Aruba OS 6.3 User Guide

0511321-02 | August 2013 ArubaOS 6.3 | User Guide
Copyright Information
© 2013 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba
Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®,
Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved.
All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code
subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open
Source Licenses. Includes software fro Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox,
Inc. All rights reserved.This product includes software developed by Lars Fenneberg et al. The Open Source code
used can be found at this site
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate
other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it
with respect to infringement of copyright on behalf of those vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information,
refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.
Altering this device (such as painting it) voids the warranty.

ArubaOS 6.3 | User Guide Contents | 3
Contents
Contents 3
About this Guide 69
What’s New In ArubaOS 6.3 69
Fundamentals 73
WebUI 73
CLI 73
Related Documents 74
Conventions 74
Contacting Aruba Networks 75
The Basic User-Centric Networks 76
Understanding Basic Deployment and Configuration Tasks 76
Deployment Scenario #1: Controller and APs on Same Subnet 76
Deployment Scenario #2: APs All on One Subnet Different from Controller Subnet 77
Deployment Scenario #3: APs on Multiple Different Subnets from Controllers 78
Configuring the Controller 79
Running Initial Setup 79
Connecting to the Controller after Initial Setup 80
Aruba7200 Series Controller 80
New Port Numbering Scheme 80
Individual Port Behavior 81
Using the LCD Screen 81
Using the LCD and USB Drive 82
Upgrading an Image 82
Uploading a Pre-saved Configuration 83
Disabling LCD Menu Functions 83
Configuring a VLAN to Connect to the Network 83
Creating, Updating, and Viewing VLANs and Associated IDs 84
Creating, Updating, and Deleting VLAN Pools 84

4 | Contents ArubaOS 6.3| User Guide
Assigning and Configuring the Trunk Port 85
In the WebUI 85
In the CLI 85
Configuring the Default Gateway 85
In the WebUI 85
In the CLI 86
Configuring the Loopback IP Address for the Controller 86
In the WebUI 86
In the CLI 86
Configuring the System Clock 87
Installing Licenses 87
Connecting the Controller to the Network 87
Enabling Wireless Connectivity 87
Configuring Your User-Centric Network 87
Control Plane Security 89
Control Plane Security Overview 89
Configuring Control Plane Security 90
In the WebUI 90
In the CLI 91
Managing AP Whitelists 91
Adding APs to the Campus and Remote AP Whitelists 92
Viewing Whitelist Status 93
Modifying an AP in the Campus AP Whitelist 95
Revoking an AP via the Campus AP Whitelist 96
Deleting an AP Entry from the Campus AP Whitelist 96
Purging the Campus AP Whitelist 96
Managing Whitelists on Master and Local Controllers 97
Campus AP Whitelist Synchronization 98
Viewing and Managing the Master or Local Switch Whitelists 98
Viewing the Master or Local Switch Whitelist 98
Deleting an Entry from the Master or Local Switch Whitelist 99
Purging the Master or Local Switch Whitelist 99

Working in Environments with Multiple Master Controllers 100
Configuring Networks with a Backup Master Controller 100
Configuring Networks with Clusters of Master Controllers 100
Creating a Cluster Root 101
Creating a Cluster Member 102
Viewing Controller Cluster Settings 102
Replacing a Controller on a Multi-Controller Network 103
Replacing Controllers in a Single Master Network 103
Replacing a Local Controller 103
Replacing a Master Controller with No Backup 104
Replacing a Redundant Master Controller 104
Replacing Controllers in a Multi-Master Network 105
Replacing a Local Controller in a Multi-Master Network 105
Replacing a Cluster Member Controller with no Backup 105
Replacing a Redundant Cluster Member Controller 105
Replacing a Cluster Root Controller with no Backup Controller 106
Replacing a Redundant Cluster Root Controller 106
Configuring Control Plane Security after Upgrading 106
Troubleshooting Control Plane Security 107
Identifying Certificate Problems 107
Verifying Certificates 108
Disabling Control Plane Security 108
Verifying Whitelist Synchronization 108
Supported APs 109
Rogue APs 109
Software Licenses 110
Understanding License Terminology 110
Working with Licenses 111
Centralized Licensing in a Multi-Controller Network 112
Primary and Backup Licensing Servers 113
Communication between the License Server and License Clients 113
Adding and Deleting licenses 115

Replacing a Controller 115
Failover Behaviors 115
Client is Unreachable 116
Server is Unreachable 116
Configuring Centralized Licensing 116
Pre-Configuration Setup in an All-Master Deployment 116
Pre-Configuration Setup in a Master/Local Topology 117
Enabling Centralized Licensing 117
Using the WebUI 117
Using the CLI 117
Monitoring and Managing Centralized Licenses 118
License server Table 118
License Client Table 118
License Client(s) Usage Table 119
Aggregate License Table 119
License Heartbeat Table 120
Using Licenses 120
Understanding License Interaction 121
License Installation Best Practices and Exceptions 122
Installing a License 122
Enabling a new license on your controller 122
Requesting a Software License in Email 122
Locating the System Serial Number 123
Obtaining a Software License Key 123
Creating a Software License Key 123
Applying the Software License Key in the WebUI 123
Applying the Software License Key in the License Wizard 124
Deleting a License 124
Moving Licenses 124
Resetting the Controller 124
Network Configuration Parameters 125
Configuring VLANs 125

Creating and Updating VLANs 125
In the WebUI 125
In the CLI 126
Creating Bulk VLANs In the WebUI 126
In the CLI 126
Creating a VLAN Pool 126
Using the WebUI 126
Distinguishing Between Even and Hash Assignment Types 127
Updating a VLAN Pool 127
Deleting a VLAN Pool 128
Creating a VLAN Pool Using the CLI 128
Viewing and Adding VLAN IDs Using the CLI 128
Role Derivation for Named VLAN Pools 128
In the CLI 129
In the WebUI 129
Creating a Named VLAN not in a Pool 129
In the WebUI 129
In the CLI 130
Adding a Bandwidth Contract to the VLAN 130
Optimizing VLAN Broadcast and Multicast Traffic 131
Using the CLI 131
Using the WebUI 131
Configuring Ports 132
Classifying Traffic as Trusted or Untrusted 132
About Trusted and Untrusted Physical Ports 132
About Trusted and Untrusted VLANs 132
Configuring Trusted/Untrusted Ports and VLANs 133
In the WebUI 133
In the CLI 133
Configuring Trusted and Untrusted Ports and VLANs in Trunk Mode 133
In the WebUI 133
In the CLI 134

Understanding VLAN Assignments 134
VLAN Derivation Priorities for VLAN types 135
How a VLAN Obtains an IP Address 135
Assigning a Static Address to a VLAN 135
In the WebUI 135
In the CLI 136
Configuring a VLAN to Receive a Dynamic Address 136
Configuring Multiple Wired Uplink Interfaces (Active-Standby) 136
Enabling the DHCP Client 136
In the WebUI 136
In the CLI 137
Enabling the PPPoE Client 137
In the WebUI 137
In the CLI 138
Default Gateway from DHCP/PPPoE 138
In the WebUI 138
In the CLI 138
Configuring DNS/WINS Server from DHPC/PPPoE 138
In the WebUI 138
In the CLI 138
Configuring Source NAT to Dynamic VLAN Address 139
In the WebUI 139
In the CLI 139
Configuring Source NAT for VLAN Interfaces 139
Example Configuration 139
In the WebUI 140
In the CLI 140
Inter-VLAN Routing 140
Using the WebUI to restrict VLAN routing 141
Using the CLI 141
Configuring Static Routes 141
In the WebUI 141

In the CLI 142
Configuring the Loopback IP Address 142
In the WebUI 142
In the CLI 142
Configuring the Controller IP Address 143
Using the CLI 143
Configuring GRE Tunnels 143
Creating a Tunnel Interface 144
In the WebUI 144
In the CLI 144
Directing Traffic into the Tunnel 144
Static Routes 144
Firewall Policy 145
In the WebUI 145
In the CLI 145
Tunnel Keepalives 145
In the WebUI 145
In the CLI 145
Configuring GRE Tunnel Group 145
Creating a Tunnel Group 146
In the WebUI 146
In the CLI 146
Jumbo Frame Support 147
Limitations for Jumbo Frame Support 147
Configuring Jumbo Frame Support 147
Using the WebUI 147
Using the CLI 148
Viewing the Jumbo Frame Support Status 148
IPv6 Support 151
Understanding IPv6 Notation 151
Understanding IPv6 Topology 151
Enabling IPv6 152

Enabling IPv6 Support for Controller and APs 152
Configuring IPv6 Addresses 154
In the WebUI 155
To Configure Link LocalAddress 155
To Configure GlobalUnicast Address 155
To Configure Loopback Interface Address 155
In the CLI 155
Configuring IPv6 Static Neighbors 155
In the WebUI 155
In the CLI 156
Configuring IPv6 Default Gateway and Static IPv6 Routes 156
In the WebUI 156
To Configure IPv6 Default Gateway 156
To Configure Static IPv6 Routes 156
In the CLI 156
Managing Controller IP Addresses 156
In the WebUI 156
In the CLI 157
Configuring Multicast Listener Discovery (MLD) 157
In the WebUI 157
To Modify IPv6 MLD Parameters 157
In the CLI 157
Debugging an IPv6 Controller 158
In the WebUI 158
In the CLI 158
Provisioning an IPv6 AP 158
In the WebUI 158
In the CLI 159
Filtering an IPv6 Extension Header (EH) 159
Configuring a Captive Portal over IPv6 159
Working with IPv6 Router Advertisements (RAs) 159
Configuring an IPv6 RA on a VLAN 160
Using WebUI 161

Using CLI 161
Configuring Optional Parameters for RAs 161
In the WebUI 162
In the CLI 162
Viewing IPv6 RA Status 163
RADIUS Over IPv6 163
In the CLI 163
In the WebUI 164
TACACS Over IPv6 164
In the CLI 165
In the WebUI 165
DHCPv6 Server 165
Points to Remember 165
DHCP Lease Limit 165
Configuring DHCPv6 Server 166
In the WebUI 166
In the CLI 166
Sample Configuration 167
Viewing DHCPv6 Server Information 167
Viewing DHCPv6 Server Settings 167
Viewing DHCPv6 Binding Information 168
Viewing DHCPv6 Statistics 169
Understanding ArubaOS Supported Network Configuration for IPv6 Clients 169
Supported Network Configuration 169
Understanding the Network Connection Sequence for Windows IPv6 Clients 169
Understanding ArubaOS Authentication and Firewall Features that Support IPv6 170
Understanding Authentication 170
Working with Firewall Features 170
Understanding Firewall Policies 172
Creating an IPv6 Firewall Policy 174
Assigning an IPv6 Policy to a User Role 175
Understanding DHCPv6 Passthrough/Relay 175

Managing IPv6 User Addresses 175
Viewing or Deleting User Entries 175
Understanding User Roles 175
Viewing Datapath Statistics for IPv6 Sessions 175
Understanding IPv6 Exceptions and Best Practices 176
Link Aggregation Control Protocol (LACP) 177
Understanding LACP Best Practices and Exceptions 177
Configuring LACP 177
In the CLI 178
In the WebUI 179
LACP Sample Configuration 179
OSPFv2 181
Understanding OSPF Deployment Best Practices and Exceptions 181
Understanding OSPFv2 by Example using a WLAN Scenario 182
WLAN Topology 182
WLAN Routing Table 183
Understanding OSPFv2 by Example using a Branch Office Scenario 183
Branch Office Topology 183
Branch Office Routing Table 184
Configuring OSPF 185
Exporting VPN Client Addresses to OSPF 186
In the WebUI 186
In the CLI 187
Sample Topology and Configuration 187
Remote Branch 1 187
Remote Branch 2 188
3200XM Central Office Controller—Active 189
3200XM Central Office Controller—Backup 191
Topology 192
Observation 193
Configuring 3600-UP Controller 193
Configuring 3600-DOWN Controller 194

