today I will talk about how you can setup a WPA2/3 enterprise wifi with aruba Instant On Access Points.

Because I don’t have an AD integrated notebook in my private test environment, I limit myself to username / password and don’t do any authentication by computer account.

Settings in the Instant On Portal

Create a new SSID

I have named the SSID Wifi-Enterprise. Under NAS identifier I used the name of the SSID as the identifier. You can also enter something else, but it makes it easier to set up the policies for the individual SSIDs later.

As a last step, we need the IP addresses of the individual access points.

AP01:

AP02:

The NPS Settigns

First, we must create the Radius-Clients. (the two Instant On APs)

Next, the network policy must be created. I have it named like the SSID Wifi-Enterprise.

Under conditions, I specify the Windows group for the wifi users and the NAS identifier so that the policy for the correct SSID takes effect. With Instant On this is not a problem because I can specify the NAS identifier per SSID.

Under Restrictions, please configure the following:

And under settings just leave the default values as they are.

Check the Results:

I checked the wifi with my iPhone and my Windows notebook.

Under Networks you can see the devices per SSID.

And here I see my iPhone and my notebook :)

Anyone who wants great Wi-Fi for little money should take a closer look at Instant On World. For homes like mine or small businesses, the APs are just right. :D

If you are interested once the links

Aruba AP11

Aruba AP11D

Aruba AP12

Aruba AP15

Aruba AP17 (Outdoor)

Aruba AP22 (Wifi 6)

And 3 recommended Aruba PoE switches

1930 8P

1930 24P

1930 48P

Have a nice day!

The post Aruba Instant On how to setup 802.1x with Windows NPS appeared first on Network Guy.

today I will talk about how to configuring a guest Wifi with a Aruba Mobility Controller and the Sophos hotspot solution.

In this example I will using the Sophos SG hotspot solution. With Sophos XG, it’s basically the same.

Sophos SG

Create a new Interface

It’s recommandet, to use a own interface for the guests. If you use a hardware interface or a VLAN interface, it’s your choice. I using VLAN interfaces.

Create a firewall rule for the web access 

To avoid problems with VIP visitors, I recommend allowing any service to access the internet. I will come to the topic of proxy in a moment.

masquerading rule

Without it, the package also gets on the internet, but not back :D

The DHCP 

Do not use your AD DHCP server. If you still have a server at all thanks to Azure. Always keep guest solutions as far away as possible from your infrastructure. That’s why I use the DHCP server from the Sophos SG and also send DNS queries directly to google DNS. Do not use the SG as DNS server for guest solutions. Because most UTMs have a query route to their own domain and the guest user can query your SG/XG via DNS queries about your environment.

hotspot portal

Here you have to put in the new interface and activate the hotspot type of your choice. I prefer the voucher solution.

And finally the proxy

For the guests, only the transparent proxy comes into consideration. No guest user wants to enter a static proxy into the system first. You should also only activate URL filtering, because no one wants to import the proxy CA. Now you have to define the policy and that’s it for the UTM configuration.

What web categories you allow via policy, you have to decide yourself.

Aruba Mobility Controller

My recommendation, configure everything under Mobility Controller level and not on the individual controller.

Add a new VLAN interface

We only need a VLAN interface with the same VLAN ID as the guest interface on the Sophos SG. No IP configuration is required on the mobility controller.

Create the SSID

I recommend using the tunnel mode. This way I don’t have to maintain all VLANs at the access points. Instead, I let the traffic first break out at the Mobility Controller.

We need a simple open WLAN.
Because we are using the Sophos SG guest solution in this example, I won’t go into detail about the possible Aruba solutions.

Now we have to remember the name of the default role. Because we have to edit these right away.

Edit  the role

For simplicity, we could write an Any rule because the Sophos SG takes care of security. But for the good feeling, we restrict the traffic a bit.

Because it’s a bit hard to read, here’s the content: We only allow the client to talk to the Sophos SG on the guest interface. Forbid the rest of the private IP address ranges and then allow Any for the Internet access.

Have a nice day!

The post Aruba Mobility Controller with Sophos SG/XG hotspot Portal appeared first on Network Guy.

today I want to tell you how to create a redundant point-to-point connection with Aruba 387 access points.

Update

for this setup the firmware version 8.6.0.6 or newer is absolutely needed. Because in the older versions the bug AOS-216445 is not fixed yet.

AOS-216445
Clients connected to the mesh portal AP were unable to reach devices connected to the mesh point AP and vice versa. This issue occurred when the client roamed from a source mesh AP to another mesh AP and back to the source mesh AP. The fix ensures that clients communicate with devices in the mesh network as expected. This issue was observed in AP-387 access points running Aruba Instant 8.6.0.6 or later versions.

Let’s look at the background

The customer has 2 warehouses which are about 150 meters apart and connected by WLAN. The previous WLAN solution manages the redundancy with cold standby devices. Unfortunately the problem was that there is no IT staff at this location to connect the backup APs in case of failure.

