ARUBA无线网络基础培训

李海彬

hli@

ARUBA无线网络基础培训

Peoplemove.Networksmustfollow.™ARUBA无线网络的组网架构EmailServer10/100MbpsL2/3DHCPServer1.3.4.通讯过程：AP连接到现有网络的交换机端口，加电起动后，获得IP地址AP通过以下各种方式获得ARUBA控制器的IP地址（静态获得、DHCP返回、组播、广播、DNS解析）AP与控制器之间建立PAPI隧道（UDP8211），通过FTP或TFTP到ARUBA控制器上比对并下载AP的image软件和配置文件，并根据配置信息建立AP与控制器之间的GRE隧道，同时向无线用户提供无线接入服务无线用户通过SSID连接无线网络，所有的用户流量都通过AP与ARUBA控制器之间的GRE隧道直接传递到ARUBA控制器上，进行相应的加解密、身份验证、授权、策略和转发2.配置ARUBA无线控制器管理员登陆(admin/saic_admin)CliWeb管理帐号网络配置VlanIPaddressIProuteIPdhcp安全配置PolicyRoleAAA无线配置SSIDVirtualAP配置ARUBA无线控制器管理员登陆登陆ARUBA无线控制器CommandlineUser:adminPassword:*****(Aruba800)>enPassword:******(Aruba800)#configuretEnterConfigurationcommands,oneperline.EndwithCNTL/ZWebUI

https://<Controller’sIPaddress>Admin帐号管理#mgmt-user<username><role>

(Aruba800)(config)#mgmt-useradminrootPassword:*****Re-Typepassword:*****(Aruba800)(config)#配置ARUBA无线控制器ARUBA无线控制器的初始设置初始化之前的准备工作查看并保存控制器软件许可(Aruba200)#showlicenseverboseLicenseTableKeyInstalledExpiresFlagsServiceType

Xw2K4EGT-qWpz5YLM-Ouw7wpRt-kQPUrJMM-x8fB27hP-1Zg2010-07-08NeverEPolicyEnforcementFirewall

12:53:50Wnm8I0AK-bhAPAsim-pd8gS573-oJ4YHCWG-5ghonB8G-x8w2010-07-08NeverEWirelessIntrusionProtection

12:53:504gCv4bFb-JDfaSPiN-YNV/TLoP-1od3XEI3-wxj+0can-NFE2010-07-08NeverERemoteAccessPoints:1

