Aruba 无线控制器配置手册

Aruba3400无线控制器配置手册1.初始化配置1.1.无线控制器初始化配置Enter System name [Aruba3400]:Enter VLAN 1 interface IP address [172.16.0.254]:Enter VLAN 1 interface subnet mask [255.255.255.0]:Enter IP Default gateway [none]:Enter Switch Role, (master|local) [master]: ————————————控制器角色Enter Country code (ISO-3166), <ctrl-I> for supported list: cn———————控制器所在国家代码，此选项影响You have chosen Country code CN for China (yes|no)?: yes可用RF channel及功率参数Enter Time Zone [PST-8:0]: UTC8:0——————————————－时区系统（UTC、PST等）及所在时区Enter Time in UTC [06:07:59]: 6:11:30——————————————所选时区系统的标准时间而不是本地时间，Enter Date (MM/DD/YYYY) [8/14/2011]: 否则控制器的时钟可能就不对了。

Enter Password for admin login (up to 32 chars): ******Re-type Password for admin login: ******Enter Password for enable mode (up to 15 chars): ******Re-type Password for enable mode: ******Do you wish to shutdown all the ports (yes|no)? [no]:Current choices are:System name:VLAN 1 interface IP address: 172.16.0.254VLAN 1 interface subnet mask: 255.255.255.0IP Default gateway: noneSwitch Role: masterCountry code: cnTime Zone: UTC8:0Ports shutdown: noIf you accept the changes the switch will restart!Type <ctrl-P> to go back and change answer for any questionDo you wish to accept the changes (yes|no)yesCreating configuration... Done.System will now restart!Shutdown processing started1.2.恢复出厂设置－无线控制器注意以下两条command的区别：(Aruba3400) #write eraseAll the configuration will be deleted. Press 'y' to proceed :Write Erase successful(Aruba3400) #(Aruba3400) #write erase allSwitch will be factory defaulted. All the configuration and databases will be deleted. Press 'y' to proceed :(Aruba3400) #(Aruba3400) #(Aruba3400) #reloadDo you really want to reset the system(y/n): ySystem will now restart!write erase只删除配置文件。

Aruba 无线控制器内部试验文档2010年06月目录第一章.Aruba售后基础.................................................................................................. - 4 -一.Aruba产品简介 .................................................................................................................... - 4 -1.Aruba 无线控制器（AC） ................................................................................................. - 4 -2.Aruba 无线接入点（AP） ................................................................................................. - 5 -二.组网方式 ............................................................................................................................. - 6 -1.与有线网二层连接............................................................................................................. - 6 -2.与有线网三层连接............................................................................................................. - 7 -三.控制器登陆方式 .................................................................................................................. - 7 -第二章.控制器Web基本管控 ......................................................................................... - 8 -1.登陆控制器............................................................................................................................ - 8 -2.修改登录密码........................................................................................................................ - 9 -3.查看控制器状态 .................................................................................................................. - 12 -4.查看接口状态...................................................................................................................... - 13 -5.查看AP状态.......................................................................................................................... - 15 -6.查看用户状态...................................................................................................................... - 17 -7.添加/清除黑名单 ................................................................................................................ - 19 -第三章.控制器CLI配置调试 .......................................................................................... - 21 -一.Aruba基础配置 .................................................................................................................. - 21 -1.Console登陆...................................................................................................................... - 21 -2.恢复出厂配置 .................................................................................................................. - 22 -3.初始化配置 ...................................................................................................................... - 22 -4.保存配置参数 .................................................................................................................. - 23 -5.Image升级 ........................................................................................................................ - 23 -6.备份与恢复配置文件 ....................................................................................................... - 23 -7.DHCP配置 ......................................................................................................................... - 24 -8.配置AP ............................................................................................................................. - 25 -9.为无线终端用户单独配置VLAN ....................................................................................... - 29 -二.Aruba无线认证加密方式................................................................................................... - 31 -1.OPEN ................................................................................................................................ - 31 -2.PSK 认证 .......................................................................................................................... - 32 -3.MAC地址认证................................................................................................................... - 33 -4.Dot1x （802.1x）认证： ................................................................................................. - 34 -5.Captive-portal认证............................................................................................................ - 35 -三.Aruba无线安全策略 .......................................................................................................... - 37 -1.Captive Portal界面定制 .................................................................................................... - 37 -2.Demo License .................................................................................................................... - 38 -3.PEF license ........................................................................................................................ - 39 -4.role 应用.......................................................................................................................... - 42 -5.利用role做带宽限制策略 ................................................................................................. - 43 -6.Radius服务器.................................................................................................................... - 44 -7.Master Local ..................................................................................................................... - 46 -8.VRRP ................................................................................................................................. - 47 -第四章.控制器Web配置调试 ....................................................................................... - 49 -1.AP更改组配置...................................................................................................................... - 49 -2.AP更改名字配置 .................................................................................................................. - 50 -第五章.Troubleshooting........................................................................................... - 52 -1.AP指示灯说明...................................................................................................................... - 52 -2.AP未启动故障检查 .............................................................................................................. - 52 -第一章.Aruba售后基础一.Aruba产品简介这里只是把Aruba全套产品线构成做简单展现，以便了解使用Aruba设备，详细产品说明请查看产品详细资料。

