Configuring Security Settings for a Wired Profile
If you are creating a new wired profile, complete the Wired Settings and VLAN procedures before specifying the security settings. For more information, see Configuring Wired Settings and Enforcing DHCP.
Configuring Security Settings for a Wired Employee Network
You can configure security parameters for the Employee network by using the Instant WebUI or the CLI.
In the Old WebUI
To configure security parameters for the Employee network:
1. Configure the following parameters in the tab.
—To support trusted ports in an Instant AP, select . When the Port type is trusted, MAC and 802.1X authentication parameters cannot be configured. The Port Type is by default.
In a trusted mode, Instant APs will not create any user entry. A predefined ACL is applied to the trusted port in order to control the client traffic that needs to be source NATed.
—To enable MAC authentication, select . The MAC authentication is disabled by default.
—To enable 802.1X authentication, select . The 802.1X authentication is disabled by default.
—To enable authentication fail-thru, select . When this feature is enabled, 802.1X authentication is attempted when MAC authentication fails. The check box is displayed only when both and are .
Select any of the following options for Authentication server 1:
New—On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring an External Server for Authentication.
Aruba Instant 8.6.0.0 Online Help Center
— If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add users. For information on adding a user, see Overview of Instant AP Users.
—Select any of the following options:
—Disables accounting.
—When selected, the authentication servers configured for the wired profile are used for accounting purposes.
—Allows you to configure separate accounting servers.
—Allows you to set an accounting interval within the range of 0–60 minutes for sending interim accounting information to the
Reauth interval—Specify the interval at which all associated and authenticated clients must be reauthenticated.
—Set this to if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers.
The parameter does not appear if the option is selected as the authentication server.
2. Click . The Access tab details are displayed.
In the New WebUI
To configure security parameters for the Employee network:
1. Configure the following parameters in the > > tab.
—To support trusted ports in an Instant AP, select . When the Port type is trusted, MAC and 802.1X authentication parameters cannot be configured. The Port Type is by default.
In a trusted mode, Instant APs will not create any user entry. A predefined ACL is applied to the trusted port in order to control the client traffic that needs to be source NATed.
—Click the toggle switch to enable MAC authentication. The MAC authentication is disabled by default.
—Click the toggle switch to enable 802.1X authentication. The 802.1X authentication is disabled by default.
—Click the toggle switch to enable authentication fail-thru. When this feature is enabled, 802.1X authentication is attempted when MAC authentication fails. The option is displayed only when both and parameters are enabled.
Select an existing RADIUS authentication server or in the Authentication server 1 drop-down list. When is selected, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring an External Server for Authentication.
—Select any of the following options.
—Disables accounting.
—When selected, the authentication servers configured for the wired profile are used for accounting purposes.
—Allows you to configure separate accounting servers.
—Allows you to set an accounting interval within the range of 0–60 minutes for sending interim accounting information to the
Reauth interval—Specify the interval at which all associated and authenticated clients must be reauthenticated.
—Click the toggle switch if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers.
The parameter does not appear if the option is selected as the authentication server.
2. Click . The Access tab details are displayed.
In the CLI
To configure security settings for an employee network:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# l2-auth-failthrough
(Instant AP)(wired ap profile <name>)# auth-server <name>
(Instant AP)(wired ap profile <name>)# server-load-balancing
(Instant AP)(wired ap profile <name>)# radius-accounting
(Instant AP)(wired ap profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(wired ap profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# trusted
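A pre-deployment check for the constraints this page states, as an added example (not Aruba code): it reads commands typed in the CLI syntax above and flags combinations the page rules out. The profile and server names are constructed, `dot1x` as the 802.1X enable command is an assumption because the page's CLI list does not show it, and the two parameters required for fail-thru are read here as MAC and 802.1X authentication.

```python
import re

# Strips prompts such as "(Instant AP)(wired ap profile lab-wired)# ".
PROMPT = re.compile(r"^\(Instant AP\)\([^)]*\)#\s*")

def parse_profile(text):
    """Split one profile's commands into bare flags and commands with a value."""
    flags, values = set(), {}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("wired-port-profile"):
            continue
        cmd, _, arg = line.partition(" ")
        if arg.strip():
            values.setdefault(cmd, []).append(arg.strip())
        else:
            flags.add(cmd)
    return flags, values

def check_profile(text):
    """Return findings for combinations the page says are not valid."""
    flags, values = parse_profile(text)
    mac = "mac-authentication" in flags
    dot1x = "dot1x" in flags  # assumed command name, not shown on the page
    findings = []
    if "trusted" in flags and (mac or dot1x):
        findings.append("trusted port: MAC and 802.1X authentication cannot be configured")
    if "l2-auth-failthrough" in flags and not (mac and dot1x):
        findings.append("l2-auth-failthrough needs MAC and 802.1X authentication enabled")
    if "server-load-balancing" in flags and len(values.get("auth-server", [])) < 2:
        findings.append("server-load-balancing is meant for two authentication servers")
    for v in values.get("radius-interim-accounting-interval", []):
        if not v.isdigit() or not 0 <= int(v) <= 60:
            findings.append(f"interim accounting interval {v!r} is outside 0-60 minutes")
    return findings

# Constructed sample; the profile and server names are made up for illustration.
SAMPLE = """\
(Instant AP)(config)# wired-port-profile lab-wired
(Instant AP)(wired ap profile lab-wired)# mac-authentication
(Instant AP)(wired ap profile lab-wired)# l2-auth-failthrough
(Instant AP)(wired ap profile lab-wired)# auth-server radius-a
(Instant AP)(wired ap profile lab-wired)# server-load-balancing
(Instant AP)(wired ap profile lab-wired)# radius-interim-accounting-interval 90
(Instant AP)(wired ap profile lab-wired)# trusted
"""

if __name__ == "__main__":
    for finding in check_profile(SAMPLE):
        print("FINDING:", finding)
```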