Viewing the Status of Instant AP VPN 195
RAPNG AP-1 195
RAPNG AP-3 196
Tunneled Nodes 198
Understanding Tunneled Node Configuration 198
Configuring a Wired Tunneled Node Client 199
Configuring an Access Port as a Tunneled Node Port 200
Configuring a Trunk Port as a Tunneled Node Port 200
Sample Output 201
Authentication Servers 202
Understanding Authentication Server Best Practices and Exceptions 202
Understanding Servers and Server Groups 202
Configuring Servers 203
Configuring a RADIUS Server 203
Using the WebUI 203
Using the CLI 203
RADIUS Server VSAs 204
RADIUS Server Authentication Codes 207
RADIUS Server Fully Qualified Domain Names 207
DNS Query Intervals 208
Using the WebUI 208
Using the CLI 208
Configuring an RFC-3576 RADIUS Server 208
Using the WebUI 208
Using the CLI 208
Configuring an LDAP Server 209
Using the WebUI 209
Using the CLI 210
Configuring a TACACS+ Server 210
Using the WebUI 210
Using the CLI 210
Configuring a Windows Server 211

Using the WebUI 211
Using the CLI 211
Managing the Internal Database 211
Configuring the Internal Database 211
Using the WebUI 212
Using the CLI 212
Managing Internal Database Files 212
Exporting Files in the WebUI 213
Importing Files in the WebUI 213
Exporting and Importing Files in the CLI 213
Working with Internal Database Utilities 213
Deleting All Users 213
Repairing the Internal Database 213
Configuring Server Groups 214
Configuring Server Groups 214
Using the WebUI 214
Using the CLI 214
Configuring Server List Order and Fail-Through 214
Using the WebUI 215
Using the CLI 215
Configuring Dynamic Server Selection 215
Using the WebUI 216
Using the CLI 217
Configuring Match FQDN Option 217
Using the WebUI 217
Using the CLI 217
Trimming Domain Information from Requests 217
Using the WebUI 218
Using the CLI 218
Configuring Server-Derivation Rules 218
Using the WebUI 219
Using the CLI 219

Configuring a Role Derivation Rule for the Internal Database 219
Using the WebUI 220
Using the CLI 220
Assigning Server Groups 220
User Authentication 220
Management Authentication 220
Using the WebUI 221
Using the CLI 221
Accounting 221
RADIUS Accounting 221
Using the WebUI 223
Using the CLI 223
TACACS+ Accounting 223
Configuring Authentication Timers 223
Setting an Authentication Timer 224
Using the WebUI 224
Using the CLI 224
MAC-based Authentication 225
Configuring MAC-Based Authentication 225
Configuring the MAC Authentication Profile 225
Using the WebUI to configure a MAC authentication profile 226
Using the CLI to configure a MAC authentication profile 226
Configuring Clients 226
In the WebUI 226
In the CLI 226
802.1X Authentication 227
Understanding 802.1X Authentication 227
Supported EAP Types 227
Configuring Authentication with a RADIUS Server 228
Configuring Authentication Terminated on Controller 229
Configuring 802.1X Authentication 229
In the WebUI 230

In the CLI 234
Configuring and Using Certificates with AAA FastConnect 235
In the WebUI 235
In the CLI 236
Configuring User and Machine Authentication 236
Working with Role Assignment with Machine Authentication Enabled 236
Enabling 802.1x Supplicant Support on an AP 238
Prerequisites 238
Provisioning an AP as a 802.1X Supplicant 238
In the WebUI 238
In the CLI 239
Sample Configurations 239
Configuring Authentication with an 802.1X RADIUS Server 239
Configuring Roles and Policies 240
Creating the Student Role and Policy 240
In the WebUI 240
In the CLI 241
Creating the Faculty Role and Policy 241
Using the WebUI 241
In the CLI 242
Creating the Guest Role and Policy 242
In the WebUI 242
In the CLI 243
Creating Roles and Policies for Sysadmin and Computer 243
In the WebUI 243
In the CLI 243
Using the WebUI to create the computer role 244
Creating an Alias for the Internal Network Using the CLI 244
Configuring the RADIUS Authentication Server 244
In the WebUI 244
In the CLI 244
Configuring 802.1X Authentication 245
In the WebUI 245

In the CLI 245
In the WebUI 246
In the CLI 246
Configuring the WLANs 247
Configuring the Guest WLAN 247
In the WebUI 247
In the CLI 247
Configuring the Non-Guest WLANs 248
In the WebUI 248
In the CLI 249
Configuring Authentication with the Controller’s Internal Database 249
Configuring the Internal Database 249
In the WebUI 249
In the CLI 249
Configuring a Server Rule Using the WebUI 250
Configuring a Server Rule Using the CLI 250
Configuring 802.1x Authentication 250
In the WebUI 250
In the CLI 251
In the WebUI 251
In the CLI 251
Configuring WLANs 252
Configuring the Guest WLAN 252
In the WebUI 252
In the CLI 253
Configuring the Non-Guest WLANs 253
In the WebUI 253
In the CLI 254
Configuring Mixed Authentication Modes 254
In the CLI 255

Performing Advanced Configuration Options for 802.1X 255
Configuring Reauthentication with Unicast Key Rotation 255
In the WebUI 255
In the CLI 256
Stateful and WISPr Authentication 257
Working With Stateful Authentication 257
Working With WISPr Authentication 257
Understanding Stateful Authentication Best Practices 258
Configuring Stateful 802.1x Authentication 258
In the WebUI 258
In the CLI 259
Configuring Stateful NTLM Authentication 259
In the WebUI 259
In the CLI 260
Configuring Stateful Kerberos Authentication 260
In the WebUI 260
In the CLI 261
Configuring WISPr Authentication 261
In the WebUI 261
In the CLI 262
Certificate Revocation 264
Understanding OCSP and CRL 264
Configuring a Controller as OCSP and CRL Clients 264
Configuring an OCSPController as a Responder 265
Configuring the Controller as an OCSP Client 265
In the WebUI 265
In the CLI 267
Configuring the Controller as a CRL Client 267
In the WebUI 267
In the CLI 268
Configuring the Controller as an OCSP Responder 268
In the WebUI 268

In the CLI 269
Certificate Revocation Checking for SSH Pubkey Authentication 269
Configuring the SSH Pubkey User with RCP 269
In the WebUI 269
In the CLI 269
Displaying Revocation Checkpoint for the SSH Pubkey User 270
Configuring the SSH Pubkey User with RCP 270
In the WebUI 270
In the CLI 270
Removing the SSH Pubkey User 270
In the WebUI 270
In the CLI 270
Captive Portal Authentication 271
Understanding Captive Portal 271
Policy Enforcement Firewall Next Generation (PEFNG) License 271
Controller Server Certificate 272
Configuring Captive Portal in the Base Operating System 272
In the WebUI 273
In the CLI 274
Using Captive Portal with a PEFNG License 274
Configuring Captive Portal in the WebUI 275
Configuring Captive Portal in the CLI 276
Sample Authentication with Captive Portal 277
Creating a Guest User Role 277
Creating an Auth-guest User Role 277
Configuring Policies and Roles in the WebUI 278
Creating a Time Range 278
Creating Aliases 279
Creating an Auth-Guest-Access Policy 279
Creating an Block-Internal-Access Policy 280
Creating a Drop-and-Log Policy 281
Creating a Guest Role 281

Creating an Auth-Guest Role 281
Configuring Policies and Roles in the CLI 282
Defining a Time Range 282
Creating Aliases 282
Creating a Guest-Logon-Access Policy 282
Creating an Auth-Guest-Access Policy 282
Creating a Block-Internal-Access Policy 283
Creating a Drop-and-Log Policy 283
Creating a Guest-Logon Role 283
Creating an Auth-Guest Role 283
Configuring Guest VLANs 283
In the WebUI 283
In the CLI 284
Configuring Captive Portal Authentication Profiles 284
Modifying the Initial User Role 285
Configuring the AAA Profile 285
Configuring the WLAN 285
Managing User Accounts 286
Configuring Captive Portal Configuration Parameters 286
Enabling Optional Captive Portal Configurations 288
Uploading Captive Portal Pages by SSID Association 289
Changing the Protocol to HTTP 289
Configuring Redirection to a Proxy Server 290
Redirecting Clients on Different VLANs 291
Web Client Configuration with Proxy Script 292
Personalizing the Captive Portal Page 292
Creating and Installing an Internal Captive Portal 295
Creating a New Internal Web Page 295
Username Example 296
Password Example 296
FQDN Example 296
Basic HTML Example 297

Installing a New Captive Portal Page 297
Displaying Authentication Error Messages 297
Reverting to the Default Captive Portal 298
Configuring Localization 298
Customizing the Welcome Page 301
Customizing the Pop-Up box 303
Customizing the Logged Out Box 303
Creating Walled Garden Access 304
In the WebUI 305
In the CLI 305
Enabling Captive Portal Enhancements 305
Configuring the Redirect-URL 306
Configuring the Login URL 306
Defining Netdestination Descriptions 306
Configuring a Whitelist 307
Configuring the Netdestination for a Whitelist: 307
Associating a Whitelist to Captive Portal Profile 307
Applying a Captive Portal Profile to a User-Role 307
Verifying a Whitelist Configuration 307
Verifying a Captive Portal Profile Linked to a Whitelist 307
Verifying Dynamic ACLs for a Whitelist 308
Verifying DNS Resolved IP Addresses for Whitelisted URLs 309
Virtual Private Networks 310
Planning a VPN Configuration 310
Selecting an IKE protocol 311
Understanding Suite-B Encryption Licensing 311
Working with IKEv2 Clients 312
Understanding Supported VPN AAA Deployments 312
Working with Certificate Groups 312
Working with VPN Authentication Profiles 313
Configuring a Basic VPN for L2TP/IPsec in the WebUI 314
Defining Authentication Method and Server Addresses 314

Defining Address Pools 315
RADIUS Framed-IP-Address for VPN Clients 315
Enabling Source NAT 315
Selecting Certificates 315
Defining IKEv1 Shared Keys 316
Configuring IKE Policies 316
Setting the IPsec Dynamic Map 317
Finalizing WebUI changes 318
Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI 318
Defining Authentication Method and Server Addresses 319
Defining Address Pools 319
Enabling Source NAT 319
Selecting Certificates 319
Configuring IKE Policies 320
Setting the IPsec Dynamic Map 321
Finalizing WebUI changes 321
Configuring a VPN for Smart Card Clients 322
Working with Smart Card clients using IKEv2 322
Working with Smart Card Clients using IKEv1 323
Configuring a VPN for Clients with User Passwords 323
In the WebUI 323
In the CLI 324
Configuring Remote Access VPNs for XAuth 324
Configuring VPNs for XAuth Clients using Smart Cards 324
Configuring a VPN for XAuth Clients Using a Username and Password 326
Working with Remote Access VPNs for PPTP 326
In the WebUI 327
In the CLI 327
Working with Site-to-Site VPNs 327
Working with Third-Party Devices 327
Working with Site-to-Site VPNs with Dynamic IP Addresses 328
Understanding VPN Topologies 328

Configuring Site-to-Site VPNs 328
In the WebUI 328
In the CLI 330
Detecting Dead Peers 331
Understanding Default IKE policies 331
Working with VPN Dialer 332
Configuring VPN Dialer 332
In the WebUI 333
In the CLI 333
Assigning a Dialer to a User Role 333
In the WebUI 333
In the CLI 334
Roles and Policies 335
Configuring Firewall Policies 335
Working With Access Control Lists (ACLs) 336
Support for Desktop Virtualization Protocols 336
Creating a Firewall Policy 336
In the WebUI 338
In the CLI 339
Creating a Network Service Alias 339
In the WebUI 339
In the CLI 340
Creating an ACL White List 340
In the WebUI 340
Configuring the ACL White List in the WebUI 340
Configuring the White List Bandwidth Contract in the CLI 340
Configuring the ACL White List in the CLI 341
Creating User Roles 341
Creating a User Role 342
In the WebUI 342
In the CLI 342
Bandwidth Contracts 343