12:53:52LicenseEntries:3Flags:A-auto-generated;E-enabled;R-rebootrequiredtoactivate恢复控制器出厂配置恢复控制器出厂配置(Aruba200)#writeeraseallSwitchwillbefactorydefaulted.Alltheconfigurationanddatabaseswillbedeleted.Press'y'toproceed:Cannotdeletetheconfiguration,Alreadydeleted重启控制器(Aruba200)#reloadDoyoureallywanttoresetthesystem(y/n):ySystemwillnowrestart!ShutdownprocessingstartedSyncingdatadone.ThesystemisgoingdownNOW!!SendingSIGTERMtoallprocesses.SendingSIGKILLtoallprocesses.Pleasestandbywhilerebootingthesystem.Restartingsystem.恢复控制器出厂配置EnterSystemname[Aruba200]:EnterVLAN1interfaceIPaddress[54]:54EnterVLAN1interfacesubnetmask[]:EnterIPDefaultgateway[none]:EnterSwitchRole,(master|local)[master]:EnterCountrycode(ISO-3166),<ctrl-I>forsupportedlist:cnYouhavechosenCountrycodeCNforChina(yes|no)?:yEnterTimeZone[PST-8:0]:cht+8:0EnterTimeinUTC[06:58:59]:07:01:30EnterDate(MM/DD/YYYY)[7/12/2010]:EnterPasswordforadminlogin(upto32chars):**********Re-typePasswordforadminlogin:**********EnterPasswordforenablemode(upto15chars):******Re-typePasswordforenablemode:******Doyouwishtoshutdownalltheports(yes|no)?[no]:……Ifyouacceptthechangestheswitchwillrestart!Type<ctrl-P>togobackandchangeanswerforanyquestionDoyouwishtoacceptthechanges(yes|no)yCreatingconfiguration...Done.Systemwillnowrestart!添加控制器软件许可(Aruba200)User:adminPassword:**********(Aruba200)>enPassword:******(Aruba200)#licenseaddXw2K4EGT-qWpz5YLM-Ouw7wpRt-kQPUrJMM-x8fB27hP-1ZgPleasereloadtheswitchforthenewservicekeytotakeeffect.(Aruba200)#licenseaddWnm8I0AK-bhAPAsim-pd8gS573-oJ4YHCWG-5ghonB8G-x8wPleasereloadtheswitchforthenewservicekeytotakeeffect.(Aruba200)#reloadDoyoureallywanttoresetthesystem(y/n):ySystemwillnowrestart!Lab1：完成控制器初始配置任务：清空控制器原有配置对控制器进行初始设置为控制器添加软件许可相关配置参数：组号第1组第2组第X组IP地址01020X子网掩码网关地址545454配置ARUBA无线控制器ARUBA无线控制器的网络配置ARUBA无线控制器的网络配置配置Vlan(Aruba800)(config)#vlan200(Aruba800)(config)#interfacefastethernet1/0接入模式：(Aruba800)(config-if)#switchportaccessvlan200 (Aruba800)(config-if)#switchportmodeaccess中继模式：(Aruba800)(config-if)#switchporttrunkallowedvlanall (Aruba800)(config-if)#switchportmodetrunk(Aruba800)(config-if)#showvlanVLANCONFIGURATIONVLANNamePorts

1DefaultFE1/1-7100VLAN0100GE1/8200VLAN0200FE1/0配置IPaddress(Aruba800)(config)#interfacevlan200(Aruba800)(config-subif)#ipaddress54(vlaninterface)(Aruba800)(config-subif)#iphelper-address(DHCPrelay)ARUBA无线控制器的网络配置配置IProute配置缺省路由:(Aruba800)(config)#ipdefault-gateway

配置静态路由：(Aruba800)(config)#iproute(Aruba800)(config)#showiprouteCodes:C-connected,O-OSPF,R-RIP,S-staticM-mgmt,U-routeusable,*-candidatedefaultGatewayoflastresortistonetworkS*/0[1/0]via*S/24[1/0]via*Cisdirectlyconnected,VLAN1Cisdirectlyconnected,VLAN100Cisdirectlyconnected,VLAN200配置dhcpserver(Aruba800)(config)#ipdhcppooluser_pool(Aruba800)(config-dhcp)#default-router54(Aruba800)(config-dhcp)#dns-server(Aruba800)(config-dhcp)#network(Aruba800)(config-dhcp)#exit(Aruba800)(config)#servicedhcpLab2：完成控制器网络配置任务：为控制器配置1个APVLAN和2个用户VLAN为上述VLAN配置端口和IP地址在控制器中配置3个DHCP

