Dell W-Airwave User Manual

Dell Networking W-Instant
in W-AirWave 8.0
Deployment Guide
Copyright
© Copyright 2015 Hewlett Packard Enterprise Development LP. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. You may request a copy of this source code free of charge at
dl-gplquery@arubanetworks.com. Please specify the product and version for which you are requesting source code.
August 2015 | 0511176-04 Dell Networking W-Instant in W-AirWave 8.0 | Deployment Guide
Contents
About this Document
  Overview of Dell Networking W-Instant
  Instant Management with AirWave
    AirWave Security Options
    Intrusion Detection System
    Firmware Image Management
  Using Instant with AirWave
    Secure Access to AirWave
  AirWave Pages with Instant-Specific Features
  Supported Firmware
Setting up Dell Networking W-Instant
  Overview
  Setting up Instant Manually
    Creating your Organization String
    Authenticating to the AirWave Server
      Shared Key Authentication
      Whitelist Authentication
        Manually Create a Whitelist
        Import a Whitelist CSV file
    Entering the Organization String and AirWave Information into the IAP
  Setting up Instant Automatically
  Verifying the Shared Secret
  Completing the Setup
Using Template Configuration
  Adding the First Instant Device to AirWave
  Updating the Instant Template
  Adding Additional Instant APs to AirWave
  Adding Multiple Devices from a File
  Changing the Mode to Monitor Only for New Instant Devices
  Editing Variables
    Editing Individual Virtual Controller Values
    Bulk Editing of Multiple Virtual Controllers
    Using Custom Variables
  Applying Changes
Using Instant Config
  Enabling Instant Config
  Buttons and Icons in Instant Config
  Importing Devices for Instant Config
    Add Newly Discovered Devices to a Group
  The Instant Config UI
    Group Focus
    Virtual Controller Focus
    Network Focus
  Instant Config > AirWave
    Mismatches
    AP Events
    Config History
    Config Archive
    AirWave Settings
  Where to Get Additional Information
    Field-Level Help
    Additional Documentation
Other Available Tasks
  Resolving Mismatches
    Resolving Mismatches when Instant Config is Disabled
    Resolving Mismatches when Instant Config is Enabled
  Enabling the IAP Role
  Monitoring Devices
  Run Commands
Best Practices and Known Issues
  Best Practices
  Known Issues with the Instant Integration with AirWave
Chapter 1

About this Document

This document describes the Dell Networking W-Instant access point and Virtual Controller system as well as the procedure to integrate this system with W-AirWave. This section contains the following points:
- "Overview of Dell Networking W-Instant"
- "Instant Management with AirWave"
- "Using Instant with AirWave"
- "AirWave Pages with Instant-Specific Features"
- "Supported Firmware"

Overview of Dell Networking W-Instant

Dell Networking W-Instant (Instant) is a system of access points in a Layer 2 subnet. The IAPs are controlled by a single IAP that serves a dual role as an IAP and primary Virtual Controller (VC), eliminating the need for dedicated controller hardware. This system can be deployed through a simplified setup process appropriate for smaller organizations, or for multiple geographically dispersed locations without an on-site administrator.
Only the first IAP/Virtual Controller you add to the network must be configured; the subsequent IAPs will all inherit the necessary configuration information from the Virtual Controller. Dell Networking W-Instant continually monitors the network to determine the IAP that should function as the Virtual Controller at any time, and the Virtual Controller will move from IAP to IAP as necessary without impacting network performance.
The Virtual Controller technology in Dell Networking W-Instant is capable of IAP auto discovery, 802.1X authentication, role-based and device-based policy enforcement, rogue detection, and Adaptive Radio Management (ARM).

Instant Management with AirWave

Unlike other WLAN management products, AirWave eliminates the need to configure and troubleshoot individual APs or dispatch IT personnel on-site. With AirWave, IT can centrally configure, monitor, and troubleshoot Dell Networking W-Instant WLANs, upload new software images, track devices, generate reports, and perform other vital management tasks, all from a remote location.

AirWave Security Options

A Virtual Controller or Instant AP can authenticate to the AirWave server using a pre-shared key, or using two-way certificate-based authentication using an SSL certificate sent from AirWave to the Instant device.
The certificate-based authentication feature requires that you upload a certificate from a supported certificate authority to the AirWave server, because the default AirWave certificate will not be recognized by the Instant AP and will cause the SSL handshake to fail. Certificate authentication also requires that the AirWave IP address information configured on the Instant AP is a domain name, and not an IP address.
AirWave supports the following trusted certificate authorities:
- Chain 1:
  Trusted Root CA: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
  Intermediate CA: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA
- Chain 2:
  Trusted Root CA: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
  Intermediate CA: Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
- Chain 3:
  Trusted Root CA: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Intermediate CA: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
- Root CA:
  Trusted Root CA: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
By default, AirWave supports only pre-shared key authentication. To enable certificate authentication, either with a fall-through to pre-shared key authentication or as the only method, navigate to AMP Setup > General > Dell Networking W Instant Options (may be available as Dell PowerConnect W Instant Options), and select the option PSK and Certificate or Certificate only. If you enable certificate authentication, you can view the current AirWave certificate using the View Certificate link on that page, or click Change to upload a new certificate file to the AirWave server.
Virtual Controllers push data to AirWave via HTTPS. If your enterprise has a security policy that restricts the use of port 443 for inbound communication, you can change the port AirWave uses to communicate with Instant devices on the AMP Setup > General > Dell Networking W Instant Options page.

Intrusion Detection System

AirWave automatically detects rogue IAPs irrespective of their location in the network. It prevents authorized IAPs from being detected as rogue IAPs, and tracks and correlates the IDS events to provide a comprehensive picture of your network’s security.

Firmware Image Management

AirWave pushes firmware to the Dell Networking W-Instant Virtual Controller, and the Virtual Controller pushes the firmware to the rest of its IAPs. When using AirWave to manage IAPs, you can upgrade the firmware by loading the firmware onto AirWave, and then scheduling an upgrade from AirWave.
If you have a mixed deployment with multiple Instant products, AirWave allows you to upload firmware for each of the device types.

Using Instant with AirWave

AirWave can be used to provision and manage a multi-site deployment of Dell Networking W-Instant networks. For example, if you have 100 retail offices that require Instant to provide WLAN connectivity at each office, AirWave can be used to provision all the 100 offices from a central site. AirWave also provides the administrator with the ability to monitor these geographically dispersed Instant networks using an AirWave server (depending on the scalability recommendations for AirWave).
With a distributed deployment where multiple locations have a Virtual Controller and IAPs, AirWave serves as a centralized management console. AirWave provides all functionality for normal WLAN deployments, including long-term trend reporting, PCI compliance, configuration auditing, role-based administration, location services, RF visualization, and many other features.
Integrating Instant systems into AirWave differs from the setup of any other device class because of the following considerations:
- Discovery: AirWave does not discover Instant devices by scanning the network (SNMP or HTTP). Each Instant deployment will automatically check in to the AirWave server configured within the IAP's user interface. The first Virtual Controller for an organization will automatically appear as a new device in AirWave. Subsequent IAPs are discovered via the Virtual Controller, just like standard controller/thin AP deployments.
- Auto-provisioning: The first authorized Virtual Controller requires manual authorization into AirWave via shared secret to ensure security. Along with the shared secret, the Virtual Controller sends an Organization String which automatically initializes and organizes the IAPs in AirWave. Unlike the traditional infrastructure of a physical controller and thin APs, Instant automates many tedious steps of developing a complex hierarchical structure of folders, config groups, templates, admin users, and admin roles for Instant.
- Communication via HTTPS: Because Instant devices may be deployed behind NAT-enabled firewalls, Virtual Controllers push data to AirWave via HTTPS. AirWave initiates no connections to Instant devices via SNMP, TFTP, SSH, and the like. This enables quick remote setup without having to modify firewall rules.
- Virtual controller listed as separate device: The Virtual Controller is listed as an additional device, even though it is part of the existing set of IAPs. If you have 10 physical IAPs, AirWave will list 10 Instant IAPs and one Instant Virtual Controller. An asterisk icon (*) beside the device name indicates that a device is acting as a Virtual Controller. You can also identify the IAP acting as the Virtual Controller by the identical LAN MAC addresses on the APs/Devices > List page, Device Inventory reports, and any other AirWave pages that list your network devices.
A device that is added as a Virtual Controller does not count as a license for AirWave.
Refer to the IAP product data sheet for full operational and regulatory specifications, hardware capabilities, antenna plots, and radio details.

Secure Access to AirWave

By default, virtual controllers use a pre-shared key to authenticate to AirWave. To enable support for a different security method, navigate to AMP Setup > General > Dell Networking W Instant Options, and select PSK, PSK and Certificate or Certificate only. If you select a security method that supports certificate authentication, you can view the currently valid certificate using the View Certificate link in AMP Setup > General > Dell Networking W Instant Options, or click Change to upload a new certificate file.

AirWave Pages with Instant-Specific Features

The following is a summary of AirWave pages affected by Dell Networking W-Instant support:
l APs/Devices > New: When aDell Networking W-Instant device appears in the APs/Devices > New page,
an admin user can mouseover the value on the Type column to display the device's Shared Secret with AirWave.
l APs/Devices > List: The Virtual Controller is listed as an additional device, even though it is part of the
existing set of IAPs. An asterisk icon ( ) beside a device name indicates that the device is acting as a Virtual Controller. You can also identify the IAP acting as the Virtual Controller by the identical LAN MAC addresses on the APs/Devices > List page, Device Inventory reports, and any other AirWave pages that list your network devices.
l Clients > Client Detail: Once IAPs are serving clients, the IAPs can use user-agent strings to extract
operating systems and device descriptions of its clients, and then populate the Device Description and Device OS fields in Clients > Client Detail.
l APs/Devices > Audit: Dell Networking W-Instant configuration fetching can be performed in APs/Devices
> Audit. When template configuration is used to manage devices, the running configuration is stored on the
IAP and verified by the template.
l APs/Devices > Monitor > Radio Statistics: The Radio Statistics page for Dell Networking W-Instant
devices displays Clients, Usage, Radio Channel, Radio Noise, Radio Power, Radio Errors, and Channel Utilization.
l Groups > Instant Config: This feature is available if Enable Instant GUIConfig is enabled on the Groups
> Basic page. This feature allows you to use AirWave as a management console with the same UI as the IAP
device.
Dell Network ing W-Ins tant in W-AirWave 8.0 | Deployment Guide About this Document | 7
l RAPIDS: Because Instant does not support mitigation or high-level rogue reporting, it does not synchronize
classification. All rogue devices are reported and stored in AirWave for evaluation based on high-level rule sets. Instant currently does not match wireless BSSIDs to local MAC addresses within an IAP's ARP table, and does not currently support IDS event notification.
l Reports: Instant Virtual Controllers appear as a separate device in the Device Inventory Report and most
other reports that list devices.
AirWave does not provide a Device Uptime report for Dell Networking W-Instant devices.

Supported Firmware

Dell IAPs running software versions 6.4.3.x-4.2.0.0 and prior are also supported, including the management of configuration settings and software upgrades. The following table shows when each new version of Instant was initially supported in AirWave.
Table 1: Instant support in AirWave

Instant Version    Support Introduced In     Support for Instant Config
6.4.3.x-4.2.0.0    AirWave 8.0.9             Yes
6.4.2.3-4.1.2.0    AirWave 8.0.9             Yes
6.4.2.0-4.1.1.0    AirWave 8.0.4             Yes
6.4.0.0-4.1.0.0    AirWave 8.0               Support for Instant Config introduced in AirWave 8.0.4
6.3.1.0-4.0.0.0    AirWave 8.0 and 7.7.10    Yes
6.2.1.0-3.4.0.0    AirWave 7.7.2             Yes
6.2.0.0-3.3.0.0    AirWave 7.6.4             Yes
6.2.0.0-3.2.0.0    AirWave 7.6.1             Yes
6.1.3.4-3.1.0.0    AirWave 7.5.6             No
6.1.3.1-3.0.0.0    AirWave 7.5.0             No

*Instant Config is fully supported in Instant 3.2. New features introduced in Instant 3.3 and 3.4 are not currently supported.
Chapter 2

Setting up Dell Networking W-Instant

Overview

You can set up Dell Networking W-Instant in one of the following ways:
- Manually. See "Setting up Instant Manually".
- Automatically (through DHCP). See "Setting up Instant Automatically".
The automatic setup is most suited for a multi-site Instant deployment. Both options are summarized here, but refer to the Dell Networking W-Instant documentation for more information on setting up the hardware and configuring the network.
For each remote location, an on-site installer is required to physically mount the IAPs, connect to the Dell Networking W-Instant SSID, configure the WLAN, configure the names of the IAPs, and enter the information in the first IAP’s user interface that will enable communication with AirWave. The first Instant network that is added to AirWave includes the ‘golden’ configuration that is used as a template to provision other Instant networks at other locations as the locations are brought online. It is recommended that the ‘golden’ configuration is validated and pre-tested in a non-production environment prior to applying it to a production network.
Users have the option to add additional devices into managed mode automatically by setting the Automatically Authorized Virtual Controller Mode option to Manage Read/Write on the AMP Setup > General page. Refer to the Dell Networking W-AirWave 8.0 User Guide for more information. It is also important to note that any changes that are made to the template variables will have to be manually applied to each deployed device.

Setting up Instant Manually

When setting up Dell Networking W-Instant manually, you will be requested to provide an Organization string, the AirWave IP address, and a Shared Key. The steps to create this information are described in the following sections:
- "Creating your Organization String"
- "Authenticating to the AirWave Server"
- "Entering the Organization String and AirWave Information into the IAP"

Creating your Organization String

The Organization String is a set of colon-separated strings created by the AirWave administrator to accurately represent the deployment of each Dell Networking W-Instant system. This string is entered into the Dell Networking W-Instant UI by the on-site installer.
The format of the Organization String is Org:subfolder1:subfolder2... and so on, up to 31 characters long. Org, the top-level string, is generally the name of your organization and is used to automatically generate the following (if not already present) in AirWave:
- AirWave Role: Org Admin (initially disabled)
- AirWave User: Org Admin (assigned to the role Org Admin)
- Folder: Org (under the Top folder in AirWave)
- Configuration Group: Org
Additional strings in the Organization String are used to create a hierarchy of subfolders under the folder named Org:
- subfolder1 would be a folder under the Org folder
- subfolder2 would be a folder under subfolder1
To create your Organization String, consider the plan of how your Dell Networking W-Instant IAPs are to be physically distributed. As a best practice, the Organization String should mirror your company's geographical or internal reporting structure. For example, if you plan to deploy Dell Networking W-Instant in four stores in two different cities for Acme Corporation, your Organization Strings might look like these:
- Acme:New York:Times Square Store
- Acme:New York:Queens Store
- Acme:San Francisco:Sunset Store
- Acme:San Francisco:SOMA Store

Authenticating to the AirWave Server

When the AirWave administrator manually authorizes the first Virtual Controller for an organization, Dell Networking W-AirWave uses the Virtual Controller's shared key or authentication certificate to authenticate other Instant devices on the network. Once individual Instant access points have successfully completed authentication, they can also be validated against a predefined whitelist before they appear in the APs/Devices > New list.
Users have the option to add additional devices into managed mode automatically by setting the Automatically Authorized Virtual Controller Mode option to Manage Read/Write on the AMP Setup > General page. Refer to the Dell Networking W-AirWave 8.0 User Guide for more information. It is also important to note that any changes that are made to the template variables will have to be manually applied to each deployed device.

Shared Key Authentication

The AirWave administrator can use a shared key to manually authorize the first Virtual Controller for an organization. Any string is acceptable, but this string must be the same for all devices in your organization.
The AirWave administrator sends the shared secret key, Organization String and the AirWave IP address to the on-site installer setting up the Virtual Controller and other Instant devices on the network. The AirWave administrator then manually authorizes the Virtual Controller shared secret key when it appears in the APs/Devices > New list. After the VC has been validated, other Instant devices using that shared key will automatically authenticate with the AirWave server, and appear in the APs/Devices > New list.
Always ensure the protection of your organization’s shared secret. Knowledge of this shared secret, the organization string, and communication protocol could allow a rogue device to masquerade as a Dell Networking W-Instant device.

Whitelist Authentication

The Instant whitelist database is a list of the Instant APs that are allowed to access the AirWave server after completing pre-shared key or certificate authentication. Whitelist authentication is disabled by default, but can be enabled in the Authorize Dell InstantAPs connecting to AirWave section of the AMP Setup > General page. The best practice is to create your whitelist before enabling the whitelist authentication feature.
The Instant AP whitelist can be manually configured using the AirWave UI, or imported into AirWave in comma-separated values (CSV) format.
Whitelist files can include the following data columns. The Name field is mandatory, and each entry must also contain either a serial number or a LAN MAC address.
- name
- LAN MAC Address
- serial number
- Virtual Controller name
- group name
- folder name
- custom_variable_1...custom_variable_10
An example of a whitelist entry using this format is as follows:
Name,LAN MAC Address,Serial Number,Virtual Controller Name,Group Name,Folder Name
IAP_Canada_1,ff:c7:c8:c4:21:ff,BD0086086,Canada-Office,Canada,Vancouver:Downtown
IAP_US_1,F0:0B:86:CF:93:FF,BE0542245,US-Office,US,San Fancisco:CenterTown:HillTop
When this feature is enabled and an Instant AP attempts to connect to AirWave, AirWave checks the MAC address or serial number of the Instant AP against this whitelist, and authorizes the device if its MAC address or serial number matches a whitelist entry. Once authorized, that device appears in the APs/Devices > New page, where it can be assigned to a Dell Networking W-AirWave group and folder.
Manually Create a Whitelist
To enable whitelist authentication and add Instant APs to a whitelist:
1. Navigate to AMP Setup > General.
2. In the Authorize Dell InstantAPs connecting to AirWave section, click the Whitelist option.
3. Next, navigate to APs/Devices > New.
4. Click the Instant AP Whitelist drop-down list at the top of the page, and select Add an Instant AP to the Whitelist.
5. Enter whitelist information for the Instant AP. Each whitelist entry must have an Instant AP name and either a serial number or a MAC address.
6. Click Add. You are prompted to confirm changes. Click Apply Changes Now, or specify a time that the device should be added to the whitelist.
Import a Whitelist CSV file
To import a whitelist CSV file to the AirWave server:
1. Navigate to AMP Setup > General > Automatic Authorization.
2. In the Authorize Dell InstantAPs connecting to AirWave section, click the Whitelist option.
3. Next, navigate to APs/Devices > New.
4. Click the Instant AP Whitelist drop-down list at the top of the page, and select Import Instant AP Whitelist from CSV. The Upload Options page opens. This page describes the required fields and format for the whitelist file.
5. Select one of the following upload modes.
   - Update: Add new information to the existing whitelist database.
   - Replace: Delete the existing whitelist database, and replace it with the new file.
6. Click Browse to select the CSV file, then click Upload.

Entering the Organization String and AirWave Information into the IAP

For the initial IAP/Virtual Controller set up in each location, the on-site installer logs in to the first IAP's web interface via the Dell Networking W-Instant configuration SSID, and navigates to Settings > AirWave. The installer then enters the correct Organization String, the AirWave IP address, and the Shared Secret key, as shown in Figure 1. Perform the following steps to set up AirWave in Instant.
1. Log in to your IAP.
2. Click either Set up Now at the bottom of the UI or the Settings tab in the top right corner. This opens the Settings menu.
3. Locate the Dell Networking W-AirWave section on the Admin tab.
Figure 1: Dell Networking W-Instant > Settings page
4. Enter the Organization string, the AirWave IP address, and the Shared key.
5. Click OK when you are finished.

Setting up Instant Automatically

Instant can be configured automatically using DHCP options 60 and 43.
The Dell Networking W-Instant Virtual Controller initiates a DHCP request with the DHCP option 60 string 'Dell Networking W-Instant'. If the DHCP server is configured to recognize this option 60 string, it will return an option 43 string containing the organization, AirWave IP, and pre-shared key (the organization is optional). The three pieces of information should be specified using comma separators without any spaces. For example,
option 43 text "TME-Instant,10.169.240.8,dell123"
The AirWave information in the option 43 will be used to connect to AirWave, if AirWave is not otherwise configured manually on the Virtual Controller.
The organization string can be hierarchical and define sub-folders for different stores. This supports an architecture that is required to manage multiple branches or stores where individual stores can be managed by local administrators.
DHCP server options:
ip dhcp pool IAP-Pool
   default-router 10.169.241.1
   option 60 text "DellInstantAP"
   option 43 text "Acme:Store1,10.169.240.8,dell123"
   network 10.169.241.0 255.255.255.0
   authoritative
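The following Python sketch is an added example, not code from the guide or from AirWave. It parses the option 43 string described above and the Organization String format from "Creating your Organization String", then audits a DHCP pool configuration and reports what it hands out with the shared key masked. The assumptions are labelled in the comments: the AirWave address is an IP literal, the 31-character limit covers the whole Organization String, and exactly two or three comma-separated fields are present.

```python
import ipaddress
import re

MAX_ORG_LEN = 31  # from the guide; assumed here to cover the whole string
OPTION43_RE = re.compile(r'option 43 text "([^"]*)"')


def parse_org_string(org):
    """Return the AirWave objects the guide says an Organization String creates."""
    parts = org.split(":")
    if any(not p.strip() for p in parts):
        raise ValueError(f"empty segment in organization string {org!r}")
    top = parts[0]
    return {
        "role": f"{top} Admin",          # created disabled, per the guide
        "user": f"{top} Admin",          # assigned to the role above
        "config_group": top,
        "folder_path": ["Top"] + parts,  # Org under Top, then nested subfolders
        "within_limit": len(org) <= MAX_ORG_LEN,
    }


def parse_option43(text):
    """Parse '[organization,]airwave_ip,shared_key' as described in the guide."""
    fields = text.split(",")
    if any(f != f.strip() for f in fields):
        raise ValueError("spaces are not allowed around the comma separators")
    if len(fields) == 3:
        org, host, key = fields
    elif len(fields) == 2:  # the organization is optional
        org = None
        host, key = fields
    else:
        # Assumption of this sketch: a shared key containing a comma cannot
        # be carried in this format.
        raise ValueError(f"expected 2 or 3 fields, got {len(fields)}")
    try:
        ip = ipaddress.ip_address(host)  # assumption: IP literal, as in the guide
    except ValueError:
        raise ValueError(f"{host!r} is not an IP address") from None
    if not key:
        raise ValueError("shared key is empty")
    return {
        "organization": parse_org_string(org) if org else None,
        "airwave_ip": str(ip),
        "shared_key": key,
    }


def audit_dhcp_config(config):
    """Report every option 43 string in a DHCP config with the key masked."""
    findings = []
    for value in OPTION43_RE.findall(config):
        parsed = parse_option43(value)
        parsed["shared_key"] = "<redacted>"
        findings.append(parsed)
    return findings


# DHCP pool configuration as shown in the guide.
PAGE_CONFIG = '''\
ip dhcp pool IAP-Pool
   default-router 10.169.241.1
   option 60 text "DellInstantAP"
   option 43 text "Acme:Store1,10.169.240.8,dell123"
   network 10.169.241.0 255.255.255.0
   authoritative
'''

if __name__ == "__main__":
    for finding in audit_dhcp_config(PAGE_CONFIG):
        print(finding)
```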