This product includes code licensed under the GNU General Public License, the GNU Lesser General Public
License, and/or certain other open source licenses. A complete machine-readable copy of the source code
corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information
and shall expire three years following the date of the final distribution of this product version by
Hewlett-Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US
$10.00 to:
Hewlett-Packard Enterprise Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA
Please specify the product and version for which you are requesting source code.
You may also request a copy of this source code free of charge at: http://hpe.com/software/opensource.
Supporting Multiple AirWave Servers 15
Integrating AirWave into the Network and Organizational Hierarchy 15
Administrative Roles 16
Contacting Support 16
Configuring AirWave 18
Before You Begin 18
Formatting the Top Header 18
Customizing Columns in Lists 19
Resetting Pagination Records 21
Using the Pagination Widget 22
Using Export CSV for Lists and Reports 22
Defining Graph Display Preferences 22
Customizing the Dashboard 23
Adding Widgets 24
Available Widgets 24
Search Preferences 28
How to Use Search 29
Setting Severe Alert Warning Behavior 30
Defining General AirWave Server Settings 30
AMP Setup > General 30
General Settings 31
Automatic Authorization Settings 31
Aruba Instant Settings 32
Top Header Settings 33
Search Method 33
Home Overview Preferences 34
Display Settings 34
Device Configuration Settings 35
AMP Features 36
External Logging Settings 36
Historical Data Retention Settings 37
Firmware Upgrade Defaults 39
Additional AMP Services 40
Performance Settings 42
Add a Juniper Network Director 80
Add a Brocade Network Advisor 80
Add an HPE Intelligent Management Center 80
Contents | AirWave 8.2.4 | User Guide
Configuring and Using Device Groups 82
AirWave Groups Overview 84
Viewing All Defined Device Groups 85
Configuring Basic Group Settings 87
Basic Configuration Settings 87
Global Group Settings 88
SNMP Polling Periods 88
Routers and Switches 89
Notes 90
Group Display Options 90
Automatic Static IP Assignment 91
Spanning Tree Protocol 91
NTP 92
HPE Aruba/OfficeConnect Switch Configuration 92
Aruba 93
Aruba Instant 93
Cisco IOS/Catalyst 94
Cisco WLC 95
Proxim/Avaya 95
HP ProCurve 96
Symbol 96
Juniper/3Com/Enterasys/Nortel/Trapeze 97
Universal Devices, Routers and Switches 97
Automatic Authorization 97
Adding and Configuring Group AAA Servers 97
Configuring Group Security Settings 99
Configuring Group SSIDs and VLANs 103
Configuring Radio Settings for Device Groups 107
Cisco WLC Group Configuration 111
Accessing Cisco WLC Configuration 111
Navigating Cisco WLC Configuration 111
Configuring WLANs for Cisco WLC Devices 112
Defining and Configuring LWAPP AP Groups for Cisco Devices 116
Viewing and Creating Cisco AP Groups 116
Configuring Cisco Controller Settings 116
Configuring Wireless Parameters for Cisco Controllers 117
Configuring Cisco WLC Security Parameters and Functions 117
Configuring Management Settings for Cisco WLC Controllers 118
Configuring Group PTMP Settings 118
Configuring Proxim Mesh Radio Settings 119
Configuring Group MAC Access Control Lists 121
Specifying Minimum Firmware Versions for Devices in a Group 121
Comparing Device Groups 123
Deleting a Group 125
Changing Multiple Group Configurations 125
Modifying Multiple Devices 127
Using Global Groups for Group Configuration 129
Creating a Global Group 130
Subscribing other Groups to a Global Group 131
Discovering and Adding Devices 132
SNMP/HTTP Scanning Overview 132
Adding Networks for SNMP/HTTP Scanning 132
Adding Credentials for Scanning 133
Defining a Scan Set 134
Running a Scan Set 134
The Cisco Discovery Protocol (CDP) 136
Manually Adding Devices 136
Showing Filters, Clearing Filters, Resetting Grouping 147
Using Device Folders 147
Adding device folders 147
Moving folders 147
Expanding folders 148
Monitoring Access Points, Mesh Devices, and Controllers 148
Device Information for Access Points, Mesh Devices, and Controllers 148
Radios 150
Wired Interfaces 151
Graphs for Access Points, Mesh Devices, and Controllers 151
Location 152
Connected Clients 153
AirMesh Links 154
RF Neighbors 154
CDP Neighbors 154
Evaluating Radio Statistics for an AP 154
Overview of the Radio Statistics Page 155
Viewing Real-Time ARM or AirMatch Statistics 155
Issues Summary section 155
802.11 Radio Counters Summary 156
Radio Statistics Interactive Graphs 156
Recent ARM Events Log 158
Detected Interfering Devices Table 159
Active BSSIDs Table 160
Monitoring Mesh Devices 160
Setting up Spectrum Analysis 161
Spectrum Configurations and Prerequisites 161
Setting up a Permanent Spectrum Aruba AP Group 161
Configuring an Individual AP to run in Spectrum Mode 162
Configuring a Controller to use the Spectrum Profile 163
Monitoring Switches and Routers 164
Device Information for Switches and Routers 164
Graphs for Switches and Routers 165
Detailed Summary Tables 165
Neighbors 165
Connected Devices 167
Interfaces 168
Monitoring Controller Clusters 170
Sorting and Filtering Controller Cluster Data 170
Viewing Controller Cluster Details 170
Viewing Capacity Graphs 171
Viewing Controller Statistics 171
Monitoring Cluster Events 172
Where to Find Additional Cluster Information 172
Monitoring Clients 173
Monitoring Wired and Wireless Clients 174
Monitoring Rogue Clients 176
Supporting Wireless Guest Users 177
Supporting VPN Users 180
Monitoring RFID Tags 181
Troubleshooting Client Issues 182
Evaluating User Status 182
Enabling Mobile Device Access Control 183
Classifying Aruba Devices 184
Quick Links for Clients on Aruba Devices 184
Using the Deauthenticate Client Feature 185
Viewing the Client Association History 185
Viewing the Rogue Association History 186
Diagnosing Status and Connectivity 186
Using Topology 187
Navigate the Map 188
Change the Root Node 188
Change the Layout 188
Search for a Device 189
Respond to Alerts 189
Take Action from Quick Links 190
Tooltips 190
Device Details 190
Filter the Map 191
Status Icons 192
Configuring and Managing Devices 193
Moving a Device from Monitor Only to Manage Read/Write Mode 193
Configuring AP Settings 194
Setting a Maintenance Window for a Device 202
Configuring Device Interfaces for Switches 203
Individual Device Support and Firmware Upgrades 204
Creating and Using Templates 208
Group Templates 208
Supported Device Templates 208
Template Variables 209
Viewing and Adding Templates 210
Configuring General Template Files and Variables 214
Configuring General Templates 214
IOS Configuration File Template 215
Device Configuration File on APs/Devices > Audit Configuration Page 215
Using Template Syntax 216
Using AP-Specific Variables 216
Using Directives to Eliminate Reporting of Configuration Mismatches 216
Ignore_and_do_not_push Command 217
Push_and_exclude Command 217
Using Conditional Variables in Templates 217
Using Substitution Variables in Templates 218
Configuring Templates for Aruba Instant 219
Configuring Templates for AirMesh 221
Configuring Cisco IOS Templates 221
Applying Startup-config Files 221
WDS Settings in Templates 222
SCP Required Settings in Templates 222
Supporting Multiple Radio Types via a Single IOS Template 222
Configuring Single and Dual-Radio APs via a Single IOS Template 223
Configuring Cisco Catalyst Switch Templates 223
Configuring Symbol Controller / HPE WESM Templates 223
Configuring a Global Template 225
Using RAPIDS and Rogue Classification 228
Introduction to RAPIDS 228
Viewing RAPIDS Summary 228
Setting Up RAPIDS 230
RAPIDS Setup 230
Basic Configuration 230
Classification Options 232
Containment Options 232
Filtering Options 233
Additional Settings 234
Defining RAPIDS Rules 234
Controller Classification with WMS Offload 234
Device OUI Score 235
Rogue Device Threat Level 235
Viewing and Configuring RAPIDS Rules 235
RAPIDS Classification Rule Properties 237
Deleting or Editing a Rule 239
Changing the Rule Priority 239
Recommended RAPIDS Rules 239
Using RAPIDS Rules with Additional AirWave Functions 239
Viewing Rogues 240
Predefined, Default Views for Rogue Devices 240
Filtered Views for Rogue Devices 241
Overview of the RAPIDS > Detail Page 243
Important Considerations 244
Filter the Device Data 244
Update Rogue Devices 244
Viewing Ignored Rogue Devices 245
Using RAPIDS Workflow to Process Rogue Devices 245
Score Override 245
Using the Audit Log 246
Additional Resources 247
Performing Daily Administration in AirWave 248
Using the System Pages 248
Checking the Status of AirWave Services 248
About the Tar Files 248
Important Log Files 248
Viewing Device Events 249
Using the Event Log 250
Viewing Triggers 251
Managing Mobile Devices with SOTI MobiControl and AirWave 269
Overview of SOTI MobiControl 269
Prerequisites for Using MobiControl with AirWave 270
Adding a Mobile Device Management Server for MobiControl 270
Accessing MobiControl from the Clients > Client Detail Page 271
About the Home Page 271
Monitoring Your Network Health 271
Monitoring with AppRF 273
Using the UCC Dashboard 275
Viewing Call Details 275
Viewing UCC Charts, Graphs, and Tables 275
Viewing End-to-End Call Details 277
Get Call Summary 278
Using the UCC Report 279
Viewing RF Performance 279
Viewing RF Capacity 281
Viewing Network Deviations 283
How Standard Deviation is Calculated 285
Accessing AirWave Documentation 285
Licensing in AirWave 285
Adding licenses 286
Viewing licenses 286
Configuring License Expiration Email Notifications 287
Configuring Your User Information 287
Supporting Multiple AirWave Servers 290
Using the Public Portal on Master Console 290
Adding a Managed AMP with the Master Console 291
Using Global Groups with Master Console 292
Logging out of AirWave 293
Creating, Running, and Sending Reports 294
What You Can Do With Reports 294
Track licenses 294
Improve Network Efficiency and User Experience 294
Monitor Clients and Devices 294
Show Compliance 295
Troubleshoot Device and Network Issues 295
Sorting Reports 296
About the Default Reports 296
Using the License Report 296
Using the Capacity Planning Report 297
Example Custom Report 297
Using the Memory and CPU Utilization Report 299
Using the Network Usage Report 299
Using the Port Usage Report 301
Using the RF Health Report 303
Using the Client Inventory Report 304
Example Custom Report 305
Using the Client Session Report 306
Using the Configuration Audit Report 308
Using the Device Summary Report 310
Using the Device Uptime Report 311
Using the Inventory Report 312
Example Custom Report 312
Using the Rogue Containment Audit Report 314
Using the PCI Compliance Report 315
Using the IDS Events Report 316
Using the Match Event Report 317
Using the New Clients Report 319
Using the New Rogue Devices Report 320
Using the RADIUS Reports 322
RADIUS Authentication Issues 322
RADIUS Accounting Issues 323
Using the Rogue Clients Report 324
Using the VPN Session Report 326
Creating Reports 327
Tips for Restricting Time Ranges 327
Reports > Generated Page Overview 327
Adding a Wall Attenuation 342
VisualRF Resource Utilization 343
Planning and Provisioning 343
Creating a New Campus 344
Creating a New Building 344
Adding a Floor Plan 345
Editing a Floor Plan Image 346
Cropping the Floor Plan Image 346
Copying a Floor Plan in the Same Building 347
Sizing a Non-CAD Floor Plan 347
Defining Floor Plan Boundaries 347
Defining Floor Plan Regions 347
Adding Region to a New Floor using the Floor Upload Wizard 347
Adding a Region to an Existing Floor Plan 348
Editing a Planning Region 349
Floor Plan Properties 349
Adding Deployed Access Points onto the Floor Plan 350
Adding Planned APs onto the Floor Plan 351
Auto-Matching Planned Devices 352
Printing a Bill of Materials Report 352
Increasing Location Accuracy 352
Adding Exterior Walls 353
Defining Stationary Devices 354
Fine-Tuning Location Service in VisualRF > Setup 355
Decreasing Grid Size 355
Enabling Dynamic Attenuation 355
Configuring Infrastructure 355
Deploying APs for Client Location Accuracy 356
Using VisualRF to Assess RF Environments 357
Viewing a Wireless User’s RF Environment 357
Tracking Location History 358
Checking Signal Strength to Client Location 359
Viewing an AP’s Wireless RF Environment 359
Viewing a Floor Plan’s RF Environment 360
Viewing a Network, Campus, Building’s RF Environment 361
Viewing Campuses, Buildings, or Floors from a List View 361
Importing and Exporting in VisualRF 362
Exporting a campus 362
Importing from CAD 362
Batch Importing CAD Files 363
Requirements 363
Pre Processing Steps 363
Upload Processing Steps 363
Post Processing Steps 364
Sample Upload Instruction XML File 364
Common Importation Problems 364
Importing from an Aruba Controller 364
Pre-Conversion Checklist 365
Process on Controller 365
Process on AirWave 365
VisualRF Location APIs 365
Sample Device Location Response 365
Sample Site Inventory Response 366
About VisualRF Plan 366
Overview 366
Minimum requirements 367
VisualRF Plan Installation 367
Differences between VisualRF and VisualRF Plan 367
Appendix A Using FIPS Encryption
Enabling FIPS 140-2 Approved Mode
Appendix B AMP Command Line Interface
About the Command Line Interface
CLI Access
Custom Modules
How to Reset Your Password
CLI Options
Index
Chapter 1
Introduction
Thank you for choosing AirWave 8.2.4. AirWave makes it easy and efficient to manage your wireless network by
combining industry-leading functionality with an intuitive user interface, enabling network administrators and
helpdesk staff to support and control even the largest wireless networks.
The User Guide provides instructions for the configuration and operation of AirWave. This section includes the
following topics:
• "A Unified Wireless Network Command Center" on page 13
• "Integrating AirWave into the Network and Organizational Hierarchy" on page 15
Refer to the AirWave Installation Guide for information on installing and upgrading AirWave.
A Unified Wireless Network Command Center
AirWave 8.2.4 is the only network management software that offers you a single intelligent console from which
to monitor, analyze, and configure wireless networks in automatic fashion. Whether your wireless network is
simple or a large, complex, multi-vendor installation, AirWave manages it all.
AirWave supports hardware from leading wireless vendors including: Aruba Networks®, ProCurve™ by HPE®,
Avaya™, Cisco® (Aironet and WLC), Dell Networking W-Series, Enterasys®, Juniper Networks®, LANCOM
Systems, Meru Networks®, Nortel Networks™, Proxim®, Symbol™, Trapeze™, Tropos™, and many others.
The components of AirWave are described in the next section.
AirWave Management Platform
The AirWave Management Platform (AirWave) provides the following functions and benefits:
• Core network management functionality, including network discovery, configuration of access points (APs) &
  controllers, automated compliance audits, firmware distribution, monitoring of all devices and users connected to the
  network, and reports showing real-time and historical trends.
• Granular administrative access that is role-based and network-based. For more information about roles, see
  "Administrative Roles" on page 16.
• Flexible device support for thin, thick, or mesh network architecture; multiple vendors; and current or legacy
  hardware.
Controller Configuration
AirWave supports global and group-level configuration of ArubaOS (AOS), the operating system, software suite,
and application engine that operates mobility and centralizes control over the entire mobile environment. For a
complete description of ArubaOS, refer to the ArubaOS User Guide for your specific version.
AirWave consolidates and pushes global controller configurations from within AirWave.
Two pages in AirWave support controller configuration:
• Device Setup > Aruba Configuration for global Aruba Configuration. This page is available if Use Global Aruba
  Configuration is set to Yes in AMP Setup > General.
• Groups > Controller Config for group-level configuration.
For additional information that includes a comprehensive inventory of all pages and settings that support Aruba
Configuration, refer to the AirWave 8.2 Controller Configuration Guide.
Instant Configuration
Aruba Instant (Instant) is a system of access points in a Layer 2 subnet. The Instant APs (IAPs) are controlled by a
single IAP that serves a dual role as both an IAP and primary Virtual Controller (VC), eliminating the need for
dedicated controller hardware. This system can be deployed through a simplified setup process appropriate for
smaller organizations, or for multiple geographically dispersed locations without an on-site administrator.
With AirWave, IT can centrally configure, monitor, and troubleshoot Aruba Instant WLANs, upload new software
images, track devices, generate reports, and perform other vital management tasks, all from a remote location.
A Virtual Controller or Instant AP can authenticate to the AirWave server using a pre-shared key, or using two-way
certificate-based authentication using an SSL certificate sent from AirWave to the Instant device. Virtual
Controllers push data to AirWave via HTTPS. If your enterprise has a security policy that restricts the use of port
443 for inbound communication, you can change the port AirWave uses to communicate with Instant devices.
For additional information that includes a comprehensive inventory of all pages and settings that support
Instant Configuration, refer to the Aruba Instant in AirWave 8.2 Deployment Guide.
Switch Configuration
AirWave supports group-level configuration of an Aruba Mobility Access Switch (MAS), the operating system,
software suite, and application engine that operates mobility and centralizes control over the entire network
environment. For a complete description of ArubaOS, refer to the ArubaOS User Guide for your specific Aruba
Mobility Access Switch version.
AirWave consolidates and pushes group switch configurations from within AirWave using the Groups > Switch
Config page. This page is available if Use Global Aruba Configuration is set to No in AMP Setup > General.
For additional information that includes a comprehensive inventory of all pages and settings that support Switch
Configuration, refer to the AirWave 8.2 Switch Configuration Guide available at support.arubanetworks.com.
VisualRF
VisualRF monitors and manages radio frequency (RF) dynamics within your wireless network. VisualRF provides:
• Accurate location information for all wireless users and devices.
• Up-to-date heat maps and channel maps for RF diagnostics; it adjusts for building materials and supports multiple
  antenna types.
• Floor plan, building, and campus views.
• Visual display of errors and alerts.
• Easy importing of existing floor plans and building maps.
• Planning of new floor plans and AP placement recommendations.
RAPIDS
RAPIDS is a powerful and easy-to-use tool for monitoring and managing security on your wireless network.
RAPIDS provides:
• Automatic detection of unauthorized wireless devices.
• Rogue device classification that supports multiple methods of rogue detection.
• Wireless detection, using authorized wireless APs to report other devices within range to calculate and display rogue
  location on a VisualRF map.
• Wired network detection of rogue APs located beyond the range of authorized APs and sensors, routers, and
  switches. RAPIDS ranks devices according to the likelihood they are rogues, runs multiple tests to eliminate false
  positive results, and identifies the switch and port to which a rogue device is connected.
Supporting Multiple AirWave Servers
You can monitor multiple AirWave servers using the Master Console. After you add the AirWave servers to
Master Console, they will be polled for basic AirWave information.
The Overview page in the Master Console provides summary statistics for the entire network at a glance.
• Reports can be run from the Master Console to display information from multiple AirWave stations; because such
  reports can be extremely large, reports can also be run as summary only so that they generate more quickly and
  finish as a manageable file size.
• The Master Console can also be used to populate group-level configuration on managed AirWave installations using
  the Global Groups feature.
• The Master Console offers a display of devices that are in a Down or Error state anywhere on the network. This
  information is supported on Master Console pages that display device lists such as Home > Overview and
  APs/Devices > List.
• The Master Console and Failover servers can be configured with a Managed AMP Down trigger that generates an
  alert if communication is lost to a managed or watched AirWave station. The Master Console or Failover server can
  also send email or NMS notifications about the event.
XML APIs are not supported on the Master Console.
If you have the Master Console license, you can also monitor your multiple AirWave servers using [[[Undefined
variable airwave.Glass]]]. For more information, see the [[[Undefined variable airwave.Glass]]] 1.0.0 User Guide.
Integrating AirWave into the Network and Organizational Hierarchy
AirWave generally resides in the network operations center and communicates with various components of your
WLAN infrastructure. In basic deployments, AirWave communicates solely with indoor wireless access points
and WLAN controllers over the wired network. In more complex deployments, AirWave seamlessly integrates
and communicates with authentication servers, accounting servers, TACACS+ servers, LDAP servers, routers,
switches, network management servers, wireless IDS solutions, helpdesk systems, indoor wireless access points,
and mesh devices. AirWave has the flexibility to manage devices on local networks, remote networks, and networks
using Network Address Translation (NAT). AirWave communicates over-the-air or over-the-wire using a variety of
protocols.
The power, performance, and usability of AirWave become more apparent when considering the diverse
components within a WLAN. Table 1 itemizes some example network components.
Table 1: Components of a WLAN
Component              Description
Autonomous AP          Standalone device which performs radio and authentication functions
Thin AP                Radio-only device coupled with WLAN controller to perform authentication
WLAN Controller        Used in conjunction with thin APs to coordinate authentication and roaming
NMS                    Network Management Systems and Event Correlation (OpenView, Tivoli, and so forth)
RADIUS Authentication  RADIUS authentication servers (ClearPass, Funk, FreeRADIUS, ACS, or IAS)
RADIUS Accounting      AirWave itself serves as a RADIUS accounting client
Wireless Gateways      Provide HTML redirect and/or wireless VPNs
TACACS+ and LDAP       Used to authenticate AirWave administrative users
Routers/Switches       Provide AirWave with data for user information and AP and Rogue discovery
Help Desk Systems      Remedy EPICOR
Rogue APs              Unauthorized APs not registered in the AirWave database of managed APs
Administrative Roles
The flexibility of AirWave enables it to integrate seamlessly into your business hierarchy as well as your network
topology. AirWave facilitates various administrative roles to match each individual user's role and responsibility:
• A Help Desk user can be given read-only access to monitoring data without being permitted to make configuration
  changes.
• A U.S.-based network engineer can be given read-write access to manage device configurations in North America,
  but not to control devices in the rest of the world.
• A security auditor can be given read-write access to configure security policies across the entire WLAN.
• NOC personnel can be given read-only access to monitoring all devices from the Master Console.
Contacting Support
Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
Airheads Social Forums and Knowledge Base: community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone: arubanetworks.com/support-services/contact-support/
Security Incident Response Team (SIRT):
  Site: arubanetworks.com/support-services/security-bulletins/
  Email: aruba-sirt@hpe.com
Chapter 2
Configuring AirWave
This section contains the following procedures to deploy initial AirWave configuration:
• "Formatting the Top Header" on page 18
• "Customizing Columns in Lists" on page 19
• "Resetting Pagination Records" on page 21
• "Using the Pagination Widget" on page 22
• "Defining Graph Display Preferences" on page 22
• "Customizing the Dashboard" on page 23
• "Setting Severe Alert Warning Behavior" on page 30
• "Defining General AirWave Server Settings" on page 30
• "Defining AirWave Network Settings" on page 44
• "Creating AirWave User Roles" on page 49
• "Creating AirWave Users" on page 46
• "Configuring Login Message, TACACS+, RADIUS, and LDAP Authentication" on page 54
• "Enabling AirWave to Manage Your Devices" on page 63
• "Setting Up Device Types" on page 69
• "Configuring Cisco WLSE and WLSE Rogue Scanning" on page 70
• "Configuring ACS Servers" on page 75
• "Integrating NMS Servers" on page 76
• "PCI Compliance Monitoring" on page 76
• "Deploying WMS Offload" on page 79
Additional configurations are available after basic configuration is complete.
Before You Begin
Remember to complete the required configurations in this chapter before proceeding. Aruba support remains
available to you for any phase of AirWave installation.
Formatting the Top Header
The AirWave interface centers around a horizontal row of tabs with nested subtabs. A row of statistics hyperlinks
called Top Header Stats above the tabs represents commonly used subtabs. These hyperlinks provide the ability
to view certain key statistics by mousing over, such as number and type of Down devices, and serve as shortcuts
to frequently viewed subtabs.
Figure 1 illustrates the navigation bar. More information on hyperlinks, tabs, and subtabs is available in the
AirWave 8.2.4 Installation Guide.
Figure 1: Navigation Bar Displaying Down Device Statistics
You can control the Top Header Stats links that appear from the AMP Setup > General page, as described in
"Defining General AirWave Server Settings" on page 30. Top Header Stats can also be customized for individual
users on the Home > User Info page. There you can select the statistics to display for certain device types and
override the AMP Setup page.
All possible display options for users are shown in Figure 2.
A confirmation message does not appear when you make modifications to the Top Header Stats.
Refer to "Configuring Your User Information" on page 287 for more information.
Figure 2: Home > User Info Top Header Stats Display Options
You can also set the severity level of critical alerts displayed for a user role. For details including a description of
what constitutes a severe alert, see "Setting Severe Alert Warning Behavior" on page 30.
Customizing Columns in Lists
Customize the columns for any list table by selecting the drop-down list below the view name. Select the New
option to create a new view with custom columns, or select Edit to change the columns in an existing view, as
shown in the figure below.
The default table views cannot be edited.
Figure 3: Edit View Drop down List
Drag and drop column headings from the Available Columns field to the desired location in the Current
Columns field. The available columns vary, depending upon the list type.
Figure 4: Selecting Available List columns
Some tables allow you to control which column headings appear for each user role. Navigate to Home > User Info
> Display Preferences, and then select Yes in the Customize Columns for Other Roles field. This exposes
the Choose Columns for Roles drop-down menu in all tables that support this feature.
The first column shows the user roles that were customized, if any. The second column allows you to establish
left-to-right columns and order them using the arrows.
Figure 5: Table with Choose Columns for Roles Menu Selected
Resetting Pagination Records
To control the number of records in any individual list, select the link with Records Per Page mouseover text at
the top left of the table, as shown in Figure 6. AirWave remembers each list’s pagination preferences.
Figure 6: Records Per Page Drop Down Menu
To reset all Records Per Page preferences, click the Reset button in the Display Preferences section of
the Home > User Info page, as shown in Figure 7.
Figure 7: Home > User Info > Display Preferences section
Using the Pagination Widget
The pagination widget is located at the top and bottom of every list table, as shown in Figure 8.
Figure 8: Pagination Widget
Enter a page number into the Page field to jump to any portion of the table, or select the > symbol to advance to
the next page, and >| to return to the previous page.
Using Export CSV for Lists and Reports
Some tables have an Export CSV option you can use to export the data as a spreadsheet. See Figure 9 for an
example of a list with the Export CSV icon selected.
Figure 9: List with CSV Export Selected
AirWave also enables CSV exporting of all report types. For more information, see "Sending Reports" on page
329.
Defining Graph Display Preferences
Many of the graphs in AirWave are Highcharts, which allow you to adjust the graph settings attributes as shown
in Figure 10.
Figure 10: Interactive Graphs on the Home > Overview Page
Highcharts are built with JavaScript, so the graphs can run directly through your browser without the need for
additional client-side plugins. This makes it possible to view your AirWave charts on a mobile device.
These charts can be used and customized as follows.
• A Time Range selector in the upper right portion of the charts (including pop-up charts) allows you to select a
  common or a custom date range for your data. The preconfigured ranges for AirWave charts are current 2 hours, 1
  day, 1 week, and 1 year.
• Drop-down menus are available for viewing client and usage for specific SSIDs and/or all SSIDs. A search field is
  available to help you quickly find a specific WLAN.
  You can select up to six options from each drop-down menu. Once selected, each option will appear in the
  color-coded legend below the chart. Clicking on an option in this legend will disable or enable that information
  in the graph. Note that even if an option is disabled from viewing in the graph, that option will still remain in
  the legend until you deselect it from the drop-down menu.
• Max and Avg options allow you to change the chart view to show the maximum or average client and usage
  information.
• Plot points display within the chart at varying intervals, depending on the selected time range. Tooltips and a plot line
  appear as you hover over each plot point, showing you the detailed information for that specific time.
• Click on any chart to view a pop-up version. In this version, you can easily zoom in on a range of data by using your
  mouse to drag a rectangle in the chart. While you are zoomed in, a Reset zoom button appears, enabling you to
  return to the original view. The pop-up charts also include a legend that displays the Last, Min, Max, and Avg values
  for the selected graph.
• Some charts include a drop-down option next to the graph title. For example, on the APs/Devices > Monitor page for
  Radio Statistics, you can select the drop-down beside the graph title to view a graph for Client, Usage, Radio Channel,
  Radio Noise, Radio Power, Radio Errors, and 802.11 Counters information. In prior versions of AirWave, these graphs
  appeared as separate tabs.
Customizing the Dashboard
Click to customize the widgets that appear on your dashboard so you see only what you want in your
reports. Figure 11 shows an example where you drag the "Clients by Network" widget to the dashboard.
Figure 11: Drag a Widget to the Dashboard
Adding Widgets
The Home > Overview page displays the currently selected widgets (charts/graphs). You can change the
widgets on this page by selecting the Customize link in the upper-right corner.
The Available Widgets section on the left holds all available graphical elements (widgets). Select any blue
widget tile with a verbal description enclosed, and it immediately turns into a graphical element with a
description.
Drag the widgets you want to appear on the Home > Overview dashboard across to the gridlines and arrange
them in the right section, within the gridlines. A widget snaps back to the nearest available gridline if you drop it
across two or more lines and turns red if you attempt to place it over gridlines already occupied by widgets.
Widgets with a green top banner are properly placed and set to appear when you select Save. Widgets that
remain in the left section will not appear, although they can be reinstated by selecting Restore Defaults.
Available Widgets
Table 2 describes the list of available widgets along with a description for each. Note that when a widget is
enabled, the information that displays can vary based on the user’s permission level. Certain roles, for example,
limit the top folder that a user can view.
Table 2: Available Widgets
Widget | Description
Client/Usage Graphs | The Client graph is enabled by default and, by default, shows the maximum number of attached clients over the last two hours. Select the Show All link to view more specific client information on the graph, such as the total and average clients for a specific SSID, the maximum VPN sessions, etc. The available check boxes within this graph are determined by the SSIDs that AirWave is aware of from polling the device. The Usage graph is enabled by default and, by default, shows the average bits-per-second in/out information and average VPN in/out information. Select the Show All link to view usage information for specific SSIDs. The available check boxes within this graph are determined by the SSIDs that AirWave is aware of from polling the device. The information in these graphs is color coded to match the selected check boxes.
Monitoring and Config Pie | The Monitoring Status pie shows the percentage of total devices that are up and the number and percentage of devices that are currently down. Clicking within this pie chart takes you to the APs/Devices > Down page. The Configuration Compliance pie shows the percentage of devices that are mismatched, good, unknown, and those with auditing disabled. It also provides a summary of the total number of devices that are mismatched. Clicking within this pie chart takes you to the APs/Devices > Mismatch page. These pie charts are enabled by default.
Alert Summary | The Alert Summary table is enabled by default and provides the number of AirWave alerts, IDS events, and RADIUS authentication issues over the last 2 hours, the last 24 hours, and the total since the last AirWave server reboot.
• Click on AMP Alerts to drill down to more detailed alert information. This information displays in the current page. You can return to the Alert Summary graph by selecting the Home Overview link.
• Click on IDS Events to drill to more detailed event information. This link takes you to the RAPIDS > IDS Events page.
• Click on RADIUS Authentication Issues to drill to more detailed RADIUS authentication information. This information displays in the current page. You can return to the Alert Summary graph by selecting the Home Overview link.
Quick Links | The Quick Links section is enabled by default. This section provides the user with easy navigation to a specific folder, group, report, or common task.
RAPIDS: Acknowledged | The Acknowledged RAPIDS Devices pie chart shows the percentage of acknowledged and unacknowledged RAPIDS that the user has visibility into. The RAPIDS information appears from the moment a rogue is discovered until it is deleted. Ignored rogues, however, are not included in this chart. This chart also displays on the RAPIDS > Overview page.
RAPIDS: Classification Pie | The RAPIDS: Classification Pie shows the percentage of devices classified as Valid, Suspected Neighbor, Suspected Valid, Suspected Rogue, Rogue, and Neighbor that are attached to AirWave. The RAPIDS information appears from the moment a rogue is discovered until it is deleted. Ignored rogues, however, are not included in this chart. This pie chart can also be viewed on the RAPIDS > Overview page.
RAPIDS: Classification Summary | The RAPIDS: Classification Summary table shows the number of devices classified as Valid, Suspected Valid, Neighbor, Suspected Neighbor, Suspected Rogue, Rogue, and Unclassified that are attached to AirWave. In addition, contained rogue information will appear if Manage rogue AP containment is set to Yes on the RAPIDS > Setup page. The RAPIDS information appears from the moment a rogue is discovered until it is deleted. Note that ignored rogues are not included in this chart. This table can also be viewed on the RAPIDS > Overview page.
IDS Events | The IDS Events table shows the number and type of attacks logged by the intrusion detection system over the last 2 hours, the last 24 hours, and the total since the last AirWave server reboot. This is the same table that displays on the RAPIDS > Overview page.
RAPIDS: OS Pie | The RAPIDS: OS Pie chart shows the top 9 rogue devices by OS, Others, Unknown, and Not Scanned. The RAPIDS information appears from the moment a rogue is discovered until it is deleted. Note that ignored rogues are not included in this chart. This pie chart can also be viewed on the RAPIDS > Overview page.
RAPIDS: OS Summary | The RAPIDS: OS Summary table shows the top 9 rogue devices by OS, Others, Unknown, and Not Scanned. The RAPIDS information appears from the moment a rogue is discovered until it is deleted. Note that ignored rogues are not included in this chart. This table can also be viewed on the RAPIDS > Overview page.
Top Folders By AP Usage | This chart lists the folders and the number of APs in each folder whose usage is greater than the cutoff (or usage threshold). The cutoff represents 75% of the maximum usage, where the maximum usage is the AP with the highest usage regardless of the folder in which it resides. The cutoff value is displayed within the title, and this value can vary. The chart takes into account approved APs with radios based on the last 24 hours. In addition, this chart is updated every hour.
Top Folders By A Radio Channel Usage | This chart shows the folders and the number of 802.11a radios (5GHz) in each folder whose channel usage is greater than the cutoff (or usage threshold) as measured by Mbps. This cutoff is set on the AMP Setup > General page using the Configure Channel Busy Threshold option. If this option is not configured, then the cutoff is 75% of the ‘maximum,’ where the ‘maximum’ refers to the AP that has the highest usage regardless of the folder in which it resides. The cutoff value is displayed within the title, and this value can vary. This chart takes into account approved APs with ‘A’ radios based on the last 24 hours. In addition, this chart is updated every hour.
Top Folders By BG Radio Channel Usage | This chart shows the folders and the number of 802.11b/g radios (2.4GHz) in each folder whose channel usage is greater than the cutoff (or usage threshold) as measured by Mbps. This cutoff is set on the AMP Setup > General page using the Configure Channel Busy Threshold option. If this option is not configured, then the cutoff is 75% of the ‘maximum,’ where the ‘maximum’ refers to the AP that has the highest usage regardless of the folder in which it resides. The cutoff value is displayed within the title, and this value can vary. This chart takes into account approved APs with ‘BG’ radios based on the last 24 hours. In addition, this chart is updated every hour.
Top Folders By A Radio Client Count | This chart shows the folders and the number of 802.11a radios (5GHz) in each folder whose client count is greater than the cutoff. The cutoff represents 75% of the ‘maximum,’ where the ‘maximum’ is the radio that has the highest client count regardless of the folder. The cutoff value is displayed within the title and can vary. This chart takes into account approved APs with A radios based on the last 24 hours. In addition, this chart is updated every hour.
Top Folders By BG Radio Client Count | This chart shows the folders and the number of 802.11b/g radios (2.4GHz) in each folder whose client count is greater than the cutoff. The cutoff represents 75% of the ‘maximum,’ where the ‘maximum’ is the radio that has the highest client count regardless of the folder. The cutoff value is displayed within the title and can vary. This chart takes into account approved APs with BG radios based on the last 24 hours. In addition, this chart is updated every hour.
Top Clients By Total Traffic | The widget looks at currently connected clients as well as client historical information over the past 24 hours and then displays the top 10 clients with the most usage. You can click on a MAC address to view more information about any of the clients that display on this table. This table is updated every hour.
Clients By AOS Device Type | This pie chart shows the percentage of clients that have attached to AirWave over the last 24 hours based on the AOS device type.
Clients By Device Type | This pie chart shows the percentage of clients that have attached to AirWave over the last 24 hours based on the device type (such as a specific operating system or smart phone type).
Clients By Device Mfgr | This pie chart shows the percentage of clients that have attached to AirWave over the last 24 hours based on the client manufacturer.
Clients By Device Model | This pie chart shows the percentage of clients that have attached to AirWave over the last 24 hours based on the device model (such as the smart phone type).
Clients By Mfgr & Model | This pie chart shows the percentage of clients that have attached to AirWave over the last 24 hours based on the client manufacturer and model.
Clients By Device OS | This pie chart shows the percentage of clients that have attached to AirWave over the last 24 hours based on the device operating system (such as Windows or Android).
Clients By Device OS Detail | This pie chart shows the percentage of clients that have attached to AirWave over the last 24 hours based on the device operating system version (such as Windows NT 6.1).
Clients By Network Vendor | This pie chart shows the percentage of clients that have attached to AirWave over the last 24 hours based on each device’s network interface vendor.
Client Signal Distribution | The Client Signal Distribution chart shows the number of attached devices that have a signal quality within a set of ranges.
Search Preferences
For each user, you can customize the search results to display only desired categories of matches on the Home >
User Info page. Go to the Search Preferences section and select the desired search type from the Search
Method drop down. This search type will be used when a user types an entry in the Search field and then clicks
Enter without selecting a specific search type.
• Use System Defaults: The Search Method will be based on the system-wide configuration setting. This method is
configured on the AMP Setup > General page.
• Active clients + historical clients (exact match) + all devices: Commonly referred to as Quick Search, this looks at all
active and historical clients and all devices. This search is not case-sensitive. The results of this search display in a
pop up window rather than on the Home > Search page. This pop up window includes top-level navigation that allows
you to filter the results based on Clients, APs, Controllers, and Switches.
• Active clients + all categories: This looks at all active clients (not historical) and all categories. This search is not
case-sensitive. This search returns results on partial matches for user names if that user name is included in either the
beginning or the end of a user name string.
• Active clients + all categories (exact match): This looks at all active clients (not historical) and all categories. This
search returns only matches that are exactly as typed (IP, user name, device name, etc). This search is case-sensitive
for all searched fields.
• Active + historical clients + all categories: This looks at all active and historical clients and all categories. This search is
not case-sensitive.
• Active + historical clients + all categories (exact match): This looks at all active and historical clients and all categories.
This search returns only matches that are exactly as typed (IP, user name, device name, etc). This search is
case-sensitive for all searched fields.
A confirmation message does not appear after you make modifications to Search Preferences.
Figure 12: Home > User Info Search Preferences
How to Use Search
The Search field at the top of every AirWave page provides a simple way to find devices, clients, groups, and
rogues. You can search for things like notes, versions, serial numbers, IP addresses (IPv4 or IPv6), and MAC
addresses.
To find something using the Search field:
1. Click.
2. In the Search field, type a keyword or the first few letters and numbers. For example, Figure 13 shows the
search results for "00:".
3. Select one of the following search methods:
  ◦ Press Enter. You can change this default search method preference in the Home > User Info page.
  ◦ Click the down arrow and select a method from the list of search options.
  ◦ Click to see quick search results, showing connected clients, which might already be your default
search method.
search method.
Results include hypertext links to additional pages, and the Filter icon over some columns allows for additional
filtering of search returns.
Figure 13: Home > Search Page Illustration with Sample Hits on 00: (partial view)
For information on how to customize your search results, see "Configuring Your User Information" on page 287.
Setting Severe Alert Warning Behavior
You can control the alert levels you can see on the Alerts top header stats link using the Severe Alert
Threshold drop down menu located in the Top Header Stats section of the Home > User Info page. The
Severe Alert Threshold determines the severity level that results in a Severe Alert. Specify either Normal,
Warning, Minor, Major, or Critical as the severity alert threshold value. These threshold values are tied to
triggers that are created on the System > Triggers page. For example, if a trigger is defined to result in a Critical
alert, and if the Severe Alert Threshold here is defined as Major, then the list of Severe Alerts will include all Major
and Critical alerts. Similarly, if this value is set to Normal, which is the lowest threshold, then the list of Severe
Alerts will include all alerts.
When a Severe Alert exists, a new component named Severe Alerts will appear at the right of the Status field in
bold red font. This field is hidden if there are no Severe Alerts. In addition, only users who are enabled for
viewing Severe Alerts on the Home > User Info page can see severe alerts.
Defining General AirWave Server Settings
This section describes all pages accessed from the AMP Setup tab. It also describes two pages in the Device
Setup tab: the Communication and Upload Files pages. After required and optional configuration tasks in this
chapter are complete, continue to later chapters in this document to create and deploy device groups and device
configuration and discovery on the network.
Refer to the following topics for configuration information:
• "AMP Setup > General" on page 30
• "Defining AirWave Network Settings" on page 44
• "AirWave User Roles" on page 48
• "Creating AirWave Users" on page 46
• "Configuring Login Message, TACACS+, RADIUS, and LDAP Authentication" on page 54
• "Enabling AirWave to Manage Your Devices" on page 63
• "Setting Up Device Types" on page 69
AMP Setup > General
The first step in configuring AirWave is to specify the general settings for the AirWave server . illustrates the AMP
Setup > General page. Select Save when the General Server settings are complete and whenever making
subsequent changes. These settings are applied globally across the product (for all users).
Refer to the following sections for information about the available settings:
• "General Settings" on page 31
• "Automatic Authorization Settings" on page 31
• "Aruba Instant Settings" on page 32
• "Top Header Settings" on page 33
• "Search Method" on page 33
• "Home Overview Preferences" on page 34
• "Display Settings" on page 34
• "Device Configuration Settings" on page 35
• "AMP Features" on page 36
• "External Logging Settings" on page 36
• "Historical Data Retention Settings" on page 37
• "Firmware Upgrade Defaults" on page 39
• "Additional AMP Services" on page 40
• "Performance Settings" on page 42
General Settings
Browse to the AMP Setup > General page, locate the General section, and enter the information described in
Table 3:
Table 3: AMP Setup > General > General Section Fields and Default Values
Setting | Default | Description
System Name | | Defines your name for your AirWave server using alphanumeric characters.
Default Group | Access Points | Sets the device group that this AirWave server uses as the default for device-level configuration. Select a device group from the drop-down menu. A group must first be defined on the Groups > List page to appear in this drop-down menu. For additional information, refer to "Configuring and Using Device Groups" on page 82.
Device Configuration Audit Interval | Daily | This setting defines the interval of queries which compare actual device settings to the Group configuration policies stored in the AirWave database. If the settings do not match, the AP is flagged as mismatched and AirWave sends an alert via email, log, or SNMP. NOTE: Enabling this feature with a frequency of Daily or more frequently is recommended to ensure that your AP configurations comply with your established policies. Specifying Never is not recommended.
Automatically repair misconfigured devices | Disabled | If enabled, this setting automatically reconfigures the settings on the device when the device is in Manage mode and AirWave detects a variance between actual device settings and the Group configuration policy in the AirWave database.
Help improve AirWave by sending anonymous usage data | Disabled | If enabled, AirWave will send anonymous data to Aruba, which may be used to improve the AirWave software. To view an example of the data that will be sent, click the preview link.
Nightly Maintenance Time (00:00 - 23:59) | 04:15 | Specifies the local time of day AirWave should perform daily maintenance. During maintenance, AirWave cleans the database, performs backups, and completes a few other housekeeping tasks. Such processes should not be performed during peak hours of demand.
License APs Usage Threshold | 90 | Sets a threshold to display an alert on the controller monitor page when the license usage has reached this number.
Check for software updates | Yes | Enables AirWave to check automatically for multiple update types. Check daily for AirWave updates, to include enhancements, device template files, important security updates, and other important news. This setting requires a direct Internet connection via AirWave.
Automatic Authorization Settings
On the AMP Setup > General page, locate the Automatic Authorization section. These settings allow you to
control the conditions by which devices are automatically authorized into AP groups and folders. AirWave
validates the Folder and Group to ensure that both settings have been set to valid drop down options. Table 4
describes the settings and default values in this section.
Table 4: AMP Setup > General > Automatic Authorization Fields and Default Values
Setting | Default | Description
Add New Controllers and Autonomous Devices Location | New Device List | Globally add new controllers and autonomous devices to:
• The New Device List (located in APs/Devices > New).
• The same folder and group as the discovering device.
• The same group and folder of their closest IP neighbor on the same subnet.
• Choose a group and folder. If you select this option, enter the folder/group in the Auto Authorization Group and Auto Authorization Folder fields that display.
NOTE: This setting can be overridden in Groups > Basic.
Add New Thin APs Location | New Device List | Globally add new thin APs to:
• The New Devices list.
• The same folder and group as the discovering device.
• The same group and folder of their closest IP neighbor on the same subnet.
• Choose a group and folder. If you select this option, enter the folder/group in the Auto Authorization Group and Auto Authorization Folder fields that display.
NOTE: This setting can be overridden in Groups > Basic.
Automatically Authorized Virtual Controller Mode | Manage Read/Write | Specify whether Virtual Controller mode for Instant APs will be in Manage Read/Write mode or Monitor Only mode.
Aruba Instant Settings
A Virtual Controller can communicate with the AirWave server over a configurable communication port, and
authenticate to the server using a pre-shared key, and/or two-way certificate-based authentication using an SSL
certificate sent from AirWave to the Instant device.
The AMP Setup > General > Aruba Instant Options page includes the following Configuration settings:
Table 5: AMP Setup > General > Aruba Instant Options Fields and Default Values
Setting | Default | Description
Communication port (443,1000-65534): | 443 | By default, an Instant Virtual Controller communicates with AirWave over port 443. If your enterprise has a security policy that restricts the use of port 443 for inbound communication, use this field to change the port the Virtual Controller uses to communicate with AirWave.
Security method for adding new Virtual Controllers: | PSK Only | AirWave can use the following security methods to authenticate a Virtual Controller to the AirWave server:
• PSK Only
• PSK and Certificate
• Certificate Only
If you enable certificate-based authentication, you are directed to the AMP Setup > General > Upload SSL Certificate page, where you are prompted to upload a certificate file in PEM format that contains both a private key and certificate.
Allow None-TPM Devices | Yes | If certificate-based authentication is enabled for the Virtual Controller, AirWave allows low assurance, non-TPM devices. This setting is unavailable when PSK authentication is used.
Configuration Only | No | By default, AirWave will push Instant configuration settings as well as AirWave settings such as RAPIDS settings and traps from an AirWave group to a Virtual Controller assigned to that group. Select the Yes option to push Instant configuration settings only.
If you select a security method that includes Certificate-based authentication, you must upload a certificate
from a supported certificate authority to the AirWave server, as the default AirWave certificate will not be
recognized by the Instant AP, and will cause the SSL handshake to fail. Certificate authentication also requires
that the AMP IP address information configured on the Instant AP is a domain name, and not an IP address.
AirWave supports the following trusted certificate authorities:
• Chain 1:
  Trusted Root CA: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
  Intermediate CA: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance
  Secure Server CA
• Chain 2:
  Trusted Root CA: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
  Intermediate CA: Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
• Chain 3:
  Trusted Root CA: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For
  authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Intermediate CA: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at
  https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
If you enable certificate authentication, you are prompted to upload an SSL certificate. You can view the current
AirWave certificate using the View Certificate link on that page, or click Change to upload a new certificate file
to the AirWave server.
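The constraints this section places on the Aruba Instant settings (the allowed port values, the three security methods, a PEM file that holds both a private key and a certificate, and a domain name rather than an IP address for the AMP when certificates are used) can be checked before anything is uploaded. The Python sketch below is an added example, not AirWave code: the function names, the host name amp.example.com and the sample PEM blocks are constructed for illustration, and it checks file structure only, not whether the certificate chains to one of the supported CAs.

```python
import base64
import ipaddress
import re

# Values taken from Table 5 of this guide.
SECURITY_METHODS = {"PSK Only", "PSK and Certificate", "Certificate Only"}

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def pem_labels(pem_text):
    """Return the labels of all well-formed PEM blocks in pem_text.

    A block counts only if its body is non-empty, valid base64. Legacy
    encrypted keys that carry header lines inside the block are rejected.
    """
    labels = []
    for label, body in PEM_BLOCK.findall(pem_text):
        try:
            decoded = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded:
            labels.append(label)
    return labels


def port_allowed(port):
    """The Communication port field accepts 443 or 1000-65534."""
    return port == 443 or 1000 <= port <= 65534


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_instant_settings(port, method, amp_address, pem_text=""):
    """Return a list of problems; an empty list means no conflict was found."""
    problems = []
    if not port_allowed(port):
        problems.append("port must be 443 or 1000-65534")
    if method not in SECURITY_METHODS:
        problems.append("unknown security method")
        return problems
    if method != "PSK Only":  # both remaining methods use a certificate
        labels = pem_labels(pem_text)
        if not any(label.endswith("PRIVATE KEY") for label in labels):
            problems.append("PEM file has no private key block")
        if "CERTIFICATE" not in labels:
            problems.append("PEM file has no certificate block")
        if is_ip_literal(amp_address):
            problems.append("AMP address must be a domain name")
    return problems


def _constructed_block(label, payload):
    """Build a syntactically valid PEM block around placeholder bytes."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample input: placeholder bytes, not real key material.
SAMPLE_KEY = _constructed_block("PRIVATE KEY", b"placeholder, not a key")
SAMPLE_CERT = _constructed_block("CERTIFICATE", b"placeholder, not a cert")

if __name__ == "__main__":
    cases = [
        (443, "PSK and Certificate", "amp.example.com", SAMPLE_KEY + SAMPLE_CERT),
        (8443, "Certificate Only", "192.0.2.10", SAMPLE_CERT),
        (80, "PSK Only", "192.0.2.10", ""),
    ]
    for case in cases:
        print(case[:3], "->", check_instant_settings(*case) or "ok")
```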
Top Header Settings
On the AMP Setup > General page, locate the Top Header section to select the Top Header Stats to be
displayed at the top of the interface.
Search Method
On the AMP Setup > General page, locate the Search Method section. Select one of the following drop down
options as the system-wide default search method. This default search type will be used when a user types an
entry in the Search field and then clicks Enter without selecting a specific search type.
• Active clients + historical clients (exact match) + all devices: Commonly referred to as Quick Search, this looks at all
active and historical clients and all devices. This search is not case-sensitive. The results of this search display in a
pop up window rather than on the Home > Search page. This pop up window includes top-level navigation that allows
you to filter the results based on Clients, APs, Controllers, and Switches.
• Active clients + all categories: This looks at all active clients (not historical) and all categories. This search is not
case-sensitive.
• Active clients + all categories (exact match): This looks at all active clients (not historical) and all categories. This
search returns only matches that are exactly as typed (IP, user name, device name, etc). This search is case-sensitive
for all searched fields.
• Active + historical clients + all categories: This looks at all active and historical clients and all categories. This search is
not case-sensitive.
• Active + historical clients + all categories (exact match): This looks at all active and historical clients and all categories.
This search returns only matches that are exactly as typed (IP, user name, device name, etc). This search is
case-sensitive for all searched fields.
Per-user search preferences can be set in the Home > User Info page; refer to "Search Preferences" on page 28.
Home Overview Preferences
On the AMP Setup > General page, locate the Home Overview Preferences section. Table 6 describes the
settings and default values in this section.
Table 6: AMP Setup > General > Home Overview Preferences Fields and Default Values
Setting | Default | Description
Configure Channel Busy Threshold | Yes | Whether you want to configure the threshold at which a channel is considered to be busy at the Top Folders By Radio Channel Usage Overview widget.
Channel Busy Threshold (%) | n/a | The threshold percent at which the radio channel is considered busier than normal. This field is only available if the Configure Channel Busy Threshold setting is Yes.
Display Settings
On the AMP Setup > General page, locate the Display section and select the options to appear by default in
new device groups.
Changes to this section apply across all of AirWave. These changes affect all users and all new device groups.
Table 7 describes the settings and default values in this section.
Table 7: AMP Setup > General > Display Fields and Default Values
Setting | Default | Description
AP Fully Qualified Domain Name Options | No | Sets AirWave to use fully qualified domain names for APs instead of the AP name. For example, ‘testap.yourdomain.com’ would be used instead of ‘testap.’ Select one of the following options:
• Don’t use FQDN - This default value specifies that the fully qualified domain name will not be used.
• Use AP Name with FQDN - The AP name will prepend the FQDN, for example “somehostname (my.hostname.com).” Note that if the AP name is not present, then the FQDN will still appear in parentheses.
• Use only FQDN - Only the fully qualified domain name will be used.
NOTE: This option is supported only for Cisco IOS, Dell Networking W-Series, Aruba Networks, and Alcatel-Lucent devices.
Show vendor-specific device settings for | All Devices | Displays a drop-down menu that determines which Group tabs and options are viewable by default in new groups, and selects the device types that use fully qualified domain names. This field has three options, as follows:
• All devices—When selected, AirWave displays all Group tabs and setting options.
• Only devices on this AMP—When selected, AirWave hides all options and tabs that do not apply to the APs and devices currently on AirWave.
• Selected device type—When selected, a new field appears listing many device types. This option allows you to specify the device types for which AirWave displays group settings. You can override this setting.
Look up device and wireless user hostnames | Yes | Enables AirWave to look up the DNS for new user hostnames. This setting can be turned off to troubleshoot performance issues.
DNS Hostname Lifetime | 24 hours | Defines the length of time, in hours, for which a DNS server hostname remains valid on AirWave, after which AirWave refreshes DNS lookup:
• 1 hour
• 2 hours
• 4 hours
• 12 hours
• 24 hours
Device Troubleshooting Hint | N/A | The message included in this field is displayed along with the Down if a device’s upstream device is up. This applies to all APs and controllers but not to routers and switches.
Device Configuration Settings
Locate the Device Configuration section and adjust the settings. Table 8 describes the settings and default
values of this section.
Table 8: AMP Setup > General > Device Configuration Section Fields and Default Values
Setting | Default | Description
Guest User Configuration | Disabled | Enables or prevents guest users to/from pushing configurations to devices. Options are Disabled (default), Enabled for Devices in Manage (Read/Write), Enabled for all Devices.
Allow WMS Offload configuration in monitor-only mode | No | When Yes is selected, you can enable the ArubaOS WMS offload feature on the Groups > Basic page for WLAN switches in Monitor Only mode. Enabling WMS offload does not cause a controller to reboot. This option is supported only for Aruba and Dell Networking W-Series devices.
Allow disconnecting users while in monitor-only mode | No | Sets whether you can deauthenticate a user for a device in monitor-only mode. If set to No, the Deauthenticate Client button in a Clients > Client Detail page is enabled only for Managed devices.
Use Global Aruba Configuration | No | Enables Aruba configuration profile settings to be globally configured and then assigned to device groups. If disabled, settings can be defined entirely within Groups > Controller Config and Groups > Switch Config instead of globally.
NOTE: Changing this setting may require importing configuration on your devices. When an existing Aruba configuration setup is to be converted from global to group, follow these steps:
1. Set all the devices to Monitor Only mode before setting the flag.
2. Each device Group will need to have an import performed from the Audit page of a controller in the AMP group.
3. All of the thin APs need to have their settings imported after the device group settings have finished importing.
4. If the devices were set to Monitor Only mode, set them back to Managed mode.
AMP Features
Locate the AMP Features section and adjust settings to enable or disable VisualRF and RAPIDS. Table 9 describes these settings and default values.
Table 9: AMP Setup > General > AMP Features Fields and Default Values

| Setting | Default | Description |
|---|---|---|
| Display VisualRF | No | Enable or disable the VisualRF navigation tab. |
| Display RAPIDS | No | Enable or disable the RAPIDS navigation tab. |
| Hide setup pages from non-admin users | Yes | Restrict access to the following pages to users with the AMP Administration role only: VisualRF > Setup; AMP Setup > NMS; RAPIDS > Score Override; RAPIDS > Rules; RAPIDS > Setup; System > Triggers. |
| Allow role based report visibility | Yes | Enable or disable role-based reporting in AMP. When disabled, reports can only be generated with by-subject visibility. |

External Logging Settings
Locate the External Logging section and adjust settings to send audit and system events to an external syslog server. Table 10 describes these settings and default values. You can also send a test message using the Send Test Message button after enabling any of the logging options.
Table 10: AMP Setup > General > External Logging Section Fields and Default Values

| Setting | Default | Description |
|---|---|---|
| Syslog Server | N/A | Enter the IP address of the syslog server. Note that this field is hidden if both "Include event log messages" and "Include audit log messages" are set to No. |
| Syslog Port | 514 | Enter the port of the syslog server. Note that this field is hidden if both "Include event log messages" and "Include audit log messages" are set to No. |
| Include event log messages | No | Select Yes to send event log messages to an external syslog server. |
| Event log facility | local1 | Select the facility for the event log from the drop-down menu. This field is only available if the "Include event log messages" setting is Yes. |
| Include audit log messages | No | Select Yes to send audit log messages to an external syslog server. |
| Audit log facility | local1 | Select the facility for the audit log from the drop-down menu. This field is only available if the "Include audit log messages" setting is Yes. |
| Send Test Message | N/A | If messaging is enabled and a server and port are configured, click this button to send a test message. Upon completion, a message will appear at the top of this page indicating that the message was sent successfully. |

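
In Table 10 the event log and audit log facilities both default to local1, so a collector that routes on facility cannot separate the two streams until one of them is changed. The following is an added example, not part of the AirWave guide or product: it decodes the syslog PRI field and classifies received lines for a given pair of facility settings. The sample lines and their message text are constructed for illustration and do not reproduce AirWave's message format.

```python
"""Added example: classify received syslog lines by the facility in their PRI field."""
import re
from collections import Counter

# Facility codes 0-23 and severity codes 0-7 as defined for syslog (RFC 3164 / RFC 5424).
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) names, or None if the PRI is missing or out of range."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def classify(line, event_facility="local1", audit_facility="local1"):
    """Label one line as event, audit, ambiguous, other or malformed."""
    parsed = parse_pri(line)
    if parsed is None:
        return "malformed"
    facility, _severity = parsed
    if facility == event_facility == audit_facility:
        return "ambiguous"  # both logs share one facility and cannot be told apart
    if facility == event_facility:
        return "event"
    if facility == audit_facility:
        return "audit"
    return "other"


def summarize(lines, event_facility="local1", audit_facility="local1"):
    """Count how many lines fall into each class for the given facility settings."""
    return Counter(classify(line, event_facility, audit_facility) for line in lines)


# Constructed sample input (hypothetical host name and message text).
SAMPLES = [
    "<142>Jan  5 10:00:00 amp01 event: device AP-12 is down",             # local1.info
    "<149>Jan  5 10:00:02 amp01 audit: user admin changed a setting",     # local2.notice
    "<38>Jan  5 10:00:03 amp01 sshd[811]: session opened",                # auth.info
    "Jan  5 10:00:04 amp01 line without a PRI field",
    "<999>Jan  5 10:00:05 amp01 PRI value out of range",
]

if __name__ == "__main__":
    print("defaults (both local1):", dict(summarize(SAMPLES)))
    print("audit moved to local2: ", dict(summarize(SAMPLES, audit_facility="local2")))
```

Running the same check against the line produced by the Send Test Message button confirms that the collector sees the facility you selected.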
Historical Data Retention Settings
Locate the Historical Data Retention section and specify the number of days you want to keep client session records and rogue discovery events. Table 11 describes the settings and default values of this section. Many settings can be set to have no expiration date.
Table 11: AMP Setup > General > Historical Data Retention Fields and Default Values

| Setting | Default | Description |
|---|---|---|
| Inactive Client and VPN User Data (0-1500 days, zero disables) | 60 | Defines the number of days AirWave stores basic information about inactive clients and VPN users. A shorter setting of 60 days is recommended for customers with high user turnover such as hotels. The longer you store inactive user data, the more hard disk space you require. |
| Client Association and VPN Session History (0-550 days, zero disables) | 14 | Defines the number of days AirWave stores client and VPN session records. The longer you store client session records, the more hard disk space you require. |
| Tag History (0-550 days, zero disables) | 14 | Sets the number of days AirWave retains location history for Wi-Fi tags. |
| Rogue AP Discovery Events (14-550 days, zero disables) | 14 | Defines the number of days AirWave stores Rogue Discovery Events. The longer you store discovery event records, the more hard disk space you require. |
| Reports (0-550 days, zero disables) | 60 | Defines the number of days AirWave stores Reports. Large numbers of reports, over 1000, can cause the Reports > Generated page to be slow to respond. |
| Automatically Acknowledge Alerts (0-550 days, zero disables) | 14 | Defines automatically acknowledged alerts as the number of days AirWave retains alerts that have been automatically acknowledged. Setting this value to 0 disables this function, and alerts will never expire or be deleted from the database. |
| Acknowledged Alerts (0-550 days, zero disables) | 60 | Defines the number of days AirWave retains information about acknowledged alerts. Large numbers of Alerts, over 2000, can cause the System > Alerts page to be slow to respond. |
| Radius/ARM/IDS Events (0-550 days, zero disables) | 14 | Defines the number of days AirWave retains information about RADIUS, ARM, and IDS events. Setting this value to 0 disables this function, and the information will never expire or be deleted from the database. |
| Archived Device Configurations (0-100, zero disables) | 10 | Defines the number of configurations that will be retained for archived devices. Whether rogue information is included depends on the setting of the Archive device configs even if they only have rogue classifications setting. |
| Archive device configs even if they only have rogue classifications | No | Sets whether to archive device configurations even if the device only has rogue classifications. |
| Guest Users (0-550 days, zero disables) | 30 | Sets the number of days that AirWave is to support any guest user. A value of 0 disables this function, and guest users will never expire or be deleted from the AirWave database. |
| Inactive SSIDs (0-550 days, zero disables) | 425 | Sets the number of days AirWave retains historical information after AirWave last saw a client on a specific SSID. Setting this value to 0 disables this function, and inactive SSIDs will never expire or be deleted from the database. |
| Inactive Interfaces (0-550 days, zero disables) | 425 | Sets the number of days AirWave retains inactive interface information after the interface has been removed or deleted from the device. Setting this value to 0 disables this function, and inactive interface information will never expire or be deleted from the database. |
| Interface Status History (0-550 days, zero disables) | 425 | Sets the number of days AirWave retains historical information on interface status. Setting this value to 0 disables this function. |
| Interfering Devices (0-550 days, zero disables) | 14 | Sets the number of days AirWave retains historical information on interfering devices. Setting this value to 0 disables this function. |
| Device Events (Syslog, Traps) (1-31 days) | 2 | Sets the number of days AirWave retains historical information on device events such as syslog entries and SNMP traps. Setting this value to 0 disables this function. Refer to "Viewing Device Events" on page 249. NOTE: If your data table has more than 5 million rows, AirWave will truncate the device event retention data. In this case, the "number of days" setting becomes "number of hours." |
| Mesh Link History (0-550 days) | 30 | Sets the number of days AirWave retains historical information for mesh links. |
| Device Uptime (0-120 months, zero disables) | 60 | Sets the number of months AirWave retains historical information on device uptime. Setting this value to 0 disables this function. |
| Client Data Retention Interval (1-425 days) | 425 | Sets the number of days AirWave retains historical information for clients. |
| UCC Call History (1-30 days) | 30 | Sets the number of days that calls remain in AirWave's call history. |
| UCC Call Details (1-7 days) | 2 | Sets the number of days that AirWave retains details for individual calls. |
| Partial Config Job Retention Interval (1-31 days) | 31 | Sets the number of days AirWave retains information about partial configuration jobs. |

Firmware Upgrade Defaults
Locate the Firmware Upgrade Defaults section and adjust settings as required. This section allows you to configure the default firmware upgrade behavior for AirWave. Table 12 describes the settings and default values of this section.
Table 12: AMP Setup > General > Firmware Upgrade Defaults Fields and Default Values

| Setting | Default | Description |
|---|---|---|
| Allow firmware upgrades in monitor-only mode | No | If Yes is selected, AirWave upgrades the firmware for APs in Monitor Only mode. When AirWave upgrades the firmware in this mode, the desired configuration is not pushed to AirWave. Only the firmware is applied. The firmware upgrade may result in configuration changes. AirWave does not correct those changes when the AP is in Monitor Only mode. |
| Maximum Interleaved Jobs (1-20) | 20 | Defines the number of jobs AirWave runs at the same time. A job can include multiple APs. When jobs are started by multiple users, AirWave will interleave upgrades so that one user's job does not completely block another’s. |
| Maximum Interleaved Devices Per Job (1-1000) | 20 | Defines the number of devices that can be in the process of upgrading at the same time. Within a single job, AirWave may start the upgrade process for up to this number of devices at the same time. However, only one device will be actively downloading a firmware file at any given time. |
| Failures before stopping (0-20, zero disables) | 1 | Sets the default number of upgrade failures before AirWave pauses the upgrade process. User intervention is required to resume the upgrade process. Setting this value to 0 disables this function. |

Additional AMP Services
Locate the Additional AMP Services section, and adjust settings as required. Table 13 describes the settings and default values of this section.
Table 13: AMP Setup > General > Additional AMP Services Fields and Default Values

| Setting | Default | Description |
|---|---|---|
| Enable FTP Server | No | Enables or disables the FTP server on AirWave. The FTP server is only used to manage Aruba AirMesh and Cisco Aironet 4800 APs. Best practice is to disable the FTP server if you do not have any supported devices in the network. |
| Enable RTLS Collector | No | Enables or disables the RTLS Collector, which is used to allow ArubaOS controllers to send signed and encrypted RTLS (real time locating system) packets to VisualRF; in other words, AirWave becomes the acting RTLS server. The RTLS server IP address must be configured on each controller. This function is used for VisualRF to improve location accuracy and to locate chirping asset tags. This function is supported only for Dell Networking W-Series, Alcatel-Lucent, and Aruba Networks devices. If Yes is specified, the following additional fields appear. These configuration settings should match the settings configured on the controller: • RTLS Port—Specify the port for the AirWave RTLS server. • RTLS Username—Enter the user name used by the controller to decode RTLS messages. • RTLS Password—Enter the RTLS server password that matches the controller’s value. • Confirm RTLS Password—Re-enter the RTLS server password. |
| Use embedded Mail Server/ Mail Relay Server | Yes | Enables or disables the embedded mail server that is included with AirWave. If Yes is specified, then enter information for an optional mail relay server. This field supports a Send Test Email button for testing server functionality. Clicking this button prompts you with To and From fields in which you must enter valid email addresses. |
| Process user roaming traps from Cisco WLC | Yes | Whether AirWave should parse client association and authentication traps from Cisco WLC controllers to give real time information on users connected to the wireless network. |
| Enable AMON data collection | Yes | Allows AirWave to collect enhanced data from Aruba devices on certain firmware versions. See the Best Practices Guide on the Home > Documentation page for more details. NOTE: When enabling AMON, auditing should be set to daily and have been successful at least once to allow AirWave to calculate the proper BSSIDs per radio. If these BSSIDs do not exist, clients are dropped because they do not have any corresponding BSSIDs in the AirWave database. Auditing should be set to daily because the BSSIDs are kept in cache memory and cleared every 24 hours. |
| Enable Clarity Data Collection | Yes | Allows AirWave to collect enhanced Clarity Monitoring data from Aruba devices running ArubaOS 6.4.3 and later versions. |
| Enable AppRF Data Collection | Yes | If AMON is enabled for a controller, you can enable this flag to instruct AirWave to collect AppRF data from the controller. If this is enabled, then the Home > AppRF page will display. |
| AppRF Storage Allocated (Greater than or equal to 2 GB) | 50 | If AppRF Data Collection is enabled, specify the amount of storage to allocate. |
| Enable UCC Data Collection | Yes | Enables controllers to send UCC data to AirWave. For this feature to work, AirWave must be a management server on the controller, the AMON port is set up for UDP port 8211, and the controller profile has UCC monitoring enabled. |
| Enable UCC Calls Stitching (Heuristics) | Yes | Enables caller-to-callee call stitching for non-SDN deployments. You should turn off this option for NAT and BOC deployments. |
| Prefer AMON vs SNMP Polling | SNMP Polling | Prefer AMON is a configuration setting which causes AirWave to use an AMON feed to obtain client monitoring information from a controller rather than polling it via SNMP. When you enable this setting, values such as AP lists and rogue AP lists are still polled via SNMP, but the bulk of client monitoring information is delivered via AMON. Before enabling the Prefer AMON setting, please note the following: • Auditing needs to have been successful at least once to allow AirWave to calculate the proper BSSIDs per radio. • When Prefer AMON is enabled, the controller must be configured to send AMON to AirWave. • The network path from the controller to the AirWave server must allow traffic on UDP port 8211. • The controller routinely sends AMON in large UDP packets (up to 30K bytes). Before enabling this setting, ensure the network path from the controller to AirWave can pass such large packets intact. • This setting should only be used in a network environment with low levels of UDP packet loss, as the loss of a single Ethernet frame will potentially result in the loss of up to 30K bytes worth of data. |
| Enable Syslog and SNMP Trap Collection | Yes | This option specifies whether traps used to detect roaming events, auth failures, AP up/down status, and IDS events will still be collected if they are sent by managed devices. |
| Require SSH host key verification | No | This setting is reserved for future use. |
| Validate PAPI key | No | Security improvements in AirWave 8.2.1 and later releases allow you to specify a custom PAPI key and require PAPI key validation. If you select the Yes option, you are prompted to enter a custom PAPI key. |
| Disable TLS 1.0 and 1.1 | Yes | This option is set to Yes by default. In order for Aruba switches to automatically check in to AirWave by ZTP, you must change this option to No. If you select No, you must restart AMP. |

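
The Prefer AMON notes in Table 13 say that AMON datagrams of up to 30K bytes must cross the path intact and that losing one Ethernet frame loses the whole datagram. The following added example (not from the AirWave guide) quantifies that: it computes how many IPv4 fragments such a datagram needs and how per-frame loss turns into datagram loss. Assumptions: "30K" is taken as 30,000 bytes, IPv4 without options, a 1500-byte path MTU unless stated, and independent frame loss.

```python
"""Added example: how IP fragmentation amplifies frame loss for large AMON datagrams."""
import math

IPV4_HEADER = 20  # bytes, assuming no IP options
UDP_HEADER = 8    # bytes


def fragment_count(udp_payload, mtu=1500):
    """Number of IPv4 fragments needed to carry one UDP datagram."""
    # Every fragment except the last must carry a multiple of 8 data bytes.
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    return math.ceil((udp_payload + UDP_HEADER) / per_fragment)


def datagram_loss(frame_loss, fragments):
    """Probability that a datagram is lost because at least one fragment is lost."""
    return 1.0 - (1.0 - frame_loss) ** fragments


def max_frame_loss(target_datagram_loss, fragments):
    """Highest per-frame loss rate that keeps datagram loss at or below the target."""
    return 1.0 - (1.0 - target_datagram_loss) ** (1.0 / fragments)


def loss_table(udp_payload=30_000, mtu=1500, frame_loss_rates=(0.0001, 0.001, 0.01)):
    """Rows of (frame loss rate, fragment count, resulting datagram loss rate)."""
    fragments = fragment_count(udp_payload, mtu)
    return [(p, fragments, datagram_loss(p, fragments)) for p in frame_loss_rates]


if __name__ == "__main__":
    for p, fragments, loss in loss_table():
        print(f"frame loss {p:.2%} x {fragments} fragments -> datagram loss {loss:.2%}")
    budget = max_frame_loss(0.01, fragment_count(30_000))
    print(f"frame loss budget for 1% datagram loss: {budget:.4%}")
```

Any firewall or NAT device on the path that drops IP fragments breaks these datagrams regardless of the loss rate, so confirm fragment handling as well as the UDP 8211 rule.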
Performance Settings
Locate the Performance section. Performance tuning is unlikely to be necessary for many AirWave deployments, and likely provides the most improvements for customers with extremely large Pro or Enterprise installations. Please contact Aruba support if you think you might need to change any of these settings. Table 14 describes the settings and default values of this section.
Table 14: AMP Setup > General > Performance Fields and Default Values

| Setting | Default | Description |
|---|---|---|
| Monitoring Processes | Based on the number of cores for your server | Optional setting that configures the throughput of monitoring data. Increasing this setting allows AirWave to process more data per second, but it can take resources away from other AirWave processes. Contact Aruba support if you think you might need to increase this setting for your network. Also note that the value range varies based on the number of available process cores. |
| Maximum number of configuration processes | 5 | Increases the number of processes that are pushing configurations to your devices, as an option. The optimal setting for your network depends on the resources available, especially RAM. Contact Aruba support if you think you might need to increase this setting for your network. |
| Maximum number of audit processes | 3 | Increases the number of processes that audit configurations for your devices, as an option. The optimal setting for your network depends on the resources available, especially RAM. Contact Aruba support if you are considering increasing this setting for your network. |
| SNMP Fetcher Count (2-6) | 2 | Specify the number of SNMPv2 fetchers. |
| Verbose Logging of SNMP Configuration | No | Enables or disables logging detailed records of SNMP configuration information. |
| SNMP Rate Limiting for Monitored Devices | No | When enabled, AirWave fetches SNMP data more slowly, potentially reducing device CPU load. We recommend enabling this global setting if your network contains a majority of legacy controllers (800, 2400, 5000, or controllers that use Supervisor Module II). If your network mainly uses newer controllers (30000 Series, 600 Series, or the M3 module in the 6000 series), we strongly recommend disabling this setting. |
| Client Association Relevance Factor | 0 days (disabled) | Use this setting to hide old client information from client lists and client search results. For example, a setting of 3 limits the historical client data displayed in client lists and search results to client sessions that have been disconnected within the last three days. When this value is set to 1, client lists and search results display only the client history for the previous day. This time range can be set from 0-550 days, where a value of zero disables this feature and makes available all historical client data. A shorter time period improves search performance and allows client lists to display more rapidly, though it will also display fewer results. |
| RAPIDS Processing Priority | Low | Defines the processing and system resource priority for RAPIDS in relation to AirWave as a whole. When AirWave is processing data at or near its maximum capacity, reducing the priority of RAPIDS can ensure that processing of other data (such as client connections and bandwidth usage) is not adversely impacted. The default priority is Low. You can also tune your system performance by changing group poll periods. If you select Custom for the priority, then also specify the RAPIDS custom process limit. |
| RAPIDS custom process limit (1-16) | 1 when Custom is specified for the RAPIDS Processing Priority. | Sets the maximum number of monitoring processes assigned to RAPIDS work. Note that this option is only available if Custom is specified for the RAPIDS Processing Priority. |

Defining AirWave Network Settings
The next steps in setting up AirWave are to configure the network interface, DNS settings, NTP servers, and static
routes.
Figure 14 illustrates the contents of the AMP Setup > Network page when setting up an IPv4 interface.
Optionally, you can configure an IPv6 interface. For information, see "Primary Network Interface Settings" on
page 44.
Figure 14: Network Page
Specify the network configuration options described in the sections that follow to define the AirWave network
settings. Select Save when you have completed all changes on the AMP Setup > Network page, or select
Revert to return to the last settings. Save restarts any affected services and may temporarily disrupt your
network connection.
Primary Network Interface Settings
Locate the Primary Network Interface section. The information in this section should match what you defined during initial network configuration and should not require changes. Table 15 describes the settings and default values.
Table 15: Primary Network Interface Fields and Default Values

| Setting | Default | Description |
|---|---|---|
| IPv4 Address | None | Sets the IPv4 address of the AirWave network interface. NOTE: This address must be a static IP address. |
| Hostname | None | Sets the DNS name assigned to the AirWave server. |
| Subnet Mask | None | Sets the subnet mask for the primary network interface. |
| IPv4 Gateway | None | Sets the default gateway for the network interface. |
| IPv6 Enabled | No | By selecting Yes, you can enter an optional IPv6 address and gateway address. |
| IPv6 Address | None | Sets the IPv6 address of the AirWave network interface. |
| IPv6 Gateway | None | Sets the default gateway for the network interface. |
| Primary DNS IP | None | Sets the primary DNS IP address for the network interface. |
| Secondary DNS IP | None | Sets the secondary DNS IP address for the network interface. |

Secondary Network Interface Settings
Locate the Secondary Network Interface section. The information in this section should match what you
defined during initial network configuration and should not require changes. Table 16 describes the settings and
default values.
Table 16: Secondary Network Interface Fields and Default Values

| Setting | Default | Description |
|---|---|---|
| Enabled | No | Select Yes to enable a secondary network interface. You will be prompted to define the IP address and subnet mask. |
| IP Address | None | Specify the IP address of the AirWave secondary network. NOTE: This address must be a static IP address. AirWave supports IPv4 and IPv6 addresses. |
| Subnet Mask | None | Specify the subnet mask for the secondary network interface. |

Network Time Protocol (NTP) Settings
On the AMP Setup > Network page, locate the Network Time Protocol (NTP) section. The Network Time
Protocol is used to synchronize the time between AirWave and your network’s NTP server. NTP servers
synchronize with external reference time sources, such as satellites, radios, or modems.
Specifying NTP servers is optional. NTP servers synchronize the time on the AirWave server, not on individual
access points.
To disable NTP services, clear both the Primary and Secondary NTP server fields. Any problem related to
communication between AirWave and the NTP servers creates an entry in the event log. Table 17 describes the
settings and default values in more detail. For more information on ensuring that AirWave servers have the
correct time, please see http://support.ntp.org/bin/view/Servers/NTPPoolServers.

| Setting | Default | Description |
|---|---|---|
| Primary | ntp1.yourdomain.com | Sets the IP address or DNS name for the primary NTP server. |
| Secondary | ntp2.yourdomain.com | Sets the IP address or DNS name for the secondary NTP server. |

Static Routes
On the AMP Setup > Network page, locate the Static Routes area. This section displays network, subnet
mask, and gateway settings that you have defined elsewhere from a command-line interface.
This section does not enable you to configure new routes or remove existing routes.
What Next?
• Go to additional tabs in the AMP Setup section to continue additional setup configurations. The next section describes
AirWave roles.
• Complete the required configurations in this chapter before proceeding. Aruba support remains available to you for
any phase of AirWave configuration.
Creating AirWave Users
AirWave installs with only one user—the admin, who is authorized to perform the following functions:
• Define additional users with varying levels of privilege, be it manage read/write or monitoring.
• Limit the viewable devices as well as the level of access a user has to the devices.
Each general user that you add must have a user name, a password, and a role. Use unique and meaningful user
names as they are recorded in the log files when you or other users make changes in AirWave.
Username and password are not required if you configure AirWave to use RADIUS, TACACS, or LDAP
authentication. You do not need to add individual users to the AirWave server if you use RADIUS, TACACS, or
LDAP authentication.
The user role defines the user type, access level, and the top folder for that user. User roles are defined on the
AMP Setup > Roles page. Refer to the previous procedure in this chapter for additional information, "Creating
AirWave User Roles" on page 49.
The admin user can provide optional additional information about the user, including the user's real name, email
address, phone number, and so forth.
Perform the following steps to display, add, edit, or delete AirWave users of any privilege level. You must be an
admin user to complete these steps.
1. Go to the AMP Setup > Users page. This page displays all users currently configured in AirWave, as shown in
Figure 15.
Figure 15: AMP Setup > Users Page
2. Select Add to create a new user, select the pencil icon to edit an existing user, or select a user and select
Delete to remove that user from AirWave. When you select Add or the edit icon, the Add User page appears,
illustrated in Figure 16.
Current users cannot change their own role. The Role drop-down field is disabled to prevent this.
3. Enter or edit the settings on this page. Table 18 describes these settings in additional detail.
Table 18: AMP Setup > Users > Add/Edit User Fields and Default Values

| Setting | Default | Description |
|---|---|---|
| Username | None | Sets the user name for the user who logs in to AirWave. This user name is displayed in AirWave log files. |
| Role | None | Specifies the user’s Role, which defines the Top viewable folder as well as the type and access level of the user specified in the previous field. The admin user defines user roles on the AMP Setup > Roles page, and each user in the system is assigned to a role. |
| Password | None | Sets the password for the user being created or edited. Enter an alphanumeric string without spaces, and enter the password again in the Confirm Password field. NOTE: Because the default user's password is identical to the Name, you should change this password. You will be logged out and asked to enter your new password. |
| Name | None | Allows you to define an optional and alphanumeric text field that takes note of the user's actual name. |
| Email Address | None | Allows you to specify a specific email address that will propagate throughout many additional pages in AirWave for that user, including reports, triggers, and alerts. |
| Phone | None | Allows you to enter an optional phone number for the user. |
| Notes | None | Enables you to cite any additional notes about the user, including the reason they were granted access, the user's department, or job title. |

4. Select Add to create the new user, Save to retain changes to an existing user, or Cancel to cancel out of this
screen. The user information you have configured appears on the AMP Setup > Users page, and the user
propagates to all other AirWave pages and relevant functions.
AirWave enables user roles to be created with access to folders within multiple branches of the overall
hierarchy. This feature assists non-administrator users who support a subset of accounts or sites within a single
AirWave deployment, such as help desk or IT staff.
What Next?
• Go to additional tabs in the AMP Setup section to continue additional setup configurations.
• Complete the required configurations in this chapter before proceeding. Aruba support remains available to you for
any phase of AirWave installation.
AirWave User Roles
The AMP Setup > Roles page defines the viewable devices, the operations that can be performed on devices,
and general AirWave access. User roles can be created that provide users with access to folders within multiple
branches of the overall hierarchy. This feature assists non-administrative users, such as help desk or IT staff, who
support a subset of accounts or sites within a single AirWave deployment. You can restrict user roles to multiple
folders within the overall hierarchy even if they do not share the same top-level folder. Non-admin users are only
able to see data and users for devices within their assigned subset of folders.
User Roles and VisualRF
VisualRF uses the same user roles as defined for AirWave. Users can see floor plans that contain an AP to which
they have access in AirWave, although only visible APs appear on the floor plan. VisualRF users can also see any
building that contains a visible floor plan and any campus that contains a visible building.
In VisualRF > Setup > Server Settings, the Restrict visibility of empty floor plans to the user that
created them configuration option allows you to restrict the visibility of empty floor plans to the role of the
user who created them. By default, this setting is set to No.
When a new role is added to AirWave, VisualRF must be restarted for the new user to be enabled.
Creating AirWave User Roles
Roles define the capabilities a user has access to and the privileges and views available for device groups and
devices in AirWave. The available configuration options differ for each role type.
Most users will see two sections on this page: Role and Guest User Preferences. The Guest User Preferences section appears only if Guest User Configuration is enabled in AMP Setup > General.
If you want to create a user role, log in to AirWave as admin and follow these steps:
1. Go to AMP Setup > Roles and click Add.
2. Enter a name for the user role, select options, and click Add. For example, Figure 17 shows a role named
AppRF being created.
Figure 17: Adding a Non-Admin Role Named AppRF
3. Enter additional settings on this page.
Figure 18 shows the newly created AppRF Admin role in the Role page.
Figure 18: Newly Created AppRF Admin Role
The following tables describe the available settings and default values for each role type.
Table 19: AMP Setup > Roles > Add/Edit Roles Fields and Default Values for AMP Administrator Role

| Setting | Default | Description |
|---|---|---|
| Name | None | Sets the administrator-definable string that names the role. The role name should indicate the devices and groups that are viewable, as well as the privileges granted to that role. |
| Enabled | Yes | Disables or enables the role. Disabling a role prevents all users of that role from logging in to AirWave. |
| Type | AP/Device Manager | Defines the type of role. AirWave Administrator—The AirWave Administrator has full access to AirWave and all of the devices. Only the AirWave Administrator can create new users or access the AMP Setup page, the VisualRF > Setup page, VisualRF > Audit Log page, System > Event Log, and System > Performance. |
| Aruba Controller Role | Disabled | Enables or disables Single Sign-On for the role. If enabled, allows the role to directly access Aruba controller UIs from the Quick Links or IP Address hypertext throughout AirWave without having to enter credentials for the controller. |
| Allow user to disable timeout | No | Whether a user can disable AirWave’s timeout feature. |
| Custom Message | none | A custom message can also be included. |

Table 20: AMP Setup > Roles > Add/Edit Roles Fields and Default Values for AP/Device Manager Role
Setting | Default | Description
Name | None | Sets the administrator-definable string that names the role. The role name should indicate the devices and groups that are viewable, as well as the privileges granted to that role.
Enabled | Yes | Disables or enables the role. Disabling a role prevents all users of that role from logging in to AirWave.
Type | AP/Device Manager | Defines the type of role. AP/Device Manager—AP/Device Managers have access to a limited number of devices and groups based on the Top folder and varying levels of control based on the Access Level.
AP/Device Access Level | Monitor (Read Only) | Defines the privileges the role has over the viewable APs. AirWave supports three privilege levels, as follows:
• Manage (Read/Write)—Manage users can view and modify devices and Groups. Selecting this option causes a new field, Allow authorization of APs/Devices, to appear on the page, and is enabled by default.
• Audit (Read Only)—Audit users have read only access to the viewable devices and Groups. Audit users have access to the APs/Devices > Audit page, which may contain sensitive information including AP passwords.
• Monitor (Read Only)—Monitor users have read-only access to devices and groups and VisualRF. Monitor users cannot view the APs/Devices > Audit page, which may contain sensitive information, including passwords.
Top Folder | Top | Defines the highest viewable folder for the role. The role is able to view all devices and groups contained by the specified top folder. The top folder and its subfolders must contain all of the devices in any of the groups it can view.
NOTE: AirWave enables user roles to be created with access to folders within multiple branches of the overall hierarchy. This feature assists non-administrator users who support a subset of accounts or sites within a single AirWave deployment, such as help desk or IT staff.
User roles can be restricted to multiple folders within the overall hierarchy, even if they do not share the same top-level folder. Non-administrator users are only able to see data and users for devices within their assigned subset of folders.
Allow authorization of APs/Devices | Yes | NOTE: This option is only available when the AP/Device Access Level is specified as Manage (Read/Write).
RAPIDS | None | Sets the RAPIDS privileges, which are set separately from the APs/Devices. This field specifies the RAPIDS privileges for the role, and options are as follows:
• None—Cannot view the RAPIDS tab or any Rogue APs.
• Read Only—The user can view the RAPIDS pages but cannot make any changes to rogue APs or perform OS scans.
• Read/Write—The user may edit individual rogues, classification, threat levels and notes, and perform OS scans.
• Administrator—Has the same privileges as the Read/Write user, but can also set up RAPIDS rules, override scores and is the only user who can access the RAPIDS > Setup page.
VisualRF | Read Only | Sets the VisualRF privileges, which are set separately from the APs/Devices. Options are as follows:
• Read Only—The user can view the VisualRF pages but cannot make any changes to floor plans.
• Read/Write—The user may edit individual floor plans, buildings, and campuses.
UCC | Yes | Permits access to UCC views and tables. Monitoring and managing privileges are set at the AP/Device level.
AppRF | Yes | Permits access to AppRF views and tables. Monitoring and managing privileges are set at the AP/Device level.
Aruba Controller Role | Disabled | Enables or disables Single Sign-On for the role. If enabled, allows the role to directly access Aruba controller UIs from the Quick Links or IP Address hypertext throughout AirWave without having to enter credentials for the controller.
Display client diagnostics screens by default | No | Sets the role to support helpdesk users with parameters that are specific to the needs of helpdesk personnel supporting users on a wireless network.
Allow user to disable timeout | No | Whether a user can disable AirWave’s timeout feature.
Allow creation of Guest Users | Yes | If this option is enabled, users with an assigned role of Monitoring or Audit can be given access to guest user account creation along with the option to allow a sponsor to change its user name.
NOTE: This option is not available if the AP/Device Access Level is specified as Manage (Read/Write).
Allow accounts with no expiration | Yes | Specifies whether to allow accounts that have no expiration set. If this is set to No, then enter the amount of time that can elapse before the access expires.
Allow sponsor to change sponsorship user name | No | Specifies whether a sponsor can change the sponsorship user name.
Custom Message | none | A custom message can also be included.
Table 21: AMP Setup > Roles > Add/Edit Roles Fields and Default Values for AirWave Management Client Role
Setting | Default | Description
Name | None | Sets the administrator-definable string that names the role. The role name should indicate the devices and groups that are viewable, as well as the privileges granted to that role.
Enabled | Yes | Disables or enables the role. Disabling a role prevents all users of that role from logging in to AirWave.
Type | AP/Device Manager | Defines the type of role. AirWave Management Client—The AirWave Management Client (AMC) software allows Wi-Fi-enabled devices to serve as additional sensors to gather data for RAPIDS. Use this role type to set up a client to be treated as a user with the AMC role. The user information defined in AMC must match the user with the AirWave Management Client type.
Allow user to disable timeout | No | Whether a user can disable AirWave’s timeout feature.
Table 22: AMP Setup > Roles > Add/Edit Roles Fields and Default Values for Guest Access Sponsor Role
Setting | Default | Description
Name | None | Sets the administrator-definable string that names the role. The role name should indicate the devices and groups that are viewable, as well as the privileges granted to that role.
Enabled | Yes | Disables or enables the role. Disabling a role prevents all users of that role from logging in to AirWave.
Type | AP/Device Manager | Defines the type of role. Guest Access Sponsor—Limited-functionality role to allow helpdesk or reception desk staff to grant wireless access to temporary personnel. This role only has access to the defined top folder of APs.
Top Folder | Top | Defines the Top viewable folder for the role. The role is able to view all devices and groups contained by the Top folder. The top folder and its subfolders must contain all of the devices in any of the groups it can view.
NOTE: AirWave enables user roles to be created with access to folders within multiple branches of the overall hierarchy. This feature assists non-administrator users who support a subset of accounts or sites within a single AirWave deployment, such as help desk or IT staff.
User roles can be restricted to multiple folders within the overall hierarchy, even if they do not share the same top-level folder. Non-administrator users are only able to see data and users for devices within their assigned subset of folders.
Allow user to disable timeout | No | Whether a user can disable AirWave’s timeout feature.
Allow accounts with no expiration | Yes | Specifies whether to allow accounts that have no expiration set. If this is set to No, then enter the amount of time that can elapse before the access expires.
Allow sponsor to change sponsorship user name | No | Specifies whether a sponsor can change the sponsorship user name.
Custom Message | none | A custom message can also be included.
What Next?
• Go to additional tabs in the AMP Setup section to continue additional setup configurations. The next section
describes how to set up AirWave users.
• Complete the required configurations in this chapter before proceeding. Aruba support remains available to you for
any phase of AirWave configuration.
Configuring Login Message, TACACS+, RADIUS, and LDAP Authentication
AirWave uses session-based authentication with a configurable login message and idle timeout. As an option,
you can set AirWave to use an external user database to simplify password management for AirWave
administrators and users. This section contains the following procedures to be followed in AMP Setup > Authentication:
• "Setting Up Login Configuration Options"
• "Configuring Whitelists"
• "Setting Up Certificate Authentication"
• "Setting Up Single Sign-On"
• "Specifying the Authentication Priority"
• "Configuring RADIUS Authentication and Authorization"
• "Integrating a RADIUS Accounting Server"
• "Configuring TACACS+ Authentication"
• "Configuring LDAP Authentication and Authorization"
Setting Up Login Configuration Options
On the AMP Setup > Authentication page, administrators can optionally configure the AirWave user's idle
timeout or a message-of-the-day that appears on the AirWave login screen.
1. Go to AMP Setup > Authentication > Login Configuration.
2. Complete the fields described in Table 23:
Table 23: Login Configuration section of AMP Setup > Authentication
Field | Default | Description
Max AMP User Idle Timeout | 240 | Number of minutes of idle time until AirWave automatically ends the user session. Affects all users of this AirWave. The range is 5-240 minutes.
Login message | none | A persistent message that will appear for all of this AirWave's users after they log in.
3. Select Save when you are finished or follow the next procedure to configure Whitelists, Certificate
Authentication, Single Sign-On, TACACS+, LDAP, and RADIUS Authentication options.
Setting Up Certificate Authentication
On the AMP Setup > Authentication page, administrators can specify whether to require a certificate during
authentication and whether to use two-factor authentication. A PEM-encoded certificate bundle is required for
this feature.
This feature must be enabled per role in AMP Setup > Roles.
Perform the following steps to enable this feature for this AMP.
1. Locate the Certificate Authentication section in AMP Setup > Authentication.
2. In the Enable Certificate Authentication field, select Yes.
3. Specify whether to require a certificate in order to authenticate. If Yes, then you can also specify whether to
use two-factor authentication.
4. Enter the PEM-encoded CA certificate bundle.
5. Select Save if you are finished or follow the next procedure to specify the authentication priority.
Configuring Whitelists
On the AMP Setup > Authentication page, you can now include a list of subnets that are able to log in to
AirWave. If this option is enabled, then by default, the current client network will appear as the first entry in the
list of subnets. Additional entries can be added, one per line, in the text entry box.
For Instant devices that are managed by AirWave, this option must be enabled if Certificate Authentication is also
enabled.
Do not delete the current client network line from the AirWave whitelist. Doing so can result in the loss of access to the
AirWave user interface.
Figure 19: Enabling AirWave Whitelists
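The check below is an added example, not AirWave code: before the whitelist is saved, it parses the text box content (one subnet per line) and confirms that the address you are logged in from is still covered. The function names, the sample entries, and the reading of an entry with host bits set as its enclosing subnet are assumptions.

```python
import ipaddress

# Constructed sample of the whitelist text box: one subnet per line.
SAMPLE_WHITELIST = """\
10.20.30.0/24
192.0.2.0/28
10.51.0.0/33
0.0.0.0/0
2001:db8:10::/48
"""


def parse_whitelist(text):
    """Parse one-subnet-per-line text into (networks, problems).

    problems is a list of (line_number, entry, reason) tuples.
    """
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            problems.append((lineno, entry, "not a valid IPv4/IPv6 subnet"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            # Assumption: such an entry is read as its enclosing subnet.
            problems.append((lineno, entry, f"host bits set; read as {net}"))
        if net.prefixlen == 0:
            problems.append((lineno, entry, "matches every address"))
        networks.append(net)
    return networks, problems


def review_whitelist(text, client_ip):
    """Return (safe_to_save, findings) for a proposed whitelist.

    safe_to_save is False when no valid entry covers client_ip, which is
    the loss-of-access case the guide warns about.
    """
    networks, problems = parse_whitelist(text)
    addr = ipaddress.ip_address(client_ip)
    findings = [f"line {n}: {entry}: {why}" for n, entry, why in problems]
    covering = [net for net in networks
                if net.version == addr.version and addr in net]
    if not covering:
        findings.append(f"{addr} is not covered by any entry")
    return bool(covering), findings


if __name__ == "__main__":
    ok, notes = review_whitelist(SAMPLE_WHITELIST, "10.20.30.44")
    print("safe to save:", ok)
    for note in notes:
        print(" -", note)
```

A catch-all entry such as 0.0.0.0/0 keeps the client covered but is reported, because with it the whitelist no longer restricts anything.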
Setting Up Single Sign-On
On the AMP Setup > Authentication page, administrators can set up single sign-on (SSO) for users that have
access to AirWave controllers. This allows users to log in to AirWave and use the IP Address or Quick Links
hypertext links across AirWave to access the controller’s WebUI without having to enter credentials again. The
links the user can select to access a controller can be found on the APs/Devices > Monitor page in the Device Info section, and on device list pages.
Perform the following steps to enable this feature for this AirWave.
1. Locate the Single Sign-On section in AMP Setup > Authentication.
2. In the Enable Single Sign-On field, select Yes.
3. Select Save if you are finished or follow the next procedure to specify the authentication priority.
Specifying the Authentication Priority
To specify the authentication priority for this AirWave server, locate the Authentication Priority section in
AMP Setup > Authentication, and select either Local or Remote as the priority.
If Local is selected, then remote will be attempted if a user is not available. If Remote is selected, then the local
database is searched if remote authentication fails. The order of remote authentication is RADIUS first, followed
by TACACS, and finally LDAP.
Select Save if you are finished or follow the next procedure to configure RADIUS, TACACS+, and LDAP
Authentication options.
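The lookup order described above, modeled as an added example (this is not AirWave code): it shows which account store decides a login under each priority and lists the local accounts that shadow remote ones. The function names and sample accounts are constructed, and treating a remote failure as "no enabled method accepted the credentials" is an assumption.

```python
import hmac

REMOTE_ORDER = ("RADIUS", "TACACS+", "LDAP")  # remote order stated in the guide

# Constructed sample data: username -> (password, role).
LOCAL_USERS = {
    "backupadmin": ("local-pw-1", "Admin"),
    "jsmith": ("old-local-pw", "Admin"),
}
# Only enabled remote methods appear here; TACACS+ is not enabled.
REMOTE_USERS = {
    "RADIUS": {
        "jsmith": ("radius-pw", "Read-Only Monitoring and Auditing"),
        "akhan": ("radius-pw-2", "DormMonitoring"),
    },
    "LDAP": {"akhan": ("ldap-pw", "Admin")},
}


def _role_if_accepted(store, username, password):
    """Return the user's role when the store accepts the password, else None."""
    entry = store.get(username)
    if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
        return entry[1]
    return None


def _try_remotes(username, password, remotes):
    # Assumption: each enabled method is tried in order until one accepts.
    for method in REMOTE_ORDER:
        role = _role_if_accepted(remotes.get(method, {}), username, password)
        if role is not None:
            return method, role
    return None, None


def resolve_login(priority, username, password, local_users, remotes):
    """Return (source, role) of the store that decides the login, or (None, None)."""
    if priority not in ("Local", "Remote"):
        raise ValueError("priority must be 'Local' or 'Remote'")
    local = ("Local", _role_if_accepted(local_users, username, password))
    if priority == "Local":
        if username in local_users:
            # Found locally: the local password and role apply, no remote lookup.
            return local if local[1] is not None else (None, None)
        return _try_remotes(username, password, remotes)
    source, role = _try_remotes(username, password, remotes)
    if source is not None:
        return source, role
    return local if local[1] is not None else (None, None)


def local_accounts_to_review(local_users, remotes, backup_admin):
    """Map each local account other than the backup admin to the remote
    methods that hold the same username (the accounts it shadows)."""
    return {
        user: [m for m in REMOTE_ORDER if user in remotes.get(m, {})]
        for user in sorted(local_users) if user != backup_admin
    }


if __name__ == "__main__":
    for prio in ("Local", "Remote"):
        print(prio, resolve_login(prio, "jsmith", "old-local-pw",
                                  LOCAL_USERS, REMOTE_USERS))
    print(local_accounts_to_review(LOCAL_USERS, REMOTE_USERS, "backupadmin"))
```

In the sample, jsmith's stale local password still yields the Admin role under either priority; the guide's recommendation to keep only a backup administrator in the local database avoids this.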
Configuring RADIUS Authentication and Authorization
For RADIUS capability, you must configure the IP/Hostname of the RADIUS server, the TCP port, and the server
shared secret. Perform these steps to configure RADIUS authentication:
1. Go to the AMP Setup > Authentication page. This page displays the current status of RADIUS. Figure 20
illustrates this page.
Figure 20: AMP Setup > Authentication Page Illustration for RADIUS
2. Select No to disable or Yes to enable RADIUS authentication. If you select Yes, several new fields appear.
Complete the fields described in Table 24.
Table 24: AMP Setup > Authentication Fields and Default Values for RADIUS Authentication
Field | Default | Description
Primary Server Hostname/IP Address | N/A | Enter the IP address or the hostname of the primary RADIUS server.
Primary Server Port (1-65535) | 1812 | Enter the TCP port for the primary RADIUS server.
Primary Server Secret | N/A | Specify and confirm the primary shared secret for the primary RADIUS server.
Confirm Primary Server Secret | N/A | Re-enter the primary server secret.
Secondary Server Hostname/IP Address | N/A | Enter the IP address or the hostname of the secondary RADIUS server.
Secondary Server Port (1-65535) | 1812 | Enter the TCP port for the secondary RADIUS server.
Secondary Server Secret | N/A | Enter the shared secret for the secondary RADIUS server.
Confirm Secondary Server Secret | N/A | Re-enter the secondary server secret.
Authentication Method | PAP | Select one of the following authentication methods:
• PAP
• PEAP-MSCHAPv2
If you use the PEAP-MSCHAPv2 authentication method with the default "Read-Only Monitoring and Auditing" user role, note that the name of this role has been slightly modified in AirWave 8.2.3 to support the PEAP-MSCHAPv2 authentication method: the ampersand (&) symbol has been changed to the word and.
• Role Name in 8.2.2.x and earlier releases: Read-Only Monitoring & Auditing
• Role Name in AirWave 8.2.3: Read-Only Monitoring and Auditing
If you used the Read-Only Monitoring & Auditing user role prior to upgrading to AirWave 8.2.3 or later releases, you must modify the user role name on the RADIUS server to ensure that the user role name on the RADIUS server exactly matches the user role name in AirWave.
3. Select Save to retain these configurations, and continue with additional steps in the next procedure.
Integrating a RADIUS Accounting Server
AirWave checks the local user name and password before checking with the RADIUS server. If the user is found
locally, the local password and role apply. When using RADIUS, it’s not necessary or recommended to define
users on the AirWave server. The only recommended user is the backup admin, in case the RADIUS server goes
down.
Optionally, you can configure RADIUS server accounting on AMP Setup > RADIUS Accounting. This capability
is not required for basic AirWave operation, but can increase the user-friendliness of AirWave administration in
large networks. Figure 21 illustrates the settings of this optional configuration interface.
Perform the following steps and configurations to enable AirWave to receive accounting records from a separate
RADIUS server. Figure 21 illustrates the display of RADIUS accounting clients already configured.
1. To define the RADIUS authentication server or network, browse to the AMP Setup > RADIUS Accounting
page, select Add, and provide the information in Table 25.
Table 25: AMP Setup > Radius Accounting Fields and Default Values for LDAP Authentication
Setting | Default | Description
IP/Network | None | Specify the IP address for the authentication server if you only want to accept packets from one device. To accept packets from an entire network enter the IP/Netmask of the network (for example, 10.51.0.0/24).
Nickname | None | Sets a user-defined name for the authentication server.
Shared Secret (Confirm) | None | Sets the Shared Secret that is used to establish communication between AirWave and the RADIUS authentication server.
2. Click Add to save your settings.
Configuring TACACS+ Authentication
For TACACS+ capability, you must configure the IP/Hostname of the TACACS+ server, the TCP port, and the
server shared secret. This TACACS+ configuration is for AirWave users and does not affect APs or users logging
into APs.
1. Go to the AMP Setup > Authentication page. This page displays the current status of TACACS+. Figure 22
illustrates this page when neither TACACS+, LDAP, nor RADIUS authentication is enabled in AirWave.
Figure 22: AMP Setup > Authentication Page Illustration for TACACS+
2. Select No to disable or Yes to enable TACACS+ authentication. If you select Yes, several new fields appear.
Complete the fields described in Table 26.
Table 26: AMP Setup > Authentication Fields and Default Values for TACACS+ Authentication
Field | Default | Description
Primary Server Hostname/IP Address | N/A | Enter the IP address or the hostname of the primary TACACS+ server.
Primary Server Port (1-65535) | 49 | Enter the port for the primary TACACS+ server.
Primary Server Secret | N/A | Specify and confirm the primary shared secret for the primary TACACS+ server.
Confirm Primary Server Secret | N/A | Re-enter the primary server secret.
Secondary Server Hostname/IP Address | N/A | Enter the IP address or hostname of the secondary TACACS+ server.
Secondary Server Port (1-65535) | 49 | Enter the port for the secondary TACACS+ server.
Secondary Server Secret | N/A | Enter the shared secret for the secondary TACACS+ server.
Confirm Secondary Server Secret | N/A | Re-enter the secondary server secret.
3. Select Save and continue with additional steps.
Configuring Cisco ACS to Work with AirWave
To configure Cisco ACS to work with AirWave, you must define a new service named AMP that uses HTTPS on the
ACS server.
1. The AMP HTTPS service is added to the TACACS+ (Cisco) interface under the Interface Configuration tab.
2. Select a checkbox for a new service.
3. Enter AMP in the service column and https in the protocol column.
4. Select Save.
5. Edit the existing groups or users in TACACS to use the AMP service and define a role for the group or user.
• The role defined on the Group Setup page in ACS must match the exact name of the role defined on the
AMP Setup > Roles page.
◦ The defined role should use the format: role=<name_of_AMP_role>. For example, role=DormMonitoring.
As with routers and switches, AirWave does not need to know user names.
6. AirWave also needs to be configured as an AAA client.
• On the Network Configuration page, select Add Entry.
• Enter the IP address of AirWave as the AAA Client IP Address.
• The secret should be the same value that was entered on the AMP Setup > TACACS+ page.
7. Select TACACS+ (Cisco IOS) in the Authenticate Using drop down menu and select submit + restart.
AirWave checks the local user name and password store before checking with the TACACS+ server. If the user is
found locally, the local password and local role apply. When using TACACS+, it is not necessary or
recommended to define users on the AirWave server. The only recommended user is the backup administrator,
in the event that the TACACS+ server goes down.
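Both the RADIUS note on the renamed Read-Only Monitoring and Auditing role and step 5 above require the role name on the AAA server to match the AirWave role name exactly. The following check is an added example, not AirWave or Cisco ACS code; the group names, role lists and function names are constructed, and the near-miss rules (case, spacing, & versus and) are assumptions about common mistakes.

```python
import re

# Role names as listed on AMP Setup > Roles (constructed sample).
AIRWAVE_ROLES = ["Admin", "DormMonitoring", "Read-Only Monitoring and Auditing"]

# Per-group attribute strings as entered on the AAA server (constructed sample),
# expected in the role=<name_of_AMP_role> format.
AAA_GROUP_ATTRIBUTES = {
    "netops": "role=Admin",
    "dorm-helpdesk": "role=dormmonitoring",
    "auditors": "role=Read-Only Monitoring & Auditing",
    "contractors": "role=SiteSurvey",
    "legacy": "priv-lvl=15",
}


def _fold(name):
    """Normalise a role name so near-misses compare equal:
    '&' versus 'and', runs of whitespace, and letter case."""
    name = name.replace("&", " and ")
    return re.sub(r"\s+", " ", name).strip().casefold()


def check_role_attribute(attribute, airwave_roles):
    """Classify one attribute string against the AirWave role list.

    Returns (status, detail):
      'ok'           detail is the exactly matching role
      'near-miss'    detail is the AirWave role that was probably intended
      'unknown-role' detail is the value that matches no AirWave role
      'bad-format'   the string is not role=<name_of_AMP_role>
    """
    key, sep, value = attribute.partition("=")
    if sep != "=" or key != "role" or not value:
        return "bad-format", "expected role=<name_of_AMP_role>"
    if value in airwave_roles:
        return "ok", value
    folded = {_fold(role): role for role in airwave_roles}
    intended = folded.get(_fold(value))
    if intended is not None:
        return "near-miss", intended
    return "unknown-role", value


def audit_groups(group_attributes, airwave_roles):
    """Run check_role_attribute over every AAA group."""
    return {group: check_role_attribute(attr, airwave_roles)
            for group, attr in group_attributes.items()}


if __name__ == "__main__":
    for group, (status, detail) in audit_groups(
            AAA_GROUP_ATTRIBUTES, AIRWAVE_ROLES).items():
        print(f"{group:15} {status:13} {detail}")
```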
Configuring LDAP Authentication and Authorization
LDAP (Lightweight Directory Access Protocol) provides users with a way of accessing and maintaining distributed
directory information services over a network. When LDAP is enabled, a client can begin a session by
authenticating against an LDAP server which by default is on TCP port 389.
Perform these steps to configure LDAP authentication:
1. Go to the AMP Setup > Authentication page.
2. Select the Yes radio button to enable LDAP authentication and authorization. Once enabled, the available
LDAP configuration options will display. Figure 23 illustrates this page.
Figure 23: AMP Setup > Authentication Page Illustration for LDAP
3. Complete the fields described in Table 27.
Table 27: AMP Setup > Authentication Fields and Default Values for LDAP Authentication
Field | Default | Description
Primary Server Hostname/IP Address | none | Enter the IP address or the hostname of the primary LDAP server.
Primary Server Port (1-65535) | 389 | Enter the port where the LDAP server is listening. The default port is 389.
Secondary Server Hostname/IP Address | none | Optionally enter the IP address or hostname of the secondary LDAP server. This server will be contacted in the event that the primary LDAP server is not reachable.
Secondary Server Port (1-65535) | 389 | Enter the port where the LDAP service is listening on the secondary LDAP server. The default port is 389.
Connection Type | clear-text | Specify one of the following connection types between AirWave and the LDAP server:
• clear-text results in unencrypted communication.
• ldap-s results in communication over SSL.
• start-tls uses certificates to initiate encrypted communication.
View Server Certificate | none | If Connection Type is configured as start-tls, then also specify whether the start-tls connection type uses a certificate.
• none - The server may provide a certificate, but it will not be verified. This may mean that you are connected to the wrong server.
• optional - Verifies only when the server offers a valid certificate.
• require - The server must provide a valid certificate.
A valid LDAP Server CA Certificate must be provided in case of optional or require. Certificates uploaded on the Device Setup > Certificates page with a type of Intermediate CA or Trusted CA are listed in the drop down for LDAP Server CA Certificate.
LDAP Server CA Certificate | none | Specify the LDAP server certificate to use to initiate encrypted communication. Only certificates that have been uploaded with a type of Intermediate CA or Trusted CA will appear in this drop down.
NOTE: This LDAP Server CA Certificate drop down menu only appears if View Server Certificate is specified as optional or require.
Bind DN | none | Specify the Distinguished Name (DN) of the administrator account, such as ‘cn=admin01,cn=admin,dn=domain,dn=com’. Note that for Active Directory, the bind DN can also be in the administrator@domain format (for example, administrator@acme.com).
Bind Password | none | Specify the bind DN account password.
Confirm Bind Password | none | Re-enter the bind password.
Base DN | none | The DN of the node in your directory tree from which to start searching for records. Generally, this would be the node that contains all the users who may access AirWave, for example cn=users,dc=domain,dc=com.
Key Attribute | sAMAccountName | The LDAP attribute that identifies the user, such as ‘sAMAccountName’ for Active Directory.
Role Attribute | none | The LDAP attribute that contains the AirWave role. Users who log in to AirWave using this LDAP authentication will be granted permissions based on this role. Refer to AirWave User Roles for more information about AirWave User Roles.
Filter | (objectclass=*) | This option limits the object classes in which the key and role attributes would be searched.
Add New LDAP Rule | none | The LDAP rule parameters are Position, Role Attribute, Operation, Value, and AirWave role. If you create multiple LDAP rules, rules are processed in order based on the rule position value, so the position you assign to the LDAP rule represents the order in which the LDAP rule is applied to determine the AirWave role. LDAP rules can only be configured and applied after LDAP authentication is enabled. The LDAP rules are similar to the rules used by the controller to derive the AirWave role.
4. Select Save to retain these configurations, and continue with additional steps in the next procedure.
What Next?
• Go to additional subtabs in AMP Setup to continue additional setup configurations.
• Complete the required configurations in this chapter before proceeding. Aruba support remains available to you for any
phase of AirWave configuration.
Enabling AirWave to Manage Your Devices
Once AirWave is installed and active on the network, the next task is to define the basic settings that allow
AirWave to communicate with and manage your devices. Device-specific firmware files are often required or are
highly desirable. Furthermore, the use of Web Auth bundles is advantageous for deployment of Cisco WLC
wireless LAN controllers when they are present on the network.
This section contains the following procedures:
• "Configuring Communication Settings for Discovered Devices"
• "Loading Device Firmware Onto the AirWave Server (optional)"
Configuring Communication Settings for Discovered Devices
You can configure AirWave to communicate with your devices by defining default shared secrets and SNMP
settings.
To define the default credentials and SNMP settings:
1. On the Device Setup > Communication page, enter the default credentials for each device model on your
network. AirWave assigns default credentials to all discovered devices.
The Edit button edits the default credentials for newly discovered devices. To modify the credentials for
existing devices, use the APs/Devices > Manage page or the Modify Devices link on the APs/Devices > List page.
Community strings and shared secrets must have read-write access for AirWave to configure the devices.
Without read-write access, AirWave may be able to monitor the devices but cannot apply any configuration
changes.
2. Enter the SNMP timeout and retries settings. Table 28 lists the settings and default values.
Table 28: Device Setup > Communication > SNMP Settings Fields and Default Values
Setting | Default | Description
SNMP Timeout (3-60 sec) | 3 | Sets the time, in seconds, that AirWave waits for a response from a device after sending an SNMP request.
SNMP Retries (1-40) | 3 | Sets the number of times AirWave tries to poll a device when it does not receive a response within the SNMP Timeout Period or the Group's Missed SNMP Poll Threshold setting (1-100). If AirWave does not receive an SNMP response from the device after the specified number of retries, AirWave classifies that device as Down.
NOTE: Although the upper limit for this value is 40, some SNMP libraries still have a hard limit of 20 retries. In these cases, any retry value that is set above 20 will still stop at 20.
3. Click Add and enter the following information:
• Username - User name of the SNMP v3 user as configured on the controller.
• Auth Protocol - MD5 or SHA. The default setting is SHA.
• Auth and Priv Protocol Passphrases - Authentication and privilege protocol passphrases for the user,
as configured on the controller.
• Priv Protocol - DES or AES. The default setting is DES.
The SNMP Inform receiver will restart when users are changed or added to the controller.
4. Enter or adjust the default value for the Telnet/SSH timeout. Table 29 shows the setting and default value.
Table 29: Device Setup > Communication > Telnet/SSH Settings Fields and Default Values
Setting | Default | Description
Telnet/SSH Timeout (3-120 sec) | 10 | Sets the timeout period in seconds used when performing Telnet and SSH commands.
5. Locate the HTTP Discovery Settings section and adjust the default value. Table 30 shows the setting and
default value.
Table 30: Device Setup > Communication > HTTP Discovery Settings Fields and Default Values
Setting | Default | Description
HTTP Timeout (3-120 sec) | 5 | Sets the timeout period in seconds used when running an HTTP discovery scan.
6. Locate the ICMP Settings section and adjust the default value as required. Table 31 shows the setting and
default value.
Table 31: Device Setup > Communication > ICMP Settings Fields and Default Values
Setting | Default | Description
Attempt to ping devices that were unreachable via SNMP | Yes |
• When Yes is selected, AirWave attempts to ping the AP device.
• Select No if this function degrades performance. If a large number of APs are unreachable by ICMP, which is likely where there are more than 100 APs, the timeouts start to impede network performance.
NOTE: If ICMP is disabled on the network, select No to avoid the performance penalty caused by numerous ping requests.
7. Locate the Symbol 4131 and Cisco Aironet IOS SNMP Initialization area. Select one of the options listed.
Table 32 describes the settings and default values.
Table 32: Device Setup > Communication > Symbol 4131 and Cisco Aironet IOS SNMP Initialization Fields and Default Values
Setting | Default | Description
Do Not Modify SNMP Settings | Yes | When selected, specifies that AirWave will not modify any SNMP settings. If SNMP is not already initialized on the Symbol, Nomadix, and Cisco IOS APs, AirWave is not able to manage them.
Enable read-write SNMP | No | When selected, and when on networks where the Symbol, Nomadix, and Cisco IOS APs do not have SNMP initialized, this setting enables SNMP so the devices can be managed by AirWave.
Loading Device Firmware Onto the AirWave Server (optional)
AirWave enables automated firmware distribution to the devices on your network. Once you have downloaded
the firmware files from the vendor, you can upload this firmware to AirWave for distribution to devices via the
Device Setup > Upload Firmware & Files page.
For more information about specifying firmware versions for devices in a group, see "Specifying Minimum
Firmware Versions for Devices in a Group".
This page lists all firmware files on AirWave with file information. This page also enables you to add new firmware
files, to delete firmware files, and to add New Web Auth Bundle files.
The following additional pages support firmware file information:
l Firmware files uploaded to AirWave appear as an option in the drop-down menu on the Groups > Firmware page
and as a label on individual APs/Devices > Manage pages.
l Use the AMP Setup page to configure AirWave-wide default firmware options.
Table 33 below itemizes the contents, settings, and default values for the Upload Firmware & Files page.
| Setting | Default | Description |
|---|---|---|
| Owner Role | None | Displays the user role that uploaded the firmware file. This is the role that has access to the file when an upgrade is attempted. |
| Description | None | Displays a user-configurable text description of the firmware file. |
| Server Protocol | None | Displays the file transfer protocol by which the firmware file was obtained from the server. This can be FTP, TFTP, HTTP, HTTPS, or SCP. |
| Use Group File Server | None | If enabled, displays the name of the file server supporting the group. |
| Firmware Filename | None | Displays the name of the file that was uploaded to AirWave and to be transferred to an AP when the file is used in an upgrade. |
| Firmware MD5 Checksum | None | Displays the MD5 checksum of the file after it was uploaded to AirWave. The MD5 checksum is used to verify that the file was uploaded to AirWave without issue. The checksum should match the checksum of the file before it was uploaded. |
| Firmware File Size | None | Displays the size of the firmware file in bytes. |
| Firmware Version | None | Displays the firmware version number. This is a user-configurable field. |
| HTML Filename | None | Supporting HTML, displays the name of the file that was uploaded to AirWave and to be transferred to an AP when the file is used in an upgrade. |
| HTML MD5 Checksum | None | Supporting HTML, displays the MD5 checksum of the file after it was uploaded to AirWave. The MD5 checksum is used to verify that the file was uploaded to AirWave without issue. The checksum should match the checksum of the file before it was uploaded. |
| HTML File Size | None | Supporting HTML, displays the size of the file in bytes. |
| HTML Version | None | Supporting HTML, displays the version of HTML used for file transfer. |
| Desired Firmware File for Specified Groups | None | The firmware file is set as the desired firmware version on the Groups > Firmware Files page of the specified groups. You cannot delete a firmware file that is set as the desired firmware version for a group. |
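The comparison that the Firmware MD5 Checksum and Firmware File Size fields support, as an added example that is not part of the AirWave guide or product: hash the local file before upload, then compare it with the values displayed afterwards. The sample file is constructed, and the SHA-256 value is an assumption for comparison with a vendor-published hash where one exists, because MD5 detects transfer errors but is not collision-resistant.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large images are not read into memory at once


def file_digests(path):
    """Return (size_in_bytes, md5_hex, sha256_hex) for the file at path."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def normalize(hex_text):
    """Lower-case and drop separators so a value copied from a web page compares cleanly."""
    return "".join(c for c in hex_text.lower() if c in "0123456789abcdef")


def verify_upload(path, displayed_md5, displayed_size):
    """Compare a local file with the Firmware MD5 Checksum and Firmware File Size
    values shown after upload. Returns a list of problems; empty means they match."""
    size, md5_hex, _ = file_digests(path)
    problems = []
    shown = normalize(displayed_md5)
    if len(shown) != 32:
        problems.append("displayed checksum is not a 32-digit MD5 value")
    elif not hmac.compare_digest(shown, md5_hex):
        problems.append("MD5 differs: local %s, displayed %s" % (md5_hex, shown))
    if size != displayed_size:
        problems.append("size differs: local %d bytes, displayed %d bytes"
                        % (size, displayed_size))
    return problems


def write_sample(data):
    """Write constructed bytes to a temporary file standing in for a firmware image."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    image = write_sample(b"constructed firmware image, not a real release\n" * 1000)
    size, md5_hex, sha256_hex = file_digests(image)
    print("before upload:", size, md5_hex, sha256_hex)
    # Values as they would be read off the Upload Firmware & Files page;
    # the size here simulates a truncated upload.
    print(verify_upload(image, md5_hex.upper(), size - 512))
    os.remove(image)
```

An empty list from verify_upload means the displayed checksum and size match the local file; any entry is a reason to delete the uploaded file and upload it again before it is distributed.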
Loading Firmware Files onto AirWave
Perform the following steps to load a device firmware file onto AirWave:
1. Go to the Device Setup > Upload Firmware & Files page.
2. Select Add by the New Firmware File option. The Add Firmware File page appears. Figure 24 illustrates this
page.
3. Select the Supported Firmware Versions and Features link to view supported firmware versions.
Unsupported and untested firmware may cause device mismatches and other problems. Please contact Aruba
support before installing non-certified firmware.
4. Enter the appropriate information and select Add. The file uploads to AirWave and once complete, this file
appears on the Device Setup > Upload Firmware & Files page. This file also appears on additional pages
that display firmware files (such as the Group > Firmware page and on individual APs/Devices > Manage
pages).
5. You can also import a CSV list of groups and their external TFTP firmware servers. Table 34 itemizes the
settings of this page.
Table 34: Supported Firmware Versions and Features Fields and Default Values
| Setting | Default | Description |
|---|---|---|
| Type | Aruba Networks controller | Indicates the firmware file is used with the specified type. With selection of some types, particularly Cisco controllers, you can specify the boot software version. |
| Firmware Version | None | Provides a user-configurable field to specify the firmware version number. This option appears if Use an external firmware file server is enabled. |
| Description | None | Provides a user-configurable text description of the firmware file. |
| Upload firmware files (and use built-in firmware) | Enabled | Allows you to select a firmware from your local machine and upload it via TFTP or FTP. |
| Use an external firmware file server | N/A | You can also choose to assign the external TFTP server on a per-group basis. If you select this option, you must enter the IP address on the Groups > Firmware page. Complete the Firmware File Server IP Address field. |
| Server Protocol | TFTP | Specify whether to use a built-in TFTP server or FTP, HTTP, or HTTPS to upload a firmware file. TFTP is recommended. If you select FTP, AirWave uses an anonymous user for file upload. |
| Use Group File Server | Disabled | If you opt to use an external firmware file server, this additional option appears. This setting instructs AirWave to use the server that is associated with the group instead of defining a server. |
| Firmware File Server IP Address | None | Provides the IP address of the External TFTP Server (like SolarWinds) used for the firmware upgrade. This option displays when the user selects the Use an external firmware file option. |
| Firmware Filename | None | Enter the name of the firmware file that needs to be uploaded. Ensure that the firmware file is in the TFTP root directory. If you are using a non-external server, you select Choose File to find your local copy of the file. |
| HTML Filename | None | Browse to the HTML file that will accompany the firmware upload. Note that this field is only available for certain Firmware File Types (for example, Symbol 4121). |
| Patch Filename | None | If you selected Symbol WS5100 as the Firmware File Type, and you are upgrading from version 3.0 to 3.1, then browse to the path where the patch file is located. |
| Boot Software Version | None | If you specified a Cisco WLC device as the Firmware File Type, then also enter the boot software version. |
Additional fields may appear for multiple device types. AirWave prompts you for additional firmware
information as required. For example, Intel and Symbol distribute their firmware in two separate files: an image
file and an HTML file. Both files must be uploaded to AirWave for the firmware to be distributed successfully
via AirWave.
6. Select Add to import the firmware file.
To delete a firmware file that has already been uploaded to AirWave, return to the Device Setup > Upload Firmware & Files page, select the checkbox for the firmware file and select Delete.
A firmware file may not be deleted if it is the desired version for a group. Use the Group > Firmware page to
investigate this potential setting and status.
Using Web Auth Bundles in AirWave
Web authentication bundles are configuration files that support Cisco WLC wireless LAN controllers. This
procedure requires that you have local or network access to a Web Auth configuration file for Cisco WLC devices.
Perform these steps to add or edit Web Auth bundles in AirWave.
1. Go to the Device Setup > Upload Firmware & Files page.
2. Click Add by the New Web Auth Bundle option. This page displays any existing Web Auth bundles that are
currently configured in AirWave, and allows you to add or delete Web Auth bundles.
3. Select Add to create a new Web Auth bundle (see Figure 25), or select the pencil icon next to an existing
bundle to edit. You may also delete Web Auth bundles by selecting that bundle with the checkbox, and
selecting Delete.
Figure 25: Add Web Auth Bundle Page Illustration
4. Enter a descriptive label in the description field. This is the label used to identify and track Web Auth bundles
on the page.
5. Enter the path and filename of the Web Auth configuration file in the Web Auth Bundle field or select
Choose File to locate the file.
6. Select Add to complete the Web Auth bundle creation, or Save if replacing a previous Web Auth configuration
file, or Cancel to abort the Web Auth integration.
For additional information and a case study that illustrates the use of Web Auth bundles with Cisco WLC
controllers, refer to the following document on Cisco’s Web site:
l Wireless LAN controller Web Authentication Configuration Example, Document ID: 69340
On the AMP Setup > Device Type Setup page, you can define how the device types displayed for users on
your network are calculated from available data. The first matching property is used. These rules cannot be edited
or deleted, but only reordered or enabled.
You can change the priority order of rules by clicking on a row and dragging and dropping it into a new location,
as shown in Figure 26.
Select the checkbox under the Enabled column to turn on device setup rules.
Refer to "Monitoring Wired and Wireless Clients" on page 174 for more information on the Device Type column
that appears in Clients list tables.
Figure 26: AMP Setup > Device Type Setup Page Illustration
Configuring Cisco WLSE and WLSE Rogue Scanning
The Cisco Wireless LAN Solution Engine (WLSE) includes rogue scanning functions that AirWave supports. This
section contains the following topics and procedures, and several of these sections have additional subprocedures:
l "Introduction to Cisco WLSE" on page 70
l "Initial WLSE Configuration" on page 71
l "Configuring IOS APs for WDS Participation" on page 72
l "Configuring ACS for WDS Authentication" on page 73
l "Configuring Cisco WLSE Rogue Scanning" on page 74
You must enter one or more CiscoWorks WLSE hosts to be polled for discovery of Cisco devices and rogue AP
information.
Introduction to Cisco WLSE
Cisco WLSE functions as an integral part of the Cisco Structured Wireless-Aware Network (SWAN) architecture,
which includes IOS Access Points, a Wireless Domain Service, an Access Control Server, and a WLSE. In order for
AirWave to obtain Rogue AP information from the WLSE, all SWAN components must be properly configured.
Table 35 describes these components.
Table 35: Cisco SWAN Architecture Components
| SWAN Component | Requirements |
|---|---|
| WDS (Wireless Domain Services) | WDS Name; Primary and backup IP address for WDS devices (IOS AP or WLSM); WDS Credentials APs within WDS Group. NOTE: WDS can be either a WLSM or an IOS AP. WLSM (WDS) can control up to 250 access points. AP (WDS) can control up to 30 access points. |
Use the following general procedures to configure and deploy a WLSE device in AirWave:
l "Adding an ACS Server for WLSE" on page 71
l "Enabling Rogue Alerts for Cisco WLSE" on page 71
l "Configuring WLSE to Communicate with APs" on page 71
l "Discovering Devices" on page 72
l "Managing Devices" on page 72
l "Inventory Reporting" on page 72
l "Defining Access" on page 72
l "Grouping" on page 72
Adding an ACS Server for WLSE
1. Go to the Devices > Discover > AAA Server page.
2. Select New from the drop-down list.
3. Enter the server name, server port (default 2002), user name, password, and a secret.
4. Select Save.
Enabling Rogue Alerts for Cisco WLSE
1. Go to the Faults > Network Wide Settings > Rogue AP Detection page.
2. Select the Enable.
3. Select Apply.
Additional information about rogue device detection is available in "Configuring Cisco WLSE Rogue Scanning" on
page 74.
Configuring WLSE to Communicate with APs
1. Go to the Device Setup > Discover page.
2. Configure SNMP Information.
3. Configure HTTP Information.
4. Configure Telnet/SSH Credentials.
5. Configure HTTP ports for IOS access points.
6. Configure WLCCP credentials.
7. Configure AAA information.
Discovering Devices
The following three methods can be used to discover access points within WLSE:
l Using Cisco Discovery Protocol (CDP)
l Importing from a file
l Importing from CiscoWorks
Perform these steps to discover access points.
1. Go to the Device > Managed Devices > Discovery Wizard page.
2. Import devices from a file.
3. Import devices from Cisco Works.
4. Import using CDP.
Managing Devices
Prior to enabling radio resource management on IOS access points, the access points must be under WLSE
management.
AirWave becomes the primary management/monitoring vehicle for IOS access points, but for AirWave to gather
Rogue information, the WLSE must be an NMS manager to the APs.
Use these pages to make such configurations:
1. Go to Device > Discover > Advanced Options.
2. Select the method to bring APs into management: Auto, or specify via filter.
Inventory Reporting
When new devices are managed, the WLSE generates an inventory report detailing the new APs. AirWave
accesses the inventory report via the SOAP API to auto-discover access points. This is an optional step to enable
another form of AP discovery in addition to AirWave, CDP, SNMP scanning, and HTTP scanning discovery for
Cisco IOS access points. Perform these steps for inventory reporting.
1. Go to Devices > Inventory > Run Inventory.
2. Run Inventory executes immediately between WLSE polling cycles.
Defining Access
AirWave requires System Admin access to WLSE. Use these pages to make these configurations.
1. Go to Administration > User Admin.
2. Configure Role and User.
Grouping
It’s much easier to generate reports or faults if APs are grouped in WLSE. Use these pages to make such
configurations.
1. Go to Devices > Group Management.
2. Configure Role and User.
Configuring IOS APs for WDS Participation
IOS APs (1100, 1200) can function in three roles within SWAN:
l Primary WDS
l Backup WDS
l WDS Member
AirWave monitors the AP WDS role and displays this information on the AP Monitoring page.
APs functioning as WDS Master or Primary WDS will no longer show up as Down if the radios are enabled.
WDS Participation
Perform these steps to configure WDS participation.
1. Log in to the AP.
2. Go to the Wireless Services > AP page.
3. Select Enable participation in SWAN Infrastructure.
4. Select Specified Discovery, and enter the IP address of the Primary WDS device (AP or WLSM).
5. Enter the user name and password for the WLSE server.
Primary or Secondary WDS
Perform these steps to configure primary or secondary functions for WDS.
1. Go to the Wireless Services > WDS > General Setup page.
2. If the AP is the Primary or Backup WDS, select Use the AP as Wireless Domain Services.
n Select Priority (set 200 for Primary, 100 for Secondary).
n Configure the Wireless Network Manager (configure the IP address of WLSE).
3. If the AP is Member Only, leave all options unchecked.
4. Go to the Security > Server Manager page.
5. Enter the IP address and Shared Secret for the ACS server and select Apply.
6. Go to the Wireless Services > WDS > Server Group page.
7. Enter the WDS Group of the AP.
8. Select the ACS server in the Priority 1 drop-down menu and select Apply.
Configuring ACS for WDS Authentication
ACS authenticates all components of the WDS and must be configured first. Perform these steps to make this
configuration.
1. Log in to the ACS.
2. Go to the System Configuration > ACS Certificate Setup page.
3. Install a New Certificate by selecting the Install New Certificate button, or skip to the next step if the
certificate was previously installed.
4. Select User Setup in the left frame.
5. Enter the user name that will be used to authenticate into the WDS and select Add/Edit.
6. Enter the password that will be used to authenticate into the WDS and select Submit.
7. Go to the Network Configuration > Add AAA Client page.
8. Add the host name and IP address associated with the AP and the key.
9. Enter the password that will be used to authenticate into the WDS and select Submit.
For additional and more general information about ACS, refer to "Configuring ACS Servers" on page 75.
Configuring Cisco WLSE Rogue Scanning
The AMP Setup > WLSE page allows AirWave to integrate with the Cisco Wireless LAN Solution Engine (WLSE).
AirWave can discover APs and gather rogue scanning data from the Cisco WLSE.
Perform the following steps for optional configuration of AirWave for support of Cisco WLSE rogue scanning.
1. To add a Cisco WLSE server to AirWave, navigate to the AMP Setup > WLSE page and select Add. Complete
the fields in this page. Table 36 describes the settings and default values.
Table 36: AMP Setup > WLSE Fields and Default Values
| Setting | Default | Description |
|---|---|---|
| Hostname/IP Address | None | Designates the IP address or DNS Hostname for the WLSE server, which must already be configured on the Cisco WLSE server. |
| Protocol | HTTP | Specify whether to use HTTP or HTTPS when polling the WLSE. |
| Port | 1741 | Defines the port AirWave uses to communicate with the WLSE server. |
| Username | None | Defines the user name AirWave uses to communicate with the WLSE server. The user name and password must be configured the same way on the WLSE server and on AirWave. The user needs permission to display faults to discover rogues and inventory API (XML API) to discover manageable APs. As derived from a Cisco limitation, only credentials with alphanumeric characters (that have only letters and numbers, not other symbols) allow AirWave to pull the necessary XML APIs. |
| Password | None | Defines the password AirWave uses to communicate with the WLSE server. The user name and password must be configured the same way on the WLSE server and on AirWave. As derived from a Cisco limitation, only credentials with alphanumeric characters (that have only letters and numbers, not other symbols) allow AirWave to pull the necessary XML APIs. |
| Poll for AP Discovery; Poll for Rogue Discovery | Yes | Sets the method by which AirWave uses WLSE to poll for discovery of new APs and/or new rogue devices on the network. |
| Polling Period | 10 minutes | Determines how frequently AirWave polls WLSE to gather rogue scanning data. |
2. After you have completed all fields, select Save. AirWave is now configured to gather rogue information from
WLSE rogue scans. As a result of this configuration, any rogues found by WLSE appear on the RAPIDS > List
page.
What Next?
l Go to additional tabs in the AMP Setup section to continue additional setup configurations.
l Complete the required configurations in this chapter before proceeding. Aruba support remains available to you for
any phase of AirWave installation.
Configuring ACS Servers
This is an optional configuration. The AMP Setup > ACS page allows AirWave to poll one or more Cisco ACS
servers for wireless user name information. When you specify an ACS server, AirWave gathers information about
your wireless users. Refer to "Setting Up Device Types" on page 69 if you want to use your ACS server to manage
your AirWave users.
Perform these steps to configure ACS servers:
1. Go to the AMP Setup > ACS page. This page displays current ACS setup, as illustrated in Figure 27.
Figure 27: AMP Setup > ACS Page Illustration
2. Select Add to create a new ACS server, or select a pencil icon to edit an existing server. To delete an ACS server,
select that server and select Delete. When selecting Add or Edit, the Details page appears.
3. Complete the settings on AMP Setup > ACS > Add/Edit Details. Table 37 describes these fields:
| Setting | Default | Description |
|---|---|---|
| IP/Hostname | None | Sets the DNS name or the IP address of the ACS Server. |
| Protocol | HTTP | Launches a drop-down menu specifying the protocol AirWave uses when it polls the ACS server. |
| Port | 2002 | Sets the port through which AirWave communicates with the ACS. AirWave generally communicates over port 2002. |
| Username | None | Sets the user name of the account AirWave uses to poll the ACS server. |
| Password | None | Sets the password of the account AirWave uses to poll the ACS server. |
| Polling Period | 10 min | Launches a drop-down menu that specifies how frequently AirWave polls the ACS server for user name information. |
4. Select Add to finish creating the new ACS server, or Save to finish editing an existing ACS server.
5. The ACS server must have logging enabled for passed authentications. Enable the Log to CSV Passed Authentications report option, as follows:
n Log in to the ACS server, select System Configuration, then in the Select frame, select Logging.
n Under Enable Logging, select CSV Passed Authentications. The default logging options include the
two columns AirWave requires: User-Name and Caller-ID.
What Next?
l Go to additional tabs in the AMP Setup section to continue additional setup configurations.
l Complete the required configurations in this chapter before proceeding. Aruba support remains available to you for
any phase of AirWave installation.
Integrating NMS Servers
You can integrate AirWave with Network Management System (NMS) servers. Doing so enables AirWave to
forward SNMP traps to the NMS.
Add an NMS Server
AirWave communicates with the NMS server using the SNMPv1, SNMPv2c, or SNMPv3 protocol over Port 162.
To integrate an NMS server with AirWave:
1. Go to AMP Setup > NMS, then click Add.
2. Enter the NMS server hostname or IP address.
3. Use the default port, or you can enter a new port number.
4. Select the SNMP version:
n SNMPv1 or SNMPv2c, then enter the community string and confirm the string.
n SNMPv3, then enter the advanced security options (authentication and privacy protocols and
passphrases).
5. Click Add.
Download the MIB Files
The necessary AMP MIB files are available to download from the AMP Setup > NMS page.
AirWave provides integration with HP ProCurve Manager (PCM). For help loading the integration files, navigate
to AMP Setup > NMS, then click the HP ProCurve Manager Integration link.
PCI Compliance Monitoring
AirWave provides compliance monitoring tools that can help your organization be prepared for a PCI Data
Security Standard (DSS) audit. With use of AirWave, your organization can monitor firewalls, network devices,
and other services to show PCI compliance.
Check Compliance
The PCI compliance report displays which requirements AirWave monitors, provides links to device management
pages, and displays any actions required to resolve compliance failures. In addition to displaying pass or fail
status, AirWave provides diagnostic information and recommends actions required to achieve Pass status when
sufficient information is available.
Figure 28: PCI Compliance Report Example
You can find the PCI compliance report for a device by navigating to APs/Devices > List, hovering the pointer
over a device, and clicking Compliance from the shortcut menu, as shown in . If you created a PCI compliance
report from the Reports Definition page, AirWave displays the report on the Generated Reports page when
it is available. For information, see "Reports > Generated Page Overview" on page 327.
You can schedule, view, and re-run custom PCI compliance reports. For information about working with reports,
see "Creating, Running, and Sending Reports" on page 294.
Enabling PCI Compliance Monitoring
When you enable PCI compliance monitoring, AirWave displays real-time information and generates PCI
compliance reports that can be used to verify whether a merchant is compliant with a PCI requirement.
For information security standards, refer to the PCI Quick Reference Guide, accessible online from the PCI
Security Council Document Library or see "Supported PCI Requirements" on page 78.
To enable PCI auditing:
1. Navigate to the AMP Setup > PCI Compliance page.
2. Find the PCI requirement that you want to monitor.
3. Click to open the Default Credential Compliance page. The compliance settings vary depending on the
PCI requirement.
4. Select Save.
5. To view and monitor PCI auditing on the network, use generated or daily reports. See "Creating, Running, and
Sending Reports" on page 294. In addition, you can view the real-time PCI auditing of any given device online.
Perform these steps:
a. Go to the APs/Devices > List page.
b. Select a specific device. The Monitor page for that device displays. The APs/Devices page also displays a
Compliance subtab in the menu bar.
c. Select Compliance to view complete PCI compliance auditing for that specific device.
Supported PCI Requirements
AirWave currently supports the PCI 3.0 requirements described in Table 38. When the requirements are
disabled, AirWave does not check for PCI compliance or report on status.
AirWave users without RAPIDS visibility will not see the 11.1 PCI requirements in the PCI compliance report.
Table 38: PCI Requirements
| Requirement | Description |
|---|---|
| 1.1 | Establishes firewall and router configuration standards. A device fails if there are mismatches between the desired configuration and the configuration on the device. |
| 1.2.3 | Monitors firewall installation between any wireless networks and the cardholder data environment. A device fails if the firewall is not stateful. |
| 2.1 | Changes vendor-supplied default passwords before a device connects to the cardholder data environment or transmits data in the network. A device fails if the user name, passwords or SNMP credentials used by AirWave are on the list of forbidden default credentials. The list includes common vendor default passwords. |
| 2.1.1 | Changes vendor-supplied defaults for wireless environments. A device fails if the passwords, SSIDs, or other security-related settings are on a list of forbidden values that AirWave establishes and tracks. The list includes common vendor default passwords. The user can input new values to achieve compliance. |
| 4.1.1 | Uses strong encryption in wireless networks before sending payment cardholder data across open public networks. A device fails if the desired or actual configuration reflect that WEP is enabled on the network, or if associated users can connect with WEP. |
| 11.1 | Uses RAPIDS to identify unauthorized devices. A device fails when a rogue device is detected and unacknowledged, or when there are no rogues discovered in the last three months. |
| 11.4 | Uses intrusion-detection or intrusion-prevention systems to monitor traffic. Recent IDS events are summarized in the PCI compliance report or the IDS report. |
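The pass/fail rules of Table 38 applied to a constructed device record, as an added example that is not AirWave's code. The Device fields, the forbidden-value lists, the sample device and the 90-day window standing in for "three months" are all assumptions; requirement 11.4 is left out because the table gives it no failure condition.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-ins; the forbidden-value lists AirWave tracks are not shown in this guide.
FORBIDDEN_CREDENTIALS = {"admin", "password", "public", "private"}
FORBIDDEN_WIRELESS = {"default", "linksys", "tsunami"} | FORBIDDEN_CREDENTIALS
ROGUE_WINDOW = timedelta(days=90)  # assumption: "three months" taken as 90 days


@dataclass
class Device:
    """Hypothetical record of what the management server knows about one device."""
    name: str
    desired: dict             # configuration the group policy calls for
    actual: dict              # configuration read back from the device
    firewall_stateful: bool
    credentials: dict         # user name, password, SNMP community used to manage it
    wep_clients: int = 0      # associated users currently connected with WEP
    rogues: list = field(default_factory=list)  # (detected_at, acknowledged) tuples


def check_1_1(dev, now):
    keys = set(dev.desired) | set(dev.actual)
    diff = sorted(k for k in keys if dev.desired.get(k) != dev.actual.get(k))
    return "configuration mismatch: " + ", ".join(diff) if diff else None


def check_1_2_3(dev, now):
    return None if dev.firewall_stateful else "firewall is not stateful"


def check_2_1(dev, now):
    # Report the field name only, never the credential value itself.
    bad = sorted(k for k, v in dev.credentials.items()
                 if str(v).lower() in FORBIDDEN_CREDENTIALS)
    return "default credential in use: " + ", ".join(bad) if bad else None


def check_2_1_1(dev, now):
    bad = sorted(k for k in ("ssid", "psk")
                 if str(dev.actual.get(k, "")).lower() in FORBIDDEN_WIRELESS)
    return "default wireless setting: " + ", ".join(bad) if bad else None


def check_4_1_1(dev, now):
    if "wep" in (dev.desired.get("encryption"), dev.actual.get("encryption")):
        return "WEP enabled in desired or actual configuration"
    if dev.wep_clients:
        return "%d associated user(s) connected with WEP" % dev.wep_clients
    return None


def check_11_1(dev, now):
    if any(not acknowledged for _, acknowledged in dev.rogues):
        return "rogue detected and unacknowledged"
    # Table 38 also fails a device when nothing was discovered inside the window.
    if not any(now - seen <= ROGUE_WINDOW for seen, _ in dev.rogues):
        return "no rogues discovered in the last three months"
    return None


CHECKS = {"1.1": check_1_1, "1.2.3": check_1_2_3, "2.1": check_2_1,
          "2.1.1": check_2_1_1, "4.1.1": check_4_1_1, "11.1": check_11_1}


def evaluate(dev, now, enabled=None, rapids_visible=True):
    """Return {requirement: "Pass" or "Fail: reason"} for the enabled requirements."""
    enabled = set(CHECKS) if enabled is None else set(enabled)
    report = {}
    for req, check in CHECKS.items():
        if req not in enabled:
            continue  # disabled requirements are neither checked nor reported
        if req == "11.1" and not rapids_visible:
            continue  # users without RAPIDS visibility do not see 11.1
        reason = check(dev, now)
        report[req] = "Pass" if reason is None else "Fail: " + reason
    return report


# Constructed sample device and evaluation date.
NOW = datetime(2016, 6, 1)
SAMPLE = Device(
    name="ap-lobby-01",
    desired={"ssid": "corp-guest", "encryption": "wpa2", "channel": 6},
    actual={"ssid": "corp-guest", "encryption": "wpa2", "channel": 11},
    firewall_stateful=True,
    credentials={"username": "netops", "password": "S7r0ngPass", "snmp_community": "public"},
    rogues=[(datetime(2016, 1, 10), True)],
)

if __name__ == "__main__":
    for requirement, status in evaluate(SAMPLE, NOW).items():
        print(requirement, status)
```

The sample device fails 1.1 on the channel mismatch, 2.1 on the default SNMP community, and 11.1 because its only rogue detection is older than the window.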
Deploying WMS Offload
The Wireless LAN Management Server (WMS) feature is an enterprise-level hardware device and server
architecture with managing software for security and network policy.
WMS components include:
l Air monitor. This operating mode provides wireless IDS, rogue detection and containment.
l WMS server. This server manages devices and network activity, such as rogue detection and network policy
enforcement.
l AirWave WebUI. This graphical user interface (GUI) provides access to the WMS offload feature.
Refer to the Aruba and AirWave 8.2.4 Best Practices Guide for additional information, including detailed concepts,
configuration procedures, restrictions, ArubaOS infrastructure, and AirWave version differences in support of
WMS Offload.
WMS Offload Configuration
WMS offload places the burden of the WMS server data and GUI functions on AirWave. WMS master controllers
provide this data so that AirWave can support rigorous network monitoring capabilities.
WMS Offload is supported with ArubaOS Version 2.5.4 or later and AirWave Version 6.0 or later.
Follow these steps to configure WMS offload:
1. Configure WLAN switches for optimal AirWave monitoring:
a. Disable debugging.
b. Ensure the AirWave server is a trap receiver host.
c. Ensure proper traps are enabled.
2. Configure AirWave to optimally monitor the AirWave infrastructure:
a. Enable WMS offload on the AMP Setup > General page.
b. Configure SNMP communication.
c. Create a proper policy for monitoring the AirWave infrastructure.
d. Discover the infrastructure.
3. Configure device classification:
a. Set up rogue classification.
b. Set up rogue classification override.
c. Establish user classification override devices.
4. Deploy ArubaOS-specific monitoring features:
a. Enable remote AP and wired network monitoring.
b. View controller license information.
5. Convert existing floor plans to VisualRF to include the following elements:
l ArubaOS
l RF Plan
6. Use RTLS for increasing location accuracy (optional):
a. Enable RTLS service on the AirWave server.
b. Enable RTLS on ArubaOS infrastructure.
Integrating External Servers
AirWave supports integration with Juniper, Brocade or HPE Intelligent Management Center (IMC) servers. When a
device is monitored by AirWave and an external server, the APs/Devices > Monitor page for that device
provides a link to that external server.
Add a Juniper Network Director
AirWave supports integration with Juniper Network Director (ND) 2.0. Once integrated, the APs/Devices >
Monitor page for that device provides a link to the Juniper Network Director WebUI.
To integrate Juniper Network Director with AirWave:
1. Log in to AirWave, then navigate to AMP Setup > External server.
2. In the Juniper Network Director section, enter the IP address or hostname of the Juniper Network
Director.
3. Click Save.
Add a Brocade Network Advisor
AirWave can monitor and secure Brocade wired networks, while Brocade Network Advisor monitors Aruba
networks. Once integrated, the Brocade Network Advisor appears in the Devices list on the AirWave
APs/Devices > List page, and the APs/Devices > Monitor page for that device provides access to the Brocade
Network Advisor home page.
To integrate Brocade Network Advisor with AirWave:
1. Log in to AirWave, then navigate to AMP Setup > External server.
2. In the Brocade Network Advisor section, enter the IP address or hostname of the Brocade Network
Advisor.
3. Click Save.
Add an HPE Intelligent Management Center
When a managed device is monitored by both AirWave and the HPE Intelligent Management Center (IMC)
Enterprise Software Platform, the APs/Devices > Monitor page for that device includes a link to the IMC
server.
Figure 29: IMC Link on the APs/Devices > Monitor page
To integrate an IMC server with AirWave:
1. Log in to AirWave, then navigate to AMP Setup > External server.
2. In the Intelligent Management Center section, enter the IP address or hostname of the IMC server.
3. (Optional) Click the IMC Protocol drop-down list and select the HTTPS or HTTP protocol. The default setting
is HTTPS.
4. (Optional) Enter a port number in the IMC Port field. The default port number is 8443.
5. Enter the user name for accessing the IMC server, then confirm this password.
6. Click Save.
Chapter 3
Configuring and Using Device Groups
This section describes the deployment of device groups within AirWave. The section below describes the pages or
focused submenus available when you select a group using the Groups > List page. Note that the available
subtabs can vary significantly from one device group to another. One or more subtabs may not appear,
depending on the Default Group display option selected on the AMP Setup > General page and the types of
devices you add to AirWave.
If any of the Groups pages described in Table 39 do not appear in the navigation bar, and you want to
configure settings on a hidden page, select the group from the Groups > List page, navigate to Groups > Basic, then choose the Show Device Settings for: All Devices option in the Group Display Options section
of the Groups > Basic page. The next time you select the group from the Groups > List page, all available
configuration options appear.
Figure 30: Subtabs under the Group tab
Table 39: Groups pages
| Menu Item | Description | Refer to |
|---|---|---|
| List | This page is the default page in the Groups section of AirWave. It lists all groups currently configured in AirWave and provides the foundation for all group-level configurations. | "Viewing All Defined Device Groups" on page 85 |
| Monitor | This page displays client and bandwidth usage information, lists devices in a given group, provides an Alert Summary table for monitoring alerts for the group, and provides a detailed Audit Log for group-level activity. | "Monitoring Basics" on page 145 |
| Basic | This page appears when you create a new group on the Groups > List page. Once you define a group name, AirWave displays the Basic page from which you configure many group-level settings. This page remains available for any device group configured in AirWave. | "Configuring Basic Group Settings" on page 87 |
| Templates | This page manages templates for any device group. Templates allow you to manage the configuration of Dell Networking W-Series, 3Com, Alcatel-Lucent, Aruba Networks, Cisco Aironet IOS, Cisco Catalyst switches, Enterasys, HPE, Nortel, Symbol and Trapeze devices in a given group using a configuration file. Variables in such templates configure device-specific properties, such as name, IP address and channel. Variables also define group-level properties. | "Creating and Using Templates" on page 208 |
| Security | This page defines general security settings for device groups, to include RADIUS, encryption, and additional security settings on devices. | "Configuring Group Security Settings" on page 99 |
| SSID | This page sets SSIDs, VLANs, and related parameters in device groups. This submenu is available when you configure RADIUS servers on the Groups > AAA Servers page. | "Configuring Group SSIDs and VLANs" on page 103 |
| AAA Servers | This page configures authentication, authorization, and accounting settings in support of RADIUS servers for device groups. | "Adding and Configuring Group AAA Servers" on page 97 |
| Radio | This page defines general 802.11 radio settings for device groups. | "Configuring Radio Settings for Device Groups" on page 107 |
Controller
Config
Switch
Config
Instant
Config
This page manages ArubaOS Device Groups, AP Overrides, and other profiles specific to
Aruba devices on the network. Use this page as an alternative to the Device Setup >Aruba >Configuration page. The appearance of this page varies depending on
whether AirWave is configured for global configuration or group configuration.
This page manages ArubaOS Device Groups, AP Overrides, and other profiles specific to
Aruba switches on the network.
This page manages Aruba Instant devices on the network.Aruba Instant
Aruba
Controller
Configuration
Guide
Aruba Aruba
Switch
Configuration
Guide
User Guide
83 | Configuring and Using Device GroupsAirWave 8.2.4 | User Guide
Page 84
Table 39: Groups pages (Continued)
Menu
DescriptionRefer to
Item
Cisco WLC
Config
PTMPThis page defines settings specific to Proxim MP devices when present. As such, this
Proxim
Mesh
MACACLThis page defines MAC-specific settings that apply to Proxim, Symbol, and ProCurve 520
The Groups > Cisco WLC page appears in the navigation bar if the you navigate to
Groups > List and select a group that contains Cisco WLC devices.
This page consolidates controller-level settings from the Group Radio, Security, SSIDs,
Cisco WLC Radio and AAA Server pages into one navigation tree that is easier to
navigate, and has familiar layout and terminology. Bulk configuration for thin AP
settings, previously configured on the Group LWAPP APs tab, can now be performed
from Modify Devices on the APs/Devices > List page. .
page is only available when a Proxim MP device is added to this group.
This page defines mesh AP settings specific to Proxim devices when present."Configuring
devices when present.
"Cisco WLC
Group
Configuration"
on page 111
"Configuring
Group PTMP
Settings" on
page 118.
Proxim Mesh
Radio
Settings" on
page 119
"Configuring
Group MAC
Access
Control Lists"
on page 121
FirmwareThis page manages firmware files for many device types."Specifying
Minimum
Firmware
Versions for
Devices in a
Group" on
page 121
CompareThis page allows you to compare line item-settings between two device groups. On the
Groups > List page, select the Compare two groups link, select the two groups from
the drop-down menus, and then select Compare.
"Comparing
Device
Groups" on
page 123
This section also provides the following additional procedures for group-level configurations:
• "Deleting a Group" on page 125
• "Changing Multiple Group Configurations" on page 125
• "Modifying Multiple Devices" on page 127
• "Using Global Groups for Group Configuration" on page 129
AirWave Groups Overview
Enterprise APs, controllers, routers, and switches have hundreds of variable settings that must be configured
precisely in order to achieve optimal performance and network security. Configuring all settings on each device
individually is time consuming and error prone. AirWave addresses this challenge by automating the processes of
device configuration and compliance auditing. At the core of this approach is the concept of Device Groups,
which have the following functions and benefits:
• AirWave allows certain settings to be managed efficiently at the Group level, while others are managed at an
individual device level.
• AirWave defines a Group as a subset of the devices on the wireless LAN, ranging in size from one device to hundreds
of devices that share certain common configuration settings.
• Groups can be defined based on geography (such as 5th Floor APs), usage or security policies (such as Guest Access
APs), function (such as Manufacturing APs), or any other appropriate variable.
• Devices within a group may originate from different vendors or hardware models, but all devices within a Group share
certain basic configuration settings.
Typical group configuration variables include the following settings:
• Basic settings - SSID, SNMP polling interval, and so forth
• Security settings - VLANs, WEP, 802.1X, ACLs, and so forth
• Radio settings - data rates, fragmentation threshold, RTS threshold, DTIM, preamble, and so forth.
When configuration changes are applied at a group level, they are assigned automatically to every device within
that group. Such changes must be applied with every device in Managed mode. Monitor mode is the more
common mode.
Always review the Audit page before pushing configurations to a device or group.
Individual device settings—such as device name, RF channel selection, RF transmission power, antenna settings,
and so forth—typically should not be managed at a group level and must be individually configured for optimal
performance. Individual AP settings are configured on the APs/Devices > Manage page.
You can create as many different groups as required. Administrators usually establish groups that range in size
from five to 100 wireless devices.
Group configuration can be enhanced with the AirWave Global Groups feature, which lets you create Global
Groups with configurations that are pushed to individual Subscriber Groups.
The default view of the Groups > Monitor page is predefined and cannot be modified. However, you can create
a new view, or edit and copy a view, and save the view to access information you frequently use. For more
information on filtering data from your view, see "Creating Filtered Views" on page 146.
Viewing All Defined Device Groups
To display a list of all defined groups, browse to the Groups > List page, illustrated in Figure 31.
Figure 31: Groups > List Page Illustration (partial view)
Table 40 describes the columns in the Groups > List page.
Table 40: Groups > List Columns
Column | Description
Add New Group | Launches a page that enables you to add a new group by name and to define group parameters for devices in that group. For additional information, refer to "Configuring Basic Group Settings" on page 87.
Manage (wrench icon) | Goes to the Groups > Basic configuration page for that group. Hover your mouse over the icon to see a list of shortcuts to group-specific subtabs that would appear across the navigation section if this group is selected. (See Figure 32 in "Configuring Basic Group Settings" on page 87.)
Name | Uniquely identifies the group by location, vendor, department or any other identifier (such as ‘Accounting APs,’ ‘Floor 1 APs,’ ‘Cisco devices,’ ‘802.1X APs,’ and so forth).
Up/Down Status Polling Period | The time between Up/Down SNMP polling periods for each device in the group. Detailed SNMP polling period information is available on the Groups > Basic configuration page. Note that by default, most polling intervals do not match the up/down period.
Total Devices | Total number of devices contained in the group including APs, controllers, routers, or switches.
Changes | Displays when a group has unapplied changes.
Is Global Group | If a group is designated as global, it may not contain APs but it may be used as a template for other groups. This column may also indicate Yes if this group has been pushed to AirWave from a Master Console.
Global Group | Specifies which group this Subscriber Group is using as its template.
SSID | The SSID assigned to supported device types within the group.
Down | The number of access points within the group that are not reachable via SNMP or are no longer associated to a controller. Note that thin APs are not directly polled with SNMP, but are polled through the controller. That controller may report that the thin AP is down or is no longer on the controller. At this point, AirWave classifies the device as down.
Mismatched | The number of devices within the group that are in a mismatched state.
Ignored | The number of ignored devices in that group.
Clients | The number of mobile users associated with all access points within the group. To avoid double counting of clients, clients are only listed in the group of the AP with which they are associated. Note that device groups with only controllers in them report no clients.
Usage | A running average of the sum of bytes in and bytes out for the managed radio page.
VPN Sessions | Number of active (connected) VPN sessions under this group.
Duplicate | Creates a new group with the name Copy of <Group Name> with identical configuration settings. (Aruba configuration settings will have to be manually added back.)
When you first configure AirWave, there is only one default group labeled Access Points. If you have no other
groups configured, refer to "Configuring Basic Group Settings" on page 87.
Configuring Basic Group Settings
The first default device group set up in AirWave is the Access Points group, but you can use this procedure to
add and configure any device group. Perform these steps to configure basic group settings, then continue to
additional procedures to define additional settings as required.
There are three ways to navigate to the Basic Group Settings page.
• Select Add on the Groups > List page to create a new group, then enter a group name and click Add. The Groups >
Basic page appears.
• Navigate to Groups > List, select a group from the Groups table, then navigate to Groups > Basic.
• Navigate to Groups > List and select the manage (wrench) icon next to the group. If you mouse over an existing
group’s wrench, a pop-up menu displays, allowing you to select options such as Basic, Templates, Security, SSIDs,
AAA Servers, Radio, Controller Config, Switch Config, Instant Config, and Cisco WLC Config. See Figure 32.
The mouse-over list can vary based on a group's settings.
Figure 32: Pop-up When Hovering over Wrench Icon in the Groups > List Page
Basic Configuration Settings
Table 41 describes the available settings and default values in the Basic section of the Group > Basic page.
Table 41: Basic Group Fields and Default Values
Setting | Default | Description
Name | Defined when first adding the group | Displays or changes the group name. As desired, use this field to set the name to uniquely identify the group by location, vendor, department, or any other identifier (such as Accounting APs, Cisco devices, 802.1x APs, and so forth).
Missed SNMP Poll Threshold (1-100) | 1 | Sets the number of Up/Down SNMP polls that must be missed before AirWave considers a device to be down. The number of SNMP retries and the SNMP timeout of a poll can be set on the Device Setup > Communication page.
Regulatory Domain | United States | Sets the regulatory domain in AirWave, limiting the selectable channels for APs in the group.
Timezone | AMP System Time | Allows group configuration changes to be scheduled relative to the time zone in which the devices are located. This setting is used for scheduling group-level configuration changes.
Allow One-to-One NAT | No | Allows AirWave to talk to the devices on a different IP address than the one configured on the device. NOTE: If enabled, the LAN IP Address listed on the AP/Devices > Manage configuration page under the Settings area is different than the IP Address under the Device Communication area.
Audit Configuration on Devices | Yes | Auditing and pushing of configuration to devices can be disabled on all the devices in the group. Once disabled, all the devices in the groups will not be counted towards mismatched devices.
Global Group Settings
The AirWave group configuration feature allows you to push configurations defined on a global group to other
managed groups subscribed to that global group. Table 42 describes the settings and default values in the
Global Groups section of the Group > Basic page.
Table 42: Global Groups Fields and Default Values
Setting | Default | Description
Is Global Group | No | If set to Yes, then this group can be selected in the Use Global Group drop-down menu for future group configurations. For more information, refer to "Using Global Groups for Group Configuration" on page 129.
Global Group | No | If you have defined one or more global groups, this field appears in the Global Settings for the other (non-global) groups. Click this drop-down list to select a global group to which this (non-global) group should be associated. For more information, refer to "Subscribing other Groups to a Global Group" on page 131.
SNMP Polling Periods
Use the configuration options in the SNMP Polling Periods section of the Groups > Basic page to override
default SNMP polling settings. Table 43 describes the SNMP polling options.
Table 43: SNMP Polling Periods Fields and Default Values
Setting | Default | Description
Up/Down Status Polling Period | 5 minutes | Sets time between Up/Down SNMP polling for each device in the group. The Group SNMP Polling Interval overrides the global parameter configured on the Device Setup > Communication page. An initial polling interval of 5 minutes is best for most networks.
Override Polling Period for Other Services | No | Enables or disables overriding the base SNMP Polling Period. If you select Yes, the other settings in the SNMP Polling Periods section are activated, and you can override default values.
AP Interface Polling Period | 10 minutes | Sets the interval at which AirWave polls for radio monitoring and bandwidth being used by a device.
Client Data Polling Period | 10 minutes | Sets time between SNMP polls for client data for devices in the group.
Thin AP Discovery Polling Period | 15 minutes | Sets time between SNMP polls for Thin AP Device Discovery. Controllers are the only devices affected by this polling interval.
Device-to-Device link Polling Period | 5 minutes | Sets time between SNMP polls for Device-to-Device link polling. Mesh APs are the only devices affected by this polling interval.
802.11 Counters Polling Period | 15 minutes | Sets time between SNMP polls for 802.11 Counter information.
Rogue AP and Device Location Data Polling Period | 30 minutes | Sets time between SNMP polls for Rogue AP and Device Location Data polling.
CDP Neighbor Data Polling Period | 30 minutes | Sets the frequency in which this group polls the network for Cisco Discovery Protocol (CDP) neighbors.
Mesh Discovery Polling Period | 15 minutes | Sets time between SNMP polls for Mesh Device Discovery.
Routers and Switches
The settings in the Routers and Switches section of the Groups > Basic page define the frequency in which
AirWave polls all devices in the group. These options can be disabled entirely as desired. Table 44 describes the
configurable poll settings for routers and switches.
Table 44: Routers and Switches Fields and Default Values
Setting | Default | Description
Read ARP Table | 4 hours | Sets the frequency in which devices poll routers and switches for Address Resolution Protocol (ARP) table information. This setting can be disabled, or set to poll for ARP information in a range from every 15 seconds to 12 hours.
Read CDP Table for Device Discovery | 4 hours | For Cisco devices, sets the frequency in which devices poll routers and switches for Cisco Discovery Protocol (CDP) information. This setting can be disabled, or set to poll for CDP neighbor information in a range from every 15 seconds to 12 hours.
Read Bridge Forwarding Table | 4 hours | Sets the frequency in which devices poll the network for bridge forwarding information. This setting can be disabled, or set to poll bridge forwarding tables from switches in a range from every 15 seconds to 12 hours.
Interface Up/Down Polling Period | 5 minutes | Sets the frequency in which network interfaces are polled for up/down status. This setting can be disabled, or set to poll from switches in a range from every 15 seconds to 30 minutes.
Interface Bandwidth Polling Period | 15 minutes | Sets the frequency in which network interfaces are polled for bandwidth usage. This setting can be disabled, or set to poll from switches in a range from every 5 minutes to 30 minutes.
Interface Error Counter Polling Period | 30 minutes | Sets the frequency in which network interfaces are polled for up/down status. This setting can be disabled, or set to poll bridge forwarding tables from switches in a range from every 5 minutes to 30 minutes.
Poll 802.3 error counters | No | Sets whether 802.3 error counters should be polled.
Poll Cisco interface error counters | No | Sets whether the interface error counters for Cisco devices should be polled.
Notes
Use this optional section to record additional information and comments about the group.
Group Display Options
The available AirWave configuration settings for a group of managed or monitored devices can vary, depending
upon the type of device being configured. Use the Group Display Options section of the Groups > Basic page
to define the types of configuration settings that will appear for the selected group. Table 45 describes these
settings and their default values.
Table 45: Group Display Options Fields and Default Values
Setting | Default | Description
Show device settings for | Only devices on this AMP | Drop-down menu determines which Group tabs and options are to be viewable by default in new groups. Settings include the following:
• All Devices—AirWave displays all Group tabs and setting options.
• Only devices in this group—AirWave hides all options and tabs that do not apply to the devices in the group. If you use this setting, then to get the group list to display the correct SSIDs for the group, you must Save and Apply on the group.
• Only devices on this AMP—Hides all options and tabs that do not apply to the APs and devices currently on AirWave.
• Use system defaults—Use the default settings on AMP Setup > General.
• Selected device types—Allows you to specify the device types for which AirWave displays Group settings.
Selected Device Types | N/A | This option appears if you chose to display selected device types, allowing you to select the device types to display group settings. Use Select devices in this group to display only devices in the group being configured.
Automatic Static IP Assignment
Use the Automatic Static IP Assignment section on the Groups > Basic configuration page to automatically
assign a range of static IP addresses to new devices as they are added into the group. If you select Yes for the
Assign Static IP Addresses to Devices option, additional fields appear. Table 46 describes the settings and
default values. This section is only relevant for a small number of device types, and will appear when they are
present.
Table 46: Automatic Static IP Assignment Fields and Default Values
Setting | Default | Description
Assign Static IP Addresses to Devices | No | Specify whether to enable AirWave to statically assign IP addresses from a specified range to all devices in the Group. If this value is set to Yes, then the additional configuration fields described in this table will become available.
Start IP Address | none | Sets the first address AirWave assigns to the devices in the Group.
Number of Addresses | none | Sets the number of addresses in the pool from which AirWave can assign IP addresses.
Subnet Mask | none | Sets the subnet mask to be assigned to the devices in the Group.
Subnet Gateway | none | Sets the gateway to be assigned to the devices in the Group.
Next IP Address | none | Defines the next IP address queued for assignment. This field is disabled for the initial Access Points group.
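Before entering values in the Automatic Static IP Assignment fields, it helps to confirm that the planned pool is consistent with the subnet mask and gateway. The following Python check is an added example, not AirWave code; the function name, the returned dictionary and the assumption that the pool is the contiguous range from Start IP Address through Start IP Address + Number of Addresses - 1 are ours, and the sample plans are constructed.

```python
import ipaddress


def check_static_ip_pool(start_ip, number_of_addresses, subnet_mask, subnet_gateway):
    """Check planned values for the Automatic Static IP Assignment fields.

    Assumption (not stated in the guide): the pool is the contiguous range
    start_ip .. start_ip + number_of_addresses - 1.
    Returns a dict with the derived subnet, the first and last pool address,
    and a list of problems (empty when the plan is consistent).
    """
    result = {"subnet": None, "first": None, "last": None, "problems": []}
    problems = result["problems"]

    try:
        start = ipaddress.IPv4Address(start_ip)
        gateway = ipaddress.IPv4Address(subnet_gateway)
        # strict=False derives the subnet from a host address plus its mask.
        subnet = ipaddress.IPv4Network(f"{start_ip}/{subnet_mask}", strict=False)
    except ValueError as exc:  # covers AddressValueError and NetmaskValueError
        problems.append(f"invalid address or mask: {exc}")
        return result

    if number_of_addresses < 1:
        problems.append("Number of Addresses must be at least 1")
        return result

    first_int = int(start)
    last_int = first_int + number_of_addresses - 1
    result["subnet"] = str(subnet)
    result["first"] = str(start)
    # Clamp only for display; the range checks below use the real integer.
    result["last"] = str(ipaddress.IPv4Address(min(last_int, 2**32 - 1)))

    def in_pool(addr):
        return first_int <= int(addr) <= last_int

    if last_int > int(subnet.broadcast_address):
        problems.append(f"pool runs past the end of {subnet}")
    if gateway not in subnet:
        problems.append("Subnet Gateway is outside the subnet")
    elif in_pool(gateway):
        problems.append("pool contains the Subnet Gateway address")
    # /31 and /32 subnets have no separate network and broadcast addresses.
    if subnet.prefixlen < 31:
        if in_pool(subnet.network_address):
            problems.append("pool contains the network address")
        if in_pool(subnet.broadcast_address):
            problems.append("pool contains the broadcast address")
    return result


if __name__ == "__main__":
    # Constructed sample plans: (Start IP, Number of Addresses, Mask, Gateway).
    plans = [
        ("10.20.30.10", 50, "255.255.255.0", "10.20.30.1"),
        ("10.20.30.200", 100, "255.255.255.0", "10.20.30.1"),
    ]
    for plan in plans:
        print(plan, check_static_ip_pool(*plan))
```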
Spanning Tree Protocol
Use the Spanning Tree Protocol settings on the Groups > Basic page to configure the Spanning Tree Protocol
on Wireless LAN Controller (WLC) devices and Proxim APs. Table 47 describes the settings and default values in
this section.
Table 47: Spanning Tree Protocol Fields and Default Values
Setting | Default | Description
Spanning Tree Protocol | No | Specify whether to enable or disable Spanning Tree Protocol on Proxim APs. If this value is set to Yes, then the additional configuration fields described in this table will become available.
Bridge Priority | 32768 | Sets the priority for the AP. Values range from 0 to 65535. Lower values have higher priority. The lowest value is the root of the spanning tree. If all devices are at default the device with the lowest MAC address will become the root.
Bridge Maximum Age | 20 | Sets the maximum time, in seconds, that the device stores protocol information. The supported range is from 6 to 40.
Bridge Hello Time | 2 | Sets the time, in seconds, between Hello message broadcasts.
Bridge Forward Delay | 15 | Sets the time, in seconds, that the port spends in listening and learning mode if the spanning tree has changed.
NTP
Use the NTP Settings section of the Groups > Basic page to define an NTP server and configure Network Time
Protocol (NTP) settings. Table 48 describes the NTP settings and default values.
Table 48: NTP Fields and Default Values
Setting | Default | Description
NTP Server #1,2,3 | None | Sets the IP address of the NTP servers to be configured on the AP.
UTC Time Zone | 0 | Sets the hour offset from UTC time to local time for the AP. Times displayed in AirWave graphs and logs use the time set on the AirWave server.
Daylight Saving Time | No | Enables or disables the advanced daylight saving time settings in the Proxim section of the Groups > Basic configuration page.
HPE Aruba/OfficeConnect Switch Configuration
AirWave automates provisioning of several models of HPE OfficeConnect (Comware) switches, using template-based
configuration, zero-touch provisioning (ZTP), and configuration snippets. By default, the full configuration
mode is enabled whenever you create a device group. When in full configuration mode, AirWave pushes a
complete set of changes using a template to the group of devices. With partial configuration mode, you can push
a golden configuration to a group that contains factory-default ZTP devices. You can also push any command
supported by the switch CLI to the device group regardless of their device state (factory or non-factory).
Table 49: HPE Aruba/OfficeConnect Switch Fields and Default Values
Setting | Default | Description
NTP Server #1,2,3 | None | Sets the IP address of the NTP servers to be configured on the AP.
UTC Time Zone | 0 | Sets the hour offset from UTC time to local time for the AP. Times displayed in AirWave graphs and logs use the time set on the AirWave server.
Daylight Saving Time | No | Enables or disables the advanced daylight saving time settings in the Proxim section of the Groups > Basic configuration page.
Aruba
To configure settings specific to Aruba, locate the Aruba section and adjust these settings as required. Table 50
describes the settings and default values of this section of the Groups > Basic page.
Table 50: Aruba Fields and Default Values
Setting | Default | Description
SNMP Version | 2c | The version of SNMP used by AirWave to communicate to the AP.
Offload WMS Database | No | Configures commands previously documented in the AirWave 8.2.4 Best Practices Guide. When enabled, this feature allows AirWave to display historical information for WLAN switches. Changing the setting to Yes pushes commands via SSH to all WLAN switches in Monitor Only mode without rebooting the controller. The command can be pushed to controllers in manage mode (also without rebooting the controller) if the Allow WMS Offload setting on AMP Setup > General is changed to Yes.
Aruba GUI Config | Yes | This setting selects whether you'd like to configure your devices using the Groups > Controller method (either global or group) or using Templates.
Manage local configuration on controllers | No | Enables or disables the management of local configuration including audit, push, and import operations.
Ignore Rogues Discovered by Remote APs | No | Configures whether to turn off RAPIDS rogue classification and rogue reporting for RAPs in this group.
Delete Certificates On Controller | No | Specifies whether to delete the current certificates on an ArubaOS controller.
Aruba Instant
To specify the Aruba Instant settings to be applied to this group, locate the Aruba Instant settings section of the
Groups > Basic page and adjust these settings as desired. Table 51 describes the settings and default values.
Table 51: Virtual Controller Certificate Fields and Default Values
Setting | Default | Description
Enable Instant GUI Config | No | Select this option to configure your Instant APs via the IGC feature on the Groups > Instant Config pages of the AirWave WebUI, rather than via Instant template configuration.
Configure AirWave communication settings | No | If the Enable Instant GUI Config setting is set to No, you can use this option to configure the primary (and optionally, secondary) AirWave server settings on an Instant AP via template configuration.
Disable auto join mode | No | If you enable the Disable auto join mode setting, then Instant APs will not automatically join a group of Instant APs in AirWave when that device becomes active on the network.
HTTPS timeout | 5 minutes | The HTTPS timeout for Instant devices is the period for which AirWave waits for an Instant heartbeat message. The Missed SNMP Poll Threshold in the Basic Settings section at the top of the Groups > Basic page sets the number of Up/Down SNMP polls that must be missed before AirWave considers a device to be down. If, for example, the group settings for a group of Instant APs have a Missed SNMP Poll Threshold of 1, then an Instant AP is considered to be down if there is 1 missed heartbeat during this HTTPS timeout period, which could be anywhere between 1-30 min.
CA Cert | None | Specify a CA certificate for the Instant virtual controller. The fields in this drop-down will populate when a certificate of type Intermediate CA or Trusted CA is added in the Device Setup > Certificates page.
Server Cert | None | Specify a server certificate for the virtual controller. The fields in this drop-down will populate when a certificate of type Server Cert is added in the Device Setup > Certificates page.
Captive Portal Cert | None | Specify a Captive portal certificate for the virtual controller. The fields in this drop-down will populate when a certificate of type Captive Portal Cert is added in the Device Setup > Certificates page.
Captive Portal Logo | None | You can use AirWave to download a captive portal logo to your Instant APs. Upload the image (which must be 16k bytes or less) on the Device Setup > Upload page, then click the Captive Portal Logo drop-down list on the Groups > Basic page to select the image to send to the IAPs.
RadSec Server Cert | None | Specify a RadSec server certificate for the virtual controller. The fields in this drop-down will populate when a certificate of type Server Cert is added in the Device Setup > Certificates page.
RadSec CA Cert | None | Specify a RadSec CA certificate for the virtual controller. The fields in this drop-down will populate when a certificate of type Intermediate CA or Trusted CA is added in the Device Setup > Certificates page.
Cisco IOS/Catalyst
Configure settings specific to Cisco IOS/Catalyst. Table 52 describes the settings and default values in this section
of the Groups > Basic page.
Table 52: Cisco IOS/Catalyst Fields and Default Values
Setting | Default | Description
SNMP Version | 2c | The version of SNMP used by AirWave to communicate to the AP.
Cisco IOS CLI Communication | Telnet | The protocol AirWave uses to communicate with Cisco IOS devices. Selecting SSH uses the secure shell for command line interface (CLI) communication and displays an SSH Version option. Selecting Telnet sends the data in clear text via Telnet.
Cisco IOS Config File Communication | TFTP | The protocol AirWave uses to communicate with Cisco IOS devices. Selecting SCP uses the secure copy protocol for file transfers and displays an SCP Version option. Selecting TFTP will use the insecure trivial file transfer protocol. The SCP login and password should be entered in the Telnet user name and password fields.
Cisco WLC
Use the Cisco WLC section of the Groups > Basic page to configure settings specific to Cisco Wireless
LAN Controllers (WLC). Table 53 describes the settings and default values in this section.
Table 53: Cisco WLC Fields and Default Values
Setting | Default | Description
SNMP Version | 2c | Sets the version of SNMP used by AirWave to communicate to WLC controllers.
CLI Communication | SSH | Sets the protocol AirWave uses to communicate with Cisco IOS devices. Selecting SSH uses the secure shell for command line interface (CLI) communication. Selecting Telnet sends the data in clear text via Telnet.
When configuring Cisco WLC controllers, refer to "Configuring Wireless Parameters for Cisco Controllers" on
page 117.
Proxim/Avaya
To configure Proxim/Avaya specific settings, locate the Proxim/Avaya section of the Groups > Basic page and
adjust these settings as required. The following table describes the settings and default values.
Table 54: Proxim/Avaya Settings
Setting | Default | Description
SNMP Version | 1 | Sets the version of SNMP used by AMP to communicate to the AP.
Enable DNS Client | No | Enables the DNS client on the AP. Enabling the DNS client allows you to set some values on the AP by hostname instead of IP address. If you select Yes for this setting, additional DNS fields display.
Primary DNS server | Blank | Sets the IP address of the Primary DNS server.
Secondary DNS server | Blank | Sets the IP address of the Secondary DNS server.
Default DNS domains | Blank | Sets the default DNS domain used by the AP.
HTTP Server Port | 80 | Sets this port as the HTTP server port on all Proxim APs in the group.
Country Code | United States | Configures AMP to derive its time settings based on the country of location, as specified in this field.
HP ProCurve
To configure HP ProCurve specific settings, locate the HP ProCurve section of the Groups > Basic page and
adjust these settings as required. The following table describes the settings and default values.
Table 55: HP ProCurve Settings
| Setting | Default | Description |
| --- | --- | --- |
| SNMP Version | 2c | Sets the version of SNMP used by AirWave to communicate to the AP. |
| ProCurve XL/ZWeSM CLI Communication | Telnet | Sets the protocol AirWave uses to communicate with ProCurve XLWeSM devices. Selecting SSH will use the secure shell for command line (CLI) communication. Selecting Telnet will send the data in clear text via telnet. |
| Controller SNMP Version | 2c | Specifies the version of SNMP used by AirWave to communicate to the controller. |
Symbol
To configure settings for Symbol controllers, locate the Symbol section of the Groups > Basic page and adjust
these settings as required. The following table describes the settings and default values.
Table 56: Symbol Settings
| Setting | Default | Description |
| --- | --- | --- |
| SNMP Version | 2c | Specifies the version of SNMP used by AWMS to communicate to the device. |
| Symbol Client Inactivity Timeout (3-600 min) | 3 | Sets the minutes of inactivity after which a client associated to a Symbol AP will be considered "inactive." A lower value typically provides a more accurate representation of current WLAN usage. NOTE: For other APs, AWMS has more precise methods to determine when inactive clients are no longer associated to an AP. |
| Symbol Controller CLI Communication | Telnet | The connection type to support the command-line interface (CLI) connection. The options are Telnet and secure shell (SSH). This is supported for WS5100, RFS4000, RFS6000 and RFS7000 devices only. |
| Web Config Interface | Yes | Enables or disables the http/https configuration page for the Symbol 4131 devices. |
Juniper/3Com/Enterasys/Nortel/Trapeze
To configure SNMP settings for 3Com, Enterasys, Nortel, or Trapeze devices, locate the
Juniper/3Com/Enterasys/Nortel/Trapeze section of the Groups > Basic page and click the SNMP Version
drop-down list to define the version of SNMP to be supported. The default setting is SNMPv2c.
Universal Devices, Routers and Switches
To configure settings for universal devices on the network, including routers and switches that support both
wired and wireless networks, locate the Juniper/3Com/Enterasys/Nortel/Trapeze section of the Groups > Basic page and click the SNMP Version drop-down list to define the version of SNMP to be supported. The
default setting is SNMPv2c.
Automatic Authorization
To control the conditions by which devices are automatically authorized into this group, locate the Automatic
Authorization settings section of the Groups > Basic page and adjust these settings as required. Table 57
describes the settings and default values.
Table 57: Automatic Authorization Fields and Default Values
| Setting | Default | Description |
| --- | --- | --- |
| Add New Controllers and Autonomous Devices Location | Use Global Setting | Whether to auto authorize new controllers to the New Devices List, the same Group/Folder as the discovering devices, the same Group/Folder as the closest IP neighbor, and/or a specified auto-authorization group and folder. The Current Global Setting set in AMP Setup > General is shown below this field. Selecting a different option overrides the global setting. |
| Add New Thin APs Location | Use Global Setting | Whether to auto authorize new thin APs to the New Devices List, the same Group/Folder as the discovering devices, the same Group/Folder as the closest IP neighbor, and/or a specified auto-authorization group and folder. The Current Global Setting set in AMP Setup > General is shown below. Selecting a different option overrides the global setting for this group. |
| Ignore Device's Configured Folder | No | Enable this option to ignore the folder in the provisioning rule for Aruba switches configured via Activate, DHCP, or the switch command-line interface. |
1. To automate putting multiple devices in this group into Manage mode at once so that changes can be applied
and have the devices revert to Monitor-Only mode after the maintenance period is over, locate the
Maintenance Windows option and define a new AP Group Maintenance Window.
2. Select Save when the configurations of the Groups > Basic configuration page are complete to retain these
settings without pushing these settings to all devices in the group. Save is a good option if you intend to
make additional device changes in the group, and you want to wait until all configurations are complete
before you push all configurations at one time. Select Save and Apply to make the changes permanent, or
select Revert to discard all unapplied changes.
Adding and Configuring Group AAA Servers
Configure RADIUS servers on the Groups > AAA Servers page. Once defined on this page, the Groups >
Security and Groups > SSIDs menus appear in the navigation bar, allowing you to select and configure your
RADIUS servers.
If the Groups > AAA Servers page does not appear in the navigation bar, select the group from the Groups >
List page, select the Groups > Basic page, then choose the Show Device Settings for: All Devices option
in the Group Display Options section of the Groups > Basic page.
1. Go to the Groups > List page and select the group for which to define AAA servers by selecting the group
name. The Monitor page appears.
2. Select the AAA Servers page. The AAA Servers page appears, enabling you to add a RADIUS server.
3. To add a RADIUS server or edit an existing server, select Add New RADIUS Server or the corresponding
pencil icon to edit an existing server. Table 58 describes the settings and default values of the Add/Edit page.
Table 58: Adding a RADIUS Server Fields and Default Values
| Setting | Default | Description |
| --- | --- | --- |
| Hostname/IP Address | None | Sets the IP Address or DNS name for RADIUS Server. NOTE: IP Address is required for Proxim/ORiNOCO and Cisco Aironet IOS APs. |
| Secret and Confirm Secret | None | Sets the shared secret that is used to establish communication between AirWave and the RADIUS server. NOTE: The shared secret entered in AirWave must match the shared secret on the server. |
| Authentication | No | Sets the RADIUS server to perform authentication when this setting is enabled with Yes. |
| Authentication Port (1-65535) | 1812 | Appears when Authentication is enabled. Sets the port used for communication between the AP and the RADIUS server. |
| Accounting | No | Sets the RADIUS server to perform accounting functions when enabled with Yes. |
| Accounting Port (1-65535) | 1813 | Appears when Accounting is enabled. Sets the port used for communication between the AP and the RADIUS server. |
| Timeout (0-86400) | None | Sets the time (in seconds) that the access point waits for a response from the RADIUS server. |
| Max Retries (0-20) | None | Sets the number of times a RADIUS request is resent to a RADIUS server before failing. NOTE: If a RADIUS server is not responding or appears to be responding slowly, consider increasing the number of retries. |
4. Select Add to complete the creation of the RADIUS server, or select Save if editing an existing RADIUS server.
The Groups > AAA Servers page displays this new or edited server. You can now reference this server on the
Groups > Security page.
AirWave supports reports for subsequent RADIUS Authentication. These are viewable by selecting Reports >
Generated, scrolling to the bottom of the page, and selecting Latest RADIUS Authentication Issues
Report.
5. To make additional RADIUS configurations for device groups, use the Groups > Security page and continue
to the next topic.
TACACS+ servers are configurable only for Cisco WLC devices. Refer to "Configuring Cisco WLC Security
Parameters and Functions" on page 117.
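Added example (not from the AirWave guide or any HPE code): the RFC 2865 Response Authenticator check in Python, showing why the shared secret in Table 58 must match on both sides and why a mismatch presents as an unresponsive server that the Max Retries setting cannot fix. The secrets, packet identifier and Reply-Message attribute are constructed sample values, and `authenticate` is a hypothetical simulation of one client and one server.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
# Constructed sample attribute: Reply-Message (type 18), length 4, value "ok".
REPLY_ATTRS = bytes([18, 4]) + b"ok"

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    """Server side: sign the reply with the server's copy of the secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """Client side: True only if the reply was signed with the same secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:length],
                                      request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def authenticate(client_secret, server_secret, max_retries):
    """Simulate one request. A reply that fails verification is silently
    discarded, so the client only sees a timeout and resends."""
    request_auth = os.urandom(16)  # fresh Request Authenticator
    ident = 7                      # constructed packet identifier
    for attempt in range(1, max_retries + 2):  # first send plus retries
        reply = build_response(ACCESS_ACCEPT, ident, REPLY_ATTRS,
                               request_auth, server_secret)
        if verify_response(reply, request_auth, client_secret):
            return "accepted", attempt
    return "timeout", max_retries + 1

if __name__ == "__main__":
    print(authenticate(b"s3cret-A", b"s3cret-A", 3))
    print(authenticate(b"s3cret-A", b"s3cret-B", 3))
```

When a RADIUS server appears unresponsive, compare the shared secret on both sides before raising Timeout or Max Retries.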
Configuring Group Security Settings
The Groups > Security page allows you to set security policies for APs in a device group.
This page appears in the WebUI after you configure RADIUS servers on the Groups > AAA Servers page. Once
RADIUS servers are defined, the Groups > Security and Groups > SSIDs menus appear in the navigation bar,
allowing you to select and configure your RADIUS servers.
1. Select the device group for which to define security settings from the Groups > List page.
2. Go to Groups > Security. Some controls on this page interact with additional AirWave pages. Figure 33
illustrates this page and Table 59 explains the fields and default values.
Figure 33: Groups > Security Page Illustration (partial)
Table 59: Groups > Security Page Fields and Default Values
| Setting | Default | Description |
| --- | --- | --- |
| VLANs Section | | |
| VLAN Tagging and Multiple SSIDs | Enabled | This field enables support for VLANs and multiple SSIDs on the wireless network. If this setting is enabled, define additional VLANs and SSIDs on the Groups > SSIDs page. Refer to "Configuring Group SSIDs and VLANs" on page 103. If this setting is disabled, then you can specify the Encryption Mode in the Encryption section that displays. Refer to "Groups > Security Encryption Mode settings" on page 101 for information on configuring Encryption. |
| Management VLAN ID | Untagged | This setting sets the ID for the management VLAN when VLANs are enabled in AirWave. This setting is supported only for the following devices: Proxim AP-600, AP-700, AP-2000, AP-4000; Avaya AP-3, Avaya AP-7, AP-4/5/6, AP-8; ProCurve 520WL. |
| General Section | | |
| Create Closed Network | No | If enabled, the APs in the Group do not broadcast their SSIDs. NOTE: Creating a closed network will make it more difficult for intruders to detect your wireless network. |
| Block All Inter-client Communication | No | If enabled, this setting blocks client devices associated with an AP from communicating with other client devices on the wireless network. NOTE: This option may also be identified as PSPF (Publicly Secure Packet Forwarding), which can be useful for enhanced security on public wireless networks. |
| EAP Options Section | | |
| WEP Key Rotation Interval | 300 | Sets the frequency at which the Wired Equivalent Privacy (WEP) keys are rotated in the device group being configured. The supported range is from 0 to 10,000,000 seconds. |
| RADIUS Authentication Servers Section | | |
| RADIUS Authentication Server #1 - #4 | Not selected | Defines one or more RADIUS Authentication servers to be supported in this device group. Select up to four RADIUS authentication servers from the four drop-down menus. |
| Authentication Profile Name | AirWave Defined | For Proxim devices only, this field sets the name of the authentication profile to be supported in this device group. |
| Server #1 Authentication Profile Index | 1 | For Proxim devices only, this field sets the name of the authentication profile index to be supported in this device group. |
| RADIUS Accounting Servers Section | | |