Aruba IAP-204 User Manual

437 pages

To Next Page

To Next Page

Page #1 background image

Loading...

Page #1 background image

User Guide

Aruba Instant

6.5.0.0-4.3.0.0

Table of Contents

Default Chapter3
- Table of Contents3
- Intended Audience9
About this Guide9
- Related Documents9
- Conventions9
- Typographical Conventions10
- Contacting Support10
- Instant Overview12
- Supported IAP Platforms12
About Aruba Instant12
- Supported IAP Variants13
- Instant UI14
- Instant CLI15
- What Is New in this Release15
- Setting up Instant Network18
- Assigning a Static IP19
- Provisioning an IAP19
- Logging in to the Instant UI22
  - Provisioning Iaps through Airwave22
  - Regulatory Domains22
- Accessing the Instant CLI23
- Managed Mode Operations27
- Prerequisites27
Automatic Retrieval of Configuration27
- Configuring Managed Mode Parameters28
- Verifying the Configuration29
- Login Screen31
Instant User Interface31
- Main Window32
- Configuring System Parameters60
Initial Configuration Tasks60
- Changing Password66
- Hashing of Management User Password66
- Modifying the IAP Host Name68
Customizing IAP Settings68
- Configuring Zone Settings on an IAP68
- Specifying a Method for Obtaining IP Address69
- Configuring External Antenna69
- Configuring Radio Profiles for an IAP70
- Configuring Uplink VLAN for an IAP72
- Changing USB Port Status73
- Master Election and Virtual Controller73
- Adding an IAP to the Network75
- Removing an IAP from the Network75
- VLAN Pooling77
- Uplink VLAN Monitoring and Detection on Upstream Devices77
VLAN Configuration77
- Ipv6 Notation78
- Enabling Ipv6 Support for IAP Configuration78
- Firewall Support for Ipv680
- Debugging Commands80
- SNTP over Ipv680
Wireless Network Profiles81
- Configuring Wireless Network Profiles81
- Configuring Fast Roaming for Wireless Clients101
- Configuring Modulation Rates on a WLAN SSID104
- Multi-User-MIMO105
- Management Frame Protection106
- Disabling Short Preamble for Wireless Client106
- Editing Status of a WLAN SSID Profile106
- Editing a WLAN SSID Profile107
- Deleting a WLAN SSID Profile107
- Configuring a Wired Profile108
- Assigning a Profile to Ethernet Ports113
- Editing a Wired Profile113
- Deleting a Wired Profile114
- Link Aggregation Control Protocol114
- Enabling Port-Channel on a Switch114
- Understanding Hierarchical Deployment115
- Understanding Captive Portal117
- Types of Captive Portal117
Captive Portal for Guest Access117
- Configuring a WLAN SSID for Guest Access118
- Configuring Wired Profile for Guest Access124
  - To Configure the Settings for the Wired Profile125
  - To Configure VLAN Settings for a Wired Profile125
- Configuring Internal Captive Portal for Guest Network126
- Internal Captive Portal Configuration Parameters128
- Configuring External Captive Portal for a Guest Network129
- Configuring Facebook Login135
- Configuring Guest Logon Role and Access Rules for Guest Users136
- Configuring Captive Portal Roles for an SSID138
- Configuring Walled Garden Access141
- Disabling Captive Portal Authentication142
Authentication and User Management143
- Managing IAP Users143
  - User Privileges143
  - Configuring IAP Users144
  - Adding a User144
  - Edit or Delete User Settings145
  - Configuring Authentication Parameters for Management Users145
  - Authentication Parameters for Management Users146
  - Adding Guest Users through the Guest Management Interface147
  - Guest Management Interface147
- Supported Authentication Methods148
  - 802.1X Authentication148
  - MAC Authentication with 802.1X Authentication149
  - Captive Portal Authentication149
  - MAC Authentication with Captive Portal Authentication149
  - 802.1X Authentication with Captive Portal Role149
- Supported EAP Authentication Frameworks150
- Authentication Termination on IAP150
- Configuring Authentication Servers151
  - Supported Authentication Servers151
  - Internal RADIUS Server151
  - External RADIUS Server151
  - TACACS Servers155
  - Dynamic Load Balancing between Two Authentication Servers156