Pool相关配置参数：组号第1组第2组第X组AP

VLANVLANID=1154/24VLANID=1254/24VLANID=1X172.16.1X.254/24用户VLAN101VLANID=10154/24VLANID=10254/24VLANID=10X172.16.10X.254/24用户VLAN2VLANID=20154/24VLANID=20254/24VLANID=20X172.16.20X.254/24DHCP池~40~40~40~40~40~40172.16.1X.1~172.16.1X.240172.16.10X.1~172.16.10X.240172.16.20X.1~172.16.20X.240配置ARUBA无线控制器ARUBA无线控制器的安全配置ARUBA控制器的安全配置Rule1Rule2Rule3RulenRule1Rule2Rule1Rule1Rule2Rule3Rule4Rule1Rule2Rule3Rule4Policy1Policy2Policy3Policy4Policy5Role1Policy1Policy2Role2Policy1Policy3Policy4Role3Policy4Policy5Role4Policy4User1User2User3User4User5User6…………UserNRoleDerivation:1)LocallyDerived2)ServerAssigned3)DefaultRoleAssignsuserstoaroleMethods:PoliciesRolesDerivation<source><destination><service><action><extendedaction>ARUBA控制器的安全配置AddressesHTTPFTPDNSetcDenyPermitNatLogQueue802.1passignmentTOSTimeRange策略示例：ipaccess-listsessionInternet_Only useranyudp68deny useranysvc-dhcppermit userhostsvc-dnspermit userhostsvc-dnspermit useraliasInternal-Networkdenylog useranyanypermit防火墙策略：一组按照特定次序排列的规则的集合别名的定义：1)网络别名netdestinationInternal-Networknetwork networknetdestinationExternal-networknetwork networkinvert2)服务别名 netservicesvc-httptcp80<source><destination><service><action><extendedaction>ARUBA控制器的安全配置AddressesHTTPFTPDNSetcDenyPermitNatLogQueue802.1passignmentTOSTimeRange防火墙策略：一组按照特定次序排列的规则的集合ARUBA无线控制器的安全配置用户角色（Role）决定了每个用户的访问权限每一个role都必须与一个或多个policy绑定防火墙策略按次序执行最后一个隐含的缺省策略是“denyall”可以设定role的带宽限制和会话数限制用户角色（Role）的分配可以通过多种方式实现基于接入认证方式的缺省角色(i.e.802.1x,VPN,WEP,etc.)由认证服务器导出的用户角色(i.e.RADIUS/LDAP属性)本地导出规则ESSIDMACEncryptiontypeEtc.ARUBA控制器中的每一个用户都会被分配一个Role!ARUBA无线控制器的安全配置(Aruba800)#showrightsRoleTableNameACLBandwidthACLListType

ap-role4Up:NoLimit,Dn:NoLimitcontrol,ap-aclSystemauthenticated39Up:NoLimit,Dn:NoLimitallowall,v6-allowallUserdefault-vpn-role37Up:NoLimit,Dn:NoLimitallowall,v6-allowallUserguest3Up:NoLimit,Dn:NoLimithttp-acl,https-acl,dhcp-acl,icmp-acl,dns-acl,v6-http-acl,v6-https-acl,v6-dhcp-acl,v6-icmp-acl,v6-dns-aclUserguest-logon6Up:NoLimit,Dn:NoLimitlogon-control,captiveportalUserlogon1Up:NoLimit,Dn:NoLimitlogon-control,captiveportal,vpnlogon,v6-logon-controlUserstateful-dot1x5Up:NoLimit,Dn:NoLimitSystemvoice38Up:NoLimit,Dn:NoLimitsip-acl,noe-acl,svp-acl,vocera-acl,skinny-acl,h323-acl,dhcp-acl,tftp-acl,dns-acl,icmp-aclUserARUBA无线控制器的安全配置(Aruba800)#showrightsauthenticatedDerivedRole='authenticated'UpBW:NoLimitDownBW:NoLimitL2TPPool=default-l2tp-poolPPTPPool=default-pptp-poolPeriodicreauthentication:DisabledACLNumber=39/0MaxSessions=65535access-listListPositionNameLocation

1allowall2v6-allowallallowallPrioritySourceDestinationServiceActionTimeRangeLogExpiredQueueTOS8021PBlacklistMirrorDisScan

1anyanyanypermitLowv6-allowallPrioritySourceDestinationServiceActionTimeRangeLogExpiredQueueTOS8021PBlacklistMirrorDisScan