The Aruba 6000 is a modular, full-featured wireless LAN mobility controller that aggregates up to 512 controlled Access Points (APs) and delivers mobility, centralized control, convergence services and security for wireless deployments. The Aruba 6000 is designed to support large deployments in a scaleable manner, and can be easily deployed as an overlay without any disruption to the existing wired network. The device is managed using the ArubaOS or Aruba Mobility Management System.The Aruba 6000 can be deployed as an identity-based security gateway to authenticate wired and wireless users, enforce role-based access control policies and quarantine unsafe endpoints from accessing the corporate network. Guest users can be easily and safely supported with the built-in captive portal server and advanced network services. Features that allow the Aruba 6000 to create a secure networking environment without requiring additional VPN/firewall devices include integrated site-to-site VPN, split-tunneling, ICSA-compliant stateful firewall and NAT. Site-to-site VPN can be integrated with all leading VPN concentrators to provide seamless integration into existing corporate VPNs. In addition, advanced convergence features such as Call Admission Control (CAC), voice-aware RF management and strict over-the-air QoS allow the Aruba 6000 to deliver mobile VoIP capabilities.Controller Performance and CapacityControlled APs Up to 512 Users Up to 8192 MAC addresses Up to 128,000 VLAN IP interfaces 128 Fast Ethernet ports (10/100) Up to 72 Gigabit Ethernet ports (GBIC) Up to 6 Active firewall sessions Up to 512,000 Concurrent IPSEC tunnels Up to 8,192 Firewall throughput Up to 8 Gbps Encrypted throughput (3DES & AES-CCM) Up to 7.2Gbps Wireless LAN Security and Control Features• 802.11i security (WFA certified WPA2 and WPA)• 802.1X user and machine authentication• EAP-PEAP, EAP-TLS, EAP-TTLS support• Centralized AES-CCM, TKIP and WEP encryption• 802.11i PMK caching for fast roaming applications• EAP offload for AAA server scalability and survivability• Stateful 802.1X authentication for standalone APs• MAC address, SSID and location based authentication• Per-SSID bandwidth contracts• SSID-based RADIUS server selection• Secure AP control and management over IPSEC or GRE• CAPWAP compatible and upgradeable• Distributed WLAN mode for remote AP deployments• Simultaneous centralized and distributed WLAN supportIdentity-based Security Features• Wired and wireless user authentication• Captive portal, 802.1X and MAC address authentication• Username, IP address, MAC address and encryption keybinding for strong network identity creation• Per-packet identity verification to prevent impersonation• Endpoint posture assessment, quarantine and remediation• Microsoft NAP, Cisco NAC, Symantec SSE support• RADIUS and LDAP based AAA server support• Internal user database for AAA server failover protection• Role-based authorization for eliminating excess privilege• Robust policy enforcement with stateful packet inspection• Role-based MAC/Ethertype ACLs• Per-user session accounting for usage auditing• Web-based guest enrollment with Aruba GuestConnect™• Configurable acceptable use policies for guest access • XML-based API for external captive portal integration • xSec option for wired LAN authentication and encryption (802.1X authentication, 256-bit AES-CBC encryption)Convergence Features• Voice and data on a single SSID for converged devices • Flow-based QoS using Voice Flow Classification™• SIP, Spectralink SVP, Cisco SCCP and Vocera ALGs • Strict priority queuing for over-the-air QoS• 802.11e support – WMM, U-APSD and T-SPEC• QoS policing for preventing network abuse via 802.11e • SIP authentication tracking• Diffserv marking and 802.1p support for network QoS • On-hook and off-hook VoIP client detection• Voice-aware 802.1x authentication• VoIP call admission control (CAC) using VFC• Call reservation thresholds for mobile VoIP calls• Voice-aware RF management for ensuring voice quality • Fast roaming support for ensuring mobile voice quality • SIP early media and ringing tone generation (RFC 3960)• Per-user and per-role rate limits (bandwidth contracts)Adaptive Radio Management™ (ARM) Features • Automatic channel and power settings for controlled APs • Simultaneous air monitoring and end user services• Self-healing coverage based on dynamic RF conditions • Dense deployment options for capacity optimization• AP load balancing based on number of users• AP load balancing based on bandwidth utilization• Coverage hole and RF interference detection• 802.11h support for radar detection and avoidance• Automated location detection for Active RFID tags• Built-in XML based Location API for RFID applicationsThe Aruba 6000 Mobility ControllerWireless Intrusion Protection Features• Integration with WLAN infrastructure• Simultaneous or dedicated air monitoring capabilities • Rogue AP detection and built-in location visualization • Automatic rogue, interfering and valid AP classification • Over-the-air and over-the-wire rogue AP containment • Adhoc WLAN network detection and containment • Windows client bridging and wireless bridge detection • Denial of service attack protection for APs and stations • Misconfigured standalone AP detection and containment • 3rd party AP performance monitoring and troubleshooting • Flexible attack signature creation for new WLAN attacks • EAP handshake and sequence number analysis • Valid AP impersonation detection• Frame floods, Fake AP and Airjack attack detection• ASLEAP , death broadcast, null probe response detection • Netstumbler-based network probe detectionStateful Firewall Features• Stateful packet inspection tied to user identity or ports • Location and time-of-day aware policy definition • 802.11 station awareness for WLAN firewalling• Over-the-air policy enforcement and station blacklisting • Session mirroring and per-packet logs for forensic analysis • Detailed firewall traffic logs for usage auditing • ICSA corporate firewall 4.1 compliance• Application Layer Gateway (ALG) support for SIP , SCCP , RTSP , Vocera, FTP , TFTP , PPTP• Source and destination Network Address Translation (NAT)• Dedicated flow processing hardware for high performance • TCP , ICMP denial of service attack detection and protection • Policy-based forwarding into GRE tunnels for guest traffic • External service interface for 3rd party security integration for inline anti-virus, anti-spam and content filtering apps • Heath checking and load balancing for external servicesVPN Server Features• Site-to-site VPN support for branch office deployments• Site-to-site interoperability with 3rd party VPN servers • VPN server emulation for easy integration into WLAN • L2TP/IPSEC VPN termination for Windows VPN clients • Mobile edge client shim for roaming with RSA Tokens • XAUTH/IPSEC VPN termination for 3rd Party clients • PPTP VPN termination for legacy VPN integration• RADIUS and LDAP server support for VPN authentication • PAP , CHAP , MS-CHAP and MS-CHAPv2 authentication • Hardware encryption for DES, 3DES, AES, MPPE • Secure point-to-point xSec tunnels for L2 VPNs • RFC 3706 IKE Dead Peer DetectionNetworking Features and Advanced Services• L2 and L3 switching over-the-air and over-the-wire • VLAN pooling for easy, scalable network designs • VLAN mobility for seamless L2 roaming• Proxy mobile IP and proxy DHCP for L3 roaming • Built-in DHCP server and DHCP relay• VRRP based N+1 controller redundancy (L2)• AP provisioning based N+1 controller redundancy (L3)• Wired access concentrator mode for centralized security • Etherchannel support for link redundancy • 802.1d Spanning Tree ProtocolController-based Management Features• RF Planning and AP Deployment Toolkit• Centralized AP provisioning and image management • Live coverage visualization with RF heat maps • Detailed statistics visualization for monitoring • Remote packet capture for RF troubleshooting• Interoperable with Ethereal, Airopeek and AirMagnet analyzers • Multi-controller configuration management • Location visualization and device tracking • System-wide event collection and reportingController Administration Features• Web-based user interface access over HTTP and HTTPS • Quickstart screens for easy controller configuration • CLI access using SSH, Telnet and console port• Role-based access control for restricted admin access • Authenticated access via RADIUS, LDAP or Internal DB • SNMPv3 and SNMPv2 support for controller monitoring • Standard MIBs and private enterprise MIBs• Detailed message logs with syslog event notificationController Power Supply Options • Power Consumption Max. 466 Watts per PSU • HW-PSU-200 AC power supplies deliver 200W of power• AC Input Voltage 90-132VAC, 170-264VAC • AC Input Frequency 47-63 Hz • AC input current 5A @ 110VAC • HW-PSU-400 AC power supplies deliver 400W of power • AC Input Voltage 85-264 VAC, Auto-sensing • AC Input Frequency 47-63 Hz • AC input current: 5A @ 110VACOperating Specifications and Dimensions • Operating temperature range0° to 40° C• Storage temperature range10° to 70° C • Humidity, non-condensing 5 to 95% • Height 5.75˝ (146 mm) • Width 17.4˝ (444 mm) • Depth 12.5˝ (317.5 mm) • Weight30 lbs. (unboxed)Warranty• Hardware 1 year parts/labor• Software90 daysRegulatory and Safety Compliance• FCC part 15 Class A CE • Industry Canada Class A • VCCI Class A (Japan)• EN 55022 Class A (CISPR 22 Class A), EN 61000-3,• EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, • EN 61000-4-5, EN 61000-4- 6, EN 61000-4-8, • EN 61000-4-11, EN 55024, AS/NZS 3548• UL 60950• CAN/CSA 22.2 #609501322 Crossman AvenueSunnyvale, California 94089Tel: 408.227.4500 • Fax: 408.227.4550 © 2007 Aruba Networks, Inc. All rights reserved. Specifications are subject to change without notice.Ordering InformationPart number Description6000-BASE-2PSU-200 Aruba 6000 Base System (Standard Power) 6000-BASE-2PSU-400 Aruba 6000 Base System (SPOE Power)SC-48-C1 Aruba Supervisor Card I (48 AP Support)SC-128-C1 Aruba Supervisor Card I (128 AP Support)SC-256-C2 Aruba Supervisor Card II (256 AP Support)LC-2G Aruba 2xGE Line CardLC-2G24F Aruba 2xGE/24FE Line CardLC-2G24FP Aruba 2xGE/24 FE Line Card SPOELC-GBIC-T Aruba GBIC Interface Adapter - TLC-GBIC-SX Aruba GBIC Interface Adapter - SXLC-GBIC-LX Aruba GBIC Interface Adapter – LXHW-CHAS Aruba 5000 & 6000 Series Base 4-SlotChassis Excludes Fan Tray)HW-PSU-200 Aruba 5000 & 6000 Series Power Supply200 WattHW-PSU-400 Aruba 5000 & 6000 Series Power Supply400 WattHW-FT Aruba 5000 & 6000 Series ReplacementFan TrayHW-SC-LC-BLANK Aruba 5000 & 6000 Series Supervisor /Line Card Slot Blank PanelHW-PSU-BLANK Aruba 5000 & 6000 Series Power SupplyUnit Slot Blank PanelAK-5000-NA Aruba 5000 & 6000 Accessory Kit(HW Installation Guide & 19” Rack Mount Kit) HW-MNT-19 Aruba 5000 & 6000 Series Replacement19” Equipment Rack Mounting KitSC-48-C1-UG-128 Aruba Supervisor Card I System Upgrade(48 AP to 128 AP Support)LIC-SC1-SEC-48* Security Software Bundle for Supervisor Card I (48 AP License)LIC-SC1-ADV-48** Advanced Security Software Bundle forSupervisor card I (48 AP License)LIC-SC1-PEF-48 Policy Enforcement Firewall Module for Aruba Supervisor Card I (48 AP)LIC-SC1-VPN-48 VPN Server Module for Aruba Supervisor Card I (48 AP)LIC-SC1-WIP-48 Wireless Intrusion Protection Module for Aruba Supervisor Card I (48 AP)LIC-SC1-VOC-48 Voice Services Module for ArubaSupervisor Card I (48 AP)LIC-SC1-ESI-48 External Services Interface Module for Aruba Supervisor Card I (48 AP)LIC-SC1-CIM-48 Client Integrity Module for ArubaSupervisor Card I (48 AP)LIC-SC1-XSC-48 xSec Module for Aruba SupervisorCard I (48 AP)LIC-SC1-SEC* Security Software Bundle for Supervisor Card I (128 AP License)LIC-SC1-ADV** Advanced Security Software Bundle forSupervisor Card I (128 AP License)LIC-SC1-PEF Policy Enforcement Firewall Module for Aruba Supervisor Card I (128 AP)LIC-SC1-VP VPN Server Module for Aruba SupervisorCard I (128 AP)LIC-SC1-WIP Wireless Intrusion Protection Module forAruba Supervisor Card I (128 AP)LIC-SC1-VOC Voice Services Module for Aruba Supervisor Card I (128 AP)LIC-SC1-ESI External Services Interface Module for Aruba Supervisor Card I (128 AP)LIC-SC1-CIM Client Integrity Module for Aruba Supervisor Card I (128 AP)LIC-SC2-SEC* Security Software Bundle for Supervisor Card II(256 AP License)LIC-SC2-ADV** Advanced Security Software Bundle for Supervisor Card II (256 AP License)LIC-SC2-PEF Policy Enforcement Firewall Module for ArubaSupervisor Card II (256 AP)LIC-SC2-VPN VPN Server Module for Aruba Supervisor Card II (256 AP)LIC-SC2-WIP Wireless Intrusion Protection Module for ArubaSupervisor Card II (256 AP)LIC-SC2-VOC Voice Services Module for Aruba SupervisorCard II (256 AP)LIC-SC2-ESI External Services Interface Module for ArubaSupervisor Card II (256 AP)LIC-SC2-CIM Client Integrity Module for Aruba Supervisor Card II (256 AP)LIC-SC1-SEC-UG-1* Security Software for Supervisor Card I(Upgrade 48 AP to 128 AP)LIC-SC1-ADV-UG-1** Advanced Security Software for Supervisor Card I (Upgrade 48 AP to 128 AP)LIC-SC1-PEF-UG-1 Policy Enforcement Firewall for Supervisor Card I (Upgrade 48 AP to 128 AP)LIC-SC1-VPN-UG-1 VPN Server Module for Supervisor Card I(Upgrade 48 AP to 128 AP)LIC-SC1-WIP-UG-1 Wireless Intrusion Protection for Sup. Card I(Upgrade 48 AP to 128 AP)LIC-SC1-VOC-UG-1 Advanced AAA Module for Supervisor Card I(Upgrade 48 AP to 128 AP)LIC-SC1-ESI-UG-1 External Services Interface for Supervisor Card I (Upgrade 48 AP to 128 AP)LIC-SC1-CIM-UG-1 Client Integrity Module for Supervisor Card I(Upgrade 48 AP to 128 AP)LIC-1-RAP Remote Access Point License (Single AP License) LIC-4-RAP Remote Access Point License (4 AP License)LIC-6-RAP Remote Access Point License (6 AP License)LIC-8-RAP Remote Access Point License (8 AP License)LIC-16-RAP Remote Access Point License (16 AP License)LIC-24-RAP Remote Access Point License (24 AP License)LIC-48-RAP Remote Access Point License (48 AP License)LIC-64-RAP Remote Access Point License (64 AP License)LIC-128-RAP Remote Access Point License (128 AP License) LIC-256-RAP Remote Access Point License (256 AP License)*Includes Policy Enforcement Firewall (PEF) and Wireless IntrusionProtection (WIP)**Includes Policy Enforcement Firewall (PEF), Wireless Intrusion Protection (WIP) and VPN Server (VPN)Please contact your Aruba Networks Sales representative for more information on configuring and ordering this productSS_6000_US_070611。

