Configuring Security Settings for a Wired Profile

 

If you are creating a new wired profile, complete the Wired Settings and VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. procedures before specifying the security settings. For more information, see Configuring Wired Settings and Enforcing DHCP.

Configuring Security Settings for a Wired Employee Network

You can configure security parameters for the Employee network by using the Instant WebUI or the CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions..

In the Old WebUI

To configure security parameters for the Employee network:

1. Configure the following parameters in the Security tab.

Port type—To support trusted ports in an Instant AP, select Trusted. When the Port type is trusted, MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. and 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication parameters cannot be configured. The Port Type is Untrusted by default.

In a trusted mode, Instant APs will not create any user entry. A predefined ACL Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. is applied to the trusted port in order to control the client traffic that needs to be source NATed.

MAC authentication—To enable MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication, select Enabled. The MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network.  authentication is disabled by default.

802.1X authentication—To enable 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication, select Enabled. The 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication is disabled by default.

MAC authentication fail-thru—To enable authentication fail-thru, select Enabled. When this feature is enabled, 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication is attempted when MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication fails. The MAC authentication fail-thru check box is displayed only when both MAC authentication and 802.1X authentication are Enabled.

Select any of the following options for Authentication server 1:

New—On selecting this option, an external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server must be configured to authenticate the users. For information on configuring an external server, see Configuring an External Server for Authentication.Aruba Instant 8.6.0.0 Online Help Center Help Center

Internal server— If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. Click the Users link to add users. For information on adding a user, see Overview of Instant AP Users.

Accounting—Select any of the following options:

Disabled—Disables accounting.

Use authentication servers—When selected, the authentication servers configured for the wired profile are used for accounting purposes.

Use separate servers—Allows you to configure separate accounting servers.

Accounting interval—Allows you set an accounting interval within the range of 0–60 minutes for sending interim accounting information to the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

Reauth interval—Specify the interval at which all associated and authenticated clients must be reauthenticated.

Load balancing—Set this to Enabled if you are using two RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication servers, so that the load across the two RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers.

 

The Accounting parameter does not appear if the Internal server option is selected as the authentication server.

2. Click Next. The Access tab details are displayed.

In the New WebUI

To configure security parameters for the Employee network:

1. Configure the following parameters in the Configuration > Networks > Security tab.

Port type—To support trusted ports in an Instant AP, select Trusted. When the Port type is trusted, MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. and 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication parameters cannot be configured. The Port Type is Untrusted by default.

In a trusted mode, Instant APs will not create any user entry. A predefined ACL Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. is applied to the trusted port in order to control the client traffic that needs to be source NATed.

MAC authentication—Click the toggle switch to enable MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication. The MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network.  authentication is disabled by default.

802.1X authentication—Click the toggle switch to enable 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication. The 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication is disabled by default.

MAC authentication fail-thru—Click the toggle switch to enable authentication fail-thru. When this feature is enabled, 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication is attempted when MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication fails. The MAC authentication fail-thru option is displayed only when both MAC authentication and 802.1X authentication parameters are enabled.

Select an existing RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication server or + in the Authentication server 1 drop-down list. When+ is selected, an external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server must be configured to authenticate the users. For information on configuring an external server, see Configuring an External Server for Authentication.Aruba Instant 8.6.0.0 Online Help Center Help Center

Accounting—Select any of the following options.

Disabled—Disables accounting.

Use authentication servers—When selected, the authentication servers configured for the wired profile are used for accounting purposes.

Use separate servers—Allows you to configure separate accounting servers.

Accounting interval—Allows you set an accounting interval within the range of 0–60 minutes for sending interim accounting information to the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

Reauth interval—Specify the interval at which all associated and authenticated clients must be reauthenticated.

Load balancing—Click the toggle switch if you are using two RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication servers, so that the load across the two RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers.

 

The Accounting parameter does not appear if the Internal serveroption is selected as the authentication server.

2. Click Next. The Access tab details are displayed.

In the CLI

To configure security settings for an employee network:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# mac-authentication

(Instant AP)(wired ap profile <name>)# l2-auth-failthrough

(Instant AP)(wired ap profile <name>)# auth-server <name>

(Instant AP)(wired ap profile <name>)# server-load-balancing

(Instant AP)(wired ap profile <name>)# radius-accounting

(Instant AP)(wired ap profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant AP)(wired ap profile <name>)# radius-interim-accounting-interval <minutes>

(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>

(Instant AP)(wired ap profile <name>)# trusted