  - Configuring an External Server for Authentication156
  - RADIUS Server Configuration Parameters156
  - LDAP Server Configuration Parameters158
  - TACACS Configuration Parameters159
  - Enabling RADIUS Communication over TLS161
  - Configuring Radsec Protocol161
  - Associate the Server Profile with a Network Profile162
  - Configuring Dynamic RADIUS Proxy Parameters162
  - Enabling Dynamic RADIUS Proxy163
  - Associate Server Profiles to a Network Profile164
- Understanding Encryption Types164
  - WPA and WPA-2165
  - Recommended Authentication and Encryption Combinations165
- Configuring Authentication Survivability166
- Enabling Authentication Survivability166
- Configuring 802.1X Authentication for a Network Profile167
  - Configuring 802.1X Authentication for Wireless Network Profiles168
  - Configuring 802.1X Authentication for Wired Profiles168
- Enabling 802.1X Supplicant Support169
- Configuring an IAP for 802.1X Supplicant Support169
- Configuring MAC Authentication for a Network Profile170
  - Configuring MAC Authentication for Wireless Network Profiles171
  - Configuring MAC Authentication for Wired Profiles172
- Configuring MAC Authentication with 802.1X Authentication172
- Configuring MAC and 802.1X Authentications for Wired Profiles173
- Configuring MAC Authentication with Captive Portal Authentication174
- Configuring Wispr Authentication175
- Blacklisting Clients176
  - Blacklisting Clients Manually176
  - Adding a Client to the Blacklist176
  - Blacklisting Users Dynamically177
  - Authentication Failure Blacklisting177
  - Session Firewall-Based Blacklisting177
  - Configuring Blacklist Duration177
- Uploading Certificates179
  - Loading Certificates through Instant UI179
  - Loading Certificates through Instant CLI180
  - Removing Certificates180
  - Loading Certificates through Airwave180
  - Server Certificate181
  - Selecting the Group181
- Firewall Policies182
- Access Control List Rules182
Roles and Policies182
- Access Rule Configuration Parameters184
- Configuring a Source-NAT Access Rule186
- Configuring Network Address Translation Rules186
- Configuring a Destination-NAT Access Rule187
- Configuring Policy-Based Corporate Access187
- Configuring ALG Protocols188
- To Configure Protocols for ALG188
- Configuring Firewall Settings for Protection from ARP Attacks189
- Firewall Settings —Protection against Wired Attacks189
- Configuring Firewall Settings to Disable Auto Topology Rules190
- Configuring Inbound Firewall Rules191
- Inbound Firewall Rules - New Rule Window191
- Managing Inbound Traffic191
- Configuring Management Subnets193
- Configuring Restricted Access to Corporate Network194
- Content Filtering195
  - Enabling Content Filtering195
  - Enabling Content Filtering for a Wireless Profile195
  - Configuring Enterprise Domains196
  - Configuring URL Filtering Policies196
  - Creating a List of Error Page Urls198
  - Creating Custom Error Page for Web Access Blocked by Apprf Policies198
- Configuring User Roles199
- Assigning Bandwidth Contracts to User Roles200
- Configuring Derivation Rules201
  - Configuring Machine and User Authentication Roles201
  - Understanding Role Assignment Rule201
  - DHCP Option and DHCP Fingerprinting202
  - MAC-Address Attribute202
  - RADIUS VSA Attributes202
  - Roles Based on Client Authentication202
  - RADIUS Access-Accept Packets with VSA204
  - Understanding VLAN Assignment204
  - Vendor-Specific Attributes204
  - Configure VSA on a RADIUS Server205
  - Configuring RADIUS Attributes on the RADIUS Server205
  - VLAN Assignment Based on Derivation Rules205
  - Configuring VLAN Derivation Rules206
  - User Role206
  - VLAN Assignment Rule Window206
  - Vlans Created for an SSID206
- Using Advanced Expressions in Role and VLAN Derivation Rules207
  - Assigning User VLAN Roles to a Network Profile209
  - Configuring a User Role for VLAN Derivation209
  - Creating a User VLAN Role209
- Configuring DHCP Scopes211
- Configuring Local DHCP Scopes211
