Wireless

The Wireless view presents the scaffolds associated with configuring the wireless distribution layer of your network, and monitoring/configuring the access points throughout your infrastructure.

WLAN Controllers

An entry in the WLAN controllers scaffold defines a piece of wireless equipment with which the rXg will communicate for the purpose of effecting dynamic VLAN changes when necessary due to a policy shift for a device on the network.

When a device's VLAN assignment has changed due to a policy shift, the rXg will connect to the WLAN controller associated with the device's RADIUS realm via the protocol specified in the configuration, and force a disconnect/reconnect, which will reinitiate the RADIUS authentication process, thereby resulting in the new VLAN assignment being applied to the client device.

The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.

The device field specifies the type of equipment being configured. Choose the appropriate option from the supported device types drop-down menu.

The Instrument from telemetry checkbox results in the rXg using telemetry data to instrument the Zones, Profiles, Access Points and Radios for this controller, instead of the regular API integration.

Enabling the Monitoring checkbox results in the rXg attempting to import and synchronize Access Points from the device, as well as perform ping monitoring of the Infrastructure Device itself, and collect CPU and Memory statistics, where possible.

The SNMP community field specifies the SNMP community string that will be used when attempting to gather CPU and/or Memory information, or Access Point data from WLAN controllers where an API is not available.

The NB portal password and NB portal usernames are used when executing API calls against RUCKUS's northbound portal interface. These must correlate with what is configured in the controller.

The Telemetry username and Telemetry password are used when authenticating an MQTT session with this WLAN Controller. These must correlate with what is configured in the controller's northbound data streaming subscriptions.

For Infrastructure Devices which support configuration management, the Config sync status column contains a link that allows the operator to access bootstrap instructions and enable synchronization.

When enabling automatic WLAN controller configuration management, the operator should ensure that the timezone and country code set in the Device Options scaffold are accurate as they will be used when configuring wireless infrastructure.

After initial bootstrapping is complete and network connectivity is established, the operator may download a running configuration backup or compare the current running configuration to the expected configuration, based on the associated configuration elements. If changes are needed, they may be pushed to the controller. After the first successful manual synchronization, future configuration changes will be pushed to the device whenever relevant configuration changes are made in the database.

The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.

WLANs

An entry in the WLANs scaffold defines a wireless network that you wish to deploy on a supported WLAN controller.

The SSID field specifies the WLAN SSID that will be broadcast and visible to users.

The Encryption selection specifies the encryption algorithm which will be used for this WLAN.

The Authentication selection specifies the type of authentication that should take place in order for users to join the network. In order for Dynamic VLANs to be assigned, authentication must utilize MAC Authentication Bypass or one of the 802.1X methods.

The Default VLAN field specifies the VLAN that users should be placed into, assuming it is not overridden by Dynamic VLAN behavior.

The Tunnel checkbox instructs access points to build a tunnel to the controller or some other location, depending on the vendor, instead of locally bridging the client traffic.

Application Examples:

  - RUCKUS SoftGRE Tunnel

The Enabled checkboxes allow the operator to enable or disable a WLAN for a particular radio across all profiles where it is utilized.

Dynamic VLANs require the association of at least one VLAN record which is tied to a RADIUS Realm.

The RADIUS Accounting checkbox instructs the Access Point to send accounting information to the RADIUS server as users join, use, and leave the network.

The Access Point Profiles selection specifies which Profiles should include this WLAN.

Access Point Profiles

An entry in the Access Point Profiles scaffold defines a set of common configuration parameters to be applied to a set of Access Points.

The Default checkbox indicates that this Profile will be the default Profile for this Infrastructure Device. Any Access Point which has not been explicitly assigned to a Profile will be placed into this Profile.

The WLANs association defines which WLANs will be broadcast on Access Points that fall into this Profile.

The Access Points association allows the operator to explicitly assign a profile to one or more Access Points. Selected Access Points which do not belong to the Infrastructure Device that the Profile is assigned to will be automatically deselected upon saving.

The Management VLAN field specifies which VLAN the Access Points in this profile will use to attempt to obtain an IP address via DHCP.

The 2.4GHz Data Rates and 5GHz Data Rates fields allow the operator to restrict the types of devices that may join the network to only those supporting a specific subset of data rates. By default, 802.11b rates are disabled to improve network performance.

The 2.4GHz Antenna Gain and 5GHz Antenna Gain fields allow the operator to specify antenna gain values (in dBi) that will be applied to Access Points which use external antennas.

The Outdoor APs checkbox instructs the system to enable or disable outdoor power and channel tables for the radios in order to be compliant with regulatory rules.

Access Points

Entries in the Access Points scaffold are created automatically by enabling the Monitoring checkbox on a supported wireless controller's Infrastructure Device. Status and statistics are gathered on an ongoing basis via API and/or SNMP.

After creation, the operator may reassign an Access Point's Access Point Profile in order to control the WLAN and radio settings applied to it. Access Point details are updated on a regular basis via background interaction with the Infrastructure Device.

Access Point Radios

Entries in the Access Point Radios scaffold are created automatically by enabling the Monitoring checkbox on a supported wireless controller's Infrastructure Device. Status and statistics are gathered on an ongoing basis via API and/or SNMP.

Access Point Radio Profiles

Entries in the Access Point Radio Profiles scaffold can be assigned to WLANs in the Access Point Profiles scaffold. The HW Mode Preference field is a comma separated listing of supported radio types: 'A' (5 GHz, 802.11 A and 802.11 AC), 'B' (2.4 GHz 802.11 B), or 'G' (2.4 GHz 802.11 G). The order matters, as HW Modes are preferred as listed, left to right. Selected Channels is a list of numbers associated with the HW Mode Preference. The list can be a comma separated list of individual channels, or ranges of channels (i.e. '1,2,3,4,5,6,7,8,10,11' can be represented as '1-11').

Access Point Zones

An entry in the Access Point Zones scaffold defines the configuration common throughout this site.

Entries in the Access Point Zones scaffold are populated automatically after enabling the monitoring checkbox for a supported WLAN controller Infrastructure Device.

The Enable DFS channels checkbox instructs the Access Points in this Access Point Zone to broadcast at the 5GHz frequencies that are generally reserved for radars. Disabling the Dynamic Frequency Selection (DFS) prevents the use of 5GHz channels 52 - 140.
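The HW Mode Preference and Selected Channels formats and the DFS range described above can be checked before a profile is pushed. The following is an added example, not rXg code: the function names are hypothetical, and the band boundaries (2.4GHz channels up to 14, 5GHz channels from 36) are assumptions; the DFS range 52 - 140 is the one stated on this page.

```python
# Added example, not rXg code. Field formats follow the text above.
DFS_FIRST, DFS_LAST = 52, 140      # DFS range as stated on this page
MAX_24GHZ, MIN_5GHZ = 14, 36       # assumed band boundaries
BAND_OF_MODE = {"A": "5GHz", "B": "2.4GHz", "G": "2.4GHz"}


def parse_hw_modes(text):
    """Return HW modes in preference order (left to right)."""
    modes = [m.strip().upper() for m in text.split(",")]
    unknown = [m for m in modes if m not in BAND_OF_MODE]
    if unknown or len(set(modes)) != len(modes):
        raise ValueError(f"unknown or repeated HW mode in {text!r}")
    return modes


def parse_channels(text):
    """Parse '1-6,11' into [(1, 6), (11, 11)] without guessing channel spacing."""
    spans = []
    for item in (part.strip() for part in text.split(",")):
        lo, sep, hi = item.partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"malformed channel entry {item!r}")
        first, last = int(lo), int(hi) if sep else int(lo)
        if first < 1 or first > last:
            raise ValueError(f"invalid channel range {item!r}")
        spans.append((first, last))
    return spans


def audit_radio_profile(hw_modes, selected_channels, dfs_enabled):
    """Return findings for one radio profile; an empty list means consistent."""
    bands = {BAND_OF_MODE[m] for m in parse_hw_modes(hw_modes)}
    findings = []
    for first, last in parse_channels(selected_channels):
        label = str(first) if first == last else f"{first}-{last}"
        if last <= MAX_24GHZ:
            band = "2.4GHz"
        elif first >= MIN_5GHZ:
            band = "5GHz"
        else:
            findings.append(f"{label}: not within a single band")
            continue
        if band not in bands:
            findings.append(f"{label}: no {band} HW mode listed")
        if band == "5GHz" and not dfs_enabled and first <= DFS_LAST and last >= DFS_FIRST:
            findings.append(f"{label}: overlaps DFS channels while DFS is disabled")
    return findings
```

Ranges are kept as intervals rather than expanded, so a value such as '36-64' is flagged for overlapping the DFS range without assuming which channel numbers inside it the controller would actually use.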

The 5GHz Channel Width option allows the configuration of channel width for the 5GHz radio for Access Points in this Access Point Zone.

Example Aruba Setup

Connecting Aruba IAP to rXg

Steps to connect Aruba IAP

  1. Create InfDev for Aruba IAP
  2. Generate and apply bootstrap configuration to Aruba IAP
  3. Import pre-existing WLANs if needed
  4. Enable sync

  1. Create InfDev for Aruba IAP

Navigate to Network::Wireless and create a new WLAN Controller.

The Name field is arbitrary and can be set to anything. The Type field should be set to Aruba IAP. The Host field is the IP address we want the virtual controller to have. If the controller is local to the rXg then the Subnet mask and Gateway IP fields can be left blank. Set the API port field to the correct port; by default it is set to 4343 and shouldn't be changed unless the Aruba IAP has been configured to use a different port. Set the Username and Password fields to the correct username and password and click Create.

Note: If the Host IP is already set in the Aruba IAP, then it will not show the commands that need to be run. The commands will be provided in a step below.

  2. Generate and apply bootstrap configuration to Aruba IAP.

Click on the Sync not enabled link.

This will provide the Bootstrap Configuration that must be run on the IAP to allow API commands as well as set the virtual controller IP.

Note: If the virtual controller IP has been set and the Aruba IAP shows as online, it will not show the Bootstrap commands. In that case the virtual controller IP does not need to be set, so only the following commands should be run on the AP after first SSH'ing to it.

  configure
  allow-rest-api
  end
  commit apply

SSH to the controller IP and run the Bootstrap Configuration commands.

  3. Import pre-existing WLANs if needed

To import any existing WLANs that may already exist, click the import link on the WLAN Controllers scaffold.

Any WLANs that exist will then be shown on the WLANs scaffold.

  4. Enable sync.

This step will allow the rXg to sync with the Aruba IAP so that any configuration done on the rXg will be pushed (synchronized) to the Aruba IAP. To enable sync, click the Sync not enabled link in the WLAN Controller scaffold.

Next click on the Enable Config Synchronization button.

The rXg has now been configured to take control of the Aruba IAP. Configuration changes to the WLANs from the admin GUI of the rXg will be pushed automatically to the Aruba IAP.

Aruba MPSK Setup

A WLAN must exist that matches the SSID of the WLAN in the Aruba controller; the rXg can import this information by creating a WLAN Controller. Configure a WLAN Controller by navigating to Network::Wireless and clicking create new on the WLAN Scaffold. This will allow the rXg to import the WLANs from the Aruba controller.

Enter a name in the Name field; the Name is arbitrary. The Type field should be set to either ArubaOS or Aruba IAP depending on the type of controller the rXg is connecting to. The Host field is the IP address or domain name of the controller. If the Controller is local, setting a value in the Subnet mask and Gateway IP fields is not needed. The Disconnect method, SSH port and API port fields can be left on the default values unless the controller is using non-default ports. Enter the Username and Password in the Username and Password fields. Click Create.

The rXg will import the WLANs and APs from the Aruba controller.

Next the RADIUS Server Realms must be configured to use MPSK. Navigate to Services::Radius.

In order to use MPSK, the correct RADIUS Server Attributes must be tied to the RADIUS Server Realms. By default there is a RADIUS server attribute for use with Aruba MPSK. This attribute must be tied to each realm that will use MPSK. Typically this will be the POST auth realms, but for certain locations with pre-setup accounts it may be attached to both POST and PRE auth realms. For this example, a RADIUS server attribute will be created that has a known PSK, and it will be attached to the Onboarding realm. This allows anyone to connect with the known PSK, and after account creation they will be able to use their unique MPSK to connect. In the RADIUS Server Attributes scaffold, click edit on the Aruba-MPSK-Passphrase entry.

Select the RADIUS realms that will use the variable MPSK attribute; in this example only the Account Realm will be selected in the RADIUS Server Realms field. Click Update.

Next create a new RADIUS Server Attribute. In the Name field enter Aruba-MPSK-Passphrase. In the Value field enter the known PSK; in this example lab01admin! will be used as the known PSK. In the RADIUS Server Realms field make sure that only the realms that are using the known PSK are selected; in this case only the Onboarding Realm will be selected. Click Create.

With this setup, a user connecting for the first time would connect to the SSID using the known PSK of lab01admin!. This will connect them to the network and they will get redirected to the captive portal, where they can then sign up for an account. During account creation the end user will create their own PSK. At this point the end user will need to forget the wireless network on their device and connect using the PSK they set during account creation. The advantage of using MPSK is that the end user can now connect a device and have it attached to their account by simply connecting to the network using their unique PSK. This means that headless devices can be added to an account by connecting to the network and using the unique PSK for the account. The end user will not need to enter the MAC address of the headless device into their account; this will be done automatically when connecting to the network. This also means devices with MAC randomization will be added back to the correct account if the MAC address changes, without the end user even being aware.

