ARUBA Wireless Network Training Slides (ARUBA无线网络培训课件.ppt)

Uploaded by: 晟晟文业  Document ID: 5197172  Uploaded: 2023-02-16  Format: PPT  Pages: 58  Size: 6.31 MB

Description

ARUBA Wireless Network Training
People move. Networks must follow.
CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved

Company profile
- Market position: the global leader in secure wireless networking
- The world's only publicly listed company dedicated to WLAN
- Ranked #1 among Silicon Valley technology companies
- Customers worldwide: 6500+

Market positioning of Aruba products (axes: connectivity, security, mobility)
- Converged mobile applications: QoS, roaming, handovers, location, RFID
- Secure access: authentication, encryption, intrusion prevention
- Mobile device management: security, battery life, device management
- Wireless LAN coverage: RF management, rogue AP detection
- User tiers: employees, contractors, guests

Aruba's user-centric network
- Follow-Me Connectivity (adaptive WLAN): high-performance wireless campus network; plug-and-play remote access points; branch-office networks of any size; secure enterprise wireless mesh; RFprotect wireless intrusion prevention
- Follow-Me Security (identity-based security): Who, What, Where, When, How?; role-based security policy; layered network security features; integrated network access control; secure guest access
- Follow-Me Applications (application-layer quality assurance): uninterrupted voice calls; persistent data sessions; application-aware QoS; location-based applications; video optimisation
- Follow-Me Management (unified user-network management): multi-vendor device management; per-user management and reporting; visual wireless heat maps; rogue AP identification and location; expert fault-diagnosis system

Self-optimising: an intelligent network that needs no manual intervention
Adaptive Radio Management (ARM)
- Continuously optimises the WLAN based on the available spectrum
- Scans and monitors the spectrum in real time
- Automatically selects the best channel and power level, reducing contention and interference, and automatically covers the hole when an AP fails
- Load balancing based on users and traffic
- Band steering for dual-band clients
- Fair access for fast and slow clients
1. Load-aware RF scanning (figure: physical location, time, available channels)
Challenge: a dynamic RF environment. Within a desired coverage area the usable channels are not fixed; they depend on the interference present, user density, traffic load and so on. (Figure locations: lobby, study room, meeting room, office / desks.)

Easy to scale: extend the wireless network anywhere, anytime
(Figure: branch / office, headquarters, Internet service, guest Internet access, DMZ, INTERNET, GUEST, CORP, VOICE, DSL router, GUEST VLAN.)
- Split tunnel: a split tunnel carries Internet-bound traffic
- User-centric built-in firewall / NAT
- The industry's most powerful wireless controller: fan tray, up to 4 M3 Mark I, redundant PSUs, 40 x 1000Base-X (SFP), 8 x 10GBase-X (XFP); a single unit supports 80G wire-speed forwarding and manages 2048 wireless APs
- Extend from indoors to outdoors, and out to the wider Internet

Identity-based access control and bandwidth management
User entitlement management: Who (user authentication) + What (authentication method) + When (access time) + Where (access location) + How (client device)

Per-user wireless stateful firewall
- A single physical network infrastructure
- Users can be grouped arbitrarily
- Different L2-L7 policy controls per group or per user
- Different upstream/downstream bandwidth allocation per user
- Different QoS levels per user
Aruba's firewall can detect ICMP, TCP SYN, IP session, IP spoofing, RST relay, ARP and other potential network attacks, automatically blacklists the attacker and disconnects its wireless connection.
(Figure: Virtual AP 2, SSID: VOICE; standard, free, voice and VIP customers; router, web portal, mobility controller, access point, AAA infrastructure; VIP gets its own rights, QoS and policy; entry-level customers; same or different VLANs.)

Aruba wireless network architecture
(Figure: email server, DHCP server, 10/100 Mbps, L2/3 network.) Communication process:
1. The AP is connected to a switch port on the existing network; after power-up it obtains an IP address.
2. The AP learns the controller's loopback IP address by one of several methods (static configuration, DHCP option, DNS resolution, multicast, broadcast).
3. The AP and the controller establish a PAPI tunnel (UDP 8211); the AP compares its image and configuration against the controller and downloads them over FTP or TFTP, then uses the configuration to build a GRE tunnel to the controller and begins serving wireless users.
4. Wireless users connect via an SSID; all user traffic is carried through the AP-to-controller GRE tunnel straight to the controller, where encryption/decryption, authentication, authorisation, policy enforcement and forwarding take place.

Configuring the Aruba wireless controller
- Administrator login (admin/saic_admin): CLI, Web; management accounts
- Network configuration: VLAN, IP address, IP route, IP DHCP
- Security configuration: Policy, Role, AAA
- Wireless configuration: SSID, Virtual AP

Logging in to the Aruba wireless controller
Command line:
    User: admin
    Password: *
    (Aruba800) >en
    Password: *
    (Aruba800) #configure t
    Enter Configuration commands, one per line. End with CNTL/Z
Web UI: https:/
Admin account management (#mgmt-user):
    (Aruba800) (config) #mgmt-user admin root
    Password: *
    Re-Type password: *
    (Aruba800) (config) #

Network configuration of the Aruba wireless controller
Configure a VLAN:
    (Aruba800) (config) #vlan 200
    (Aruba800) (config) #interface fastethernet 1/0
Access mode:
    (Aruba800) (config-if) #switchport access vlan 200
    (Aruba800) (config-if) #switchport mode access
Trunk mode:
    (Aruba800) (config-if) #switchport trunk allowed vlan all
    (Aruba800) (config-if) #switchport mode trunk
    (Aruba800) (config-if) #show vlan
    VLAN CONFIGURATION
    ------------------
    VLAN  Name      Ports
    ----  ----      -----
    1     Default   FE1/1-7
    100   VLAN0100  GE1/8
    200   VLAN0200  FE1/0
Configure an IP address:
    (Aruba800) (config) #interface vlan 200
    (Aruba800) (config-subif) #ip address 192.168.202.254 255.255.255.0    (VLAN interface)
    (Aruba800) (config-subif) #ip helper-address 10.10.10.1                (DHCP relay)
Configure IP routes. Default route:
    (Aruba800) (config) #ip default-gateway 192.168.1.1
Static route:
    (Aruba800) (config) #ip route 10.10.10.0 255.255.255.0 172.16.0.1
    (Aruba800) (config) #show ip route
    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default
    Gateway of last resort is 192.168.1.1 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 192.168.1.1*
    S     10.10.10.0/24 [1/0] via 172.16.0.1*
    C     172.16.0.0 is directly connected, VLAN1
    C     192.168.1.0 is directly connected, VLAN100
    C     192.168.202.0 is directly connected, VLAN200
Configure the DHCP server:
    (Aruba800) (config) #ip dhcp pool user_pool
    (Aruba800) (config-dhcp) #default-router 172.16.1.254
    (Aruba800) (config-dhcp) #dns-server 202.96.209.5
    (Aruba800) (config-dhcp) #network 172.16.1.0 255.255.255.0
    (Aruba800) (config-dhcp) #exit
    (Aruba800) (config) #service dhcp

Security configuration of the Aruba controller
(Figure: rules are grouped into policies, policies into roles, and roles are assigned to users.)
- Rule 1 ... Rule n are grouped into Policy 1 ... Policy 5
- Role 1 = Policy 1 + Policy 2; Role 2 = Policy 1 + Policy 3 + Policy 4; Role 3 = Policy 4 + Policy 5; Role 4 = Policy 4
- User1 ... UserN are assigned to a role by role derivation. Methods: 1) Locally Derived, 2) Server Assigned, 3) Default Role
Layers: Policies, Roles, Derivation

A rule combines addresses, services (HTTP, FTP, DNS, etc.), an action (deny, permit, NAT, log, queue, 802.1p assignment, TOS) and a time range. Policy example:
    ip access-list session Internet_Only
      user any udp 68 deny
      user any svc-dhcp permit
      user host 172.16.15.2 svc-dns permit
      user host 172.16.16.2 svc-dns permit
      user alias Internal-Network deny log
      user any any permit
Firewall policy: an ordered set of rules, evaluated in the listed sequence.
Alias definitions:
1) Network aliases
    netdestination Internal-Network
      network 172.16.0.0 255.255.0.0
      network 192.168.100.0 255.255.255.0
    netdestination External-network
      network 172.16.0.0 255.255.0.0
      network 192.168.100.0 255.255.255.0
      invert
2) Service alias
    netservice svc-http tcp 80

Creating Roles (screenshot)
Creating Policies (screenshot)

The user role (Role) determines each user's access rights
- Every role must be bound to one or more policies
- Firewall policies are executed in order
- The last, implicit, default policy is "deny all"
- Bandwidth limits and session-count limits can be set per role
Roles can be assigned in several ways
- Default role of the access authentication method (i.e. 802.1x, VPN, WEP, etc.)
- User role derived from the authentication server (i.e. RADIUS/LDAP attributes)
- Local derivation rules: ESSID, MAC, encryption type, etc.
Every user on an Aruba controller is assigned a Role!

    (Aruba800) #show rights
    RoleTable
    ---------
    Name              ACL  Bandwidth                   ACL List                                                Type
    ----              ---  ---------                   --------                                                ----
    ap-role           4    Up: No Limit,Dn: No Limit   control,ap-acl                                          System
    authenticated     39   Up: No Limit,Dn: No Limit   allowall,v6-allowall                                    User
    default-vpn-role  37   Up: No Limit,Dn: No Limit   allowall,v6-allowall                                    User
    guest             3    Up: No Limit,Dn: No Limit   http-acl,https-acl,dhcp-acl,icmp-acl,dns-acl,v6-http-acl,v6-https-acl,v6-dhcp-acl,v6-icmp-acl,v6-dns-acl  User
    guest-logon       6    Up: No Limit,Dn: No Limit   logon-control,captiveportal                             User
    logon             1    Up: No Limit,Dn: No Limit   logon-control,captiveportal,vpnlogon,v6-logon-control   User
    stateful-dot1x    5    Up: No Limit,Dn: No Limit                                                           System
    voice             38   Up: No Limit,Dn: No Limit   sip-acl,noe-acl,svp-acl,vocera-acl,skinny-acl,h323-acl,dhcp-acl,tftp-acl,dns-acl,icmp-acl  User

    (Aruba800) #show rights authenticated
    Derived Role = 'authenticated'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 39/0
     Max Sessions = 65535

    access-list List
    ----------------
    Position  Name         Location
    --------  ----         --------
    1         allowall
    2         v6-allowall

    allowall
    --------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
    1         any     any          any      permit                           Low

    v6-allowall
    -----------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
    1         any     any          any      permit                           Low

    Expired Policies (due to time constraints) = 0

Defining a user role:
    (Aruba800) (config) #user-role visitors
    (Aruba800) (config-role) #access-list session internet-only
    (Aruba800) (config-role) #max-sessions 100
    (Aruba800) (config-role) #exit
    (Aruba800) (config) #

Default role assignment based on the access authentication method:
    (Aruba800) (config) #show aaa profile default
    AAA Profile "default"
    ---------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        logon
    MAC Authentication Profile          N/A
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     default
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  guest
    802.1X Authentication Server Group  N/A
    RADIUS Accounting Server Group      N/A
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A

    (Aruba800) (config) #show aaa authentication captive-portal default
    Captive Portal Authentication Profile "default"
    -----------------------------------------------
    Parameter                                    Value
    ---------                                    -----
    Default Role                                 guest
    Server Group                                 default
    Redirect Pause                               10 sec
    User Login                                   Enabled
    Guest Login                                  Disabled
    Logout popup window                          Enabled
    Use HTTP for authentication                  Disabled
    Logon wait minimum wait                      5 sec
    Logon wait maximum wait                      10 sec
    logon wait CPU utilization threshold         60%
    Max Authentication failures                  0
    Show FQDN                                    Disabled
    Use CHAP (non-standard)                      Disabled
    Sygate-on-demand-agent                       Disabled
    Login page                                   /auth/index.html
    Welcome page                                 /auth/welcome.html
    Show Welcome Page                            Yes
    Adding switch ip address in redirection URL  Disabled

Role assignment based on server-derivation rules:
    (Aruba800) (config) #aaa server-group test
    (Aruba800) (Server Group "test") #set role condition memberOf contains student set-value student
Note: when user attributes fetched from an LDAP server are used to assign the user role, this can only be configured through the CLI.

Role assignment based on user-derivation rules:
    (Aruba800) (config) #aaa derivation-rules user test_rule
    (Aruba800) (user-rule) #set role condition encryption-type equals dynamic-aes set-value authenticated position 1
    (Aruba800) (user-rule) #set role condition encryption-type equals dynamic-tkip set-value guest position 2

Blacklisting Clients
CONFIDENTIAL Copyright 2009 Aruba Networks, Inc. All rights reserved

What Is Blacklisting?
- Deauthenticated from the network: if a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect.
- Blocked from associating to APs: blacklisting prevents a client from associating with any AP in the network for a specified amount of time.
- Blocked from other SSIDs: while blacklisted, the client cannot associate with another SSID in the network.

Methods Of Blacklisting
- Manually blacklist: an admin user can blacklist a specific client via the clients screen at Monitoring > Clients.
- Firewall policy: a firewall policy can result in the client being blacklisted.
- Fails to authenticate: a client fails to successfully authenticate a configured number of times for a specified authentication method. The client is automatically blacklisted.
- IDS attack: the detection of a denial-of-service or man-in-the-middle (MITM) attack in the network.
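The Internet_Only session ACL and the netdestination aliases from the security-configuration section above, modelled as an added example (not code from the slides or from Aruba): rules are tested top to bottom, the first match decides, an inverted alias matches everything outside its networks, and a flow matching no rule hits the implicit deny. The svc-dhcp (udp 67-68) and svc-dns (udp 53) definitions and the "any" service on the Internal-Network rule are assumptions.

```python
import ipaddress

# Added example, not from the Aruba slides: a model of session-ACL evaluation, top to
# bottom, first match wins, with the implicit "deny all" after the last rule. Rules and
# aliases are those on the slides; svc-dhcp = udp 67-68 and svc-dns = udp 53 are assumed.
NETDESTINATIONS = {                       # alias -> (networks, invert)
    "Internal-Network": (["172.16.0.0/16", "192.168.100.0/24"], False),
    "External-network": (["172.16.0.0/16", "192.168.100.0/24"], True),
}
NETSERVICES = {                           # alias -> (proto, first port, last port)
    "svc-dhcp": ("udp", 67, 68), "svc-dns": ("udp", 53, 53), "svc-http": ("tcp", 80, 80),
}

def dst_matches(spec, ip):                # spec: 'any', 'host A.B.C.D' or 'alias NAME'
    if spec == "any":
        return True
    kind, name = spec.split()
    if kind == "host":
        return ip == name
    nets, invert = NETDESTINATIONS[name]
    inside = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    return inside != invert               # 'invert' matches everything outside the listed nets

def svc_matches(spec, proto, port):       # spec: 'any', a netservice alias, or '<proto> <port>'
    if spec == "any":
        return True
    if spec in NETSERVICES:
        p, lo, hi = NETSERVICES[spec]
    else:
        p, n = spec.split()
        lo = hi = int(n)
    return proto == p and lo <= port <= hi

# ip access-list session Internet_Only, in slide order: (destination, service, action, log)
INTERNET_ONLY = [
    ("any", "udp 68", "deny", False),                 # drops traffic to udp/68, i.e. DHCP replies sent by a client
    ("any", "svc-dhcp", "permit", False),
    ("host 172.16.15.2", "svc-dns", "permit", False),
    ("host 172.16.16.2", "svc-dns", "permit", False),
    ("alias Internal-Network", "any", "deny", True),  # service 'any' assumed; logged
    ("any", "any", "permit", False),
]

def evaluate(acl, dst_ip, proto, port):
    """Return (action, rule number, log) of the first matching rule, else the implicit deny."""
    for i, (dst, svc, action, log) in enumerate(acl, start=1):
        if dst_matches(dst, dst_ip) and svc_matches(svc, proto, port):
            return action, i, log
    return "deny", None, False            # implicit deny all at the end of every policy
```

evaluate(INTERNET_ONLY, "172.16.20.5", "udp", 53) returns ("deny", 5, True): the two host-specific DNS permits do not cover that server, so the logged alias deny wins before the final permit is reached.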

Duration Of Blacklisting
- Blacklist duration is set on a per-SSID basis
- Configured in the Virtual AP profile

Rule-based Blacklisting: Configuration > Access control > Policies (screenshot)

Configuring Firewall Policy Blacklisting: this rule set is used to blacklist clients attaching to the controller IP address. (screenshot)

Viewing Blacklisted Clients: Monitoring > Blacklist Clients. This screen allows clients to be put back into production/logon roles by removing them from the blacklist. (screenshot)

Considerations When Blacklisting Clients
- Policy enforcement
- Devices with weak encryption
- Deny guests access to the corporate network
- May be disruptive to employees

Bandwidth Contracts
- Applied to roles
- Specified in Kbps or Mbps
- Upstream / downstream
- For all users or per user
Bandwidth Contracts (screenshot)
Apply BW-Contract To The Role (screenshot)

Wireless configuration of the Aruba wireless controller
(Figure: profile hierarchy.) AP Group -> Wireless LAN: Virtual AP (properties, SSID, AAA, VLAN); RF Management: a/g radio settings, RF optimizations; AP: system profile, Ethernet, regulatory, SNMP; QoS: VoIP; IDS: a/g management.

Key points of WLAN service configuration
- Encryption method (SSID Profile): keeps data private while in the air; choose no encryption (open), layer-2 encryption (WEP, TKIP, AES) or layer-3 encryption (VPN)
- Authentication method (AAA Profile): ensures that every user joining the WLAN is legitimate; choose no authentication, or MAC, EAP, captive portal, VPN and other methods
- Access control (Role): controls the traffic of legitimate users, including the network resources, bandwidth and time they may use

    (Aruba800) #show wlan virtual-ap default
    Virtual AP profile "default"
    ----------------------------
    Parameter                              Value
    ---------                              -----
    Virtual AP enable                      Enabled
    Allowed band                           all
    SSID Profile                           default
    VLAN                                   100
    Forward mode                           tunnel
    Deny time range                        N/A
    Mobile IP                              Enabled
    HA Discovery on-association            Disabled
    DoS Prevention                         Disabled
    Station Blacklisting                   Enabled
    Blacklist Time                         3600 sec
    Authentication Failure Blacklist Time  3600 sec
    Fast Roaming                           Disabled
    Strict Compliance                      Disabled
    VLAN Mobility                          Disabled
    AAA Profile                            default
    Remote-AP Operation                    standard

Defining an SSID profile:
    (Aruba800) (config) #wlan ssid-profile test
    (Aruba800) (SSID Profile "test") #essid test        (the SSID name the WLAN advertises)
    (Aruba800) (SSID Profile "test") #opmode ?          (encryption modes available to the WLAN)
    dynamic-wep   WEP with dynamic keys
    opensystem    No encryption
    static-wep    WEP with sta