Configuring a Bandwidth Contract in the WebUI 343
Assigning a Bandwidth Contract to a User Role in the WebUI 343
Configuring and Assigning Bandwidth Contracts in the CLI 344
Bandwidth Contract Exceptions 344
Viewing the Current Exceptions List 344
Configuring Bandwidth Contract Exceptions 344
Assigning User Roles 344
Assigning User Roles in AAA Profiles 345
In the WebUI 345
In the CLI 345
Working with User-Derived VLANs 345
Understanding Device Identification 346
Configuring a User-derived VLAN in the WebUI 347
Configuring a User-derived Role or VLAN in the CLI 347
User-Derived Role Example 347
RADIUS Override of User-Derived Roles 348
Configuring a Default Role for Authentication Method 348
In the WebUI 349
In the CLI 349
Configuring a Server-Derived Role 349
Configuring a VSA-Derived Role 349
Understanding Global Firewall Parameters 350
Virtual APs 354
Configuring Virtual AP Profiles 354
Excluding a Virtual AP Profile From an AP in the WebUI 355
Excluding a Virtual AP Profile From an AP in the CLI 355
Configuring a Virtual AP 355
Configuring the WLAN 356
Configuring the User Role 356
In the WebUI 356
In the CLI 356
Configuring Authentication Servers 357

In the WebUI 357
In the CLI 357
Configuring Authentication 357
In the WebUI 357
In the CLI 359
Applying the Virtual AP 359
In the WebUI 359
In the CLI 363
Creating a new SSID Profile 364
In the WebUI 364
In the CLI 368
Configuring an SSID for Suite-B Cryptography 369
Configuring a Guest WLAN 369
Configuring a VLAN 369
In the WebUI 369
In the CLI 369
Configuring a Guest Role 370
In the WebUI 370
In the CLI 370
Configuring a Guest Virtual AP 370
In the WebUI 370
In the CLI 371
Enabling bSec SSID Support 371
In the CLI 371
In the WebUI 372
Enabling 802.11k Support 372
In the WebUI 373
In the CLI 375
375
Working with Radio Resource Management Information Elements 375
Working with Beacon Report Requests 377

Working with a Traffic Stream Measurement Report 378
802.11v Support 380
Interaction between 802.11k and 802.11v clients 381
Configuring a High-Throughput Virtual AP 381
In the WebUI 381
In the CLI 385
Managing High-Throughput Profiles 386
Support for 802.11r Standard 386
Important Points to Remember 387
Configuring Fast BSS Transition 387
In the WebUI 387
In the CLI 387
Troubleshooting Fast BSS Transition 388
Adaptive Radio Management (ARM) 389
ARM Feature Overviews 389
Configuring ARM Settings 389
ARM Troubleshooting 389
Understanding ARM 389
ARM Support for 802.11n 390
Monitoring Your Network with ARM 390
Maintaining Channel Quality 390
Configuring ARM Scanning 390
Understanding ARM Application Awareness 390
Client Match 391
ARM Coverage and Interference Metrics 392
Configuring ARM Profiles 392
Creating and Configuring a New ARM Profile 392
In the WebUI 393
In the CLI 398
Modifying an Existing Profile 399
Copying an Existing Profile 399
Deleting a Profile 400

Assigning an ARM Profile to an AP Group 400
In the WebUI 400
In the CLI 401
Using Multi-Band ARM for 802.11a/802.11g Traffic 401
Band Steering 401
Steering Modes 402
Enabling Band Steering 402
In the WebUI 402
In the CLI 403
Enabling Traffic Shaping 403
Enabling Traffic Shaping 403
In the WebUI 404
In the CLI 404
Enabling or Disabling the Hard Limit Parameter in Traffic Management Profile 405
Using the WebUI 405
Using the CLI 405
Spectrum Load Balancing 405
Reusing Channels to Control RX Sensitivity Tuning 406
Configuring Non-802.11 Noise Interference Immunity 406
Troubleshooting ARM 407
Too many APs on the Same Channel 407
Wireless Clients Report a Low Signal Level 407
Transmission Power Levels Change Too Often 407
APs Detect Errors but Do Not Change Channels 407
APs Don’t Change Channels Due to Channel Noise 407
Wireless Intrusion Prevention 408
Working with the Reusable Wizard 408
Understanding Wizard Intrusion Detection 409
Understanding Wizard Intrusion Protection 410
Protecting Your Infrastructure 410
Protecting Your Clients 410
Monitoring the Dashboard 411

Detecting Rogue APs 412
Understanding Classification Terminology 412
Understanding Classification Methodology 413
Understanding Match Methods 413
Understanding Match Types 413
Understanding Suspected Rogue Confidence Level 414
Understanding AP Classification Rules 414
Understanding SSID specification 414
Understanding SNR specification 414
Understanding Discovered-AP-Count specification 414
Sample Rules 415
Understanding Rule Matching 415
Working with Intrusion Detection 415
Understanding Infrastructure Intrusion Detection 415
Detecting an 802.11n 40MHz Intolerance Setting 418
Detecting Active 802.11n Greenfield Mode 418
Detecting Ad hoc Networks 419
Detecting an Ad hoc Network Using a Valid SSID 419
Detecting an AP Flood Attack 419
Detecting AP Impersonation 419
Detecting AP Spoofing 419
Detecting Bad WEP Initialization 419
Detecting a Beacon Frame Spoofing Attack 419
Detecting a Client Flood Attack 419
Detecting a CTS Rate Anomaly 419
Detecting an RTS Rate Anomaly 420
Detecting Devices with an Invalid MAC OUI 420
Detecting an Invalid Address Combination 420
Detecting an Overflow EAPOL Key 420
Detecting Overflow IE Tags 420
Detecting a Malformed Frame-Assoc Request 420
Detecting Malformed Frame-Auth 420

Detecting a Malformed Frame-HT IE 420
Detecting a Malformed Frame-Large Duration 420
Detecting a Misconfigured AP 421
Detecting a Windows Bridge 421
Detecting a Wireless Bridge 421
Detecting Broadcast Deauthentication 421
Detecting Broadcast Disassociation 421
Detecting Netstumbler 421
Detecting Valid SSID Misuse 421
Detecting Wellenreiter 421
Understanding Client Intrusion Detection 421
Detecting a Block ACK DoS 423
Detecting a ChopChop Attack 423
Detecting a Disconnect Station Attack 424
Detecting an EAP Rate Anomaly 424
Detecting a FATA-Jack Attack Structure 424
Detecting a Hotspotter Attack 424
Detecting a Meiners Power Save DoS Attack 424
Detecting an Omerta Attack 424
Detecting Rate Anomalies 424
Detecting a TKIP Replay Attack 424
Detecting Unencrypted Valid Clients 425
Detecting a Valid Client Misassociation 425
Detecting an AirJack Attack 425
Detecting ASLEAP 425
Detecting a Null Probe Response 425
Configuring Intrusion Protection 425
Understanding Infrastructure Intrusion Protection 426
Protecting 40MHz 802.11 High Throughput Devices 427
Protecting 802.11n High Throughput Devices 427
Protecting Against Adhoc Networks 427
Protecting Against AP Impersonation 428

Protecting Against Misconfigured APs 428
Protecting Against Wireless Hosted Networks 428
Protecting SSIDs 428
Protecting Against Rogue Containment 428
Protecting Against Suspected Rogue Containment 428
Protection against Wired Rogue APs 428
Understanding Client Intrusion Protection 428
Protecting Valid Stations 429
Protecting Windows Bridge 429
Configuring the WLAN Management System (WMS) 429
In the WebUI 429
In the CLI 430
Configuring Local WMS Settings 430
Managing the WMS Database 430
Understanding Client Blacklisting 431
Methods of Blacklisting 431
Blacklisting Manually 431
Blacklisting by Authentication Failure 432
Enabling Attack Blacklisting 432
Setting Blacklist Duration 433
Removing a Client from Blacklisting 433
Working with WIP Advanced Features 433
Configuring TotalWatch 434
Understanding TotalWatch Channel Types and Qualifiers 434
Understanding TotalWatch Monitoring Features 435
Understanding TotalWatch Scanning Spectrum Features 435
Understanding TotalWatch Channel Dwell Time 435
Understanding TotalWatch Channel Visiting 435
Understanding TotalWatch Age out of Devices 436
Administering TotalWatch 436
Configuring Per Radio Settings 436
Configuring Per AP Setting 436

Licensing 437
Tarpit Shielding Overview 437
Configuring Tarpit Shielding 438
EnablingTarpit Shielding 438
Understanding Tarpit Shielding Licensing CLI Commands 438
Access Points (APs) 439
Basic Functions and Features 439
Naming and Grouping APs 440
Creating an AP group 441
In the WebUI 441
In the CLI 441
Assigning APs to an AP Group 441
In the WebUI 441
In the CLI 442
Understanding AP Configuration Profiles 442
442
AP Profiles 442
RF Management Profiles 443
Wireless LAN Profiles 444
Mesh Profiles 446
QoS Profiles 447
IDS Profiles 447
HA Group profiles 447
Other Profiles 447
Profile Hierarchy 448
Viewing Profile Errors 448
Deploying APs 448
Verifying that APs Can Connect to the Controller 449
Configuring Firewall Settings 449
Enabling Controller Discovery 449
Configuring DNS Resolution 450
Configuring DHCP Server Communication with APs 450

Using the Aruba Discovery Protocol (ADP) 450
Verifying that APs Are Receiving IP Addresses 451
In the WebUI 451
In the CLI 451
Provisioning APs for Mesh 451
Provisioning 802.11n APs for Single-Chain Transmission 452
Installing APs on the Network 453
Provisioning Installed APs 453
Designation an AP as Remote (RAP) versus Campus (CAP) 454
Working with the AP Provisioning Wizard 454
Provisioning an Individual AP 454
Provisioning Multiple APs using a Provisioning Profile 457
Assigning Provisioning Profiles 459
Troubleshooting 459
Configuring a Provisioned AP 460
AP Installation Modes 460
Using the WebUI 460
Using the CLI 460
Renaming an AP 461
Using the WebUI 461
Using the CLI 461
Optimize APs Over Low-Speed Links 461
Configuring the Bootstrap Threshold 462
Prioritizing AP heartbeats 465
Enabling or Disabling the Spanning Tree Parameter in AP System Profile 465
Using the WebUI 465
Using the CLI 466
466
AP Redundancy 466
Using the WebUI 466
Using the CLI 466
AP Maintenance Mode 467

Using the WebUI 467
Using the CLI 467
Energy Efficient Ethernet 467
Using the WebUI 467
Using the CLI 468
Managing AP LEDs 468
Using the WebUI 469
Using the CLI 469
RF Management 469
802.11a and 802.11g RF Management Profiles 469
Managing 802.11a/802.11g Profiles Using the WebUI 470
Creating or Editing a Profile 470
Assigning an 802.11a/802.11g Profile 474
Assigning a High-throughput Profile 474
Assigning an ARM Profile 475
Managing 802.11a/802.11g Profiles Using the CLI 476
Creating or Modifying a Profile 476
Viewing RF Management Settings 477
Assigning a 802.11a/802.11g Profile 477
RF Optimization 477
Using the WebUI 477
Using the CLI 478
RF Event Configuration 478
Using the WebUI 478
Using the CLI 480
Configuring AP Channel Assignments 480
Using the WebUI 480
Using the CLI 481
Channel Switch Announcement (CSA) 481
Using the WebUI 482

Using the CLI 482
Automatic Channel and Transmit Power Selection 482
Managing AP Console Settings 482
Secure Enterprise Mesh 484
Understanding Mesh Access Points 484
Mesh Portals 485
Mesh Points 485
Mesh Clusters 486
Understanding Mesh Links 486
Link Metrics 487
Optimizing Links 487
Understanding Mesh Profiles 488
Mesh Cluster Profile 488
Mesh Radio Profile 488
RF Management (802.11a and 802.11g) Profiles 488
Adaptive Radio Management Profiles 489
High-Throughput Profiles 489
Mesh High-Throughput SSID Profile 489
Wired AP Profile 489
Mesh Recovery Profile 490
Understanding Mesh Solutions 490
Thin AP Services with Wireless Backhaul Deployment 490
Point-to-Point Deployment 491
Point-to-Multipoint Deployment 491
High-Availability Deployment 492
Planning Deployment 492
Pre-Deployment Considerations 493
Outdoor-Specific Deployment Considerations 493
Configuration Considerations 493
Post-Deployment Considerations 493
Dual-Port AP Considerations 494
Working with Mesh Radio Profiles 494