Aruba无线控制器用户初始配置手册(suning)苏宁电器Aruba无线控制器用户配置手册Version 1.3苏宁电器Aruba无线控制器用户配置手册一、连接Aruba无线控制器1．将console线RJ45一端连接至无线控制器的SERIAL端口，另一端连接至电脑COM口（笔记本没有COM口的可以使用USB-COM线）。

2．打开相应的配置终端软件（可以使用Secure-CRT或者使用系统自带的超级终端软件，建议使用Secure-CRT这款第三方终端软件）3．配置终端软件的参数Secure-CRT配置步骤：协议选择Serial，点击“下一步”端口选择好本电脑上使用的COM接口，波特率选择“9600”，数据流控制选型将前面的勾全部去掉，其它选项保持不变，点击“下一步”点击“完成”即可登录到配置界面。

超级终端配置步骤：点击“开始”>“所有程序”>“附件”>“通讯”>“超级终端”在名称一栏自定义输入一个名称，例如：“suning”，点击“确定”在连接时使用选择好相应的COM接口，点击“确定”点击“还原为默认值”，再点击“确定”即可登录到配置界面。

二、配置向导第一次登录控制器会出现配置向导进行简单的配置开机运行到如下图所示，即到了配置向导界面配置如下：Enter System name [Aruba200]:此处直接回车即选择[]内的内容，例如此处回车即选择设备名称为：Aruba200，也可自己自定义系统名称Enter VLAN 1 interface IP address [172.16.0.254]:此处直接回车即选择VLAN 1的IP地址为：172.16.0.254，一般此处直接回车，后面可以另行更改Enter VLAN 1 interface subnet mask [255.255.255.0]:此处直接回车即选择VLAN1的IP地址的子网掩码为：255.255.255.0 Enter IP Default gateway [none]:此处为指定控制器的网关地址，即路由地址，一般这边不指定，等进入系统后重新配置指定Enter Switch Role, (master|local) [master]:此处为指定控制器角色，一般默认为master，可直接回车到下一步Enter Country code (ISO-3166), <ctrl-I> for supported list:此处为指定国家代码，中国即输入“CN”You have chosen Country code CN for China (yes|no)?:此处为让您确认是否为中国，可直接“yes”到下一步Enter Time Zone [PST-8:0]:此处为指定时区，一般我们指定为“GMT+8:0”Enter Time in UTC [11:44:55]:此处为指定时间，我们可根据当时北京时间进行配置Enter Date (MM/DD/YYYY) [11/22/2010]:此处为配置日期，月/日/年份Enter Password for admin login (up to 32 chars):此处为配置admin登录密码，自定义Re-type Password for admin login:重新确认admin登录密码Enter Password for enable mode (up to 15 chars):指定enable密码Re-type Password for enable mode:重新确认enable密码Do you wish to shutdown all the ports (yes|no)? [no]:此处为询问您是否想shutdown所有端口，默认配置为“no”，一般选择默认配置直接回车Do you wish to accept the changes (yes|no)此处询问你是否接受刚才的配置，直接“yes”此时控制器会重新启动，启动完之后便可进入系统。

