ARUBA无线网络培训ppt课件.ppt

,ARUBA无线网络培训People move.Networks must follow.,公司简介,市场形象：全球领先的安全无线网络供应商全球唯一的WLAN专业上市公司硅谷技术公司排名(#1 ranking)全球客户数量：6500+,连接性,Aruba产品的市场定位,安全性,移动性,ARUBA以用户为中心的网络,高性能无线园区网 即插即用的远程接入点 适合各种规模的分支办公室网络 安全的企业无线网状网 RFprotect 无线入侵防范,Who,What,Where,When,How?,基于角色的安全策略 叠加的网络安全特性 整合的网络准入控制 安全访客接入,持续的话音呼叫 数据会话的永续性 应用感知的服务质量 基于定位的应用 视频优化,自适应无线局域网,基于身份的安全性,应用层质量保证,Follow-MeApplications,Follow-MeSecurity,Follow-MeManagement,Follow-Me Connectivity,User-CentricNetworks,多厂商设备管理 用户级管理和报表 可视的无线热区图 非法AP识别和定位 故障诊断专家系统,统一的用户网络管理,自动优化：不需要人工干预的智能网络,自适应射频管理（Adaptive Radio Management）基于可用频谱对WLAN进行持续优化对频谱进行实时扫描和监视自动选择最佳信道和功率，降低网络冲突和干扰，并在AP失效时自动对盲区进行覆盖基于用户和流量进行负载均衡对双频段用户提供频段指引公平接入快速和慢速客户端基于负载感知的射频扫描,挑战 动态射频环境在一个期望的覆盖范围，可以使用的工作信道并不是一成不变的，与环境中存在的干扰和用户密度、流量负载等有关,便于扩展：随时随地对无线网络进行扩展,6,业界最强大的无线控制器 单台支持80G线速转发 单台管理2048个无线AP,从室内向室外扩展,向更加广阔的Internet扩展,基于身份的访问控制和带宽管理,基于用户的无线状态防火墙,单一物理网络设施 任意对用户进行分组 不同组或用户设定不同L2-L7策略控制 不同用户设定不同的上下行带宽分配 不同用户设定的不同QOS级别,Aruba的Firewall可以检测到ICMP,TCP Sync,IP Session,IP Spoofing,RST Relay,ARP等多种潜在网络攻击,并自动将攻击者放入黑名单,断开无线连接,Virtual AP 2SSID:VOICE,标准客户,免费客户,路由器,WEB门户,移动性控制器,接入点,VIP,唯一权限、QoS,策略,免费客户,语音,普通客户,VIP客户,话音客户,AAA 基础设施,入门客户,相同或不同的VLAN,ARUBA无线网络的组网架构,Email Server,10/100 Mbps,L2/3,DHCP Server,通讯过程：AP连接到现有网络的交换机端口，加电起动后，获得IP地址AP通过各种方式获得ARUBA控制器的Loop IP地址（静态获得、DHCP返回、DNS解析、组播、广播）AP与控制器之间建立PAPI隧道（UDP 8211），通过FTP或TFTP到ARUBA控制器上比对并下载AP的image软件和配置文档，并根据配置信息建立AP与控制器之间的GRE隧道，同时向无线用户提供无线接入服务无线用户通过SSID连接无线网络，所有的用户流量都通过AP与ARUBA控制器之间的GRE隧道直接传递到ARUBA控制器上，进行相应的加解密、身份验证、授权、策略和转发,配置ARUBA无线控制器,管理员登陆(admin/saic_admin)CliWeb管理帐号网络配置VlanIP addressIP routeIP dhcp安全配置PolicyRoleAAA无线配置SSIDVirtual AP,配置ARUBA无线控制器,管理员登陆,登陆ARUBA无线控制器,Command lineUser:adminPassword:*(Aruba800)enPassword:*(Aruba800)#configure tEnter Configuration commands,one per line.End with CNTL/ZWeb UIhttps:/Admin帐号管理#mgmt-user(Aruba800)(config)#mgmt-user admin root Password:*Re-Type password:*(Aruba800)(config)#,配置ARUBA无线控制器,ARUBA无线控制器的网络配置,ARUBA无线控制器的网络配置,配置Vlan(Aruba800)(config)#vlan 200(Aruba800)(config)#interface fastethernet 1/0接入模式：(Aruba800)(config-if)#switchport access vlan 200(Aruba800)(config-if)#switchport mode access中继模式：(Aruba800)(config-if)#switchport trunk allowed vlan all(Aruba800)(config-if)#switchport mode trunk(Aruba800)(config-if)#show vlanVLAN CONFIGURATION-VLAN Name Ports-1 Default FE1/1-7 100 VLAN0100 GE1/8 200 VLAN0200 FE1/0 配置IP address(Aruba800)(config)#interface vlan 200(Aruba800)(config-subif)#ip address 192.168.202.254 255.255.255.0(vlan interface)(Aruba800)(config-subif)#ip helper-address 10.10.10.1(DHCP relay),ARUBA无线控制器的网络配置,配置IP route配置缺省路由:(Aruba800)(config)#ip default-gateway 192.168.1.1 配置静态路由：(Aruba800)(config)#ip route 10.10.10.0 255.255.255.0 172.16.0.1(Aruba800)(config)#show ip route Codes:C-connected,O-OSPF,R-RIP,S-static M-mgmt,U-route usable,*-candidate defaultGateway of last resort is 192.168.1.1 to network 0.0.0.0S*0.0.0.0/0 1/0 via 192.168.1.1*S 10.10.10.0/24 1/0 via 172.16.0.1*C 172.16.0.0 is directly connected,VLAN1C 192.168.1.0 is directly connected,VLAN100C 192.168.202.0 is directly connected,VLAN200配置dhcp server(Aruba800)(config)#ip dhcp pool user_pool(Aruba800)(config-dhcp)#default-router 172.16.1.254(Aruba800)(config-dhcp)#dns-server 202.96.209.5(Aruba800)(config-dhcp)#network 172.16.1.0 255.255.255.0(Aruba800)(config-dhcp)#exit(Aruba800)(config)#service dhcp,配置ARUBA无线控制器,ARUBA无线控制器的安全配置,ARUBA控制器的安全配置,Rule 1Rule 2Rule 3Rule n,Rule 1Rule 2,Rule 1,Rule 1Rule 2Rule 3Rule 4,Rule 1Rule 2Rule 3Rule 4,Policy 1,Policy 2,Policy 3,Policy 4,Policy 5,Role 1 Policy 1 Policy 2,Role 2 Policy 1 Policy 3 Policy 4,Role 3 Policy 4 Policy 5,Role 4 Policy 4,User1 User2 User3 User4 User5 User6 UserN,Role Derivation:,1)Locally Derived2)Server Assigned3)Default Role,Assigns usersto a role,Methods:,Policies,Roles,Derivation,ARUBA控制器的安全配置,Addresses,HTTPFTPDNSetc,DenyPermitNat,LogQueue802.1p assignmentTOSTime Range,策略示例：ip access-list session Internet_Only user any udp 68 deny user any svc-dhcp permituser host 172.16.15.2 svc-dns permituser host 172.16.16.2 svc-dns permituser alias Internal-Network deny loguser any any permit,防火墙策略：一组按照特定次序排列的规则的集合,别名的定义：1)网络别名netdestination Internal-Network network 172.16.0.0 255.255.0.0network 192.168.100.0 255.255.255.0netdestination External-network network 172.16.0.0 255.255.0.0network 192.168.100.0 255.255.255.0 invert2)服务别名netservice svc-http tcp 80,ARUBA控制器的安全配置,Addresses,HTTPFTPDNSetc,DenyPermitNat,LogQueue802.1p assignmentTOSTime Range,防火墙策略：一组按照特定次序排列的规则的集合,Creating Roles,Creating Policies,21,2-21,ARUBA无线控制器的安全配置,用户角色（Role）决定了每个用户的访问权限每一个role都必须与一个或多个policy绑定防火墙策略按次序执行最后一个隐含的缺省策略是“deny all”可以设定role的带宽限制和会话数限制用户角色（Role）的分配可以通过多种方式实现基于接入认证方式的缺省角色(i.e.802.1x,VPN,WEP,etc.)由认证服务器导出的用户角色(i.e.RADIUS/LDAP属性)本地导出规则ESSIDMACEncryption typeEtc.ARUBA控制器中的每一个用户都会被分配一个Role!,ARUBA无线控制器的安全配置,(Aruba800)#show rights RoleTable-Name ACL Bandwidth ACL List Type-ap-role 4 Up:No Limit,Dn:No Limit control,ap-acl Systemauthenticated 39 Up:No Limit,Dn:No Limit allowall,v6-allowall Userdefault-vpn-role 37 Up:No Limit,Dn:No Limit allowall,v6-allowall Userguest 3 Up:No Limit,Dn:No Limit http-acl,https-acl,dhcp-acl,icmp-acl,dns-acl,v6-http-acl,v6-https-acl,v6-dhcp-acl,v6-icmp-acl,v6-dns-acl Userguest-logon 6 Up:No Limit,Dn:No Limit logon-control,captiveportal Userlogon 1 Up:No Limit,Dn:No Limit logon-control,captiveportal,vpnlogon,v6-logon-control Userstateful-dot1x 5 Up:No Limit,Dn:No Limit Systemvoice 38 Up:No Limit,Dn:No Limit sip-acl,noe-acl,svp-acl,vocera-acl,skinny-acl,h323-acl,dhcp-acl,tftp-acl,dns-acl,icmp-acl User,ARUBA无线控制器的安全配置,(Aruba800)#show rights authenticatedDerived Role=authenticated Up BW:No Limit Down BW:No Limit L2TP Pool=default-l2tp-pool PPTP Pool=default-pptp-pool Periodic reauthentication:Disabled ACL Number=39/0 Max Sessions=65535access-list List-Position Name Location-1 allowall 2 v6-allowall allowall-Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan-1 any any any permit Low v6-allowall-Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan-1 any any any permit Low Expired Policies(due to time constraints)=0,ARUBA无线控制器的安全配置,定义用户角色（role）(Aruba800)(config)#user-role visitors(Aruba800)(config-role)#access-list session internet-only(Aruba800)(config-role)#max-sessions 100(Aruba800)(config-role)#exit(Aruba800)(config)#,ARUBA无线控制器的安全配置,基于接入认证方式的缺省角色（role）分配(Aruba800)(config)#show aaa profile defaultAAA Profile default-Parameter Value-Initial role logonMAC Authentication Profile N/AMAC Authentication Default Role guestMAC Authentication Server Group default802.1X Authentication Profile N/A802.1X Authentication Default Role guest802.1X Authentication Server Group N/ARADIUS Accounting Server Group N/AXML API server N/ARFC 3576 server N/AUser derivation rules N/AWired to Wireless Roaming EnabledSIP authentication role N/A,(Aruba800)(config)#show aaa authentication captive-portal defaultCaptive Portal Authentication Profile default-Parameter Value-Default Role guestServer Group defaultRedirect Pause 10 secUser Login EnabledGuest Login DisabledLogout popup window EnabledUse HTTP for authentication DisabledLogon wait minimum wait 5 secLogon wait maximum wait 10 seclogon wait CPU utilization threshold 60%Max Authentication failures 0Show FQDN DisabledUse CHAP(non-standard)DisabledSygate-on-demand-agent DisabledLogin page/auth/index.htmlWelcome page/auth/welcome.htmlShow Welcome Page YesAdding switch ip address in redirection URL Disabled,ARUBA无线控制器的安全配置,基于接入认证方式的缺省角色（role）分配,ARUBA无线控制器的安全配置,基于服务期返回规则的角色（role）分配(Aruba800)(config)#aaa server-group test(Aruba800)(Server Group test)#set role condition memberOf contains student set-value student,说明：从LDAP服务器获取用户属性，并以此为依据分配用户角色时，只能通过CLI进行配置,ARUBA无线控制器的安全配置,基于用户定义规则的角色（role）分配(Aruba800)(config)#aaa derivation-rules user test_rule(Aruba800)(user-rule)#set role condition encryption-type equals dynamic-aes set-value authenticated position 1(Aruba800)(user-rule)#set role condition encryption-type equals dynamic-tkip set-value guest position 2,Blacklisting Clients,What Is Blacklisting?,Deauthenticated from the networkIf a client is connected to the network when it is blacklisted,a deauthentication message is sent to force the client to disconnect.Blocked from associating to APsBlacklisting prevents a client from associating with any AP in the network for a specified amount of time.Blocked from other SSIDsWhile blacklisted,the client cannot associate with another SSID in the network.,2-31,Methods Of Blacklisting,Manually blacklist Admin user can blacklist a specific client via the clients screen at Monitoring ClientsFirewall policy A firewall Policy can result in the client being blacklistedFails to AuthenticateA client fails to successfully authenticate for a configured number of times for a specified authentication method.The client is automatically blacklisted.IDS AttackThe detection of a denial of service or man in the middle(MITM)attack in the network.,2-32,Duration Of Blacklisting,Blacklist Duration on Per-SSID basisConfigured in Virtual AP Profile,2-33,Rule based Blacklisting,Configuration-Access control-Policies,Configuring Firewall Policy Blacklisting,This rule set is used to blacklist clients attaching to the controller IP address,2-35,Viewing Blacklist Clients,Monitoring Blacklist ClientsThis screen allows clients to be put back into production/logon roles by removing them from the blacklist,2-36,Considerations When Blacklisting Clients,Policy enforcementDevices with weak encryptionDeny Guest from corporate accessMay be disruptive to employees,2-37,Bandwidth Contracts,Bandwidth Contracts,Applied to RolesSpecified in Kbps or MbpsUpstream-DownstreamFor all Users or Per User,2-39,Bandwidth Contracts,2-40,Apply BW-Contract To The Role,2-41,配置ARUBA无线控制器,ARUBA无线控制器的无线配置,ARUBA无线控制器的无线配置,ARUBA无线控制器的无线配置,加密方法确保数据在空中传输时的私密性可以选择不加密(open)、二层加密(WEP,TKIP,AES)或者三层加密(VPN)认证方式确保接入无线网络的用户都是合法用户认证方式可以选择不认证，或者MAC、EAP、captive portal、VPN等认证方式访问控制对接入无线网络的合法用户流量进行有效控制，包括可以访问的网络资源、带宽、时间等,WLAN服务的配置要点,SSID Profile,AAA Profile,Role,ARUBA无线控制器的无线配置,(Aruba800)#show wlan virtual-ap defaultVirtual AP profile default-Parameter Value-Virtual AP enable EnabledAllowed band allSSID Profile defaultVLAN 100Forward mode tunnelDeny time range N/AMobile IP EnabledHA Discovery on-association DisabledDoS Prevention DisabledStation Blacklisting EnabledBlacklist Time 3600 secAuthentication Failure Blacklist Time3600 secFast Roaming DisabledStrict Compliance DisabledVLAN Mobility DisabledAAA Profile defaultRemote-AP Operation standard,ARUBA无线控制器的无线配置,SSID Profile的定义(Aruba800)(config)#wlan ssid-profile test(Aruba800)(SSID Profile“test”)#essid test（WLAN显示的SSID名称）(Aruba800)(SSID Profile“test”)#opmode?（WLAN可以选用的加密方式）dynamic-wep WEP with dynamic keysopensystem No encryptionstatic-wep WEP with static keyswpa-aes WPA with AES encryption and dynamic keys using 802.1Xwpa-psk-aes WPA with AES encryption using a pre-shared keywpa-psk-tkip WPA with TKIP encryption using a pre-shared keywpa-tkip WPA with TKIP encryption and dynamic keys using 802.1Xwpa2-aes WPA2 with AES encryption and dynamic keys using 802.1Xwpa2-psk-aes WPA2 with AES encryption using a pre-shared keywpa2-psk-tkip WPA2 with TKIP encryption using a pre-shared keywpa2-tkip WPA2 with TKIP encryption and dynamic keys using 802.1XxSec xSec encryption(Aruba800)(SSID Profile“test”)#opmode opensystem,ARUBA无线控制器的无线配置,SSID Profile的定义,ARUBA无线控制器的无线配置,AAA Profile的定义配置基于Open的AAA Profile(Aruba800)(config)#aaa profile test(Aruba800)(AAA Profile test)#clone default配置基于Portal认证的CaptivePortal Profile(Aruba800)(config)#aaa authentication captive-portal test(Aruba800)(Captive Portal Authentication Profile test)#clone default(Aruba800)(Captive Portal Authentication Profile test)#default-role guest(Aruba800)(Captive Portal Authentication Profile test)#no enable-welcome-page(Aruba800)(Captive Portal Authentication Profile test)#server-group test,ARUBA无线控制器的无线配置,配置LDAP服务器(Aruba800)(config)#aaa authentication-server ldap test(Aruba800)(LDAP Server test)#host 