>
> Most of the issues that needed to be solved were related to
> having one SSID for the entire campus and making that work
> with individual requirements for specific departments. For
> example, we wanted students in the residence halls to go
> through CCA, but not every department on campus. Currently,
> there also isn't good distributed management of APs so that
> individual departments can control their APs (and nobody
> else's). However, this is *supposed* to work in the next
> release of ArubaOS (and MMS--the management platform).
Kyle,
(Ignore this if you are NOT using 802.1x)
One thing you should check on is 802.1x override, aka radius server
override, aka dynamic VLAN.
Reading Aruba's networkspeak, it sounds like they call this either
"Policy" or "Roles".
The radius server returns an attribute based on group membership; this
attribute is the VLAN number (or role name) you want the client to be
"tagged" with. It's an older technology. (Our Enterasys R2's from 2000
did this, as well as our new Cisco LWAPP APs.)
I found a few references on the web that seem like they might do what
you're looking for:
Email on how to make SNORT change the role a user is in to blacklist
them based on some IDS alert
http://cvs.snort.org/viewcvs.cgi/snort/doc/README.ARUBA?rev=1.2
(THIS was taken from Bradford's Campus Manager page, and it mentions
that they are for version 2.0 of Aruba, not Version 3.0)
Aruba Device Configuration
Setup the Aruba Wireless Controller device by logging in using a web
browser.
Requirements:
* Firmware Version - The parameters in this setup document are for the
Aruba5000 firmware version 2.5.3.x. These instructions are not for 3.0
and above.
* Software Modules - Wireless Intrusion Protection (WIP) module and
Policy Enforcement Firewall (PEF)
1. Click on the Configuration tab and select Advanced settings.
2. On the Switch > General > VLAN tab, set the VLAN ID with associated
ports for the Registration, Remediation, DeadEnd, Authentication, and
other VLANs as necessary. Setting the IP addresses is optional.
3. On the Switch > Management > SNMP tab, set community strings and
click Apply.
Note: It is not necessary to set the Trap Receivers.
4. On the WLAN > Network tab, add any SSIDs that will be supported and
click Apply. Broadcasting of the SSID is optional.
Important: If adding an SSID for 802.1x set the following:
- Forward Mode = Tunnel
- Encryption Type = WPA TKIP
- SSID Default VLAN = Registration VLAN (enter the VLAN ID)
5. On the Security > AAA Servers > Radius Servers tab, add Campus
Manager as the RADIUS server using port 1812. Enter the shared secret,
set the source interface by entering the Aruba Controller IP Address in
the NAS Source IP Address field, set the mode to
Enable, and then click Apply.
6. For MAC Authentication, on the Security > Authentication Methods > MAC
Address tab, select Authentication Enabled and add Campus Manager as the
Authentication Server. Click Apply.
For 802.1x Authentication, on the Security > Authentication Methods >
802.1x tab, select Authentication Enabled, add Campus Manager as the
Authentication Server, and click Apply.
7. On the Security > Roles, add each role (i.e., Registration,
Remediation, DeadEnd, and other VLANs) and include its VLAN ID. On the
Add Role dialog set the Firewall Policy to allowall, and click Done.
Note: After entering the corresponding VLAN, click Change before
clicking Apply.
When all the settings have been configured for the role being added,
click Apply and then add another role(s) if desired.
8. On the Security > Policies tab, add any policies for existing VLANs.
9. Ensure that the Aruba device can be accessed from the Campus Manager
appliance via ssh. By default the device is set to trusted. However, if
the device cannot be accessed then it is possible that the port on the
Aruba device has been set to not "trusted." The following
command will configure the port to be "trusted".
    config terminal
    interface fastethernet x/y    (x/y = slot/port)
    trusted
Important: Be sure to save the configuration.
10. On the RF Management > Protection tab enable Client DoS protection
and set the DoSClient Block Time = 20 seconds.
Note: Setting these parameters may also be accomplished from the CLI by
using the following commands:
    configure terminal
    stm sta-dos-prevention enable
    configure terminal
    stm sta-dos-block-time <time_in_seconds>
11. Click Save Configuration before logging out.
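The "radius server override / dynamic VLAN" mechanism discussed above works by the RADIUS server placing attributes in the Access-Accept that the controller maps to a VLAN or role. As an added illustration (not part of this message, nor Bradford's or Aruba's documentation), the following Python builds and decodes those attributes on the wire: the RFC 2868 tunnel triple (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN number) and the Aruba vendor-specific attribute Aruba-User-Role (vendor ID 14823, attribute 1, as in the public RADIUS dictionaries). The group names, VLAN numbers and role names are constructed; which attribute a given controller acts on depends on its own server-derived role/VLAN configuration.

```python
"""Build and decode RADIUS Access-Accept attributes that carry a dynamic
VLAN (RFC 2868 tunnel attributes) or an Aruba user role (VSA).

Constructed example: the group -> VLAN/role table below is invented and
stands in for a directory lookup; nothing here comes from a real site.
"""
import struct

# RFC 2865/2868 attribute types and RFC 3580 values
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
ARUBA_VENDOR_ID = 14823        # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1            # Aruba-User-Role in the Aruba dictionary

# Constructed policy table: directory group -> (VLAN ID, controller role).
GROUP_POLICY = {
    "cn=resnet-students": (200, "resnet-cca"),
    "cn=faculty": (300, "faculty"),
}
# Unknown groups fall back to the registration VLAN, never a trusted one.
DEFAULT_POLICY = (100, "registration")


def policy_for(groups):
    """Return the first matching (vlan, role) for a user's groups."""
    for g in groups:
        if g in GROUP_POLICY:
            return GROUP_POLICY[g]
    return DEFAULT_POLICY


def attr(type_, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value(Length-2)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value


def tunnel_attr(type_, value, tag=1):
    """Tunnel attributes carry a one-byte Tag before the value (RFC 2868)."""
    return attr(type_, bytes([tag]) + value)


def build_accept_attrs(groups):
    """Attribute list a RADIUS server would put in the Access-Accept."""
    vlan, role = policy_for(groups)
    return b"".join([
        # Tunnel-Type and Tunnel-Medium-Type are Tag + 3-octet integer.
        tunnel_attr(ATTR_TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
        tunnel_attr(ATTR_TUNNEL_MEDIUM_TYPE,
                    struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]),
        # The VLAN travels as a decimal string, not a binary integer.
        tunnel_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()),
        # VSA: Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) String.
        attr(ATTR_VENDOR_SPECIFIC,
             struct.pack("!I", ARUBA_VENDOR_ID)
             + struct.pack("!BB", ARUBA_USER_ROLE, len(role) + 2)
             + role.encode()),
    ])


def parse_attrs(data):
    """Decode an attribute list the way a NAS would, checking lengths."""
    out = {}
    i = 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        v = data[i + 2:i + ln]
        if t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            out[t] = int.from_bytes(v[1:], "big")       # skip the tag
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            out[t] = v[1:].decode()
        elif t == ATTR_VENDOR_SPECIFIC:
            vendor = int.from_bytes(v[:4], "big")
            vtype, vlen = v[4], v[5]
            if vlen != len(v) - 4:
                raise ValueError("malformed VSA")
            out[(vendor, vtype)] = v[6:].decode()
        i += ln
    return out


def vlan_and_role(data):
    """Recover (vlan, role); a VLAN without the full triple is rejected,
    because a NAS ignores Tunnel-Private-Group-ID on its own."""
    a = parse_attrs(data)
    if (a.get(ATTR_TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or a.get(ATTR_TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        raise ValueError("incomplete tunnel triple")
    return int(a[ATTR_TUNNEL_PRIVATE_GROUP_ID]), a[(ARUBA_VENDOR_ID, ARUBA_USER_ROLE)]


if __name__ == "__main__":
    wire = build_accept_attrs(["cn=resnet-students"])
    print(wire.hex())
    print(vlan_and_role(wire))
```

The point the encoder makes visible is that all three tunnel attributes must be present (and that each carries a tag byte), and that the VLAN is a string; a server that emits only Tunnel-Private-Group-ID, or a binary VLAN, gets silently ignored by the NAS and the client lands in the SSID's default VLAN, which is why step 4 above sets that default to the Registration VLAN rather than a trusted one.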