ARUBA無線網(wǎng)絡(luò)培訓(xùn)課件

ARUBA無線網(wǎng)絡(luò)培訓(xùn)課件公司簡介市場形象：全球領(lǐng)先的安全無線網(wǎng)絡(luò)供應(yīng)商全球唯一的WLAN專業(yè)上市公司硅谷技術(shù)公司排名(#1ranking)全球客戶數(shù)量：6500+連接性Aruba產(chǎn)品的市場定位融合的移動應(yīng)用QoS,Roaming,Handovers,Location,RFID安全接入Authentication,Encryption,IntrusionPrevention移動設(shè)備管理Security,BatteryLife,DeviceManagementWirelessLAN覆蓋RFManagement,RogueAPDetection安全性移動性用戶分級Employees,Contractors,GuestsARUBA以用戶為中心的網(wǎng)絡(luò)高性能無線園區(qū)網(wǎng)

即插即用的遠程接入點

適合各種規(guī)模的分支辦公室網(wǎng)絡(luò)

安全的企業(yè)無線網(wǎng)狀網(wǎng)RFprotect?無線入侵防范Who,What,Where,When,How?基于角色的安全策略疊加的網(wǎng)絡(luò)安全特性整合的網(wǎng)絡(luò)準入控制安全訪客接入

持續(xù)的話音呼叫

數(shù)據(jù)會話的永續(xù)性應(yīng)用感知的服務(wù)質(zhì)量基于定位的應(yīng)用視頻優(yōu)化自適應(yīng)無線局域網(wǎng)基于身份的安全性應(yīng)用層質(zhì)量保證Follow-MeApplicationsFollow-MeSecurityFollow-MeManagementFollow-MeConnectivityUser-CentricNetworks

多廠商設(shè)備管理

用戶級管理和報表可視的無線熱區(qū)圖非法AP識別和定位故障診斷專家系統(tǒng)統(tǒng)一的用戶網(wǎng)絡(luò)管理自動優(yōu)化：不需要人工干預(yù)的智能網(wǎng)絡(luò)自適應(yīng)射頻管理（AdaptiveRadioManagement?）基于可用頻譜對WLAN進行持續(xù)優(yōu)化對頻譜進行實時掃描和監(jiān)視自動選擇最佳信道和功率，降低網(wǎng)絡(luò)沖突和干擾，并在AP失效時自動對盲區(qū)進行覆蓋基于用戶和流量進行負載均衡對雙頻段用戶提供頻段指引公平接入快速和慢速客戶端基于負載感知的射頻掃描物理位置時間可用信道挑戰(zhàn)–動態(tài)射頻環(huán)境在一個期望的覆蓋范圍，可以使用的工作信道并不是一成不變的，與環(huán)境中存在的干擾和用戶密度、流量負載等有關(guān)大廳自習室會議室辦公室/公位便于擴展：隨時隨地對無線網(wǎng)絡(luò)進行擴展6分支機構(gòu)/辦公室公司總部Internet服務(wù)來客Internet訪問DMZINTERNETGUESTCORPCORP語音VOICEDSL路由器GUESTVLANInternet服務(wù)分割隧道用于傳輸互聯(lián)網(wǎng)流量的分割隧道以用戶為中心的內(nèi)置防火墻防火墻/NATFanTrayUpto4M3MarkIRedundantPSUs40x1000Base-X(SFP)8x10GBase-X(XFP)業(yè)界最強大的無線控制器單臺支持80G線速轉(zhuǎn)發(fā)單臺管理2048個無線AP從室內(nèi)向室外擴展向更加廣闊的Internet擴展基于身份的訪問控制和帶寬管理用戶權(quán)限管理Who(用戶認證)+What(認證方式)

+When(接入時間)+Where(接入位置)+How(接入終端)基于用戶的無線狀態(tài)防火墻單一物理網(wǎng)絡(luò)設(shè)施任意對用戶進行分組不同組或用戶設(shè)定不同L2-L7策略控制不同用戶設(shè)定不同的上下行帶寬分配不同用戶設(shè)定的不同QOS級別Aruba的Firewall可以檢測到ICMP,TCPSync,IPSession,IPSpoofing,RSTRelay,ARP等多種潛在網(wǎng)絡(luò)攻擊,并自動將攻擊者放入黑名單,斷開無線連接

VirtualAP1SSID:ABC.COMVirtualAP2SSID:VOICE標準客戶免費客戶路由器WEB門戶移動性控制器接入點VIP唯一權(quán)限、QoS,策略免費客戶語音普通客戶VIP客戶話音客戶AAA基礎(chǔ)設(shè)施入門客戶相同或不同的VLANARUBA無線網(wǎng)絡(luò)的組網(wǎng)架構(gòu)EmailServer10/100MbpsL2/3DHCPServer1.3.4.通訊過程：AP連接到現(xiàn)有網(wǎng)絡(luò)的交換機端口，加電起動后，獲得IP地址AP通過各種方式獲得ARUBA控制器的LoopIP地址（靜態(tài)獲得、DHCP返回、DNS解析、組播、廣播）AP與控制器之間建立PAPI隧道（UDP8211），通過FTP或TFTP到ARUBA控制器上比對并下載AP的image軟件和配置文檔，并根據(jù)配置信息建立AP與控制器之間的GRE隧道，同時向無線用戶提供無線接入服務(wù)無線用戶通過SSID連接無線網(wǎng)絡(luò)，所有的用戶流量都通過AP與ARUBA控制器之間的GRE隧道直接傳遞到ARUBA控制器上，進行相應(yīng)的加解密、身份驗證、授權(quán)、策略和轉(zhuǎn)發(fā)2.配置ARUBA無線控制器管理員登陸(admin/saic_admin)CliWeb管理帳號網(wǎng)絡(luò)配置VlanIPaddressIProuteIPdhcp安全配置PolicyRoleAAA無線配置SSIDVirtualAP配置ARUBA無線控制器管理員登陸登陸ARUBA無線控制器CommandlineUser:adminPassword:*****(Aruba800)>enPassword:******(Aruba800)#configuretEnterConfigurationcommands,oneperline.EndwithCNTL/ZWebUI

https://<Controller’sIPaddress>Admin帳號管理#mgmt-user<username><role>

(Aruba800)(config)#mgmt-useradminrootPassword:*****Re-Typepassword:*****(Aruba800)(config)#配置ARUBA無線控制器ARUBA無線控制器的網(wǎng)絡(luò)配置ARUBA無線控制器的網(wǎng)絡(luò)配置配置Vlan(Aruba800)(config)#vlan200(Aruba800)(config)#interfacefastethernet1/0接入模式：(Aruba800)(config-if)#switchportaccessvlan200 (Aruba800)(config-if)#switchportmodeaccess中繼模式：(Aruba800)(config-if)#switchporttrunkallowedvlanall (Aruba800)(config-if)#switchportmodetrunk(Aruba800)(config-if)#showvlanVLANCONFIGURATIONVLANNamePorts

1DefaultFE1/1-7100VLAN0100GE1/8200VLAN0200FE1/0配置IPaddress(Aruba800)(config)#interfacevlan200(Aruba800)(config-subif)#ipaddress54(vlaninterface)(Aruba800)(config-subif)#iphelper-address(DHCPrelay)ARUBA無線控制器的網(wǎng)絡(luò)配置配置IProute配置缺省路由:(Aruba800)(config)#ipdefault-gateway配置靜態(tài)路由：(Aruba800)(config)#iproute(Aruba800)(config)#showiprouteCodes:C-connected,O-OSPF,R-RIP,S-staticM-mgmt,U-routeusable,*-candidatedefaultGatewayoflastresortistonetworkS*/0[1/0]via*S/24[1/0]via*Cisdirectlyconnected,VLAN1Cisdirectlyconnected,VLAN100Cisdirectlyconnected,VLAN200配置dhcpserver(Aruba800)(config)#ipdhcppooluser_pool(Aruba800)(config-dhcp)#default-router54(Aruba800)(config-dhcp)#dns-server(Aruba800)(config-dhcp)#network(Aruba800)(config-dhcp)#exit(Aruba800)(config)#servicedhcp配置ARUBA無線控制器ARUBA無線控制器的安全配置ARUBA控制器的安全配置Rule1Rule2Rule3RulenRule1Rule2Rule1Rule1Rule2Rule3Rule4Rule1Rule2Rule3Rule4Policy1Policy2Policy3Policy4Policy5Role1Policy1Policy2Role2Policy1Policy3Policy4Role3Policy4Policy5Role4Policy4User1User2User3User4User5User6…………UserNRoleDerivation:1)LocallyDerived2)ServerAssigned3)DefaultRoleAssignsuserstoaroleMethods:PoliciesRolesDerivation<source><destination><service><action><extendedaction>ARUBA控制器的安全配置AddressesHTTPFTPDNSetcDenyPermitNatLogQueue802.1passignmentTOSTimeRange策略示例：ipaccess-listsessionInternet_Only useranyudp68deny useranysvc-dhcppermit userhostsvc-dnspermit userhostsvc-dnspermit useraliasInternal-Networkdenylog useranyanypermit防火墻策略：一組按照特定次序排列的規(guī)則的集合別名的定義：1)網(wǎng)絡(luò)別名netdestinationInternal-Networknetwork networknetdestinationExternal-networknetwork networkinvert2)服務(wù)別名 netservicesvc-httptcp80<source><destination><service><action><extendedaction>ARUBA控制器的安全配置AddressesHTTPFTPDNSetcDenyPermitNatLogQueue802.1passignmentTOSTimeRange防火墻策略：一組按照特定次序排列的規(guī)則的集合CreatingRolesCreatingPolicies212-21ARUBA無線控制器的安全配置用戶角色（Role）決定了每個用戶的訪問權(quán)限每一個role都必須與一個或多個policy綁定防火墻策略按次序執(zhí)行最后一個隱含的缺省策略是“denyall”可以設(shè)定role的帶寬限制和會話數(shù)限制用戶角色（Role）的分配可以通過多種方式實現(xiàn)基于接入認證方式的缺省角色(i.e.802.1x,VPN,WEP,etc.)由認證服務(wù)器導(dǎo)出的用戶角色(i.e.RADIUS/LDAP屬性)本地導(dǎo)出規(guī)則ESSIDMACEncryptiontypeEtc.ARUBA控制器中的每一個用戶都會被分配一個Role!ARUBA無線控制器的安全配置(Aruba800)#showrightsRoleTableNameACLBandwidthACLListType

ap-role4Up:NoLimit,Dn:NoLimitcontrol,ap-aclSystemauthenticated39Up:NoLimit,Dn:NoLimitallowall,v6-allowallUserdefault-vpn-role37Up:NoLimit,Dn:NoLimitallowall,v6-allowallUserguest3Up:NoLimit,Dn:NoLimithttp-acl,https-acl,dhcp-acl,icmp-acl,dns-acl,v6-http-acl,v6-https-acl,v6-dhcp-acl,v6-icmp-acl,v6-dns-aclUserguest-logon6Up:NoLimit,Dn:NoLimitlogon-control,captiveportalUserlogon1Up:NoLimit,Dn:NoLimitlogon-control,captiveportal,vpnlogon,v6-logon-controlUserstateful-dot1x5Up:NoLimit,Dn:NoLimitSystemvoice38Up:NoLimit,Dn:NoLimitsip-acl,noe-acl,svp-acl,vocera-acl,skinny-acl,h323-acl,dhcp-acl,tftp-acl,dns-acl,icmp-aclUserARUBA無線控制器的安全配置(Aruba800)#showrightsauthenticatedDerivedRole='authenticated'UpBW:NoLimitDownBW:NoLimitL2TPPool=default-l2tp-poolPPTPPool=default-pptp-poolPeriodicreauthentication:DisabledACLNumber=39/0MaxSessions=65535access-listListPositionNameLocation

1allowall2v6-allowallallowallPrioritySourceDestinationServiceActionTimeRangeLogExpiredQueueTOS8021PBlacklistMirrorDisScan

1anyanyanypermitLowv6-allowallPrioritySourceDestinationServiceActionTimeRangeLogExpiredQueueTOS8021PBlacklistMirrorDisScan

1anyanyanypermitLowExpiredPolicies(duetotimeconstraints)=0ARUBA無線控制器的安全配置定義用戶角色（role）(Aruba800)(config)#user-rolevisitors(Aruba800)(config-role)#access-listsessioninternet-only(Aruba800)(config-role)#max-sessions100(Aruba800)(config-role)#exit(Aruba800)(config)#ARUBA無線控制器的安全配置基于接入認證方式的缺省角色（role）分配(Aruba800)(config)#showaaaprofiledefaultAAAProfile"default"ParameterValue

InitialrolelogonMACAuthenticationProfileN/AMACAuthenticationDefaultRoleguestMACAuthenticationServerGroupdefault802.1XAuthenticationProfileN/A802.1XAuthenticationDefaultRoleguest802.1XAuthenticationServerGroupN/ARADIUSAccountingServerGroupN/AXMLAPIserverN/ARFC3576serverN/AUserderivationrulesN/AWiredtoWirelessRoamingEnabledSIPauthenticationroleN/A(Aruba800)(config)#showaaaauthenticationcaptive-portaldefaultCaptivePortalAuthenticationProfile"default"ParameterValue

DefaultRoleguestServerGroupdefaultRedirectPause10secUserLoginEnabledGuestLoginDisabledLogoutpopupwindowEnabledUseHTTPforauthenticationDisabledLogonwaitminimumwait5secLogonwaitmaximumwait10seclogonwaitCPUutilizationthreshold60%MaxAuthenticationfailures0ShowFQDNDisabledUseCHAP(non-standard)DisabledSygate-on-demand-agentDisabledLoginpage/auth/index.htmlWelcomepage/auth/welcome.htmlShowWelcomePageYesAddingswitchipaddressinredirectionURLDisabledARUBA無線控制器的安全配置基于接入認證方式的缺省角色（role）分配ARUBA無線控制器的安全配置基于服務(wù)期返回規(guī)則的角色（role）分配(Aruba800)(config)#aaaserver-grouptest(Aruba800)(ServerGroup"test")#setroleconditionmemberOfcontainsstudentset-valuestudent說明：從LDAP服務(wù)器獲取用戶屬性，并以此為依據(jù)分配用戶角色時，只能通過CLI進行配置ARUBA無線控制器的安全配置基于用戶定義規(guī)則的角色（role）分配(Aruba800)(config)#aaaderivation-rulesuser"test_rule"(Aruba800)(user-rule)#setroleconditionencryption-typeequals"dynamic-aes"set-value"authenticated"position1(Aruba800)(user-rule)#setroleconditionencryption-typeequals"dynamic-tkip"set-value"guest"position2BlacklistingClientsWhatIsBlacklisting?DeauthenticatedfromthenetworkIfaclientisconnectedtothenetworkwhenitisblacklisted,adeauthenticationmessageissenttoforcetheclienttodisconnect.BlockedfromassociatingtoAPsBlacklistingpreventsaclientfromassociatingwithanyAPinthenetworkforaspecifiedamountoftime.BlockedfromotherSSIDsWhileblacklisted,theclientcannotassociatewithanotherSSIDinthenetwork.2-31MethodsOfBlacklistingManuallyblacklistAdminusercanblacklistaspecificclientviatheclientsscreenatMonitoring>ClientsFirewallpolicyAfirewallPolicycanresultintheclientbeingblacklistedFailstoAuthenticateAclientfailstosuccessfullyauthenticateforaconfigurednumberoftimesforaspecifiedauthenticationmethod.Theclientisautomaticallyblacklisted.IDSAttackThedetectionofadenialofserviceormaninthemiddle(MITM)attack

inthenetwork.2-32DurationOfBlacklistingBlacklistDurationonPer-SSIDbasisConfiguredinVirtualAPProfile2-33RulebasedBlacklistingConfiguration->Accesscontrol->PoliciesConfiguringFirewallPolicyBlacklistingThisrulesetisusedtoblacklistclientsattachingtothecontrollerIPaddress2-35ViewingBlacklistClientsMonitoring>BlacklistClientsThisscreenallowsclientstobeputbackintoproduction/logonrolesbyremovingthemfromtheblacklist2-36ConsiderationsWhenBlacklistingClientsPolicyenforcementDeviceswithweakencryptionDenyGuestfromcorporateaccessMaybedisruptivetoemployees2-37BandwidthContractsBandwidthContractsAppliedtoRolesSpecifiedinKbpsorMbpsUpstream-DownstreamForallUsersorPerUser

2-39BandwidthContracts2-40ApplyBW-ContractToTheRole2-41配置ARUBA無線控制器ARUBA無線控制器的無線配置ARUBA無線控制器的無線配置APGroupWirelessLANRFManagementAPQoSIDSVirtualAPPropertiesSSIDAAAa/gRadioSettingsRFOptimizationsSystemProfileEthernetRegulatorySNMPVoIPa/gManagementVirtualAPPropertiesSSIDAAAVLANVLANARUBA無線控制器的無線配置加密方法確保數(shù)據(jù)在空中傳輸時的私密性可以選擇不加密(open)、二層加密(WEP,TKIP,AES)或者三層加密(VPN)認證方式確保接入無線網(wǎng)絡(luò)的用戶都是合法用戶認證方式可以選擇不認證，或者MAC、EAP、captiveportal、VPN等認證方式訪問控制對接入無線網(wǎng)絡(luò)的合法用戶流量進行有效控制，包括可以訪問的網(wǎng)絡(luò)資源、帶寬、時間等WLAN服務(wù)的配置要點SSIDProfileAAAProfileRoleARUBA無線控制器的無線配置(Aruba800)#showwlanvirtual-apdefaultVirtualAPprofile"default"Parameter Value

VirtualAPenable EnabledAllowedband allSSIDProfile defaultVLAN 100Forwardmode tunnelDenytimerange N/AMobileIP EnabledHADiscoveryon-association DisabledDoSPrevention DisabledStationBlacklisting EnabledBlacklistTime 3600secAuthenticationFailureBlacklistTime 3600secFastRoaming DisabledStrictCompliance DisabledVLANMobility DisabledAAAProfile defaultRemote-APOperation standardARUBA無線控制器的無線配置SSIDProfile的定義(Aruba800)(config)#wlanssid-profiletest(Aruba800)(SSIDProfile“test”)#essidtest（WLAN顯示的SSID名稱）(Aruba800)(SSIDProfile“test”)#opmode?（WLAN可以選用的加密方式）dynamic-wep WEPwithdynamickeysopensystem Noencryptionstatic-wep WEPwithstatickeyswpa-aes WPAwithAESencryptionanddynamickeysusing802.1Xwpa-psk-aes WPAwithAESencryptionusingapre-sharedkeywpa-psk-tkip WPAwithTKIPencryptionusingapre-sharedkeywpa-tkip WPAwithTKIPencryptionanddynamickeysusing802.1Xwpa2-aes WPA2withAESencryptionanddynamickeysusing802.1Xwpa2-psk-aes WPA2withAESencryptionusingapre-sharedkeywpa2-psk-tkip WPA2withTKIPencryptionusingapre-sharedkeywpa2-tkip WPA2withTKIPencryptionanddynamickeysusing802.1XxSec xSecencryption<cr>(Aruba800)(SSIDProfile“test”)#opmodeopensystemARUBA無線控制器的無線配置SSIDProfile的定義ARUBA無線控制器的無線配置AAAProfile的定義配置基于Open的AAAProfile(Aruba800)(config)#aaaprofiletest(Aruba800)(AAAProfile"test")#clonedefault配置基于Portal認證的CaptivePortalProfile(Aruba800)(config)#aaaauthenticationcaptive-portaltest(Aruba800)(CaptivePortalAuthenticationProfile"test")#clonedefault(Aruba800)(CaptivePortalAuthenticationProfile"test")#default-roleguest(Aruba800)(CaptivePortalAuthenticationProfile"test")#noenable-welcome(Aruba800)(CaptivePortalAuthenticationProfile"test")#server-grouptestARUBA無線控制器的無線配置配置LDAP服務(wù)器(Aruba800)(config)#aaaauthentication-serverldaptest(Aruba800)(LDAPServer"test")#host0(Aruba800)(LDAPServer"test")#admin-dnadmin(Aruba800)(LDAPServer"test")#admin-passwdadmin(Aruba800)(LDAPServer"test")#base-dncn=users,dc=qa,dc=domain,dc=com(Aruba800)(LDAPServer"test")#allow-cleartext(Aruba800)(LDAPServer"test")#ARUBA無線控制器的無線配置配置Server-Group(Aruba800)(config)#aaaserver-grouptest(Aruba800)(ServerGroup"test")#auth-servertest(Aruba800)(ServerGroup"test")#setroleconditionmemberOfcontainsguestset-valueguest(Aruba800)(config