Aruba Controller Operation and Configuration Template
1. Management (mgmt) user settings
Choose how mgmt users authenticate over SSH: public key (client certificate) or username and password:
ssh mgmt-auth [public-key | username/password]
mgmt-user ssh-pubkey client-cert <certificate-name> <username> <role>
Authenticate mgmt users against an external RADIUS server:
aaa authentication-server radius rad1
  host <server-ip>
  key <shared-secret>
――――
aaa server-group corp_rad
  auth-server rad1
-------------------------
aaa authentication mgmt
  default-role root
  enable
  server-group corp_rad
Note: default-role is the role given to any account the server accepts without returning a role, so default-role root turns every server-side account into a controller superuser. Prefer a low-privilege default (read-only or no-access) and have the server return root only for the accounts that need it.
Disable the local authentication database (only after a login through the external server has been verified, otherwise you lock yourself out of the controller):
mgmt-user localauth-disable
Set idle session timeouts:
loginsession timeout <minutes>          // CLI
web-server session-timeout <seconds>    // WebUI
1.1 TACACS+ authentication for mgmt users
The pre-defined management roles on the controller are:
1. root - superuser role
2. guest-provisioning - guest provisioning role
3. network-operations - network operator role
4. read-only - read-only role
5. location-api-mgmt - Location API management role
aaa authentication-server tacacs TACACS-SERVER
  host TACACS_SERVER_IP
  key PRESHARE_KEY
  session-authorization
!
aaa server-group TACACS-SERVER-GRP
  auth-server TACACS-SERVER
!
aaa tacacs-accounting server-group TACACS-SERVER-GRP mode enable command [all | action | configuration | show]
aaa authentication mgmt
  server-group TACACS-SERVER-GRP
  enable
!
session-authorization makes the controller ask the TACACS+ server for the admin role after login, so per-user roles come from the server rather than from default-role. Command accounting sends every command (or only the selected class) to the server; command all gives the full management-plane audit trail.
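The settings in sections 1 and 1.1 are easy to forget on one controller out of many, so here is an offline check that reads a running-config excerpt and flags the management-plane items the template asks for. This is an added example, not Aruba code; it parses the indented stanza style that show running-config emits. Both configuration strings are constructed, and the finding names are made up for this example.

```python
"""Offline hardening check for an ArubaOS controller running-config excerpt.

Added example (not Aruba code). Parses top-level stanzas with their indented
sub-commands and flags the management-plane settings sections 1 and 1.1
of the template recommend. Both sample configs below are constructed.
"""

# Constructed: a controller that still uses password SSH, the local user
# database, default-role root and no command accounting.
WEAK_CONFIG = """\
ssh mgmt-auth username/password
aaa authentication-server tacacs TACACS-SERVER
  host 10.0.0.5
  key PRESHARE_KEY
  session-authorization
!
aaa server-group TACACS-SERVER-GRP
  auth-server TACACS-SERVER
!
aaa authentication mgmt
  default-role root
  server-group TACACS-SERVER-GRP
  enable
!
"""

# Constructed: the same controller after applying the template.
HARDENED_CONFIG = """\
ssh mgmt-auth public-key
mgmt-user localauth-disable
loginsession timeout 10
aaa authentication-server tacacs TACACS-SERVER
  host 10.0.0.5
  key PRESHARE_KEY
  session-authorization
!
aaa server-group TACACS-SERVER-GRP
  auth-server TACACS-SERVER
!
aaa tacacs-accounting server-group TACACS-SERVER-GRP mode enable command all
aaa authentication mgmt
  default-role read-only
  server-group TACACS-SERVER-GRP
  enable
!
"""


def parse_blocks(text):
    """Return [(header, [sub-commands])] for each top-level stanza.

    A line that starts in column 0 opens a stanza; indented lines belong to
    it; "!" or a blank line closes it. Stanzas without sub-commands (for
    example "ssh mgmt-auth public-key") are kept with an empty list.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def audit(config_text):
    """Return a sorted list of finding identifiers (names constructed here)."""
    blocks = parse_blocks(config_text)
    headers = [h for h, _ in blocks]
    findings = set()

    # Section 1: admin SSH should use public keys, not passwords.
    if not any(h == "ssh mgmt-auth public-key" for h in headers):
        findings.add("MGMT_SSH_PASSWORD_AUTH")

    # Section 1: the local fallback database is still active.
    if "mgmt-user localauth-disable" not in headers:
        findings.add("MGMT_LOCAL_DB_ENABLED")

    # Sections 1/1.1: external mgmt auth must be enabled, and default-role
    # root would make every server-side account a superuser.
    mgmt = [c for h, c in blocks if h == "aaa authentication mgmt"]
    if not mgmt or "enable" not in mgmt[0]:
        findings.add("MGMT_EXTERNAL_AUTH_DISABLED")
    if mgmt and "default-role root" in mgmt[0]:
        findings.add("MGMT_DEFAULT_ROLE_ROOT")

    # Section 1.1: TACACS+ command accounting is the audit trail.
    if not any(h.startswith("aaa tacacs-accounting") for h in headers):
        findings.add("MGMT_NO_COMMAND_ACCOUNTING")

    # Section 1: idle CLI sessions must expire.
    if not any(h.startswith("loginsession timeout") for h in headers):
        findings.add("MGMT_NO_CLI_TIMEOUT")

    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against the output of show running-config saved to a file; an empty list means all the checks from sections 1 and 1.1 are present. The parser ignores everything it does not recognise, so extra stanzas in a real config do not produce false findings.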
2. Default roles and policies
Default policies (session ACLs):
ip access-list session: control, validuser, allowall, icmp-acl, logon-control, captiveportal, tftp-acl, https-acl, http-acl, dhcp-acl, ap-acl
Default roles:
user-role: ap-role, voice, guest-logon (captive portal authentication), guest, authenticated, logon
――――――――――――――――――――――――――――――――――――
3. Local database operations
local-userdb export <filename>
local-userdb import <filename>
local-userdb add {generate-username | username <name>} {generate-password | password <password>}
――――――――――――――――――――――――――――――――――――――――
4. DHCP server
ip dhcp pool user-pool
  default-router 192.168.100.1
  dns-server 192.168.100.1
  network 192.168.100.0 255.255.255.0
!
service dhcp
ip dhcp excluded-address 192.168.100.1 192.168.100.10
――――――――――――――――――――――――――――――――――――
5. Bandwidth contracts
aaa bandwidth-contract BC512_up kbps 512
user-role web-guest
  bw-contract BC512_up per-user upstream
―――――――――――――――――――――――――――――――――――――
6. Policies
Block access to the internal network:
netdestination "InternalNetwork"
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.255.0.0
  network 192.168.0.0 255.255.0.0
ip access-list session block-internal-access
  user alias "InternalNetwork" any deny
Attach this ACL to a role before any permissive ACL such as allowall: the session ACLs in a role are evaluated in order and the first matching rule wins, so a deny placed after allowall never fires. Note that 172.16.0.0 255.255.0.0 covers only 172.16.0.0/16; the whole RFC 1918 block is 172.16.0.0/12 (mask 255.240.0.0).
―――――――――――――――――――――――――――――――――――――
7. Captive portal authentication
With an external portal server:
netdestination portal-server
  host 10.50.22.221
ip access-list session abc-portal-acl
  user alias portal-server svc-http permit
aaa authentication captive-portal c-portal
  default-role employee
  server-group cp-srv
  login-page http://192.168.100.10/test.php
user-role logon
  captive-portal c-portal
  session-acl abc-portal-acl
aaa profile aaa_c-portal
  initial-role logon
wlan ssid-profile ssid_c-portal
  essid c-portal-ap
wlan virtual-ap vp_c-portal
  aaa-profile aaa_c-portal
  ssid-profile ssid_c-portal
  vlan 20
The netdestination host and the login-page URL must point at the same portal server (the two addresses above differ), and the pre-authentication ACL must permit the service the login page actually uses: with only svc-http permitted, an HTTPS login page is never reachable from the logon role.
Adding a white-list to the captive portal:
(host)(config)# netdestination "Mywhite-list"
(host)(config-dest)# name <domain-name>
(host)(config-dest)# name <domain-name>
(host)(config)# aaa authentication captive-portal default
(host)(Captive Portal Authentication Profile "default")# white-list Mywhite-list
Note:
When several captive-portal virtual APs are configured on one controller, each captive portal needs its own initial role and user role, captive-portal profile, AAA profile and SSID profile.
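To make the ordering rule from section 6 and the pre-authentication behaviour of the logon role in section 7 concrete, here is a small first-match evaluator for session ACLs attached to a role. This is an added example, not Aruba code, and it models only what the template uses: netdestination aliases from host/network entries, rules written "<src> <dst> <service> <action>", and a role as an ordered list of ACLs. The body of the built-in captiveportal ACL is a constructed approximation (dst-nat to the controller's redirect ports), the service/port table is a constructed subset, the role names web-guest and web-guest-misordered are assumed for the example, and 93.184.216.34 is an arbitrary external address.

```python
"""First-match evaluation of ArubaOS-style session ACLs inside a user role.

Added example (not Aruba code). Shows why the order in which ACLs are
attached to a role matters, and what the section 7 logon role does with
traffic before the client has authenticated.
"""
import ipaddress

# Constructed subset of the built-in svc-* service names: name -> (proto, port).
SERVICES = {
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
    "svc-dhcp": ("udp", 67),
    "any": (None, None),
}


def netdestination(*entries):
    """Build an alias from ("host", ip) / ("network", ip, mask) entries."""
    return [ipaddress.ip_network(f"{e[1]}/32" if e[0] == "host" else f"{e[1]}/{e[2]}")
            for e in entries]


# The netdestinations defined in sections 6 and 7 of the page.
ALIASES = {
    "InternalNetwork": netdestination(("network", "10.0.0.0", "255.0.0.0"),
                                      ("network", "172.16.0.0", "255.255.0.0"),
                                      ("network", "192.168.0.0", "255.255.0.0")),
    "portal-server": netdestination(("host", "10.50.22.221")),
}


def _endpoint(tokens):
    """Consume one src/dst spec: user | any | alias <name> | host <ip> | network <ip> <mask>."""
    kind = tokens.pop(0)
    if kind in ("user", "any"):
        return (kind,)
    if kind in ("alias", "host"):
        return (kind, tokens.pop(0))
    if kind == "network":
        return (kind, tokens.pop(0), tokens.pop(0))
    raise ValueError(f"unknown endpoint keyword {kind!r}")


def parse_rule(text):
    """'user alias portal-server svc-http permit' -> (src, dst, service, action)."""
    tokens = text.split()
    src, dst = _endpoint(tokens), _endpoint(tokens)
    service = tokens.pop(0)
    return src, dst, service, " ".join(tokens)   # action: permit | deny | dst-nat 8080 ...


def _matches(spec, ip, is_client_side):
    kind = spec[0]
    if kind == "any":
        return True
    if kind == "user":                 # "user" means the authenticated client's own address
        return is_client_side
    addr = ipaddress.ip_address(ip)
    if kind == "alias":
        return any(addr in net for net in ALIASES[spec[1]])
    if kind == "host":
        return addr == ipaddress.ip_address(spec[1])
    return addr in ipaddress.ip_network(f"{spec[1]}/{spec[2]}")


ACLS = {
    "block-internal-access": [parse_rule("user alias InternalNetwork any deny")],
    "abc-portal-acl": [parse_rule("user alias portal-server svc-http permit")],
    "captiveportal": [parse_rule("user any svc-http dst-nat 8080"),    # constructed approximation
                      parse_rule("user any svc-https dst-nat 8081")],  # of the built-in ACL
    "allowall": [parse_rule("any any any permit")],
}

ROLES = {
    "web-guest": ["block-internal-access", "allowall"],              # deny evaluated first
    "web-guest-misordered": ["allowall", "block-internal-access"],   # deny can never fire
    "logon": ["abc-portal-acl", "captiveportal"],                    # section 7 initial role
}


def evaluate(role_acls, client_ip, dst_ip, proto, dport):
    """Action for a client-originated flow under a role (ordered ACL names).

    Rules are checked in the order the ACLs are attached; the first match
    wins. No match anywhere is the implicit deny at the end of the role.
    """
    for name in role_acls:
        for src, dst, svc, action in ACLS[name]:
            if not _matches(src, client_ip, True) or not _matches(dst, dst_ip, False):
                continue
            proto_wanted, port_wanted = SERVICES[svc]
            if proto_wanted is not None and (proto_wanted, port_wanted) != (proto, dport):
                continue
            return action
    return "deny"


if __name__ == "__main__":
    for role in ROLES:
        print(role, evaluate(ROLES[role], "192.168.100.50", "10.1.2.3", "tcp", 443))
```

The misordered role permits traffic to 10.1.2.3 because allowall matches first; the logon role lets HTTP reach the portal host, redirects any other HTTP or HTTPS to the controller's portal ports, and drops everything else, which is why the portal's own address must be permitted by a rule ahead of the captiveportal ACL.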
8. Airtime fairness
(Aruba651)(config)# wlan traffic-management-profile test
(Aruba651)(Traffic management profile "test")# shaping-policy fair-access
(Aruba651)(Traffic management profile "test")# exit
(Aruba651)(config)# ap-group demo-group
(Aruba651)(AP group "demo-group")# dot11g-traffic-mgmt-profile test
(Aruba651)(AP group "demo-group")#
9. LACP
LACP is disabled by default.
Each controller supports up to 8 groups (0-7) with up to 8 ports per group; all member ports must have identical settings.
1. Enable LACP and configure the per-port LACP group. The group number range is 0 to 7.
lacp group <0-7> mode {active | passive}
- Active mode: the interface is in an active negotiating state. LACP runs on any link configured in the active state, and the port initiates negotiation with the peer by sending LACP packets.
- Passive mode: the interface is not in an active negotiating state. LACP runs on any link configured in the passive state; the port only responds to negotiation requests (LACP packets) from peer ports that are in the active state.
Note:
A passive port cannot form a channel with another passive port; at least one side must be active.
2. Set the timeout for the LACP session. The timeout is how long a port-channel interface waits for an LACPDU from the remote system before terminating the LACP session. The default is long (90 seconds); short is 3 seconds.
lacp timeout {long | short}
3. Set the port priority.
lacp port-priority <1-65535>
The higher the value, the lower the priority. The range is 1 to 65535 and the default is 255.
4. Add ports to the group:
interface fastethernet 1/1
  lacp timeout short
  lacp group 0 mode active
―――――――――――――――――――――――――――――――――――――――――
10. Remote AP (RAP)
On the controller configure the VPN, the address pool handed to APs once they authenticate, and the ISAKMP pre-shared key. The pool addresses are the RAPs' management (inner) addresses; if other management systems need to reach a RAP directly (for example to ping it), add a static route for this range.
vpdn group l2tp
  ppp authentication PAP
ip local pool <pool-name> <start-ip> <end-ip>
crypto isakmp key <pre-shared-key> address 0.0.0.0 netmask 0.0.0.0
A key bound to address 0.0.0.0 is one secret shared by every RAP; a RAP that is lost or stolen compromises it for all the others. Certificate-based RAP authentication avoids the shared secret.
Configure a server group. A RAP that joins with username/password is authenticated over L2TP/PAP against this group, so add the RAP's username and password on the server (skip this step when RAPs authenticate with certificates):
aaa server-group <group-name>
  auth-server <server-name>
aaa authentication vpn default-rap
  default-role <role>
  server-group <group-name>
local-userdb add username rapuser1 password <password>
Configure the RAP's virtual AP:
wlan ssid-profile <name>
  essid <essid>
  opmode <mode>
  wpa-passphrase <passphrase>    (if the opmode requires it)
Configure the user role used as the dot1x-default-role:
(cli)# netdestination corp
(cli)(config-dest)# network 10.3.10.0 255.255.255.0
(cli)(config-dest)# !
ip access-list session Remote_Enterprise_acl
  any any svc-dhcp permit
  user alias corp any permit
  alias corp user any permit
  user network 224.0.0.0 255.0.0.0 any permit
  alias corp alias corp any permit
  user any any route src-nat
(cli)# user-role corpsplit
(cli)(config-role)# session-acl Remote_Enterprise_acl
(cli)(config-role)# !
In split-tunnel mode only traffic matching the corp alias is tunnelled to the controller; the final rule routes everything else out of the RAP's local uplink with source NAT, so the ACL is what decides which destinations leave the tunnel.
Configure the AAA profile; in split-tunnel mode it selects the role, and therefore the policy, applied to users:
aaa profile <name>
  authentication-dot1x <dot1x-profile>
  dot1x-default-role corpsplit
  dot1x-server-group <group-name>
(cli)# wlan virtual-ap split
(cli)# vlan X                          <-- clients get IP addresses from VLAN X
(cli)# forward-mode split-tunnel
(cli)# aaa-profile <name>
(cli)# rap-operation {always | backup | persistent}
Configure the RAP's wired port:
ap wired-ap-profile Wired_Branch_ap_profile
  wired-ap-enable
  forward-mode split-tunnel
  switchport access vlan 128
!
ap wired-port-profile Wired_Branch_port_profile
  aaa-profile Remote_Ent_aaa_profile
  wired-ap-profile Wired_Branch_ap_profile
Make the RAP a DHCP server:
ap system-profile APGroup1_sys_profile
  lms-ip 63.82.214.194
  rap-dhcp-server-vlan 177
  rap-dhcp-server-id 192.168.177.1
  rap-dhcp-default-router 192.168.177.1
  rap-dhcp-pool-start 192.168.177.100
  rap-dhcp-pool-end 192.168.177.254
!
ap-group <group-name>
  virtual-ap <virtual-ap-name>
Provision the AP in the WebUI: it obtains its address from the controller; change it to remote mode and the AP reboots.
11. Complete MAC authentication example
RADIUS server definition:
aaa authentication-server radius "amigopod"
  host "172.16.0.20"
  key f0e40f33109cd5f863a77327072720aaa4785eff2ca57800
  nas-identifier "Aruba651"
  nas-ip 172.16.0.254
!
aaa server-group "amigopod-srv"
  auth-server amigopod
!
aaa rfc-3576-server "172.16.0.20"
  key 10795ff19c00465dd0b0824e562103bee537be631e5bc876
The key values above are the encrypted form the controller prints in show running-config; when configuring, enter the clear-text shared secret.
MAC authentication profile:
aaa authentication mac "amigopod-mac"
  case upper
  delimiter dash
AAA profile:
aaa profile "amigopod-aaa"
  authentication-mac "amigopod-mac"
  mac-default-role "authenticated"
  mac-server-group "amigopod-srv"
  radius-accounting "amigopod-srv"
  rfc-3576-server "172.16.0.20"
Captive portal profile:
aaa authentication captive-portal "amigopod-cp"
  server-group "amigopod-srv"
  redirect-pause 3
  no logout-popup-window
  protocol-http
  login-page "http://172.16.0.20/aruba_login.php"
protocol-http serves the login page over clear-text HTTP, so guest credentials cross the air unencrypted; use an HTTPS login page (and permit svc-https in the pre-authentication ACL) unless this is deliberately a credential-free portal.
Netdestination alias for Amigopod:
netdestination amigopod
  host 172.16.0.20
Access policy allowing the redirect to Amigopod:
ip access-list session allow-amigopod
  user alias amigopod svc-http permit
  user alias amigopod svc-https permit
Initial role with captive portal enabled:
user-role logon
  captive-portal "amigopod-cp"
  access-list session logon-control
  access-list session allow-amigopod
  access-list session captiveportal
Post-authentication role for MAC authentication:
user-role MAC-Guest
  access-list session allowall
As written, the AAA profile places MAC-authenticated clients in the built-in authenticated role; to use MAC-Guest set mac-default-role "MAC-Guest" or return the role from the RADIUS server. A MAC address is trivially spoofed, so allowall for a role reached by MAC authentication alone is a weak policy; restrict it to what those devices need.
SSID profile:
wlan ssid-profile "MAC-Auth-CP"
  essid "amigo-MAC-CP"
Virtual AP:
wlan virtual-ap "MAC-Auth-CP"
  aaa-profile "amigopod-aaa"
  ssid-profile "MAC-Auth-CP"
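The case and delimiter options in the MAC authentication profile decide the exact username the controller sends to RADIUS, and a user entry stored in a different format simply never matches. The following added example (not Aruba code) renders a client MAC the way the profile above would and looks it up in a constructed RADIUS user table; the assumption that the password sent equals the formatted MAC is the profile's default behaviour as understood here, and the MAC addresses and user entries are made up.

```python
"""Username/password a MAC authentication profile derives from a client MAC.

Added example (not Aruba code). Models the `case` and `delimiter` options
of an ArubaOS MAC authentication profile and the RADIUS lookup they drive.
The RADIUS user table is constructed.
"""
import re

# Delimiter keywords of the profile mapped to the separator they produce.
DELIMITERS = {"colon": ":", "dash": "-", "none": ""}


def format_mac(mac, case="lower", delimiter="colon"):
    """Render a MAC address the way the MAC auth profile sends it to RADIUS.

    Accepts any common input notation (aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff).
    case: "upper" | "lower"; delimiter: "colon" | "dash" | "none".
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if case == "upper" else digits.lower()
    sep = DELIMITERS[delimiter]
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def radius_credentials(mac, profile):
    """(username, password) the controller sends for `mac` under `profile`,
    where profile is a dict such as {"case": "upper", "delimiter": "dash"}."""
    user = format_mac(mac, profile.get("case", "lower"), profile.get("delimiter", "colon"))
    return user, user   # assumption: the password defaults to the same string


# The profile from the page: case upper, delimiter dash.
AMIGOPOD_MAC_PROFILE = {"case": "upper", "delimiter": "dash"}

# Constructed RADIUS user store (username -> password), as an admin might have
# loaded it from a device inventory: one entry in the right format, one not.
RADIUS_USERS = {
    "AA-BB-CC-DD-EE-FF": "AA-BB-CC-DD-EE-FF",
    "00:11:22:33:44:55": "00:11:22:33:44:55",
}


def mac_auth_result(mac, profile=AMIGOPOD_MAC_PROFILE, users=RADIUS_USERS):
    """Simulate the RADIUS lookup: Access-Accept only when the formatted
    username exists and its stored password equals the password sent."""
    user, password = radius_credentials(mac, profile)
    return users.get(user) == password


if __name__ == "__main__":
    for mac in ("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"):
        print(mac, "->", radius_credentials(mac, AMIGOPOD_MAC_PROFILE)[0],
              "accept" if mac_auth_result(mac) else "reject")
```

The second device is rejected even though it is in the table, because its entry was stored as lower-case colon-separated while the profile sends upper-case dash-separated; when MAC authentication fails for a device you know is enrolled, compare the username in the RADIUS server's request log with the profile's case and delimiter before anything else.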
12. LDAP authentication server
Captive portal authentication:
aaa authentication-server ldap "aruba-ldap"
  host 10.1.1.50
  admin-dn "cn=ldapquery2,cn=Users,dc=arubanetworks,dc=com"
  admin-passwd "Zaq1xsw2"
  base-dn "ou=Corp,dc=arubanetworks,dc=com"
!
aaa server-group "aruba-ldap"
  auth-server aruba-ldap
  set role condition memberOf contains "dl-seonly" set-value root
!
The admin-dn account only needs read access below base-dn, so use a dedicated low-privilege bind account, and set preferred-connection-type to ldap-s or start-tls so the bind password and user passwords are not sent in clear text.
To use LDAP for wireless 802.1X users, the controller must terminate EAP itself with EAP-GTC as the inner method: an LDAP bind needs the user's clear-text password, which PEAP/MSCHAPv2 never reveals, while EAP-GTC delivers it.
aaa authentication dot1x "dot1x_prof-yxy03"
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-gtc
!
aaa authentication mgmt            // applied to management users
  default-role "no-access"
  server-group "aruba-ldap"
  enable
!
Note:
An LDAP server cannot be used for 802.1X authentication unless EAP is terminated on the controller as above; captive portal authentication works against LDAP directly.
13. Wired port NAT
Each pool maps one public address (start and end address are the same) to the inner host given as the last argument, a one-to-one mapping; the netdestinations below name the public addresses so session ACLs can refer to them.
!
ip NAT pool Dell-AirWave 63.80.98.56 63.80.98.56 172.16.0.246
ip NAT pool SE-WebServer 63.80.98.59 63.80.98.59 172.16.0.16
ip NAT pool PDL-eTips 63.80.98.61 63.80.98.61 172.16.0.15
ip NAT pool PDL-Clearpass 63.80.98.60 63.80.98.60 172.16.0.13
ip NAT pool PDL-AirWave 63.80.98.49 63.80.98.49 172.16.0.252
!
netdestination PDL-Airwave-Live
  host 63.80.98.49
!
netdestination IPComms
  host 64.154.41.150
!
netdestination SE-WebServer
  host 63.80.98.59
!
netdestination Live-IP
  host 63.80.98.41
!
netdestination PDL-eTips
  host 63.80.98.61
!
netdestination De