wlan ssid-profile "default"wpa-passphrase 1234567890 ---tkip设置provision-ap copy-provisioning-params ip-addr 192.168.102.250 provision-ap no ipaddrprovision-ap a-ant-gain 2provision-ap g-ant-gain 2provision-ap a-antenna 1provision-ap g-antenna 1provision-ap external-antennaprovision-ap master 192.168.102.100provision-ap server-ip 192.168.102.100provision-ap ap-group "default"provision-ap ap-name "00:0b:86:cb:bd:62"provision-ap no syslocationprovision-ap fqln ""provision-ap reprovision ip-addr 192.168.102.250interface loopback ip address "192.168.30.200"apboot> helpboot - run bootcmd or boot AP image or elf file or from flashcd - cfg register displaycw - cfg register writedis - disassemble instructionsdhcp - invoke DHCP client to obtain IP/boot paramseloop - loopback received ethernet framesflash - FLASH sub-systemgo - start application at address 'addr'help - print online helpmc - memory copymd - memory displaymii - MII sub-systemmtest - simple RAM testnetstat - net statisticsmw - memory writeping - ping net hostprintenv - env displaypurgeenv - purge envregs - display various regsreset - reset processorrun - run commands in an environment variablesaveenv - save environment variables to persistent storagesetenv - set variable in env (ipaddr/netmask/gatewayip/master/serverip) setenv ipaddr x.x.x.xsetenv netmask x.x.x.xsetenv gatewayip x.x.x.xsetenv serverip x.x.x.xsetenv master x.x.x.xtcpdump - dump received packetstcpsend - send TCP packettftpboot - boot via tftptlb - dump TLBtrace - dump trace bufferversion - print monitor versionwdog - stop refreshing watchdog timerapboot>No spanning-tree 关闭spanning-treeAdp discover disable 关闭ADPAdp imgp-join disable 关闭im-j一、WEB页面认证1、wlan ssid-profile (staff-ssid-profile) ：定义ssid配置文件1.1 essid staff ：定义ssid下的essid—显示出来的ssid2、wlan virtual-ap (staff-vap-profile) ：定义virtual-ap的配置文件2.1 ssid-profile (staff-ssid-profile) :在virtual-ap下引用定义过SSID2.2 vlan ID aa，bb :把virtual-ap加入到要ssid所属VLAN3、aaa profile staff-aaa-profile ：定义AAA认证配置文件4、aaa server-group (staff-servergroup) ：定义server-group配置文件4.1 auth-server internal ：定义认证服务器为本地认证4.2 set role condition role value-of 设置角色set role condition <condition> set-value <role> position <number>5、aaa authentication captive-portal (staff-auth-profile) ：captive-portal配置5.1 server-group staff-servergroup ：在下面引用定义过的server-group6、user-role staff-logon ：定义用户登陆前权限的配文件6.1 access-list session logon-control position 1定义用户登陆前的权限--位置16.2 access-list session captiveportal position 2 定义用户登陆前的权限--26.3 Captive-Portal staff-auth-profile position 3定义过captive-portalRe-authentication interval 480 再次认证间隔480秒默认3600秒7、user-role vip-role ：定义用户成功登陆后的配置文件7.1session-acl allowall 赋予所有允许权限session-acl http-acl 只有http8、wlan virtual-ap staff-vap-profile ：进入定义过的virtual-ap配置文件8.1 aaa-profile staff-aaa-profile ：引用定义过的AAA配置文件9、ap-group default ：定义ap-group，最好用默认的9.1 virtual-ap staff-vap-profile ：引用定义过的Virtual-ap配置文件10、aaa profile staff-aaa-profile ：进入定义过的AAA配置文件10.1 initial-role staff-logon ：把initial-role改为定义过用户登陆前配置11、aaa authentication-server internal use-local-switch ：定义认证SERVER为本地交换机12、local-userdb add username staff password 123456 role vip-role :定义用户的登陆的用户名和密码及权限二、MAC 地址认证配置1、wlan ssid-profile (staff-ssid-profile) ：定义ssid配置文件1.1 essid staff ：定义ssid下的essid2、wlan virtual-ap (staff-vap-profile) ：定义virtual-ap的配置文件2.1 ssid-profile (staff-ssid-profile) :virtual-ap下引用定义过的SSID配置文件2.2 vlan ID :把virtual-ap加入到要ssid所属的VLAN3、aaa profile staff-aaa-mac-profile ：定义AAA认证配置文件4、aaa authentication mac staff-mac-profile :定义mac配置文件4.1 Delimiter dash ：定义mac地址的格式4.2 Case upper （upper/lower）：定义mac地址的大/小写备注：aaa authentication mac staff-mac-profileclone <profile>delimiter {colon|dash|none}max-authentication-failures 数字aaa authentication mac mac-blacklist MAC黑名单max-authentication-failures 5 最多认证失败次数5、aaa server-group (staff-macservergroup) ：定义server-group配置文件5.1 auth-server internal ：定义认证服务器为本地认证5.2 set role condition role value-of6、user-role staff-logon ：定义用户登陆前权限的配文件6.1 access-list session logon-control ：定义用户登陆前的权限6.2 access-list session captiveportal ：定义用户登陆前的权限7、user-role vip-role ：定义用户成功登陆后的配置文件7.1session-acl allowall ：赋予权限8、wlan virtual-ap staff-vap-profile ：进入定义过的virtual-ap配置文件8.1 aaa-profile staff-aaa-mac-profile ：引用定义过的AAA配置文件9、ap-group default ：定义ap-group，最好用默认的9.1 virtual-ap staff-vap-profile ：引用定义过的Virtual-ap配置文件10、aaa profile staff-aaa-mac-profile ：进入定义过的AAA配置文件10.1 initial-role staff-logon ：把initial-role改为定义过的用户登陆前的配置文件10.2 authentication-mac staff-mac-profile :把定义的authentication mac文件引用10.3 mac-server-group staff-macservergroup :把定义的servergroup加入11、aaa authentication-server internal use-local-switch ：定义认证SERVER为本地交换机12、local-userdb add username mac地址password mac地址 role vip-role :定义用户的登陆的用户名和密码及权限注意：如果是有线直接连在端口上的话要进行认证必须把连接口设为UNTRUSTED.同时在设定：进入aaa authentication wired 后设定：profile (staff-aaa-profile) 为你设定认证的AAA profileBlacklist：5次错误就拒绝访问show aaa authentication captive-portal default：Max authentication failures 改为5次show aaa authentication dot1x default：Max authentication failures 改为5次1、aaa bandwidth-contract "256" kbits "256"2、aaa bandwidth-contract "256" kbits 256ip access-list session "pass"any any any permit queue low!user-role "ap512"access-list "pass" position 1bw-contract "256" per-user upstreambw-contract "256" per-user downstreamaaa bandwidth-contract "2M-BW" mbits "2" 带宽2M控制aaa bandwidth-contract 128_up kbits 128 带宽128k控制aaa bandwidth-contract 512 kbits 512aaa bandwidth-contract 64 kbits 64aaa bandwidth-contract 256 kbits 256aaa bandwidth-contract 1 mbits 1 带宽1M控制aaa bandwidth-contract 128_up kbits 128user-role 128bw-contract 128_up per-user upstreamuser-role ap-rolesession-acl controlsession-acl ap-acl!user-role pre-employeesession-acl allowallMaster mobility controller configuration1Initial setup of Aruba-master2Core VLAN configuration and IP addressing3Core VLAN port assignment4Loopback IP address ----- interface loopback ip address 设置环回地址Deploy APs5配置AP VLAN6配置 AP VLAN DHCP Server7Connect Aruba APs8Provisioning Aruba APs1 Default5 VLAN0004 Fa2/0-23 Gig2/24 Gig2/25(Aruba-master) (config-if)#write mSaving Configuration...ip dhcp pool "userpool" 定义pool的名字default-router 192.168.11.254 定义默认路由网关—loopback地址dns-server 192.168.11.254---202.106.0.20 定义DNS网关lease 8 0 0network 192.168.11.0 255.255.255.0service dhcp 启动dhcpinterface gigabitethernet 1/1no muxportswitchport mode trunkip default-gateway 192.168.0.254interface vlan 1no ip addressno ip igmpinterface gigabitethernet 1/1no switchport access vlaninterface loopback ip address "192.168.0.100"(Aruba800-4) (config) # show ip interface briefInterface IP Address / IP Netmask Admin Protocolvlan 1 172.16.0.254 / 255.255.255.0 up upvlan 10 192.168.0.1 / 255.255.255.0 up upvlan 30 192.168.30.200 / 255.255.255.0 up uploopback unassigned / unassigned up up(Aruba800-4) (config) # rf arm-profile default ----------关闭ARM后调整channel---ok (Aruba800-4) (Adaptive Radio Management (ARM) profile "default") #assignment disable (Aruba800-4) (Adaptive Radio Management (ARM) profile "default") #no scan(Aruba800-4) (Adaptive Radio Management (ARM) profile "default") #write memoryrf dot11g-radio-profile "default"tx-power 20 ------------------------发射功率调整rf dot11g-radio-profile "default"channel 11 ------------------------调整AP信道interface vlan 20ip address 192.168.0.1 255.255.255.0ip nat insideno ip igmp存配置：24 (Aruba2400) #configure t25(Aruba2400) (config) #copy tftp: 172.16.0.100 aruba2400-0904.cfg flash: 2400.bak 26(Aruba2400) (config) #copy flash: 2400.bak flash: 2400.cfg27(Aruba2400) # copy running-config tftp: 192.168.4.100 aruba2400-0904.cfgRadius配置：aaa authentication-server radius Radius1host <ipaddr>key <key>enableaaa server-group corpnetauth-server Radius1dot1x配置：aaa authentication dot1x corpnetaaa profile corpnetauthentication-dot1x corpnetdot1x-default-role employeedot1x-server-group corpnetvirtual AP:wlan ssid-profile corpnetessid Corpnetopmode wpa2-aeswlan virtual-ap corpnetvlan 1aaa-profile corpnetssid-profile corpnetap-group defaultvirtual-ap corpnet时间设定：time-range workhours periodic周期weekday 09:00 to 17:00ip access-list session restricted 受限制any any svc-http permit time-range workhoursany any svc-https permit time-range workhoursuser-role guestsession-acl restrictedmesh设置：ap mesh-radio-profile <profile-name>11a-portal-channel <11a-portal-channel>11g-portal-channel <11g-portal-channel>a-tx-rates [6|9|12|18|24|36|48|54]beacon-period <beacon-period>children <children>clone <source-profile-name>g-tx-rates [1|2|5|6|9|11|12|18|24|36|48|54]heartbeat-threshold <count>hop-count <hop-count>link-threshold <count>max-retries <max-retries>metric-algorithm {best-link-rssi|distributed-tree-rssi mpv <vlan-id>rts-threshold <rts-threshold>tx-power <tx-power>ap mesh-radio-profile <profile-name>clone <source-profile-name>ap-group <group>mesh-radio-profile <profile-name>ap-name <name>mesh-radio-profile <profile-name>wlan ssid-profile <profile>essid <name>opmode <method> 方式wpa-passphrase <string> (if necessary)wlan virtual-ap <name>ssid-profile <profile>vlan <vlan>forward-mode bridgeaaa-profile <name>rap-operation {always|backup|persistent}ap-group <name>virtual-ap <name># ip access-list session "Employee-Policy"any any any permit queue lowRemote AP配置The firewall must be configured to pass NAT-T traffic (UDP port 4500) to the controller.)1、Configure a public IP address for the controller.2、Configure the VPN server on the controller. The remote AP will be a VPN client to the server.3、Configure the remote AP role.4、Configure the authentication server that will validate the username and password for the remote AP.5、Provision the AP with IPSec settings, including the username and passwordfor the AP, before you install it at the remote location.1、Cli：vlan <id>interface fastethernet <slot>/<port>switchport access vlan <id>interface vlan <id>ip address <ipaddr> <mask>2、Using the CLI to configure VPN server:vpdn group l2tpppp authentication PAPip local pool <pool> <start-ipaddr> <end-ipaddr>crypto isakmp key <key> address <ipaddr> netmask <mask>3、Using the CLI to configure the user role:(table1) (config) # user-role remote(table1) (config-role) #session-acl allowallip access-list session <policy>any any svc-papi permitany any svc-gre permitany any svc-l2tp permitany alias mswitch svc-tftp permitany alias mswitch svc-ftp permit4、Using the CLI to configure the VPN authentication profile:4.1 aaa server-group <group>auth-server <server>4.2 aaa authentication vp ndefault-role <role>server-group <group>5、Using the CLI to enable double encryption:ap system-profile <profile>double-encryptap-name <name> 需要插上远端AP后配置ap-system-profile <profile>Using the CLI to enable double encryption:ap system-profile <profile>double-encryptap-name <name>ap-system-profile <profile>Using the CLI to configure the AAA profile:aaa profile <name>initial-role <role>authentication-dot1x <dot1x-profile>dot1x-default-role <role>dot1x-server-group <group>Using the CLI to define the backup configuration in the virtual AP profile: wlan ssid-profile <profile>essid <name>opmode <method>wpa-passphrase <string> (if necessary)wlan virtual-ap <name>ssid-profile <profile>vlan <vlan>forward-mode bridgeaaa-profile <name>rap-operation {always|backup|persistent}ap-group <name>virtual-ap <name>orap-name <name>virtual-ap <name>Using the CLI to configure the DHCP server on the AP:ap system-profile <name>lms-ip <ipaddr>master-ip <ipaddr>rap-dhcp-server-vlan <vlan>wlan virtual-ap <name>ssid-profile <profile>vlan <vlan>forward-mode bridgeaaa-profile <name>rap-operation {always|backup|persistent}ap-group <name>ap-system-profile <name>virtual-ap <name>or如不慎侵犯了你的权益，请联系告知！ap-name <name>ap-system-profile <name>virtual-ap <name>（本资料素材和资料部分来自网络，仅供参考。