Managing Mesh Profiles In the WebUI 494
Creating a New Profile 494
Assigning a Profile to a Mesh AP or AP Group 497
Editing a Profile 497
Managing Mesh Profiles In the CLI 498
Viewing Profile Settings 499
Assigning a Profile to an AP Group 499
Deleting a Mesh Radio Profile 499
Working with Mesh High Throughput SSID Profiles 499
Managing Profiles In the WebUI 499
Creating a Profile 499
Managing Profiles In the CLI 503
Viewing High-throughput SSID Settings 504
Understanding Mesh Cluster Profiles 504
Deployments with Multiple Mesh Cluster Profiles 504
Managing Mesh Cluster Profiles In the WebUI 505
Creating a Profile 505
Associating a Profile to Mesh APs 506
Deleting a Mesh Cluster Profile 507
Managing Mesh Cluster Profiles In the CLI 507
Viewing Mesh Cluster Profile Settings 508
Associating Mesh Cluster Profiles 508
Excluding a Mesh Cluster Profile from a Mesh Node 508

Deleting a Mesh Cluster Profile 509
Configuring Ethernet Ports for Mesh 509
Configuring Bridging on the Ethernet Port 509
Configuring Ethernet Ports for Secure Jack Operation 510
In the WebUI 510
In the CLI 510
Extending the Life of a Mesh Network 511
In the WebUI 511
In the CLI 511
Provisioning Mesh Nodes 511
Outdoor AP Parameters 512
Provisioning Caveats 512
Provisioning Mesh Nodes 513
In the WebUI 513
In the CLI 513
Understanding the AP Boot Sequence 514
Booting the Mesh Portal 514
Booting the Mesh Point 514
Air Monitoring and Mesh 514
Verifying the Network 514
Verification Checklist 515
CLI Examples 515
Configuring Remote Mesh Portals (RMPs) 516
How RMP Works 516
Creating a Remote Mesh Portal In the WebUI 517
Provisioning the AP 517
Defining the Mesh Private VLAN 518
Selecting a Mesh Radio Profile 518
Selecting an RF Management Profile 519
Adding a Mesh Cluster Profile 519
Configuring a DHCP Pool 520
Configuring the VLAN ID of the Virtual AP Profile 520

Provisioning a Remote Mesh Portal In the CLI 521
Additional Information 521
Redundancy and VRRP 522
High Availability:Fast Failover 522
VRRP-Based Redundancy 522
Configuring Redundancy Parameters 522
Configuring the Local Controller for Redundancy 524
In the WebUI 524
In the CLI 524
Configuring the LMS IP 524
In the WebUI 524
In the CLI 525
Configuring the Master Controller for Redundancy 525
Configuring Database Synchronization 526
In the WebUI 526
In the CLI 526
Enabling Incremental Configuration Synchronization (CLI Only) 527
Configuring Master-Local Controller Redundancy 527
Configuring High Availability:Fast Failover 529
Active/Active Deployment model 529
1:1 Active/Standby Deployment model 530
N:1 Active/Standby Deployment model 530
AP Communication with Controllers 531
Configuring High Availability: Fast Failover 531
Using the WebUI 531
Using the CLI 532
Migrating from another Redundancy Solution 532
Migrating from VRRP Redundancy 532
Migrating from Backup-LMS Redundancy 533
RSTP 534
Understanding RSTP Migration and Interoperability 534
Working with Rapid Convergence 534

Edge Port and Point-to-Point 536
Configuring RSTP 536
In the WebUI 536
In the CLI 537
Monitoring RSTP 537
Troubleshooting RSTP 538
PVST+ 540
Understanding PVST+ Interoperability and Best Practices 540
Enabling PVST+ in the CLI 540
Enabling PVST+ in the WebUI 541
IP Mobility 542
Understanding Aruba Mobility Architecture 542
Configuring Mobility Domains 543
Configuring a Mobility Domain 544
Using the WebUI 544
Using the CLI 544
Joining a Mobility Domain 545
In the WebUI 545
In the CLI 545
Configuring Mobility using the WebUI 545
Configuring Mobility using the CLI 546
Tracking Mobile Users 547
Mobile Client Roaming Status 547
Viewing mobile client status using the WebUI 547
Viewing mobile client status using the CLI 547
Viewing user roaming status using the CLI 548
Viewing specific client information using the CLI 548
Mobile Client Roaming Locations 548
In the WebUI 548
In the CLI 548
HA Discovery on Association 548

Setting up mobility association Using the CLI 549
Configuring Advanced Mobility Functions 549
In the WebUI 549
In the CLI 550
Proxy Mobile IP 551
Revocations 551
IPv6 L3 Mobility 551
Multicast Mobility 552
Understanding Bridge Mode Mobility Deployments 558
Enabling Mobility Multicast 559
Working with Proxy IGMP and Proxy Remote Subscription 559
Working with Inter controller Mobility 560
Configuring Mobility Multicast 561
In the WebUI 561
In the CLI 561
Example 562
External Firewall Configuration 563
Understanding Firewall Port Configuration Among Aruba Devices 563
Enabling Network Access 564
Ports Used for Virtual Internet Access (VIA) 564
Configuring Ports to Allow Other Traffic Types 564
Remote Access Points 565
About Remote Access Points 565
Configuring the Secure Remote Access Point Service 567
Configure a Public IP Address for the Controller 567
Using the WebUI to create a DMZ address 567
Using CLI 567
Configure the NAT Device 568
Configure the VPN Server 568
Using the WebUI 568
Using CLI 568

CHAP Authentication Support over PPPoE 568
Using the WebUI to configure CHAP 568
Using the CLI to configure the CHAP 569
Configuring Certificate RAP 569
Using WebUI 569
Using CLI 569
Creating a Remote AP Whitelist 569
Configuring PSK RAP 570
Add the user to the internal database 570
Using WebUI 570
Using CLI 570
RAP Static Inner IP Address 570
Using the WebUI 570
Using the CLI 571
Provision the AP 571
Deploying a Branch Office/Home Office Solution 572
Provisioning the Branch Office AP 573
Configuring the Branch Office AP 573
Troubleshooting Remote AP 573
Local Debugging 573
Remote AP Summary 573
Multihoming on remote AP (RAP) 575
Seamless failover from backup link to primary link on RAP 575
Remote AP Connectivity 576
Remote AP Diagnostics 576
Enabling Remote AP Advanced Configuration Options 576
Understanding Remote AP Modes of Operation 577
Working in Fallback Mode 579
Backup Configuration Behavior for Wired Ports 580
Configuring Fallback Mode 580
Configuring the AAA Profile for Fallback Mode in the WebUI 580
Configuring the AAA Profile for Fallback Mode in the CLI 581

Configuring the Virtual AP Profile for Fallback Mode in the WebUI 581
Configuring the Virtual AP Profile for Fallback Mode in the CLI 582
Configuring the DHCP Server on the Remote AP 582
Using the WebUI 582
Using CLI 583
Configuring Advanced Backup Options 583
Configuring the Session ACL in the WebUI 584
Configuring the AAA Profile in the WebUI 585
Defining the Backup Configuration in the WebUI 585
Configuring the Session ACL in the CLI 586
Using the CLI to configure the AAA profile 586
Defining the Backup Configuration in the CLI 586
Specifying the DNS Controller Setting 587
In the WebUI 587
Backup Controller List 588
Configuring the LMS and backup LMS IP addresses in the WebUI 588
Configuring the LMS and backup LMS IP addresses in the CLI 588
Configuring Remote AP Failback 589
In the WebUI 589
In the CLI 589
Enabling RAP Local Network Access 589
In the WebUI 589
In the CLI 590
Configuring Remote AP Authorization Profiles 590
Adding or Editing a Remote AP Authorization Profile 590
Working with Access Control Lists and Firewall Policies 591
Understanding Split Tunneling 591
Configuring Split Tunneling 591
Configuring the Session ACL Allowing Tunneling 592
Using the WebUI 592
Using the CLI 593
Configuring an ACL to Restrict Local Debug Homepage Access 594

In the WebUI 594
In the CLI 594
Configuring the AAA Profile for Tunneling 595
In the WebUI 595
Inthe CLI 595
Configuring the Virtual AP Profile 596
In the WebUI 596
In the CLI 596
Defining Corporate DNS Servers 597
In the WebUI 597
In the CLI 597
Understanding Bridge 597
Configuring Bridge 597
Configuring the Session ACL 598
Using the WebUI 598
Using the CLI 599
Configuring the AAA Profile for Bridge 599
In the WebUI 600
Inthe CLI 600
Configuring Virtual AP Profile 600
In the WebUI 600
In the CLI 601
Provisioning Wi-Fi Multimedia 601
Reserving Uplink Bandwidth 601
Understanding Bandwidth Reservation for Uplink Voice Traffic 602
Configuring Bandwidth Reservation 602
In the WebUI 602
In the CLI 602
Provisioning 4G USB Modems on Remote Access Points 603
4G USB Modem Provisioning Best Practices and Exceptions 603
Provisioning RAP for USB Modems 603
In the WebUI 603

In the CLI 604
RAP 3G/4G Backhaul Link Quality Monitoring 604
Provisioning RAPs at Home 605
Prerequisites 605
Provisioning RAP Using Zero-Touch Provisioning 605
Provisioning the RAP using a Static IP Address 606
Provision the RAP on a PPPoE Connection 606
Using 3G/EVDO USB Modems 607
Configuring RAP-3WN and RAP-3WNP Access Points 608
Using the WebUI 609
Using the CLI 609
Converting an IAP to RAP or CAP 609
Converting IAP to RAP 609
Converting an IAP to CAP 610
Enabling Bandwidth Contract Support for RAPs 610
Configuring Bandwidth Contracts for RAP 610
Defining Bandwidth Contracts 610
Applying Contracts 611
Applying Contracts Per-Role 611
Applying Contracts Per-User 611
Verifying Contracts on AP 611
Verifying Contracts Applied to Users 612
Verifying Bandwidth Contracts During Data Transfer 612
Virtual Intranet Access 614
Understanding VIA Connection Manager 614
How it Works 614
Installing the VIA Connection Manager 615
On Microsoft Windows Computers 615
On Apple MacBooks 615
Upgrade Workflow 616
Minimal Upgrade 616
Complete Upgrade 616

VIA Compatibility 616
Configuring the VIA Controller 616
Before you Begin 617
Supported Authentication Mechanisms 617
Authentication mechanisms supported in VIA 1.x 617
Authentication mechanisms supported in VIA 2.x 617
Other authentication methods: 617
Suite B Cryptography Support 617
802.11 Suite-B 618
Configuring VIA Settings 618
Using the WebUI to Configure VIA 619
Enable VPN Server Module 619
Create VIA User Roles 619
Create VIA Authentication Profile 619
Create VIA Connection Profile 620
Configure VIA Web Authentication 624
Associate VIA Connection Profile to User Role 625
Configure VIA Client WLAN Profiles 626
Rebranding VIA and Downloading the Installer 628
Download VIA Installer and Version File 628
Customize VIA Logo 629
Customize the Landing Page for Web-based Login 629
Using the CLI to Configure VIA 629
Create VIA roles 629
Create VIA authentication profiles 629
Create VIA connection profiles 629
Configure VIA web authentication 630
Associate VIA connection profile to user role 630
Configure VIA client WLAN profiles 630
Customize VIA logo, landing page and downloading installer 630
Downloading VIA 630
Pre-requisites 630