1anyanyanypermitLowExpiredPolicies(duetotimeconstraints)=0ARUBA无线控制器的安全配置定义用户角色（role）(Aruba800)(config)#user-rolevisitors(Aruba800)(config-role)#access-listsessioninternet-only(Aruba800)(config-role)#max-sessions100(Aruba800)(config-role)#exit(Aruba800)(config)#ARUBA无线控制器的安全配置基于接入认证方式的缺省角色（role）分配(Aruba800)(config)#showaaaprofiledefaultAAAProfile"default"ParameterValue

InitialrolelogonMACAuthenticationProfileN/AMACAuthenticationDefaultRoleguestMACAuthenticationServerGroupdefault802.1XAuthenticationProfileN/A802.1XAuthenticationDefaultRoleguest802.1XAuthenticationServerGroupN/ARADIUSAccountingServerGroupN/AXMLAPIserverN/ARFC3576serverN/AUserderivationrulesN/AWiredtoWirelessRoamingEnabledSIPauthenticationroleN/A(Aruba800)(config)#showaaaauthenticationcaptive-portaldefaultCaptivePortalAuthenticationProfile"default"ParameterValue

DefaultRoleguestServerGroupdefaultRedirectPause10secUserLoginEnabledGuestLoginDisabledLogoutpopupwindowEnabledUseHTTPforauthenticationDisabledLogonwaitminimumwait5secLogonwaitmaximumwait10seclogonwaitCPUutilizationthreshold60%MaxAuthenticationfailures0ShowFQDNDisabledUseCHAP(non-standard)DisabledSygate-on-demand-agentDisabledLoginpage/auth/index.htmlWelcomepage/auth/welcome.htmlShowWelcomePageYesAddingswitchipaddressinredirectionURLDisabledARUBA无线控制器的安全配置基于接入认证方式的缺省角色（role）分配ARUBA无线控制器的安全配置基于服务期返回规则的角色（role）分配(Aruba800)(config)#aaaserver-grouptest(Aruba800)(ServerGroup"test")#setroleconditionmemberOfcontainsstudentset-valuestudent说明：从LDAP服务器获取用户属性，并以此为依据分配用户角色时，只能通过CLI进行配置ARUBA无线控制器的安全配置基于用户定义规则的角色（role）分配(Aruba800)(config)#aaaderivation-rulesuser"test_rule"(Aruba800)(user-rule)#setroleconditionencryption-typeequals"dynamic-aes"set-value"authenticated"position1(Aruba800)(user-rule)#setroleconditionencryption-typeequals"dynamic-tkip"set-value"guest"position2Lab3：定义用户角色和相关策略任务：定义角色1：没有访问权限，只能弹出Portal认证页面定义角色2：认证通过后的角色，访问权限不受任何限制定义角色3：认证通过后的角色，禁止ICMP，其余不限相关配置参数：组号第1组第2组第X组角色1T1-logon1）只允许dhcp和dns服务2）Http服务重定向到captiveportal3）MaxSession=504）captiveportaldefaultT2-logon1）只允许dhcp和dns服务2）Http服务重定向到captiveportal3）MaxSession=504）captiveportaldefaultTX-logon1）只允许dhcp和dns服务2）Http服务重定向到captiveportal3）MaxSession=504）captiveportaldefault角色2T1-authenticated1）允许所有服务2）MaxSession=200T2-authenticated1）允许所有服务2）MaxSession=200TX-authenticated1）允许所有服务2）MaxSession=200角色3T1-notping1）不允许ICMP服务2）允许其它所有服务3）MaxSession=200T2-notping1）不允许ICMP服务2）允许其它所有服务3）MaxSession=200TX-notping1）不允许ICMP服务2）允许其它所有服务3）MaxSession=200配置ARUBA无线控制器ARUBA无线控制器的无线配置ARUBA无线控制器的无线配置APGroupWirelessLANRFManagementAPQoSIDSVirtualAPPropertiesSSIDAAAa/gRadioSettingsRFOptimizationsSystemProfileEthernetRegulatoryVoIPa/gManagementVirtualAPPropertiesSSIDAAAVLANVLANARUBA无线控制器的无线配置加密方法确保数据在空中传输时的私密性可以选择不加密(open)、二层加密(WEP,TKIP,AES)或者三层加密(VPN)认证方式确保接入无线网络的用户都是合法用户认证方式可以选择不认证，或者MAC、EAP、captiveportal、VPN等认证方式访问控制对接入无线网络的合法用户流量进行有效控制，包括可以访问的网络资源、带宽、时间等WLAN服务的配置要点SSIDProfileAAAProfileRoleARUBA无线控制器的无线配置(Aruba800)#showwlanvirtual-apdefaultVirtualAPprofile"default"Parameter

