Example Configurations

The following examples show basic configurations:

Configuring Authentication with an 802.1X RADIUS Server

The examples show how to configure using the WebUI and CLI commands.

802.1X Configuration for IAS and Windows Clients describes how to configure the Microsoft Internet Authentication Server and Windows XP wireless client to operate with the managed device configuration shown in this section.

Configuring Roles and Policies

You can create the following policies and user roles for:

  • Student
  • Faculty
  • Guest
  • Sysadmin
  • Computer

Creating the Student Role and Policy

The student policy prevents students from using telnet, POP3, FTP, SMTP, SNMP, or SSH to the wired portion of the network. The student policy is mapped to the student user role.

Before creating a student role, it is recommended to create a destination alias named Internal Network.

The following procedure describes how to create a destination alias.

  1. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Aliases tab.
  2. In Network Aliases, click +.
  3. Select an IP Version from the drop-down list.
  4. For Name, enter Internalnetwork.
  5. For Description, enter a description of the destination within 128 characters.
  6. Select Invert to specify that the inverse of the network addresses configured are used.
  7. For Items, click +.
  8. In the Add New Destination Add New User Rule window, for Rule Type, select Network. For IP Address, enter 10.0.0.0. For Network Mask or Range, enter 255.0.0.0. Click OK.
  9. Click Submit.
  10. Click Pending Changes.
  11. In the Pending Changes window, select the check box and click Deploy changes.

The following procedure describes how to create a student role:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.
  2. Select + to add the student policy.
  3. For Policy Name, enter student.
  4. For Policy Type, select Session.
  5. Click Submit.
  6. Select the student role from the Policies table.
  7. Click + in the Policies > student table to add rules for the policy.
    1. For Rule type, select Access Control, then click OK.
    2. For Source, select User.
    3. For Destination, select Alias.
    4. The following step defines an alias representing all internal network addresses. Once defined, you can use the alias for other rules and policies.
    5. For Destination alias, select Internalnetwork.
    6. For Service/app, select service. In the Service scrolling list, select svc-telnet.
    7. Under Action, select drop.
    8. Click Submit.
  8. Repeat step 7 to create rules for the following services: svc-pop3, svc-ftp, svc-smtp, svc-snmp, and svc-ssh.
  9. Click Submit.
  10. Click the Roles tab. Click + to create the student role.
    1. For Name, enter student then click Submit.
    2. Select the role you just created from the Roles table.
    3. Select Show Advanced View.
    4. In the Roles > student table, select the Policies tab.
    5. Click + to add a new policy.
    6. Select Add existing session policy and select the student policy you previously created.
  11. Click Submit.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands create a destination alias:

(host)[mynode](config) #ip access-list session student
   user alias "Internal Network" svc-telnet deny
   user alias "Internal Network" svc-pop3 deny
   user alias "Internal Network" svc-ftp deny
   user alias "Internal Network" svc-smtp deny
   user alias "Internal Network" svc-snmp deny
   user alias "Internal Network" svc-ssh deny

The following CLI commands create the student role and policy:

(host)[mynode](config) #user-role student
   session-acl student
   session-acl allowall

Creating the Faculty Role and Policy

The faculty policy is similar to the student policy; however, faculty members are allowed to use POP3 and SMTP for VPN remote access from home. (Students are not permitted to use VPN remote access.) The faculty policy is mapped to the faculty user role.

The following procedure describes how to create the faculty role and policy:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.
  2. Click + to add the faculty policy.
  3. For Policy Name, enter faculty.
  4. For Policy Type, select Session.
  5. Click Submit.
  6. Select the new faculty policy from the Policies table.
  7. Click + in the Policies > Faculty table to add rules for the policy.
    1. Select the Rule Type as Access Control, then click OK.
    2. For Source, select User.
    3. For Destination, select Alias, then select Internal Network for Destination Alias.
    4. For Service/App, select Service.
    5. For Service Alias, select svc-telnet.
    6. For Action, select Deny.
    7. Click Submit.
  8. Repeat steps A-E to create rules for the following services: svc-ftp, svc-snmp, and svc-ssh.
  9. Select the Roles tab. Click + to create the faculty role.
    1. Enter faculty for Name.
  10. Click Submit.
  11. Select the role you just created from the Roles table.
  12. Select Show Advanced View.
    1. In the Roles > faculty table, select the Policies tab.
    2. Click + to add a new policy.
    3. Select Add existing session policy and select the faculty policy you previously created.
  13. Click Submit.
  14. Click Pending Changes.
  15. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands create the faculty role and policy:

(host)[mynode](config) #ip access-list session faculty
   user alias "Internal Network" svc-telnet deny
   user alias "Internal Network" svc-ftp deny
   user alias "Internal Network" svc-snmp deny
   user alias "Internal Network" svc-ssh deny

(host)[mynode](config) #user-role faculty
   session-acl faculty
   session-acl allowall

Creating the Guest Role and Policy

The guest policy permits only access to the internet (via HTTP or HTTPS) and only during daytime working hours. The guest policy is mapped to the guest user role.

The following procedure describes how to create the guest role and policy:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Roles tab.
  2. Select a role name and click + in the Name of the role > Global roles table.
  3. Click + for the Time range field and enter the following details:
    1. For Name, enter working-hours.
    2. For Type, select Periodic. Click +.
    3. For Start day, click Weekday.
    4. For Start time(hh:mm), enter 07:30.
    5. For End time(hh:mm), enter 17:00.
  4. Click OK.
  5. Click Submit.
  6. Click the Policies tab. Click + to add the guest policy.
    1. For Policy Name, enter guest.
    2. For Policy Type, select Session.
  7. Click Submit.
  8. Select the Policy created under Policies. The Policies > policy Name table is displayed.
  9. Click + under the Policies > policy Name table.
  10. Select Access Control for the Rule Type and click OK.
  11. Add the following New Forwarding Rule information for the policy.
  12. To create rules to permit access to DHCP and DNS servers during working hours:
    1. For Source, select User.
    2. For Destination, select Host. In Host IP, enter 10.1.1.25.
    3. For Service, select Service. In the Service scrolling list, select svc-dhcp.
    4. For Action, select Permit.
    5. For Time Range, select working-hours.
  13. Click Submit.
  14. Repeat steps A-F to create a rule for svc-dns.
  15. To create a rule to deny access to the internal network:
    1. For Source, select User.
    2. For Destination, select alias. Select Internal Network.
    3. Under Service, select Any.
    4. Under Action, select Deny.
  16. Click Submit.
  17. To create rules to permit HTTP and HTTPS access during working hours:
    1. For Source, select User.
    2. For Destination, select Any.
    3. For Service/app, select Service. In the Services scrolling list, select svc-http.
    4. For Action, select Permit.
    5. For Time Range, select working-hours.
  18. Click Submit.
  19. Repeat steps A-F for the svc-https service.
  20. To create a rule that denies the user access to all destinations and all services:
    1. For Source, select User.
    2. For Destination, select Any.
    3. For Service/app, select Any.
    4. For Action, select drop.
  21. Click Submit.
  22. Click the Roles tab. Click + to create the guest role.
  23. For Role Name, enter guest and click Submit.
  24. Under Firewall Policies, click +. In Choose from Configured Policies, select the guest policy you previously created. Click Submit.
  25. Click Pending Changes.
  26. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands create the guest role and policy:

(host)[mynode](config) #time-range working-hours periodic
   weekday 07:30 to 17:00

(host)[mynode](config) #ip access-list session guest
   user host 10.1.1.25 svc-dhcp permit time-range working-hours
   user host 10.1.1.25 svc-dns permit time-range working-hours
   user alias "Internal Network" any deny
   user any svc-http permit time-range working-hours
   user any svc-https permit time-range working-hours
   user any any deny

(host)[mynode](config) #user-role guest
   session-acl guest
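The guest session ACL above is only as restrictive as its rule order: the "Internal Network" deny has to sit before the open HTTP/HTTPS permits, and the permits are only live inside the working-hours time range. The following added example (not ArubaOS code) models that first-match evaluation over the page's rules, so both points can be checked offline; it assumes top-down first-match semantics with an implicit final deny, and reduces each svc-* alias to one well-known protocol/port.

```python
"""First-match evaluation of the guest session ACL shown above.

Added example, not ArubaOS code. Assumptions (not stated on the page):
rules are evaluated top-down and the first match wins; a flow matching
no rule is denied; svc-* aliases are one protocol/port each.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# netdestination "Internal Network" from the page
ALIASES = {
    "Internal Network": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/16")],
}

# Service aliases used by the guest policy, reduced to (protocol, port).
SERVICES = {
    "svc-dhcp": ("udp", 67),
    "svc-dns": ("udp", 53),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
    "any": None,
}

# time-range working-hours periodic / weekday 07:30 to 17:00
TIME_RANGES = {"working-hours": (range(0, 5), (7, 30), (17, 0))}

@dataclass(frozen=True)
class Rule:
    dest_kind: str                 # "host", "alias" or "any"
    dest_value: Optional[str]      # IP for host, alias name for alias
    service: str                   # key of SERVICES
    action: str                    # "permit" or "deny"
    time_range: Optional[str] = None

@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: str
    dport: int
    when: datetime

def in_time_range(name: str, when: datetime) -> bool:
    days, (sh, sm), (eh, em) = TIME_RANGES[name]
    minutes = when.hour * 60 + when.minute
    return when.weekday() in days and sh * 60 + sm <= minutes < eh * 60 + em

def dest_matches(rule: Rule, flow: Flow) -> bool:
    if rule.dest_kind == "any":
        return True
    addr = ip_address(flow.dst_ip)
    if rule.dest_kind == "host":
        return addr == ip_address(rule.dest_value)
    return any(addr in net for net in ALIASES[rule.dest_value])

def service_matches(rule: Rule, flow: Flow) -> bool:
    spec = SERVICES[rule.service]
    return spec is None or spec == (flow.proto, flow.dport)

def evaluate(acl, flow: Flow):
    """Return (action, index of matching rule); ("deny", None) if nothing matches.

    A rule carrying a time range is inactive outside that range and is skipped.
    """
    for i, rule in enumerate(acl):
        if rule.time_range and not in_time_range(rule.time_range, flow.when):
            continue
        if dest_matches(rule, flow) and service_matches(rule, flow):
            return rule.action, i
    return "deny", None

# The guest ACL exactly as ordered on the page.
GUEST_ACL = [
    Rule("host", "10.1.1.25", "svc-dhcp", "permit", "working-hours"),
    Rule("host", "10.1.1.25", "svc-dns", "permit", "working-hours"),
    Rule("alias", "Internal Network", "any", "deny"),
    Rule("any", None, "svc-http", "permit", "working-hours"),
    Rule("any", None, "svc-https", "permit", "working-hours"),
    Rule("any", None, "any", "deny"),
]

# Same rules with the internal-network deny placed after the web permits:
# a guest would then reach internal web servers during working hours.
MISORDERED_ACL = [GUEST_ACL[i] for i in (0, 1, 3, 4, 2, 5)]

WORK = datetime(2024, 3, 5, 9, 0)      # constructed: Tuesday 09:00
EVENING = datetime(2024, 3, 5, 18, 0)  # constructed: Tuesday 18:00

if __name__ == "__main__":
    for flow in (Flow("10.1.1.25", "udp", 53, WORK), Flow("10.0.0.5", "tcp", 80, WORK),
                 Flow("203.0.113.10", "tcp", 443, WORK), Flow("203.0.113.10", "tcp", 443, EVENING)):
        print(flow.dst_ip, flow.proto, flow.dport, flow.when.strftime("%a %H:%M"),
              "guest:", evaluate(GUEST_ACL, flow), "misordered:", evaluate(MISORDERED_ACL, flow))
```

Note that the DNS/DHCP server 10.1.1.25 lies inside the "Internal Network" alias, so those two permits only work because they precede the alias deny; outside working hours they go inactive and the same server is denied.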

Creating Roles and Policies for Sysadmin and Computer

The allowall policy, a predefined policy, allows unrestricted access to the network. The allowall policy is mapped to both the sysadmin user role and the computer user role.

The following procedure describes how to create roles and policies for sysadmin and computer:

  1. In a Managed Network node hierarchy, navigate to Configuration > Roles & Policies > Roles tab. Click + to create the sysadmin role.
  2. Enter a Role Name in the Name field. Enter sysadmin or computer for the required role.
  3. Select the role created.
  4. In the <Name of the role> table, click Show Advanced View.
  5. Under Policies, click +. In Add Policy, select Add existing policy and select the predefined allowall policy from the Policy Name drop-down list.
  6. Click Submit.
  7. Click Pending Changes.
  8. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands create roles and policies for sysadmin and computer:

(host)[mynode](config) #user-role sysadmin
   session-acl allowall

(host)[mynode](config) #user-role computer
   session-acl allowall

Creating an Alias for the Internal Network

The following CLI commands configure an alias for the internal network:

(host)[MyNode](config) #netdestination "Internal Network"
   network 10.0.0.0 255.0.0.0
   network 172.16.0.0 255.255.0.0

Configuring the RADIUS Authentication Server

Configure the RADIUS server IAS1, with IP address 10.1.1.21 and a shared key. The RADIUS server is configured to send an attribute called Class to the managed device; the value of this attribute is set to either “student,” “faculty,” or “sysadmin” to identify the group of users. The managed device uses the literal value of this attribute to determine the role name.

On the managed device, you add the configured server (IAS1) into a server group. For the server group, you configure the server rule that allows the Class attribute returned by the server to set the user role.

The following procedure describes how to configure the RADIUS authentication server:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Authentication > Auth Servers page.
  2. In the All Servers list, click +.
  3. In the New Server window, enter IAS1 for the server name.
    1. Enter 10.1.1.21 for the server IP address/hostname.
    2. Set the Type to RADIUS.
  4. Click Submit.
  5. Select the new server from the All Servers list.
    1. In the Shared Key field, enter a key, such as |*a^t%183923!. (You must enter the key string twice.)
  6. Click Submit.
  7. In the Server Groups list, click +.
  8. Enter the server name IAS and click Submit.
  9. Select the server group IAS to display configuration parameters for the server group.
    1. In the Server Group > IAS table, click +.
  10. Select Add existing server, select IAS1, then click Submit.
    1. In the Server Groups table, select the IAS server group. The Server Group > IAS table appears.
    2. In the Server Group > IAS table, select Server Rules.
    3. Click + to add a new server rule.
    4. For Attribute, select an attribute from the drop-down list.
    5. For Operation, select value-of from the drop-down list.
    6. For Action, select set role.
  11. Click Submit.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the RADIUS authentication server:

(host)[mynode](config) #aaa authentication-server radius IAS1
   host 10.1.1.21
   key |*a^t%183923!

(host)[mynode](config) #aaa server-group IAS
   auth-server IAS1
   set role condition Class value-of

Configuring 802.1X Authentication

An AAA profile specifies the 802.1X authentication profile and 802.1X server group to be used for authenticating clients for a WLAN. The AAA profile also specifies the default user roles for 802.1X and MAC authentication.

In the 802.1X authentication profile, configure enforcement of machine authentication before user authentication. If a user attempts to log in before machine authentication completes, the user is placed in the limited guest role.

The following procedure describes how to configure 802.1X authentication:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Authentication > L2 Authentication page.
  2. Select 802.1X Authentication Profile.
  3. Select the Profile name.
  4. Select Enforce Machine Authentication.
    1. For the Machine Authentication: Default Machine Role, select computer.
    2. For the Machine Authentication: Default User Role, select guest.
  5. Click Submit.
  6. Navigate to the Configuration > Authentication > AAA Profiles tab.
    1. Expand AAA Profiles, then click + in AAA Profile: New Profile to add a new profile.
    2. Enter aaa_dot1x as the Profile Name.
    3. For MAC Authentication Default Role, select computer.
    4. For 802.1X Authentication Default Role, select faculty.
  7. Click Submit.
    1. In the Profiles list (under the aaa_dot1x profile), select 802.1X Authentication Profile.
    2. From the drop-down list, select the dot1x authentication profile you configured previously.
  8. Click Submit.
    1. In the Profiles list (under the aaa_dot1x profile), select 802.1X Authentication Server Group.
    2. From the drop-down list, select the IAS server group you created previously.
  9. Click Submit.
  10. Click Pending Changes.
  11. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure 802.1X authentication:

(host)[mynode](config) #aaa authentication dot1x dot1x
   machine-authentication enable
   machine-authentication machine-default-role computer
   machine-authentication user-default-role guest

(host)[mynode](config) #aaa profile aaa_dot1x
   dot1x-default-role faculty
   mac-default-role computer
   authentication-dot1x dot1x
   dot1x-server-group IAS
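The role a client ends up in is the combined result of the machine-authentication enforcement in the dot1x profile, the defaults in the AAA profile, and the server rule that maps the RADIUS Class attribute to a role name. The following added example (not ArubaOS code) works that decision through with the values configured above; it assumes that a Class value which does not name a configured role is ignored in favour of the dot1x default role, and that a client with neither authentication receives no role.

```python
"""Role selection for the 802.1X and RADIUS settings configured above.

Added example, not ArubaOS code. Uses the page's values: machine-default-role
computer, user-default-role guest, dot1x-default-role faculty, and the
server rule 'set role condition Class value-of'. Assumptions (not stated on
the page): an unknown Class value falls back to the dot1x default role; a
client with neither authentication gets no role.
"""
from typing import Optional

# Roles created earlier on this page.
CONFIGURED_ROLES = {"student", "faculty", "guest", "sysadmin", "computer"}
MACHINE_DEFAULT_ROLE = "computer"   # machine authenticated, no user logged in yet
USER_DEFAULT_ROLE = "guest"         # user logged in before machine auth completed
DOT1X_DEFAULT_ROLE = "faculty"      # both authenticated, no usable Class value

def role_from_server_rule(attributes: dict) -> Optional[str]:
    """'set role condition Class value-of': the literal Class value names the role."""
    value = attributes.get("Class")
    return value if value in CONFIGURED_ROLES else None  # assumption: unknown -> None

def select_role(machine_ok: bool, user_ok: bool,
                attributes: Optional[dict] = None) -> Optional[str]:
    """Derive the user role from the two authentication outcomes and RADIUS attributes."""
    attributes = attributes or {}
    if machine_ok and user_ok:
        # Server-derived role wins; otherwise the AAA profile's 802.1X default.
        return role_from_server_rule(attributes) or DOT1X_DEFAULT_ROLE
    if machine_ok:
        return MACHINE_DEFAULT_ROLE
    if user_ok:
        # Enforced machine authentication: a server-assigned role is not honoured
        # when the device itself has not authenticated.
        return USER_DEFAULT_ROLE
    return None

if __name__ == "__main__":
    # Constructed scenarios; Class values are the ones the page says IAS returns.
    scenarios = [
        ("domain laptop booted, nobody logged in", True, False, {}),
        ("student logs in on authenticated laptop", True, True, {"Class": "student"}),
        ("user logs in, server sends no Class", True, True, {}),
        ("login from a device that skipped machine auth", False, True, {"Class": "sysadmin"}),
        ("Class names a role that does not exist", True, True, {"Class": "root"}),
    ]
    for label, machine_ok, user_ok, attrs in scenarios:
        print(f"{label}: {select_role(machine_ok, user_ok, attrs)}")
```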

Configuring VLANs

In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to VLAN 63. VLANs 60 and 61 split users into smaller IP subnetworks, improving performance by decreasing broadcast traffic. The VLANs are internal to the Aruba managed device only and do not extend into other parts of the wired network. The clients’ default gateway is the Aruba managed device, which routes traffic out to the 10.1.1.0 subnetwork.

You configure the VLANs, assign IP addresses to each VLAN, and establish the “helper address” to which client DHCP requests are forwarded.

The following procedure describes how to configure VLANs:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Interfaces > VLANs page. Click + to add VLAN_60.
    a. Enter a VLAN name.
    b. For VLAN ID, enter 60.
    c. Click Submit.
    d. Repeat steps A and B to add VLANs 61 and 63.
  2. To configure IP parameters for the VLANs, navigate to the Configuration > Interfaces > VLANs page.
    a. Select VLAN 60.
    b. Under VLANs > VLAN_60 table, select the VLAN ID, 60. Click IPv4.
    c. For IP Address, enter 10.1.60.1.
    d. For Net Mask, enter 255.255.255.0.
    e. Click Submit.
  3. Similarly, for VLAN 61, navigate to the Configuration > Interfaces > VLANs page.
    a. Select VLAN_61.
    b. Under VLANs > VLAN_61 table, select the VLAN ID, 61. Click IPv4.
    c. For IP Address, enter 10.1.61.1.
    d. For Net Mask, enter 255.255.255.0.
    e. Click Submit.
  4. Similarly, for VLAN 63, navigate to the Configuration > Interfaces > VLANs page.
    a. Select VLAN_63.
    b. Under VLANs > VLAN_63 table, select the VLAN ID, 61. Click IPv4.
    c. For IP Address, enter 10.1.63.1.
    d. For Net Mask, enter 255.255.255.0.
    e. Click Submit.
  5. Select the IP Routes tab.
    a. Click + in the Static Default Gateway table.
    b. For IP address, enter 10.1.1.254.
    c. Click Submit.

The following CLI commands configure VLANs:

(host)[mynode](config) #vlan 60
(host)[mynode](config) #interface vlan 60
   ip address 10.1.60.1 255.255.255.0
   ip helper-address 10.1.1.25

(host)[mynode](config) #vlan 61
(host)[mynode](config) #interface vlan 61
   ip address 10.1.61.1 255.255.255.0
   ip helper-address 10.1.1.25

(host)[mynode](config) #vlan 63
(host)[mynode](config) #interface vlan 63
   ip address 10.1.63.1 255.255.255.0
   ip helper-address 10.1.1.25

(host)[mynode](config) #ip default-gateway 10.1.1.254

Configuring the WLANs

In this example, default AP parameters for the entire network are: the default ESSID is WLAN-01 and the encryption mode is TKIP. A second ESSID called “guest” has the encryption mode set to static WEP with a configured WEP key.

In this example, the non-guest clients that associate to an AP are mapped into one of two different user VLANs. The initial AP to which the client associates determines the VLAN: clients that associate to APs in the first floor of the building are mapped to VLAN 60, and clients that associate to APs in the second floor of the building are mapped to VLAN 61. Therefore, the APs in the network are segregated into two AP groups, named first-floor and second-floor. (See AP Groups for information about creating AP groups.) The guest clients are mapped into VLAN 63.

Configuring the Guest WLAN

You create and configure the virtual AP profile “guest” and apply the profile to each AP group. The “guest” virtual AP profile contains the SSID profile “guest”, which configures static WEP with a WEP key.

The following procedure describes how to configure the guest WLAN:

  1. In a Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
  2. Under All Profiles, select Wireless LAN and then select SSID.
  3. Click + in the SSID Profile: New Profile. Enter the Profile Name and ESSID as guest.
  4. For Encryption, select static-wep. Click Submit.
  5. Select Virtual AP under Wireless LAN.
  6. Click + in the Virtual AP Profile: New Profile.
  7. Enter the Profile Name as guest and select Virtual AP enable. Enter 63 for VLAN.
  8. Click Submit.
  9. Select the Virtual AP created and select SSID. Select guest from the SSID profile drop-down list. Click Submit.
  10. Navigate to Configuration > AP groups.
  11. In the AP Groups list, select an AP group. In the APgroups > <name of the group> table, click the WLANs tab.
  12. Click +.
  13. Select the Virtual AP guest from the Virtual - AP drop-down list. Click Submit.
  14. Click Submit.
  15. Click Pending Changes.
  16. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the guest WLAN:

(host)[mynode](config) #wlan ssid-profile guest

essid guest

wepkey1 aaaaaaaaaa

opmode static-wep

 

(host)[mynode](config) #wlan virtual-ap guest

vlan 63

ssid-profile guest

 

(host)[mynode](config) #ap-group first-floor

virtual-ap guest

(host)[mynode](config) #ap-group second-floor

virtual-ap guest

Configuring the Non-Guest WLANs

You create and configure the SSID profile “WLAN-01” with the ESSID “WLAN-01” and WPA TKIP encryption. You need to create and configure two virtual AP profiles: one with VLAN 60 for the first-floor AP group and the other with VLAN 61 for the second-floor AP group. Each virtual AP profile references the SSID profile “WLAN-01” and the previously-configured AAA profile aaa_dot1x.

The following procedure describes how to configure the non-guest WLANs:

  1. In a Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
  2. Under All Profiles, select Wireless LAN and then select SSID.
  3. Click + in the SSID Profile: New Profile. Enter the Profile Name and ESSID as WLAN-01.
  4. For Encryption, select wpa-tkip. Click Submit.
  5. Select Virtual AP under Wireless LAN.
  6. Click + in the Virtual AP Profile: New Profile.
  7. Enter a Profile Name for the first floor AP and select Virtual AP enable. Enter 60 for VLAN.
  8. Click Submit.
  9. Select the Virtual AP created and select SSID. Select WLAN-01 from the SSID profile drop-down list. Click Submit.
  10. Select the Virtual AP created and select AAA profile. Select the previously-configured aaa_dot1x profile from the AAA drop down-list.
  11. Repeat steps 5 to 10 to create and associate SSID and AAA profiles for the second floor Virtual AP. Enter the VLAN as 61 for the second floor Virtual AP.
  12. Navigate to Configuration > AP groups.
  13. In the AP Groups list, select first-floor. In the APgroups > first-floor table, click the WLANs tab.
  14. Click +.
  15. Select the Virtual AP created for first-floor from the Virtual-Ap drop-down list. Click Submit.
  16. Repeat steps 13 to 15 for the second-floor AP group, selecting the Virtual AP created for second-floor from the Virtual-Ap drop-down list.
  17. Click Submit.
  18. Click Pending Changes.
  19. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the non-guest WLANs:

(host)[mynode](config) #wlan ssid-profile WLAN-01

essid WLAN-01

opmode wpa-tkip

 

(host)[mynode](config) #wlan virtual-ap WLAN-01_first-floor

vlan 60

aaa-profile aaa_dot1x

ssid-profile WLAN-01

 

(host)[mynode](config) #wlan virtual-ap WLAN-01_second-floor

vlan 61

aaa-profile aaa_dot1x

ssid-profile WLAN-01

 

(host)[mynode](config) #ap-group first-floor

virtual-ap WLAN-01_first-floor

(host)[mynode](config) #ap-group second-floor

virtual-ap WLAN-01_second-floor

Configuring Authentication with the Internal Database of the Managed Device

In the following example:

The internal database of the managed device provides user authentication.

The authentication type is WPA. From the 802.1X authentication exchange, the client and the managed device derive dynamic keys to encrypt data transmitted on the wireless network.

Configuring the Internal Database

Configure the internal database with the username, password, and role (student, faculty, or sysadmin) for each user. There is a default internal server group that includes the internal database. For the internal server group, configure a server derivation rule that assigns the role to the authenticated client.

The following procedure describes how to configure the internal database:

  1. In the Mobility Master node hierarchy, navigate to the Configuration > Authentication > Auth Servers tab.
  2. In the All Servers list, select Internal.
  3. Select an existing user in the Server > Internal table, or click + to add a new user. The User name can be entered only when the user is created; the User name of an existing entry cannot be changed.
  4. For each user, enter a Password.
  5. Select a Role for each user (if a role is not specified, the default role is guest).
  6. Select the Expiration time for the user account in the internal database.
  7. Click Submit.
  8. Click Pending Changes.
  9. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command adds a user to the internal database; the role keyword stores the role that the server rule in the next section assigns to the client when it authenticates:

(host)[mynode](config) #local-userdb add username <user> password <password> role <role>

Configuring a Server Rule

The following procedure describes how to configure a server rule:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Authentication > Auth Servers page.
  2. Select the internal server group from the Server Groups table.
  3. Click Server Rules tab in the Server Group > Internal table.
  4. Click + to add a server derivation rule.
    1. Select Role as the Attribute.
    2. Select value-of from the Operations drop-down list.
    3. Select Set Role from the Action drop-down list.
    4. Click Add.
  5. Click Submit.
  6. Click Pending Changes.
  7. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the server rule:

(host)[mynode](config) #aaa server-group internal

set role condition Role value-of

Configuring 802.1X Authentication

An AAA profile specifies the 802.1X authentication profile and 802.1X server group to be used for authenticating clients for a WLAN. The AAA profile also specifies the default user role for 802.1X authentication.

For this example, you enable both 802.1X authentication and termination on the managed device. Termination is what makes the internal database usable here: the managed device ends the EAP exchange itself and checks the credentials locally, instead of relaying the EAP packets to an external RADIUS server. Note also that the 802.1X default role applies only to authenticated clients for which no server rule sets a role, so it should be the least-privileged role that fits (student in this example) rather than a broad one.

The following procedure describes how to configure 802.1X authentication:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Authentication > L2 Authentication tab. In the profiles list, select 802.1X Authentication Profile.
  2. Click + in 802.1x Authentication: New Profile.
    1. For Profile Name, enter dot1x.
    2. Select Termination check box.
    3. Click Submit.
  3. Select the AAA Profiles tab and expand AAA Profiles.
    1. In the AAA Profile: New Profile, click + to add a new profile.
    2. Enter aaa_dot1x for Profile Name.
    3. For 802.1X Authentication Default Role, select student.
    4. Click Submit.
  4. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1X Authentication Profile.
    1. Select the dot1x profile from the 802.1X Authentication Profile drop-down list.
    2. Click Submit.
  5. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1X Authentication Server Group.
    1. Select the internal server group.
    2. Click Submit.

The following CLI commands configure 802.1X authentication:

(host)[mynode](config) #aaa authentication dot1x dot1x

termination enable

 

(host)[mynode](config) #aaa profile aaa_dot1x

dot1x-default-role student

authentication-dot1x dot1x

dot1x-server-group internal
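
Every step in the WLAN and AAA procedures above adds one more reference: a virtual AP points at a VLAN, an SSID profile and an AAA profile, the AAA profile points at a dot1x profile and a server group, and the server group's rule decides whether the database role or the dot1x-default-role wins. The WebUI hides those links, and a single mistyped keyword (the page's own sid-profile) leaves a virtual AP with no SSID and no error. The following Python script is an added example, not Aruba code and not part of the original guide: it parses the page's CLI fragments (embedded as a constructed sample, with the sid-profile typo kept on purpose) into profiles keyed by kind and name, checks that every reference resolves, flags WEP, TKIP and open SSID profiles and virtual APs with no AAA profile, and models the role derivation of the set role condition Role value-of rule. HEADERS, REFS, VAP_KEYS and WEAK_OPMODES cover only the keywords this page uses and are assumptions about the syntax, not the full ArubaOS grammar.

```python
"""Added example (not Aruba code): consistency linter for this page's WLAN/AAA CLI."""
from collections import defaultdict

# Constructed sample assembled from the page's CLI fragments; the page's own
# "sid-profile" typo on the second-floor virtual AP is left in on purpose.
SAMPLE_CONFIG = """\
vlan 60
vlan 61
vlan 63
aaa authentication dot1x dot1x
aaa server-group internal
  set role condition Role value-of
aaa profile aaa_dot1x
  dot1x-default-role student
  authentication-dot1x dot1x
  dot1x-server-group internal
wlan ssid-profile WLAN-01
  opmode wpa-tkip
wlan ssid-profile guest
  wepkey1 aaaaaaaaaa
  opmode static-wep
wlan virtual-ap WLAN-01_first-floor
  vlan 60
  aaa-profile aaa_dot1x
  ssid-profile WLAN-01
wlan virtual-ap WLAN-01_second-floor
  vlan 61
  aaa-profile aaa_dot1x
  sid-profile WLAN-01
wlan virtual-ap guest
  vlan 63
  ssid-profile guest
ap-group first-floor
  virtual-ap WLAN-01_first-floor
  virtual-ap guest
"""
# Block-opening commands -> object kind.  HEADERS, REFS and VAP_KEYS cover only
# the keywords this page uses (an assumption, not the full ArubaOS grammar).
HEADERS = {"vlan": "vlan", "aaa authentication dot1x": "dot1x",
           "aaa server-group": "server-group", "aaa profile": "aaa-profile",
           "wlan ssid-profile": "ssid-profile", "wlan virtual-ap": "virtual-ap",
           "ap-group": "ap-group"}
REFS = {  # kind -> {keyword: kind of object that keyword must name}
    "aaa-profile": {"authentication-dot1x": "dot1x", "dot1x-server-group": "server-group"},
    "virtual-ap": {"vlan": "vlan", "ssid-profile": "ssid-profile", "aaa-profile": "aaa-profile"},
    "ap-group": {"virtual-ap": "virtual-ap"}}
VAP_KEYS = {"vlan", "aaa-profile", "ssid-profile", "vap-enable", "forward-mode"}
WEAK_OPMODES = {"opensystem", "static-wep", "dynamic-wep", "wpa-tkip", "wpa-psk-tkip"}


def parse(text):
    """Return cfg[kind][name] -> {keyword: [values]} for one config text."""
    cfg, current = defaultdict(dict), None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():  # indented line: keyword inside the open block
            key, _, value = raw.strip().partition(" ")
            current.setdefault(key, []).append(value)
            continue
        words = raw.split()
        for n in (3, 2, 1):  # longest header prefix wins
            kind = HEADERS.get(" ".join(words[:n]))
            if kind:
                current = cfg[kind].setdefault(" ".join(words[n:]), {})
                break
        else:
            raise ValueError(f"unrecognised command: {raw}")
    return cfg


def lint(cfg):
    """Return a list of findings; an empty list means the config is coherent."""
    out = []
    for kind, refs in REFS.items():  # every cross-reference must resolve
        for name, obj in cfg[kind].items():
            for key, target in refs.items():
                for ref in obj.get(key, []):
                    if ref not in cfg[target]:
                        out.append(f"{kind} {name}: {key} {ref} does not exist")
    for name, ssid in cfg["ssid-profile"].items():
        mode = ssid.get("opmode", ["opensystem"])[0]  # ArubaOS default is open
        if mode in WEAK_OPMODES:
            out.append(f"ssid-profile {name}: opmode {mode} is broken or unencrypted")
    for name, vap in cfg["virtual-ap"].items():
        for key in sorted(set(vap) - VAP_KEYS):
            out.append(f"virtual-ap {name}: unknown keyword '{key}' (typo?)")
        if "ssid-profile" not in vap:
            out.append(f"virtual-ap {name}: no ssid-profile bound")
        if "aaa-profile" not in vap:
            out.append(f"virtual-ap {name}: no aaa-profile, so no 802.1X on this SSID")
    return out


def derive_role(cfg, aaa_profile, db_role=None):
    """Model the rule 'set role condition Role value-of': an authenticated client
    gets its internal-database role, or the dot1x-default-role if none is stored."""
    prof = cfg["aaa-profile"][aaa_profile]
    rules = cfg["server-group"][prof["dot1x-server-group"][0]].get("set", [])
    if db_role and "role condition Role value-of" in rules:
        return db_role
    return prof["dot1x-default-role"][0]
```

lint(parse(SAMPLE_CONFIG)) returns five findings: the two legacy ciphers, the unknown keyword sid-profile and the consequently unbound SSID on the second-floor virtual AP, and the guest virtual AP running without an AAA profile. derive_role(cfg, "aaa_dot1x", "faculty") returns faculty, while a user with no stored role gets student. To run the same checks against a live managed device, feed parse the relevant blocks of its configuration; the parser raises on any command outside HEADERS, so extend that table before pasting in a full running configuration.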

Configuring VLANs

In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to VLAN 63. VLANs 60 and 61 split users into smaller IP subnetworks, improving performance by decreasing broadcast traffic. The VLANs are internal to the Aruba managed device only and do not extend into other parts of the wired network. The default gateway of the client is the Aruba managed device, which routes traffic out to the 10.1.1.0 subnetwork.

You configure the VLANs, assign IP addresses to each VLAN, and establish the “helper address” to which client DHCP requests are forwarded.

The following procedure describes how to configure VLANs:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Interfaces > VLANs page. Click + to add VLAN_60.
    1. Enter a VLAN name.
    2. For VLAN ID, enter 60.
    3. Click Submit.
    4. Repeat the previous three sub-steps to add VLAN_61 (VLAN ID 61) and VLAN_63 (VLAN ID 63).
  2. To configure IP parameters for the VLANs, navigate to the Configuration > Interfaces > VLANs page.
    1. Select VLAN_60.
    2. Under VLANs > VLAN_60 table, select the VLAN ID, 60. Click IPv4.
    3. For IP address, enter 10.1.60.1.
    4. For Net Mask, enter 255.255.255.0.
    5. Click Submit.
  3. To configure IP parameters for the VLANs, navigate to the Configuration > Interfaces > VLANs page.
    1. Select VLAN_61.
    2. Under VLANs > VLAN_61 table, select the VLAN ID, 61. Click IPv4.
    3. For IP Address, enter 10.1.61.1.
    4. For Net Mask, enter 255.255.255.0.
    5. Click Submit.
  4. To configure IP parameters for the VLANs, navigate to the Configuration > Interfaces > VLANs page.
    1. Select VLAN_63.
    2. Under VLANs > VLAN_63 table, select the VLAN ID, 63. Click IPv4.
    3. For IP Address, enter 10.1.63.1.
    4. For Net Mask, enter 255.255.255.0.
    5. Click Submit.
  5. Select the IP Routes tab.
    1. Click + in the Static Default Gateway table.
    2. For IP address, enter 10.1.1.254.
    3. Click Submit.
  6. Click Pending Changes.
  7. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure VLANs:

(host)[mynode](config) #vlan 60

(host)[mynode](config) #interface vlan 60

ip address 10.1.60.1 255.255.255.0

ip helper-address 10.1.1.25

 

(host)[mynode](config) #vlan 61

(host)[mynode](config) #interface vlan 61

ip address 10.1.61.1 255.255.255.0

ip helper-address 10.1.1.25

 

(host)[mynode](config) #vlan 63

(host)[mynode](config) #interface vlan 63

ip address 10.1.63.1 255.255.255.0

ip helper-address 10.1.1.25

 

(host)[mynode](config) #ip default-gateway 10.1.1.254
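
The VLAN commands above define only the client-facing interfaces; whether the addressing actually works depends on facts the commands do not state, such as the helper address lying outside the VLAN it serves, the subnets not overlapping, and the default gateway being reachable through some connected subnet. The following Python script is an added example, not Aruba code and not part of the original guide: it parses the page's VLAN commands (embedded as a constructed sample with the prompts removed) using the standard ipaddress module and applies the checks a reviewer would otherwise do by hand. Run against the page's example it reports exactly one finding, that 10.1.1.254 is not on VLAN 60, 61 or 63; this is expected, because the uplink interface through which the managed device reaches the 10.1.1.0 subnetwork is not shown in the example, and it is the kind of omission worth confirming before deploying.

```python
"""Added example (not Aruba code): Layer-3 sanity checks for the VLAN interface
and default-gateway commands shown on this page, standard library only."""
import ipaddress

# Constructed sample: the page's VLAN CLI with the prompts removed.
SAMPLE = """\
interface vlan 60
  ip address 10.1.60.1 255.255.255.0
  ip helper-address 10.1.1.25
interface vlan 61
  ip address 10.1.61.1 255.255.255.0
  ip helper-address 10.1.1.25
interface vlan 63
  ip address 10.1.63.1 255.255.255.0
  ip helper-address 10.1.1.25
ip default-gateway 10.1.1.254
"""


def parse_l3(text):
    """Return ({vlan_id: {"net": IPv4Interface or None, "helpers": [IPv4Address]}}, gateway)."""
    ifaces, gateway, cur = {}, None, None
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["interface", "vlan"]:
            cur = ifaces.setdefault(int(words[2]), {"net": None, "helpers": []})
        elif words[:2] == ["ip", "address"] and cur is not None:
            cur["net"] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")  # addr/mask
        elif words[:2] == ["ip", "helper-address"] and cur is not None:
            cur["helpers"].append(ipaddress.IPv4Address(words[2]))
        elif words[:2] == ["ip", "default-gateway"]:
            gateway = ipaddress.IPv4Address(words[2])
    return ifaces, gateway


def check_l3(ifaces, gateway):
    """Return a list of findings for the parsed interfaces; empty means clean."""
    out = []
    for vid, i in ifaces.items():
        net = i["net"]
        if net is None:
            out.append(f"vlan {vid}: no ip address configured")
            continue
        if net.ip in (net.network.network_address, net.network.broadcast_address):
            out.append(f"vlan {vid}: {net.ip} is the network or broadcast address of {net.network}")
        if not i["helpers"]:
            out.append(f"vlan {vid}: no ip helper-address, client DHCP requests are not relayed")
        for h in i["helpers"]:  # a relay target on the same VLAN needs no relay
            if h in net.network:
                out.append(f"vlan {vid}: helper {h} is on the VLAN itself")
    nets = {vid: i["net"].network for vid, i in ifaces.items() if i["net"] is not None}
    vids = sorted(nets)
    for pos, a in enumerate(vids):  # every pair of client subnets must be disjoint
        for b in vids[pos + 1:]:
            if nets[a].overlaps(nets[b]):
                out.append(f"vlan {a} and vlan {b}: {nets[a]} and {nets[b]} overlap")
    if gateway is not None and not any(gateway in n for n in nets.values()):
        out.append(f"default-gateway {gateway} is not on any configured VLAN interface")
    return out
```

check_l3(*parse_l3(SAMPLE)) is the call to make after editing the VLAN section; the overlap and broadcast-address checks matter most when a third VLAN is added later with a mask copied from the wrong template.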

Configuring WLANs

In this example, default AP parameters for the entire network are as follows: the default ESSID is WLAN-01 and the encryption mode is TKIP. A second ESSID called guest has the encryption mode set to static WEP with a configured WEP key.

In this example, the non-guest clients that associate to an AP are mapped into one of two different user VLANs. The initial AP to which the client associates determines the VLAN: clients that associate to APs in the first floor of the building are mapped to VLAN 60, and clients that associate to APs in the second floor of the building are mapped to VLAN 61. Therefore, the APs in the network are segregated into two AP groups, named first-floor and second-floor. (See AP Groups for information about creating AP groups.) The guest clients are mapped into VLAN 63.

Configuring the Guest WLAN

You create and configure the virtual AP profile guest and apply the profile to each AP group. The guest virtual AP profile contains the SSID profile guest, which configures static WEP with a WEP key.

The following procedure describes how to configure the guest WLAN:

  1. In a Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
  2. Under All Profiles, select Wireless LAN and then select SSID.
  3. Click + in the SSID Profile: New Profile. Enter the Profile Name and ESSID as guest.
  4. For Encryption, select static-wep. Click Submit.
  5. Select Virtual AP under Wireless LAN.
  6. Click + in the Virtual AP Profile: New Profile.
  7. Enter the Profile Name as guest and select Virtual AP enable. Enter 63 for VLAN.
  8. Click Submit.
  9. Select the Virtual AP created and select SSID. Select guest from the SSID profile drop-down list. Click Submit.
  10. Navigate to Configuration > AP groups.
  11. In the AP Groups list, select an AP group. In the APgroups > <name of the group> table, click the WLANs tab.
  12. Click +.
  13. Select the Virtual AP guest from the Virtual - AP drop-down list. Click Submit.
  14. Click Submit.
  15. Click Pending Changes.
  16. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the guest WLAN:

(host)[mynode](config) #wlan ssid-profile guest
essid guest
wepkey1 aaaaaaaaaa
opmode static-wep

(host)[mynode](config) #wlan virtual-ap guest
vlan 63
ssid-profile guest

(host)[mynode](config) #ap-group first-floor
virtual-ap guest

(host)[mynode](config) #ap-group second-floor
virtual-ap guest

Configuring the Non-Guest WLANs

You create and configure the SSID profile "WLAN-01" with the ESSID "WLAN-01" and WPA-TKIP encryption. You need to create and configure two virtual AP profiles: one with VLAN 60 for the first-floor AP group and the other with VLAN 61 for the second-floor AP group. Each virtual AP profile references the SSID profile "WLAN-01" and the previously-configured AAA profile "aaa_dot1x". The wpa-tkip opmode is retained to match the example; TKIP is deprecated, and a production 802.1X WLAN should use wpa2-aes or a WPA3 opmode instead.

The following procedure describes how to configure the non-guest WLANs:

  1. In a Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
  2. Under All Profiles, select Wireless LAN and then select SSID.
  3. Click + in the SSID Profile: New Profile. Enter the Profile Name and ESSID as WLAN-01.
  4. For Encryption, select wpa-tkip. Click Submit.
  5. Select Virtual AP under Wireless LAN.
  6. Click + in the Virtual AP Profile: New Profile.
  7. Enter a Profile Name for the first floor AP and select Virtual AP enable. Enter 60 for VLAN.
  8. Click Submit.
  9. Select the Virtual AP created and select SSID. Select WLAN-01 from the SSID profile drop-down list. Click Submit.
  10. Select the Virtual AP created and select AAA profile. Select the previously-configured aaa_dot1x profile from the AAA drop-down list.
  11. Repeat steps 5 to 10 to create the second-floor Virtual AP and associate the SSID and AAA profiles with it. Enter 61 for VLAN.
  12. Navigate to Configuration > AP groups.
  13. In the AP Groups list, select first-floor. In the APgroups > first-floor table, click the WLANs tab.
  14. Click +.
  15. Select the Virtual AP created for first-floor from the Virtual-Ap drop-down list. Click Submit.
  16. Repeat steps 13 to 15 for the second-floor AP group, selecting the Virtual AP created for second-floor from the Virtual-Ap drop-down list.
  17. Click Submit.
  18. Click Pending Changes.
  19. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the non-guest WLANs:

(host)[mynode](config) #wlan ssid-profile WLAN-01
essid WLAN-01
opmode wpa-tkip

(host)[mynode](config) #wlan virtual-ap WLAN-01_first-floor
vlan 60
aaa-profile aaa_dot1x
ssid-profile WLAN-01

(host)[mynode](config) #wlan virtual-ap WLAN-01_second-floor
vlan 61
aaa-profile aaa_dot1x
ssid-profile WLAN-01

(host)[mynode](config) #ap-group first-floor
virtual-ap WLAN-01_first-floor

(host)[mynode](config) #ap-group second-floor
virtual-ap WLAN-01_second-floor
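
As an added example (not part of the ArubaOS documentation or product), the following Python script lints CLI snippets in the form shown for the guest and non-guest WLANs above before they are pasted into a controller: it resolves the references between ap-group, virtual-ap, ssid-profile and aaa profile blocks, flags WEP and TKIP opmodes, and reports sub-commands it does not recognize, which is how a typo such as "sid-profile" in a virtual AP block would be caught. The accepted sub-command lists, the prompt pattern and the embedded configuration are this example's own assumptions; the sample config is constructed from the page's snippets, with the "sid-profile" typo left in and an aaa profile added so the aaa_dot1x reference resolves.

```python
"""Offline checks for ArubaOS-style WLAN CLI snippets (added example, not Aruba code)."""
import re

PROMPT = re.compile(r"^\([^)]*\)\s*\[[^\]]*\]\s*\(config\)\s*#\s*")  # "(host)[mynode](config) #"

# Block kinds handled and the sub-commands accepted inside each: an assumed subset
# of the ArubaOS grammar, enough for this page; anything else is flagged as a typo.
KNOWN = {
    "wlan ssid-profile": {"essid", "opmode", "wepkey1", "wpa-passphrase"},
    "wlan virtual-ap": {"vlan", "aaa-profile", "ssid-profile", "vap-enable"},
    "ap-group": {"virtual-ap"},
    "aaa profile": {"initial-role", "dot1x-default-role", "l2-auth-fail-through"},
}


def parse_config(text):
    """Parse into {(kind, name): {keyword: [values]}}; a bare flag stores "".
    A block ends at the next header or at a running-config "!"; re-entering a
    block (ap-group first-floor appears twice on the page) appends to it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if line == "!":
            current = None
            continue
        kind = next((k for k in KNOWN if line.startswith(k + " ")), None)
        if kind:
            current = blocks.setdefault((kind, line[len(kind):].strip().strip('"')), {})
            continue
        if current is None:
            raise ValueError(f"sub-command outside any block: {line!r}")
        keyword, _, value = line.partition(" ")
        current.setdefault(keyword, []).append(value.strip().strip('"'))
    return blocks


def lint(blocks):
    """Return sorted (kind, name, message) findings for parsed blocks."""
    findings = []
    defined = {k: {n for (bk, n) in blocks if bk == k} for k in KNOWN}

    def ref(kind, name, attrs, keyword, target, missing):
        value = attrs.get(keyword, [None])[0]
        if value is None:
            findings.append((kind, name, missing))
        elif value not in defined[target]:
            findings.append((kind, name, f"{keyword} {value!r} is not defined in this config"))

    for (kind, name), attrs in blocks.items():
        for keyword in attrs:
            if keyword not in KNOWN[kind]:
                findings.append((kind, name, f"unrecognized sub-command {keyword!r} (typo?)"))
        if kind == "wlan ssid-profile":
            opmode = attrs.get("opmode", [None])[0]
            # WEP (static or dynamic) and TKIP are broken or deprecated. An explicit
            # opensystem is a visible design decision and passes; a missing opmode does not.
            if opmode is None or "wep" in opmode or "tkip" in opmode:
                findings.append((kind, name, f"weak or missing opmode {opmode!r}; use wpa2-aes or a wpa3 mode"))
        elif kind == "wlan virtual-ap":
            ref(kind, name, attrs, "ssid-profile", "wlan ssid-profile", "no ssid-profile set")
            ref(kind, name, attrs, "aaa-profile", "aaa profile",
                "no aaa-profile set; the VAP falls back to the 'default' AAA profile")
        elif kind == "ap-group":
            for vap in attrs.get("virtual-ap", []):
                if vap not in defined["wlan virtual-ap"]:
                    findings.append((kind, name, f"virtual-ap {vap!r} is not defined in this config"))
    return sorted(findings)


# Constructed input: the page's guest and non-guest snippets, including the
# "sid-profile" typo, plus an aaa profile so the aaa_dot1x reference resolves.
PAGE_CONFIG = """\
(host)[mynode](config) #aaa profile aaa_dot1x
(host)[mynode](config) #wlan ssid-profile WLAN-01
essid WLAN-01
opmode wpa-tkip
(host)[mynode](config) #wlan virtual-ap WLAN-01_first-floor
vlan 60
aaa-profile aaa_dot1x
ssid-profile WLAN-01
(host)[mynode](config) #wlan virtual-ap WLAN-01_second-floor
vlan 61
aaa-profile aaa_dot1x
sid-profile WLAN-01
(host)[mynode](config) #wlan ssid-profile guest
essid guest
wepkey1 aaaaaaaaaa
opmode static-wep
(host)[mynode](config) #wlan virtual-ap guest
vlan 63
ssid-profile guest
(host)[mynode](config) #ap-group first-floor
virtual-ap WLAN-01_first-floor
virtual-ap guest
"""

if __name__ == "__main__":
    print(*lint(parse_config(PAGE_CONFIG)), sep="\n")
```

Running the file prints five findings for the page's configuration: the two weak opmodes (wpa-tkip and static-wep), the unrecognized sid-profile sub-command, the missing ssid-profile reference that results from it on the second-floor virtual AP, and the guest virtual AP having no AAA profile. The parser also accepts `show running-config` style output (indented sub-commands, quoted names, "!" block terminators), so the same checks can be run against what the controller actually holds after the changes are deployed.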

Configuring Mixed Authentication Modes

Use the l2-auth-fail-through command to perform mixed authentication, which combines MAC authentication and 802.1X authentication. With l2-auth-fail-through enabled in the AAA profile, a client that fails MAC authentication is still allowed to attempt 802.1X authentication instead of being denied.

By default, l2-auth-fail-through is disabled.

Table 1: Mixed Authentication Modes

Authentication          1            2               3            4            5               6
MAC authentication      Success      Success         Success      Fail         Fail            Fail
802.1X authentication   Success      Fail            -            Success      Fail            -
Association             dynamic-wep  No Association  static-wep   dynamic-wep  No Association  static-wep
Role Assignment         802.1X       -               MAC          802.1X       -               logon

Table 1 describes the different authentication possibilities. A dash marks a cell that is empty in the table: in cases 3 and 6 the client associates with static WEP, so 802.1X is not attempted and the role comes from MAC authentication (case 3) or falls back to the logon role (case 6); in cases 2 and 5 the client does not associate, so no role is assigned.

The following CLI commands enable mixed authentication on an AAA profile:

(host) [mynode] (config) #aaa profile test
l2-auth-fail-through