Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to: Hewlett Packard Enterprise Company Attn: General Counsel 3000 Hanover Street Palo Alto, CA 94304 Revision 03 | October 2016 Aruba Instant 6.5.0.0-4.3.0.0 | User Guide...
Configuring System Parameters Changing Password Customizing IAP Settings Modifying the IAP Host Name Configuring Zone Settings on an IAP Specifying a Method for Obtaining IP Address Configuring External Antenna Configuring Radio Profiles for an IAP
Editing a Wired Profile Deleting a Wired Profile Link Aggregation Control Protocol Understanding Hierarchical Deployment Captive Portal for Guest Access Understanding Captive Portal Configuring a WLAN SSID for Guest Access Configuring Wired Profile for Guest Access
DHCP Configuration Configuring DHCP Scopes Configuring the Default DHCP Scope for Client IP Assignment Configuring Time-Based Services Time Range Profiles Configuring a Time Range Profile Applying a Time Range Profile to a WLAN SSID
Enabling Enhanced Voice Call Tracking Services Configuring AirGroup Configuring an IAP for RTLS Support Configuring an IAP for Analytics and Location Engine Support Managing BLE Beacons Configuring OpenDNS Credentials Integrating an IAP with Palo Alto Networks Firewall
Converting an IAP to a Remote AP and Campus AP Resetting a Remote AP or Campus AP to an IAP Rebooting the IAP Monitoring Devices and Logs Configuring SNMP Configuring a Syslog Server Configuring TFTP Dump Server Running Debug Commands
Scenario 2—IPsec: Single Datacenter with Multiple Controllers for Redundancy Scenario 3—IPsec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy Scenario 4—GRE: Single Datacenter Deployment with No Redundancy Glossary Acronyms and Abbreviations Glossary
Chapter 1 About this Guide This User Guide describes the features supported by Aruba Instant and provides detailed instructions for setting up and configuring the Instant network. Intended Audience This guide is intended for administrators who configure and use IAPs. Related Documents...
Indicates a risk of personal injury or death.
Contacting Support
Table 2: Support Information
Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
Airheads Social Forums and Knowledge Base: community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone: arubanetworks.com/support-services/contact-support/
Software Licensing Site: hpe.com/networking/support
End-of-life Information: arubanetworks.com/support-services/end-of-life/
Security Incident Response Team (SIRT): Site: arubanetworks.com/support-services/security-bulletins/ Email: sirt@arubanetworks.com
What is New in this Release on page 15 Instant Overview Instant virtualizes Aruba Mobility Controller capabilities on 802.11-capable access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. Instant is a simple, easy to deploy turnkey WLAN solution consisting of one or more IAPs. An Ethernet port with routable connectivity to the Internet or a self-enclosed network is used for deploying an Instant Wireless Network.
IAP first, and add the new IAP. Aruba recommends that networks with more than 128 IAPs be designed as multiple, smaller VC networks with Layer-3 mobility enabled between these networks.
Login page. To view the Instant UI, ensure that JavaScript is enabled on the web browser. The Instant UI logs out automatically if the window is inactive for 15 minutes.
IAPs can trigger a radio profile to perform frequent scanning and selection of a valid channel in a short span of time. A new command, ap-frequent-scan enables the IAPs to frequently scan signals in the radio profile.
Instant versions prior to Instant 6.5.0.0-4.3.0.0, the devices will reboot with the Image Sync Fail reason. To resolve this issue, upgrade the existing cluster to minimum Instant 6.5.0.0-4.3.0.0 release, and then add the new IAP devices.
The IAP-330 wireless access points provide the following capabilities: IEEE 802.11a/b/g/n/ac wireless access point IEEE 802.11a/b/g/n/ac wireless air monitor IEEE 802.11a/b/g/n/ac spectrum analysis Compatible with IEEE 802.3at PoE+ power sources Centralized management, configuration and upgrades Integrated BLE radio
If there is no DHCP service on the network, the IAP can be assigned a static IP address. If a static IP is not assigned, the IAP obtains an IP automatically within the 169.254 subnet.
IAPs. Aruba Activate is hosted in the cloud and is available at activate.arubanetworks.com. You can register for a free account by using the serial number and MAC address of the device you currently own. For more information on how to set up your device and provision using Aruba Activate, refer to the Aruba Activate User Guide.
Stop Bits Flow Control 9600 None None 3. Turn on the IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
During reboot, if the VC has the Central URL stored, it will connect directly to Central using the activation key obtained from the Aruba Activate server. If there is no URL stored, the VC tries to establish a connection with the Activate server every 5 minutes, until a successful SSL connection is established and the activation key is obtained.
MAC address will be displayed under the Info section of the main window. You can also check the cloud activation key of an IAP by running the show about and show activate status commands. For more information on these commands, refer to the Aruba Instant 6.5.0.0-4.3.0.0 CLI Reference Guide.
Israel for most of the IAP models. For IAP-RW variants, you can select from the list of supported regulatory domains. If the supported country code is not in the list, contact your Aruba Support team to know if the required country code is supported and obtain the software that supports the required country code.
CLI context. The CLI does not support the configuration data exceeding the 4K buffer size in a CLI session. Therefore, Aruba recommends that you configure fewer changes at a time and apply the changes at regular intervals.
The Instant CLI does not support positioning or precedence of sequence-sensitive commands. Therefore, Aruba recommends that you remove the existing configuration before adding or modifying the configuration details for sequence-sensitive commands. You can either delete an existing profile or remove a specific configuration by using the no…...
0 to disable CLI session timeouts. The users must re-login to the IAP after the session times out. The session does not time out when the value is set to 0.
Perform the following checks before configuring the managed mode command parameters: Ensure that the IAP is running Instant 6.2.1.0-3.4 or later versions. When the IAPs are in the managed mode, ensure that the IAPs are not managed by AirWave.
You can use either FTP or FTPS for downloading configuration files.
5. Specify the name of the server or the IP address of the server from which the configuration file must be downloaded.
(Instant AP)(managed-mode-profile)# server <server_name>
(Instant AP)# show managed-mode config
(Instant AP)# show managed-mode status
2. Verify the status of download by running the following command at the command prompt:
(Instant AP)# show managed-mode logs
If the configuration settings retrieved in the configuration file are incomplete, IAPs reboot with the earlier configuration.
You can also select the required language option from the Languages drop-down list located on the Instant main window. Logging into the Instant UI To log in to the Instant UI, enter the following credentials: Username—admin Password—admin The Instant UI main window is displayed.
When you log in to an IAP with the factory default settings, a popup box displays an option to sign up for the Aruba cloud solution and enable IAP management through Aruba Central. To sign up for a free 90-day trial of...
Serial number—Serial number of the device. Channel—Channel on which the IAP is currently broadcast. Power (dB)—Maximum transmission Effective Isotropic Radiated Power (EIRP) of the radio. Utilization (%)—Percentage of time that the channel is utilized.
New Version Available System Security Maintenance More Help Logout Monitoring Client Match AppRF Spectrum Alerts AirGroup Configuration AirWave Setup Pause/Resume Each of these links is explained in the subsequent sections.
ARM Overview on page 253. Radio—Allows you to view or configure radio settings for 2.4 GHz and the 5 GHz radio profiles. For information on Radio, see Configuring Radio Settings on page 260.
The Maintenance link displays a window that allows you to maintain the Wi-Fi network. The Maintenance window consists of the following tabs: About—Displays the name of the product, build time, IAP model name, the Instant version, website address of Aruba Networks, and copyright information. Configuration—Displays the following details: Current Configuration—Displays the current configuration details.
Wired Services DHCP Server Support The VPN window allows you to define communication settings with an Aruba controller or a third party VPN concentrator. See VPN Configuration on page 228 for more information. The following figure shows an example of the IPsec configuration options available in the VPN window: Figure 5 VPN Window for IPsec Configuration The IDS window allows you to configure wireless intrusion detection and protection levels.
Figure 6 IDS Window: Intrusion Detection Figure 7 IDS Window: Intrusion Protection For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue IAPs on page 327.
Firewall and XML API server. For more information on IAP integration with PAN, see Integrating an IAP with Palo Alto Networks Firewall on page 295 and Integrating an IAP with an XML API Interface on page 297.
Command—Allows you to select a support command for execution. Target—Displays a list of IAPs in the network. Run—Allows you to execute the selected command for a specific IAP or all IAPs and view logs.
Similarly, in the Access Point or the Client view, this section displays the configuration information of the selected IAP or the client.
Info section in the Access Point view: The Info section in the Access Point view displays the following information: Name—Displays the name of the selected IAP. IP Address—Displays the IP address of the IAP.
The following figure shows an example of the RF dashboard with Utilization, Band frames, Noise Floor, and Errors details: Figure 11 RF Dashboard in the Monitoring Pane The following table describes the icons available on the RF Dashboard pane:
Orange—Utilization is between 50% and 75%. Red—Utilization is more than 75%. To view the utilization graph of an IAP, click the Utilization icon next to the IAP in the Utilization column.
The RF Trends section displays the following graphs for the selected IAP and the client. To view the details on the graphs, click the graphs and hover the mouse on a data point: Figure 12 RF Trends for Access Point Figure 13 RF Trends for Clients
Maximum, and Average statistics of the client for the last 15 minutes.
3. Study the Speed graph in the RF Trends pane. For example, the graph shows that the data transfer
VC in the last 15 minutes. In the Network view or the Access Point view, this graph displays the incoming and outgoing throughput traffic for the selected network or IAP in the last 15 minutes. Figure 14 Usage Trends Graphs in the Default View
15 minutes. To see the exact throughput of the selected network at a particular time, move the cursor over the graph line.
To see the free memory of the IAP, move the cursor over the graph line.
1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
The Instant UI shows the client and IAP association over the last 15 minutes. Access Point—The IAP name with which the client was associated. Mobility information about the client is reset each time it roams from one IAP to another.
Wi-Fi devices currently seen by a spectrum monitor or a hybrid IAP radio. Channel Utilization and Monitoring—This chart provides an overview of channel quality across the spectrum. It shows channel utilization information such as channel quality, availability, and utilization
The following figure shows the contents of details displayed on clicking the Alerts link: Figure 17 Alerts Link The Alerts link displays the following types of alerts: Client Alerts Active Faults Fault History