ARUBA 无线控制器用户配置手册苏宁电器Aruba 无线控制器用户配置手册Version 1.3苏宁电器 Aruba 无线控制器用户配置手册一、连接 Aruba 无线控制器1．将 console 线 RJ45 一端连接至无线控制器的SERIAL端口，另一端连接至电脑COM 口（笔记本没有COM 口的可以使用USB-COM线）。

2．打开相应的配置终端软件（可以使用Secure-CRT或者使用系统自带的超级终端软件，建议使用Secure-CRT这款第三方终端软件）3．配置终端软件的参数Secure-CRT配置步骤：协议选择Serial，点击“下一步”端口选择好本电脑上使用的 COM 接口，波特率选择“ 9600 ”，数据流控制选型将前面的勾全部去掉，其它选项保持不变，点击“下一步”点击“完成”即可登录到配置界面。

超级终端配置步骤：点击“开始” >“所有程序” >“附件” >“通讯” >“超级终端”在名称一栏自定义输入一个名称，例如：“ suning ”，点击“确定”在连接时使用选择好相应的COM 接口，点击“确定”点击“还原为默认值” ，再点击“确定”即可登录到配置界面。

二、配置向导第一次登录控制器会出现配置向导进行简单的配置开机运行到如下图所示，即到了配置向导界面配置如下：Enter System name [Aruba200]: 此处直接回车即选择 []内的内容，例如此处回车即选择设备名称为： Aruba200 ，也可自己自定义系统名称Enter VLAN 1 interface IP address [172.16.0.254]: 此处直接回车即选择 VLAN 1 的 IP 地址为：172.16.0.254，一般此处直接回车，后面可以另行更改Enter VLAN 1 interface subnet mask [255.255.255.0]: 此处直接回车即选择 VLAN 1 的 IP 地址的子网掩码为： 255.255.255.0Enter IP Default gateway [none]: 此处为指定控制器的网关地址，即路由地址，一般这边不指定，等进入系统后重新配置指定Enter Switch Role, (master|local) [master]:此处为指定控制器角色，一般默认为master ，可直接回车到下一步Enter Country code (ISO-3166), <ctrl-I> for supported list: 此处为指定国家代码，中国即输入“ CN”You have chosen Country code CN for China (yes|no)?: 此处为让您确认是否为中国，可直接“ yes”到下一步Enter Time Zone [PST-8:0]:此处为指定时区，一般我们指定为“GMT+8:0”Enter Time in UTC [11:44:55]: 此处为指定时间，我们可根据当时北京时间进行配置Enter Date (MM/DD/YYYY) [11/22/2010]:此处为配置日期，月/ 日 / 年份Enter Password for admin login (up to 32 chars): 此处为配置admin 登录密码，自定义Re-type Password for admin login: 重新确认admin 登录密码Enter Password for enable mode (up to 15 chars): 指定 enable 密码Re-type Password for enable mode: 重新确认enable 密码Do you wish to shutdown all the ports (yes|no)? [no]:此处为询问您是否想shutdown 所有端口，默认配置为“no”，一般选择默认配置直接回车Do you wish to accept the changes (yes|no) 此处询问你是否接受刚才的配置，直接“ yes”此时控制器会重新启动，启动完之后便可进入系统。

ARUBA无线控制器的基本网络配置本章主要描述有关控制器的基本的网络配置，主要内容如下：一、VLANs 配置二、配置端口三、VLAN 协议四、配置静态路由五、环回IP地址配置六、控制器IP地址配置七、GRE隧道配置第一部分：VLANs配置/虚拟局域网配置2层交换机控制器的操作运用是以VLAN作为广播域，作为2层交换机，控制器要求需要外界的路径来实现与VLANs的路径连通。

该控制器还可以作为第三层交换机，可以定义VLAN 之间的交通路线的控制器。

你可以在控制器上配置一个/多个物理端口实现一个虚拟局域网。

另外，每个无线客户端口关联是连接到一个特定的虚拟局域网的端口控制器上。

你可以根据你的网络需要替换所有经认证授权的无线用户到单个VLAN或者替换到不同的VLANs。

VLANs可以单独存在在控制器里面或者可以通过802.1q VLAN标签存在在控制器外部。

你可以选择在控制器上为VLAN配置一个IP地址和子网掩码，当VLAN上最近的物理端口被激活的同时，该IP地址也被激活。

该VLAN IP地址可以作为外部设备的一个接入点，指向虚拟局域网IP地址的数据包不是为控制器指定的而是根据控制器的IP路由表来转发的。

创建和更新VLANs：创建和更新单个/多个VLANs1. 通过WEBUI 来创建或者修改单个VLAN1)打开2)点击“ADD新建”按钮创建一个新的VLAN。

（若需要修改，点击Edit按钮）具体参照58页创建一系列的VLANs。

3)为VLAN增加一个物理端口，点击选项4)点击2. 通过CLI(命令）创建或者修改VLAN3.通过WEBUI 来创建或者修改多个VLAN1)一次性增加并联的VLANs，点击2)在弹出的窗口，输入你想要创建的VLANs 序列。

例如，增加一个ID号码为200-300和302-350的VLAN，输入200-300，302-350。

3)点击“OK”4)为VLAN增加物理端点，点击“EDIT”进入你想要配置的VLAN页面，点击“PortSelection”选项设置端口。

ARUBA无线控制器的基本网络配置本章主要描述有关控制器的基本的网络配置，主要容如下：一、VLANs 配置二、配置端口三、VLAN 协议四、配置静态路由五、环回IP地址配置六、控制器IP地址配置七、GRE隧道配置第一部分：VLANs配置/虚拟局域网配置2层交换机控制器的操作运用是以VLAN作为广播域，作为2层交换机，控制器要求需要外界的路径来实现与VLANs的路径连通。

该控制器还可以作为第三层交换机，可以定义VLAN 之间的交通路线的控制器。

你可以在控制器上配置一个/多个物理端口实现一个虚拟局域网。

另外，每个无线客户端口关联是连接到一个特定的虚拟局域网的端口控制器上。

你可以根据你的网络需要替换所有经认证授权的无线用户到单个VLAN或者替换到不同的VLANs。

VLANs可以单独存在在控制器里面或者可以通过802.1q VLAN标签存在在控制器外部。

你可以选择在控制器上为VLAN配置一个IP地址和子网掩码，当VLAN上最近的物理端口被激活的同时，该IP地址也被激活。

该VLAN IP地址可以作为外部设备的一个接入点，指向虚拟局域网IP地址的数据包不是为控制器指定的而是根据控制器的IP路由表来转发的。

创建和更新VLANs：创建和更新单个/多个VLANs1. 通过WEBUI 来创建或者修改单个VLAN1)打开2)点击“ADD新建”按钮创建一个新的VLAN。

（若需要修改，点击Edit按钮）具体参照58页创建一系列的VLANs。

3)为VLAN增加一个物理端口，点击选项4)点击2. 通过CLI(命令）创建或者修改VLAN3.通过WEBUI 来创建或者修改多个VLAN1)一次性增加并联的VLANs，点击2)在弹出的窗口，输入你想要创建的VLANs 序列。