DHCP Configuration211
- Configuring Distributed DHCP Scopes213
- Distributed DHCP Mode Configuration Parameters214
- New DHCP Scope: Distributed DHCP Mode214
- Configuring Centralized DHCP Scopes216
- Configuring the Default DHCP Scope for Client IP Assignment218
  - DHCP Relay and Option 82218
  - DHCP Servers Window219
Configuring Time-Based Services221
- Time Range Profiles221
- Configuring a Time Range Profile221
- Applying a Time Range Profile to a WLAN SSID222
- Time Range Profile Configuration Parameters222
- Verifying the Configuration223
- Enabling Dynamic DNS225
Dynamic DNS Registration225
- Configuring Dynamic DNS Updates for Clients226
- Dynamic DNS Configuration Parameters226
- Verifying the Configuration227
- Understanding VPN Features228
VPN Configuration228
- Configuring a Tunnel from an IAP to a Mobility Controller229
- Configuring Routing Profiles240
- To View L2Tpv3 System Statistics240
IAP-VPN Deployment242
- Understanding IAP-VPN Architecture242
- Configuring IAP and Controller for IAP-VPN Operations245
- ARM Overview253
Adaptive Radio Management253
- Configuring ARM Features on an IAP254
- Configuring Radio Settings260
- Enabling Application Visibility264
Deep Packet Inspection and Application Visibility264
- Application Visibility265
- Enabling URL Visibility270
- Web Reputation Chart: IAP View270
- Configuring ACL Rules for Application and Application Categories270
- Configuring Web Policy Enforcement Service273
- Wi-Fi Multimedia Traffic Management276
- WMM AC to 802.1P Priority Mapping276
Voice and Video276
- Configuring WMM for Wireless Clients277
- Mapping WMM Acs and DSCP Tags277
- WMM AC-DSCP Mapping277
- Classify Media Flag279
- Configuring WMM U-APSD279
- Media Classification for Voice and Video Calls279
- Enabling Enhanced Voice Call Tracking280
- Configuring Airgroup282
Services282
- Airgroup Enables Personal Device Sharing283
- Multicast DNS and Bonjour Services283
- Bonjour Services and Airgroup Architecture284
- DLNA Upnp Support284
- Airgroup Features285
- DLNA Upnp Services and Airgroup Architecture285
- Airgroup in a Higher-Education Environment286
- Airgroup Services286
- Airgroup Components287
- Clearpass Policy Manager and Clearpass Guest Features288
- Configuring Airgroup and Airgroup Services on an IAP288
- Configuring Airgroup and Clearpass Policy Manager Interface in Instant290
- Configuring Change of Authorization (Coa)290
- Configuring Clearpass Policy Manager to Enforce Registration290
- Creating a RADIUS Server290
- Configuring an IAP for RTLS Support291
- ALE with Instant292
- Configuring an IAP for Analytics and Location Engine Support292
- Enabling ALE Support on an IAP292
- Managing BLE Beacons293
  - Verifying ALE Configuration on an IAP293
  - BLE Operation Modes294
- Configuring Opendns Credentials294
- Configuring an IAP for PAN Integration295
- Integrating an IAP with Palo Alto Networks Firewall295
  - Integration with Instant295
  - Configuring an IAP for XML API Integration297
- Integrating an IAP with an XML API Interface297
  - Creating an XML API Request298
  - XML API Command298
- CALEA Integration and Lawful Intercept Compliance299
  - XML API Command Options299
  - CALEA Server Integration300
  - Traffic Flow from IAP to CALEA Server300
  - Client Traffic Replication301
  - Configuring an IAP for CALEA Integration301
  - Creating a CALEA Profile301
  - IAP to CALEA Server through VPN301
  - Creating an Access Rule for CALEA302
  - IAP and Client Monitoring305
  - Image Management305
- Managing an IAP from Airwave305
  - Resetting an IAP305
  - Intrusion Detection System (IDS)306
  - Template-Based Configuration306
  - Trending Reports306
  - Wireless Intrusion Detection System (WIDS) Event Reporting to Airwave306
  - Adding an IAP in Visualrf307
  - Configurable Port for IAP and Airwave Management Server Communication307
  - PSK-Based and Certificate-Based Authentication307
  - RF Visualization Support for Instant307
  - Configuring Airwave Information308