Number—Indicates the number of sequence. Cleared by—Displays the module which cleared this fault. Description—Displays the event details. The following figures show the client alerts, active faults, and fault history: Figure 18 Client Alerts
authentication/encryption setting: The IAP cannot allow this client to associate because its authentication or encryption settings do not match AP's configuration. Ascertain the correct authentication or encryption settings and try to associate again.
authentication failure: this client using 802.1X, because the RADIUS server rejected the authentication credentials (for example, password) provided by the client. Ascertain the correct authentication credentials and log in again.
Channel—Displays the channel in which the foreign client is operating. Type—Displays the Wi-Fi type of the foreign client. Last seen—Displays the time when the foreign client was last detected in the network.
Figure 22 AirGroup Link Configuration The Configuration link provides an overall view of your VC, IAPs, and WLAN SSID configuration. The following figure shows the VC configuration details displayed on clicking the Configuration link.
Aruba Central The Instant UI provides a link to launch a support portal for Aruba Central. You can use Central's evaluation accounts through this website and get registered for a free account. You must fill in the registration form available on this page.
Client view, all the clients in the Instant network are listed in the Clients tab. Click the IP address of the client that you want to monitor. For more information on the graphs and the views, see Monitoring on page
SSID that has the same VLAN as the native VLAN of the upstream switch, to which the IAP is connected. By default, the IAP considers the uplink switch native VLAN value as 1.
between the elements and across the network is critical. Time synchronization allows you to: Trace and track security gaps, monitor network usage, and troubleshoot network issues.
(Instant AP)(config)# ntp-server <name>
NOTE: Reboot the IAP after modifying the radio profile for changes to take effect.
AppRF Visibility: Select one of the following options from the AppRF visibility drop-down list.
(Instant AP)(config)# dpi
tab indicating that there are new IAPs discovered in the network. Click this link if you want to add these IAPs to the network.
# no allow-new-aps
To enable auto-join mode:
SSIDs with Extended SSID disabled and up to 8 SSIDs with Extended SSID enabled. All other IAPs support up to 14 SSIDs when Extended SSID is disabled and up to 16 SSIDs with Extended SSID enabled.
CPU needs to perform. This is the default and recommended option. Always Disabled in all APs—When selected, this setting disables CPU management on all
3. Select the Hash Management Password check box. This will enable the hashing of the management user password. The check box will appear grayed out after this setting is enabled, as this setting cannot be reversed.
(Instant AP)(config)# hash-mgmt-user john password cleartext password01 usertype read-only
(Instant AP)(config)# end
(Instant AP)# commit apply
The following example removes a management user with read-only privilege:
(Instant AP)(config)# no hash-mgmt-user read-only
(Instant AP)(config)# end
(Instant AP)# commit apply
For the SSID to be assigned to an IAP, the same zone details must be configured on the SSID. For more information on SSID configuration, see Configuring WLAN Settings for an SSID Profile on page
To know if your IAP device supports external antenna connectors, refer to the Aruba Instant Installation Guide that is shipped along with the IAP device.
(Instant AP)# g-external-antenna <dBi>
Configuring Radio Profiles for an IAP
You can configure a radio profile on an IAP either manually or by using the Adaptive Radio Management (ARM) feature.
Spectrum Monitor: In Spectrum Monitor mode, the IAP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring IAPs or from non-WiFi devices such as microwaves and cordless phones.
1. On the Access Points tab, click the IAP to modify. 2. Click the edit link. 3. Click the Uplink tab. 4. Specify the VLAN in the Uplink Management VLAN text box.
Wi-Fi network. The VC is the single point of configuration and firmware management. When configured, the VC sets up and manages the Virtual Private Network (VPN) tunnel to a mobility controller in the data center.
1. On the Access Points tab, click the IAP to modify. 2. Click the edit link. 3. Select Enabled from the Preferred master drop-down list. This option is disabled by default.
2. In the New Access Point window, enter the MAC address for the new IAP. 3. Click OK. Removing an IAP from the Network You can remove an IAP from the network by using the Instant UI, only if the Auto-Join feature is disabled.
2. Click x to confirm the deletion. The deleted IAPs cannot join the Instant network anymore and are not displayed in the Instant UI. However, the master IAP details cannot be deleted from the VC database.
IP address and thus cannot connect to the Internet. In such scenario, the Instant UI now displays the following alert message: Figure 25 Uplink VLAN Detection To resolve this issue, ensure that there is no mismatch in the VLAN configuration.
V4-prefer—Supports both IPv4 and IPv6 addresses. If the IAP gets both IPv4 and IPv6 responses for a DNS query, then the IAP would prefer the IPv4 DNS address instead of the IPv6 DNS address.
SNMP agent, where the IPv6 address will be used as the VC address. For more information on configuring SNMP parameters, see Configuring SNMP on page 361. To view the SNMP configuration:
(Instant AP)# show running-config|include snmp
snmp-server community e96a5ff136b5f481b6b55af75d7735c16ee1f61ba082d7ee
snmp-server host 2001:470:20::121 version 2c aruba-string inform
show ipv6 route—displays the IPv6 routing information.
show datapath ipv6 session—displays IPv6 sessions.
show datapath ipv6 user—displays IPv6 client details.
show clients—displays the details about IAP clients.
show clients debug
(Quality of Service) QoS. To configure a new wireless network profile, complete the following procedures: Configuring WLAN Settings Configuring VLAN Settings Configuring Security Settings Configuring Access Rules for a Network
3. Based on the type of network profile, select any of the following options under Primary usage: Employee Voice Guest 4. Click the Show advanced options link. The advanced options for configuration are displayed. Specify the following parameters as required.
Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.
Best effort WMM—For best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS. Video WMM—For video traffic generated from video streaming. Voice WMM—For voice traffic generated from the incoming and outgoing voice communication.
Identifier (BSSID) on a WLAN. You can specify a value within the range of 0–255. The default value is 64. NOTE: This is a per-ap configuration setting, hence the maximum client threshold is set
To configure VLAN settings for an SSID: 1. On the VLAN tab of the New WLAN window, perform the following steps. The following figure displays the contents of the VLAN tab.
Network assigned—On selecting this option, the IP address is obtained from the network. 3. Based on the type of client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table:
To create a new VLAN assignment rule:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {{contains|ends-with|equals|matches-regular-expression|not-equals|starts-with} <operand> <vlan>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
Open—On selecting the open security level, the authentication options applicable to an open network are displayed. The default security setting for a network profile is Personal. The following figures show the configuration options for Enterprise, Personal, and Open security settings:
Figure 30 Security Tab: Open 2. Based on the security level selected, specify the following parameters:
RADIUS server by terminating the authorization protocol on the IAP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the IAP acts as a relay for this exchange.
When Reauth interval is configured on an SSID performing both L2 and L3 authentication (MAC with captive portal authentication)—When reauthentication succeeds, the client retains the role that is already assigned. If reauthentication fails, a pre-authentication role is assigned to the client.
MAC authentication fail-thru—On selecting this check box, the 802.1X authentication is attempted when the MAC authentication fails. NOTE: If Enterprise Security level is chosen, the server used for mac
support: Set to Enabled to allow the IAP to use uppercase letters in MAC address string for MAC authentication. NOTE: This option is available only if MAC authentication is enabled. Enterprise, Personal, and Open security levels.
Configuring WLAN Settings for an SSID Profile on page Configuring VLAN Settings for a WLAN SSID Profile on page 87, and Configuring Security Settings for a WLAN SSID Profile on page
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure a pre-authentication role:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-pre-auth <role>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
(Instant AP)# per-ap-ssid <text>
To configure the per-ap-vlan variable:
(Instant AP)# per-ap-vlan <vlan>
To verify the per-ap-ssid and per-ap-vlan configurations:
(Instant AP)# show ap-env
Antenna Type:Internal
name:TechPubsAP
per_ap_ssid:PCCW
per_ap_vlan:vlan
lacp_mode:enable
2. Click the Security tab. 3. Move the slider to the Enterprise security level. On selecting the Enterprise security level, the authentication options applicable to the Enterprise network are displayed.
To allow the IAP and clients to exchange neighbor reports, ensure that Client match is enabled through RF > ARM > Client match > Enabled in the UI or by executing the client-match command in the arm configuration subcommand mode. In the CLI To enable 802.11k profile:
For example, the 802.11g band supports the modulation rate including 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps and 802.11a band supports a modulation rate set including 6, 9, 12, 18, 24, 36, 48, 54 Mbps.
RTS threshold. By default, the RTS threshold is set to 2333 octets. Configuring RTS/CTS Threshold You can set the RTS/CTS threshold value within the range of 0–2347 octets. By default, the RTS/CTS threshold is set to 2333.
3. Select or clear the Disable SSID check box to disable or enable the SSID. The SSID is enabled by default. 4. Click Next (or the tab name) to move to the next tab. 5. Click Finish to save the modifications.
1. On the Network tab, click the network that you want to delete. A x link is displayed beside the network to be deleted. 2. Click x. A delete confirmation window is displayed. 3. Click Delete Now.
Uplink—Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled as Uplink port. For more
Specify the VLAN in Allowed VLAN, enter a list of comma separated digits or ranges, for example, 1,2,5 or 1–4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
802.1X authentication—To enable 802.1X authentication, select Enabled. The 802.1X authentication is disabled by default. MAC authentication fail-thru—To enable authentication fail-thru, select Enabled. When this feature is enabled, 802.1X authentication is attempted when MAC authentication fails. The MAC
Configuring VLAN for a Wired Profile on page 109, and Configuring Security Settings for a Wired Profile on page 110. You can configure access rules by using the Instant UI or the CLI.
(Instant AP)(wired ap profile <name>)# set-role <attribute>{{equals|not-equal|starts-with|ends-with|contains|matches-regular-expression}<operator> <role>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To configure a pre-authentication role:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role-pre-auth <role>
2. In the Wired window, select the wired profile to modify.
3. Click Edit. The Edit Wired Network window is displayed.
4. Modify the required settings.
5. Click Finish to save the modifications.