Logical structure

We have 2 Aruba 2930 24G PoE switches in the VSF stack on each side. One AP 387 is connected to each stack member. The access points are in standalone mode and form a point to point connection in pairs. AP01 + AP03 and AP02 + AP04. To prevent a switching loop, one of the two connections is switched off via Spannig Tree.

Configuration

Since the article is more about the point-to-point connection, I will only roughly describe the switch configuration.

Switches

Build the stacks, activate Spanning Tree on the switches. Configure the switch facing the Internet (SW-Stack-01) as STP root. Otherwise, configure the typical switch configuration such as management IP, management user and password, etc.

Access Points

Basic configuration

The APs are all connected to SW-Stack-01. Alternatively you can also use a lan cable between SW-Stack-01 and SW-Stack-02. Convert all APs to standalone access points (no IAP cluster). Assign a fixed IP, gateway and DNS address on all APs.

Do the following on all APs:

Edit the default_wired:port_profile:

Activate extended view (last button at the very bottom) and do the following.

Edit the Access Point profile

Example based on AP01 (still perform on all APs)

Now reboot all APs.

Configure the mesh links

After the reboot we continue on the shell.

If you can’t access it via SSH, you can also do the steps via the Com Port of the AP.

link between AP01 and AP03

Perform the following configuration on AP01 and AP03

no mesh-disable
mesh-cluster-name Link-A
mesh-cluster-key MyPassword123

example AP01:

The mesh cluster name is freely selectable.

The mesh cluster key is also freely selectable.

Now you can reboot AP01 and AP03.

link between AP02 and AP04

On AP02 and AP04 the configuration is almost identical. Only a different mesh cluster name and mesh key is used.

example AP02:


Now you can also reboot AP02 and AP04.

Turn AP03 and AP04 into mesh points

The following steps must be performed on AP03 and AP04.

example AP03:

Then connect AP03 and AP04 to switch SW-Stack-02. Or remove the LAN cable between SW-Stack-01 and SW-Stack-02 if you have connected both switches for a test setup.

checking the result

The mesh is not visible in the Web GUI.

show ap-env

show ap mesh cluster status

show ap mesh cluster topology

Here you can see that AP03 is the mesh point (child) of AP01 the mesh portal.

show ap mesh link

The 60Ghz WLAN runs automatically in parallel to the 5GHz. In this example the 60GHz network runs on channel 2.

Example how the mesh link between 2 APs must look like. (AP01 and AP03)

During a failover test with this configuration I had 0 to 1 ping drop out during a continuous ping

Have a nice day!

The post How to setup a redundant WLAN point-to-point connection with aruba AP 387 appeared first on Network Guy.

Below you can find the changelog of ekahau Site Survey:

Version 10.0.1

Release Date: April 24th, 2019

• Improvements:
  • Antenna linking introduced to Ekahau Pro! Now antenna direction, height and tilt are linked by default in APs. When you change one of the aforementioned parameters in one radio, it will also change in all other radios of the AP as well! If you want to break the linking, you can freely unlink APs in the Actions-menu.
  • Improved AP icon sizes in reporting and image export. We noticed that AP icons often appeared too large in the reporting, so we put them on a diet and now they should be much more modestly sized and consistent across the board.
  • Improved label sizes in reporting and image export. What’s Hardy without his Laurel? Label sizes were somewhat too small and slim in the previous version, so we made them bigger and more in line with the new AP icon sizes.
  • Improved and more robust building coordinate system. Among other things, differently angled floors now work better, and you can also use only two alignment points to align your floors.
  • You can now assign any available AP model to surveyed access points. Previously you were able to select only models from the detected vendor’s selection, which proved too limiting in practice.
  • Streamlined Channel Interference visualization options: Adjacent channel mode selection is removed (new default: Loose) and Max Operating Channel (new default: Max bandwidth).
  • White survey handles are now hidden when using Survey Inspector to examine the survey measurements on the map. Previously measurement points could get lost under the survey handles – but no more!
• Fixed issues:
  • Fixed a critical issue where you weren’t able to do surveys in Ekahau Standard version of the application. No jokes here, we’re just very sorry for this oversight.
  • Rectangular attenuation areas can now be saved to again to the project files. No, we don’t think this feature is too “square” for our new and hip Ekahau Pro.
  • Scale tool no longer multiplies values with decimals by 10 when using Ekahau Pro in German or French.
  • Insta-tool tip toggle introduced in 10.0.0 now works better on Windows. Holding the toggle (shortcut key: T) down now allows you to immediately display tool tips on the map wherever you poke your cursor!
  • Heatmap slots no longer get stretched and distorted in certain type of projects with an aligned building. While we like to stay flexible, but we don’t want our heatmaps to take up after us.
  • Reporting and image export no longer fail if attenuation area labels are toggled OFF.
  • Exception fixed in Data Rate visualization which could occasionally send our reporting to a never-ending journey. And not one those magical and fantastical journeys – just a journey that. Never. Ends.
  • Fixed an issue where certain type of SVG images made our reporting fail on macOS.
  • Image export no longer runs out of memory with certain type of higher resolution images.
  • Hybrid projects with both measured and simulated access points sometimes produced odd heatmaps or disregarded some access points. Now we’ve injected an added dose of sense into this release, fixing this problem.
  • Access point power and height fields no longer show up in wrong colors after changing unit of measurements.
  • Helped BLE labels to make up their mind when the beacon is disabled. Previously we were showing both OFF and Bluetooth icon in the radio label and it got messy! Now BLE radios show only OFF label, like their Wi-Fi cousins.
  • Improved Cloud project download reliability.
  • AP text and model fields now keep their focus properly and don’t split it up with other elements.
  • Other miscellaneous fixes.
• New access points, antennas and BLE beacons:
  • Cisco AP1840
  • Aerohive AP30
  • Aruba AP-535
  • AccelTex ATS-OP-245-6-4
  • Netgear WAC540
  • Terrawave M6045055DMD1820, M6040060O2D1802RS, M060060M1D43607C, M6060060D3D3620T, M6060060D3D3607T, M6060060D3D3602T, M60600060P3D63602, M6085085D3D1220, M6090012D3D41806, T58185D0006 and T58125DM0006D
• Notes:
  • Because a dog ate our homework, we forgot to mention in 10.0.0 release notes that we have now relocated the GPS surveys to their own survey mode under Continuous and Stop & Go survey modes. Just select “GPS Survey” in the survey tool and you’ll find all the familiar GPS related tools there!