例如，增加一个ID为200-300和302-350的VLAN，输入200-300，302-350。

3)点击“OK”4)为VLAN增加物理端点，点击“EDIT”进入你想要配置的VLAN页面，点击“PortSelection”选项设置端口。

ARUBA无线控制器基本配置手册一、连接ARUBA无线控制器1、使用CONSOLE线连接到核心交换机CONSOLE口。

2、开启SecureCRT软件，登录ARUBA无线控制器二、基本参数配置1、初始化配置-设置无线控制器基本参数及访问密码2、初始化配置-保存初始化配置并重启AC3、常用基本配置-恢复出厂配置4、常用基本配置-image升级5、常用基本配置-开启TELNET连接三、AC控制器基本配置1、在浏览器输入初始化配置的IP地址，登录ARUBA无线控制器2、点击Configuration Controller键进入控制器基本配置引导3、设置无线控制器名，管理员密码和时区后，点击Next下一步4、输入ARUBA防火墙及AP接入等LICENSES后点击ADD，添加LICENSES，添加完后点击Next进入下一步5、根据客户需求，设置VLAN及IP地址，并绑定端口6、配置ARUBA无线控制器管理VLAN及默认网关7、确认上连核心交换机的物理接口，并勾选TRUNK MODE8、确认以上配置，点击Finish &Reboot Now应用并重启AC控制器四、配置普通密码认证1、点击Configuration Campus WLAN进入WLAN配置引导界面2、新建AP组及SSID名称，并点击Next下一步3、选择AP转发模式，默认选择TUNNEL模式4、设置射频卡及SSID广播方式，设定对应VLAN5、设置WLAN初始化角色，如需设为密码认证，请选择Internet6、选择shared-key模式，aes加密方式，并设置无线密码7、去除Enable Captive Portal勾选项，关闭PORTAL认证8、设置无线认证用户角色，见意使用默认设置9、完成以上所有配置，并应用所有配置五、配置外部PORTAL认证1、配置白名单netdestination hoko-white-listhost 172.16.20.5exit2、配置认证服务器及密钥aaa authentication-server radius hoko-radiushost 172.16.20.5key ipva07exit3、配置认证服务器组aaa server-group hoko-radius-servergroupauth-server hoko-radiusexit4、配置访问控制根限组ip access-list session open-httpsuser alias hoko-white-list svc-https permituser alias hoko-white-list svc-http permitexitip access-list session hoko-captive-white-listuser alias hoko-white-list any permitexitip access-list session captiveportaluser any svc-http dst-nat 8080user any svc-https dst-nat 8081user any svc-http-proxy1 dst-nat 8088user any svc-http-proxy2 dst-nat 8088user any svc-http-proxy3 dst-nat 8088exitip access-list session v6-allowallipv6 any any any permitexit5、配置PORTAL认证aaa authentication captive-portal hoko-cp-profiledefault-role guestserver-group hoko-radius-servergroupredirect-pause 1no logout-popup-windowslogin-page http://172.16.20.5/portal.do?wlanacname=portalwhite-list hoko-white-listexit6、配置PORTAL认证用户角色权限user-role hoko-guest-logoncaptive-portal hoko-cp-profileaccess-list session global-saclaccess-list session open-httpsaccess-list session hoko-captive-white-listaccess-list ssession logon-controlaccess-list session captiveportalaccess-list session v6-allowallexit7、配置AAA认证角色aaa profile hoko-cap-aaainitial-role hoko-guest-logonexit8、配置用户访问SSIDwlan ssid-profile hoko-cap-ssidessid CTFHOKOexit9、绑定该SSID对应配置文件及工作VLANwlan virtual-ap hoko-cap-vapaaa-profile hoko-cap-aaassid-profile hoko-cap-ssidvlan 64exit10、配置AP对应工作组ap-group hoko-capvirtual-ap hoko-cap vapexit六、添加AP到对应的工作组1、勾选所有要添加到对应工作组的AP2、点击PROVISION键进入AP组设定界面3、在AP GROUP中选择对应添加的AP组4、点击右下角Apply and Reboot,加入AP组并重启AP七、常见问题1、AP无法注册成功，DHCP等配置无任何问题，关闭控制器CPS功能。

苏宁电器Aruba无线控制器用户配置手册Version 1.3苏宁电器Aruba无线控制器用户配置手册一、连接Aruba无线控制器1．将console线RJ45一端连接至无线控制器的SERIAL端口，另一端连接至电脑COM口（笔记本没有COM口的可以使用USB-COM线）。

2．打开相应的配置终端软件（可以使用Secure-CRT或者使用系统自带的超级终端软件，建议使用Secure-CRT这款第三方终端软件）3．配置终端软件的参数Secure-CRT配置步骤：协议选择Serial，点击“下一步”端口选择好本电脑上使用的COM接口，波特率选择“9600”，数据流控制选型将前面的勾全部去掉，其它选项保持不变，点击“下一步”点击“完成”即可登录到配置界面。

超级终端配置步骤：点击“开始”>“所有程序”>“附件”>“通讯”>“超级终端”在名称一栏自定义输入一个名称，例如：“suning”，点击“确定”在连接时使用选择好相应的COM接口，点击“确定”点击“还原为默认值”，再点击“确定”即可登录到配置界面。

二、配置向导第一次登录控制器会出现配置向导进行简单的配置开机运行到如下图所示，即到了配置向导界面配置如下：Enter System name [Aruba200]:此处直接回车即选择[]内的内容，例如此处回车即选择设备名称为：Aruba200，也可自己自定义系统名称Enter VLAN 1 interface IP address [172.16.0.254]:此处直接回车即选择VLAN 1的IP地址为：172.16.0.254，一般此处直接回车，后面可以另行更改Enter VLAN 1 interface subnet mask [255.255.255.0]:此处直接回车即选择VLAN 1的IP地址的子网掩码为：255.255.255.0Enter IP Default gateway [none]:此处为指定控制器的网关地址，即路由地址，一般这边不指定，等进入系统后重新配置指定Enter Switch Role, (master|local) [master]:此处为指定控制器角色，一般默认为master，可直接回车到下一步Enter Country code (ISO-3166), <ctrl-I> for supported list:此处为指定国家代码，中国即输入“CN”You have chosen Country code CN for China (yes|no)?:此处为让您确认是否为中国，可直接“yes”到下一步Enter Time Zone [PST-8:0]:此处为指定时区，一般我们指定为“GMT+8:0”Enter Time in UTC [11:44:55]:此处为指定时间，我们可根据当时北京时间进行配置Enter Date (MM/DD/YYYY) [11/22/2010]:此处为配置日期，月/日/年份Enter Password for admin login (up to 32 chars):此处为配置admin登录密码，自定义Re-type Password for admin login:重新确认admin登录密码Enter Password for enable mode (up to 15 chars):指定enable密码Re-type Password for enable mode:重新确认enable密码Do you wish to shutdown all the ports (yes|no)? [no]:此处为询问您是否想shutdown所有端口，默认配置为“no”，一般选择默认配置直接回车Do you wish to accept the changes (yes|no)此处询问你是否接受刚才的配置，直接“yes”此时控制器会重新启动，启动完之后便可进入系统。