Downloading VIA 631
Installing VIA 632
Using VIA 632
Connection Details Tab 632
Diagnostic Tab 633
Settings Tab 633
Troubleshooting 633
Spectrum Analysis 634
Understanding Spectrum Analysis 634
Spectrum Analysis Clients 637
Hybrid AP Channel Changes 638
Hybrid APs Using Mode-Aware ARM 638
Creating Spectrum Monitors and Hybrid APs 639
Converting APs to Hybrid APs 639
In the WebUI 639
In the CLI 639
Converting an Individual AP to a Spectrum Monitor 640
In the WebUI 640
In the CLI 640
Converting a Group of APs to Spectrum Monitors 640
In the WebUI 641
In the CLI 641
Connecting Spectrum Devices to the Spectrum Analysis Client 641
View Connected Spectrum Analysis Devices 642
Disconnecting a Spectrum Device 643
Configuring the Spectrum Analysis Dashboards 644
Selecting a Spectrum Monitor 644
Changing Graphs within a Spectrum View 645
Renaming a Spectrum Analysis Dashboard View 645
Saving a Dashboard View 646
Resizing an Individual Graph 647
Customizing Spectrum Analysis Graphs 647

Spectrum Analysis Graph Configuration Options 648
Active Devices 648
Active Devices Table 649
Active Devices Trend 652
Channel Metrics 653
Channel Metrics Trend 655
Channel Summary Table 657
Device Duty Cycle 658
Channel Utilization Trend 660
Devices vs Channel 661
FFT Duty Cycle 663
Interference Power 664
Quality Spectrogram 666
Real-Time FFT 668
Swept Spectrogram 669
Working with Non-Wi-Fi Interferers 673
Understanding the Spectrum Analysis Session Log 674
Viewing Spectrum Analysis Data 674
Recording Spectrum Analysis Data 675
Creating a Spectrum Analysis Record 675
Saving the Recording 676
Playing a Spectrum Analysis Recording 677
Playing a Recording in the Spectrum Dashboard 677
Playing a Recording Using the RFPlayback Tool 677
Troubleshooting Spectrum Analysis 678
Verifying Spectrum Monitors Support for One Client per Radio 678
Converting a Spectrum Monitor Back to an AP or Air Monitor 678
Troubleshooting Browser Issues 678
Loading a Spectrum View 679
Troubleshooting Issues with Adobe Flash Player 10.1 or Later 679
Understanding Spectrum Analysis Syslog Messages 679
Playing a Recording in the RFPlayback Tool 679

Dashboard Monitoring 680
Performance 680
Clients 680
APs 680
Using Dashboard Histograms 681
Usage 681
Security 682
Potential Issues 682
WLANs 682
Access Points 683
Clients 684
Firewall 685
In the WebUI 685
In the CLI 685
Element View 685
Details View 687
Element Tab 687
Element Summary View 687
Usage Breakdown 688
Aggregated Sessions 689
Automatic Reporting 691
Understanding SMTP Requirements 691
Configuring Weekly Automatic Reporting 691
In the WebUI 691
In the CLI 692
Generating and Sending an Individual Report 692
In the WebUI 692
In the CLI 693
Viewing Report Status 693
In the WebUI 693
In the CLI 693

Management Access 694
Configuring Certificate Authentication for WebUI Access 694
In the WebUI 694
In the CLI 695
Enabling Public Key Authentication for SSH Access 695
In the WebUI 695
In the CLI 696
Enabling RADIUS Server Authentication 696
Configuring RADIUS Server Username and Password Authentication 696
In the WebUI 696
In the CLI 696
Configuring RADIUS Server Authentication with VSA 697
Configuring RADIUS Server Authentication with Server Derivation Rule 697
In the WebUI 697
In the CLI 698
Configuring a set-value server-derivation rule 698
In the WebUI 698
In the CLI 699
Disabling Authentication of Local Management User Accounts 699
In the WebUI 699
In the CLI 699
Verifying the configuration 699
Resetting the Admin or Enable Password 699
Bypassing the Enable Password Prompt 700
Setting an Administrator Session Timeout 701
In the WebUI 701
In the CLI 701
Connecting to an AirWave Server 701
Custom Certificate Support for RAP 702
Suite-B Support for ECDSA Certificate 702
Setting the Default Server Certificate 703
In the CLI 703

Importing a Custom Certificate 703
In the WebUI 703
Generating a CSR 703
Uploading the Certificate 703
Implementing a Specific Management Password Policy 703
Defining a Management Password Policy 703
In the WebUI 704
Management Authentication Profile Parameters 705
Configuring AP Image Preload 706
Enable and Configure AP Image Preload 707
In the WebUI 707
In the CLI 707
View AP Preload Status 708
Configuring Centralized Image Upgrades 708
Configuring Centralized Image Upgrades 709
Using the WebUI 709
In the CLI 710
Viewing Controller Upgrade Statistics 710
Managing Certificates 711
About Digital Certificates 712
Obtaining a Server Certificate 712
In the WebUI 712
In the CLI 713
Obtaining a Client Certificate 713
Importing Certificates 713
In the WebUI 714
In the CLI 714
Viewing Certificate Information 714
Imported Certificate Locations 714
Checking CRLs 715
Certificate Expiration Alert 715
Chained Certificates on the RAP 715

Support for Certificates on USB Flash Drives 716
Marking the USB Device Connected as a Storage Device 716
RAP Configuration Requirements 716
Configuring SNMP 716
SNMP Parameters for the Controller 716
In the WebUI 717
In the CLI 718
Enabling Capacity Alerts 718
In the WebUI 719
In the CLI 719
Examples 719
Configuring Logging 719
In the WebUI 721
In the CLI 721
Enabling Guest Provisioning 721
Configuring the Guest Provisioning Page 722
In the WebUI 722
Configuring the Guest Fields 722
Configuring the Page Design 724
Configuring EmailMessages 725
Configuring the SMTP Server and Port in the WebUI 725
Configuring an SMTP server and port in the CLI 726
Creating Email Messages in the WebUI 726
Configuring a Guest Provisioning User 727
In the WebUI 727
Username and Password Authentication Method 727
Static Authentication Method 727
Smart Card Authentication Method 728
In the CLI 728
Username and Password Method 728
Static Authentication Method 728
Smart Card Authentication Method 728
Customizing the Guest Access Pass 729

Creating Guest Accounts 729
Guest Provisioning User Tasks 730
Importing Multiple Guest Entries 731
Creating Multiple Guest Entries in a CSV File 731
Importing the CSV File into the Database 732
Printing Guest Account Information 734
Optional Configurations 735
Restricting one Captive Portal Session for each Guest 735
Using the CLI to restrict one Captive Portalsession for each guest 735
Setting the Maximum Time for Guest Accounts 735
Using the WebUI to set the maximum time for guest accounts 736
Using the CLI to set the maximum time for guest accounts 736
Managing Files on the Controller 736
Transferring ArubaOS Image Files 737
In the WebUI 737
In the CLI 737
Backing Up and Restoring the Flash File System 737
Backup the Flash File System in the WebUI 737
Backup the Flash File System in the CLI 738
Restore the Flash File System in the WebUI 738
Restore the Flash File System in the CLI 738
Copying Log Files 738
In the WebUI 738
In the CLI 738
Copying Other Files 738
In the WebUI 739
In the CLI 739
Setting the System Clock 739
Manually Setting the Clock 739
In the WebUI 739
In the CLI 739
Clock Synchronization 739
In the WebUI 740

In the CLI 740
Configuring NTP Authentication 740
In the WebUI 740
In the CLI 740
Timestamps in CLI Output 741
ClearPass Profiling with IF-MAP 741
In the WebUI 741
In the CLI 741
Whitelist Synchronization 742
In the WebUI 742
In the CLI 742
Adding Local Controllers 743
Configuring Local Controllers 743
Using the Initial Setup 743
Using the Web UI 743
Using the CLI 744
Configuring Layer-2/Layer-3 Settings 744
Configuring Trusted Ports 744
Configuring Local Controller Settings 744
Configuring APs 745
Using the WebUI to configure the LMS IP 745
Using the CLI to configure the LMS IP 745
Moving to a Multi-Controller Environment 745
Configuring a Preshared Key 746
Using the WebUI to configure a Local Controller PSK 746
Using the WebUI to configure a Master Controller PSK 747
Using the CLI to configure a PSK 747
Master Controller 747
LocalController 747
Configuring a Controller Certificate 747
Using the CLI to configure a Local Controller Certificate 747
Using the CLI to configure the Master Controller Certificate 748

Advanced Security 749
Securing Client Traffic 749
Securing Wireless Clients 750
In the WebUI 750
In the CLI 751
Securing Wired Clients 751
In the WebUI 752
In the CLI 752
Securing Wireless Clients Through Non-Aruba APs 753
In the WebUI 753
In the CLI 754
Securing Clients on an AP Wired Port 754
In the WebUI 754
In the CLI 755
Enabling or Disabling the Spanning Tree Parameter in AP Wired Port Profile 756
Using the WebUI 756
Using the CLI 756
Securing Controller-to-Controller Communication 756
Configuring Controllers for xSec 756
In the WebUI 757
In the CLI 757
Configuring the Odyssey Client on Client Machines 757
Installing the Odyssey Client 757
Voice and Video 764
Voice and Video License Requirements 764
Configuring Voice and Video 764
Setting up Net Services 764
Using Default Net Services 764
Creating Custom Net Services 765
Configuring User Roles 765
Using the Default User Role 765
Creating or Modifying Voice User Roles 766

Using the WebUI to configure user roles 766
Using the CLI to configure a user role 767
Using the User-Derivation Roles 768
Using the WebUI to derive the role based on SSID 768
Using the CLI to derive the role based on SSID 768
Using the WebUI to derive the role based on MAC OUI 768
Using the CLI to derive the role based on MAC OUI 768
Configuring Firewall Settings for Voice and Video ALGs 768
In the WebUI 769
In the CLI 769
Additional Video Configurations 769
Configuring Video over WLAN enhancements 769
Pre-requisites 770
In the CLI 770
In the WebUI 773
Working with QoS for Voice and Video 776
Understanding VoIP Call Admission Control Profile 777
In the WebUI 777
In the CLI 778
Understanding Wi-Fi Multimedia 778
Enabling WMM 779
In the WebUI 779
In the CLI 779
Configuring WMM AC Mapping 779
Using the WebUI to map between WMM AC and DSCP 780
Using the CLI to map between WMM AC and DSCP 781
Configuring DSCP Priorities 781
Configuring Dynamic WMM Queue Management 782
Enhanced Distributed ChannelAccess 782
Using the WebUI to configure EDCA parameters 783
Using the CLI to configure EDCA parameters 784
Enabling WMM Queue Content Enforcement 784
In the WebUI 784

In the CLI 784
Lync Visibility and Granular QoS Prioritization 785
Overview 785
Lync ALG Compatibility Matrix 785
Configuration Prerequisites 785
Configuring Lync ALG 786
Configuring Lync Listening Port 786
Using the WebUI 786
Using the CLI 786
Configuring Lync ALG Status 786
Enabling Lync ALG 786
Disabling Lync ALG 787
Default ACLs for Lync Calls 787
Apply QoS for Lync Traffic 787
Using the WebUI 787
Using the CLI 787
Recommended DSCP Mapping for Lync Traffic in Aruba Controller 788
Disable Media Classification 788
Controller Dashboard Monitoring 789
Viewing Lync ALG Statistics using the CLI 790
Viewing the list of Lync Clients 790
Viewing Call Detail Record for Lync Calls 791
Viewing Call Quality for Lync Calls 792
Viewing Lync Call Trace Buffer 794
Viewing Lync Voice Client Message Statistics 795
Viewing Lync Signaling Message Trace 796
Viewing Lync ALG Statistics using the WebUI 797
Viewing Voice Status 797
Viewing Call Performance Report 797
Viewing Call Density Report 798
Viewing Call Detail Report 798
Viewing Voice Client Call Statistics 798
Viewing Voice Client HandOff Information 798

