Aruba controller operation and configuration template (Chinese document format).docx
- Uploaded: 2023-05-06
1. root - superuser role
2. guest-provisioning - guest provisioning role
3. network-operations - Network operator role
4. read-only - Read only role
5. location-api-mgmt - Location API Management Role

aaa authentication-server tacacs TACACS-SERVER
   host TACACS_SERVER_IP
   key PRESHARE_KEY
   session-authorization
!
aaa server-group TACACS-SERVER-GRP
   auth-server TACACS-SERVER
aaa tacacs-accounting server-group TACACS-SERVER-GRP mode enable command [all|action|configuration|show]
server-group TACACS-SERVER-GRP
enable
2. System default roles and policies:
Default policies:
ip access-list session control, validuser, allowall, icmp-acl, logon-control, captiveportal, tftp-acl, https-acl, http-acl, dhcp-acl, ap-acl
Default roles:
user-role ap-role, voice, guest-logon (portal authentication), guest, authenticated, logon
――――――――――――――――――――――――――――――――――――
3. Local database operations
local-userdb export <filename>
local-userdb import <filename>
local-userdb add {generate-username|username <name>} {generate-password|password <password>}
――――――――――――――――――――――――――――――――――――――――
4. Configure the DHCP service:
ip dhcp pool user-pool
   default-router 192.168.100.1
   dns-server 192.168.100.1
   network 192.168.100.0 255.255.255.0
service dhcp
ip dhcp excluded-address 192.168.100.1 192.168.100.10
5. Configure bandwidth:
aaa bandwidth-contract BC512_up kbps 512
user-role web-guest
   bw-contract BC512_up per-user upstream
―――――――――――――――――――――――――――――――――――――
6. Policies:
Restrict access to the internal network
netdestination "InternalNetwork"
   network 10.0.0.0 255.0.0.0
   network 172.16.0.0 255.255.0.0
   network 192.168.0.0 255.255.0.0
ip access-list session block-internal-access
   user alias "InternalNetwork" any deny
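The following Python model is added here as an illustration and is not ArubaOS code. It evaluates the session ACLs from sections 6 and 7 the way the controller applies a role's ACL list: ordered first match, netdestination aliases expanded to networks, and an implicit deny when no rule matches. It also shows the caveat that the "InternalNetwork" alias above, with mask 255.255.0.0, covers only 172.16.0.0/16, so a destination such as 172.20.1.1 is not blocked. The alias table, the port-number service model and the test addresses are constructed.

```python
import ipaddress

# Constructed alias table mirroring the page's netdestination blocks; only
# "network <addr> <mask>" and "host <addr>" entries are modelled (assumption).
ALIASES = {
    "InternalNetwork": ["10.0.0.0/255.0.0.0", "172.16.0.0/255.255.0.0",
                        "192.168.0.0/255.255.0.0"],
    "portal-server": ["10.50.22.221/32"],
}

# A session ACL is an ordered list of (src, dst, service, action) rules.
# src "user" means traffic from the client; "any" matches everything.
# Services are modelled as a TCP destination port or "any" (simplification).
BLOCK_INTERNAL = [("user", "alias InternalNetwork", "any", "deny")]
ABC_PORTAL_ACL = [("user", "alias portal-server", 80, "permit")]   # svc-http
ALLOWALL = [("any", "any", "any", "permit")]                        # default policy

def dst_matches(dst_spec, dst_ip):
    """Expand 'alias <name>' through the alias table; 'any' always matches."""
    if dst_spec == "any":
        return True
    name = dst_spec.split(" ", 1)[1]
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in ALIASES[name])

def evaluate(role_acls, dst_ip, dport):
    """First-match evaluation across the ACLs bound to a role, in order.
    Returns "permit" or "deny"; no match at all is an implicit deny."""
    for acl in role_acls:
        for src, dst, svc, action in acl:
            if src not in ("user", "any"):
                continue
            if not dst_matches(dst, dst_ip):
                continue
            if svc != "any" and svc != dport:
                continue
            return action
    return "deny"

if __name__ == "__main__":
    logon_role = [ABC_PORTAL_ACL]
    restricted_role = [BLOCK_INTERNAL, ALLOWALL]
    print(evaluate(logon_role, "10.50.22.221", 80))      # permit: portal over HTTP
    print(evaluate(logon_role, "10.50.22.221", 443))     # deny: HTTPS not in the ACL
    print(evaluate(restricted_role, "172.16.5.5", 443))  # deny: inside 172.16.0.0/16
    print(evaluate(restricted_role, "172.20.1.1", 443))  # permit: /16 mask misses it
```

Swapping the order of the two ACLs in the restricted role (allowall first) permits the internal destination, which is why the deny ACL must be bound before allowall.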
7. Configure portal (captive portal) authentication:
With an external portal:
netdestination portal-server
   host 10.50.22.221
ip access-list session abc-portal-acl
   user alias portal-server svc-http permit
aaa authentication captive-portal c-portal
   default-role employee
   server-group cp-srv
   login-page http://192.168.100.10/test.php
user-role logon
   captive-portal c-portal
   session-acl abc-portal-acl
aaa profile aaa_c-portal
   initial-role logon
wlan ssid-profile ssid_c-portal
   essid c-portal-ap
wlan virtual-ap vp_c-portal
   aaa-profile aaa_c-portal
   ssid-profile ssid_c-portal
   vlan 20
Adding a whitelist under the portal:
(host)(config) #netdestination "Mywhite-list"
(host)(config) #name
(host)(config) #aaa authentication captive-portal default
(host)(Captive Portal Authentication Profile "default") #white-list Mywhite-list
Note:
When several captive-portal virtual APs are configured on one controller, each captive portal must be given its own initial role and user role, captive-portal profile, AAA profile and SSID profile.
8. Configure airtime fairness
(Aruba651)(Traffic management profile "test") #shaping-policy fair-access
(Aruba651)(Traffic management profile "test") #exit
(Aruba651)(config) #ap-group demo-group
(Aruba651)(AP group "demo-group") #dot11g-traffic-mgmt-profile test
(Aruba651)(AP group "demo-group") #
9. Configure LACP:
LACP is not enabled by default.
Each device can create at most 8 groups (0-7); each group allows at most 8 member ports, and all ports must have the same attributes.
1. Enable LACP and configure the per-port specific LACP. The group number range is 0 to 7.
lacp group <group_number> mode {active|passive}
Active mode: the interface is in active negotiating state. LACP runs on any link that is configured to be in the active state. The port in an active mode also automatically initiates negotiations with other ports by initiating LACP packets.
Passive mode: the interface is not in an active negotiating state. LACP runs on any link that is configured in a passive state. The port in a passive mode responds to negotiation requests from other ports that are in an active state. Ports in passive state respond to LACP packets.
A port in passive mode cannot bring up a channel with another port in passive mode.
2. Set the timeout for the LACP session. The timeout value is the amount of time that a port-channel interface waits for a LACPDU from the remote system before terminating the LACP session. The default timeout value is long (90 seconds); short is 3 seconds.
lacp timeout {long|short}
3. Set the port priority.
lacp port-priority <priority_value>
The higher the priority value, the lower the priority. Range is 1 to 65535 and default is 255.
4. Apply to the port:
interface fastethernet 1/1
   lacp timeout short
   lacp group 0 mode active
―――――――――――――――――――――――――――――――――――――――――
10. Configure RAP (remote AP)
On the controller, configure the VPN, the address pool assigned to APs after authentication, and the ISAKMP pre-shared key.
Note: the address pool provides the RAP's management address; if other management systems must ping the RAP directly, a static route for this address range must be configured.
vpdn group l2tp
   ppp authentication PAP
ip local pool <pool> <start-ipaddr> <end-ipaddr>
crypto isakmp key <key> address 0.0.0.0 netmask 0.0.0.0
On the controller, configure a server group. The RAP connects with a username/password, so add that username and password on the server; they are used for L2TP/PAP authentication (if certificate-based authentication is used, this step can be skipped).
aaa server-group <group>
   auth-server <server>
aaa authentication vpn default-rap
   default-role <
   server-group <
local-userdb add username rapuser1 password <
Configure the remote AP's VAP:
wlan ssid-profile <profile>
   essid <
   opmode <method>
   wpa-passphrase <string> (if necessary)
Configure the user role used as dot1x-default-role:
(cli) #netdestination corp
(cli)(config-dest) #network 10.3.10.0 255.255.255.0
(cli)(config-dest) #
ip access-list session Remote_Enterprise_acl
   any any svc-dhcp permit
   user alias corp any permit
   alias corp user any permit
   user network 224.0.0.0 255.0.0.0 any permit
   alias coopr alias corp any permit
   user any any route src-nat
(cli) #user-role corpsplit
(cli)(config-role) #session-acl Remote_Enterprise_acl
(cli)(config-role) #
Configure the AAA profile; with split-tunnel it specifies the user-role policy:
aaa profile <
   authentication-dot1x <
   dot1x-default-role <
   dot1x-server-group <
(cli) #wlan virtual-ap split
(cli) #vlan X    -- Clients get IP addr. from VLAN X
(cli) #forward-mode split-tunnel
   aaa-profile <
   rap-operation {always|backup|persistent}
Configure the RAP's wired port:
ap wired-ap-profile Wired_Branch_ap_profile
   wired-ap-enable
   forward-mode split-tunnel
   switchport access vlan 128
ap wired-port-profile Wired_Branch_port_profile
   aaa-profile Remote_Ent_aaa_profile
   wired-ap-profile Wired_Branch_ap_profile
Configure the RAP as a DHCP server:
ap system-profile APGroup1_sys_profile
   lms-ip 63.82.214.194
   rap-dhcp-server-vlan 177
   rap-dhcp-server-id 192.168.177.1
   rap-dhcp-default-router 192.168.177.1
   rap-dhcp-pool-start 192.168.177.100
   rap-dhcp-pool-end 192.168.177.254
ap-group <
   virtual-ap <
Provision the AP in the WebUI: it obtains an IP address from the controller; change it to remote mode and the AP reboots.
11. Complete MAC authentication example
RADIUS Server Definition:
Server authentication
aaa authentication-server radius "amigopod"
   host "172.16.0.20"
   key f0e40f33109cd5f863a77327072720aaa4785eff2ca57800
   nas-identifier "Aruba651"
   nas-ip 172.16.0.254
aaa server-group "amigopod-srv"
   auth-server amigopod
aaa rfc-3576-server "
   key 10795ff19c00465dd0b0824e562103bee537be631e5bc876
MAC Authentication Profile:
MAC authentication
aaa authentication mac "amigopod-mac"
   case upper
   delimiter dash
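An added Python illustration (not ArubaOS code) of what the "case upper" and "delimiter dash" settings in the MAC authentication profile above control: the controller sends the client MAC as the RADIUS User-Name (and, by default, also as the User-Password; this default is an assumption) formatted by those two settings, so the entry stored on the RADIUS server must match that exact string. The parser, the three delimiter styles modelled (none, dash, colon) and the sample MAC addresses are constructed.

```python
import re

# Delimiter keywords of the profile mapped to the character inserted between octets.
DELIMITERS = {"none": "", "dash": "-", "colon": ":"}

def parse_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    and return the 12 hex digits in lowercase; anything else is rejected."""
    if re.search(r"[^0-9a-fA-F:.\-]", raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()

def radius_username(raw_mac, case="upper", delimiter="dash"):
    """User-Name the controller sends for a profile with the given case/delimiter
    (defaults mirror the "amigopod-mac" profile on the page)."""
    hexd = parse_mac(raw_mac)
    octets = [hexd[i:i + 2] for i in range(0, 12, 2)]
    name = DELIMITERS[delimiter].join(octets)
    return name.upper() if case == "upper" else name.lower()

def db_entry_matches(raw_mac, db_username, case="upper", delimiter="dash"):
    """Exact string comparison: a server entry stored in another style (colons,
    lowercase) fails authentication even though it is the same MAC address."""
    return radius_username(raw_mac, case, delimiter) == db_username
```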
AAA Profile:
aaa profile "amigopod-aaa"
   authentication-mac "
   mac-default-role "authenticated"
   mac-server-group "
   radius-accounting "
   rfc-3576-server "
Captive Portal Profile:
aaa authentication captive-portal "amigopod-cp"
   server-group "
   redirect-pause 3
   no logout-popup-window
   protocol-http
   login-page "http://172.16.0.20/aruba_login.php"
Netdestination Alias for Amigopod:
netdestination amigopod
   host 172.16.0.20
Access Policy to allow redirect to Amigopod:
Permitted ACL
ip access-list session allow-amigopod
   user alias amigopod svc-http permit
   user alias amigopod svc-https permit
Initial Role with Captive Portal enabled:
Configure the initial role
   captive-portal "
   access-list session logon-control
   access-list session allow-amigopod
   access-list session captiveportal
Post Authentication Role for MAC Authentication:
Configure the MAC authentication role
user-role MAC-Guest
   access-list session allowall
SSID Profile:
wlan ssid-profile "MAC-Auth-CP"
   essid "amigo-MAC-CP"
Virtual AP:
wlan virtual-ap "
   aaa-profile "
   ssid-profile "
12. Configure an LDAP authentication server
Portal authentication
aaa authentication-server ldap "aruba-ldap"
   host 10.1.1.50
   admin-dn "cn=ldapquery2,cn=Users,dc=arubanetworks,dc=com"
   admin-passwd "Zaq1xsw2"
   base-dn "ou=Corp,dc=arubanetworks,dc=com"
auth-server aruba-ldap
set role condition memberOf contains "dl-seonly" set-value root
If LDAP authentication is applied to wireless users' 802.1X, the EAP-GTC method must be used:
aaa authentication dot1x "dot1x_prof-yxy03"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-gtc
!
aaa authentication mgmt   // applied to management users
   default-role "no-access"
An LDAP authentication server cannot be used for 802.1X authentication, but it can be used for portal authentication.
13. Wired port NAT
ip NAT pool Dell-AirWave 63.80.98.56 63.80.98.56 172.16.0.246
ip NAT pool SE-WebServer 63.80.98.59 63.80.98.59 172.16.0.16
ip NAT pool PDL-eTips 63.80.98.61 63.80.98.61 172.16.0.15
ip NAT pool PDL-Clearpass 63.80.98.60 63.80.98.60 172.16.0.13
ip NAT pool PDL-AirWave 63.80.98.49 63.80.98.49 172.16.0.252
netdestination PDL-Airwave-Live
   host 63.80.98.49
netdestination IPComms
   host 64.154.41.150
netdestination SE-WebServer
   host 63.80.98.59
netdestination Live-IP
   host 63.80.98.41
netdestination PDL-eTips
   host 63.80.98.61
netdestination De