




ARUBA Wireless Network Training
People move. Networks must follow.
CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved

Company Profile
Market position:
- Global leader in secure wireless networking
- The only publicly listed pure-play WLAN company worldwide
- Ranked #1 among Silicon Valley technology companies
- Global customer count: 6500+

Market Positioning of Aruba Products
- Connectivity: Wireless LAN coverage (RF Management, Rogue AP Detection)
- Security: secure access (Authentication, Encryption, Intrusion Prevention); user tiers (Employees, Contractors, Guests)
- Mobility: converged mobile applications (QoS, Roaming, Handovers, Location, RFID); mobile device management (Security, Battery Life, Device Management)

ARUBA User-Centric Network
Adaptive WLAN:
- High-performance wireless campus network
- Plug-and-play remote access points
- Branch office networks for sites of every size
- Secure enterprise wireless mesh
- RFprotect wireless intrusion prevention
Identity-based security (Who, What, Where, When, How?):
- Role-based security policies
- Overlay network security features
- Integrated network access control
- Secure guest access
Application-layer quality assurance:
- Uninterrupted voice calls
- Data session persistence
- Application-aware quality of service
- Location-based applications
- Video optimization
Unified user and network management (Follow-Me Applications, Follow-Me Security, Follow-Me Management, Follow-Me Connectivity):
- Multi-vendor device management
- User-level management and reporting
- Visual wireless heat maps
- Rogue AP identification and location
- Expert system for fault diagnosis

Self-Optimizing: an Intelligent Network That Needs No Manual Intervention
Adaptive Radio Management (ARM) continuously optimizes the WLAN based on the available spectrum:
1. Real-time scanning and monitoring of the spectrum
2. Automatic selection of the best channel and power level, reducing contention and interference, and automatic coverage of holes when an AP fails
3. Load balancing based on users and traffic
4. Band steering for dual-band clients
5. Airtime fairness between fast and slow clients
6. Load-aware RF scanning
Challenge: the dynamic RF environment. Within a desired coverage area the usable channels are not fixed; they depend on the interference present, the user density and the traffic load.
[Chart: available channels by physical location (lobby, study room, meeting room, office/desk) and by time]

Easy Expansion: Extend the Wireless Network Anytime, Anywhere
[Diagram: branch office and headquarters; Internet services and guest Internet access; DMZ, INTERNET, GUEST, CORP and VOICE segments; DSL router; GUEST VLAN; a split tunnel carrying Internet traffic; user-centric built-in firewall/NAT]
The industry's most powerful wireless controller (Fan Tray, Up to 4 M3 Mark I, Redundant PSUs, 40 x 1000Base-X (SFP), 8x 10GBase-X (XFP)):
- A single unit supports 80G line-rate forwarding
- A single unit manages 2048 wireless APs
- Extend from indoor to outdoor
- Extend to the wider Internet

Identity-Based Access Control and Bandwidth Management
User rights management = Who (user authentication) + What (authentication method) + When (access time) + Where (access location) + How (access device)

Per-User Wireless Stateful Firewall
- A single physical network infrastructure
- Users can be grouped arbitrarily
- Different L2-L7 policy controls for different groups or users
- Different upstream/downstream bandwidth allocation per user
- Different QoS levels per user
The Aruba firewall can detect ICMP, TCP SYN, IP session, IP spoofing, RST relay, ARP and other potential network attacks; it automatically blacklists the attacker and disconnects the wireless connection.
[Diagram: Virtual AP 1 (SSID: ABC.COM) and Virtual AP 2 (SSID: VOICE) on one access point; mobility controller, router, web portal and AAA infrastructure; entry-level, free, standard, VIP and voice clients on the same or different VLANs; VIP clients get their own privileges, QoS and policy]

ARUBA Wireless Network Architecture
[Diagram: email server, DHCP server, L2/3 switching, 10/100 Mbps AP links]
Communication process:
1. The AP is connected to a switch port of the existing network; after power-on it obtains an IP address.
2. The AP obtains the loopback IP address of the ARUBA controller by one of several means (static configuration, DHCP option, DNS resolution, multicast, broadcast).
3. The AP establishes a PAPI tunnel (UDP 8211) to the controller, compares and downloads its image software and configuration file from the controller via FTP or TFTP, builds the GRE tunnel between AP and controller according to that configuration, and starts serving wireless clients.
4. Wireless clients join the network via the SSID; all user traffic is carried directly over the AP-to-controller GRE tunnel to the ARUBA controller, which performs encryption/decryption, authentication, authorization, policy enforcement and forwarding.

Configuring the ARUBA Wireless Controller
Administrator login (admin/saic_admin): CLI or Web
- Management accounts
- Network configuration: VLAN, IP address, IP route, IP DHCP
- Security configuration: Policy, Role, AAA
- Wireless configuration: SSID, Virtual AP

Logging in to the ARUBA Wireless Controller
Command line:
User: admin
Password: *
(Aruba800) en
Password: *
(Aruba800) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
Web UI: https:/
Admin account management (#mgmt-user):
(Aruba800) (config) #mgmt-user admin root
Password: *
Re-Type password: *
(Aruba800) (config) #

Network Configuration of the ARUBA Wireless Controller
[The IP addresses, masks and next-hop values shown on these slides did not survive extraction.]
Configure a VLAN:
(Aruba800) (config) #vlan 200
(Aruba800) (config) #interface fastethernet 1/0
Access mode:
(Aruba800) (config-if)#switchport access vlan 200
(Aruba800) (config-if)#switchport mode access
Trunk mode:
(Aruba800) (config-if)#switchport trunk allowed vlan all
(Aruba800) (config-if)#switchport mode trunk
(Aruba800) (config-if)#show vlan
VLAN CONFIGURATION
VLAN  Name      Ports
----  ----      -----
1     Default   FE1/1-7
100   VLAN0100  GE1/8
200   VLAN0200  FE1/0
Configure an IP address:
(Aruba800) (config) #interface vlan 200
(Aruba800) (config-subif)#ip address 54 (vlan interface)
(Aruba800) (config-subif)#ip helper-address (DHCP relay)
Configure IP routes:
Default route:
(Aruba800) (config) #ip default-gateway
Static route:
(Aruba800) (config) #ip route
(Aruba800) (config) #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default
Gateway of last resort is to network
S* /0 1/0 via *
S /24 1/0 via *
C is directly connected, VLAN1
C is directly connected, VLAN100
C is directly connected, VLAN200
Configure a DHCP server:
(Aruba800) (config) #ip dhcp pool user_pool
(Aruba800) (config-dhcp)#default-router 54
(Aruba800) (config-dhcp)#dns-server
(Aruba800) (config-dhcp)#network
(Aruba800) (config-dhcp)#exit
(Aruba800) (config) #service dhcp

Security Configuration of the ARUBA Controller
[Diagram: rules are grouped into policies (Policy 1 to Policy 5), policies are attached to roles (Role 1 to Role 4), and users (User1 to UserN) are assigned to roles]
Role derivation (assigns users to a role): 1) locally derived; 2) server assigned; 3) default role
Methods: Policies, Roles, Derivation

[Diagram: a rule matches addresses and services (HTTP, FTP, DNS, etc.) and applies an action (Deny, Permit, NAT, Log, Queue, 802.1p assignment, TOS, Time Range)]
Firewall policy: an ordered set of rules.
Policy example:
ip access-list session Internet_Only
  user any udp 68 deny
  user any svc-dhcp permit
  user host svc-dns permit
  user host svc-dns permit
  user alias Internal-Network deny log
  user any any permit
Alias definitions:
1) Network alias:
netdestination Internal-Network
  network
  network
netdestination External-network
  network
  network
  invert
2) Service alias:
netservice svc-http tcp 80

Creating Roles / Creating Policies [Web UI screenshots]

User roles (Role) determine each user's access rights:
- Every role must be bound to one or more policies
- Firewall policies are executed in order; the last, implicit default rule is "deny all"
- A role can carry a bandwidth limit and a session-count limit
Role assignment can be done in several ways:
- Default role based on the access authentication method (i.e. 802.1x, VPN, WEP, etc.)
- Role derived from the authentication server (i.e. RADIUS/LDAP attributes)
- Locally derived rules: ESSID, MAC, encryption type, etc.
Every user on the ARUBA controller is assigned a Role!

(Aruba800) #show rights
RoleTable
Name              ACL  Bandwidth                  ACL List                                                                                          Type
----              ---  ---------                  --------                                                                                          ----
ap-role           4    Up: No Limit,Dn: No Limit  control,ap-acl                                                                                    System
authenticated     39   Up: No Limit,Dn: No Limit  allowall,v6-allowall                                                                              User
default-vpn-role  37   Up: No Limit,Dn: No Limit  allowall,v6-allowall                                                                              User
guest             3    Up: No Limit,Dn: No Limit  http-acl,https-acl,dhcp-acl,icmp-acl,dns-acl,v6-http-acl,v6-https-acl,v6-dhcp-acl,v6-icmp-acl,v6-dns-acl  User
guest-logon       6    Up: No Limit,Dn: No Limit  logon-control,captiveportal                                                                       User
logon             1    Up: No Limit,Dn: No Limit  logon-control,captiveportal,vpnlogon,v6-logon-control                                             User
stateful-dot1x    5    Up: No Limit,Dn: No Limit                                                                                                    System
voice             38   Up: No Limit,Dn: No Limit  sip-acl,noe-acl,svp-acl,vocera-acl,skinny-acl,h323-acl,dhcp-acl,tftp-acl,dns-acl,icmp-acl         User

(Aruba800) #show rights authenticated
Derived Role = authenticated
Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 39/0
Max Sessions = 65535
access-list List
Position  Name         Location
--------  ----         --------
1         allowall
2         v6-allowall
allowall
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          any      permit                           Low
v6-allowall
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          any      permit                           Low
Expired Policies (due to time constraints) = 0

Defining a user role:
(Aruba800) (config) #user-role visitors
(Aruba800) (config-role) #access-list session internet-only
(Aruba800) (config-role) #max-sessions 100
(Aruba800) (config-role) #exit
(Aruba800) (config) #

Default role assignment based on the access authentication method:
(Aruba800) (config) #show aaa profile default
AAA Profile default
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
RADIUS Accounting Server Group      N/A
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A

(Aruba800) (config) #show aaa authentication captive-portal default
Captive Portal Authentication Profile default
Parameter                                    Value
---------                                    -----
Default Role                                 guest
Server Group                                 default
Redirect Pause                               10 sec
User Login                                   Enabled
Guest Login                                  Disabled
Logout popup window                          Enabled
Use HTTP for authentication                  Disabled
Logon wait minimum wait                      5 sec
Logon wait maximum wait                      10 sec
logon wait CPU utilization threshold         60 %
Max Authentication failures                  0
Show FQDN                                    Disabled
Use CHAP (non-standard)                      Disabled
Sygate-on-demand-agent                       Disabled
Login page                                   /auth/index.html
Welcome page                                 /auth/welcome.html
Show Welcome Page                            Yes
Adding switch ip address in redirection URL  Disabled

Role assignment based on rules returned by the server:
(Aruba800) (config) #aaa server-group test
(Aruba800) (Server Group test) #set role condition memberOf contains student set-value student
Note: when user attributes are fetched from an LDAP server and used as the basis for role assignment, this can only be configured through the CLI.

Role assignment based on user-defined rules:
(Aruba800) (config) #aaa derivation-rules user test_rule
(Aruba800) (user-rule) #set role condition encryption-type equals dynamic-aes set-value authenticated position 1
(Aruba800) (user-rule) #set role condition encryption-type equals dynamic-tkip set-value guest position 2

Blacklisting Clients
CONFIDENTIAL Copyright 2009. Aruba Networks, Inc. All rights reserved
What Is Blacklisting?
- Deauthenticated from the network: if a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect.
- Blocked from associating to APs: blacklisting prevents a client from associating with any AP in the network for a specified amount of time.
- Blocked from other SSIDs: while blacklisted, the client cannot associate with another SSID in the network.
Methods of Blacklisting
- Manual blacklist: an admin user can blacklist a specific client via the clients screen at Monitoring > Clients.
- Firewall policy: a firewall policy can result in the client being blacklisted.
- Fails to authenticate: a client fails to successfully authenticate for a configured number of times for a specified authentication method and is automatically blacklisted.
- IDS attack: the detection of a denial-of-service or man-in-the-middle (MITM) attack in the network.
Duration of Blacklisting
- Blacklist duration is set on a per-SSID basis, configured in the Virtual AP profile.
Rule-Based Blacklisting: Configuration > Access Control > Policies
Configuring Firewall Policy Blacklisting: this rule set is used to blacklist clients attaching to the controller IP address.
Viewing Blacklisted Clients: Monitoring > Blacklist Clients. This screen allows clients to be put back into production/logon roles by removing them from the blacklist.
Considerations When Blacklisting Clients
- Policy enforcement
- Devices with weak encryption
- Denying guests corporate access
- May be disruptive to employees

Bandwidth Contracts
- Applied to roles
- Specified in Kbps or Mbps
- Upstream and downstream
- For all users or per user
- Apply the BW contract to the role

Wireless Configuration of the ARUBA Wireless Controller
[Diagram: an AP Group combines a Wireless LAN part (Virtual AP with its properties, SSID, AAA and VLAN), an RF Management part (a/g radio settings, RF optimizations, a/g management), an AP part (system profile, Ethernet, regulatory, SNMP), QoS (VoIP) and IDS]
Encryption method: ensures the privacy of data in the air. Choose no encryption (open), Layer 2 encryption (WEP, TKIP, AES) or Layer 3 encryption (VPN).
Authentication method: ensures that the users joining the wireless network are legitimate. Choose no authentication, or MAC, EAP, captive portal, VPN and other methods.
Access control: effectively controls the traffic of legitimate users on the wireless network, including the network resources they may reach, bandwidth and time.
Key points of WLAN service configuration: SSID Profile, AAA Profile, Role.

(Aruba800) #show wlan virtual-ap default
Virtual AP profile default
Parameter                              Value
---------                              -----
Virtual AP enable                      Enabled
Allowed band                           all
SSID Profile                           default
VLAN                                   100
Forward mode                           tunnel
Deny time range                        N/A
Mobile IP                              Enabled
HA Discovery on-association            Disabled
DoS Prevention                         Disabled
Station Blacklisting                   Enabled
Blacklist Time                         3600 sec
Authentication Failure Blacklist Time  3600 sec
Fast Roaming                           Disabled
Strict Compliance                      Disabled
VLAN Mobility                          Disabled
AAA Profile                            default
Remote-AP Operation                    standard

Defining an SSID Profile:
(Aruba800) (config) #wlan ssid-profile test
(Aruba800) (SSID Profile “test”) #essid test          (the SSID name the WLAN displays)
(Aruba800) (SSID Profile “test”) #opmode ?            (the encryption modes available to the WLAN)
dynamic-wep    WEP with dynamic keys
opensystem     No encryption
static-wep     WEP with static keys
wpa-aes        WPA with AES encryption and dynamic keys using 802.1X
wpa-psk-aes    WPA with AES encryption using a pre-shared key
wpa-psk-tkip   WPA with TKIP encryption using a pre-shared key
wpa-tkip       WPA with TKIP encryption and dynamic keys using 802.1X
wpa2-aes       WPA2 with AES encryption and dynamic keys using 802.1X
wpa2-psk-aes   WPA2 with AES encryption using a pre-shared key
wpa2-psk-tkip  WPA2 with TKIP encryption using a pre-shared key
wpa2-tkip      WPA2 with TKIP encryption and dynamic keys using 802.1X
xSec           xSec encryption
(Aruba800) (SSID Profile “test”) #opmode opensystem

Defining an AAA Profile:
AAA profile for open access:
(Aruba800) (config) #aaa profile test
(Aruba800) (AAA Profile test) #clone default
Captive Portal profile for portal authentication:
(Aruba800) (config) #aaa authentication captive-portal test
(Aruba800) (Captive Portal Authentication Profile test) #clone default
(Aruba800) (Captive Portal Authentication Profile test) #default-role guest
(Aruba800) (Captive Portal Authentication Profile test) #no enable-welcome-page
(Aruba800) (Captive Portal Authentication Profile test) #server-group test

Configuring an LDAP server:
(Aruba800) (config) #aaa authentication-server ldap test
(Aruba800) (LDAP Server test) #host 0
(Aruba800) (LDAP Server test) #admin-dn admin
(Aruba800) (LDAP Server test) #admin-passwd admin
(Aruba800) (LDAP Server test) #base-dn cn=users,dc=qa,dc=domain,dc=com
(Aruba800) (LDAP Server test) #allow-cleartext
(Aruba800) (LDAP Server test) #

Configuring a Server Group:
(Aruba800) (config) #aaa server-group test
(Aruba800) (Server Group test) #auth-server test
(Aruba800) (Server Group test) #set role condition memberOf contains guest set-value guest
(Aruba800) (config) #show aaa server-group test
Fail Through:No
Auth Servers
Name  Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----  -----------  ---------  ----------  --------  ---------
test  Ldap         No
Role/VLAN derivation rules
Priority  Attribute  Operation  Operand  Type    Action    Value  Valid
--------  ---------  ---------  -------  ----    ------    -----  -----
1         memberOf   contains   guest    String  set role  guest  No

Calling the Captive Portal profile from the user's initial role (initial role):
(Aruba800) (config) #user-role logon
(Aruba800) (config-role) #captive-portal test
(Aruba800) (config
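The session ACL semantics the slides describe (rules evaluated in order, first match wins, an implicit "deny all" at the end, and netdestination aliases that can be inverted) can be checked against sample flows with the evaluator below. It is an added example, not Aruba code; the Internet_Only rule list is the one from the slides, while the destination addresses, the networks inside Internal-Network and the port ranges behind svc-dhcp and svc-dns are assumptions, because the slides leave them blank.

```python
import ipaddress

# Constructed sample values: the slides leave the real addresses blank.
INTERNAL_NETWORK = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]
DNS_SERVER = ipaddress.ip_address("10.0.0.53")   # the "user host <ip> svc-dns" target

# netservice aliases as (protocol, low port, high port). svc-dhcp is assumed
# here to cover udp 67-68 and svc-dns udp 53; only svc-http is on the slides.
SERVICES = {
    "svc-dhcp": ("udp", 67, 68),
    "svc-dns":  ("udp", 53, 53),
    "svc-http": ("tcp", 80, 80),
}

def netdestination(networks, invert=False):
    """A netdestination alias; 'invert' matches everything outside the networks."""
    return ("alias", (networks, invert))

def dest_matches(dest, ip):
    kind, value = dest
    if kind == "any":
        return True
    if kind == "host":
        return ip == value
    nets, invert = value                      # kind == "alias"
    return any(ip in n for n in nets) != invert

def service_matches(svc, proto, port):
    if svc == "any":
        return True
    if isinstance(svc, str):                  # netservice alias name
        sproto, lo, hi = SERVICES[svc]
    else:                                     # inline service such as ("udp", 68)
        sproto, lo, hi = svc[0], svc[1], svc[1]
    return proto == sproto and lo <= port <= hi

# The Internet_Only session ACL from the slide: (destination, service, action, log).
# The source is always "user", so it is not modelled. Note that the "udp 68 deny"
# sits ahead of "svc-dhcp permit": order decides what the second rule can match.
INTERNET_ONLY = [
    (("any", None),                    ("udp", 68), "deny",   False),
    (("any", None),                    "svc-dhcp",  "permit", False),
    (("host", DNS_SERVER),             "svc-dns",   "permit", False),
    (netdestination(INTERNAL_NETWORK), "any",       "deny",   True),
    (("any", None),                    "any",       "permit", False),
]

def evaluate(policy, dst_ip, proto, port):
    """Walk the rules in order; the first match decides.
    Returns (action, logged, rule position); position len(policy)+1 is the implicit deny all."""
    ip = ipaddress.ip_address(dst_ip)
    for pos, (dest, svc, action, log) in enumerate(policy, start=1):
        if dest_matches(dest, ip) and service_matches(svc, proto, port):
            return action, log, pos
    return "deny", False, len(policy) + 1
```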