There is no configuration required on the IAP for enabling LACP support. However, you can view the status of LACP on IAPs by using the following command:
(Instant AP)# show lacp status
AP LACP Status
--------------

Instant network. In a single Ethernet port platform deployment, the root IAP must be configured to use the 3G uplink. A typical hierarchical deployment consists of the following:
Page 116
Ensure that the downlink port configured in a private VLAN is not used for any wired client connection. Other downlink ports can be used for connecting to the wired clients. The following figure illustrates a hierarchical deployment scenario:
Figure 31 Hierarchical Deployment

Internet. The guest users who are required to authenticate must already be added to the user database.
Internal Acknowledged—When Internal Acknowledged is enabled, a guest user must accept the terms and conditions to access the Internet.

3. Select the Guest option for Primary usage.
4. Click the Show advanced options link. The advanced options for configuration are displayed.
5. Enter the required values for the following configuration parameters:
Page 119
Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.
Page 120
DSCP Mapping.
Background WMM—For background traffic such as file downloads or print jobs.
Best effort WMM—For best effort traffic such as traffic from legacy devices or traffic...
Page 121
For example, if the VPN is down and the configured hold time is 45 seconds, the effect of this out-of-service state impacts the SSID availability after 45 seconds.
Page 122
Network assigned—On selecting this option, the IP address is obtained from the network.
8. Based on the type of client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table:

STP will not operate on the uplink port and is supported only on IAPs with three or more ports. By default, Spanning Tree is disabled on wired profiles.
4. Click Next. The VLAN tab details are displayed.
Page 125
(Instant AP)(wired ap profile <name>)# native-vlan {<guest|1…4095>}
To configure a new VLAN assignment rule:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-vlan <attribute>{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <VLAN-ID>|value-of}

Select any one of the following: Auth server 2 A server from the list of servers, if the server is already configured. Internal Server to authenticate user credentials at run time.
Page 127
If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected.
Page 128
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure internal captive portal for a wired profile:
(Instant AP)(config)# wired-port-profile <name>

In the Instant UI
1. Go to Security > External Captive Portal.
2. Click New. The New popup window is displayed.
3. Specify values for the following parameters:
Page 130
Sends the IP address of the VC in the redirection URL when external captive portal servers are used. This option is disabled by default.
Redirect URL: Specify a redirect URL if you want to redirect the users to another URL.
Page 131
Authenticated splash pages and is not applicable for wired profiles.
MAC authentication: Select Enabled if you want to enable MAC authentication. For information on MAC authentication, see Configuring MAC Authentication for a Network Profile on page 170.
Page 132
Disable if uplink type Select Enabled to configure encryption settings and specify the encryption parameters. Encryption
5. Click Next to continue and then click Finish to apply the changes.
Page 133
9c:1c:12:cb:a2:90  IAP host name
apmac  9c:1c:12:cb:a2:90  IAP MAC address
vcname  instant-C8:1D:DA  VC name
switchip  securelogin.arubanetworks.com  Captive portal domain used for external captive portal authentication
http://www.google.com/  original URL
Page 134
Enter /page_name.php in the URL text box. This URL must correspond to the Page Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is Aruba, the URL should be /Aruba.php in the Instant UI.
Facebook. If the IAP registration is successful, the Facebook configuration link is displayed in the Security tab of the WLAN wizard.
In the CLI
To configure an account for captive portal authentication:
(Instant AP)(config)# wlan ssid-profile <name>

A captive-portal role—This role can be assigned to any network such as Employee, Voice, or Guest. When the user is assigned with this role, a splash page is displayed after opening a browser and the users may need to authenticate.
Page 137
(Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression}<operator><role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure a pre-authentication role:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-pre-auth <role>

To enforce the captive portal role, use the Instant UI or the CLI.
In the Instant UI
To create a captive portal role:
1. Select an SSID profile from the Network tab. The Edit <WLAN-Profile> window is displayed.
Page 139
The initial page asks for user credentials or email, depending on the splash page type configured. To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
Page 140
6. Click OK. The enforce captive portal rule is created and listed as an access rule.
7. Create a role assignment rule based on the user role to which the captive portal access rule is assigned.
8. Click Finish.

5. To modify the list, select the domain name/URL and click Edit. To remove an entry from the list, select the URL from the list and click Delete.
6. Click OK to apply the changes.
In the CLI
To create a walled garden access:
Page 142
MAC authentication failures, and configure encryption keys for authorized access.
4. If required, configure the security parameters.
5. Click Next and then click Finish to apply the changes.
The user access privileges are determined by IAP management settings in the AirWave Management client and Aruba Central, and the type of the user. The following table outlines the access privileges defined for the admin user, guest management interface admin, and read-only users.
Page 144
4. Enter the password in the Password text box and reconfirm.
5. Select the type of network from the Type drop-down list.
6. Click Add and click OK. The users are listed in the Users list.
Page 145
You can configure authentication parameters for local admin, read-only, and guest management administrator account settings through the Instant UI or the CLI.
In the Instant UI
1. Navigate to System > Admin. The Admin tab details are displayed.
Page 146
1. Specify the Username and Password.
2. Retype the password to confirm. If a RADIUS or TACACS server is configured, select Authentication server Authentication server for authentication.
3. Click OK.
Page 147
To add guest users through the Guest Management interface:
1. Log in to the Instant UI with the guest management interface administrator credentials. The guest management interface is displayed.
Figure 35 Guest Management Interface

802.1X authentication. For more information on configuring an IAP to use 802.1X authentication, see Configuring 802.1X Authentication for a Network Profile on page 167.

Internet service providers, even if the wireless hotspot uses an Internet Service Provider (ISP) with whom the client may not have an account.
To use the IAP’s internal database for user authentication, add the usernames and passwords of the users to be authenticated. Aruba does not recommend the use of LEAP authentication, because it does not provide any resistance to network attacks.

Authentication Termination on IAP

IAPs support EAP termination for enterprise WLAN SSIDs.

(VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA. Instant supports the following VSAs for user role and VLAN derivation rules: AP-Group AP-Name
Page 154
Framed-Routing Full-Name Group Group-Name Hint Huntgroup-Name Idle-Timeout Location-Capable Location-Data Location-Information Login-IP-Host Login-IPv6-Host Login-LAT-Node Login-LAT-Port Login-LAT-Service Login-Service Login-TCP-Port Menu Message-Auth NAS-IPv6-Address NAS-Port-Type Operator-Name Password Password-Retry Port-Limit Prefix Prompt Rad-Authenticator Rad-Code
Page 155
IAP users can create several TACACS server profiles and associate these profiles to the user accounts to enable authentication of the management users. TACACS supports the following types of authentication: ASCII
Page 156
2083. RFC 3576—When set to Enabled, it allows the IAPs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. NAS IP address
Page 157
DRP VLAN—VLAN in which the RADIUS packets are sent.
DRP Gateway—Gateway IP address of the DRP VLAN.
For more information on dynamic RADIUS proxy parameters and configuration procedure, see Configuring Dynamic RADIUS Proxy Parameters on page 162.
Page 158
TACACS—To configure TACACS server, select the TACACS option and configure the following parameters:
Page 159
4. Click OK.
The ClearPass Policy Manager server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device including shared user, role, and location.
Page 160
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <host>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>
(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only
(Instant AP)(Auth Server <profile-name>)# end
Page 161
(Instant AP)(Auth Server "name")# ip <host>
(Instant AP)(Auth Server "name")# radsec [port <port>]
(Instant AP)(Auth Server "name")# rfc3576
(Instant AP)(Auth Server "name")# nas-id <id>
(Instant AP)(Auth Server "name")# nas-ip <ip>
Page 162
Associate the authentication servers to SSID or a wired profile to which the clients connect. After completing the configuration steps mentioned above, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.
Page 163
(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant AP)(Auth Server <profile-name>)# timeout <seconds>
(Instant AP)(Auth Server <profile-name>)# retry-count <number>
(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>

TKIP. TKIP—Temporal Key Integrity Protocol (TKIP) uses the same encryption algorithm as WEP. However, TKIP is more secure and has an additional message integrity check (MIC).
Page 165
WEP and TKIP are limited to WLAN connection speed of 54 Mbps. The 802.11n connection supports only AES encryption. Aruba recommends AES encryption. Ensure that all devices that do not support AES are upgraded or replaced with the devices that support AES encryption.
You can specify a value within the range of 1–99 hours and the default cache timeout duration is 24 hours.
6. Click Next and then click Finish to apply the changes.

The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS.
Page 168
(Instant AP)(config)# end
(Instant AP)# commit apply

Configuring 802.1X Authentication for Wired Profiles

You can configure 802.1X authentication for a wired profile in the Instant UI or the CLI.

In the Access Points tab, click the IAP on which you want to set the variables for 802.1X authentication, and then click the edit link.
b. In the Edit Access Point window, click the Uplink tab.

MAC authentication can be used alone or it can be combined with other forms of authentication such as WEP authentication. However, it is recommended that you do not use the MAC-based authentication.
Page 171
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To add users for MAC authentication based on internal authentication server:

This section describes the following procedures:
Configuring MAC and 802.1X Authentications for Wireless Network Profiles on page 173
Configuring MAC and 802.1X Authentications for Wired Profiles on page 173
Page 173
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 110.

9. Enter the name of the Hotspot location in the Location name text box. If no name is defined, the name of the IAP to which the user is associated is used.

5. Click OK. The Blacklisted Since tab displays the time at which the current blacklisting has started for the client.
6. To delete a client from the manual blacklist, select the MAC Address of the client under the Manual Blacklisting, and then click Delete.
Page 177
Security Settings for a WLAN SSID Profile on page
To enable session-firewall-based blacklisting, click New and navigate to WLAN Settings > VLAN > Security > Access window, and enable the Blacklist option of the corresponding ACL rule.
Page 178
Blacklist Time
Auth Failure Blacklist Time
Manually Blacklisted Clients
----------------------------
Time
----
Dynamically Blacklisted Clients
-------------------------------
Reason  Timestamp  Remaining time(sec)  AP IP
------  ---------  -------------------  -----
Dyn Blacklist Count

When a Captive Portal server certificate is uploaded using the Instant UI, the default management certificate on the UI is also replaced by the Captive portal server certificate.
Page 180
Select Server Cert for certificate Type, and provide the passphrase if you want to upload a server certificate. Select either Intermediate CA or Trusted CA certificate Type, if you want to upload a CA certificate.
Page 181
5. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the IAP.
6. To clear the certificate options, click Revert.