Viewing Voice Client Troubleshooting Information 798
Troubleshooting Lync ALG Issues 798
Enabling Lync ALG Debug Logs 798
Viewing Lync ALG Debug Logs 798
Important Points on Call Admission Control in Lync ALG 799
Understanding Extended Voice and Video Features 799
Understanding QoS for Microsoft Lync and Apple Facetime 799
Microsoft Lync 799
Apple Facetime 799
Enabling WPA Fast Handover 800
In the WebUI 800
In the CLI 800
Enabling Mobile IP Home Agent Assignment 801
Scanning for VoIP-Aware ARM 801
In the WebUI 801
In the CLI 801
Disabling Voice-Aware 802.1x 801
In the WebUI 801
In the CLI 802
Configuring SIP Authentication Tracking 802
In the WebUI 802
In the CLI 802
Enabling Real Time Call Quality Analysis 802
Important Points to Remember 802
In the Web UI 803
Viewing RealTime CallQuality Reports 803
In the CLI 803
Enabling SIP Session Timer 804
In the WebUI 804
In the CLI 805
Enabling Voice and Video Traffic Awareness for Encrypted Signaling Protocols 805
In the WebUI 805

In the CLI 806
Enabling Wi-Fi Edge Detection and Handover for Voice Clients 806
In the WebUI 807
In the CLI 807
Working with Dial Plan for SIP Calls 807
Understanding Dial Plan Format 807
Configuring Dial Plans 808
In the WebUI 808
In the CLI 810
Enabling Enhanced 911 Support 811
Working with Voice over Remote Access Point 812
Understanding Battery Boost 812
In the WebUI 812
In the CLI 813
Enabling LLDP 813
In the WebUI 813
In the CLI 817
Advanced Voice Troubleshooting 818
Viewing Troubleshooting Details on Voice Client Status 818
In the WebUI 818
In the CLI 818
Viewing Troubleshooting Details on Voice Call CDRs 820
In the WebUI 820
In the CLI 820
Enabling Voice Logs 821
In the WebUI 821
Enabling Logging for a Specific Client 821
In the CLI 821
Viewing Voice Traces 822
In the WebUI 822
In the CLI 822
Viewing Voice Configurations 822

In the CLI 822
AirGroup 824
Zero Configuration Networking 824
AirGroup Solution 824
AirGroup Services 825
The AirGroup Solution Components 825
AirGroup and ClearPass Policy Manager 825
Typical Deployment Models 826
Integrated Deployment Model 826
Overlay Deployment Model 827
Upgrade Instructions 829
AirGroup with ClearPass Policy Manager 829
What's New 830
Multi-Controller AirGroup Cluster 830
Multi-Controller AirGroup Cluster—Terminologies 830
AirGroup Domain 830
AirGroup Cluster 830
Active-Domain 830
Sample AirGroup Cluster Topology 830
Domain Definition 831
Active-Domain Definition 831
AirGroup Controller Communication 831
AirGroup Server Discovery 831
Scalability 832
Master-Local Controller Synchronization 832
Pre-configured AirGroup Services 832
AirGroup Enhancements 833
AirGroup IPv6 Support 833
Limitations 833
Dashboard Monitoring Enhancements 833
ClearPass Policy Manager and ClearPass Guest Features 833
Best Practices and Limitations 833
Firewall Configuration Changes 833

Disable Inter-User Firewall Settings 833
ValidUser ACL Configuration 834
Allow GRE and UDP 5353 834
Recommended Ports 834
Ports for AirPlay Service 834
Ports for AirPrint Service 834
AirGroup Services for Large Deployments 835
Recommendations for Deploying an Overlay Model 835
Limitations of Deploying Overlay Model 835
AirGroup Scalability Limits 835
Memory Utilization 836
CPU Utilization 836
General AirGroup Limitations 837
Integrated Deployment Model 837
Master-Local Controller Synchronization 837
Configuring an AirGroup Integrated Deployment Model 838
Enabling or Disabling AirGroup Global Setting 838
Using the WebUI 838
Using the CLI 839
Viewing AirGroup Global Setting on Controller 839
Using the WebUI 839
Using the CLI 839
Defining an AirGroup Service 840
Using the WebUI 841
Using the CLI 841
Enabling the allowall Service 844
Using the WebUI 844
Using the CLI 844
Enabling or Disabling an AirGroup Service 845
Using the WebUI 845
Using the CLI 845
Viewing AirGroup Service Status 845
Using the WebUI 845

Using the CLI 845
Viewing Blocked Services 845
Using the CLI 845
Viewing AirGroup Service Details 846
Using the WebUI 846
Using the CLI 846
Configuring an AirGroup Domain 846
Using the WebUI 846
Using the CLI 846
Viewing an AirGroup Domain 847
Using the WebUI 847
Using the CLI 847
Configuring an AirGroup active-domain 847
Using the WebUI 847
Using the CLI 848
Viewing an AirGroup active-domains 848
Using the WebUI 848
Using the CLI 848
Viewing AirGroup VLAN Table 848
Using the WebUI: 848
Using the CLI 848
Viewing AirGroup Multi-Controller Table 849
Using the CLI 849
Controller Dashboard Monitoring 850
Overlay Deployment Model 852
Configuring the WLAN Controller 853
Configuring the AirGroup Controller 854
Configuring the AirGroup-CPPM Interface 854
Configuring CPPM Query Interval 854
Using the WebUI 854
Using the CLI 855
Viewing CPPM Query Interval 855
Using the WebUI 855
Using the CLI 855

Defining CPPM and RFC3576 Server 855
Configuring a CPPM Server 856
Using the WebUI 857
Using the CLI 857
Configuring the CPPM Server Group 857
Using the WebUI 857
Using the CLI 857
Configuring an RFC 3576 Server 857
Using the WebUI 857
Using the CLI 858
Assigning CPPM and RFC 3576 Servers to AirGroup 858
Using the WebUI 858
Using the CLI 858
Viewing the CPPM Server Configuration 859
Using the WebUI 859
Using the CLI 859
Verifying CPPM Device Registration 859
Configuring CPPM to Enforce Registration 860
Using the WebUI 860
Using the CLI 861
Troubleshooting and Log Messages 861
Controller Troubleshooting Steps 861
ClearPass Guest Troubleshooting Steps 862
ClearPass Policy Manager Troubleshooting Steps 862
Log Messages 862
Show Commands 863
Viewing AirGroup mDNS Cache 863
Viewing AirGroup mDNS Statistics 863
Viewing AirGroup VLANs 864
Viewing AirGroup Servers 865
Viewing AirGroup Users 866
Viewing Service Queries Blocked by AirGroup 867

Viewing Blocked Services 868
AirGroup Global Tokens 868
Instant AP VPN Support 870
Overview 870
Improved DHCP Pool Management 870
Termination of Instant AP VPN Tunnels 870
Termination of IAP GRE Tunnels 870
L2/L3 Network Mode Support 871
Instant AP VPN Scalability Limits 871
Instant AP VPN OSPF Scaling 871
VPN Configuration 873
Whitelist DB Configuration 873
Controller Whitelist DB 873
External Whitelist DB 873
VPN Local Pool Configuration 873
Role Assignment for the Authenticated IAPs 874
VPN Profile Configuration 874
Viewing Branch Status 874
Example 874
600 Series Controllers 876
Understanding 600 Series Best Practices and Exceptions 876
Connecting with a USB Cellular Modems 876
How it Works 877
Switching Modes 877
Finding USB Modem Commands 877
Uplink Manager 878
Cellular Profile 878
Dialer Group 879
Configuring a Supported USB Modem 880
Configuring a New USB Modem 881
Configuring the Profile and Modem Driver 882
Configuring the TTY Port 882

Testing the TTY Port 883
Selecting the Dialer Profile 884
Linux Support 885
Setting Up NAS (Network-Attached Storage) Devices 885
NAS Device Setup 885
Configuring in the CLI 885
Managing NAS Devices 886
Mounting and Unmounting Devices 887
Connecting to a Print Server 887
Printer Setup Using the CLI 887
Additional Commands for Managing Printers 888
600 Series Sample Topology and Configuration 888
Remote Branch 1—650 Controller 889
Remote Branch 2—650 Controller 890
3200XM Central Office Controller—Active 891
3200XM Central Office Controller—Backup 892
Upgrading and Migrating 894
External Services Interface 895
Sample ESI Topology 895
Understanding the ESI Syslog Parser 897
ESI Parser Domains 897
Peer Controllers 898
Syslog Parser Rules 899
Condition Pattern Matching 899
User Pattern Matching 899
Configuring ESI 899
Configuring Health-Check Method, Groups, and Servers 900
In the WebUI 900
In the CLI 901
Defining the ESI Server 901
In the WebUI 901
In the CLI 901

Defining the ESI Server Group 902
In the WebUI 902
In the CLI 902
Redirection Policies and User Role 902
In the WebUI 902
In the CLI 903
ESI Syslog Parser Domains and Rules 903
Managing Syslog Parser Domains in the WebUI 903
Adding a new syslog parser domain 903
Deleting an existing syslog parser domain 904
Editing an existing syslog parser domain 904
Managing Syslog Parser Domains in the CLI 904
Adding a new syslog parser domain 904
Showing ESI syslog parser domain information 904
Deleting an existing syslog parser domain 904
Editing an existing syslog parser domain 904
Managing Syslog Parser Rules 905
In the WebUI 905
Adding a new parser rule 905
Deleting a syslog parser rule 905
Editing an existing syslog parser rule 906
Testing a Parser Rule 906
In the CLI 906
Adding a new parser rule 906
Showing ESI syslog parser rule information: 907
Deleting a syslog parser rule: 907
Editing an existing syslog parser rule 907
Testing a parser rule 907
Monitoring Syslog Parser Statistics 907
In the WebUI 907
In the CLI 907
Sample Route-mode ESI Topology 907

ESI server configuration on controller 908
IP routing configuration on Fortinet gateway 908
Configuring the Example Routed ESI Topology 908
Health-Check Method, Groups, and Servers 909
Defining the Ping Health-Check Method 909
In the WebUI 909
In the CLI 909
Defining the ESI Server 909
In the WebUI 909
In the CLI 910
Defining the ESI Server Group 910
In the WebUI 910
In the CLI 910
Redirection Policies and User Role 911
In the WebUI 911
In the CLI 911
Syslog Parser Domain and Rules 912
Add a New Syslog Parser Domain in the WebUI 912
Adding a New Parser Rule in the WebUI 912
In the CLI 913
Sample NAT-mode ESI Topology 913
ESI server configuration on the controller 914
Configuring the Example NAT-mode ESI Topology 915
Configuring the NAT-mode ESI Example in the WebUI 915
In the WebUI 915
Configuring the ESI Group in the WebUI 915
Configure the ESI Servers in the WebUI 916
Configuring the Redirection Filter in the WebUI 916
Configuring the Example NAT-mode Topology in the CLI 916
Configuring a Health-Check Ping 916
Configuring ESI Servers 917
Configure an ESI Group, Add the Health-Check Ping and ESI Servers 917

Using the ESI Group in a Session Access Control List 917
CLI Configuration Example 1 917
CLI Configuration Example 2 918
Understanding Basic Regular Expression (BRE) Syntax 918
Character-Matching Operators 918
Regular Expression Repetition Operators 919
Regular Expression Anchors 919
References 920
External User Management 921
Overview 921
Before you Begin 921
Working with the ArubaOS XML API Works 921
Creating an XML Request 921
Adding a User 922
Deleting a User 922
Authenticating a User 922
Blacklisting a User 923
Querying for User Status 923
XML Response 923
Default Response Format 923
Response Codes 924
Query Command Response Format 925
Using the XML API Server 926
Configuring the XML API Server 926
Associating the XML API Server to a AAA profile 927
Set up Captive Portal profile 928
Associating the Captive Portal Profile to an Initial Role 929
Creating an XML API Request 929
Monitoring External Captive Portal Usage Statistics 930
Sample Code 931
Using XML API in C Language 931
Understanding Request and Response 934

Understanding XML API Request Parameters 934
Understanding XMl API Response 935
Adding a Client 935
Response from the controller 936
View the updated details of the client on the controller 936
Deleting a Client 936
Authenticating a Client 937
Status of the client before authentication 937
Sending the authentication command 937
Status of the client after authentication 938
Querying for Client Details 938
Blacklisting a Client 939
Behavior and Defaults 941
Understanding Mode Support 941
Understanding Basic System Defaults 942
Network Services 942
Policies 944
Validuser and Logon-control ACLs 947
Roles 947
Understanding Default Management User Roles 949
Understanding Default Open Ports 953
DHCP with Vendor-Specific Options 956
Configuring a Windows-Based DHCP Server 956
Configuring Option 60 956
To configure option 60 on the Windows DHCP server 956
To configure option 43 on the Windows DHCP server: 957
Enabling DHCP Relay Agent Information Option (Option 82) 959