Value

VirtualAPenable

EnabledAllowedband

allSSIDProfile

defaultVLAN

100Forwardmode

tunnelDenytimerange

N/AMobileIP

EnabledHADiscoveryon-association

DisabledDoSPrevention

DisabledStationBlacklisting

EnabledBlacklistTime

3600secAuthenticationFailureBlacklistTime

3600secFastRoaming

DisabledStrictCompliance

DisabledVLANMobility

DisabledAAAProfile

defaultRemote-APOperation

standardARUBA无线控制器的无线配置SSIDProfile的定义(Aruba800)(config)#wlanssid-profiletest(Aruba800)(SSIDProfile“test”)#essidtest（WLAN显示的SSID名称）(Aruba800)(SSIDProfile“test”)#opmode?（WLAN可以选用的加密方式）dynamic-wep WEPwithdynamickeysopensystem Noencryptionstatic-wep WEPwithstatickeyswpa-aes WPAwithAESencryptionanddynamickeysusing802.1Xwpa-psk-aes WPAwithAESencryptionusingapre-sharedkeywpa-psk-tkip WPAwithTKIPencryptionusingapre-sharedkeywpa-tkip WPAwithTKIPencryptionanddynamickeysusing802.1Xwpa2-aes WPA2withAESencryptionanddynamickeysusing802.1Xwpa2-psk-aes WPA2withAESencryptionusingapre-sharedkeywpa2-psk-tkip WPA2withTKIPencryptionusingapre-sharedkeywpa2-tkip WPA2withTKIPencryptionanddynamickeysusing802.1XxSec xSecencryption<cr>(Aruba800)(SSIDProfile“test”)#opmodeopensystemARUBA无线控制器的无线配置SSIDProfile的定义ARUBA无线控制器的无线配置AAAProfile的定义配置基于Open的AAAProfile(Aruba800)(config)#aaaprofiletest(Aruba800)(AAAProfile"test")#clonedefault配置基于Portal认证的CaptivePortalProfile(Aruba800)(config)#aaaauthenticationcaptive-portaltest(Aruba800)(CaptivePortalAuthenticationProfile"test")#clonedefault(Aruba800)(CaptivePortalAuthenticationProfile"test")#default-roleguest(Aruba800)(CaptivePortalAuthenticationProfile"test")#noenable-welcome(Aruba800)(CaptivePortalAuthenticationProfile"test")#server-grouptestARUBA无线控制器的无线配置配置LDAP服务器(Aruba800)(config)#aaaauthentication-serverldaptest(Aruba800)(LDAPServer"test")#host0(Aruba800)(LDAPServer"test")#admin-dnadmin(Aruba800)(LDAPServer"test")#admin-passwdadmin(Aruba800)(LDAPServer"test")#base-dncn=users,dc=qa,dc=domain,dc=com(Aruba800)(LDAPServer"test")#allow-cleartext(Aruba800)(LDAPServer"test")#exit对LDAP服务器进行测试(Aruba800)#aaaquery-user