You can configure up to 128 access control entries in an ACL for a user role. The maximum configurable universal role is 4096.

Configuring ACL Rules for Network Services

This section describes the procedure for configuring ACLs to control access to network services.
Page 183
4. Ensure that the rule type is set to Access Control.
5. To configure a rule to control access to network services, select Network under service category and specify the following parameters:
Page 184
Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports firewall-based logging. Firewall logs on the IAPs are generated as security logs.
Page 186
Select the required option from the Destination drop-down list.
e. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.
f. Click OK.
6. Click Finish.
Page 187
Select destination-NAT from the Action drop-down list, to allow for making changes to the source IP address.
c. Specify the IP address and port details.
d. Select a service from the list of available services.
e. Select the required option from the Destination drop-down list.
Page 188
To configure protocols for ALG:
(Instant AP)(config)# alg
(Instant AP)(ALG)# sccp-disable
(Instant AP)(ALG)# no sip-disable
(Instant AP)(ALG)# no ua-disable
(Instant AP)(ALG)# no vocera-disable
(Instant AP)(ALG)# end
(Instant AP)# commit apply
Page 189
(Instant AP)(ATTACK)# end
(Instant AP)# commit apply
To view the configuration status:
(Instant AP)# show attack config
Current Attack
--------------
Attack        Status
------        ------
drop-bad-arp  Enabled
fix-dhcp      Enabled
poison-check  Enabled
Page 190
In the CLI
(Instant AP)(config)# firewall
(Instant AP)(firewall)# disable-auto-topology-rules
(Instant AP)(firewall)# end
(Instant AP)# commit apply
To view the configuration status:
Firewall
--------
Type                 Value
----                 -----
Auto topology rules  disable
Page 191
1. Navigate to Security > Inbound Firewall. The Inbound Firewall tab contents are displayed.
2. Under Inbound Firewall Rules, click New. The New Rule window is displayed.
Figure 42 Inbound Firewall Rules - New Rule Window
3. Configure the following parameters:
Page 192
IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.
Page 193
Telnet, SSH, and UI is restricted to these subnets only. You can configure management subnets by using the Instant UI or the CLI.
Page 194
2. Select Enabled from the Restrict Corporate Access drop-down list.
3. Click OK.
In the CLI
To configure restricted management access:
(Instant AP)(config)# restrict-corp-access
(Instant AP)(config)# end
(Instant AP)# commit apply

(Instant AP)(SSID Profile <name>)# content-filtering
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply

Enabling Content Filtering for a Wired Profile

To enable content filtering for a wired profile, perform the following steps:
Page 196
2. Select any WLAN SSID or wired profile role, and click New in the Access Rules section. The New Rule window appears.
3. Select Access Control from the Rule Type drop-down list.
Page 197
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation trustworthy-sites permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule "URLFilter")# end
(Instant AP)# commit apply
Page 198
To redirect blocked HTTPS websites to a custom error page URL
In the UI
1. Navigate to Security > Roles.
2. Select any WLAN SSID or Wired profile role, and click New in the Access Rules section.

To configure user roles and access rules:
(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat {<IP-address> <port>|<port>}} [<option1…option9>]
Page 200
To associate the access rule to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# access-rule-name <access-rule-name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply

You can assign a user role to the clients connecting to an SSID by any of the following methods. The role assigned by some methods may take precedence over the roles assigned by the other methods.
Page 202
RADIUS VSA Attributes

The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication. The role derived from an Aruba VSA takes precedence over roles defined by other methods.

MAC-Address Attribute

The first three octets in a MAC address are known as Organizationally Unique Identifier (OUI), and are purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority.
Page 203
(Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator><role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure role assignment rules for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
Page 204
Vendor-Specific Attributes

When an external RADIUS server is used, the user VLAN can be derived from the Aruba-User-Vlan VSA. The VSA is then carried in an Access-Accept packet from the RADIUS server. The IAP can analyze the return message and derive the value of the VLAN which it assigns to the user.
Page 205
If the rule is matched, the VLAN value defined by the rule is assigned to the user. For a complete list of RADIUS server attributes, see RADIUS Server Authentication with VSA on page 151.
Figure 47 Configuring RADIUS Attributes on the RADIUS Server
Page 206
Operand.
starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.

WLAN client. The following table lists some of the most commonly used regular expressions, which can be used in user role and user VLAN derivation rules:
Table 42: Regular Expressions
Page 208
For information on how to use regular expressions in role and VLAN derivation rules, see the following topics:
Creating a Role Derivation Rule on page 202
Configuring VLAN Derivation Rules on page 206
Page 209
To assign VLAN role to a WLAN profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals <operator> <role>|not-equals <operator> <role>|starts-with <operator> <role>|ends-with <operator> <role>|contains <operator> <role>}|value-of}
(Instant AP)(SSID Profile <name>)# end
Page 210
(Instant AP)# commit apply

2. To configure a Local; Local, L2; or Local, L3 DHCP scope, click New under Local DHCP Scopes. The New DHCP Scope window is displayed.
3. Based on the type of DHCP scope selected, configure the following parameters:
Page 212
176, 242, and 161. To add multiple DHCP options, click the + icon.
4. Click OK.
In the CLI
To configure a Local DHCP scope:
(Instant AP)(config)# ip dhcp <profile-name>
(Instant AP)(DHCP Profile <profile-name>)# server-type <local>
(Instant AP)(DHCP Profile <profile-name>)# server-vlan <vlan-ID>
Page 213
IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC is configured with a unique subnet and a corresponding scope.
Page 214
VLAN for a Wired Profile on page 109.
Netmask: If Distributed, L2 is selected for the type of DHCP scope, specify the subnet mask. The subnet mask and the network determine the size of subnet.
Page 215
6. Click Next. The Static IP tab is displayed.
7. Specify the number of first and last IP addresses to reserve in the subnet.
8. Click Finish.
In the CLI
To configure a Distributed, L2 DHCP scope:
Page 216
2. To configure a centralized DHCP scope, click New under Centralized DHCP Scopes. The New DHCP Scope window is displayed.
3. To configure a centralized profile, select the profile type as Centralized, L2 or Centralized, L3 and configure the following parameters.
Page 217
The ALU format for the Option 82 string consists of the following:
Remote Circuit ID; X AP-MAC; SSID; SSID-Type
Remote Agent; X IDUE-MAC
NOTE: The Option 82 string is specific to Alcatel and is not configurable.
4. Click OK.
If your wired network uses either 172.31.98.0/23 or 10.254.98.0/23, and you experience problems with the Virtual Controller Assigned networks after upgrading to Aruba Instant 6.2.1.0-3.4.0.0 or later, manually configure the DHCP pool by following the steps described in this section.
Page 219
(Instant AP)(DHCP)# lease-time <minutes>
(Instant AP)(DHCP)# subnet <IP-address>
(Instant AP)(DHCP)# subnet-mask <subnet-mask>
(Instant AP)(DHCP)# end
(Instant AP)# commit apply
To view the DHCP database:
(Instant AP)# show ip dhcp database
DHCP Subnet :192.0.2.0
Page 220
DHCP Netmask :255.255.255.0
DHCP Lease Time(m)
DHCP Domain Name :example.com
DHCP DNS Server :192.0.2.1

1. Navigate to System > Show advanced options > Time Based Services.
2. Click New under Time Range Profiles. The New Profile window for creating time range profiles is displayed.
3. Configure the parameters listed in the following table:

When a time range profile is enabled on an SSID, the SSID is made available to the users for the configured time range. For example, if the specified time range is 12:00–13:00, the SSID becomes available only between 12 PM and 1 PM on a given day.
Page 223
(Instant AP)(config)# time-range testhshs12 periodic daily 10:20 to 10:35
The following command creates a periodic time range profile that executes during the weekday:
(Instant AP)(config)# time-range timep3 periodic weekday 10:20 to 10:35
Page 224
The following command creates a periodic time range profile that executes during the weekend: (Instant AP)(config)# time-range timep4 periodic weekend 10:20 to 10:30 The following command removes the time range configuration: (Instant AP)(config)# no time-range testhshs12 | Configuring Time-Based Services Aruba Instant 6.5.0.0-4.3.0.0 | User Guide...
You can enable Dynamic DNS using the Instant UI or the CLI.
In the Instant UI
To enable dynamic DNS:
1. Navigate to Services > Dynamic DNS.
2. Select the Enable Dynamic DNS check box.
DNS updates will be dropped. The DDNS updates are secured by using TSIG shared secret keys, when communicating between the client and the server. For more information, see Configuring Distributed DHCP Scopes on page 213.
The show running-config command displays the Key in the encrypted format. You can also configure dynamic DNS on an IAP or clients using the privileged execution mode in the CLI. For more information, refer to the show ddns clients command in the Aruba Instant 6.4.4.4-4.2.3.0 CLI Reference Guide.
When a VPN is configured, the IAP acting as the VC creates a VPN tunnel to an Aruba Mobility Controller in your corporate office. The controller acts as a VPN endpoint and does not supply the IAP with any configuration.
Generic Routing Encapsulation (GRE) is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an endpoint. IAPs support the configuration of L2 GRE (Ethernet over GRE) tunnel with an Aruba controller to encapsulate the packets sent and received by the IAP.
1. Click the More > VPN link in the Instant UI. The Tunneling window is displayed.
2. Select Aruba IPSec from the Protocol drop-down list.
3. Enter the IP address or fully qualified domain name (FQDN) for the primary VPN/IPsec endpoint in the Primary host text box.
If a VC IP is configured and if Per-AP tunnel is disabled, use VC IP. If a VC IP is not configured or if Per-AP tunnel is enabled, use the IAP IP.
To view VPN configuration details:
(Instant AP)# show vpn config
To configure GRE tunnel on the controller:
(Instant AP)(config)# interface tunnel <Number>
(Instant AP)(config-tunnel)# description <Description>
(Instant AP)(config-tunnel)# tunnel mode gre <ID>
(Instant AP)(config-tunnel)# tunnel vlan <allowed-VLAN>
Configuring Aruba GRE Parameters
The Aruba GRE feature uses the IPsec connection between the IAP and the controller to send the control information for setting up a GRE tunnel. When Aruba GRE configuration is enabled, a single IPsec tunnel between the IAP cluster and the controller, and one or several GRE tunnels are created based on the Per-AP tunnel configuration on the IAP.
Instant supports tunnel and session configuration, and uses Control Message Authentication (RFC 3931) for tunnel and session establishment. Each L2TPv3 tunnel supports one data connection and this connection is termed as an L2TPv3 session. Each IAP supports tunneling over User Datagram Protocol (UDP) only.
Figure 54 L2TPv3 Tunneling
2. Select L2TPv3 from the Protocol drop-down list.
3. To configure the tunnel profile:
a. Click the New button.
b. Enter the tunnel name to be used for tunnel creation.
Specify a value for the tunnel MTU value if required. The default value is 1460.
m. Click OK.
4. Configure the session profile:
a. Enter the session name to be used for session creation.
Figure 56 Session Configuration
SLI 0 0 0
Configuring Routing Profiles
IAPs can terminate a single VPN connection on an Aruba Mobility Controller. The routing profile defines the corporate subnets which need to be tunneled through IPsec. You can configure routing profiles for policy based routing into the VPN tunnel using the Instant UI or the CLI.
Routing profile is primarily used for IAP-VPN scenarios, to control which traffic should flow between the master IAP and the VPN tunnel, and which traffic should flow outside of the tunnel.
In this mode, the network address for traffic destined to the corporate network is translated at the source with the inner IP of the IPsec tunnel and is forwarded through the IPsec tunnel. The traffic destined to the non-corporate network is routed.
Either the controller or an upstream router can be the gateway for the clients. For DHCP services in Centralized, L2 mode, Aruba recommends using an external DHCP server and not the DHCP server on the controller. Client traffic destined to datacenter resources is forwarded by the master IAP (through the IPsec tunnel) to the client's default gateway in the datacenter.
IAP-VPN Deployment Scenarios on page 396.
Configuring an IAP Network for IAP-VPN Operations
An IAP network requires the following configurations for IAP-VPN operations.
Defining the VPN Host Settings
IAP-VPN Forwarding Modes on page 243.
You can create any of the following types of DHCP profiles for the IAP-VPN operations:
Local
Local, L2
Local, L3
Distributed, L2
Distributed, L3
Centralized, L2
196.
Configuring a Controller for IAP-VPN Operations
Aruba controllers provide an ability to terminate the IPsec and GRE VPN tunnels from the IAP and provide corporate connectivity to the branch network.
(Instant AP)# show ip ospf database
OSPF Database Table
-------------------
Area ID   LSA Type  Link ID  Adv Router  Seq#        Checksum
-------   --------  -------  ----------  ----        --------
0.0.0.15  ROUTER    9.9.9.9  9.9.9.9     0x80000016  0xee92
If an external server is used as the location for the whitelist database, add the MAC addresses of the valid IAPs in the external database or external directory server and then configure a RADIUS server to authenticate the IAPs using the entries in the external database or external directory server.
Determines the IP addresses used in a branch for Distributed, L2 mode
Determines the subnet used in a branch for Distributed, L3 mode
Avoids IP address or subnet overlap (that is, avoids IP conflict)
Address: Displays the MAC address of the VC of the branch.
Status: Displays the current status of the branch (UP/DOWN).
Inner IP: Displays the internal VPN IP of the branch.
Assigned Subnet: Displays the subnet mask assigned to the branch.
IAP is connected to a backup controller or it is connected to a primary controller without any Distributed, L2 or Distributed, L3 subnets. The show iap table command output does not display the Key and Bid(Subnet Name) details.
IAP RF environment. Each IAP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state.
2. Click OK.
In the CLI
To configure band steering:
(Instant AP)(config)# arm
(Instant AP)(ARM)# band-steering-mode {<Prefer 5 GHz>| <Force 5 GHz>|<Balance Bands>|<Disabled>}
(Instant AP)(ARM)# end
(Instant AP)# commit apply
802.11ac-capable access points do not support the legacy band steering, station handoff assist, or load balancing settings; so these access points must be managed using client match.
IAP radio. For more information, see Client Match on page
In the Instant UI
1. For client match configuration, specify the following parameters in the RF > ARM > Show advanced options tab:
You can configure access point control parameters through the Instant UI or the CLI.
In the Instant UI
1. For Access Point Control, specify the following parameters in the RF > ARM > Show advanced options tab:
ARM to assign 80 MHz channels on IAPs with 5 GHz radios, which support a very high throughput. This setting is enabled by default.
NOTE: Only the IAPs that support 802.11ac can be configured with 80 MHz channels.
2. Reboot the IAP.
You can specify a value within the range of 60-500. The default value is 100 milliseconds.
Interference immunity level: Select to increase the immunity level to improve performance in high-interference environments.
To configure 2.4 GHz radio settings:
(Instant AP)(config)# rf dot11g-radio-profile
(Instant AP)(RF dot11g Radio Profile)# beacon-interval <milliseconds>
(Instant AP)(RF dot11g Radio Profile)# legacy-mode
(Instant AP)(RF dot11g Radio Profile)# spectrum-monitor
(Instant AP)(RF dot11g Radio Profile)# dot11h
IAPs receive coverage area, thereby minimizing co-channel interference and optimizing channel reuse. The default 0 dB reduction allows the radio to retain its current default Rx sensitivity value.
The following example triggers ARM scanning on a 2.4 GHz frequency band radio profile:
(Instant AP)# ap-frequent-scan 2.4
To verify the status of ARM scanning:
(Instant AP)# show ap debug am-config
Configuring Web Policy Enforcement Service on page 273
Deep Packet Inspection
AppRF is Aruba's custom-built Layer 7 firewall capability. It consists of an onboard deep packet inspection and a cloud-based Web Policy Enforcement (WPE) service that allows creating firewall policies based on types of application.
The application categories chart displays details on the client traffic towards the application categories. By clicking the rectangle area, you can view the following graphs, and toggle between the chart and list views.
Figure 59 Application Categories Chart: Client View
The applications chart displays details on the client traffic towards the applications. By clicking the rectangular area, you can view the following graphs, and toggle between the chart and list views.
Figure 62 Applications Chart: Client View
Figure 63 Applications List: Client View
Figure 65 Web Categories Chart: Client View
Figure 66 Web Categories List: Client View
By clicking in the rectangle area, you can view the following graphs, and toggle between the chart and list views.
Figure 68 Web Reputation Chart: Client View
Figure 69 Web Reputation List: Client View
The Wired profile (More > Wired > Edit > Edit Wired Network > Access) window.
2. Select the role for which you want to configure the access rules.
To specify a bandwidth limit:
Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 176.
3. Select the rule type as Access Control.
4. To set an access policy based on the web category:
a. Under Service, select Web category and expand the Web categories drop-down list.
Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high-risk sites.
7. If required, select the following check boxes:
Blacklist
Disable scanning
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule "URLFilter")# end
(Instant AP)# commit apply
In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can configure an SSID with higher values for best effort and voice ACs, to allocate a higher bandwidth to clients transmitting best effort and voice traffic.
DSCP classifies packets based on network policies and rules. The following table shows the default WMM AC to DSCP mappings and the recommended WMM AC to DSCP mappings.
Table 60: WMM AC-DSCP Mapping
DSCP Value WMM Access Category
Background
Best effort
You can configure up to 8 DSCP mappings values within the range of 0-63. You can also configure a combination of multiple values separated by a comma, for example, wmm-voice-dscp 46,44,42,41.
(Instant AP)(example_s4b_test)# rule any any match tcp 5061 5061 permit log classify-media