You can download the full version here.

The post ekahau Site Survey 10.x released! appeared first on Network Guy.

If you want/have to implement wireless networks in companies you need to secure them more than your home WLAN. In this case, you need to use a radius server for this (so called WPA-Enterprise or WPA2-Enterprise Authentication with Protected EAP. I will use a Microsoft NPS (network policy server) on a Microsoft Windows Server 2016 OS. This is my test environment:

• NPS Server 192.168.91.23
• aruba IAP-205H 192.168.91.201
• aruba IAP-205H 192.168.91.202
• aruba Virtual Controller IP 192.168.91.200
• SSID “Networkguy-Office” with authentication of computer-group “Domain Computers”
• SSID “Networkguy-BYOD” with authentication of user-group “GL_WLAN-Access-BYOD”

I combined the aruba access points to a virtual controller and configured the radius server “PUCK” under “Security”. The presharedkey secures the connection between the AP and the NPS:

configure the WLAN controller or the instant access points as Radius Clients on the NPS:

choose WPA2 Enterprise in your SSID options:

do differ the SSIDs at the authentication, we need to manually configure the called-station-id at the aruba virtual controller. Cisco Aironet WLCs do this automatically. To configure the called-station-id, we need to connect via SSH to the virtual controller IP address because you can’t configure this by GUI. We will use a colon as the delimiter:

00:0b:86:fe:31:da# configure terminal
We now support CLI commit model, please type "commit apply" for configuration to take effect.
00:0b:86:fe:31:da (config) # wlan ssid-profile Networkguy-BYOD
00:0b:86:fe:31:da (SSID Profile "Networkguy-BYOD") # called-station-id include-ssid delimiter :
00:0b:86:fe:31:da (SSID Profile "Networkguy-BYOD") # end
00:0b:86:fe:31:da# commit apply
committing configuration…
configuration committed.

now we can configure the NPS rules. I used “aruba” as a NAS-identifier and .*:Networkguy-BYOD$ as the called-station-id. Change “Networkguy-BYOD” with your SSID name:

your NPS server needs an computer-auth-certificate, typically from the Domain Root Certification Authority:

our Bring your own Device (BYOD) policy is ready.

You can now configure your computerbased-auth policy. I always configure a network for all domain computers with access to internal LAN and a “Bring your own device” WLAN for employee-devices with internet-only access based an an active directory group.

I connected my iPhone to the “Networkguy-BYOD” WLAN with success:

Feel free to ask in the comments. Have a nice day :)

The post WLAN with 802.1x Radius/NPS Authentication appeared first on Network Guy.

So people can say “hey my new iPhone can ROCK Wi-Fi Generation 5” instead of “hey I can use 802.11ac wlan access points”. They are also showing version 6 for the new upcoming standard 802.11ax. There are some devices on the market which already provide this standard. Keep in mind that the real standard isn’t passed already! The projectgroup for “802.11” at the Institute of Electrical and Electronics is planing to release the final standard at December 2019. I’m very relaxed at this point. Most customers are using already devices with 802.11ac but don’t use the capability/potential of the 5Ghz band speed. I will explain the advantages and disadvantages of the WiFi standards in another blog entry.

Happy Monday!

The post WiFi Alliance and their new naming-standards appeared first on Network Guy.