wlan ssid-profile "default"wpa-passphrase 1234567890 ---tkip设置provision-ap copy-provisioning-params ip-addr 192.168.102.250 provision-ap no ipaddrprovision-ap a-ant-gain 2provision-ap g-ant-gain 2provision-ap a-antenna 1provision-ap g-antenna 1provision-ap external-antennaprovision-ap master 192.168.102.100provision-ap server-ip 192.168.102.100provision-ap ap-group "default"provision-ap ap-name "00:0b:86:cb:bd:62"provision-ap no syslocationprovision-ap fqln ""provision-ap reprovision ip-addr 192.168.102.250interface loopback ip address "192.168.30.200"apboot> helpboot - run bootcmd or boot AP image or elf file or from flashcd - cfg register displaycw - cfg register writedis - disassemble instructionsdhcp - invoke DHCP client to obtain IP/boot paramseloop - loopback received ethernet framesflash - FLASH sub-systemgo - start application at address 'addr'help - print online helpmc - memory copymd - memory displaymii - MII sub-systemmtest - simple RAM testnetstat - net statisticsmw - memory writeping - ping net hostprintenv - env displaypurgeenv - purge envregs - display various regsreset - reset processorrun - run commands in an environment variablesaveenv - save environment variables to persistent storagesetenv - set variable in env (ipaddr/netmask/gatewayip/master/serverip) setenv ipaddr x.x.x.xsetenv netmask x.x.x.xsetenv gatewayip x.x.x.xsetenv serverip x.x.x.xsetenv master x.x.x.xtcpdump - dump received packetstcpsend - send TCP packettftpboot - boot via tftptlb - dump TLBtrace - dump trace bufferversion - print monitor versionwdog - stop refreshing watchdog timerapboot>No spanning-tree 关闭spanning-treeAdp discover disable 关闭ADPAdp imgp-join disable 关闭im-j一、WEB页面认证1、wlan ssid-profile (staff-ssid-profile) ：定义ssid配置文件1.1 essid staff ：定义ssid下的essid—显示出来的ssid2、wlan virtual-ap (staff-vap-profile) ：定义virtual-ap的配置文件2.1 ssid-profile (staff-ssid-profile) :在virtual-ap下引用定义过SSID2.2 vlan ID aa，bb :把virtual-ap加入到要ssid所属VLAN3、aaa profile staff-aaa-profile ：定义AAA认证配置文件4、aaa server-group (staff-servergroup) ：定义server-group配置文件4.1 auth-server internal ：定义认证服务器为本地认证4.2 set role condition role value-of 设置角色set role condition <condition> set-value <role> position <number>5、aaa authentication captive-portal (staff-auth-profile) ：captive-portal配置5.1 server-group staff-servergroup ：在下面引用定义过的server-group6、user-role staff-logon ：定义用户登陆前权限的配文件6.1 access-list session logon-control position 1定义用户登陆前的权限--位置16.2 access-list session captiveportal position 2 定义用户登陆前的权限--26.3 Captive-Portal staff-auth-profile position 3定义过captive-portalRe-authentication interval 480 再次认证间隔480秒默认3600秒7、user-role vip-role ：定义用户成功登陆后的配置文件7.1session-acl allowall 赋予所有允许权限session-acl http-acl 只有http8、wlan virtual-ap staff-vap-profile ：进入定义过的virtual-ap配置文件8.1 aaa-profile staff-aaa-profile ：引用定义过的AAA配置文件9、ap-group default ：定义ap-group，最好用默认的9.1 virtual-ap staff-vap-profile ：引用定义过的Virtual-ap配置文件10、aaa profile staff-aaa-profile ：进入定义过的AAA配置文件10.1 initial-role staff-logon ：把initial-role改为定义过用户登陆前配置11、aaa authentication-server internal use-local-switch ：定义认证SERVER为本地交换机12、local-userdb add username staff password 123456 role vip-role :定义用户的登陆的用户名和密码及权限二、MAC 地址认证配置1、wlan ssid-profile (staff-ssid-profile) ：定义ssid配置文件1.1 essid staff ：定义ssid下的essid2、wlan virtual-ap (staff-vap-profile) ：定义virtual-ap的配置文件2.1 ssid-profile (staff-ssid-profile) :virtual-ap下引用定义过的SSID配置文件2.2 vlan ID :把virtual-ap加入到要ssid所属的VLAN3、aaa profile staff-aaa-mac-profile ：定义AAA认证配置文件4、aaa authentication mac staff-mac-profile :定义mac配置文件4.1 Delimiter dash ：定义mac地址的格式4.2 Case upper （upper/lower）：定义mac地址的大/小写备注：aaa authentication mac staff-mac-profileclone <profile>delimiter {colon|dash|none}max-authentication-failures 数字aaa authentication mac mac-blacklist MAC黑名单max-authentication-failures 5 最多认证失败次数5、aaa server-group (staff-macservergroup) ：定义server-group配置文件5.1 auth-server internal ：定义认证服务器为本地认证5.2 set role condition role value-of6、user-role staff-logon ：定义用户登陆前权限的配文件6.1 access-list session logon-control ：定义用户登陆前的权限6.2 access-list session captiveportal ：定义用户登陆前的权限7、user-role vip-role ：定义用户成功登陆后的配置文件7.1session-acl allowall ：赋予权限8、wlan virtual-ap staff-vap-profile ：进入定义过的virtual-ap配置文件8.1 aaa-profile staff-aaa-mac-profile ：引用定义过的AAA配置文件9、ap-group default ：定义ap-group，最好用默认的9.1 virtual-ap staff-vap-profile ：引用定义过的Virtual-ap配置文件10、aaa profile staff-aaa-mac-profile ：进入定义过的AAA配置文件10.1 initial-role staff-logon ：把initial-role改为定义过的用户登陆前的配置文件10.2 authentication-mac staff-mac-profile :把定义的authentication mac文件引用10.3 mac-server-group staff-macservergroup :把定义的servergroup加入11、aaa authentication-server internal use-local-switch ：定义认证SERVER为本地交换机12、local-userdb add username mac地址password mac地址 role vip-role :定义用户的登陆的用户名和密码及权限注意：如果是有线直接连在端口上的话要进行认证必须把连接口设为UNTRUSTED.同时在设定：进入aaa authentication wired 后设定：profile (staff-aaa-profile) 为你设定认证的AAA profileBlacklist：5次错误就拒绝访问show aaa authentication captive-portal default：Max authentication failures 改为5次show aaa authentication dot1x default：Max authentication failures 改为5次1、aaa bandwidth-contract "256" kbits "256"2、aaa bandwidth-contract "256" kbits 256ip access-list session "pass"any any any permit queue low!user-role "ap512"access-list "pass" position 1bw-contract "256" per-user upstreambw-contract "256" per-user downstreamaaa bandwidth-contract "2M-BW" mbits "2" 带宽2M控制aaa bandwidth-contract 128_up kbits 128 带宽128k控制aaa bandwidth-contract 512 kbits 512aaa bandwidth-contract 64 kbits 64aaa bandwidth-contract 256 kbits 256aaa bandwidth-contract 1 mbits 1 带宽1M控制aaa bandwidth-contract 128_up kbits 128user-role 128bw-contract 128_up per-user upstreamuser-role ap-rolesession-acl controlsession-acl ap-acl!user-role pre-employeesession-acl allowallMaster mobility controller configuration1Initial setup of Aruba-master2Core VLAN configuration and IP addressing3Core VLAN port assignment4Loopback IP address ----- interface loopback ip address 设置环回地址Deploy APs5配置AP VLAN6配置 AP VLAN DHCP Server7Connect Aruba APs8Provisioning Aruba APs(Aruba-master) (config-if)#write mSaving Configuration...ip dhcp pool "userpool" 定义pool的名字default-router 192.168.11.254 定义默认路由网关—loopback地址dns-server 192.168.11.254---202.106.0.20 定义DNS网关lease 8 0 0network 192.168.11.0 255.255.255.0service dhcp 启动dhcpinterface gigabitethernet 1/1no muxportswitchport mode trunkip default-gateway 192.168.0.254interface vlan 1no ip addressno ip igmpinterface gigabitethernet 1/1no switchport access vlaninterface loopback ip address "192.168.0.100"(Aruba800-4) (config) # show ip interface briefInterface IP Address / IP Netmask Admin Protocolvlan 1 172.16.0.254 / 255.255.255.0 up upvlan 10 192.168.0.1 / 255.255.255.0 up upvlan 30 192.168.30.200 / 255.255.255.0 up uploopback unassigned / unassigned up up(Aruba800-4) (config) # rf arm-profile default ----------关闭ARM后调整channel---ok (Aruba800-4) (Adaptive Radio Management (ARM) profile "default") #assignment disable (Aruba800-4) (Adaptive Radio Management (ARM) profile "default") #no scan(Aruba800-4) (Adaptive Radio Management (ARM) profile "default") #write memoryrf dot11g-radio-profile "default"tx-power 20 ------------------------发射功率调整rf dot11g-radio-profile "default"channel 11 ------------------------调整AP信道interface vlan 20ip address 192.168.0.1 255.255.255.0ip nat insideno ip igmp存配置：24 (Aruba2400) #configure t25(Aruba2400) (config) #copy tftp: 172.16.0.100 aruba2400-0904.cfg flash: 2400.bak 26(Aruba2400) (config) #copy flash: 2400.bak flash: 2400.cfg27(Aruba2400) # copy running-config tftp: 192.168.4.100 aruba2400-0904.cfgRadius配置：aaa authentication-server radius Radius1host <ipaddr>key <key>enableaaa server-group corpnetauth-server Radius1dot1x配置：aaa authentication dot1x corpnetaaa profile corpnetauthentication-dot1x corpnetdot1x-default-role employeedot1x-server-group corpnetvirtual AP:wlan ssid-profile corpnetessid Corpnetopmode wpa2-aeswlan virtual-ap corpnetvlan 1aaa-profile corpnetssid-profile corpnetap-group defaultvirtual-ap corpnet时间设定：time-range workhours periodic周期weekday 09:00 to 17:00ip access-list session restricted 受限制any any svc-http permit time-range workhoursany any svc-https permit time-range workhoursuser-role guestsession-acl restrictedmesh设置：ap mesh-radio-profile <profile-name>11a-portal-channel <11a-portal-channel>11g-portal-channel <11g-portal-channel>a-tx-rates [6|9|12|18|24|36|48|54]beacon-period <beacon-period>children <children>clone <source-profile-name>g-tx-rates [1|2|5|6|9|11|12|18|24|36|48|54]heartbeat-threshold <count>hop-count <hop-count>link-threshold <count>max-retries <max-retries>metric-algorithm {best-link-rssi|distributed-tree-rssimpv <vlan-id>rts-threshold <rts-threshold>tx-power <tx-power>ap mesh-radio-profile <profile-name>clone <source-profile-name>ap-group <group>mesh-radio-profile <profile-name>ap-name <name>mesh-radio-profile <profile-name>wlan ssid-profile <profile>essid <name>opmode <method> 方式wpa-passphrase <string> (if necessary)wlan virtual-ap <name>ssid-profile <profile>vlan <vlan>forward-mode bridgeaaa-profile <name>rap-operation {always|backup|persistent}ap-group <name>virtual-ap <name># ip access-list session "Employee-Policy"any any any permit queue lowRemote AP配置The firewall must be configured to pass NAT-T traffic (UDP port 4500) to the controller.)1、Configure a public IP address for the controller.2、Configure the VPN server on the controller. The remote AP will be a VPN client to the server.3、Configure the remote AP role.4、Configure the authentication server that will validate the username and password for the remote AP.5、Provision the AP with IPSec settings, including the username and passwordfor the AP, before you install it at the remote location.1、Cli：vlan <id>interface fastethernet <slot>/<port>switchport access vlan <id>interface vlan <id>ip address <ipaddr> <mask>2、Using the CLI to configure VPN server:vpdn group l2tpppp authentication PAPip local pool <pool> <start-ipaddr> <end-ipaddr>crypto isakmp key <key> address <ipaddr> netmask <mask>3、Using the CLI to configure the user role:(table1) (config) # user-role remote(table1) (config-role) #session-acl allowallip access-list session <policy>any any svc-papi permitany any svc-gre permitany any svc-l2tp permitany alias mswitch svc-tftp permitany alias mswitch svc-ftp permit4、Using the CLI to configure the VPN authentication profile:4.1 aaa server-group <group>auth-server <server>4.2 aaa authentication vp ndefault-role <role>server-group <group>5、Using the CLI to enable double encryption:ap system-profile <profile>double-encryptap-name <name> 需要插上远端AP后配置ap-system-profile <profile>Using the CLI to enable double encryption:ap system-profile <profile>double-encryptap-name <name>ap-system-profile <profile>Using the CLI to configure the AAA profile:aaa profile <name>initial-role <role>authentication-dot1x <dot1x-profile>dot1x-default-role <role>dot1x-server-group <group>Using the CLI to define the backup configuration in the virtual AP profile: wlan ssid-profile <profile>essid <name>opmode <method>wpa-passphrase <string> (if necessary)wlan virtual-ap <name>ssid-profile <profile>vlan <vlan>forward-mode bridgeaaa-profile <name>rap-operation {always|backup|persistent}ap-group <name>virtual-ap <name>orap-name <name>virtual-ap <name>Using the CLI to configure the DHCP server on the AP:ap system-profile <name>lms-ip <ipaddr>master-ip <ipaddr>rap-dhcp-server-vlan <vlan>wlan virtual-ap <name>ssid-profile <profile>vlan <vlan>forward-mode bridgeaaa-profile <name>rap-operation {always|backup|persistent}ap-group <name>ap-system-profile <name>virtual-ap <name>orap-name <name>ap-system-profile <name> virtual-ap <name>。