(Instant AP)(example_s4b_test)# rule any any match tcp 5223 5223 permit log classify-media
(Instant AP)(example_s4b_test)# rule any any match any any any permit
(Instant AP)(example_s4b_test)# end
(Instant AP)# commit apply
Enabling Enhanced Voice Call Tracking
Aruba Instant provides seamless support for tracking VoIP calls in the network by using SNMP to send the location details of the caller to the third-party server. This feature is currently applied for tracking Emergency 911 (E911) VoIP calls.
Master IAP using SNMP GET. The Master IAP responds back to the SNMP server with the location (IAP Name) of the VoIP caller. Following are the key parameters in the response sent by the Master IAP:
VoIP Client IP Address
VoIP Client MAC Address
IAP MAC Address
IAP Name
LAN network to preserve the airtime and battery life. This inhibits the performance of AirGroup services that rely on multicast traffic. Aruba addresses this challenge with AirGroup technology. The distributed AirGroup architecture allows each IAP to handle multicast DNS (mDNS) and Digital Living Network Alliance (DLNA) queries and responses individually instead of overloading a VC with these tasks.
TV1 device to IAP1 and IAP2. This type of distributed architecture allows any IAP to respond to its connected devices locally. In this example, the iPad connected to IAP2 obtains direct response from the same IAP about the other Bonjour-enabled services in the network.
In an IAP cluster, the IAPs maintain a list of associated UPnP devices and allow the discovery of the associated devices.
When configured, AirGroup enables a client to perform a location-based discovery. For example, when a client roams from one Instant cluster to another, it can discover devices available in the new cluster to which the client is currently connected.
DLNA Print—This service is used by printers that support DLNA.
In the Instant 6.4.0.2-4.1.0.0 release, it is recommended to have a maximum of up to 80 AirGroup servers in the network.
288.
AirGroup Components
AirGroup leverages key elements of the Aruba solution portfolio including operating system software for Instant, ClearPass Policy Manager, and the VLAN-based or role-based filtering options offered by the AirGroup services. The components that make up the AirGroup solution include the Instant, ClearPass Policy Manager, and ClearPass Guest.
IAP shares the mDNS database information with the other clusters. The DNS records in the VC can be shared with all the VCs configured for L3 Mobility. By default, this feature is disabled. To define clusters, go to the System > L3 Mobility tab.
(Instant AP)# commit apply
To enable support for Bonjour services:
(Instant AP)(config)# airgroup
(Instant AP)(config)# enable mdns-only
(Instant AP)(airgroup)# end
(Instant AP)# commit apply
To configure AirGroup services:
(Instant AP)(config)# airgroupservice <airgroup-service>
RADIUS server with CoA, see Configuring an External Server for Authentication on page 156. You can also create a CoA only server in the Services > AirGroup > Clear Pass Settings > CoA server window.
1. Click the More > Services link on the Instant main window.
2. In the Services section, click the RTLS tab.
3. Under Aruba, select the RTLS check box to integrate Instant with the AMP or Ekahau Real Time Location Server. The following figure shows the contents of the RTLS tab.
You can configure an IAP for ALE support by using the Instant UI or the CLI.
In the Instant UI
Configuring ALE support:
1. Click More > Services.
2. Click the RTLS tab.
3. Select the Analytics & Location Engine check box.
(Instant AP)# show ale status
Managing BLE Beacons
In Instant 6.4.3.4-4.2.1.0, IAPs support Aruba Bluetooth Low Energy (BLE) devices, such as BT-100 and BT-105, which are used for location tracking and proximity detection. The BLE devices can be connected to an IAP and are monitored or managed by a cloud-based Beacon Management Console (BMC).
Configuring OpenDNS Credentials
When configured, the OpenDNS credentials are used by Instant to access OpenDNS to provide enterprise level content filtering. You can configure OpenDNS credentials by using the Instant UI or the CLI.
After a client is disconnected or dissociated from the IAP, the IAP sends a logout message.
Configuring an IAP for PAN integration
You can configure an IAP for PAN firewall integration by using the Instant UI or the CLI.
(Instant AP)(firewall-external-enforcement pan)# enable
(Instant AP)(firewall-external-enforcement pan)# domain-name <name>
(Instant AP)(firewall-external-enforcement pan)# ip <ip-address>
(Instant AP)(firewall-external-enforcement pan)# port <port>
(Instant AP)(firewall-external-enforcement pan)# user <name> <password>
(Instant AP)(firewall-external-enforcement pan)# end
(Instant AP)# commit apply
In the CLI
To enable XML API integration with the IAP:
(Instant AP)(config)# xml-api-server <xml_api_server_profile>
(Instant AP)(xml-api-server <profile-name>)# ip <subnet> [mask <mask>]
(Instant AP)(xml-api-server)# key <key>
(Instant AP)(xml-api-server)# end
(Instant AP)# commit apply
IPv4 or IPv6 addresses, but only the queried IP address is displayed in the output. Each XML API command requires certain mandatory options to successfully execute the task. The list of all available options is:
Instant supports CALEA integration in a hierarchical and flat topology, mesh IAP network, the wired and wireless networks. Enable this feature only if lawful interception is authorized by a law enforcement agency.
The controller handles the IPsec client traffic while GRE data is routed to the CALEA server. The following figure illustrates the traffic flow from IAP to the CALEA server through VPN.
WLAN SSID or wired profile. Verify the configuration.
Creating a CALEA Profile
You can create a CALEA profile by using the Instant UI or the CLI.
2. To add the access rule to a new profile:
a. Click New under the Network tab and create a WLAN profile or,
a. Click More > Wired > New and create a wired port profile.
Managing IAP from Aruba Central on page 314
Managing an IAP from AirWave
AirWave is a powerful platform and easy-to-use network operations system that manages Aruba wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers.
RAPIDS is a powerful and easy-to-use tool for automatic detection of unauthorized wireless devices. It supports multiple methods of rogue detection and uses authorized wireless IAPs to report other devices within range.
You can now customize the port number of the AMP server through the server_host:server_port format, for example, amp.aruba.com:4343. The following example shows how to configure the port number of the AMP server:
24:de:c6:cf:63:60 (config) # ams-ip 10.65.182.15:65535
24:de:c6:cf:63:60 (config) # end
24:de:c6:cf:63:60# commit apply
Configuring for AirWave Discovery Through DHCP
The AirWave can be discovered through the DHCP server. You can configure this only if AirWave was not configured earlier or if you have deleted the precedent configuration.
(ZTP) and transfer the AirWave configuration to the IAP. When a domain option xxx is included in the DHCP configuration, the IAP will search the DNS server records for aruba-airwave.xxx. When there is no domain option, the IAP will search only the server records for aruba-airwave.
5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.)
6. Right-click Server Options and select the configuration options.
Figure 86 Instant and DHCP options for AirWave: Server Options
7. Select 060 Aruba Instant AP in the Server Options window and enter ArubaInstantAP in the String value text box.
Figure 87 Instant and DHCP options for AirWave—060 IAP in Server Options
8.
This creates DHCP options 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.
Figure 89 Instant and DHCP options for AirWave: Scope Options
Upon completion, the IAP shows up as a new device in AirWave, and a new group called tme-store4 is created. Navigate to APs/Devices > New > Group to view this group.
Figure 92 AirWave—Monitor
Managing IAP from Aruba Central
The Aruba Central user interface provides a standard web-based interface that allows you to configure and monitor multiple Aruba Instant networks from anywhere with a connection to the Internet. Central supports all the IAPs running Instant 6.2.1.0-3.3.0.0 or later versions.
Maintaining the Subscription List
Aruba Central maintains a subscription list for the IAPs. If an IAP is not included in this list, Central identifies it as an unauthorized IAP and prevents it from joining the network. The service providers use Aruba Central to track the subscription of each IAP based on its serial number and MAC address.
Firmware Maintenance
For a multiclass IAP network, ensure that the IAP can download software images from the Aruba Cloud-Based Image Service. You may also need to configure HTTP proxy settings on the IAP if they are required for Internet access in your network. For more information about image upgrade and HTTP proxy configuration, see...
The Eth0 port on an IAP is enabled as an uplink port by default. You can view the type of uplink and the status of uplink of an IAP in the Info tab on selecting a client.
CHAP secret and Retype text boxes. You can use a maximum of 34 characters for the CHAP secret key.
c. Enter the username for the PPPoE connection in the User text box.
To configure the UML290 for the 3G network only, manually set the USB type to pantech-3g. To configure the UML290 for the 4G network only, manually set the 4G USB type to pantech-lte.
After enabling SIM PIN lock, reboot the IAP to apply the SIM PIN lock configuration changes.
To enable SIM PIN lock:
(Instant AP)# pin-enable <pin_current_used>
To disable SIM PIN locking:
(Instant AP)# no pin-enable <pin_current_used>
8–63 alphanumeric characters
64 hexadecimal characters
Ensure that the hexadecimal password string is exactly 64 digits in length.
9. Enter a Pre-Shared Key (PSK) passphrase in the Passphrase text box and click OK.
When an uplink is enforced and multiple Ethernet ports are configured, and if the uplink is enabled on the wired profiles, the IAP tries to find an alternate Ethernet link based on the priority configured.
(Instant AP)(uplink)# uplink-priority ethernet port 0 1
(Instant AP)(uplink)# end
(Instant AP)# commit apply
Enabling Uplink Preemption
The following configuration conditions apply to uplink preemption:
Preemption can be enabled only when no uplink is enforced.
When uplink switching based on the Internet availability is enabled, the uplink switching based on VPN failover is automatically disabled.
Switching Uplinks Based on Internet Availability
You can configure Instant to switch uplinks based on Internet availability.
To enable uplink switching based on Internet availability:
(Instant AP)(config)# uplink
(Instant AP)(uplink)# failover-internet
(Instant AP)(uplink)# failover-internet-ip <ip>
(Instant AP)(uplink)# failover-internet-pkt-lost-cnt <count>
(Instant AP)(uplink)# failover-internet-pkt-send-freq <frequency>
(Instant AP)(uplink)# end
(Instant AP)# commit apply
:none
Ethernet uplink eth0 :DHCP
Internet failover :disable
Max allowed test packet loss
Secs between test packets
VPN failover timeout (secs) :180
Internet check timeout (secs) :10
Secs between test packets
OS Fingerprinting is enabled in the Instant network by default. The following operating systems are identified by Instant:
