access the Internet.

• External captive portal—For external captive portal authentication, an external portal on the cloud or on a server outside the enterprise network is used.
Walled Garden
The administrators can also control the resources that the guest users can access and the amount of bandwidth or airtime they can use at any given time. When an external captive portal is used, the administrators can configure a walled garden, which determines access to the URLs requested by the guest users. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents. The users who do not sign up for the Internet service can view only the “allowed” websites (typically hotel property websites).
The administrators can allow or block access to specific URLs by creating a whitelist and blacklist. When the users attempt to navigate to other websites, which are not in the whitelist of the walled garden profile, the users are redirected to the login page. If the requested URL is on the blacklist, it is blocked. If it appears on neither list, the request is redirected to the external captive portal.
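The allow, block and redirect outcomes described above can be modelled in a few lines. This is an added example, not Instant's implementation: the host-based matching on a dot boundary, the blacklist-before-whitelist order and the sample list entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample lists for the hotel scenario described above.
WHITELIST = ["hotel.example"]
BLACKLIST = ["ads.hotel.example"]


def host_of(url):
    """Return the lower-cased host of a URL or bare host name ('' if none)."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
    except ValueError:
        return ""
    return (parts.hostname or "").rstrip(".")


def host_matches(host, entry):
    """True when host is the entry itself or a subdomain of it.

    Comparing on a dot boundary keeps 'hotel.example.other.test' from
    matching the entry 'hotel.example', which a substring test would accept.
    """
    entry = entry.strip().lower().rstrip(".")
    if not entry:
        return False
    return host == entry or host.endswith("." + entry)


def walled_garden_decision(url, whitelist, blacklist):
    """Return 'block', 'allow' or 'redirect' for an unauthenticated guest."""
    host = host_of(url)
    if host and any(host_matches(host, e) for e in blacklist):
        return "block"
    if host and any(host_matches(host, e) for e in whitelist):
        return "allow"
    # On neither list: send the guest to the captive portal login page.
    return "redirect"


if __name__ == "__main__":
    for u in ("http://www.hotel.example/rooms",
              "https://ads.hotel.example/banner",
              "http://news.example.org/",
              "http://hotel.example.other.test/"):
        print(u, "->", walled_garden_decision(u, WHITELIST, BLACKLIST))
```
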
Configuring a WLAN SSID for Guest Access
You create an SSID for guest access by using the Instant UI or CLI:
In the Instant UI
1. In the Networks tab of the Instant main window, click the New link. The New WLAN window is displayed.
2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
3. Based on the type of network profile, specify the Primary usage as Guest.
4. Click the Show advanced options link. The advanced options for configuration are displayed.
5. Enter the required values for the following configuration parameters:
Table 21: WLAN SSID Configuration Parameters for Guest Network
Parameters and Description
Broadcast/Multicast
   Select any of the following values under Broadcast filtering:
   • All—When set to All, the IAP drops all broadcast and multicast frames except DHCP and ARP.
   • ARP—When set to ARP, the IAP converts ARP requests to unicast and sends frames directly to the associated client.
   • Disabled—When set to Disabled, all broadcast and multicast traffic is forwarded.
DTIM interval
   The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the IAP should deliver the buffered broadcast and multicast frames to associated clients in the power save mode. The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You can also configure a higher DTIM value for power saving.
Multicast transmission optimization
   Select Enabled if you want the IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent at up to 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and 5.0 GHz is 6 Mbps. This option is disabled by default.
Dynamic multicast optimization
   Select Enabled to allow IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
DMO channel utilization threshold
   Specify a value to set a threshold for DMO channel utilization. With DMO, the IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the IAP sends multicast traffic over the wireless link.
   NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.
Transmit Rates
   Specify the following parameters:
   • 2.4 GHz—If the 2.4 GHz band is configured on the IAP, specify the minimum and maximum transmission rate. The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.
   • 5 GHz—If the 5 GHz band is configured on the IAP, specify the minimum and maximum transmission rate. The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.
Zone
   Specify the zone for the SSID. When the zone is defined in SSID profile and if the same zone is defined on an IAP, the SSID is created on that IAP. For more information on configuring zone details on an IAP, see Configuring Zone Settings on an IAP on page 83.
   The following constraints apply to the zone configuration:
   • An IAP can belong to only one zone and only one zone can be configured on an SSID.
   • If an SSID belongs to a zone, all IAPs in this zone can broadcast this SSID. If no IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
   • If an SSID does not belong to any zone, all IAPs can broadcast this SSID.
Bandwidth Limits
   Select any of the following checkboxes to specify the bandwidth limit:
   • Airtime—Select this checkbox to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
   • Each user—Select this checkbox to specify a throughput for any single user in this network. Specify the throughput value in Kbps.
   • Each radio—Select this checkbox to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients.
Wi-Fi Multimedia (WMM) traffic management
   Configure the following options for WMM traffic management. WMM supports voice, video, best effort, and background access categories. To allocate bandwidth for the following types of traffic, specify a percentage value under Share. To configure DSCP mapping, specify a value under DSCP Mapping.
   • Background WMM: For background traffic such as file downloads or print jobs.
   • Best effort WMM—For best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS.
   • Video WMM—For video traffic generated from video streaming.
   • Voice WMM—For voice traffic generated from the incoming and outgoing voice communication.
   For more information on WMM traffic and DSCP mapping, see Wi-Fi Multimedia Traffic Management on page 251.
Content filtering
   Set to Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network.
Parameters Description
Band: Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.
Inactivity timeout: Specify a timeout interval. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. The minimum value is set to 60 seconds and the default value is 1000 seconds.
Hide SSID: Select the checkbox if you do not want the SSID (network name) to be visible to users.
Disable SSID: Select the checkbox to disable the SSID. On selecting this checkbox, the SSID is disabled, but not removed from the network. By default, all SSIDs are enabled.
Can be used without Uplink: Select the checkbox if you do not want the SSID users to use uplink.
Max clients threshold: Specify the maximum number of clients that can be configured for each BSSID on a WLAN in the text box. You can specify a value within the range of 0 to 255. The default value is 64.
Local probe request threshold: Specify a threshold value in the Local probe request threshold text box to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests if required. You can specify a Received signal strength indication (RSSI) value within range of 0 to 100 dB.
6. Click Next to configure VLAN settings. The VLAN tab contents are displayed.
7. Select any of the following options for Client IP assignment:
• Virtual Controller assigned—On selecting this option, the client obtains the IP address from the Virtual Controller.
• Network assigned—On selecting this option, the IP address is obtained from the network.
8. Based on the type of client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table:

Table 22: IP and VLAN Assignment for WLAN SSID Clients
Client IP Assignment: Client VLAN Assignment
Virtual Controller assigned: If the Virtual Controller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network.
On selecting this option, the following client VLAN assignment options are displayed:
• Default: When selected, the default VLAN as determined by the Virtual Controller is assigned for clients.
• Custom: When selected, you can specify a custom VLAN assignment option. You can select an existing DHCP scope for client IP and VLAN assignment or you can create a new DHCP scope by selecting New. For more information on DHCP scopes, see Configuring DHCP Scopes on page 201.
Network assigned: If the Network assigned is selected, you can specify any of the following options for the Client VLAN assignment.
• Default—On selecting this option, the client obtains the IP address in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
• Static—On selecting this option, you need to specify a single VLAN, a comma separated list of VLANS, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
• Dynamic—On selecting this option, you can assign the VLANs dynamically from a Dynamic Host Configuration Protocol (DHCP) server. To create VLAN assignment rules, click New to assign the user to a VLAN. In the New VLAN Assignment Rule window, enter the following information:
  • Attribute—Select an attribute returned by the RADIUS server during authentication.
  • Operator—Select an operator for matching the string.
  • String—Enter the string to match.
  • VLAN—Enter the VLAN to be assigned.
9. Click Next to configure internal or external captive portal authentication, roles and access rules for the guest users.
In the CLI
To configure WLAN settings for an SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# essid <ESSID-name>
(Instant AP)(SSID Profile <name>)# type <Guest>
(Instant AP)(SSID Profile <name>)# broadcast-filter <type>
(Instant AP)(SSID Profile <name>)# dtim-period <number-of-beacons>
(Instant AP)(SSID Profile <name>)# multicast-rate-optimization
(Instant AP)(SSID Profile <name>)# dynamic-multicast-optimization
(Instant AP)(SSID Profile <name>)# dmo-channel-utilization-threshold
(Instant AP)(SSID Profile <name>)# a-max-tx-rate <rate>
(Instant AP)(SSID Profile <name>)# a-min-tx-rate <rate>
(Instant AP)(SSID Profile <name>)# g-max-tx-rate <rate>
(Instant AP)(SSID Profile <name>)# g-min-tx-rate <rate>
(Instant AP)(SSID Profile <name>)# zone <zone>
(Instant AP)(SSID Profile <name>)# bandwidth-limit <limit>
(Instant AP)(SSID Profile <name>)# per-user-bandwidth-limit <limit>
(Instant AP)(SSID Profile <name>)# air-time-limit <limit>
(Instant AP)(SSID Profile <name>)# wmm-background-share <percentage-of-traffic_share>
(Instant AP)(SSID Profile <name>)# wmm-best-effort-share <percentage-of-traffic-share>
(Instant AP)(SSID Profile <name>)# wmm-video-share <percentage-of-traffic_share>
(Instant AP)(SSID Profile <name>)# wmm-voice-share <percentage-of-traffic_share>
(Instant AP)(SSID Profile <name>)# rf-band {<2.4>|<5.0>|<all>}
(Instant AP)(SSID Profile <name>)# content-filtering
(Instant AP)(SSID Profile <name>)# hide-ssid
(Instant AP)(SSID Profile <name>)# inactivity-timeout <interval>
(Instant AP)(SSID Profile <name>)# work-without-uplink
(Instant AP)(SSID Profile <name>)# local-probe-req-thresh <threshold>
(Instant AP)(SSID Profile <name>)# max-clients-threshold <number-of-clients>
To manually assign VLANs for WLAN SSID users:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# vlan <vlan-ID>
To enforce DHCP-based VLAN assignment:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# enforce-dhcp
To create a new VLAN assignment rule:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}
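How rules of this form select a VLAN, as an added example that is not part of the guide or Aruba's own code: a small Python evaluator for set-vlan rules that shows how a loose operator such as contains lets one RADIUS reply satisfy several rules. The Filter-Id and Tunnel-Private-Group-Id replies, the VLAN numbers, first-match ordering, search semantics for regular expressions, and reading value-of as "use the attribute value as the VLAN ID" are assumptions.

```python
import re

# Operators taken from the set-vlan syntax above.
OPERATORS = {
    "equals": lambda value, s: value == s,
    "not-equals": lambda value, s: value != s,
    "starts-with": lambda value, s: value.startswith(s),
    "ends-with": lambda value, s: value.endswith(s),
    "contains": lambda value, s: s in value,
    # Assumption: the pattern may match anywhere in the value, so an
    # unanchored pattern behaves like "contains".
    "matches-regular-expression": lambda value, s: re.search(s, value) is not None,
}

# Assumption: valid VLAN IDs are 1-4093, the range the guide gives for a native VLAN.
VLAN_RANGE = range(1, 4094)


def parse_rule(line):
    """Parse 'set-vlan <attribute> <operator> <string> <vlan>' or '... value-of'."""
    parts = line.split()
    if len(parts) == 3 and parts[0] == "set-vlan" and parts[2] == "value-of":
        return {"attribute": parts[1], "operator": "value-of"}
    if len(parts) == 5 and parts[0] == "set-vlan" and parts[2] in OPERATORS:
        vlan = int(parts[4])
        if vlan not in VLAN_RANGE:
            raise ValueError("VLAN out of range: " + line)
        return {"attribute": parts[1], "operator": parts[2],
                "string": parts[3], "vlan": vlan}
    raise ValueError("unrecognised rule: " + line)


def matching_rules(rules, radius_attrs):
    """Return [(rule index, VLAN)] for every rule the RADIUS reply satisfies."""
    hits = []
    for idx, rule in enumerate(rules):
        value = radius_attrs.get(rule["attribute"])
        if value is None:
            continue  # the server did not return this attribute
        if rule["operator"] == "value-of":
            # The attribute value itself is the VLAN; ignore anything that
            # is not a number inside the valid range.
            if value.isascii() and value.isdigit() and int(value) in VLAN_RANGE:
                hits.append((idx, int(value)))
        elif OPERATORS[rule["operator"]](value, rule["string"]):
            hits.append((idx, rule["vlan"]))
    return hits


def derive_vlan(rules, radius_attrs, default_vlan):
    """First matching rule wins (assumption); otherwise the default VLAN."""
    hits = matching_rules(rules, radius_attrs)
    return hits[0][1] if hits else default_vlan


# Constructed rule sets: the loose one uses substring operators, the strict
# one uses exact matches.
LOOSE = [parse_rule("set-vlan Filter-Id contains staff 20"),
         parse_rule("set-vlan Filter-Id starts-with guest 30")]
STRICT = [parse_rule("set-vlan Filter-Id equals staff 20"),
          parse_rule("set-vlan Filter-Id equals guest 30")]
VALUE_OF = [parse_rule("set-vlan Tunnel-Private-Group-Id value-of")]

if __name__ == "__main__":
    reply = {"Filter-Id": "guest-of-staff"}  # constructed RADIUS reply
    print("loose :", matching_rules(LOOSE, reply), "->", derive_vlan(LOOSE, reply, 99))
    print("strict:", matching_rules(STRICT, reply), "->", derive_vlan(STRICT, reply, 99))
```

A reply that satisfies more than one rule means the result depends on rule order; running candidate attribute values through matching_rules before committing a rule set makes such overlaps visible.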
Configuring Wired Profile for Guest Access
You can configure wired settings for a wired profile by using the Instant UI or CLI.
In the Instant UI
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
2. Click New under Wired Networks. The New Wired Network window is displayed.
3. Click the Wired Settings tab and enter the following information:
a. Name—Specify a name for the profile.
b. Primary Usage—Select Employee or Guest.
c. Speed/Duplex—Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
d. POE—Set POE to Enabled to enable Power over Ethernet.
e. Admin Status—Ensure that an appropriate value is selected. The Admin Status indicates if the port is up or down.
f. Content Filtering—To ensure that all DNS requests to non-corporate domains on this wired network are sent to OpenDNS, select Enabled for Content Filtering.
g. Uplink—Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled as Uplink port. For more information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 116.
h. Spanning Tree—Select the Spanning Tree checkbox to enable Spanning Tree Protocol (STP) on the wired profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on IAPs with three or more ports. By default Spanning Tree is disabled on wired profiles.
4. Click Next. The VLAN tab details are displayed.
5. Enter the following information.
a. Mode—You can specify any of the following modes:
• Access—Select this mode to allow the port to carry a single VLAN specified as the native VLAN.

• Trunk—Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.
b. Specify any of the following values for Client IP Assignment:
• Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client.
• Network Assigned: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
c. If the Trunk mode is selected:
• Specify the Allowed VLAN, enter a list of comma separated digits or ranges 1,2,5 or 1-4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
• If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN. You can specify a value within the range of 1-4093.
d. If the Access mode is selected:
• If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 2.
• If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
6. Click Next to configure internal or external captive portal authentication, roles and access rules for the guest users.
In the CLI
To configure wired settings for:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type <guest>
(Instant AP)(wired ap profile <name>)# speed {10|100|1000|auto}
(Instant AP)(wired ap profile <name>)# duplex {half|full|auto}
(Instant AP)(wired ap profile <name>)# no shutdown
(Instant AP)(wired ap profile <name>)# poe
(Instant AP)(wired ap profile <name>)# uplink-enable
(Instant AP)(wired ap profile <name>)# content-filtering
(Instant AP)(wired ap profile <name>)# spanning-tree
To configure VLAN settings for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# switchport-mode {trunk|access}
(Instant AP)(wired ap profile <name>)# allowed-vlan <vlan>
(Instant AP)(wired ap profile <name>)# native-vlan {<guest|1…4095>}
To configure a new VLAN assignment rule:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}
Configuring Internal Captive Portal for Guest Network
In the Internal Captive Portal type, an internal server is used for hosting the captive portal service. You can configure internal captive portal authentication when adding or editing a guest network created for wireless or wired profile through the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard or Wired window.
• To configure internal captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
• To configure internal captive portal authentication for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. Click the Security tab and assign values for the configuration parameters:
Table 23: Internal Captive Portal Configuration Parameters
Parameter: Description
Splash page type: Select any of the following from the drop-down list.
• Internal-Authenticated—When Internal Authenticated is enabled, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
• Internal-Acknowledged—When Internal Acknowledged is enabled, the guest users are required to accept the terms and conditions to access the Internet.
MAC authentication: Select Enabled from the drop-down list to enable the MAC authentication.
WISPr (Applicable for WLAN SSIDs only.): Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication on page 170.
NOTE: The WISPr authentication is applicable only for Internal-Authenticated splash pages and is not applicable for wired profiles.
Auth server 1, Auth server 2: Select any one of the following:
• A server from the list of servers if the server is already configured.
• Internal Server to authenticate user credentials at run time.
• Select New for configuring a new external RADIUS or LDAP server for authentication.
Load balancing: Select Enabled to enable load balancing if two authentication servers are used.
Reauth interval: Select a value to allow the APs to periodically reauthenticate all associated and authenticated clients.
Blacklisting (Applicable for WLAN SSIDs only.): If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures.
Accounting mode (Applicable for WLAN SSIDs only.): Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected.
Disable if uplink type is: To exclude uplink, select an uplink type.
Encryption (Applicable for WLAN SSIDs only.): Select Enabled to configure encryption parameters.
Splash Page Design: Under Splash Page Visuals, use the editor to specify text and colors for the initial page that will be displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type (Internal-Authenticated or Internal-Acknowledged) for which you are customizing the splash page design. Perform the following steps to customize the splash page design.
• To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
• To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
• To change the policy text, click the second square in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
• To upload a custom logo, click Upload your own custom logo Image, browse the image file, and click upload image. Ensure that the image file size does not exceed 16 KB.
• To redirect users to another URL, specify a URL in Redirect URL.
• Click Preview to preview the Captive Portal page.
NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.
3. Click Next to configure access rules.
In the CLI
To configure internal captive portal authentication:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# essid <ESSID-name>
(Instant AP)(SSID Profile <name>)# type <Guest>
(Instant AP)(SSID Profile <name>)# captive-portal <internal-authenticated> exclude-uplink {3G|4G|Wifi|Ethernet}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server1>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure internal captive portal for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type <guest>
(Instant AP)(wired ap profile <name>)# captive-portal {<internal-authenticated>|<internal-acknowledged>} exclude-uplink {3G|4G|Wifi|Ethernet}
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# auth-server <server1>
(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To customize internal captive portal splash page:
(Instant AP)(config)# wlan captive-portal
(Instant AP)(Captive Portal)# authenticated
(Instant AP)(Captive Portal)# background-color <color-indicator>
(Instant AP)(Captive Portal)# banner-color <color-indicator>
(Instant AP)(Captive Portal)# banner-text <text>
(Instant AP)(Captive Portal)# decoded-texts <text>
(Instant AP)(Captive Portal)# redirect-url <url>
(Instant AP)(Captive Portal)# terms-of-use <text>
(Instant AP)(Captive Portal)# use-policy <text>
(Instant AP)(Captive Portal)# end
(Instant AP)# commit apply
To upload a customized logo from a TFTP server to the IAP:
(Instant AP)# copy config tftp <ip-address> <filename> portal logo
Configuring External Captive Portal for a Guest Network
This section provides the following information:
• External Captive Portal Profiles on page 129
• Creating a Captive Portal Profile on page 129
• Configuring an SSID or Wired Profile to Use External Captive Portal Authentication on page 131
External Captive Portal Profiles
You can now configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles in the Security > External Captive Portal window and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile under the Security tab of the WLAN wizard or a Wired Network window. In the current release, you can configure up to eight external captive portal profiles.
When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.
Creating a Captive Portal Profile
You can create a captive portal profile using the Instant UI or CLI.
In the Instant UI
1. Click Security > External Captive Portal.
2. Click New. The New pop-up window is displayed.
3. Specify values for the following parameters:

Table 24: Captive Portal Profile Configuration Parameters
Parameter: Description
Name: Enter a name for the profile.
Type: Select any one of the following types of authentication:
• Radius Authentication - Select this option to enable user authentication against a RADIUS server.
• Authentication Text - Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
IP or hostname: Enter the IP address or the hostname of the external splash page server.
URL: Enter the URL for the external captive portal server.
Port: Enter the number of the port to use for communicating with the external captive portal server.
Use https (Available only if RADIUS Authentication is selected): Select Enabled to enforce clients to use HTTPS to communicate with the captive portal server.
Captive Portal failure: This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access Internet when the external captive portal server is not available.
Automatic URL Whitelisting: Select Enabled or Disabled to enable or disable automatic whitelisting of URLs. On selecting the checkbox for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically whitelisted. The automatic URL whitelisting is disabled by default.
Auth Text (Available only if Authentication Text is selected): If the External Authentication splash page is selected, specify the authentication text that must be returned by the external server after successful authentication.
Redirect URL: Specify a redirect URL if you want to redirect the users to another URL.
In the CLI
To configure an external Captive Portal profile:
(Instant AP)(config)# wlan external-captive-portal [profile_name]
(Instant AP)(External Captive Portal)# server <server>
(Instant AP)(External Captive Portal)# port <port>
(Instant AP)(External Captive Portal)# url <url>
(Instant AP)(External Captive Portal)# https
(Instant AP)(External Captive Portal)# redirect-url <url>
(Instant AP)(External Captive Portal)# server-fail-through
(Instant AP)(External Captive Portal)# no auto-whitelist-disable
(Instant AP)(External Captive Portal)# end
(Instant AP)# commit apply
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
You can configure external captive portal authentication for a network profile when adding or editing a guest network using the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard or Wired window.
• To configure external captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
• To configure external captive portal authentication for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. In the Security tab, select External from the Splash page type drop-down list.
3. From the captive portal profile drop-down list, select a profile. You can select a default profile, or an already existing profile, or click New and create a new profile.
4. Configure the following parameters based on the type of splash page you selected.
Table 25: External Captive Portal Configuration Parameters
Parameter: Description
WISPr: Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication on page 170.
NOTE: The WISPr authentication is applicable only for the External-RADIUS Server and Internal-Authenticated splash pages and is not applicable for wired profiles.
MAC authentication: Select Enabled if you want to enable MAC authentication. For information on MAC authentication, see Configuring MAC Authentication for a Network Profile on page 165.
Authentication server: To configure an authentication server, select any of the following options:
• If the server is already configured, select the server from the list.
• To create new external RADIUS server, select New. For more information, see Configuring an External Server for Authentication on page 157.
Reauth interval: Specify a value for the reauthentication interval at which the APs periodically reauthenticate all associated and authenticated clients.
Accounting mode: Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected.
Blacklisting: If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures.
Max authentication failures: If you are configuring a wireless network profile and the Blacklisting is enabled, specify a maximum number of authentication failures after which users who fail to authenticate must be dynamically blacklisted.
Walled garden: Click the link to open the Walled Garden window. The walled garden configuration determines access to the websites. For more information, see Configuring Walled Garden Access on page 138.
Disable if uplink type is: Select the type of the uplink to exclude.
Encryption: Select Enabled to configure encryption settings and specify the encryption parameters.
5. Click Next to continue and then click Finish to apply the changes.
In the CLI
To configure security settings for guest users of the WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# essid <ESSID-name>
(Instant AP)(SSID Profile <name>)# type <Guest>
(Instant AP)(SSID Profile <name>)# captive-portal {<type> [exclude-uplink <types>]|external [exclude-uplink <types>|profile <name> [exclude-uplink <types>]]}
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant Access Point)(SSID Profile <name>)# radius-accounting
(Instant Access Point)(SSID Profile <name>)# radius-interim-accounting-interval
(Instant Access Point)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# wpa-passphrase <WPA_key>
(Instant AP)(SSID Profile <name>)# wep-key <WEP-key> <WEP-index>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure security settings for guest users of the wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type <Guest>
(Instant AP)(wired ap profile <name>)# captive-portal {<type> [exclude-uplink <types>]|external [exclude-uplink <types>|profile <name> [exclude-uplink <types>]]}
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
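One way to review guest profiles against the options described in this section, as an added example that is not Aruba tooling or part of the guide: a Python check that reads profile definitions and reports external portals without https, portals that pass clients through when the portal server is down, guest SSIDs that use a WEP key or the unrestricted role, and captive portal SSIDs without blacklisting. The configuration layout (a header line followed by indented commands), all profile names and addresses, and the reading of server-fail-through as the CLI form of "Allow Internet" under Captive Portal failure are assumptions.

```python
# Constructed sample: names, addresses and values are invented, and the
# header-plus-indented-commands layout is an assumption.
SAMPLE_CONFIG = """\
wlan external-captive-portal cp-lobby
 server 192.0.2.10
 port 80
 url "/Aruba.php"
 server-fail-through
wlan external-captive-portal cp-secure
 server 192.0.2.11
 port 443
 url "/guest.php"
 https
wlan ssid-profile lobby-guest
 essid lobby-guest
 type guest
 captive-portal external profile cp-lobby
 wep-key <redacted> 1
wlan ssid-profile visitor
 essid visitor
 type guest
 captive-portal external profile cp-secure
 blacklist
 max-authentication-failures 5
wlan ssid-profile kiosk
 essid kiosk
 type guest
 captive-portal external profile cp-missing
 set-role-unrestricted
"""


def parse_blocks(text):
    """Map each unindented header line to the list of its indented commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = tuple(raw.split())
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.split())
    return blocks


def audit(text):
    """Return a sorted list of (profile name, finding) pairs."""
    blocks = parse_blocks(text)
    portals = {h[2]: cmds for h, cmds in blocks.items()
               if h[:2] == ("wlan", "external-captive-portal") and len(h) == 3}
    findings = []

    for name, cmds in portals.items():
        words = {c[0] for c in cmds}
        if "https" not in words:
            # "Use https" is what makes clients talk HTTPS to the portal server.
            findings.append((name, "portal-without-https"))
        if "server-fail-through" in words:
            # Assumed to mean Captive Portal failure = Allow Internet.
            findings.append((name, "fail-open-when-portal-down"))

    for header, cmds in blocks.items():
        if header[:2] != ("wlan", "ssid-profile") or len(header) != 3:
            continue
        name, words = header[2], {c[0] for c in cmds}
        if ["type", "guest"] not in [[w.lower() for w in c] for c in cmds]:
            continue  # only guest networks are in scope here
        if "wep-key" in words:
            findings.append((name, "wep-encryption"))
        if "set-role-unrestricted" in words:
            findings.append((name, "unrestricted-guest-role"))
        if "captive-portal" in words and "blacklist" not in words:
            findings.append((name, "no-blacklisting"))
        for c in cmds:
            # captive-portal external profile <name> must name a defined profile
            if c[:3] == ["captive-portal", "external", "profile"] and len(c) > 3:
                if c[3] not in portals:
                    findings.append((name, "undefined-portal-profile"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONFIG):
        print(f"{profile}: {finding}")
```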
Configuring External Captive Portal Authentication Using ClearPass Guest
You can configure Instant to point to ClearPass Guest as an external Captive Portal server. With this configuration, the user authentication is performed by matching a string in the server response and RADIUS server (either ClearPass Guest or a different RADIUS server).
Creating a Web Login page in ClearPass Guest
The ClearPass Guest Visitor Management Appliance provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. With ClearPass Guest, the users can have a controlled access to a dedicated visitor management user database. Through a customizable Web portal, the administrators can easily create an account, reset a password or set an expiry time for visitors. Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit. By defining a Web login page on the ClearPass Guest Visitor Management Appliance, you are able to provide a customized graphical login page for visitors accessing the network.
For information on setting up the RADIUS Web Login feature, see the RADIUS Services section in the ClearPass Guest Deployment Guide.
Configuring RADIUS Server in Instant UI
To configure Instant to point to ClearPass Guest as an external Captive Portal server, perform the following steps:
1. Select the WLAN SSID for which you want to enable external captive portal authentication with CPPM. You can also configure the RADIUS server when configuring a new SSID profile.
2. In the Security tab, select External from the Splash page type.
3. Select New from the Captive portal profile drop-down list and update the following fields:
a. Enter the IP address of the ClearPass Guest server in the IP or hostname field. Obtain the ClearPass Guest IP address from your system administrator.
b. Enter /page_name.php in the URL field. This URL must correspond to the Page Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is Aruba, the URL should be /Aruba.php in the Instant UI.
c. Enter the Port number (generally should be 80). The ClearPass Guest server uses this port for HTTP services.
d. Click OK.
4. To create an external RADIUS server, select New from the Authentication server 1 drop-down list. For information on authentication server configuration parameters, see Configuring an External Server for Authentication on page 157.
5. Click Next and then click Finish.
6. Click the updated SSID in the Network tab.
7. Open any browser and type any URL. Instant redirects the URL to ClearPass Guest login page.
8. Log in to the network with the username and password specified while configuring the RADIUS server.
Configuring Guest Logon Role and Access Rules for Guest Users
For captive portal profile, you can create any of the following types of roles:
• A pre-authenticated role - This role is assigned before the captive portal authentication. The user can only access certain destinations with this role.
• A guest role – This role is assigned after user authentication.
• A captive-portal role - This role can be assigned to any network such as employee, voice, or guest. When the user is assigned with this role, a splash page is displayed after opening a browser and the users may need to authenticate.
You can configure up to 128 access rules for guest user roles through the Instant UI or CLI.
In the Instant UI
To configure roles and access rules for the guest network:

1. In the Access Rules tab, set the slider to any of the following types of access control:
• Unrestricted—Select this to set unrestricted access to the network.
• Network-based—Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an access rule:
a. Click New.
b. Select appropriate options in the New Rule window.
c. Click OK.
• Role-based—Select Role-based to enable access based on user roles. For role-based access control:
  ▪ Create a user role if required. For more information, see Configuring User Roles.
  ▪ Create access rules for a specific user role. For more information, see Configuring Access Rules for Network Services on page 177. You can also configure an access rule to enforce captive portal authentication for an SSID with the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID on page 135.
  ▪ Create a role assignment rule. For more information, see Configuring Derivation Rules on page 192. Instant supports role derivation based on the DHCP option for Captive Portal authentication. When the Captive Portal authentication is successful, a new user role is assigned to the guest users based on DHCP option configured for the SSID profile, instead of the pre-authenticated role.
2. Click Finish.
In the CLI
To configure access control rules for a WLAN SSID:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# rule <dest> <mask> <match> {<protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat {<IP-address> <port>|<port>}}|app <app> {permit|deny}|appcategory <appgrp>|webcategory <webgrp> {permit|deny}|webreputation <webrep> [<option1....option9>]
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To configure access control based on the SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-by-ssid
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure role assignment rules:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure a pre-authentication role:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-pre-auth <pre-authentication-role>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure machine and user authentication roles:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-unrestricted
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Example
The following example configures access rules for the wireless network:
(Instant AP)(config)# wlan access-rule WirelessRule
(Instant AP)(Access Rule "WirelessRule")# rule 192.0.2.2 255.255.255.0 match 6 4343 4343 log classify-media
(Instant AP)(Access Rule "WirelessRule")# rule any any match app deny throttle-downstream 256 throttle-up 256
(Instant AP)(Access Rule "WirelessRule")# rule any any match appcategory collaboration permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webcategory gambling deny
(Instant AP)(Access Rule "WirelessRule")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation well-known-sites permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation safe-sites permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation benign-sites permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation high-risk-sites deny
(Instant AP)(Access Rule "WirelessRule")# end
(Instant AP)# commit apply
Configuring Captive Portal Roles for an SSID
You can configure an access rule to enforce captive portal authentication for SSIDs with 802.1X authentication enabled. You can configure rules to provide access to an external captive portal or an internal captive portal, so that some of the clients using this SSID can derive the captive portal role.
The following conditions apply to the 802.1X and captive portal authentication configuration:
• If a user role does not have Captive Portal settings configured, the captive portal settings configured for an SSID are applied to the client's profile.
• If the SSID does not have Captive Portal settings configured, the captive portal settings configured for a user role are applied to the client's profile.
• If captive portal settings are configured for both SSID and user role, the captive portal settings configured for a user role are applied to the client's profile.
You can create a captive portal role for both Internal-acknowledged and External Authentication Text splash page types.
To enforce the Captive Portal role, use the Instant UI or CLI.
In the Instant UI
To create a captive portal role:
1. Select an SSID profile from the Networks tab. The Edit <WLAN-Profile> window is displayed.
2. In the Access tab, slide to Role-based access control by using the scroll bar.
3. Select a role or create a new one if required.

4. Click New to add a new rule. The New Rule window is displayed.
5. In the New Rule window, specify the following parameters. The following figures show the parameters for Captive Portal role configuration:
Figure 40: Captive Portal Rule for Internal Acknowledged Splash Page
Figure 41: Captive Portal Rule for External Captive portal profile
Table 26: New Access Rule Configuration Parameters
Field: Description
Rule type: Select Captive Portal from the drop-down list.
Splash Page Type: Select any of the following attributes:
• Select Internal to configure a rule for internal captive portal authentication.
• Select External to configure a rule for external captive portal authentication.
Internal: If Internal is selected as splash page type, perform the following steps:
• Under Splash Page Visuals, use the editor to specify text and colors for the initial page that would be displayed to users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type configured.
• To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
• To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
• To change the policy text, click the second square in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
• Specify the URL to which you want to redirect the guest users.
• To upload a custom logo, click Upload your own custom logo Image, browse the image file, and click upload image.
• Click Preview to preview the Captive Portal page.
External | If External is selected, perform the following steps:
• Select a profile from the Captive portal profile drop-down list.
• If you want to edit the profile, click Edit and update the following parameters:
  • Type—Select either Radius Authentication (to enable user authentication against a RADIUS server) or Authentication Text (to specify the authentication text to be returned by the external server after a successful user authentication).
  • IP or hostname—Enter the IP address or the hostname of the external splash page server.
  • URL—Enter the URL for the external splash page server.
  • Port—Enter the number of the port to use for communicating with the external splash page server.
  • Redirect URL—Specify a redirect URL if you want to redirect the users to another URL.
  • Captive Portal failure—This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access Internet when the external captive portal server is not available.
  • Automatic URL Whitelisting—Select Enabled or Disabled to enable or disable automatic whitelisting of URLs. On selecting the check box for the external captive portal authentication, the URLs allowed for the unauthenticated users to access are automatically whitelisted. The automatic URL whitelisting is disabled by default.
  • Auth Text—Indicates the authentication text returned by the external server after a successful user authentication.
6. Click OK. The enforce captive portal rule is created and listed as an access rule.
7. Create a role assignment rule based on the user role, to which the captive portal access rule is assigned.
8. Click Finish.
The client can connect to this SSID after authenticating with username and password. After a successful user login, the captive portal role is assigned to the client.
In the CLI
To create a captive portal role:
(Instant AP)(config)# wlan access-rule <Name>
(Instant AP)(Access Rule <Name>)# captive-portal {external [profile <name>]|internal}
(Instant AP)(Access Rule <Name>)# end
(Instant AP)# commit apply

Configuring Walled Garden Access
On the Internet, a walled garden typically controls access to Web content and services. The Walled garden access is required when an external captive portal is used. An example is a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents.
The users who do not sign up for the Internet service can view the “allowed” websites (typically hotel property websites). The website names must be DNS-based and support the option to define wildcards. This works for client devices with or without HTTP proxy settings.
When a user attempts to navigate to other websites, which are not in the whitelist of the walled garden profile, the user is redirected to the login page. In addition, a blacklisted walled garden profile can also be configured to explicitly block the unauthenticated users from accessing some websites.
You can create a walled garden access in Instant UI or CLI.
In the Instant UI
To create a Walled Garden access:
1. Click the Security link at the top right corner of the Instant main window and click Walled Garden. The Walled Garden tab contents are displayed.
2. To allow users to access a specific domain, click New and enter the domain name or URL in the Whitelist section of the window. This allows access to a domain while the user remains unauthenticated. Specify a POSIX regular expression (regex(7)). For example:
• yahoo.com matches various domains such as news.yahoo.com, travel.yahoo.com and finance.yahoo.com
• www.apple.com/library/test is a subset of www.apple.com site corresponding to path /library/test/*
• favicon.ico allows access to /favicon.ico from all domains.
3. To deny users access to a domain, click New and enter the domain name or URL in the Blacklist section of the window. This prevents the unauthenticated users from viewing specific websites. When a URL specified in the blacklist is accessed by an unauthenticated user, IAP sends an HTTP 403 response to the client with a simple error message.
If the requested URL does not appear on the blacklist or the whitelist, the request is redirected to the external captive portal.
4. Select the domain name/URL and click Edit to modify or Delete to remove the entry from the list.
5. Click OK to apply the changes.
In the CLI
To create a Walled Garden access:
(Instant AP)(config)# wlan walled-garden
(Instant AP)(Walled Garden)# white-list <domain>
(Instant AP)(Walled Garden)# black-list <domain>
(Instant AP)(Walled Garden)# end
(Instant AP)# commit apply
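Whitelist entries can be checked against sample URLs before they are committed. The Python below is an added example, not code from the guide or from Aruba: it assumes each entry is searched unanchored in the string host + path (consistent with the three examples above, but not stated by the guide), that the blacklist takes precedence, and it uses Python's re module as a stand-in for POSIX regular expressions; the test URLs and the blacklist entry are constructed.

```python
import re
from urllib.parse import urlsplit

# Whitelist entries taken from the guide's examples.
GUIDE_WHITELIST = ["yahoo.com", "www.apple.com/library/test", "favicon.ico"]
# Constructed blacklist entry (not from the guide).
SAMPLE_BLACKLIST = [r"ads\.example\.net"]


def match_target(url):
    """Return 'host/path', the string the entries are searched in (assumed)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "") + (parts.path or "/")


def decide(url, whitelist, blacklist):
    """Model the three outcomes the guide describes for an unauthenticated user."""
    target = match_target(url)
    # Assumption: the blacklist wins when both lists match; the guide does not say.
    if any(re.search(p, target) for p in blacklist):
        return "403"
    if any(re.search(p, target) for p in whitelist):
        return "allow"
    return "redirect-to-portal"


def audit_entry(pattern, should_allow, should_not_allow):
    """Check one whitelist entry against URLs it must and must not admit.

    Returns (missed, leaked): URLs wrongly refused and URLs wrongly admitted.
    """
    missed = [u for u in should_allow if decide(u, [pattern], []) != "allow"]
    leaked = [u for u in should_not_allow if decide(u, [pattern], []) == "allow"]
    return missed, leaked


# Constructed test URLs for the yahoo.com entry.
INTENDED = ["http://yahoo.com/", "http://news.yahoo.com/", "http://finance.yahoo.com/q"]
UNINTENDED = [
    "http://yahoo.com.example.net/",   # entry is a prefix of another domain
    "http://notyahoo.com/",            # entry is the tail of a different label
    "http://example.net/yahoo.com",    # entry appears in the path only
    "http://yahooxcom.example.net/",   # unescaped '.' matches any character
]

# Same intent, anchored to the host part and with the dots escaped.
TIGHT_YAHOO = r"^([^/]*\.)?yahoo\.com/"

if __name__ == "__main__":
    for url in ["http://news.yahoo.com/",
                "http://www.apple.com/library/test/a.html",
                "http://www.apple.com/store",
                "http://example.org/favicon.ico",
                "http://ads.example.net/banner"]:
        print(f"{url:45} -> {decide(url, GUIDE_WHITELIST, SAMPLE_BLACKLIST)}")
    for entry in ("yahoo.com", TIGHT_YAHOO):
        missed, leaked = audit_entry(entry, INTENDED, UNINTENDED)
        print(f"{entry!r}: missed={missed} leaked={leaked}")
```

Under these assumptions the bare yahoo.com entry admits all four unintended URLs, while the anchored form with escaped dots admits none and still covers the intended hosts.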

Disabling Captive Portal Authentication
To disable captive portal authentication, perform the following steps:
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit <WLAN-Profile> or Edit Wired Network window is displayed.
You can also customize splash page design in the Security tab of New WLAN and New Wired Network windows when configuring a new profile.
2. Navigate to the Security tab.
3. Select None from the Splash page type drop-down list.
4. Click Next and then click Finish to apply the changes.

Chapter 11
Authentication and User Management
This chapter provides the following information:
• Managing IAP Users
• Understanding Authentication Methods
• Supported Authentication Servers
• Understanding Encryption Types
• Support for Authentication Survivability
• Configuring Authentication Servers
• Configuring 802.1X Authentication for a Network Profile
• Configuring MAC Authentication for a Network Profile
• Configuring MAC Authentication with 802.1X Authentication
• Configuring MAC Authentication with Captive Portal Authentication
• Configuring WISPr Authentication
• Blacklisting Clients
• Uploading Certificates

Managing IAP Users
The IAP users can be classified as follows:
• Administrator—An admin user who creates SSIDs, wired profiles, DHCP server configuration parameters, and manages the local user database. The admin users can access the Virtual Controller Management User Interface.
• Guest administrator—A guest interface management user who manages guest users added in the local user database.
• Administrator with read-only access—The read-only admin user does not have access to the Instant CLI. The Instant UI will be displayed in the read-only mode for these users.
• Employee users—Employees who use the enterprise network for official tasks.
• Guest users—Visiting users who temporarily use the enterprise network to access the Internet.
The user access privileges are determined by IAP management settings in the AirWave Management client and Aruba Central, and the type of the user. The following table outlines the access privileges defined for the admin user, guest management interface admin, and read-only users.
Table 27: User Privileges
User Category | Aruba Central or AirWave Management Platform in Management Mode | IAP in monitor mode or without AirWave Management Platform or Aruba Central
administrator | Access to local user database only | Complete access to the IAP
read-only administrator | No write privileges | No write privileges
guest administrator | Access to local user database only | Access to local user database only

Configuring Authentication Parameters for Management Users
Instant now allows you to configure a TACACS+ Server as the authentication server to support authentication and accounting privileges for management users. TACACS+ server allows a remote access server to communicate with an authentication server to determine if the user has access to the network. In Instant, the users can create several TACACS+ server profiles, out of which one or two of the servers can be specified to authenticate management users.
TACACS+ supports the following types of authentication for management users in Instant:
• ASCII
• PAP
• CHAP
• ARAP
• MSCHAP
The TACACS+ server cannot be attributed to any SSID or wired profile in general as the authentication server and is configured only for management users.
You can also enable TACACS+ accounting when the TACACS+ server is used for authentication.

Configuring a TACACS+ Server Profile for Management User Authentication
To configure a TACACS+ authentication server:
In the Instant UI
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A window for configuring server details for the new server is displayed. The following figure shows the parameters to configure for a new authentication server configuration:
Figure 42 New Authentication Server Window
To create a TACACS+ server profile, specify the attributes described in the following table:

Table 28: TACACS+ Server Configuration Parameters
Parameter | Description
IP address | Enter the IP address of the TACACS+ server.
Auth Port | Enter the TCP/IP port used by the server. The default port number is 49.
Shared Key | Enter the secret key of your choice to authenticate communication between the TACACS+ client and server.
Retype Key | Re-enter the secret key you have specified as the Shared Key.
Timeout | Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds.
Retry Count | Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3.
In the CLI
To configure a TACACS+ server:
(Instant AP)(config)# wlan tacacs-server <profile-name>
(Instant AP)(TACACS Server <profile-name>)# ip <IP-address>
(Instant AP)(TACACS Server <profile-name>)# port <port>
(Instant AP)(TACACS Server <profile-name>)# key <key>
(Instant AP)(TACACS Server <profile-name>)# timeout <seconds>
(Instant AP)(TACACS Server <profile-name>)# retry-count <number>
(Instant AP)(TACACS Server <profile-name>)# deadtime <minutes>
(Instant AP)(TACACS Server <profile-name>)# end

Configuring Administrator Credentials for the Virtual Controller Interface
You can configure authentication parameters for admin users to enable access to the Virtual Controller management user interface in the Instant UI or CLI.
In the Instant UI
1. Click the System link at top right corner of the Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed. The following figure shows the contents of the Admin tab:
Figure 43 Admin Tab: Management Authentication Parameters
3. Under Local, select any of the following options from the Authentication drop-down list:
• Internal—Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.
• Authentication Server—Specify one or two authentication servers to authenticate clients. If two servers are configured, users can use them in primary or backup mode or load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list. For more information on load balancing, see Dynamic Load Balancing between Two Authentication Servers on page 154.
You may also specify a RADIUS Server as one of the authentication servers along with a TACACS+ server. If a TACACS+ server is selected, you can select the TACACS accounting check box for reporting management commands.
The TACACS accounting option is available only when a TACACS+ server is specified as one of the authentication servers.
• Authentication server w/ fallback to internal—Select this option to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To complete this configuration, perform the following steps:
  a. To enable load balancing, select Enabled from the Load balancing drop-down list.
  b. Specify a Username and Password.
  c. Retype the password to confirm.
4. Click OK.
In the CLI
To configure an admin user:
(Instant AP)(config)# mgmt-user <username> [password]
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure RADIUS or TACACS+ authentication parameters:
(Instant AP)(config)# mgmt-auth-server <authentication_server1>
(Instant AP)(config)# mgmt-auth-server <authentication_server2>
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure management authentication settings:
(Instant AP)(config)# mgmt-auth-server <server1>
(Instant AP)(config)# mgmt-auth-server <server2>
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# end
(Instant AP)# commit apply

Configuring Guest Management Interface Administrator Credentials
You can configure guest administrator credentials in the Instant UI or CLI.
In the Instant UI
1. Click the System link at top right corner of the Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed.
3. Under Guest Registration Only:
  a. Specify a Username and Password.
  b. Retype the password to confirm.
4. Click OK. When the guest management administrator logs in with these credentials, the guest management interface is displayed.
In the CLI
To configure guest management administrator credentials:
(Instant AP)(config)# mgmt-user <username> [password] guest-mgmt
(Instant AP)(config)# end
(Instant AP)# commit apply

Configuring Users for Internal Database of an IAP
The Instant user database consists of a list of guest and employee users. The addition of a user involves specifying login credentials for a user. The login credentials for these users are provided outside the Instant system.
A guest user can be a visitor who is temporarily using the enterprise network to access the Internet. However, if you do not want to allow access to the internal network and the Intranet, you can segregate the guest traffic from the enterprise traffic by creating a guest WLAN and specifying the required authentication, encryption, and access rules.
An employee user is the employee who is using the enterprise network for official tasks. You can create Employee WLANs, specify the required authentication, encryption and access rules and allow the employees to use the enterprise network.
The user database is also used when an IAP is configured as an internal RADIUS server.
The local user database of APs can support up to 512 user entries except IAP-9x. IAP-9x supports only 256 user entries. If there are already 512 users, IAP-9x will not be able to join the cluster.
In the Instant UI
To configure users:
1. Click the Security link at the top right corner of the Instant main window.
2. Click Users for Internal Server. The following figure shows the contents of the Users for Internal Server tab.
Figure 44 Adding a User
3. Enter the username in the Username text box.
4. Enter the password in the Password text box and reconfirm.
5. Select a type of network from the Type drop-down list.
6. Click Add and click OK. The users are listed in the Users list.
7. To edit user settings:
  a. Select the user to modify under Users.
  b. Click Edit to modify user settings.
  c. Click OK.
8. To delete a user:
  a. In the Users section, select the username to delete.
  b. Click Delete.
  c. Click OK.
9. To delete all or multiple users at a time:
  a. Select the usernames that you want to delete.
  b. Click Delete All.
  c. Click OK.
Deleting a user only removes the user record from the user database, and will not disconnect the online user associated with the username.
In the CLI
To configure an employee user:
(Instant AP)(config)# user <username> <password> radius
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure a guest user:
(Instant AP)(config)# user <username> <password> portal
(Instant AP)(config)# end
(Instant AP)# commit apply

Configuring the Read-Only Administrator Credentials
You can assign the read-only privilege to an admin user by using the Instant UI or CLI.
In the Instant UI
1. Click the System link at top right corner of the Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed.
3. Under View Only:
  a. Specify a Username and Password.
  b. Retype the password to confirm.
4. Click OK. When the users log in with these credentials, the Instant UI is displayed in the read-only mode.
In the CLI
To configure a user with read-only privilege:
(Instant AP)(config)# mgmt-user <username> [password] read-only
(Instant AP)(config)# end
(Instant AP)# commit apply

Adding Guest Users through the Guest Management Interface
To add guest users through the Guest Management interface:
1. Log in to Instant UI with the guest management interface administrator credentials. The guest management interface is displayed.
Figure 45 Guest Management Interface
2. To add a user, click New. The New Guest User pop-up window is displayed.
3. Specify a Username and Password.
4. Retype the password to confirm.
5. Click OK.

Understanding Authentication Methods
Authentication is a process of identifying a user through a valid username and password or based on their MAC addresses. The following authentication methods are supported in Instant:
• 802.1X authentication
• MAC authentication
• MAC authentication with 802.1X authentication
• Captive Portal Authentication
• MAC authentication with Captive Portal authentication
• 802.1X authentication with Captive Portal Role
• WISPr authentication

802.1X authentication
802.1X is an IEEE standard that provides an authentication framework for WLANs. 802.1X uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. For more information on EAP authentication framework supported by the IAP, see Supported EAP Authentication Frameworks on page 149.
The 802.1X authentication method allows an IAP to authenticate the identity of a user before providing network access to the user. The Remote Authentication Dial In User Service (RADIUS) protocol provides centralized authentication, authorization, and accounting management. For authentication purposes, the wireless client can associate to a network access server (NAS) or RADIUS client such as a wireless IAP. The wireless client can pass data traffic only after successful 802.1X authentication.
For more information on configuring an IAP to use 802.1X authentication, see Configuring 802.1X Authentication for a Network Profile on page 163.

MAC authentication
MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks and the networks that require stringent security settings. For more information on configuring an IAP to use MAC authentication, see Configuring MAC Authentication for a Network Profile on page 165.

MAC authentication with 802.1X authentication
This authentication method has the following features:
• MAC authentication precedes 802.1X authentication - The administrators can enable MAC authentication for 802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role.
• MAC authentication only role - Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
• L2 authentication fall-through - Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default.
For more information on configuring an IAP to use MAC + 802.1X Authentication, see Configuring MAC Authentication with 802.1X Authentication on page 167.
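The three features above combine into one decision procedure. The following Python is an added example, not Aruba code: it derives the role for every combination of results and settings and lists the combinations a reviewer should look at. Three outcomes are assumptions because the guide does not state them: a client that fails MAC authentication with fall-through disabled is labelled "not admitted", a client that fails MAC authentication but passes 802.1X with fall-through enabled receives the 802.1X role, and one that fails both receives deny-all.

```python
from itertools import product

DOT1X_ROLE = "802.1X authentication role"
MAC_AUTH_ONLY = "mac-auth-only"
DENY_ALL = "deny-all"
NOT_ADMITTED = "not admitted"  # label chosen for this example


def derive_role(mac_ok, dot1x_ok, l2_fallthrough=False, mac_auth_only_role=False):
    """Return (role, dot1x_attempted) for one connecting client.

    mac_ok / dot1x_ok   -- result each check gives (or would give) for this client
    l2_fallthrough      -- l2-authentication-fallthrough enabled (default: disabled)
    mac_auth_only_role  -- a mac-auth-only role has been created
    """
    # MAC authentication runs first; a failure stops here unless
    # fall-through is enabled.
    if not mac_ok and not l2_fallthrough:
        return NOT_ADMITTED, False
    # 802.1X is attempted; success yields the final 802.1X role
    # (assumed to hold on the fall-through path as well).
    if dot1x_ok:
        return DOT1X_ROLE, True
    # 802.1X failed: mac-auth-only applies only after a successful MAC check.
    if mac_ok and mac_auth_only_role:
        return MAC_AUTH_ONLY, True
    return DENY_ALL, True


def access_without_dot1x():
    """Settings under which a client that fails 802.1X still gets a usable role.

    Returns (mac_ok, l2_fallthrough, mac_auth_only_role) tuples.
    """
    hits = []
    for mac_ok, fallthrough, mac_only in product([False, True], repeat=3):
        role, _ = derive_role(mac_ok, False, fallthrough, mac_only)
        if role not in (DENY_ALL, NOT_ADMITTED):
            hits.append((mac_ok, fallthrough, mac_only))
    return hits


def mac_list_not_enforced():
    """Settings under which a client absent from the MAC list reaches the 802.1X role.

    Returns (l2_fallthrough, mac_auth_only_role) tuples.
    """
    hits = []
    for fallthrough, mac_only in product([False, True], repeat=2):
        role, _ = derive_role(False, True, fallthrough, mac_only)
        if role == DOT1X_ROLE:
            hits.append((fallthrough, mac_only))
    return hits


if __name__ == "__main__":
    print(f"{'MAC':5} {'802.1X':6} {'fallthru':8} {'mac-only':8}  role")
    for mac_ok, dot1x_ok, fallthrough, mac_only in product([False, True], repeat=4):
        role, tried = derive_role(mac_ok, dot1x_ok, fallthrough, mac_only)
        print(f"{mac_ok!s:5} {dot1x_ok!s:6} {fallthrough!s:8} {mac_only!s:8}  "
              f"{role} (802.1X attempted: {tried})")
    print("access without 802.1X:", access_without_dot1x())
    print("MAC list not enforced:", mac_list_not_enforced())
```

The two audit functions isolate the settings that matter in a review: the access rules attached to the mac-auth-only role decide what a client gets on the strength of its MAC address alone, and enabling fall-through means the MAC list no longer gates 802.1X.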

Captive Portal Authentication
Captive portal authentication is used for authenticating guest users. For more information on Captive Portal authentication, see Captive Portal for Guest Access on page 120.

MAC authentication with Captive Portal authentication
This authentication method has the following features:
• If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
• If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
• If the captive portal splash page type is none, MAC authentication is disabled.
• You can configure the mac-auth-only role when MAC authentication is enabled with captive portal authentication.
For more information on configuring an IAP to use MAC and Captive Portal authentication, see Configuring MAC Authentication with Captive Portal Authentication on page 169.

802.1X authentication with Captive Portal Role
This authentication mechanism allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to external or internal captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Configuring Captive Portal Roles for an SSID on page 135.

WISPr authentication
Wireless Internet Service Provider roaming (WISPr) authentication allows a smart client to authenticate on the network when they roam between wireless Internet service providers, even if the wireless hotspot uses an Internet Service Provider (ISP) with whom the client may not have an account.
If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client’s credentials to the partner ISP’s WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on your hotspot’s own ISP as per their service agreements. The IAP assigns the default WISPr user role to the client when your ISP sends an authentication message to the IAP. For more information on WISPr authentication, see Configuring WISPr Authentication on page 170.

Supported EAP Authentication Frameworks
The following EAP authentication frameworks are supported in the Instant network:
• EAP-TLS—The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. The EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server.
• EAP-TTLS (MSCHAPv2)—The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
• EAP-PEAP (MSCHAPv2)—EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with server. The PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. Exchange of information is encrypted and stored in the tunnel ensuring the user credentials are kept secure.
• LEAP—Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and authentication server.
To use the IAP’s internal database for user authentication, add the names and passwords of the users to be authenticated.
Aruba does not recommend the use of LEAP authentication, because it does not provide any resistance to network attacks.

Authentication Termination on IAP
IAPs support EAP termination for enterprise WLAN SSIDs. The EAP termination can reduce the number of exchange packets between the IAP and the authentication servers. Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol (PEAP)-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access Protocol (LDAP) server and external RADIUS server while PEAP-MSCHAPv2 allows authorization against an external RADIUS server.
This allows the users to run PEAP-GTC termination with their username and password to a local Microsoft Active Directory server with LDAP authentication.
• EAP-Generic Token Card (GTC)—This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP to an external authentication server for user data backup.
• EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2)—This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.

Supported Authentication Servers
Based on the security requirements, you can configure internal or external authentication servers. This section describes the types of servers that can be configured for client authentication:
• Internal RADIUS Server
• External RADIUS Server
• Dynamic Load Balancing between Two Authentication Servers
In the 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management users. For more information on management users and TACACS+ server based authentication, see Configuring Authentication Parameters for Management Users.

Internal RADIUS Server
Each IAP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS server option for the network, the client on the IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens and replies to the RADIUS packet. Instant itself serves as a RADIUS server for 802.1X authentication. However, the internal RADIUS server can also be configured as a backup RADIUS server for an external RADIUS server.

External RADIUS Server
In the external RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. Instant RADIUS is implemented on the Virtual Controller, and this eliminates the need to configure multiple NAS clients for every IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and the clients are allowed or denied access to the network depending on the response from the RADIUS server. When you enable an external RADIUS server for the network, the client on the IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet.
Instant supports the following external authentication servers:
• RADIUS (Remote Authentication Dial-In User Service)
• LDAP (Lightweight Directory Access Protocol)
• CPPM Server for AirGroup CoA
To use an LDAP server for user authentication, configure the LDAP server on the Virtual Controller, and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the Virtual Controller.

RADIUS Server Authentication with VSA
An external RADIUS server authenticates network users and returns to the IAP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
Instant supports the following VSAs for user role and VLAN derivation rules:
• AP-Group
• AP-Name
• ARAP-Features
• ARAP-Security
• ARAP-Security-Data
• ARAP-Zone-Access
• Acct-Authentic
• Acct-Delay-Time
• Acct-Input-Gigawords
• Acct-Input-Octets
• Acct-Input-Packets
• Acct-Interim-Interval
• Acct-Link-Count
• Acct-Multi-Session-Id
• Acct-Output-Gigawords
• Acct-Output-Octets
• Acct-Output-Packets
• Acct-Session-Id
• Acct-Session-Time
• Acct-Status-Type
• Acct-Terminate-Cause
• Acct-Tunnel-Packets-Lost
• Add-Port-To-IP-Address
• Aruba-AP-Group
• Aruba-AP-IP-Address
• Aruba-AS-Credential-Hash
• Aruba-AS-User-Name
• Aruba-Admin-Role
• Aruba-AirGroup-Device-Type
• Aruba-AirGroup-Shared-Group
• Aruba-AirGroup-Shared-Role
• Aruba-AirGroup-Shared-User
• Aruba-AirGroup-User-Name
• Aruba-AirGroup-Version
• Aruba-Auth-Survivability
• Aruba-CPPM-Role
• Aruba-Device-Type
• Aruba-Essid-Name
• Aruba-Framed-IPv6-Address
• Aruba-Location-Id
• Aruba-Mdps-Device-Iccid
• Aruba-Mdps-Device-Imei
• Aruba-Mdps-Device-Name
• Aruba-Mdps-Device-Product
• Aruba-Mdps-Device-Profile
• Aruba-Mdps-Device-Serial
• Aruba-Mdps-Device-Udid
• Aruba-Mdps-Device-Version
• Aruba-Mdps-Max-Devices
• Aruba-Mdps-Provisioning-Settings
• Aruba-Named-User-Vlan
• Aruba-Network-SSO-Token
• Aruba-No-DHCP-Fingerprint
• Aruba-Port-Id
• Aruba-Priv-Admin-User
• Aruba-Template-User
• Aruba-User-Group
• Aruba-User-Role
• Aruba-User-Vlan
• Aruba-WorkSpace-App-Name
• Authentication-Sub-Type
• Authentication-Type
• CHAP-Challenge
• Callback-Id
• Callback-Number
• Chargeable-User-Identity
• Class
• Connect-Info
• Connect-Rate
• Crypt-Password
• DB-Entry-State
• Digest-Response
• Domain-Name
• EAP-Message
• Error-Cause
• Event-Timestamp
• Exec-Program
• Exec-Program-Wait
• Expiration
• Fall-Through
• Filter-Id
• Framed-AppleTalk-Link
• Framed-AppleTalk-Network
• Framed-AppleTalk-Zone
• Framed-Compression
• Framed-IP-Address
• Framed-IP-Netmask
• Framed-IPX-Network
• Framed-IPv6-Pool
• Framed-IPv6-Prefix
• Framed-IPv6-Route
• Framed-Interface-Id
• Framed-MTU
• Framed-Protocol
• Framed-Route
• Framed-Routing
• Full-Name
• Group
• Group-Name
• Hint
• Huntgroup-Name
• Idle-Timeout
• Location-Capable
• Location-Data
• Location-Information
• Login-IP-Host
• Login-IPv6-Host
• Login-LAT-Node
• Login-LAT-Port
• Login-LAT-Service
• Login-Service
• Login-TCP-Port
• Menu
• Message-Auth
• NAS-IPv6-Address
• NAS-Port-Type
• Operator-Name
• Password
• Password-Retry
• Port-Limit
• Prefix
• Prompt
• Rad-Authenticator
• Rad-Code
• Rad-Id
• Rad-Length
• Reply-Message
• Requested-Location-Info
• Revoke-Text
• Server-Group
• Server-Name
• Service-Type
• Session-Timeout
• Simultaneous-Use
• State
• Strip-User-Name
• Suffix
• Termination-Action
• Termination-Menu
• Tunnel-Assignment-Id
• Tunnel-Client-Auth-Id
• Tunnel-Client-Endpoint
• Tunnel-Connection-Id
• Tunnel-Medium-Type
• Tunnel-Preference
• Tunnel-Private-Group-Id
• Tunnel-Server-Auth-Id
• Tunnel-Server-Endpoint
• Tunnel-Type
• User-Category
• User-Name
• User-Vlan
• Vendor-Specific

Dynamic Load Balancing between Two Authentication Servers
You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and enables the IAPs to perform load balancing of authentication requests destined to authentication servers such as RADIUS or LDAP.
The load balancing in IAP is performed based on outstanding authentication sessions. If there are no outstanding sessions and if the rate of authentication is low, only primary server will be used. The secondary is used only if there are outstanding authentication sessions on the primary server. With this, the load balance can be performed across asymmetric capacity RADIUS servers without the need to obtain inputs about the server capabilities from the administrators.
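A small simulation shows why balancing on outstanding sessions needs no capacity figures. This Python is an added example, not Aruba's algorithm: it assumes each request goes to the server with fewer outstanding sessions (the primary on a tie) and that each server answers after a fixed delay; the arrival rates and delays are constructed.

```python
def simulate(n_requests, interval_ms, primary_ms, secondary_ms):
    """Dispatch requests arriving every interval_ms; return per-server counts.

    Each server answers a request a fixed time after receiving it
    (primary_ms / secondary_ms). Assumed selection rule: send to the server
    with fewer outstanding sessions, preferring the primary on a tie.
    """
    latency = {"primary": primary_ms, "secondary": secondary_ms}
    finish_times = {"primary": [], "secondary": []}
    counts = {"primary": 0, "secondary": 0}
    for i in range(n_requests):
        now = i * interval_ms
        outstanding = {}
        for name, times in finish_times.items():
            # Forget sessions that have been answered by 'now'.
            times[:] = [t for t in times if t > now]
            outstanding[name] = len(times)
        if outstanding["primary"] <= outstanding["secondary"]:
            choice = "primary"
        else:
            choice = "secondary"
        finish_times[choice].append(now + latency[choice])
        counts[choice] += 1
    return counts


if __name__ == "__main__":
    # Constructed scenarios: (label, arrival interval, primary delay, secondary delay)
    scenarios = [
        ("low rate", 100, 20, 80),
        ("high rate, fast primary", 10, 20, 80),
        ("high rate, slow primary", 10, 80, 20),
    ]
    for label, interval, p_ms, s_ms in scenarios:
        print(f"{label:25} {simulate(100, interval, p_ms, s_ms)}")
```

At the low rate the secondary is never used; at the high rate the faster server ends up with most of the requests whichever role it has, because its sessions clear sooner.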

Understanding Encryption Types
Encryption is the process of converting data into a cryptic format or code when it is transmitted on a network. Encryption prevents unauthorized use of the data.
Instant supports the following types of encryption:
• WEP—Wired Equivalent Privacy (WEP) is an authentication method where all users share the same key. WEP is not as secure as other encryption types such as TKIP.
• TKIP—Temporal Key Integrity Protocol (TKIP) uses the same encryption algorithm as WEP. However, TKIP is more secure and has an additional message integrity check (MIC).
• AES—The Advanced Encryption Standard (AES) encryption algorithm is a widely supported encryption type for all wireless networks that contain any confidential data. AES in Wi-Fi leverages 802.1X or PSKs to generate per station keys for all devices. AES provides a high level of security like IP Security (IPsec) clients.
WEP and TKIP are limited to WLAN connection speed of 54 Mbps. The 802.11n connection supports only AES encryption. Aruba recommends AES encryption. Ensure that all devices that do not support AES are upgraded or replaced with the devices that support AES encryption.
WPA and WPA2
WPA is created based on a draft of 802.11i, which allowed users to create more secure WLANs. WPA2 encompasses the full implementation of the 802.11i standard. WPA2 is a superset that encompasses the full WPA feature set.
The following table summarizes the differences between the two certifications:
Certification | Authentication | Encryption
WPA | PSK; IEEE 802.1X with Extensible Authentication Protocol (EAP) | TKIP with message integrity check (MIC)
WPA2 | PSK; IEEE 802.1X with EAP | AES -- Counter Mode with Cipher Block Chaining Message Authentication Code (AESCCMP)
Table 29: WPA and WPA2 Features
WPA and WPA2 can be further classified as follows:
• Personal—Personal is also called Pre-Shared Key (PSK). In this type, a unique key is shared with each client in the network. Users have to use this key to securely log in to the network. The key remains the same until it is changed by authorized personnel. You can also configure key change intervals.
• Enterprise—Enterprise is more secure than WPA Personal. In this type, every client automatically receives a unique encryption key after securely logging on to the network. This key is automatically updated at regular intervals. WPA uses TKIP and WPA2 uses the AES algorithm.
Recommended Authentication and Encryption Combinations
The following table summarizes the recommendations for authentication and encryption combinations for the Wi-Fi networks.
Network Type | Authentication | Encryption
Employee | 802.1X | AES
Guest Network | Captive Portal | None
Voice Network or Handheld devices | 802.1X or PSK as supported by the device | AES if possible, TKIP or WEP if necessary (combine with security settings assigned for a user role).
Table 30: Recommended Authentication and Encryption Combinations
Support for Authentication Survivability
The authentication survivability feature supports a survivable authentication framework against the remote link failure when working with the external authentication servers. When enabled, this feature allows the IAPs to authenticate the previously connected clients against the cached credentials if the connection to the authentication server is temporarily lost.
Instant supports the following EAP standards for authentication survivability:
• EAP-PEAP: The Protected Extensible Authentication Protocol also known as Protected EAP or PEAP is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The EAP-PEAP supports the MSCHAPv2 and GTC methods.
• EAP-TLS: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer Security (TLS) protocol.
When the authentication survivability feature is enabled, the following authentication process is used:
1. The client associates to an IAP and authenticates to the external authentication server. The external authentication server can be either CPPM (for EAP-PEAP) or RADIUS server (EAP-TLS).
2. Upon successful authentication, the associated IAP caches the authentication credentials of the connected users for the configured duration. The cache expiry duration for authentication survivability can be set within the range of 1-99 hours, with 24 hours being the default cache timeout duration.
3. If the client roams or tries to reconnect to the IAP and the remote link fails due to the unavailability of the authentication server, the IAP uses the cached credentials in the internal authentication server to authenticate the user. However, if the user tries to reconnect after the cache expiry, the authentication fails.
4. When the authentication server is available and if the client tries to reconnect, the IAP detects the availability of server and allows the client to authenticate to the server. Upon successful authentication, the IAP cache details are refreshed.
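The four-step process above can be replayed as a small state model to see how long a server-side account removal goes unenforced during an outage. This is an added example, not Aruba code: the class, the timeline, and the rule that a reject from a reachable server drops the cached entry are assumptions, and the contents of the real cache are not modelled.

```python
from dataclasses import dataclass, field

DEFAULT_CACHE_HOURS = 24                  # default cache time-out from the guide
MIN_CACHE_HOURS, MAX_CACHE_HOURS = 1, 99  # configurable range from the guide


@dataclass
class SurvivabilityModel:
    """Simplified model of one IAP's authentication survivability cache."""
    cache_hours: int = DEFAULT_CACHE_HOURS
    expiry: dict = field(default_factory=dict)   # user -> hour the entry expires

    def __post_init__(self):
        if not MIN_CACHE_HOURS <= self.cache_hours <= MAX_CACHE_HOURS:
            raise ValueError("cache time-out must be within 1-99 hours")

    def authenticate(self, user, now_h, server_up, server_accepts):
        """Return (allowed, decided_by) for one connection attempt at hour now_h."""
        if server_up:
            if server_accepts:
                # Steps 1, 2 and 4: a successful server login fills or refreshes the cache.
                self.expiry[user] = now_h + self.cache_hours
                return True, "server"
            # Assumption: a reject from a reachable server also drops the cached entry.
            self.expiry.pop(user, None)
            return False, "server"
        # Step 3: server unreachable, so only an unexpired cache entry admits the user.
        expires = self.expiry.get(user)
        if expires is not None and now_h < expires:
            return True, "cache"
        self.expiry.pop(user, None)
        return False, "cache"


# Constructed timeline: (hour, user, server_up, server_accepts).
# "alice" is deleted on the server at hour 3, while the link is already down,
# so server_accepts is False from then on but cannot be consulted until hour 26.
TIMELINE = [
    (0, "alice", True, True),     # normal login, cached until hour 24
    (5, "bob", False, True),      # outage; bob never logged in through this IAP
    (10, "alice", False, False),  # outage; deleted account still admitted from cache
    (25, "alice", False, False),  # outage outlasts the cache entry
    (26, "alice", True, False),   # link restored; the deletion takes effect
]


def replay(cache_hours=DEFAULT_CACHE_HOURS, timeline=TIMELINE):
    """Run the timeline through a fresh model and return one tuple per attempt."""
    model = SurvivabilityModel(cache_hours=cache_hours)
    return [(hour, user) + model.authenticate(user, hour, up, ok)
            for hour, user, up, ok in timeline]


if __name__ == "__main__":
    for row in replay():
        print(row)
```

Replaying the same timeline with a shorter cache time-out shows the trade-off: the hour-10 attempt by the removed account is refused, and so is every legitimate user whose entry has aged out.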
Configuring Authentication Survivability
You can enable authentication survivability for a wireless network profile through the UI or CLI.
In the Instant UI
To configure authentication survivability for a wireless network:
1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable authentication survivability and click edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, under Enterprise security settings, select an existing authentication server or create a new server by clicking New.
4. To enable authentication survivability, select Enabled from the Authentication survivability drop-down. On enabling this, the IAP authenticates the previously connected clients using EAP-PEAP and EAP-TLS authentication when connection to the external authentication server is temporarily lost.
5. Specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1-99 hours and the default cache timeout duration is 24 hours.
6. Click Next and then click Finish to apply the changes.
Important Points to Remember
• Any client connected through CPPM and authenticated through IAP remains authenticated with the IAP even if the client is removed from the CPPM server during the CPPM downtime.
• Do not make any changes to the authentication survivability cache timeout duration when the authentication server is down.
• For EAP-PEAP authentication, ensure that the CPPM 6.0.2 or later version is used for authentication. For EAP-TLS authentication, any external or third-party server can be used.
• For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded on IAP. For more information, see Uploading Certificates on page 173.
In the CLI
To configure authentication survivability for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
To view the cache expiry duration:
(Instant AP)# show auth-survivability time-out
To view the information cached by the IAP:
(Instant AP)# show auth-survivability cached-info
To view logs for debugging:
(Instant AP)# show auth-survivability debug-log
Configuring Authentication Servers
This section describes the following procedures:
• Configuring an External Server for Authentication on page 157
• Configuring Dynamic RADIUS Proxy Parameters on page 161
Configuring an External Server for Authentication
You can add an external RADIUS server, LDAP server, CPPM server for AirGroup or CoA through the Instant UI or CLI.
In 6.4.0.2-4.1 release, you can configure TACACS+ server for authenticating management users. For more information on management users and TACACS+ server based authentication, see Configuring Authentication Parameters for Management Users.
In the Instant UI
To configure an authentication server:
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A window for specifying details for the new server is displayed. The following figure shows the parameters to configure for a new RADIUS authentication server configuration:
Figure 46 New Authentication Server Window
3. Configure any of the following types of server:
• RADIUS Server—To configure a RADIUS server, specify the attributes described in the following table:
Parameter | Description
Name | Enter the name of the new external RADIUS server.
IP address | Enter the IP address of the external RADIUS server.
Auth port | Enter the authorization port number of the external RADIUS server. The default port number is 1812.
Accounting port | Enter the accounting port number. This port is used for sending accounting records to the RADIUS server. The default port number is 1813.
Shared key | Enter a shared key for communicating with the external RADIUS server.
Retype key | Re-enter the shared key.
Timeout | Specify a timeout value in seconds. The value determines the timeout for one RADIUS request. The IAP retries to send the request several times (as configured in the Retry count), before the user gets disconnected. For example, if the Timeout is 5 seconds, Retry counter is 3, user is disconnected after 20 seconds. The default value is 5 seconds.
Retry count | Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group, and the default value is 3 requests.
RFC 3576 | Select Enabled to allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.
NAS IP address | Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets. NOTE: If you do not enter the IP address, the Virtual Controller IP address is used by default when Dynamic RADIUS Proxy is enabled.
NAS identifier | Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
Dead Time | Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the IAP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.
Dynamic RADIUS proxy parameters | Specify the following dynamic RADIUS proxy parameters: DRP IP—IP address to be used as source IP for RADIUS packets; DRP Mask—Subnet mask of the DRP IP address; DRP VLAN—VLAN in which the RADIUS packets are sent; DRP Gateway—Gateway IP address of the DRP VLAN. For more information on dynamic RADIUS proxy parameters and configuration procedure, see Configuring Dynamic RADIUS Proxy Parameters on page 161.
Table 31: RADIUS Server Configuration Parameters
• LDAP Server—To configure an LDAP server, select the LDAP option and specify the attributes described in the following table:
Parameter | Description
Name | Enter the name of the LDAP server.
IP address | Enter the IP address of the LDAP server.
Auth port | Enter the authorization port number of the LDAP server. The default port number is 389.
Admin-DN | Enter a distinguished name for the admin user with read/search privileges across all the entries in the LDAP database (the user need not have write privileges, but the user must be able to search the database, and read attributes of other users in the database).
Admin password | Enter a password for administrator.
Base-DN | Enter a distinguished name for the node that contains the entire user database.
Filter | Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
Key Attribute | Specify the attribute to use as a key while searching for the LDAP server. For Active Directory, the value is sAMAccountName.
Timeout | Enter a value between 1 and 30 seconds. The default value is 5.
Retry count | Enter a value between 1 and 5. The default value is 3.
Dead Time | Specify a dead time for authentication server in minutes within the range of 1-1440 minutes. The default dead time interval is 5 minutes. When two or more authentication servers are configured on the IAP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.
Table 32: LDAP Server Configuration Parameters
• CPPM Server for AirGroup CoA—To configure a CPPM server used for AirGroup CoA (Change of Authorization), select the CoA only check box. The RADIUS server is automatically selected.
Parameter | Description
Name | Enter the name of the server.
IP address | Enter the IP address of the server.
AirGroup CoA port | Enter a port number for sending AirGroup CoA on a different port than on the standard CoA port. The default value is 5999.
Shared key | Enter a shared key for communicating with the external RADIUS server.
Retype key | Re-enter the shared key.
Table 33: CPPM Server Configuration Parameters for AirGroup CoA
4. Click OK.
The CPPM server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device including shared user, role, and location.
To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
You can also add an external RADIUS server by selecting the New option when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 98 and Configuring Security Settings for a Wired Profile on page 114.
In the CLI
To configure a RADIUS server:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <IP-address>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# port <port>
(Instant AP)(Auth Server <profile-name>)# acctport <port>
(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant AP)(Auth Server <profile-name>)# timeout <seconds>
(Instant AP)(Auth Server <profile-name>)# retry-count <number>
(Instant AP)(Auth Server <profile-name>)# rfc3576
(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>
(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply
To configure an LDAP server:
(Instant AP)(config)# wlan ldap-server <profile-name>
(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>
(Instant AP)(LDAP Server <profile-name>)# port <port>
(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>
(Instant AP)(LDAP Server <profile-name>)# admin-password <password>
(Instant AP)(LDAP Server <profile-name>)# base-dn <name>
(Instant AP)(LDAP Server <profile-name>)# filter <filter>
(Instant AP)(LDAP Server <profile-name>)# key-attribute <key>
(Instant AP)(LDAP Server <profile-name>)# timeout <seconds>
(Instant AP)(LDAP Server <profile-name>)# retry-count <number>
(Instant AP)(LDAP Server <profile-name>)# deadtime <minutes>
(Instant AP)(LDAP Server <profile-name>)# end
(Instant AP)# commit apply
To configure a CPPM server used for AirGroup CoA (Change of Authorization):
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <IP-address>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>
(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply
Configuring Dynamic RADIUS Proxy Parameters
The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled.
If the IAP clients need to authenticate to the RADIUS servers through a different IP address and VLAN, ensure that the following steps are completed:
1. Enable dynamic RADIUS proxy.
2. Configure dynamic RADIUS proxy IP, VLAN, netmask, and gateway for each authentication server.
3. Associate the authentication servers to SSID or a wired profile to which the clients connect.
After completing the above-mentioned configuration steps, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.
Enabling Dynamic RADIUS Proxy
You can enable RADIUS Server Support using the Instant UI or CLI.
In the Instant UI
To enable RADIUS server support:
1. In the Instant main window, click the System link. The System window is displayed.
2. In the General tab of System window, select Enabled from the Dynamic RADIUS Proxy drop-down list.
3. Click OK.
When dynamic RADIUS proxy is enabled, ensure that a static Virtual Controller IP is configured. For more information on configuring Virtual Controller IP address, see Configuring Virtual Controller IP Address on page 75.
When dynamic RADIUS proxy is enabled, the Virtual Controller network uses the IP Address of the Virtual Controller for communication with external RADIUS servers. Ensure that the Virtual Controller IP Address is set as a NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication on page 157.
In the CLI
To enable the dynamic RADIUS proxy feature:
(Instant AP)(config)# dynamic-radius-proxy
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Dynamic RADIUS Proxy Parameters for Authentication Servers
You can configure DRP parameters for the authentication server by using the Instant UI or CLI.
In the Instant UI
1. Click Security > Authentication Servers.
2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 31.
3. Ensure that the following dynamic RADIUS proxy parameters are configured:
• DRP IP—IP address to be used as source IP for RADIUS packets
• DRP Mask—Subnet mask of the DRP IP address.
• DRP VLAN—VLAN in which the RADIUS packets are sent.
• DRP Gateway—Gateway IP address of the DRP VLAN.
4. Click OK.
In the CLI
To configure dynamic RADIUS proxy parameters:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <IP-address>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# port <port>
(Instant AP)(Auth Server <profile-name>)# acctport <port>
(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant AP)(Auth Server <profile-name>)# timeout <seconds>
(Instant AP)(Auth Server <profile-name>)# retry-count <number>
(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>
(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply
Associate the Authentication Servers with an SSID or Wired Profile
1. Access the WLAN wizard or Wired Settings window.
• To open the WLAN wizard, select an existing SSID in the Network tab, and click edit.
• To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.
You can also associate the authentication servers when creating a new WLAN or wired profile.
2. Click the Security tab.
3. If you are configuring the authentication server for a WLAN SSID, under Security tab, slide to Enterprise security level.
4. Ensure that an authentication type is enabled.
5. From the Authentication Server 1 drop-down list, select the server name on which dynamic RADIUS proxy parameters are enabled. You can also create a new server with RADIUS and RADIUS proxy parameters by selecting New.
6. Click Next and then click Finish.
7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 98 and Configuring Security Settings for a Wired Profile on page 114.
In the CLI
To associate an authentication server to a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To associate an authentication server to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# auth-server <name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring 802.1X Authentication for a Network Profile
The Instant network supports internal RADIUS server and external RADIUS server for 802.1X authentication.
The steps involved in 802.1X authentication are as follows:
1. The NAS requests authentication credentials from a wireless client.
2. The wireless client sends authentication credentials to the NAS.
3. The NAS sends these credentials to a RADIUS server.
4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its database. The RADIUS server sends an Access-Accept message to the NAS. If the RADIUS server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The NAS forwards this message to the client and the client must re-authenticate with appropriate credentials.
5. After the client is authenticated, the RADIUS server forwards the encryption key to the NAS. The encryption key is used for encrypting or decrypting traffic sent to and from the client.
The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS.
Configuring 802.1X Authentication for a Wireless Network Profile
You can configure 802.1X authentication for a wireless network profile in the Instant UI or CLI.
In the Instant UI
To enable 802.1X authentication for a wireless network:
1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable 802.1X authentication and click edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, specify the following parameters for the Enterprise security level:
   a. Select any of the following options from the Key management drop-down list.
      • WPA-2 Enterprise
      • WPA Enterprise
      • Both (WPA-2 & WPA)
      • Dynamic WEP with 802.1X
4. If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, set Session Key for LEAP to Enabled.
5. To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set Termination to Enabled.
By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the AP acts as a relay for this exchange. When Termination is enabled, the IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.
6. Specify the type of authentication server to use and configure other required parameters. You can also configure two different authentication servers to function as primary and backup servers when termination is enabled. For more information on RADIUS authentication configuration parameters, see Configuring an External Server for Authentication on page 157.
7. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To configure 802.1X authentication for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>}
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}
(Instant AP)(SSID Profile <name>)# leap-use-session-key
(Instant AP)(SSID Profile <name>)# termination
(Instant AP)(SSID Profile <name>)# auth-server <server1>
(Instant AP)(SSID Profile <name>)# auth-server <server2>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
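The SSID profile commands above can be checked against the guide's own recommendations (Table 30, the advice against MAC-based authentication, and the survivability cache window). The following auditor is an added example, not part of the guide or of any Aruba tool: the finding codes and the layout of the sample text (one command per line, indented under its profile) are assumptions, and the sample itself is constructed.

```python
WEAK_OPMODES = {"wpa-tkip": "TKIP", "dynamic-wep": "WEP"}  # opmode keywords from this guide
DEFAULT_CACHE_HOURS = 24                                   # documented default

# Constructed sample: the commands from this guide written one per line,
# indented under the profile they belong to (this layout is an assumption).
SAMPLE_CONFIG = """\
auth-survivability cache-time-out 72
wlan ssid-profile Corp
 type employee
 opmode wpa2-aes
 auth-server radius-a
 auth-server radius-b
wlan ssid-profile Legacy
 type employee
 opmode wpa-tkip,wpa2-aes
 auth-server radius-a
 auth-survivability
wlan ssid-profile Scanners
 type voice
 opmode dynamic-wep
 mac-authentication
 auth-server radius-a
"""


def parse_config(text):
    """Return (profiles, cache_hours); profiles maps SSID name -> {command: [args]}."""
    profiles, current, cache_hours = {}, None, DEFAULT_CACHE_HOURS
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if line[0].isspace():                      # sub-command of the open profile
            if current is not None:
                current.setdefault(words[0], []).append(" ".join(words[1:]))
            continue
        current = None                             # any top-level line closes the profile
        if words[:2] == ["wlan", "ssid-profile"] and len(words) > 2:
            current = profiles.setdefault(" ".join(words[2:]), {})
        elif words[:2] == ["auth-survivability", "cache-time-out"] and len(words) == 3:
            cache_hours = int(words[2])
    return profiles, cache_hours


def audit(text):
    """Return sorted (profile, code, detail) findings for the SSID profiles in text."""
    profiles, cache_hours = parse_config(text)
    findings = []
    for name, cmds in profiles.items():
        ptype = (cmds.get("type") or [""])[0].lower()
        modes = {m.strip() for value in cmds.get("opmode", []) for m in value.split(",")}
        weak = sorted(WEAK_OPMODES[m] for m in modes if m in WEAK_OPMODES)
        if weak:
            # Table 30 tolerates TKIP/WEP only for voice or handheld devices, "if necessary".
            code = "weak-cipher-review" if ptype == "voice" else "weak-cipher"
            findings.append((name, code, "/".join(weak)))
        if "mac-authentication" in cmds:
            findings.append((name, "mac-auth", "guide advises against MAC-based authentication"))
        if "auth-survivability" in cmds:
            # Accounts removed on the server stay usable for up to this long during an outage.
            findings.append((name, "survivability-window", f"{cache_hours} h"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

A mixed `wpa-tkip,wpa2-aes` opmode is reported as well, because it still lets clients negotiate TKIP.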
Configuring 802.1X Authentication for Wired Profiles
You can configure 802.1X authentication for a wired profile in the Instant UI or CLI.
In the Instant UI
To enable 802.1X authentication for a wired profile:
1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable 802.1X authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. In the Security tab, select Enabled from the 802.1X authentication drop-down list.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 114.
6. Click Next to define access rules, and then click Finish to apply the changes.
7. Assign the profile to an Ethernet port. For more information, see Assigning a Profile to Ethernet Ports on page 116.
In the CLI
To enable 802.1X authentication for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type {<employee>|<guest>}
(Instant AP)(wired ap profile <name>)# dot1x
(Instant AP)(wired ap profile <name>)# auth-server <server1>
(Instant AP)(wired ap profile <name>)# auth-server <server2>
(Instant AP)(wired ap profile <name>)# server-load-balancing
(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring MAC Authentication for a Network Profile
MAC authentication can be used alone or it can be combined with other forms of authentication such as WEP authentication. However, it is recommended that you do not use the MAC-based authentication.
This section describes the following procedures:
• Configuring MAC Authentication for Wireless Network Profiles on page 165
• Configuring MAC Authentication for Wired Profiles on page 166
Configuring MAC Authentication for Wireless Network Profiles
You can configure MAC authentication for a wireless network profile in the Instant UI or CLI.
In the Instant UI
To enable MAC Authentication for a wireless network:
1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC authentication and click edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, select Enabled from the MAC authentication drop-down list, for Personal or Open security level.
4. Specify the type of authentication server to use.
5. If the internal authentication server is used, perform the following steps to allow MAC address based authentication:
   a. Click the Users link against the Internal server field. The Users window is displayed.
   b. Specify the client MAC address as the user name and password.
   c. Specify the type of the user (employee or guest).
   d. Click Add.
   e. Repeat the steps to add more users.
   f. Click OK.
6. To allow the IAP to use a delimiter in the MAC authentication request, specify a character (for example, colon or dash) as a delimiter for the MAC address string. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.
7. To allow the IAP to use uppercase letters in the MAC address string, set Uppercase support to Enabled.
8. Configure other parameters as required.
9. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To configure MAC-address based authentication with external server:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# mac-authentication-delimiter <delim>
(Instant AP)(SSID Profile <name>)# mac-authentication-upper-case
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-server <server-name2>
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To add users for MAC authentication based on internal authentication server:
(Instant AP)(config)# user <username> [<password>] [portal|radius]
(Instant AP)(config)# end
(Instant AP)# commit apply
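User entries only match if they are stored in exactly the form the delimiter and uppercase settings produce, so the sketch below renders MAC addresses that way and builds the matching `user` lines for the internal server. It is an added example, not Aruba code: the function names and the inventory are constructed, lowercase output when Uppercase support is off is an assumption, and the guide does not say which of `portal` or `radius` corresponds to which user type.

```python
import re

HEX12 = re.compile(r"[0-9a-f]{12}")


def mac_auth_username(mac, delimiter=None, upper=False):
    """Render mac in the form selected by the delimiter and uppercase settings."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if delimiter is not None and len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")
    # No delimiter gives xxxxxxxxxxxx; a delimiter is placed between byte pairs.
    name = (delimiter or "").join(digits[i:i + 2] for i in range(0, 12, 2))
    return name.upper() if upper else name


def internal_user_commands(macs, delimiter=None, upper=False, user_type="radius"):
    """Return (commands, rejected) for the internal server's `user` command."""
    if user_type not in ("portal", "radius"):
        raise ValueError("user_type must be 'portal' or 'radius'")
    commands, rejected, seen = [], [], set()
    for mac in macs:
        try:
            name = mac_auth_username(mac, delimiter, upper)
        except ValueError:
            rejected.append((mac, "invalid"))
            continue
        if name in seen:                       # same device written in another notation
            rejected.append((mac, "duplicate"))
            continue
        seen.add(name)
        # The guide uses the MAC address as both user name and password.
        commands.append(f"user {name} {name} {user_type}")
    return commands, rejected


# Constructed inventory export with mixed notations and one bad entry.
INVENTORY = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5e", "00-1A-2B-3C-4D-5F", "printer-7"]

if __name__ == "__main__":
    cmds, bad = internal_user_commands(INVENTORY, delimiter=":")
    print("\n".join(cmds))
    print("rejected:", bad)
```

Because the user name and the password are both the MAC address, these entries identify a device rather than prove anything about it, which is consistent with the guide's recommendation not to use MAC-based authentication.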
Configuring MAC Authentication for Wired Profiles
You can configure MAC authentication for a wired profile in the Instant UI or CLI.
In the Instant UI
To enable MAC authentication for a wired profile:
1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable MAC authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. In the Security tab, select Enabled from the MAC authentication drop-down list.
5. Specify the type of authentication server to use.
6. If the internal authentication server is used, perform the following steps to allow MAC address based authentication:
   a. Click the Users link against the Internal server field. The Users window is displayed.
   b. Specify the client MAC address as the user name and password.
   c. Specify the type of the user (employee or guest).
   d. Click Add.
   e. Repeat the steps to add more users.
   f. Click OK.
7. Configure other parameters as required.
8. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To configure MAC-address based authentication with external server:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type {<employee>|<guest>}
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# auth-server <server-1>
(Instant AP)(wired ap profile <name>)# auth-server <server-2>
(Instant AP)(wired ap profile <name>)# server-load-balancing
(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To add users for MAC authentication based on internal authentication server:
(Instant AP)(config)# user <username> [<password>] [portal|radius]
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring MAC Authentication with 802.1X Authentication
This section describes the following procedures:
• Configuring MAC and 802.1X Authentication for a Wireless Network Profile on page 167
• Configuring MAC and 802.1X Authentication for Wired Profiles on page 168
Configuring MAC and 802.1X Authentication for a Wireless Network Profile
You can configure MAC authentication with 802.1X authentication for wireless network profile using the Instant UI or CLI.
In the Instant UI
To configure both MAC and 802.1X authentication for a wireless network:
1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC and 802.1X authentication and click edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, ensure that the required parameters for MAC authentication and 802.1X authentication are configured.
4. Select the Perform MAC authentication before 802.1X check box to use 802.1X authentication only when the MAC authentication is successful.
5. Select the check box MAC authentication fail-thru to use 802.1X authentication even when the MAC authentication fails.
6. Click Next and then click Finish to apply the changes.
In the CLI
To configure both MAC and 802.1X authentication for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# l2-auth-failthrough
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring MAC and 802.1X Authentication for Wired Profiles
You can configure MAC and 802.1X authentication for a wired profile in the Instant UI or CLI.
In the Instant UI
To enable MAC and 802.1X authentication for a wired profile:
1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable MAC authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. In the Security tab, enable the following options:
• Select Enabled from the MAC authentication drop-down list.
• Select Enabled from the 802.1X authentication drop-down list.
• Select Enabled from the MAC authentication fail-thru drop-down list.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 114.
6. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To enable MAC and 802.1X authentication for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile "<name>")# type {<employee>|<guest>}
(Instant AP)(wired ap profile "<name>")# mac-authentication
(Instant AP)(wired ap profile "<name>")# dot1x
(Instant AP)(wired ap profile "<name>")# l2-auth-failthrough
(Instant AP)(wired ap profile "<name>")# auth-server <name>
(Instant AP)(wired ap profile "<name>")# server-load-balancing
(Instant AP)(wired ap profile "<name>")# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile "<name>")# end
(Instant AP)# commit apply
Configuring MAC Authentication with Captive Portal Authentication
This authentication method has the following features:
• If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
• If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
• If the captive portal splash page type is none, MAC authentication is disabled.
• MAC authentication only role—You can use the WLAN wizard to configure the mac-auth-only role in the role-based access rule configuration section when MAC authentication is enabled with captive portal authentication.
Configuring MAC Authentication with Captive Portal Authentication
You can configure the MAC authentication with Captive Portal authentication for a network profile using the Instant UI or CLI.
In the Instant UI
1. Select an existing wireless or wired profile for which you want to enable MAC with Captive Portal authentication. Depending on the network profile selected, the Edit <WLAN-Profile> or Edit Wired Network window is displayed.
You can configure MAC authentication with Captive Portal authentication, in the Access tab of the New WLAN and New Wired Network windows when configuring a new profile.
2. In the Access tab, specify the following parameters for a network with Role-Based rules:
   a. Select the Enforce Machine Authentication check box when MAC authentication is enabled for Captive Portal. If the MAC authentication fails, the Captive Portal authentication role is assigned to the client.
   b. For wireless network profile, select Enforce MAC Auth Only Role check box when MAC authentication is enabled for Captive Portal. After successful MAC authentication, MAC auth only role is assigned to the client.
3. Click Next and then click Finish to apply the changes.
In the CLI
To configure MAC authentication with Captive Portal authentication for a wireless profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type <Guest>
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# captive-portal <type> exclude-uplink <type>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine-authentication> <user-authentication>
(Instant AP)(SSID Profile <name>)# set-role-mac-auth <MAC-authentication-only>
(InstantAP)(SSIDProfile<name>)#end
(InstantAP)#commitapply
ToconfigureMACauthenticationwithCaptivePortalauthenticationforawiredprofile:
(InstantAP)(config)#wired-port-profile<name>
(InstantAP)(wiredapprofile<name>)#type<guest>
(InstantAP)(wiredapprofile<name>)#mac-authentication
(InstantAP)(wiredapprofile<name>)#captive-portal<type>

(InstantAP)(wiredapprofile<name>)#captive-portal<type>exclude-uplink{<3G>|<4G>|
<Wifi>|Ethernet}
(InstantAP)(wiredapprofile<name>)#set-role-machine-auth<machine-only><user-only>
(InstantAP)(wiredapprofile<name>)#set-role-mac-auth<mac-only>
(InstantAP)(wiredapprofile<name>)#end
(InstantAP)#commitapply

Configuring WISPr Authentication
Instant supports the following smart clients:
- iPass
- Boingo
These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the IAP.
WISPr authentication is supported only for the Internal-Authenticated and External-RADIUS Server captive portal authentication. Select the Internal-Authenticated or the External-RADIUS Server option from the Splash page type drop-down list to configure WISPr authentication for a WLAN profile.
You can configure WISPr authentication using the Instant UI or CLI.

In the Instant UI
1. Click the System link at the top-right corner of the Instant main window. The System window is displayed.
2. Click Show advanced options.
3. Click WISPr tab. The WISPr tab contents are displayed. The following figure shows the WISPr tab contents:
Figure 47 Configuring WISPr Authentication
4. Enter the ISO Country Code for the WISPr Location ID in the ISO Country Code text box.
5. Enter the E.164 Area Code for the WISPr Location ID in the E.164 Area Code text box.
6. Enter the operator name of the Hotspot in the Operator Name text box.
7. Enter the E.164 Country Code for the WISPr Location ID in the E.164 Country Code text box.
8. Enter the SSID/Zone section for the WISPr Location ID in the SSID/Zone text box.
9. Enter the name of the Hotspot location in the Location Name text box. If no name is defined, the name of the IAP to which the user is associated is used.
10. Click OK to apply the changes.
The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (www.iso.org and http://www.itu.int).
A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the Radius server profile for the WISPr server.

In the CLI
(Instant AP)(config)# wlan wispr-profile
(Instant AP)(WISPr)# wispr-location-id-ac
(Instant AP)(WISPr)# wispr-location-id-cc
(Instant AP)(WISPr)# wispr-location-id-isocc
(Instant AP)(WISPr)# wispr-location-id-network
(Instant AP)(WISPr)# wispr-location-name-location
(Instant AP)(WISPr)# wispr-location-name-operator-name
(Instant AP)(WISPr)# end
(Instant AP)# commit apply

Blacklisting Clients
The client blacklisting denies connection to the blacklisted clients. When a client is blacklisted, it is not allowed to associate with an IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force client disconnection.
This section describes the following procedures:
- Blacklisting Clients Manually on page 171
- Blacklisting Users Dynamically on page 172

Blacklisting Clients Manually
Manual blacklisting adds the MAC address of a client to the blacklist. These clients are added into a permanent blacklist. These clients are not allowed to connect to the network unless they are removed from the blacklist.

Adding a Client to the Blacklist
You can add a client to the blacklist manually using the Instant UI or CLI.

In the Instant UI
1. Click the Security link from the top right corner of the Instant main window.
2. Click the Blacklisting tab.
3. Under the Manual Blacklisting, click New.
4. Enter the MAC address of the client to be blacklisted in the MAC address to add text box.
5. Click OK. The Blacklisted Since tab displays the time at which the current blacklisting has started for the client.
6. To delete a client from the manual blacklist, select the MAC Address of the client under the Manual Blacklisting, and then click Delete.

In the CLI
To blacklist a client:
(Instant AP)(config)# blacklist-client <MAC-Address>
(Instant AP)(config)# end
(Instant AP)# commit apply
To view the blacklisted clients:
(Instant AP)# show blacklist-client
Blacklisted Clients
-------------------
MAC                Reason        Timestamp  Remaining time(sec)  AP name
---                ------        ---------  -------------------  -------
00:1c:b3:09:85:15  user-defined  17:21:29   Permanent            -

Blacklisting Users Dynamically
The clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process.

Authentication Failure Blacklisting
When a client takes time to authenticate and exceeds the configured failure threshold, it is automatically blacklisted by an IAP.

Session Firewall Based Blacklisting
In session firewall based blacklisting, an ACL rule is used to enable the option for automatic blacklisting. When the ACL rule is triggered, it sends out blacklist information and the client is blacklisted.

Configuring Blacklist Duration
You can set the blacklist duration using the Instant UI or CLI.

In the Instant UI
To set a blacklist duration:
1. Click the Security link from the top right corner of the Instant main window.
2. Click the Blacklisting tab.
3. Under Dynamic Blacklisting:
4. For Auth failure blacklist time, enter the duration in seconds after which the clients that exceed the authentication failure threshold must be blacklisted.
5. For PEF rule blacklisted time, enter the duration in seconds after which the clients can be blacklisted due to an ACL rule trigger.
You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted. For more information on configuring maximum authentication failure attempts, see Configuring Security Settings for a WLAN SSID Profile on page 98.
To enable session firewall based blacklisting, click New and navigate to WLAN Settings > VLAN > Security > Access window, and enable the Blacklist option of the corresponding ACL rule.

In the CLI
To dynamically blacklist clients:
(Instant AP)(config)# auth-failure-blacklist-time <seconds>
(Instant AP)(config)# blacklist-time <seconds>
(Instant AP)(config)# end
(Instant AP)# commit apply
To view the blacklisted clients:
(Instant AP)# show blacklist-client config
Blacklist Time :60
Auth Failure Blacklist Time :60
Manually Blacklisted Clients
----------------------------
MAC  Time
---  ----
Dynamically Blacklisted Clients
-------------------------------
MAC  Reason  Timestamp  Remaining time(sec)  AP IP
---  ------  ---------  -------------------  -----
Dyn Blacklist Count :0

Uploading Certificates
A certificate is a digital file that certifies the identity of the organization or products of the organization. It is also used to establish your credentials for any Web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate-holder's public key, and the digital signature of the certificate-issuing authority so that a recipient can ensure that the certificate is real.
Instant supports the following certificate files:
- Auth server or captive portal server certificate: PEM format with passphrase (PSK)
- CA certificate: PEM or DER format
In the current release, IAP supports uploading of a customized certificate for internal captive portal server.
This section describes the following procedures:
- Loading Certificates through Instant UI on page 173
- Loading Certificates through Instant CLI
- Loading Certificates through AirWave on page 174

Loading Certificates through Instant UI
To load a certificate in the Instant UI:
1. Click the Maintenance link at the top right corner of the Instant main window.
2. Click the Certificates tab. The Certificates tab contents are displayed. The following figure shows the Certificates window:
Figure 48 Maintenance Window: Certificates Tab
3. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed.
4. Browse and select the file to upload.
5. Select any of the following types of certificates from the Certificate type drop-down list:
- CA — CA certificates validate the client’s certificate.
- Auth Server — The authentication server certificate verifies the server's identity to the client.
- Captive portal server — Captive portal server certificate verifies internal captive portal server's identity to the client.
6. Select the certificate format from the Certificate format drop-down list.
7. If you have selected Auth Server or Captive portal server type, enter a passphrase in Passphrase and reconfirm. The default password is whatever. If the certificate does not include a passphrase, there is no passphrase required.
8. Click Browse and select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.

Loading Certificates through Instant CLI
To upload a certificate:
(Instant AP)# copy tftp {<ip-address> <filename> cpserver cert <password> format {p12|pem} |system {1xca [format {der|pem}] |1xcert <password> [format {p12|pem}]}

Loading Certificates through AirWave
You can manage certificates using the AirWave. The AMP directly provisions the certificates and performs basic certificate verification (such as certificate type, format, version, serial number and so on), before accepting the certificate and uploading to an IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the Virtual Controller. After the VC receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS server.
To load a certificate in AirWave:
1. Navigate to Device Setup > Certificate and then click Add to add a new certificate. The Certificate window is displayed.
2. Enter the certificate Name, and click Choose File to browse and upload the certificate.
Figure 49 Loading Certificate via AirWave
3. Select the appropriate Format that matches the certificate file name. Select Server Cert for certificate Type, and provide the passphrase if you want to upload a Server certificate. Select either Intermediate CA or Trusted CA certificate Type, if you want to upload a CA certificate.
Figure 50 Server Certificate
4. After you upload the certificate, navigate to Groups, click the Instant Group and then select Basic. The Group name is displayed only if you have entered the Organization name in the Instant UI. For more information, see Configuring Organization String on page 277.
Figure 51 Selecting the Group
The Virtual Controller Certificate section displays the certificates (CA cert and Server).
5. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the IAP.
6. To clear the certificate options, click Revert.

Chapter 12
Roles and Policies
This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
- Firewall Policies on page 176
- Content Filtering on page 186
- Configuring User Roles on page 190
- Configuring Derivation Rules on page 192

Firewall Policies
Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using Instant firewall, you can enforce network access policies that define access to the network, areas of the network that users may access, and the performance thresholds of various applications.
Instant supports a role-based stateful firewall. Instant firewall recognizes flows in a network and keeps track of the state of sessions. Instant firewall manages packets according to the first rule that matches the packet. The firewall logs on the IAPs are generated as syslog messages.

Access Control List Rules
You can use Access Control List (ACL) rules to either permit or deny data packets passing through the IAP. You can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses.
You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall.
The IAP clients are associated with user roles, which determine the client’s network privileges and the frequency at which clients re-authenticate.
Instant supports the following types of ACLs:
- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on source or destination IP address, source or destination port number.
- ACLs that permit or deny traffic based on network services, application, application categories, web categories, and security ratings.
You can configure up to 128 access control entries in an ACL for a user role.
For more information on configuring firewall rules, see:
- Configuring Access Rules for Network Services on page 177.
- Configuring Network Address Translation Rules on page 179
- Configuring Inbound Firewall Rules on page 183
- Configuring Access Rules for Application and Application Categories on page 246

- Configuring URL Filtering Policies on page 249

Configuring Access Rules for Network Services
This section describes the procedure for configuring ACLs to control access to network services. For information on:
- Configuring access rules based on application and application categories, see Configuring Access Rules for Application and Application Categories on page 246.
- Configuring access rules based on web categories and web reputation, see Configuring URL Filtering Policies on page 249.

In the Instant UI
To configure ACL rules for a user role:
1. Navigate to Security > Roles tab. The Roles tab contents are displayed.
You can also configure access rules for a wired or wireless client through the WLAN wizard (Network tab > WLAN SSID > Edit > Edit WLAN > Access) or the Wired profile (More > Wired > Edit > Edit Wired Network > Access) window.
2. Select the role for which you want to configure access rules.
3. In Access rules section, click New to add a new rule. The New Rule window is displayed.
4. Ensure that the rule type is set to Access Control.
5. To configure a rule to control access to network services, select Network under service category and specify the following parameters:
Table 34: Access Rule Configuration Parameters
Service Category / Description

Network
Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:
- any — Access is allowed or denied to all services.
- custom — Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the appropriate ID.
NOTE: If TCP and UDP use the same port, ensure that you configure separate access rules to permit or deny access.

Action
Select any of the following actions:
- Select Allow to allow access to users based on the access rule.
- Select Deny to deny access to users based on the access rule.
- Select Destination-NAT to allow changes to destination IP address.
- Select Source-NAT to allow changes to the source IP address.
The destination-nat and source-nat actions apply only to the network services rules.

Destination
Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
- to all destinations — Access is allowed or denied to all destinations.
- to a particular server — Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
- except to a particular server — Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- to a network — Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
- except to a network — Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- to domain name — Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.

Log
Select this check box if you want a log entry to be created when this rule is triggered. Instant supports firewall based logging function. Firewall logs on the IAPs are generated as security logs.

Blacklist
Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 171.

Classify media
Select the Classify media check box to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
- Video: Priority 5 (Critical)
- Voice: Priority 6 (Internetwork Control)

Disable scanning
Select Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of the Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for an IAP on page 238.

DSCP tag
Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.

802.1p priority
Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
6. Click OK and then click Finish.

In the CLI
To configure access rules:
(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match/invert> {<protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat{<IP-address> <port>|<port>}}[<option1....option9>]
(Instant AP)(Access Rule <Name>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan access-rule employee
(Instant AP)(Access Rule "employee")# rule 10.17.88.59 255.255.255.255 match 6 4343 4343 log classify-media
(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match tcp 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match udp 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 match 6 631 631 permit
(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny
(Instant AP)(Access Rule "employee")# end
(Instant AP)# commit apply
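
The first-match behaviour and the match/invert keyword in the rule syntax above can be checked offline before a rule set is committed. The following Python model is an added example, not Aruba code: it parses rule lines in the documented field order and reports which rule decides a flow. Reading invert as "every destination except the given network" (the UI's "except to" options) and returning no-match when no rule applies are assumptions; the rule set is constructed from the guide's example.

```python
import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"tcp": 6, "udp": 17}   # protocol names that appear in the guide's examples
ACTIONS = {"permit", "deny", "src-nat", "dst-nat"}


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network
    invert: bool          # True for "invert": every destination except the network (assumption)
    protocol: int
    start_port: int
    end_port: int
    action: str
    options: tuple = ()

    def matches(self, dst_ip, protocol, dst_port):
        in_network = ipaddress.IPv4Address(dst_ip) in self.network
        return (in_network != self.invert
                and protocol == self.protocol
                and self.start_port <= dst_port <= self.end_port)


def parse_rule(line):
    """Parse: rule <dest> <mask> <match|invert> <protocol> <start-port> <end-port> <action> [options]."""
    tokens = line.split()
    if len(tokens) < 8 or tokens[0] != "rule":
        raise ValueError(f"not a complete rule line: {line!r}")
    dest, mask, mode, proto, start, end, action = tokens[1:8]
    if mode not in ("match", "invert"):
        raise ValueError(f"expected match or invert, got {mode!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    protocol = PROTOCOLS[proto] if proto in PROTOCOLS else int(proto)
    start_port, end_port = int(start), int(end)
    if not 0 <= start_port <= end_port <= 65535:
        raise ValueError(f"bad port range {start}-{end}")
    # strict=False lets a host address plus netmask (192.0.2.2 255.255.255.0) name its network.
    network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return Rule(network, mode == "invert", protocol, start_port, end_port,
                action, tuple(tokens[8:]))


def first_match(rules, dst_ip, protocol, dst_port):
    """Return (1-based position, rule) for the first rule that matches, or None."""
    for position, rule in enumerate(rules, start=1):
        if rule.matches(dst_ip, protocol, dst_port):
            return position, rule
    return None


def decide(rules, dst_ip, protocol, dst_port):
    """Action of the deciding rule, or 'no-match' (default handling is not modelled)."""
    hit = first_match(rules, dst_ip, protocol, dst_port)
    return hit[1].action if hit else "no-match"


# Constructed rule set, adapted from the guide's "employee" example.
EMPLOYEE = [parse_rule(line) for line in """
rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit
rule 192.0.2.2 255.255.255.0 match tcp 21 21 deny
rule 192.0.2.2 255.255.255.0 match 6 631 631 permit
rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny log
rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny
""".strip().splitlines()]

if __name__ == "__main__":
    flows = [("198.51.100.5", 6, 110), ("192.0.2.8", 6, 110),
             ("192.0.2.7", 6, 21), ("192.0.2.7", 17, 21), ("203.0.113.9", 6, 21)]
    for flow in flows:
        hit = first_match(EMPLOYEE, *flow)
        print(flow, "->", f"rule {hit[0]}: {hit[1].action}" if hit else "no-match")
```

The UDP flow to port 21 falls through the TCP deny, which is the case the table's NOTE about separate TCP and UDP rules addresses; placing a broad permit ahead of a narrower deny makes the deny unreachable.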

Configuring Network Address Translation Rules
Network Address Translation (NAT) is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public (the Internet) and private (local network), which allows translation of private network IP addresses to a public address space.
Instant supports the NAT mechanism to allow a routing device to use the translation tables to map the private addresses into a single IP address and packets are sent from this address, so that they appear to originate from the routing device. Similarly, if the packets are sent to the private IP address, the destination address is translated as per the information stored in the translation tables of the routing device.

Configuring a Source NAT Access Rule
The source NAT action in access rules allows the user to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, the client traffic in L3 mode access on an SSID destined to the corporate network is sent to the tunnel. When an access rule is configured with Source NAT action, the users can specify the service, protocol, or destination to which the source NAT is applied.
You can also configure source based routing to allow client traffic on one SSID to reach the Internet through the corporate network, while the other SSID can be used as an alternate uplink. You can create an access rule to perform source NAT by using the Instant UI or CLI.

In the Instant UI
To configure a source NAT access rule:
1. Navigate to the WLAN wizard or Wired settings window:
- To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
- To configure access rules for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab.
3. To configure access rules for the network, slide to Network-based. To configure access rules for user roles, slide to Role-based.
4. To create a new rule for the network, click New. To create an access rule for a user role, select the user role and then click New. The New Rule window is displayed.
5. In the New Rule window:
6. Select Access control from the Rule type drop-down list.
7. Select Source-NAT from the Action drop-down list, to allow changes to the source IP address.
8. Select a service from the list of available services.
9. Select the required option from the Destination drop-down list.
10. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.
11. Click OK and then click Finish.

In the CLI
To configure source NAT access rule:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule "<access_rule>")# rule <dest> <mask> <match> <protocol> <sport> <eport> src-nat
(Instant AP)(Access Rule "<access_rule>")# end
(Instant AP)# commit apply

Configuring Source-Based Routing
To allow different forwarding policies for different SSIDs, you can configure source-based routing. The source-based routing configuration overrides the routing profile configuration and allows any destination or service to be configured to have direct access to the Internet (bypassing VPN tunnel) based on the ACL rule definition. When source-based routing is enabled, the Virtual Controller performs source NAT by using its uplink IP address.
To configure source-based routing:
1. Ensure that an L3 subnet with the netmask, gateway, VLAN, and IP address is configured. For more information on configuring L3 subnet, see Configuring L3-Mobility on page 310.
2. Ensure that the source IP address is associated with the IP address configured for the L3 subnet.
3. Create an access rule for the SSID profile with Source NAT action as described in Configuring Source-Based Routing on page 180. The source NAT pool is configured and source based routing entry is created.

Configuring a Destination NAT Access Rule
Instant supports configuration of the destination NAT rule, which can be used to redirect traffic to the specified IP address and destination port. Destination-NAT configuration is supported only in the bridge mode without VPN.
You can configure a destination-NAT access rule by using the Instant UI or CLI.

In the Instant UI
To configure a destination NAT access rule:
1. Navigate to the WLAN wizard or Wired settings window:
- To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
- To configure access rules for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab.
3. To configure access rules for the network, slide to Network-based. To configure access rules for user roles, slide to Role-based.
4. To create a new rule for the network, click New. To create an access rule for a user role, select the user role and then click New. The New Rule window is displayed.
5. In the New Rule window:
6. Select Access control from the Rule type drop-down list.
7. Select destination-NAT from the Action drop-down list, to allow changes to the destination IP address.
8. Specify the IP address and port details.
9. Select a service from the list of available services.
10. Select the required option from the Destination drop-down list.
11. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.
12. Click OK and then click Finish.

In the CLI
To configure destination NAT access rule:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule "<access_rule>")# rule <dest> <mask> <match> <protocol> <sport> <eport> dst-nat ip <IP-address> [<port>]
(Instant AP)(Access Rule "<access_rule>")# end
(Instant AP)# commit apply

Configuring ALG Protocols
You can enable or disable protocols for Application Layer Gateway (ALG) using the Instant UI or CLI.

In the Instant UI
To configure protocols for ALG:
1. Click the Security link at the top right corner of Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed. The following figure shows the contents of the Firewall Settings tab:
Figure 52 Firewall Settings — ALG Protocols
3. Select Enabled from the corresponding drop-down lists to enable SIP, VOCERA, Alcatel NOE, and Cisco skinny protocols.
4. Click OK.
When the protocols for ALG are Disabled, the changes do not take effect until the existing user sessions have expired. Reboot the IAP and the client, or wait a few minutes for the changes to take effect.

In the CLI
To configure protocols for ALG:
(Instant AP)(config)# alg
(Instant AP)(ALG)# sccp-disable
(Instant AP)(ALG)# no sip-disable
(Instant AP)(ALG)# no ua-disable
(Instant AP)(ALG)# no vocera-disable
(Instant AP)(ALG)# end
(Instant AP)# commit apply
To view the ALG configuration:
(Instant AP)# show alg
Current ALG
-----------
ALG     Status
---     ------
sccp    Disabled
sip     Enabled
ua      Enabled
vocera  Enabled

Configuring Firewall Settings for Protection from ARP Attacks
You can configure firewall settings to protect the network against attacks using the Instant UI or CLI.

In the Instant UI
To configure firewall settings:
1. Click the Security link at the top right corner of Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
3. To configure protection against security attacks, select the following check boxes:
- Select Drop bad ARP to enable the IAP to drop the fake ARP packets.
- Select Fix malformed DHCP to enable the IAP to fix the malformed DHCP packets.
- Select ARP poison check to enable the IAP to trigger an alert notifying the user about the ARP poisoning that may have been caused by the rogue APs.
Figure 53 Firewall Settings — Protection Against Wired Attacks
4. Click OK.

In the CLI
To configure firewall settings to prevent attacks:
(Instant AP)(config)# attack
(Instant AP)(ATTACK)# drop-bad-arp-enable
(Instant AP)(ATTACK)# fix-dhcp-enable
(Instant AP)(ATTACK)# poison-check-enable
(Instant AP)(ATTACK)# end
(Instant AP)# commit apply
To view the configuration status:
(Instant AP)# show attack config
Current Attack
--------------
Attack        Status
------        ------
drop-bad-arp  Enabled
fix-dhcp      Enabled
poison-check  Enabled
To view the attack statistics:
(Instant AP)# show attack stats
attack counters
--------------------------------------
Counter                         Value
-------                         -------
arp packet counter              0
drop bad arp packet counter     0
dhcp response packet counter    0
fixed bad dhcp packet counter   0
send arp attack alert counter   0
send dhcp attack alert counter  0
arp poison check counter        0
garp send check counter         0
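
The counters printed by show attack stats are cumulative, so monitoring means comparing two captures. The following Python sketch is an added example, not part of the guide or of Aruba's tooling: it parses two saved captures of that output and reports which protection counters rose between them. The two captures are constructed sample data, and the choice of which counters to watch is an assumption of this example.

```python
import re

# Counters whose growth means the IAP dropped, repaired or alerted on suspect frames.
# Which counters to watch is an assumption of this example.
WATCHED = (
    "drop bad arp packet counter",
    "fixed bad dhcp packet counter",
    "send arp attack alert counter",
    "send dhcp attack alert counter",
)

# A data row is a counter name made of words, then whitespace, then an integer.
ROW = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s+(?P<value>\d+)\s*$")


def parse_attack_stats(text):
    """Return {counter name: value}; title, header and separator lines are skipped."""
    counters = {}
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if row:
            counters[row.group("name").lower()] = int(row.group("value"))
    return counters


def counter_deltas(previous, current):
    """Per-counter increase. A value lower than before is read as a counter restart
    (for example after a reboot), so the whole current value counts as new."""
    deltas = {}
    for name, value in current.items():
        before = previous.get(name, 0)
        deltas[name] = value - before if value >= before else value
    return deltas


def findings(previous_text, current_text):
    """List (counter, increase) for watched counters that grew between two captures."""
    deltas = counter_deltas(parse_attack_stats(previous_text),
                            parse_attack_stats(current_text))
    return [(name, deltas[name]) for name in WATCHED if deltas.get(name, 0) > 0]


# Constructed captures in the layout shown above (not taken from a real device).
CAPTURE_1 = """
attack counters
--------------------------------------
Counter                         Value
-------                         -------
arp packet counter              1200
drop bad arp packet counter     3
dhcp response packet counter    40
fixed bad dhcp packet counter   0
send arp attack alert counter   1
send dhcp attack alert counter  0
arp poison check counter        1200
garp send check counter         5
"""

CAPTURE_2 = """
attack counters
--------------------------------------
Counter                         Value
-------                         -------
arp packet counter              1850
drop bad arp packet counter     45
dhcp response packet counter    41
fixed bad dhcp packet counter   0
send arp attack alert counter   4
send dhcp attack alert counter  0
arp poison check counter        1850
garp send check counter         5
"""

if __name__ == "__main__":
    for name, increase in findings(CAPTURE_1, CAPTURE_2):
        print(f"{name}: +{increase} since previous capture")
```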

Managing Inbound Traffic
Instant now supports an enhanced inbound firewall by allowing the configuration of firewall rules and management subnets, and restricting corporate access through an uplink switch.
To allow flexibility in firewall configuration, Instant supports the following features:
- Inbound firewall rules
- Configurable management subnets
- Restricted corporate access

Configuring Inbound Firewall Rules
You can now configure firewall rules for the inbound traffic coming through the uplink ports of an IAP. The rules defined for the inbound traffic are applied if the destination is not a user connected to the IAP. If the destination already has a user role assigned, the user role overrides the actions or options specified in inbound firewall configuration. However, if a deny rule is defined for the inbound traffic, it is applied irrespective of the destination and user role. Unlike the ACL rules in a WLAN SSID or wired profile, the inbound firewall rules can be configured based on the source subnet.
For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default.
Management access to the AP is allowed irrespective of the inbound firewall rule. For more information on configuring restricted management access, see Configuring Management Subnets on page 185.
The inbound firewall is not applied to traffic coming through GRE tunnel.
You can configure inbound firewall rules through the Instant UI or CLI.

In the Instant UI
1. Navigate to Security > Inbound Firewall tab. The Inbound Firewall tab contents are displayed.
2. Under Inbound Firewall Rules, click New. The New Rule window is displayed.
Figure 54 Inbound Firewall Rules - New Rule Window
3. Configure the following parameters:

Parameter Description
Action Selectanyoffollowingactions:
lSelectAllowtoallowaccessusersbasedontheaccessrule.
lSelectDenytodenyaccesstousersbasedontheaccessrule.
lSelectDestination-NATtoallowchangestodestinationIPaddress.
lSelectSource-NATtoallowchangestothesourceIPaddress.
Thedestination-natandsource-natactionsapplyonlytothenetworkservicesrules.
Service Selectaservicefromthelistofavailableservices.Youcanallowordenyaccesstoanyorall
ofthefollowingservicesbasedonyourrequirement:
• any—Access is allowed or denied to all services.
• custom—Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If the Other option is selected, ensure that the appropriate ID is entered.
Source: Select any of the following options:
• from all sources—Traffic from all sources is either allowed, denied, or the IP address is translated at the source or destination as defined in the rule.
• from a host—Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the IP address of the host.
• from a network—Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network.
Destination: Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
• to all destinations—Traffic for all destinations is allowed, denied, or the IP address is translated at the source or destination as defined in the rule.
• to a particular server—Traffic to a specific server is allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the IP address of the destination server.
• except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
• to a network—Traffic to the specified network is allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the IP address and netmask for the destination network.
• except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
• to domain name—Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.
Log: Select this check box if you want a log entry to be created when this rule is triggered. Instant supports a firewall-based logging function. Firewall logs on the IAPs are generated as security logs.
Blacklist: Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 171.
Classify media: Select the Classify media check box to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
• Video: Priority 5 (Critical)
• Voice: Priority 6 (Internetwork Control)
Disable scanning: Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for an IAP on page 238.
DSCP tag: Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.
802.1p priority: Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
Table 35: Inbound Firewall Rule Configuration Parameters
4. Click OK and then click Finish.
In the CLI
To configure inbound firewall rules:
(Instant AP)(config)# inbound-firewall
(Instant AP)(inbound-firewall)# rule <subnet> <smask> <dest> <mask> <protocol> <sport> <eport> {permit|deny|src-nat|dst-nat <IP-address> <port>} [<option1....option9>]
(Instant AP)(inbound-firewall)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# inbound-firewall
(Instant AP)(inbound-firewall)# rule 192.0.2.1 255.255.255.255 any any match 6 631 631 permit
(Instant AP)(inbound-firewall)# end
(Instant AP)# commit apply

Configuring Management Subnets
You can configure subnets to ensure that the IAP management is carried out only from these subnets. When the management subnets are configured, Telnet, SSH, and UI access is restricted to these subnets only.
You can configure management subnets by using the Instant UI or CLI.
In the Instant UI
To configure management subnets:
1. Navigate to Security > Inbound Firewall. The Inbound Firewall tab contents are displayed.
Figure 55 Firewall Settings—Management Subnets
2. To add a new management subnet:
• Enter the subnet address in Subnet.
• Enter the subnet mask in Mask.
• Click Add.
3. To add multiple subnets, repeat step 2.
4. Click OK.
In the CLI
To configure a management subnet:
(Instant AP)(config)# restricted-mgmt-access <subnet-IP-address> <subnet-mask>
(Instant AP)(config)# end
(Instant AP)# commit apply
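
A review of the management subnets described above, as an added example that is not part of the guide or of Aruba's tooling: it reads `restricted-mgmt-access` lines from a saved configuration and reports which sources could reach Telnet, SSH, and the UI. The sample configuration, the /24 review threshold, and the assumption that a saved configuration stores these lines in the same form as the CLI command are all constructed for illustration.

```python
import ipaddress

# Constructed sample: lines as they would be typed in the CLI shown above.
SAMPLE_CONFIG = """\
restricted-mgmt-access 10.20.30.0 255.255.255.0
restricted-mgmt-access 192.0.2.10 255.255.255.255
restricted-mgmt-access 10.0.0.0 255.0.0.0
restricted-mgmt-access 172.16.5.9 255.255.255.0
"""


def parse_mgmt_subnets(config_text):
    """Return (entered_address, network) for every restricted-mgmt-access line."""
    subnets = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "restricted-mgmt-access":
            entered = ipaddress.ip_address(fields[1])
            # strict=False accepts an address with host bits set; audit() reports it.
            network = ipaddress.ip_network(fields[1] + "/" + fields[2], strict=False)
            subnets.append((entered, network))
    return subnets


def management_allowed(subnets, source_ip):
    """True if source_ip may manage the IAP under the parsed subnets.

    Assumption: with no management subnet configured, this feature does not
    restrict the source at all, so every address is allowed.
    """
    if not subnets:
        return True
    address = ipaddress.ip_address(source_ip)
    return any(address in network for _entered, network in subnets)


def audit(config_text, min_prefix=24):
    """List findings worth a second look before the configuration is applied."""
    subnets = parse_mgmt_subnets(config_text)
    findings = []
    if not subnets:
        findings.append("no restricted-mgmt-access entry: management is not limited by source subnet")
    for entered, network in subnets:
        if network.prefixlen < min_prefix:
            findings.append(f"{network}: broader than /{min_prefix}")
        if entered != network.network_address:
            findings.append(f"{entered}/{network.prefixlen}: address is not the subnet base, check the intended range")
    return findings


if __name__ == "__main__":
    parsed = parse_mgmt_subnets(SAMPLE_CONFIG)
    for source in ("10.20.30.7", "192.0.2.10", "198.51.100.5"):
        print(source, "allowed" if management_allowed(parsed, source) else "blocked")
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
```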

Configuring Restricted Access to Corporate Network
You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of the master IAP, including clients connected to a slave IAP. You can configure restricted corporate access by using the Instant UI or CLI.
In the Instant UI
To configure restricted corporate access:
1. Navigate to Security > Inbound Firewall. The Inbound Firewall (see Figure 55) tab contents are displayed.
2. Select Enabled from the Restrict Corporate Access drop-down list.
3. Click OK.
In the CLI
To configure restricted corporate access:
(Instant AP)(config)# restrict-corp-access
(Instant AP)(config)# end
(Instant AP)# commit apply

Content Filtering
The content filtering feature allows you to route DNS requests to the OpenDNS platform and create content filtering policies.
With content filter, you can:
• Allow all DNS requests to the non-corporate domains on a wireless or wired network to be sent to the OpenDNS server. When the OpenDNS credentials are configured, the IAP uses these credentials to access OpenDNS to provide enterprise-level content filtering. For more information, see Configuring OpenDNS Credentials on page 266.
• Block certain categories of websites based on your organization policy. For example, if you block the web-based-email category, clients who are assigned this policy will not be able to visit email-based websites such as mail.yahoo.com.
• Prevent known malware hosts from accessing your wireless network.
• Improve employee productivity by limiting access to certain websites.
• Reduce bandwidth consumption significantly.
Regardless of whether content filtering is disabled or enabled, the DNS requests to http://instant.arubanetworks.com are always resolved internally on Instant.
The content filtering configuration applies to all IAPs in the network and the service is enabled or disabled globally across the wireless or wired network profiles.

Enabling Content Filtering
This section describes the following procedures:
• Enabling Content Filtering for a Wireless Profile on page 187
• Enabling Content Filtering for a Wired Profile

Enabling Content Filtering for a Wireless Profile
To enable content filtering for a wireless SSID, perform the following steps:
In the Instant UI
1. Select a wireless profile in the Networks tab and then click the edit link. The window for editing the WLAN SSID profile is displayed.
2. Click Show advanced options.
3. Select Enabled from the Content Filtering drop-down list, and click Next to continue.
You can also enable content filtering while adding a new wireless profile. For more information, see Configuring WLAN Settings for an SSID Profile on page 92.
In the CLI
To enable content filtering on a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# content-filtering
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply

Enabling Content Filtering for a Wired Profile
To enable content filtering for a wired profile, perform the following steps:
In the Instant UI
1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to modify.
3. Click Edit. The Edit Wired Network window is displayed.
4. In the Wired Settings tab, select Enabled from the Content Filtering drop-down list and click Next to continue.
In the CLI
To enable content filtering for a wired profile in the CLI:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# content-filtering
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply

Configuring Enterprise Domains
The enterprise domain names list displays the DNS domain names that are valid on the enterprise network. This list is used to determine how client DNS requests must be routed. When Content Filtering is enabled, the DNS requests of the clients are verified and the domain names that do not match the names in the list are sent to the OpenDNS server.
You can configure an enterprise domain through the Instant UI or CLI.
In the Instant UI
To manually add a domain:
1. Navigate to System > General, click Show advanced options > Enterprise Domains. The Enterprise Domain tab contents are displayed.
2. Click New and enter a New Domain Name. Using "*" as an enterprise domain causes all DNS traffic to go through the tunnel to the original DNS server of clients. If you are configuring a routing profile with split-tunnel disabled, you need to add "*" to the enterprise domain list.
3. Click OK to apply the changes.
To delete a domain, select the domain and click Delete to remove the domain name from the list.
In the CLI
To configure an enterprise domain:
(Instant AP)(config)# internal-domains
(Instant AP)(domain)# domain-name <name>
(Instant AP)(domain)# end
(Instant AP)# commit apply

Configuring URL Filtering Policies
You can configure URL filtering policies to block certain categories of websites based on your organization specifications by defining ACL rules either through the Instant UI or CLI.
In the Instant UI
1. Navigate to Security > Roles.
2. Select any WLAN SSID or wired profile role, and click New in the Access Rules section. The New Rule window appears.
3. Select the rule type as Access Control.
4. To set an access policy based on the web category:
a. Under Services, select Web category and expand the Web categories drop-down.
Figure 56
b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
c. From the Action drop-down, select Allow or Deny as required.
d. Click OK.
5. To filter access based on the security ratings of the website:
a. Select Web reputation under Services.
b. Move the slider to the required security rating level.
c. From the Action drop-down, select Allow or Deny as required.
6. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high risk sites.
7. Click OK to save the rules.
8. Click OK in the Roles tab to save the changes to the role for which you defined ACL rules.
In the CLI
To control access based on web categories and security ratings:
(Instant AP)(config)# wlan access-rule <access-rule>
(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webcategory <webgrp> {permit|deny} [<option1....option9>]
(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webreputation <webrep> {permit|deny} [<option1....option9>]
(Instant AP)(Access Rule "<access-rule>")# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan access-rule URLFilter
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory gambling deny
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation trustworthy-sites permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule "URLFilter")# end
(Instant AP)# commit apply

Configuring User Roles
Every client in the Instant network is associated with a user role, which determines the client's network privileges, the frequency of reauthentication, and the applicable bandwidth contracts.
Instant allows you to configure up to 32 user roles. If the number of roles exceeds 32, an error message is displayed.
The user role configuration on an IAP involves the following procedures:
• Creating a User Role on page 190
• Assigning Bandwidth Contracts to User Roles on page 190
• Configuring Machine and User Authentication Roles on page 191

Creating a User Role
You can create a user role by using the Instant UI or CLI.
In the Instant UI
To create a user role:
1. Click the Security link at the top right corner of the Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.
You can also create a user role when configuring wireless or wired network profiles. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 103 and Configuring Access Rules for a Wired Profile on page 115.
In the CLI
To configure user roles and access rules:
(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat {<IP-address> <port>|<port>}} [<option1…option9>]

Assigning Bandwidth Contracts to User Roles
Administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the IAP) or downstream (IAP to clients) traffic for a user role. The bandwidth contract will not be applicable to the user traffic on the bridged out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps.
By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. The assigned bandwidth will be served and shared among all the users. You can also assign bandwidth per user to provide every user a specific bandwidth within a range of 1 to 65535 Kbps. If there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.
In the earlier releases, a bandwidth contract could be assigned per SSID. In the current release, the bandwidth contract can also be assigned for each SSID user. If the bandwidth contract is assigned for an SSID in the Instant 6.2.1.0-3.4.0.0 image, and the IAP is upgraded to the 6.4.0.2-4.1 release version, the bandwidth configuration per SSID will be treated as a per-user downstream bandwidth contract for that SSID.
In the Instant UI
1. Click the Security link at the top right corner of the Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Create a new role or select an existing role.
4. Under Access Rules, click New. The New Rule window is displayed.
5. Select Bandwidth Contract from the Rule Type drop-down list.
6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Peruser check box.
7. Click OK.
8. Associate the user role to a WLAN SSID or wired profile.
You can also create a user role and assign bandwidth contracts while configuring an SSID or wired profile.
In the CLI
To assign a bandwidth contract in the CLI:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# bandwidth-limit {downstream <kbps>|upstream <kbps>|peruser {downstream <kbps>|upstream <kbps>}}
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To associate the access rule to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# access-rule-name <access-rule-name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply

Configuring Machine and User Authentication Roles
You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine Authentication is only supported on Windows devices, so this can be used to distinguish between Windows devices and other devices such as iPads.
You can create any of the following types of rules:
• Machine Auth only role - This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.
• User Auth only role - This indicates a known user or a non-Windows device. The device does not support machine auth or does not have a RADIUS account, but the user is logged in and authenticated.
When a device does both machine and user authentication, the user obtains the default role or the derived role based on the RADIUS attribute.
You can configure machine authentication with role-based access control using the Instant UI or CLI.
In the Instant UI
To configure machine authentication with role-based access control, perform the following steps:
1. In the Access tab of the WLAN (New WLAN or Edit <WLAN-profile>) or Wired Network configuration (New Wired Network or Edit Wired Network) window, under Roles, create Machine auth only and User auth only roles.
2. Configure access rules for these roles by selecting the role, and applying the rule. For more information on configuring access rules, see Configuring Access Rules for Network Services on page 177.
3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.
4. Click Finish to apply these changes.
In the CLI
To configure machine and user authentication roles for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure machine and user authentication roles for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply

Configuring Derivation Rules
Instant allows you to configure role and VLAN derivation rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.

Understanding Role Assignment Rule
When an SSID or wired profile is created, a default role for the clients connecting to this SSID or wired profile is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods. The role assigned by some methods may take precedence over the roles assigned by the other methods.

RADIUS VSA Attributes
The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication. The role derived from an Aruba VSA takes precedence over roles defined by other methods.

MAC-Address Attribute
The first three octets in a MAC address are known as the Organizationally Unique Identifier (OUI), and are purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the "assignee") globally and effectively reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee.
IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign a desired role for users who have completed 802.1X authentication and MAC authentication. The user role can be derived from the user attributes after a client associates with an AP. You can configure rules that assign a user role to clients that match a MAC address based criteria. For example, you can assign a voice role to any client with a MAC address starting with a0:a1:a2.

Roles Based on Client Authentication
The user role can be the default user role configured for an authentication method, such as 802.1x authentication. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method.

DHCP Option and DHCP Fingerprinting
The DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on the operating system type, a role can be assigned to the device.
For example, to create a role assignment rule with the DHCP option, select equals from the Operator drop-down list and enter 370103060F77FC in the String text box. Since 370103060F77FC is the fingerprint for Apple iOS devices such as iPad and iPhone, the IAP assigns Apple iOS devices to the role that you choose.

Device                                  DHCP Option   DHCP Fingerprint
Apple iOS                               Option 55     370103060F77FC
Android                                 Option 60     3C64686370636420342E302E3135
Blackberry                              Option 60     3C426C61636B4265727279
Windows 7/Vista Desktop                 Option 55     37010f03062c2e2f1f2179f92b
Windows XP (SP3, Home, Professional)    Option 55     37010f03062c2e2f1f21f92b
Windows Mobile                          Option 60     3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone                         Option 55     370103060f2c2e2f
Apple Mac OS X                          Option 55     370103060f775ffc2c2e2f
Table 36: Validated DHCP Fingerprint

Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
When creating more than one role assignment rule, the first matching rule in the rule list is applied.
You can create role assignment rules by using the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard or Wired settings window:
• To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
• To configure access rules for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab.
3. Under Role Assignment Rules, click New. The New Role Assignment window allows you to define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.

4. Select the attribute that the rule matches against from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 150.
5. Select the operator from the Operator drop-down list. The following types of operators are supported:
• contains—The rule is applied only if the attribute value contains the string specified in Operand.
• Is the role—The rule is applied if the attribute value is the role.
• equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
• not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
• starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
• ends-with—The rule is applied only if the attribute value ends with the string specified in Operand.
• matches-regular-expression—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
6. Enter the string to match in the String text box.
7. Select the appropriate role from the Role drop-down list.
8. Click OK.
When Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.
In the CLI
To configure role assignment rules for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure role assignment rules for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role <attribute> {{equals|not-equal|starts-with|ends-with|contains} <operator> <role>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan ssid-profile Profile1
(Instant AP)(SSID Profile "Profile1")# set-role mac-address-and-dhcp-options matches-regular-expression \bring\b Profile1
(Instant AP)(SSID Profile "Profile1")# end
(Instant AP)# commit apply

Understanding VLAN Assignment
You can assign VLANs to a client based on the following configuration conditions:
• The default VLAN configured for the WLAN can be assigned to a client.
• If VLANs are configured for a WLAN SSID or an Ethernet port profile, the VLAN for the client can be derived before the authentication, from the rules configured for these profiles.
• If a rule derives a specific VLAN, it is prioritized over the user roles that may have a VLAN configured.
• The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication.
• After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS server authentication.
• The DHCP-based VLANs can be derived for Captive Portal authentication.
Instant supports role derivation based on the DHCP option for Captive Portal authentication. When the Captive Portal authentication is successful, the role derivation based on the DHCP option assigns a new user role to the guest users, instead of the pre-authenticated role.

Vendor Specific Attributes
When an external RADIUS server is used, the user VLAN can be derived from the Aruba-User-Vlan VSA. The VSA is then carried in an Access-Accept packet from the RADIUS server. The IAP can analyze the return message and derive the value of the VLAN which it assigns to the user.
Figure 57 RADIUS Access-Accept packets with VSA
Figure 58 Configure VSA on a RADIUS Server

VLAN Assignment Based on Derivation Rules
When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes, and sets an attribute value to the reply message, the IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user. For a complete list of RADIUS server attributes, see RADIUS Server Authentication with VSA on page 150.
Figure 59 Configuring RADIUS Attributes on the RADIUS Server

User Role
If the VSA and VLAN derivation rules are not matching, then the user VLAN can be derived by a user role.

VLANs Created for an SSID
If the VSA and VLAN derivation rules are not matching, and the User Role does not contain a VLAN, the user VLAN can be derived by VLANs configured for an SSID or Ethernet port profile.

Configuring VLAN Derivation Rules
The users are assigned to a VLAN based on the attributes returned by the RADIUS server after the users authenticate.
You can configure VLAN derivation rules for an SSID profile by using the Instant UI or CLI.
In the Instant UI
1. Perform the following steps:
• To configure a VLAN derivation rule for a WLAN SSID profile, click Network > New > New WLAN > VLAN or Network > edit > Edit <WLAN-profile> > VLAN. Select the Dynamic option under the Client VLAN assignment.
• To configure a VLAN derivation rule for a wired network profile, click Wired > New > New Wired Network > VLAN or Wired > Edit > Edit Wired Network > VLAN.
2. Click New to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
Figure 60 VLAN Assignment Rule Window
3. Select the attribute from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 150.
4. Select the operator from the Operator drop-down list. The following types of operators are supported:
• contains—The rule is applied only if the attribute value contains the string specified in Operand.
• equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
• not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
• starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
• ends-with—The rule is applied only if the attribute value ends with the string specified in Operand.
• matches-regular-expression—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
5. Enter the string to match in the String field.
6. Select the appropriate VLAN ID from the VLAN drop-down list.
7. Click OK.
8. Ensure that all other required parameters are configured.
9. Click Finish to apply the changes.
In the CLI
To create a VLAN assignment rule for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure a VLAN assignment rule for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan ssid-profile Profile1
(Instant AP)(SSID Profile "Profile1")# set-vlan mac-address-and-dhcp-options matches-regular-expression ..link 100
(Instant AP)(SSID Profile "Profile1")# end
(Instant AP)# commit apply

Using Advanced Expressions in Role and VLAN Derivation Rules
For complex policies of role and VLAN derivation using device DHCP fingerprints, you can use a regular expression to match against the combined string of the MAC address and the DHCP options. The combined string is formed by concatenating the hexadecimal presentation of the MAC address and all of the DHCP options sent by a particular device. The regular expression is a powerful pattern description language that can be used to perform advanced pattern matching of the above string.
If the combined device fingerprint string matches the specified regular expression, the role or VLAN can be set to the WLAN client.
The following table lists some of the most commonly used regular expressions, which can be used in user role and user VLAN derivation rules:

Operator  Description
.         Matches any character. For example, l..k matches lack, lark, link, lock, look, Lync and so on.
\         Matches the character that follows the backslash. For example, \192.\.0\.. matches IP address ranges that start with 192.0, such as 192.0.1.1. The expression looks only for the single characters that match.
[ ]       Matches any one character listed between the brackets. For example, [bc]lock matches block and clock.
\b        Matches the words that begin and end with the given expression. For example, \bdown matches downlink, linkdown, shutdown.
\B        Matches the middle of a word. For example, \Bvice matches services, devices, serviceID, deviceID, and so on.
^         Matches the characters at starting position in a string. For example, ^bcd matches bcde or bcdf, but not abcd.
[^]       Matches any characters that are not listed between the brackets. For example, [^u]link matches downlink, link, but not uplink.
?         Matches any one occurrence of the pattern. For example, ?est matches best, nest, rest, test and so on.
$         Matches the end of an input string. For example, eth$ matches Eth, but not Ethernet.
*         Matches the declared element multiple times if it exists. For example, eth* matches all occurrences of eth, such as Eth, Ethernet, Eth0 and so on.
+         Matches the declared element one or more times. For example, aa+ matches occurrences of aa and aaa.
( )       Matches nested characters. For example, (192)* matches any number of the character string 192.
|         Matches the character patterns on either side of the vertical bar. You can use this expression to construct a series of options.
\<        Matches the beginning of the word. For example, \<wire matches wired, wireless and so on.
\>        Matches the end of the word. For example, \>list matches blacklist, whitelist, and so on.
{n}       Where n is an integer. Matches the declared element exactly n times. For example, {2}link matches uplink, but not downlink.
{n,}      Where n is an integer. Matches the declared element at least n times. For example, {2,}ink matches downlink, but not uplink.

For information on how to use regular expressions in role and VLAN derivation rules, see the following topics:
• Configuring VLAN Derivation Rules on page 196
• Creating a Role Derivation Rule on page 193
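
The role assignment operators, the first-match ordering, and the combined MAC-and-DHCP-options string described above can be exercised offline before a rule list is committed. The following is an added example, not code from the guide or from Aruba: it rebuilds the Table 36 fingerprints as the option code byte followed by the option payload, then evaluates an ordered rule list. Assumptions: Python's `re` module stands in for the IAP's regular expression engine, the combined string is the MAC in hex followed by each option fingerprint, hex is compared case-insensitively, and the role names, rule list, and client data are constructed.

```python
import re

REGEX_OP = "matches-regular-expression"
COMBINED = "mac-address-and-dhcp-options"

# String operators named on the page (not-equals is handled separately below).
SIMPLE_OPS = {
    "equals": lambda value, operand: value == operand,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with": lambda value, operand: value.endswith(operand),
    "contains": lambda value, operand: operand in value,
}


def dhcp_fingerprint(code, payload):
    """Option code byte followed by the option payload, as lowercase hex.

    Table 36 follows this layout: 0x37 (option 55) + 01 03 06 0F 77 FC.
    """
    if not 0 <= code <= 255:
        raise ValueError("DHCP option code must fit in one byte")
    return (bytes([code]) + bytes(payload)).hex()


def client_attributes(mac, options):
    """Values a rule can test for one client (combined layout is an assumption)."""
    mac_hex = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(mac_hex) != 12:
        raise ValueError("MAC address must contain 12 hex digits")
    prints = [dhcp_fingerprint(code, payload) for code, payload in options]
    return {
        "mac-address": [":".join(mac_hex[i:i + 2] for i in range(0, 12, 2))],
        "dhcp-option": prints,
        COMBINED: [mac_hex + "".join(prints)],
    }


def rule_matches(rule, attrs):
    """Evaluate one (attribute, operator, operand, role) rule."""
    attribute, operator, operand, _role = rule
    values = attrs.get(attribute, [])
    if operator == REGEX_OP:
        # The page allows this operator only with the combined attribute.
        if attribute != COMBINED:
            raise ValueError(REGEX_OP + " requires the " + COMBINED + " attribute")
        return any(re.search(operand, value) for value in values)
    operand = operand.lower()
    if operator == "not-equals":
        return bool(values) and all(value != operand for value in values)
    if operator not in SIMPLE_OPS:
        raise ValueError("unsupported operator: " + operator)
    return any(SIMPLE_OPS[operator](value, operand) for value in values)


def derive_role(rules, attrs, default_role):
    """First matching rule in the list wins; otherwise the default role applies."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return rule[3]
    return default_role


# Constructed rule list: role names are hypothetical.
RULES = [
    ("mac-address", "starts-with", "a0:a1:a2", "voice"),
    ("dhcp-option", "equals", "370103060F77FC", "ios"),
    ("dhcp-option", "starts-with", "3C646863706364", "android"),
    (COMBINED, REGEX_OP, r"^020000.*370103060f77fc", "lab-ios"),
]

# Constructed clients: MAC address and the DHCP options each one sends.
CLIENTS = {
    "desk-phone": ("A0:A1:A2:00:00:10", [(55, bytes.fromhex("0103060f77fc"))]),
    "iphone": ("02:00:00:aa:bb:01", [(55, bytes.fromhex("0103060f77fc"))]),
    "android": ("02:00:00:aa:bb:02", [(60, b"dhcpcd 4.0.15")]),
    "printer": ("02:00:00:aa:bb:03", [(12, b"prn-3f")]),
}


def assign_all(rules=RULES, default_role="default"):
    """Role derived for every sample client under the given rule order."""
    return {
        name: derive_role(rules, client_attributes(mac, options), default_role)
        for name, (mac, options) in CLIENTS.items()
    }


if __name__ == "__main__":
    print("configured order:", assign_all())
    print("reversed order:  ", assign_all(list(reversed(RULES))))
```

Reversing the rule list moves the desk phone from the voice role to the iOS role, which is the effect of first-match ordering. The MAC address and DHCP options are supplied by the client, so keep the access rules on a derived role no broader than the device class needs.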

Configuring a User Role for VLAN Derivation
This section describes the following procedures:
• Creating a User VLAN Role on page 199
• Assigning User VLAN Roles to a Network Profile on page 200

Creating a User VLAN Role
You can create a user role for VLAN derivation using the Instant UI or CLI.
In the Instant UI
To configure a user role for VLAN derivation:
1. Click the Security link at the top right corner of the Instant main window.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.
5. Under the Access rules, click New.
6. Select the Rule type as VLAN assignment.
7. Enter the ID of the VLAN in the VLAN ID text box.
8. Click OK.
In the CLI
To create a VLAN role:
(Instant AP)(config)# wlan access-rule <rule-name>
(Instant AP)(Access Rule <rule-name>)# vlan 200
(Instant AP)(Access Rule <rule-name>)# end
(Instant AP)# commit apply

Assigning User VLAN Roles to a Network Profile
You can configure user VLAN roles for a network profile using the Instant UI or CLI.
In the Instant UI
To assign a user VLAN role:
1. Click Network > New > New WLAN > Access or Network > edit > Edit <WLAN-profile> > Access.
2. Ensure that the slider is at the Role-based option.
3. Click New under the New Role Assignment and configure the following parameters:
a. Select the attribute from the Attribute drop-down list.
b. Select the operator to match from the Operator drop-down list.
c. Enter the string to match in the String text box.
d. Select the role to be assigned from the Role text box. The following figure shows an example for the VLAN role assignment:
Figure 61 User VLAN Role Assignment
4. Click OK.
In the CLI
To assign a VLAN role to a WLAN profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals <operator> <role>|not-equals <operator> <role>|starts-with <operator> <role>|ends-with <operator> <role>|contains <operator> <role>}|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Chapter 13
DHCP Configuration
This chapter provides the following information:
• Configuring DHCP Scopes on page 201
• Configuring the Default DHCP Scope for Client IP Assignment on page 208

Configuring DHCP Scopes
The virtual controller supports different modes of DHCP address assignment. With each DHCP address assignment mode, various client traffic forwarding modes are associated. For more information on client traffic forwarding modes for IAP-VPN, see IAP-VPN Forwarding Modes on page 224.
You can configure the default DHCP scope for virtual controller assigned networks, Distributed L2, Distributed L3, Local or NAT DHCP, Local L3, and Centralized DHCP scopes through the Instant UI or CLI.
This section describes the following procedures:
• Configuring the Default DHCP Scope for Client IP Assignment on page 208
• Configuring Distributed DHCP Scopes on page 201
• Configuring a Centralized DHCP Scope on page 204
• Configuring Local and Local, L3 DHCP Scopes on page 206

Configuring Distributed DHCP Scopes
Instant allows you to configure the DHCP address assignment for the branches connected to the corporate network through VPN. You can configure the range of DHCP IP addresses used in the branches and the number of client addresses allowed per branch. You can also specify the IP addresses that must be excluded from those assigned to clients, so that they are assigned statically.
Instant supports the following distributed DHCP scopes:
• Distributed, L2—In this mode, the Virtual Controller acts as the DHCP server, but the default gateway is in the data center. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the Virtual Controller controls a scope that is a subset of the complete IP address range for the subnet distributed across all the branches. This DHCP assignment mode is used with the L2 forwarding mode.
• Distributed, L3—In this mode, the Virtual Controller acts as the DHCP server and the default gateway. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the Virtual Controller is configured with a unique subnet and a corresponding scope.
You can configure distributed DHCP scopes such as Distributed, L2 or Distributed, L3 by using the Instant UI or CLI.
In the Instant UI
To configure distributed DHCP scopes such as Distributed, L2 or Distributed, L3:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2. To configure a distributed DHCP mode, click New under Distributed DHCP Scopes. The New DHCP Scope window is displayed. The following figure shows the contents of the New DHCP Scope window.

Figure 62 New DHCP Scope: Distributed DHCP Mode
3. Based on the type of distributed DHCP scope, configure the following parameters:
Name    Description
Name    Enter a name for the DHCP scope.
Type    Select any of the following options:
        - Distributed, L2—On selecting Distributed, L2, the Virtual Controller acts as the DHCP Server but the default gateway is in the data center. Traffic is bridged into VPN tunnel.
        - Distributed, L3—On selecting Distributed, L3, the Virtual Controller acts as both DHCP Server and default gateway. Traffic is routed into the VPN tunnel.
VLAN    Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 96 and Configuring VLAN for a Wired Profile on page 113.
Netmask    If Distributed, L2 is selected for type of DHCP scope, specify the subnet mask. The subnet mask and the network determine the size of subnet.
Default router    If Distributed, L2 is selected for type of DHCP scope, specify the IP address of the default router.
DNS Server    If required, specify the IP address of a DNS server.
Domain Name    If required, specify the domain name.
Lease Time    Specify a lease time for the client in minutes.
IP Address Range    Specify a range of IP addresses to use. To add another range, click the + icon. You can specify up to four different ranges of IP addresses.
        - For Distributed, L2 mode, ensure that all IP ranges are in the same subnet as the default router. On specifying the IP address ranges, a subnet validation is performed to ensure that the specified ranges of IP address are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count.
        - For Distributed, L3 mode, you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count.
        NOTE: You can allocate multiple branch IDs (BID) per subnet. The IAP generates a subnet name from the DHCP IP configuration, which the controller can use as a subnet identifier. If static subnets are configured in each branch, all of them are assigned BID 0, which is mapped directly to the configured static subnet.
Option    Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. For example, 176, 242, 161, and so on. To add multiple DHCP options, click the + icon. You can add up to eight DHCP options.
Table 37: Distributed DHCP Mode: Configuration Parameters
4. Click Next.
5. Specify the number of clients to use per branch. The client count configured for a branch determines the use of IP addresses from the IP address range defined for a DHCP scope. For example, if 20 IP addresses are available in an IP address range configured for a DHCP scope and a client count of 9 is configured, only a few IP addresses (in this example, 9) from this range will be used and allocated to a branch. The IAP does not allow the administrators to assign the remaining IP addresses to another branch, although a lower value is configured for the client count.
6. Click Next. The Static IP tab is displayed. Specify the number of first and last IP addresses to reserve in the subnet.
7. Click Finish.
In the CLI
To configure Distributed, L2 DHCP scope:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# ip dhcp server-type <Distributed,L2>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# subnet-mask <subnet-mask>
(Instant AP)(DHCP Profile <profile-name>)# default-router <IP-address>
(Instant AP)(DHCP Profile <profile-name>)# client-count <number>
(Instant AP)(DHCP Profile <profile-name>)# dns-server <name>
(Instant AP)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant AP)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant AP)(DHCP Profile <profile-name>)# ip-range <start-IP> <end-IP>
(Instant AP)(DHCP Profile <profile-name>)# reserve {first|last} <count>
(Instant AP)(DHCP Profile <profile-name>)# option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
To configure Distributed, L3 DHCP scope:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# ip dhcp server-type <Distributed,L3>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# client-count <number>
(Instant AP)(DHCP Profile <profile-name>)# dns-server <name>
(Instant AP)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant AP)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant AP)(DHCP Profile <profile-name>)# ip-range <start-IP> <end-IP>
(Instant AP)(DHCP Profile <profile-name>)# reserve {first|last} <count>
(Instant AP)(DHCP Profile <profile-name>)# option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
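The subnet validation and the client-count split described for Distributed, L2 scopes can be checked offline before a profile is committed. The following is an added example, not code from the guide or from Aruba; the function names are hypothetical, and the way blocks are cut (consecutive, per range, leftovers unused) is an assumption, since the guide does not state how the Virtual Controller orders them.

```python
import ipaddress


def validate_l2_scope(ip_ranges, subnet_mask, default_router):
    """Repeat the check the guide describes for Distributed, L2 scopes.

    Returns (network, errors). Every range must lie in the subnet defined by
    the default router and subnet mask, and at most four ranges are allowed.
    """
    network = ipaddress.ip_network(f"{default_router}/{subnet_mask}", strict=False)
    errors = []
    if len(ip_ranges) > 4:
        errors.append("more than four IP ranges configured")
    for start, end in ip_ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            errors.append(f"{start}-{end}: start address is above end address")
            continue
        # A subnet is contiguous, so checking both endpoints covers the range.
        for addr in (lo, hi):
            if addr not in network:
                errors.append(f"{addr} is outside {network}")
    return network, errors


def branch_blocks(ip_ranges, client_count):
    """Cut each range into consecutive blocks of client_count addresses.

    ASSUMPTION: blocks are consecutive and never span two ranges; addresses
    left over at the end of a range are not handed to any branch.
    """
    if client_count < 1:
        raise ValueError("client count must be at least 1")
    blocks = []
    for start, end in ip_ranges:
        cursor = int(ipaddress.ip_address(start))
        last = int(ipaddress.ip_address(end))
        while cursor + client_count - 1 <= last:
            blocks.append((ipaddress.ip_address(cursor),
                           ipaddress.ip_address(cursor + client_count - 1)))
            cursor += client_count
    return blocks


def summarize_scope(ip_ranges, subnet_mask, default_router, client_count):
    """Validate the scope, then report how many branches it can serve."""
    network, errors = validate_l2_scope(ip_ranges, subnet_mask, default_router)
    if errors:
        return {"network": str(network), "errors": errors, "branches": 0, "unused": 0}
    blocks = branch_blocks(ip_ranges, client_count)
    total = sum(int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
                for start, end in ip_ranges)
    return {"network": str(network), "errors": [], "branches": len(blocks),
            "unused": total - len(blocks) * client_count}


if __name__ == "__main__":
    # Values taken from the distL2 profile in the guide's own CLI example.
    print(summarize_scope([("10.15.205.0", "10.15.205.255")],
                          "255.255.255.0", "10.15.205.254", 5))
```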
Configuring a Centralized DHCP Scope
You can configure centralized, L2 and centralized, L3 DHCP profiles. When a centralized DHCP scope is configured:
- The Virtual Controller does not assign an IP address to the client and the DHCP traffic is directly forwarded to the DHCP Server.
- For Centralized, L2 clients, the Virtual Controller bridges the DHCP traffic to the controller over the VPN/GRE tunnel. The IP address is obtained from the DHCP server behind the controller serving the VLAN/GRE of the client. This DHCP assignment mode also allows you to add the DHCP option 82 to the DHCP traffic forwarded to the controller.
- For Centralized, L3 clients, the Virtual Controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located either in the corporate or local network. The centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
You can configure a centralized DHCP scope through the Instant UI or CLI.
In the Instant UI
To configure a centralized DHCP scope:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2. To configure a centralized DHCP scope, click New under Centralized DHCP Scopes. The New DHCP Scope window is displayed.
3. To configure centralized, L2 profile, select the profile type as Centralized, L2 or Centralized, L3 and configure the following parameters.
Name    Description
Name    Enter a name for the DHCP scope.
Type    Set the type as follows:
        - Centralized, L2 for the centralized, L2 profile
        - Centralized, L3 for the centralized, L3 profile
VLAN    Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 96 and Configuring VLAN for a Wired Profile on page 113.
Split tunnel    Set this to Enabled or Disabled for split tunnel functionality for the centralized, L2 subnet.
        Enabling split tunnel allows a VPN user to access a public network and a local LAN or WAN network at the same time through the same physical network connection. For example, a user can use a remote access VPN software client connecting to a corporate network using a home wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (Web sites, FTP sites and so on), the connection request goes directly out the gateway provided by the home network. The split-DNS functionality intercepts DNS requests from clients for non-corporate domains (as configured in Enterprise Domains list) and forwards them to the AP's own DNS server.
        When split-tunnel is disabled, all the traffic including the corporate and Internet traffic is tunneled irrespective of the routing profile specifications. If the GRE tunnel is down and when the corporate network is not reachable, the client traffic is dropped.
DHCP relay    If you are configuring a Centralized, L2 DHCP profile, you can select Enabled to allow the IAPs to intercept the broadcast packets and relay DHCP requests to centralized DHCP server.
        NOTE: The DHCP relay option is not available for centralized, L3 profile configuration.
Helper address    Specify the IP address of the DHCP server.
        NOTE: For Centralized, L2 DHCP profiles, the Helper address option is displayed only when DHCP relay is enabled.
VLAN IP    Specify the Centralized L3 DHCP subnet gateway IP.
VLAN Mask    Specify the subnet mask of the Centralized L3 DHCP subnet gateway IP.
Option 82    Select Alcatel to enable DHCP Option 82 to allow clients to send DHCP packets with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format. The ALU format for the Option 82 string consists of the following:
        - Remote Circuit ID; X AP-MAC; SSID; SSID-Type
        - Remote Agent; X IDUE-MAC
        NOTE: The Option 82 string is specific to Alcatel and is not configurable.
Table 38: Centralized DHCP Mode: Configuration Parameters
4. Click OK.
The following table describes the behavior of the DHCP Relay Agent and Option 82 in the IAP.
DHCP Relay    Option 82    Behavior
Enabled    Enabled    DHCP packet relayed with the ALU-specific Option 82 string
Enabled    Disabled    DHCP packet relayed without the ALU-specific Option 82 string
Disabled    Enabled    DHCP packet not relayed, but broadcast with the ALU-specific Option 82 string
Disabled    Disabled    DHCP packet not relayed, but broadcast without the ALU-specific Option 82 string
Table 39: DHCP Relay and Option 82
In the CLI
To configure a centralized, L2 DHCP profile:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# server-type <centralized>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# option82 alu
(Instant AP)(DHCP Profile <profile-name>)# disable-split-tunnel
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
To configure a centralized, L3 DHCP profile:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# server-type <centralized>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# dhcp-relay
(Instant AP)(DHCP Profile <profile-name>)# dhcp-server <DHCP-relay-server>
(Instant AP)(DHCP Profile <profile-name>)# vlan-ip <DHCP IP address> mask <VLAN mask>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
Configuring Local and Local, L3 DHCP Scopes
You can configure Local and Local, L3 DHCP scopes through the Instant UI or CLI.
- Local—In this mode, the Virtual Controller acts as both the DHCP Server and the default gateway. The configured subnet and the corresponding DHCP scope are independent of subnets configured in other IAP clusters. The Virtual Controller assigns an IP address from a local subnet and forwards traffic to both corporate and non-corporate destinations. The network address is translated appropriately and the packet is forwarded through the IPSec tunnel or through the uplink. This DHCP assignment mode is used for the NAT forwarding mode.
- Local, L3—This DHCP assignment mode is used with the L3 forwarding mode. In this mode, the Virtual Controller acts as a DHCP server and the gateway, and assigns an IP address from the local subnet. The IAP routes the packets sent by clients on its uplink. The Local, L3 subnets can now access the corporate network through the IPsec tunnel. The network address for all traffic generated by clients in Local, L3 subnets is translated at the source by using the tunnel inner IP to the corporate subnet. However, if corporate access to Local, L3 is not required, you can configure ACL rules to deny access.
In the Instant UI
To configure a Local or Local, L3 DHCP scope:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2. To configure a Local or Local, L3 DHCP scope, click New under Local DHCP Scopes. The New DHCP Scope window is displayed.
3. Based on type of DHCP scope selected, configure the following parameters:

Name    Description
Name    Enter a name for the DHCP scope.
Type    Select any of the following options:
        - Local—On selecting Local, the DHCP server for local branch network is used for keeping the scope of the subnet local to the IAP. In the NAT mode, the traffic is forwarded through the IPSec tunnel or the uplink.
        - Local, L3—On selecting Local, L3, the Virtual Controller acts as a DHCP server and gateway. In this mode, the IAP routes the packets sent by clients and also adds a route on the controller, after the VPN tunnel is set up during the registration of the subnet.
VLAN    Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 96 and Configuring VLAN for a Wired Profile on page 113.
Network    Specify the network to use.
Netmask    If Local or Local, L3 is selected, specify the subnet mask. The subnet mask and the network determine the size of subnet.
Excluded address    If Local, L3 is selected, specify the IP address to exclude. The value entered in the field determines the exclusion range of the subnet. Based on the size of the subnet, the IP addresses that come before or after the IP address value specified in this field are excluded.
DNS Server    If required, specify the IP address of a DNS server for the Local and Local, L3 scopes.
Domain Name    If required, specify the domain name for the Local and Local, L3 scopes.
Lease Time    Specify a lease time for the client in minutes.
Option    Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. For example, 176, 242, and 161. To add multiple DHCP options, click the + icon.
Table 40: DHCP Mode: Configuration Parameters
4. Click OK.
In the CLI
To configure Local DHCP scope:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# server-type <Local>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# subnet <IP-address>
(Instant AP)(DHCP Profile <profile-name>)# subnet-mask <subnet-mask>
(Instant AP)(DHCP Profile <profile-name>)# dns-server <name>
(Instant AP)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant AP)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant AP)(DHCP Profile <profile-name>)# option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
To configure Local, L3 DHCP scope:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# server-type <Local,L3>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
(Instant AP)(DHCP Profile <profile-name>)# subnet <IP-address>
(Instant AP)(DHCP Profile <profile-name>)# subnet-mask <subnet-mask>
(Instant AP)(DHCP Profile <profile-name>)# exclude-address <IP-address>
(Instant AP)(DHCP Profile <profile-name>)# dns-server <name>
(Instant AP)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant AP)(DHCP Profile <profile-name>)# lease-time <minutes>
(Instant AP)(DHCP Profile <profile-name>)# option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
Configuring the Default DHCP Scope for Client IP Assignment
The DHCP server is a built-in server, used for networks in which clients are assigned IP addresses by the Virtual Controller. You can customize the DHCP pool subnet and address range to provide simultaneous access to more clients. The largest address pool supported is 2048. The default size of the IP address pool is 512.
When the DHCP server is configured and if the Client IP assignment parameter for an SSID profile is set to Virtual Controller Assigned, the Virtual Controller assigns the IP addresses to the WLAN or wired clients. By default, the IAP automatically determines a suitable DHCP pool for Virtual Controller Assigned networks.
In the current release, the IAP typically selects the 172.31.98.0/23 subnet. If the IP address of the IAP is within the 172.31.98.0/23 subnet, the IAP selects the 10.254.98.0/23 subnet. However, this mechanism does not guarantee that it would avoid all possible conflicts with the wired network. If your wired network uses either 172.31.98.0/23 or 10.254.98.0/23, and you experience problems with the Virtual Controller Assigned networks after upgrading to Aruba Instant 6.2.1.0-3.4 or later, manually configure the DHCP pool by following the steps described in this section.
You can configure a domain name, DNS server, and DHCP server for client IP assignment using the Instant UI or CLI.
In the Instant UI
1. Navigate to More > DHCP Server tab. The DHCP Server tab contents are displayed.
Figure 63 DHCP Servers Window
2. Enter the domain name of the client in the Domain name text box.
3. Enter the IP addresses of the DNS servers separated by a comma (,) in the DNS server(s) text box.
4. Enter the duration of the DHCP lease in the Lease time text box.
5. Select Minutes, Hours, or Days for the lease time from the drop-down list next to Lease time. The default lease time is 0.
6. Enter the network range for the client IP addresses in the Network field. The system generates a network range automatically that is sufficient for 254 addresses. If you want to provide simultaneous access to more clients, specify a larger range.
7. Specify the subnet mask details for the network range in the Mask text box.
The DNS cache function is only enabled when content-filtering is disabled.
8. Click OK to apply the changes.
In the CLI
To configure a DHCP pool:
(Instant AP)(config)# ip dhcp pool
(Instant AP)(DHCP)# domain-name <domain>
(Instant AP)(DHCP)# dns-server <DNS-IP-address>
(Instant AP)(DHCP)# lease-time <lease-time>
(Instant AP)(DHCP)# subnet <IP-address>
(Instant AP)(DHCP)# subnet-mask <subnet-mask>
To view the DHCP database:
(Instant AP)# show ip dhcp database
DHCP Subnet :192.0.2.0
DHCP Netmask :255.255.255.0
DHCP Lease Time(m) :20
DHCP Domain Name :example.com
DHCP DNS Server :192.0.2.1
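The automatic pool selection described above only looks at the IAP's own address, so a wired subnet that overlaps the chosen /23 goes unnoticed. The following added example (not from the guide; function names and the sample wired subnets are constructed) applies the stated selection rule, lists overlapping wired subnets, and checks a manually chosen pool against the 2048 limit, which is read here as a count of addresses.

```python
import ipaddress

# Pools named in the guide for Virtual Controller Assigned networks.
PRIMARY_POOL = ipaddress.ip_network("172.31.98.0/23")
FALLBACK_POOL = ipaddress.ip_network("10.254.98.0/23")
MAX_POOL_SIZE = 2048  # largest address pool the guide says is supported


def auto_selected_pool(iap_ip):
    """Pool the IAP picks according to the rule stated in the guide."""
    in_primary = ipaddress.ip_address(iap_ip) in PRIMARY_POOL
    return FALLBACK_POOL if in_primary else PRIMARY_POOL


def wired_conflicts(pool, wired_subnets):
    """Wired subnets (CIDR strings) that overlap the given DHCP pool."""
    return [str(net) for net in map(ipaddress.ip_network, wired_subnets)
            if net.overlaps(pool)]


def check_manual_pool(subnet, subnet_mask, wired_subnets):
    """Validate a pool meant for 'ip dhcp pool' before it is committed."""
    pool = ipaddress.ip_network(f"{subnet}/{subnet_mask}", strict=False)
    issues = []
    if pool.num_addresses > MAX_POOL_SIZE:
        issues.append(f"{pool} has {pool.num_addresses} addresses, above {MAX_POOL_SIZE}")
    for net in wired_conflicts(pool, wired_subnets):
        issues.append(f"{pool} overlaps wired subnet {net}")
    return pool, issues


if __name__ == "__main__":
    # Constructed site: the IAP sits outside 172.31.98.0/23, yet a wired
    # subnet uses the upper half of that /23.
    wired = ["192.168.1.0/24", "172.31.99.0/24"]
    pool = auto_selected_pool("192.168.1.10")
    print(pool, wired_conflicts(pool, wired))
    print(check_manual_pool("192.0.2.0", "255.255.255.0", wired))
```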
Chapter 14
VPN Configuration
This chapter describes the following VPN configuration procedures:
- Understanding VPN Features on page 210
- Configuring a Tunnel from an IAP to Aruba Mobility Controller on page 210
- Configuring Routing Profiles on page 221
Understanding VPN Features
As IAPs use a Virtual Controller architecture, the IAP network does not require a physical controller to provide the configured WLAN services. However, a physical controller is required for terminating Virtual Private Networks (VPN) tunnels from the IAP networks at branch locations to data centers, where the Aruba controller acts as a VPN concentrator.
When the VPN is configured, the IAP acting as the Virtual Controller creates a VPN tunnel to an Aruba mobility controller in your corporate office. The controller acts as a VPN end-point and does not supply the IAP with any configuration.
The VPN features are recommended for:
- Enterprises with many branches that do not have a dedicated VPN connection to the corporate office.
- Branch offices that require multiple APs.
- Individuals working from home, connecting to the VPN.
The survivability feature of IAPs with the VPN connectivity of RAPs allows you to provide corporate connectivity on non-corporate networks.
Configuring a Tunnel from an IAP to Aruba Mobility Controller
IAP supports the configuration of tunneling protocols such as Generic Routing Encapsulation (GRE), IPsec, and L2TPv3. This section describes the procedure for configuring VPN host settings on an IAP to enable communication with a controller in a remote location:
- Configuring an IPSec Tunnel on page 210
- Enabling Automatic Configuration of GRE Tunnel on page 212
- Manually Configuring a GRE Tunnel on page 214
- Configuring an L2TPv3 Tunnel on page 215
Configuring an IPSec Tunnel
An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPSec tunnel to the controller secures corporate data.
You can configure an IPSec tunnel from Virtual Controller using the Instant UI or CLI.
In the Instant UI
To configure a tunnel using the IPSec protocol:
1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed.
2. Select Aruba IPSec from the Protocol drop-down list.

3. Enter the IP address or fully qualified domain name (FQDN) for the primary VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you specify the primary and backup host details, the other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in Figure 64.
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional.
b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches back to the primary host after the specified hold-time. The default value for Hold time is 600 seconds.
c. To allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately, select Enabled from the Fast failover drop-down list. When fast failover is enabled and if the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
d. To disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary, set Reconnect user on failover to Enabled.
e. To configure an interval during which the wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect time on failover within a range of 30—900 seconds. By default, the reconnection duration is set to 60 seconds.
f. Specify a value in seconds for Secs between test packets. Based on the configured frequency, the IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the IAP sends one packet to the controller every 5 seconds.
g. Enter a value for Max allowed test packet loss, to define a number for lost packets, after which the IAP can determine that the VPN connection is unavailable. The default value is 2.
Figure 64 IPSec Configuration
6. Click Next to create routing profiles. When the IPsec tunnel configuration is completed, the packets that are sent from and received by an IAP are encrypted.
In the CLI
To configure an IPSec VPN tunnel:
(Instant AP)(config)# vpn primary <name>
(Instant AP)(config)# vpn backup <name>
(Instant AP)(config)# vpn fast-failover
(Instant AP)(config)# vpn hold-time <seconds>
(Instant AP)(config)# vpn preemption
(Instant AP)(config)# vpn monitor-pkt-send-freq <frequency>
(Instant AP)(config)# vpn monitor-pkt-lost-cnt <count>
(Instant AP)(config)# vpn reconnect-user-on-failover
(Instant AP)(config)# vpn reconnect-time-on-failover <down_time>
(Instant AP)(config)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# vpn primary 192.0.2.18
(Instant AP)(config)# vpn backup 192.0.2.18
(Instant AP)(config)# vpn fast-failover
(Instant AP)(config)# vpn preemption
(Instant AP)(config)# ip dhcp distl2
(Instant AP)(DHCP Profile "distL2")# server-type Distributed,L2
(Instant AP)(DHCP Profile "distL2")# server-vlan 2
(Instant AP)(DHCP Profile "distL2")# ip-range 10.15.205.0 10.15.205.255
(Instant AP)(DHCP Profile "distL2")# subnet-mask 255.255.255.0
(Instant AP)(DHCP Profile "distL2")# lease-time 86400
(Instant AP)(DHCP Profile "distL2")# default-router 10.15.205.254
(Instant AP)(DHCP Profile "distL2")# dns-server 10.13.6.110,10.1.1.50
(Instant AP)(DHCP Profile "distL2")# domain-name arubanetworks.com
(Instant AP)(DHCP Profile "distL2")# client-count 5
(Instant AP)(config)# ip dhcp local
(Instant AP)(DHCP Profile "local")# server-type Local
(Instant AP)(DHCP Profile "local")# server-vlan 200
(Instant AP)(DHCP Profile "local")# subnet 172.16.200.1
(Instant AP)(DHCP Profile "local")# subnet-mask 255.255.255.0
(Instant AP)(DHCP Profile "local")# lease-time 86400
(Instant AP)(DHCP Profile "local")# dns-server 10.13.6.110,10.1.1.50
(Instant AP)(DHCP Profile "local")# domain-name arubanetworks.com
To view VPN configuration:
Instant Access Point# show vpn config
Enabling Automatic Configuration of GRE Tunnel
GRE is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a controller and the IAPs. The automatic GRE feature uses the IPSec connection between the IAP and controller to send the control information for setting up a GRE tunnel. When automatic GRE configuration is enabled, a single IPSec tunnel between the IAP cluster and the controller and one or several GRE tunnels are created based on the Per-AP tunnel configuration on the IAP. When this feature is enabled on the IAP, no manual configuration is required on the controller to create the GRE tunnel.
Automatic configuration of the GRE tunnel is supported only on Aruba controllers. This feature is not supported on controllers running ArubaOS 6.3.x.x or lower versions.
You can configure an IAP to automatically set up a GRE tunnel from the IAP to Controller by using the Instant UI or CLI.
In the Instant UI
1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed.
2. Select Aruba GRE from the Protocol drop-down list.
3. Enter the IP address or FQDN for the main VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in Figure 65.
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional.
b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
c. To allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately, select Enabled or Disabled from the Fast failover drop-down list. If the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
d. To disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary, set Reconnect user on failover to Enabled.
e. To configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect time on failover within the range of 30—900 seconds. By default, the reconnection duration is set to 60 seconds.
f. Specify a value in seconds for Secs between test packets. Based on the configured frequency, the IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the IAP sends one packet to the controller every 5 seconds.
g. Enter a value for Max allowed test packet loss, to define a number for lost packets, after which the IAP can determine that the VPN connection is unavailable. The default value is 2.
h. Select Enabled or Disabled from the Per-AP tunnel drop-down list. The administrator can enable this option to create a GRE tunnel from each IAP to the VPN/GRE Endpoint rather than the tunnels created just from the master IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the IAP itself and need not be forwarded through the master IAP.
Figure 65 Aruba GRE Configuration
6. Click Next to continue.

In the CLI
To enable automatic configuration of the GRE tunnel:
(Instant AP)(config)# vpn gre-outside
(Instant AP)(config)# vpn primary <name/IP-address>
(Instant AP)(config)# vpn backup <name/IP-address>
(Instant AP)(config)# vpn fast-failover
(Instant AP)(config)# vpn hold-time <seconds>
(Instant AP)(config)# vpn preemption
(Instant AP)(config)# vpn monitor-pkt-send-freq <frequency>
(Instant AP)(config)# vpn monitor-pkt-lost-cnt <count>
(Instant AP)(config)# vpn reconnect-user-on-failover
(Instant AP)(config)# vpn reconnect-time-on-failover <down_time>
(Instant AP)(config)# end
(Instant AP)# commit apply
To view VPN configuration details:
(Instant AP)# show vpn config
Manually Configuring a GRE Tunnel
You can also manually configure a GRE tunnel by configuring the GRE tunnel parameters on the IAP and controller. This procedure describes the steps involved in the manual configuration of a GRE tunnel from Virtual Controller by using the Instant UI or CLI.
During the manual GRE setup, you can either use the Virtual Controller IP or the IAP IP to create the GRE tunnel at the controller side depending upon the following IAP settings:
- If a Virtual Controller IP is configured and if Per-AP tunnel is disabled, the Virtual Controller IP is used to create the GRE tunnel.
- If a Virtual Controller IP is not configured or if Per-AP tunnel is enabled, the IAP IP is used to create the GRE tunnel.
For information on the GRE tunnel configuration on controller, see ArubaOS User Guide.
In the Instant UI
1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed.
2. Select Manual GRE from the Protocol drop-down list.
3. Specify the following parameters. A sample configuration is shown in Figure 66.
a. Enter an IP address or the FQDN for the main VPN/GRE endpoint.
b. Enter a value for the GRE type parameter.
c. Select Enabled or Disabled from the Per-AP tunnel drop-down list. The administrator can enable this option to create a GRE tunnel from each IAP to the VPN/GRE Endpoint rather than the tunnels created just from the master IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the IAP itself and need not be forwarded through the master IAP.
By default, the Per-AP tunnel option is disabled.
Figure 66 Manual GRE Configuration
4. Click Next to continue. When the GRE tunnel configuration is completed on both the IAP and Controller, the packets sent from and received by an IAP are encapsulated, but not encrypted.
In the CLI
To configure a manual GRE VPN tunnel:
(Instant AP)(config)# gre primary <name>
(Instant AP)(config)# gre type <type>
(Instant AP)(config)# gre per-ap-tunnel
(Instant AP)(config)# end
(Instant AP)# commit apply
To view VPN configuration details:
Instant Access Point# show vpn config
To configure GRE tunnel on the controller:
(host)(config)# interface tunnel <Number>
(host)(config-tunnel)# description <Description>
(host)(config-tunnel)# tunnel mode gre <ID>
(host)(config-tunnel)# tunnel source <controller-IP>
(host)(config-tunnel)# tunnel destination <AP-IP>
(host)(config-tunnel)# trusted
(host)(config-tunnel)# tunnel vlan <allowed-VLAN>
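The three tunnel procedures above differ in what they protect: the guide states that IPSec traffic is encrypted, that manual GRE traffic is encapsulated but not encrypted, and for automatic GRE only that control information travels over IPSec. The following added example (not Aruba's code; function names and finding labels are hypothetical, and the sample configs are constructed apart from the first, which repeats the guide's IPSec example) classifies a saved Instant CLI configuration and flags the points a reviewer would check.

```python
import re

# Strips a leading CLI prompt such as "(Instant AP)(config)# ".
PROMPT = re.compile(r"^\s*\([^#]*#\s*")

# First four lines of the guide's own IPSec example.
GUIDE_IPSEC_EXAMPLE = """\
(Instant AP)(config)# vpn primary 192.0.2.18
(Instant AP)(config)# vpn backup 192.0.2.18
(Instant AP)(config)# vpn fast-failover
(Instant AP)(config)# vpn preemption
"""

# Constructed samples (addresses are documentation-range placeholders).
MANUAL_GRE_SAMPLE = """\
(Instant AP)(config)# gre primary 192.0.2.50
(Instant AP)(config)# gre per-ap-tunnel
"""
AUTO_GRE_SAMPLE = """\
(Instant AP)(config)# vpn gre-outside
(Instant AP)(config)# vpn primary 192.0.2.18
(Instant AP)(config)# vpn fast-failover
"""


def parse_commands(config_text):
    """Return each non-empty config line as a list of words, prompt removed."""
    commands = []
    for line in config_text.splitlines():
        words = PROMPT.sub("", line).split()
        if words:
            commands.append(words)
    return commands


def first_arg(commands, *prefix):
    """Argument following prefix, "" for a bare keyword, None if absent."""
    for words in commands:
        if tuple(words[:len(prefix)]) == prefix:
            return words[len(prefix)] if len(words) > len(prefix) else ""
    return None


def audit_tunnel(config_text):
    """Return (mode, findings) for the tunnel settings in a config dump."""
    cmds = parse_commands(config_text)
    vpn_primary = first_arg(cmds, "vpn", "primary")
    vpn_backup = first_arg(cmds, "vpn", "backup")
    gre_primary = first_arg(cmds, "gre", "primary")
    auto_gre = first_arg(cmds, "vpn", "gre-outside") is not None
    fast_failover = first_arg(cmds, "vpn", "fast-failover") is not None

    findings = []
    if gre_primary:
        # Guide: manual GRE packets are encapsulated, but not encrypted.
        mode = "manual-gre"
        findings.append("unencrypted-data-path")
    elif vpn_primary and auto_gre:
        # Guide only says control information is sent over IPSec.
        mode = "automatic-gre"
        findings.append("confirm-gre-data-protection")
    elif vpn_primary:
        mode = "ipsec"
    else:
        return "none", ["no-tunnel-configured"]

    if mode != "manual-gre":
        if not vpn_backup:
            findings.append("no-backup-host")
            if fast_failover:
                findings.append("fast-failover-without-backup")
        elif vpn_backup == vpn_primary:
            # A backup identical to the primary gives no redundancy.
            findings.append("backup-equals-primary")
    return mode, findings


if __name__ == "__main__":
    for sample in (GUIDE_IPSEC_EXAMPLE, MANUAL_GRE_SAMPLE, AUTO_GRE_SAMPLE):
        print(audit_tunnel(sample))
```

Run against the guide's own IPSec example, the audit reports that the backup host is the same address as the primary.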
Configuring an L2TPv3 Tunnel
The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows the IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to the L2TP Network Server (LNS). In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with an IAP get the IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel. In this release, L2TPv3 supports the following:
- Instant supports tunnel and session configuration, and uses Control Message Authentication (RFC 3931) for tunnel and session establishment. Each L2TPv3 tunnel supports one data connection and this connection is termed as an L2TPv3 session.
- Each IAP supports tunneling over UDP only.
- If the primary LNS is down, it fails over to the backup LNS. L2TPv3 has one tunnel profile and under this, one primary peer and a backup peer are configured. If the primary tunnel creation fails or if the primary tunnel gets deleted, the backup starts. The following two failover modes are supported:
  - Preemptive: In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary tunnel resumes as an active tunnel. If you configure the tunnel to be preemptive, and when the primary tunnel goes down, it starts the persistence timer which tries to bring up the primary tunnel.
  - Non-Preemptive: In this mode, when the backup tunnel is established after the primary tunnel goes down, it does not make the primary tunnel active again.
- L2TPv3 configuration is supported on the following IAPs:
  - RAP-108
  - RAP-109
  - IAP-135
You can configure an L2TPv3 tunnel and session profiles through the Instant UI or CLI.
In the Instant UI
1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed.
Figure 67 L2TPv3 Tunneling
2. Select L2TPv3 from the Protocol drop-down list.
3. Configure the tunnel profile:
a. Enter the tunnel name to be used for tunnel creation.
Figure 68 Tunnel Configuration
   b. Enter the primary server IP address.
   c. Enter the remote end backup tunnel IP address. This is an optional field and is required only when backup server is configured.
   d. Enter the remote end UDP port number. The default value is 1701.
   e. Enter the interval at which the hello packets are sent through the tunnel. The default value is 60 seconds.
   f. Select the message digest as MD5 or SHA used for message authentication.
   g. Enter a shared key for the message digest. This key should match with the tunnel endpoint shared key.
   h. If required, select the failover mode as Primary or Backup (when the backup server is available).
   i. Specify a value for the tunnel MTU value if required. The default value is 1460.
   j. Click OK.
4. Configure the session profile:
   a. Enter the session name to be used for session creation.
Figure 69 Session Configuration
   b. Enter the tunnel profile name where the session will be associated.
   c. Configure the tunnel IP address with the corresponding network mask and VLAN ID. This is required to reach an AP from a corporate network. For example, SNMP polling.
   d. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set.
   e. Specify the remote end ID.
   f. If required, enable default l2 specific sublayer in the L2TP session.
   g. Click OK.
5. Click Next to continue.

In the CLI

To configure an L2TPv3 VPN tunnel profile:
(Instant AP)(config)# l2tpv3 tunnel <l2tpv3_tunnel_profile>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# primary peer-address <peer_ip_addr_tunnel>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# backup peer-address <peer_ip_addr_tunnel>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# checksum
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# failover-mode <mode>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# failover-retry-count <retry_count>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# failover-retry-interval <interval_in_sec>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# hello-timeout <interval_in_sec>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# local-port <local_udp_port>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# peer-port <peer_udp_port>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# message-digest-type <digest_algo>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# secret-key <key>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# mtu <tunnel_MTU>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_tunnel_profile>)# end
(Instant AP)# commit apply

To configure an L2TPv3 session profile:
(Instant AP)(config)# l2tpv3 session <l2tpv3_session_profile>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# cookie len <len_of_cookie> value <cookie_val>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# l2tpv3 tunnel <l2tpv3_tunnel_name_to_associate>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# tunnel-ip <local_ip_addr_tunnel> mask <tunnel_mask> vlan <tunnel_mgmt_vlan>
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# default-l2-specific-sublayer
(Instant AP)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# end
(Instant AP)# commit apply

Example

(Instant AP)(config)# l2tpv3 tunnel test_tunnel
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# primary peer-address 10.0.0.65
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# backup peer-address 10.0.0.63
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# no checksum
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# failover-mode non-preemptive
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# failover-retry-count 5
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# failover-retry-interval 80
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# hello-timeout 150
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# mtu 1570
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# peer-port 3000
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# secret-key test123
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# end
(Instant AP)# commit apply
(Instant AP)(config)# l2tpv3 session test_session
(Instant AP)(L2TPv3 Session Profile "test_session")# cookie len 4 value 12345678
(Instant AP)(L2TPv3 Session Profile "test_session")# l2tpv3 tunnel test_tunnel
(Instant AP)(L2TPv3 Session Profile "test_session")# tunnel-ip 1.1.1.1 mask 255.255.255.0 vlan 5
(Instant AP)(L2TPv3 Tunnel Profile "test_tunnel")# end
(Instant AP)# commit apply

To view L2TPv3 configuration:
(Instant AP)# show l2tpv3 config
L2TPV3 Tunnel configuration
---------------------------
Tunnel Profile  Primary Peer  Backup Peer  Peer UDP Port  Local UDP Port  Hello Interval  Host Name         MTU   Message Digest Type  secret Key                        Failover Mode   Failover Retry Count  Retry Interval  Checksum
--------------  ------------  -----------  -------------  --------------  --------------  ---------         ---   -------------------  ----------                        -------------   --------------------  --------------  --------
test_tunnel     10.0.0.63     10.0.0.65    3000           1701            150             Instant-C4:42:98  1570  MD5                  625beed39fa4ff3424edb3082ede48fa  non-preemptive  5                     80              Disabled

L2TPV3 Session configuration
----------------------------
Session Name  Tunnel Name  Local tunnel IP  Tunnel Mask    Tunnel Vlan  Session Cookie Length  Session Cookie  Session Remote End ID
------------  -----------  ---------------  -----------    -----------  ---------------------  --------------  ---------------------
test_session               1.1.1.1          255.255.255.0  5            0                      0               0

To view L2TPv3 global configuration:
(Instant AP)# show l2tpv3 global parameter
L2TPV3 Global configuration
---------------------------
Host Name
----------
Instant-C4:42:98

To view L2TPV3 session status:
(Instant AP)# show l2tpv3 session status
Session 1821009927 on tunnel 858508253:-
type: LAC Incoming Call, state: ESTABLISHED
created at: Jul 2 04:58:45 2013
administrative name: 'test_session' (primary)
created by admin: YES, peer session id: 12382
session profile name: test_session_primary
data sequencing required: OFF
use data sequence numbers: OFF
Peer configuration data:-
data sequencing required: OFF
framing types:
data rx packets: 16, rx bytes: 1560, rx errors: 0 rx cookie error 0
data tx packets: 6, tx bytes: 588, tx errors: 0

To view L2TPV3 tunnel status:
(Instant AP)# show l2tpv3 tunnel status
Tunnel 858508253, from 10.13.11.29 to 10.13.11.157:-
state: ESTABLISHED
created at: Jul 2 04:58:25 2013
administrative name: 'test_tunnel' (primary)
created by admin: YES, tunnel mode: LAC, persist: YES
local host name: Instant-C4:42:98
peer tunnel id: 1842732147, host name: aruba1600pop636635.hsbtst2.aus
UDP ports: local 1701, peer 3000
session limit: 0, session count: 1
tunnel profile: test_tunnel_primary, peer profile: default
session profile: default
hello timeout: 150, retry timeout: 80, idle timeout: 0
rx window size: 10, tx window size: 10, max retries: 5
use udp checksums: OFF
do pmtu discovery: OFF, mtu: 1460
trace flags: PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
peer vendor name: Katalix Systems Ltd. Linux-2.6.32-358.2.1.el6.x86_64 (x86_64)
peer protocol version: 1.0, firmware 0
peer rx window size: 10
Transport status:-
ns/nr: 98/97, peer 98/96
cwnd: 10, ssthresh: 10, congpkt_acc: 9
Transport statistics:-
out-of-sequence control/data discards: 0/0
ACKs tx/txfail/rx: 0/0/96
retransmits: 0, duplicate pkt discards: 0, data pkt discards: 0
hellos tx/txfail/rx: 94/0/95
control rx packets: 193, rx bytes: 8506
control tx packets: 195, tx bytes: 8625
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 6, tx bytes: 588, tx errors: 0
establish retries: 0

To view L2TPv3 tunnel config:
(Instant AP)# show l2tpv3 tunnel config
Tunnel profile test_tunnel_primary
l2tp host name: Instant-C4:42:98
local UDP port: 1701
peer IP address: 10.0.0.65
peer UDP port: 3000
hello timeout 150, retry timeout 80, idle timeout 0
rx window size 10, tx window size 10, max retries 5
use UDP checksums: OFF
do pmtu discovery: OFF, mtu: 1570
framing capability: SYNC ASYNC
bearer capability: DIGITAL ANALOG
use tiebreaker: OFF
peer profile: NOT SET
session profile: NOT SET
trace flags: PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
Tunnel profile test_tunnel_backup
l2tp host name: aruba1600pop658509.hsb-dev4.aus
local UDP port: 1701
peer IP address: 10.13.11.157
peer UDP port: 1701
hello timeout 60, retry timeout 1, idle timeout 0
rx window size 10, tx window size 10, max retries 5
use UDP checksums: OFF
do pmtu discovery: OFF, mtu: 1460
framing capability: SYNC ASYNC
bearer capability: DIGITAL ANALOG
use tiebreaker: OFF
peer profile: NOT SET
session profile: NOT SET
trace flags: PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI

To view L2TPv3 system statistics:
(Instant AP)# show l2tpv3 system statistics
L2TP counters:-
Total messages sent: 99, received: 194, retransmitted: 0
illegal: 0, unsupported: 0, ignored AVPs: 0, vendor AVPs: 0
Setup failures: tunnels: 0, sessions: 0
Resource failures: control frames: 0, peers: 0
tunnels: 0, sessions: 0
Limit exceeded errors: tunnels: 0, sessions: 0
Frame errors: short frames: 0, wrong version frames: 0
unexpected data frames: 0, bad frames: 0
Internal: authentication failures: 0, message encode failures: 0
no matching tunnel discards: 0, mismatched tunnel ids: 0
no matching session_discards: 0, mismatched session ids: 0
total control frame send failures: 0, event queue fulls: 0
Message counters:-
Message    RX Good  RX Bad  TX
ILLEGAL    0        0       0
SCCRQ      0        0       1
SCCRP      1        0       0
SCCCN      0        0       1
STOPCCN    0        0       0
RESERVED1  0        0       0
HELLO      95       0       95
OCRQ       0        0       0
OCRP       0        0       0
OCCN       0        0       0
ICRQ       0        0       1
ICRP       1        0       0
ICCN       0        0       1
RESERVED2  0        0       0
CDN        0        0       0
WEN        0        0       0
SLI        0        0       0
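
A configuration check for the tunnel and session profile settings described above, written for this edit as an added example (not Aruba code). It flags an MD5 or unset message digest, a missing or short shared key, a session without a cookie, and a cookie value that does not match its length; the indented one-command-per-line layout, the 16-character key threshold, the hex cookie encoding and the function names are assumptions.

```python
import re

MIN_SECRET_LEN = 16  # assumed local policy threshold, not a value from the guide

# Constructed sample: the guide's example commands plus one session without a
# cookie. One command per line, settings indented under their profile
# (this layout is an assumption of the example).
SAMPLE_CONFIG = """\
l2tpv3 tunnel test_tunnel
 primary peer-address 10.0.0.65
 backup peer-address 10.0.0.63
 no checksum
 failover-mode non-preemptive
 hello-timeout 150
 peer-port 3000
 secret-key test123
l2tpv3 session test_session
 cookie len 4 value 12345678
 l2tpv3 tunnel test_tunnel
 tunnel-ip 1.1.1.1 mask 255.255.255.0 vlan 5
l2tpv3 session bare_session
 l2tpv3 tunnel test_tunnel
"""

# Constructed sample with the findings addressed (key and cookie are made up).
HARDENED_CONFIG = """\
l2tpv3 tunnel branch_tunnel
 primary peer-address 10.0.0.65
 message-digest-type SHA
 secret-key 7hK2-constructed-example-key
l2tpv3 session branch_session
 cookie len 4 value 9f3a61c7
 l2tpv3 tunnel branch_tunnel
"""


def parse_profiles(text):
    """Return {(kind, name): {first_word: [remaining words]}} per profile."""
    profiles, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():
            # A top-level line opens a profile: "l2tpv3 tunnel|session <name>".
            current = None
            if len(words) == 3 and words[0] == "l2tpv3" and words[1] in ("tunnel", "session"):
                current = profiles.setdefault((words[1], words[2]), {})
        elif current is not None:
            if words[0] == "no" and len(words) > 1:
                current[words[1]] = ["no"]  # negated setting, e.g. "no checksum"
            else:
                current[words[0]] = words[1:]
    return profiles


def audit(text):
    """Return sorted (profile_name, finding) pairs for weak L2TPv3 settings."""
    profiles = parse_profiles(text)
    findings = []
    for (kind, name), cfg in profiles.items():
        if kind == "tunnel":
            digest = "".join(cfg.get("message-digest-type", [])).upper()
            if digest in ("", "MD5"):
                # The guide's show output reports MD5 for a profile that never set a digest.
                findings.append((name, "digest-md5-or-unset"))
            secret = "".join(cfg.get("secret-key", []))
            if not secret:
                findings.append((name, "no-secret-key"))
            elif len(secret) < MIN_SECRET_LEN:
                findings.append((name, "short-secret-key"))
        else:
            cookie = " ".join(cfg.get("cookie", []))
            match = re.fullmatch(r"len (\d+) value ([0-9A-Fa-f]+)", cookie)
            if not cookie:
                findings.append((name, "no-cookie"))  # the default per the guide
            elif not match or len(match.group(2)) != 2 * int(match.group(1)):
                # Assumes the value is hex, so len 4 means 8 hex digits.
                findings.append((name, "cookie-length-mismatch"))
            assoc = cfg.get("l2tpv3", [])
            if len(assoc) != 2 or ("tunnel", assoc[1]) not in profiles:
                findings.append((name, "unknown-tunnel"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONFIG):
        print(f"{profile}: {finding}")
```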

Configuring Routing Profiles

IAPs can terminate a single VPN connection on an Aruba mobility controller. The routing profile defines the corporate subnets which need to be tunneled through IPSec. You can configure routing profiles to specify a policy based on routing into the VPN tunnel using the Instant UI or CLI.

In the Instant UI

To configure a routing profile:
1. Click Routing in the Tunneling window. The routing details are displayed.
2. Click New. The route parameters to configure are displayed.
Figure 70 Tunneling - Routing
3. Update the following parameters:
   - Destination: Specify the destination network that is reachable through the VPN tunnel. This defines the IP or subnet that must reach through the IPsec tunnel. Traffic to the IP or subnet defined here will be forwarded through the IPsec tunnel.
   - Netmask: Specify the subnet mask to the destination defined for Destination.
   - Gateway: Specify the gateway to which traffic must be routed. This IP address must be the controller IP address on which the VPN connection is terminated. If you have a primary and backup host, configure two routes with the same destination and netmask, but ensure that the gateway is the primary controller IP for one route and the backup controller IP for the second route.
4. Repeat step 3 to create the required number of routing profiles.
5. Click OK.
6. Click Finish.

In the CLI

(Instant AP)(config)# routing-profile
(Instant AP)(Routing-profile)# route <destination> <mask> <gateway>
(Instant AP)(Routing-profile)# end
(Instant AP)# commit apply
Chapter 15
IAP-VPN Deployment

This section provides the following information:
- Understanding IAP-VPN Architecture on page 223
- Configuring IAP and Controller for IAP-VPN Operations on page 225

Understanding IAP-VPN Architecture

The IAP-VPN architecture includes the following two components:
- IAPs at branch sites
- Controller at the datacenter

The master IAP at the branch acts as the VPN endpoint and the controller at the datacenter acts as the VPN concentrator. When an IAP is set up for VPN, it forms an IPsec tunnel to the controller to secure sensitive corporate data. IPsec authentication and authorization between the controller and the IAPs is based on the RAP whitelist configured on the controller.

Only the master AP in an IAP cluster forms the VPN tunnel.

From the controller perspective, the master IAPs that form the VPN tunnel are considered as VPN clients. The controller terminates VPN tunnels and routes or switches VPN traffic. The IAP cluster creates an IPSec or GRE VPN tunnel from the Virtual Controller to a mobility controller in a branch office. The controller only acts as an IPSec or GRE VPN end-point and it does not configure the IAP.

IAP-VPN Scalability Limits

The controller scalability in IAP-VPN architecture depends on factors such as IPsec tunnel limit, Branch ID limit and datapath route table limit. The following table provides the IAP-VPN scalability information for various controller platforms:

Platforms  Branches  Routes  L3 Mode Users  NAT Users  Total L2 Users
3200       1000      1000    N/A            N/A        64000
3400       2000      2000    N/A            N/A        64000
3600       8000      8000    N/A            N/A        64000
M3         8000      8000    N/A            N/A        64000
7210       8000      8000    N/A            N/A        64000
7220       16000     16000   N/A            N/A        128000
7240       32000     32000   N/A            N/A        128000
Table 41: IAP-VPN Scalability

- Branches: The number of IAP-VPN branches that can be terminated on a given controller platform.
- Routes: The number of L3 routes supported on the controller.

- L3 mode and NAT mode users: The number of trusted users supported on the controller. There is no scale impact on the controller. They are limited only by the number of clients supported per IAP.
- L2 mode users: The number of L2 mode users is limited to 128000 for 7220/7240 and 64000 across all platforms.

IAP-VPN Forwarding Modes

The following forwarding modes are supported in the IAP-VPN scenario.
- Local mode
- Centralized L2 mode
- Distributed L2 mode
- Distributed L3 mode

The forwarding modes determine whether the DHCP server and default gateway for clients reside in the branch or at the datacenter. These modes do not determine the firewall processing or traffic forwarding behavior. The Virtual Controller enables different DHCP pools (various assignment modes) in addition to allocating IP subnets for each branch. The Virtual Controller allows different modes of forwarding of traffic from the clients on a VLAN with a VPN tunnel. The forwarding modes are associated with various DHCP address assignment modes.

Local or NAT Mode

In this mode, the IAP cluster at that branch has a local subnet and the master IAP of the cluster acts as the DHCP server and gateway for clients. The local mode provides VPN capabilities using the inner IP of the IAP-VPN IPsec tunnel. The source IP for all client traffic is translated and the traffic destined for the corporate network is translated using the VPN tunnel IP address of the IAP, and is forwarded through the IPsec VPN tunnel. The traffic destined for the non-corporate network is translated using the IP address of the IAP and is forwarded through the uplink.

When the local mode is used for forwarding client traffic, hosts on the corporate network cannot establish connections to the clients on the IAP, because the source address of the clients is translated.

L2 Switching Mode

In this mode, the traffic destined for the corporate network is bridged through the VPN tunnel to the controller. The traffic destined for the non-corporate network is translated using the IP address of the IAP and is forwarded through the uplink.

When an IAP registers with the controller, and is configured to use the L2 DHCP scope, the controller automatically adds the VPN tunnel associated to this IAP into the VLAN multicast table. This allows the clients connecting to the L2 mode VLAN to be part of the same L2 broadcast domain on the controller.

Distributed L2 Mode

In this mode, the IAP assigns an IP address from the configured subnet and forwards traffic to both corporate and non-corporate destinations. Clients receive the corporate IP with Virtual Controller as the DHCP server. The default gateway for the client still resides in the datacenter and hence this mode is an L2 extension of corporate VLAN to remote site. Either the controller or an upstream router can be the gateway for the clients. Client traffic destined to datacenter resources is forwarded by the Master AP (through the IPSec tunnel) to the client's default gateway in the datacenter.

Centralized L2 Mode

The centralized L2 mode extends the corporate VLAN or broadcast domain to remote branches. The DHCP server and the gateway for the clients reside in the datacenter. Either the controller or an upstream router can be the gateway for the clients. For DHCP services in centralized L2 mode, Aruba recommends using an external DHCP server and not the DHCP server on the controller. Client traffic destined to datacenter resources is forwarded by the master IAP (through the IPsec tunnel) to the client's default gateway in the datacenter.

L3 Routing Mode

In this mode, the traffic destined for the corporate network is routed through the VPN tunnel to the controller. The traffic destined for the non-corporate network is translated using the IP address of the IAP and is forwarded through the uplink.

When an IAP registers with the controller and is configured to use the L3 DHCP scope, the Controller adds a route to enable the routing of traffic from the corporate network to clients on this subnet in the branch.

Distributed L3 mode

The distributed L3 mode contains all broadcast and multicast traffic to a branch. The distributed L3 mode reduces the cost and eliminates the complexity associated with the classic site-site VPN. However, this mode is very similar to a classic site-site IPsec VPN where two VPN endpoints connect individual networks together over a public network.

In distributed L3 mode, each branch location is assigned a dedicated subnet. The master AP in the branch manages the dedicated subnet and acts as the DHCP server and gateway for clients. Client traffic destined to datacenter resources is routed to the Aruba controller through the IPsec tunnel which then routes the traffic to the appropriate corporate destinations.

Centralized L3 Mode

For centralized L3 clients, the virtual controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located behind the controller in the corporate network and reachable through the IPSec tunnel. The centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.

Configuring IAP and Controller for IAP-VPN Operations

This section describes the configuration procedures to perform on the IAP and controller for generic use cases. For information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 362.

Configuring an IAP network for IAP-VPN operations

This section describes the configuration procedures to perform on the IAP for generic use cases. For information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 362.

An IAP network requires the following configuration for IAP-VPN operations.
1. Defining the VPN host settings
2. Configuring Routing Profiles
3. Configuring DHCP Profiles
4. Configuring an SSID or Wired Port
5. Enabling Dynamic RADIUS Proxy
6. Configuring Enterprise Domains

Defining the VPN host settings

The VPN endpoint on which a master IAP terminates its VPN tunnel is considered as the host. A master AP in an IAP network can be configured with a primary and backup host to provide VPN redundancy. You can define VPN host settings through More > VPN > Controller in the UI.

You can configure the following VPN profiles for the IAP-VPN operations. For more information, see Configuring a Tunnel from an IAP to Aruba Mobility Controller on page 210.
- IPSec
- Aruba GRE
- Manual GRE

Configuring Routing Profiles

The routing profile on the IAP determines whether the traffic destined to a subnet must be tunneled through IPSec or bridged locally. If the routing profile is empty, the client traffic will always be bridged locally. For example, if the routing profile is configured to tunnel 10.0.0.0/8, traffic destined to 10.0.0.0/8 will be forwarded through the IPsec tunnel and the traffic to all other destinations is bridged locally.

You can also configure a routing profile with 0.0.0.0 as gateway to allow both client and IAP traffic to be routed through a non-tunnel route. If the gateway is in the same subnet as uplink IP address, it is used as a static gateway entry. A static route can be added on all master and slave IAPs for these destinations. The VPN traffic from the local subnet of IAP or the virtual controller IP address in the local subnet is not routed to tunnel, but will be switched to the relevant VLAN. For example, when a 0.0.0.0/0.0.0.0 routing profile is defined, to bypass certain IPs, you can add a route to the IP by defining 0.0.0.0 as the destination, thereby forcing the traffic to be routed through the default gateway of the IAP.

You can configure routing profiles through More > VPN > Controller UI. For step-by-step procedural information on configuring routing profile, see Configuring Routing Profiles on page 221.

The IAP network has only one active tunnel even when fast failover is enabled. At any given time, traffic can be tunneled only to one VPN host.
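
The tunnel-or-local decision described above, as an added example rather than Aruba's implementation: it evaluates a routing profile per active VPN host and lists corporate subnets that would leave the tunnel, for instance when the backup-host route is missing. Longest-prefix matching, the controller addresses and the function names are assumptions.

```python
import ipaddress

BYPASS = "0.0.0.0"  # gateway value the guide uses for a non-tunnel route

# Constructed sample profile; the controller addresses are hypothetical.
PRIMARY, BACKUP = "192.0.2.10", "192.0.2.20"
ROUTES = [
    ("10.0.0.0", "255.0.0.0", PRIMARY),       # corporate range via the primary host
    ("10.0.0.0", "255.0.0.0", BACKUP),        # same range via the backup host
    ("10.20.30.0", "255.255.255.0", BYPASS),  # carve-out sent to the uplink
]


def _table(routes):
    """Convert (destination, netmask, gateway) rows into (network, gateway)."""
    return [(ipaddress.ip_network(f"{dest}/{mask}"), gw) for dest, mask, gw in routes]


def decide(ip, routes, active_host):
    """Return 'tunnel' or 'local' for one destination while active_host is up.

    Assumptions: the most specific matching route wins, and routes whose
    gateway is the inactive VPN host are ignored, because traffic can be
    tunneled to only one VPN host at a time.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gw in _table(routes):
        if addr in net and gw in (active_host, BYPASS):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw)
    # No match (including an empty profile) means the traffic stays local.
    return "tunnel" if best and best[1] != BYPASS else "local"


def coverage_gaps(corporate, routes, hosts):
    """List (host, subnet, reason) where corporate traffic would leave the tunnel."""
    gaps = []
    for host in hosts:
        for cidr in corporate:
            net = ipaddress.ip_network(cidr)
            if decide(str(net.network_address), routes, host) != "tunnel":
                gaps.append((host, cidr, "not tunneled"))
            for rnet, gw in _table(routes):
                if gw == BYPASS and rnet.subnet_of(net):
                    gaps.append((host, cidr, f"bypass {rnet}"))
    return gaps


if __name__ == "__main__":
    for gap in coverage_gaps(["10.0.0.0/8", "172.16.0.0/12"], ROUTES, [PRIMARY, BACKUP]):
        print(gap)
```

Running `coverage_gaps` against a profile that holds only the primary-host route reports every corporate subnet as not tunneled for the backup host, which is the case the two-route instruction is there to prevent.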

Configuring DHCP Profiles

You can create DHCP profiles to determine the IAP-VPN mode of operation. An IAP network can have multiple DHCP profiles configured for different modes of IAP-VPN. You can configure up to eight DHCP profiles. For more information on the IAP-VPN modes of operation, see IAP-VPN Forwarding Modes on page 224.

You can create any of the following types of DHCP profiles for the IAP-VPN operations:
- Local
- Local L3
- Distributed L2
- Distributed L3
- Centralized

For more information on configuring DHCP profiles, see Configuring DHCP Scopes on page 201.

A centralized L2 or distributed L2 VLAN or subnet cannot be used to serve APs in a hierarchical mode of deployment. Ensure that the physical IP of the APs connecting to the master AP in hierarchical mode of deployment is not on a VLAN or subnet that is in centralized or distributed L2 mode of operation. For information on hierarchical mode of deployment, see Understanding Hierarchical Deployment on page 118.

Configuring an SSID or Wired Port

For a client to connect to the IAP-VPN network, an SSID or wired port profile on an IAP must be configured with appropriate IAP-VPN mode of operation. The VLAN configuration in an SSID or wired port profile determines whether an SSID or wired port is configured for the IAP-VPN operations.

To configure an SSID or wired port for a specific IAP-VPN mode, the VLAN ID defined in the SSID or wired port profile must match the VLAN ID defined in the DHCP profile configuration. If the VLAN assignment for an SSID or wired port profile is set to Virtual controller assigned, default, or a static VLAN ID that does not match the VLAN ID configured in the DHCP profiles, the IAP-VPN operations are affected. For example, if a local DHCP profile is configured with a VLAN ID of 200, the VLAN configuration on the SSID must be set to a static VLAN ID 200.

For information on how to configure an SSID or wired port profile, see Wireless Network Profiles on page 92 and Configuring a Wired Profile on page 111 respectively.

Enabling Dynamic RADIUS Proxy

The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled. When enabled, dynamic RADIUS proxy ensures that all the RADIUS traffic is sourced from the Virtual Controller IP or inner IP of the IAP IPsec tunnel depending on the RADIUS server IP and routing profile.

Ensure that a static Virtual Controller IP is configured before enabling dynamic RADIUS proxy, in order to tunnel the RADIUS traffic to the central RADIUS server in the datacenter.

For information on enabling dynamic RADIUS proxy, see Configuring Dynamic RADIUS Proxy Parameters on page 161.

Configuring Enterprise Domains

By default, all the DNS requests from a client are forwarded to the client's DNS server. In a typical IAP deployment without VPN configuration, client DNS requests are resolved by the DNS server of clients. For the IAP-VPN scenario, the enterprise domain settings on the IAP are used for determining how client DNS requests are routed. For information on how to configure enterprise domains, see Configuring Enterprise Domains on page 188.

Configuring a Controller for IAP-VPN Operations

Aruba controllers provide an ability to terminate the IPSec and GRE VPN tunnels from the IAP and provide corporate connectivity to the branch network. For IAP-VPN operations, ensure that the following configuration and verification procedures are completed on the controller:
- OSPF Configuration
- VPN Configuration
- Branch-ID Allocation
- Branch Status Verification

This section describes the configuration procedures to perform on the controller for generic use cases. For information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 362.

ArubaOS 6.3 or later is the recommended version to run on the controllers for the IAP-VPN configuration. The IAP-VPN configuration is not supported on 600 Series controllers.

OSPF Configuration

Open Shortest Path First (OSPF) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. The premise of OSPF is that the shortest or fastest routing path is used. The implementation of OSPFv2 allows controllers to deploy effectively in a Layer 3 topology. The controllers can act as the default gateway for all clients and forward user packets to the upstream router.

Each IAP-VPN can be defined a separate subnet derived from the corporate intranet pool to allow IAP-VPN devices to work independently. For sample topology and configuration, see the ArubaOS User Guide.

To redistribute IAP-VPN routes into the OSPF process, use the following command:
(host)(config)# router ospf redistribute rapng-vpn

To verify if the redistribution of the IAP-VPN is enabled, use the following command:
(host)# show ip ospf redistribute
Redistribute RAPNG

To configure aggregate route for IAP-VPN routes, use the following command:
(host)(config)# router ospf aggregate-route rapng-vpn

To view the aggregated routes for IAP-VPN routes, use the following command:
(host)# show ip ospf rapng-vpn aggregate-routes
RAPNG VPN aggregate routes
--------------------------
Prefix         Mask           Contributing routes  Cost
------         ----           -------------------  ----
201.201.200.0  255.255.252.0  5                    268779624
100.100.2.0    255.255.255.0  1                    10

To verify the details of configured aggregated route, use the following command:
(host)# show ip ospf rapng-vpn aggregated-routes <net> <mask>
(host)# show ip ospf rapng-vpn aggregate-routes 100.100.2.0 255.255.255.0
Contributing routes of RAPNG VPN aggregate route
------------------------------------------------
Prefix        Mask             Next-Hop  Cost
------        ----             --------  ----
100.100.2.64  255.255.255.224  5.5.0.10  10

To view all the redistributed routes:
(host)# show ip ospf database
OSPF Database Table
-------------------
Area ID   LSA Type     Link ID       Adv Router    Age  Seq#        Checksum
-------   --------     -------       ----------    ---  ----        --------
0.0.0.15  ROUTER       9.9.9.9       9.9.9.9       159  0x80000016  0xee92
0.0.0.15  ROUTER       10.15.148.12  10.15.148.12  166  0x80000016  0x4c0d
0.0.0.15  NETWORK      10.15.148.12  10.15.148.12  167  0x80000001  0x9674
0.0.0.15  NSSA         12.12.2.0     9.9.9.9       29   0x80000003  0x7b54
0.0.0.15  NSSA         12.12.12.0    9.9.9.9       164  0x80000008  0x63a
0.0.0.15  NSSA         12.12.12.32   9.9.9.9       164  0x80000008  0x7b8
0.0.0.15  NSSA         50.40.40.0    9.9.9.9       164  0x80000007  0x8ed4
0.0.0.15  NSSA         51.41.41.128  9.9.9.9       164  0x80000007  0x68f6
0.0.0.15  NSSA         53.43.43.32   9.9.9.9       164  0x80000007  0x2633
0.0.0.15  NSSA         54.44.44.16   9.9.9.9       164  0x80000007  0x353
N/A       AS_EXTERNAL  12.12.2.0     9.9.9.9       29   0x80000003  0x8c06
N/A       AS_EXTERNAL  12.12.12.0    9.9.9.9       169  0x80000001  0x25e4
N/A       AS_EXTERNAL  12.12.12.32   9.9.9.9       169  0x80000001  0x2663
N/A       AS_EXTERNAL  50.40.40.0    9.9.9.9       169  0x80000001  0xab80
N/A       AS_EXTERNAL  51.41.41.128  9.9.9.9       169  0x80000001  0x85a2
N/A       AS_EXTERNAL  53.43.43.32   9.9.9.9       169  0x80000001  0x43de
N/A       AS_EXTERNAL  54.44.44.16   9.9.9.9       169  0x80000001  0x20fe

To verify if the redistributed routes are installed or not:
(host)# show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN
Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.15.148.254 to network 0.0.0.0 at cost 1
S* 0.0.0.0/0 [1/0] via 10.15.148.254*
V 12.12.2.0/24 [10/0] ipsec map
V 12.12.12.0/25 [10/0] ipsec map
V 12.12.12.32/27 [10/0] ipsec map
V 50.40.40.0/24 [10/0] ipsec map
V 51.41.41.128/25 [10/0] ipsec map
V 53.43.43.32/27 [10/0] ipsec map
V 54.44.44.16/28 [10/0] ipsec map
C 9.9.9.0/24 is directly connected, VLAN9
C 10.15.148.0/24 is directly connected, VLAN1
C 43.43.43.0/24 is directly connected, VLAN132
C 42.42.42.0/24 is directly connected, VLAN123
C 44.44.44.0/24 is directly connected, VLAN125
C 182.82.82.12/32 is an ipsec map 10.15.149.69-182.82.82.12
C 182.82.82.14/32 is an ipsec map 10.17.87.126-182.82.82.14

VPN Configuration

The following VPN configuration steps on the controller enable the IAPs to terminate their VPN connection on the controller:

Whitelist Database Configuration

The whitelist database is a list of the MAC addresses of the IAPs that are allowed to establish VPN connections with the controller. This list can be either stored in the controller database or on an external server.

You can use the following CLI command to configure the whitelist database entry if the controller is acting as the whitelist database:
(host)# whitelist-db rap add mac-address 00:11:22:33:44:55 ap-group test

The ap-group parameter is not used for any configuration, but needs to be configured. The parameter can be any valid string.

If an external server is used as the location for the whitelist database, add the MAC addresses of the valid IAPs in the external database or external directory server and then configure a RADIUS server to authenticate the IAPs using the entries in the external database or external directory server.

If you are using the Windows 2003 server, perform the following steps to configure the external whitelist database on it. There are equivalent steps available for the Windows Server 2008 and other RADIUS servers.
1. Add the MAC addresses for all the IAPs in the Active Directory of the RADIUS server:
   a. Open the Active Directory and Computers window, add a new user and specify the MAC address (without the colon delimiter) of the IAP for the user name and password.
   b. Right-click the user that you have just created and click Properties.
   c. In the Dial-in tab, select Allow access in the Remote Access Permission section and click OK.
   d. Repeat Step a through Step b for all IAPs.
2. Define the remote access policy in the Internet Authentication Service:
   a. In the Internet Authentication Service window, select Remote Access Policies.
   b. Launch the wizard to configure a new remote access policy.
   c. Define filters and select grant remote access permission in the Permissions window.
   d. Right-click the policy that you have just created and select Properties.
   e. In the Settings tab, select the policy condition, and Edit Profile....
   f. In the Advanced tab, select Vendor Specific, and click Add to add new vendor specific attributes.
   g. Add new vendor specific attributes and click OK.
   h. In the IP tab, provide the IP address of the IAP and click OK.

VPN Local Pool Configuration

The VPN local pool is used to assign an IP Address to the IAP after successful XAUTH VPN.
(host)# ip local pool "rapngpool" <startip> <endip>

Role Assignment for the Authenticated IAPs

Define a role that includes a src-nat rule to allow connections to the RADIUS server and for the Dynamic Radius Proxy in the IAP to work. This role is assigned to IAPs after successful authentication.
(host)(config)# ip access-list session iaprole
(host)(config-sess-iaprole)# any host <radius-server-ip> any src-nat
(host)(config-sess-iaprole)# any any any permit
(host)(config-sess-iaprole)# !
(host)(config)# user-role iaprole
(host)(config-role)# session-acl iaprole

VPN Profile Configuration

The VPN profile configuration defines the server used to authenticate the IAP (internal or an external server) and the role assigned to the IAP after successful authentication.
(host)(config)# aaa authentication vpn default-iap
(host)(VPN Authentication Profile "default-iap")# server-group default
(host)(VPN Authentication Profile "default-iap")# default-role iaprole

Branch-ID Allocation

For branches deployed in distributed L3 and distributed L2 mode, the master AP in the branch and the controller should agree upon a subnet/IP addresses to be used for DHCP services in the branch. The process or protocol used by the master AP and the controller to determine the subnet/IP addresses used in a branch is called BID allocation. The BID allocation process is not essential for branches deployed in local or centralized L2 mode. The following are some of the key functions of the BID allocation process:
- Determines the IP addresses used in a branch for distributed L2 mode
- Determines the subnet used in a branch for distributed L3 mode
- Avoids IP address or subnet overlap (that is, avoids IP conflict)
- Ensures that a branch is allocated the same subnet or range of IP addresses irrespective of which AP in the branch becomes the master in the IAP cluster

Branch Status Verification

To view the details of the branch information connected to the controller, execute the show iap table command.

Example

This example shows the details of the branches connected to the controller:
(host)# show iap table long
IAP Branch Table
----------------
Name            VC MAC Address     Status  Inner IP       Assigned Subnet   Assigned Vlan
----            --------------     ------  --------       ---------------   -------------
Tokyo-CB:D3:16  6c:f3:7f:cc:42:f8  DOWN    0.0.0.0
Paris-CB:D3:16  6c:f3:7f:cc:3d:04  UP      10.15.207.140  10.15.206.99/29   2
LA              6c:f3:7f:cc:42:25  UP      10.15.207.111  10.15.206.24/29   2
Munich          d8:c7:c8:cb:d3:16  DOWN    0.0.0.0
London-c0:e1    6c:f3:7f:c0:e1:b1  UP      10.15.207.120  10.15.206.64/29   2
Instant-CB:D3   6c:f3:7f:cc:42:1e  DOWN    0.0.0.0
Delhi           6c:f3:7f:cc:42:ca  DOWN    0.0.0.0
Singapore       6c:f3:7f:cc:42:cb  UP      10.15.207.122  10.15.206.120/29  2

Key        Bid(Subnet Name)
---        ----------------
b3c65c...
b3c65c...
b3c65c...  2(10.15.205.0-10.15.205.250,5),1(10.15.206.1-10.15.206.252,5)
a2a65c...  0
b3c65c...  7(10.15.205.0-10.15.205.250,5),8(10.15.206.1-10.15.206.252,5)
b3c65c...
b3c65c...  1(10.15.205.0-10.15.205.250,5),2(10.15.206.1-10.15.206.252,5)
b3c65c...  14(10.15.205.0-10.15.205.250,5),15(10.15.206.1-10.15.206.252,5)

The output of this command provides the following information:

Parameter         Description
Name              Displays the name of the branch.
VC MAC Address    Displays the MAC address of the Virtual Controller of the branch.
Status            Displays the current status of the branch (UP/DOWN).
Inner IP          Displays the internal VPN IP of the branch.
Assigned Subnet   Displays the subnet mask assigned to the branch.
Assigned Vlan     Displays the VLAN ID assigned to the branch.
Key               Displays the key for the branch, which is unique to each branch.
Bid(Subnet Name)  Displays the Branch ID (BID) of the subnet.
                  - In the example above, the controller displays bid-per-subnet-per-branch (i.e., for "LA" branch, BID "2" for the ip-range "10.15.205.0-10.15.205.250" with client count per branch "5"). If a branch has multiple subnets, it can have multiple BIDs.
                  - If a branch is in UP state and does not have a Bid(Subnet Name), it means that the IAP is connected to a controller, which did not assign any BID for any subnet. In the above example, "Paris-CB:D3:16" branch is UP and does not have a Bid(Subnet Name). This means that either the IAP is connected to a backup controller or it is connected to a primary controller without any distributed L2 or L3 subnets.
Table 42: Branch Details

The show iap table command output does not display the Key and Bid(Subnet Name) details.
Chapter 16
Adaptive Radio Management

This chapter provides the following information:
- ARM Overview on page 232
- Configuring ARM Features on an IAP on page 233
- Configuring Radio Settings for an IAP on page 238

ARM Overview

Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in the networks with highest traffic by dynamically and intelligently choosing the best 802.11 channel and transmitting power for each IAP in its current RF environment. ARM works with all standard clients, across all operating systems, while remaining in compliance with the IEEE 802.11 standards. It does not require any proprietary client software to achieve its performance goals. ARM ensures low-latency roaming, consistently high performance, and maximum client compatibility in a multi-channel environment. By ensuring the fair distribution of available Wi-Fi bandwidth to mobile devices, ARM ensures that data, voice, and video applications have sufficient network resources at all times. ARM allows mixed 802.11a, b, g, n, and ac client types to interoperate at the highest performance levels.

Channel or Power Assignment

The channel or power assignment feature automatically assigns channel and power settings for all the IAPs in the network according to changes in the RF environment. This feature automates many setup tasks during network installation and the ongoing operations when RF conditions change.

Voice Aware Scanning

The Voice Aware scanning feature prevents an IAP supporting an active voice call from scanning for other channels in the RF spectrum and allows an IAP to resume scanning when there are no active voice calls. This significantly improves the voice quality when a call is in progress and simultaneously delivers the automated RF management functions. By default, this feature is enabled.

Load Aware Scanning

The Load Aware Scanning feature dynamically adjusts scanning behavior to maintain uninterrupted data transfer on resource intensive systems when the network traffic exceeds a predefined threshold. The IAPs resume complete monitoring scans when the traffic drops to the normal levels. By default, this feature is enabled.

Monitoring the Network with ARM

When ARM is enabled, an IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and sends reports to a Virtual Controller on network (WLAN) coverage, interference, and intrusion detection.

ARM Metrics

ARM computes coverage and interference metrics for each valid channel and chooses the best performing channel and transmit power settings for each IAP RF environment. Each IAP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state.

Configuring ARM Features on an IAP
This section describes the following procedures for configuring ARM features:
• Band Steering on page 233
• Airtime Fairness Mode on page 233
• Client Match on page 234
• Access Point Control on page 236

Band Steering
The band steering feature assigns the dual-band capable clients to the 5 GHz band on dual-band IAPs. This feature reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. You can configure band steering parameters through the Instant UI or CLI.

In the Instant UI
To configure band steering:
1. In the RF > ARM > Show advanced options view, configure the following parameters:
Parameter: Description
Prefer 5 GHz: Select this option to use band steering in the 5 GHz mode. On selecting this, the IAP steers the client to the 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts for 2.4 GHz association.
Force 5 GHz: Select this option to enforce 5 GHz band steering mode on the IAPs.
Balance Bands: Select this option to allow the IAP to balance the clients across the two radios to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz, while the 2.4 GHz band operates in 20 MHz.
Disabled: Select this option if you want to allow the clients to select the band to use.
Table 43: Band Steering Mode - Configuration Parameters
2. Click OK.

In the CLI
To configure band steering:
(Instant AP)(config)# arm
(Instant AP)(ARM)# band-steering-mode {<Prefer 5 GHz>|<Force 5 GHz>|<Balance Bands>|<Disabled>}
(Instant AP)(ARM)# end
(Instant AP)# commit apply

Airtime Fairness Mode
The airtime fairness feature provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system, thus delivering uniform performance to all clients. This feature prevents the clients from monopolizing resources. You can configure airtime fairness mode parameters through the Instant UI or CLI.

In the Instant UI
1. For Airtime fairness mode configuration, specify any of the following values in the RF > ARM > Show advanced options tab:
Parameter: Description
Default Access: Select this option to provide access based on client requests. When Air Time Fairness is set to default access, per user and per SSID bandwidth limits are not enforced.
Fair Access: Select this option to allocate Airtime evenly across all the clients.
Preferred Access: Select this option to set a preference where 11n clients are assigned more airtime than 11a/11g. The 11a/11g clients get more airtime than 11b. The ratio is 16:4:1.
Table 44: Airtime Fairness Mode - Configuration Parameters
2. Click OK.

In the CLI
(Instant AP)(config)# arm
(Instant AP)(ARM)# air-time-fairness-mode {<Default Access>|<Fair Access>|<Preferred Access>}
(Instant AP)(ARM)# end
(Instant AP)# commit apply

Client Match
The ARM client match feature continually monitors a client's RF neighborhood to provide ongoing client band steering and load balancing, and enhanced AP reassignment for roaming mobile clients. This feature supersedes the legacy band steering and spectrum load balancing features, which, unlike client match, do not trigger IAP changes for clients already associated to an IAP.
Legacy 802.11a/b/g access points do not support the client match feature. When client match is enabled on 802.11n capable access points, the client match feature overrides any settings configured for the legacy band steering, station handoff assist or load balancing features. 802.11ac-capable access points do not support the legacy band steering, station handoff or load balancing settings, so these access points must be managed using client match.
When the client match feature is enabled on an IAP, the IAP measures the RF health of its associated clients. In the current release, the client match feature is supported only within an IAP cluster. If any of the following trigger conditions is met, clients are moved from one AP to another for better performance and client experience:
• Dynamic Load Balancing: Client match balances clients across IAPs on different channels, based on the client load on the IAPs and the SNR levels the client detects from an underutilized IAP. If an IAP radio can support additional clients, the IAP will participate in client match load balancing and clients can be directed to that IAP radio, subject to the predefined SNR thresholds. For better load balancing, clients are steered from busy channels to idle channels.
• Sticky Clients: The client match feature also helps mobile clients that tend to stay associated to an IAP despite low signal levels. IAPs using client match continually monitor the client's RSSI as it roams between IAPs, and move the client to an IAP when a better radio match can be found. This prevents mobile clients from remaining associated to an AP with less than ideal RSSI, which can cause poor connectivity and reduce performance for other clients associated with that IAP.
• Band Steering: IAPs using the client match feature monitor the RSSI for clients that advertise a dual-band capability. If a client is currently associated to a 2.4 GHz radio and the AP detects that the client has a good RSSI from the 5 GHz radio, the IAP steers the client to the 5 GHz radio, as long as the 5 GHz RSSI is not significantly worse than the 2.4 GHz RSSI, and the IAP retains a suitable distribution of clients on each of its radios.
• Channel Utilization: Based on the percentage of channel utilization, clients are steered from a busy channel to an idle channel.
• Client Capability Match: Based on the client capability match, clients are steered to an appropriate channel, for example, HT20, HT40, or VHT80.
In the Instant 6.3.1.1-4.0 release, spectrum load balancing is integrated with the client match feature. Client match allows the APs in a cluster to be divided into several logical AP RF neighborhoods called domains, which share the same clients. The Virtual Controller determines the distribution of clients and balances client load across channels, regardless of whether the AP is responding to the probe requests of wireless clients.
You can configure client match parameters in the Instant UI or CLI. When client match is enabled, the dashboard in the main window displays the Client Match link on selecting an AP in the Access Points tab or a client in the Clients tab. Clicking this link provides a graphical representation of the radio map view of an AP and the client distribution on an AP radio. For more information, see Client Match on page 65.

In the Instant UI
1. For client match configuration, specify the following parameters in the RF > ARM > Show advanced options tab:
Parameter: Description
Client match: Select Enabled to enable the Client match feature on APs. When enabled, client count will be balanced among all the channels in the same band. For more information, see ARM Overview on page 232. By default, the client match feature is disabled.
  NOTE: When client match is enabled, ensure that Scanning is enabled.
CM calculating interval: Specify a value for the calculating interval of Client match. The value specified for CM calculating interval determines the interval at which client match is calculated. The interval is specified in seconds and the default value is 30 seconds. You can specify a value within the range of 10-600.
CM neighbor matching %: Specify a value for CM neighbor matching %. This number takes into account the least similarity percentage to be considered as in the same virtual RF neighborhood of client match. You can specify a percentage value within the range of 20-100. The default value is 75%.
CM threshold: Specify a value for CM threshold. This number takes acceptance client count difference among all the channels of Client match into account. When the client load on an AP reaches or exceeds the threshold in comparison, client match is enabled on that AP. You can specify a value within range of 1-255. The default value is 2.
SLB mode: Select a mode from the SLB mode drop-down list. The SLB mode determines the balancing strategy for client match. The following options are available:
  • Channel
  • Radio
  • Channel + Radio
Table 45: Client Match Configuration Parameters
2. Click OK.

In the CLI
(Instant AP)(config)# arm
(Instant AP)(ARM)# client-match calc-interval <seconds>
(Instant AP)(ARM)# client-match calc-threshold <threshold>
(Instant AP)(ARM)# client-match nb-matching <percentage>
(Instant AP)(ARM)# client-match slb-mode 1
(Instant AP)(ARM)# end
(Instant AP)# commit apply

Access Point Control
You can configure access point control parameters through the Instant UI or CLI.

In the Instant UI
1. For Access Point Control, specify the following parameters in the RF > ARM > Show advanced options tab:
Parameter: Description
Customize Valid Channels: Select this check box to customize valid channels for 2.4 GHz and 5 GHz. By default, the AP uses valid channels as defined by the Country Code (regulatory domain). On selecting the Customize Valid Channels check box, a list of valid channels for both 2.4 GHz and 5 GHz is displayed. The valid channel customization feature is disabled by default.
Minimum Transmit Power: Specify the minimum transmission power. The value specified for Minimum Transmit Power indicates the minimum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. If the minimum transmission EIRP setting configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
Maximum Transmit Power: Specify the maximum transmission power. The value specified for Maximum Transmit Power indicates the maximum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. If the maximum transmission EIRP configured on an AP is not supported by the AP model, the value is reduced to the highest supported power setting. The default value for maximum transmit power is 127 dBm.
Client aware: When Enabled, ARM does not change channels for the APs with active clients, except for high priority events such as radar or excessive noise. This feature must be enabled in most deployments for a stable WLAN. If the Client Aware mode is Disabled, the IAP may change to a more optimal channel, and the change may disrupt current client traffic for a while. The Client aware option is Enabled by default.
  NOTE: When Client aware is disabled, channels can be changed even when the clients are active on a BSSID.
Scanning: Select Enabled so that the IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and reports to the IAP. This scanning report includes WLAN coverage, interference, and intrusion detection data.
  NOTE: For client match configuration, ensure that scanning is enabled.
Wide Channel Bands: Select a band to allow the APs to be placed in 40 MHz (wide band) channels. The Wide channel band allows administrators to configure 40 MHz channels in the 2.4 GHz and 5.0 GHz bands. 40 MHz channels are two 20 MHz adjacent channels that are bonded together. A 40 MHz channel effectively doubles the frequency bandwidth available for data transmission.
80 MHz Support: Enables or disables the use of 80 MHz channels on APs. This feature allows ARM to assign 80 MHz channels on APs with 5 GHz radios, which support a very high throughput. This setting is enabled by default.
  NOTE: Only the APs that support 802.11ac can be configured with 80 MHz channels.
Table 46: Access Point Control - Configuration Parameters
2. Reboot the IAP.
3. Click OK.

In the CLI
To configure access point control parameters:
(Instant AP)(config)# arm
(Instant AP)(ARM)# a-channels <5GHz-channels>
(Instant AP)(ARM)# min-tx-power <power>
(Instant AP)(ARM)# max-tx-power <power>
(Instant AP)(ARM)# client-aware
(Instant AP)(ARM)# wide-bands {<5GHz>|<2GHz>|<All>|<None>}
(Instant AP)(ARM)# scanning
(Instant AP)(ARM)# 80mhz-support
(Instant AP)(ARM)# end
(Instant AP)# commit apply

Verifying ARM Configuration
To view ARM configuration:
(Instant AP)# show arm config
Minimum Transmit Power  :18
Maximum Transmit Power  :127
Band Steering Mode      :prefer-5ghz
Client Aware            :enable
Scanning                :enable
Wide Channel Bands      :5ghz
80Mhz Support           :enable
Air Time Fairness Mode  :fair-access
Client Match            :disable
CM NB Matching Percent  :75
CM Calculating Interval :30
CM SLB Threshold        :2
CM SLB Balancing Mode   :channel based
CM max client match req :5
CM max adoption         :5
Custom Channels         :No
2.4 GHz Channels
----------------
Channel  Status
-------  ------
1        enable
2        disable
3        disable
4        disable
5        disable
6        enable
7        disable
8        disable
9        disable
10       disable
11       enable
12       disable
13       disable
1+       enable
2+       disable
3+       disable
4+       disable
5+       disable
6+       disable
7+       enable
5.0 GHz Channels
----------------
Channel  Status
-------  ------
36       enable
40       enable
44       enable
48       enable
52       enable
56       enable
60       enable
64       enable
149      enable
153      enable
157      enable
161      enable
165      enable
36+      enable
44+      enable
52+      disable
60+      disable
149+     enable
157+     enable
36E      enable
52E      enable
149E     enable
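
A baseline check over the show arm config output above, added here as an example and not part of the user guide: it parses the key/value lines and compares them with the ranges and notes this chapter documents. The sample text is constructed from the output above (its exact column layout is an assumption), and treating CM SLB Threshold as the CM threshold parameter is also an assumption.

```python
import re

# Constructed sample: key/value lines from the "show arm config" output in
# this section. The column layout on a real IAP may differ; the parser
# ignores spacing, so it also accepts the lines with no spaces at all.
SAMPLE_OUTPUT = """\
Minimum Transmit Power  :18
Maximum Transmit Power  :127
Band Steering Mode      :prefer-5ghz
Client Aware            :enable
Scanning                :enable
Wide Channel Bands      :5ghz
80Mhz Support           :enable
Air Time Fairness Mode  :fair-access
Client Match            :disable
CM NB Matching Percent  :75
CM Calculating Interval :30
CM SLB Threshold        :2
Custom Channels         :No
2.4 GHz Channels
Channel  Status
1        enable
"""

# Ranges stated in Table 45. Mapping "CM SLB Threshold" to the CM threshold
# parameter is an assumption; the guide does not spell it out.
RANGES = {
    "cmcalculatinginterval": (10, 600),
    "cmnbmatchingpercent": (20, 100),
    "cmslbthreshold": (1, 255),
}
EIRP_STEPS = range(3, 34, 3)   # Table 46: 3 to 33 dBm in 3 dBm increments
MAX_TX_DEFAULT = 127           # Table 46: documented default for the maximum


def parse_arm_config(text):
    """Return {key without spaces, lower-cased: value} for 'Key :value' lines."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips headings and channel rows
            cfg[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return cfg


def audit_arm(text):
    """Return a list of findings; an empty list means the baseline holds."""
    cfg = parse_arm_config(text)
    findings = []

    for key, (lo, hi) in RANGES.items():
        raw = cfg.get(key)
        if raw is not None and not (raw.isdigit() and lo <= int(raw) <= hi):
            findings.append(f"{key}: {raw} is outside the documented range {lo}-{hi}")

    for key in ("minimumtransmitpower", "maximumtransmitpower"):
        raw = cfg.get(key)
        if raw is None:
            continue
        ok = raw.isdigit() and (
            int(raw) in EIRP_STEPS
            or (key.startswith("maximum") and int(raw) == MAX_TX_DEFAULT)
        )
        if not ok:
            findings.append(f"{key}: {raw} is not a 3 dBm step between 3 and 33")

    if cfg.get("scanning") != "enable":
        findings.append("scanning: not enabled, so the IAP sends no coverage, "
                        "interference or intrusion detection reports")
        if cfg.get("clientmatch") == "enable":
            findings.append("clientmatch: enabled, but it requires scanning")

    if cfg.get("clientaware") != "enable":
        findings.append("clientaware: not enabled, channels can change while "
                        "clients are active on a BSSID")
    return findings


if __name__ == "__main__":
    for finding in audit_arm(SAMPLE_OUTPUT) or ["baseline holds"]:
        print(finding)
```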

Configuring Radio Settings for an IAP
You can configure 2.4 GHz and 5 GHz radio settings for an IAP either using the Instant UI or CLI.

In the Instant UI
To configure radio settings:
1. Click the RF link at the top right corner of the Instant main window.
2. Click Show advanced options. The advanced options are displayed.
3. Click the Radio tab.
4. Under the channel 2.4 GHz or 5 GHz or both, configure the following parameters.
Parameter: Description
Legacy only: Select Enabled to run the radio in non-802.11n mode. This option is set to Disabled by default.
802.11d / 802.11h: Select Enabled to allow the radio to advertise its 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. This option is set to Disabled by default.
Beacon interval: Enter the Beacon period for the IAP in milliseconds. This indicates how often the 802.11 beacon management frames are transmitted by the access point. You can specify a value within the range of 60-500. The default value is 100 milliseconds.
Interference immunity level: Select to increase the immunity level to improve performance in high-interference environments. The default immunity level is 2.
  • Level 0 — no ANI adaptation.
  • Level 1 — Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
  • Level 2 — Noise and spur immunity. This level also controls the detection of OFDM packets, and is the default setting for the Noise Immunity feature.
  • Level 3 — Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high level of interference related to 2.4 GHz appliances such as cordless phones.
  • Level 4 — Level 3 settings, and FIR immunity. At this level, the AP adjusts its sensitivity to in-band power, which can improve performance in environments with high and constant levels of noise interference.
  • Level 5 — The AP completely disables PHY error reporting, improving performance by eliminating the time the IAP would spend on PHY processing.
  NOTE: Increasing the immunity level causes the AP to lose a small amount of range.
Channel switch announcement count: Specify the count to indicate the number of channel switching announcements that must be sent before switching to a new channel. This allows associated clients to recover gracefully from a channel change.
Background spectrum monitoring: Select Enabled to allow the APs in access mode to continue with normal access service to clients, while performing the additional function of monitoring RF interference (from both neighboring APs and non-Wi-Fi sources such as microwaves and cordless phones) on the channel on which they are currently serving clients.
Table 47: Radio Configuration Parameters
5. Reboot the IAP after configuring the radio profile settings.

In the CLI
To configure 2.4 GHz radio settings:
(Instant AP)(config)# rf dot11g-radio-profile
(Instant AP)(RF dot11g Radio Profile)# beacon-interval <milliseconds>
(Instant AP)(RF dot11g Radio Profile)# legacy-mode
(Instant AP)(RF dot11g Radio Profile)# spectrum-monitor
(Instant AP)(RF dot11g Radio Profile)# dot11h
(Instant AP)(RF dot11g Radio Profile)# interference-immunity <level>
(Instant AP)(RF dot11g Radio Profile)# csa-count <count>
(Instant AP)(RF dot11g Radio Profile)# max-distance <count>
(Instant AP)(RF dot11g Radio Profile)# end
(Instant AP)# commit apply

To configure 5 GHz radio settings:
(Instant AP)(config)# rf dot11a-radio-profile
(Instant AP)(RF dot11a Radio Profile)# beacon-interval <milliseconds>
(Instant AP)(RF dot11a Radio Profile)# legacy-mode
(Instant AP)(RF dot11a Radio Profile)# spectrum-monitor
(Instant AP)(RF dot11a Radio Profile)# spectrum-band <type>
(Instant AP)(RF dot11a Radio Profile)# dot11h
(Instant AP)(RF dot11a Radio Profile)# interference-immunity <level>
(Instant AP)(RF dot11a Radio Profile)# max-distance <count>
(Instant AP)(RF dot11a Radio Profile)# csa-count <count>
(Instant AP)(RF dot11a Radio Profile)# end
(Instant AP)# commit apply

To view the radio configuration:
(Instant AP)# show radio config
Legacy Mode:enable
Beacon Interval:100
802.11d/802.11h:enable
Interference Immunity Level:2
Channel Switch Announcement Count:0
MAX Distance:600
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
5.0 GHz:
Legacy Mode:enable
Beacon Interval:100
802.11d/802.11h:enable
Interference Immunity Level:2
Channel Switch Announcement Count:2
MAX Distance:600
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
Standalone Spectrum Band:5ghz-upper

Chapter 17
Deep Packet Inspection and Application Visibility
This chapter provides the following information:
• Deep Packet Inspection on page 241
• Enabling Application Visibility on page 241
• Application Visibility on page 242
• Configuring Access Rules for Application and Application Categories on page 246
• Configuring URL Filtering Policies on page 249

Deep Packet Inspection
Deep Packet Inspection or AppRF is Aruba's custom built Layer 7 application and web-filtering service that allows creating firewall policies based on types of application. IAPs with DPI capability analyze data packets to identify applications in use and allow you to create access rules to determine client access to applications, application categories, web categories and website URLs based on security ratings. You can also define traffic shaping policies such as bandwidth control and QoS per application for client roles. For example, you can block bandwidth monopolizing applications on a guest role within an enterprise.
The AppRF feature provides application visibility for analyzing client traffic flow. IAPs support both the power of in-device packet flow identification and dynamically updated cloud-based web categorization.
To view the graphs, set the AppRF visibility option in the System window to Enabled. For more information on DPI ACLs and AppRF visibility, see the following topics:

Enabling Application Visibility
Enabling AppRF visibility allows you to view the AppRF statistics for an IAP or the clients associated with an IAP. When visibility is enabled, the AppRF link appears on the dashboard area of the main window. On clicking this link, you can view the client traffic flow based on the enforcements.
You can enable AppRF visibility through the Instant UI or CLI:

In the Instant UI
1. Navigate to System > General.
2. Select Enabled from the AppRF visibility drop-down.
3. Click OK.

In the CLI
To enable AppRF visibility:
(Instant AP)(config)# dpi
(Instant AP)(config)# end
(Instant AP)# commit apply

Application Visibility
The AppRF graphs are based on the Deep Packet Inspection (DPI) application and web-filtering service, which provides an application traffic summary for the client devices associated with an IAP. The AppRF link above the activity panel of the dashboard is displayed only if AppRF visibility is enabled in the System window.
The following figure provides a view of the AppRF dashboard:
Figure 71 AppRF Dashboard
The AppRF dashboard presents four different graph areas with data graphs on all client traffic and content filters based on web category and security ratings. Click on each category to view real-time client traffic data or usage trend in the last 15 minutes.
The application charts are not supported on IAP-104/105, IAP-134/135, IAP-175, and RAP-3WN/3WNP platforms. Only the web category charts are displayed for these IAP models.

Application Category Charts
The application category chart displays details on the client traffic towards the application categories. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views.
Figure 72 Application Categories Chart - Client View
Figure 73 Application Categories List - Client View
Figure 74 Application Category Chart - AP View

Application Charts
The application chart displays details on the client traffic towards the applications. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views.
Figure 75 Application Chart - Client View
Figure 76 Application List - Client View
Figure 77 Application Chart - AP View

Web Categories Charts
The web categories chart displays details about the client traffic to the web categories. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views.
Figure 78 Web Categories Chart - Client View
Figure 79 Web Categories List - Client View
Figure 80 Web Categories Chart - AP View

Web Reputation Charts
The web reputation chart displays details about the client traffic to the URLs that are assigned a security score. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views.
Figure 81 Web Reputation Chart - Client View
Figure 82 Web Reputation List - Client View
Figure 83 Web Reputation Chart - AP View

Configuring Access Rules for Application and Application Categories
This section describes the procedure for configuring access rules based on application and application categories. For information on:
• Configuring access rules to control access to network services, see Configuring Access Rules for Network Services on page 177.
• Configuring access rules based on web categories and web reputation, see Configuring URL Filtering Policies on page 249.

In the Instant UI
To configure ACL rules for a user role:
1. Navigate to Security > Roles tab. The Roles tab contents are displayed.
   You can also configure access rules for a wired or wireless client through the WLAN wizard (Network tab > WLAN SSID > Edit > Edit WLAN > Access) or the Wired profile (More > Wired > Edit > Edit Wired Network > Access) window.
2. Select the role for which you want to configure access rules.
3. In the Access rules section, click New to add a new rule. The New Rule window is displayed.
4. Ensure that the rule type is set to Access Control.
5. To configure access to applications or application category, select a service category from the following list:
   • Application
   • Application category
   Configuring access rules based on application and application category is not supported on IAP-104/105, IAP-134/135, and RAP-3WN/3WNP platforms.
6. Based on the selected service category, configure the following parameters:
Service Category: Description
Application: Select the applications to which you want to allow or deny access.
Application category: Select any of the following application categories to which you want to allow or deny access:
  • antivirus
  • authentication
  • cloud-file-storage
  • collaboration
  • encrypted
  • enterprise-apps
  • gaming
  • im-file-transfer
  • instant-messaging
  • mail-protocols
  • mobile-app-store
  • network-service
  • peer-to-peer
  • social-networking
  • standard
  • streaming
  • thin-client
  • tunneling
  • unified-communications
  • web
  • Webmail
Application Throttling: Application throttling allows you to set a bandwidth limit for an application, application category, web category, or for sites based on their web reputation. For example, you can limit the bandwidth rate for video streaming applications such as Youtube or Netflix, or assign a low bandwidth to high risk sites. If your IAP model does not support configuring access rules based on application or application category, you can create a rule based on web category or website reputation and assign bandwidth rates.
  To specify a bandwidth limit:
  1. Select the Application Throttling check box.
  2. Specify the downstream and upstream rates in Kbps.
Action: Select any of the following actions:
  • Select Allow to allow access to users based on the access rule.
  • Select Deny to deny access to users based on the access rule.
  • Select Destination-NAT to allow changes to the destination IP address.
  • Select Source-NAT to allow changes to the source IP address.
  The destination-nat and source-nat actions apply only to the network services rules.
Destination: Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
  • to all destinations — Access is allowed or denied to all destinations.
  • to a particular server — Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
  • except to a particular server — Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
  • to a network — Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
  • except to a network — Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
  • to domain name — Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
  • to master IP — Access is allowed or denied to the master IP address.
Log: Select this check box if you want a log entry to be created when this rule is triggered. Instant supports firewall based logging function. Firewall logs on the IAPs are generated as security logs.
Blacklist: Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 171.
Disable scanning: Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for an IAP on page 238.
DSCP tag: Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.
802.1p priority: Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
Table 48: Access Rule Configuration Parameters
7. Click OK and then click Finish.

In the CLI
To configure access rules:
(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match/invert> {app <app> {permit|deny} |appcategory <appgrp>}[<option1....option9>]
(Instant AP)(Access Rule <Name>)# end
(Instant AP)# commit apply

Example
(Instant AP)(config)# wlan access-rule employee
(Instant AP)(Access Rule "employee")# rule any any match app deny throttle-downstream 256 throttle-up 256
(Instant AP)(Access Rule "employee")# rule any any match appcategory collaboration permit
(Instant AP)(Access Rule "employee")# end
(Instant AP)# commit apply

Configuring URL Filtering Policies
You can configure URL filtering policies to block certain categories of websites based on your organization specifications by defining ACL rules either through the Instant UI or CLI.

In the Instant UI
1. Navigate to Security > Roles.
2. Select any WLAN SSID or wired profile role, and click New in the Access Rules section. The New Rule window appears.
3. Select the rule type as Access Control.
4. To set an access policy based on the web category:
   a. Under Services, select Web category and expand the Web categories drop-down.
      Figure 84
   b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
   c. From the Action drop-down, select Allow or Deny as required.
   d. Click OK.
5. To filter access based on the security ratings of the website:
   a. Select Web reputation under Services.
   b. Move the slider to the required security rating level. Move the slider to select a specific web reputation value to deny access to websites with a reputation value lower than or equal to the configured value or to permit access to websites with a reputation value higher than or equal to the configured value. The following options are available:
      ▪ Trustworthy - These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.
      ▪ Low risk - These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.
      ▪ Moderate risk - These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads.
      ▪ Suspicious - These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.
      ▪ High risk - These are high risk sites. There is a high probability that the user will be exposed to malicious links or payloads.
   c. From the Action drop-down, select Allow or Deny as required.
6. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high risk sites.
7. If required, select the following check boxes:
   • Log — Select this check box if you want a log entry to be created when this rule is triggered. Instant supports firewall based logging function. Firewall logs on the IAPs are generated as security logs.
   • Blacklist — Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 171.
   • Disable scanning — Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for an IAP on page 238.
   • DSCP tag — Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.
   • 802.1p priority — Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
8. Click OK to save the rules.
9. Click OK in the Roles tab to save the changes to the role for which you defined ACL rules.

In the CLI
To control access based on web categories and security ratings:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webcategory <webgrp> {permit|deny}[<option1....option9>]
(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webreputation <webrep> {permit|deny}[<option1....option9>]
(Instant AP)(Access Rule "<access-rule>")# end
(Instant AP)# commit apply

Example
(Instant AP)(config)# wlan access-rule URLFilter
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory gambling deny
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule "URLFilter")# end
(Instant AP)# commit apply
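
The web reputation threshold described in step 5b, worked through as an added example that is not part of the user guide: a deny rule covers the configured level and every lower one, a permit rule covers the configured level and every higher one, so two rules can overlap. The level labels below are illustrative names for the five UI options, not CLI keywords (the guide shows only suspicious-sites), and the rule pairs are constructed.

```python
# Reputation levels from the list in step 5b, lowest reputation first. These
# labels are illustrative; apart from "suspicious-sites" the guide does not
# list the CLI keywords, so do not paste them into a rule.
LEVELS = ("high-risk", "suspicious", "moderate-risk", "low-risk", "trustworthy")
RANK = {name: position for position, name in enumerate(LEVELS)}


def rule_matches(action, configured, site):
    """Apply the threshold semantics stated in step 5b."""
    if action == "deny":      # deny: reputation lower than or equal to configured
        return RANK[site] <= RANK[configured]
    if action == "permit":    # permit: reputation higher than or equal to configured
        return RANK[site] >= RANK[configured]
    raise ValueError(f"unknown action: {action}")


def coverage(rules):
    """Map each reputation level to deny, permit, conflict or unmatched.

    rules is a list of (action, configured_level) pairs from one role.
    "conflict" marks a level that both a deny and a permit rule match,
    so the outcome depends on how the IAP orders the rules.
    "unmatched" marks a level no web reputation rule covers.
    """
    result = {}
    for site in LEVELS:
        actions = {action for action, level in rules
                   if rule_matches(action, level, site)}
        if len(actions) == 2:
            result[site] = "conflict"
        elif actions:
            result[site] = next(iter(actions))
        else:
            result[site] = "unmatched"
    return result


if __name__ == "__main__":
    # Constructed policies: a single deny at the suspicious level, as in the
    # example above, then an overlapping deny/permit pair.
    for rules in ([("deny", "suspicious")],
                  [("deny", "moderate-risk"), ("permit", "suspicious")]):
        print(rules)
        for level, verdict in coverage(rules).items():
            print(f"  {level:14} {verdict}")
```

With the single deny at the suspicious level, high risk sites are denied as well, while the three higher levels are left to the role's other rules.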

Chapter 18
Voice and Video
This chapter describes the steps required to configure voice and video services on an IAP for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H323, SCCP, Vocera, and Alcatel NOE phones, clients running Microsoft OCS, and Apple devices running the Facetime application.
This section includes the following topics:
• Wi-Fi Multimedia Traffic Management on page 251
• QoS for Microsoft Office OCS and Apple Facetime on page 253

Wi-Fi Multimedia Traffic Management
Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless Quality of Service (QoS) standard. WMM works with 802.11a, b, g, and n physical layer standards.
WMM supports the following access categories (ACs):
• Voice
• Video
• Best effort
• Background
The following table shows the mapping of the WMM access categories to 802.1p priority values. The 802.1p priority value is contained in a two-byte QoS control field in the WMM data frame.
802.1p Priority    WMM Access Category
1, 2               Background
0, 3               Best effort
4, 5               Video
6, 7               Voice
Table 49: WMM AC to 802.1p Priority Mapping
In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can configure an SSID with higher values for best effort and voice ACs, to allocate a higher bandwidth to clients transmitting best effort and voice traffic.

Configuring WMM for Wireless Clients
You can configure WMM for wireless clients by using the UI or CLI.

In the Instant UI
1. Navigate to the WLAN wizard (click Network > New or Network > Select the WLAN SSID > edit).
2. Click Show advanced options under WLAN Settings.
3. Specify a percentage value for the following WMM access categories in the corresponding Share field. You can
allocate a higher bandwidth for voice and video traffic than other types of traffic based on the network profile.
• Background WMM—Allocates bandwidth for background traffic such as file downloads or print jobs.
• Best effort WMM—Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from
applications or devices that do not support QoS.
• Video WMM—Allocates bandwidth for video traffic generated from video streaming.
• Voice WMM—Allocates bandwidth for voice traffic generated from the incoming and outgoing voice
communication.
In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values
for Best effort WMM and Voice WMM to allocate a higher bandwidth to clients transmitting best effort and voice
traffic.
4. Click Next and complete the configuration as required.
In the CLI
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# wmm-background-share <share>
(Instant AP)(SSID Profile <name>)# wmm-best-effort-share <share>
(Instant AP)(SSID Profile <name>)# wmm-video-share <share>
(Instant AP)(SSID Profile <name>)# wmm-voice-share <share>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Configuring WMM-DSCP Mapping
The IEEE 802.11e standard defines the mapping between WMM ACs and Differentiated Services Codepoint
(DSCP) tags. You can customize the mapping values between WMM ACs and DSCP tags to prioritize various traffic
types and apply these changes to a WMM-enabled SSID profile.
DSCP classifies packets based on network policies and rules. The following table shows the default WMM AC to
DSCP mappings and the recommended WMM AC to DSCP mappings.
DSCP Value    WMM Access Category
8, 16         Background
0, 24         Best effort
32, 40        Video
48, 56        Voice
Table 50: WMM-DSCP Mapping

When you customize WMM AC mappings, all packets received are matched against the entries in the mapping table and
prioritized accordingly. The mapping table contains information for upstream (client to IAP) and downstream (IAP to
client) traffic.
You can configure different WMM to DSCP mapping values for each WMM AC when configuring an SSID profile
either in the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard (click Network > New or Network > Select the WLAN SSID > edit).
2. Click Show advanced options under WLAN Settings.
3. Specify the appropriate DSCP mapping value within a range of 0-63 for the following access categories in the
DSCP mapping field:
• Background WMM—DSCP mapping for the background traffic.
• Best effort WMM—DSCP mapping for the best-effort traffic.
• Video WMM—DSCP mapping for the video traffic.
• Voice WMM—DSCP mapping for the voice traffic.
4. Click Next and complete the configuration as required.
In the CLI
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# wmm-background-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-best-effort-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-video-dscp <dscp>
(Instant AP)(SSID Profile <name>)# wmm-voice-dscp <dscp>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
You can configure up to 8 DSCP mapping values within the range of 0-63. You can also configure a combination of
multiple values separated by a comma, for example, wmm-voice-dscp 46,44,42,41.
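The limits stated above (at most 8 values per access category, each within 0-63) can be checked before a profile is committed. The following is an added example, not code from the guide or from Aruba: the helper names and the session text in SAMPLE_PROFILE are constructed, and it assumes that configuring an access category replaces that category's Table 50 values. The check for one DSCP value listed under two categories is an extra sanity check that the guide does not mention.

```python
# Added example: validates wmm-<ac>-dscp lines and resolves a DSCP value to a
# WMM access category. Helper names and SAMPLE_PROFILE are constructed here.

# Table 50 from the guide: DSCP value -> WMM access category.
TABLE_50 = {
    8: "background", 16: "background",
    0: "best-effort", 24: "best-effort",
    32: "video", 40: "video",
    48: "voice", 56: "voice",
}
ACS = ("background", "best-effort", "video", "voice")
MAX_VALUES = 8            # "up to 8 DSCP mapping values"
DSCP_RANGE = range(64)    # "within the range of 0-63"

# Constructed session text containing three deliberate mistakes.
SAMPLE_PROFILE = """\
(Instant AP)(config)# wlan ssid-profile Voice-Lab
(Instant AP)(SSID Profile "Voice-Lab")# wmm-voice-share 40
(Instant AP)(SSID Profile "Voice-Lab")# wmm-voice-dscp 46,44,42,41
(Instant AP)(SSID Profile "Voice-Lab")# wmm-video-dscp 34,64
(Instant AP)(SSID Profile "Voice-Lab")# wmm-background-dscp 8,10,12,14,16,18,20,22,46
(Instant AP)(SSID Profile "Voice-Lab")# end
"""


def parse_wmm_dscp(profile_text):
    """Return ({ac: [dscp, ...]}, [error, ...]) for the wmm-<ac>-dscp lines."""
    mapping, errors = {}, []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[-1].strip()      # drop a leading CLI prompt
        keyword, _, arg = line.partition(" ")
        if not (keyword.startswith("wmm-") and keyword.endswith("-dscp")):
            continue                               # -share lines and others
        ac = keyword[len("wmm-"):-len("-dscp")]
        if ac not in ACS:
            errors.append(f"{keyword}: unknown access category")
            continue
        values = []
        for token in (t.strip() for t in arg.split(",")):
            ok = token.isascii() and token.isdigit() and int(token) in DSCP_RANGE
            if ok:
                values.append(int(token))
            else:
                errors.append(f"{keyword}: {token!r} is outside 0-63")
        if len(values) > MAX_VALUES:
            errors.append(f"{keyword}: {len(values)} values, limit is {MAX_VALUES}")
        mapping[ac] = values
    # Extra check (not from the guide): one DSCP value under two categories.
    owner = {}
    for ac in ACS:
        for value in mapping.get(ac, []):
            if owner.setdefault(value, ac) != ac:
                errors.append(f"DSCP {value} is mapped to both {owner[value]} and {ac}")
    return mapping, errors


def effective_table(mapping):
    """Table 50 with every configured category's values swapped in (assumption)."""
    table = {d: ac for d, ac in TABLE_50.items() if ac not in mapping}
    for ac, values in mapping.items():
        for value in values:
            table.setdefault(value, ac)            # first listed category wins
    return table


def classify(dscp, mapping):
    """Access category for a DSCP value, or None when no entry lists it."""
    return effective_table(mapping).get(dscp)


if __name__ == "__main__":
    parsed, problems = parse_wmm_dscp(SAMPLE_PROFILE)
    for problem in problems:
        print("ERROR:", problem)
    for dscp in (46, 48, 34, 0):
        print(dscp, "->", classify(dscp, parsed))
```

classify returns None for a value that no entry lists; this section of the guide does not say how the IAP treats such packets.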
QoS for Microsoft Office OCS and Apple Facetime
Voice and video devices use a signaling protocol to establish, control, and terminate voice and video calls. These
control or signaling sessions are usually permitted using pre-defined ACLs. If the control signaling packets are
encrypted, the IAP cannot determine which dynamic ports are used for voice or video traffic. In these cases, the IAP
has to use an ACL with the classify-media option enabled to identify the voice or video flow based on a deep packet
inspection and analysis of the actual traffic. Instant identifies and prioritizes voice and video traffic from applications
such as Microsoft Office Communications Server (OCS) and Apple Facetime.
Microsoft OCS
Microsoft Office Communications Server (OCS) uses Session Initiation Protocol (SIP) over TLS to establish,
control, and terminate voice and video calls.
Apple Facetime
When an Apple device starts a Facetime video call, it initiates a TCP session to the Apple Facetime server over port
5223, then sends SIP signaling messages over a non-default port. When media traffic starts flowing, audio and video
data are sent through that same port using RTP. (The audio and video packets are interleaved in the air, though
the individual sessions can be uniquely identified using their payload type and sequence numbers.) The RTP header
and payload also get encapsulated under the TURN Channel Data Messages. The Facetime call is terminated with a
SIP BYE message that can be sent by either party.
The following table lists the ports used by Apple Facetime. Facetime users need to be assigned a role where traffic is
allowed on these ports.
Port           Packet Type
53             TCP/UDP
443            TCP
3478-3497      UDP
5223           TCP
16384-16387    UDP
16393-16402    UDP
Table 51: Ports Used by the Apple Facetime Application

Chapter 19
Services
This chapter provides information on how to configure the following services on an IAP:
• AirGroup
• Real Time Location Server (RTLS)
• Analytics and Location Engine (ALE)
• OpenDNS
• Communications Assistance for Law Enforcement Act (CALEA)
• Palo Alto Network Firewall
• XML-API Server
AirGroup Configuration
AirGroup provides a unique enterprise-class capability that leverages zero configuration networking to enable
AirGroup services from mobile devices in an efficient manner. Zero configuration networking enables service
discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services.
It is designed for flat, single-subnet IP networks such as wireless networking at home. The users can register their
personal devices and define a group of users who can share the registered devices. Administrators can register
and manage an organization's shared devices such as printers and grant global access to each device, or restrict
access according to the username, role, or user location.
In large universities and enterprise networks, it is common for devices to connect to the network across VLANs. As
a result, user devices on a specific VLAN cannot discover a service that resides on another VLAN. As the addresses
used by the protocol are link-scope multicast addresses, each query or advertisement can only be forwarded on its
respective VLAN, but not across different VLANs. Broadcast and multicast traffic are usually filtered out from a
wireless LAN network to preserve the airtime and battery life. This inhibits the performance of AirGroup services that
rely on multicast traffic. Aruba addresses this challenge with AirGroup technology.
The distributed AirGroup architecture allows each IAP to handle mDNS and DLNA queries and responses
individually instead of overloading a Virtual Controller with these tasks. This results in a scalable AirGroup solution.
The AirGroup solution supports both wired and wireless devices. An AirGroup device can be registered by an
administrator or a guest user.
1. The AirGroup administrator gives an end user the AirGroup operator role, which authorizes the user to register the
client devices on the CPPM platform.
2. IAPs maintain information for all AirGroup services. The IAP queries CPPM to map each device’s access privileges
to the available services and responds to the query made by a device based on contextual data such as user role,
username, and location.

The following figure illustrates how AirGroup enables personal sharing of Apple devices:
Figure 85 AirGroup Enables Personal Device Sharing
AirGroup is not supported on 3G and PPPoE uplinks.
Multicast DNS and Bonjour® Services
Bonjour is the trade name for the zero configuration implementation introduced by Apple. It is supported by most of
the Apple product lines, including the Mac OS X operating system, iPhone, iPod Touch, iPad, Apple TV, and AirPort
Express. Apple AirPlay and AirPrint services are based on the Bonjour protocol and are essential services in
campus Wi-Fi networks.
Bonjour can be installed on computers running Microsoft Windows® and is supported by the new network-capable
printers. Bonjour is also included with popular software programs such as Apple iTunes, Safari, and iPhoto. Bonjour
uses multicast DNS (mDNS) to locate devices and the services offered by these devices.
As shown in the following figure, IAP1 discovers AirPrint (P1) and IAP3 discovers Apple TV (TV1). IAP1
advertises information about its connected P1 device to the other IAPs, that is, IAP2 and IAP3. Similarly, IAP3
advertises the TV1 device to IAP1 and IAP2. This type of distributed architecture allows any IAP to respond to its
connected devices locally. In this example, the iPad connected to IAP2 obtains a direct response from the same IAP
about the other Bonjour-enabled services in the network.

Figure 86 Bonjour Services and AirGroup Architecture
For a list of supported Bonjour services, see AirGroup Services on page 259.
DLNA UPnP Support
In addition to the mDNS protocol, IAPs now support Universal Plug and Play (UPnP) and DLNA (Digital Living
Network Alliance) enabled devices. DLNA is a network standard derived from UPnP, which enables devices to
discover the services available in a network. DLNA also provides the ability to share data between the Windows or
Android based multimedia devices. All the features and policies applicable to mDNS are extended to DLNA to
ensure full interoperability between compliant devices.
In a UPnP based scenario, the following types of devices are available in a network:
• Controlled devices (servers)
• Control points (clients)
When a controlled device joins a network and acquires an IP address, it multicasts a number of discovery messages
advertising itself, its embedded devices and services. On the other hand, when a control point joins a network, it may
multicast a search discovery message searching for interesting devices and services. The devices listening on the
multicast address respond if they match the search criteria in the search message.
In a single AP network, the IAP maintains a cache table containing the list of discovered services in the network.
The IAP also enforces native policies such as disallowing roles and VLANs and the policies defined on CPPM to
determine the devices or services that are allowed and can be discovered in the network. Whenever a search
request comes, the AP looks up its cache table and filters based on configured policies and then builds a search
response and unicasts it to the requesting device.
In an IAP cluster, the IAPs maintain a list of associated UPnP devices and allow the discovery of the associated
devices.
The following figure illustrates DLNA UPnP Services and AirGroup Architecture.
Figure 87 DLNA UPnP Services and AirGroup Architecture
For a list of supported DLNA services, see AirGroup Services on page 259.
AirGroup Features
AirGroup supports the following features:
• Sends unicast responses to mDNS or DLNA queries and reduces the traffic footprint.
• Ensures cross-VLAN visibility and availability of AirGroup devices and services.
• Allows or blocks AirGroup services for all users.
• Allows or blocks AirGroup services based on user roles.
• Allows or blocks AirGroup services based on VLANs.
• Matches devices to their closest services such as printers.
AirGroup also enables context awareness for services across the network:
• AirGroup is aware of personal and shared devices. For example, an Apple TV in a dorm room can be associated
with the student who owns it, or an Apple TV in a meeting room or a printer in a supply room can be made available to
certain users, such as the marketing department.
• AirGroup is aware of the location of services when CPPM support is enabled. For example, depending on
proximity, a user would be presented with the closest printer instead of all the printers in the building.
• When configured, AirGroup enables a client to perform a location-based discovery. For example, when a client
roams from one Instant cluster to another, it can discover devices available in the new cluster to which the client
is currently connected.
The following figure shows an example of a higher-education environment with shared, local, and personal services
available to mobile devices.

Figure 88 AirGroup in a Higher-Education Environment
When AirGroup discovers a new device, it interacts with CPPM to obtain the shared attributes such as shared
location and role. However, the current versions of IAPs do not support the enforcement of shared location policy.
AirGroup Services
AirGroup supports zero configuration services. The services are pre-configured and are available as part of the
factory default configuration. The administrator can also enable or disable any or all services by using the Instant UI
or CLI.
The following services are available for IAP clients:
• AirPlay™—Apple® AirPlay allows wireless streaming of music, video, and slideshows from your iOS device to
Apple TV® and other devices that support the AirPlay feature.
• AirPrint™—Apple AirPrint allows you to print from an iPad®, iPhone®, or iPod® Touch directly to any AirPrint
compatible printers.
• iTunes—The iTunes service is used by iTunes Wi-Fi sync and iTunes home-sharing applications across all Apple
devices.
• RemoteMgmt—The RemoteMgmt service allows remote login, remote management, and FTP utilities on Apple
devices.
• Sharing—The Sharing service allows applications such as disk sharing and file sharing among Apple devices.
• Chat—The iChat® (Instant Messenger) application on Apple devices uses this service.
• ChromeCast—ChromeCast service allows you to use a ChromeCast device to play audio or video content on a
high definition television by streaming content through Wi-Fi from the Internet or local network.
• DLNA Media—Applications such as Windows Media Player use this service to browse and play media content on
a remote device.
• DLNA Print—This service is used by printers that support DLNA.
In the Instant 6.4.0.2-4.1 release, Aruba recommends having a maximum of up to 80 AirGroup servers in the
network.
For more information on configuring AirGroup services, see Configuring AirGroup and AirGroup Services on an IAP
on page 261.
AirGroup Components
AirGroup leverages key elements of the Aruba solution portfolio including operating system software for Instant,
CPPM, and the VLAN-based or role-based filtering options offered by the AirGroup services. The components that
make up the AirGroup solution include the Instant, CPPM, and ClearPass Guest. The version requirements are
described in the following table:
Component                          Minimum Version for mDNS Services    Minimum Version for DLNA Services
Instant                            6.2.0.0-3.2.0.0                      6.4.0.2-4.1
ClearPass Guest software           5.2                                  6.2
ClearPass Guest Services plugin    6.2.0                                6.3.0
Table 52: Instant, CPPM, and ClearPass Guest Requirements
Starting from ClearPass version 6.0, the ClearPass Guest and the AirGroup Services plug-in are integrated into a
single platform.
AirGroup maintains seamless connectivity between clients and services across VLANs and SSIDs. The following
table summarizes the filtering options supported by Instant:
                                                                 Instant Deployment Models
Features                                                         Integrated    Integrated with CPPM
Allow mDNS and DLNA traffic to propagate across subnets/VLANs    Yes           Yes
Limit mDNS and DLNA traffic on the network                       Yes           Yes
VLAN based AirGroup service policy enforcement                   Yes           Yes
User-role based AirGroup service policy enforcement              Yes           Yes
Portal to self register personal leaves                          No            Yes
Device owner based policy enforcement                            No            Yes
Location based policy enforcement                                No            Yes
Shared user list based policy enforcement                        No            Yes
Shared role list based policy enforcement                        No            Yes
Table 53: AirGroup Filtering Options
CPPM and ClearPass Guest Features
CPPM and ClearPass Guest support the following features:
• Registration portal for WLAN users to register their personal devices.
• Registration portal for WLAN administrators to register shared devices.
• Operator-defined personal AirGroup to specify a list of other users who can share devices with the operator.
• Administrator defined username, user role, and location attributes for shared devices.

Configuring AirGroup and AirGroup Services on an IAP
You can configure AirGroup services using the Instant UI or CLI.
In the Instant UI
To enable AirGroup and its services:
1. Click the More > Services link at the top right corner of the Instant main window.
2. Click the AirGroup tab. The AirGroup tab details are displayed.
Figure 89 AirGroup Configuration
3. To enable support for Bonjour services, select the Enable Bonjour checkbox and select the AirGroup services
related to Bonjour as required.
4. To enable DLNA support, select the Enable DLNA checkbox and select the DLNA services.
5. To allow the users to use Bonjour services enabled in a guest VLAN, select Enable Guest Bonjour multicast.
When this checkbox is enabled, the Bonjour devices are visible only in the guest VLAN and AirGroup will not
discover or enforce policies in the guest VLAN.
6. Select the Enable AirGroup across mobility domains checkbox to enable inter-cluster mobility. When
enabled, the IAP shares the mDNS database information with the other clusters. The DNS records in the Virtual
Controller can be shared with all the Virtual Controllers configured for L3 Mobility.
By default, this feature is disabled. To define clusters, go to System > L3 Mobility tab.
7. Ensure that the required AirGroup services are selected. To add any service, click New and add. To allow all
services, select allowall. If a custom service is added, you can add a corresponding service ID by clicking New
under Service ID.
If the IAP is upgraded to the current release and if Bonjour is enabled, ensure that the corresponding Bonjour services
are selected.
Instant supports the use of up to 6 custom services.
8. Based on the services configured, you can block any user roles from accessing an AirGroup service and restrict
the AirGroup servers connected to a specific set of VLANs from being discovered. The user roles and VLANs
marked as disallowed are prevented from accessing the corresponding AirGroup service. You can create a list of
disallowed user roles and VLANs for all AirGroup services configured on the IAP. For example, if the AirPlay
service is selected, the edit links for the airplay disallowed roles and airplay disallowed vlans are displayed.
Similarly, if the sharing service is selected, the edit links for the sharing disallowed roles and sharing disallowed
vlans are displayed.
• To block user roles from accessing an AirGroup service, click the corresponding edit link and select the
user roles for which you want to restrict access. By default, an AirGroup service is accessible by all user roles
configured in your IAP cluster.
• To exclude VLANs from accessing an AirGroup service, click the corresponding edit link and select the
VLANs to exclude. By default, the AirGroup services are accessible by users or devices in all VLANs
configured in your IAP cluster.
9. ClearPass Settings—Use this section to configure the CPPM server, CoA server, and enforce ClearPass
registering.
• CPPM server 1—Indicates the ClearPass Policy Manager server information for AirGroup policy.
• Enforce ClearPass registering—When enabled, only devices registered with CPPM will be discovered by
Bonjour devices, based on the CPPM policy.
In the CLI
To configure AirGroup:
(Instant AP)(config)# airgroup
(Instant AP)(airgroup)# enable [dlna-only|mdns-only]
(Instant AP)(airgroup)# cppm enforce-registration
(Instant AP)(airgroup)# cppm-server <server>
(Instant AP)(airgroup)# cppm-query-interval <interval>
(Instant AP)(airgroup)# disallow-vlan <vlan-ID>
(Instant AP)(airgroup)# enable-guest-multicast
(Instant AP)(airgroup)# multi-swarm
(Instant AP)(airgroup)# end
(Instant AP)# commit apply
To enable DLNA support:
(Instant AP)(config)# airgroup
(Instant AP)(airgroup)# enable dlna-only
(Instant AP)(airgroup)# end
(Instant AP)# commit apply
To enable support for Bonjour services:
(Instant AP)(config)# airgroup
(Instant AP)(airgroup)# enable mdns-only
(Instant AP)(airgroup)# end
(Instant AP)# commit apply
To configure an AirGroup service:
(Instant AP)(config)# airgroupservice <airgroup-service>
(Instant AP)(airgroup-service)# id <airgroupservice-ID>
(Instant AP)(airgroup-service)# description <text>
(Instant AP)(airgroup-service)# disallow-role <role>
(Instant AP)(airgroup-service)# disallow-vlan <vlan-ID>
(Instant AP)(airgroup-service)# end
(Instant AP)# commit apply
To verify the AirGroup configuration status:
(Instant AP)# show airgroup status
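The cache-table lookup described under DLNA UPnP Support and the disallow-role and disallow-vlan settings above can be modelled to check what a given client would be shown. The following is an added example, not Aruba code: the configuration text, cache table and function names are constructed. It reads the guide as follows, which is an assumption: a disallowed role or a client on a disallowed VLAN receives no answer, servers on a disallowed VLAN are hidden, and a service without an airgroupservice entry is not answered.

```python
# Added example: a model of AirGroup disallow-role / disallow-vlan filtering.
# SAMPLE_CONFIG and SAMPLE_CACHE are constructed; function names are hypothetical.

SAMPLE_CONFIG = """\
airgroup
 enable
 enable-guest-multicast
 disallow-vlan 30
airgroupservice airplay
 disallow-role guest
 disallow-vlan 20
airgroupservice airprint
 disallow-role contractor
airgroupservice sharing
"""

# Cache table of discovered servers: (service, server name, server VLAN).
SAMPLE_CACHE = [
    ("airplay", "TV1-meeting-room", 10),
    ("airplay", "TV2-dorm", 20),
    ("airprint", "P1-supply-room", 10),
    ("airprint", "P2-lab", 30),
    ("sharing", "NAS1", 10),
]


def parse_airgroup(config_text):
    """Collect global and per-service disallow lists from CLI-style lines."""
    policy = {"global_vlans": set(), "guest_multicast": False, "services": {}}
    section = None                                  # None, "global" or a service
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[-1].split()       # tolerate a CLI prompt
        if not words:
            continue
        command, args = words[0], words[1:]
        if command == "airgroup":
            section = "global"
        elif command == "airgroupservice" and len(args) == 1:
            section = args[0]
            policy["services"].setdefault(section, {"roles": set(), "vlans": set()})
        elif section == "global" and command == "enable-guest-multicast":
            policy["guest_multicast"] = True
        elif section == "global" and command == "disallow-vlan" and len(args) == 1:
            policy["global_vlans"].add(int(args[0]))
        elif section in policy["services"] and len(args) == 1:
            if command == "disallow-vlan":
                policy["services"][section]["vlans"].add(int(args[0]))
            elif command == "disallow-role":
                policy["services"][section]["roles"].add(args[0])
    return policy


def search_response(policy, cache, service, client_role, client_vlan):
    """Server names that would be unicast back to the requesting client."""
    svc = policy["services"].get(service)
    if svc is None:
        return []
    blocked_vlans = policy["global_vlans"] | svc["vlans"]
    if client_role in svc["roles"] or client_vlan in blocked_vlans:
        return []
    return [name for s, name, vlan in cache
            if s == service and vlan not in blocked_vlans]


def audit(policy):
    """Settings worth a second look before the configuration is committed."""
    findings = []
    if policy["guest_multicast"]:
        findings.append("enable-guest-multicast: AirGroup does not discover or "
                        "enforce policies in the guest VLAN")
    for name, svc in sorted(policy["services"].items()):
        if not svc["roles"] and not svc["vlans"]:
            findings.append(f"{name}: no disallow-role or disallow-vlan of its own")
    return findings


if __name__ == "__main__":
    pol = parse_airgroup(SAMPLE_CONFIG)
    for role, vlan in (("student", 10), ("guest", 10), ("student", 30)):
        print(role, vlan, search_response(pol, SAMPLE_CACHE, "airplay", role, vlan))
    for finding in audit(pol):
        print("REVIEW:", finding)
```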

Configuring AirGroup and CPPM interface in Instant
Configure the Instant and CPPM interface to allow an AirGroup IAP and CPPM to exchange information regarding
device sharing and location. The configuration options define the RADIUS server that is used by the AirGroup
RADIUS client.
The AirGroup configuration with CPPM involves the following steps:
1. Create a RADIUS service
2. Assign a Server to AirGroup
3. Configure CPPM to Enforce Registration
Creating a RADIUS Server
You can configure an external RADIUS server in the Security window. For more information on configuring the CPPM server, see
Configuring an External Server for Authentication on page 157. You can also create a RADIUS server in the Air
Group window. Navigate to Services > AirGroup > ClearPass Settings > CPPM server 1 > and select New
from the drop-down list.
Assign a Server to AirGroup
To associate the CPPM server with AirGroup, select the CPPM server from the CPPM Server 1 drop-down list.
If two CPPM servers are configured, the CPPM server 1 acts as a primary server and the CPPM server 2 acts as a
backup server.
After the configuration is complete, this particular server will be displayed in the CoA server option. To view this
server, go to Services > AirGroup > ClearPass Settings > CoA server.
Configure CPPM to Enforce Registration
When CPPM registration is enforced, the devices registered with CPPM will be discovered by Bonjour devices,
based on the CPPM policy.
Change of Authorization (CoA)
When a RADIUS server is configured with Change of Authorization (CoA) with the CPPM server, the guest users
are allowed to register their devices. For more information on configuring a RADIUS server with CoA, see Configuring
an External Server for Authentication on page 157.
You can also create a CoA only server in the Services > AirGroup > ClearPass Settings > CoA server
window.
Configuring an IAP for RTLS Support
Instant supports the real-time tracking of devices when integrated with the AirWave Management Platform, or a
third-party Real Time Location Server such as Aeroscout Real Time Location Server. With the help of the RTLS, the
devices can be monitored in real-time or through history.
You can configure RTLS using the Instant UI or CLI.
In the Instant UI
To configure Aruba RTLS:
1. Click the More > Services link at the top right corner of the Instant main window. The Services window is
displayed.
2. Click the RTLS tab. The following figure shows the contents of the RTLS tab.
3. Under Aruba, select the RTLS checkbox to integrate Instant with the AirWave Management Platform or Ekahau
Real Time Location Server.
Figure 90 RTLS Window
4. Specify the IP address and port to which the location reports must be sent.
5. Specify the shared secret key in the Passphrase text box.
6. Specify the frequency at which the Virtual Controller can send updates to the server. You can specify a value
within the range of 5-3600 seconds. The default value is 5 seconds.
7. Select the Include unassociated stations checkbox to send reports on the stations that are not associated to
any IAP to the RTLS server.
8. Click OK.
To configure third-party RTLS such as Aeroscout:
1. Select the Aeroscout checkbox to send the RFID tag information to an AeroScout RTLS.
2. Specify the IP address and port number of the AeroScout server, to which location reports must be sent.
3. Select the Include unassociated stations checkbox to send reports on the stations that are not associated to
any IAP to the Aeroscout RTLS server.
4. Click OK.
In the CLI
To configure AirWave RTLS:
(Instant AP)(config)# airwave-rtls <IP-address> <port> <passphrase> <seconds> include-unassoc-sta
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure Aeroscout RTLS:
(Instant AP)(config)# aeroscout-rtls <IP-address> <port> include-unassoc-sta
(Instant AP)(config)# end
(Instant AP)# commit apply

Configuring an IAP for Analytics and Location Engine Support
The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it and
share it through a standard API. The client information gathered by ALE can be used for analyzing a client’s internet
behavior for business purposes, such as shopping preferences.
ALE includes a location engine that calculates the associated and unassociated device location every 30 seconds
by default. For every device on the network, ALE provides the following information through the Northbound API:
• Client user name
• IP address
• MAC address
• Device type
• Application firewall data, showing the destinations and applications used by associated devices.
• Current location
• Historical location
ALE requires the AP placement data to be able to calculate location for the devices in a network.
ALE with Instant
The Instant 6.3.1.1-4.0 release supports Analytics and Location Engine (ALE). The ALE server acts as a primary
interface to all third-party applications and the IAP sends client information and all status information to the ALE
server.
To integrate an IAP with ALE, the ALE server address must be configured on an IAP. If the ALE server is configured with
a host name, the Virtual Controller performs a mutual certificate-based authentication with the ALE server, before
sending any information.
Enabling ALE Support on an IAP
You can configure an IAP for ALE support using the Instant UI or CLI.
In the Instant UI
1. Click More > Services. The Services window is displayed.
2. Click the RTLS tab. The tab details are displayed.
3. Select the Analytics & Location Engine checkbox.
Figure 91 Services Window—ALE Integration
4. Specify the ALE server name or IP address.
5. Specify the reporting interval within the range of 6-60 seconds. The IAP sends messages to the ALE server at the
specified interval. The default interval is 30 seconds.
6. Click OK.
In the CLI
To enable IAP integration with the ALE server:
(Instant AP)(config)# ale-server <server-name|IP-address>
(Instant AP)(config)# ale-report-interval <seconds>
(Instant AP)(config)# end
(Instant AP)# commit apply
Verifying ALE Configuration on an IAP
To view the configuration details:
(Instant AP)# show ale config
To verify the configuration status:
(Instant AP)# show ale status
Configuring OpenDNS Credentials
When configured, the OpenDNS credentials are used by Instant to access OpenDNS to provide enterprise-level
content filtering. You can configure OpenDNS credentials using the Instant UI or CLI.
In the Instant UI
To configure OpenDNS credentials:
1. Click More > Services > OpenDNS. The OpenDNS tab contents are displayed.
2. Enter the Username and Password to enable access to OpenDNS.
3. Click OK to apply the changes.

In the CLI
To configure OpenDNS credentials:
(Instant AP)(config)# opendns <username> <password>
(Instant AP)(config)# end
(Instant AP)# commit apply
Integrating an IAP with Palo Alto Networks Firewall
Palo Alto Networks (PAN) next-generation firewall offers contextual security for all users for safe enabling of
applications. A simple firewall based only on IP addresses or TCP port numbers provides just a subset of the enhanced
security required for enterprises to secure their networks. In the context of businesses using social networking sites,
legacy firewalls are not able to differentiate valid authorized users from casual social networking users.
The Palo Alto next-generation firewall is based on user ID, which provides many methods for connecting to sources
of identity information and associating them with firewall policy rules. For example, it provides an option to gather
user information from Active Directory or LDAP server.
Integration with Instant
The functionality provided by the PAN firewall based on user ID requires the collection of information from the
network. The IAP maintains the network (such as mapping IP address) and user information for its clients in the network
and can provide the required information for the user ID feature on the PAN firewall. Before sending the user-ID mapping
information to the PAN firewall, the IAP must retrieve an API key that will be used for authentication for all APIs.
IAP and PAN firewall integration can be seamless with the XML-API that is available with PAN-OS 5.0 or later.
To integrate an IAP with PAN user ID, a global profile is added. This profile can be configured on an IAP with PAN
firewall information such as IP address, port, user name, password, firewall enabled or disabled status.
The IAP sends messages to PAN based on the type of authentication and client status:
• After a client completes the authentication and is assigned an IP address, the IAP sends the login message.
• After a client is disconnected or dissociated from the IAP, the IAP sends a logout message.
Configuring an IAP for PAN integration
You can configure an IAP for PAN firewall integration using the Instant UI or CLI.
In the Instant UI
1. Click More > Services. The Services window is displayed.
2. Click Network Integration. The PAN firewall configuration options are displayed.
Figure 92 Services Window - Network Integration Tab
3. Select the Enable checkbox to enable PAN firewall.
4. Specify the user name and password. Ensure that you provide user credentials of the PAN firewall administrator.
5. Enter the PAN firewall IP address.
6. Enter the port number within the range of 1-65535. The default port is 443.
7. Click OK.
In the CLI
To enable PAN firewall integration with the IAP:
(Instant AP)(config)# firewall-external-enforcement pan
(Instant AP)(firewall-external-enforcement pan)# enable
(Instant AP)(firewall-external-enforcement pan)# ip <ip-address>
(Instant AP)(firewall-external-enforcement pan)# port <port>
(Instant AP)(firewall-external-enforcement pan)# user <name> <password>
(Instant AP)(firewall-external-enforcement pan)# end
(Instant AP)# commit apply
Integrating an IAP with an XML API interface
The XML API interface provides options to create and execute user management operations seamlessly on behalf of
the clients or users.

Integration with Instant
The XML API interface allows users to send specific XML commands to an IAP from an external server. These
XML commands can be used to customize IAP client entries. You can use the XML API interface to add, delete,
authenticate, query, or blacklist a user or a client.
The user authentication is supported only for users authenticated by Captive Portal authentication and not for the
dot1x-authentication users.
The user add operation performed by the XML API interface is only used to modify the role of an existing user and
not to create a new user.
Users can now use HTTP or HTTPS to post commands to the IAP. The communication process using the
XML API Interface is as follows:
• An API command is issued in XML format from the Server to the Virtual Controller.
• The Virtual Controller processes the XML request and identifies where the client is and sends the command to
the correct slave IAP.
• Once the operation is completed, the Virtual Controller sends the XML response to the XML server.
• Users can use the response and take appropriate action that suits their requirements. The response from the
controller is returned using predefined formats.
Configuring an IAP for XML API integration
You can configure an IAP for XML API integration using the Instant UI or CLI.
In the Instant UI
1. Click More > Services. The Services window is displayed.
2. Click Network Integration. The XML API Server configuration options are displayed.
Figure 93 XML API Server Configuration
3. Enter the IP address of the XML API Server.
4. Enter the Passphrase required to authenticate and access the XML API Server.
5. Re-enter the Passphrase in the Retype box.
6. Click OK.
In the CLI
To enable XML API integration with the IAP:
(Instant AP)(config)# xml-api-server
(Instant AP)(xml-api-server)# ip <ip-address>
(Instant AP)(xml-api-server)# key <shared-key>
(Instant AP)(xml-api-server)# no <delete-command>
(Instant AP)(xml-api-server)# end
(Instant AP)# commit apply
CALEA Integration and Lawful Intercept Compliance
Lawful Intercept (LI) allows the Law Enforcement Agencies (LEA) to perform an authorized electronic surveillance.
Depending on the country of operation, the service providers (SPs) are required to support LI in their respective
networks.
In the United States, SPs are required to ensure LI compliance based on Communications Assistance for Law
Enforcement Act (CALEA) specifications.
Instant supports CALEA integration in hierarchical and flat topologies, mesh IAP networks, and wired and wireless
networks.
Enable this feature only if lawful interception is authorized by a law enforcement agency.
CALEA Server Integration
To support CALEA integration and ensure LI compliance, you can configure the IAPs to replicate a specific or
selected client traffic and send it to a remote CALEA server.
Traffic Flow from IAP to CALEA Server
You can configure an IAP to send GRE encapsulated packets to the CALEA server and replicate client traffic within
the GRE tunnel. Each IAP sends GRE encapsulated packets only for its associated or connected clients. The
following figure illustrates the traffic flow from the IAP to the CALEA server.
Figure 94 IAP to CALEA Server

Traffic Flow from IAP to CALEA Server through VPN
You can also deploy the CALEA server with the controller and configure an additional IPSec tunnel for corporate
access. When the CALEA server is configured with the controller, the client traffic is replicated by the slave IAP, and
client data is encapsulated by GRE on the slave and routed to the master IAP. The master IAP sends the IPsec client
traffic to the controller. The controller handles the IPSec client traffic while GRE data is routed to the CALEA server.
The following figure illustrates the traffic flow from the IAP to the CALEA server through VPN.
Figure 95 IAP to CALEA Server through VPN
Ensure that an IPSec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN.
For more information on configuring IPSec, see Configuring an IPSec Tunnel on page 210.
Client Traffic Replication
Client traffic is replicated in the following ways:
• Through RADIUS VSA—In this method, the client traffic is replicated by using the RADIUS VSA to assign
clients to a CALEA related user role. To enable role assignment to clients, you need to create a user role and a
CALEA access rule, and then assign the CALEA rule to the user role. Whenever a client that is configured to use
a CALEA rule connects, a replication role is assigned.
• Through Change of Authorization (CoA)—In this method, a user session can start without replication. When the
network administrator triggers a CoA from the RADIUS server, the user session is replicated. The replication is
stopped when the user disconnects or by sending a CoA to change the replication role.
As the client information is shared between multiple IAPs in a cluster, the replication rules persist when clients roam
within the cluster.
Configuring an IAP for CALEA Integration
To enable CALEA server integration, perform the following steps:
1. Create a CALEA profile.
2. If a replication role must be assigned through the RADIUS VSA, create an access rule and assign the access
   rule to a WLAN SSID or wired profile.
3. Verify the configuration.
Creating a CALEA Profile
You can create a CALEA profile by using the Instant UI or CLI.
In the Instant UI
To configure a CALEA profile:
1. Click More > Services at the top right corner of the Instant main window.
2. Click CALEA. The CALEA tab details are displayed.
3. Specify the following parameters:
   - IP address—Specify the IP address of the CALEA server.
   - Encapsulation type—Specify the encapsulation type. The current release of Instant supports GRE only.
   - GRE type—Specify the GRE type.
   - MTU—Specify a size for the maximum transmission unit (MTU) within the range of 68—1500. After GRE
     encapsulation, if packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size
     is 1500.
4. Click OK.
In the CLI
(Instant AP)(config)# calea
(Instant AP)(calea)# ip <IP-address>
(Instant AP)(calea)# ip mtu <size>
(Instant AP)(calea)# encapsulation-type <gre>
(Instant AP)(calea)# gre-type <type>
(Instant AP)(calea)# end
(Instant AP)# commit apply
Creating an Access Rule for CALEA
You can create an access rule for CALEA by using the Instant UI or CLI.
In the Instant UI
To create an access rule:
1. To add the CALEA access rule to an existing profile, select an existing wireless (Networks tab > edit) or wired
   (More > Wired > Edit) profile. To add the access rule to a new profile, click New under Network tab and create a
   WLAN profile, or click More > Wired > New and create a wired port profile.
2. In the Access tab, select the role for which you want to create the access rule.
3. Under Access Rules, click New. The New Rule window is displayed.
4. Select CALEA.
5. Click OK.
6. Create a role assignment rule if required.
7. Click Finish.
In the CLI
To create a CALEA access rule:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# calea
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To assign the CALEA rule to a user role:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-with|contains}<operator><role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)(SSID Profile <name>)# commit apply
To associate the access rule with a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(Wired ap profile <name>)# access-rule-name <name>
(Instant AP)(Wired ap profile <name>)# end
(Instant AP)# commit apply
Verifying the configuration
To verify the CALEA configuration:
(Instant AP)# show calea config
To view the tunnel encapsulation statistics:
(Instant AP)# show calea statistics
Example
To enable CALEA integration:
(Instant AP)(config)# calea
(Instant AP)(calea)# ip 192.0.2.7
(Instant AP)(calea)# ip mtu 1500
(Instant AP)(calea)# encapsulation-type GRE
(Instant AP)(calea)# gre-type 255
(Instant AP)(calea)# end
(Instant AP)(config)# wlan access-rule ProfileCalea
(Instant AP)(Access Rule "ProfileCalea")# calea
(Instant AP)(Access Rule "ProfileCalea")# end
(Instant AP)# commit apply
(Instant AP)(config)# wlan ssid-profile Calea-Test
(Instant AP)(SSID Profile "Calea-Test")# enable
(Instant AP)(SSID Profile "Calea-Test")# index 0
(Instant AP)(SSID Profile "Calea-Test")# type employee
(Instant AP)(SSID Profile "Calea-Test")# essid QA-Calea-Test
(Instant AP)(SSID Profile "Calea-Test")# opmode wpa2-aes
(Instant AP)(SSID Profile "Calea-Test")# max-authentication-failures 0
(Instant AP)(SSID Profile "Calea-Test")# auth-server server1
(Instant AP)(SSID Profile "Calea-Test")# set-role Filter-Id equals 123456 calea-test
(Instant AP)(SSID Profile "Calea-Test")# rf-band 5.0
(Instant AP)(SSID Profile "Calea-Test")# captive-portal disable
(Instant AP)(SSID Profile "Calea-Test")# dtim-period 1
(Instant AP)(SSID Profile "Calea-Test")# inactivity-timeout 1000
(Instant AP)(SSID Profile "Calea-Test")# broadcast-filter none
(Instant AP)(SSID Profile "Calea-Test")# dmo-channel-utilization-threshold 90
(Instant AP)(SSID Profile "Calea-Test")# local-probe-req-thresh 0
(Instant AP)(SSID Profile "Calea-Test")# max-clients-threshold 64
(Instant AP)(SSID Profile "Calea-Test")# end
(Instant AP)(SSID Profile "Calea-Test")# commit apply
To verify the configuration:
(Instant AP)# show calea config
calea-ip: 10.0.0.5
encapsulation-type: gre
gre-type: 25944
ip mtu: 150
(Instant AP)# show calea statistics
Rt resolve fail: 0
Dst resolve fail: 0
Alloc failure: 0
Fragged packets: 0
Jumbo packets: 263
Total Tx fail: 0
Total Tx ok: 263
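An audit of the configuration built in this section, as an added example that is not part of the original guide: a Python script that reads configuration text in the command syntax shown above and lists every profile that can place a client in a CALEA replication role. The sample configuration is constructed; the function names, the requirement that each block is closed with end, and the treatment of a set-role target as the access rule of the same name are assumptions.

```python
import shlex

# Constructed sample in the command syntax used on this page (prompts removed).
SAMPLE_CONFIG = """
calea
 ip 192.0.2.7
 ip mtu 1500
 encapsulation-type gre
 gre-type 255
end
wlan access-rule calea-test
 calea
end
wlan access-rule staff
end
wlan ssid-profile Calea-Test
 auth-server server1
 set-role Filter-Id equals 123456 calea-test
 set-role Filter-Id equals 999 staff
end
wlan ssid-profile Guest
 set-role Filter-Id value-of
end
wired-port-profile lobby
 access-rule-name calea-test
end
"""

OPERATORS = {"equals", "not-equals", "starts-with", "ends-with", "contains"}


def _header(tok):
    """Return (kind, name) when the tokens open a block this audit cares about."""
    if tok[:2] == ["wlan", "access-rule"] and len(tok) == 3:
        return "access-rule", tok[2]
    if tok[:2] == ["wlan", "ssid-profile"] and len(tok) == 3:
        return "ssid-profile", tok[2]
    if tok[0] == "wired-port-profile" and len(tok) == 2:
        return "wired-port-profile", tok[1]
    if tok == ["calea"]:
        return "calea", None          # the global CALEA profile
    return None, None


def parse_blocks(text):
    """Split the text into blocks; assumes every block is closed with 'end'."""
    blocks, current = [], None
    for line in text.splitlines():
        tok = shlex.split(line)       # handles quoted profile names
        if not tok:
            continue
        if tok == ["end"]:
            current = None
        elif current is None:
            kind, name = _header(tok)
            if kind:
                current = {"kind": kind, "name": name, "cmds": []}
                blocks.append(current)
        else:
            current["cmds"].append(tok)
    return blocks


def audit_calea(text):
    """Report the replication target and every path into a CALEA role."""
    blocks = parse_blocks(text)
    server, calea_rules = None, set()
    for b in blocks:
        if b["kind"] == "calea":
            for c in b["cmds"]:
                if c[0] == "ip" and len(c) == 2:   # 'ip mtu <size>' has three tokens
                    server = c[1]
        elif b["kind"] == "access-rule" and ["calea"] in b["cmds"]:
            calea_rules.add(b["name"])

    findings = []
    for b in blocks:
        for c in b["cmds"]:
            if b["kind"] == "ssid-profile" and c[0] == "set-role":
                if c[-1] == "value-of":
                    # Assumed meaning of value-of: the role name is whatever the
                    # RADIUS server returns in the attribute, so it can name a
                    # CALEA role without any rule here saying so.
                    findings.append((b["kind"], b["name"],
                                     f"role taken from RADIUS attribute {c[1]}"))
                elif len(c) == 5 and c[2] in OPERATORS and c[4] in calea_rules:
                    findings.append((b["kind"], b["name"],
                                     f"{c[1]} {c[2]} {c[3]} -> {c[4]}"))
            elif (b["kind"] == "wired-port-profile" and len(c) == 2
                  and c[0] == "access-rule-name" and c[1] in calea_rules):
                findings.append((b["kind"], b["name"], f"access-rule-name {c[1]}"))
    return {"server": server, "calea_rules": sorted(calea_rules), "findings": findings}


if __name__ == "__main__":
    report = audit_calea(SAMPLE_CONFIG)
    print("replication target:", report["server"])
    for kind, name, reason in report["findings"]:
        print(f"{kind} {name}: {reason}")
```

Compare the reported profiles against the scope of the authorization before committing the configuration.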

Chapter 20
IAP Management and Monitoring
This chapter provides information on IAP management and monitoring from:
- AirWave management server
- Aruba Central
Managing an IAP from AirWave
AirWave is a powerful tool and easy-to-use network operations system that manages Aruba wireless, wired, and
remote access networks, as well as wired and wireless infrastructures from a wide range of third-party
manufacturers. With its easy-to-use interface, AirWave provides real-time monitoring, proactive alerts, historical
reporting, and fast, efficient troubleshooting. It also offers tools that manage RF coverage, strengthen wireless
security, and demonstrate regulatory compliance.
The IAPs communicate with AirWave using the HTTPS protocol. This allows an AirWave server to be deployed in
the cloud across a NAT device, such as a router. The AirWave features available in the Instant network are
described in the following sections.
Image Management
AirWave allows you to manage firmware updates on WLAN devices by defining a minimum acceptable firmware
version for each make and model of a device. It remotely distributes the firmware image to the WLAN devices that
require updates, and it schedules the firmware updates such that updating is completed without requiring you to
manually monitor the devices.
The following models can be used to upgrade the firmware:
- Automatic—In this model, the Virtual Controller periodically checks for newer updates from a configured URL and
  automatically initiates upgrade of the network.
- Manual—In this model, the user can manually start a firmware upgrade for each Virtual Controller or set the
  desired firmware preference per group of devices.
IAP and Client Monitoring
AirWave allows you to find any IAP or client on the wireless network and to see real-time monitoring views. These
monitoring views can be used to aggregate critical information and high-end monitoring information.
In the AirWave User Interface (UI), you can select either Manage Read/Write or Monitor-only + Firmware
Upgrades as management modes. When the Management level is set to Manage Read/Write, the Instant UI is
in read-only mode. If AirWave Management Level is set to Monitor-only + Firmware Upgrades mode, the Instant
UI changes to the read-write mode.
Template-based Configuration
AirWave automatically creates a configuration template based on any of the existing IAPs, and it applies that
template across the network as shown in the following figure. It audits every device on an ongoing basis to ensure
that configurations never vary from the enterprise policies. It alerts you whenever a violation is detected and
automatically repairs the incorrectly configured devices.

Figure 96 Template-based Configuration
Trending Reports
AirWave saves up to 14 months of actionable information, including network performance data and user roaming
patterns, so you can analyze how network usage and performance trends have changed over time. It also provides
detailed capacity reports with which you can plan the capacity and appropriate strategies for your organization.
Intrusion Detection System
AirWave provides advanced, rules-based rogue classification. It automatically detects rogue APs irrespective of
their location in the network and prevents authorized IAPs from being detected as rogue IAPs. It tracks and
correlates the IDS events to provide a complete picture of network security.
Wireless Intrusion Detection System (WIDS) Event Reporting to AirWave
AirWave supports Wireless Intrusion Detection System (WIDS) Event Reporting, which is provided by Instant. This
includes WIDS classification integration with the RAPIDS (Rogue Access Point Detection Software) module.
RAPIDS is a powerful and easy-to-use tool for automatic detection of unauthorized wireless devices. It supports
multiple methods of rogue detection and uses authorized wireless APs to report other devices within range.
The WIDS report cites the number of IDS events for devices that have experienced the most instances in the prior
24 hours and provides links to support additional analysis or configuration in response.
RF Visualization Support for Instant
AirWave supports RF visualization for Instant. The VisualRF module provides a real-time picture of the actual radio
environment of your wireless network and the ability to plan the wireless coverage of new sites. VisualRF uses
sophisticated RF fingerprinting to accurately display coverage patterns and calculate the location of every Instant
device in range. VisualRF provides graphical access to floor plans, client location, and RF visualization for floors,
buildings, and campuses that host your network.

Figure 97 Adding an IAP in VisualRF
PSK-based and Certificate-based Authentication
On the DHCP server, two formats for option 43 are supported:
- <organization>,<ams-ip>,<ams-key>—If you choose this format, the IAP authenticates the AirWave
  Management Platform server using the Pre-Shared Key (PSK) login process.
- <organization>,<ams-domain>—If you choose this format, the IAP resolves the AirWave domain name into
  one or two IP addresses as AirWave Primary or AirWave Backup, and then IAP starts a certificate-based
  authentication with AirWave Management platform server, instead of the PSK login. When the AirWave
  Management platform domain name is used, the IAP performs certificate-based authentication with the AirWave
  Management platform server. The IAP initiates an SSL connection with the AirWave server. The AirWave server
  verifies the signature and public key certificate from the IAP. If the signature matches, the AirWave responds to
  the IAP with the login request.
Configurable Port for IAP and AirWave Management Server Communication
You can now customize the port number of the AirWave management server through the server_host:server_port
format, for example, amp.google.com:4343.
Configuring Organization String
The Organization string is a set of colon-separated strings created by the AirWave administrator to accurately
represent the deployment of each IAP. This string is defined by the installation personnel on the site.
You can use any of the following strings:
- AMP Role—"Org Admin" (initially disabled)
- AMP User—"Org Admin" (assigned to the role "Org Admin")
- Folder—"Org" (under the Top folder in AMP)
- Configuration Group—"Org"
You can also assign additional strings to create a hierarchy of subfolders under the folder named "Org". For
example:
  - subfolder1 for a folder under the "Org" folder
  - subfolder2 for a folder under subfolder1
Shared Key
The Shared Secret key is an optional field used by the administrator to manually authorize the first Virtual Controller
for an organization. Any string is acceptable.
Configuring AirWave Information
You can configure AirWave information using the Instant UI or CLI.
In the Instant UI
1. Click the AirWave Set Up Now link in the bottom-middle region of the main window. The System window is
   displayed with the AirWave parameters in the Admin tab.
Figure 98 Configuring AirWave
2. Enter the name of your organization in the Organization name text box. The name defined for organization is
   displayed under the Groups tab in the AirWave user interface.
3. Enter the IP address or domain name of the AirWave server in the AirWave IP text box.
4. Enter the IP address or domain name of a backup AirWave server in the AirWave backup IP text box. The
   backup server provides connectivity when the primary server is down. If the IAP cannot send data to the primary
   server, the Virtual Controller switches to the backup server automatically.
5. Enter the shared key in the Shared key text box and reconfirm. This shared key is used for configuring the first
   AP in the Instant network.
6. Click OK.
In the CLI
To configure AirWave information in Instant:
(Instant AP)(config)# organization <name>
(Instant AP)(config)# ams-ip <IP-address or domain name>
(Instant AP)(config)# ams-backup-ip <IP-address or domain name>
(Instant AP)(config)# ams-key <key>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring for AirWave Discovery through DHCP
AirWave can be discovered through the DHCP server. You can configure this only if AirWave was not configured
earlier or if you have deleted the previous configuration.
On the DHCP server, the format for option 60 is “InstantAP”, and the two formats for option 43 are
“<organization>,<ams-ip>,<ams-key>” and “<organization>,<ams-domain>”.
If you use the <organization>,<ams-ip>,<ams-key> format, the PSK-based authentication is used to access the
AirWave Management Platform server.
If you use the <organization>,<ams-domain> format, the IAP resolves the domain name into two IP addresses as
AirWave Primary and AirWave Backup, and then the IAP starts a certificate-based authentication with the AirWave
Management platform server, instead of the PSK login.
For option 43, when you choose to enter the domain name, the IP address and key are not available.
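The two option 43 formats, the server_host:server_port form and the colon-separated organization string described above, as an added example that is not part of the original guide: a Python parser that reports which authentication mode an IAP would use for each configured value. The function names, the scope names and the amp.example.com value are assumptions made for illustration; the first two sample values are the guide's own example strings.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AirWaveDiscovery:
    folders: List[str]        # colon-separated organization string, top folder first
    server: str               # AirWave IP address or domain name
    port: Optional[int]       # set only when server_host:server_port is used
    auth: str                 # "psk" or "certificate"
    key: Optional[str]        # pre-shared key, three-field form only
    warnings: List[str] = field(default_factory=list)


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _split_server(text: str):
    """Split server_host:server_port; a bare IP literal or host name has no port."""
    if _is_ip(text):
        return text, None
    host, sep, port = text.rpartition(":")
    if not sep:
        return text, None
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad server_host:server_port value: {text!r}")
    return host, int(port)


def parse_option43(value: str) -> AirWaveDiscovery:
    """Parse <organization>,<ams-ip>,<ams-key> or <organization>,<ams-domain>."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError("expected two or three non-empty comma-separated fields")
    folders = parts[0].split(":")
    if not all(folders):
        raise ValueError("empty element in organization string")
    server, port = _split_server(parts[1])
    warnings = []
    if len(parts) == 3:
        # Three fields: the IAP logs in with the pre-shared key.
        auth, key = "psk", parts[2]
        warnings.append("pre-shared key is readable in the DHCP option value")
    else:
        # Two fields: the IAP resolves the name and uses its certificate.
        auth, key = "certificate", None
        if _is_ip(server):
            warnings.append("two-field form expects a domain name, got an IP address")
    return AirWaveDiscovery(folders, server, port, auth, key, warnings)


# Scope names are constructed; values 1 and 2 are the guide's own examples.
SAMPLE_SCOPES = {
    "global": "Aruba,192.0.2.20,12344567",
    "branch": "Aruba,aruba.support.com",
    "store4": "Org:subfolder1:subfolder2,amp.example.com:4343",
    "legacy": "Aruba,192.0.2.20",
    "broken": "Aruba",
}


def review_scopes(scopes: dict) -> dict:
    """Map each scope name to 'auth mode [; warnings]' or to the parse error."""
    report = {}
    for name, value in scopes.items():
        try:
            parsed = parse_option43(value)
            report[name] = "; ".join([parsed.auth] + parsed.warnings)
        except ValueError as exc:
            report[name] = f"error: {exc}"
    return report


if __name__ == "__main__":
    for scope, result in review_scopes(SAMPLE_SCOPES).items():
        print(f"{scope}: {result}")
```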
Standard DHCP option 60 and 43 on Windows Server 2008
In networks that are not using DHCP option 60 and 43, it is easy to use the standard DHCP options 60 and 43 for an
AP or IAP. For APs, these options can be used to indicate the master controller or the local controller. For IAPs,
these options can be used to define the AirWave IP, group, password, and domain name.
1. From a server running Windows Server 2008, navigate to Server Manager > Roles > DHCP
   Server > Domain DHCP Server > IPv4.
2. Right-click IPv4 and select Set Predefined Options.
Figure 99 Instant and DHCP options for AirWave: Set Predefined Options
3. Select DHCP Standard Options in the Option class drop-down list and then click Add.
4. Enter the following information:
   - Name—Instant
   - Data Type—String
   - Code—60
   - Description—Instant AP
Figure 100 Instant and DHCP options for AirWave: Predefined Options and Values
5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use
   options on a per-scope basis to override the global options.)
6. Right-click Server Options and select the configuration options.
Figure 101 Instant and DHCP options for AirWave: Server Options
7. Select 060 Aruba Instant AP in the Server Options window and enter ArubaInstantAP in the String Value.
Figure 102 Instant and DHCP options for AirWave—060 IAP in Server Options
8. Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII field:
   - airwave-orgn, airwave-ip, airwave-key; for example: Aruba,192.0.2.20,12344567
   - airwave-orgn, airwave-domain; for example: Aruba,aruba.support.com
Figure 103 Instant and DHCP options for AirWave—043 Vendor Specific Info
This creates a DHCP option 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope
option overrides the global option.
Figure 104 Instant and DHCP options for AirWave: Scope Options

Alternate Method for Defining Vendor-Specific DHCP Options
This section describes how to add vendor-specific DHCP options for Instant APs in a network that already uses
DHCP options 60 and 43 for other services. Some networks use DHCP standard options 60 and 43 to provide the
DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options
60 and 43 cannot be used for IAPs.
This method describes how to set up a DHCP server to send option 43 with AirWave information to the IAP. This
section assumes that option 43 is sent per scope, because option 60 is being shared by other devices as well.
The DHCP scope must be specific to Instant, and the PXE devices that use options 60 and 43 must not connect to
the subnet defined by this scope. This is because you can specify only one option 43 for a scope, and if other
devices that use option 43 connect to this subnet, they are presented with the information specific to the IAP.
1. In Windows Server 2008, navigate to Server Manager > Roles > DHCP Server > Domain DHCP Server > IPv4.
2. Select a scope (subnet). Scope (10.169.145.0) 145 is selected in the example shown in the figure below.
3. Right-click and select Advanced, and then specify the following options:
   - Vendor class—DHCP Standard Options
   - User class—Default User Class
   - Available options—Select 043 Vendor-Specific Info
   - String Value—ArubaInstantAP,tme-store4,10.169.240.8,Aruba123 (which is the AP description,
     organization string, AirWave IP address or domain name, Pre-shared key, for AirWave)
Figure 105 Vendor Specific DHCP options
Upon completion, the IAP shows up as a new device in AirWave, and a new group called tme-store4 is created.
Navigate to APs/Devices > New > Group to view this group.
Figure 106 AirWave—New Group
Figure 107 AirWave—Monitor

Aruba Central

The Aruba Central user interface provides a standard Web-based interface that allows you to configure and monitor
multiple Aruba Instant networks from anywhere with a connection to the Internet. Central supports all the IAPs
running 6.2.1.0-3.3.0.0 or later versions.
Using Central, individual users can manage their own wireless network. This user interface is accessible through a
standard Web browser and can be launched using various browsers. Aruba Central uses a secure HTTPS
connection and provides a strong mutual authentication mechanism using certificates for all communication with
IAPs. These certificates ensure the highest level of protection.
Provisioning an IAP using Central
After you subscribe and register an IAP, log in to the Central dashboard to manage your IAP using the URL,
https://portal.central.arubanetworks.com.
The Central user interface is categorized into the following sections:
1. Monitoring
2. Configuration
3. Reporting
4. Maintenance
These sections are layered under groups. The configuration details of the IAPs are defined at a group level. Any IAP
joining a group inherits the configuration defined for the group. After you create a group, navigate to the Configuration
section and create a new SSID. Aruba Central supports zero touch provisioning, which allows the network
administrators to configure the IAPs even before the hardware arrives.
After you power on the IAP and connect to the uplink port, the IAP under the default group in the Aruba Central user
interface is displayed. You can choose to move the IAP to a different group that you created. The configuration
defined in this group is automatically applied to the IAP.
Maintaining the Subscription List
Aruba Central maintains a subscription list for the IAPs. If an IAP is not included in this list, Central identifies it as an
unauthorized IAP and prevents it from joining the network. The service providers use Aruba Central to track the
subscription of each IAP based on its serial number and MAC address.
The following types of subscription status are listed for the IAPs:
- Active - Central allows the IAP to join the network.
- Expired - Central denies the IAP from joining the network.
  If the status of a master IAP changes from active to expired, the virtual controller is set to factory
  defaults and reboots.
  If the status of a slave IAP changes from active to expired, the virtual controller sets the slave IAP to
  factory defaults and reboots the IAP.
- Unknown - Central does not allow the IAP to join the network. However, it gives an option to retry the connection.
The list maintained by Aruba Central is different from the list maintained by the end-users. So, Central can prevent
an IAP from joining the network when the subscription expires, even if the IAP is present in the subscription list
maintained by the end-user.
The subscription list is dynamic and gets updated each time an IAP is included in Central.

Firmware Maintenance
For a multi-class IAP network, ensure the IAP can download software images from the Aruba Cloud-based Image
Service. You may also need to configure HTTP proxy settings on the IAP if they are required for Internet access in
your network. For more information about image upgrade and HTTP proxy configuration, see sections Image
Management Using Cloud Server on page 320 and Configuring HTTP Proxy on an IAP on page 320.
Chapter 22
Uplink Configuration
This chapter provides the following information:
- Uplink Interfaces
- Ethernet Uplink
- Cellular Uplink
- Wi-Fi Uplink
- Uplink Preferences and Switching
Uplink Interfaces
Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate
Instant network. The 3G/4G USB modems and the Wi-Fi uplink can be used to extend the connectivity to places
where an Ethernet uplink cannot be configured. It also provides a reliable backup link for the Ethernet based Instant
network.
The following figure illustrates a scenario in which the IAPs join the Virtual Controller as slave IAPs through a wired
or mesh Wi-Fi uplink:
Figure 108 Uplink Types
The following types of uplinks are supported on Instant:
- Ethernet Uplink
- Cellular Uplink
- Wi-Fi Uplink
Ethernet Uplink
The Ethernet 0 port on an IAP is enabled as an uplink port by default. You can view the type of uplink and the status
of the uplink in the Instant in the Info tab on selecting a client.

Figure 109 Uplink Status
Ethernet uplink supports the following types of configuration in this Instant release.
- PPPoE
- DHCP
- Static IP
You can use PPPoE for your uplink connectivity in both IAP and IAP-VPN deployments. PPPoE is supported only in
a single AP deployment.
Uplink redundancy with the PPPoE link is not supported.
When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured,
PPPoE has the highest priority for the uplink connections. The IAP can establish a PPPoE session with a PPPoE
server at the ISP and get authenticated using Password Authentication Protocol (PAP) or the Challenge Handshake
Authentication Protocol (CHAP). Depending upon the request from the PPPoE server, either the PAP or the CHAP
credentials are used for authentication. After configuring PPPoE, reboot the IAP for the configuration to take effect. The
PPPoE connection is dialed after the AP comes up. The PPPoE configuration is checked during IAP boot and if the
configuration is correct, Ethernet is used for the uplink connection.
When PPPoE is used, do not configure Dynamic RADIUS Proxy and IP address of the Virtual Controller. An SSID
created with default VLAN is not supported with PPPoE uplink.
You can also configure an alternate Ethernet uplink to enable uplink failover when an Ethernet port fails.
Configuring PPPoE Uplink Profile
You can configure PPPoE settings from the Instant UI or CLI.
In the Instant UI
1. Click the System link at the top right corner of the Instant main window. The System window is displayed.
2. Click the Show advanced options link. The advanced options are displayed.
3. In the Uplink tab, perform the following steps in the PPPoE section:
   a. Enter the PPPoE service name provided by your service provider in the Service name field.
   b. In the CHAP secret and Retype fields, enter the secret key used for Challenge Handshake Authentication
      Protocol (CHAP) authentication. You can use a maximum of 34 characters for the CHAP secret key.
   c. Enter the user name for the PPPoE connection in the User field.
   d. In the Password and Retype fields, enter a password for the PPPoE connection and confirm it.
4. To set a local interface for the PPPoE uplink connections, select a value from the Local interface drop-down list.
   The selected DHCP scope will be used as a local interface on the PPPoE interface and the Local, L3 DHCP
   gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE
   interface and allows the entire Local, L3 DHCP subnet to be allocated to clients.
   The options in the Local interface drop-down list are displayed only if a Local, L3 DHCP scope is configured on the
   IAP.
5. Click OK.
6. Reboot the IAP for the configuration to take effect.
In the CLI
To configure a PPPoE uplink connection:
(Instant AP)(config)# pppoe-uplink-profile
(Instant AP)(pppoe-uplink-profile)# pppoe-svcname <service-name>
(Instant AP)(pppoe-uplink-profile)# pppoe-username <username>
(Instant AP)(pppoe-uplink-profile)# pppoe-passwd <password>
(Instant AP)(pppoe-uplink-profile)# pppoe-chapsecret <password>
(Instant AP)(pppoe-uplink-profile)# pppoe-unnumbered-local-l3-dhcp-profile <dhcp-profile>
(Instant AP)(pppoe-uplink-profile)# end
(Instant AP)# commit apply
To view the PPPoE configuration:
(Instant AP)# show pppoe config
PPPoE Configuration
-------------------
Type                     Value
----                     -----
User                     testUser
Password                 3c28ec1b82d3eef0e65371da2f39c4d49803e5b2bc88be0c
Service name             internet03
CHAP secret              8e87644deda9364100719e017f88ebce
Unnumbered dhcp profile  dhcpProfile1
To view the PPPoE status:
(Instant AP)# show pppoe status
pppoe uplink state: Suppressed.
Cellular Uplink
Instant supports the use of 3G and 4G USB modems to provide the Internet backhaul to an Instant network. The 3G
or 4G USB modems can be used to extend client connectivity to places where an Ethernet uplink cannot be
configured. This enables the IAPs to automatically choose the available network in a specific region.
The 3G and 4G LTE USB modems can be provisioned on RAP-3WN/3WNP, RAP-108/109, and RAP-155/155P.
The following 3G modems are supported:
- USBConnect 881 (Sierra 881U)
- Quicksilver (Globetrotter ICON 322)
- UM100C (UTstarcom)
- Icon 452
- Aircard 250U (Sierra)
- USB 598 (Sierra)
- U300 (Franklin wireless)
- U301 (Franklin wireless)
- USB U760 for Virgin (Novatel)
- USB U720 (Novatel/Qualcomm)
- UM175 (Pantech)
- UM150 (Pantech)
- UMW190 (Pantech)
- SXC-1080 (Qualcomm)
- Globetrotter ICON 225
- UMG181
- NTT DoCoMo L-05A (LG FOMA L05A)
- NTT DoCoMo L-02A
- ZTE WCDMA Technologies MSM (MF668?)
- Fivespot (ZTE)
- c-motech CNU-600
- ZTE AC2736
- SEC-8089 (EpiValley)
- Nokia CS-10
- NTT DoCoMo L-08C (LG)
- NTT DoCoMo L-02C (LG)
- Novatel MC545
- Huawei E220 for Movistar in Spain
- Huawei E180 for Movistar in Spain
- ZTE-MF820
- Huawei E173s-1
- Sierra 320
- Longcheer WM72
- U600 (3G mode)
- Sierra USB-306 (HK CLS/1010 (HK))
- Sierra 306/308 (Telstra (Aus))
- Sierra 503 PCIe (Telstra (Aus))
- Sierra 312 (Telstra (Aus))
- Aircard USB 308 (AT&T's Shockwave)
- Compass 597 (Sierra) (Sprint)
- U597 (Sierra) (Verizon)
- Tstick C597 (Sierra) (Telecom (NZ))
- Ovation U727 (Novatel) (Sprint)
- USB U727 (Novatel) (Verizon)
- USB U760 (Novatel) (Sprint)
- USB U760 (Novatel) (Verizon)
- Novatel MiFi 2200 (Verizon Mifi 2200)
- Huawei E272, E170, E220 (ATT)
- Huawei E169, E180, E220, E272 (Vodafone/SmarTone (HK))
- Huawei E160 (O2 (UK))
- Huawei E160 (SFR (France))
- Huawei E220 (NZ and JP)
- Huawei E176G (Telstra (Aus))
- Huawei E1553, E176 (3/HUTCH (Aus))
- Huawei K4505 (Vodafone/SmarTone (HK))
- Huawei K4505 (Vodafone (UK))
- ZTE MF656 (Netcom (norway))
- ZTE MF636 (HK CSL/1010)
- ZTE MF633/MF636 (Telstra (Aus))
- ZTE MF637 (Orange in Israel)
- Huawei E180, E1692, E1762 (Optus (Aus))
- Huawei E1731 (Airtel-3G (India))
- Huawei E3765 (Vodafone (Aus))
- Huawei E3765 (T-Mobile (Germany))
- Huawei E1552 (SingTel)
- Huawei E1750 (T-Mobile (Germany))
- UGM 1831 (TMobile)
- Huawei D33HW (EMOBILE (Japan))
- Huawei GD01 (EMOBILE (Japan))
- Huawei EC150 (Reliance NetConnect+ (India))
- KDDI DATA07 (Huawei) (KDDI (Japan))
- Huawei E353 (China Unicom)
- Huawei EC167 (China Telecom)
- Huawei E367 (Vodafone (UK))
- Huawei E352s-5 (T-Mobile (Germany))
- Huawei D41HW
- ZTE AC2726
The following table lists the supported 4G modems.
- Netgear U340
- Netgear Aircard 341u
- Franklin Wireless u770
- Huawei 3276s-150
- MC551L
- Pantech UML295
- Pantech UML290
In the 6.4.0.2-4.1 release, all modems are detected automatically by the IAP.
When UML290 runs in auto detect mode, the modem can switch from 4G network to 3G network or vice-versa
based on the signal strength. To configure the UML290 for the 3G network only, manually set the USB type to
pantech-3g. To configure the UML290 for the 4G network only, manually set the 4G USB type to pantech-lte.
Configuring Cellular Uplink Profiles
You can configure 3G or 4G uplinks using the Instant UI or CLI.
In the Instant UI
1. Click the System link at the upper right corner of the Instant main window. The System window is displayed.
2. In the System window, click the show advanced settings link. The advanced options are displayed.
3. Click the Uplink tab.
4. To configure a 3G or 4G uplink manually, select the Country and ISP.
5. Click OK.
6. Reboot the IAP for changes to take effect.
In the CLI
To configure 3G/4G uplink manually:
(Instant AP)(config)# cellular-uplink-profile
(Instant AP)(cellular-uplink-profile)# usb-type <3G-usb-type>
(Instant AP)(cellular-uplink-profile)# 4g-usb-type <4g-usb>
(Instant AP)(cellular-uplink-profile)# modem-country <country>
(Instant AP)(cellular-uplink-profile)# modem-isp <service-provider-name>
(Instant AP)(cellular-uplink-profile)# usb-auth-type <usb-authentication_type>
(Instant AP)(cellular-uplink-profile)# usb-user <username>
(Instant AP)(cellular-uplink-profile)# usb-passwd <password>
(Instant AP)(cellular-uplink-profile)# usb-dev <device-ID>
(Instant AP)(cellular-uplink-profile)# usb-tty <tty-port>
(Instant AP)(cellular-uplink-profile)# usb-init <Initialization-parameter>
(Instant AP)(cellular-uplink-profile)# usb-dial <dial-parameter>
(Instant AP)(cellular-uplink-profile)# usb-modeswitch <usb-modem>
(Instant AP)(cellular-uplink-profile)# end
(Instant AP)# commit apply
To switch a modem from the storage mode to modem mode:
(Instant AP)(config)# cellular-uplink-profile
(Instant AP)(cellular-uplink-profile)# usb-modeswitch <usb-modem>
To view the cellular configuration:
(Instant AP)# show cellular config
Wi-Fi Uplink
The Wi-Fi uplink is supported for all the IAP models, but only the master IAP uses this uplink. The Wi-Fi allows
uplink to open, PSK-CCMP, and PSK-TKIP SSIDs.
- For single radio IAPs, the radio serves wireless clients and the Wi-Fi uplink.
- For dual radio IAPs, both radios can be used to serve clients but only one of them can be used for the Wi-Fi
  uplink.
When the Wi-Fi uplink is in use, the client IP is assigned by the internal DHCP server.
Configuring a Wi-Fi Uplink Profile
The following configuration conditions apply to the Wi-Fi uplink:
- To bind or unbind the Wi-Fi uplink on the 5 GHz band, reboot the IAP.
- If the Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.
- For IAPs to connect to an ArubaOS based WLAN using Wi-Fi uplink, the controller must run ArubaOS 6.2.1.0 or
  later.
To provision an IAP with the Wi-Fi Uplink, complete the following steps:
1. If you are configuring a Wi-Fi uplink after restoring factory settings on an IAP, connect the IAP to an Ethernet
   cable to allow the IAP to get the IP address. Otherwise, go to step 2.
2. Click the System link at the top right corner of the Instant main window. The System window is displayed.
3. Click the Show advanced options link. The advanced options are displayed.
4. Click the Uplink tab.
5. Under Wi-Fi, enter the name of the wireless network that is used for the Wi-Fi uplink in the Name (SSID) text
   box.
6. Select the type of key for uplink encryption and authentication from the Key management drop-down list. If the
   uplink wireless router uses mixed encryption, WPA-2 is recommended for the Wi-Fi uplink.
7. From the band drop-down list, select the band in which the Virtual Controller currently operates. The following
   options are available:
   - 2.4 GHz (default)
   - 5 GHz
8. Select a passphrase format from the Passphrase format drop-down list. The following options are available:
   - 8-63 alphanumeric characters
   - 64 hexadecimal characters
   Ensure that the hexadecimal password string is exactly 64 digits in length.
9. Enter a pre-shared key (PSK) passphrase in the Passphrase text box and click OK.
You can view the Wi-Fi configuration and uplink status in the CLI. To view the configuration status in the CLI:
(Instant AP)# show wifi-uplink status
configured: NO
(Instant AP)# show wifi-uplink config
ESSID:
Cipher Suite:
Passphrase:
Band:
(Instant AP)# show wifi-uplink auth log
----------------------------------------------------------------------
wifi uplink auth configuration:
----------------------------------------------------------------------
----------------------------------------------------------------------
wifi uplink auth log:
----------------------------------------------------------------------
[1116]2000-01-01 00:00:45.625: Global control interface '/tmp/supp_gbl'
Uplink Preferences and Switching
This topic describes the following procedures:
- Enforcing Uplinks
- Setting an Uplink Priority
- Enabling Uplink Preemption
- Switching Uplinks Based on VPN and Internet Availability
- Viewing Uplink Status and Configuration
Enforcing Uplinks
The following configuration conditions apply to the uplink enforcement:
- When an uplink is enforced, the IAP uses the specified uplink regardless of uplink preemption configuration and
  the current uplink status.
- When an uplink is enforced and multiple Ethernet ports are configured and uplink is enabled on the wired profiles,
  the IAP tries to find an alternate Ethernet link based on the priority configured.
- When no uplink is enforced and preemption is not enabled, and if the current uplink fails, the IAP tries to find an
  available uplink based on the priority configured.
- When no uplink is enforced and preemption is enabled, and if the current uplink fails, the IAP tries to find an
  available uplink based on the priority configured. If current uplink is active, the IAP periodically tries to use a
  higher priority uplink and switches to the higher priority uplink even if the current uplink is active.
You can enforce a specific uplink on an IAP by using the Instant UI or CLI.
In the Instant UI
To enforce an uplink:
1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed.
2. Under Uplink Management, select the type of uplink from the Enforce Uplink drop-down list. If Ethernet uplink
   is selected, the Port field is displayed.
3. Specify the Ethernet interface port number.
4. Click OK. The selected uplink is enforced on the IAP.
IntheCLI
Toenforceanuplink:
(InstantAP)(config)#uplink
(InstantAP)(uplink)#enforce{cellular|ethernet|wifi|none}
(InstantAP)(uplink)#end
(InstantAP)#commitapply

Setting an Uplink Priority
You can set an uplink priority by using the Instant UI or CLI.

In the Instant UI
1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed.
2. Under Uplink Priority List, select the uplink, and click the icons at the bottom of the Uplink Priority List section, to increase or decrease the priority. By default, the Eth0 uplink is set as a high priority uplink.
3. Click OK. The selected uplink is prioritized over other uplinks.

In the CLI
To set an uplink priority:
(Instant AP)(config)# uplink
(Instant AP)(uplink)# uplink-priority {cellular <priority>| ethernet <priority>| [port <Interface-number> <priority>]| wifi <priority>}
(Instant AP)(uplink)# end
(Instant AP)# commit apply
For example, to set a priority for Ethernet uplink:
(Instant AP)(uplink)# uplink-priority ethernet port 0 1
(Instant AP)(uplink)# end
(Instant AP)# commit apply

Enabling Uplink Preemption
The following configuration conditions apply to uplink preemption:
• Preemption can be enabled only when no uplink is enforced.
• When preemption is disabled and the current uplink goes down, the IAP tries to find an available uplink based on the uplink priority configuration.
• When preemption is enabled and if the current uplink is active, the IAP periodically tries to use a higher priority uplink, and switches to a higher priority uplink even if the current uplink is active.
You can enable uplink preemption using Instant UI or CLI.

In the Instant UI
1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed.
2. Under Uplink Management, ensure that the Enforce Uplink is set to none.
3. Select Enabled from the Pre-emption drop-down list.
4. Click OK.

In the CLI
To enable uplink preemption:
(Instant AP)(config)# uplink
(Instant AP)(uplink)# preemption
(Instant AP)(uplink)# end
(Instant AP)# commit apply

Switching Uplinks Based on VPN and Internet Availability
The default priority for uplink switchover is Ethernet and then 3G/4G. The IAP can switch to the lower priority uplink if the current uplink is down.

Switching Uplinks Based on VPN Status
Instant supports switching uplinks based on the VPN status when deploying multiple uplinks (Ethernet, 3G/4G, and Wi-Fi). When VPN is used with multiple backhaul options, the IAP switches to an uplink connection based on the VPN connection status, instead of only using the Ethernet or the physical backhaul link.
The following configuration conditions apply to uplink switching:
• If the current uplink is Ethernet and the VPN connection is down, the IAP tries to reconnect to VPN. The retry time depends on the fast failover configuration and the primary or backup VPN tunnel. If this fails, the IAP waits for the VPN failover timeout and selects a different uplink such as 3G/4G or Wi-Fi.
• If the current uplink is 3G or Wi-Fi, and Ethernet has a physical link, the IAP periodically suspends user traffic to try and connect to the VPN on the Ethernet. If the IAP succeeds, the IAP switches to Ethernet. If the IAP does not succeed, it restores the VPN connection to the current uplink.
Uplink switching based on VPN status is automatically enabled if VPN is configured on the IAP. However, you can specify the duration in VPN failover timeout field to wait for an uplink switch. By default, this duration is set to 180 seconds. The IAP monitors the VPN status and when the VPN connection is not available for 3 minutes, the uplink switches to another available connection (if a low priority uplink is detected and the uplink preference is set to none). When VPN failover timeout is set to 0, uplink does not switch over.
When uplink switching based on the Internet availability is enabled, the uplink switching based on VPN failover is automatically disabled.

Switching Uplinks Based on Internet Availability
You can configure Instant to switch uplinks based on Internet availability.
When the uplink switchover based on Internet availability is enabled, the IAP continuously sends ICMP packets to some well-known Internet servers. If the request is timed out due to a bad uplink connection or uplink interface failure, and the public Internet is not reachable from the current uplink, the IAP switches to a different connection.
You can set preferences for uplink switching using the Instant UI and CLI.

In the Instant UI
To configure uplink switching:
1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed.
2. Under Uplink Management, configure the following parameters:
  • VPN failover timeout—To configure uplink switching based on VPN status, specify the duration to wait for an uplink switch. The default duration is set to 180 seconds.
  • Internet failover—To configure uplink switching based on Internet availability, perform the following steps:
    a. Select Enabled from the Internet failover drop-down list.
    b. Specify the required values for the following fields:
      ◦ Max allowed test packet loss—The maximum number of ICMP test packets that are allowed to be lost to determine if the IAP must switch to a different uplink connection. You can specify a value within the range of 1—1000.
      ◦ Secs between test packets—The frequency at which ICMP test packets are sent. You can specify a value within the range of 1—3600 seconds.
      ◦ Internet check time—Internet check timeout is the duration for the test packet timeout. You can specify a value within the range of 0—3600 seconds and the default value is 10 seconds.
    c. Click OK.
When Internet failover is enabled, the IAP ignores the VPN status, although uplink switching based on VPN status is enabled.

In the CLI
To enable uplink switching based on VPN status:
(Instant AP)(config)# uplink
(Instant AP)(uplink)# failover-vpn-timeout <seconds>
(Instant AP)(uplink)# end
(Instant AP)# commit apply
To enable uplink switching based on Internet availability:
(Instant AP)(config)# uplink
(Instant AP)(uplink)# failover-internet
(Instant AP)(uplink)# failover-internet-pkt-lost-cnt <count>
(Instant AP)(uplink)# failover-internet-pkt-send-freq <frequency>
(Instant AP)(uplink)# end
(Instant AP)# commit apply

Viewing Uplink Status and Configuration
To view the uplink status and configuration in the CLI:
Instant Access Point# show uplink status
Uplink preemption :enable
Uplink enforce :none
Ethernet uplink bond0 :DHCP
Uplink Table
------------
Type      State  Priority  In Use
----      -----  --------  ------
eth0      UP     0         Yes
Wifi-sta  LOAD   6         No
3G/4G     INIT   7         No
Internet failover :disable
Max allowed test packet loss :10
Secs between test packets :30
VPN failover timeout (secs) :180
ICMP pkt sent :0
ICMP pkt lost :0
Continuous pkt lost :0
VPN down time :0
Instant Access Point# show uplink config
Uplink preemption :enable
Uplink enforce :none
Ethernet uplink bond0 :DHCP
Internet failover :disable
Max allowed test packet loss :10
Secs between test packets :30
VPN failover timeout (secs) :180
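
A check built on the show uplink status output above, as an added example that is not part of the Aruba guide: it parses the output and flags states an operator would want to notice, following the enforcement, preemption and failover rules in this section. The column spacing of the sample, the finding codes, the reading that a lower priority number is preferred, and the outage-window estimate are assumptions of this example.

```python
import re

# Constructed sample: the `show uplink status` output printed in this guide, with
# spacing restored by hand. Exact column spacing on a real IAP is an assumption.
SAMPLE_STATUS = """\
Uplink preemption            :enable
Uplink enforce               :none
Ethernet uplink bond0        :DHCP
Uplink Table
------------
Type      State  Priority  In Use
----      -----  --------  ------
eth0      UP     0         Yes
Wifi-sta  LOAD   6         No
3G/4G     INIT   7         No
Internet failover            :disable
Max allowed test packet loss :10
Secs between test packets    :30
VPN failover timeout (secs)  :180
ICMP pkt sent                :0
ICMP pkt lost                :0
Continuous pkt lost          :0
VPN down time                :0
"""

# An uplink table row: type, state, numeric priority, Yes/No.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(Yes|No)$")


def parse_uplink_status(text):
    """Split the output into a settings dict and a list of uplink table rows."""
    settings, uplinks = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW.match(line)
        if row:
            uplinks.append({"type": row.group(1), "state": row.group(2),
                            "priority": int(row.group(3)),
                            "in_use": row.group(4) == "Yes"})
        elif ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip().lower()] = value.strip().lower()
    return settings, uplinks


def internet_detection_window(settings):
    """Rough seconds of outage before an Internet-failover switch: losses x interval."""
    return (int(settings["max allowed test packet loss"])
            * int(settings["secs between test packets"]))


def review_uplink(settings, uplinks):
    """Return (code, message) findings derived from the rules in this section."""
    findings = []
    enforce = settings.get("uplink enforce", "none")
    preemption = settings.get("uplink preemption") == "enable"
    internet = settings.get("internet failover") == "enable"
    # 180 seconds is the default stated in this guide.
    vpn_timeout = int(settings.get("vpn failover timeout (secs)", "180"))
    active = [u for u in uplinks if u["in_use"]]
    # Assumption read off the sample table: the lowest number is the preferred uplink.
    preferred = min((u["priority"] for u in uplinks), default=None)

    if len(active) != 1:
        findings.append(("NO_SINGLE_ACTIVE_UPLINK",
                         f"{len(active)} uplinks marked in use"))
    elif enforce == "none" and active[0]["priority"] > preferred:
        findings.append(("ON_BACKUP_UPLINK",
                         f"traffic leaves via {active[0]['type']}, not the preferred uplink"))
    if enforce != "none" and preemption:
        findings.append(("PREEMPTION_INEFFECTIVE",
                         f"uplink '{enforce}' is enforced, so preemption is not applied"))
    if internet:
        findings.append(("VPN_STATUS_IGNORED",
                         "Internet failover is on, so VPN status no longer drives switching; "
                         f"outage window is about {internet_detection_window(settings)} s"))
    elif vpn_timeout == 0:
        findings.append(("NO_REACHABILITY_SWITCHOVER",
                         "VPN failover timeout is 0 and Internet failover is off"))
    return findings


if __name__ == "__main__":
    parsed_settings, parsed_uplinks = parse_uplink_status(SAMPLE_STATUS)
    for code, message in review_uplink(parsed_settings, parsed_uplinks) or [("OK", "no findings")]:
        print(code, "-", message)
```
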

Chapter 23
Intrusion Detection
The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized IAPs and clients. It also logs information about the unauthorized IAPs and clients, and generates reports based on the logged information.
The IDS feature in the Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
This chapter describes the following procedures:
• Detecting and Classifying Rogue APs
• OS Fingerprinting
• Configuring Wireless Intrusion Protection and Detection Levels
• Configuring IDS Using CLI

Detecting and Classifying Rogue APs
A rogue AP is an unauthorized AP plugged into the wired side of the network.
An interfering AP is an AP seen in the RF environment but it is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat, because it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.
To detect the rogue APs, click the IDS link in the Instant main window. The built-in IDS scans for access points that are not controlled by the Virtual Controller. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your network.
Figure 110 Intrusion Detection

OS Fingerprinting
The OS Fingerprinting feature gathers information about the client that is connected to the Instant network to find the operating system that the client is running on. The following is a list of advantages of this feature:
• Identifying rogue clients—Helps to identify clients that are running on forbidden operating systems.
• Identifying outdated operating systems—Helps to locate outdated and unexpected OS in the company network.
• Locating and patching vulnerable operating systems—Assists in locating and patching specific operating system versions on the network that have known vulnerabilities, thereby securing the company network.
OS Fingerprinting is enabled in the Instant network by default. The following operating systems are identified by Instant:
• Windows 7
• Windows Vista
• Windows Server
• Windows XP
• Windows ME
• OS-X
• iPhone
• iOS
• Android
• Blackberry
• Linux

Configuring Wireless Intrusion Protection and Detection Levels
WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats.
Like most other security-related features of the Instant network, the WIP can be configured on the IAP.
You can configure the following options:
• Infrastructure Detection Policies—Specifies the policy for detecting wireless attacks on access points.
• Client Detection Policies—Specifies the policy for detecting wireless attacks on clients.
• Infrastructure Protection Policies—Specifies the policy for protecting access points from wireless attacks.
• Client Protection Policies—Specifies the policy for protecting clients from wireless attacks.
• Containment Methods—Prevents unauthorized stations from connecting to your Instant network.
Each of these options contains several default levels that enable different sets of policies. An administrator can customize, enable, or disable these options accordingly.
The detection levels can be configured using the IDS window. To view the IDS window, click the More > IDS link at the top right corner of the Instant main window. The following levels of detection can be configured in the WIP Detection page:
• Off
• Low
• Medium
• High
Figure 111 Wireless Intrusion Detection
The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field.

Detection Level: Off
• Rogue Classification
Detection Level: Low
• Detect AP Spoofing
• Detect Windows Bridge
• IDS Signature—Deauthentication Broadcast
• IDS Signature—Deassociation Broadcast
Detection Level: Medium
• Detect Adhoc networks using VALID SSID—Valid SSID list is auto-configured based on Instant AP configuration
• Detect Malformed Frame—Large Duration
Detection Level: High
• Detect AP Impersonation
• Detect Adhoc Networks
• Detect Valid SSID Misuse
• Detect Wireless Bridge
• Detect 802.11 40MHz intolerance settings
• Detect Active 802.11n Greenfield Mode
• Detect AP Flood Attack
• Detect Client Flood Attack
• Detect Bad WEP
• Detect CTS Rate Anomaly
• Detect RTS Rate Anomaly
• Detect Invalid Address Combination
• Detect Malformed Frame—HT IE
• Detect Malformed Frame—Association Request
• Detect Malformed Frame—Auth
• Detect Overflow IE
• Detect Overflow EAPOL Key
• Detect Beacon Wrong Channel
• Detect devices with invalid MAC OUI
Table 54: Infrastructure Detection Policies

The following table describes the detection policies enabled in the Client Detection Custom settings field.

Detection Level: Off
• All detection policies are disabled.
Detection Level: Low
• Detect Valid Station Misassociation
Detection Level: Medium
• Detect Disconnect Station Attack
• Detect Omerta Attack
• Detect FATA-Jack Attack
• Detect Block ACK DOS
• Detect Hotspotter Attack
• Detect unencrypted Valid Client
• Detect Power Save DOS Attack
Detection Level: High
• Detect EAP Rate Anomaly
• Detect Rate Anomaly
• Detect Chop Chop Attack
• Detect TKIP Replay Attack
• IDS Signature—Air Jack
• IDS Signature—ASLEAP
Table 55: Client Detection Policies

The following levels of detection can be configured in the WIP Protection page:
• Off
• Low
• High
Figure 112 Wireless Intrusion Protection

The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.

Protection Level: Off
• All protection policies are disabled
Protection Level: Low
• Protect SSID – Valid SSID list should be auto derived from Instant configuration
• Rogue Containment
Protection Level: High
• Protect from Adhoc Networks
• Protect AP Impersonation
Table 56: Infrastructure Protection Policies

The following table describes the detection policies that are enabled in the Client Protection Custom settings field.

Protection Level: Off
• All protection policies are disabled
Protection Level: Low
• Protect Valid Station
Protection Level: High
• Protect Windows Bridge
Table 57: Client Protection Policies

Containment Methods
You can enable wired and wireless containments to prevent unauthorized stations from connecting to your Instant network.
Instant supports the following types of containment mechanisms:
• Wired containment—When enabled, IAPs generate ARP packets on the wired network to contain wireless attacks.
• Wireless containment—When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.
  ◦ None—Disables all the containment mechanisms.
  ◦ Deauthenticate only—With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.
  ◦ Tarpit containment—With Tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.
Figure 113 Containment Methods

Configuring IDS Using CLI
To configure IDS using CLI:
(Instant AP)(config)# ids
(Instant AP)(IDS)# infrastructure-detection-level <type>
(Instant AP)(IDS)# client-detection-level <type>
(Instant AP)(IDS)# infrastructure-protection-level <type>
(Instant AP)(IDS)# client-protection-level <type>
(Instant AP)(IDS)# wireless-containment <type>
(Instant AP)(IDS)# wired-containment
(Instant AP)(IDS)# detect-ap-spoofing
(Instant AP)(IDS)# detect-windows-bridge
(Instant AP)(IDS)# signature-deauth-broadcast
(Instant AP)(IDS)# signature-deassociation-broadcast
(Instant AP)(IDS)# detect-adhoc-using-valid-ssid
(Instant AP)(IDS)# detect-malformed-large-duration
(Instant AP)(IDS)# detect-ap-impersonation
(Instant AP)(IDS)# detect-adhoc-network
(Instant AP)(IDS)# detect-valid-ssid-misuse
(Instant AP)(IDS)# detect-wireless-bridge
(Instant AP)(IDS)# detect-ht-40mhz-intolerance
(Instant AP)(IDS)# detect-ht-greenfield
(Instant AP)(IDS)# detect-ap-flood
(Instant AP)(IDS)# detect-client-flood
(Instant AP)(IDS)# detect-bad-wep
(Instant AP)(IDS)# detect-cts-rate-anomaly
(Instant AP)(IDS)# detect-rts-rate-anomaly
(Instant AP)(IDS)# detect-invalid-addresscombination
(Instant AP)(IDS)# detect-malformed-htie
(Instant AP)(IDS)# detect-malformed-assoc-req
(Instant AP)(IDS)# detect-malformed-frame-auth
(Instant AP)(IDS)# detect-overflow-ie
(Instant AP)(IDS)# detect-overflow-eapol-key
(Instant AP)(IDS)# detect-beacon-wrong-channel
(Instant AP)(IDS)# detect-invalid-mac-oui
(Instant AP)(IDS)# detect-valid-clientmisassociation
(Instant AP)(IDS)# detect-disconnect-sta
(Instant AP)(IDS)# detect-omerta-attack
(Instant AP)(IDS)# detect-fatajack
(Instant AP)(IDS)# detect-block-ack-attack
(Instant AP)(IDS)# detect-hotspotter-attack
(Instant AP)(IDS)# detect-unencrypted-valid
(Instant AP)(IDS)# detect-power-save-dos-attack
(Instant AP)(IDS)# detect-eap-rate-anomaly
(Instant AP)(IDS)# detect-rate-anomalies
(Instant AP)(IDS)# detect-chopchop-attack
(Instant AP)(IDS)# detect-tkip-replay-attack
(Instant AP)(IDS)# signature-airjack
(Instant AP)(IDS)# signature-asleap
(Instant AP)(IDS)# protect-ssid
(Instant AP)(IDS)# rogue-containment
(Instant AP)(IDS)# protect-adhoc-network
(Instant AP)(IDS)# protect-ap-impersonation
(Instant AP)(IDS)# protect-valid-sta
(Instant AP)(IDS)# protect-windows-bridge
(Instant AP)(IDS)# end
(Instant AP)# commit apply
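
A coverage check for custom detection settings, as an added example that is not part of the Aruba guide: it reads an IDS CLI session in the form shown above and reports which detection level from Tables 54 and 55 the enabled keywords satisfy, and what is missing. Pairing table entries with CLI keywords by list order, treating each level as including the levels below it, and the sample session are assumptions of this example.

```python
import re

LEVELS = ("low", "medium", "high")

# Keywords per level, from Table 54 and the CLI list on this page.
# Assumption: table entries and CLI keywords correspond in the order listed.
INFRA = {
    "low": ["detect-ap-spoofing", "detect-windows-bridge",
            "signature-deauth-broadcast", "signature-deassociation-broadcast"],
    "medium": ["detect-adhoc-using-valid-ssid", "detect-malformed-large-duration"],
    "high": ["detect-ap-impersonation", "detect-adhoc-network",
             "detect-valid-ssid-misuse", "detect-wireless-bridge",
             "detect-ht-40mhz-intolerance", "detect-ht-greenfield",
             "detect-ap-flood", "detect-client-flood", "detect-bad-wep",
             "detect-cts-rate-anomaly", "detect-rts-rate-anomaly",
             "detect-invalid-addresscombination", "detect-malformed-htie",
             "detect-malformed-assoc-req", "detect-malformed-frame-auth",
             "detect-overflow-ie", "detect-overflow-eapol-key",
             "detect-beacon-wrong-channel", "detect-invalid-mac-oui"],
}
# Same mapping for Table 55 (client detection policies).
CLIENT = {
    "low": ["detect-valid-clientmisassociation"],
    "medium": ["detect-disconnect-sta", "detect-omerta-attack", "detect-fatajack",
               "detect-block-ack-attack", "detect-hotspotter-attack",
               "detect-unencrypted-valid", "detect-power-save-dos-attack"],
    "high": ["detect-eap-rate-anomaly", "detect-rate-anomalies",
             "detect-chopchop-attack", "detect-tkip-replay-attack",
             "signature-airjack", "signature-asleap"],
}

# Constructed sample session (not captured from a device).
SAMPLE_SESSION = """\
(Instant AP)(config)# ids
(Instant AP)(IDS)# detect-ap-spoofing
(Instant AP)(IDS)# detect-windows-bridge
(Instant AP)(IDS)# signature-deauth-broadcast
(Instant AP)(IDS)# signature-deassociation-broadcast
(Instant AP)(IDS)# detect-adhoc-using-valid-ssid
(Instant AP)(IDS)# detect-malformed-large-duration
(Instant AP)(IDS)# detect-ap-impersonation
(Instant AP)(IDS)# detect-valid-clientmisassociation
(Instant AP)(IDS)# detect-disconnect-sta
(Instant AP)(IDS)# detect-omerta-attack
(Instant AP)(IDS)# detect-fatajack
(Instant AP)(IDS)# detect-block-ack-attack
(Instant AP)(IDS)# detect-hotspotter-attack
(Instant AP)(IDS)# detect-power-save-dos-attack
(Instant AP)(IDS)# end
(Instant AP)# commit apply
"""

# The keyword is the first token after the IDS sub-mode prompt.
PROMPT = re.compile(r"\(IDS\)#\s*(\S+)")


def enabled_policies(session):
    """Return the set of known detection keywords entered in the session."""
    known = {kw for table in (INFRA, CLIENT) for kws in table.values() for kw in kws}
    found = set()
    for line in session.splitlines():
        match = PROMPT.search(line)
        if match and match.group(1) in known:
            found.add(match.group(1))
    return found


def coverage(enabled, table):
    """Per level, the keywords still missing (levels treated as cumulative)."""
    report, required = {}, []
    for level in LEVELS:
        required = required + table[level]
        report[level] = [kw for kw in required if kw not in enabled]
    return report


def effective_level(enabled, table):
    """Highest level whose cumulative keyword set is fully enabled, else 'off'."""
    reached = "off"
    for level, missing in coverage(enabled, table).items():
        if missing:
            break
        reached = level
    return reached


if __name__ == "__main__":
    on = enabled_policies(SAMPLE_SESSION)
    for name, table in (("infrastructure", INFRA), ("client", CLIENT)):
        print(name, "->", effective_level(on, table), "| gaps:", coverage(on, table))
```
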

Chapter 24
Mesh IAP Configuration
This chapter provides the following information:
• Mesh Network Overview
• Setting up Instant Mesh Network
• Configuring Wired Bridging on Ethernet 0 for Mesh Point

Mesh Network Overview
The Aruba Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. As traffic traverses across mesh IAPs, the mesh network automatically reconfigures around broken or blocked paths. This self-healing feature provides increased reliability and redundancy and allows the network to continue operation even when an IAP stops functioning or if a connection fails.

Mesh IAPs
Mesh network requires at least one valid uplink (wired or 3G) connection. Any provisioned IAP that has a valid uplink (wired or 3G) functions as a mesh portal, and the IAP without an Ethernet link functions as a mesh point. The mesh portal can also act as a Virtual Controller. A Mesh portal (MPP) uses its uplink connection to reach the controller, a mesh point, or establishes an all wireless path to the mesh portal. Mesh portals and mesh points are also known as mesh nodes, a generic term used to describe IAPs configured for mesh.
If two IAPs have valid uplink connections, there is redundancy in the mesh network, and most mesh points try to mesh directly with one of the two portals. However, depending on the actual deployment and RF environment, some mesh points may mesh through other intermediate mesh points.
In an Instant mesh network, the maximum hop count is two nodes (point > point > portal) and the maximum number of mesh points per mesh portal is eight.
Mesh IAPs detect the environment when they boot up, locate and associate with their nearest neighbor, to determine the best path to the mesh portal.
Instant mesh functionality is supported only on dual-radio IAPs. On dual-radio IAPs, the 5 GHz radio is always used for both mesh-backhaul and client traffic, while the 2.4 GHz radio is always used for client traffic.
Mesh service is automatically enabled on 802.11a band for dual-radio IAP only, and this is not configurable.
The mesh network must be provisioned for the first time by plugging into the wired network. After that, mesh works on IAP-ROWs like any other regulatory domain.

Mesh Portals
A mesh portal (MPP) is a gateway between the wireless mesh network and the enterprise wired LAN. The mesh roles are automatically assigned based on the IAP configuration. A mesh network could have multiple mesh portals to support redundant mesh paths (mesh links between neighboring mesh points that establish the best path to the mesh portal) from the wireless mesh network to the wired LAN.
The mesh portal broadcasts a mesh services set identifier (MSSID/mesh cluster name) to advertise the mesh network service to other mesh points in that Instant network. This is not configurable and is transparent to the user. The mesh points authenticate to the mesh portal and establish a link that is secured using Advanced Encryption Standard (AES) encryption.
The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network.

Mesh Points
The mesh point establishes an all-wireless path to the mesh portal. The mesh point provides traditional WLAN services such as client connectivity, intrusion detection system (IDS) capabilities, user role association, and Quality of Service (QoS) for LAN-to-mesh communication to clients and performs mesh backhaul/network connectivity.
Mesh point also supports LAN bridging. You can connect any wired device to the downlink port of the mesh point. In the case of single Ethernet port platforms such as AP-93 and AP-105, you can convert the Eth0 uplink port to a downlink port by enabling Eth0 Bridging. For additional information, see Configuring Wired Bridging on Ethernet 0 for Mesh Point.

Setting up Instant Mesh Network
Starting from Instant 6.4.0.2-4.1 release, mesh functionality is disabled by default, because of which over-the-air provisioning of mesh IAPs is not supported.
To provision IAPs as mesh IAPs:
1. Connect the IAPs to a wired switch.
2. Ensure that the Virtual Controller key is synchronized and the country code is configured.
3. Ensure that a valid SSID is configured on the IAP.
4. If the IAP has a factory default SSID (instant SSID), delete the SSID.
5. If an extended SSID is enabled on the virtual controller, disable it and reboot the IAP cluster.
6. Disconnect the IAPs that you want to deploy as mesh points from the switch and place the IAPs at a remote location. The IAPs power on without any wired uplink connection and function as mesh points and the IAPs with valid uplink connections function as the mesh portal.

Configuring Wired Bridging on Ethernet 0 for Mesh Point
Instant supports wired bridging on the Ethernet 0 port of an IAP. If IAP is configured to function as a mesh point, you can configure wired bridging.
Enabling wired bridging on this port of an IAP makes the port available as a downlink wired bridge and allows client access through the port.
When using 3G uplink, the wired port will be used as downlink.
You can configure support for wired bridging on the Ethernet 0 port of an IAP using the Instant UI or CLI.

In the Instant UI
To configure Ethernet bridging:
1. In the Access Points tab, click the IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying IAP details is displayed.
3. Click the Uplink tab.
4. Select Enable from the Eth0 Bridging drop-down list.
5. Click OK.
6. Reboot the IAP.

In the CLI
To configure Ethernet bridging:
Instant Access Point# enet0-bridging

Chapter 25
Mobility and Client Management
This chapter provides the following information:
• Layer-3 Mobility Overview
• Configuring L3-Mobility

Layer-3 Mobility Overview
IAPs form a single Instant network when they are in the same Layer-2 (L2) domain. As the number of clients increase, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client must be allowed to roam away from the Instant network to which it first connected (home network) to another network supporting the same WLAN access parameters (foreign network) and continue its existing sessions.
Layer-3 (L3) mobility allows a client to roam without losing its IP address and sessions. If WLAN access parameters are the same across these networks, clients connected to IAPs in a given Instant network can roam to APs in a foreign Instant network and continue their existing sessions. Clients roaming across these networks are able to continue using their IP addresses after roaming. You can configure a list of Virtual Controller IP addresses across which L3 mobility is supported.
The Aruba Instant Layer-3 mobility solution defines a Mobility Domain as a set of Instant networks, with the same WLAN access parameters, across which client roaming is supported. The Instant network to which the client first connects is called its home network. When the client roams to a foreign network, an AP in the home network (home AP) anchors all traffic to or from this client. The AP to which the client is connected in the foreign network (foreign AP) tunnels all client traffic to or from the home AP through a GRE tunnel.
Figure 114 Routing of traffic when the client is away from its home network
When a client first connects to an Instant network, a message is sent to all configured Virtual Controller IP addresses to see if this is an L3 roamed client. On receiving an acknowledgement from any of the configured Virtual Controller IP addresses, the client is identified as an L3 roamed client. If the AP has no GRE tunnel to this home network, a new tunnel is formed to an AP (home AP) from the client's home network.
Each foreign AP has only one home AP per Instant network to avoid duplication of broadcast traffic. Separate GRE tunnels are created for each foreign AP / home AP pair. If a peer AP is a foreign AP for one client and a home AP for another, two separate GRE tunnels are used to handle L3 roaming traffic between these APs.
If client subnet discovery fails on association due to some reason, the foreign AP identifies its subnet when it sends out the first L3 packet. If the subnet is not a local subnet and belongs to another Instant network, the client is treated as an L3 roamed client and all its traffic is forwarded to the home network through a GRE tunnel.

Configuring L3-Mobility
To configure a mobility domain, you have to specify the list of all Instant networks that form the mobility domain. To allow clients to roam seamlessly among all the APs, specify the Virtual Controller IP for each foreign subnet. You may include the local Instant or Virtual Controller IP address, so that the same configuration can be used across all Instant networks in the mobility domain.
It is recommended that you configure all client subnets in the mobility domain. When client subnets are configured:
• If a client is from a local subnet, it is identified as a local client. When a local client starts using the IP address, the L3 roaming is terminated.
• If the client is from a foreign subnet, it is identified as a foreign client. When a foreign client starts using the IP address, the L3 roaming is set up.

Home Agent Load Balancing
Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the Virtual Controller assigns the home AP for roamed clients by using a round robin policy. With this policy, the load for the APs acting as Home Agents for roamed clients is uniformly distributed across the IAP cluster.

Configuring a Mobility Domain for Instant
You can configure L3 mobility domain by using the Instant UI or CLI.

In the Instant UI
To configure a mobility domain, perform the following steps:
1. Click the System link at top right corner of the Instant main window. The System window is displayed.
2. Click the Show advanced options link. The advanced options are displayed.
3. Click L3 Mobility. The L3 Mobility window is displayed.
Figure 115 L3 Mobility Window
4. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled.
5. Click New in the Virtual Controller IP Addresses section, add the IP address of a Virtual Controller that is part of the mobility domain, and click OK.
6. Repeat Step 2 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain.
7. Click New in the Subnets section and specify the following:
  a. Enter the client subnet in the IP address text box.
  b. Enter the mask in the Subnet mask text box.
  c. Enter the VLAN ID in the home network in the VLAN ID text box.
  d. Enter the home VC IP address for this subnet in the Virtual Controller IP text box.
8. Click OK.

In the CLI
To configure a mobility domain:
(Instant AP)(config)# l3-mobility
(Instant AP)(L3-mobility)# home-agent-load-balancing
(Instant AP)(L3-mobility)# virtual-controller <IP-address>
(Instant AP)(L3-mobility)# subnet <IP-address> <subnet-mask> <VLAN-ID> <virtual-controller-IP-address>
(Instant AP)(L3-mobility)# end
(Instant AP)# commit apply

Chapter 26
Spectrum Monitor
This chapter provides the following information:
• Understanding Spectrum Data
• Configuring Spectrum Monitors and Hybrid IAPs

Understanding Spectrum Data
Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference. The spectrum monitor software modules on IAPs that support this feature are able to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, identify interference and classify its sources. An analysis of the results can then be used to quickly isolate issues with packet transmission, channel quality, and traffic congestion caused by contention with other devices operating in the same band or channel.
Spectrum monitors (SMs) are IAP radios that gather spectrum data but do not service clients. Each SM scans and analyzes the spectrum band used by the SM's radio (2.4 GHz or 5 GHz). An AP radio in hybrid AP mode continues to serve clients as an access point while it analyzes spectrum analysis data for the channel the radio uses to serve clients. You can record data for both types of spectrum monitor devices. However, the recorded spectrum is not reported to the Virtual Controller. A spectrum alert is sent to the VC when a non Wi-Fi interference device is detected.
The spectrum monitor is supported on IAP-104/105, IAP-134/135, IAP-114/115, and IAP-224/225 radios.
The spectrum data is collected by each IAP spectrum monitor and hybrid AP. The spectrum data is not reported to the VC. The Spectrum link is visible in the UI (Access Point view) only if you have enabled the spectrum monitoring feature. You can view the following spectrum data in the UI:
• Device List
• Non Wi-Fi Interferers
• Channel Metrics
• Channel Details
• Spectrum Alerts

Device List
The device list consists of a device summary table and channel information for active non Wi-Fi devices currently seen by a spectrum monitor or hybrid AP radio.
To view the device list, click Spectrum in the dashboard. The following figure shows an example of the device list details.
Figure 116 Device List
Device Summary and Channel Information shows the details of the information that is displayed:

Column | Description
Type | Device type. This parameter can be any of the following: audio FF (fixed frequency), bluetooth, cordless base FH (frequency hopper), cordless phone FF (fixed frequency), cordless network FH (frequency hopper), generic FF (fixed frequency), generic FH (frequency hopper), generic interferer, microwave, microwave inverter, video, xbox. NOTE: For additional details about non Wi-Fi device types shown in this table, see Non Wi-Fi Interferer Types.
ID | ID number assigned to the device by the spectrum monitor or hybrid AP radio. Spectrum monitors and hybrid APs assign a unique spectrum ID per device type.
Cfreq | Center frequency of the signal sent from the device.
Bandwidth | Channel bandwidth used by the device.
Channels-affected | Radio channels affected by the wireless device.
Signal-strength | Strength of the signal sent from the device, in dBm.
Duty-cycle | Device duty cycle. This value represents the percent of time the device broadcasts a signal.
Add-time | Time at which the device was first detected.
Update-time | Time at which the device’s status was updated.
Table 58: Device Summary and Channel Information

Non Wi-Fi Interferers
The following table describes each type of non Wi-Fi interferer detected by the spectrum monitor feature.

Non Wi-Fi Interferer | Description
Bluetooth | Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol.
Fixed Frequency (Audio) | Some audio devices such as wireless speakers and microphones also use fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency (Audio).
Fixed Frequency (Cordless Phones) | Some cordless phones use a fixed frequency to transmit data (much like the fixed frequency video devices). These devices are classified as Fixed Frequency (Cordless Phones).
Fixed Frequency (Video) | Video transmitters that continuously transmit video on a single frequency are classified as Fixed Frequency (Video). These devices typically have close to a 100% duty cycle. These types of devices may be used for video surveillance, TV or other video distribution, and similar applications.
Fixed Frequency (Other) | All other fixed frequency devices that do not fall into one of the above categories are classified as Fixed Frequency (Other). Note that the RF signatures of the fixed frequency audio, video and cordless phone devices are very similar and that some of these devices may be occasionally classified as Fixed Frequency (Other).
Frequency Hopper (Cordless Base) | Frequency hopping cordless phone base units transmit periodic beacon-like frames at all times. When the handsets are not transmitting (i.e., no active phone calls), the cordless base is classified as Frequency Hopper (Cordless Base).
Frequency Hopper (Cordless Network) | When there is an active phone call and one or more handsets are part of the phone conversation, the device is classified as Frequency Hopper (Cordless Network). Cordless phones may operate in 2.4 GHz or 5 GHz bands. Some phones use both 2.4 GHz and 5 GHz bands (for example, 5 GHz for Base-to-handset and 2.4 GHz for Handset-to-base). These phones may be classified as unique Frequency Hopper devices on both bands.
Frequency Hopper (Xbox) | The Microsoft Xbox device uses a frequency hopping protocol in the 2.4 GHz band. These devices are classified as Frequency Hopper (Xbox).
Frequency Hopper (Other) | When the classifier detects a frequency hopper that does not fall into one of the above categories, it is classified as Frequency Hopper (Other). Some examples include IEEE 802.11 FHSS devices, game consoles and cordless/hands-free devices that do not use one of the known cordless phone protocols.
Microwave | Common residential microwave ovens with a single magnetron are classified as a Microwave. These types of microwave ovens may be used in cafeterias, break rooms, dormitories and similar environments. Some industrial, healthcare or manufacturing environments may also have other equipment that behave like a microwave and may also be classified as a Microwave device.
Microwave (Inverter) | Some newer-model microwave ovens have the inverter technology to control the power output and these microwave ovens may have a duty cycle close to 100%. These microwave ovens are classified as Microwave (Inverter). Dual-magnetron industrial microwave ovens with higher duty cycle may also be classified as Microwave (Inverter). There may be other equipment that behaves like inverter microwaves in some industrial, healthcare or manufacturing environments. Those devices may also be classified as Microwave (Inverter).
Generic Interferer | Any non-frequency hopping device that does not fall into one of the other categories described in this table is classified as a Generic Interferer. For example a Microwave-like device that does not operate in the known operating frequencies used by the Microwave ovens may be classified as a Generic Interferer. Similarly wide-band interfering devices may be classified as Generic Interferers.
Table 59: Non Wi-Fi Interferer Types
Channel Details
When you move your mouse over a channel, the channel details or the summary of the 5 GHz and 2.4 GHz channels as detected by a spectrum monitor are displayed. You can view the aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference and the signal-to-noise-and-interference Ratio (SNIR). SNIR is the ratio of signal strength to the combined levels of interference and noise on that channel. Spectrum monitors display spectrum data seen on all channels in the selected band, and hybrid APs display data from the one channel they are monitoring.
Figure 117 Channel Details
Channel Details Information shows the information that you can view in the channel details graph.
Table 60: Channel Details Information
Column | Description
Channel | An 802.11a or 802.11g radio channel.
Quality (%) | Current relative quality of the channel.
Utilization (%) | The percentage of the channel being used.
Wi-Fi (%) | The percentage of the channel currently being used by Wi-Fi devices.
Type | Device type.
Total nonwifi (%) | The percentage of the channel currently being used by non Wi-Fi devices.
Known APs | Number of valid APs identified on the radio channel.
UnKnown APs | Number of invalid or rogue APs identified on the radio channel.
Channel Util (%) | Percentage of the channel currently in use.
Max AP Signal (dBm) | Signal strength of the AP that has the maximum signal strength on a channel.
Max Interference (dBm) | Signal strength of the non Wi-Fi device that has the highest signal strength.
SNIR (dB) | The ratio of signal strength to the combined levels of interference and noise on that channel. This value is calculated by determining the maximum noise-floor and interference-signal levels, and then calculating how strong the desired signal is above this maximum.
Channel Metrics
The channel metrics graph displays channel quality, availability and utilization metrics as seen by a spectrum monitor or hybrid AP. You can view the channel utilization data for the percentage of each channel that is currently being used by Wi-Fi devices, and the percentage of each channel being used by non Wi-Fi devices and 802.11 adjacent channel interference (ACI). This chart shows the channel availability, the percentage of each channel that is available for use, or the current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands. While spectrum monitors can display data for all channels in their selected band, hybrid APs display data for their one monitored channel only.
To view this graph, click 2.4 GHz in the Spectrum section of the dashboard.
Figure 118 Channel Metrics for the 2.4 GHz Radio Channel
To view this graph, click 5 GHz in the Spectrum section of the dashboard.
Figure 119 Channel Metrics for the 5 GHz Radio Channel
Channel Metrics shows the information displayed in the channel metrics graph.
Column | Description
Channel | A 2.4 GHz or 5 GHz radio channel.
Quality (%) | Current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands, as determined by the percentage of packet retries, the current noise floor, and the duty cycle for non Wi-Fi devices on that channel.
Availability (%) | The percentage of the channel currently available for use.
Utilization (%) | The percentage of the channel being used.
WiFi Util (%) | The percentage of the channel currently being used by Wi-Fi devices.
Interference Util (%) | The percentage of the channel currently being used by non Wi-Fi interference + Wi-Fi ACI (Adjacent Channel Interference).
Table 61: Channel Metrics
Spectrum Alerts
When a new non Wi-Fi device is found, an alert is reported to the Virtual Controller. The spectrum alert messages include the device ID, device type, IP address of the spectrum monitor or hybrid AP, and the timestamp. Virtual Controller reports the detailed device information to AMP.
Configuring Spectrum Monitors and Hybrid IAPs
An IAP can be provisioned to function as a spectrum monitor or as a hybrid IAP. The radios on groups of APs can be converted to dedicated spectrum monitors or hybrid APs via the AP group's 802.11a and 802.11g radio profiles.
Converting an IAP to a Hybrid IAP
You can convert all IAPs in an Instant network into hybrid IAPs by selecting the Background spectrum monitoring option in the 802.11a and 802.11g radio profiles of an IAP. APs in Access mode continue to provide normal access service to clients, while providing the additional function of monitoring RF interference. If any IAP in the Instant network does not support the spectrum monitoring feature, that AP continues to function as a standard IAP, rather than a hybrid IAP. By default, the background spectrum monitoring option is disabled. In the hybrid mode, spectrum monitoring is performed only on the home channel.
You can convert IAPs in an Instant network to hybrid mode using the Instant UI or CLI.
In the Instant UI
To convert an IAP to a hybrid IAP:

1. Click the RF link at the top right corner of the Instant UI.
2. Click Show advanced options to view the Radio tab.
3. To enable a spectrum monitor on the 802.11g radio band, in the 2.4 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
4. To enable a spectrum monitor on the 802.11a radio band, in the 5 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
5. Click OK.
In the CLI
To configure 2.4 GHz radio settings:
(Instant AP)(config)# rf dot11g-radio-profile
(Instant AP)(RF dot11g Radio Profile)# spectrum-monitor
To configure 5 GHz radio settings:
(Instant AP)(config)# rf dot11a-radio-profile
(Instant AP)(RF dot11a Radio Profile)# spectrum-monitor
Converting an IAP to a Spectrum Monitor
In spectrum mode, spectrum monitoring is performed on entire bands. However, for the 5 GHz radio, spectrum monitoring is performed on only one of the three bands:
- 5 GHz - lower
- 5 GHz - middle
- 5 GHz - higher
By default, spectrum monitoring is performed on a higher band of the 5 GHz radio.
You can configure an IAP to function as a standalone spectrum monitor using the Instant UI or CLI.
In the Instant UI
To convert an IAP to a spectrum monitor:
1. In the Access Points tab, click the AP that you want to convert to a spectrum monitor. The edit link is displayed.
2. Click the edit link. The Edit Access Point window is displayed.
3. Click the Radio tab.
4. From the Access Mode drop-down list, select Spectrum Monitor.
5. Click OK.
6. Reboot the IAP for the changes to take effect.
7. To enable spectrum monitoring for any other band for the 5 GHz radio:
   a. Click the RF link at the upper right corner of the Instant UI.
   b. Click Show advanced options to view the Radio tab.
   c. For the 5 GHz radio, specify the spectrum band you want that radio to monitor by selecting Lower, Middle, or Higher from the Standalone spectrum band drop-down list.
   d. Click OK.
In the CLI
To convert an IAP to a spectrum monitor:
(Instant AP)# wifi0-mode {<access>|<monitor>|<spectrum-monitor>}
(Instant AP)# wifi1-mode {<access>|<monitor>|<spectrum-monitor>}
To enable spectrum monitoring for any other band for the 5 GHz radio:
(Instant AP)(config)# rf dot11a-radio-profile
Instant Access Point (RF dot11a Radio Profile)# spectrum-band <type>
To view the radio configuration:
Instant Access Point# show radio config
2.4 GHz:
Legacy Mode:disable
Beacon Interval:100
802.11d/802.11h:disable
Interference Immunity Level:2
Channel Switch Announcement Count:0
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
5.0 GHz:
Legacy Mode:disable
Beacon Interval:100
802.11d/802.11h:disable
Interference Immunity Level:2
Channel Switch Announcement Count:0
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
Standalone Spectrum Band:5ghz-upper

Chapter 27
IAP Maintenance
This section provides information on the following procedures:
- Upgrading an IAP
- Backing up and Restoring IAP Configuration Data
- Converting an IAP to a Remote AP and Campus AP
- Resetting a Remote AP or Campus AP to an IAP
- Rebooting the IAP
Upgrading an IAP
While upgrading an IAP, you can use the image check feature to allow the IAP to find new software image versions available on a cloud-based image server hosted and maintained by Aruba Networks. The location of the image server is fixed and cannot be changed by the user. The image server is loaded with latest versions of Instant software.
Upgrading an IAP and Image Server
Instant supports mixed AP-class instant deployment with all APs as part of the same Virtual Controller cluster.
Image Management Using AirWave
If the multi-class IAP network is managed by AirWave, image upgrades can only be done through the AirWave UI. The IAP images for different classes must be uploaded on the AMP server. When new IAPs joining the network need to synchronize their software with the version running on the Virtual Controller, and if the new IAP belongs to a different class, the image file for the new IAP is provided by AirWave. If AirWave does not have the appropriate image file, the new AP will not be able to join the network.
The Virtual Controller communicates with the AirWave server if AirWave is configured. If AirWave is not configured on the IAP, the image is requested from the Image server.
Image Management Using Cloud Server
If the multi-class IAP network is not managed by AirWave, image upgrades can be done through the cloud-based image check feature. When a new IAP joining the network needs to synchronize its software version with the version on the Virtual Controller and if the new IAP belongs to a different class, the image file for the new IAP is provided by the cloud server.
Configuring HTTP Proxy on an IAP
If your network requires a proxy server for internet access, you must first configure the HTTP proxy on the IAP to download the image from the cloud server. After you set up the HTTP proxy settings, the IAP connects to the Activate server, AirWave Management platform, Central, or OpenDNS server through a secure HTTP connection. You can also exempt certain applications from using the HTTP proxy (configured on an IAP) by providing their hostname or IP address under exceptions.
In the Instant UI
Perform these steps to configure the HTTP proxy settings:
1. Navigate to System > Proxy. The proxy configuration window is displayed.
Figure 120 Proxy Configuration Window
2. Enter the HTTP proxy server's IP address and the port number.
3. If you do not want the HTTP proxy to be applied for a particular host, click New to enter that IP address or domain name of that host under exceptions list.
In the CLI
(Instant AP)(config)# proxy server 192.0.2.1 8080
(Instant AP)(config)# proxy exception 192.0.2.2
(Instant AP)(config)# end
(Instant AP)# commit apply
Upgrading an IAP Using Automatic Image Check
You can upgrade an IAP by using the automatic image check feature. The Automatic image checks are performed once after the AP boots up and every week thereafter.
If the image check locates a new version of the Instant software on the image server, the New version available link is displayed at the top right corner of the UI.
If AirWave is configured, the automatic image check is disabled.
To check for a new version on the image server in the cloud:
1. Go to Maintenance > Automatic > Check for New Version. After the image check is completed, one of the following messages is displayed:
   - No new version available—If there is no new version available.
   - Image server timed out—Connection or session between the image server and the IAP is timed out.
   - Image server failure—If the image server does not respond.
   - A new image version found—If a new image version is found.
2. If a new version is found, the Upgrade Now button becomes available and the version number is displayed.
3. Click Upgrade Now.
The IAP downloads the image from the server, saves it to flash and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
   - Upgrading—While image upgrading is in progress.
   - Upgrade successful—When the upgrading is successful.
   - Upgrade failed—When the upgrading fails.
If the upgrade fails and an error message is displayed, retry upgrading the IAP.

Upgrading to a New Version Manually
If the automatic image check feature is disabled, you can obtain an image file from a local file system or from a TFTP or HTTP URL. To manually check for a new firmware image version and obtain an image file:
1. Navigate to Maintenance > Firmware. The Firmware window is displayed.
2. Under Manual section, perform the following steps:
   - Select the Image file option. This method is only available for single-class IAPs.
     The following examples describe the image file format for different IAP models:
     - For IAP-134/135—ArubaInstant_Cassiopeia_6.4.0.2-4.1.0.0_xxxx
     - For RAP-108/109, IAP-103, and IAP-114/115—ArubaInstant_Pegasus_6.4.0.2-4.1.0.0_xxxx
     - For RAP-155/155P—ArubaInstant_Aries_6.4.0.2-4.1.0.0_xxxx
     - For IAP-220 Series and IAP-270 Series—ArubaInstant_Centaurus_6.4.0.2-4.1.0.0_xxxx
     - For all other IAPs—ArubaInstant_Orion_6.4.0.2-4.1.0.0_xxxx
   - Select the Image URL option. Select this option to obtain an image file from a TFTP, FTP, or HTTP URL.
     - HTTP - http://<IP-address>/<image-file>. For example, http://<IP-address>/ArubaInstant_Orion_6.4.0.2-4.1.0.0_xxxx
     - TFTP - tftp://<IP-address>/<image-file>. For example, tftp://<IP-address>/ArubaInstant_Orion_6.4.0.2-4.1.0.0_xxxx
     - FTP - ftp://<IP-address>/<image-file>. For example, ftp://<IP-address>/ArubaInstant_Orion_6.4.0.2-4.1.0.0_xxxx
3. Clear the Reboot all APs after upgrade check box if required. The Reboot all APs after upgrade check box is selected by default to allow the IAPs to reboot automatically after a successful upgrade. To reboot the IAP at a later time, clear the Reboot all APs after upgrade check box.
4. Click Upgrade Now to upgrade the IAP to the newer version.
Upgrading an Image Using CLI
To upgrade an image using a HTTP, TFTP, or FTP URL:
(Instant AP)# upgrade-image <ftp/tftp/http-URL>
To upgrade an image without rebooting the IAP:
(Instant AP)# upgrade-image2-no-reboot <ftp/tftp/http-URL>
To view the upgrade information:
(Instant AP)# show upgrade info
Image Upgrade Progress
----------------------
Mac                IP Address   AP Class  Status    Image Info  Error Detail
---                ----------   --------  ------    ----------  ------------
d8:c7:c8:c4:42:98  10.17.101.1  Orion     image-ok  image file  none
Auto reboot :enable
Use external URL :disable
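The image-name and URL formats listed above can be checked before an upgrade command is issued. The following is an added example, not code from the Aruba guide or from Instant itself, that validates a candidate URL against the image class for the AP model; the `trusted_hosts` allowlist, the `expected_version` argument and the function names are assumptions of this example, and `xxxx` is the guide's own build placeholder.

```python
import posixpath
import re
from urllib.parse import urlsplit

# URL schemes the guide lists for manual upgrades. None of them authenticates
# the server or protects the image in transit, so the host is checked against
# an operator-maintained allowlist (an assumption of this example).
LISTED_SCHEMES = {"http", "tftp", "ftp"}

# ArubaInstant_<Class>_<version>_<build>, as in the guide's file-name examples.
IMAGE_RE = re.compile(
    r"^ArubaInstant_(?P<cls>[A-Za-z]+)"
    r"_(?P<ver>\d+(?:\.\d+)+-\d+(?:\.\d+)+)"
    r"_(?P<build>\w+)$"
)


def image_class_for(model):
    """Map an AP model (e.g. 'IAP-225') to the image class named in the guide."""
    m = re.match(r"^(IAP|RAP)-(\d+)", model.strip().upper())
    if not m:
        raise ValueError(f"unrecognised AP model: {model!r}")
    family, num = m.group(1), int(m.group(2))
    if family == "IAP" and num in (134, 135):
        return "Cassiopeia"
    if (family == "RAP" and num in (108, 109)) or (
        family == "IAP" and num in (103, 114, 115)
    ):
        return "Pegasus"
    if family == "RAP" and num == 155:
        return "Aries"
    if family == "IAP" and num // 10 in (22, 27):  # IAP-220 and IAP-270 Series
        return "Centaurus"
    return "Orion"  # "all other IAPs"


def check_upgrade_url(model, url, trusted_hosts, expected_version=None):
    """Return a list of problem codes; an empty list means the URL passed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() not in LISTED_SCHEMES:
        problems.append("scheme-not-listed")
    if parts.hostname is None or parts.hostname not in trusted_hosts:
        problems.append("untrusted-host")
    if parts.username or parts.password:
        # Credentials embedded in the URL would cross the network in cleartext.
        problems.append("credentials-in-url")
    match = IMAGE_RE.match(posixpath.basename(parts.path))
    if not match:
        problems.append("bad-image-name")
        return problems
    if match.group("cls") != image_class_for(model):
        problems.append("class-mismatch")
    if expected_version and match.group("ver") != expected_version:
        problems.append("version-mismatch")
    return problems


if __name__ == "__main__":
    # Constructed inputs: documentation address, guide's placeholder build id.
    url = "tftp://192.0.2.10/ArubaInstant_Centaurus_6.4.0.2-4.1.0.0_xxxx"
    for model in ("IAP-225", "IAP-105"):
        print(model, check_upgrade_url(model, url, {"192.0.2.10"}) or "ok")
```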
Backing up and Restoring IAP Configuration Data
You can back up the IAP configuration data and restore the configuration when required.
Viewing Current Configuration
To view the current configuration on the IAP:
- In the UI, navigate to Maintenance > Configuration > Current Configuration.
- In the CLI, enter the following command at the command prompt:
(Instant AP)# show running-config
Backing up Configuration Data
To back up the IAP configuration data:
1. Navigate to the Maintenance > Configuration page.
2. Click Backup Configuration.
3. Click Continue to confirm the backup. The instant.cfg containing the IAP configuration data is saved in your local file system.
4. To view the configuration that is backed up by the IAP, enter the following command at the command prompt:
(Instant AP)# show backup-config
Restoring Configuration
To restore configuration:
1. Navigate to the Maintenance > Configuration page.
2. Click Restore Configuration. Click Browse to browse your local system and select the configuration file.
3. Click Restore Now.
4. Click Restore Configuration to confirm restoration. The configuration is restored and the IAP reboots to load the new configuration.
Converting an IAP to a Remote AP and Campus AP
This section provides the following information:
- Regulatory Domain Restrictions for IAP to RAP or CAP Conversion
- Converting an IAP to a Remote AP
- Converting an IAP to a Campus AP
- Converting an IAP to Standalone Mode
- Converting an IAP using CLI
Regulatory Domain Restrictions for IAP to RAP or CAP Conversion
You can provision an IAP as a Campus AP or a Remote AP in a controller-based network. Before converting an IAP, ensure that there is a regulatory domain match between the IAP and controller.

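The following table describes the regulatory domain restrictions that apply for the IAP to ArubaOS AP conversion:
ArubaOS version on Controller | Controller Regulatory Domain | IAP-22x US | IAP-22x RW | IAP-27x US | IAP-27x RW | IAP-11x US | IAP-11x RW | IAP-103 US | IAP-103 RW | All other IAPs US | All other IAPs Unrestricted | All other IAPs JP | All other IAPs IL
Versions lower than 6.3.0 | US | — | — | — | — | — | — | — | — | Valid | X | X | X
Versions lower than 6.3.0 | Unrestricted | — | — | — | — | — | — | — | — | X | Valid | Valid for JP country code | X
Versions lower than 6.3.0 | IL | — | — | — | — | — | — | — | — | X | X | X | Valid
6.3.0 | US | Valid | X | — | — | — | — | — | — | Valid | X | X | X
6.3.0 | Unrestricted | X | X | — | — | — | — | — | — | X | Valid | Valid for JP country code | X
6.3.0 | IL | X | X | — | — | — | — | — | — | X | X | X | Valid
6.3.1.0, 6.3.1.1, and 6.3.1.2 | US | Valid | X | — | — | Valid | X | — | — | Valid | X | X | X
6.3.1.0, 6.3.1.1, and 6.3.1.2 | Unrestricted | X | X | — | — | X | X | — | — | X | Valid | Valid for JP country code | X
6.3.1.0, 6.3.1.1, and 6.3.1.2 | IL | X | X | — | — | X | X | — | — | X | X | X | Valid
6.3.1.3 | US | Valid | X | — | — | Valid | X | — | — | Valid | X | X | X
6.3.1.3 | Unrestricted | X | Valid | — | — | X | Valid | — | — | X | Valid | Valid for JP country code | X
6.3.1.3 | IL | X | Valid | — | — | X | Valid | — | — | X | X | X | Valid
6.4 or later | US | Valid | X | Valid | X | Valid | X | Valid | X | Valid | X | X | X
6.4 or later | IL | X | Valid | X | Valid | X | Valid | X | Valid | X | Valid | Valid for JP country code | X
6.4 or later | Unrestricted | X | Valid | X | Valid | X | Valid | X | Valid | X | X | X | Valid
NOTE: "—" indicates not supported and "X" indicates invalid configuration.
NOTE: The minimum Instant version for IAP-103 and IAP-274/275 is 6.4.0.2-4.1.
Table 62: IAP to ArubaOS AP Conversion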
Converting an IAP to a Remote AP
For Remote AP conversion, the Virtual Controller sends the Remote AP convert command to all the other IAPs. The Virtual Controller along with the other slave IAPs set up a VPN tunnel to the remote controller, and download the firmware through FTP. The Virtual Controller uses IPsec to communicate to the mobility controller over the Internet.
- If the IAP obtains AirWave information through DHCP (Option 43 and Option 60), it establishes an HTTPS connection to the AirWave server and downloads the configuration and operates in the IAP mode.
- If the IAP does not get AirWave information through DHCP provisioning, it tries provisioning through a firmware image server in the cloud by sending a serial number MAC address. If an entry for the IAP is present in the firmware image cloud server and is provisioned as an IAP > Remote AP, the firmware image cloud server responds with mobility controller IP address, AP group, and AP type. The IAP then contacts the controller, establishes certificate-based secure communication, and obtains configuration and image from the controller. The IAP reboots and comes up as a Remote AP. The IAP then establishes an IPSEC connection with the controller and begins operating in the Remote AP mode.
- If an IAP entry for the AP is present in the firmware image cloud server, the IAP obtains AirWave server information from the cloud server and downloads configuration from AirWave to operate in the IAP mode.
- If there is no response from the cloud server or AirGroup is received, the IAP comes up in Instant mode.
- For more information on firmware image cloud server, see Upgrading an IAP.
A mesh point cannot be converted to Remote AP, because mesh access points do not support VPN connection.
An IAP can be converted to a Campus AP and Remote AP only if the controller is running ArubaOS 6.1.4 or later.
The following table describes the supported IAP platforms and minimal ArubaOS version required for the Campus AP or Remote AP conversion.
Table 63: IAP Platforms and Minimum ArubaOS Versions for IAP to Remote AP Conversion
IAP Platform | ArubaOS Version | Instant Version
IAP-103 | 6.4 or later | 4.1 or later
IAP-104 | 6.1.4 or later | 3.0 or later
IAP-105 | 6.1.4 or later | 1.0 or later
IAP-134/135 | 6.1.4 or later | 2.0 or later
IAP-175AC/175P | 6.1.4 or later | 3.0 or later
RAP-3WN/3WNP | 6.1.4 or later | 3.0 or later
RAP-108/109 | 6.2.0.0 or later | 3.2 or later
RAP-155/155P | 6.3 or later | 3.3 or later
IAP-114/115 | 6.3.1.1 or later | 4.0 or later
IAP-224/225 | 6.3.1.1 or later | 4.0 or later
IAP-274/275 | 6.4 or later | 4.1 or later
To convert an IAP to a RAP, perform the following steps:
1. Click the Maintenance link in the Instant main window.
2. Click the Convert tab. The Convert tab is displayed.
Figure 121 Maintenance—Convert Tab
3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address. Ensure that the mobility controller IP address is reachable by the IAPs.
5. Click Convert Now to complete the conversion. The IAP reboots and begins operating in the Remote AP mode.
6. After conversion, the IAP is managed by the mobility controller.
For IAPs to function as Remote APs, configure the IAP in the Remote AP whitelist and enable the FTP service on the controller.
If the VPN setup fails and an error message is displayed, click OK, copy the error logs, and share them with your local administrator.
Converting an IAP to a Campus AP
To convert an IAP to a Campus AP, do the following:
1. Click the Maintenance link in the Instant main window.
2. Click the Convert tab. The Convert tab is displayed.
Figure 122 Converting an IAP to Campus AP
3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname, Fully Qualified Domain Name (FQDN), or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local administrator to obtain these details.
5. Ensure that the IAPs can access the mobility controller IP address.
6. Click Convert Now to complete the conversion.
Converting an IAP to Standalone Mode
This feature allows you to deploy an IAP as an autonomous AP, which is a separate entity from the existing Virtual Controller cluster in the Layer 2 domain.
To convert an IAP to a standalone AP:
1. Click the Maintenance link in the Instant main window.
2. Click the Convert tab. The Convert tab is displayed.
Figure 123 Standalone AP Conversion
3. Select Standalone AP from the drop-down list.
4. Select the Access Point from the drop-down list.
5. Click Convert Now to complete the conversion. The IAP now operates in the standalone mode.

Converting an IAP using CLI
To convert an IAP:
(Instant AP)# convert-aos-ap <mode> <controller-IP-address>
Resetting a Remote AP or Campus AP to an IAP
The reset button located on the rear of an IAP can be used to reset the IAP to factory default settings.
To reset an IAP, perform the following steps:
1. Power off the IAP.
2. Press and hold the reset button using a small and narrow object such as a paperclip.
3. Power on the IAP without releasing the reset button. The power LED flashes within 5 seconds indicating that the reset is completed.
4. Release the reset button. The IAP reboots with the factory default settings.
All APs have a reset button, except IAP-175P/175AC. Contact Aruba support for resetting these IAPs.
Rebooting the IAP
If you encounter any problem with the IAPs, you can reboot all IAPs or a selected IAP in a network using the Instant UI. To reboot an IAP:
1. Click the Maintenance link. The Maintenance window is displayed.
2. Click the Reboot tab.
Figure 124 Rebooting the IAP
3. In the IAP list, select the IAP that you want to reboot and click Reboot selected Access Point. To reboot all the IAPs in the network, click Reboot All.
4. The Confirm Reboot for AP message is displayed. Click Reboot Now to proceed. The Reboot in Progress message is displayed indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete. If the system fails to boot, the Unable to contact Access Points after reboot was initiated message is displayed.
5. Click OK.

Chapter 28
Monitoring Devices and Logs
This chapter provides the following information:
- Configuring SNMP
- Configuring a Syslog Server
- Configuring TFTP Dump Server
- Running Debug Commands from the UI
Configuring SNMP
This section provides the following information:
- SNMP Parameters for IAP
- Configuring SNMP
- Configuring SNMP Traps
SNMP Parameters for IAP
Instant supports SNMPv1, SNMPv2c, and SNMPv3 for reporting purposes only. An IAP cannot use SNMP to set values in an Aruba system.
You can configure the following parameters for an IAP:
Field | Description
Community Strings for SNMPV1 and SNMPV2 | An SNMP Community string is a text string that acts as a password, and is used to authenticate messages sent between the Virtual Controller and the SNMP agent.
If you are using SNMPv3 to obtain values from the IAP, you can configure the following parameters:
Name | A string representing the name of the user.
Authentication Protocol | An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol used. This can take one of the two values:
  - MD5—HMAC-MD5-96 Digest Authentication Protocol
  - SHA: HMAC-SHA-96 Digest Authentication Protocol
Authentication protocol password | If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. This is a string password for MD5 or SHA depending on the choice above.
Privacy protocol | An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol which is used. This takes the value DES (CBC-DES Symmetric Encryption).
Privacy protocol password | If messages sent on behalf of this user can be encrypted/decrypted with DES, the (private) privacy key for use with the privacy protocol.
Table 64: SNMP Parameters for IAP

Configuring SNMP
This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings using the Instant UI or CLI.
Creating community strings for SNMPv1 and SNMPv2 Using Instant UI
To create community strings for SNMPv1 and SNMPv2:
1. Click the System link at the top right corner of the Instant main window. The system window is displayed.
2. Click the Monitoring tab. The following figure shows the SNMP configuration parameters displayed in the Monitoring tab.
Figure 125 Monitoring Tab: SNMP Configuration Parameters
3. Click New.
4. Enter the string in the New Community String text box.
5. Click OK.
6. To delete a community string, select the string, and click Delete.
Creating community strings for SNMPv3 Using Instant UI
To create community strings for SNMPv3:
1. Click System link at the top right corner of the Instant main window. The system window is displayed.
2. Click the Monitoring tab. The SNMP configuration parameters are displayed in the Monitoring tab.
3. Click New in the Users for SNMPV3 box. A window for specifying SNMPv3 user information is displayed.
Figure 126 SNMPv3 User
4. Enter the name of the user in the Name text box.
5. Select the type of authentication protocol from the Auth protocol drop-down list.
6. Enter the authentication password in the Password text box and retype the password in the Retype text box.
7. Select the type of privacy protocol from the Privacy protocol drop-down list.
8. Enter the privacy protocol password in the Password text box and retype the password in the Retype text box.
9. Click OK.
10. To edit the details for a particular user, select the user and click Edit.
11. To delete a particular user, select the user and click Delete.
Configuring SNMP Community Strings in the CLI
To configure an SNMP engine ID and host:
(Instant AP)(config)# snmp-server engine-id <engine-ID>
(Instant AP)(config)# host <ipaddr> version {1 <name> udp-port <port>}|{2c|3 <name> [inform] [udp-port <port>]}
To configure SNMPv1 and SNMPv2 community strings:
(Instant AP)(config)# snmp-server community <password>
To configure SNMPv3 community strings:
(Instant AP)(config)# snmp-server user <name> <auth-protocol> <password> <privacy-protocol> <password>
To view SNMP configuration:
(Instant AP)# show snmp-configuration
Engine ID:D8C7C8C44298
Community Strings
-----------------
Name
----
SNMPv3 Users
------------
Name  Authentication Type  Encryption Type
----  -------------------  ---------------
SNMP Trap Hosts
---------------
IP Address  Version  Name  Port  Inform
----------  -------  ----  ----  ------
Configuring SNMP Traps
Instant supports the configuration of external trap receivers. Only the IAP acting as the Virtual Controller generates traps. The traps for IAP cluster are generated with Virtual Controller IP as the source IP if Virtual Controller IP is configured. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X.
You can configure SNMP traps using the Instant UI or CLI.
In the Instant UI
To configure an SNMP trap receiver:
1. Navigate to System > Show advanced options > Monitoring. The Monitoring window is displayed.
2. Under SNMP Traps, enter a name in the SNMP Engine ID text box. It indicates the name of the SNMP agent on the access point. The SNMPV3 agent has an engine ID that uniquely identifies the agent in the device and is unique to that internal network.
3. Click New and update the following fields:
   - IP Address—Enter the IP Address of the new SNMP Trap receiver.
   - Version—Select the SNMP version—v1, v2c, v3 from the drop-down list. The version specifies the format of traps generated by the access point.
   - Community/Username—Specify the community string for SNMPv1 and SNMPv2c traps and a username for SNMPv3 traps.
   - Port—Enter the port to which the traps are sent. The default value is 162.
   - Inform—When enabled, traps are sent as SNMP INFORM messages. It is applicable to SNMPv3 only. The default value is Yes.
4. Click OK to view the trap receiver information in the SNMP Trap Receivers window.
In the CLI
To configure SNMP traps:
(Instant AP)(config)# snmp-server host <IP-address> {version 1|version 2|version 3} <name> udp-port <port> inform
(Instant AP)(config)# end
(Instant AP)# commit apply
Instant supports SNMP Management Information Bases (MIBs) along with Aruba-MIBs. For information about MIBs and SNMP traps, see Aruba Instant MIB Reference Guide.
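The SNMP community, user and trap-host commands described above can be reviewed offline from a saved configuration. The following is an added example, not code from the Aruba guide or from Instant, that audits `snmp-server` lines for cleartext v1/v2c use, MD5 authentication, DES privacy and trap hosts that reference an undefined SNMPv3 user. It assumes the saved configuration uses the same token order as the CLI syntax shown in this chapter; the sample configuration, rule names and severities are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample (not from a real device); all secrets are placeholders.
SAMPLE_CONFIG = """\
snmp-server engine-id D8C7C8C44298
snmp-server community public
snmp-server community example-ro-string
snmp-server user monitor1 md5 EXAMPLE-AUTH-1 des EXAMPLE-PRIV-1
snmp-server user monitor2 sha EXAMPLE-AUTH-2 des EXAMPLE-PRIV-2
snmp-server host 192.0.2.50 version 2c example-ro-string udp-port 162
snmp-server host 192.0.2.51 version 3 monitor2 udp-port 162 inform
snmp-server host 192.0.2.52 version 3 ghost udp-port 162 inform
syslog-server 192.0.2.60
"""

DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the configuration text
    severity: str   # "high", "medium" or "info" (scale chosen for this example)
    rule: str
    detail: str     # never contains a community string or password


def audit_snmp(config_text):
    """Return findings for the snmp-server lines of an Instant-style config."""
    findings = []
    users = set()
    v3_traps = []  # (line, user name); resolved once every user line is read

    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        kind, args = tokens[1], tokens[2:]

        if kind == "community":
            if args[0].lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(lineno, "high", "DEFAULT_COMMUNITY",
                                        "well-known community string in use"))
            else:
                findings.append(Finding(lineno, "medium", "V1V2C_COMMUNITY",
                                        "v1/v2c community string travels in cleartext"))

        elif kind == "user" and len(args) >= 2:
            # snmp-server user <name> <auth-protocol> <password> <privacy-protocol> <password>
            name, auth = args[0], args[1].lower()
            priv = args[3].lower() if len(args) >= 4 else None
            users.add(name)
            if auth == "md5":
                findings.append(Finding(lineno, "medium", "V3_AUTH_MD5",
                                        f"user {name!r} uses HMAC-MD5-96; SHA is available"))
            if priv is None:
                findings.append(Finding(lineno, "medium", "V3_NO_PRIVACY",
                                        f"user {name!r} has no privacy protocol"))
            elif priv == "des":
                findings.append(Finding(lineno, "info", "V3_PRIV_DES",
                                        f"user {name!r} relies on CBC-DES; keep SNMP "
                                        "on a restricted management network"))

        elif kind == "host" and len(args) >= 4 and args[1] == "version":
            version, name = args[2].lower(), args[3]
            if version in {"1", "2", "2c"}:
                findings.append(Finding(lineno, "medium", "TRAP_V1V2C",
                                        f"traps to {args[0]} carry a cleartext community"))
            elif version == "3":
                v3_traps.append((lineno, name))

    for lineno, name in v3_traps:
        if name not in users:
            findings.append(Finding(lineno, "medium", "TRAP_USER_UNDEFINED",
                                    f"trap host references undefined SNMPv3 user {name!r}"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"line {f.line}: [{f.severity}] {f.rule}: {f.detail}")
```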
Configuring a Syslog Server
You can specify a syslog server for sending syslog messages to the external servers either by using the Instant UI or CLI.
In the Instant UI
1. In the Instant main window, click the System link. The System window is displayed.
2. Click Show advanced options to display the advanced options.
3. Click the Monitoring tab. The Monitoring tab details are displayed.
Figure 127 Syslog Server
4. In the Syslog server text box, enter the IP address of the server to which you want to send system logs.
5. Select the required values to configure syslog facility levels. Syslog Facility is an information field associated with a syslog message. It is an application or operating system component that generates a log message. The following seven facilities are supported by Syslog:
   - AP-Debug—Detailed log about the AP device.
   - Network—Log about change of network, for example, when a new IAP is added to a network.
   - Security—Log about network security, for example, when a client connects using wrong password.
   - System—Log about configuration and system status.
   - User—Important logs about client.
   - User-Debug—Detailed log about client.
   - Wireless—Log about radio.
The following table describes the logging levels in order of severity, from the most to the least severe.
Logging Level | Description
Emergency | Panic conditions that occur when the system becomes unusable.
Alert | Any condition requiring immediate attention and correction.
Critical | Any critical conditions such as a hard drive error.
Errors | Error conditions.
Warning | Warning messages.
Notice | Significant events of a non-critical and normal nature. The default value for all Syslog facilities.
Informational | Messages of general interest to system users.
Debug | Messages containing information useful for debugging.
Table 65: Logging Levels
6. Click OK.
In the CLI
To configure a syslog server:
(Instant AP)(config)# syslog-server <IP-address>
To configure syslog facility levels:
(Instant AP)(config)# syslog-level <logging-level> [ap-debug|network|security|system|user|user-debug|wireless]
(Instant AP)(config)# end
(Instant AP)# commit apply
To view syslog logging levels:
Instant Access Point# show syslog-level
Logging Level
-------------
Facility    Level
--------    -----
ap-debug    warn
network     warn
security    warn
system      warn
user        warn
user-debug  warn
wireless    error
Configuring TFTP Dump Server
You can configure a TFTP server for storing core dump files by using the Instant UI or CLI.
In the Instant UI
1. In the Instant main window, click the System link. The System window is displayed.
2. Click Show advanced options to display the advanced options.
3. Click the Monitoring tab. The Monitoring tab details are displayed.
4. Enter the IP address of the TFTP server in the TFTP Dump Server text box.
5. Click OK.
In the CLI
To configure a TFTP server:
(Instant AP)(config)# tftp-dump-server <IP-address>
(Instant AP)(config)# end
(Instant AP)# commit apply

RunningDebugCommandsfromtheUI
TorunthedebuggingcommandsfromtheUI:
1.NavigatetoMore>SupportatthetoprightcorneroftheInstantmainwindow.TheSupportwindowisdisplayed.
2.SelecttherequiredoptionfromtheCommanddrop-downlist.
3.SelectAllAccessPointsorInstantAccessPoint(VC)fromtheTargetdrop-downlist.
4.ClickRun.WhenyourundebugcommandsandclickSave,theoutputofalltheselectedcommandsis
displayedinasinglepage.
SupportCommands
Youcanviewthefollowinginformationforeachaccesspointintheclusterusingthesupportwindow:
• AP 3G/4G Status—Displays the cellular status of the IAP.
• AP 802.1x Certificate—Displays the CA certificate and server certificate for the Virtual Controller.
• AP 802.1X Statistics—Displays the 802.1X statistics of the IAP.
• AP Access Rule Table—Displays the list of ACL rules configured on the IAP.
• AP Inbound Firewall Rules—Displays inbound firewall rules configured on the IAP.
• AP Active—Displays the list of active APs in the Instant network.
• AP Airgroup Cache—Displays the Bonjour Multicast DNS (mDNS) records for the IAP.
• AP Airgroup CPPM Entries—Displays the AirGroup CPPM policies of the registered devices.
• AP Airgroup CPPM Servers—Displays the AirGroup CPPM server information.
• AP Airgroup Debug Statistics—Displays the debug statistics for the IAP.
• AP Airgroup Servers—Displays information about the Bonjour devices that support AirPrint and AirPlay services for the IAP.
• AP Airgroup User—Displays the IP/MAC address, device name, VLAN, and type of connection of the Bonjour devices for the IAP.
• AP Allowed Channels—Displays information on the allowed channels for the IAP.
• AP Allowed MAX-EIRP—Displays information on the maximum EIRP settings that can be configured on an IAP serving in a specific regulatory domain.
• AP All Supported Timezones—Displays all the supported time zones of Instant.
• AP ARM Bandwidth Management—Displays bandwidth management information for the IAP.
• AP ARM Channels—Displays ARM channel details for the IAP.
• AP ARM Configuration—Displays ARM configuration details for the IAP.
• AP ARM History—Displays the channel history and power changes due to Adaptive Radio Management (ARM) for the IAP.
• AP ARM Neighbors—Displays the ARM neighbors of the IAP.
• AP ARM RF Summary—Displays the status and statistics for all channels monitored by the IAP.
• AP ARM Scan Times—Displays channel scanning information for the IAP.
• AP ARP Table—Displays the ARP table of the IAP.
• AP Association Table—Displays information about the IAP association.
• AP Auth-Survivability cache—Displays the list of 802.1X cached user's information.
• AP Authentication Frames—Displays the authentication trace buffer information of the IAP.
• AP BSSID Table—Displays the Basic Service Set (BSS) table of the IAP.
• AP Captive Portal Domains—Displays captive portal domains configured on the IAP.
• AP Captive Portal Auto White List—Displays details about the automatic whitelist configured for a captive portal profile.
• AP Checksum—Displays checksum details for an IAP.
• AP Client Match Action—Displays details of the client match action.
• AP Client Match Live—Displays the live details of the client match configuration on an IAP.
• AP Client Match History—Displays the historical details of the client match configuration on an IAP.
• AP Client Match Status—Displays information about the client match configuration status.
• AP Client Match Triggers—Displays information about the client match triggers.
• AP Client Table—Displays the client details.
• AP Client View—Displays client details of an IAP.
• AP Country Codes—Displays country code details for the IAP.
• AP CPU Details—Displays detailed information about memory utilization and CPU load for system processes.
• AP CPU Utilization—Displays utilization of CPU for the IAP.
• AP Crash Info—Displays crash log information (if it exists) for the IAP. The stored information is cleared from the flash after the AP reboots.
• AP Current Time—Displays the current time configured on the IAP.
• AP Current Timezone—Displays the current time zone configured on the IAP.
• AP Datapath ACL Table Allocation—Displays ACL table allocation details for the IAP.
• AP Datapath ACL Tables—Displays the list of ACL rules configured for the SSID and Ethernet port profiles.
• AP Datapath Bridge Table—Displays bridge table entry statistics including MAC address, VLAN, assigned VLAN, Destination and flag information for the IAP.
• AP Datapath DMO Session—Displays details of a DMO session.
• AP Datapath Dns Id Map—Displays the mapping details for the DNS ID.
• AP Datapath DPI Session Table and AP Datapath DPI Session Table Verbose—Display the datapath session table entries.
• AP Datapath Multicast Table—Displays multicast table statistics for the IAP.
• AP Datapath Nat Pool—Displays NAT pool details configured in the datapath.
• AP Datapath Route Table—Displays route table statistics for the IAP.
• AP Datapath Session Table—Displays the datapath session table statistics for the IAP.
• AP Datapath Statistics—Displays the hardware packet statistics for the IAP.
• AP Datapath User Table—Displays datapath user statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users, and maximum link length for the IAP.
• AP Datapath VLAN Table—Displays the VLAN table information such as VLAN memberships inside the datapath including L2 tunnels for the IAP.
• AP Daylight Saving Time—Displays the Daylight Saving Time configured on the IAP.
• AP Derivation Rules—Displays the role and VLAN derivation rules configured on an IAP.
• AP DPI Debug statistics—Displays DPI statistics that can be used for debugging DPI issues.
• AP Driver Configuration—Displays driver configuration details of the IAP.
• AP Election and AP Election Statistics—Display the master election statistics.
• AP Environment Variable—Displays information about the type of antenna used by the IAP.
• AP ESSID Table—Displays the SSID profiles configured on the IAP.
• AP Flash Configuration—Displays statistics of the IAP configuration stored in flash memory.
• AP IGMP Group Table—Displays IGMP group information.
• AP IAP-VPN Retry Counters—Displays IAP-VPN tunnel details.
• AP Interface Counters—Displays information about the Ethernet interface packet counters for the IAP.
• AP Interface Status—Displays the Ethernet port status for the IAP.
• AP Internal DHCP Status—Displays details on DHCP allocation.
• AP IP Interface—Displays a summary of all IP-related information for Ethernet interfaces configured on the IAP.
• AP IP Route Table—Displays information about IP routes for the IAP.
• AP L3 Mobility Datapath—Displays L3 mobility details.
• AP L3 Mobility Events Log—Displays a log with L3 client roaming details.
• AP L3 Mobility Status—Displays the status of L3 roaming clients.
• AP LACP Status—Displays the Link Aggregation Control Protocol (LACP) configuration status.
• AP Log All—Displays all logs for the IAP.
• AP Log AP-Debug—Displays logs with debugging information for the IAP.
• AP Log Conversion—Displays image conversion details for the IAP.
• AP Log Driver—Displays the status of drivers configured on the IAP.
• AP Log Kernel—Displays logs for the AP's kernel.
• AP Log Network—Displays network logs for the IAP.
• AP Log PPPd—Displays the Point-to-Point Protocol daemon (PPPd) network connection details.
• AP Log Rapper—Displays rapper information.
• AP Log Sapd—Displays SAPd logs.
• AP Log Security—Displays security logs of the IAP.
• AP Log System—Displays system logs of the IAP.
• AP Log Tunnel Status Management—Displays tunnel status.
• AP Log Upgrade—Displays image download and upgrade details for the IAP.
• AP Log User-Debug—Displays user-debug logs of the IAP.
• AP Log User—Displays user logs of the IAP.
• AP Log VPN Tunnel Log—Displays VPN tunnel status for the IAP.
• AP Log Wireless—Displays wireless logs of the IAP.
• AP Management Frames—Displays the traced 802.11 management frames for the IAP.
• AP Memory Allocation State Dumps—Displays the memory allocation details for the IAP.
• AP Memory Utilization—Displays memory utilization of the IAP.
• AP Mesh Counters—Displays the mesh counters of the IAP.
• AP Mesh Link—Displays the mesh link of the IAP.
• AP Mesh Neighbors—Displays the mesh link neighbors of the IAP.
• AP Monitor Active Laser Beams—Displays the active laser beam sources for the IAP.
• AP Monitor AP Table—Displays the list of APs monitored by the IAP.
• AP Monitor ARP Cache—Displays ARP cache details for the IAP.
• AP Monitor Client Table—Displays the list of clients monitored by the IAP.
• AP Monitor Containment Information—Displays containment details for the IAP.
• AP Monitor Potential AP Table—Displays the list of potential APs for the IAP.
• AP Monitor Potential Client Table—Displays the list of potential clients for the IAP.
• AP Monitor Router—Displays information about the potential wireless devices.
• AP Monitor Scan Information—Displays scanned information for the IAP.
• AP Monitor Status—Displays the configuration and status of monitor information of the IAP.
• AP Persistent Clients—Displays the list of persistent clients for the IAP.
• AP PMK Cache—Displays the PMK cache details for the clients associated with the IAP.
• AP PPPoE uplink debug—Displays PPPoE debug logs.
• AP PPPoE uplink status—Displays PPPoE uplink status.
• AP Processes—Displays the processes running on the IAP.
• AP Radio 0 Stats—Displays aggregate debug statistics of the IAP Radio 0.
• AP Radio 1 Stats—Displays aggregate debug statistics of the IAP Radio 1.
• AP Radio 0 Client Probe Report—Displays a report on the AP clients connected to IAP Radio 0.
• AP Radio 1 Client Probe Report—Displays a report on the AP clients connected to IAP Radio 1.
• AP RADIUS Statistics—Displays the RADIUS server statistics for the IAP.
• AP Shaping Table—Displays shaping information for clients associated with the IAP.
• AP Sockets—Displays information about the sockets of the IAP.
• AP STM Configuration—Displays STM configuration details for each SSID profile configured on the IAP.
• AP System Status—Displays detailed system status information for the IAP.
• AP System Summary—Displays the IAP configuration.
• AP Swarm State—Displays details of the IAP cluster to which the AP is connected.
• AP Tech Support Dump—Displays the logs with complete IAP configuration information required for debugging by technical support.
• AP Tech Support Dump Advanced—Displays the logs with advanced configuration details and logs required for debugging by technical support.
• AP Uplink Status—Displays uplink status for the IAP.
• AP User Table—Displays the list of clients for the IAP.
• AP Valid Channels—Displays valid channels of the IAP.
• AP Version—Displays the version number of the IAP.
• AP VPN Status—Displays VPN status for the IAP.
• AP Virtual Beacon Report—Displays a report on virtual beacons for an IAP.
• AP Wired Port Settings—Displays wired port configuration details for the IAP.
• AP Wired User Table—Displays the list of clients associated with the wired network profile configured on the IAP.
• VC About—Displays information such as AP type, build time of image, and image version for the Virtual Controller.
• VC Active Configuration—Displays the active configuration of the Virtual Controller.
• VC Airgroup Service—Displays the Bonjour services supported by the Virtual Controller.
• VC Airgroup Status—Displays the status of the AirGroup and CPPM server details configured on the Virtual Controller.
• VC Allowed AP Table—Displays the list of allowed APs.
• VC AMP Current State Data—Displays the current status of AirWave Management Platform.
• VC AMP Current Stats Data—Displays the current AirWave configuration details.
• VC AMP Data Sent—Displays information about the data exchange between the AirWave server and the Virtual Controller.
• VC AMP Events Pending—Displays information about the pending events on the AirWave server.
• VC AMP Last Configuration Received—Displays the last configuration details received from AirWave.
• VC AMP Single Sign-on Key—Displays single sign-on key details for AirWave.
• VC Application Services—Displays the details of application services, which include protocol number and port number.
• VC DHCP Option 43 Received—Displays information about the current activities for the DHCP scope with Option 43.
• VC Global Alerts—Displays the list of alerts for all IAPs managed by the Virtual Controller.
• VC Global Statistics—Displays the flow information and signal strength of the Virtual Controller.
• VC IDS AP List—Displays the list of IAPs monitored by the Virtual Controller.
• VC IDS Client List—Displays the list of clients detected by IDS for the Virtual Controller.
• VC Internal DHCP Server Configuration—Displays the configuration details of the internal DHCP server.
• VC L2TPv3 config—Displays the L2TPv3 configuration status.
• VC L2TPv3 tunnel status—Displays the L2TPv3 tunnel status.
• VC L2TPv3 tunnel configuration—Displays the L2TPv3 tunnel configuration status.
• VC L2TPv3 session status—Displays the L2TPv3 session configuration status.
• VC L2TPv3 system wide global statistics—Displays the L2TPv3 system statistics.
• VC Local User Database—Displays the list of users configured for the IAP.
• VC OpenDNS Configuration and Status—Displays configuration details and status of the OpenDNS server.
• VC Radius Attributes—Displays information about the RADIUS attributes.
• VC Radius Servers—Displays the list of RADIUS servers configured on the IAP.
• VC Saved Configuration—Displays the configuration details of the Virtual Controller.
• VC Scanning Statistics—Displays the scanned information for the IAP.
• VC SNMP Configuration—Displays the SNMP configuration details of the IAP.
• VC Uplink 3G/4G Configuration—Displays the 3G/4G cellular configuration information for the IAPs managed by the Virtual Controller.
• VC Uplink Management Configuration—Displays uplink configuration details for the Virtual Controller.
• VC WISPr Configuration—Displays the WISPr configuration details.
Use the support commands under the supervision of Aruba technical support.
Chapter 29
Hotspot Profiles
This chapter describes the following procedures:
• Understanding Hotspot Profiles
• Configuring Hotspot Profiles
• Sample Configuration
In the current release, Instant supports the hotspot profile configuration only through the CLI.
Understanding Hotspot Profiles
Hotspot 2.0 is a Wi-Fi Alliance specification based on the 802.11u protocol, which allows wireless clients to discover hotspots using management frames (such as beacon, association request, and association response), connect to networks, and roam between networks without additional authentication.
Hotspot 2.0 provides the following services:
• Network discovery and selection—Allows the clients to discover suitable and available networks by advertising the access network type, roaming consortium, and venue information through the management frames. For network discovery and selection, Generic Advertisement Service (GAS) and Access Network Query Protocol (ANQP) are used.
• QoS Mapping—Provides a mapping between the network-layer QoS packet marking and over-the-air QoS frame marking based on user priority.
When a hotspot is configured in a network:
• The clients search for available hotspots using the beacon management frame.
• When a hotspot is found, the client sends queries to obtain information about the type of network authentication and IP address, and IP address availability using the Generic Advertisement Service (GAS) action frames.
• Based on the response of the advertisement server (response to the GAS Action Frames), the relevant hotspot is selected and the client attempts to associate with it.
• Based on the authentication mode used for mobility clients, the client authenticates to access the network.
Generic Advertisement Service (GAS)
GAS is a request-response protocol that provides an L2 transport mechanism between a wireless client and a server in the network prior to authentication. It helps in determining an 802.11 infrastructure before associating clients and allows clients to send queries to multiple 802.11 networks in parallel.
An AP can include its service provider Organization Identifier (OI) indicating the service provider identity in beacons and probe responses to clients. When a client recognizes an IAP's OI, it attempts to associate to that IAP using the security credentials corresponding to that service provider. If the client does not recognize the AP's OI, the client sends a Generic Advertisement Service (GAS) query to the IAP to request more information about the network before associating. A client transmits a GAS Query using a GAS Initial Request frame and the IAP provides the query response or information on how to receive the query response in a GAS Initial Response frame. To transmit a GAS query for any advertisement protocol, the advertisement protocol ID must include the advertisement protocol information element with information about the advertisement protocol and its corresponding advertisement control.

Access Network Query Protocol (ANQP)
ANQP provides a range of information, such as IP address type and availability, roaming partners accessible through a hotspot, and the Extensible Authentication Protocol (EAP) method supported for authentication, for a query and response protocol. The ANQP Information Elements (IEs) provide additional data that can be sent from an IAP to the client to identify the IAP's network and service provider. If a client requests this information through a GAS query, the hotspot AP sends the ANQP capability list in the GAS Initial Response frame indicating support for the following IEs:
• Venue Name
• Domain Name
• Network Authentication Type
• Roaming Consortium List
• Network Access Identifier Realm
• 3GPP Cellular Network Data
Hotspot 2.0 Query Protocol (H2QP)
The H2QP profiles provide a range of information on Hotspot 2.0 elements such as hotspot protocol and port, operating class, operator names, WAN status, and uplink and downlink metrics.
Information Elements (IEs) and Management Frames
The Hotspot 2.0 configuration supports the following IEs:
• Interworking IE—Provides information about the Interworking service capabilities such as the Internet availability in a specific service provider network.
• Advertisement Protocol IE—Provides information about the advertisement protocol that a client can use for communication with the advertisement servers in a network.
• Roaming Consortium IE—Provides information about the service provider network for roaming clients, which can be used to authenticate with the AP.
The IEs are included in the following Management Frames when 802.11u is enabled:
• Beacon Frame
• Probe Request Frame
• Probe Response Frame
• Association Request
• Re-Association Request
NAI Realm List
An NAI Realm profile identifies and describes an NAI realm to which the clients can connect. The NAI realm settings on an IAP act as an advertisement profile that determines the NAI realm elements that must be included as part of a GAS Response frame.
Configuring Hotspot Profiles
To configure a hotspot profile, perform the following steps:
1. Create the required ANQP and H2QP advertisement profiles.
2. Create a hotspot profile.
3. Associate the required ANQP and H2QP advertisement profiles created in step 1 to the hotspot profile created in step 2.
4. Create an SSID Profile with enterprise security and WPA2 encryption settings and associate the SSID with the hotspot profile created in step 2.
Creating Advertisement Profiles for Hotspot Configuration
A hotspot profile contains one or several advertisement profiles. The following advertisement profiles can be configured through the Instant CLI:
• ANQP advertisement profiles
  ◦ NAI Realm profile
  ◦ Venue Name Profile
  ◦ Network Authentication Profile
  ◦ Roaming Consortium Profile
  ◦ 3GPP Profile
  ◦ IP Address availability Profile
  ◦ Domain Name Profile
• H2QP advertisement profiles
  ◦ Operator Friendly Name Profile
  ◦ Connection Capability Profile
  ◦ Operating Class Profile
  ◦ WAN-Metrics Profile
Configuring an NAI Realm Profile
You configure a Network Access Identifier (NAI) Realm profile to define the NAI realm information, which can be sent as an ANQP IE in a GAS query response.
To configure an NAI profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-nai-realm-profile <name>
(Instant AP)(nai-realm <name>)# nai-realm-name <name>
(Instant AP)(nai-realm <name>)# nai-realm-encoding {<utf8>|<rfc4282>}
(Instant AP)(nai-realm <name>)# nai-realm-eap-method <eap-method>
(Instant AP)(nai-realm <name>)# nai-realm-auth-id-1 <authentication-ID>
(Instant AP)(nai-realm <name>)# nai-realm-auth-id-2 <authentication-ID>
(Instant AP)(nai-realm <name>)# nai-realm-auth-value-1 <authentication-value>
(Instant AP)(nai-realm <name>)# nai-realm-auth-value-2 <authentication-value>
(Instant AP)(nai-realm <name>)# nai-home-realm
(Instant AP)(nai-realm <name>)# enable
(Instant AP)(nai-realm <name>)# end
(Instant AP)# commit apply
You can specify any of the following EAP methods for the nai-realm-eap-method <eap-method> command:
• identity—To use EAP Identity type. The associated numeric value is 1.
• notification—To allow the hotspot realm to use EAP Notification messages for authentication. The associated numeric value is 2.
• one-time-password—To use Authentication with a single-use password. The associated numeric value is 5.
• generic-token-card—To use EAP Generic Token Card (EAP-GTC). The associated numeric value is 6.
• eap-tls—To use EAP-Transport Layer Security. The associated numeric value is 13.
• eap-sim—To use EAP for GSM Subscriber Identity Modules. The associated numeric value is 18.
• eap-ttls—To use EAP-Tunneled Transport Layer Security. The associated numeric value is 21.
• peap—To use protected Extensible Authentication Protocol. The associated numeric value is 25.
• crypto-card—To use crypto card authentication. The associated numeric value is 28.
• peapmschapv2—To use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPV2). The associated numeric value is 29.
• eap-aka—To use EAP for UMTS Authentication and Key Agreement. The associated numeric value is 50.
The following table lists the possible authentication IDs and their respective values:
Table 66: NAI Realm Profile Configuration Parameters
Authentication ID / Authentication Value

reserved
• Uses the reserved authentication method.
• The associated numeric value is 0.

expanded-eap
• Uses the expanded EAP authentication method.
• The associated numeric value is 1.
Use expanded-eap as the authentication value.

non-eap-inner-auth
• Uses non-EAP inner authentication type.
• The associated numeric value is 2.
The following authentication values apply:
• reserved—The associated numeric value is 0.
• pap—The associated numeric value is 1.
• chap—The associated numeric value is 2.
• mschap—The associated numeric value is 3.
• mschapv2—The associated numeric value is 4.

eap-inner-auth
• Uses EAP inner authentication type.
• The associated numeric value is 3.
The following authentication values apply:
• reserved—The associated numeric value is 0.
• pap—The associated numeric value is 1.
• chap—The associated numeric value is 2.
• mschap—The associated numeric value is 3.
• mschapv2—The associated numeric value is 4.

exp-inner-eap
• Uses the expanded inner EAP authentication method.
• The associated numeric value is 4.
Use the exp-inner-eap authentication value.

credential
• Uses credential authentication.
• The associated numeric value is 5.
The following authentication values apply:
• sim—The associated numeric value is 1.
• usim—The associated numeric value is 2.
• nfc-secure—The associated numeric value is 3.
• hw-token—The associated numeric value is 4.
• softoken—The associated numeric value is 5.
• certificate—The associated numeric value is 6.
• uname-passward—The associated numeric value is 7.
• none—The associated numeric value is 8.
• reserved—The associated numeric value is 9.
• vendor-specific—The associated numeric value is 10.

Configuring a Venue Name Profile
You configure a venue name profile to send venue information as an ANQP IE in a GAS query response. To configure a venue name profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-venue-name-profile <name>
(Instant AP)(venue-name <name>)# venue-name <name>
(Instant AP)(venue-name <name>)# venue-group <group-name>
(Instant AP)(venue-name <name>)# venue-type <type>
(Instant AP)(venue-name <name>)# venue-lang-code <language>
(Instant AP)(venue-name <name>)# enable
(Instant AP)(venue-name <name>)# end
(Instant AP)# commit apply
You can specify any of the following venue groups and the corresponding venue types:
Table 67: Venue Types
Venue Group / Associated Venue Type Value

unspecified
The associated numeric value is 0.

assembly
The associated numeric value is 1.
• unspecified—The associated numeric value is 0.
• arena—The associated numeric value is 1.
• stadium—The associated numeric value is 2.
• passenger-terminal—The associated numeric value is 3.
• amphitheater—The associated numeric value is 4.
• amusement-park—The associated numeric value is 5.
• place-of-worship—The associated numeric value is 6.
• convention-center—The associated numeric value is 7.
• library—The associated numeric value is 8.
• museum—The associated numeric value is 9.
• restaurant—The associated numeric value is 10.
• theater—The associated numeric value is 11.
• bar—The associated numeric value is 12.
• coffee-shop—The associated numeric value is 13.
• zoo-or-aquarium—The associated numeric value is 14.
• emergency-cord-center—The associated numeric value is 15.

business
The associated numeric value is 2.
• unspecified—The associated numeric value is 0.
• doctor—The associated numeric value is 1.
• bank—The associated numeric value is 2.
• fire-station—The associated numeric value is 3.
• police-station—The associated numeric value is 4.
• post-office—The associated numeric value is 6.
• professional-office—The associated numeric value is 7.
• research-and-dev-facility—The associated numeric value is 8.
• attorney-office—The associated numeric value is 9.

educational
The associated numeric value is 3.
• unspecified—The associated numeric value is 0.
• school-primary—The associated numeric value is 1.
• school-secondary—The associated numeric value is 2.
• univ-or-college—The associated numeric value is 3.

factory-and-industrial
The associated numeric value is 4.
• unspecified—The associated numeric value is 0.
• factory—The associated numeric value is 1.

institutional
The associated numeric value is 5.
• unspecified—The associated numeric value is 0.
• hospital—The associated numeric value is 1.
• long-term-care—The associated numeric value is 2.
• alc-drug-rehab—The associated numeric value is 3.
• group-home—The associated numeric value is 4.
• prison-or-jail—The associated numeric value is 5.

mercantile
The associated numeric value is 6.
• unspecified—The associated numeric value is 0.
• retail-store—The associated numeric value is 1.
• grocery-market—The associated numeric value is 2.
• auto-service-station—The associated numeric value is 3.
• shopping-mall—The associated numeric value is 4.
• gas-station—The associated numeric value is 5.

residential
The associated numeric value is 7.
• unspecified—The associated numeric value is 0.
• private-residence—The associated numeric value is 1.
• hotel—The associated numeric value is 3.
• dormitory—The associated numeric value is 4.
• boarding-house—The associated numeric value is 5.

storage
The associated numeric value is 8.
• unspecified—The associated numeric value is 0.

utility-misc
The associated numeric value is 9.
• unspecified—The associated numeric value is 0.

vehicular
The associated numeric value is 10.
• unspecified—The associated numeric value is 0.
• automobile-or-truck—The associated numeric value is 1.
• airplane—The associated numeric value is 2.
• bus—The associated numeric value is 3.
• ferry—The associated numeric value is 4.
• ship—The associated numeric value is 5.
• train—The associated numeric value is 6.
• motor-bike—The associated numeric value is 7.

outdoor
The associated numeric value is 11.
• unspecified—The associated numeric value is 0.
• muni-mesh-network—The associated numeric value is 1.
• city-park—The associated numeric value is 2.
• rest-area—The associated numeric value is 3.
• traffic-control—The associated numeric value is 4.
• bus-stop—The associated numeric value is 5.
• kiosk—The associated numeric value is 6.
Configuring a Network Authentication Profile
You can configure a network authentication profile to define the authentication type used by the hotspot network. To configure a network authentication profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-nwk-auth-profile <name>
(Instant AP)(network-auth <name>)# nwk-auth-type <type>
(Instant AP)(network-auth <name>)# url <URL>
(Instant AP)(network-auth <name>)# enable
(Instant AP)(network-auth <name>)# end
(Instant AP)# commit apply
You can specify any of the following network authentication types for the nwk-auth-type <type> command:
• accept-term-and-cond—When configured, the network requires the user to accept terms and conditions. This option requires you to specify a redirection URL string as an IP address, FQDN, or URL.
• online-enrollment—When configured, the network supports online enrollment.
• http-redirect—When configured, additional information on the network is provided through HTTP/HTTPS redirection.
• dns-redirect—When configured, additional information on the network is provided through DNS redirection. This option requires you to specify a redirection URL string as an IP address, FQDN, or URL.
Configuring a Roaming Consortium Profile
You can configure a roaming consortium profile to send the roaming consortium information as an ANQP IE in a GAS query response. To configure a roaming consortium profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-roam-cons-profile <name>
(Instant AP)(roaming-consortium <name>)# roam-cons-oi <roam-cons-oi>
(Instant AP)(roaming-consortium <name>)# roam-cons-oi-len <roam-cons-oi-len>
(Instant AP)(roaming-consortium <name>)# enable
(Instant AP)(roaming-consortium <name>)# end
(Instant AP)# commit apply
Specify a hexadecimal string of 3 to 5 octets for roam-cons-oi <roam-cons-oi>.
Based on the OI specified, you can specify the following parameters for the length of OI in roam-cons-oi-len <roam-cons-oi-len>.
• For 0: 0 Octets in the OI (Null)
• For 3: OI length is 24-bit (3 Octets)
• For 5: OI length is 36-bit (5 Octets)
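The NAI realm keyword tables and the roaming consortium OI length rules in this chapter can be checked mechanically before a profile is committed. The Python lint below is an added example, not part of the Aruba guide or of any Aruba tool; the function names, the constructed sample listing, the contiguous-hex OI format, and the treatment of the reserved authentication ID as taking no value are assumptions.

```python
import re

# Keyword tables transcribed from the NAI Realm Profile section of this guide.
EAP_METHODS = {"identity", "notification", "one-time-password", "generic-token-card",
               "eap-tls", "eap-sim", "eap-ttls", "peap", "crypto-card",
               "peapmschapv2", "eap-aka"}
INNER_AUTH = {"reserved", "pap", "chap", "mschap", "mschapv2"}
AUTH_VALUES = {
    "reserved": set(),  # assumption: the table lists no value for this ID
    "expanded-eap": {"expanded-eap"},
    "non-eap-inner-auth": INNER_AUTH,
    "eap-inner-auth": INNER_AUTH,
    "exp-inner-eap": {"exp-inner-eap"},
    "credential": {"sim", "usim", "nfc-secure", "hw-token", "softoken", "certificate",
                   "uname-passward", "none", "reserved", "vendor-specific"},
}
PROMPT = re.compile(r"^\s*\(.*?\)\s*#\s*")  # strips "(Instant AP)(config)# " prefixes


def parse_profiles(text):
    """Group commands under the 'hotspot <kind> <name>' line that opens each profile."""
    profiles, current = [], None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words:
            continue
        if words[0] == "hotspot" and len(words) >= 2:
            current = {"kind": words[1], "name": " ".join(words[2:]), "settings": {}}
            profiles.append(current)
        elif words[0] in ("end", "commit"):
            current = None
        elif current is not None:
            current["settings"][words[0]] = " ".join(words[1:])
    return profiles


def check_nai_realm(s):
    """Check EAP method, encoding and each auth-id/auth-value pair against the tables."""
    problems = []
    method = s.get("nai-realm-eap-method")
    if method is not None and method not in EAP_METHODS:
        problems.append(f"unknown EAP method {method!r}")
    if s.get("nai-realm-encoding", "utf8") not in ("utf8", "rfc4282"):
        problems.append(f"unknown encoding {s['nai-realm-encoding']!r}")
    for n in ("1", "2"):
        auth_id = s.get(f"nai-realm-auth-id-{n}")
        value = s.get(f"nai-realm-auth-value-{n}")
        if auth_id is None and value is None:
            continue
        if auth_id not in AUTH_VALUES:
            problems.append(f"nai-realm-auth-id-{n} {auth_id!r} is not a listed ID")
        elif value is None and not AUTH_VALUES[auth_id]:
            continue
        elif value not in AUTH_VALUES[auth_id]:
            problems.append(f"nai-realm-auth-value-{n} {value!r} is not listed for {auth_id}")
    return problems


def check_roam_cons(s):
    """Check that roam-cons-oi is 3 to 5 hex octets and agrees with roam-cons-oi-len."""
    problems = []
    oi, length = s.get("roam-cons-oi", ""), s.get("roam-cons-oi-len")
    if length not in ("0", "3", "5"):
        problems.append(f"roam-cons-oi-len {length!r} is not 0, 3 or 5")
    if length == "0" and not oi:
        return problems  # null OI, nothing further to compare
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", oi):
        problems.append(f"roam-cons-oi {oi!r} is not a whole number of hex octets")
        return problems
    octets = len(oi) // 2
    if not 3 <= octets <= 5:
        problems.append(f"roam-cons-oi has {octets} octets, outside the 3 to 5 range")
    if length in ("3", "5") and int(length) != octets:
        problems.append(f"roam-cons-oi has {octets} octets but roam-cons-oi-len is {length}")
    elif length == "0":
        problems.append("roam-cons-oi-len 0 declares a null OI but roam-cons-oi is set")
    return problems


CHECKS = {"anqp-nai-realm-profile": check_nai_realm,
          "anqp-roam-cons-profile": check_roam_cons}


def lint(text):
    """Return one finding string per problem, in the order the profiles appear."""
    findings = []
    for p in parse_profiles(text):
        check = CHECKS.get(p["kind"])
        for msg in (check(p["settings"]) if check else []):
            findings.append(f"{p['kind']} {p['name']}: {msg}")
    return findings


# Constructed command listing (profile names and OI values are made up).
SAMPLE = """\
(Instant AP)(config)# hotspot anqp-nai-realm-profile nr-good
(Instant AP)(nai-realm nr-good)# nai-realm-name example.com
(Instant AP)(nai-realm nr-good)# nai-realm-encoding rfc4282
(Instant AP)(nai-realm nr-good)# nai-realm-eap-method eap-ttls
(Instant AP)(nai-realm nr-good)# nai-realm-auth-id-1 non-eap-inner-auth
(Instant AP)(nai-realm nr-good)# nai-realm-auth-value-1 mschapv2
hotspot anqp-nai-realm-profile nr-bad
 nai-realm-eap-method eap-fast
 nai-realm-auth-id-1 credential
 nai-realm-auth-value-1 mschapv2
hotspot anqp-roam-cons-profile rc-good
 roam-cons-oi AABBCC
 roam-cons-oi-len 3
hotspot anqp-roam-cons-profile rc-bad
 roam-cons-oi AABBCCDD
 roam-cons-oi-len 5
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

A 4-octet OI passes the "3 to 5 octets" rule but has no matching roam-cons-oi-len value, which is the mismatch the lint reports for rc-bad.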
Configuring a 3GPP Profile
You can configure a 3rd Generation Partnership Project (3GPP) profile to define information for the 3G Cellular Network for hotspots.
To configure a 3GPP profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-3gpp-profile <name>
(Instant AP)(3gpp <name>)# 3gpp-plmn1 <plmn-ID>
(Instant AP)(3gpp <name>)# enable
(Instant AP)(3gpp <name>)# end
(Instant AP)# commit apply
The Public Land Mobile Network (PLMN) ID is a combination of the mobile country code and network code. You can specify up to 6 PLMN IDs for a 3GPP profile.
Configuring an IP Address Availability Profile
You can configure the available IP address types to send information on IP address availability as an ANQP IE in a GAS query response. To configure an IP address availability profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-ip-addr-avail-profile <name>
(Instant AP)(IP-addr-avail <name>)# ipv4-addr-avail
(Instant AP)(IP-addr-avail <name>)# ipv6-addr-avail
(Instant AP)(IP-addr-avail <name>)# enable
(Instant AP)(IP-addr-avail <name>)# end
(Instant AP)# commit apply
Configuring a Domain Profile
You can configure a domain profile to send the domain names as an ANQP IE in a GAS query response. To configure a domain name profile, enter the following commands at the command prompt:
(Instant AP)(config)# hotspot anqp-domain-name-profile <name>
(Instant AP)(domain-name <name>)# domain-name <domain-name>
(Instant AP)(domain-name <name>)# enable
(Instant AP)(domain-name <name>)# end
(Instant AP)# commit apply
Configuring an Operator-friendly Profile
You can configure the operator-friendly name profile to define the identity of the operator. To configure an H2QP operator-friendly name profile:
(Instant AP)(config)# hotspot h2qp-oper-name-profile <name>
(Instant AP)(operator-friendly-name <name>)# op-fr-name <op-fr-name>
(Instant AP)(operator-friendly-name <name>)# op-lang-code <op-lang-code>
(Instant AP)(operator-friendly-name <name>)# enable
(Instant AP)(operator-friendly-name <name>)# end
(Instant AP)# commit apply
Configuring a Connection Capability Profile
You can configure a Connection Capability profile to define information such as the hotspot IP protocols and associated port numbers that are available for communication. To configure an H2QP connection capability profile:
(Instant AP)(config)# hotspot h2qp-conn-cap-profile
(Instant AP)(connection-capabilities <name>)# esp-port
(Instant AP)(connection-capabilities <name>)# icmp
(Instant AP)(connection-capabilities <name>)# tcp-ftp
(Instant AP)(connection-capabilities <name>)# tcp-http
(Instant AP)(connection-capabilities <name>)# tcp-pptp-vpn
(Instant AP)(connection-capabilities <name>)# tcp-ssh
(Instant AP)(connection-capabilities <name>)# tcp-tls-vpn
(Instant AP)(connection-capabilities <name>)# tcp-voip
(Instant AP)(connection-capabilities <name>)# udp-ike2
(Instant AP)(connection-capabilities <name>)# udp-ipsec-vpn
(Instant AP)(connection-capabilities <name>)# udp-voip
(Instant AP)(connection-capabilities <name>)# enable
(Instant AP)(connection-capabilities <name>)# end
(Instant AP)# commit apply
Configuring an Operating Class Profile
You can configure an operating class profile to list the channels on which the hotspot is capable of operating. To configure an H2QP operating class profile:
(Instant AP)(config)# hotspot h2qp-oper-class-profile <name>
(Instant AP)(operator-class <name>)# op-class <class-ID>
(Instant AP)(operator-class <name>)# enable
(Instant AP)(operator-class <name>)# end
(Instant AP)# commit apply
Configuring a WAN Metrics Profile
You can configure a WAN metrics profile to define information about access network characteristics such as link status and metrics. To configure a WAN metrics profile:
(Instant AP)(config)# hotspot h2qp-wan-metrics-profile <name>
(Instant AP)(WAN-metrics <name>)# at-capacity
(Instant AP)(WAN-metrics <name>)# downlink-load <load>
(Instant AP)(WAN-metrics <name>)# downlink-speed <speed>
(Instant AP)(WAN-metrics <name>)# load-duration <duration>
(Instant AP)(WAN-metrics <name>)# symm-link
(Instant AP)(WAN-metrics <name>)# uplink-load <load>
(Instant AP)(WAN-metrics <name>)# uplink-speed <speed>
(Instant AP)(WAN-metrics <name>)# wan-metrics-link-status <status>
(Instant AP)(WAN-metrics <name>)# end
(Instant AP)# commit apply
You can specify the following WAN downlink and uplink parameters:
• Downlink load—Indicates the percentage of the WAN downlink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
• Downlink speed—Indicates the WAN downlink speed in Kbps.
• Uplink load—Indicates the percentage of the WAN uplink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
• Uplink speed—Indicates the WAN uplink speed in Kbps.
• Load duration—Indicates the duration in seconds during which the downlink utilization is measured.
• Symmetric links—Indicates if the uplink and downlink have the same speed.
• WAN Link Status—Indicates if the WAN is down (link-down), up (link-up), or in test state (link-under-test).
Creating a Hotspot Profile
To create a hotspot profile:
(Instant AP)(config)# hotspot hs-profile <name>
(Instant AP)(Hotspot2.0 <name>)# asra
(Instant AP)(Hotspot2.0 <name>)# access-network-type <type>
(Instant AP)(Hotspot2.0 <name>)# addtl-roam-cons-ois <roam-consortium-OIs>
(Instant AP)(Hotspot2.0 <name>)# comeback-mode
(Instant AP)(Hotspot2.0 <name>)# gas-comeback <delay-interval>
(Instant AP)(Hotspot2.0 <name>)# group-frame-block
(Instant AP)(Hotspot2.0 <name>)# hessid <hotspot-essid>
(Instant AP)(Hotspot2.0 <name>)# internet
(Instant AP)(Hotspot2.0 <name>)# p2p-cross-connect
(Instant AP)(Hotspot2.0 <name>)# p2p-dev-mgmt
(Instant AP)(Hotspot2.0 <name>)# pame-bi
(Instant AP)(Hotspot2.0 <name>)# query-response-length-limit <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-len-1 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-len-2 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-len-3 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-oi-1 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-oi-2 <integer>
(Instant AP)(Hotspot2.0 <name>)# roam-cons-oi-3 <integer>
(Instant AP)(Hotspot2.0 <name>)# venue-group <group>
(Instant AP)(Hotspot2.0 <name>)# venue-type <type>
(Instant AP)(Hotspot2.0 <name>)# enable
(Instant AP)(Hotspot2.0 <name>)# end
(Instant AP)# commit apply
The hotspot profile configuration parameters are described in the following table:
Parameter Description
access-network-
type<type>
Specifyanyofthefollowing802.11unetworktypes.
lprivate—Thisnetworkisaccessibleforauthorizedusersonly.Forexample,homenetworks
orenterprisenetworksthatrequireuserauthentication.Thecorrespondingintegervaluefor
thisnetworktypeis0.
lprivate-with-guest—Thisnetworkisaccessibletoguestusersbasedonguestauthentication
methods.Forexample,enterprisenetworksthatallowguestuserswithcaptiveportal
authentication.Thecorrespondingintegervalueforthisnetworktypeis1.
lchargeable-public—ThisnetworkprovidesaccesstotheInternetbasedonpayment.For
example,asubscription-basedInternetaccessinacoffeeshoporahotelofferingchargeable
in-roomInternetaccessservice.Thecorrespondingintegervalueforthisnetworktypeis2.
lfree-public—Thisnetworkisaccessibletoallwithoutanychargesapplied.Forexample,a
hotspotinairportorotherpublicplacesthatprovideInternetaccesswithnoadditionalcost.
Thecorrespondingintegervalueforthisnetworktypeis3.
lpersonal-device—Thisnetworkisaccessibleforpersonaldevices.Forexample,alaptopor
cameraconfiguredwithaprinterforthepurposeofprinting.Thecorrespondingintegervalue
forthisnetworktypeis4.
lemergency-services—Thisnetworkislimitedtoaccessingemergencyservicesonly.The
correspondingintegervalueforthisnetworktypeis5.
ltest—Thisnetworkisusedfortestpurposesonly.Thecorrespondingintegervalueforthis
networktypeis14.
lwildcard—Thisnetworkindicatesawildcardnetwork.Thecorrespondingintegervalueforthis
networktypeis15.
addtl-roam-cons-
ois
SpecifythenumberofadditionalroamingconsortiumOrganizationIdentifiers(OIs)advertisedby
theAP.YoucanspecifyuptothreeadditionalOIs.
asra EnabletheAdditionalStepsRequiredforAccess(asra) toindicateifadditionalstepsare
requiredforauthentication.Whenenabled,thefollowinginformationissenttotheclientin
responsetoanANQPquery.ForASRA,ensurethatthenetworkauthenticationtypeis
associated.
comeback-mode EnablethisparametertoallowtheclienttoobtainaGASRequestandResponseasa
Comeback-RequestandComeback-Response.Bydefault,thiscomebackmodeisdisabled.
gas-comeback-
delay
SpecifyaGAScomebackdelayintervalinmillisecondstoallowtheclienttoretrievethequery
responseusingacomebackrequestactionframewhentheGASresponseisdelayed.Youcan
specifyavaluewithintherangeof100-2000millisecondsandthedefaultvalueis500
milliseconds.
group-frame-
block
EnablethisparameterifyouwanttostoptheAPfromsendingforwarddownstreamgroup-
addressedframes.
hessid SpecifyaHomogenousExtendedServiceSetIdentifier(HESSID)inahexadecimalformat
separatedbycolons.
internet SpecifythisparametertoallowtheIAPtosendanInformationElement(IE)indicatingthatthe
networkallowsInternetaccess.
p2p-cross-
connect
SpecifythisparametertoadvertisesupportforP2PCrossConnections.
p2p-dev-mgmt SpecifythisparametertoadvertisesupportforP2Pdevicemanagement.
pame-bi SpecifythisparametertoenablePre-AssociationMessageExchangeBSSIDIndependent
(PAME-BI)bit,withwhichtheIAPcanindicatethattheAdvertisementServercanreturnaquery
responseindependentoftheBSSIDusedintheGASFrameexchange.
Table68:HotspotConfigurationParameters

Parameter Description
query-
response-
length-limit
SpecifythisparametertosetthemaximumlengthoftheGASqueryresponse,inoctets.Youcan
specifyavaluewithintherangeof1-127.Thedefaultvalueis127.
roam-cons-len-
1
roam-cons-len-
2
roam-cons-len-
3
Specifythelengthoftheorganizationidentifier.Thevalueoftheroam-cons-len-1,roam-cons-
len-2,orroam-cons-len-3.TheroamingconsortiumOI isbasedonthefollowingparameters:
l0:ZeroOctetsintheOI(Null)
l3:OIlengthis24-bit(3Octets)
l5:OIlengthis36-bit(5Octets)
venue-group Specifyoneofthefollowingvenuegroups
lassembly
lbusiness
leducational
lfactory-and-industrial
linstitutional
lmercantile
loutdoor
lresidential
lstorage
lutility-and-misc
lvehicular
Bydefault,thebusinessvenuegroupisused.
venue-type SpecifyavenuetypetobeadvertisedintheANQPIEsfromIAPsassociatedwiththishotspot
profile.Formoreinformationaboutthesupportedvenuetypesforeachvenuegroup,seeTable
67.
Table68:HotspotConfigurationParameters
Associating an Advertisement Profile to a Hotspot Profile
To associate a hotspot profile with an advertisement profile:
(Instant AP)(config)# hotspot hs-profile <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-protocol <protocol>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-3gpp <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-domain-name <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-ip-addr-avail <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-nai-realm <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-nwk-auth <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-roam-cons <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile anqp-venue-name <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile h2qp-conn-cap <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile h2qp-oper-class <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile h2qp-oper-name <name>
(Instant AP)(Hotspot2.0 <name>)# advertisement-profile h2qp-wan-metrics <name>
(Instant AP)(Hotspot2.0 <name>)# end
(Instant AP)# commit apply
The configuration parameters for associating an advertisement profile with a hotspot profile are described in the following table:
Table 69: Advertisement Association Parameters

Parameter: advertisement-profile
Description: Specify the advertisement profile to associate with this hotspot profile. For information on advertisement profiles, see Creating Advertisement Profiles for Hotspot Configuration on page 343.

Parameter: advertisement-protocol
Description: Specify the advertisement protocol types as Access Network Query Protocol (ANQP) as anqp.
Creating a WLAN SSID and Associating Hotspot Profile
To create a WLAN SSID with Enterprise Security and WPA2 Encryption Settings:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# essid <ESSID-name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# vlan <vlan-ID>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute>{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa2-aes}
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# l2-auth-failthrough
(Instant AP)(SSID Profile <name>)# termination
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-authentication|user-association}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# set-role-by-ssid
(Instant AP)(SSID Profile <name>)# hotspot-profile <name>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Sample Configuration
Step 1 - Creating ANQP and H2QP Advertisement Profile
(Instant AP)# configure terminal
(Instant AP)(config)# hotspot anqp-nai-realm-profile nr1
(Instant AP)(nai-realm "nr1")# nai-realm-name name1
(Instant AP)(nai-realm "nr1")# nai-realm-encoding utf8
(Instant AP)(nai-realm "nr1")# nai-realm-eap-method eap-sim
(Instant AP)(nai-realm "nr1")# nai-realm-auth-id-1 non-eap-inner-auth
(Instant AP)(nai-realm "nr1")# nai-realm-auth-value-1 mschapv2
(Instant AP)(nai-realm "nr1")# nai-home-realm
(Instant AP)(nai-realm "nr1")# exit
(Instant AP)(config)# hotspot anqp-venue-name-profile vn1
(Instant AP)(venue-name "vn1")# venue-group business
(Instant AP)(venue-name "vn1")# venue-type research-and-dev-facility
(Instant AP)(venue-name "vn1")# venue-lang-code eng
(Instant AP)(venue-name "vn1")# venue-name VenueName
(Instant AP)(venue-name "vn1")# exit
(Instant AP)(config)# hotspot anqp-nwk-auth-profile na1
(Instant AP)(network-auth "na1")# nwk-auth-type accept-term-and-cond
(Instant AP)(network-auth "na1")# url www.nwkauth.com
(Instant AP)(network-auth "na1")# exit
(Instant AP)(config)# hotspot anqp-roam-cons-profile rc1
(Instant AP)(roaming-consortium "rc1")# roam-cons-oi-len 3
(Instant AP)(roaming-consortium "rc1")# roam-cons-oi 888888
(Instant AP)(roaming-consortium "rc1")# exit
(Instant AP)(config)# hotspot anqp-3gpp-profile 3g
(Instant AP)(3gpp "3g")# 3gpp-plmn1 40486
(Instant AP)(3gpp "3g")# exit
(Instant AP)(config)# hotspot anqp-ip-addr-avail-profile ip1
(Instant AP)(IP-addr-avail "ip1")# no ipv4-addr-avail
(Instant AP)(IP-addr-avail "ip1")# ipv6-addr-avail
(Instant AP)(IP-addr-avail "ip1")# exit
(Instant AP)(config)# hotspot anqp-domain-name-profile dn1
(Instant AP)(domain-name "dn1")# domain-name DomainName
(Instant AP)(domain-name "dn1")# exit
(Instant AP)(config)# hotspot h2qp-oper-name-profile on1
(Instant AP)(operator-friendly-name "on1")# op-lang-code eng
(Instant AP)(operator-friendly-name "on1")# op-fr-name OperatorFriendlyName
(Instant AP)(operator-friendly-name "on1")# exit
Step 2: Creating a hotspot profile
(Instant AP)# configure terminal
(Instant AP)(config)# hotspot hs-profile hs1
(Instant AP)(Hotspot2.0 "hs1")# enable
(Instant AP)(Hotspot2.0 "hs1")# comeback-mode
(Instant AP)(Hotspot2.0 "hs1")# gas-comeback-delay 10
(Instant AP)(Hotspot2.0 "hs1")# no asra
(Instant AP)(Hotspot2.0 "hs1")# no internet
(Instant AP)(Hotspot2.0 "hs1")# query-response-length-limit 20
(Instant AP)(Hotspot2.0 "hs1")# access-network-type chargeable-public
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-len-1 3
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-oi-1 123456
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-len-2 3
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-oi-2 223355
(Instant AP)(Hotspot2.0 "hs1")# addtl-roam-cons-ois 0
(Instant AP)(Hotspot2.0 "hs1")# venue-group business
(Instant AP)(Hotspot2.0 "hs1")# venue-type research-and-dev-facility
(Instant AP)(Hotspot2.0 "hs1")# pame-bi
(Instant AP)(Hotspot2.0 "hs1")# group-frame-block
(Instant AP)(Hotspot2.0 "hs1")# p2p-dev-mgmt
(Instant AP)(Hotspot2.0 "hs1")# p2p-cross-connect
(Instant AP)(Hotspot2.0 "hs1")# end
(Instant AP)# commit apply
Step 3: Associating advertisement profiles with the hotspot profile
(Instant AP)# configure terminal
(Instant AP)(config)# hotspot hs-profile hs1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-nai-realm nr1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-venue-name vn1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-nwk-auth na1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-roam-cons rc1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-3gpp 3g1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-ip-addr-avail ip1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-domain-name dn1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile h2qp-oper-name on1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile h2qp-wan-metrics wm1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile h2qp-conn-cap cc1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile h2qp-oper-class oc1
(Instant AP)(Hotspot2.0 "hs1")# exit
Step 4: Associate the hotspot profile with WLAN SSID:
(Instant AP)# configure terminal
(Instant AP)# wlan ssid-profile ssidProfile1
(Instant AP)(SSID Profile "ssidProfile1")# essid hsProf
(Instant AP)(SSID Profile "ssidProfile1")# type employee
(Instant AP)(SSID Profile "ssidProfile1")# vlan 200
(Instant AP)(SSID Profile "ssidProfile1")# opmode wpa2-aes
(Instant AP)(SSID Profile "ssidProfile1")# blacklist
(Instant AP)(SSID Profile "ssidProfile1")# mac-authentication
(Instant AP)(SSID Profile "ssidProfile1")# l2-auth-failthrough
(Instant AP)(SSID Profile "ssidProfile1")# radius-accounting
(Instant AP)(SSID Profile "ssidProfile1")# radius-accounting-mode user-association
(Instant AP)(SSID Profile "ssidProfile1")# radius-interim-accounting-interval 10
(Instant AP)(SSID Profile "ssidProfile1")# radius-reauth-interval 20
(Instant AP)(SSID Profile "ssidProfile1")# max-authentication-failures 2
(Instant AP)(SSID Profile "ssidProfile1")# set-role-by-ssid
(Instant AP)(SSID Profile "ssidProfile1")# hotspot-profile hs1
(Instant AP)(SSID Profile "ssidProfile1")# end
(Instant AP)# commit apply
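The documented ranges in Table 68 and the profile names used in Steps 1 to 3 can be checked mechanically before running commit apply. The following Python is an added example, not Aruba code and not part of the guide. It assumes each OI is written as hexadecimal digits (two per octet), that an "advertisement-profile <kind> <name>" line must match a "hotspot <kind>-profile <name>" line in the same input, and that the input holds a single hs-profile; the input lines are a constructed copy of the hs1 sample.

```python
import re

# Constructed input: the hs1 sample from Steps 1-3, reduced to the lines the checks read.
SAMPLE = """\
(Instant AP)(config)# hotspot anqp-nai-realm-profile nr1
(Instant AP)(config)# hotspot anqp-venue-name-profile vn1
(Instant AP)(config)# hotspot anqp-nwk-auth-profile na1
(Instant AP)(config)# hotspot anqp-roam-cons-profile rc1
(Instant AP)(config)# hotspot anqp-3gpp-profile 3g
(Instant AP)(config)# hotspot anqp-ip-addr-avail-profile ip1
(Instant AP)(config)# hotspot anqp-domain-name-profile dn1
(Instant AP)(config)# hotspot h2qp-oper-name-profile on1
(Instant AP)(config)# hotspot hs-profile hs1
(Instant AP)(Hotspot2.0 "hs1")# gas-comeback-delay 10
(Instant AP)(Hotspot2.0 "hs1")# query-response-length-limit 20
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-len-1 3
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-oi-1 123456
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-len-2 3
(Instant AP)(Hotspot2.0 "hs1")# roam-cons-oi-2 223355
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-nai-realm nr1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-venue-name vn1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-nwk-auth na1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-roam-cons rc1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-3gpp 3g1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-ip-addr-avail ip1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile anqp-domain-name dn1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile h2qp-oper-name on1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile h2qp-wan-metrics wm1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile h2qp-conn-cap cc1
(Instant AP)(Hotspot2.0 "hs1")# advertisement-profile h2qp-oper-class oc1
"""

# One or more "(...)" prompt groups, then "#", then the command text.
PROMPT = re.compile(r'^(?:\([^)]*\)\s*)+#\s*(.*)$')
# Ranges as documented in Table 68.
RANGES = {"gas-comeback-delay": (100, 2000), "query-response-length-limit": (1, 127)}
OI_LENGTHS = {0, 3, 5}  # allowed roam-cons-len-N values per Table 68


def commands(text):
    """Yield each command as a list of words, with the CLI prompt removed."""
    for line in text.splitlines():
        match = PROMPT.match(line.strip())
        if match and match.group(1):
            yield match.group(1).split()


def validate(text):
    """Return a list of findings for one hotspot profile transcript."""
    defined, refs, values, findings = set(), [], {}, []
    for words in commands(text):
        if (words[0] == "hotspot" and len(words) == 3
                and words[1].endswith("-profile") and words[1] != "hs-profile"):
            defined.add((words[1][:-len("-profile")], words[2]))
        elif words[0] == "advertisement-profile" and len(words) == 3:
            refs.append((words[1], words[2]))
        elif len(words) == 2:
            values[words[0]] = words[1]

    for key, (low, high) in RANGES.items():
        if key in values:
            raw = values[key]
            if not raw.isdigit() or not low <= int(raw) <= high:
                findings.append(f"{key} {raw}: outside documented range {low}-{high}")

    for n in "123":
        length = values.get(f"roam-cons-len-{n}")
        oi = values.get(f"roam-cons-oi-{n}")
        if length is None and oi is None:
            continue
        if length is None or not length.isdigit() or int(length) not in OI_LENGTHS:
            findings.append(f"roam-cons-len-{n} {length}: must be 0, 3 or 5")
            continue
        oi = oi or ""
        if len(oi) != 2 * int(length) or not re.fullmatch(r"[0-9A-Fa-f]*", oi):
            findings.append(f"roam-cons-oi-{n} {oi}: not {length} octets of hex")

    for kind, name in refs:
        if (kind, name) not in defined:
            findings.append(f"advertisement-profile {kind} {name}: "
                            f"no 'hotspot {kind}-profile {name}' in the input")
    return findings


if __name__ == "__main__":
    for finding in validate(SAMPLE):
        print(finding)
```

Run against the sample as printed, it reports gas-comeback-delay 10 as outside the documented 100-2000 range and four advertisement-profile names (3g1, wm1, cc1, oc1) that none of the checked lines define.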

Chapter 30
Mobility Access Switch Integration
This chapter provides the following information:
• Mobility Access Switch Overview
• Configuring IAPs for MAS Integration
Mobility Access Switch Overview
The Aruba Mobility Access Switch (MAS) enables secure, role-based network access for wired users and devices, independent of their location or application. Installed in wiring closets, the MAS delivers up to 384 wire-speed Gigabit Ethernet switch ports and operates as a wired access point when deployed with an Aruba Mobility Controller.
As a wired access point, users and their devices are authenticated and assigned a unique role by the Mobility Controller. These roles are applied irrespective of whether the user is a Wi-Fi client, or is connected to a port on the MAS. The use of MAS allows an enterprise workforce to have consistent and secure access to network resources based on the type of users, client devices, and connection method used.
Instant supports S3500 and S2500 Mobility Access Switch models.
For more information on MAS, see ArubaOS 7.2 User Guide.
MAS Integration with an IAP
You can integrate an IAP with a MAS by connecting it directly to the MAS port. The following MAS integration features can be applied while integrating MAS with an IAP:
• Rogue AP containment—When a rogue AP is detected by an IAP, it sends the MAC Address of the rogue AP to the MAS. The MAS blacklists the MAC address of the rogue AP and turns off the PoE on the port.
• PoE prioritization—When an IAP is connected directly into the MAS port, the MAS increases the PoE priority of the port. This is done only if the PoE priority is set by default in the MAS.
The PoE Prioritization and Rogue AP Containment features are available for ArubaOS 7.2 release on Aruba Mobility Access Switches.
• GVRP Integration—Configuring GARP VLAN Registration Protocol (GVRP) in ArubaOS MAS enables the switch to dynamically register or de-register VLAN information received from a GVRP applicant such as an IAP. GVRP also enables the switch to propagate the registered VLAN information to the neighboring switches in the network.
The static VLANs associated with the wired and wireless profiles in use are propagated to the upstream MAS using GVRP messages.
For information on steps to integrate MAS with an IAP, see Configuring IAPs for MAS Integration on page 355.
Configuring IAPs for MAS Integration
When an IAP is integrated with MAS, the Link Layer Discovery Protocol (LLDP) is enabled. Using this protocol, the IAPs instruct the MAS to turn off the ports where rogue APs are connected, perform actions such as increasing the PoE priority, and configure the VLANs on the ports to which the IAPs are connected.
You can enable MAS integration using either the Instant UI or the CLI.
In the Instant UI
1. Navigate to System > General.
2. Select Enabled from the MAS integration drop-down list. The MAS integration status is displayed in the Info tab of Instant main window as shown in the following figure:
Figure 128 - MAS Integration Status
In the CLI
To enable MAS integration:
(Instant AP)(config)# mas-integration
(Instant AP)(config)# end
(Instant AP)# commit apply

ClearPass Guest Setup
To configure ClearPass Guest:
1. On ClearPass Guest, navigate to Administration > AirGroup Services.
2. Click Configure AirGroup Services.
Figure 129 Configure AirGroup Services
3. Click Add a new controller.
Figure 130 Add a New Controller for AirGroup Services
4. Update the fields with the appropriate information.
Ensure that the port configured matches the CoA port (RFC 3576) set on the IAP configuration.
Figure 131 Configure AirGroup Services Controller Settings
5. Click Save Configuration.
In order to demonstrate AirGroup, either an AirGroup Administrator or an AirGroup Operator account must be created.
1. Navigate to the ClearPass Policy Manager UI, and navigate to Configuration > Identity > Local Users.
Figure 132 Configuration > Identity > Local Users Selection
2. Click Add User.
3. Create an AirGroup Administrator.
Figure 133 Create an AirGroup Administrator
4. In this example, the password used is test123. Click Add.
5. Now click Add User, and create an AirGroup Operator.
Figure 134 Create an AirGroup Operator
6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
Figure 135 Local Users UI Screen
7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in.
8. After logging in, click Create Device.
Figure 136 Create a Device
The following page is displayed.
Figure 137 - Register Shared Device
For this test, add your Apple TV device name and MAC address but leave all other fields empty.
9. Click Register Shared Device.
Testing
To verify the setup:
1. Disconnect your Apple TV and OS X Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller's user table using these commands:
  • Find the MAC address—show user table
  • Delete the address from the table—aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices. To limit access to the Apple TV, access the ClearPass Guest UI using either the AirGroup admin or the AirGroup operator credentials. Next, navigate to List Devices > Test Apple TV > Edit. Add a user name that is not used to log in to the Apple devices in the Shared With field.
3. Disconnect and remove the OS X Mountain Lion/iOS 6 device from the controller's user table. Reconnect the device without using the user name that you added to the Shared With field. The Apple TV should not be available to this device.
4. Disconnect the OS X Mountain Lion/iOS 6 device and delete it from the controller's user table. Reconnect using the user name that was added to the Shared With field. The OS X Mountain Lion/iOS 6 device should once again have access to the Apple TV.
Troubleshooting
Table 70: Troubleshooting

Problem: Limiting devices has no effect.
Solution: Ensure IPv6 is disabled.

Problem: Apple Macintosh running Mountain Lion can use AirPlay but iOS devices cannot.
Solution: Ensure IPv6 is disabled.

IAP-VPN Deployment Scenarios
This section describes the most common IAP-VPN deployment models and provides information to carry out the necessary configuration procedures. The examples in this section refer to more than one DHCP profile and wired port configuration in addition to wireless SSID configuration. All these are optional. In most networks, a single DHCP profile and a wireless SSID configuration referring to a DHCP profile is sufficient.
The following scenarios are described in this section:
• Scenario 1 - IPSec: Single Datacenter Deployment with No Redundancy
• Scenario 2 - IPSec: Single Datacenter with Multiple Controllers for Redundancy
• Scenario 3 - IPSec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy
• Scenario 4 - GRE: Single Datacenter Deployment with No Redundancy

Scenario 1 - IPSec: Single Datacenter Deployment with No Redundancy
This scenario includes the following configuration elements:
1. Single VPN primary configuration using IPSec
2. Split tunneling of client traffic
3. Split tunneling of DNS traffic from clients
4. Distributed L3 and Centralized L2 mode DHCP
5. RADIUS server within corporate network and authentication survivability for branch survivability
6. Wired and wireless users in L2 and L3 modes respectively
7. Access rules defined for wired and wireless networks to permit all traffic
Topology
Figure 138 shows the topology and the IP addressing scheme used in this scenario.
Figure 138 Scenario 1 - IPSec: Single datacenter Deployment with No Redundancy
The following IP addresses are used in the examples for this scenario:
• 10.0.0.0/8 is the corporate network
• 10.20.0.0/16 subnet is reserved for L2 mode
• 10.30.0.0/16 subnet is reserved for L3 mode
• Client count in each branch is 200
AP Configuration
The following table provides information on the configuration steps performed through the CLI with example values. For information on the UI procedures, see the topics referenced in the UI Procedure column.

Table 71: IAP Configuration for Scenario 1 - IPSec: Single Datacenter Deployment with No Redundancy

Step 1. Configure the primary host for VPN with the Public VRRP IP address of the controller.
CLI commands:
(ap)(config)# vpn primary <public VRRP IP of controller>
UI procedure: See Configuring an IPSec Tunnel

Step 2. Configure a routing profile to tunnel all 10.0.0.0/8 subnet traffic to controller.
CLI commands:
(ap)(config)# routing-profile
(ap)(routing-profile)# route 10.0.0.0 255.0.0.0 <public VRRP IP of controller>
UI procedure: See Configuring Routing Profiles

Step 3. Configure Enterprise DNS for split DNS. The example uses a specific enterprise domain to only tunnel all DNS queries matching that domain to corporate.
CLI commands:
(ap)(config)# internal-domains
(ap)(domains)# domain-name corpdomain.com
UI procedure: See Configuring Enterprise Domains

Step 4. Configure centralized L2 and distributed L3 with VLAN 20 and 30 respectively.
CLI commands:
Centralized L2 profile
(ap)(config)# ip dhcp l2-dhcp
(ap)(DHCP Profile "l2-dhcp")# server-type Centralized,L2
(ap)(DHCP Profile "l2-dhcp")# server-vlan 20
Distributed L3 profile
(ap)(config)# ip dhcp l3-dhcp
(ap)(DHCP Profile "l3-dhcp")# server-type Distributed,L3
(ap)(DHCP Profile "l3-dhcp")# server-vlan 30
(ap)(DHCP Profile "l3-dhcp")# ip-range 10.30.0.0 10.30.255.255
(ap)(DHCP Profile "l3-dhcp")# dns-server 10.1.1.50,10.1.1.30
(ap)(DHCP Profile "l3-dhcp")# domain-name corpdomain.com
(ap)(DHCP Profile "l3-dhcp")# client-count 200
NOTE: The IP range configuration on each branch will be the same. Each IAP will derive a smaller subnet based on the client count scope using the Branch ID (BID) allocated by controller.
UI procedure: See Configuring a Centralized DHCP Scope and Configuring Distributed DHCP Scopes

Step 5. Create authentication servers for user authentication. The example assumes 802.1x SSID.
CLI commands:
(ap)(config)# wlan auth-server server1
(ap)(Auth Server "server1")# ip 10.2.2.1
(ap)(Auth Server "server1")# port 1812
(ap)(Auth Server "server1")# acctport 1813
(ap)(Auth Server "server1")# key "presharedkey"
(ap)(Auth Server "server1")# exit
(ap)(config)# wlan auth-server server2
(ap)(Auth Server "server2")# ip 10.2.2.2
(ap)(Auth Server "server2")# port 1812
(ap)(Auth Server "server2")# acctport 1813
(ap)(Auth Server "server2")# key "presharedkey"
UI procedure: See Configuring an External Server for Authentication

Step 6. Configure wired and wireless SSIDs using the authentication servers and access rules created above and enable authentication survivability.
CLI commands:
Configure wired ports to operate in L2 mode and associate centralized L2 mode VLAN 20 to the wired port profile.
(ap)(config)# wired-port-profile wired-port
(ap)(wired-port-profile "wired-port")# switchport-mode access
(ap)(wired-port-profile "wired-port")# allowed-vlan all
(ap)(wired-port-profile "wired-port")# native-vlan 20
(ap)(wired-port-profile "wired-port")# no shutdown
(ap)(wired-port-profile "wired-port")# access-rule-name wired-port
(ap)(wired-port-profile "wired-port")# type employee
(ap)(wired-port-profile "wired-port")# auth-server server1
(ap)(wired-port-profile "wired-port")# auth-server server2
(ap)(wired-port-profile "wired-port")# dot1x
(ap)(wired-port-profile "wired-port")# exit
(ap)(config)# enet1-port-profile wired-port
Configure a wireless SSID to operate in L3 mode and associate distributed L3 mode VLAN 30 to the WLAN SSID profile.
(ap)(config)# wlan ssid-profile wireless-ssid
(ap)(SSID Profile "wireless-ssid")# enable
(ap)(SSID Profile "wireless-ssid")# type employee
(ap)(SSID Profile "wireless-ssid")# essid wireless-ssid
(ap)(SSID Profile "wireless-ssid")# opmode wpa2-aes
(ap)(SSID Profile "wireless-ssid")# vlan 30
(ap)(SSID Profile "wireless-ssid")# auth-server server1
(ap)(SSID Profile "wireless-ssid")# auth-server server2
(ap)(SSID Profile "wireless-ssid")# auth-survivability
UI procedure: See Configuring a Wired Profile and Wireless Network Profiles

Step 7. Create access rule for wired and wireless authentication. In this example, the rule permits all traffic.
CLI commands:
For wired profile:
(ap)(config)# wlan access-rule wired-port
(ap)(Access Rule "wired-port")# rule any any match any any any permit
For WLAN SSID:
(ap)(config)# wlan access-rule wireless-ssid
(ap)(Access Rule "wireless-ssid")# rule any any match any any any permit
UI procedure: See Configuring Access Rules for Network Services

NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the IAP cluster.
AP Connected Switch Configuration
Client VLANs defined in this example must be opened on the upstream switches in multi AP deployments, as client traffic from slave to master is tagged with the client VLAN.
Datacenter Configuration
For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 227. Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN.

Scenario 2 - IPSec: Single Datacenter with Multiple Controllers for Redundancy
This scenario includes the following configuration elements:
• A VRRP instance between the master/standby-master pair, which is configured as the primary VPN IP address.
• Tunneling of all traffic to datacenter.
• Exception route to bypass tunneling of RADIUS and AirWave traffic, which are locally reachable in the branch and the Internet respectively.
• All client DNS queries are tunneled to the controller.
• Distributed L3 and Centralized L2 mode DHCP on all branches. L3 is used by the employee network and L2 is used by the guest network with captive portal.
• Wired and wireless users in L2 and L3 modes.
• Access rules defined for wired and wireless networks.
Topology
Figure 139 shows the topology and the IP addressing scheme used in this scenario.
Figure 139 Scenario 2 - IPSec: Single Datacenter with Multiple controllers for Redundancy
The following IP addresses are used in the examples for this scenario:
• 10.0.0.0/8 is the corporate network
• 10.20.0.0/16 subnet is reserved for L2 mode – used for guest network
• 10.30.0.0/16 subnet is reserved for L3 mode
• Client count in each branch is 200
• 10.2.2.0/24 is a branch owned subnet, which needs to override global routing profile
• 199.127.104.32 is used as an example IP address of the AirWave server in the Internet
AP Configuration
The following table provides information on the configuration steps performed through the CLI with example values. For information on the UI procedures, see the topics referenced in the UI Procedure column.
Table 72: IAP Configuration for Scenario 2 - IPSec: Single Datacenter with Multiple controllers for Redundancy

Step 1. Configure the primary host for VPN with the Public VRRP IP address of the controller.
CLI commands:
(ap)(config)# vpn primary <public VRRP IP of controller>
UI procedure: See Configuring an IPSec Tunnel

Step 2. Configure routing profiles to tunnel traffic through IPSec.
CLI commands:
(ap)(config)# routing-profile
(ap)(routing-profile)# route 0.0.0.0 0.0.0.0 <public VRRP IP of controller>
UI procedure: See Configuring Routing Profiles

Step 3. Define routing profile exception RADIUS server and AirWave IPs, since the design requirement for this solution requires local RADIUS authentication, even though the IP matches the routing profile destination.
CLI commands:
(ap)(config)# routing-profile
(ap)(routing-profile)# route 10.2.2.1 255.255.255.255 0.0.0.0
(ap)(routing-profile)# route 10.2.2.2 255.255.255.255 0.0.0.0
(ap)(routing-profile)# route 199.127.104.32 255.255.255.255 0.0.0.0
UI procedure: See Configuring Routing Profiles

Step 4. Configure Enterprise DNS. The configuration example tunnels all DNS queries to the original DNS server of clients without proxying on IAP.
CLI commands:
(ap)(config)# internal-domains
(ap)(domains)# domain-name *
UI procedure: See Configuring Enterprise Domains

Step 5. Configure centralized L2 and distributed L3 with VLAN 20 and 30 respectively.
CLI commands:
Centralized L2 profile
(ap)(config)# ip dhcp l2-dhcp
(ap)(DHCP Profile "l2-dhcp")# server-type Centralized,L2
(ap)(DHCP Profile "l2-dhcp")# server-vlan 20
Distributed L3 profile
(ap)(config)# ip dhcp l3-dhcp
(ap)(DHCP Profile "l3-dhcp")# server-type Distributed,L3
(ap)(DHCP Profile "l3-dhcp")# server-vlan 30
(ap)(DHCP Profile "l3-dhcp")# ip-range 10.30.0.0 10.30.255.255
(ap)(DHCP Profile "l3-dhcp")# dns-server 10.1.1.50,10.1.1.30
(ap)(DHCP Profile "l3-dhcp")# domain-name corpdomain.com
(ap)(DHCP Profile "l3-dhcp")# client-count 200
NOTE: The IP range configuration on each branch will be the same. Each IAP will derive a smaller subnet based on the client count scope using the Branch ID (BID) allocated by controller.
UI procedure: See Configuring a Centralized DHCP Scope and Configuring Distributed DHCP Scopes

Step 6. Create authentication servers for user authentication. The example assumes 802.1x SSID.
CLI commands:
(ap)(config)# wlan auth-server server1
(ap)(Auth Server "server1")# ip 10.2.2.1
(ap)(Auth Server "server1")# port 1812
(ap)(Auth Server "server1")# acctport 1813
(ap)(Auth Server "server1")# key "presharedkey"
(ap)(Auth Server "server1")# exit
(ap)(config)# wlan auth-server server2
(ap)(Auth Server "server2")# ip 10.2.2.2
(ap)(Auth Server "server2")# port 1812
(ap)(Auth Server "server2")# acctport 1813
(ap)(Auth Server "server2")# key "presharedkey"
UI procedure: See Configuring an External Server for Authentication

Step 7. Configure wired and wireless SSIDs using the authentication servers and access rules created above and enable authentication survivability.
CLI commands:
Configure wired ports to operate in L3 mode and associate distributed L3 mode VLAN 30 to the wired port profile.
(ap)(config)# wired-port-profile wired-port
(ap)(wired-port-profile "wired-port")# switchport-mode access
(ap)(wired-port-profile "wired-port")# allowed-vlan all
(ap)(wired-port-profile "wired-port")# native-vlan 30
(ap)(wired-port-profile "wired-port")# no shutdown
(ap)(wired-port-profile "wired-port")# access-rule-name wired-port
(ap)(wired-port-profile "wired-port")# type employee
(ap)(wired-port-profile "wired-port")# auth-server server1
(ap)(wired-port-profile "wired-port")# auth-server server2
(ap)(wired-port-profile "wired-port")# dot1x
(ap)(wired-port-profile "wired-port")# exit
(ap)(config)# enet1-port-profile wired-port
Configure a wireless SSID to operate in L2 mode and associate Centralized L2 mode VLAN 20 to the WLAN SSID profile.
(ap)(config)# wlan ssid-profile guest
(ap)(SSID Profile "guest")# enable
(ap)(SSID Profile "guest")# type guest
(ap)(SSID Profile "guest")# essid guest
(ap)(SSID Profile "guest")# opmode opensystem
(ap)(SSID Profile "guest")# vlan 20
(ap)(SSID Profile "guest")# auth-server server1
(ap)(SSID Profile "guest")# auth-server server2
(ap)(SSID Profile "guest")# captive-portal internal
NOTE: This example uses internal captive portal use case using external authentication server. You can also use an external captive portal example.
NOTE: The SSID type guest is used in this example to enable configuration of captive portal. However, corporate access through VPN tunnel is still allowed for this SSID because the VLAN associated to this SSID is a VPN enabled VLAN (20 in this example).
UI procedure: See Configuring a Wired Profile and Wireless Network Profiles

Step 8. Create access rule for wired and wireless authentication. In this example, the rule permits all traffic.
CLI commands:
For wired profile:
(ap)(config)# wlan access-rule wired-port
(ap)(Access Rule "wired-port")# rule any any match any any any permit
For WLAN SSID:
(ap)(config)# wlan access-rule guest
(ap)(Access Rule "guest")# rule any any match any any any permit
UI procedure: See Configuring Access Rules for Network Services

NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the IAP cluster.
AP Connected Switch Configuration
Client VLANs defined in this example must be opened on the upstream switches in multiple AP deployments, as client traffic from slave to master is tagged with the client VLAN.
Datacenter Configuration
For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 227. Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN.
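The routing profiles of Scenario 1 (split tunnel) and Scenario 2 (full tunnel with exceptions) decide which client traffic leaves the branch outside the IPSec tunnel, so they are worth checking offline before commit apply. The following Python is an added example, not Aruba code and not part of the guide. It assumes the most specific matching route wins, that a gateway of 0.0.0.0 means the traffic is not tunneled, that traffic matching no route stays local, and it uses 192.0.2.10 as a constructed stand-in for the controller's public VRRP IP.

```python
import ipaddress

# Constructed stand-in for "<public VRRP IP of controller>" (documentation range).
CONTROLLER = "192.0.2.10"

# Routing profile lines from Scenario 1 (step 2) and Scenario 2 (steps 2 and 3).
SCENARIO1 = [f"(ap)(routing-profile)# route 10.0.0.0 255.0.0.0 {CONTROLLER}"]
SCENARIO2 = [
    f"(ap)(routing-profile)# route 0.0.0.0 0.0.0.0 {CONTROLLER}",
    "(ap)(routing-profile)# route 10.2.2.1 255.255.255.255 0.0.0.0",
    "(ap)(routing-profile)# route 10.2.2.2 255.255.255.255 0.0.0.0",
    "(ap)(routing-profile)# route 199.127.104.32 255.255.255.255 0.0.0.0",
]


def parse_routes(lines):
    """Turn 'route <destination> <mask> <gateway>' lines into (network, gateway) pairs."""
    routes = []
    for line in lines:
        words = line.split("#", 1)[-1].split()
        if len(words) == 4 and words[0] == "route":
            network = ipaddress.ip_network(f"{words[1]}/{words[2]}")
            routes.append((network, words[3]))
    return routes


def decide(destination, routes):
    """Return ('tunnel' or 'local', matched network or None) for one destination IP.

    Assumption: longest-prefix match; gateway 0.0.0.0 marks a tunnel bypass.
    """
    address = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in routes if address in net]
    if not matches:
        return "local", None
    network, gateway = max(matches, key=lambda match: match[0].prefixlen)
    return ("local" if gateway == "0.0.0.0" else "tunnel"), network


def wide_bypasses(routes):
    """List bypass routes broader than a single host (the guide's exceptions are /32)."""
    return [net for net, gw in routes if gw == "0.0.0.0" and net.prefixlen < 32]


if __name__ == "__main__":
    for name, profile in (("Scenario 1", SCENARIO1), ("Scenario 2", SCENARIO2)):
        routes = parse_routes(profile)
        # Destinations: corporate DNS, the two RADIUS servers' subnet, AirWave, an Internet host.
        for dest in ("10.1.1.50", "10.2.2.1", "10.2.2.3", "199.127.104.32", "198.51.100.7"):
            action, network = decide(dest, routes)
            print(f"{name}: {dest:15} -> {action:6} (matched {network})")
        print(f"{name}: bypass routes wider than one host: {wide_bypasses(routes)}")
```

In Scenario 2 only the three listed hosts bypass the tunnel, so a neighbor such as 10.2.2.3 is still tunneled; the wide_bypasses check flags an exception written with a shorter mask than 255.255.255.255.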
Scenario 3 - IPSec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy
This scenario includes the following configuration elements:
• Multiple controller deployment model with controllers in different datacenters operating as primary/backup VPN with fast-failover and pre-emption enabled.
• Split tunneling of traffic.
• Split tunneling of client DNS traffic.
• Two Distributed L3 mode DHCPs, one each for employee and contractors and one Local mode DHCP server.
• RADIUS server within corporate network and authentication survivability enabled for branch survivability.
• Wired and wireless users in L3 and NAT modes respectively.
• Access rules for wired and wireless users with source NAT based rule for contractor roles to bypass global routing profile.
• OSPF based route propagation on controller.
Topology
Figure 140 shows the topology and the IP addressing scheme used in this scenario.
Figure 140 Scenario 3 - IPSec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy
The IP addressing scheme used in this example is as follows:
• 10.0.0.0/8 is the corporate network.
• 10.30.0.0/16 subnet is reserved for L3 mode – used by Employee SSID.
• 10.40.0.0/16 subnet is reserved for L3 mode – used by Contractor SSID.
• 172.16.20.0/24 subnet is used for NAT mode – used for wired network.
• Client count in each branch is 200.
• Contractors are only permitted to reach 10.16.0.0/16 network.
AP Configuration
This section provides information on configuration steps performed through the CLI or the UI.
1. Configure the primary IP address. This IP address is the Public IP address of the controller. Fast failover is enabled for fast convergence.
CLI Commands:
(ap)(config)# vpn primary <public IP of primary controller>
(ap)(config)# vpn backup <public IP of backup controllers>
(ap)(config)# vpn preemption
(ap)(config)# vpn fast-failover
UI Procedure: See Configuring an IPSec Tunnel
2. Configure routing profiles to tunnel traffic through IPSec.
CLI Commands:
(ap)(config)# routing-profile
(ap)(routing-profile)# route 0.0.0.0 0.0.0.0 <public IP of primary controller>
(ap)(routing-profile)# route 10.0.0.0 255.0.0.0 <public IP of backup controller>
UI Procedure: See Configuring Routing Profiles
3. Configure Enterprise DNS for split DNS. The example in the CLI Commands column uses a specific enterprise domain to tunnel all DNS queries matching that domain to corporate.
CLI Commands:
(ap)(config)# internal-domains
(ap)(domains)# domain-name corpdomain.com
UI Procedure: See Configuring Enterprise Domains
4. Configure distributed L3 DHCP profiles with VLAN 30 and 40.
CLI Commands:
Distributed L3 profile with VLAN 30
(ap)(config)# ip dhcp l3-dhcp
(ap)(DHCP profile "l3-dhcp")# server-type Distributed,L3
(ap)(DHCP profile "l3-dhcp")# server-vlan 30
(ap)(DHCP profile "l3-dhcp")# ip-range 10.30.0.0 10.30.255.255
(ap)(DHCP profile "l3-dhcp")# dns-server 10.1.1.50,10.1.1.30
(ap)(DHCP profile "l3-dhcp")# domain-name corpdomain.com
(ap)(DHCP profile "l3-dhcp")# client-count 200
Distributed L3 profile with VLAN 40
(ap)(config)# ip dhcp l3-dhcp
(ap)(DHCP profile "l3-dhcp")# server-type Distributed,L3
(ap)(DHCP profile "l3-dhcp")# server-vlan 40
(ap)(DHCP profile "l3-dhcp")# ip-range 10.40.0.0 10.40.255.255
(ap)(DHCP profile "l3-dhcp")# dns-server 10.1.1.50,10.1.1.30
(ap)(DHCP profile "l3-dhcp")# domain-name corpdomain.com
(ap)(DHCP profile "l3-dhcp")# client-count 200
Local profile with VLAN 20
(ap)(config)# ip dhcp local
(ap)(DHCP profile "local")# server-type Local
(ap)(DHCP profile "local")# server-vlan 20
(ap)(DHCP profile "local")# subnet 172.16.20.1
(ap)(DHCP profile "local")# subnet-mask 255.255.255.0
(ap)(DHCP profile "local")# lease-time 86400
(ap)(DHCP profile "local")# dns-server 10.1.1.30,10.1.1.50
(ap)(DHCP profile "local")# domain-name arubanetworks.com
NOTE: The IP range configuration on each branch will be the same. Each IAP will derive a smaller subnet based on the client count scope using the Branch ID (BID) allocated by controller.
UI Procedure: See Configuring Distributed DHCP Scopes and Configuring Local and Local,L3 DHCP Scopes
5. Create authentication servers for user authentication. The example in the CLI Commands column assumes 802.1x SSID.
CLI Commands:
(ap)(config)# wlan auth-server server1
(ap)(Auth Server "server1")# ip 10.2.2.1
(ap)(Auth Server "server1")# port 1812
(ap)(Auth Server "server1")# acctport 1813
(ap)(Auth Server "server1")# key "presharedkey"
(ap)(Auth Server "server1")# exit
(ap)(config)# wlan auth-server server2
(ap)(Auth Server "server2")# ip 10.2.2.2
(ap)(Auth Server "server2")# port 1812
(ap)(Auth Server "server2")# acctport 1813
(ap)(Auth Server "server2")# key "presharedkey"
UI Procedure: See Configuring an External Server for Authentication
6. Configure wired and wireless SSIDs using the authentication servers and access rules and enable authentication survivability.
CLI Commands:
Configure wired ports to operate in NAT mode and associate VLAN 20 to the wired port profile.
(ap)(config)# wired-port-profile wired-port
(ap)(wired-port-profile "wired-port")# switchport-mode access
(ap)(wired-port-profile "wired-port")# allowed-vlan all
(ap)(wired-port-profile "wired-port")# native-vlan 20
(ap)(wired-port-profile "wired-port")# no shutdown
(ap)(wired-port-profile "wired-port")# access-rule-name wired-port
(ap)(wired-port-profile "wired-port")# type employee
(ap)(wired-port-profile "wired-port")# auth-server server1
(ap)(wired-port-profile "wired-port")# auth-server server2
(ap)(wired-port-profile "wired-port")# dot1x
(ap)(wired-port-profile "wired-port")# exit
(ap)(config)# enet1-port-profile wired-port
Configure a wireless SSID to operate in L3 mode for employee and associate distributed L3 mode VLAN 30 to the WLAN SSID profile.
(ap)(config)# wlan ssid-profile wireless-ssid
(ap)(SSID Profile "wireless-ssid")# enable
(ap)(SSID Profile "wireless-ssid")# type employee
(ap)(SSID Profile "wireless-ssid")# essid wireless-ssid
(ap)(SSID Profile "wireless-ssid")# opmode wpa2-aes
(ap)(SSID Profile "wireless-ssid")# vlan 30
(ap)(SSID Profile "wireless-ssid")# auth-server server1
(ap)(SSID Profile "wireless-ssid")# auth-server server2
(ap)(SSID Profile "wireless-ssid")# auth-survivability
Configure a wireless SSID to operate in L3 mode for contractor and associate distributed L3 mode VLAN 40 to the WLAN SSID profile.
(ap)(config)# wlan ssid-profile wireless-ssid-contractor
(ap)(SSID Profile "wireless-ssid-contractor")# enable
(ap)(SSID Profile "wireless-ssid-contractor")# type employee
(ap)(SSID Profile "wireless-ssid-contractor")# essid wireless-ssid-contractor
(ap)(SSID Profile "wireless-ssid-contractor")# opmode wpa2-aes
(ap)(SSID Profile "wireless-ssid-contractor")# vlan 40
(ap)(SSID Profile "wireless-ssid-contractor")# auth-server server1
(ap)(SSID Profile "wireless-ssid-contractor")# auth-server server2
(ap)(SSID Profile "wireless-ssid-contractor")# auth-survivability
UI Procedure: See Configuring a Wired Profile and Wireless Network Profiles
7. Create access rule for wired and wireless authentication. In this example, the rule permits all traffic. For contractor SSID role, the rule allows only 10.16.0.0/16 network and all other traffic address is translated at the source and the global routing profile definition is bypassed.
CLI Commands:
For wired profile:
(ap)(config)# wlan access-rule wired-port
(ap)(Access Rule "wired-port")# rule any any match any any any permit
For WLAN SSID employee roles:
(ap)(config)# wlan access-rule wireless-ssid
(ap)(Access Rule "wireless-ssid")# rule any any match any any any permit
For WLAN SSID contractor roles:
(ap)(config)# wlan access-rule wireless-ssid-contractor
(ap)(Access Rule "wireless-ssid-contractor")# rule 10.16.0.0 255.255.0.0 match any any any permit
(ap)(Access Rule "wireless-ssid-contractor")# rule any any match any any any src-nat
UI Procedure: See Configuring Access Rules for Network Services
NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the IAP cluster.
Table 73: IAP Configuration for Scenario 3 - IPSec: Multiple Datacenter Deployment
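The Scenario 3 access rules from step 7, evaluated per role to show which destinations each role is permitted to reach and which fall to the catch-all. This is an added example, not code from the Aruba guide: it assumes rules are checked top-down with the first match winning and an implicit deny when nothing matches, it models destination matching only (every rule on the page matches any service), and the sample destination addresses are constructed.

```python
import ipaddress

# Access rules copied from the Scenario 3 commands on this page, keyed by role.
ACCESS_RULES = {
    "wired-port": ["rule any any match any any any permit"],
    "wireless-ssid": ["rule any any match any any any permit"],
    "wireless-ssid-contractor": [
        "rule 10.16.0.0 255.255.0.0 match any any any permit",
        "rule any any match any any any src-nat",
    ],
}
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line):
    """Split 'rule <dest> <mask> match <proto> <sport> <eport> <action>'."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "rule" or tok[3] != "match":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    if tok[4:7] != ["any", "any", "any"]:
        # Every rule on the page matches any service; others are out of scope.
        raise ValueError(f"service-specific rule not modelled: {line!r}")
    net = ANY if tok[1] == "any" else ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
    return net, tok[7]


def decide(role, dst):
    """Action applied to traffic from `role` to destination `dst`.

    Assumptions: rules are evaluated top-down, the first match wins, and
    traffic that matches no rule is denied.
    """
    addr = ipaddress.ip_address(dst)
    for net, action in map(parse_rule, ACCESS_RULES[role]):
        if addr in net:
            return action
    return "deny"


def audit(role):
    """Networks permitted before any catch-all rule, plus the catch-all action."""
    permitted, catch_all = [], "deny"
    for net, action in map(parse_rule, ACCESS_RULES[role]):
        if net == ANY:
            catch_all = action
            break  # rules after a catch-all can never match
        if action == "permit":
            permitted.append(str(net))
    return {"permitted": permitted, "catch_all": catch_all,
            "permit_all": catch_all == "permit"}


if __name__ == "__main__":
    # Constructed sample destinations: the contractor-allowed network, the
    # employee L3 subnet, a DNS server from the DHCP scopes, an outside host.
    samples = ["10.16.5.10", "10.30.0.25", "10.1.1.50", "203.0.113.10"]
    for role in ACCESS_RULES:
        print(role, audit(role))
        for dst in samples:
            print(f"  {dst:<14} -> {decide(role, dst)}")
```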

AP Connected Switch Configuration
Client VLANs defined in this example must be opened on the upstream switches in multiple AP deployments, as client traffic from slave to master is tagged with the client VLAN.
Datacenter Configuration
For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 227. The following OSPF configuration is required on the controller to redistribute IAP-VPN routes to upstream routers.
(host)(config)# router ospf
(host)(config)# router ospf router-id <ID>
(host)(config)# router ospf area 0.0.0.0
(host)(config)# router ospf redistribute rapng-vpn

Scenario 4 - GRE: Single Datacenter Deployment with No Redundancy
This scenario includes the following configuration elements:
• Single VPN primary configuration using GRE
  - Aruba GRE, which does not require any configuration on the Aruba Mobility Controller that acts as a GRE endpoint.
  - Manual GRE, which requires GRE tunnels to be explicitly configured on the GRE-endpoint that can be an Aruba Mobility Controller or any device that supports GRE termination.
• Tunneling of all traffic to datacenter
• Centralized L2 mode DHCP profile
• RADIUS server within corporate network and authentication survivability for branch survivability.
• Wired and wireless users in L2 mode
• Access rules defined for wired and wireless networks to permit all traffic
Topology
Figure 141 shows the topology and the IP addressing scheme used in this scenario:
Figure 141 Scenario 4 - GRE: Single Datacenter Deployment with No Redundancy
The following IP addresses are used in the examples for this scenario:
• 10.0.0.0/8 is the corporate network.
• 10.20.0.0/16 subnet is reserved for L2 mode.
AP Configuration
This section provides information on configuration steps performed through the CLI or the UI.

1. Configure Aruba GRE or manual GRE
• Aruba GRE uses an IPSec tunnel to facilitate controller configuration and requires VPN to be configured. This VPN tunnel is not used for any client traffic.
• Manual GRE uses standard GRE tunnel configuration and requires controller configuration to complete the GRE tunnel.
CLI Commands:
Aruba GRE configuration
(ap)(config)# vpn primary <controller-IP>
(ap)(config)# vpn gre-outside
Manual GRE configuration
(ap)(config)# gre primary <controller-IP>
(ap)(config)# gre type 80
Per-AP GRE tunnel configuration
Optionally, per-AP GRE tunnel can also be enabled, which causes each IAP to form an independent GRE tunnel to the GRE end-point. This requires each IAP MAC to be present in the controller whitelist if Aruba GRE is used, or GRE configuration for the IP of each IAP on the controller for Manual GRE.
(ap)(config)# gre per-ap-tunnel
NOTE: Starting with 6.4.0.2-4.1, if Virtual Controller IP is configured and per-AP GRE tunnel is disabled, IAP uses Virtual Controller IP as the GRE source IP. For Manual GRE, this simplifies configuration on controller, since only the Virtual Controller IP destined GRE tunnel interface configuration is required.
UI Procedure: See Enabling Automatic Configuration of GRE Tunnel and Manually Configuring a GRE Tunnel
2. Configure routing profiles to tunnel traffic through GRE.
CLI Commands:
(ap)(config)# routing-profile
(ap)(routing-profile)# route 0.0.0.0 0.0.0.0 <IP of GRE-endpoint>
UI Procedure: See Configuring Routing Profiles
3. Configure Enterprise DNS. The example in the CLI Commands column tunnels all DNS queries to the client's original DNS server without proxying on IAP.
CLI Commands:
(ap)(config)# internal-domains
(ap)(domains)# domain-name *
UI Procedure: See Configuring Enterprise Domains
4. Configure centralized L2 DHCP profile with VLAN 20.
CLI Commands:
Centralized L2 DHCP profile VLAN 20
(ap)(config)# ip dhcp l2-dhcp
(ap)(DHCP profile "l2-dhcp")# server-type Centralized,L2
(ap)(DHCP profile "l2-dhcp")# server-vlan 20
UI Procedure: See Configuring a Centralized DHCP Scope
5. Create authentication servers for user authentication. The example in the CLI Commands column assumes 802.1x SSID.
CLI Commands:
(ap)(config)# wlan auth-server server1
(ap)(Auth Server "server1")# ip 10.2.2.1
(ap)(Auth Server "server1")# port 1812
(ap)(Auth Server "server1")# acctport 1813
(ap)(Auth Server "server1")# key "presharedkey"
(ap)(Auth Server "server1")# exit
(ap)(config)# wlan auth-server server2
(ap)(Auth Server "server2")# ip 10.2.2.2
(ap)(Auth Server "server2")# port 1812
(ap)(Auth Server "server2")# acctport 1813
(ap)(Auth Server "server2")# key "presharedkey"
UI Procedure: See Configuring an External Server for Authentication
6. Configure wired and wireless SSIDs using the authentication servers and access rules, and enable authentication survivability.
CLI Commands:
Configure wired ports to operate in centralized L2 mode and associate VLAN 20 to the wired port profile.
(ap)(config)# wired-port-profile wired-port
(ap)(wired-port-profile "wired-port")# switchport-mode access
(ap)(wired-port-profile "wired-port")# allowed-vlan all
(ap)(wired-port-profile "wired-port")# native-vlan 20
(ap)(wired-port-profile "wired-port")# no shutdown
(ap)(wired-port-profile "wired-port")# access-rule-name wired-port
(ap)(wired-port-profile "wired-port")# type employee
(ap)(wired-port-profile "wired-port")# auth-server server1
(ap)(wired-port-profile "wired-port")# auth-server server2
(ap)(wired-port-profile "wired-port")# dot1x
(ap)(wired-port-profile "wired-port")# exit
(ap)(config)# enet1-port-profile wired-port
Configure a wireless SSID to operate in centralized L2 mode and associate VLAN 20 to the WLAN SSID profile.
(ap)(config)# wlan ssid-profile wireless-ssid
(ap)(SSID Profile "wireless-ssid")# enable
(ap)(SSID Profile "wireless-ssid")# type employee
(ap)(SSID Profile "wireless-ssid")# essid wireless-ssid
(ap)(SSID Profile "wireless-ssid")# opmode wpa2-aes
(ap)(SSID Profile "wireless-ssid")# vlan 20
(ap)(SSID Profile "wireless-ssid")# auth-server server1
(ap)(SSID Profile "wireless-ssid")# auth-server server2
(ap)(SSID Profile "wireless-ssid")# auth-survivability
UI Procedure: See Configuring a Wired Profile and Wireless Network Profiles
7. Create access rule for wired and wireless authentication.
CLI Commands:
For wired profile:
(ap)(config)# wlan access-rule wired-port
(ap)(Access Rule "wired-port")# rule any any match any any any permit
For WLAN SSID employee roles:
(ap)(config)# wlan access-rule wireless-ssid
(ap)(Access Rule "wireless-ssid")# rule any any match any any any permit
UI Procedure: See Configuring Access Rules for Network Services
NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the IAP cluster.
Table 74: IAP Configuration for Scenario
AP Connected Switch Configuration
Client VLANs defined in this example must be opened on the upstream switches in multiple AP deployments, as client traffic from slave to master is tagged with the client VLAN.
Datacenter Configuration
For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 227. The following GRE configuration is required on the controller:
(host)(config)# interface tunnel <Number>
(host)(config-tunnel)# description <Description>
(host)(config-tunnel)# tunnel mode gre <ID>
(host)(config-tunnel)# tunnel source <controller-IP>
(host)(config-tunnel)# tunnel destination <AP-IP>
(host)(config-tunnel)# trusted
(host)(config-tunnel)# tunnel vlan <allowed-VLAN>

Terminology
Acronyms and Abbreviations
The following table lists the abbreviations used in this document.
Abbreviation  Expansion
ARM           Adaptive Radio Management
ARP           Address Resolution Protocol
BSS           Basic Server Set
BSSID         Basic Server Set Identifier
CA            Certification Authority
CLI           Command Line Interface
DHCP          Dynamic Host Configuration Protocol
DMZ           Demilitarized Zone
DNS           Domain Name System
EAP-TLS       Extensible Authentication Protocol-Transport Layer Security
EAP-TTLS      Extensible Authentication Protocol-Tunneled Transport Layer Security
IAP           Instant Access Point
IDS           Intrusion Detection System
IEEE          Institute of Electrical and Electronics Engineers
ISP           Internet Service Provider
LEAP          Lightweight Extensible Authentication Protocol
MX            Mail Exchanger
MAC           Media Access Control
NAS           Network Access Server
NAT           Network Address Translation
NS            Name Server
NTP           Network Time Protocol
PEAP          Protected Extensible Authentication Protocol
PEM           Privacy Enhanced Mail
PoE           Power over Ethernet
RADIUS        Remote Authentication Dial In User Service
VC            Virtual Controller
VSA           Vendor-Specific Attributes
WLAN          Wireless Local Area Network
Table 75: List of abbreviations
Glossary
The following table lists the terms and their definitions used in this document.
802.11: An evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.
802.11a: Provides specifications for wireless systems. Networks using 802.11a operate at radio frequencies in the 5 GHz band. The specification uses a modulation scheme known as orthogonal frequency-division multiplexing (OFDM) that is especially well suited to use in office settings. The maximum data transfer rate is 54 Mbps.
802.11b: WLAN standard often called Wi-Fi; backward compatible with 802.11. Instead of the phase-shift keying (PSK) modulation method historically used in 802.11 standards, 802.11b uses complementary code keying (CCK), which allows higher data speeds and is less susceptible to multipath-propagation interference. 802.11b operates in the 2.4 GHz band and the maximum data transfer rate is 11 Mbps.
802.11g: Offers transmission over relatively short distances at up to 54 Mbps, compared with the 11 Mbps theoretical maximum of 802.11b. 802.11g operates in the 2.4 GHz band and employs orthogonal frequency division multiplexing (OFDM), the modulation scheme used in 802.11a, to obtain higher data speed. Computers or terminals set up for 802.11g can fall back to speeds of 11 Mbps, so that 802.11b and 802.11g devices can be compatible within a single network.
802.11n: Wireless networking standard to improve network throughput over the two previous standards 802.11a and 802.11g with a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. 802.11n operates in the 2.4 and 5.0 bands.
AP: An access point (AP) connects users to other users within the network and also can serve as the point of interconnection between the WLAN and a fixed wire network. The number of access points a WLAN needs is determined by the number of users and the size of the network.
access point mapping: The act of locating and possibly exploiting connections to WLANs while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a WLAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources.
ad-hoc network: A LAN or other small network, especially one with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in some close proximity to the rest of the network.
band: A specified range of frequencies of electromagnetic radiation.
DHCP: The Dynamic Host Configuration Protocol (DHCP) is an auto-configuration protocol used on IP networks. Computers or any network peripherals that are connected to IP networks must be configured, before they can communicate with other computers on the network. DHCP allows a computer to be configured automatically, eliminating the need for a network administrator. DHCP also provides a central database to keep track of computers connected to the network. This database helps in preventing any two computers from being configured with the same IP address.
DNS Server: A Domain Name System (DNS) server functions as a phonebook for the Internet and Internet users. It converts human readable computer hostnames into IP addresses and vice-versa. A DNS server stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element.
DST: Daylight saving time (DST), also known as summer time, is the practice of advancing clocks, so that evenings have more daylight and mornings have less. Typically clocks are adjusted forward one hour near the start of spring and are adjusted backward in autumn.
EAP: Extensible authentication protocol (EAP) refers to the authentication protocol in wireless networks that expands on methods used by the point-to-point protocol (PPP), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.
fixed wireless: Wireless devices or systems in fixed locations such as homes and offices. Fixed wireless devices usually derive their electrical power from the utility mains, unlike mobile wireless or portable wireless which tend to be battery-powered. Although mobile and portable systems can be used in fixed locations, efficiency and bandwidth are compromised compared with fixed systems.
frequency allocation: Use of radio frequency spectrum regulated by governments.
frequency spectrum: Part of the electromagnetic spectrum.
hotspot: A WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hotspot, contact it, and get connected through its network to reach the Internet and their own company remotely with a secure connection. Increasingly, public places, such as airports, hotels, and coffee shops are providing free wireless access for customers.
IEEE 802.11 standards: The IEEE 802.11 is a set of standards that are categorized based on the radio wave frequency and the data transfer rate.
POE: Power over Ethernet (PoE) is a method of delivering power on the same physical Ethernet wire used for data communication. Power for devices is provided in one of the following two ways:
• Endspan: The switch that an AP is connected for power supply.
• Midspan: A device can sit between the switch and APs
The choice of endspan or midspan depends on the capabilities of the switch to which the IAP is connected. Typically if a switch is in place and does not support PoE, midspan power injectors are used.
PPPoE: Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the Internet typically used with DSL services where the client connects to the DSL modem.
QoS: Quality of Service (QoS) refers to the capability of a network to provide better service to a specific network traffic over various technologies.
RF: Radio Frequency (RF) refers to the portion of electromagnetic spectrum in which electromagnetic waves are generated by feeding alternating current to an antenna.
TACACS: Family of protocols that handle remote authentication and related services for network access control through a centralized server.
TACACS+: Derived from TACACS but an entirely new and separate protocol to handle AAA services. TACACS+ uses TCP and is not compatible with TACACS. Because it encrypts password, username, authorization, and accounting, it is less vulnerable than RADIUS.
VPN: A Virtual Private Network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN ensures privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). Data is encrypted at the sending end and decrypted at the receiving end.
W-CDMA: Officially known as IMT-2000 direct spread; ITU standard derived from Code-Division Multiple Access (CDMA). Wideband code-division multiple access (W-CDMA) is a third-generation (3G) mobile wireless technology that promises much higher data speeds to mobile and portable wireless devices than commonly offered in today's market.
Wi-Fi: A term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard. Wi-Fi has gained acceptance in many businesses, agencies, schools, and homes as an alternative to a wired LAN. Many airports, hotels, and fast-food facilities offer public access to Wi-Fi networks.
WEP: Wired equivalent privacy (WEP) is a security protocol specified in 802.11b, designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. Data encryption protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms such as password protection, end-to-end encryption, virtual private networks (VPNs), and authentication can be put in place to ensure privacy.
wireless: Describes telecommunications in which electromagnetic waves (rather than some form of wire) carry the signal over part or all of the communication path.
wireless network: In a Wireless LAN (WLAN), laptops, desktops, PDAs, and other computer peripherals are connected to each other without any network cables. These network elements or clients use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards.
WISP: Wireless ISP (WISP) refers to an internet service provider (ISP) that allows subscribers to connect to a server at designated hotspots (access points) using a wireless connection such as Wi-Fi. This type of ISP offers broadband service and allows subscriber computers, called stations, to access the Internet and the Web from anywhere within the zone of coverage provided by the server antenna, usually a region with a radius of several kilometers.
wireless service provider: A company that offers transmission services to users of wireless devices through radio frequency (RF) signals rather than through end-to-end wire communication.
WLAN: Wireless local area network (WLAN) is a local area network (LAN) that the users access through a wireless connection.
Table 76: List of Terms