Blocking VPN services has become fashionable lately. The usual way is to do it with rules configured on the firewall (FW) devices. But rules on the firewall do not cut off the Wi-Fi client's VPN session at the wireless edge; the VPN traffic still has to travel all the way to the firewall before it is dropped, and the rules add load to the firewall. If you have a controller with Layer 4 to Layer 7 firewall features, you can do this far more conveniently, and the Aruba controller is one such device. I was successful in the tests I carried out. As an example, I am sharing the Access Role definition below.
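The Access Role itself did not survive on this page, so what follows is an added example of what such a role can look like on an ArubaOS 6.x controller; it is written for this page and is not the author's configuration. It assumes the built-in netservice aliases svc-ike, svc-natt, svc-esp, svc-l2tp, svc-pptp and svc-gre, defines svc-openvpn itself because there is no default alias, and uses employee as a placeholder name for the role that authenticated Wi-Fi users land in. Lines beginning with ! are annotations. Port and protocol rules like these catch IPsec, L2TP, PPTP and OpenVPN on their default ports; an SSL VPN riding on TCP 443 looks like ordinary HTTPS to a Layer 4 rule and needs an application-aware (AppRF) rule instead.

```text
! Added example, not the author's original role.
! svc-openvpn has no built-in alias, so define it; the other aliases are ArubaOS defaults.
netservice svc-openvpn udp 1194

! Session ACL that drops the VPN transports; "log" records each hit in the security log.
ip access-list session block-vpn
  any any svc-ike     deny log
  any any svc-natt    deny log
  any any svc-esp     deny log
  any any svc-l2tp    deny log
  any any svc-pptp    deny log
  any any svc-gre     deny log
  any any svc-openvpn deny log

! Placeholder role for authenticated Wi-Fi users. ACLs are evaluated in order,
! so block-vpn must precede the ACLs that permit general traffic.
user-role employee
  session-acl block-vpn
  session-acl allowall
```

After applying it, show rights employee should list block-vpn before allowall; if the deny ACL sits below a permit ACL it never matches, because the first matching rule wins.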

Good luck.

Download the instant AP image from support.arubanetworks.com
Start a TFTP server on your PC
Make sure that the TFTP server root is where your image file is
Boot the AP with a serial cable attached
Press Ctrl+C during boot to break into the bootloader prompt if the AP does not stop there on its own

Now use this command to upgrade the AP image.

upgrade os :

E.g.


There are two ways to restore admin access to the GUI

1) CLI – requires root access to the AMP

a. Log in to the CLI and open the database console with 'db'
b. Run the query as shown below

airwave=> select login_attempts,is_enabled from users where username = 'admin';
-[ RECORD 1 ]--+---
login_attempts | 10
is_enabled     | 0

As you can see, is_enabled = 0 indicates that the account was disabled after 10 incorrect login attempts

c. To restore access, update the column in the db as shown below

airwave=> update users set is_enabled = 1 where username = 'admin';
UPDATE 1

This restores access to the AMP GUI for the admin user. If you also want the failed-login counter to start again from zero, set login_attempts = 0 in the same statement.

2) Log in to the GUI using another admin account. If you do not have another admin account, the CLI procedure above is the only way to restore access

a. Go to AMP Setup > Users
b. Edit the user account that has been disabled to enable access again.

From the CLI, the admin password can also be reset directly:

# dbc "update users set password='2cf94b0aea63ebf7bf41c90fe500603e' where username='admin';"

If you use a name other than admin, change the where clause. For example, to set merterdil's password to admin:

# dbc "update users set password='2cf94b0aea63ebf7bf41c90fe500603e' where username='merterdil';"

Because this hash value is public, log in and change the password straight away.
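As an added example (not from the original post), the re-enable can be done in one dbc call that also resets the failed-login counter, followed by a query to confirm the result. It assumes the users table columns already shown on this page (username, is_enabled, login_attempts), uses merterdil as a placeholder account, and shows the output in the form psql prints it, so exact spacing may differ on your AMP:

```text
# dbc "update users set is_enabled = 1, login_attempts = 0 where username = 'merterdil';"
UPDATE 1
# dbc "select username, login_attempts, is_enabled from users where username = 'merterdil';"
 username  | login_attempts | is_enabled
-----------+----------------+------------
 merterdil |              0 |          1
(1 row)
```

The UPDATE 1 line is the check worth reading: UPDATE 0 means the where clause matched no row, usually a misspelled username, and nothing was changed.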

Configure 802.1X Wireless Clients Running Windows Vista with Group Policy

Applies To: Windows Server 2008

Use the procedures in this topic to configure the Wireless Network (IEEE 802.11) Policies for client computers running Windows Vista® that connect to your wireless network through 802.1X authenticating wireless access points (APs).

This document provides the detailed steps to create and configure the Windows Vista Wireless Network (IEEE 802.11) Policies and wireless configuration profiles for wireless computers running Windows Vista.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Configure wireless clients running Windows Vista by using the Wireless Network (IEEE 802.11) Policies

The New Vista Wireless Network (IEEE 802.11) Policies enables you to configure, prioritize and manage multiple wireless profiles that each use different profile names and different wireless settings, while using the same Service Set Identifier (SSID). For example, you can configure two (or more) profiles using the same SSID; one profile to use Smart Cards and one profile to use Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), or one using Wi-Fi Protected Access version 2 (WPA2)-Enterprise and one using WPA-Enterprise. The ability to configure mixed-mode deployments using a common SSID is one of the enhancements in the Wireless Network (IEEE 802.11) Policies for Windows Vista.

Note
You can use the Windows Vista Wireless Network (IEEE 802.11) Policies to configure wireless computers running Windows Vista and Windows Server 2008. You cannot use this policy to configure computers running Windows XP, because they cannot interpret the settings in a Windows Vista Wireless Network (IEEE 802.11) Policies.

You can use these features to configure security and authentication settings, manage wireless profiles, and specify permissions for wireless networks that are not configured as preferred networks.

Opening the Wireless Network (IEEE 802.11) Policies properties

Use this procedure to access the Wireless Network (IEEE 802.11) Policies.

To open the Wireless Network (IEEE 802.11) Policies properties

  1. Open the Group Policy Management Console (GPMC).
  2. In Default Domain Policy, open Computer Configuration, open Windows Settings, open Security Settings, and then select Wireless Network (IEEE 802.11) Policies.
    • If a Wireless Network Policy with the Type listed as Vista is shown in the details pane, right-click that policy, and then click Properties to open the properties of the wireless policy.
      Note
      The wireless policy is not necessarily listed as New Vista Wireless Network Policy in the details pane of the GPMC. If the default policy name was previously changed from New Vista Wireless Network Policy to another name, the new name is what the GPMC details pane shows.
    • If no Wireless Network Policy with the Type listed as Vista is shown in the details pane, right-click Wireless Network (IEEE 802.11) Policies, and then click Create A New Windows Vista Policy to create and open New Vista Wireless Network Policy Properties.
      Note
      After the Windows Vista wireless policy is added, it is listed in the GPMC details pane only when Wireless Network (IEEE 802.11) Policies is selected.

Configure PEAP-MS-CHAP v2 and EAP-TLS wireless infrastructure profiles

The procedures in this section provide the steps to configure the Windows Vista Wireless Network (IEEE 802.11) Policies to create one or more wireless profiles that wireless clients running Windows Vista will use to connect to your wireless network. The first procedure provides the steps to use Windows Vista Wireless Network (IEEE 802.11) Policies to configure a wireless profile for PEAP-MS-CHAP v2. The second procedure provides the steps to use Windows Vista Wireless Network (IEEE 802.11) Policies to configure a wireless profile for EAP-TLS.

Note
PEAP-MS-CHAP v2 is easier to deploy than other authentication methods such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). PEAP does not require a public key infrastructure (PKI): only the Remote Authentication Dial-In User Service (RADIUS) server needs a certificate, and that certificate can come from a public CA. PEAP also does not require client-side credentials such as smart cards or client certificates to validate connecting clients.
Configuring a PEAP-MS-CHAP v2 wireless profile

This procedure provides the steps required to configure a PEAP-MS-CHAP v2 wireless profile.

To configure a PEAP-MS-CHAP v2 wireless profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, do one of the following:
    • To add a new profile, click Add, and then select Infrastructure.
    • To modify an existing profile, select the profile, and then click Edit.
    Note
    For more information about the settings on any tab, press F1 while viewing that tab.
  2. On the Connection tab, do the following:
    1. In Profile Name, type a name for this wireless profile.
    2. In Network Name(s) (SSID), type the SSID that corresponds to the SSID configured on your wireless APs, and then click Add.
    3. If present, select NEWSSID, and then click Remove.
    4. If your wireless access point is configured to suppress its broadcast beacon, select Connect even if the network is not broadcasting.
      Note
      Enabling this option creates a security risk: the client actively probes for the hidden SSID wherever it is and attempts to connect to any access point that answers with that name, which discloses the network name and lets a rogue access point pose as your network. By default, this setting is not enabled.
  3. Click the Security tab, click Advanced, and then configure the following:
    1. To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.
      Note
      When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, and Auth Period are sufficient for most wireless deployments.
    2. To enable Single Sign On, select Enable Single Sign On for this network.
      Note
      The remaining default values in Single Sign On are sufficient for most wireless deployments.
    3. In Fast Roaming, select This network uses pre-authentication, if your wireless AP is configured for pre-authentication.
  4. Click OK to return to the Security tab, and then configure the following:
    1. In Select the security methods for this network, for Authentication, select WPA2-Enterprise if it is supported by your wireless AP and wireless client network adapters. Otherwise, select WPA-Enterprise.
    2. In Encryption, select AES, if it is supported by your wireless AP and wireless client network adapters. Otherwise, select TKIP.
      Note
      The settings for both Authentication and Encryption must match the settings configured on your wireless AP. On the Security tab, the default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are sufficient for most wireless deployments.
  5. In Select a network authentication method, select Protected EAP (PEAP), and then click Properties. In the Protected EAP Properties dialog box, configure the following:
    1. Verify that Validate server certificate is selected.
    2. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your Network Policy server.
      Note
      This setting limits the root CAs that clients trust for this network to the selected values. If no trusted root CA is selected, clients accept a server certificate issued by any CA in their Trusted Root Certification Authorities store, so a rogue access point presenting a certificate from any other trusted CA would pass validation. Select only the CA that issued your NPS server certificate.
    3. In the Select Authentication Method list, select Secured password (EAP-MS-CHAP v2).
    4. Select Enable Fast Reconnect.
    5. Clear Enable Quarantine checks.
  6. Click Configure. In the EAP MSCHAPv2 Properties dialog box, verify Automatically use my Windows logon name and password (and domain if any) is selected, click OK, and then click OK to close Protected EAP Properties.
  7. Click OK to close the Security tab.
Configuring an EAP-TLS wireless profile

This procedure provides the steps required to configure an EAP-TLS wireless profile.

To configure an EAP-TLS wireless profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, click Add, and then select Infrastructure.
    Note
    For more information about the settings on any tab, press F1 while viewing that tab.
  2. On the Connection tab, do the following:
    1. In Profile Name, type a name for the EAP-based profile.
    2. In Network Name(s) (SSID), type the SSID that corresponds to the SSID configured on your wireless APs, and then click Add.
    3. If present, select NEWSSID, and then click Remove.
    4. If your wireless access point is configured to suppress its broadcast beacon, select Connect even if the network is not broadcasting.
      Note
      Enabling this option creates a security risk: the client actively probes for the hidden SSID wherever it is and attempts to connect to any access point that answers with that name, which discloses the network name and lets a rogue access point pose as your network. By default, this setting is not enabled.
  3. Select the Security tab, click Advanced, and then configure the following:
    1. To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.
      Note
      When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, and Auth Period are sufficient for most wireless deployments.
    2. In Single Sign On, select Enable Single Sign On for this network.
      Note
      The remaining default values in Single Sign On are sufficient for most wireless deployments.
    3. In Fast Roaming, select This network uses pre-authentication if your wireless AP is configured for pre-authentication.
  4. Click OK to return to the Security tab, and then configure the following:
    1. In Select the security methods for this network, for Authentication, select WPA2-Enterprise if it is supported by your wireless AP and wireless client network adapters. Otherwise, select WPA-Enterprise.
    2. In Encryption, select AES (preferred) if it is supported by your wireless AP and wireless client network adapters. Otherwise, select TKIP.
      Note
      The settings for both Authentication and Encryption must match the settings configured on your wireless AP. On the Security tab, the default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are sufficient for most wireless deployments.
  5. In Select a network authentication method, select Smart Card or other certificate (EAP-TLS). On the Security tab, click Properties, and then configure the following:
    1. In When connecting, verify that Use a certificate on this computer and Use simple certificate selection are selected.
    2. Verify that Validate server certificate is selected.
    3. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your Network Policy Server (NPS).
      Note
      This setting limits the root CAs that clients trust for this network to the selected values. If no trusted root CA is selected, clients accept a server certificate issued by any CA in their Trusted Root Certification Authorities store, so a rogue access point presenting a certificate from any other trusted CA would pass validation. Select only the CA that issued your NPS server certificate.
  6. Click OK to close Smart Card or other Certificate Properties, and then click OK again to close the EAP Profile.

Configuring connection preference order for wireless networks

Wireless clients running Windows Vista attempt to connect to wireless networks in the order specified in Windows Vista Wireless Policy. This procedure demonstrates how to specify the order of wireless profiles to which domain clients running Windows Vista will attempt to connect.

To specify the order of wireless networks

  1. Open the Windows Vista Wireless Network (IEEE 802.11) Policies Properties. On the General tab, in Connect to available networks in the order of profiles listed below, select any profile, then click the “up arrow” or the “down arrow” to move the profile to the desired location in the list.
  2. Click OK to save the change, and then close the Windows Vista Wireless Policy.

Defining network permissions

You can configure the following on the Network Permissions tab to specify network permissions:

  • To block your domain members running Windows Vista from gaining access to ad hoc networks, select Prevent connections to ad-hoc networks.
  • To block your domain members running Windows Vista from gaining access to infrastructure networks, select Prevent connections to infrastructure networks.
  • To allow your domain members running Windows Vista to view network types (ad hoc or infrastructure) to which they are denied access, select Allow user to view denied networks.
    Note
    The Remove button on the Network Permissions tab allows you to remove only those networks that you have defined by using the Add feature. Networks that are defined on the General tab, in Connect to available networks in the order of profiles listed below, cannot be removed from the permissions list.
Adding wireless networks to the Deny list

For a variety of reasons, you might want to block managed wireless computers from connecting to other wireless networks that are within range of the organization’s wireless network. For example, an adjoining building might have a wireless AP broadcasting, which can be seen on your network wireless client computers running Windows Vista.

This procedure demonstrates how to use the Windows Vista Wireless Network (IEEE 802.11) Policies to allow or deny permissions for wireless networks.

To add a wireless network to the Deny list

  1. Open the Windows Vista Wireless Policy.
  2. On the Network Permissions tab, click Add.
  3. On the New Permission Entry dialog box, configure the following:
    1. In Network Name (SSID) type the SSID of a wireless network.
    2. In Network Type, select Infrastructure or Ad-hoc.
      Note
      If you are unsure whether the broadcasting network is an infrastructure or ad hoc network, you can configure a network permission entry for both types.
    3. In Permission, select Deny.
  4. Click OK. On the Network Permissions tab, select Allow user to view denied networks, and then click OK.
To prevent users from viewing blocked networks

This procedure demonstrates how to prevent your wireless clients from displaying broadcasting networks to which you have denied access.

To prevent users from viewing networks in the Deny list

  1. Open the Windows Vista Wireless Policy.
  2. On the Network Permissions tab, clear the Allow user to view denied networks check box, and then click OK.
Exporting wireless profiles

In addition to creating a backup of configured profiles, the export and import features are used to support independent hardware vendor (IHV) extensibility. An administrator can include IHV-specific connectivity or security settings in an Extensible Markup Language (XML) profile and then import this profile to wireless Group Policy. Because these settings do not display onscreen in Windows Vista, importing them is the only way that a profile can include these settings in wireless Group Policy.

This procedure demonstrates how to export a wireless profile.

To export a wireless profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, in Connect to available networks in the order of profiles listed below, select the profile you want to export, and then click Export.
  2. In the Save exported profile as dialog box, verify that Save as type is (*.xml), and then click Save.
    Note
    By default, the profile is saved as an XML file in the Documents folder of the current user, and the profile name is used as the file name. If you give the exported file a different name, such as "Backup.xml", the profile still appears under Connect to available networks in the order of profiles listed below with its original profile name and SSID when it is imported.
Importing a wireless profile

This procedure demonstrates how to import a wireless profile. You can use the import feature to restore profiles that have been deleted. You can also use the import feature to restore a profile that was changed after a backup copy was exported.

To import a wireless profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, in Connect to available networks in the order of profiles listed below, click Import.
  2. In Import a profile, navigate to the profile that you want to import, and then click Open.
    Note
    By default, the Open to import a profile dialog box opens the most recent directory accessed with the import and export features.
  3. Select the profile, and then click Open.

Reference https://technet.microsoft.com

Enabling AppRF visibility allows you to view the AppRF statistics for an IAP or the clients associated with an IAP. When visibility is enabled, the AppRF link appears on the dashboard area of the main window. On clicking this link, you can view the client traffic flow based on the enforcements.

You can enable AppRF visibility through the Instant UI or CLI:

In the Instant UI

1. Navigate to System>General.
2. Select Enabled from the AppRF visibility drop-down.
3. Click OK.

In the CLI

To enable AppRF visibility:

(Instant AP)(config)# dpi

(Instant AP)(config)# end

(Instant AP)# commit apply

To upgrade a Brocade switch, follow the steps below in order.

First, run a TFTP server on your computer and put the .bin file of the target version in its root folder. The steps to perform on the switch, in order, are as follows.

With the command below we copy the version file from our TFTP server into the primary partition of the flash on the switch.

After running the command above, the version file has been transferred from the TFTP server. Next, in config mode, we set which partition the device will boot from, using the command below. (The device must be rebooted from whichever partition the new version was copied into; this may be the partition it already boots from.)

After entering this command, we save our changes and reboot the device with the reload command.
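As an added example, here is the complete sequence as it would be typed on a Brocade FastIron switch, with the TFTP server 10.0.0.5 and the image file FCXR08030.bin as placeholders; this is not the author's screenshot, so check the exact file name and partition against your own setup. Lines starting with ! are annotations.

```text
! Record the running version and see what each flash partition holds
show version
show flash

! Copy the new image from the TFTP server into the primary flash partition.
! The secondary partition is untouched, so keep a known-good image there as a fallback.
copy tftp flash 10.0.0.5 FCXR08030.bin primary

! Boot from the partition that now holds the new image
configure terminal
boot system flash primary
end

! Save the configuration and reboot, then confirm the new version is running
write memory
reload
show version
```

Run show flash again before the reload and compare the size of the primary image with the file on your TFTP server: a truncated transfer is the usual reason a switch fails to come back up after this procedure.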

Good luck.

Communication Between Aruba Devices

This section describes the network ports that need to be configured on the firewall to allow proper operation of the Aruba network.

Between any two controllers:

  • IPsec: IKE (UDP port 500), NAT-T (UDP port 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPsec.
  • IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
  • GRE (protocol 47) if guest traffic is tunneled over GRE to a DMZ controller.

Between an AP and the master controller:

  • PAPI (UDP port 8211). If the AP uses DNS to discover the LMS controller, the AP first attempts to connect to the master controller. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)
  • PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master controller.

From an AP to the LMS controller:

  • FTP (TCP port 21).
  • TFTP (UDP port 69) for AP-52. For all other APs, if there is no local image on the AP (for example, a brand new AP), the AP uses TFTP to retrieve the initial image.
  • NTP (UDP port 123).
  • SYSLOG (UDP port 514).
  • PAPI (UDP port 8211).
  • GRE (protocol 47).

Between a Remote AP (IPsec) and a controller:

  • NAT-T (UDP port 4500).
  • TFTP (UDP port 69).
    Note: TFTP is not needed for normal operation. If the remote AP loses its local image for any reason, it uses TFTP to download the latest image.

Network Management Access

This section describes the network ports that need to be configured on the firewall to manage the Aruba network.

For WebUI access between the network administrator's computer (running a Web browser) and a controller:

  • HTTP (TCP ports 80 and 8888) or HTTPS (TCP ports 443 and 4343).
  • SSH (TCP port 22) or TELNET (TCP port 23).

Prefer HTTPS and SSH and leave HTTP and Telnet closed where you can: both carry administrator credentials in cleartext.

For Aruba Mobility Management System (MMS) access between the network administrator's computer (running a Web browser) and the MMS Server:

  • HTTPS (TCP port 443).
  • HTTP (TCP port 80).
  • SSH (TCP port 22) for troubleshooting.

For SSL tunnels between MMS Servers in high availability configuration:

  • TCP 11312 (used for application messages).
  • TCP 11315 (used for database synchronization).
  • TCP 11873 (used for file synchronization).

For MMS access between the MMS Server and controllers:

  • SNMP (UDP ports 161 and 162).
  • PAPI (UDP port 8211 and TCP port 8211).
  • HTTPS (TCP port 443).

Other Communications

This section describes the network ports that need to be configured on the firewall to allow other types of traffic in the Aruba network. Open only the ports you actually need.

  • For logging: SYSLOG (UDP port 514) between the controller and syslog servers.
  • For software upgrade or retrieving system logs: TFTP (UDP port 69), FTP (TCP port 21) or SCP over SSH (TCP port 22) between the controller and a software distribution server.
  • If the controller is a PPTP VPN server, allow PPTP (TCP port 1723) and GRE (protocol 47) to the controller.
  • If the controller is an L2TP/IPsec VPN server, allow NAT-T (UDP port 4500), ISAKMP (UDP port 500) and ESP (protocol 50) to the controller.
  • If a third-party network management system is used, allow SNMP (UDP ports 161 and 162) between the network management system and all controllers. If the ArubaOS version is earlier than 2.5, also allow SNMP traffic between the network management system and APs.
  • For authentication with a RADIUS server: RADIUS (typically UDP ports 1812 and 1813, or 1645 and 1646) between the controller and the RADIUS server.
  • For authentication with an LDAP server: LDAP (TCP port 389) or LDAPS (TCP port 636) between the controller and the LDAP server.
  • For authentication with a TACACS+ server: TACACS+ (TCP port 49) between the controller and the TACACS+ server.
  • For NTP clock setting: NTP (UDP port 123) between all controllers, the MMS server and the NTP server.
  • For packet captures: UDP port 5555 from an AP to an Ethereal (now Wireshark) packet-capture station; UDP port 5000 from an AP to a WildPackets packet-capture station.
  • For telnet access: Telnet (TCP port 23) from the network administrator's computer to any AP, if "telnet enable" is present in the "ap location 0.0.0" section of the controller configuration.
  • For External Services Interface (ESI): ICMP (protocol 1) and syslog (UDP port 514) between a controller and any ESI servers.
  • For XML API: HTTP (TCP port 80) or HTTPS (TCP port 443) between a controller and an XML-API client.