The detection levels can be configured using the IDS window. To view the IDS window, click the More > IDS link on the Instant main window. The following levels of detection can be configured in the WIP Detection page:
Medium
High
Detect Malformed Frame—Large Duration
High
Detect IAP Impersonation
Detect ad hoc Networks
Detect Valid SSID Misuse
Detect Wireless Bridge
Detect 802.11 40 MHz intolerance settings
Detect Active 802.11n Greenfield Mode
Detect EAP Rate Anomaly
Detect Rate Anomaly
Detect Chop Chop Attack
Detect TKIP Replay Attack
IDS Signature—Air Jack
IDS Signature—ASLEAP
The following levels of detection can be configured in the WIP Protection page:
High
The following table describes the detection policies that are enabled in the Client Protection Custom settings text box:
Table 70: Client Protection Policies
Protection Level Protection Policy
All protection policies are disabled
Protect Valid Station
High Protect Windows Bridge
Tarpit containment—With Tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.
Figure 98 Containment Methods
(mesh links between neighboring mesh points that establish the best path to the mesh portal) from the wireless mesh network to the wired LAN.
When using 3G uplink, the wired port will be used as downlink. You can configure support for wired bridging on the Enet0 port of an IAP by using the Instant UI or the CLI.
To configure Ethernet bridging:
(Instant AP)# enet0-bridging
Make the necessary changes to the wired-profile when eth0 is used as the downlink port. For more information, see Configuring a Wired Profile on page 108.
IP addresses after roaming. You can configure a list of VC IP addresses across which L3 mobility is supported. The Aruba Instant Layer-3 mobility solution defines a Mobility Domain as a set of Instant networks, with the same WLAN access parameters, across which client roaming is supported. The Instant network to which the client first connects is called its home network.
1. Click the System link on the Instant main window.
2. In the Services section, click the Show advanced options link. The advanced options are displayed.
3. Click L3 Mobility. The L3 Mobility window is displayed.
To configure a mobility domain:
(Instant AP)(config)# l3-mobility
(Instant AP)(L3-mobility)# home-agent-load-balancing
(Instant AP)(L3-mobility)# virtual-controller <IP-address>
(Instant AP)(L3-mobility)# subnet <IP-address> <subnet-mask> <VLAN-ID> <virtual-controller-IP-address>
(Instant AP)(L3-mobility)# end
(Instant AP)# commit apply
Channel Details
Spectrum Alerts
Device List
The device list consists of a device summary table and channel information for active non-Wi-Fi devices currently seen by a spectrum monitor or hybrid IAP radio.
Page 341
Center frequency of the signal sent from the device.
Bandwidth: Channel bandwidth used by the device.
Channels-affected: Radio channels affected by the wireless device.
Signal-strength: Strength of the signal sent from the device, represented in dBm.
Page 342
2.4 GHz or 5 GHz bands. Some phones use both 2.4 GHz and 5 GHz bands (for example, 5 GHz for Base-to-handset and 2.4 GHz for Handset-to-base). These phones may be classified as unique Frequency Hopper devices on both bands.
Page 343
Ratio (SNIR). SNIR is the ratio of signal strength to the combined levels of interference and noise on that channel. Spectrum monitors display spectrum data of all channels in the selected band, and hybrid IAPs display data for the channel they are monitoring.
Page 344
2.4 GHz or 5 GHz radio bands. While spectrum monitors can display data for all channels in their selected band, hybrid IAPs display data for a single monitored channel.
Page 345
When a new non-Wi-Fi device is found, an alert is reported to the VC. The spectrum alert messages include the device ID, device type, IP address of the spectrum monitor or hybrid IAP, and the timestamp. The VC reports the detailed device information to AMP.
In the Instant UI
To convert an IAP to a spectrum monitor:
1. In the Access Points tab, click the IAP that you want to convert to a spectrum monitor.
2. Click the edit link.
While upgrading an IAP, you can use the image check feature to allow the IAP to find new software image versions available on a cloud-based image server hosted and maintained by Aruba Networks. The location of the image server is fixed and cannot be changed by the user. The image server is loaded with the latest versions of the Instant software.
Page 349
The IAP downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
Upgrading—While image upgrading is in progress.
Page 350
Image Upgrade Progress
----------------------
IP Address  AP Class  Status  Image Info  Error Detail
---------  --------  ------  ----------  ------------
d8:c7:c8:c4:42:98  10.17.101.1  Hercules  image-ok  image file  none
Auto reboot :enable
Use external URL :disable
3. Click Browse to browse your local system and select the configuration file.
4. Click Restore Now.
5. Click Restore Configuration to confirm restoration. The configuration is restored and the IAP reboots to load the new configuration.
(Instant AP)(config)# copy config tftp://x.x.x.x/confgi.cfg
Table 75: IAP-to-ArubaOS Conversion Controller Regulatory Variant Regulatory Domain ArubaOS release Domain Unrestricted ArubaOS 6.5.0.0 or later IAP-314/315 IAP-334/335 ArubaOS 6.4.4.0 or later IAP-324/325 IAP-277 ArubaOS 6.4.3.0 or later IAP-228 ArubaOS 6.4.3.0 or later
Page 353
Regulatory Domain ArubaOS release Domain Unrestricted
IAP-205H  ArubaOS 6.4.3.0 or later
IAP-21x  ArubaOS 6.4.2.0 or later
IAP-205  ArubaOS 6.4.1.0 or later
IAP-274/275  ArubaOS 6.4 or later
IAP-103H  ArubaOS 6.4 or later
Page 354
If the IAP does not get AirWave information through DHCP provisioning, it tries provisioning through the Activate server in the cloud by sending a serial number MAC address. If an entry for the IAP is present in
Page 355
ArubaOS 6.4 or later versions  Instant 4.1 or later versions
IAP-103  ArubaOS 6.4 or later versions  Instant 4.1 or later versions
IAP-114/115  ArubaOS 6.3.1.1 or later versions  Instant 4.0 or later versions
Page 356
For IAPs to function as Remote APs, configure the IAP in the Remote AP whitelist and enable the FTP service on the controller. If the VPN setup fails and an error message is displayed, click OK, copy the error logs, and share them with your local administrator.
Page 357
VLAN. If the IAP is in the cluster mode, it can form a cluster with other VC IAPs in the same VLAN.
To deploy an IAP as a stand-alone or autonomous IAP:
1. Click Maintenance in the Instant main window.
2. Click the Convert tab. The Convert tab contents are displayed.
If you encounter any problem with the IAPs, you can reboot all IAPs or a selected IAP in a network using the Instant UI.
To reboot an IAP:
1. Click Maintenance in the Instant main window.
2. Click the Reboot tab.
Page 359
Progress message is displayed indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete. If the system fails to boot, the Unable to contact Access Points after reboot was initiated message is displayed.
5. Click OK.
SNMP Parameters for IAP
Instant supports SNMPv1, SNMPv2, and SNMPv3 for reporting purposes only. An IAP cannot use Simple Network Management Protocol (SNMP) to set values in an Aruba system. You can configure the following parameters for an IAP:
Table 77: SNMP Parameters for IAP...
1. Click the System link on the Instant main window.
2. In the System window that is displayed, click the Monitoring tab.
Figure 110 Monitoring Tab: SNMP Configuration Parameters
Page 362
To configure SNMPv1 and SNMPv2 community strings:
(Instant AP)(config)# snmp-server community <password>
To configure SNMPv3 community strings:
(Instant AP)(config)# snmp-server user <name> <auth-protocol> <password> <privacy-protocol> <password>
To view SNMP configuration:
(Instant AP)# show snmp-configuration
Page 363
(Instant AP)# commit apply
Instant supports SNMP Management Information Bases (MIBs) along with Aruba-MIBs. For information about MIBs and SNMP traps, refer to the Aruba Instant 6.5.0.0-4.3.0.0 MIB Reference Guide.
Network—Log about change of network; for example, when a new IAP is added to a network.
Security—Log about network security; for example, when a client connects using wrong password.
System—Log about configuration and system status.
User—Important logs about client.
User-Debug—Detailed logs about client debugging.
Configuring TFTP Dump Server
You can configure a TFTP server for storing core dump files by using the Instant UI or the CLI.
IAP CLI. The output of this command displays the list of support commands that you can run through the UI and the corresponding CLI commands. For more information on these commands, refer to the respective command page in the Aruba Instant 6.5.0.0-4.3.0.0 CLI Reference Guide.
(Instant AP) # show support-commands...
Page 367
AP L3 Mobility Events log    show log l3-mobility
AP L3 Mobility Status    show l3-mobility status
AP LACP Status    show lacp status
AP Log All    show log debug
Page 368
AP Virtual Beacon Report    show ap virtual-beacon-report
AP VPN Config    show vpn config
AP VPN Status    show vpn status
AP IAP-VPN Retry Counters    show vpn tunnels
AP Wired Port Settings    show wired-port-settings
Page 369
VC Saved Configuration    show configuration
VC Scanning Stats    show aps scanning
VC Show SBR Table    show datapath sbr
VC SNMP Configuration    show snmp-configuration
VC Uplink 3G/4G Configuration    show cellular config
VC rfc3576-radius statistics    show ap debug rfc3576-radius-statistics
Use the support commands under the supervision of Aruba technical support.
Uplink Bandwidth Monitoring
An IAP uses Iperf3 as a TCP or UDP client to run a speed test and measure the bandwidth on an uplink. The results from the speed test are collated by the IAP and published to Analytics and Location Engine (ALE).
Page 371
---------
Type  Value
----  -----
VC package  0
RSSI package  0
APPRF package  0
URLv package  0
STATE package  0
STAT package  0
UPLINK BW package  0
Total  0
GAS is a request-response protocol that provides an L2 transport mechanism between a wireless client and a server in the network prior to authentication. It helps to determine an 802.11 infrastructure before associating clients and allows clients to send queries to multiple 802.11 networks in parallel.
Page 373
IAP. The IEs are included in the following Management Frames when 802.11u is enabled:
Beacon Frame
Probe Request Frame
Probe Response frame
Association Request
Re-Association request
Page 375
0. The associated numeric value is 2. pap—The associated numeric value is 1. chap—The associated numeric value is 2. mschap—The associated numeric value is 3. mschapv2—The associated numeric value is 4.
Page 377
3. factory-and-industrial unspecified—The associated numeric value is 0. The associated numeric value is 4. factory—The associated numeric value is 1. institutional unspecified—The associated numeric value is 0.
Page 378
1. city-park—The associated numeric value is 2. rest-area—The associated numeric value is 3. traffic-control—The associated numeric value is 4. bus-stop—The associated numeric value is 5. kiosk—The associated numeric value is 6.
Page 379
(Instant AP)# commit apply
The Public Land Mobile Network (PLMN) ID is a combination of the mobile country code and network code. You can specify up to 6 PLMN IDs for a 3GPP profile.
Page 380
Configuring an Operating-Class Profile
