Configuring System Parameters for an IAP

To configure system parameters for an access point (AP), complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the System tab.

    The System page is displayed.

  6. Click the General accordion and configure the following parameters:

    Table 1: System Parameters (each entry gives the Data Pane Item followed by its description)

    Virtual Controller

    This parameter is applicable only to APs that operate in a cluster deployment.

    To configure the virtual controller name and IP address, click the Edit icon and update the name and IP address. The IP address serves as a static IP address for the multi-AP network. When configured, this IP address is automatically provisioned on a shadow interface of the AP that currently holds the virtual controller role. That AP sends three ARP announcements (gratuitous ARP) carrying the static IP address and its own MAC address, so that hosts on the VLAN update their ARP caches and direct traffic for the virtual controller IP to the AP holding the role.

    • Name—Name of the virtual controller.
    • IP address—IPv4 address configured for the virtual controller, in dotted-decimal (a.b.c.d) notation.
    • IPv6 address—IPv6 address configured for the virtual controller. You can configure an IPv6 address for the virtual controller only if the Allow IPv6 Management feature is enabled.
    • Country Code—Displays the country code of the virtual controller.

    IPv6 is the latest version of IP and is suited to large-scale IP networks. IPv6 uses 128-bit addresses, allowing 2^128 (approximately 3.4×10^38) addresses, whereas IPv4 supports only 2^32.

    An IPv6 address is written as eight groups of four hexadecimal digits separated by colons, for example 2001:0db8:0a0b:12f0:0000:0000:0000:0001. The notation can be abbreviated by dropping leading zeros within a group and by replacing a single run of all-zero groups with "::"; the same address can therefore be written 2001:db8:a0b:12f0::1 (2001:db8:a0b:12f0::0:0:1 is an equivalent, less compressed spelling).

    Set Country code for group

    To configure a country code for the AP at the group level, select the country code from the Set Country code for group drop-down list. By default, no country code is configured for the AP device groups.

    When a country code is configured for the group, it takes precedence over the country code setting configured at the device level.

    System Location

    Specify the system location of the AP.

    Timezone

    To configure a time zone, select one from the Timezone drop-down list.

    If the selected time zone observes Daylight Saving Time (DST), the UI displays the message "The selected country observes Daylight Savings Time".

    Preferred Band

    This parameter assigns the RF band that an AP with a single radio uses. Assign a preferred band by selecting an option from the drop-down list.

    Reboot the AP after modifying the radio profile for the change to take effect.

    NTP Server

    This parameter configures the NTP servers for the IAP. Up to four NTP servers can be configured for the AP, separated by commas.

    Time synchronization between the elements of a network is critical for them to interact correctly. Time synchronization allows you to:

    • Trace and track security gaps and network usage, and troubleshoot network issues.
    • Validate certificates, whose validity periods are checked against the local clock.
    • Map an event on one network element to the corresponding event on another.
    • Maintain accurate time for billing services.

    NTP obtains the precise time from a server and disciplines the local clock of each network element. Connectivity to a valid NTP server is required to set the AP clock correctly. If no NTP server is reachable from the AP network, an AP reboot may leave the clock inaccurate, and timestamps in logs and certificate checks drift with it.

    By default, the AP tries to connect to pool.ntp.org to synchronize time. An NTP server can also be provisioned through DHCP option 42. The precedence is: a server configured on this page overrides a server provisioned through DHCP option 42; the DHCP option 42 value is used when no server is configured; and the default pool.ntp.org is used only when neither is present.

    To configure an NTP server, enter the IP address or host name of the NTP server and reboot the AP to apply the configuration change.
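    The precedence and the four-entry limit described above, as an added example (not code from the original page or from HPE Aruba). It validates the comma-separated NTP Server field and returns the servers the AP would actually use, given the configured field and whatever DHCP option 42 delivered; the server names and addresses used in the assertions are constructed.

```python
import ipaddress
import re

# Added example (not from the original page): validates the NTP Server field and
# resolves which servers the AP will use under the documented precedence.
# Sample inputs are constructed for illustration.

DEFAULT_NTP_POOL = "pool.ntp.org"
MAX_NTP_SERVERS = 4
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _is_hostname(text):
    """RFC 1123 style host name check: dot-separated labels, no scheme, port or path."""
    if not 1 <= len(text) <= 253:
        return False
    labels = text.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def parse_ntp_servers(field):
    """Parse the comma-separated NTP Server field into a list of servers.
    Raises ValueError for an empty entry, an invalid entry, or more than four entries."""
    if field is None or not field.strip():
        return []
    servers = [s.strip() for s in field.split(",")]
    if any(not s for s in servers):
        raise ValueError("empty entry in NTP server list")
    if len(servers) > MAX_NTP_SERVERS:
        raise ValueError(f"at most {MAX_NTP_SERVERS} NTP servers are allowed, got {len(servers)}")
    for s in servers:
        if not (_is_ip(s) or _is_hostname(s)):
            raise ValueError(f"invalid NTP server (use an IP address or host name): {s!r}")
    return servers


def effective_ntp_servers(configured_field, dhcp_option42=()):
    """Apply the precedence stated above:
    explicitly configured servers > DHCP option 42 > the default pool.ntp.org."""
    configured = parse_ntp_servers(configured_field)
    if configured:
        return configured
    if dhcp_option42:
        # DHCP option 42 carries a list of IPv4 addresses (RFC 2132).
        return [str(ipaddress.ip_address(a)) for a in dhcp_option42]
    return [DEFAULT_NTP_POOL]
```

    Because the fallback source is DHCP, an AP with no server configured takes its time source from whatever answers DHCP on its VLAN; configuring the servers explicitly removes that dependency, which matters given that certificate validation (and therefore cluster security below) relies on the AP clock.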

    Virtual Controller Netmask

    Virtual Controller Gateway

    Virtual Controller DNS

    Virtual Controller VLAN

    These parameters are applicable only to APs that operate in a cluster deployment.

    The IP address configured for the virtual controller can be in the same subnet as the AP or in a different subnet. Configure the virtual controller VLAN, gateway, and subnet mask only if the virtual controller IP is in a different subnet from the AP.

    Ensure that the virtual controller VLAN is not the same as the native VLAN of the AP.
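    The constraints on the virtual controller address (the IPv6 notation under Virtual Controller, and the subnet, gateway and VLAN rules just above) as an added example that is not code from the original page or from HPE Aruba. It canonicalizes IPv6 spellings with the standard library so that two forms of the same address compare equal, and checks a proposed virtual controller configuration against the stated rules; the addresses and VLAN IDs used are constructed.

```python
import ipaddress

# Added example (not from the original page): checks a virtual controller (VC)
# IP configuration against the constraints stated above. All sample addresses
# and VLAN IDs are constructed for illustration.


def canonical_ipv6(text):
    """Return the fully compressed (RFC 5952) spelling of an IPv6 address, so that
    2001:0db8:0a0b:12f0:0000:0000:0000:0001 and 2001:db8:a0b:12f0::0:0:1 compare equal."""
    return ipaddress.IPv6Address(text).compressed


def check_virtual_controller(ap_ip, ap_netmask, ap_native_vlan, vc_ip,
                             vc_vlan=None, vc_netmask=None, vc_gateway=None):
    """Validate the VC address settings. Returns a list of problems; an empty
    list means the settings are consistent with the rules on this page:
      * the VC IP may be inside or outside the AP's own subnet;
      * VC VLAN, netmask and gateway are required only when it is outside;
      * the VC VLAN must never equal the AP's native VLAN."""
    problems = []
    ap_net = ipaddress.ip_network(f"{ap_ip}/{ap_netmask}", strict=False)
    vc_addr = ipaddress.ip_address(vc_ip)
    if vc_addr.version != ap_net.version:
        problems.append("VC IP and AP IP are different IP versions")
        return problems

    if vc_addr not in ap_net:
        # Different subnet: the VC address needs its own L3 details on the AP.
        missing = [name for name, val in (("VLAN", vc_vlan), ("netmask", vc_netmask),
                                          ("gateway", vc_gateway)) if val is None]
        if missing:
            problems.append("VC IP is outside the AP subnet; missing VC " + ", ".join(missing))
        else:
            vc_net = ipaddress.ip_network(f"{vc_ip}/{vc_netmask}", strict=False)
            if ipaddress.ip_address(vc_gateway) not in vc_net:
                problems.append("VC gateway is not inside the VC subnet")

    if vc_vlan is not None and vc_vlan == ap_native_vlan:
        problems.append("VC VLAN equals the AP native VLAN")
    return problems
```

    Running the check before saving avoids the common failure where the virtual controller IP is placed in another subnet without a VLAN and gateway, which leaves the shadow interface unreachable from beyond the AP's own VLAN.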

    DHCP Option 82 XML

    DHCP Option 82 XML can be customized to the requirements of any ISP using the conductor AP. To allow customization through an XML definition, multiple parameters for the Circuit ID and Remote ID sub-options of DHCP Option 82 are available.

    The XML file is used as the input and is validated against an XSD schema on the conductor AP. The format defined in the XML file is parsed and stored in the DHCP relay, which uses it to insert the Option 82 values into the DHCP request packets relayed from the client to the server.

    For more information, see Configuring DHCP Scopes on IAPs.


    From the drop-down list, select one of the following XML files:

    • default_dhcpopt82_1.xml

    • default_dhcpopt82_2.xml

    • default_dhcpopt82_3.xml

      Execute the show dhcp opt82 CLI command to see detailed information on default_dhcpopt82_3.xml.

      NOTE: default_dhcpopt82_3.xml is supported only on APs running ArubaOS 10.5.1.0 or later versions.

    DHCP Option 82 XML VLAN list

    NOTE: This field is displayed only if default_dhcpopt82_3.xml is selected in the DHCP Option 82 XML field.

    Enter the VLAN IDs. The maximum number of supported VLANs is 128.

    The value can be a range within 1-4094 (for example 10-20), a comma-separated list of IDs, or a combination of both.
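    The field syntax above (ranges, comma-separated IDs, or a mix, capped at 128 VLANs within 1-4094) as an added example that is not code from the original page or from HPE Aruba. The parser expands the field into the set of VLAN IDs and rejects the malformed cases; the formatter produces a canonical spelling, which is useful when diffing configurations pulled from several clusters. The sample inputs are constructed.

```python
# Added example (not from the original page): parses and canonicalizes the
# DHCP Option 82 XML VLAN list field. Sample inputs are constructed.

VLAN_MIN, VLAN_MAX = 1, 4094
MAX_OPT82_VLANS = 128


def _vlan_id(token):
    if not token.isdigit():
        raise ValueError(f"VLAN ID is not a number: {token!r}")
    vid = int(token)
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError(f"VLAN ID {vid} outside {VLAN_MIN}-{VLAN_MAX}")
    return vid


def parse_vlan_list(text):
    """Expand a field such as '10, 20-25,30' into a sorted list of unique VLAN IDs.
    Accepts single IDs, ranges and any mix of the two; rejects malformed tokens,
    IDs outside 1-4094, inverted ranges, and more than 128 VLANs in total."""
    vlans = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty VLAN entry")
        if "-" in token:
            lo_s, hi_s = (part.strip() for part in token.split("-", 1))
            lo, hi = _vlan_id(lo_s), _vlan_id(hi_s)
            if lo > hi:
                raise ValueError(f"inverted VLAN range {token!r}")
        else:
            lo = hi = _vlan_id(token)
        vlans.update(range(lo, hi + 1))
        if len(vlans) > MAX_OPT82_VLANS:
            raise ValueError(f"more than {MAX_OPT82_VLANS} VLANs in list")
    return sorted(vlans)


def format_vlan_list(vlans):
    """Inverse of parse_vlan_list: collapse consecutive IDs back into ranges,
    giving a canonical string that is stable for comparing configurations."""
    ids = sorted(set(vlans))
    parts = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)
```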

    Dynamic CPU Utilization

    APs perform various functions such as wired and wireless client connectivity and traffic forwarding, wireless security, network management, and location tracking. If an AP is overloaded, platform resources must be prioritized across these functions. Normally the AP manages its resources automatically in real time. Under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management setting can be changed.

    To configure dynamic CPU management, select one of the following options from Dynamic CPU Utilization:

    • Automatic—CPU management is enabled or disabled automatically at run time, based on real-time load calculations that take into account all the functions the CPU performs. This is the default and recommended option.
    • Always Disabled in all APs—Disables CPU management on all APs; typically used for small networks. This setting protects the user experience.
    • Always Enabled in all APs—Always protects the client and network management functions. This setting helps in large networks with high client density.

    Auto-Join Mode

    When enabled, APs automatically discover the virtual controller and join the cluster. Auto-Join Mode is enabled by default.

    APs allowed for Auto-Join Mode

    Displays the number of APs allowed to join.

    • Click View Allowed APs to view the details of the APs allowed to join.
    • Click Hide Allowed APs to hide those details.

    When Auto-Join Mode is enabled, any AP that discovers the virtual controller is admitted to the cluster. Disabling Auto-Join Mode restricts membership to the APs on the allowed list, identified by MAC address, so it is the setting that stops an unknown AP on the cluster VLAN from joining. When Auto-Join Mode is disabled on the AP, the list of allowed APs shown in HPE Aruba Networking Central may not be synchronized or up to date; in that case, manually add the APs that may join the cluster in the HPE Aruba Networking Central UI.

    To manually add the list of allowed AP devices, complete the following steps:

    1. Under View Allowed APs, click + in the Allowed APs pane.
    2. In the Add Allowed AP window, enter the MAC address of the AP in the MAC Address field.
    3. Click Save.
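    The admission rule above (Auto-Join on admits every AP; Auto-Join off admits only MAC addresses on the allowed list) as an added example that is not code from the original page or from HPE Aruba. It normalizes the MAC address formats an operator is likely to paste, applies the rule, and reconciles the allowed list against the APs actually present in the cluster, which is the check to run when the list in Central may be out of sync. The MAC addresses used are constructed.

```python
import re

# Added example (not from the original page): normalizes MAC addresses for the
# allowed-AP list and applies the Auto-Join admission rule described above.
# All MAC addresses used here are constructed.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff and
    return the colon-separated lowercase form, so list lookups do not fail on formatting."""
    raw = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


class ClusterAdmission:
    """Models the Auto-Join Mode / allowed-AP list combination."""

    def __init__(self, auto_join=True, allowed=()):
        self.auto_join = auto_join
        self._allowed = {normalize_mac(m) for m in allowed}

    def add(self, mac):
        self._allowed.add(normalize_mac(mac))

    def remove(self, mac):
        self._allowed.discard(normalize_mac(mac))

    def allowed_list(self):
        return sorted(self._allowed)

    def may_join(self, mac):
        """With Auto-Join enabled every AP that discovers the VC is admitted;
        with it disabled only APs on the allowed list are."""
        if self.auto_join:
            return True
        return normalize_mac(mac) in self._allowed

    def reconcile(self, current_members):
        """Compare the allowed list with the APs actually in the cluster. The two
        diverge when APs joined while Auto-Join was enabled or the list in Central
        fell out of sync. Returns members missing from the list and list entries
        not currently present in the cluster."""
        members = {normalize_mac(m) for m in current_members}
        return {
            "members_not_allowed": sorted(members - self._allowed),
            "allowed_not_present": sorted(self._allowed - members),
        }
```

    The allowed list is keyed on MAC address, which is an identifier rather than a cryptographic identity; it controls which APs are admitted, while the Cluster Security setting further down is what protects the control plane traffic between the members once they have joined.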

    Allow IPv6 Management

    Enables IPv6 address configuration for the virtual controller.

    You can configure an IPv6 address for a virtual controller IP only when Allow IPv6 Management feature is enabled.

    Uplink switch native VLAN

    Specifies the native VLAN ID of the upstream switch, so that the AP does not send tagged frames for clients on an SSID whose VLAN is the same as the native VLAN of the switch.

    By default, the AP assumes that the native VLAN of the upstream switch it is connected to is VLAN ID 1.

    Terminal Access

    When enabled, users can access the AP CLI through SSH.

    Login Session Timeout

    Sets the timeout for management login sessions.

    Console Access

    When enabled, users can access the AP through the console port.

    WebUI Access

    If an AP is connected to HPE Aruba Networking Central, this option disables local AP WebUI access and any communication with the AP via HTTPS or SSH. With it enabled, the AP can be managed only from HPE Aruba Networking Central.

    Telnet Server

    When enabled, users can open a Telnet session to the AP CLI. Telnet carries credentials and session data in cleartext, so leave it disabled unless it is specifically needed and use SSH (Terminal Access) instead.

    LED Display

    Enables or disables the LED display for all APs in a cluster.

    The LED display is always enabled while an AP reboots.

    Extended SSID

    Extended SSID is enabled in the factory default settings of APs, which disables mesh in the factory default settings.

    For APs running Aruba InstantOS 8.4.0.0 or later, you can configure up to 14 SSIDs; with Extended SSID enabled, you can create up to 16 networks.

    Advanced Zone

    Turn on the Advanced Zone toggle switch to broadcast the same ESSIDs on APs that are part of the same AP zone in a cluster.

    NOTE: When Advanced Zone is enabled and a zone is already configured with 16 SSIDs, remove the zone from two WLAN SSID profiles before disabling Extended SSID, since disabling it lowers the limit to 14.

    Deny Inter User Bridging

    If security and traffic management policies are defined on upstream devices, you can stop the AP from bridging traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can still reach the Internet but cannot communicate with each other directly; the traffic between them is sent to the upstream device, which makes the forwarding decision and can apply its policies.

    To deny inter-user bridging, turn on the Deny Inter User Bridging toggle switch.

    Optimize inter-VLAN traffic between same-AP clients

    When enabled, traffic between two clients on the same AP but in different VLANs is routed directly by the AP, if the AP is not the clients' default gateway.

    Disable this option if security and traffic management policies (such as policies for blocking, exempting, or monitoring traffic between devices) are defined on upstream devices, because local routing on the AP bypasses them. With the option disabled, routed traffic between the clients is sent to the clients' upstream default gateway, which makes the forwarding decision.

    Dynamic RADIUS Proxy

    If your network has separate RADIUS authentication servers (local and centralized) for user authentication, you can enable Dynamic RADIUS Proxy to route requests to a specific RADIUS server. When Dynamic RADIUS Proxy is enabled, the IP address of the virtual controller is used for communication with external RADIUS servers, so the RADIUS server sees a single client address regardless of which AP the user is associated to. To enable Dynamic RADIUS Proxy, you must configure an IP address for the virtual controller and add it as a NAS client in the RADIUS server profile.

    Dynamic TACACS Proxy

    If you want to route requests to different TACACS servers, enable Dynamic TACACS Proxy. When enabled, the AP cluster uses the IP address of the virtual controller for communication with external TACACS servers.

    If no IP address is configured for the virtual controller, the IP address of the bridge interface is used for communication between the AP and the TACACS servers. However, if a VPN tunnel exists between the Instant AP and the TACACS server, the IP address of the tunnel interface is used.

    Cluster Security

    This parameter needs to be set only for APs that operate in a cluster deployment.

    Enables or disables the cluster security feature. When enabled, control plane communication between the cluster nodes is secured with DTLS, and the Disallow Non-DTLS Members toggle switch appears. Turn that toggle on so that only DTLS-capable member APs are admitted to the DTLS-enabled cluster.

    For secure communication between the cluster nodes, an Internet connection must be available or at least a local NTP server must be configured, because the certificate-based DTLS handshake between nodes depends on correct time.

    After enabling or disabling cluster security, ensure that the configuration is synchronized across all devices in the cluster, and then reboot the cluster.

    The Disallow Non-DTLS Members feature is supported only on APs running Aruba InstantOS 8.4.0.0 or later.

    Low Assurance PKI

    Turn on the toggle switch to allow low assurance devices, that is, APs without a TPM chip, into the network. On such devices the cluster security feature can be enabled only with Low Assurance PKI turned on. For more information on Low Assurance PKI, refer to the Cluster Security section in the Aruba Instant User Guide.

    A device without a TPM holds its private key in software rather than in tamper-resistant hardware, so leave this toggle off unless the cluster actually contains such devices; enabling it lowers the assurance level of the identities the cluster accepts.

    The Low Assurance PKI toggle switch is supported on APs running Aruba InstantOS 6.5.3.0 or later.

    Mobility Access Switch Integration

    Turn on the toggle switch to enable LLDP for Mobility Access Switch integration. With LLDP, APs can instruct the switch to shut down ports where rogue access points are connected, and take actions such as raising PoE priority and automatically configuring VLANs on the ports where APs are connected.

    URL Visibility

    Turn on the toggle switch to enable URL logging for client HTTP and HTTPS sessions. The APs extract URL information and periodically log it to the Analytics and Location Engine (ALE) for DPI and application analytics.

    Restrict uplink port to specified VLANs

    Turn on the toggle switch to restrict the default uplink port settings and apply the settings of the wired port profile defined in enet<X>-port-profile.

    VOIP QOS Trust

    Turn on the toggle switch to trust the DSCP value set by the end-user device for RTP traffic and prioritize the traffic accordingly.

    Swarm Mode

    Allows you to set one of the following operation modes:

    • Cluster—Allows an IAP to operate in the cluster mode. When an IAP operates in the cluster mode, it can form a cluster with other virtual controller IAPs in the same VLAN.

    • Standalone—Allows an IAP to operate in the standalone mode. When an IAP operates in the standalone mode, it cannot join a cluster of IAPs even if the IAP is in the same VLAN.

    • Single-AP—Allows an IAP to operate in single-AP mode, which is designed for deployments with only one AP in the site. This mode is a type of standalone deployment with additional security for an AP that directly faces a WAN connection: when configured as a single AP, the AP neither sends nor receives management frames such as mobility packets, roaming packets, and hierarchy beacons through the uplink port.

    • Cluster(Reboot)—Allows you to reboot the selected cluster immediately.

    • Standalone (Reboot)—Allows you to reboot the selected standalone IAP immediately.

    • Single-AP(Reboot)—Allows you to reboot the selected IAP immediately.

    NOTE: After changing the AP operation mode, ensure that you reboot the IAP.

    UTB Filter Block

    This parameter controls the band on which the Ultra Tri-Band (UTB) filter limitation is applied in the regulatory-domain-profile.

    The UTB filter supports both the 5 GHz and 6 GHz bands. The two options are:

    • 5 GHz - Apply the limitation to the 5 GHz band (upper band blocking).

    • 6 GHz - Apply the limitation to the 6 GHz band (lower band blocking).

    Default value: 6 GHz

    NOTE: The UTB Filter Block is supported only on the AP-635.

    IPv6 Address Generation

    Allows you to change the method with which IPv6 addresses are generated. Currently, there are two supported methods to generate IPv6 addresses.

    PMK Cache Timeout (in hours)

    Sets the PMK (Pairwise Master Key) cache timeout interval, in hours. PMK caching lets a client skip the full 802.1X authentication when it roams to an AP that is a neighbor of its current AP, as long as the cached PMK has not expired. The range is 1-2000 hours; the default is eight hours.

  7. Click Save Settings.

The following animation shows how to configure the system parameters for an AP: