
ARUBA Wireless Network Training
People move. Networks must follow.

Company profile

Market overview: the global leader in secure wireless networking; the world's only publicly listed company specializing in WLAN; #1 ranking among Silicon Valley technology companies; 6500+ customers worldwide.

Aruba product positioning:
- Connectivity: converged mobile applications (QoS, roaming, handovers, location, RFID)
- Secure access: authentication, encryption, intrusion prevention
- Mobile device management: security, battery life, device management
- Wireless LAN coverage: RF management, rogue AP detection
- Security, mobility and user tiers: employees, contractors, guests

Aruba's user-centric network
- High-performance wireless campus network
- Plug-and-play remote access points
- Branch office networks of any size
- Secure enterprise wireless mesh
- RFprotect wireless intrusion prevention (Who, What, Where, When, How?)
- Role-based security policy
- Overlay network security features
- Integrated network access control
- Secure guest access
- Uninterrupted voice calls
- Data session persistence
- Application-aware quality of service
- Location-based applications
- Video optimization

Adaptive WLAN, identity-based security and application-layer quality assurance: Follow-Me Applications, Follow-Me Security, Follow-Me Management, Follow-Me Connectivity - User-Centric Networks.

Unified user and network management
- Multi-vendor device management
- Per-user management and reporting
- Visual wireless heat maps
- Rogue AP identification and location
- Fault-diagnosis expert system

Automatic optimization: an intelligent network that needs no manual intervention.
Adaptive Radio Management (ARM) continuously optimizes the WLAN based on the available spectrum:
- Scans and monitors the spectrum in real time
- Automatically selects the best channel and transmit power to reduce contention and interference, and automatically fills the coverage hole when an AP fails
- Load balancing based on users and traffic
- Band steering for dual-band clients
- Airtime fairness between fast and slow clients
- Load-aware RF scanning
Challenges: physical location, time, available channels. Dynamic RF environment: within a desired coverage area the usable channels are not fixed; they depend on interference, user density and traffic load (lobby, study room, meeting room, office/desk).
Easy to scale: extend the wireless network anywhere, at any time.

Deployment topology (diagram): branch offices and headquarters connected over the Internet; guest Internet access through a DMZ (INTERNET, GUEST, CORP and VOICE segments); DSL router with a GUEST VLAN; split tunneling carries Internet-bound traffic directly; a user-centric built-in firewall (firewall/NAT).

Controller hardware: fan tray, up to 4 M3 Mark I modules, redundant PSUs, 40 x 1000Base-X (SFP), 8 x 10GBase-X (XFP). The industry's most powerful wireless controller: a single unit forwards 80G at line rate and manages 2048 APs. Scales from indoor to outdoor and out to the wider Internet.

Identity-based access control and bandwidth management
User rights = Who (user authentication) + What (authentication method) + When (access time) + Where (access location) + How (client device).
User-based wireless stateful firewall:
- A single physical network device
- Users can be grouped arbitrarily
- Different L2-L7 policy controls per group or user
- Different upstream/downstream bandwidth per user
- Different QoS levels per user
The Aruba firewall detects ICMP, TCP SYN, IP session, IP spoofing, RST relay, ARP and other potential network attacks, automatically blacklists the attacker and drops its wireless connection.

Multiple virtual APs on one infrastructure (diagram): Virtual AP 1 with SSID ABC and Virtual AP 2 with SSID VOICE; standard, free, VIP and voice clients share the mobility controller, access points and AAA infrastructure, each receiving its own privileges, QoS and policy, on the same or different VLANs.

Aruba WLAN architecture (diagram): server, 10/100 Mbps access, L2/L3 network, DHCP server. Communication process:
1. The AP is connected to a switch port on the existing network, powers up and obtains an IP address.
2. The AP learns the loopback IP address of the Aruba controller in one of several ways: static configuration, DHCP option, DNS resolution, multicast or broadcast.
3. The AP and the controller establish a PAPI tunnel (UDP 8211). Over FTP or TFTP the AP compares and downloads its image and configuration from the controller, builds a GRE tunnel to the controller according to that configuration, and begins offering wireless access.
4. Wireless users connect to the SSID; all user traffic is carried through the AP-to-controller GRE tunnel straight to the controller, which performs decryption/encryption, authentication, authorization, policy enforcement and forwarding.

2. Configuring the Aruba wireless controller
- Administrator login (admin/saic_admin): CLI and Web; management accounts
- Network configuration: VLAN, IP address, IP route, IP DHCP
- Security configuration: Policy, Role, AAA
- Wireless configuration: SSID, Virtual AP

Administrator login
Command line:
    User: admin
    Password: *
    (Aruba800) en
    Password: *
    (Aruba800) #configure t
    Enter Configuration commands, one per line. End with CNTL/Z
Web UI: https

Admin account management (mgmt-user):
    (Aruba800) (config) #mgmt-user admin root
    Password: *
    Re-Type password: *
    (Aruba800) (config) #

Network configuration
Configuring a VLAN:
    (Aruba800) (config) #vlan 200
    (Aruba800) (config) #interface fastethernet 1/0
Access mode:
    (Aruba800) (config-if)#switchport access vlan 200
    (Aruba800) (config-if)#switchport mode access
Trunk mode:
    (Aruba800) (config-if)#switchport trunk allowed vlan all
    (Aruba800) (config-if)#switchport mode trunk
    (Aruba800) (config-if)#show vlan
    VLAN CONFIGURATION
    VLAN  Name      Ports
    1     Default   FE1/1-7
    100   VLAN0100  GE1/8
    200   VLAN0200  FE1/0

Configuring the IP address:
    (Aruba800) (config) #interface vlan 200
    (Aruba800) (config-subif)#ip address 54          (VLAN interface)
    (Aruba800) (config-subif)#ip helper-address      (DHCP relay)

Configuring IP routes
Default route:
    (Aruba800) (config) #ip default-gateway
Static route:
    (Aruba800) (config) #ip route
    (Aruba800) (config) #show ip route
    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default
    Gateway of last resort is to network
    S*  /0 1/0 via *
    S   /24 1/0 via *
    C   is directly connected, VLAN1
    C   is directly connected, VLAN100
    C   is directly connected, VLAN200

Configuring the DHCP server:
    (Aruba800) (config) #ip dhcp pool user_pool
    (Aruba800) (config-dhcp)#default-router 54
    (Aruba800) (config-dhcp)#dns-server
    (Aruba800) (config-dhcp)#network
    (Aruba800) (config-dhcp)#exit
    (Aruba800) (config) #service dhcp

Security configuration
Rules are grouped into policies, policies are bound to roles, and users are assigned to roles (diagram: Rule 1..n -> Policy 1..5 -> Role 1..4 -> User1..UserN; for example Role 1 = Policy 1 + Policy 2, Role 2 = Policy 1 + Policy 3 + Policy 4, Role 3 = Policy 4 + Policy 5, Role 4 = Policy 4).
Role derivation assigns each user to a role by one of three methods: 1) locally derived, 2) server assigned, 3) default role.
Building blocks: Policies, Roles, Derivation.

Policies
A rule is made of addresses, services (FTP, DNS, etc.), an action (deny, permit, NAT, log, queue, 802.1p assignment, TOS) and an optional time range. Policy example:
    ip access-list session Internet_Only
      user any udp 68 deny
      user any svc-dhcp permit
      user host svc-dns permit
      user host svc-dns permit
      user alias Internal-Network deny log
      user any any permit
A firewall policy is an ordered collection of rules.
Alias definitions:
1) Network aliases:
    netdestination Internal-Network
      network
      network
    netdestination External-network
      network
      network
      invert
2) Service alias:
    netservice svc- tcp 80

Creating roles and creating policies (Web UI).
User roles:
- A role determines each user's access rights.
- Every role must be bound to one or more policies.
- Firewall policies are executed in order; the final, implicit default policy is "deny all".
- A role can carry a bandwidth limit and a session-count limit.
A user's role can be assigned in several ways:
- The default role for the access authentication method (i.e. 802.1x, VPN, WEP, etc.)
- A role derived from the authentication server (i.e. RADIUS/LDAP attributes)
- Locally derived rules: ESSID, MAC, encryption type, etc.
Every user on an Aruba controller is assigned a Role!

    (Aruba800) #show rights
    RoleTable
    Name              ACL  Bandwidth                   ACL List                                                                                          Type
    ap-role           4    Up: No Limit,Dn: No Limit   control,ap-acl                                                                                    System
    authenticated     39   Up: No Limit,Dn: No Limit   allowall,v6-allowall                                                                              User
    default-vpn-role  37   Up: No Limit,Dn: No Limit   allowall,v6-allowall                                                                              User
    guest             3    Up: No Limit,Dn: No Limit   -acl,https-acl,dhcp-acl,icmp-acl,dns-acl,v6-acl,v6-https-acl,v6-dhcp-acl,v6-icmp-acl,v6-dns-acl  User
    guest-logon       6    Up: No Limit,Dn: No Limit   logon-control,captiveportal                                                                       User
    logon             1    Up: No Limit,Dn: No Limit   logon-control,captiveportal,vpnlogon,v6-logon-control                                             User
    stateful-dot1x    5    Up: No Limit,Dn: No Limit                                                                                                     System
    voice             38   Up: No Limit,Dn: No Limit   sip-acl,noe-acl,svp-acl,vocera-acl,skinny-acl,h323-acl,dhcp-acl,tftp-acl,dns-acl,icmp-acl        User

    (Aruba800) #show rights authenticated
    Derived Role = authenticated
    Up BW:No Limit   Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 39/0
    Max Sessions = 65535

    access-list List
    Position  Name         Location
    1         allowall
    2         v6-allowall

    allowall
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
    1         any     any          any      permit                            Low
    v6-allowall
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
    1         any     any          any      permit                            Low

    Expired Policies (due to time constraints) = 0

Defining a user role:
    (Aruba800) (config) #user-role visitors
    (Aruba800) (config-role) #access-list session internet-only
    (Aruba800) (config-role) #max-sessions 100
    (Aruba800) (config-role) #exit
    (Aruba800) (config) #

Default role assignment by access authentication method:
    (Aruba800) (config) #show aaa profile default
    AAA Profile default
    Parameter                           Value
    Initial role                        logon
    MAC Authentication Profile          N/A
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     default
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  guest
    802.1X Authentication Server Group  N/A
    RADIUS Accounting Server Group      N/A
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A

    (Aruba800) (config) #show aaa authentication captive-portal default
    Captive Portal Authentication Profile default
    Parameter                                    Value
    Default Role                                 guest
    Server Group                                 default
    Redirect Pause                               10 sec
    User Login                                   Enabled
    Guest Login                                  Disabled
    Logout popup window                          Enabled
    Use for authentication                       Disabled
    Logon wait minimum wait                      5 sec
    Logon wait maximum wait                      10 sec
    logon wait CPU utilization threshold         60 %
    Max Authentication failures                  0
    Show FQDN                                    Disabled
    Use CHAP (non-standard)                      Disabled
    Sygate-on-demand-agent                       Disabled
    Login page                                   /auth/index.html
    Welcome page                                 /auth/welcome.html
    Show Welcome Page                            Yes
    Adding switch ip address in redirection URL  Disabled

Role assignment from server-returned rules:
    (Aruba800) (config) #aaa server-group test
    (Aruba800) (Server Group test) #set role condition memberOf contains student set-value student
Note: assigning roles from user attributes retrieved from an LDAP server can only be configured through the CLI.

Role assignment from user-defined rules:
    (Aruba800) (config) #aaa derivation-rules user test_rule
    (Aruba800) (user-rule) #set role condition encryption-type equals dynamic-aes set-value authenticated position 1
    (Aruba800) (user-rule) #set role condition encryption-type equals dynamic-tkip set-value guest position 2

Blacklisting Clients
What is blacklisting?
- Deauthenticated from the network: if a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect.
- Blocked from associating to APs: blacklisting prevents a client from associating with any AP in the network for a specified amount of time.
- Blocked from other SSIDs: while blacklisted, the client cannot associate with another SSID in the network.
Methods of blacklisting:
- Manually blacklist: an admin user can blacklist a specific client via the clients screen at Monitoring > Clients.
- Firewall policy: a firewall policy can result in the client being blacklisted.
- Fails to authenticate: a client fails to successfully authenticate for a configured number of times for a specified authentication method. The client is automatically blacklisted.
- IDS attack: the detection of a denial of service or man in the middle (MITM) attack in the network.
Duration of blacklisting: the blacklist duration is set on a per-SSID basis, configured in the Virtual AP profile.
Rule-based blacklisting: Configuration > Access Control > Policies. Configuring firewall policy blacklisting: this rule set is used to blacklist clients attaching to the controller IP address.
Viewing blacklisted clients: Monitoring > Blacklist Clients. This screen allows clients to be put back into production/logon roles by removing them from the blacklist.
Considerations when blacklisting clients: policy enforcement; devices with weak encryption; denying guests access to the corporate network; may be disruptive to employees.

Bandwidth Contracts
- Applied to roles
- Specified in Kbps or Mbps
- Upstream and downstream
- For all users or per user
Apply the bandwidth contract to the role.

Wireless configuration
AP group profile hierarchy (diagram):
- Wireless LAN: Virtual AP (properties, SSID, AAA, VLAN)
- RF Management: a/g radio settings, RF optimizations
- AP: system profile, Ethernet, regulatory, SNMP
- QoS: VoIP
- IDS: a/g management

Encryption ensures the privacy of data in the air. The choice is no encryption (open), layer-2 encryption (WEP, TKIP, AES) or layer-3 encryption (VPN).
Authentication ensures that users joining the wireless network are legitimate. The choice is no authentication, or MAC, EAP, captive portal, VPN and other methods.
Access control applies effective controls to the traffic of legitimate users, including the network resources they may reach, bandwidth and time.
Key elements of WLAN service configuration: SSID Profile, AAA Profile, Role.

    (Aruba800) #show wlan virtual-ap default
    Virtual AP profile default
    Parameter                              Value
    Virtual AP enable                      Enabled
    Allowed band                           all
    SSID Profile                           default
    VLAN                                   100
    Forward mode                           tunnel
    Deny time range                        N/A
    Mobile IP                              Enabled
    HA Discovery on-association            Disabled
    DoS Prevention                         Disabled
    Station Blacklisting                   Enabled
    Blacklist Time                         3600 sec
    Authentication Failure Blacklist Time  3600 sec
    Fast Roaming                           Disabled
    Strict Compliance                      Disabled
    VLAN Mobility                          Disabled
    AAA Profile                            default
    Remote-AP Operation                    standard

Defining the SSID profile:
    (Aruba800) (config) #wlan ssid-profile test
    (Aruba800) (SSID Profile "test") #essid test        (the SSID name the WLAN advertises)
    (Aruba800) (SSID Profile "test") #opmode ?          (encryption modes available to the WLAN)
    dynamic-wep     WEP with dynamic keys
    opensystem      No encryption
    static-wep      WEP with static keys
    wpa-aes         WPA with AES encryption and dynamic keys using 802.1X
    wpa-psk-aes     WPA with AES encryption using a pre-shared key
    wpa-psk-tkip    WPA with TKIP encryption using a pre-shared key
    wpa-tkip        WPA with TKIP encryption and dynamic keys using 802.1X
    wpa2-aes        WPA2 with AES encryption and dynamic keys using 802.1X
    wpa2-psk-aes    WPA2 with AES encryption using a pre-shared key
    wpa2-psk-tkip   WPA2 with TKIP encryption using a pre-shared key
    wpa2-tkip       WPA2 with TKIP encryption and dynamic keys using 802.1X
    xSec            xSec encryption
    (Aruba800) (SSID Profile "test") #opmode opensystem

Defining the AAA profile
An AAA profile based on open access:
    (Aruba800) (config) #aaa profile test
    (Aruba800) (AAA Profile test) #clone default
A captive portal profile for portal-based authentication:
    (Aruba800) (config) #aaa authentication captive-portal test
    (Aruba800) (Captive Portal Authentication Profile test) #clone default
    (Aruba800) (Captive Portal Authentication Profile test) #default-role guest
    (Aruba800) (Captive Portal Authentication Profile test) #no enable-welcome
    (Aruba800) (Captive Portal Authentication Profile test) #server-group test

Configuring the LDAP server:
    (Aruba800) (config) #aaa authentication-server ldap test
    (Aruba800) (LDAP Server test) #host 0
    (Aruba800) (LDAP Server test) #admin-dn admin
    (Aruba800) (LDAP Server test) #admin-passwd admin
    (Aruba800) (LDAP Server test) #base-dn cn=users,dc=qa,dc=domain,dc=com
    (Aruba800) (LDAP Server test) #allow-cleartext

Configuring the server group:
    (Aruba800) (config) #aaa server-group test
    (Aruba800) (Server Group test) #auth-server test
    (Aruba800) (Server Group test) #set role condition memberOf contains guest set-value guest
    (Aruba800) (config) #show aaa server-group test
    Fail Through:No
    Auth Servers
    Name  Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
    test  Ldap         No
    Role/VLAN derivation rules
    Priority  Attribute  Operation  Operand  Type    Action    Value  Valid
    1         memberOf   contains   guest    String  set role  guest  No

Calling the captive portal profile from the user's initial role:
    (Aruba800) (config) #user-role logon
    (Aruba800) (config-role) #captive-portal test
    (Aruba800) (config-role) #exit

Summary (diagram): a Virtual AP references an SSID profile (ESSID, OpenSystem), a VLAN and an AAA profile. The AAA profile sets the initial role and the captive portal profile, which carries a default role and a server group; the server group points at the LDAP or RADIUS server, whose returned attributes derive the user's role, and each role is bound to its policies.

Thank You
Follow-Me Connectivity. Follow-Me Security. Follow-Me Applications. Follow-Me Management.

Lab Topology - Basic Install (diagram): each lab table X has a Master controller with Mgmt VLAN 1X = 10.1.1X.2/24, Loopback = 10.1.1X.100 and Employee VLAN 10X, two access points (AP1, AP2), and an L3 switch with Mgmt VLAN 1X = 10.1.1X.1/24 on the native VLAN and VLAN 10X = 172.16.10X.1/24 on the trunk VLAN; Table 1 (Mgmt VLAN 11, Employee VLAN 101) additionally carries Voice VLAN 701 and the WEB and corporate SIP server; RADIUS, DHCP, DNS and the corporate WEB server are shared.
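Returning to the Internet_Only session ACL from the security configuration section: the Python model below, added here and not part of the training deck or of ArubaOS, walks a user-sourced flow through the rules in order, applies the first match, and falls back to the implicit "deny all" when nothing matches. The Internal-Network prefixes and the two DNS host addresses are constructed placeholders, since the deck elides the real values.

```python
# Added example: a minimal model of Aruba session-ACL evaluation using the
# Internet_Only policy from the slides. Rules are checked in order, the first
# match wins, and an implicit "deny all" applies when nothing matches.
# Alias prefixes and DNS host addresses below are constructed placeholders.
import ipaddress

# netdestination aliases: member networks plus the optional "invert" keyword.
NETDESTINATIONS = {
    "Internal-Network": {"networks": ["10.0.0.0/8", "192.168.0.0/16"], "invert": False},
    "External-network": {"networks": ["10.0.0.0/8", "192.168.0.0/16"], "invert": True},
}
# netservice aliases as (protocol, destination port).
NETSERVICES = {"svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53)}
DNS_SERVERS = ["10.1.1.53", "10.1.2.53"]  # constructed stand-ins for the elided hosts

# Internet_Only as ordered (destination, service, action, log) rules.
INTERNET_ONLY = [
    ("any", ("udp", 68), "deny", False),                     # user any udp 68 deny
    ("any", "svc-dhcp", "permit", False),                    # user any svc-dhcp permit
    (("host", DNS_SERVERS[0]), "svc-dns", "permit", False),  # user host <dns1> svc-dns permit
    (("host", DNS_SERVERS[1]), "svc-dns", "permit", False),  # user host <dns2> svc-dns permit
    (("alias", "Internal-Network"), "any", "deny", True),    # user alias Internal-Network deny log
    ("any", "any", "permit", False),                         # user any any permit
]

def dest_matches(spec, dst):
    """Match a destination spec ('any', ('host', ip) or ('alias', name)) against dst."""
    if spec == "any":
        return True
    kind, value = spec
    if kind == "host":
        return dst == value
    alias = NETDESTINATIONS[value]
    inside = any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in alias["networks"])
    return inside != alias["invert"]  # "invert" flips membership

def service_matches(spec, proto, port):
    """Match a service spec ('any', a netservice name or (proto, port)) against the flow."""
    if spec == "any":
        return True
    want = NETSERVICES[spec] if isinstance(spec, str) else spec
    return want == (proto, port)

def evaluate(policy, dst, proto, port):
    """Return (action, matched_rule_index, log) for a user-sourced flow."""
    for i, (dest, svc, action, log) in enumerate(policy):
        if dest_matches(dest, dst) and service_matches(svc, proto, port):
            return action, i, log
    return "deny", None, False  # implicit default policy: deny all
```

Note that DNS to a listed host is permitted by rule 3 even though the host sits inside Internal-Network, because the ordered evaluation never reaches the alias deny rule; swapping those rules would silently break name resolution.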