You can configure an operating-class profile to list the channels on which the hotspot is capable of operating.
To configure an H2QP operating-class profile:
(Instant AP)(config) # hotspot h2qp-oper-class-profile <name>
Page 382
GAS response is delayed. You can specify a value within the range of 100-2000 milliseconds and the default value is 500 milliseconds.
Page 383
Specify a venue type to be advertised in the ANQP IEs from IAPs associated with this hotspot profile. For more information about the supported venue types for each venue group, see Table
Configuring IAPs for Mobility Access Switch Integration on page 389
Mobility Access Switch Overview
The Aruba Mobility Access Switch enables secure, role-based network access for wired users and devices, independent of their location or application. Installed in wiring closets, the Mobility Access Switch delivers up to 384 wire-speed Gigabit Ethernet switch ports and operates as a wired access point when deployed with an Aruba Mobility Controller.
Info area of the main window as shown in the following figure:
Figure 113 Mobility Access Switch Integration Status
In the CLI
To enable the Mobility Access Switch integration:
(Instant AP)(config)# mas-integration
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure ClearPass Guest:
1. From the ClearPass Guest UI, navigate to Administration > AirGroup Services.
2. Click Configure AirGroup Services.
Figure 114 Configure AirGroup Services
3. Click Add a new controller.
Page 391
To create an AirGroup administrator and AirGroup operator account using the ClearPass Policy Manager UI:
1. Navigate to the ClearPass Policy Manager UI, and navigate to Configuration > Identity > Local Users.
Page 392
2. Click Add User.
3. Create an AirGroup Administrator by entering the required values.
Figure 118 Create an AirGroup Administrator
4. Click Add.
5. Now click Add User to create an AirGroup Operator.
Page 393
7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in.
8. After logging in, click Create Device.
Figure 121 Create a Device
4. Disconnect the OSX Mountain Lion/iOS 6 device and delete it from the controller’s user table. Reconnect using the username that was added to the Shared With box. The OSX Mountain Lion/iOS 6 device should once again have access to the AppleTV.
Troubleshooting
Table 83: Troubleshooting
Page 395
Problem: Limiting devices has no effect.
Solution: Ensure IPv6 is disabled.
Problem: Apple Macintosh running Mountain Lion can use AirPlay but iOS devices cannot.
Solution: Ensure IPv6 is disabled.
Scenario 2—IPsec: Single Datacenter with Multiple Controllers for Redundancy on page 401
Scenario 3—IPsec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy on page 405
Scenario 4—GRE: Single Datacenter Deployment with No Redundancy on page 410
The following table provides information on the configuration steps performed through the CLI with example values. For information on the UI procedures, see the topics referenced in the UI Procedure column.
Page 398
(Instant AP)(Auth Server "server1")# key "presharedkey"
(Instant AP)(Auth Server "server1")# exit
(Instant AP)(config)# wlan auth-server server2
(Instant AP)(Auth Server "server2")# ip 10.2.2.2
(Instant AP)(Auth Server "server2")# port 1812
Page 399
(Instant AP)(Access Rule "wired-port")# rule any any ACL Rules for example, the rule match any any any permit permits all traffic. Network Services For WLAN SSID: (Instant AP)(config)# wlan access-rule wireless-ssid
Page 400
For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 247. Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN.
10.0.0.0/8 is the corporate network
10.20.0.0/16 subnet is reserved for L2 mode – used for guest network
10.30.0.0/16 subnet is reserved for L3 mode
Client count in each branch is 200
Page 404
For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 247. Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN.
Figure 125 Scenario 3—IPsec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy
The IP addressing scheme used in this example is as follows:
10.0.0.0/8 is the corporate network.
10.30.0.0/16 subnet is reserved for L3 mode – used by Employee SSID.
(Instant AP)(Access Rule "wired-port")# rule any any ACL Rules for example, the rule match any any any permit permits all traffic. For Network contractor SSID role, the Services rule allows only For WLAN SSID employee roles:
Page 409
The following OSPF configuration is required on the controller to redistribute IAP-VPN routes to upstream routers:
(host)(config) # router ospf
(host)(config) # router ospf router-id <ID>
(host)(config) # router ospf area 0.0.0.0
(host)(config) # router ospf redistribute rapng-vpn
This scenario includes the following configuration elements:
Single VPN primary configuration using GRE
Aruba GRE, which does not require any configuration on the Aruba Mobility Controller that acts as a GRE endpoint.
Manual GRE, which requires GRE tunnels to be explicitly configured on the GRE endpoint that can be an Aruba Mobility Controller or any device that supports GRE termination.
Page 411
GRE tunnel configuration and requires controller configuration to
each IAP to form an independent GRE tunnel to the GRE end-point. Aruba GRE requires each IAP MAC to be present in the controller whitelist. Manual GRE requires GRE configuration for the IP of each IAP on the controller.
(host)(config-tunnel)# tunnel mode gre <ID>
(host)(config-tunnel)# tunnel source <controller-IP>
(host)(config-tunnel)# tunnel destination <AP-IP>
(host)(config-tunnel)# trusted
(host)(config-tunnel)# tunnel vlan <allowed-VLAN>
Glossary
The following table lists the terms and their definitions used in this document.
Page 414
Internet connection, and possibly gain access to company records and other resources.
Page 415
Use of radio frequency spectrum regulated by governments. frequency spectrum Part of the electromagnetic spectrum.
Page 416
A VPN ensures privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). Data is encrypted at the sending end and decrypted at the receiving end.
Page 417
(RF) signals rather than through end-to-end wire communication.
WLAN: Wireless local area network (WLAN) is a local area network (LAN) that the users access through a wireless connection.
Acronyms and Abbreviations
The following table lists the acronyms and abbreviations used in Aruba documents.
Table 89: List of Acronyms and Abbreviations
Acronym or Abbreviation    Definition
Third Generation of Wireless Mobile Telecommunications Technology
Fourth Generation of Wireless Mobile Telecommunications Technology...
Page 419
Bring Your Own Device
Certification Authority
Call Admission Control
CALEA    Communications Assistance for Law Enforcement Act
Campus AP
Clear Channel Assessment
Cisco Discovery Protocol
Call Detail Records
Common Event Format
Common Gateway Interface
Page 420
Comma Separated Values
Clear to Send
Contention Window
Distributed Antenna System
Decibel
Decibel Milliwatt
Data Center Bridging
Data Communication Equipment
Distributed Coordination Function
DDMO    Distributed Dynamic Multicast Optimization
Data Encryption Standard
Page 421
Data Terminal Equipment
DTIM    Delivery Traffic Indication Message
DTLS    Datagram Transport Layer Security
Data Unit
Extensible Authentication Protocol
EAP-FAST    EAP-Flexible Authentication Secure Tunnel
EAP-GTC    EAP-Generic Token Card
EAP-MD5    EAP-Method Digest 5
Page 422
Fast Fourier Transform
FHSS    Frequency Hopping Spread Spectrum
Forwarding Information Base
FIPS    Federal Information Processing Standards
FQDN    Fully Qualified Domain Name
FQLN    Fully Qualified Location Name
FRER    Frame Receive Error Rate
Page 423
HSPA    High-Speed Packet Access
High Throughput
HTTP    Hypertext Transfer Protocol
HTTPS    Hypertext Transfer Protocol Secure
Internet Authentication Service
ICMP    Internet Control Message Protocol
Identity Provider
Intrusion Detection System
Information Element
Page 424
Link Aggregation Control Protocol
Link Aggregation Group
Local Area Network
Liquid Crystal Display
LDAP    Lightweight Directory Access Protocol
LDPC    Low-Density Parity-Check
Law Enforcement Agency
LEAP    Lightweight Extensible Authentication Protocol
Light Emitting Diode
Page 425
Multi-factor Authentication
Megahertz
Management Information Base
MIMO    Multiple-Input Multiple-Output
Multicast Listener Discovery
MPDU    MAC Protocol Data Unit
MPLS    Multiprotocol Label Switching
MPPE    Microsoft Point-to-Point Encryption
MSCHAP    Microsoft Challenge Handshake Authentication Protocol
Page 426
Network Mapper
Non-Maskable Interrupt
Network Management Server
New Office Environment
Network Time Protocol
OAuth    Open Authentication
OCSP    Online Certificate Status Protocol
OpenFlow Agent
OFDM    Orthogonal Frequency Division Multiplexing
Object Identifier
Page 427
Protocol-Independent Multicast
Personal Identification Number
PKCS    Public Key Cryptography Standard
Public Key Infrastructure
PLMN    Public Land Mobile Network
Pairwise Master Key
Power over Ethernet
POST    Power On Self Test
Point-to-Point Protocol
Page 428
Request for Comments
RFID    Radio Frequency Identification
Routing Information Protocol
Round Robin Database
Rivest, Shamir, Adleman
RSSI    Received Signal Strength Indicator
RSTP    Rapid Spanning Tree Protocol
RTCP    RTP Control Protocol
Page 429
Software-Defined Wide Area Network
SFTP    Secure File Transfer Protocol
Secure Hash Algorithm
Subscriber Identity Module
Session Initiation Protocol
SIRT    Security Incident Response Team
Stock Keeping Unit
SLAAC    Stateless Address Autoconfiguration
Page 430
Secure Thin RAP
SU-MIMO    Single-User Multiple-Input Multiple-Output
SpectraLink Voice Priority
Technical Assistance Center
TACACS    Terminal Access Controller Access Control System
TCP/IP    Transmission Control Protocol/Internet Protocol
TFTP    Trivial File Transfer Protocol
Page 431
User Datagram Protocol
User Interface
UMTS    Universal Mobile Telecommunication System
UPnP    Universal Plug and Play
Uniform Resource Identifier
Uniform Resource Locator
Universal Serial Bus
Coordinated Universal Time
Virtual Appliance
Virtual Branch Networking
Page 432
Wireless Intrusion Detection System
WINS    Windows Internet Naming Service
WIPS    Wireless Intrusion Prevention System
WISPr    Wireless Internet Service Provider Roaming
WLAN    Wireless Local Area Network
Wireless Multimedia Extensions
Windows Management Instrumentation
Page 433
802.11 standards, 802.11b uses complementary code keying (CCK), which allows higher data speeds and is less susceptible to multipath-propagation interference. 802.11b operates in the 2.4 GHz band and the maximum data transfer rate is 11 Mbps.
Page 434
DHCP also provides a central database to keep track of computers connected to the network. This database helps in preventing any two computers from being configured with the same IP address.
Page 435
Endspan— The switch that an AP is connected for power supply. Midspan— A device can sit between the switch and APs
Page 436
802.11 standard. Wi-Fi has gained acceptance in many businesses, agencies, schools, and homes as an alternative to a wired LAN. Many airports, hotels, and fast-food facilities offer public access to Wi-Fi networks.
Page 437
(RF) signals rather than through end-to-end wire communication.
WLAN: Wireless local area network (WLAN) is a local area network (LAN) that the users access through a wireless connection.