In the WebUI 959
In the CLI 959
Enabling Linux DHCP Servers 960
802.1X Configuration for IAS and Windows Clients 961
Configuring Microsoft IAS 961
RADIUS Client Configuration 961
Remote Access Policies 962
Active Directory Database 962
Configuring Policies 963
Configuring RADIUS Attributes 965
Configuring Management Authentication using IAS 967
Creating a Remote Policy 968
Defining Properties for Remote Policy 968
Creating a User Entry in Windows Active Directory 968
Configure the Controller to use IAS Management Authentication 969
Verify Communication between the Controller and the RADIUS Server 970
Window XP Wireless Client Sample Configuration 970
Acronyms and Terms 977
Acronyms 977
Terms 983

ArubaOS 6.3 | User Guide About this Guide | 69
About this Guide
This User Guide describes the features supported by ArubaOS 6.3 and provides instructions and examples for
configuring controllers and Access Points (APs). This guide is intended for system administrators responsible for
configuring and maintaining wireless networks and assumes you are knowledgeable in Layer 2 and Layer 3
networking technologies.
This chapter covers the following topics:
l What’s New In ArubaOS 6.3 on page 69
l Fundamentals on page 73
l Related Documents on page 74
l Conventions on page 74
l Related Documents on page 74
What’s New In ArubaOS 6.3
The following features have been added in the ArubaOS 6.3.0.0 release:
Feature Description
802.11ac Support With the introduction of the AP-220 Series, Aruba now supports 802.11ac.
See Provisioning Installed APs and RF Management for configuration inform-
ation.
AirGroup AirGroup is a unique enterprise-class capability that leverages zero
configuration networking to allow mobile device technologies, such as the
AirPrint™ wireless printer service and the AirPlay™ mirroring service, to
communicate over a complex access network topology.
Centralized Licensing Centralized licensing simplifies licensing management by distributing
licenses installed on one controller to other controllers on the network. One
controller to act as a centralized license database for all other controllers
connected to it, allowing all controllers to share a pool of unused licenses.
The primary and backup licensing server can share single set of licenses,
eliminating the need for a redundant license set on the backup server. Local
licensing client controllers maintain information sent from the licensing
server even if licensing client controller and licensing server controller can
no longer communicate.
AP Image Preload The AP image preload feature minimizes the downtime required for a
controller upgrade by allowing the APs associated to that controller to
download the new images before the controller actually starts running the
new version.
Table 1: New Features in ArubaOS 6.3

70 | About this Guide ArubaOS 6.3| User Guide
Feature Description
High Availability:Fast Failover This WLAN redundancy solution allows a campus AP to rapidly fail over from
a active to a standby controller without needing to rebootstrap, and
significantly reduces network downtime and client traffic disruption during
network upgrades or unexpected failures. APs using the High Availability:
Fast Failover feature regularly communicate with the standby controller, so
the standby controller has only a light workload to process if an AP failover
occurs. This results in very rapid failover times, and a shorter client
reconnect period.
WebUI over SSL Enhancement Both HTTPS ports 4343 and 443 are supported. If port 4343 is used it
redirects to port 443. If port 443 is used it continues to connect using this
port.
Delegated Trust Model for
OCSP
Both the Delegated Trust Model and the Direct Trust Model are now
supported to verify digitally signed OCSP responses.
Certificate Expiration Alert Sends alerts when installed certificates, which correspond to trust chains,
OCSP responder certificates, and any other certificates installed on the
device.
Support for Certificates on USB
Flash Drives
Supports the USB storing of the RAP certificate. This ensures that the RAP
certificate is activated only when the USB with the corresponding certificate
is connected to the RAP.
Custom Certificate Support for
RAP ECDSA certificates for security, this feature allows you to upload custom
RSA and ECDSA certificates to a RAP. This allows custom certificates to be
used for IKEv2 negotiation which establishes a tunnel between the RAP and
the controller.
Timestamps in CLI Output The timestamp feature can include a timestamp in the output of each show
command issued in the command-line interface, indicating the date and time
the command was issued.
RAP 3G/4G Backhaul Link Qual-
ity Monitoring
The RAP is enhanced to support link monitoring on 2G, 3G, and 4G modems
to provide information about the state of USB modem and cellular network.
VLAN derivation from Named
VLAN Pools
Named VLANs (single VLAN IDs or VLAN pools) can only be assigned to
tunnel mode VAP’s and wired profiles. They can also be assigned to user
roles, user rule derivation, server derivation, and VSA for tunnel and bridge
mode.
RADIUS Override of User-
Derived Roles
A RADIUS vendor specific attribute (VSA) named “Aruba-No-DHCP-Finger-
print,” value 14. This attribute signals the RADIUS Client (controller) to
ignore the DHCP Fingerprint user role and VLAN change post L2 authen-
tication. This applies to both CAP and RAP in tunnel mode and for the L2
authenticated role only.
ClearPass Profiling with IF-MAP This feature is used in conjunction with ClearPass Policy Manager. It sends
HTTP User Agent Strings and mDNS broadcast information to ClearPass so
that it can make more accurate decisions about what types of devices are
connecting to the network.
Spanning Tree Support on APs
and Multi-Port Remote APs
The mobility controller is enhanced to support Spanning Tree Protocol (STP)
on APs and multi-port Remote Access Points.This feature is an enhance-
ment to the existing STP and supports APs with 3 or more ports. Now, you

Feature Description
can enable or disable STP on ap-system profile and ap-wired port profile.
SSID Airtime Bandwidth Alloc-
ation Limit
Starting with ArubaOS 6.3, administrator can set a hard limit on Over the Air
(OTA) bandwidth for a specific Service Set Identifier (SSID). Currently, the
bandwidth allocation process is activated, when the bandwidth is completely
saturated. The new enhancement allows you to limit an SSID to consume
more bandwidth, when some unused bandwidth is available from other
SSIDs. You can limit the bandwidth allocation to low priority SSIDs and allot
the bandwidth to other high priority SSIDs.
Volume-Based SA Lifetime for
IPsec
The IPsec security association (SA) lifetime is now supported in both
seconds and kilobytes. Previously, only the seconds parameter was sup-
ported.
Diffie-Hellman Group 14 support
for the IKE Policy
Diffie-Hellman Group 14 for the IKE policy is supported. This is the 2048-bit
random prime modulus group. Diffie-Hellman is a specific method of exchan-
ging cryptographic keys that allows two parties that have no prior knowledge
of each other to jointly establish a shared secret key over an insecure com-
munications channel.
Enhanced MultiMode Modem
Provisioning
This release introduces a new method of provisioning a multimode USB
modem (such as a Verizon UML290) for a remote AP. These changes sim-
plify modem provisioning for both 3G and 4G networks
Improved DHCP Pool Man-
agement for Instant AP VPN
Instant AP (IAP) allows you to configure the DHCP address assignment for
the branches connected to the corporate network through VPN. In distributed
DHCP mode, ArubaOS 6.3 allows designated blocks of IP addresses for
static IP users by excluding them from the DHCP scope. In addition, it allows
creation of scope of any required size, thereby enabling more efficient
utilization of IP address across branches.
MSCHAPv2 authentication sup-
port for VIA
This release introduces a new protocol support MSCHAPv2 for authen-
ticating VIA users. In previous releases, only PAP protocol was used to
authenticate VIA users. In this release, the backend server can either use
PAP or MSCHAPv2 for RADIUS authentication, depending on the con-
figuration provided in the auth-profile for VIA.
Lync Visibility and Granular QoS
Prioritization
This release of ArubaOS provides a seamless user experience for Microsoft
Lync users using voice or video calls, desktop sharing, and file transfer in a
wireless environment.
Support for 802.11r Standard This release of ArubaOS provides support for Fast BSS Transition as part of
the 802.11r implementation. Fast BSS Transition mechanism minimizes the
delay when a voice client transitions from one BSS to another within the
same ESS.
IPv6 L3 Mobility This release of ArubaOS provides support for IPv6 L3 Mobility functionality.
The existing L3 mobility solution has been enhanced to support dual
stacked (IPv4 and IPv6) and pure IPv6 mobile clients. The IPv6 L3 mobility
allows the wireless clients to retain their IPv4 or IPv6 addresses across dif-
ferent VLANs within a controller and between different controllers. In the pre-
vious release, the Aruba Mobility Controllers supported the L3 mobility only
for single stacked IPv4 clients.
802.11v Support ArubaOS provides support for BSS Transition Management which is part of

Feature Description
the 802.11v implementation. BSS Transition Management enables an AP to
request a voice client to transition to a specific AP, or suggest a set of pre-
ferred APs to a voice client, due to network load balancing or BSS ter-
mination. This helps the voice client to choose an AP for transition that
provides the best service as it roams.
Jumbo Frame Support Jumbo frame functionality is enabled on ArubaOS 7200 Series controllers to
support up to 9216 bytes of payload. Jumbo frames are larger than the stand-
ard Ethernet frame size of 1518 bytes, which includes the Layer 2 header
and Frame Check Sequence (FCS).
Instant AP VPN OSPF Scaling This release of ArubaOS provides support for each IAP VPN to define a sep-
arate subnet derived from corporate intranet pool to allow IAP VPN devices
to work independently.
DHCPv6 Server DHCPv6 server enables network administrators to configure
stateful/stateless options and manage dynamic IPv6 users connecting to a
network.
Channel Quality Aware ARM Channel Quality Aware enables ARM to select channels for the APs based
on the channel quality. When the channel quality of an AP goes down and
remains below the threshold value for a specified wait time, the ARM moves
the AP to a better channel.
RADIUS over IPv6 ArubaOS provides support for RADIUS authentication server over IPv6. You
can configure an IPv6 host or specify an FQDN that can resolve to an IPv6
address for RADIUS authentication.
TACACS over IPv6 ArubaOS provides support for TACACS authentication server over IPv6. You
can configure the global IPv6 address as the host for TACACS
authentication.
Instant AP VPN Scalability Lim-
its
ArubaOS provides enhancements to the scalability limits for the IAP VPN
branches terminating on the controller.
Firewall Reject Source Routing Permits the firewall to reject and log packets with the specified IP options
loose source routing, strict source routing, and record route.
Default Firewall Ruleset New default firewall rules have been added to both the validuser and logon-
control ACLs. To prevent malicious users from ip spoofing source addresses
the default firewall rule in the validuser ACL causes the packet to be
dropped.
GRE Tunnel Redundancy ArubaOS provides redundancy for L3 generic routing encapsulation (GRE)
tunnels. This feature enables automatic redirection of the user traffic to a
standby tunnel when the primary tunnel goes down.
RADIUS Accounting Support for
RAP’s Bridge-Mode VAP
This release of ArubaOS supports RADIUS accounting for bridge mode.
Profile Based User Idle Timeout This release of ArubaOS provides support for configuring the user idle time
out value for authentication profiles apart from the global configuration under
the AAA timers. This option is added for the following profiles:
l aaa profile <profile>
l aaa authentication captive-portal <profile>
l aaa authentication vpn default
l aaa authentication via connection-profile <profile>