<LDAP-Server-Name><Username>ARUBA无线控制器的无线配置配置Radius服务器(Aruba800)(config)#aaaauthentication-serverradiustest(Aruba800)(RADIUSServer"test")#host0(Aruba800)(RADIUSServer"test")#key123456(Aruba800)(RADIUSServer"test")#exit对Radius服务器进行测试(Aruba800)#aaatest-servermschapv2<Radius-Server-Name><Username><Password>ARUBA无线控制器的无线配置配置Server-Group(Aruba800)(config)#aaaserver-grouptest(Aruba800)(ServerGroup"test")#auth-servertest(Aruba800)(ServerGroup"test")#setroleconditionmemberOfcontainsguestset-valueguest(Aruba800)(config)#showaaaserver-grouptestFailThrough:NoAuthServersNameServer-Typetrim-FQDNMatch-TypeMatch-OpMatch-Str

testLdapNoRole/VLANderivationrulesPriorityAttributeOperationOperandTypeActionValueValid

1memberOfcontainsguestStringsetroleguestNoLab4：配置两个Server-Group步骤：定义一个RadiusServer并测试通过定义一个RadiusServerGroup定义一个LDAPServer并测试通过定义一个LDAPServerGroup相关配置参数：组号第1组第2组第X组Radius-ServerT1-radius-server1）host002）key123456T2-radius-server1）host002）key123456TX-radius-server1）host002）key123456Radius-Server-GroupT1-radius-servergroup1）auth-serverT1-radius-server2）setroleconditionrolevalue-ofT2-radius-servergroup1）auth-serverT1-radius-server2）setroleconditionrolevalue-ofTX-radius-servergroup1）auth-serverT1-radius-server2）setroleconditionrolevalue-ofLdap-ServerT1-ldap-server1）host002）admin-dnadmin3）admin-pass1qaz@wsx4）base-dndc=mylab,dc=netT2-ldap-server1）host002）admin-dnadmin3）admin-pass1qaz@wsx4）base-dndc=mylab,dc=netTX-ldap-server1）host002）admin-dnadmin3）admin-pass1qaz@wsx4）base-dndc=mylab,dc=netLdap-Server-GroupT1-ldap-servergroup1）auth-serverT1-ldap-serverT2-ldap-servergroup1）auth-serverT2-ldap-serverTX-radius-servergroup1）auth-serverTX-ldap-serverARUBA无线控制器的无线配置在用户初始角色（initialrole）中调用CaptivePortalProfile(Aruba800)(config)#user-rolelogon(Aruba800)(config-role)#captive-portaltest(Aruba800)(config-role)#exitARUBA无线控制器的无线配置VirtualAPAAAVLANSSIDESSIDOpenSystemCaptivePortalDefaultRoleServerGroupInitialRoleLDAPServerRadiusServerDerivedRolePolicyPolicyLab5：配置一个Open的SSID步骤：定义SSIDProfile定义AAAProfile定义VAPProfile(引用SSID-Profile,AAA-Profile,并指定用户VLAN)将VAP

Profile加入AP-Group（default）用Laptop连接无线网络，观察获得的IP地址以及用户的角色和权限改变AAAProfile中的initialrole，重新连接，观察并体会用户权限的变化相关配置参数：组号第1组第2组第X组SSID-ProfileT1-ssid-profile1）ESSID=T1-aruba2）opmode=opensystemT2-ssid-profile1）ESSID=T2-aruba2）opmode=opensystemTX-ssid-profile1）ESSID=TX-aruba2）opmode=opensystemAAA-ProfileT1-aaa-profile1）initial-role=T1-authenticatedT2-aaa-profile1）initial-role=T2-authenticatedTX-aaa-profile1）initial-role=TX-authenticatedVAP-ProfileT1-vap-profile1）T1-ssid-profile2）T1-aaa-profile3）VLAN101T2-vap-profile1）T2-ssid-profile2）T2-aaa-profile3）VLAN102TX-vap-profile1）TX-ssid-profile2）TX-aaa-profile3）VLAN10XLab6