  - Configuring Organization String308
  - Shared Key308
  - Enabling DNS-Based Discovery of the Provisioning AMP Server309
  - Standard DHCP Options 60 and 43 on Windows Server 2008309
  - Alternate Method for Defining Vendor-Specific DHCP Options313
  - Airwave—Monitor314
  - Airwave—New Group314
- Managing IAP from Aruba Central314
  - Maintaining the Subscription List315
  - Provisioning an IAP Using Central315
  - Firmware Maintenance316
  - Ethernet Uplink317
- Uplink Interfaces317
- Uplink Types317
Uplink Configuration317
- Configuring Pppoe Uplink Profile318
- Uplink Status318
- Cellular Uplink319
- Configuring Cellular Uplink Profiles320
- Managing Cellular SIM PIN320
- Configuring a Wi-Fi Uplink Profile321
- Wi-Fi Uplink321
- Enforcing Uplinks322
- Uplink Preferences and Switching322
- Detecting and Classifying Rogue Iaps327
- OS Fingerprinting327
Intrusion Detection327
- Configuring Wireless Intrusion Protection and Detection Levels328
- Configuring IDS333
- Mesh Network Overview334
- Mesh Portals334
Mesh IAP Configuration334
- Setting up Instant Mesh Network335
- Configuring Wired Bridging on Ethernet 0 for Mesh Point335
- Mesh Points335
- Layer-3 Mobility Overview337
Mobility and Client Management337
- Configuring L3-Mobility338
  - Home Agent Load Balancing338
  - Configuring a Mobility Domain for Instant338
- Understanding Spectrum Data340
- Device List340
Spectrum Monitor340
- Device Summary and Channel Information341
- Non-Wi-Fi Interferer Types342
- Non-Wi-Fi Interferers342
- Configuring Spectrum Monitors and Hybrid Iaps346
- Upgrading an IAP348
- Upgrading an IAP and Image Server348
IAP Maintenance348
- Proxy Configuration Window349
- Upgrading an IAP Using Automatic Image Check349
- Upgrading an Image Using CLI350
- Upgrading to a New Version Manually350
- Backing up and Restoring IAP Configuration Data351
- Converting an IAP to a Remote AP and Campus AP352
- Rebooting the IAP358
- Resetting a Remote AP or Campus AP to an IAP358
- Stand-Alone IAP Conversion358
Monitoring Devices and Logs360
- Configuring SNMP360
- Configuring a Syslog Server364
- Syslog Server364
- Configuring TFTP Dump Server365
- Logging Levels365
- Running Debug Commands366
- Uplink Bandwidth Monitoring370
- Understanding Hotspot Profiles372
- Configuring Hotspot Profiles374
- Sample Configuration385
- Creating ANQP and H2QP Advertisement Profiles385
- Mobility Access Switch Overview388
- Mobility Access Switch Integration with an IAP388
Configuring Iaps for Mobility Access Switch Integration389
- Configuring Clearpass Guest390
- Clearpass Guest Setup390
Verifying Clearpass Guest Setup394
- Troubleshooting394
IAP-VPN Deployment Scenarios396
- IAP Configuration397
- Scenario 1-Ipsec: Single Datacenter Deployment with no Redundancy397
- Scenario 2-Ipsec: Single Datacenter with Multiple Controllers for Redundancy401
- Scenario 3-Ipsec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy405
- Scenario 4-GRE: Single Datacenter Deployment with no Redundancy410
- Glossary413
- List of Acronyms and Abbreviations418
- Glossary433

Questions and Answers:

Need help?

Do you have a question about the Aruba IAP-204 and is the answer not in the manual?

Aruba IAP-204 Specifications

General

Model	IAP-204
Wireless Standards	802.11a/b/g/n/ac
Frequency Bands	2.4 GHz and 5 GHz
Maximum Data Rate (5 GHz)	867 Mbps
Maximum Data Rate (2.4 GHz)	300 Mbps
Radio Chains/Streams	2
Antenna	Internal
Ethernet Ports	2
Ethernet Ports (PoE)	1
Ethernet Ports (Total)	2
Power over Ethernet (PoE)	802.3af
Product Name	Instant IAP-204
MIMO	2x2
Power Source	Power over Ethernet or AC adapter
Operating Temperature	0°C to +40°C
Operating Temperature (°F)	32 to 122 °F
Mounting	Wall, ceiling
Radio Technology	Dual Radio

Related product manuals

Preview: Aruba IAP-335

Preview: Aruba Instant On AP22

Aruba Instant On AP22

Preview: Aruba Instant On AP11

Aruba Instant On AP11

Preview: Aruba AP-105

Preview: Aruba 387 Series

Aruba 387 Series

Preview: Aruba 207 Series

Aruba 207 Series