Feature Description
AP-220 Series The new AP-220 Series of access points support 802.11ac on the 5GHz
band using 80 MHz channels. The following new features and con-
figuration parameters have been introduced to support configuration of
Very High Throughput (VHT) settings.
RAP-155/ RAP-155P The RAP-155 and RAP-155P are dual-radio, dual-band wireless access
points (AP) that offer wired and wireless network access, zero-touch pro-
visioning, identity-based access control, policy based forwarding, air mon-
itoring, and wireless intrusion protection across the 2.4 GHz and 5 GHz
(802.11a/b/g and 802.11n) bands.
The RAP-155 and RAP-155P ship with the Aruba Instant software. There-
fore, out of the box, the RAP-155 and RAP-155P operate as a Virtual Con-
troller (VC) or an Instant AP. However, the RAP-155 and RAP-155P can be
converted to operate as a Remote AP (RAP).
Table 2: New Hardware Platforms introduced with ArubaOS 6.3
Fundamentals
Configure your controller and AP using either the Web User Interface (WebUI) or the command line interface (CLI).
WebUI
Each controller supports up to 320 simultaneous WebUI connections. The WebUI is accessible through a standard
Web browser from a remote management console or workstation. The WebUI includes configuration wizards that
step you through easy-to-follow configuration tasks. The wizards are:
l AP Wizard—basic AP configuration
l Controller Wizard—basic controller configuration
l LAN Wizard—creating and configuring new WLAN(s) associated with the “default” ap-group
l License Wizard—installation and activation of software licenses
l AirWave Wizard —Controllers running ArubaOS 6.3 and later can use the AirWave wizard to quickly and easily
connect the controller to an AirWave server.
In addition to the wizards, the WebUI includes a Dashboard monitoring feature that provides enhanced visibility into
your wireless network’s performance and usage. This allows you to easily locate and diagnose WLAN issues. For
details on the WebUI Dashboard, see Dashboard Monitoring.
CLI
The CLI is a text-based interface accessible from a local console connected to the serial port on the controller or
through a Telnet or Secure Shell (SSH) session.
By default, you access the CLI from the serial port or from an SSH session. You must explicitly enable Telnet on your
controller in order to access the CLI via a Telnet session.
When entering commands remember that:
l commands are not case sensitive
l the space bar will complete your partial keyword
l the backspace key will erase your entry one letter at a time
l the question mark ( ? ) will list available commands and options

Related Documents
The following guides are part of the complete documentation for the Aruba user-centric network:
l Aruba Controller Installation Guides
l Aruba Access Point Installation Guides
l ArubaOS Quick Start Guide
l ArubaOS User Guide
l ArubaOS Command Line Reference Guide
l ArubaOS MIB Reference Guide
l ArubaOS Release Notes
Conventions
The following conventions are used throughout this document to emphasize important concepts:
Type Style Description
Italics This style is used to emphasize important terms and to mark the titles of books.
System items This fixed-width font depicts the following:
l Sample screen output
l System prompts
l Filenames, software devices, and specific commands when mentioned in the text
Commands In the command examples, this bold font depicts text that you must type exactly as shown.
<Arguments> In the command examples, italicized text within angle brackets represents items that you
should replace with information appropriate to your specific situation. For example:
# send <text message>
In this example, you would type “send” at the system prompt exactly as shown, followed by
the text of the message you wish to send. Do not type the angle brackets.
[Optional] Command examples enclosed in brackets are optional. Do not type the brackets.
{Item A |
Item B}
In the command examples, items within curled braces and separated by a vertical bar
represent the available choices. Enter only one choice. Do not type the braces or bars.
Table 3: Typographical Conventions
The following informational icons are used throughout this guide:
Indicates helpful suggestions, pertinent information, and important things to remember.
Indicates a risk of damage to your hardware or loss of data.
Indicates a risk of personal injury or death.

Contacting Aruba Networks
Website Support
Main Site http://www.arubanetworks.com
Support Site https://support.arubanetworks.com
Airheads Social Forums and Knowledge
Base
http://community.arubanetworks.com
North American Telephone 1-800-943-4526 (Toll Free)
1-408-754-1200
International Telephone http://www.arubanetworks.com/support-services/aruba-support-
program/contact-support/
Support Email Addresses
Americas and APAC support@arubanetworks.com
EMEA emea_support@arubanetworks.com
Wireless Security Incident Response
Team (WSIRT)
.
wsirt@arubanetworks.com
Table 4: Contact Information

ArubaOS 6.3 | User Guide The Basic User-Centric Networks | 76
Chapter 1
The Basic User-Centric Networks
This chapter describes how to connect an Aruba controller and Aruba AP to your wired network. After completing the
tasks described in this chapter, see Access Points (APs) on page 439 for information on configuring APs.
This chapter describes the following topics:
l Configuring Your User-Centric Network on page 87
l Understanding Basic Deployment and Configuration Tasks on page 76
l Configuring the Controller on page 79
l Configuring a VLAN to Connect to the Network on page 83
l Enabling Wireless Connectivity on page 87
Understanding Basic Deployment and Configuration Tasks
This section describes typical deployment scenarios and the tasks you must perform while connecting to a Aruba
controller and Aruba AP to your wired network. For details on performing the tasks mentioned in these scenarios,
refer to the other procedures within the Basic User-Centric Networks section of this document.
Deployment Scenario #1: Controller and APs on Same Subnet
Figure 1 Controller and APs on Same Subnet
In this deployment scenario, the APs and controller are on the same subnetwork and will use IP addresses assigned
to the subnetwork. The router is the default gateway for the controller and clients.There are no routers between the
APs and the controller. APs can be physically connected directly to the controller. The uplink port on the controller is
connected to a layer-2 switch or router.
For this scenario, you must perform the following tasks:
1. Run the initial setup wizard.
l Set the IP address of VLAN 1.
l Set the default gateway to the IP address of the interface of the upstream router to which you will connect the
controller.
2. Connect the uplink port on the controller to the switch or router interface. By default, all ports on the controller are
access ports and will carry traffic for a single VLAN.
3. Deploy APs. The APs will use the Aruba Discovery Protocol (ADP) to locate the controller.
4. Configure the SSID(s) with VLAN 1 as the assigned VLAN for all users.

77 | The Basic User-Centric Networks ArubaOS 6.3| User Guide
Deployment Scenario #2: APs All on One Subnet Different from Controller Subnet
Figure 2 APs All on One Subnet Different from Controller Subnets
In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on multiple
subnetworks. The controller acts as a router for the wireless subnetworks (the controller is the default gateway for
the wireless clients). The uplink port on the controller is connected to a layer-2 switch or router; this port is an access
port in VLAN 1.
1. Run the initial setup wizard.
l Set the IP address for VLAN 1.
l Set the default gateway to the IP address of the interface of the upstream router to which you will connect the
controller.
2. Connect the uplink port on the controller to the switch or router interface.
3. Deploy APs. The APs will use DNS or DHCP to locate the controller.

4. Configure VLANs for the wireless subnetworks on the controller.
5. Configure SSIDs with the VLANs assigned for each wireless subnetwork.
Each wireless client VLAN must be configured on the controller with an IP address. On the uplink switch or router, you
must configure static routes for each client VLAN, with the controller’s VLAN 1 IP address as the next hop.
Deployment Scenario #3: APs on Multiple Different Subnets from Controllers
Figure 3 APs on Multiple Different Subnets from Controllers
In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on multiple
subnetworks. There are routers between the APs and the controller. The controller is connected to a layer-2 switch or
router through a trunk port that carries traffic for all wireless client VLANs. An upstream router functions as the
default gateway for the wireless users.

79 | The Basic User-Centric Networks ArubaOS 6.3| User Guide
This deployment scenario does not use VLAN 1 to connect to the layer-2 switch or router through the trunk port. The
initial setup prompts you for the IP address and default gateway for VLAN 1; use the default values. In later steps, you
configure the appropriate VLAN to connect to the switch or router as well as the default gateway.
1. Run the initial setup.
l Use the default IP address for VLAN 1. Since VLAN 1 is not used to connect to the layer-2 switch or router
through the trunk port, you must configure the appropriate VLAN in a later step.
l Do not specify a default gateway (use the default “none”). In a later step, you configure the default gateway.
2. Create a VLAN that has the same VLAN ID as the VLAN on the switch or router to which you will connect the
controller. Add the uplink port on the controller to this VLAN and configure the port as a trunk port.
3. Add client VLANs to the trunk port.
4. Configure the default gateway on the controller. This gateway is the IP address of the router to which you will
connect the controller.
5. Configure the loopback interface for the controller.
6. Connect the uplink port on the controller to the switch or router interface.
7. Deploy APs. The APs will use DNS or DHCP to locate the controller.
8. Now configure VLANs on the controller for the wireless client subnetworks and configure SSIDs with the VLANs
assigned for each wireless subnetwork.
Configuring the Controller
The tasks in deploying a basic user-centric network fall into two main areas:
l Configuring and connecting the controller to the wired network (described in this section)
l Deploying APs (described later in this section)
To connect the controller to the wired network:
1. Run the initial setup to configure administrative information for the controller.
Initial setup can be done using the browser-based Setup Wizard or by accessing the initial setup dialog via a
serial port connection. Both methods are described in the ArubaOS Quick Start Guide and are referred to
throughout this chapteras “initial setup.”
2. (Deployment #3) Configure a VLAN to connect the controller to your network. You do not need to perform this
step if you are using VLAN 1 to connect the controller to the wired network.
3. (Optional) Configure a loopback address for the controller. You do not need to perform this step if you are using
the VLAN 1 IP address as the controller’s IP address. Disable spanning tree on the controller if necessary.
4. Configure the system clock.
5. (Optional) Install licenses; refer to Software Licenses on page 110.
6. Connect the ports on the controller to your network.
This section describes the steps in detail.
Running Initial Setup
When you connect to the controller for the first time using either a serial console or a Web browser, the initial setup
requires you to set the role (master or local) for the controller and passwords for administrator and configuration
access.

Do not connect the controller to your network when running the initial setup. The factory-default controller boots up with
a default IP address and both DHCP server and spanning tree functions are not enabled. Once you have completed the
initial setup, you can use either the CLI or WebUI for further configuration before connecting the controller to your
network.
The initial setup might require that you specify the country code for the country in which the controller will operate;
this sets the regulatory domain for the radio frequencies that the APs use.
You cannot change the country code for controllers designated for certain countries, such as the U.S. Improper country
code assignment can disrupt wireless transmissions. Many countries impose penalties and sanctions for operators of
wireless networks with devices set to improper country codes. If none of the channels supported by the AP you are
provisioning have received regulatory approval by the country whose country code you selected, the AP will revert to Air
Monitor mode.
The initial setup requires that you configure an IP address for the VLAN 1 interface, which you can use to access and
configure the controller remotely via an SSH or WebUI session. Configuring an IP address for the VLAN 1 interface
ensures that there is an IP address and default gateway assigned to the controller upon completion of the initial
setup.
Connecting to the Controller after Initial Setup
After you complete the initial setup, the controller reboots using the new configuration. (See the ArubaOS Quick Start
Guide for information about using the initial setup.) You can then connect to and configure the controller in several
ways using the administrator password you entered during the initial setup:
l You can continue to use the connection to the serial port on the controller to enter the command line interface
(CLI). (Refer to Management Access on page 694 for information on how to access the CLI and enter
configuration commands.)
l You can connect an Ethernet cable from a PC to an Ethernet port on the controller. You can then use one of the
following access methods:
n Use the VLAN 1 IP address to start an SSH session where you can enter CLI commands.
n Enter the VLAN 1 IP address in a browser window to start the WebUI.
n WebUi Wizards.
This chapter and the user guide in general focus on CLI and standard WebUI configuration examples. However, basic
controller configuration and WLAN/LAN creation can be completed using the alternative wizards from within the WebUI. If
you wish to use a configuration wizard, navigate to Configuration > Wizards, click on the desired wizard, and follow the
imbedded help instructions within the wizard.
Aruba7200 Series Controller
The Aruba7200 Series controller is a new controller platform that was introduced in conjunction with ArubaOS 6.2.
This controller provides new functionality and improved capabilities over previous Aruba controllers. However, the
7200 Series also introduces some changes that you must keep in mind when adding it to your network.
New Port Numbering Scheme
The 7200 Series uses a different port numbering scheme from previous controllers. All other controller platforms use
a slot/port numbering scheme. The 7200 uses slot/module/port instead.

Aruba OS 6.3 User Guide

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (10)

Similar to Aruba OS 6.3 User Guide

Similar to Aruba OS 6.3 User Guide (20)

More from Aruba, a Hewlett Packard Enterprise company

More from Aruba, a Hewlett Packard Enterprise company (20)

Recently uploaded

Recently uploaded (20)

Aruba OS 6.3 User Guide