第二卷安装Aruba移动边缘系统第2章部署基本移动边缘系统这章主要介绍如何将Aruba移动控制器和Aruba AP接入你的有线网络。

看完这章的介绍以后，你就可以配置AP,同样的介绍在第3卷里。

这章主要介绍了以下几部分：⏹“配置的介绍” 第48页⏹“配置Aruba移动控制器” 第52页⏹“部署APs” 第57页⏹“附加的配置” 第61页配置的介绍这个部分介绍了典型的部署情况和任务，你必须把Aruba移动控制器和Aruba AP接入到你的有线网络。

部署环境一：路由器是控制器和客户端的默认网关在这个部署环境中，Aruba AP和移动控制器连接在相同的子网上，并且使用被指定的子网IP地址。

在AP与控制器中间没有路由器。

AP能够被物理的连接到控制器上。

控制器上的上行端口被连接到2层交换机或者路由器上。

你必须完成下列任务：1. 进行初始化设置●设置VLAN 1的IP地址●设置默认网关的IP地址，将控制器连接到上行的路由器2. 把移动控制器上的上行端口连接到交换机或者路由器的端口上，默认的，控制器上的所有端口都是Access端口并且所有端口都属于同一个VLAN3. 部署AP。

所有的AP会使用Aruba Discovery Protocol（ADP）协议来发现移动控制器。

为所有用户指定VLAN并且配置VLAN 1的SSID。

部署环境二：对于所有客户端来说移动控制器是默认网关在这个部署环境中，Aruba移动控制器和AP在不同的子网中，而且AP在多个子网中。

移动控制器将作为无线网络的一个路由器（移动控制器作为无线客户端的默认网关）。

控制器上的上行端口被连接到2层交换机或路由器上；这是一个属于VLAN 1的Access 端口。

你必须完成下列任务：1. 进行初始化设置●设置VLAN 1的IP地址●设置默认网关的IP地址，将控制器连接到上行的路由器2. 把移动控制器上的接口连接到交换机或者路由器的接口上3. 部署AP。

所有的AP会使用DNS或DHCP来发现移动控制器。

1.实验环境说明1.1.实验拓扑本次实验只使用一个AP1.2.实验目的测试并学习ARUBA Controller的配置方法，了解ARUBA Controller的功能特性和特点B所需的环境●Cisco Switch 3560-POE（可支持POE供电，并给AP供电），一台●ARUBA Controller 3200，一台●ARUBA AP-105，一颗●WinRadius（模拟Radius Server用，），一台●测试用PC，2台网线若干，Console线一根2.ARUBA Controller的功能设定与配置2.1.Controller的初始化1.在拿到一台设备之后，不管是不是新的还是旧的设备，我们都要清空配置，首先在清空配置之前我们必须备份license可以在console界面直接看：也可以在web界面查看将license复制备份之后，就可以彻底清除配置了重启后我们可以配置最基本的name，管理地址，时间，密码等。

重启完成后输入用户名和密码就可以进入设备了此时查看licence，是没有的我们要加入我们备份的licenceAdd licence之后需要重启重启后可以看到licence2.配置DHCP Server这个POOL是给AP和测试PC提供地址的3.完成后，保存配置4.给交换机配置管理地址，因为所有的的接口都属于vlan1，为vlan1配置地址可以是AP获得IP地址2.2.控制器配置文件的保存恢复以及OS升级1.使用以下命令：●Dir-----查看保存在flash中的所有文件●Show boot-----查看设备启动时读取的配置文件●Show image version-----查看Partition 0 & 1的image信息，和每次设备启用会从那个Partition去读取image2.如果需要导出Controller的配置，需要在PC 1去运行TFTP Server（本LAB使用Cisco TFTP），使用以下命令去把配置文件导出到PC 1中3.成功导出后，在Cisco TFTP可以看到导出的配置文件的信息4.导出来的configuration5.如果需要导入configuration到controller里的话，使用以下命令如上图，导入到flash时，需要重建一个新名字：3400.bak，并把其导入到backup 文件里，然后再把backup文件覆盖掉原来的3400.cfg文件，启动时读取这个配置文件：3400.cfg，最后重启一次controller2.3.使用WEB登录和AP的初始化配置1.使用web登录，我们设置的管理地址是172.16.1.254点击登录2.在Monitoring-->Network Summary，我们可以找到AP。

WLC基础配置（初始化完成后自动填充数据默认vlan1 可手动更改更改后重启控制器）
相同界面下License查看
可添加vlan 并将接口划入vlan
图为添加好的vlan2 点击configuration下NETWORK->VLANs->Edit 点击数字即可将相应接口划入vlan
点击Port可配置具体接口
如图可配置DHCP地址池
在wireless里可配置AP 如图在相应位置填入控制器IP和AP本身的IP以及网管和掩码
最下面可以选择AP所在的组以及配置AP的名字（可获取AP的mac地址和序列号）
在本页面输入用户名密码
配置SSID信息
信道调整
查看AP状态包括用户接入数流量丢包率等
注意：途中标蓝处为AP接入终端数默认为64 根据需求修改。