Aruba 控制器操作配置模版 中文.doc (Aruba controller operation and configuration template, Chinese)

1. Mgmt user settings

Set how mgmt users log in over SSH: certificate, or username and password.

    ssh mgmt-auth public-key username/password
    mgmt-user ssh-pubkey client-cert

Authenticate mgmt users against an external authentication server:

    aaa authentication-server radius rad1
      host
      key
    aaa server-group corp_rad
      auth-server rad1
    aaa authentication mgmt
      default-role root
      enable
      server-group corp_rad

Disable the local authentication database (only once the external server-group has been verified to work, otherwise the controller cannot be managed while the server is unreachable):

    mgmt-user localauth-disable

Set the idle-logout timeout for users:

    loginsession timeout        (CLI)
    web-server sessiontimeout   (WebUI)

1.1 Configure TACACS authentication for mgmt users

The pre-defined roles for the controllers are:
  1. root - super user role
  2. guest-provisioning - guest provisioning role
  3. network-operations - network operator role
  4. read-only - read only role
  5. location-api-mgmt - Location API management role

    aaa authentication-server tacacs TACACS-SERVER
      host TACACS_SERVER_IP
      key PRESHARE_KEY
      session-authorization
    !
    aaa server-group TACACS-SERVER-GRP
      auth-server TACACS-SERVER
    !
    aaa tacacs-accounting server-group TACACS-SERVER-GRP mode enable command all|action|configuration|show
    aaa authentication mgmt
      server-group TACACS-SERVER-GRP
      enable
    !

2. Default system roles and policies

Default policies (ip access-list session): control, validuser, allowall, icmp-acl, logon-control, captiveportal, tftp-acl, https-acl, http-acl, dhcp-acl, ap-acl.

Default roles (user-role): ap-role, voice, guest-logon (portal authentication), guest, authenticated, logon.

3. Local database operations

    local-userdb export
    local-userdb import
    local-userdb add generate-username|username generate-password|password

4. Configure the DHCP service

    ip dhcp pool user-pool
      default-router
      dns-server
      network
    !
    service dhcp
    ip dhcp excluded-address 0

5. Configure bandwidth

    aaa bandwidth-contract BC512_up kbps 512
    user-role web-guest
      bw-contract BC512_up per-user upstream

6. Policy: restrict access to the internal network

    netdestination "Internal Network"
      network
      network
      network
    ip access-list session block-internal-access
      user alias "Internal Network" any deny

7. Configure portal (captive portal) authentication

With an external portal:

    netdestination portal-server
      host 21
    ip access-list session abc-portal-acl
      user alias portal-server svc-http permit
    aaa authentication captive-portal c-portal
      default-role employee
      server-group cp-srv
      login-page 0/test.php
    user-role logon
      captive-portal c-portal
      session-acl abc-portal-acl
    aaa profile aaa_c-portal
      initial-role logon
    wlan ssid-profile ssid_c-portal
      essid c-portal-ap
    wlan virtual-ap vp_c-portal
      aaa-profile aaa_c-portal
      ssid-profile ssid_c-portal
      vlan 20

Add a whitelist to the portal:

    (host) (config) # netdestination Mywhite-list
    (host) (config-dest) # name
    (host) (config-dest) # name
    (host) (config) # aaa authentication captive-portal default
    (host) (Captive Portal Authentication Profile default) # white-list Mywhite-list

Note: when several captive-portal virtual APs are configured on one controller, each captive portal must be given its own initial role and user role, captive-portal profile, AAA profile and SSID profile.

8. Configure airtime fairness

    (Aruba651) (Traffic management profile test) # shaping-policy fair-access
    (Aruba651) (Traffic management profile test) # exit
    (Aruba651) (config) # ap-group demo-group
    (Aruba651) (AP group demo-group) # dot11g-traffic-mgmt-profile test
    (Aruba651) (AP group demo-group) #

9. Configure LACP

LACP is disabled by default. Each device supports at most 8 groups (0-7), each group accepts at most 8 ports, and all member ports must have identical attributes.

1. Enable LACP and configure the per-port specific LACP. The group number range is 0 to 7.

    lacp group mode active | passive

  - Active mode: the interface is in an active negotiating state. LACP runs on any link that is configured to be in the active state. A port in active mode also automatically initiates negotiations with other ports by sending LACP packets.
  - Passive mode: the interface is not in an active negotiating state. LACP runs on any link that is configured in a passive state. A port in passive mode responds to negotiation requests from other ports that are in the active state. Ports in the passive state respond to LACP packets.

Note: a port in passive mode cannot form a channel with another port that is also in passive mode.

2. Set the timeout for the LACP session. The timeout value is the amount of time that a port-channel interface waits for a LACPDU from the remote system before terminating the LACP session. The default timeout value is long (90 seconds); short is 3 seconds. The default is long.

    lacp timeout long | short

3. Set the port priority. The higher the priority value, the lower the priority. The range is 1 to 65535 and the default is 255.

    lacp port-priority

4. Add the port to the group:

    interface fastethernet 1/1
      lacp timeout short
      lacp group 0 mode active

10. Configure a RAP (remote AP)

On the controller, configure the VPN, the address pool that APs receive after authentication, and the ISAKMP pre-shared key. Note that the pool addresses are the RAPs' management addresses; if other management systems need to ping a RAP directly, a static route for this address range must be configured.

    vpdn group l2tp
      ppp authentication PAP
    ip local pool
    crypto isakmp key address netmask

Configure a server group on the controller. The RAP connects using a username/password, so add the username and password on the server; this username/password is used for L2TP/PAP authentication (this step can be skipped when certificates are used).

    aaa server-group
      auth-server
    aaa authentication vpn default-rap
      default-role
      server-group
    local-userdb add username rapuser1 password

Configure the remote AP's VAP:

    wlan ssid-profile
      essid
      opmode
      wpa-passphrase   (if necessary)

Configure the user role used as the dot1x-default-role:

    (cli) # netdestination corp
    (cli) (config-dest) # network
    (cli) (config-dest) # !
    ip access-list session Remote_Enterprise_acl
      any any svc-dhcp permit
      user alias corp any permit
      alias corp user any permit
      user network any permit
      alias corp alias corp any permit
      user any any route src-nat
    (cli) # user-role corpsplit
    (cli) (config-role) # session-acl Remote_Enterprise_acl
    (cli) (config-role) # !

Configure the AAA profile; it can be used to assign the user-role policy in split-tunnel mode:

    aaa profile
      authentication-dot1x
      dot1x-default-role
      dot1x-server-group
    (cli) # wlan virtual-ap split
    (cli) # vlan X                  (clients get IP addresses from VLAN X)
    (cli) # forward-mode split-tunnel
      aaa-profile
      rap-operation always|backup|persistent

Configure the RAP's wired port:

    ap wired-ap-profile Wired_Branch_ap_profile
      wired-ap-enable
      forward-mode split-tunnel
      switchport access vlan 128
    !
    ap wired-port-profile Wired_Branch_port_profile
      aaa-profile Remote_Ent_aaa_profile
      wired-ap-profile Wired_Branch_ap_profile

Configure the RAP as a DHCP server:

    ap system-profile APGroup1_sys_profile
      lms-ip 94
      rap-dhcp-server-vlan 177
      rap-dhcp-server-id
      rap-dhcp-default-router
      rap-dhcp-pool-start 00
      rap-dhcp-pool-end 54
    !
    ap-group
      virtual-ap

Provision the AP in the WebUI: it obtains an IP address from the controller; change it to remote mode and the AP reboots.

11. Complete MAC authentication example

RADIUS server definition (server authentication):

    aaa authentication-server radius amigopod
      host 0
      key f0e40f33109cd5f863a77327072720aaa4785eff2ca57800
      nas-identifier Aruba651
      nas-ip 54
    !
    aaa server-group amigopod-srv
      auth-server amigopod
    !
    aaa rfc-3576-server 0
      key 10795ff19c00465dd0b0824e562103bee537be631e5bc876

MAC authentication profile:

    aaa authentication mac amigopod-mac
      case upper
      delimiter dash

AAA profile:

    aaa profile amigopod-aaa
      authentication-mac amigopod-mac
      mac-default-role authenticated
      mac-server-group amigopod-srv
      radius-accounting amigopod-srv
      rfc-3576-server 0

Captive portal profile:

    aaa authentication captive-portal amigopod-cp
      server-group amigopod-srv
      redirect-pause 3
      no logout-popup-window
      protocol-http
      login-page 0/aruba_login.php

Netdestination alias for Amigopod:

    netdestination amigopod
      host 0

Access policy to allow the redirect to Amigopod (permitted ACL):

    ip access-list session allow-amigopod
      user alias amigopod svc-http permit
      user alias amigopod svc-https permit

Initial role with captive portal enabled:

    user-role logon
      captive-portal amigopod-cp
      access-list session logon-control
      access-list session allow-amigopod
      access-list session captiveportal

Post-authentication role for MAC authentication:

    user-role MAC-Guest
      access-list session allowall

SSID profile:

    wlan ssid-profile MAC-Auth-CP
      essid amigo-MAC-CP

Virtual AP:

    wlan virtual-ap MAC-Auth-CP
      aaa-profile amigopod-aaa
      ssid-profile MAC-Auth-CP

12. Configure an LDAP authentication server (portal authentication)

    aaa authentication-server ldap aruba-ldap
      host 0
      admin-dn cn=ldapquery2, cn=Users, dc=arubanetworks, dc=com
      admin-passwd Zaq1xsw2
      base-dn ou=Corp, dc=arubanetworks, dc=com
    !
    aaa server-group aruba-ldap
      auth-server aruba-ldap
      set role condition memberOf contains dl-seonly set-value root
    !

If LDAP authentication is applied to wireless 802.1X users, EAP-GTC must be used:

    aaa authentication dot1x dot1x_prof-yxy03
      termination enable
      termination eap-type eap-peap
      termination inner-eap-type eap-gtc
    !
    aaa authentication mgmt            (applied to management users)
      default-role no-access
      server-group aruba-ldap
      enable
    !

Note: an LDAP authentication server cannot be used with 802.1X authentication, but it can be used with portal authentication.

13. Wired-port NAT

    !
    ip NAT pool Dell-AirWave 6 6 46
    ip NAT pool SE-WebServer 9 9 6
    ip NAT pool PDL-eTips 1 1 5
    ip NAT pool PDL-Clearpass 0 0 3
    ip NAT pool PDL-AirWave 9 9 52
    !
    netdestination PDL-Airwave-Live
      host 9
    !
    netdestination IPComms
      host 50
    !
    netdestination SE-WebServer
      host 9
    !
    netdestination Live-IP
      host 1
    !
    netdestination PDL-eTips
      host 1
    !
    netdestination Dell-Airwave-Live
      host 6
    !
    netdestination PDL-ClearPass
      host 0
    !
    ip access-list session OUTSIDE-POLICY
      alias IPComms alias Live-IP udp 4569 dst-nat ip 1 4569 classify-media queue high
      alias IPComms alias Live-IP udp 5060 dst-nat ip 1 5060 classify-media queue high
      alias IPComms alias Live-IP udp 5061 dst-nat ip 1 5061 classify-media queue high
      alias IPComms alias Live-IP udp 5062 dst-nat ip 1 5062 classify-media queue high
      any alias Live-IP tcp 4343 permit
      any alias Live-IP udp 4500 permit
      any alias Live-IP svc-ssh permit
      any alias Live-IP svc-http permit
      any alias Live-IP svc-https permit
      any alias Live-IP udp 500 permit
      any alias Live-IP svc-icmp permit
      any alias Live-IP tcp 4345 dst-nat ip 42 443
      any alias Live-IP tcp 4346 dst-nat ip 42 22
      any alias Dell-Airwave-Live svc-https dst-nat ip 46 443
      any alias Dell-Airwave-Live svc-http dst-nat ip 46 80
      any alias PDL-Airwave-Live svc-https dst-nat ip 52 443
      any alias PDL-Airwave-Live svc-http dst-nat ip 52 80
      any alias SE-WebServer svc-http dst-nat ip 6 80
      any alias SE-WebServer svc-https dst-nat ip 6 443
      any alias SE-WebServer svc-ssh dst-nat ip 6 22
      any alias SE-WebServer udp 5900 dst-nat ip 6 5900
      any alias PDL-eTips svc-http dst-nat ip 5 80
      any alias PDL-eTips svc-https dst-nat ip 5 443
      any alias PDL-ClearPass svc-https dst-nat ip 3 443
      any alias PDL-ClearPass svc-http dst-nat ip 3 80
    !
    interface fastethernet 2/0
      description OUTSIDE-INTERNET
      trusted
      ip access-group OUTSIDE-POLICY session
      switchport access vlan 10
    !

14. Users authenticate through the portal on wired ports; users with different IP addresses authenticate separately, and all wired ports share one authentication method

    aaa profile cppm
      initial-role cp-guest
      radius-accounting amigopod-sg
      radius-interim-accounting
      rfc-3576-server 86             (amigopod address)
    aaa authentication wired           (enable authentication on wired ports)
      profile cppm
    interface gigabitethernet 1/6      (wired port)
      untrusted vlan 1000
      description connect_to_H3C
      trusted vlan 1-999,1001-4094
      switchport access vlan 1000

Enable portal authentication for a specific VLAN:

    vlan 20
      wired aaa-profile cppm

15. Configure AP Ethernet ports

For APs with two Ethernet ports, such as the 125 and 135 series, one port connects to the controller and the other can connect a client or daisy-chain another AP.

(1) When connecting a client:

Create the wired-ap profile:

    ap wired-ap-profile cppm
      wired-ap-enable
      switchport access vlan 11
      trusted

Create the wired-port profile:

    ap wired-port-profile cppm
      wired-ap-profile cppm

Add the profile to the AP group:

    ap-group test
      enet1-port-profile cppm

Note: if the port is untrusted, an AAA profile must be added to the wired-port profile.

16. Configure VIA

    (host) (config) # license add

(1) Create VIA roles:

    (host) (config) # user-role example-via-role
    (host) (config-role) # access-list session allowall position 1
    (host) (config-role) # ipv6 session-acl v6-allowall position 2

(2) Create VIA authentication profiles:

    (host) (config) # aaa server-group via-server-group
    (host) (Server Group via-server-group) # auth-server Internal position 1
    (host) (config) # aaa authentication via auth-profile default
    (host) (VIA Authentication Profile default) # default-role example-via-role
    (host) (VIA Authentication Profile default) # desc Default VIA Authentication Profile
    (host) (VIA Authentication Profile default) # server-group via-server-group

(3) Create VIA connection profiles:

    (host) (config) # aaa authentication via connection-profile via
    (host) (VIA Connection Profile via) # server addr 00 internal-ip3 desc VIA Primary Controller position 0
    (host) (VIA Connection Profile via) # auth-profile default position 0
    (host)
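As an added example that is not part of the template, the following Python audit reads the `netdestination` and `ip access-list session` syntax used in sections 6, 7 and 13 and reports two defects that are easy to miss in a long template: a rule that references an alias no netdestination defines (a misspelled alias such as `portral-server` simply never matches), and a rule that permits any source, any destination and any service. The config text, alias names and IP addresses in the sample are constructed for the demonstration.

```python
"""Audit ArubaOS 'ip access-list session' rules: flag aliases with no matching
'netdestination' (a typo silently makes the rule a no-op) and any/any/any permits."""
import shlex

# Constructed sample config: one alias typo ('portral-server') and one over-broad rule.
SAMPLE_CONFIG = """\
netdestination "Internal Network"
 network 10.0.0.0 255.0.0.0
netdestination portal-server
 host 192.0.2.21
ip access-list session abc-portal-acl
 user alias portral-server svc-http permit
ip access-list session block-internal-access
 user alias "Internal Network" any deny
 any any any permit
"""

def _endpoint(toks, i):
    """Consume one src/dst field: user|any take 1 token, alias/host 2, network 3."""
    width = {"alias": 2, "host": 2, "network": 3}.get(toks[i], 1)
    return " ".join(toks[i:i + width]), i + width

def parse_rule(toks):
    """Split a tokenised rule into (src, dst, service, action)."""
    src, i = _endpoint(toks, 0)
    dst, i = _endpoint(toks, i)
    j = i + 1
    if toks[i] in ("tcp", "udp"):            # 'tcp 4343' or a port range 'udp 5000 5010'
        while j < len(toks) and toks[j].isdigit():
            j += 1
    return src, dst, " ".join(toks[i:j]), " ".join(toks[j:])

def audit_session_acls(config):
    """Return [(acl_name, rule_text, finding), ...] for the whole config text."""
    lines = [(r[:1].isspace(), shlex.split(r)) for r in config.splitlines() if r.strip()]
    netdests = {t[1] for ind, t in lines if not ind and t[0] == "netdestination"}
    findings, acl = [], None
    for indented, toks in lines:
        if not indented:                      # any top-level command ends the ACL block
            acl = toks[3] if toks[:3] == ["ip", "access-list", "session"] else None
        elif acl:                             # indented line inside a session ACL
            src, dst, service, action = parse_rule(toks)
            for ep in (src, dst):
                if ep.startswith("alias ") and ep[6:] not in netdests:
                    findings.append((acl, " ".join(toks), "undefined alias " + ep[6:]))
            if (src, dst, service) == ("any", "any", "any") and action == "permit":
                findings.append((acl, " ".join(toks), "permits any/any/any"))
    return findings

for acl, text, why in audit_session_acls(SAMPLE_CONFIG):
    print(f"{acl}: {text!r} -> {why}")
```

The same function can be pointed at a `show running-config` dump, since the block syntax it relies on (top-level command, indented sub-commands) is the one the controller prints.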
