Aruba Wireless Network Configuration Training (slide deck)
Aruba Wireless Network Training
People move. Networks must follow.

Company overview
Market position: the world's leading provider of secure wireless networks; the only publicly listed company specialising in WLAN; ranked #1 among Silicon Valley technology companies; 6500+ customers worldwide.

Market positioning of Aruba products
- Connectivity: Wireless LAN coverage (RF Management, Rogue AP Detection)
- Security: secure access (Authentication, Encryption, Intrusion Prevention)
- Mobility: converged mobile applications (QoS, Roaming, Handovers, Location, RFID)
- Mobile device management (Security, Battery Life, Device Management)
- User tiers: Employees, Contractors, Guests

Aruba user-centric networks
- Follow-Me Connectivity: high-performance wireless campus network; plug-and-play remote access points; branch-office networks of any size; secure enterprise wireless mesh.
- Follow-Me Security: RFprotect wireless intrusion prevention (Who, What, Where, When, How?); role-based security policy; overlay network security features; integrated network access control; secure guest access.
- Follow-Me Applications: persistent voice calls; data session persistence; application-aware quality of service; location-based applications; video optimisation; adaptive WLAN; identity-based security; application-layer quality assurance.
- Follow-Me Management: multi-vendor device management; per-user management and reporting; visual wireless heat maps; rogue AP identification and location; expert fault-diagnosis system; unified user and network management.

Automatic optimisation: an intelligent network that needs no manual intervention
Adaptive Radio Management (ARM)
- continuously optimises the WLAN based on the usable spectrum
- scans and monitors the spectrum in real time
- automatically selects the best channel and transmit power, reducing collisions and interference, and fills coverage holes automatically when an AP fails
- load-balances by user count and traffic
- steers dual-band clients to the preferred band
- gives fair airtime to fast and slow clients
- load-aware RF scanning
(Figure: the channel that can be used depends on physical location, time and the channels available; that is the challenge.)

Dynamic RF environment
Within a given coverage area the usable working channels are not fixed: they depend on the interference present, the user density and the traffic load (figure: lobby, study room, meeting room, office/desk).

Easy to extend: extend the wireless network anywhere, any time
(Figure: branch office and corporate headquarters connected over the Internet. Guest Internet access terminates in the DMZ; GUEST, CORP and VOICE traffic are kept apart; a DSL router at the branch carries a split tunnel so that Internet traffic leaves locally while the user-centric built-in firewall/NAT applies policy.)

The most powerful wireless controller in the industry
(Figure: chassis with fan tray, up to 4 M3 Mark I modules, redundant PSUs, 40 x 1000Base-X (SFP) and 8 x 10GBase-X (XFP) ports.)
- 80 Gbit/s line-rate forwarding in a single chassis
- 2048 APs managed by a single controller
- extends from indoor to outdoor, and out to the wider Internet

Identity-based access control and bandwidth management
User rights management: Who (user authentication) + What (authentication method) + When (access time) + Where (access location) + How (client device).
Per-user wireless stateful firewall:
- a single physical network device
- users grouped in any way required
- different L2-L7 policy control per group or user
- different upstream/downstream bandwidth allocation per user
- different QoS levels per user
The Aruba firewall detects a range of potential attacks, among them ICMP floods, TCP SYN floods, IP session floods, IP spoofing, RST relay and ARP attacks, and automatically blacklists the attacker and drops its wireless connection.

(Figure: Virtual AP 1 (SSID: ABC) and Virtual AP 2 (SSID: VOICE) on the same access point; standard, free, VIP and voice clients reach the mobility controller through the AP, are authenticated against the AAA infrastructure and the web portal, and each receive their own rights, QoS and policy; the classes of client may share a VLAN or use different ones.)

Aruba wireless network architecture
(Figure: an AP on a 10/100 Mbit/s L2/L3 access switch, with the controller, a DHCP server and an application server on the wired network.)
Communication sequence:
1. The AP is connected to a switch port of the existing network; after power-on it obtains an IP address.
2. The AP learns the loopback IP address of the Aruba controller in one of several ways: static configuration, returned by DHCP, DNS resolution, multicast or broadcast.
3. The AP and the controller set up a PAPI tunnel (UDP 8211). The AP compares and, where needed, downloads its image and configuration from the controller over FTP or TFTP, builds a GRE tunnel to the controller according to that configuration, and starts serving wireless clients.
4. Wireless users join the network through an SSID. All user traffic travels through the GRE tunnel between the AP and the controller straight to the controller, where encryption and decryption, authentication, authorisation, policy and forwarding are applied.
Because the discovery steps and the FTP/TFTP image download are neither authenticated nor encrypted, the wired segment between APs and controller should be a trusted management VLAN rather than a network that user devices can reach.

Configuring the Aruba wireless controller
- Administrator login (admin/saic_admin): CLI or Web
- Management accounts
- Network configuration: VLAN, IP address, IP route, IP DHCP
- Security configuration: Policy, Role, AAA
- Wireless configuration: SSID, Virtual AP

Administrator login
Command line:
  User: admin
  Password: *
  (Aruba800) >en
  Password: *
  (Aruba800) #configure t
  Enter Configuration commands, one per line. End with CNTL/Z
Web UI: https://<controller address>
Managing admin accounts (mgmt-user):
  (Aruba800) (config) #mgmt-user admin root
  Password: *
  Re-Type password: *
  (Aruba800) (config) #
The training credentials above are shared defaults; replace them before the controller carries production traffic.

Network configuration of the Aruba controller
Configure a VLAN:
  (Aruba800) (config) #vlan 200
  (Aruba800) (config) #interface fastethernet 1/0
Access mode:
  (Aruba800) (config-if)#switchport access vlan 200
  (Aruba800) (config-if)#switchport mode access
Trunk mode:
  (Aruba800) (config-if)#switchport trunk allowed vlan all
  (Aruba800) (config-if)#switchport mode trunk
  (Aruba800) (config-if)#show vlan
  VLAN CONFIGURATION
  VLAN  Name      Ports
  1     Default   FE1/1-7
  100   VLAN0100  GE1/8
  200   VLAN0200  FE1/0

Configure an IP address:
  (Aruba800) (config) #interface vlan 200
  (Aruba800) (config-subif)#ip address 54          (VLAN interface)
  (Aruba800) (config-subif)#ip helper-address      (DHCP relay)

Configure IP routes:
Default route:
  (Aruba800) (config) #ip default-gateway
Static route:
  (Aruba800) (config) #ip route
  (Aruba800) (config) #show ip route
  Codes: C - connected, O - OSPF, R - RIP, S - static
         M - mgmt, U - route usable, * - candidate default
  Gateway of last resort is  to network
  S*  /0   1/0 via
  S   /24  1/0 via
  C   is directly connected, VLAN1
  C   is directly connected, VLAN100
  C   is directly connected, VLAN200
(The slide leaves the address operands of these commands blank.)

Configure a DHCP server:
  (Aruba800) (config) #ip dhcp pool user_pool
  (Aruba800) (config-dhcp)#default-router 54
  (Aruba800) (config-dhcp)#dns-server
  (Aruba800) (config-dhcp)#network
  (Aruba800) (config-dhcp)#exit
  (Aruba800) (config) #service dhcp

Security configuration of the Aruba controller
(Figure: rules are grouped into policies (Policy 1 to Policy 5), policies are attached to roles (Role 1 to Role 4), and each user (User1 to UserN) is assigned exactly one role.)

Role derivation assigns each user to a role: 1) locally derived, 2) server assigned, 3) default role.
Building blocks: policies, roles, derivation.

Firewall policy: an ordered set of rules
(Figure: a rule matches on source and destination (addresses or aliases such as FTP, DNS, etc.) and service, and applies deny, permit or NAT, optionally with log, queue, 802.1p assignment, TOS and a time range.)
Example policy:
  ip access-list session Internet_Only
    user any udp 68 deny
    user any svc-dhcp permit
    user host svc-dns permit
    user host svc-dns permit
    user alias Internal-Network any deny log
    user any any permit
Read top to bottom: the first rule stops the client from answering as a DHCP server (destination port UDP 68), the second lets it be a DHCP client, the next two allow DNS only to the listed servers (the slide leaves their addresses blank), the deny-log rule blocks and records any other traffic towards the internal networks, and the final rule lets everything else out to the Internet. The first matching rule decides.
Aliases:
1) Network aliases:
  netdestination Internal-Network
    network ...
    network ...
  netdestination External-network
    network ...
    network ...
    invert
  (invert makes the alias match every address except the listed networks)
2) Service alias:
  netservice svc- tcp 80
Creating roles and creating policies (Web UI screens).

User roles
- A role determines each user's access rights.
- Every role must be bound to one or more policies.
- Firewall policies are executed in order; the last, implicit default rule is "deny all".
- A role can carry a bandwidth limit and a session-count limit.
A role can be assigned in several ways:
- the default role of the access authentication method (e.g. 802.1X, VPN, WEP, etc.)
- a role derived from the authentication server (e.g. RADIUS/LDAP attributes)
- local derivation rules (ESSID, MAC, encryption type, etc.)
Every user on an Aruba controller is assigned a role!

  (Aruba800) #show rights
  RoleTable
  Name              ACL  Bandwidth                   ACL List                                                                                        Type
  ap-role           4    Up: No Limit, Dn: No Limit  control,ap-acl                                                                                  System
  authenticated     39   Up: No Limit, Dn: No Limit  allowall,v6-allowall                                                                            User
  default-vpn-role  37   Up: No Limit, Dn: No Limit  allowall,v6-allowall                                                                            User
  guest             3    Up: No Limit, Dn: No Limit  -acl,https-acl,dhcp-acl,icmp-acl,dns-acl,v6-acl,v6-https-acl,v6-dhcp-acl,v6-icmp-acl,v6-dns-acl  User
  guest-logon       6    Up: No Limit, Dn: No Limit  logon-control,captiveportal                                                                     User
  logon             1    Up: No Limit, Dn: No Limit  logon-control,captiveportal,vpnlogon,v6-logon-control                                           User
  stateful-dot1x    5    Up: No Limit, Dn: No Limit                                                                                                  System
  voice             38   Up: No Limit, Dn: No Limit  sip-acl,noe-acl,svp-acl,vocera-acl,skinny-acl,h323-acl,dhcp-acl,tftp-acl,dns-acl,icmp-acl      User

  (Aruba800) #show rights authenticated
  Derived Role = authenticated
  Up BW: No Limit   Down BW: No Limit
  L2TP Pool = default-l2tp-pool
  PPTP Pool = default-pptp-pool
  Periodic reauthentication: Disabled
  ACL Number = 39/0
  Max Sessions = 65535
  access-list List
  Position  Name         Location
  1         allowall
  2         v6-allowall
  allowall
  Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
  1         any     any          any      permit                               Low
  v6-allowall
  Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
  1         any     any          any      permit                               Low
  Expired Policies (due to time constraints) = 0
The built-in authenticated role is allowall in both address families: any user who lands in it has unrestricted access, so assign it only where that is intended.

Defining a user role:
  (Aruba800) (config) #user-role visitors
  (Aruba800) (config-role) #access-list session Internet_Only
  (Aruba800) (config-role) #max-sessions 100
  (Aruba800) (config-role) #exit
  (Aruba800) (config) #
(The role references the policy by the exact name given to ip access-list session; the slide wrote it as internet-only.)

Default role assignment by access authentication method:
  (Aruba800) (config) #show aaa profile default
  AAA Profile "default"
  Parameter                           Value
  Initial role                        logon
  MAC Authentication Profile          N/A
  MAC Authentication Default Role     guest
  MAC Authentication Server Group     default
  802.1X Authentication Profile       N/A
  802.1X Authentication Default Role  guest
  802.1X Authentication Server Group  N/A
  RADIUS Accounting Server Group      N/A
  XML API server                      N/A
  RFC 3576 server                     N/A
  User derivation rules               N/A
  Wired to Wireless Roaming           Enabled
  SIP authentication role             N/A

  (Aruba800) (config) #show aaa authentication captive-portal default
  Captive Portal Authentication Profile "default"
  Parameter                                    Value
  Default Role                                 guest
  Server Group                                 default
  Redirect Pause                               10 sec
  User Login                                   Enabled
  Guest Login                                  Disabled
  Logout popup window                          Enabled
  Use for authentication                       Disabled
  Logon wait minimum wait                      5 sec
  Logon wait maximum wait                      10 sec
  logon wait CPU utilization threshold         60 %
  Max Authentication failures                  0
  Show FQDN                                    Disabled
  Use CHAP (non-standard)                      Disabled
  Sygate-on-demand-agent                       Disabled
  Login page                                   /auth/index.html
  Welcome page                                 /auth/welcome.html
  Show Welcome Page                            Yes
  Adding switch ip address in redirection URL  Disabled

Role assignment from rules on the authentication server's reply:
  (Aruba800) (config) #aaa server-group test
  (Aruba800) (Server Group "test") #set role condition memberOf contains student set-value student
Note: assigning a role from user attributes fetched from an LDAP server can only be configured through the CLI.

Role assignment from user-defined rules:
  (Aruba800) (config) #aaa derivation-rules user test_rule
  (Aruba800) (user-rule) #set role condition encryption-type equals dynamic-aes set-value authenticated position 1
  (Aruba800) (user-rule) #set role condition encryption-type equals dynamic-tkip set-value guest position 2
Rules are evaluated in position order and the first matching rule sets the role.

Blacklisting clients
What is blacklisting?
- Deauthenticated from the network: if a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect.
- Blocked from associating to APs: blacklisting prevents a client from associating with any AP in the network for a specified amount of time.
- Blocked from other SSIDs: while blacklisted, the client cannot associate with another SSID in the network.
Methods of blacklisting
- Manual: an admin user can blacklist a specific client from the clients screen at Monitoring > Clients.
- Firewall policy: a firewall policy can result in the client being blacklisted.
- Authentication failures: a client that fails to authenticate a configured number of times for a specified authentication method is blacklisted automatically.
- IDS attack: detection of a denial-of-service or man-in-the-middle (MITM) attack in the network.
Duration of blacklisting: the blacklist duration is set per SSID, in the Virtual AP profile.
Rule-based blacklisting: Configuration > Access Control > Policies. Configuring firewall-policy blacklisting: the rule set shown is used to blacklist clients that try to attach to the controller IP address.
Viewing blacklisted clients: Monitoring > Blacklist Clients. This screen allows clients to be put back into production/logon roles by removing them from the blacklist.
Considerations when blacklisting clients: policy enforcement; devices with weak encryption; denying guests access to the corporate network; it may be disruptive to employees.

Bandwidth contracts
- applied to roles
- specified in Kbps or Mbps
- upstream and downstream
- for all users or per user
Apply the bandwidth contract to the role.

Wireless configuration of the Aruba controller
(Figure: an AP group combines Wireless LAN (one or more Virtual APs, each with properties, an SSID profile, an AAA profile and a VLAN), RF Management (a/g radio settings, RF optimisation), AP (system profile, Ethernet, regulatory, SNMP), QoS (VoIP) and IDS profiles.)

Encryption method: keeps data private while it travels over the air. Choices are no encryption (open), layer-2 encryption (WEP, TKIP, AES) or layer-3 encryption (VPN).
Authentication method: makes sure that only legitimate users join the wireless network. Choices are no authentication, or MAC, EAP, captive portal, VPN and others.
Access control: effective control of the traffic of legitimately connected users, covering which network resources they may reach, bandwidth and time.
Key configuration objects of a WLAN service: SSID Profile, AAA Profile, Role.

  (Aruba800) #show wlan virtual-ap default
  Virtual AP profile "default"
  Parameter                              Value
  Virtual AP enable                      Enabled
  Allowed band                           all
  SSID Profile                           default
  VLAN                                   100
  Forward mode                           tunnel
  Deny time range                        N/A
  Mobile IP                              Enabled
  HA Discovery on-association            Disabled
  DoS Prevention                         Disabled
  Station Blacklisting                   Enabled
  Blacklist Time                         3600 sec
  Authentication Failure Blacklist Time  3600 sec
  Fast Roaming                           Disabled
  Strict Compliance                      Disabled
  VLAN Mobility                          Disabled
  AAA Profile                            default
  Remote-AP Operation                    standard

Defining the SSID profile:
  (Aruba800) (config) #wlan ssid-profile test
  (Aruba800) (SSID Profile "test") #essid test          (the SSID name the WLAN advertises)
  (Aruba800) (SSID Profile "test") #opmode ?            (the encryption modes the WLAN can use)
  dynamic-wep     WEP with dynamic keys
  opensystem      No encryption
  static-wep      WEP with static keys
  wpa-aes         WPA with AES encryption and dynamic keys using 802.1X
  wpa-psk-aes     WPA with AES encryption using a pre-shared key
  wpa-psk-tkip    WPA with TKIP encryption using a pre-shared key
  wpa-tkip        WPA with TKIP encryption and dynamic keys using 802.1X
  wpa2-aes        WPA2 with AES encryption and dynamic keys using 802.1X
  wpa2-psk-aes    WPA2 with AES encryption using a pre-shared key
  wpa2-psk-tkip   WPA2 with TKIP encryption using a pre-shared key
  wpa2-tkip       WPA2 with TKIP encryption and dynamic keys using 802.1X
  xSec            xSec encryption
  (Aruba800) (SSID Profile "test") #opmode opensystem
opensystem is appropriate only for a captive-portal guest SSID whose traffic is treated as untrusted and confined by its role. WEP (static or dynamic) and TKIP are broken ciphers and should not be offered; corporate SSIDs should use wpa2-aes with 802.1X.

Defining the AAA profile
AAA profile for an open SSID:
  (Aruba800) (config) #aaa profile test
  (Aruba800) (AAA Profile "test") #clone default
Captive-portal profile for portal authentication:
  (Aruba800) (config) #aaa authentication captive-portal test
  (Aruba800) (Captive Portal Authentication Profile "test") #clone default
  (Aruba800) (Captive Portal Authentication Profile "test") #default-role guest
  (Aruba800) (Captive Portal Authentication Profile "test") #no enable-welcome
  (Aruba800) (Captive Portal Authentication Profile "test") #server-group test

Configuring the LDAP server:
  (Aruba800) (config) #aaa authentication-server ldap test
  (Aruba800) (LDAP Server "test") #host 0
  (Aruba800) (LDAP Server "test") #admin-dn admin
  (Aruba800) (LDAP Server "test") #admin-passwd admin
  (Aruba800) (LDAP Server "test") #base-dn cn=users,dc=qa,dc=domain,dc=com
  (Aruba800) (LDAP Server "test") #allow-cleartext
allow-cleartext lets the controller bind over plain LDAP, which exposes the admin-dn password and every authenticating user's credentials to anyone on the path; in production use LDAP over TLS and leave this option off.

Configuring the server group:
  (Aruba800) (config) #aaa server-group test
  (Aruba800) (Server Group "test") #auth-server test
  (Aruba800) (Server Group "test") #set role condition memberOf contains guest set-value guest
  (Aruba800) (config) #show aaa server-group test
  Fail Through: No
  Auth Servers
  Name  Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
  test  Ldap         No
  Role/VLAN derivation rules
  Priority  Attribute  Operation  Operand  Type    Action    Value  Valid
  1         memberOf   contains   guest    String  set role  guest  No

Calling the captive-portal profile from the initial role (logon):
  (Aruba800) (config) #user-role logon
  (Aruba800) (config-role) #captive-portal test
  (Aruba800) (config-role) #exit

(Figure: how the objects fit together. A Virtual AP references an AAA profile, a VLAN and an SSID profile (ESSID, OpenSystem). The AAA profile names the initial role and the captive-portal profile; the captive-portal profile names its default role and a server group; the server group lists the LDAP and RADIUS servers and the derived-role rules; every role is built from policies.)

Thank You
Follow-Me Connectivity. Follow-Me Security. Follow-Me Applications. Follow-Me Management.

Lab Topology - Basic Install
(Diagram: for table X the master controller sits on Mgmt VLAN 1X = 10.1.1X.2/24 with loopback 10.1.1X.100 and Employee VLAN 10X; the L3 switch carries Mgmt VLAN 1X = 10.1.1X.1/24 as the native VLAN and VLAN 10X = 172.16.10X.1/24 on the trunk; AP1 and AP2 hang off the switch; the wired side hosts RADIUS, DHCP, DNS, the corporate web server and the corporate SIP server; voice uses VLAN 701. The lab SSIDs use WEP.)
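The "Firewall policy" and "User roles" slides describe how a session ACL is applied: the role's policies are walked in order, the first matching rule decides, and whatever reaches the end of the last policy hits the implicit "deny all". The evaluator below is an added example written for this page, not ArubaOS code; it replays the deck's Internet_Only policy against constructed flows. The RFC 1918 prefixes behind Internal-Network/External-network, the port ranges of svc-dhcp and svc-dns, the two DNS server addresses and the extra dhcp-only policy are assumptions, because the slide names those objects but leaves their values blank.

```python
"""Session-ACL evaluation as an Aruba role applies it: the role's policies
are walked in order, the first matching rule decides, and anything that
reaches the end of the last policy hits the implicit "deny all".
Added example for this deck, not ArubaOS code. Alias prefixes, the DNS
server addresses and the 'dhcp-only' policy are assumptions: the slide
names the aliases and hosts but leaves their values blank."""
import ipaddress
from dataclasses import dataclass

# netdestination <name> / network ... [/ invert]   (prefixes assumed: RFC 1918)
NETDESTINATIONS = {
    "Internal-Network": (["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], False),
    "External-network": (["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], True),  # invert
}
# netservice <name> <proto> <port> [<port>]   (port ranges assumed)
NETSERVICES = {"svc-dhcp": ("udp", 67, 68), "svc-dns": ("udp", 53, 53), "svc-http": ("tcp", 80, 80)}
DNS_SERVERS = ["10.1.1.53", "10.1.2.53"]   # assumed targets of 'user host <ip> svc-dns permit'


@dataclass
class Flow:
    """One session as the controller sees it; the wireless client is the source."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    src: str          # 'user' | 'any' | 'host <ip>' | 'alias <netdestination>'
    dst: str
    svc: str          # 'any' | '<proto> <port> [<port>]' | netservice name
    action: str       # 'permit' | 'deny'
    log: bool = False


def match_addr(spec: str, ip: str, flow: Flow) -> bool:
    """Resolve a source/destination spec the way the rule syntax reads."""
    if spec == "any":
        return True
    if spec == "user":                           # the client the role is applied to
        return ip == flow.src
    kind, _, arg = spec.partition(" ")
    if kind == "host":
        return ip == arg
    if kind == "alias":
        nets, invert = NETDESTINATIONS[arg]
        hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
        return hit != invert                     # 'invert' flips the alias
    raise ValueError(f"unknown address spec {spec!r}")


def match_svc(spec: str, flow: Flow) -> bool:
    if spec == "any":
        return True
    if spec in NETSERVICES:
        proto, lo, hi = NETSERVICES[spec]
    else:                                        # inline 'udp 68' or 'tcp 80 88'
        parts = spec.split()
        proto, lo = parts[0], int(parts[1])
        hi = int(parts[2]) if len(parts) > 2 else lo
    return flow.proto == proto and lo <= flow.dport <= hi


# ip access-list session Internet_Only, rule for rule as on the slide
POLICIES = {
    "Internet_Only": [
        Rule("user", "any", "udp 68", "deny"),                      # never act as a DHCP server
        Rule("user", "any", "svc-dhcp", "permit"),
        Rule("user", f"host {DNS_SERVERS[0]}", "svc-dns", "permit"),
        Rule("user", f"host {DNS_SERVERS[1]}", "svc-dns", "permit"),
        Rule("user", "alias Internal-Network", "any", "deny", log=True),
        Rule("user", "any", "any", "permit"),
    ],
    # constructed policy with no catch-all, to show the implicit deny
    "dhcp-only": [Rule("user", "any", "svc-dhcp", "permit")],
}
# user-role <name> / access-list session <policy> ...
ROLES = {"visitors": ["Internet_Only"], "dhcp-test": ["dhcp-only"]}


def evaluate(role: str, flow: Flow) -> tuple:
    """Return (action, logged, '<policy>#<rule>' or 'implicit') for a flow under a role."""
    for policy in ROLES[role]:
        for idx, r in enumerate(POLICIES[policy], start=1):
            if (match_addr(r.src, flow.src, flow) and match_addr(r.dst, flow.dst, flow)
                    and match_svc(r.svc, flow)):
                return r.action, r.log, f"{policy}#{idx}"
    return "deny", False, "implicit"             # end of the last policy: deny all


if __name__ == "__main__":
    client = "192.168.10.20"                     # constructed sample flows
    for f in (Flow(client, "255.255.255.255", "udp", 67), Flow(client, "192.168.10.30", "udp", 68),
              Flow(client, "10.1.1.53", "udp", 53), Flow(client, "10.2.3.4", "tcp", 445),
              Flow(client, "93.184.216.34", "tcp", 443)):
        print(f"{f.proto}/{f.dport} -> {f.dst:<16} {evaluate('visitors', f)}")
```

The order matters: swapping the first two rules would let a client answer DHCP requests, and moving the final permit above the Internal-Network deny would silently open the internal networks. The dhcp-test role shows the other failure mode, a policy without a catch-all, where everything not explicitly permitted is dropped by the implicit deny.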
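The role-assignment slides (the AAA profile's default roles, the server-group rule on memberOf, and the derivation-rules on encryption-type) each describe one source of a role but not how they combine. The model below is an added example, not ArubaOS code; it takes the deck's own rule set and computes the role a client ends up with. The precedence it applies (initial role < user-derived < auth-method default < server-derived) is how I read the ArubaOS user guide and should be confirmed for the release in use; the client records and the memberOf values are constructed.

```python
"""Role derivation for one client from the three sources the deck lists:
user-derivation rules, the authentication method's default role, and
rules on attributes returned by the authentication server.
Added example, not ArubaOS code. The precedence applied here (initial role
< user-derived < auth-method default < server-derived) is how I read the
ArubaOS user guide; confirm it for the release you run. The client records
and the LDAP memberOf values are constructed."""
from dataclasses import dataclass, field

OPERATORS = {
    "equals": lambda v, o: v == o,
    "not-equals": lambda v, o: v != o,
    "contains": lambda v, o: o in v,
    "starts-with": lambda v, o: v.startswith(o),
    "ends-with": lambda v, o: v.endswith(o),
}


@dataclass(order=True)
class DerivationRule:
    """set role condition <attribute> <operation> <operand> set-value <role> position <n>"""
    position: int
    attribute: str
    operation: str
    operand: str
    role: str

    def matches(self, attrs: dict) -> bool:
        values = attrs.get(self.attribute, [])
        if isinstance(values, str):              # multi-valued attributes (memberOf) are lists
            values = [values]
        return any(OPERATORS[self.operation](v, self.operand) for v in values)


def first_match(rules: list, attrs: dict):
    """Rules are tried in position order; the first hit sets the role."""
    for rule in sorted(rules):
        if rule.matches(attrs):
            return rule.role
    return None


# aaa profile default (values from 'show aaa profile default' and the captive-portal profile)
AAA_PROFILE = {
    "initial-role": "logon",
    "mac-default-role": "guest",
    "dot1x-default-role": "guest",
    "captive-portal-default-role": "guest",
}
# aaa derivation-rules user test_rule
USER_RULES = [
    DerivationRule(1, "encryption-type", "equals", "dynamic-aes", "authenticated"),
    DerivationRule(2, "encryption-type", "equals", "dynamic-tkip", "guest"),
]
# aaa server-group test: set role condition memberOf contains student set-value student
SERVER_RULES = [DerivationRule(1, "memberOf", "contains", "student", "student")]


@dataclass
class Client:
    attrs: dict                                  # essid, macaddr, encryption-type, ...
    auth_method: str = ""                        # '' | 'mac' | 'dot1x' | 'captive-portal'
    authenticated: bool = False
    server_attrs: dict = field(default_factory=dict)   # attributes returned by LDAP/RADIUS


def derive_role(c: Client) -> tuple:
    """Return (role, source). Before authentication only the user-derivation
    rules and the initial role apply; once authenticated, a server-derived
    role wins over the method's default role."""
    if c.authenticated and c.auth_method:
        role = first_match(SERVER_RULES, c.server_attrs)
        if role:
            return role, "server-derived"
        return AAA_PROFILE[f"{c.auth_method}-default-role"], "auth-method-default"
    role = first_match(USER_RULES, c.attrs)
    if role:
        return role, "user-derived"
    return AAA_PROFILE["initial-role"], "initial"


if __name__ == "__main__":
    student_dn = ["cn=student,cn=users,dc=qa,dc=domain,dc=com"]   # constructed memberOf value
    for c in (Client({"encryption-type": "dynamic-aes"}),
              Client({"encryption-type": "opensystem"}),
              Client({"encryption-type": "opensystem"}, "captive-portal", True, {"memberOf": student_dn}),
              Client({"encryption-type": "dynamic-aes"}, "dot1x", True,
                     {"memberOf": ["cn=staff,dc=qa,dc=domain,dc=com"]})):
        print(c.attrs, c.auth_method or "-", derive_role(c))
```

The point to take from the deck's rule set is that the test_rule derivation hands a client the allowall authenticated role purely because it negotiated AES, before any credential has been checked; a user-derivation rule should only ever assign a restricted role.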
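The wireless-configuration slides set opmode opensystem on the SSID profile, turn on allow-cleartext for the LDAP server, and show roles carrying the allowall policy; each is the kind of setting a reviewer checks for before a controller goes live. The audit below is an added example, not an Aruba tool: it parses a configuration in the block layout of a running-config (header line, indented body, "!" terminator) and reports those three weaknesses. The configuration text is constructed from the deck's commands, and the running-config keyword session-acl for a role's policy is an assumption.

```python
"""Audit of an ArubaOS-style configuration for the weak settings the deck's
wireless section walks through: opmode choices on SSID profiles, allow-cleartext
on an LDAP server, and roles that carry the allowall policy.
Added example, not an Aruba tool. The configuration text below is constructed
from the deck's commands in the block layout of a running-config (header line,
indented body, '!' terminator); the running-config keyword 'session-acl' for a
role's policy is assumed."""

SAMPLE_CONFIG = """\
wlan ssid-profile "test"
   essid "test"
   opmode opensystem
!
wlan ssid-profile "corp"
   essid "corp"
   opmode wpa2-aes
!
wlan ssid-profile "legacy"
   essid "legacy"
   opmode wpa-psk-tkip
!
aaa authentication-server ldap "test"
   host 10.1.1.10
   admin-dn "admin"
   admin-passwd "admin"
   base-dn "cn=users,dc=qa,dc=domain,dc=com"
   allow-cleartext
!
user-role "visitors"
   session-acl Internet_Only
   max-sessions 100
!
user-role "guest-wide"
   session-acl allowall
!
mgmt-user admin root
"""

# opmode -> (severity, finding code); anything not listed is accepted
WEAK_OPMODES = {
    "opensystem": ("high", "unencrypted-ssid"),
    "static-wep": ("high", "wep-ssid"),
    "dynamic-wep": ("high", "wep-ssid"),
    "wpa-psk-tkip": ("medium", "tkip-ssid"),
    "wpa-tkip": ("medium", "tkip-ssid"),
    "wpa2-psk-tkip": ("medium", "tkip-ssid"),
    "wpa2-tkip": ("medium", "tkip-ssid"),
    "wpa-psk-aes": ("low", "wpa1-ssid"),
    "wpa-aes": ("low", "wpa1-ssid"),
}


def parse_blocks(text: str) -> list:
    """Split a config into (header, [body lines]) blocks: indented lines belong
    to the preceding unindented header; '!' or a blank line closes the block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError(f"indented line without a header: {line.strip()!r}")
            current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            blocks.append(current)
    return blocks


def audit(text: str) -> list:
    """Return (severity, header, code) findings in configuration order."""
    findings = []
    for header, body in parse_blocks(text):
        words = header.split()
        if words[:2] == ["wlan", "ssid-profile"]:
            for item in body:
                tok = item.split()
                if len(tok) == 2 and tok[0] == "opmode" and tok[1] in WEAK_OPMODES:
                    sev, code = WEAK_OPMODES[tok[1]]
                    findings.append((sev, header, code))
        elif words[:3] == ["aaa", "authentication-server", "ldap"]:
            if "allow-cleartext" in body:            # bind DN password and user creds in clear
                findings.append(("high", header, "ldap-cleartext"))
        elif words[:1] == ["user-role"]:
            for item in body:
                tok = item.split()
                acl = None
                if tok[0] == "session-acl" and len(tok) > 1:
                    acl = tok[1]                     # running-config form
                elif tok[:2] == ["access-list", "session"] and len(tok) > 2:
                    acl = tok[2]                     # config-mode form
                if acl == "allowall":
                    findings.append(("medium", header, "allowall-role"))
    return findings


if __name__ == "__main__":
    for sev, header, code in audit(SAMPLE_CONFIG):
        print(f"{sev:<6} {code:<18} {header}")
```

Run against the constructed configuration it reports the open test SSID, the TKIP legacy SSID, the cleartext LDAP bind and the guest-wide role; the corp SSID and the visitors role, which is confined to Internet_Only, produce nothing.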