10.10.10.10(Aruba800)(LDAP Server test)#admin-dn admin(Aruba800)(LDAP Server test)#admin-passwd admin(Aruba800)(LDAP Server test)#base-dn cn=users,dc=qa,dc=domain,dc=com(Aruba800)(LDAP Server test)#allow-cleartext(Aruba800)(LDAP Server test)#,ARUBA无线控制器的无线配置,配置Server-Group(Aruba800)(config)#aaa server-group test(Aruba800)(Server Group test)#auth-server test(Aruba800)(Server Group test)#set role condition memberOf contains guest set-value guest,(Aruba800)(config)#show aaa server-group testFail Through:NoAuth Servers-Name Server-Type trim-FQDN Match-Type Match-Op Match-Str-test Ldap No Role/VLAN derivation rules-Priority Attribute Operation Operand Type Action Value Valid-1 memberOf contains guest String set role guest No,ARUBA无线控制器的无线配置,在用户初始角色（initial role）中调用CaptivePortal Profile(Aruba800)(config)#user-role logon(Aruba800)(config-role)#captive-portal test(Aruba800)(config-role)#exit,ARUBA无线控制器的无线配置,Virtual AP,AAA,VLAN,SSID,ESSID,OpenSystem,Captive Portal,Default Role,Server Group,Initial Role,LDAP Server,Radius Server,Derived Role,Policy,Policy,Thank YouFollow-Me Connectivity.Follow-Me Security.Follow-Me Applications.Follow-Me Management.,WEB,Table X,11.2.1.21,AP1,AP2,MasterMgmt VLAN 1X=10.1.1X.2/24Loopback=10.1.1X.100Employee VLAN 10X,TableXWEP,MasterMgmt VLAN 11=10.1.11.2/24Loopback=10.1.11.100Employee VLAN 101,AP1,AP2,Table1WEP,Table 1,RADIUS,DHCP,DNS EMAIL,Corp WEB,10.254.1.21,L3 Switch(Native VLAN)Mgmt VLAN 11=10.1.11.1/24(Trunk VLAN)VLAN 101=172.16.101.1/24,L3 Switch(Native VLAN)Mgmt VLAN 1X=10.1.1X.1/24(Trunk VLAN)VLAN 10X=172.16.10X.1/24,Lab Topology-Basic Install,MasterMgmt VLAN 11=10.1.11.2/24Loopback=10.1.11.100Employee VLAN 101Voice VLAN 701,WEB And Corporate SIP Server,Table 1,MasterMgmt VLAN 1X=10.1.1X.2/24Loopback=10.1.1X.100Employee VLAN 10XVoice VLAN 70X,Table X,AP1,AP2,AP1,AP2,Table1WEP,VoiceXWEP,TableXWEP,Voice1WEP,11.2.1.21,RADIUS,DHCP,DNS EMAIL,Corp WEB,10.254.1.21,L3 Switch(Native VLAN)Mgmt VLAN 11=10.1.11.1/24(Trunk VLAN)VLAN 101=172.16.101.1/24(Trunk VLAN)VLAN 701=172.16.111.2/24,L3 Switch(Native VLAN)Mgmt VLAN 1X=10.1.1X.1/24(Trunk VLAN)VLAN 10X=172.16.10X.1/24(Trunk VLAN)VLAN 70X=172.16.11X.2/24,Lab Topology-Roles and Firewall,MasterMgmt VLAN 11=10.1.11.2/24Loopback=10.1.11.100Employee VLAN 101Voice VLAN 701,Table 1,MasterMgmt VLAN 1X=10.1.1X.2/24Loopback=10.1.1X.100Employee VLAN 10XVoice VLAN 70X,Table X,AP1,AP2,AP1,AP2,Table1802.1x,TableX802.1x,VoiceXWEP,Voice1WEP,WEB And Corporate SIP Server,11.2.1.21,RADIUS,DHCP,DNS EMAIL,Corp WEB,10.254.1.21,L3 Switch(Native VLAN)Mgmt VLAN 11=10.1.11.1/24(Trunk VLAN)VLAN 101=172.16.101.1/24(Trunk VLAN)VLAN 701=172.16.111.2/24,L3 Switch(Native VLAN)Mgmt VLAN 1X=10.1.1X.1/24(Trunk VLAN)VLAN 10X=172.16.10X.1/24(Trunk VLAN)VLAN 70X=172.16.11X.2/24,Lab Topology-Auth and Encryption,MasterMgmt VLAN 11=10.1.11.2/24Loopback=10.1.11.100Employee VLAN 101Voice VLAN 701Guest VLAN 901=192.168.0.0/16Guest DHCP=192.168.1.0/24,Table 1,MasterMgmt VLAN 1X=10.1.1X.2/24Loopback=10.1.1X.100Employe