Omniaccess Stellar Wlan For Exp - Alcatel-Lucent Enterprise

OMNIACCESS STELLAR WLAN FOR EXPERIENCED - ISSUE 05
PARTICIPANT'S GUIDE

The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE.
OmniAccess Stellar Wireless Lan – Training offer for newcomers

(Diagram of the newcomer training path; the courses shown, with their course code and the duration as printed: I = e-learning, V = virtual classroom, C = classroom, DIY = do-it-yourself lab)
• OmniAccess Stellar Wlan EXPRESS – DT00WTE255 – I = 45min
• Lan/Wlan for SMB (w/Stellar) – DT00XTE200
• OmniAccess Stellar Network for SMB – ACFE online exam DT00TC1W16
• OmniAccess Stellar Wlan Enterprise Basic – DT00WTE268 – I = 2,5 h + lab DIY = 3,5 h
• OmniVista 2500 NMS-E R4.2 (e-Learning) – DT00WTE211 – I = 75min + lab DIY = 6 to 7 h
• OmniAccess Stellar Wlan Enterprise Advanced (virtual) – DT00VTE269 – V = 5 h
• OmniVista 2500 NMS & OmniAccess Stellar Wlan – DT00CTE270 – C = 3 days
• Wlan Enterprise – ACFE online exam DT00TC1W17
• OmniAccess Stellar Wlan Enterprise – ACSE online exam DT00TC2W16
Delivery: full remote or classroom. Segments shown: small market segment, medium market segment.


OmniAccess Stellar Wireless Lan – Training offer for experienced on OmniAccess Wlan

(Diagram of the training path for people already experienced on OmniAccess Wlan; the courses shown, with course code and duration as printed)
• OmniAccess Stellar for experienced + lab DIY – DT00WTE263 – I = 2,5 h, lab = 5 h
• OmniAccess Stellar for experienced (virtual) – DT00VTE263 – V = 7,5 hrs
• OmniVista 2500 NMS & OmniAccess Stellar Wlan – DT00CTE270 – C = 3 days
• OmniVista 2500 NMS-E R4.2 (e-Learning) – DT00WTE211 – I = 75min + lab DIY = 6 to 7 h
• ACFE / ACSE OmniAccess Stellar Wlan Enterprise exam – embedded in the course
Delivery: online, virtual or classroom. Medium market segment.


OmniAccess Stellar Wireless Lan
Solution Overview
Lesson summary
• Understand and choose the Stellar mode on the APs.
• Understand the planes of operation and the traffic generated by the AP
• Understand the network topology recommended
• Identify the network limitations
STELLAR WLAN - MODES
Stellar Modes

WiFi Express: Standalone mode, up to 64 APs
WiFi Enterprise: Managed mode, up to 4000 APs

Evolutive design: grow your WiFi at your own pace

Market position

WiFi Express
• Mutually exclusive with WiFi Enterprise
• All AP models supported
• Virtual Controller Management with Web Interface
• Cluster of 64 APs (cluster limitation of 32 AP1101)
• Access Switch required (PoE model if possible)
• DHCP server required

WiFi Enterprise
• Mutually exclusive with WiFi Express
• All AP models supported
• Centralized Management with OmniVista 2500
• 4000 APs managed
• Access Switch required (PoE model if possible)
• DHCP server required
• OmniVista 2500 server and licenses required

Components shown: Access Point, PoE Switch, DHCP Server (+ OmniVista 2500 for WiFi Enterprise)


Wifi Express – Standalone cluster deployment

• Self managed standalone cluster
• Integrated secure Web managed
• Wizard driven configuration
• Integrated Guest captive portal
• External Guest Captive Portal support
• Distributed intelligence control
• Self configured AP cluster, up to 64 APs*
• Optimal RF management

* Hardware limitation

Easy deployment, scaling up to 64 APs


Wifi Express – Features List

Management
• Guest Operator Restricted Role GUI
• HTTP and Secure Access via HTTPS
• English, simplified Chinese, German, French, Spanish, Korean, Turkish Language Support
• OXO Connect R2.1 ZTP integration using secure HTTPS
• Scale up to 32 APs (AP1101 ONLY Cluster)
• Scale up to 64 APs in mixed AP Cluster (minimum: 4x AP12xx)
• Remote Cluster Management

Security
• Authentication 802.1X, WPA, WPA2
• Encryption WEP, TKIP, AES
• Built-in User Database
• External Radius Server Support
• Certificate Management
• ACLs per SSID
• Disconnect/ Blacklist Clients
• WIPS protection

Radio
• Dynamic Frequency Selection
• Transmit Power Control
• Extensive Country Code list
• Wireless MESH
• Channel & Transmission power manual assignment

System
• Daylight-Saving time
• Syslog support
• NTP Client
• Built-in DHCP/DNS/NAT

All Stellar APs can be part of the web managed AP-cluster


Wifi Enterprise – Central managed deployment

• OmniVista 2500
• Cloud ready (for future release)
• Unified wired-wireless
• Access Management (Guest/BYOD)
• Role based policy enforcement
• Smart Analytics
• Distributed intelligence control
• Up to 4000 APs
• Scale to support 100K clients per device
• Advanced wireless features
• WLAN topology on a map and heat map
• Wireless security (wIDS/wIPS)

Central unified management for larger deployments, up to 4000 APs


Wifi Enterprise – Features List

Strategic
• Controller-less Architecture
• OmniVista integrated Unified Policy Authentication Manager (UPAM)
• Simplified Management of AP Groups
• No limit on AP Group Count
• Max 4000 APs spread across one or more AP Groups
• OmniVista High Availability

Secure access authentication
• Secure NAC with Unified Access AG 2.0 Integration
• Automated deployment with ALE OmniSwitch Integration
• Smart Analytics Application Monitoring
• Strategy based Policy & Enforcement/ DPI Enforcement
• UPnP/ Bonjour Service Sharing

Unified policy manager
• Employee – Supplicant/ Non-supplicant secure authentication
• Guest Access – Self Registration/ Employee sponsored/ Social Login
• BYOD
• Extensive Captive Portal Customization
• External Captive portal support

Wireless management
• RF Management
• wIDS/ wIPS – Rogue Containment/ Attack Detection
• Floor Plan/ Heatmap – Planning & deployment tools to simplify deployment while improving QoE
• Reports – Uptime, Usage, etc. Reports
• MESH topology

All Stellar APs can be part of the OV managed AP-groups
Mode Selection
• WiFi Express is the default mode
• AP requests and receives an IP address from the DHCP server.
• DHCP option 138 equals the IP address of the OmniVista 2500 Server

WiFi Express – DHCP scope without option 138:
subnet 192.168.10.0 netmask 255.255.255.0
{
  dynamic-dhcp range 192.168.10.10 192.168.10.20
  {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option routers 192.168.10.1;
    option dhcp-lease-time 6000;
    option domain-name-servers 192.168.10.1;
    option domain-name "vlan10.home";
  }
}

WiFi Enterprise – the same scope with option 138 pointing at the OmniVista 2500 Server:
subnet 192.168.10.0 netmask 255.255.255.0
{
  dynamic-dhcp range 192.168.10.10 192.168.10.20
  {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option routers 192.168.10.1;
    option dhcp-lease-time 6000;
    option domain-name-servers 192.168.10.1;
    option domain-name "vlan10.home";
    option 138 192.168.0.61;
  }
}


Mode changes
• Mode can be changed:
  • Manually in Express mode with a "Convert to Enterprise" button
  • Or requires a factory reset (push button) and reboot
• Migrate an existing Cluster (WiFi Express) to OV mode (WiFi Enterprise)
  • Load the new firmware from the Web interface (optional)
  • Add option 138 in the DHCP server (dhcpd.conf) for the AP management scope
  • Perform a factory reset/reboot or change the mode manually

No configuration migration: the AP « cluster » configuration is lost


Planes of Operation
Planes of operation
• Management Plane
  • No controller
  • WiFi Express: Centralized management on one Primary Virtual Controller (PVC)
  • WiFi Enterprise: Centralized management on OmniVista 2500
• Control and Data Plane per AP

(Diagram: the Management Plane sits on the PVC or on OmniVista, while each AP carries its own Control Plane and Data Plane.)
Management Plane
• Management plane – Type of Traffic
  • Configuration traffic (SSID creation, ...)
  • Monitoring and troubleshooting (client monitoring, ...)
• AP management traffic is always untagged
  • Use the native VLAN of the upstream switch and the subnet obtained from the DHCP scope

(Diagram: the "Management" VLAN is untagged between the APs and the Edge Switches; in WiFi Express the APs are managed by the PVC, in WiFi Enterprise by OmniVista.)
Management Plane – AP Group
• Management on AP Group only
• AP Registration
  • AP Group
  • No limits & restrictions, but the total number of APs is limited to 4000 (Enterprise) or 64 (Express)
  • Can mix any AP type: AP1101, AP1201(H), AP12xx, AP123x, AP125x

(Diagram: AP <-> AP Group mapping. WiFi-Express: a PVC and one AP-Group behind the Edge Switches. WiFi-Enterprise: OmniVista with AP Group 1 and AP Group 2 reached over the LAN / L3 network and Edge Switches.)
Control Plane
• Control Plane – Type of Traffic
  • Manages network protocols, Forwarding Information Base (FIB)
  • Manages authentication, packet inspection, load balancing
• Control plane traffic
  • Over the Air Control Plane: AP to AP protocol over the air
    • Used for RF Management, Neighbor AP discovery
  • Over the LAN Control Plane: AP to AP protocol over the LAN infrastructure
    • Used for RF Management, Roaming client context sharing

(Diagram: two OmniAccess WLAN Access Points exchanging control traffic directly over the air, and through the Edge Switches and the Layer 2/3 Network Infrastructure over the LAN.)
Data Plane
• Data Plane – Type of traffic
  • Forward data user traffic
  • Manages the QoS and ACLs
• Data Plane Traffic
  • Wireless data converted to Ethernet in the AP and sent to the AP uplink
  • Wireless traffic always tagged on the AP uplink
  • No tunnel mode to OV or Virtual Controller
• Data Plane is only L2
  • No routing for data user traffic
  • Routing provided by LAN infrastructure

(Diagram: Guest, Employee and Voice SSIDs on the OmniAccess WLAN Access Point; the data traffic leaves the AP uplink on tagged VLANs to the Edge Switch, then crosses the Layer 2/3 Network Infrastructure to the Data Center.)

One tagged VLAN per SSID
Network Architecture
Network Topology

(Diagram of the recommended topology, top to bottom:)
• Internet and WAN Router
• DHCP: scope for all AP Mgt VLANs (require option 138 for the OV IP address) and for all SSID VLANs
• DNS (optional): DNS server for all AP Mgt subnets and all SSID subnets
• OmniVista
• Core: L3 protocols / Routing
• Distribution: IP interfaces / Routers for all AP Mgt VLANs and all SSID VLANs
• Access: all AP Management VLANs and SSID VLANs; trunk port with PoE towards each AP (untagged/native VLAN = AP Mgt VLAN, tagged VLANs = SSID VLANs)
• Stellar Access Points
Network Topology - Configuration
AP: acts as a bridge
• Management traffic: Untagged VLAN
• Wireless client data: Tagged VLANs

Each VLAN: must be configured in the network
• No VLAN creation on AP – implicit from the Access Role Profile VLAN mapping configuration

Network devices: IP interfaces and routing configuration

DHCP server needed and DNS server optional
• DHCP scope: one for each AP management VLAN (option 138) & each “WLAN” VLAN
ALE vs non ALE Switch
• Mixed together with generic network configuration
• AOS offers WLAN integration feature

OmniSwitch LAN – Value Added
• Stellar deployment with OmniSwitch recommended
• Key Benefits
  • Unified Access for ALE wired and wireless networks
  • OV Unified Policy Access Manager (UPAM)
  • UPAM acts as the main RADIUS Server for both wired and wireless users
  • Unified Guest and BYOD access policies for both wired and wireless users
• Unified access features supported:
  • Automatic VLAN creation
  • Guest Access for wired users with OV UPAM: AOS 8.4.1R02 & 6.7.2R02
  • BYOD Access for wired users with OV UPAM: AOS 8.4.1R02 & 6.7.2R02
  • Network Access with Access Guardian: AOS 8.4.1R02 & 6.7.2R02
  • mDNS: AOS 8.4.1R02 & 6.7.2R02 -- UPnP relay: AOS 8.4.1R03 and 6.7.2R03
  • Guest Tunneling: OS6860E/OS6900 in 8.4.1R02; OS6560/OS9900 in 8.4.1R03

(Diagram: OmniVista UPAM as RADIUS Server with Guest / BYOD Access Policies, serving an Alcatel OmniSwitch and a Stellar Access Point.)
Network Guidelines
• AP Management VLANs
  • AP Management VLANs and LAN Management / Data VLANs should be different
  • It is recommended to have a dedicated VLAN ID for AP management
  • It is recommended to have a max of 512 APs per VLAN
• WLAN VLANs
  • The same VLAN ID could be used for both wireless and wired clients
  • However, it is recommended to have a reserved VLAN ID for wireless clients
  • Up to 256 wireless clients in the same WLAN

(Diagram: a "Management" VLAN with 512 APs and an "Employee" VLAN with 256 clients.)
Network Resiliency
AP does not support Linkagg or dual home attachment
• If the AP is plugged on 2 switches, only one uplink is active
• If the active uplink provides PoE and goes down, the AP will reboot
• Either Port can be connected, but it is recommended not to connect both ports

(Diagram: a Stellar Access Point attached to an active OmniSwitch and to an inactive OmniSwitch; convergence time.)
Appendix
Option 138 for DHCP Server
Appendix
BLE Beaconing
BLE Beaconing ready for the AP1230 series and AP1201 with a built-in BLE
• Stellar APs ready for Asset Tracking Solution
  • Asset: people or equipment (wheel chair, medical devices, laptop, ...)
  • Reducing time to find assets: improves employees/customer satisfaction
• BLE Beacon is configured per AP Group
  • Turned OFF by default
  • Configurable parameters are
    • Beaconing Mode: iBeacon per default
    • Transmission Power
    • Frequency/Emission Period
    • UUID (Universal Unique Identifier) – ALE specific UUID for all ALE products
    • Major and Minor values – used for greater accuracy than UUID alone

(Pictures: OAW-AP1201 and OAW-AP1230 Series)
Appendix
Integration with AeroScout Location Engine
AeroScout RTLS (Real Time Location Services) provides location services.
• e.g. tracking of employees in the building at the plant
• The AeroScout solution utilizes standard WiFi (802.11) technologies as a communication infrastructure
• Customers use the Stellar AP to communicate with AeroScout tags and deliver information to the AeroScout Location Engine
• AeroScout LBS Architecture
  • AeroScout Tags: device generating 802.11 messages at a predefined interval
  • Stellar APs: deliver RSSI measurements of tags and WiFi clients to the AeroScout Engine
  • AeroScout Engine Server (AES): Location Engine. Based on RSSI measurements (from the Stellar AP), determines the position of the clients
  • AeroScout Engine Manager (AEM): Configuration of the AES. Displays clients on the map, heatmaps, analytics, Geofencing alerts

(Diagram: AeroScout tags and the Stellar AP)
Appendix
Example Configuration (ISC-DHCP-Server)
• Linux open source DHCP server

#
# Classify OmniAccess Stellar AP as STELLAR
#
class "STELLAR" {
  match if substring (option vendor-class-identifier, 0, 4) = "HAP.";
}

#
# Create custom option 138 as it is not known to isc-dhcp-server
#
option ovwma code 138 = ip-address;

subnet 192.168.10.0 netmask 255.255.255.0 {
  option routers 192.168.10.1;
  option broadcast-address 192.168.10.255;
  option domain-name-servers 192.168.10.1;
  option domain-name "vlan10.home";
  default-lease-time 6000;
  max-lease-time 72000;
  # Pool for OmniAccess Stellar AP
  pool {
    allow members of "STELLAR";
    range 192.168.10.10 192.168.10.20;
    option ovwma 192.168.0.61;
  }
  pool {
    range 192.168.10.21 192.168.10.50;
    allow unknown-clients;
  }
}
Appendix
Example Configuration (OmniSwitch DHCPD)
• OmniSwitch used as DHCP server
• dhcpd.conf file configuration:

subnet 192.168.10.0 netmask 255.255.255.0
{
  dynamic-dhcp range 192.168.10.10 192.168.10.20
  {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option routers 192.168.10.1;
    option dhcp-lease-time 6000;
    option domain-name-servers 192.168.10.1;
    option domain-name "vlan10.home";
    option 138 192.168.0.61;
  }
}
Appendix
Example Configuration (pfSense)

(Screenshot: pfSense DHCP server settings with option 138 set to 192.168.0.61)
Appendix
DHCP Discover from AP1221
14:50:03.732118 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 34:e7:0b:03:d0:60, length 300, xid
0xed131e0c, Flags [none] (0x0000)
Client-Ethernet-Address 34:e7:0b:03:d0:60
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
MSZ Option 57, length 2: 576
Parameter-Request Option 55, length 12:
Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
Domain-Name, BR, NTP, Vendor-Option
TFTP, BF, Option 138, Option 212
Vendor-Class Option 60, length 19: "HAP.1-OAW-AP1221-RW"
END Option 255, length 0
PAD Option 0, length 0, occurs 17
Appendix
DHCP Offer to AP1221
14:50:04.734289 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 333)
192.168.10.1.67 > 192.168.10.13.68: [udp sum ok] BOOTP/DHCP, Reply, length 305, xid 0xed131e0c, Flags [none]
(0x0000)
Your-IP 192.168.10.13
Client-Ethernet-Address 34:e7:0b:03:d0:60
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 192.168.10.1
Lease-Time Option 51, length 4: 6000
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 192.168.10.1
Domain-Name-Server Option 6, length 4: 192.168.10.1
Domain-Name Option 15, length 11: "vlan10.home"
BR Option 28, length 4: 192.168.10.255
NTP Option 42, length 4: 192.168.10.1
3232235581 (decimal) = 0xC0A8003D (hexadecimal)
T138 Option 138, length 4: 3232235581 =>(C0, A8, 00, 3D) =>192.168.0.61
END Option 255, length 0
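To show what the AP side of the mode-selection rule and the ISC "HAP." class match look like on real bytes, here is an added Python example (not code from the ALE guide, the Stellar firmware or isc-dhcp-server): it encodes a DHCP option block modelled on the captured Offer, parses it back, matches the vendor class the way the dhcpd.conf class rule does, and chooses Express or Enterprise mode from option 138. All function names (encode_options, parse_options, is_stellar_ap, option138_address, select_mode) and the sample option blocks are the author's own constructions.

```python
"""Decode DHCP options as a Stellar AP sees them and pick the AP mode.

Added example, not from the ALE training guide.  It hand-builds a DHCP
option area mirroring the captured Offer (option 138 = 0xC0A8003D, i.e.
192.168.0.61) and applies two rules the guide states:
  * ISC class match: substring(vendor-class-identifier, 0, 4) = "HAP."
  * mode selection: option 138 present -> WiFi Enterprise (OmniVista IP),
    absent -> WiFi Express (the default mode).
Names below are the author's assumptions, not an ALE or ISC API.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 cookie seen in the capture
OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_OV_SERVER, OPT_END = 0, 53, 60, 138, 255


def encode_options(options):
    """Serialize [(code, bytes), ...] as TLVs behind the magic cookie, ending with END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if len(value) > 255:
            raise ValueError(f"option {code} too long for a one-byte length")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Parse a DHCP option area into {code: bytes}.

    Skips PAD (0), stops at END (255) and rejects a truncated TLV, so a
    malformed packet can never yield a half-read option value.
    """
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    pos, opts = len(MAGIC_COOKIE), {}
    while pos < len(blob):
        code = blob[pos]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            pos += 1
            continue
        if pos + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[pos + 1]
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        pos += 2 + length
    raise ValueError("option area not terminated by END")


def is_stellar_ap(opts):
    """The guide's ISC class rule: vendor-class-identifier starts with "HAP."."""
    return opts.get(OPT_VENDOR_CLASS, b"")[:4] == b"HAP."


def option138_address(opts):
    """OmniVista IPv4 address carried in option 138, or None when absent."""
    raw = opts.get(OPT_OV_SERVER)
    if raw is None:
        return None
    if len(raw) != 4:                       # one ip-address, exactly as the ISC option declares
        raise ValueError("option 138 must be exactly one IPv4 address")
    return str(ipaddress.IPv4Address(raw))


def select_mode(opts):
    """WiFi Enterprise when option 138 names the OV server, otherwise WiFi Express."""
    ov = option138_address(opts)
    return ("WiFi Enterprise", ov) if ov else ("WiFi Express", None)


# Constructed samples.  ENTERPRISE_OFFER keeps only the options that matter here
# from the captured Offer; option 138 is written in the decimal form the guide shows.
ENTERPRISE_OFFER = encode_options([
    (OPT_MSG_TYPE, b"\x02"),                                   # Offer
    (54, ipaddress.IPv4Address("192.168.10.1").packed),        # Server-ID
    (51, struct.pack("!I", 6000)),                             # Lease-Time
    (OPT_OV_SERVER, struct.pack("!I", 3232235581)),            # 0xC0A8003D
])
# The same Offer without option 138, i.e. the Express-mode dhcpd.conf scope.
EXPRESS_OFFER = encode_options([
    (OPT_MSG_TYPE, b"\x02"),
    (54, ipaddress.IPv4Address("192.168.10.1").packed),
])
# Discover fragment carrying the AP1221 vendor class string from the capture.
AP_DISCOVER = encode_options([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_VENDOR_CLASS, b"HAP.1-OAW-AP1221-RW"),
])

if __name__ == "__main__":
    print(select_mode(parse_options(ENTERPRISE_OFFER)))  # ('WiFi Enterprise', '192.168.0.61')
    print(select_mode(parse_options(EXPRESS_OFFER)))     # ('WiFi Express', None)
    print(is_stellar_ap(parse_options(AP_DISCOVER)))     # True
```

The parser refuses a truncated TLV or an option 138 that is not exactly four bytes rather than returning a partial address. Because the AP takes its manager's address from whichever DHCP server answers on the AP management VLAN, the dedicated management VLAN recommended under Network Guidelines is also what bounds that trust.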
Follow us on…

Follow us on: www.al-enterprise.com

facebook.com/ALUEnterprise

linkedin.com/company/alcatellucententerprise

twitter.com/ALUEnterprise

youtube.com/user/enterpriseALU
OmniAccess Stellar Wireless Lan
Stellar Hardware Presentation
Lesson summary
• List the Stellar Access points per capacity
• Position the Stellar Access Point in the market
OMNIACCESS STELLAR WLAN
Access Points Overview
OmniAccess Stellar AP Lineup

• AP1101 – 802.11ac Wave 1 – Emerging / SMB
• AP1201 – 802.11ac Wave 2
• AP1201H – 802.11ac Wave 2 – Hospitality
• AP1221/AP1222 – 802.11ac Wave 2 – Mid-Range
• AP1231/AP1232 – 802.11ac Wave 2 – High-Range
• AP1251 – 802.11ac Wave 2 – Outdoor
OmniAccess Stellar AP1101
OAW-AP1101 – 802.11ac Wave 1 Entry Level AP

Dual radio, 802.11ac 2x2:2SS VHT80
• 2.4GHz and 5GHz band support
• Up to 867Mbps 5 GHz
• Up to 300Mbps 2.4 GHz
• Up to 16 SSID (8 SSID per radio)
• 1xGbE network interface, RJ-45 console, reset
• 802.3af PoE / 48V DC
• Enterprise temperature range, plenum rated
• Built-in antenna (OAW-AP1101)

OmniAccess Stellar AP1201
OAW-AP1201 – 802.11ac Wave 2 Entry Level AP

Dual radio, 802.11ac 2x2:2SS VHT80
• 2.4GHz and 5GHz band support
• 1.2 Gbps throughput
• Up to 867 Mbps 5 GHz
• Up to 400 Mbps 2.4 GHz
• Up to 32 SSID (16 SSID per radio)
• 512 client devices per AP
• 1xGbE network interface, RJ-45 console, reset
• 802.3af PoE / 48V DC
• Enterprise temperature range, plenum rated
• Built-in omnidirectional antenna
• BLE 5.0, 802.15.4 (Zigbee) HW Ready

OmniAccess Stellar AP1201H
OAW-AP1201H – Hospitality AP

Dual radio, 802.11ac 2x2:2SS
• 2.4GHz and 5GHz band support
• 1.2 Gbps throughput
• Limited RF coverage (single room)
• Up to 16 SSID (8 SSID per radio)
• 256 client devices per AP
• Uplink – 1 x GE with PoE 802.3af/at
• Downlink – 3 x GE interfaces with PoE 802.3af
• 1 x RJ45 Pass-Through (Analog phone)
• Built-in antenna
• Built-in wall box mount
• BLE radio via USB (secured port)
• PoE or DC Power
• Separate Desk mount
• No Logo

(Drawing with the unit dimensions: 161.5mm, 95mm, 29mm)

OmniAccess Stellar AP1220 Series
OAW-AP1221/1222 – 802.11ac Wave 2 Mid-range AP

Dual radio, 802.11ac 4x4:4SS VHT160
• 5GHz radio: 1,733Mbps (with 4SS/VHT80 clients or 2SS/VHT160 clients)
• 2.4GHz radio: 400Mbps 2.4GHz (2SS/VHT40)
• MU-MIMO
• Optional BLE radio through USB port
• 1xGbE network interface, RJ-45 console, USB port, reset
• 802.3at PoE compliant / 48V DC (function reduced when powered by an 802.3af source)
• Enterprise temperature range, plenum rated
• Built-in antenna (OAW-AP1221)
• External antenna connectors (OAW-AP1222)

OmniAccess Stellar AP1230 Series
OAW-AP1231/1232 – 802.11ac Wave 2 High-range AP

Tri radio, 802.11ac 4x4:4SS VHT160 and Integrated BLE
• First 5GHz radio: 1,733Mbps (with 4SS/VHT80 clients or 2SS/VHT160 clients)
• Second Multiband radio: 1,733Mbps (with 4SS/VHT80 clients or 2SS/VHT160 clients)
• Third 2.4GHz radio: 800Mbps 2.4GHz (4SS/VHT40)
• MU-MIMO
• Integrated BLE radio
• 1xGbE + 1x2.5GbE network interfaces, RJ-45 console, USB port, reset
• 802.3at PoE (4-pair, 60W) compliant / 48V DC (function reduced when powered by an 802.3at 2-pair source)
• Enterprise temperature range, plenum rated
• Built-in antenna (OAW-AP1231)
• External antenna connectors (OAW-AP1232)

OmniAccess Stellar AP1251
OAW-AP1251 – 802.11ac Wave 2 Outdoor AP

Dual radio, 802.11ac 2x2:2SS
• 5GHz radio: 867 Mbps (with 2SS/VHT160 clients)
• 2.4GHz radio: 400Mbps 2.4GHz (2SS/VHT40)
• MU-MIMO
• 2xGbE network interfaces, micro-USB console, reset
  • 1xGbE uplink
  • 1xGbE for connecting a downstream device (IoT)
• 802.3af PoE compliant / 48V DC
• IP67/66
• Temperature range -40 to +65 degrees C
• Built-in omnidirectional antenna
OMNIACCESS STELLAR
ACCESSORIES
Indoor AP Mounting Kits
• Indoor Mounting kits
  • OAW-AP-MNT-B: Ceiling Mount (for T-shaped rail mounting) – Standard Shipping
  • OAW-AP-MNT-C: Ceiling Mount (for all other rail mounts)
  • OAW-AP-MNT-W: Wall Mount (All White)
• All indoor mounting kits can be applied to the following APs (the OAW-AP-MNT-B mounting kit ships by default with each AP)
  • OAW-AP1101
  • OAW-AP1221
  • OAW-AP1222
  • OAW-AP1231
  • OAW-AP1232
Outdoor AP Mounting Kits
• Outdoor Mounting kit
  • AP-MNT-OUT: Pole or Wall mount
• The AP-MNT-OUT mounting kit ships by default with each AP
  • OAW-AP1251
PoE Injectors
• PD-3501G/AC – Indoor
• PD-9001GR/AT/AC – Indoor
• PD-9501-GR/AC – Indoor
• PD-9001GO/AC – Outdoor
* No support for 2.5GE
Power Adapters
• Power Adapter (Indoor ONLY)
  • ADP-30HRBD
    • AC100-240V input, 48V DC output, 30W; Compatible with 802.3af/at; Applicable to
      • OAW-AP1101
      • OAW-AP1221
      • OAW-AP1222
  • ADP-60GRBC
    • AC100-240V input, 48V DC output, 60W; Compatible with 802.3af/at; Applicable to
      • OAW-AP1101
      • OAW-AP1221
      • OAW-AP1222
      • OAW-AP1231
      • OAW-AP1232
Antenna & Cables
• Antennas (Applicable to Indoor AP ONLY)
  • Omnidirectional antenna that can be mounted directly on the AP
  • Omnidirectional ceiling mount antenna
  • Directional antenna with 60 degree sector coverage

• ANT-O-6: Dual band 2.4/5GHz, 1-element, direct mount, omni-directional, 6dBi (4x)
• ANT-O-M4-5: Dual band 2.4/5GHz, 4-element, Ceiling-mount, Downtilt omni-directional antenna, >5dBi (1x); includes 4* 30-35in RF cable
• ANT-S-M4-60: Dual band 2.4/5GHz, 4-element, Wall-mount, sector antenna, >5dBi, 60°Hx60°V (1x); includes 4* 30-35in RF cable
• ANT-S-M4-90: Dual band 2.4/5GHz, 4-element, Wall-mount, sector antenna, >5dBi, 90°Hx90°V (1x); includes 4* 30-35in RF cable
• ANT-S-M4-120: Dual band 2.4/5GHz, 4-element, Wall-mount, sector antenna, >5dBi, 120°V (1x); includes 4* 30-35in RF cable
Antenna & Cables Connection
OmniAccess Stellar Wireless Lan
WiFi Enterprise – Requirements
Lesson summary
• Identify the setup required in the WiFi Enterprise mode
• Configure the OmniVista 2500 server
• Configure the OmniSwitch
Initial Setup
Hardware requirement: Access Point, PoE Switch, DHCP Server, OmniVista 2500

Initial Setup
Minimal configuration required
• Stellar Access Point
  • Release 3.0 required
  • Purged AP with default factory configuration
• Alcatel OmniSwitch
  • PoE
  • Management VLAN
  • "ip helper" for external DHCP server
• DHCP server
  • Option 138 on Management VLAN
  • Addresses Plan for Service VLAN
• OmniVista 2500 server
  • IP configuration
  • Licenses
OmniVista 2500 NMS
OmniVista 2500 NMS and Stellar
OmniVista Release 4.2.2 R01 or higher required
• OV 4.2.2 R01 is the first Release to support Stellar

New Applications included to support Stellar
• WLAN
• RF Management
• WiPS
• Heatmap

OmniVista as a Virtual Appliance. Open Virtualization Format (OVF) file runs on:
• VMware ESXi 5.5 and above
• VMware Player 4.0 and above
• VMware vCenter Server 5.5 and above
OmniVista 2500 Licenses

OmniVista Core License - required
• Network devices: OmniSwitch or 3rd party devices
OmniVista VMM License - optional
• Manageable VMs
OmniVista AP License count – NEW since OV 4.2.2 R01
• Stellar Access Point: Per AP License model - 10, 20, 50, 100 or 500 APs
OmniVista Guest Management License count – NEW since OV 4.2.2 R01
• Per device license model – 10, 20, 50, 100, 500 or 1000 Guest Devices
OmniVista BYOD License count – NEW since OV 4.2.2 R01
• Per device license model – 10, 20, 50, 100, 500 or 1000 Devices
OmniVista High Availability (HA) License – NEW since OV 4.3.1 R01
• One License per set of OmniVista servers

OmniVista 2500 Licenses – Add-on

In case of network growth, additional APs must be deployed:
• The AP License count is greater than the total number of APs to be deployed
  • Deploy and register the APs
• Or, the license AP count is smaller than the total number of APs to be deployed
  • Import an additional AP license count. The number of APs from this license is added to the existing number of APs supported.
  • Deploy and register the APs

Example: Initial AP License count = 100, + Additional AP License count = 50, Updated AP License count = 150
OmniVista 2500 Configuration
OmniVista 2500 installed
• IP address and network mask
• OmniVista Network size configuration
• Default Gateway
• Timezone, DNS server, ... (optional)

Network Devices discovered

OmniVista 2500 High Availability (HA)

(Diagram: a Main OV and a Stand-by OV, each running Services and Databases kept in Sync; network devices (laptop, switch, AP) must communicate to the Virtual IP.)

• Introduced in OmniVista 4.3.1 R01

High Availability (HA) creates a redundant (Stand-by) OmniVista which will take over if the primary (Main) OmniVista becomes unavailable
• With HA, 2 instances of OV are constantly running
  • Connection across a Layer 2 network
  • Extension to a Layer 3 network, if VxLAN or SPB are used.

When control is moved from Main to Stand-by, all services and operations are transferred
• E.g. UPAM functions including BYOD and Guest Access are handled by Stand-by
• All network monitoring services are taken over by Stand-by

Dedicated OmniVista HA license.


OmniSwitch
OmniSwitch Manual Configuration
Manual configuration
• PoE activation - if no power injector or power adapter is used
• Untagged "Management VLAN"

-> lanpower start 1
-> vlan 10 name "Management"
-> vlan 10 port default 1/1 – R6
-> vlan 10 member port 1/1 untagged – R8

• SNMP configuration
  • Example in SNMPv2
-> aaa authentication snmp local
-> user snmpuser read-write all password snmpuser no auth
-> snmp security no-security
-> snmp community-map mode enable
-> snmp community-map public user snmpuser enable
-> snmp station OV_ip_address snmpuser v2 enable

(This SNMPv2 example grants read-write access with no authentication and the community name public; it is a lab setting, not a hardened one.)
OmniSwitch Automatic Configuration
Reduce the configuration steps on the Edge switch
• No need to set a trunk port
• No need to know in advance where the AP will be connected
• On the same port, AP, Phone, Camera, PC can be plugged
• No need to tag the “WLAN” VLAN

Support of advanced LLDP features
• Switch can advertise the VLAN ID used for the AP management VLAN
• Switch can advertise an AP Location TLV

Available in
• AOS 8.4.1.R02
• AOS 6.7.2.R02
OmniSwitch Automatic Configuration
AOS 8.4.1.R02
(1) Edge Ports of the OmniSwitch are set as UNP port with type bridge
-> unp port slot/port port-type bridge

• By default, the UNP port is set to the “bridgeDefaultPortTemplate” port template
  • 802.1x, MAC authentication and classification enabled
  • Trust-tag is enabled
• For security reasons, a UNP port can not accept and classify any tagged traffic
  • Trust-tag must be disabled on the “bridgeDefaultPortTemplate” port template
(2)
-> no unp port-template bridgeDefaultPortTemplate trust-tag

Implicit and built-in classification rule for the AP, based on LLDP capabilities and MED device type
-> unp classification lldp med-endpoint access-point profile1 defaultWLANProfile
• The AP is by default classified in the “defaultWLANProfile” UNP Profile

OmniSwitch Automatic Configuration
AOS 8.4.1.R02
“defaultWLANProfile” is the UNP profile for WLAN
• The AP management VLAN must be mapped to the profile
-> unp profile defaultWLANProfile map vlan vlan_id

OmniVista will classify the AP in “defaultWLANProfile”. The UNP “defaultWLANProfile” and the AP Management VLAN are pushed to the OmniSwitch.

Automatic trust-tag for wireless traffic
• The port of the OmniSwitch is dynamically tagged for the AP service VLAN (Guest, Employee, ...)

Automatic LLDP advertisement
• As soon as an AP is learned on the UNP port, LLDP TLVs are automatically sent
• The “defaultWLANProfile” VLAN is advertised in the LLDP "Port VLAN ID" TLV
• The Location is advertised in an ALE “Location” TLV
OmniSwitch Automatic Configuration – AP Provisioning

(Diagram: Stellar AP on port 1/1/1 of OS6860-A; OS6860-B behind port 1/1/24. DHCP scope 10.255.125.0/24 for the AP management VLAN 125, LAN scope 10.255.10.0/24 for the GUEST SSID mapped to VLAN 10.)

Sequence
1. AP sends LLDP
2. AP classified in defaultWLANProfile -> VLAN 125 assigned
3. AP sends untagged DHCP, gets an IP on vlan 125
4. Switch sends LLDP with Port VLAN ID = 125 and AP Location = "Building1:1/1/1"
5. AP updates: Management VLAN = 125, AP Location = "Building1:1/1/1"
6a. Client connects to SSID Guest and sends a DHCP request
6b. Client DHCP Request tagged 10, gets an IP on vlan 10
6c. Trust-tag enable, port dynamically tagged for VLAN 10

6860-A Configuration
vlan 1 member port 1/1/1 untagged
VLAN – Not Required with MVRP
vlan 125
vlan 10
vlan 125 members port 1/1/24 tagged
vlan 10 members port 1/1/24 tagged
ip interface "vlan10" address 10.255.10.1/24 vlan 10
ip interface "vlan125" address 10.255.125.1/24 vlan 125
Location
system location Building1
UNP
unp port 1/1/1 port-type bridge
no unp port-template bridgeDefaultPortTemplate trust-tag
unp classification lldp med-endpoint access-point profile1 defaultWLANProfile
unp profile defaultWLANProfile map vlan 125

OmniSwitch Automatic VLAN creation with MVRP
No VLAN configuration on the Edge Switch
• Automatic VLAN creation
  • AP Management VLAN
  • VLAN for SSID
  • VLANs dynamically created on the uplink as advertised by MVRP
• Automatic VLAN assignment
  • MVRP advertised VLANs automatically tagged on the uplink
  • AP Management VLAN assigned on the UNP port (UNP profile VLAN mapping)
  • VLAN for SSID automatically tagged on the UNP port (trust-tag)
• Upstream MVRP advertisement from the Edge Switch
  • AP Management & SSID VLANs automatically advertised by MVRP

(Diagram: the edge switch with an Uplink Port towards the LAN (MVRP/Static VLANs) and a UNP Port towards the AP; numbered steps show dynamic VLAN creation, dynamic VLAN tagging on the UNP port and on the uplink, client traffic, and MVRP VLAN advertisement.)

Available in AOS 8.4.1.R02 & 6.7.2.R02
Backup Slides
If you want to know more
OmniSwitch Automatic Configuration – AP Location Logic
If a port alias (“interfaces chassis/slot/port alias <string>”) is configured on the port
• => AP Location = Port Alias

If a system location (“system location <string>”) is configured on the OmniSwitch
• => AP Location = “System Location”:“PortID”

If the system name (“system name <string>”) is configured on the OmniSwitch
• => AP Location = “System Name”:“PortID”

By default
• => AP Location = “Chassis ID”:“PortID”
  • Chassis ID is the Chassis MAC address
  • Port ID is the actual port number in the chassis/slot/port format
Stellar OmniAccess Wlan
Lab: Initial Stellar Access Point deployment

How to
✓ How to deploy a Stellar Access Point in Enterprise mode

Contents
1 Objectives ...................................................................................... 3
2 Design and setup Lab information .......................................................... 3
2.1. Equipment List ......................................................................................... 3
3 State of your Lab equipment ................................................................ 3
3.1. LAN OmniSwitch ........................................................................................ 3
3.2. OmniVista 2500/UPAM ................................................................................ 4
3.2.1. Start the OV500 VM ........................................................................................ 4
3.2.2. Connect to OV2500 ......................................................................................... 5
3.2.3. AP Registration ............................................................................................. 5
3.2.4. Managed devices............................................................................................ 5
3.3. WLAN OmniAccess AP ................................................................................. 6
4 Configuring the LAN infrastructure for AP to OV2500 connectivity .................... 7
4.1. Topology ................................................................................................. 7
4.2. OmniSwitch 6860 configuration ..................................................................... 8
4.2.1. Access port .................................................................................................. 8
4.2.2. Backbone vlan ports ........................................................................................ 8
4.2.3. SNMP ......................................................................................................... 8
4.3. OmniSwitch 6560 configuration ..................................................................... 9
4.3.1. Access port .................................................................................................. 9
4.3.2. Backbone vlan ports ........................................................................................ 9


4.3.3. SNMP ......................................................................................................... 9
4.4. Test ....................................................................................................... 9
4.5. OmniVista LAN switch Discovery .................................................................. 10
5 OmniAccess Stellar Access Point deployment ........................................... 11
5.1. Access Point deployment ........................................................................... 11
5.2. AP Registration ....................................................................................... 11
6 Test ........................................................................................... 14
Implementation

1 Objectives
• Identify the hardware
• Reset your equipment to initial settings
• LAN infrastructure pre-configuration
• Stellar AP deployment

2 Design and setup Lab information

2.1. Equipment List


Here is the list of equipment needed for the labs (X = your pod number):

1 Access switch deployed at the edge with PoE: OS6560-P24Z8 (@IP: 10.130.5.220+X)
1 Core switch deployed at the edge with PoE: OS6860E-P24 (@IP: 10.130.5.200+X)
2 Stellar APs: AP1101, AP1221
4 user VLANs:
  Backbone: 1305
  Enterprise: vlan 40
  GUEST: vlan 30
  Employee: vlan 20
Connections:
  Port 2 of each switch carries (802.1q) all four VLANs
  Port 3 of each switch has vlan 40 as default vlan (for Stellar Enterprise mode APs)
OmniVista 2500 4.2.2 server: 10.130.5.(50+X)
Default passwords for switches and OV2500

3 State of your Lab equipment

3.1. LAN OmniSwitch

Reset the OS6560 and OS6860 to initial configuration, using the script “reset_PODX” on the desktop.

Once the switch boots, verify that it booted from the working directory
->show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : MONO CMM,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED,
3.2. OmniVista 2500/UPAM

3.2.1. Start the OV2500 VM


- Open the vSphere client and log into vCenter. Use the User Name “StellarPodX” (replace X by your POD
number) and the Password “alcatel”.
- Click on the Login button to log into vCenter.

- According to your Pod number, select the Virtual Machine OV2500-4.3R1-b47-StellarX, then right-click on
it and select Snapshot -> Snapshot Manager.

- In the Snapshot Manager window, select OV2500 – Fresh Install and click on Go to.
- Click Yes to confirm.
Notes:
The Virtual Machine is already configured:
IP: 10.130.5.50+X/24, replace X by your Pod number
UPAM IP: 10.130.5.70+X
Console credentials: cliadmin / Alcatel.0

3.2.2. Connect to OV2500


- Open a web browser and type the IP address of OmniVista https://10.130.5.50+X
- Depending on the type of web browser being used a warning regarding the website’s security certificate
will be shown. Skip this warning and continue to log into OmniVista
- Use the following credentials to log into OmniVista
o Username: admin
o Password: switch

3.2.3. AP Registration
- In OV Network->AP Registration
- Check the Access Point List, Managed and Unmanaged
- Delete all APs if present

3.2.4. Managed devices


- In OV Network->Managed Devices
- Check the OmniSwitch list
- Delete all OmniSwitches if present
3.3. WLAN & Stellar AP

- On the OS6560 and OS6860, activate the port 1/1/3 and turn on the lanpower. This will power on the APs
OS6560
-> interfaces 1/1/3 admin-state enable
-> lanpower slot 1/1 service start

OS6860
-> interfaces 1/1/3 admin-state enable
-> lanpower slot 1/1 service start

- The APs should have been purged at the end of the previous session. Open the console on both APs and log
in with the default credentials:
AP1101 & AP1221
Login: support
Password: aos2016

- If you can log in, then the AP is already purged and you can go to section 4.
- If the login fails, enter the following credentials (configured later in the lab):
AP1101 & AP1221
Login: support
Password: Alcatel.0

- Enter these commands to reset the configuration to factory default and reboot the APs:
AP1101 & AP1221
support@AP-<MAC@>:~$ ssudo firstboot
This will erase all settings and remove any installed packages. Are you sure [N/y] y
support@AP-<MAC@>:~$ ssudo reboot

- The APs are now purged and have a factory default configuration.

Notes:
If you cannot reset the Stellar AP with the credentials listed above, use this alternate procedure:
- Open a console connection on the Stellar AP and restart the AP with the “lanpower slot …” command of
the OmniSwitch the Stellar AP is connected to.
- On an AP1221, 23 seconds after the reboot of the AP, the following message is displayed: “Press the [f]
key and hit [enter] to enter failsafe mode”.
- Hit [f] and then [Enter]
- Once in failsafe mode, enter “mount_root”
- Then enter “firstboot -y”
- And finally “reboot”
4 Configuring the LAN infrastructure for AP to OV2500 connectivity

4.1. Topology
Topology diagram (figure):
- DHCP server 10.130.5.7; OmniVista 2500 10.130.5.50+X and UPAM 10.130.5.70+X; backbone gateway 10.130.5.253 on VLAN 1305
- OS6860 (switch 2), 10.130.5.200+X on VLAN 1305: port 1/1/1 to the backbone; port 1/1/2 trunk to the OS6560 (default VLAN 999, VLAN 40 tagged); port 1/1/3 to AP 2X (AP1221) in VLAN 40, IP interface 10.7.X.126; Client 2X
- OS6560 (switch 1), 10.130.5.220+X on VLAN 1305: port 1/1/2 trunk to the OS6860; port 1/1/3 to AP 1X (AP1101) in VLAN 40; Client 1X
Notes:
DHCP Option 138 in the management VLAN (40) is mandatory for the APs to contact OV2500.
The management VLAN is untagged and the SSID VLANs are tagged on the switch port where the APs
are connected.
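Option 138 carries the OmniVista address as a list of IPv4 addresses (RFC 5417, CAPWAP Access Controller). The encoder/decoder below is an added example, not code from the guide; the pod arithmetic for 10.130.5.(50+X) and the ISC dhcpd lines in the comments are assumptions.

```python
"""DHCP option 138 (CAPWAP Access Controller address, RFC 5417) encoder/decoder.

Added example, not code from the guide. A Stellar AP in Enterprise mode reads
this option from its DHCP lease on the management VLAN (40) to learn the
OmniVista 2500 address, which in the lab is 10.130.5.(50+X) for pod X.
"""
import ipaddress

CAPWAP_AC_V4 = 138          # DHCP option code defined by RFC 5417

# Equivalent ISC dhcpd declaration (assumed syntax, for reference only):
#   option capwap-ac-v4 code 138 = array of ip-address;
#   option capwap-ac-v4 10.130.5.51;


def ov2500_address(pod):
    """OmniVista address of lab pod X: 10.130.5.(50+X) as given in the topology."""
    if pod < 1 or 50 + pod > 255:
        raise ValueError("pod number outside the addressable range")
    return str(ipaddress.IPv4Address("10.130.5.50") + pod)


def encode_option_138(controllers):
    """Build the option TLV: code, length, then one packed IPv4 address per controller."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed:
        raise ValueError("option 138 needs at least one controller address")
    if len(packed) > 255:
        raise ValueError("option 138 payload exceeds the 255-byte option limit")
    return bytes([CAPWAP_AC_V4, len(packed)]) + packed


def decode_option_138(raw):
    """Parse the TLV back into dotted-quad strings, rejecting truncated or odd-length data."""
    if len(raw) < 2 or raw[0] != CAPWAP_AC_V4:
        raise ValueError("not a DHCP option 138 TLV")
    length = raw[1]
    payload = raw[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated option 138")
    if length == 0 or length % 4:
        raise ValueError("option 138 length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # pod 1: the AP must receive 10.130.5.51 in option 138
    tlv = encode_option_138([ov2500_address(1)])
    print(tlv.hex(), decode_option_138(tlv))
```

If the AP never registers in OV2500, decoding the option out of a DHCP capture on VLAN 40 with this helper tells you whether the address handed out is the one the lab expects.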
4.2. OmniSwitch 6860 configuration

4.2.1. Access port

- Create AP management VLAN


- AP ports:
Configure as trunks
Set AP management VLAN as default
Enable POE on access port 1/1/3

OS6860
-> vlan 40 name “Enterprise”
-> vlan 40 members port 1/1/3 untagged
-> ip interface Enterprise address 10.7.X.126/27 vlan 40
-> lanpower slot 1/1 service start
-> interfaces 1/1/3 alias “AP2X”
-> interfaces 1/1/3 admin-state disable

Notes: Enable LLDP if previously disabled (it is enabled by default on AOS)

4.2.2. Backbone vlan ports

- Trunk port 2:
Tag vlan 40 (carrying AP data traffic)
Tag vlan 1305 (carrying traffic between OS6560 and OV2500)
- Port 1/1/1: connects LAN to backbone
OS6860
-> vlan 999 name “Trash”
-> vlan 999 members port 1/1/2 untagged
-> vlan 40 members port 1/1/2 tagged
-> vlan 1305 name “Backbone”
-> vlan 1305 members port 1/1/1 untagged
-> vlan 1305 members port 1/1/2 tagged
-> ip interface Backbone address 10.130.5.200+X/24 vlan 1305
-> ip static-route 0.0.0.0/0 gateway 10.130.5.253
-> ip helper address 10.130.5.7
-> interfaces 1/1/1-2 alias “Backbone”
-> interfaces 1/1/1-3 admin-state enable
-> write memory

4.2.3. SNMP

- Setup SNMP for later discovery through OV2500


OS6860
-> aaa authentication default local
-> user snmpuser password snmpuserv2 read-write all no auth
-> snmp security no-security
-> snmp community-map mode enable
-> snmp community-map public user snmpuser enable
-> snmp station 10.130.5.50+X 162 snmpuser v2 enable
4.3. OmniSwitch 6560 configuration

4.3.1. Access port


- Create AP management VLAN
- AP ports:
Configure as trunks
Set AP management VLAN as default
OS6560
-> vlan 40 name “Enterprise”
-> vlan 40 members port 1/1/3 untagged
-> lanpower slot 1/1 service start
-> interfaces 1/1/3 alias “AP1X”
-> interfaces 1/1/3 admin-state disable

Notes: Enable LLDP if previously disabled (it is enabled by default on AOS)

4.3.2. Backbone vlan ports


- Trunk port 2:
Tag vlan 40 (carrying AP data traffic)
Tag vlan 1305 (carrying traffic between OS6560 and OV2500)
OS6560
-> vlan 999 name “Trash”
-> vlan 999 members port 1/1/2 untagged
-> vlan 40 members port 1/1/2 tagged
-> vlan 1305 name “Backbone”
-> ip interface Backbone address 10.130.5.220+X/24 vlan 1305
-> ip static-route 0.0.0.0/0 gateway 10.130.5.253
-> vlan 1305 members port 1/1/2 tagged
-> interfaces 1/1/2 alias Backbone
-> interfaces 1/1/2-3 admin-state enable

4.3.3. SNMP
- Setup SNMP for later discovery through OV2500
OS6560
-> aaa authentication default local
-> user snmpuser password snmpuserv2 read-write all no auth
-> snmp security no-security
-> snmp community-map mode enable
-> snmp community-map public user snmpuser enable
-> snmp station 10.130.5.50+X 162 snmpuser v2 enable
-> write memory

4.4. Test
- Verifying Backbone and LAN Switch connectivity
OS6560 / OS6860
-> ping 10.130.5.7 (DHCP server)
-> ping 10.130.5.(50+X) (OV 2500 server)

OS6560
-> ping 10.7.X.126 (vlan40 OS6860)
4.5. OmniVista LAN switch Discovery

- Discovering OmniSwitch 1 and 2 through OV2500 application


- Launch a Web Browser from the access server and enter the URL of OmniVista https://10.130.5.(50+X) and
enter admin for the user name and switch for the password and click OK.
- Select Network, then Discovery to open the discovery application
- On the Discovery main page, select Managed Devices.
- Click on Discover New Devices
- In the new page, click on the + button to add a single IP Address (OS6860)
Enter IP information:
- Start IP: 10.130.5.(200+X)
- End IP: 10.130.5.(200+X)
- Subnet Mask: 255.255.255.0
- Select the Default profile from Choose Discovery Profiles and click on + so that it will move to the
right
- Click Create
- Click on the + button to add the second single IP Address (OS6560)
Enter IP information
- Start IP: 10.130.5.(220+X)
- End IP: 10.130.5.(220+X)
- Subnet Mask: 255.255.255.0
- Select the Default profile from Choose Discovery Profiles and click on + so that it will move to the
right
- Click Create

- Select the two ranges created and then press on Discover Now. Once the Discovery process is completed,
click on Finish.
- Your display should look as follows:
5 OmniAccess Stellar Access Point deployment

5.1. Access Point deployment

Booting the Access Points AP1x and AP2x


AP1x and AP2x are connected to port 1/1/3 of switch 1 and switch 2 respectively.
OS6560
-> interfaces 1/1/3 admin-state enable
OS6860
-> interfaces 1/1/3 admin-state enable

5.2. AP Registration
- In Network > AP Registration, see the two Access Points UP in UnManaged List

Notes: If you go to the AP Registration page for the first time, you will be prompted to define a
country/region. Select “FR – France” or any other country and click on OK. Do not choose the
country code USA, Japan or Israel as the APs used in the Remote Lab are not compatible with
these country codes.

- Verify the AP connectivity, select both APs and trust them

- See the two Access Points UP in Managed List


- In the AP Group submenu, click on the “+” button to create an AP group named “APGx” (x is your POD
number)

- Keep the default parameters. In the “SSH” section of your AP-Group “APGx”, turn on SSH Login and set
the password to “Alcatel.0” and confirm it. This password will be used at the end of the session to reset
the AP.

Notes: APs in an AP Group share common options like RF Profile, Timezone, NTP, Syslog and PMD
(TFTP) servers

- Go to the Access Points submenu. In the Managed tab, select the two APs and click on the “Edit” button.
- In the contextual window, click on “Change Group”.

- Move the two new APs to AP Group “APGx” and click on Apply.


The two Access Points should be displayed on the OmniVista Dashboard in the AP Management widget, and the group
APGx in the AP Groups widget.
By clicking on More, you can access the configuration page of the AP group and the Access Points.

Your Lab is now completed.


6 Test

1. What DHCP parameter is delivering IP address to the Stellar Access points?

2. Which VLAN is always untagged on Stellar AP wired interface?

3. Which information is shared among APs having the same RF profile?
Stellar OmniAccess Wlan
Lab: Create a secure Employee SSID

How to
✓ How to create a secure SSID for Employee in an Enterprise mode with
Stellar Access Points

Contents
1 Creation & Deployment of an SSID.......................................................... 2
1.1. Topology ................................................................................................. 2
1.2. Service Vlans ............................................................................................ 2
1.2.1. Creation of an SSID EmployeeX .......................................................................... 4
1.2.2. Creation of a WLAN Service profile (SSID) .............................................................. 5
1.2.3. AAA Server Profile .......................................................................................... 5
1.2.4. Access Role Profile ......................................................................................... 6
1.2.5. Apply the Access Role Profile to the APs ................................................................ 6
1.2.6. Authentication Strategy ................................................................................... 7
1.2.7. Access Policy configuration ............................................................................... 8
1.2.8. Create an Employee Account ............................................................................. 9
1.2.9. Apply Profile(s) to AP Group(s) ......................................................................... 10

2 Testing Employee Wireless Access with Internal UPAM RADIUS Authentication .... 11
2.1.1. Test wireless connectivity............................................................................... 11
2.1.2. Setup the client to connect to the SSID EmployeeX ................................................. 11
2.1.3. OmniVista 2500/UPAM monitoring ..................................................................... 15

3 Test ........................................................................................... 18
1 Creation & Deployment of an SSID

1.1. Topology

Topology diagram (figure):
- DHCP server 10.130.5.7; OmniVista 2500 10.130.5.50+X and UPAM 10.130.5.70+X; backbone gateway 10.130.5.253 on VLAN 1305
- OS6860 (switch 2), 10.130.5.200+X on VLAN 1305: port 1/1/1 to the backbone; port 1/1/2 trunk to the OS6560 (default VLAN 999, VLAN 40 and Employee VLAN 20 tagged); port 1/1/3 to AP 2X (AP1221), VLAN 40 (IP interface 10.7.X.126) and EmployeeX VLAN 20 tagged (IP interface 10.7.X.62); Client 2X
- OS6560 (switch 1), 10.130.5.220+X on VLAN 1305: port 1/1/2 trunk to the OS6860; port 1/1/3 to AP 1X (AP1101), VLAN 40 and EmployeeX VLAN 20 tagged (IP interface 10.7.X.61); Client 1X
1.2. Service Vlans

We first need to create VLAN 20 (needed to service the SSID “EmployeeX”) and tag it towards the AP
from the switch and over the trunk link between the access and core switches.

Create WLAN service VLANs


AP ports:
Configure as trunks
Add tagged WLAN service VLANs

OS6560
-> vlan 20 name “EmployeeX”
-> vlan 20 members port 1/1/3 tagged
-> vlan 20 members port 1/1/2 tagged
-> ip interface EmployeeX address 10.7.X.61/27 vlan 20
(replace X by your POD number)

OS6860
-> vlan 20 name “EmployeeX”
-> vlan 20 members port 1/1/3 tagged
-> vlan 20 members port 1/1/2 tagged
-> ip interface EmployeeX address 10.7.X.62/27 vlan 20
(replace X by your POD number)
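The VLAN layout the two labs build (management VLAN 40 untagged on the AP port, SSID VLAN 20 tagged on the AP port and on the trunk, as the topology note of the first lab states) can be checked mechanically from the switch CLI. The checker below is an added example, not code from the guide; the CLI transcripts are constructed from the lab's OS6560 commands with X = 1, and the port roles passed to it are assumptions.

```python
"""Check of the AP-port / trunk VLAN layout configured on the lab switches.

Added example, not code from the guide. Rule enforced: the AP management VLAN
is the only untagged VLAN on the AP port, every SSID VLAN is tagged on that
port, and the uplink trunk carries the management, SSID and backbone VLANs
tagged. CLI samples are constructed from the lab's OS6560 commands with X = 1.
"""
import re
from collections import defaultdict

# Matches "-> vlan 20 members port 1/1/3 tagged" (AOS 8 syntax used in the lab)
MEMBER_RE = re.compile(r"vlan\s+(\d+)\s+members\s+port\s+(\S+)\s+(tagged|untagged)\b")


def parse_members(cli_text):
    """Map each port to its tagged and untagged VLAN sets."""
    ports = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    for line in cli_text.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            vlan, port, mode = int(m.group(1)), m.group(2), m.group(3)
            ports[port][mode].add(vlan)
    return dict(ports)


def _port(ports, name):
    return ports.get(name, {"tagged": set(), "untagged": set()})


def check_ap_layout(ports, ap_port, trunk_port, mgmt_vlan, ssid_vlans, backbone_vlan):
    """Return the list of violations; an empty list means the layout matches the lab design."""
    problems = []
    ap, trunk = _port(ports, ap_port), _port(ports, trunk_port)

    # 1. The Stellar AP boots untagged: exactly one untagged VLAN, the management VLAN
    if ap["untagged"] != {mgmt_vlan}:
        problems.append(f"{ap_port}: management VLAN {mgmt_vlan} must be the only untagged VLAN, "
                        f"found {sorted(ap['untagged'])}")
    # 2. SSID VLANs ride tagged on the AP port and on the trunk
    for vlan in ssid_vlans:
        if vlan not in ap["tagged"]:
            problems.append(f"{ap_port}: SSID VLAN {vlan} is not tagged")
        if vlan not in trunk["tagged"]:
            problems.append(f"{trunk_port}: SSID VLAN {vlan} is not tagged towards the core")
    # 3. Management (AP to OmniVista) and backbone VLANs must cross the trunk tagged too
    for vlan, role in ((mgmt_vlan, "management"), (backbone_vlan, "backbone")):
        if vlan not in trunk["tagged"]:
            problems.append(f"{trunk_port}: {role} VLAN {vlan} is not tagged towards the core")
    return problems


# Constructed sample: the OS6560 commands from the two labs, X = 1
OS6560_OK = """
-> vlan 40 name "Enterprise"
-> vlan 40 members port 1/1/3 untagged
-> vlan 999 name "Trash"
-> vlan 999 members port 1/1/2 untagged
-> vlan 40 members port 1/1/2 tagged
-> vlan 1305 name "Backbone"
-> vlan 1305 members port 1/1/2 tagged
-> vlan 20 name "Employee1"
-> vlan 20 members port 1/1/3 tagged
-> vlan 20 members port 1/1/2 tagged
"""

# Constructed mistake: VLAN 20 added untagged on the AP port, so the port has two
# untagged VLANs and the EmployeeX SSID traffic is not tagged as the AP expects
OS6560_BROKEN = OS6560_OK.replace("vlan 20 members port 1/1/3 tagged",
                                  "vlan 20 members port 1/1/3 untagged")


def audit(cli_text):
    """Run the lab check with the OS6560 port roles (assumed: AP on 1/1/3, trunk on 1/1/2)."""
    return check_ap_layout(parse_members(cli_text), ap_port="1/1/3", trunk_port="1/1/2",
                           mgmt_vlan=40, ssid_vlans=[20], backbone_vlan=1305)


if __name__ == "__main__":
    for label, text in (("ok", OS6560_OK), ("broken", OS6560_BROKEN)):
        print(label, audit(text) or "layout matches the lab design")
```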
1.2.1. Creation of an SSID EmployeeX

- The deployment of an SSID consists of several steps:

- Creation of a "WLAN Service" profile (SSID)
- Creation of an "AAA Server Profile" (if it does not exist)
- Creation of an "Access Role Profile" (if it does not exist)
- Creation of an Access Policy (if it does not exist)
- Definition of an Authentication Strategy (if it does not exist)
- Creation of a RADIUS local employee account (if it does not exist)
- Deployment of the profiles (templates) to AP Group(s)
1.2.2. Creation of a WLAN Service profile (SSID)

OV2500 -> WLAN -> WLAN Service -> + (Create icon)

- Enter a Service Name and configure the profile as described below:


ESSID - EmployeeX
Hide SSID - Disable
Enable SSID - Enable
Allowed Band - All
Security Level - Enterprise
Encryption type - WPA2_AES
AAA Profile - AAA-Server-PODX
Default Access Role Profile - Access-role-employeeX

Notes: AAA server and Access Role profiles can be created prior to setting up WLAN services, but for
this exercise you will create specific profiles through the WLAN Service configuration screen.

1.2.3. AAA Server Profile

Tips: UPAM supports both captive portal and RADIUS server and can be used to implement multiple
authentication methods: MAC, 802.1X and captive portal authentication. User Profiles can be
supported in the OmniVista database or on external servers.

AAA Server Profile


- In the Security section, click on the “AAA Profile” field, select “+ Add New” and create the following
AAA Server Profile “AAA-Server-PODX”:

Authentication Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer

Accounting Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer

Click on the Create icon.


You are then sent back to the WLAN Service page. In the Security section, select “AAA-Server-PODX” as the AAA
Profile.
Notes: In UPAM, there is a system-defined NAS Client Item (All Managed Devices). It cannot be
deleted and is used to indicate that all the devices managed by OmniVista are automatically added
into the NAS Client Database of UPAM and perform the AAA process.
The shared secret in the system-defined “All Managed Devices” NAS profile is “123456”.

1.2.4. Access Role Profile

Access Role Profile


Notes: In this exercise you will create a specific access role “Access-role-employeeX” profile even
if the use of the “defaultWLANprofile” should be enough for the test.

- In the Security section, click on the “Default Access Role Profile” field, select “+ Add New” and create
the Access Role Profile Access-role-employeeX.
- Keep the default values for all parameters.
- Click on the Create icon.

- Back on the WLAN Service page, in the Security section, select “Access-role-employeeX” as the Default
Access Role Profile.
- Click on the Create icon.

1.2.5. Apply the Access Role Profile to the Stellar APs

- Go to the submenu Access Role Profile on the left Panel.


- Select the checkbox next to the Access role profile “Access-role-employeeX” and click on the Apply to
Devices button to assign this profile to your APs.

- Do not change the Mapping method and enter the Vlan number “20” which is the EmployeeX VLAN.

- Click on AP Group “Add”.


- Select the AP Group APGX from the list on the left, add it to the section on the right and click on OK.

- Click on Apply.
- Check for success message.

- This is how the AP will map the Employee VLAN (20) to the EmployeeX SSID.

When the SSID uses Enterprise authentication, assign an AAA Server Profile and then create an Authentication
Strategy and an Access Policy.
At this step, the AAA Server Profile is already assigned to the SSID. The Authentication Strategy and Access Policy
must still be created.

1.2.6. Authentication Strategy

Notes: Authentication Strategy is used to set up a user profile source and login method (web page
or not) for authentication, as well as the network attributes applied after a successful
authentication.

OV2500 -> UPAM -> Authentication -> Authentication Strategy -> + (Create icon)

- Name the Strategy “User-PODX”, select the Authentication source as “local database”, “Access-role-
employeeX” as the default Access role profile and keep Web Authentication to none:
1.2.7. Access Policy configuration

Notes: Authentication Access Policies are used to define the mapping conditions for an
authentication strategy. Through Access Policy configuration, authentication strategy can be
applied to different user groups, which can be divided by SSID or other attributes.

OV2500 -> UPAM -> Authentication -> Access Policy -> + (Create icon)

- Create the access policy “User-PODX” that applies the previous strategy to employees authenticating on
the SSID “EmployeeX”. The employeeX profile will use 802.1X with the UPAM internal RADIUS server.

- In the Mapping Condition, select the SSID attribute and EmployeeX. Click on the + button.
- Keep “User-PODX” as the Authentication Strategy and click on Create.
1.2.8. Create an Employee Account


In order to create a login account for employeeX users in the local UPAM Database, click on the Create icon to
bring up the Create Employee Account Screen.
OV2500 -> UPAM -> Authentication -> Employee Account -> + (Create icon)

User: EmployeeX
Password: password
User is bound to the Access role “Access-role-employeeX”.
Click on Create.

Notes: You can automatically import an xls/csv/xlsx file containing Employee Account information
by clicking on the Import button at the top of the screen. You can also download a template by
clicking on the Import button and then on the template Download button.
1.2.9. Apply Profile(s) to AP Group(s)

The newly created SSID must be applied to the Stellar Access Points, otherwise the configuration is kept locally.
OV2500 -> WLAN -> WLAN Service

- Select the checkbox next to the SSID “EmployeeX” and click on the Apply to Devices button to assign the
profile to the Stellar APs of the network.

- Click on Add AP Group.


- Move the AP Group “APGX” to the right and click on OK.

- Click on Apply and check the success message.


2 Testing Employee Wireless Access with Internal UPAM RADIUS Authentication

2.1.1. Test wireless connectivity

Open vSphere Client, using the login “StellarPodX” and the password “alcatel”. Start the
VM “StellarClientX”.

2.1.2. Setup the client to connect to the SSID EmployeeX

X is your pod number.


Open the Control Panel and click on Network and Sharing Center

Click on Set up a new connection or network and then Manually connect to a wireless network

Click ‘Next’
Configure as follows:

Network name: EmployeeX (X is your POD number)


Security type: WPA2-Enterprise
Encryption type: AES

1. Click ‘Next’

Click ‘Change Connection Settings’

2. Click on ‘Security’ tab


Click on ‘Settings’

Uncheck ‘Validate Server Certificate’.

Click on ‘Configure’ and uncheck ‘Automatically use my Windows logon name…’. This will make sure
your windows login credentials are not used for the authentication.

3. Click ‘Ok’ and ‘Ok’ again.

4. Click on ‘Advanced Settings’ and Check ‘Specify Authentication Mode’ and select ‘User
Authentication’
Click ‘Ok’ and ‘Ok’ again

5. Click ‘Close’ on the ‘Manually Create Wireless Network’ window

At this point, your configuration is complete. It’s time to test it!

6. Connect to your SSID.

You should see a popup asking for credentials. It should automatically open a Windows Security window where
you can enter the credentials. If not, click the “Enter/select additional logon information” link.

Connect to your EmployeeX SSID using the credentials that you have entered in the local user database:

User: EmployeeX
Passwd: password

Click inside this pop-up.

Once a successful connection has been established, you should have an IP address in the
10.7.X.32/27 network (not a self-assigned 169.254.x.x address). You should be able to ping
the DHCP (10.130.5.7) and OV2500/UPAM (10.130.5.50+X) IP addresses as well as the Internet.
2.1.3. OmniVista 2500/UPAM monitoring

Login to the OmniVista 2500/UPAM at 10.130.5.(50+X)

Navigate to OV2500 -> UPAM -> Authentication -> Authentication Record

Answer the following questions:


Name of User : _________________
Client MAC address: __________________
Access Role: _____________________
AP-Name: _______________________

OV2500 -> Administrator -> Audit -> UPAM -> Radius


Display log information in case of failure.

OV2500 -> WLAN -> Client -> Client List

Check for clients associated with your Stellar access points.


Answer the following questions:


Name of User : _________________
Client IP address: __________________
SSID: _____________________
Radio
Channel: ______
Band: ______
Throughput: ___________
AP name: ___________

OV2500 -> Network -> Locator -> Locate

With the Locator application, you can click on Search by to locate a “user” based on criteria such as Auth User, MAC
Address, IP Address or Hostname.
Here, specify the auth user name EmployeeX and click on Locate to run the search within the network.
In the Netforward Results Table, Locator reports all equipment that meets the criteria. The table display
will vary depending on the view option you choose: Location (default), Classification, Data Center, or Template,
which is used to create custom views.

Your Lab is now completed.


3 Test

1. Can you update automatically any parameter modification from OV to the APs?

2. Which profile determines the wireless user authentication mechanism?

3. What is the main role of the Strategy profile?


Stellar OmniAccess Wlan
Lab: Create a secure Employee-AD SSID using Active Directory

How to
✓ How to create a secure SSID for Employee in Enterprise mode with an
Active Directory

Contents
1 Creation & Deployment of an SSID.......................................................... 2
1.1. Topology ................................................................................................. 2
1.2. Service Vlans ............................................................................................ 2
1.2.1. Creation of an SSID Employee-ADX ...................................................................... 3
1.2.2. Creation of a WLAN Service profile (SSID) .............................................................. 4
1.2.3. Create the AD server ....................................................................................... 4
1.2.4. Authentication Strategy ................................................................................... 5
1.2.5. Policy List Web-Services ................................................................................... 6
1.2.6. Create the Access-Role “Access-Role-Contractor” .................................................... 7
1.2.7. AD Role Mapping ............................................................................................ 8
1.2.8. Access Policy configuration ............................................................................... 9
1.2.9. Apply Profile(s) to AP Group(s) ........................................................................... 9

2 Testing Employee-AD Wireless Access with Internal UPAM RADIUS Authentication and AD
database ...................................................................................... 11
2.1.1. Test wireless connectivity............................................................................... 11
2.1.2. Setup the client to connect to the SSID Employee-ADX ............................................. 11

3 Test ........................................................................................... 16
1 Creation & Deployment of an SSID

1.1. Topology

Topology diagram (figure):
- DHCP server 10.130.5.7; OmniVista 2500 10.130.5.50+X and UPAM 10.130.5.70+X; backbone gateway 10.130.5.253 on VLAN 1305
- OS6860 (switch 2), 10.130.5.200+X on VLAN 1305: port 1/1/1 to the backbone; port 1/1/2 trunk to the OS6560 (default VLAN 999, VLAN 40 and Employee VLAN 20 tagged); port 1/1/3 to AP 2X (AP1221), VLAN 40 (IP interface 10.7.X.126) and Employee-ADX VLAN 20 tagged (IP interface 10.7.X.62); Client 2X
- OS6560 (switch 1), 10.130.5.220+X on VLAN 1305: port 1/1/2 trunk to the OS6860; port 1/1/3 to AP 1X (AP1101), VLAN 40 and Employee-ADX VLAN 20 tagged (IP interface 10.7.X.61); Client 1X
1.2. Service Vlans

The Employee-ADX SSID will use the same VLAN 20 as the Employee SSID.
Employees will then have two SSIDs to connect to the corporate network with the same network access rights.
No new VLAN is required.
1.2.1. Creation of an SSID Employee-ADX

- The deployment of an SSID consists of several steps:

- Creation of a "WLAN Service" profile (SSID)
- Creation of an Access Policy (if it does not exist)
- Definition of an Authentication Strategy (if it does not exist)
- Creation of a Policy List
- Creation of an Access Role Profile (dedicated to the Contractors)
- Configuration of the Active Directory server
- Creation of a Role Mapping for LDAP/AD
- Deployment of the profiles (templates) to AP Group(s)
1.2.2. Creation of a WLAN Service profile (SSID)

OV2500 -> WLAN -> WLAN Service -> + (Create icon)

- Enter the Service Name Employee-ADX and replace X by your POD number.
- In the Basic section configure the following parameters :
ESSID - Employee-ADX
Hide SSID - Disable
Enable SSID - Enable
Allowed Band - All
- In the Security section configure the following parameters :
Security Level - Enterprise
Encryption type - WPA2_AES
AAA Profile - AAA-Server-PODX
Default Access Role Profile - Access-role-employeeX
- Keep the default values for all the other parameters and click on Apply.

Notes: We will use the same AAA Profile and Default Access Role Profile as the EmployeeX SSID.
The type of authentication and the RADIUS server do not change here. It is the user database that will
later be selected to point to the Active Directory.

1.2.3. Create the AD server

The AD is hosted on a Windows Server VM common to all the PODs.


On your OV2500 server, configure the AD so that it can be used as the user database.
Go to:
OV2500 -> UPAM -> Settings -> LDAP/AD Configuration

- In the LDAP/AD configuration page, Enable the LDAP/AD Server parameter.


- Configure the following parameters:
Server Type - AD (click on the switch LDAP/AD to change the value)
NETBIOS Domain Name - COMPANY
DNS Domain Name - company.com
FQDN/IP address of Domain Controller - 10.130.5.130
Username - OV2500
Password - Alcatel.0
AD Port - 389
- Click on Test Connection and check that you get the following message :

- If the connection to the AD server is successful, click on Apply.

1.2.4. Authentication Strategy

Notes: Authentication Strategy is used to set up a user profile source and login method (web page
or not) for authentication, as well as the network attributes applied after a successful
authentication.

OV2500 -> UPAM -> Authentication -> Authentication Strategy -> + (Create icon)

- Name the Strategy “EmployeeAD-PODX” and set the Authentication source as “External LDAP/AD”.
- Enable the Role Mapping, set “Access-role-employeeX” as the default Access role profile and keep the
Web Authentication to none:

1.2.5. Policy List Web-Services

In this lab, two different types of users can be authenticated on the Employee-ADX SSID: the company
employees and the contractors. Each company employee uses their own credentials, whereas the
contractors share a single login and password to access the network.
Based on the Department attribute returned by the AD server, the company employees are given full
access to the network and the contractors get restricted access to the network.

The restricted access to the network is defined by a policy List and will deny access to HTTP(S) traffic.
Go to:

OV2500 -> Unified Access -> Unified Policy -> Users & Groups -> Unified Policy List -> + (Create icon)

- Name the Policy List “ContractorX-Policy-List”.

- For the Add Unified Policies parameter, click on the Add button.

- In the Policy configuration page, configure the following parameters:


- Step 1 - Config
Name : Deny-http-PODX
Precedence : 30001

- Step 2 – Device Selection


Click on ADD in front of 0 AP Groups. Select the AP Group APGX and move it to the right part of the
table. Click on OK.

- Step 3 – Set Condition


Click on L4 Services and then on Group. As the HTTP(S) services have not been defined yet, click on
the Add button.

- In the Create Service Group page, you will find an empty table as customized services have not been
defined yet. Click on the Add button on the right side of the table and in the create service page
enter the following:
o Service Name: Web-Service
o Protocol: TCP
o Source Port: Enter http in the search field and click on Select all (HTTP, HTTP-alt
and HTTP-SSL).
o Destination Port: Do not modify this field.
o Click on Create to complete the creation of the “Web-Service” and then on Finish.

- Back to the Service Group page, name the Group Web-Services.


- Move all three Services to the right part of the table and click on Create.

Back to the Set Condition page, select Web-Services in Service Group.

- Step 4 – Set Action


Click on QOS and make sure that Disposition is checked and select DROP.

- Click on Create to complete the creation of the policy. Then confirm the creation by clicking on OK.

- Back to the Policy List configuration page, select the Policy Deny-http-PODX in the Add Unified
Policies field and click on Next.
- In the device selection page, click on ADD in front of “0 AP Groups”. Move the AP Group APGX to the
right side of the table and click on OK.
- Click on Create and then on OK.

1.2.6. Create the Access-Role “Access-Role-Contractor”

The Policy-List “ContractorX-Policy-List” must then be contained in an Access Role Profile that will be
assigned to the Contractor users.
Go to:

OV2500 -> Unified Access -> Unified Profile -> Template -> Access Role Profile -> + (Create icon)

- Name the Access Role Profile “Access-Role-Contractor”.


- Set the Policy List to “Contractor0-Policy-List”.
- Click on Create.

- Once created, select Access-Role-Contractor and click on Apply To Devices.


- In the new window, keep the Mapping Method as Map to VLAN and enter the VLAN number 20.
- Click on ADD AP Group.
- Move your APX on the right side of the table and click on OK.
- Click finally on Apply to push the Access Role Profile to the APs.

1.2.7. AD Role Mapping

Based on the Department name returned by the AD for each user, the network access behavior changes.
A company employee has full access to the network. No Role Mapping configuration is performed for
the Employee users, so they get the Default Access Role Profile “Access-Role-Employee0” configured in
the Employee-ADX SSID.
The AD returns the Department name “Contractor” for the contractor users. Based on this attribute,
the contractors are assigned the Access Role Profile “Access-Role-Contractor” created earlier, which
denies their HTTP(S) traffic.
Go to:

OV2500 -> UPAM -> Authentication -> Role Mapping LDAP/AD -> + (Create icon)

- Name the Role Mapping Role-Mapping-Contractor and keep the priority to 5.


- In the LDAP/AD Attributes section, click first on Fetch, otherwise you won’t find any attributes in
the list. OmniVista gathers the attributes from the AD server.
- Select the Attribute department, set the value to Contractor and click on the Add button.
- Set the Default Access Role Profile to Access-Role-Contractor and click on Create.
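The two mechanisms configured in 1.2.5 and 1.2.7 (a Policy List that drops web traffic, and a Role Mapping that picks the Access Role Profile from the AD department attribute) can be modelled in a few lines to check the expected outcome before testing on the clients. The Python below is an added example written for this guide, not OmniVista or UPAM code. The AD records, the mapping order (lower priority number first), the rule order (higher precedence value first) and the flow samples are constructed assumptions; the Web-Services group is matched on either port because Policy List enforcement is bidirectional.

```python
# Added example (not OmniVista/UPAM code): models AD role mapping plus
# Policy List enforcement as configured in this lab.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed stand-in for the attributes UPAM fetches from the AD (assumption).
AD_USERS: Dict[str, Dict[str, str]] = {
    "Employee":   {"department": "Engineering"},   # constructed value
    "Contractor": {"department": "Contractor"},    # value used by the lab
}

# Role Mapping entries as in 1.2.7: (priority, attribute, value, Access Role Profile).
# Lower priority number is evaluated first (assumption of this model).
ROLE_MAPPINGS: List[Tuple[int, str, str, str]] = [
    (5, "department", "Contractor", "Access-Role-Contractor"),
]
DEFAULT_ROLE = "Access-role-employeeX"   # Default Access Role Profile of the SSID


@dataclass(frozen=True)
class Policy:
    name: str
    precedence: int
    protocol: str
    ports: FrozenSet[int]   # ports of the L4 service group
    action: str             # "DROP" or "ACCEPT"


# The lab's "Web-Services" group: HTTP, HTTP-alt and HTTP-SSL.
WEB_SERVICES = frozenset({80, 8080, 443})

# Policy Lists per Access Role Profile. Employees have no restriction.
POLICY_LISTS: Dict[str, List[Policy]] = {
    "Access-Role-Contractor": [Policy("Deny-http-PODX", 30001, "tcp", WEB_SERVICES, "DROP")],
    DEFAULT_ROLE: [],
}


def map_role(attributes: Dict[str, str]) -> str:
    """Return the Access Role Profile of the first matching Role Mapping,
    or the SSID's Default Access Role Profile when nothing matches."""
    for _prio, attr, value, role in sorted(ROLE_MAPPINGS):
        if attributes.get(attr) == value:
            return role
    return DEFAULT_ROLE


def evaluate_policy_list(role: str, protocol: str, src_port: int, dst_port: int) -> str:
    """Apply the role's Policy List to one flow.

    Rules are checked from the highest precedence value down (assumption);
    a service group matches on either port because enforcement is bidirectional.
    Traffic that matches no rule is accepted."""
    for rule in sorted(POLICY_LISTS[role], key=lambda r: r.precedence, reverse=True):
        if rule.protocol == protocol and (src_port in rule.ports or dst_port in rule.ports):
            return rule.action
    return "ACCEPT"


def access_decision(username: str, protocol: str, src_port: int, dst_port: int) -> Tuple[str, str]:
    """Role assigned at authentication time, then the verdict for one flow."""
    role = map_role(AD_USERS[username])
    return role, evaluate_policy_list(role, protocol, src_port, dst_port)


if __name__ == "__main__":
    # Constructed flows: HTTPS to the OS6860 web UI and SSH to the same host.
    for user in ("Employee", "Contractor"):
        print(user, "https:", access_decision(user, "tcp", 51000, 443))
        print(user, "ssh:  ", access_decision(user, "tcp", 51001, 22))
```

Running it reproduces the expected lab result: the Contractor account gets Access-Role-Contractor and its HTTPS flow is dropped while SSH passes, and the Employee account keeps the default role with no restriction.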

1.2.8. Access Policy configuration

Notes: Authentication Access Policies are used to define the mapping conditions for an
authentication strategy. Through Access Policy configuration, authentication strategy can be
applied to different user groups, which can be divided by SSID or other attributes.

OV2500 -> UPAM -> Authentication -> Access Policy -> + (Create icon)

- Create the access policy “EmployeeAD-PODX” that applies the previous strategy to the employees
connecting to the SSID “Employee-ADX”. This profile uses 802.1X with the UPAM internal RADIUS
server.

- In the Mapping Condition, select the SSID attribute and Employee-ADX. Click on the + button.
- Keep “EmployeeAD-PODX” as the Authentication Strategy and click on Create.

1.2.9. Apply Profile(s) to AP Group(s)

The newly created SSID must be applied to the Stellar Access Points, otherwise the configuration is only kept on OmniVista.
OV2500 -> WLAN -> WLAN Service

- Select the checkbox next to the SSID “Employee-ADX” and click on the Apply to Devices button to assign
the profile to the Stellar APs of the network.

- Click on Add AP Group.


- Move the AP Group “APGX” to the right and click on OK.

- Click on Apply and check the success message.



2 Testing Employee-AD Wireless Access with Internal UPAM RADIUS Authentication and AD database

2.1.1. Test wireless connectivity

Open vSphere Client, using the login “StellarPod0” and the password “alcatel”. Start the
VM “StellarClientX”.

2.1.2. Setup the client to connect to the SSID Employee-ADX

X is your POD number.


Open the Control Panel and click on Network and Sharing Center

Click on Set up a new connection or network and then Manually connect to a wireless network

Click ‘Next’

Configure as follows:

Network name: Employee-ADX (X is your POD number)


Security type: WPA2-Enterprise
Encryption type: AES

1. Click ‘Next’

Click ‘Change Connection Settings’

2. Click on ‘Security’ tab and uncheck “Remember my credentials…”



Click on ‘Settings’

Uncheck ‘Validate Server Certificate’.

Click on ‘Configure’ and uncheck ‘Automatically use my Windows logon name…’. This will make sure
your windows login credentials are not used for the authentication.

3. Click ‘Ok’ and ‘Ok’ again.

4. Click on ‘Advanced Settings’ and Check ‘Specify Authentication Mode’ and select ‘User
Authentication’

Click ‘Ok’ and ‘Ok’ again

5. Click ‘Close’ on the ‘Manually Create Wireless Network’ window

At this point, your configuration is complete. It’s time to test it!

6. Connect to your SSID.

You should see a popup asking for credentials. It should automatically open a Windows Security
window where you can enter the credentials. If not, click the “Enter/select additional logon
information” link.

Connect to your Employee-ADX SSID using first the Employee account saved on the AD:

User: Employee
Passwd: Alcatel.0

Click inside this pop-up.

Once a successful connection has been established, you should have an IP address in the 10.7.X.32/27
network (not the self-assigned 169.254.x.x address). You should be able to ping the DHCP (10.130.5.7)
and OV2500/UPAM (10.130.5.50+X).

Open a web browser and enter the URL https://10.7.X.62 (OS6860 IP address).
As the Employees have full access to the network, you can reach the web interface of the OmniSwitch.

Log out from the SSID Employee-ADX and log in, using this time the Contractor account:

User: Contractor
Passwd: Alcatel.0

Once a successful connection has been established, check that you have an IP address in the same
subnet as earlier: 10.7.X.32/27 (and not the self-assigned 169.254.x.x address).

Open a web browser and enter the URL https://10.7.X.62 (OS6860 IP address).
As the Contractors have limited access to the network (no web traffic allowed), the HTTPS request
fails here, as intended.

Notes: More complex network access restrictions can be configured and applied to the Access Role
Profile, such as bandwidth restriction or traffic restriction based on IP addresses or type of traffic.

Your Lab is now completed.



3 Test

1. Is the authentication source (AD here) configured in the WLAN service?

2. Must the AD users also be configured locally on the OV2500?

3. What is the purpose of the Role Mapping for LDAP/AD?


OmniAccess Stellar Wireless Lan
WLAN Service – Advanced options
Lesson summary
• Understand and configure the advanced options of the
WLAN Service.
WLAN Service – Advanced options
WLAN Service and SSID
Section SSID Settings – Basic
 SSID Name – Automatically filled with the WLAN service
Name
 Hide and Enable SSID
 Allowed Band : All, 2.4GHz, 5GHz

Section SSID Settings – Security


 Security Level (Enterprise, Personal, Open)
 Enterprise Encryption: WPA2_AES, WPA2_TKIP, WPA_AES, WPA_TKIP,
DYNAMIC_WEP
 Personal Encryption Type: WPA_PSK_AES, WPA_PSK_TKIP, WPA_PSK_AES_TKIP,
WPA2_PSK_AES, WPA2_PSK_TKIP

 Mac Authentication (Personal and Open)


 AAA Profile for RADIUS authentication
 Default Access Role Profile
 Mandatory, as the VLAN is set in the Access Role Profile
WLAN Service – SSID Optimization
Section QOS Settings

Bandwidth Contract
 Upstream (Ingress) bandwidth (and depth) for the SSID
 Downstream (Egress) bandwidth (and depth) for the SSID

Maximum number of Clients


 Maximum clients per band for this SSID on this AP

[Table: maximum number of clients per band per AP model (AP 1101, AP 122x, AP 123x, AP 1251, AP1201H, AP1201); the values were lost in extraction]
WLAN Service – Broadcast & Multicast Optimization
Broadcast Key rotation with the frequency
 Only applicable for Enterprise
 WPA, WPA2 and Dynamic WEP
 A unicast key (PTK) and a group key (GTK) are used to
encrypt traffic
 Rotate the keys periodically to avoid key cracking
 Default period: 15 min – Range 1 min – 24 hours

Broadcast Optimization
 Broadcast Filter All
 Drop all broadcast packets except DHCP & ARP.
 Broadcast Filter ARP
 Convert broadcast ARP to unicast ARP
 Recommended if no specific multicast application is used
WLAN Service – Broadcast & Multicast Optimization
Multicast Optimization / IGMP Snooping
 Multicast normally sent on the “Group” (GTK key) to reach all stations
 Uses the lowest data rate (which is typically 1 Mbps for the 802.11 b/g/n and 6 Mbps for 802.11 a/n)

 Enabling Multicast Optimization = Convert multicast to unicast


 Unicast key PTK used
 Uses the highest data rate (unicast)

 Limited to IP Multicast and IGMP Snooping


 IGMP Snooping implicitly enabled with Multicast Optimization

 Multicast Optimization automatically stops on high load


 Upper limit of multicast optimization:
 Channel Utilization (RF environment too poor to have optimization): default value 90, range 85~95
 Number of Clients (CPU load too high to support optimization): default value 32, range 16~64
WLAN Service – WMM QoS
802.11e
Ex: DSCP Mapping
WMM has 4 categories
 Background
 Best Effort
 Video
 Voice
For each category, can set the QOS treatment
 Uplink 802.1p
 802.1p value that needs to be stamped on the outgoing Ethernet packet
 Uplink DSCP
 DSCP value that needs to be stamped on the outgoing IP packet
 Downlink 802.1p
 Incoming packets on the uplink with this value are mapped to the corresponding WMM category
 Downlink DSCP
 Incoming packets on the uplink with this value are mapped to the corresponding WMM category
WLAN Service – WMM QoS Recommendation
Recommended Settings
WMM           802.1p   DSCP
Best Effort   0        0
Background    2        18 (AF21)
Voice         5        46 (EF)
Video         4        34 (AF41)

Default OV Settings
WMM           802.1p   DSCP (hex / decimal)
Best Effort   0, 3     0x00, 0x18 (0, 24)
Background    1, 2     0x08, 0x10 (8, 16)
Voice         6, 7     0x30, 0x38 (48, 56)
Video         4, 5     0x20, 0x28 (32, 40)
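To see how the two tables above work together (the Default OV settings classify downlink traffic into a WMM category, the Recommended settings decide what the AP stamps on uplink frames), here is a small model in Python. It is an added example for this guide, not OmniVista or AP code; the order in which DSCP and 802.1p are consulted, the handling of unmapped markings, and the sample frames are constructed assumptions.

```python
# Added example (not OmniVista/AP code): a model of the WMM <-> 802.1p/DSCP
# mapping described on this page, using the Recommended and Default OV tables.
from typing import Dict, List, Optional, Tuple

CATEGORIES = ("Background", "Best Effort", "Video", "Voice")

# Default OV settings (downlink): markings seen on the AP uplink that are
# mapped into each WMM category.
DEFAULT_DOWNLINK_8021P: Dict[str, Tuple[int, ...]] = {
    "Best Effort": (0, 3), "Background": (1, 2), "Voice": (6, 7), "Video": (4, 5),
}
DEFAULT_DOWNLINK_DSCP: Dict[str, Tuple[int, ...]] = {
    "Best Effort": (0x00, 0x18), "Background": (0x08, 0x10),
    "Voice": (0x30, 0x38), "Video": (0x20, 0x28),
}

# Recommended settings (uplink): (802.1p, DSCP) stamped on frames the AP
# sends towards the wired network for each category.
RECOMMENDED_UPLINK: Dict[str, Tuple[int, int]] = {
    "Best Effort": (0, 0), "Background": (2, 18), "Voice": (5, 46), "Video": (4, 34),
}


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper 6 bits of the IPv4 TOS / IPv6 Traffic Class byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte must be 0..255")
    return tos >> 2


def downlink_category(dscp: Optional[int] = None, pcp: Optional[int] = None) -> Optional[str]:
    """WMM category for a downlink packet.

    DSCP is consulted first (IP packets), then the 802.1p value (assumption of
    this model). None means the marking is not in the default tables; the
    model then assigns no category rather than guessing one."""
    if dscp is not None:
        for cat, values in DEFAULT_DOWNLINK_DSCP.items():
            if dscp in values:
                return cat
    if pcp is not None:
        for cat, values in DEFAULT_DOWNLINK_8021P.items():
            if pcp in values:
                return cat
    return None


def uplink_marking(category: str) -> Tuple[int, int]:
    """(802.1p, DSCP) to stamp on an uplink frame of the given WMM category."""
    return RECOMMENDED_UPLINK[category]


def classify_frames(frames: List[Tuple[int, Optional[int]]]) -> Dict[str, int]:
    """Count constructed (tos_byte, 802.1p or None) samples per WMM category."""
    counts = {cat: 0 for cat in CATEGORIES}
    counts["Unmapped"] = 0
    for tos, pcp in frames:
        cat = downlink_category(dscp_from_tos(tos), pcp)
        counts[cat or "Unmapped"] += 1
    return counts


if __name__ == "__main__":
    # Constructed samples: CS6 voice, best effort, CS4 video, and EF with no VLAN tag.
    SAMPLE = [(0xC0, 0), (0x00, 0), (0x80, 4), (0xB8, None)]
    print(classify_frames(SAMPLE))
    print("Voice uplink marking:", uplink_marking("Voice"))
```

The last sample is the interesting one: EF (DSCP 46) is what the Recommended table stamps on voice leaving the AP, but it is not one of the DSCP values the Default OV downlink table maps to Voice, so with default settings an untagged EF packet arriving on the uplink is not classified as voice by this model. That is the kind of mismatch to look for when checking a deployment's QoS end to end.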
WLAN Service - Others
WMM Power Save
 Always enabled on AP
 As per 802.11e
 WMM also features a Power Save certification that helps small devices on a network conserve battery
life. Power Save allows small devices, such as phones and PDAs, to transmit data while in a low-power
"dozing" status.

Voice and Video identification


 SIP and H.323 only
Follow us on…

Follow us on: www.al-enterprise.com

facebook.com/ALUEnterprise

linkedin.com/company/alcatellucententerprise

twitter.com/ALUEnterprise

youtube.com/user/enterpriseALU
OmniAccess Stellar Wireless Lan
User Role and Bandwidth Control
Lesson summary
• Understand a user role
• Configure the bandwidth contracts and understand the
precedence system
User Role
User Role - Overview
Policy List:
 User Role = Policy List
 List of Policy Rules (ACLs)
 Action can be
 Accept/drop
 Bandwidth control
 Priority, 802.1p, DSCP marking
 Application Policy Rules (DPI)
 In Application Visibility, application/application group Policy Rules can be set in a Policy List
 Enforcement is bidirectional
 Policy List Assignment
 From RADIUS
 From Access Role Profile (Default Policy List)
 Built-in roles
 Redirection (UPAM)
 Unauthorized (Time and Location based policy)

Example Policy List "Policy-Guest":
• Rule "http-traffic" ➢ Action: Accept
• Rule "Network-traffic" ➢ Action: Deny
• Rule "Guest-speed" ➢ Action: 1Mb/s
• Rule "Guest-priority" ➢ Action: 802.1p=3

[Diagram: the Policy List is assigned either through the Access Role Profile or returned by the RADIUS Server]
User Role - Considerations
 No Policy List / ACL on SSID
 Can not be directly assigned on the WLAN Service/SSID
 Assigned in the Access Role Profile set for the WLAN Service/SSID
 Access Role Profile can also be returned by RADIUS

 Direct Assignment from RADIUS

 AP support
 Policy Rules / ACL

                        AP 1101   AP 1221/22   AP 1231/32   AP 1251
Number of Policy Rules  1K        2K           3K           2K

 Full Application Visibility signature kit (~2K applications)


 Not supported on AP1101
User Role example – Deny access to devices
Deny access to the network for a set of devices (or MAC addresses)
 Solution: Assign a Policy List to the Access Role Profile of the SSID
 The device is still authenticated on the network, but its requests are discarded

[Diagram: Policy "Forbidden_MAC" -> Policy List "Forbid-MAC" -> Access Role Profile "access-role-guest0" -> SSID "Guest0"]
Bandwidth Control
User Role – Bandwidth Control
 Bandwidth contract at WLAN Service / SSID level
 Upstream (Ingress) bandwidth (and depth) for the SSID
 Downstream (Egress) bandwidth (and depth) for the SSID
 Bandwidth shared by all users, per radio

 Bandwidth contract at Access Role Profile level


 Upstream (Ingress) bandwidth (and depth)
 Downstream (Egress) bandwidth (and depth)
 For each user in this profile – Not shared

 Bandwidth contract at Role level


 Based on the Policy List associated to the user
 Policy List can have an Application/DPI rule with bandwidth control
 Policy List can have a generic ACL with bandwidth control
User Role – User Bandwidth control Precedence

User Context
• Role / Policy List
• Access Role Profile
• WLAN Service /SSID

Decision flow for user traffic (reconstructed from the flowchart):
1. Does the traffic match a DPI application in the Policy List set with BW control?
   Y: Application-specific BW enforcement as per the DPI rule in the Policy List (per user & application BW control).
   N (other user traffic): go to 2.
2. Does the traffic match an ACL in the Policy List set with BW control?
   Y: ACL-specific BW enforcement as per the Policy List.
   N (other user traffic): go to 3.
3. Is the Access Role Profile set with BW control?
   Y: User BW enforcement as per the Access Role Profile (per user BW control).
   N: go to 4.
4. Is the SSID set with BW control?
   Y: Shared BW enforced as per the WLAN Service/SSID (BW shared by all users).
   N: No BW limitation.

Precedence: User Role / Policy List, then Access Role Profile, then WLAN Service / SSID.
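The precedence flow above is easy to get wrong when several contracts are configured at once, so here it is written out as a function that can be exercised with sample contracts. This is an added example for this guide, not OmniVista or AP code; the rule and context field names, the kbps units and the guest sample are constructed, and the flow is evaluated per traffic flow exactly in the order of the four decisions on the slide.

```python
# Added example (not OmniVista/AP code): the user bandwidth control precedence
# flow of this page, applied per flow. Field names and sample contracts are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    name: str
    kind: str                      # "dpi" (application rule) or "acl"
    match: str                     # application name, or L4 service such as "tcp/443"
    bw_kbps: Optional[int] = None  # None: the rule carries no bandwidth control


@dataclass(frozen=True)
class UserContext:
    policy_list: Tuple[PolicyRule, ...]   # Role / Policy List of the user
    arp_bw_kbps: Optional[int]            # Access Role Profile contract (per user, not shared)
    ssid_bw_kbps: Optional[int]           # WLAN Service / SSID contract (shared by all users)


@dataclass(frozen=True)
class Flow:
    application: Optional[str]   # as classified by DPI, None if unknown
    l4_service: str


def bandwidth_enforcement(ctx: UserContext, flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (enforcement point, limit in kbps) following the four decisions in order."""
    # 1. DPI application rule with bandwidth control in the Policy List
    for r in ctx.policy_list:
        if r.kind == "dpi" and r.bw_kbps is not None and r.match == flow.application:
            return ("policy-list/dpi", r.bw_kbps)
    # 2. ACL in the Policy List set with bandwidth control
    for r in ctx.policy_list:
        if r.kind == "acl" and r.bw_kbps is not None and r.match == flow.l4_service:
            return ("policy-list/acl", r.bw_kbps)
    # 3. Access Role Profile contract: per user, not shared
    if ctx.arp_bw_kbps is not None:
        return ("access-role-profile", ctx.arp_bw_kbps)
    # 4. SSID contract: shared by all users of the SSID, per radio
    if ctx.ssid_bw_kbps is not None:
        return ("ssid-shared", ctx.ssid_bw_kbps)
    return ("none", None)


# Constructed sample: a guest role with two rated rules and one plain ACL,
# a per-user Access Role Profile contract and an SSID contract.
GUEST_CTX = UserContext(
    policy_list=(
        PolicyRule("video-cap", "dpi", "youtube", 1000),
        PolicyRule("https-cap", "acl", "tcp/443", 2000),
        PolicyRule("dns-allow", "acl", "udp/53"),      # matches, but has no BW control
    ),
    arp_bw_kbps=5000,
    ssid_bw_kbps=20000,
)


if __name__ == "__main__":
    for flow in (Flow("youtube", "tcp/443"), Flow(None, "tcp/443"),
                 Flow(None, "udp/53"), Flow(None, "tcp/22")):
        print(flow, "->", bandwidth_enforcement(GUEST_CTX, flow))
```

Note the "dns-allow" case: an ACL that matches the flow but carries no bandwidth control does not stop the evaluation, so DNS traffic of this guest falls through to the Access Role Profile contract.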
OmniAccess Stellar Wireless Lan
Unified Policy Authentication Manager (UPAM) - Guest
Lesson summary
• Understand the UPAM application.
• Configure a UPAM Guest access and the Guest operator
UPAM
Overview
Unified Policy Authentication Manager
OmniVista 4.2.2R01 has 2 new optional applications
 Guest Access – Guest License required
 BYOD Access – BYOD License required

UPAM consists of
 Guest Access
 BYOD Access
 A built-in RADIUS Server
 A built-in MAC Authentication Server
UPAM – Wired and Wireless user services

BYOD
 BYOD – Automation – Captive Portal Registration managed & maintained from OV
 Device Registration
 Authentication Servers for Employee

GUEST ACCESS
 Captive Portal – Admin credentials
 Guest account generation & Guest Portal Customization

 Strategy based Policy Enforcement
 Extensive Captive Portal Customization
UPAM - Overview
Authentication Server
 UPAM used for RADIUS Server for 802.1x and MAC authentication

E-mail server configuration


 Guest sponsor approval

External Log Server


 UPAM logs can be redirected to an external syslog server

Guest Access Management


 Web Redirection / Registration for Guest Access
 Customizable portal pages
 Guest Access License : per device license model (not per account)

BYOD Access Management


 Web Redirection / Registration for BYOD Access
 Customizable portal pages
 BYOD Access License : per device license model (not per account)
UPAM – Authentication server
Guests and Employees are authenticated by:
 Internal RADIUS Server (Local Database)

 External LDAP/AD and RADIUS servers


 LDAP Role Mapping: Option to assign Access Role Profile & Policy List based on AD attributes

Specify the authentication source in the Authentication Strategy


UPAM – Authentication Strategy
The Authentication Strategy determines
 Which Authentication Server will be
used for the Authentication
 None
 Local Database
 External LDAP/AD
 External RADIUS

 Network Enforcement
 What is the default Role of the user if the
Authentication server doesn’t return a role
 Web Redirection
 Web Authentication – which Captive Portal
template is returned
 Guest Access Strategy
UPAM – Location Based Policy Control
New Access Policy parameters
 Access Policy based on NAS Client Location
 Access Policy based on AP Group
New Authentication Strategy Location Policy
 Reload Enforcement – Apply new Policy when moving from Lobby Guest to Hotel Room Guest
 Overwrite enforcement – Keep Hotel Room Guest Policy even when moving to Lobby
UPAM
Guest Access
UPAM – Guest Access
WEB Redirection/Registration
 Authentication Strategy can impose a Web Redirection for Guest Access
 Registered & Remembered device/MAC address database
 Post Web Network Enforcement
Guest Access Strategy
 Registration Strategy
 Account Validity Period
 Device Validity Period
 Max number of devices per account

 Self-registration strategy
 Only for Username & Password
 Notification with Web, Email or SMS: E-mail server and SMS gateway configuration in UPAM
 Employee Sponsor

Guest Account
 Local Guest Account Database
 Created by Admin, employee sponsored, or from a Self-Registration
UPAM – Guest Access Strategy
[Screenshot: the Guest Access Strategy page has three sections: Registration Strategy, Login Strategy and Self-Registration Strategy]
Guest Tunneling
Guest Tunneling

Overlay Guest network while preserving Enterprise security
 Control what traffic needs to be tunneled
 Tunnel per Access Role Profile from Access Point to an OS6860/E or OS6900
 L2 GRE tunnel over L2/L3 networks
 OmniSwitch simplifies deployment with automatic tunnel creation to AP IP
 Max 16 tunnel starts per AP
 6860/E: 750 tunnel terminations
 6900: 1000 tunnel terminations

[Diagram: Guest 1 and Guest 2 connected to two APs, each AP tunneling guest traffic to the 6860/6900]
Videos (not reproduced in this document):
UPAM - Guest
UPAM - Guest Operator
UPAM - Guest Self Registration
UPAM - Guest Sponsor Approval
UPAM - Captive Portal Customization

Appendix
UPAM Guest Workflow
Appendix
UPAM – Guest Access Workflow
Appendix
UPAM – Active Directory (AD/LDAP) Authentication with Role Mapping
 Setup Process
 Create an AD/LDAP server and test the connection.
 Create an Authentication Strategy with External LDAP/AD as the source.
 Set up AD attribute/value based policies for granular control of role-based access.
Stellar OmniAccess Wlan
Lab: Create a Guest SSID

How to
✓ How to create a Guest SSID for Visitor in an Enterprise mode with
Stellar Access Points

Contents
1 Creation and Deployment of a Guest SSID (page 2)
1.1. Topology (page 2)
1.2. Service Vlans (page 2)
1.3. Creation of an SSID GuestX (page 3)
Creation of a WLAN Service profile (SSID) (page 4)
AAA Server Profile (page 4)
Access Role Profile (page 5)
Apply the Access Role Profile to the Stellar APs (page 5)
Activate Server Redirection (page 6)
Authentication Strategy (page 7)
Access Policy configuration (page 8)
Create a Guest Account (page 9)
Guest Access Strategy (page 9)
Captive Portal Customization (page 10)
Apply Profile(s) to AP Group(s) (page 11)
Mail Server Configuration (page 13)

2 Testing Guest Wireless Access with Captive Portal Authentication (page 14)
2.1. Test wireless connectivity (page 14)
2.2. Connection to the SSID GuestX (page 14)
2.3. OmniVista 2500/UPAM monitoring (page 17)
3 Test (page 19)
1 Creation and Deployment of a Guest SSID

1.1. Topology

[Topology diagram, reconstructed as a list from the figure labels]
- DHCP server: 10.130.5.7
- OmniVista / UPAM: 10.130.5.50+X (OmniVista), 10.130.5.70+X (UPAM)
- Backbone: 10.130.5.253, VLAN 1305
- OS6860: 10.130.5.200+X on VLAN 1305 (uplink port 1/1/1); GuestX VLAN 30 interface 10.7.X.94; VLAN 40 interface 10.7.X.126; port 1/1/2 trunk to the OS6560 (VLAN 30 and VLAN 40 tagged); port 1/1/3 to AP 2X (AP 1221) with default VLAN 999 and tagged Guest VLAN 30 and VLAN 40; Client 2X behind AP 2X
- OS6560: 10.130.5.220+X on VLAN 1305; GuestX VLAN 30 interface 10.7.X.93; port 1/1/2 trunk to the OS6860; port 1/1/3 to AP 1X (AP 1101) with tagged Guest VLAN 30 and VLAN 40; Client 1X behind AP 1X
1.2. Service Vlans

We first need to create the VLAN 30 (needed to service the SSID “GuestX”) and tag it towards the AP from
the switch and over the trunk between access and core switches.

Create WLAN service VLANs

AP ports:
Configure as trunks
Add tagged WLAN service VLANs

Replace X by your POD number in the commands below.

OS6560
-> vlan 30 name “GuestX”
-> vlan 30 members port 1/1/3 tagged
-> vlan 30 members port 1/1/2 tagged
-> ip interface GuestX address 10.7.X.93/27 vlan 30
OS6860
-> vlan 30 name “GuestX”
-> vlan 30 members port 1/1/3 tagged
-> vlan 30 members port 1/1/2 tagged
-> ip interface GuestX address 10.7.X.94/27 vlan 30
1.3. Creation of an SSID GuestX

- The deployment of an SSID consists of several steps:

- Creation of a "WLAN Service" profile (SSID)
- Creation of an "AAA Server Profile" (if it does not exist)
- Creation of an "Access Role Profile" (if it does not exist)
- Definition of the "Redirect Server IP" (if it does not exist)
- Creation of an Access Policy (if it does not exist)
- Definition of an Authentication Strategy (if it does not exist)
- Creation of a RADIUS local Guest account (if it does not exist)
- Configuration of the “Guest Access Strategy”
- Customization of the Captive Portal (if necessary)
- Deployment of the profiles (templates) to AP-Group(s)
- Configuration of the Mail Server (if necessary)
4
Lab: Create a Guest SSID

Creation of a WLAN Service profile (SSID)

OV2500 -> WLAN -> WLAN Service -> + (Create icon)

Enter a Service Name and configure the profile as described below:


ESSID - GuestX
Hide SSID - Disable
Enable SSID - Enable
Allowed Band - All
Security Level - Open
Mac-Auth - Enable
AAA Profile - guestX-AAA-profile
Default Access Role Profile - access-role-guestX

Notes: AAA servers and Access Role Profiles can be created before setting up WLAN services, but
for this exercise you will create specific profiles through the WLAN Service configuration screen.

AAA Server Profile

Tips: UPAM supports both captive portal server and RADIUS server; and can be used to implement
multiple authentication methods, such as MAC authentication, 802.1X authentication, and captive
portal authentication. User Profiles can be supported in the OmniVista database or on external
servers.



- In the Security section, click on the “AAA Profile” field, select “+ Add New” and create the following AAA
Server Profile “guestX-AAA-profile”:
Authentication Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer

Accounting Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer

- Click on the Create icon.


- Back to the WLAN Service page, select “guestX-AAA-profile” in the AAA Profile field.

Access Role Profile



Notes: In this exercise you will create a specific access role “Access-role-guestX” profile even if
the use of the “defaultWLANprofile” should be enough for the test.

- In the Security section, click on the “Default Access Role Profile” field, select “+ Add New” and create the
Access Role Profile access-role-guestX.
- Set the Redirect Status parameter to Enable as the Guest traffic will be redirected to the Captive Portal.
- Click on the Create icon.
- Back to the WLAN Service page, in the Security section, select “access-role-guest” as the Default Access
Role Profile.
- Click on the Create icon.

Apply the Access Role Profile to the Stellar APs

- Go to the submenu Access Role Profile on the left Panel.


- Select the checkbox next to the Access role profile “access-role-guestX” and click on the Apply to Devices
button to assign the profile to wireless devices on the network.

- Do not change the mapping Method and enter the Vlan number “30” which is the GuestX VLAN.

- Click on AP Group “Add”.


- Select the AP Group APGX from the list on the left, add it to the section on the right and click on OK.

- Click then on Apply.



- Check for success message.

- This is how the AP will map the Guest VLAN (30) to the GuestX SSID.

Activate Server Redirection


Notes: In order to redirect the http/https traffic from the Guest, the secondary IP address of the
OmniVista server must be configured (during the installation process of the server). This secondary
– or UPAM – IP address will receive all the redirected traffic and send back the captive portal
authentication web page.

OV2500 -> Unified Access -> Unified Profile -> Template -> Global Configuration -> Setting

- Select the default profile “upamGlobalConfiguration” and click on the Edit button.
- In the Redirect Server Host field, check that you have the secondary IP address “10.130.5.70(+Pod
Number)”. If not, enter this value.
- Click on Apply.

- This configuration must then be applied to the Stellar APs


- Select upamGlobalConfiguration and click on “Apply to Devices”.
- Click on Add AP Group, move the AP Group APGX to the right and click on OK.
- Click on Apply and check the Result Page.

When the SSID uses Captive Portal authentication, assign an AAA Server Profile and then create an
Authentication Strategy and an Access Policy.
At this step, the AAA Server Profile is already assigned to the SSID. The Authentication Strategy and
the Access Policy still have to be created.

Authentication Strategy

Notes: Authentication Strategy is used to set up a user profile source and login method (web page
or not) for authentication, as well as the network attributes applied after passing the
authentication.

OV2500 -> UPAM -> Authentication -> Authentication Strategy -> + (Create icon)

- Name the strategy “Guest-PODX”, select the Authentication source as “None”. As the initial
Authentication is set to “Open”, it does not require an Authentication source.
- Set the Web authentication to “Guest” and the Guest Access Strategy to “Default Guest”.

Notes: By setting the Web authentication to “Guest”, the UPAM server will return the “Guest”
Captive Portal pages. The Guest Access Strategy is the Guest Captive Portal template that will
define how the Captive Portal Authentication will be performed.

Access Policy configuration

Notes: Authentication Access Policies are used to define the mapping conditions for an
authentication strategy. Through Access Policy configuration, authentication strategy can be
applied to different user groups, which can be divided by SSID or other attributes.

OV2500 -> UPAM -> Authentication -> Access Policy -> + (Create icon)

- Name the Access Policy “Guest-PODX”; it applies the previous strategy to the guests connecting
to the SSID “GuestX”. The GuestX profile uses an Open Authentication and a Guest Web
Authentication.

- In the Mapping Condition, select the SSID attribute and GuestX. Click on the + button.
- Select “Guest-PODX” as the Authentication Strategy and click on Create.

Create a Guest Account

OV2500 -> UPAM -> Guest Access -> Guest Account -> + (Create icon)
- To create a login account for GuestX users in the local UPAM database, enter the following parameters:
User: GuestX
Password: password
Guest Strategy: Default Guest.
- Click on Create.
Notes: Another way to create a Guest account is via a Guest Operator web page. Once a Guest
Operator account has been created, log in with the provided URL and create a Guest account. A
Guest operator has no other rights on the OmniVista Server.

Guest Access Strategy

When the Captive portal Authentication is used to authenticate Guest users, the Guest Access Strategy will
define multiple parameters, such as:
- The validity period of the Guest accounts and the maximum number of devices authorized per guest account
- The login strategy: username & password, Terms & Conditions or Access Code
- Post Portal Authentication Enforcement
- Self-registration strategy

In this scenario, most parameters keep their default values, but self-registration is enabled together with
approval by a sponsor: an employee acting as the approver must validate every new Guest request.

OV2500 -> UPAM -> Guest Access -> Guest Access Strategy
- Select the default guest strategy “Default Guest” and Edit it.
- Keep the default values in Registration Strategy.
- In Login Strategy, select Username & Password and set the Success Redirect URL to Go to Success Page.
- Keep the default values in Post Portal Authentication Enforcement.
- In Self-Registration Strategy, Enable Self-Registration and select “Approve By Employee Sponsor” in the
Approval field.
- Set the Email Suffix Restriction to “@company.com” and click on the “+” button to add the suffix.
- Click on Apply.

Captive Portal Customization

At this time the guest user page, seen by guest users, is the Alcatel-Lucent default page. This section will show
you how to modify the actual Captive Portal page seen by the guest users by using your own logos / graphics,
welcome text and advertisement panels.
OV2500 -> UPAM -> Settings -> Captive Portal Page
- Select the DefaultPortal profile and click on the Edit button.
- Multiple pre-defined “Welcome” and “Success” pages can be chosen from the drop down menu.
- Select a new template for the “Welcome Template Name”: WelcomeLayout2 and the “Success Template
Name”: SuccessLayout5 and click on Apply.
- Once the templates have been selected, select the DefaultPortal profile and click on the Customization
button.
- Click on Edit Welcome Portal Page.
- On the panel on the right, change the Welcome Message to “Welcome to Alcatel Lucent Enterprise”.
- Keep the Logo as it is.
- Expand the First Advertisement Panel and click on Browse.
- Go to C:\Resources and select the picture “ap1101.png” and Open it.
- One of the two advertisement sections is now filled.

Notes: The size of the picture should match the size of the Advertisement section, otherwise, the
picture will be scaled and deformed.
The link to a URL can be used instead of a picture.
- Click on Apply.
- Click on Edit Success Portal Page on the right panel.
- Once again, the Logo will be kept and only one Advertisement section will be modified.
- Click on the second Advertisement Panel and click on Browse. Go to C:\Resources and select the picture
“ap1101.png” and Open it.
- Observe the result and click on Apply.

Both Welcome and Success pages of the “DefaultPortal” profile are now customized and will be seen by the
guest users.

Notes: A new template can be defined, with different Welcome and Success pages.
In UPAM -> Guest Access -> Guest Access Strategy, select the new template in the “Redirect
Strategy” field.
The look and feel of the Captive Portal can then be quickly modified for the Guest users.

Apply Profile(s) to AP Group(s)

The newly created SSID must be applied to the Stellar Access Points; until then the configuration exists only on the OmniVista server and is not pushed to the APs.
OV2500 -> WLAN -> WLAN Service
- Select the checkbox next to the SSID “GuestX” and click on the Apply to Devices button to assign the
profile to the Stellar APs of the network.
- Click on Add AP Group, move the AP Group APGX to the right and click on OK.
- Click on Apply and check for success messages.

Mail Server Configuration

The last step is to configure the parameters related to the mail server. The OmniVista server will send emails to
the sponsor when a Guest requests an account.
OV2500 -> UPAM -> Settings -> Email Server
- A mail server is already configured in the remote lab. Enter the following parameters:
- SMTP Server : mail.company.com
- Port : 25
- Send From : sponsorX@company.com , Replace X by your POD number
- Password : password
- Security Type : TLS
- Click on Apply.
2 Testing Guest Wireless Access with Captive Portal Authentication
2.1. Test wireless connectivity
Open vSphere Client, using the login “StellarPodX” and the password “alcatel”. Start the
VM “StellarClientX”.
2.2. Connection to the SSID GuestX
Connect to your SSID “GuestX”.

Once a successful connection has been established,


you should have an IP address in the 10.7.X.64/27
network (not the self asigned 169.254.x.x address).

You should be able to ping the DHCP and


OV2500/UPAM @IP addresses.

Now open a web browser on the client and enter any valid IP address or URL.
The HTTP request is redirected to the UPAM captive portal hosted on the OmniVista server, and the Guest Captive
Portal page is returned.

Notes: If the web redirection does not work and indicates a DNS failure, restart both Stellar APs.
Use the “lanpower” command on the OS6560 and 6860.
The reason is that the Stellar AP requires a reload for the redirection URL to be applied.
In the log-in window, the guest can log in in two different ways:
- Using the Guest login and password created in the local guest database (GuestX/password)
Notes: Check the Terms of use before login.
- Create your own username and password by clicking on “Create new one if don’t have an account”.
- In the new window, enter the username and password desired for the new guest as well as the email
address of the sponsor and click on Register.
Username : NewGuest
Password : password
Sponsor address : sponsorX@company.com , Replace X by your POD number
A Successful Register message is then returned and a summary of the Guest account request is displayed.
Notes: The validation of the account can be seen by the Guest when the Account status is set to
Enabled and the “Back to Login” button is disabled.
- On the Remote Desktop Connection, open a new tab in the web browser and enter the URL:
mail.company.com
- Log in with the username sponsorX@company.com and the password password. (Replace X by your POD
number)
Open the last mail received “Sponsor Request Notification” and click on the Approve link.
Notes: You might get a certificate error page after clicking on Approve; this is expected in the lab,
typically because the OmniVista server presents a self-signed certificate. Proceed anyway in order to get
the answer from the OmniVista server.

- The UPAM server sends back a confirmation message: “Approve the registration request successfully”.
- Back on the Guest web page, click on the Back to Login button and login with the new credentials
NewGuest and password.
2.3. OmniVista 2500/UPAM monitoring
- Login to the OmniVista 2500/UPAM at 10.130.5.(50+X)
- Navigate to OV2500 -> UPAM -> Authentication -> Authentication Record
- Answer the following questions:
Name of User : _________________
Client MAC address: __________________
AP-Name: _______________________
Notes: The same details can be found in OV2500 -> UPAM -> Guest Access -> Guest Device.
- Navigate to OV2500 -> UPAM -> Authentication -> Captive Portal Access Record
- Answer the following questions:
Name of User : _________________
Client MAC address: __________________
Auth Result: _______________________
Device Category: _______________________
AP-Name: _______________________

OV2500 -> Administrator -> Audit -> UPAM -> Radius

Display log information in case of failure.
OV2500 -> WLAN -> Client -> Client List
- Check for clients associated with your Stellar access points.
- Answer the following questions:
Client Name : _________________
Client IP address: __________________
SSID: _____________________
Radio Channel: ______
Band: ______
Throughput: ___________
AP name: ___________
OV2500 -> Network -> Locator -> Locate
With the Locator application, click on Search by to locate a “user” based on criteria such as Auth user, MAC
address, IP address or Hostname.
Here, specify the IP address <Guest_IP_address> and click on Locate to run the search within the network.

In the Netforward Results Table, Locator reports all equipment that meets the criteria. The table display
will vary depending on the view option you choose - Location (default), Classification, Data Center, or Template,
which is used to create custom views.

Your Lab is now completed.
3 Test
1. In which profile do you specify the Web redirection?
2. What is the role of the “Approved by Sponsor” option?
3. Who can create a Guest user?
OmniAccess Stellar Wireless Lan
Unified Policy Authentication Manager (UPAM) - BYOD
Lesson Summary

At the end of this module, you will be able to:
• Understand and configure BYOD access for employee personal devices.

UPAM – BYOD Access
WEB Redirection/Registration
• The Authentication Strategy can impose a Web Redirection for BYOD Access
• Registered & Remembered device/MAC address database
• The employee must provide credentials to register the device MAC address
• Post Web Network Enforcement
• Keep the initial network enforcement or change the Access Role Profile, Policy-List, Session Timeout and Accounting interval

BYOD Access Strategy
• Registration Strategy
  • Device Validity Period
  • Max number of devices per account

Employee Account
• Usually not created locally; LDAP/AD is used instead
• Employee Accounts can also be created locally

UPAM – BYOD Access and Employee Property
Alternate solution: BYOD devices can be created by the admin
• Referred to as Company Property
• Not counted in the BYOD license count

UPAM – BYOD Access Strategy
[Diagram: Registration Strategy, Login Strategy, Post web authentication strategy]

UPAM - BYOD Access – Part 1 (video)

UPAM - BYOD Access – Part 2 (video)

Stellar OmniAccess Wlan
Lab: Create a BYOD SSID

How to
✓ How to create a BYOD SSID for Employees with personal devices

Contents
1 Creation & Deployment of a BYOD SSID
1.1. Topology
1.2. Service VLANs
1.3. Creation of an SSID BYODX
  Creation of a WLAN Service profile (SSID)
  AAA Server Profile
  Access Role Profile
  Apply the Access Role Profile to the Stellar APs
  Post Captive Portal - Access Role Profile
  Authentication Strategy
  Access Policy configuration
  Create an Employee Account
  BYOD Access Strategy
  Apply Profile(s) to AP Group(s)
2 Testing BYOD Wireless Access with Captive Portal Authentication
2.1. Test wireless connectivity
2.2. Connection to the SSID BYODX
2.3. OmniVista 2500/UPAM monitoring
3 Test
1 Creation & Deployment of a BYOD SSID

1.1. Topology

[Topology diagram. Recoverable details:
- Backbone 10.130.5.253, management VLAN 1305 on port 1/1/1 of each OmniSwitch
- DHCP server 10.130.5.7; OmniVista 2500 / UPAM 10.130.5.50+X and 10.130.5.70+X
- OS6860 (10.130.5.200+X): AP 2X (model 1221) and Client 2X on ports 1/1/2 and 1/1/3; switch interfaces 10.7.X.62 in EmployeeX VLAN 20, 10.7.X.94 in GuestX VLAN 30, 10.7.X.126 in VLAN 40; default VLAN 999; VLANs 20, 30 and 40 tagged towards the AP
- OS6560 (10.130.5.220+X): AP 1X (model 1101) and Client 1X on ports 1/1/2 and 1/1/3; switch interfaces 10.7.X.61 in EmployeeX VLAN 20, 10.7.X.93 in GuestX VLAN 30; VLAN 40]

1.2. Service VLANs

The VLANs used for the BYOD access have already been created in the previous labs: VLAN 20 (Employee) and VLAN 30 (Guest).

Check that VLANs 20 and 30 exist and are attached to ports 1/1/2 and 1/1/3 on both the OS6560 and the OS6860:

OS6560
-> show vlan
-> show vlan 20 members
-> show vlan 30 members
OS6860
-> show vlan
-> show vlan 20 members
-> show vlan 30 members
1.3. Creation of an SSID BYODX

The deployment of a BYOD SSID consists of several steps:

- Creation of a "WLAN Service" profile (SSID)
- Creation of an "AAA Server Profile" (if it does not already exist)
- Creation of a pre-portal-authentication "Access Role Profile" (if it does not already exist)
- Definition of a post-portal-authentication "Access Role Profile" (if it does not already exist)
- Creation of an Access Policy (if it does not already exist)
- Definition of an Authentication Strategy (if it does not already exist)
- Creation of a local RADIUS Employee account (if it does not already exist)
- Configuration of the “BYOD Access Strategy”
- Deployment of the profiles (templates) to AP Group(s)

[Flow diagram: "BYOD" SSID (Open, Web Redirection, BYOD Strategy). Pre-authentication in the "Guest" VLAN 30 -> Captive Portal authentication -> post-authentication in the "Employee" VLAN 20]

Creation of a WLAN Service profile (SSID)

OV2500 -> WLAN -> WLAN Service -> + (Create icon)
Enter a Service Name and configure the profile as described below:
ESSID - BYODX
Hide SSID - Disable
Enable SSID - Enable
Allowed Band - All
Security Level - Open
MAC Auth - Enabled
AAA Profile - byodX-AAA-profile
Default Access Role Profile - access-role-byodX

Notes: AAA Server Profiles and Access Role Profiles can be created before setting up WLAN services, but in
this exercise you will create the specific profiles from the WLAN Service configuration screen.

AAA Server Profile

Tips: UPAM supports both captive portal server and RADIUS server; and can be used to implement
multiple authentication methods, such as MAC authentication, 802.1X authentication, and captive
portal authentication. User Profiles can be supported in the OmniVista database or on external
servers.
- In the Security section, click on the “AAA Profile” field, select “+ Add New” and create the following AAA
Server Profile “byodX-AAA-profile”:
Authentication Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer
Accounting Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer
- Click on the Create icon.
- Back on the WLAN Service page, select “byodX-AAA-profile” in the AAA Profile field.
Notes: In UPAM, there is a system-defined NAS Client item (All Managed Devices). It cannot be deleted and
indicates that all the devices managed by OmniVista are automatically added to the NAS Client database of
UPAM and can perform the AAA process.
The shared secret in the system-defined “All Managed Devices” NAS profile is “123456”. Treat it as a lab
value: the RADIUS shared secret is what authenticates the request and protects the User-Password attribute,
so a published default should not be relied on in a production deployment.

Access Role Profile

Notes: In this exercise you will create a specific Access Role Profile “access-role-byodX”, even though the
“defaultWLANprofile” would be enough for the test.

- In the Security section, click on the “Default Access Role Profile” field, select “+ Add New” and create the
Access Role Profile “access-role-byodX”.
- Set the Redirect Status parameter to Enable as the Employee traffic will be redirected to the Captive
Portal.
- Click on the Create icon.
- Back to the WLAN Service Page, in the Security section, select “access-role-byodX” as the Default Access
Role Profile.
- Click on Create.

Apply the Access Role Profile to the Stellar APs

- Go to the submenu Access Role Profile on the left Panel.
- Select the checkbox next to the Access Role Profile “access-role-byodX” and click on the Apply to Devices
button to assign the profile to the Stellar APs of the network.
- Do not change the Mapping Method and enter the Vlan number “30” which is the GuestX VLAN.
- Click on AP Group “Add”.
- Select the AP Group APGX from the list on the left, add it to the section on the right and click on OK.
- Click then on Apply and check the Success messages.
Post Captive Portal - Access Role Profile

Once the employee has authenticated on the Captive Portal, the device is considered trusted and an Access
Role Profile attached to the “Employee” VLAN is assigned to it.

The Access Role Profile “Access-role-employeeX” created in a previous lab will be used for that purpose:
- it is already attached to the “Employee” VLAN (20);
- its redirect status is disabled, as the captive portal redirection is no longer needed once the user is authenticated.

Authentication Strategy
Notes: Authentication Strategy is used to set up a user profile source and login method (web page
or not) for authentication, as well as the network attributes applied after passing the
authentication.
OV2500 -> UPAM -> Authentication -> Authentication Strategy -> + (Create icon)
- Name the strategy “BYOD-PODX” and set the Authentication source to “None”. As the initial
Authentication is “Open”, it does not require an Authentication source.
- Set the Web authentication to “Employee” and the BYOD Access Strategy to “Default BYOD”.
- Click on Create.
Notes: By setting the Web authentication to “Employee”, the UPAM server will return the
“Employee” Captive Portal pages. The BYOD Access Strategy is the BYOD Captive Portal template
that will define how the Captive Portal Authentication will be performed.
Access Policy configuration
Notes: Authentication Access Policies are used to define the mapping conditions for an
authentication strategy. Through Access Policy configuration, authentication strategy can be
applied to different user groups, which can be divided by SSID or other attributes.
OV2500 -> UPAM -> Authentication -> Access Policy -> + (Create icon)
- Name the Policy “BYOD-PODX”. It maps the strategy created above to employee devices connecting to the SSID
“BYODX”; the BYODX profile uses Open authentication followed by Employee (BYOD) Web authentication.

- In the Mapping Condition, select the SSID attribute and BYODX. Click on the + button.
- Select “BYOD-PODX” as the Authentication Strategy and click on Create.
Create an Employee Account

OV2500 -> UPAM -> Authentication -> Employee Account -> + (Create icon)
- In order to create a login account for BYODX users in the local UPAM Database, enter the following
parameters:
User: BYODX
Password: password
- Click on Create.
Notes: An Access Role Profile (such as Access-role-employeeX) can also be set directly in the Employee
account; in this lab it is set in the BYOD Access Strategy instead.

BYOD Access Strategy

When Captive Portal authentication is used for BYOD users, the BYOD Access Strategy defines several
parameters, such as:
- the device validity period and the maximum number of devices authorized per account
- the login strategy: URL redirection after a successful authentication
- the Post Portal Authentication Enforcement (the Access Role Profile applied after login)

In this scenario, most parameters keep their default values.

OV2500 -> UPAM -> BYOD Access -> BYOD Access Strategy

- Select the default BYOD strategy “Default BYOD” and Edit it.
- Keep the default values in Registration Strategy.
- In Login Strategy, set the Success Redirect URL to Go to Success Page.
- In Post Portal Authentication Enforcement, set the Fixed Access Role Profile to “Access-role-employeeX”.
- Click on Apply.

Apply Profile(s) to AP Group(s)

The newly created SSID must be applied to the Stellar Access Points; until then the configuration exists only on the OmniVista server and is not pushed to the APs.
OV2500 -> WLAN -> WLAN Service
- Select the checkbox next to the SSID “BYODX” and click on the Apply to Devices button to assign the
profile to wireless devices on the network.
- Click on Add AP Group, move the AP Group APGX to the right and click on OK.
- Click on Apply and check the success messages.
2 Testing BYOD Wireless Access with Captive Portal Authentication
2.1. Test wireless connectivity
Open vSphere Client, using the login “StellarPodX” and the password “alcatel”. Start the VM
“StellarClientX”.
2.2. Connection to the SSID BYODX
Connect to your SSID.

Once a successful connection has been established,


you should have an IP address in the 10.7.X.90/27
network (not the self asigned 169.254.x.x address).

This is the “Guest” network.

You should be able to ping the DHCP and


OV2500/UPAM @IP addresses.

Now open a web browser on the client and enter any valid IP address or URL.
The HTTP request is redirected (the Access Role Profile applied to the SSID has Redirect Status enabled) to
the UPAM captive portal hosted on the OmniVista server, and the BYOD Captive Portal page is returned.

Log in with the BYOD user from the local database: BYODX / password (replace X by your POD number).

Notes: Check the Terms of use before login.
After a successful login, check the IP address of the client. You should now have an IP address in the range
[10.7.X.37 – 10.7.X.62], i.e. in the “Employee” subnet 10.7.X.32/27.

2.3. OmniVista 2500/UPAM monitoring
- Login to the OmniVista 2500/UPAM at 10.130.5.(50+X)
Navigate to OV2500 -> UPAM -> Authentication -> Authentication Record
Answer the following questions:
Name of User : _________________
Client MAC address: __________________
Authentication Type: __________________
Authentication Result: __________________
Access Role: _____________________
AP-Name: _______________________
Notes: The Access Role assigned to the client is the Fixed Access Role Profile “Access-role-employeeX”.
After a successful authentication, the initial “Guest” Access Role Profile is replaced by this profile. The
access VLAN and the client IP address then change to the “Employee” VLAN (20), subnet 10.7.X.32/27.

Notes: The same details can be found in OV2500 -> UPAM -> BYOD Access -> BYOD Device.
Navigate to OV2500 -> UPAM -> Authentication -> Captive Portal Access Record
Answer the following questions:
Name of User : _________________
Client MAC address: __________________
Auth Result: _______________________
Device Category: _______________________
AP-Name: _______________________
Identify the AP on which the client is connected.
Open a console session to the OmniSwitch attached to this AP and enter the following command:
OS6560
-> show mac-learning
OS6860
-> show mac-learning

Look for the MAC address of the client in the table and check that it is assigned to the Employee VLAN (20).

OV2500 -> Administrator -> Audit -> UPAM -> Radius

Display log information in case of failure.
OV2500 -> WLAN -> Client -> Client List
Check for clients associated with your Stellar access points.
Answer the following questions:
Client Name : _________________
Client IP address: __________________
SSID: _____________________
Radio Channel: ______
Band: ______
Throughput: ___________
AP name: ___________
OV2500 -> Network -> Locator -> Locate
With the Locator application, click on Search by to locate a “user” based on criteria such as Auth user, MAC
address, IP address or Hostname.
Here, specify the IP address <BYOD_IP_address> and click on Locate to run the search within the network.

In the Netforward Results Table, Locator reports all equipment that meets the criteria. The table display
will vary depending on the view option you choose - Location (default), Classification, Data Center, or Template,
which is used to create custom views.

Your Lab is now completed.
3 Test
1. What is the purpose of the Fixed Access Role Profile in the Post Portal
Authentication Enforcement?
2. Which other database can be chosen as BYOD User Authentication source?
3. In which monitoring page can you check the Captive Portal Authentication
result?
OmniAccess Stellar Wireless Lan
RF Management and Optimization
Lesson Summary

At the end of this module, you will be able to:
• Understand and configure the RF profile

RF Management
Distributed Radio Management - DRM
Fully distributed control plane
• Each AP communicates with its neighbor APs
• Over-the-air protocol: neighbor AP discovery
• Over-the-LAN protocol: RF management
• RF context sharing: channel utilization & interference, number of clients per band, radio & AP, power…
• Each AP can take RF action (try, wait, retry mechanism)
• Limited to neighbor APs
• Does not rely on the AP Group or the AP management VLAN

Concept of RF Profile
• Default RF Profile
• Custom RF Profiles can be created
• RF Profile applied to an AP Group or at AP level
• Country Code set in the RF Profile
Distributed Radio Management - DRM
[Diagram: OmniVista assigns RF Profile Profile1 to AP Group 1 (APs 1, 2, 3, 4, 6) and RF Profile Profile2 to AP Group 2 (APs 5, 7); AP7 is explicitly assigned to RF Profile Profile2. APs on MGT VLAN 1 and MGT VLAN 2 exchange RF management over the LAN (RF App), scope = adjacent APs; neighbors are discovered over the air.]

RF Management – OmniVista
RF Profile configuration
• Name / Description & Country Code
• Smart Load Balance
• Scanning
• Band, Channel & Power

RF Management – OmniVista
Dynamic Radio Management (DRM) channel list selection
The admin can specify a list of channels that will be used by the Auto Channel Selection (ACS)
• Only for the 5GHz band (and 5GHz Low and High)
• Select enough channels to avoid interference between APs
SMART Air Share
Granular controls to improve the WiFi experience for 802.11a/n clients (high quality WiFi)
• 802.11b/g: Allow/Deny 11b/g (legacy) clients
• 2.4G client minimum data rate control: advanced control (recommended value 12)
• 5G client minimum data rate control: advanced control (recommended value 24)
• 2.4G MGMT beacon rate control
• 5G MGMT beacon rate control
SMART Load Balance
Band Steering
• Steer the client to the 2.4GHz or 5GHz radio/band
• 5GHz always preferred
• Or forced with the 5GHz enforcement option
• Decision based on client count per radio/band & channel utilization (overloaded)

Dynamic Load Balance
• Client load sharing between APs
• Decision based on client count per AP

Client SNR Threshold
• Client Signal to Noise Ratio in dB (noise floor ~ -95 dBm)
• Deny connection to the AP when the signal of the client is too weak
• Disconnect a client when the signal of this client becomes weak
• Default value: 2.4G = 18 dB, 5G = 12 dB - Range 0-40 dB
SMART Load Balance – Band Steering
Dual radio AP:
• Diff. = 5G client number – 2.4G client number (threshold: 10)
Tri radio AP:
• Pri-Diff. = 5G High client number – 2.4G client number (threshold: 10)
• Sec-Diff. = 5G Low client number – 2.4G client number (threshold: 10)

Overloaded: a channel is considered overloaded when its average medium utilization over the span of a minute exceeds 70%.
SMART Load Balance – Dynamic Load Balance
[Diagram: a new client broadcasts a join request heard by AP1, AP2 and AP3; AP2 replies to the client and the new client joins AP2]
• Every AP learns the neighboring information through the Neighbor Management Protocol
• When a new client appears, each AP sets up a timer based on its connected clients
• When the timer ends, the AP responds to the new client
• The new client is thus guided to the most lightly loaded AP
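
The decision logic on the Smart Load Balance slides above (band steering thresholds, client SNR threshold, dynamic load balance timers) can be made concrete with a small model. The following Python block is an added example written for this page; it is not Stellar firmware or ALE code. It takes only the numeric thresholds from the slides (difference of 10 clients, 70% utilization, 18/12 dB SNR defaults, -95 dBm noise floor) and assumes everything else: the data classes, the per-client timer step of 10 ms and the sample AP loads, which are constructed for the demonstration.

```python
"""Illustrative model (added example, not ALE code) of the three Smart Load
Balance decisions described on the slides: band steering, client SNR
threshold and dynamic load balance. Thresholds come from the slides;
the data model and the timer step are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

NOISE_FLOOR_DBM = -95            # slide: noise floor ~ -95 dBm
BAND_STEER_THRESHOLD = 10        # slide: 5G minus 2.4G client-count threshold
OVERLOAD_UTILIZATION = 0.70      # slide: >70% average medium utilization over a minute
SNR_THRESHOLD_DB = {"2.4G": 18, "5G": 12}   # slide defaults (configurable 0-40 dB)


@dataclass
class Radio:
    band: str                    # "2.4G" or "5G"
    clients: int = 0
    utilization: float = 0.0     # average medium utilization over the last minute (0..1)

    def overloaded(self) -> bool:
        return self.utilization > OVERLOAD_UTILIZATION


@dataclass
class AccessPoint:
    name: str
    radios: Dict[str, Radio]

    def client_count(self) -> int:
        return sum(r.clients for r in self.radios.values())


def snr_db(rssi_dbm: int) -> int:
    """SNR used by the Client SNR Threshold: received power above the noise floor."""
    return rssi_dbm - NOISE_FLOOR_DBM


def admit_client(band: str, rssi_dbm: int, threshold_db: Optional[int] = None) -> bool:
    """Refuse the association when the client's SNR is below the per-band threshold.
    Raising the threshold above a client's current SNR is what makes its next
    association attempt fail (the RF Profile lab does exactly that)."""
    limit = SNR_THRESHOLD_DB[band] if threshold_db is None else threshold_db
    return snr_db(rssi_dbm) >= limit


def steer_band(ap: AccessPoint, enforce_5g: bool = False) -> str:
    """Band steering for a dual-band client on a dual-radio AP: 5 GHz is preferred
    unless its channel is overloaded or it already carries more than
    BAND_STEER_THRESHOLD clients over the 2.4 GHz radio."""
    if enforce_5g:                         # "5GHz enforcement" option: always 5 GHz
        return "5G"
    r5, r24 = ap.radios["5G"], ap.radios["2.4G"]
    if r5.overloaded() or (r5.clients - r24.clients) > BAND_STEER_THRESHOLD:
        return "2.4G"
    return "5G"


def response_delay_ms(ap: AccessPoint, step_ms: int = 10) -> int:
    """Dynamic load balance: each AP arms a timer proportional to its own client
    count before answering a new client, so the least loaded neighbour answers first.
    step_ms is an assumed constant for this example, not a documented Stellar value."""
    return ap.client_count() * step_ms


def pick_ap_for_new_client(aps: List[AccessPoint]) -> AccessPoint:
    """The new client follows the first reply it hears, i.e. the shortest timer."""
    return min(aps, key=lambda ap: (response_delay_ms(ap), ap.name))


if __name__ == "__main__":
    # Constructed sample: three neighbouring APs with different loads.
    aps = [
        AccessPoint("AP1", {"2.4G": Radio("2.4G", 4, 0.30), "5G": Radio("5G", 9, 0.55)}),
        AccessPoint("AP2", {"2.4G": Radio("2.4G", 1, 0.10), "5G": Radio("5G", 2, 0.20)}),
        AccessPoint("AP3", {"2.4G": Radio("2.4G", 3, 0.25), "5G": Radio("5G", 16, 0.80)}),
    ]
    chosen = pick_ap_for_new_client(aps)
    print(f"new client joins {chosen.name} after {response_delay_ms(chosen)} ms")
    for ap in aps:
        print(f"{ap.name}: steer a dual-band client to {steer_band(ap)}")
    print("client at -80 dBm admitted on 5G:", admit_client("5G", -80))
    print("client at -80 dBm admitted on 2.4G:", admit_client("2.4G", -80))
```

Running it prints which AP answers the new client first (the one with the fewest clients) and which band each AP would steer a dual-band client to; AP3 sends it to 2.4 GHz both because its 5 GHz channel is over 70% utilized and because it already carries more than 10 clients above its 2.4 GHz radio. The tri-radio case on the slide is the same comparison applied twice, once against the 5G High radio and once against the 5G Low radio.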
Scanning
Background scanning
• Each radio can periodically scan the air – one channel at a time
• During scanning, wireless clients are impacted – no 802.11 data
• Scanning is required for WIPS (and for spectrum analysis in a future release)
  • Interfering & rogue AP detection
  • Wireless attack detection

Scanning interval and duration
• Default interval = 5 sec – Range = 5-10 sec
• Default duration = 20 ms – Range = 20-110 ms

Dedicated AP scanning mode
• AP only used to scan the air in order to assess the quality of the wireless environment

Voice and Video Awareness
• Bypass scanning when the AP has an active voice or video session from a client
• SIP and H.323 only
Band, Channel and Power settings
Per band configuration (2.4G, 5G (all), 5G High and 5G Low)
Channel and Power settings mode
• Auto mode
  • The channel number and power setting are automatically set & adjusted
  • Optimal settings to minimize interference and maximize WiFi coverage
  • Decision based on the RF context shared between neighbor APs
  • Does not depend on the background scanning configuration status
  • Channel width still needs to be set
• Explicit mode
  • The channel number, channel width and power setting are manually set
  • Channel numbers are restricted per Country Code
  • Channel width for 2.4G: 20 MHz (default) or 40 MHz
  • Channel width for 5G, 5G Low, 5G High: 20 MHz, 40 MHz (default), 80 MHz or 160 MHz
  • Power: Auto or a value in 3-23 dBm

Short Guard Interval
• Used to improve the overall throughput of the AP
RF Optimization and Recommendation

Smart Load Balance
- Band Steering: Enable
- Signal Strength / Client SNR Threshold: Keep the default threshold.
  • Low value recommendation is 10: many weak clients can associate, overall throughput is low.
  • High value recommendation is 25: weak clients cannot associate, overall throughput is better.
- Dynamic Load Balance: Enabled

Scanning
- Background scanning: Enabled (only required for WIPS)
- Scanning Interval: Keep default setting
- Scanning Duration: Keep default setting
  • Higher scanning interval or lower scanning duration means intrusions are less likely to be detected but client performance will be better.
  • Lower scanning interval or higher scanning duration means intrusions are more likely to be detected but client performance will be lower.
- Voice and Video Awareness: Enabled

Per Band Info
- Short Guard Interval: Enabled. If the RF environment is not good and clients are crowded, it should be disabled.
- Channel & Power: Auto Mode. It is recommended to use auto channel & power instead of static settings. In R3.0, the Heatmap shows a different view if the power is changed in the RF Profile, but the channel setting is not reflected in the heatmap.
- Channel Width: Keep default settings. Narrow width for dense AP deployment, large width for sparse AP deployment.
Stellar OmniAccess Wlan
Lab: Configure the RF Profile

How to
✓ How to modify the RF Profile assigned to the Stellar AP

Implementation

1 Client SNR Threshold

1.1. Client SNR Threshold

The Client SNR Threshold is part of the RF Profile and will deny new client connections to the AP if the signal
strength of the client received by the Stellar AP is greater than the threshold.

In this example a client is connected to an SSID (e.g. Employee0) and the RSSI (Received Signal Strength
Indication) is observed.
An RSSI threshold will then be set with a higher value, thus preventing any new connection attempt from the
client.

1.2. EmployeeX Monitoring

Connect the client to the SSID “EmployeeX”.


Use the username and password EmployeeX/password created in the Employee Account database.

Once the connection has been established, monitor the client “EmployeeX”

OV2500 -> WLAN -> Client -> Client List

Select the client “Employee0” and check the fields RSSI and Attached Band.

In this case, the client is using the 5GHz band and has the RSSI value 53.

Notes: Because of the short distance between the client and the Stellar AP in this environment, the
RSSI value is much higher than what you should get in a real deployment.

1.3. Modify RF Profile

The RSSI Threshold is included in the RF Profile.


OV2500 -> WLAN -> RF -> RF Profile

Select the RF profile “defaultProfile” and click on Edit.


In the Smart Load Balance section, increase the Association RSSI Threshold for the appropriate band.
In this example, the client was connected to the 5GHz band with a RSSI of 53.
Increase the Association RSSI Threshold to 75 for both the 5GHz and 2.4GHz band (otherwise, the client will try
the association on the 2.4GHz band if it is not working on the 5GHz band).

Notes: If one of the Stellar APs uses a different, specific RF Profile, the RSSI Threshold change
won't affect that Stellar AP. The RF Profile attached to this AP must also be modified.

Click on Apply.
Notes: The RSSI measured in the client list view is not static and could vary. This is why the RSSI
Threshold has been increased by around 20.

1.4. Test the RSSI Threshold

On the client, reset the “EmployeeX” connection by clicking Disconnect and Connect.
As the RSSI of the client “EmployeeX” is now lower than the threshold set in the RF Profile, the client is unable
to connect to the SSID.
Even after a couple of minutes, the connection can’t be established.

OV2500 -> WLAN -> Client -> Client List

Although the username and password are correct, no clients are listed on this page, which means that the RSSI
threshold does not accept the client connection attempt.

OV2500 -> Administrator -> Audit -> UPAM -> upam

Notice that the authentication process is performed by the OV2500 server. The RSSI Threshold check is
performed after the authentication.
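The order of operations observed in this lab (UPAM authenticates first, the RSSI check comes afterwards and is applied per band, with the client falling back from 5GHz to 2.4GHz) as an added Python example. This is not OmniVista or Stellar AP code: the account database, the 2.4GHz RSSI value and the audit line format are constructed for the example; the 5GHz RSSI of 53 and the threshold of 75 are the lab values.

```python
"""Association RSSI Threshold check as seen in the lab (added example, not
OmniVista/Stellar code). UPAM authenticates the client first, so the UPAM
audit page records an Access-Accept even when the AP then refuses the
association because the client's RSSI is below the band's threshold.
A threshold of 0 (the default) disables the check for that band."""

# Constructed Employee Account database (username -> password)
ACCOUNTS = {"Employee0": "password"}


def upam_authenticate(user: str, password: str, audit: list) -> bool:
    """Decision taken by the OmniVista/UPAM server; the outcome is appended
    to `audit` the way the UPAM audit page lists it (constructed format)."""
    accepted = ACCOUNTS.get(user) == password
    audit.append(f"upam: {user} -> {'Access-Accept' if accepted else 'Access-Reject'}")
    return accepted


def rssi_allowed(rssi: int, threshold: int) -> bool:
    """Association RSSI Threshold check for one band (0 = check disabled)."""
    return threshold == 0 or rssi >= threshold


def try_association(user: str, password: str, rssi_by_band: dict,
                    threshold_by_band: dict, audit: list,
                    band_order=("5GHz", "2.4GHz")):
    """Return the band the client ends up on, or None when every band refuses
    it. The client tries 5GHz first and falls back to 2.4GHz, which is why
    the lab raises the threshold on both bands."""
    if not upam_authenticate(user, password, audit):
        return None                      # never reaches the RSSI check
    for band in band_order:
        if rssi_allowed(rssi_by_band[band], threshold_by_band[band]):
            return band
    return None                          # authenticated, but refused on every band


def lab_scenarios() -> dict:
    """Run the three situations of the lab; return (band, last audit line) per case."""
    rssi = {"5GHz": 53, "2.4GHz": 60}    # 5GHz value from the lab, 2.4GHz constructed
    cases = {
        "default thresholds": {"5GHz": 0, "2.4GHz": 0},
        "5GHz only raised": {"5GHz": 75, "2.4GHz": 0},
        "both bands raised": {"5GHz": 75, "2.4GHz": 75},
    }
    results = {}
    for name, thresholds in cases.items():
        audit = []
        band = try_association("Employee0", "password", rssi, thresholds, audit)
        results[name] = (band, audit[-1])
    return results
```

The "both bands raised" case is the one the lab ends with: the audit still shows an Access-Accept, and the client list stays empty because the refusal happens on the AP after authentication.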

Notes: Tests using the Band Steering or Dynamic Load Balance parameters can be performed in an
environment with a higher client density.

1.5. Initialize the RF Profile

Once the test has been done, set the RSSI Threshold back to its initial value “0” for both the 2.4GHz and 5GHz bands.
Otherwise, the client can no longer connect to the “EmployeeX” SSID.

2 Test

1. Can you assign individual RF Profiles to APs in the same AP Group?

2. What will happen if the RSSI value measured on the AP is higher than the RSSI
Threshold on the OV2500 server?

3. If the client signal is too weak, is the authentication process not performed?
OmniAccess Stellar Wireless Lan
Layer 2 Mobility and Roaming
Lesson summary
• Understand the Layer 2 Roaming.
• Configure the Fast Roaming
Overview
WiFi Enterprise only
• In WiFi Express, roaming is limited to L2 only, within the same cluster

[Figure: Fast Roaming, L2 Roaming and L3 Roaming between adjacent APs]

Roaming relies on client context sharing between over-the-air adjacent APs
L2 or L3 Roaming selection based on the client VLAN between the "home" and "foreign" AP
L3 Roaming based on an L2 GRE tunnel between the "home" and "foreign" AP
Configuration
L2 Roaming always enabled
L3 Roaming disabled by default
• L3 Roaming configured on the WLAN service
Fast Roaming disabled by default
• Fast Roaming configured on the WLAN Service
• OKC only for Enterprise and WPA2
• 802.11r only for WPA2 (both Personal and Enterprise)
Client Context Sharing
AP Discovery Protocol
• Each AP learns about its "over-the-air" adjacent APs and their IP addresses
• No dependency on AP Groups and Management VLAN
• Limited to APs managed by the same OmniVista
Client context shared with adjacent APs
• Over the LAN infrastructure
• IP based protocol
• Add/Del Message
  - On client association, the AP sends an Add message to all adjacent APs
  - On client dis-association, the AP sends a Del message to all adjacent APs
Upon roaming, client context removal mechanism
• Del message triggered on the "old" AP upon Add message from the "new" AP
Client Context Sharing

[Figure: OmniVista, edge switch and Stellar APs; over-the-air AP discovery between the APs, over-the-LAN client context sharing, the client context replicated on each AP]

Client Context Sharing

[Figure: five Stellar APs (AP-1 to AP-5) managed by the same OV2500, each holding the shared client context (SSID & WLAN service "Classroom", MAC Address, IP Address, currently assigned Unified Access). AP boxes as drawn:
- AP-Group Building, Management VLAN 100: WLAN Service 1 SSID "Lab" VLAN 10; WLAN Service 2 SSID "Classroom" VLAN 20
- AP-Group Campus, Management VLAN 400: WLAN Service 4 SSID "Lab" VLAN 11; WLAN Service 3 SSID "Classroom" VLAN 21
- AP-Group Campus, Management VLAN 100: WLAN Service 4 SSID "Lab" VLAN 11; WLAN Service 3 SSID "Classroom" VLAN 21
- AP-Group Library, Management VLAN 400: WLAN Service 1 SSID "Lab" VLAN 12; WLAN Service 2 SSID "Classroom"
- AP-Group Building, Management VLAN 300: WLAN Service 1 SSID "Lab" VLAN 10; WLAN Service 2 SSID "Classroom" VLAN 20]

Client Context
Client Context Content
Client network content
• SSID & WLAN service
• MAC Address
• IP Address
• Currently assigned Unified Access
  - VLAN ID
  - Access Role Profile
  - Policy List
  - Redirect-URL
  - Captive Portal status
AP context
• MAC Address
• IP Address
• OV IP Address
Fast Roaming
• PMKSA cache
• FT PMK R0/R1 cache

On the receiving AP, the Add/Del message is discarded when
• the AP is not managed by the same OV
• the AP does not have the WLAN service
Roaming conditions

Client Context exists   WLAN service and Access Role   Client Context VLAN ID =      Roaming Result
on the new AP?          Profile of the Client Context  VLAN ID mapped to the
                        exist on the new AP?           Access Role Profile on
                                                       the new AP?
No                      -                              -                             No Roaming, new client
Yes                     No                             -                             No Roaming, new client
Yes                     Yes                            Yes                           L2 Roaming
Yes                     Yes                            No                            L3 Roaming

Layer 2 or Layer 3 selection is based on the management VLAN between the "home" and "foreign" AP.
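The Add/Del discard rules and the roaming table above, applied to the APs of the client context sharing diagram, as an added Python example (not OmniVista or Stellar AP code). It assumes all five APs see each other over the air, names the AP boxes AP-1 to AP-5 in the order they are drawn, and leaves out the Classroom service of the Library AP because its VLAN is not given on the page; client MACs and IP addresses are constructed. The Del handling on an L2 roam is a simplification of the mechanism described above: the old AP drops its stale copy and receives a fresh Add from the new home AP.

```python
"""Client context sharing and L2/L3 roaming selection (added example)."""
from dataclasses import dataclass, field, replace


@dataclass
class AccessPoint:
    name: str
    ov: str                                            # managing OmniVista
    ap_group: str
    services: dict                                     # SSID -> VLAN ID mapped to its Access Role Profile
    neighbors: list = field(default_factory=list)      # over-the-air adjacent APs (AP discovery)
    client_cache: dict = field(default_factory=dict)   # client MAC -> ClientContext


@dataclass
class ClientContext:
    mac: str
    ip: str
    ssid: str            # SSID & WLAN service
    vlan_id: int         # currently assigned Unified Access VLAN
    home_ap: str


def send_add(sender: AccessPoint, ctx: ClientContext, aps: dict) -> list:
    """Add message to every adjacent AP; return the names that kept it."""
    kept = []
    for name in sender.neighbors:
        peer = aps[name]
        if peer.ov != sender.ov or ctx.ssid not in peer.services:
            continue                            # discarded on the receiving AP
        peer.client_cache[ctx.mac] = replace(ctx)   # each AP keeps its own copy
        kept.append(name)
    return kept


def on_associate(ap: AccessPoint, ctx: ClientContext, aps: dict) -> list:
    """First association: the AP becomes the home AP and announces the client."""
    ctx.home_ap = ap.name
    ap.client_cache[ctx.mac] = ctx
    return send_add(ap, ctx, aps)


def roaming_result(new_ap: AccessPoint, mac: str) -> str:
    """The three conditions of the roaming table, evaluated on the new AP."""
    ctx = new_ap.client_cache.get(mac)
    if ctx is None:
        return "No Roaming, new client"         # no client context on the new AP
    if ctx.ssid not in new_ap.services:
        return "No Roaming, new client"         # WLAN service / ARP missing
    if new_ap.services[ctx.ssid] == ctx.vlan_id:
        return "L2 Roaming"                     # same VLAN: client served locally
    return "L3 Roaming"                         # different VLAN: GRE tunnel to the home AP


def on_roam(new_ap: AccessPoint, mac: str, aps: dict) -> str:
    """Client re-associates on new_ap. On L2 Roaming the new AP becomes the
    home AP: the old AP drops its stale copy (Del) and everybody receives a
    fresh Add. On L3 Roaming the home AP keeps the context (it terminates
    the tunnel), so nothing changes (simplification of the page's mechanism)."""
    result = roaming_result(new_ap, mac)
    if result == "L2 Roaming":
        ctx = new_ap.client_cache[mac]
        aps[ctx.home_ap].client_cache.pop(mac, None)   # Del on the old AP
        ctx.home_ap = new_ap.name
        send_add(new_ap, ctx, aps)                     # re-announce from the new home AP
    return result


def build_topology() -> dict:
    """Constructed from the diagram: AP name -> AccessPoint, all mutually adjacent."""
    spec = {
        "AP-1": ("Building", {"Lab": 10, "Classroom": 20}),
        "AP-2": ("Campus",   {"Lab": 11, "Classroom": 21}),
        "AP-3": ("Campus",   {"Lab": 11, "Classroom": 21}),
        "AP-4": ("Library",  {"Lab": 12}),                 # Classroom VLAN not given on the page
        "AP-5": ("Building", {"Lab": 10, "Classroom": 20}),
    }
    aps = {n: AccessPoint(n, "OV2500", g, s) for n, (g, s) in spec.items()}
    for ap in aps.values():
        ap.neighbors = [n for n in aps if n != ap.name]
    return aps
```

A client on "Lab" at AP-1 (VLAN 10) gets L2 Roaming on AP-5 (same VLAN 10), L3 Roaming on AP-2 (VLAN 11) and, because the Library AP has no "Classroom" service, a "Classroom" client is a new client there; an AP managed by another OmniVista never receives the context at all.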
FAST Roaming
Improve handoff times during roaming
• Remove the RADIUS authentication
• Optimize the authentication handshake
• Requires key caching
Supports OKC (802.11k) and 802.11r
Configurable on the WLAN Service
• OKC only for Enterprise and WPA2
• 802.11r only for WPA2 (both Personal and Enterprise)
If Fast Roaming is not enabled, standard Roaming applies
FAST Roaming
OKC / 802.11k
• PMK (Pairwise Master Key) caching
• The client can provide the PMKID in the association request (802.11k)
• If 802.11k is not supported by the client, the AP uses the cached PMK
• Re-authentication reduced to the 4-way handshake establishing the transient keys PTK/GTK (Pairwise/Group Transient Key)
• The PMK is always stored in the client context, even when OKC is disabled
802.11r / Fast BSS Transition (FT)
• The initial handshake for PTK/GTK with the new AP is done before the client roams to the target AP
• New capability in the 802.11 authentication request
• FT protocol modes
  - Over-the-Air FT Roaming
  - Over-the-DS (Distribution System) FT Roaming
• Eliminates much of the handshaking overhead while roaming, thus reducing the handoff times
• FT PMK R0/R1 only cached when 802.11r is enabled
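How the PMKSA cache turns a roam into a 4-way handshake only, as an added Python example that is not Stellar AP code. It derives the PMKID the way IEEE 802.11 defines it for the WPA2 SHA-1 AKMs (HMAC-SHA1-128 over "PMK Name", the AP BSSID and the client MAC) and plays through a first association, a roam to an AP that received the client context, a roam by a client that sends no PMKID, and a roam to an AP that holds no context. The PMK, BSSIDs and client MAC are constructed; the PTK/GTK handshake itself is not implemented.

```python
"""PMKSA caching behind Fast Roaming / OKC (added example, not Stellar code).
PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), AA = AP BSSID, SPA = client MAC.
With OKC the same PMK is reused on every AP; each AP derives its own PMKID."""
import hashlib
import hmac
from typing import Optional


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def pmkid(pmk: bytes, bssid: str, client_mac: str) -> bytes:
    """PMKID for one (AP, client) pair; a different BSSID gives a different PMKID."""
    data = b"PMK Name" + mac_bytes(bssid) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class StellarApPmksa:
    """PMKSA cache of one AP. Entries come from a local 802.1X authentication
    or from the client context shared by an adjacent AP."""

    def __init__(self, bssid: str):
        self.bssid = bssid
        self.by_pmkid = {}      # PMKID -> (client MAC, PMK)
        self.by_client = {}     # client MAC -> PMK (used when the client sends no PMKID)

    def cache(self, client_mac: str, pmk: bytes) -> bytes:
        pid = pmkid(pmk, self.bssid, client_mac)
        self.by_pmkid[pid] = (client_mac, pmk)
        self.by_client[client_mac] = pmk
        return pid

    def share_context(self, other: "StellarApPmksa", client_mac: str) -> None:
        """Client context sharing: hand the PMK to an adjacent AP, which
        derives its own PMKID from its own BSSID."""
        other.cache(client_mac, self.by_client[client_mac])

    def associate(self, client_mac: str, client_pmkid: Optional[bytes] = None):
        """Return ('4-way handshake', PMK) when a PMKSA is found, otherwise
        ('full 802.1X', None), i.e. a complete RADIUS authentication."""
        if client_pmkid is not None:
            entry = self.by_pmkid.get(client_pmkid)
            if entry and entry[0] == client_mac:
                return "4-way handshake", entry[1]
            return "full 802.1X", None          # unknown PMKID: no silent fallback
        pmk = self.by_client.get(client_mac)
        if pmk is not None:
            return "4-way handshake", pmk       # AP uses the cached PMK
        return "full 802.1X", None


def okc_roam_demo() -> dict:
    """Constructed scenario: home AP, an adjacent AP with the shared context,
    and an AP that never received it."""
    client = "02:00:00:00:00:01"
    pmk = hashlib.sha256(b"constructed PMK, normally from the EAP exchange").digest()
    home = StellarApPmksa("02:aa:bb:cc:dd:01")
    neighbor = StellarApPmksa("02:aa:bb:cc:dd:02")
    isolated = StellarApPmksa("02:aa:bb:cc:dd:03")
    first = home.associate(client)                    # nothing cached yet
    home.cache(client, pmk)                           # after a successful 802.1X
    home.share_context(neighbor, client)              # Add message carries the PMKSA
    roam = neighbor.associate(client, pmkid(pmk, neighbor.bssid, client))
    roam_no_pmkid = neighbor.associate(client)        # client without 802.11k support
    roam_isolated = isolated.associate(client, pmkid(pmk, isolated.bssid, client))
    return {"first": first[0], "roam": roam[0],
            "roam_no_pmkid": roam_no_pmkid[0], "isolated": roam_isolated[0]}
```

Only the AP that received the client context can answer the PMKID; an AP outside the over-the-air neighbourhood (or managed by another OmniVista) falls back to a full RADIUS authentication, which is the case the static "Neighbor AP" configuration in the guidelines below is meant to avoid.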
Sticky Client Avoidance
Goal: Optimize client distribution among APs
• In case of user roaming, force the client to disassociate from its current Access Point and associate it to the best Access Point, based on availability and RSSI.
Roaming RSSI: threshold guiding the client to roam
• Located in the RF Profile
802.11v (BSS Transition Management): obtain the roaming target APs
802.11k: guide the client to roam to the best connection AP
L2 Roaming
L2 Client Roaming



Guidelines
Identify the Roaming mode
• Check the roaming conditions
• Based on the VLAN ID between the "home" and "foreign" AP, select either:
  - Layer 2 Roaming
  - Layer 3 Roaming
• Check the security level of the SSID (WPA/WPA2, Enterprise/Personal)
  - With WPA2 Enterprise only, OKC can be activated
  - With WPA2 only, 802.11r (Fast Roaming) can be activated (recommended)
Check the Radio coverage
Use the Heat Map application to check the radio coverage
• Select the 2.4GHz and 5GHz in the filters as they don't have exactly the same radio coverage

[Figure: two heat maps; no radio overlap (KO): no Roaming; radio overlap (OK): Roaming available]

Neighbor AP
• In some cases, the Stellar APs are geographical neighbors but can't see each other through the air (i.e. a corridor with right angles, ...). The client context can't be shared: no roaming.
• Solution: on both APs, statically add the neighbor Stellar AP from the list of known APs. The client context can then be shared through the LAN and the client can roam.
  - Select the AP in the AP Registration > Access Point view and click on the hyperlink "Neighbor AP"
  - Click on the Edit button and select the neighbor AP from the list
  - Repeat the process for the second AP
Sticky client avoidance
The roaming decision is made by the client device.
• But some devices will stick to the AP they were previously associated to.
Use the Roaming RSSI Threshold in the RF Profile.
• Use in conjunction with 802.11k and 802.11v
• Value range is 0-100
• Recommended value for 2.4GHz: RSSI = 10
• Recommended value for 5GHz: RSSI = 15
The Roaming RSSI Threshold controls the signal strength a client needs to see before searching for another site.
• If the RSSI threshold is too low, the client remains on a low signal strength site, even with a stronger site nearby.
• If the RSSI threshold is too high, the client roams too much, which could result in packet loss.
Miscellaneous
Background scanning
• When a user roams, his real-time traffic can be interrupted if the new AP he is connected to is using background scanning.
• No impact on the voice traffic: the AP is voice aware and will deactivate the background scanning when a voice call is detected.
• Other real-time traffic can be impacted.
Solution:
• Deactivate the background scanning on the Stellar APs
• Install new Stellar APs in the network, acting as dedicated scanning APs
Please note that this solution requires additional Stellar APs in the network
OmniAccess Stellar Wireless Lan
Layer 3 Mobility and Roaming
Lesson Summary
• Understand and configure the Layer 3
Roaming
L3 Roaming
L3 Client Roaming
L3 Roaming - Home AP & limitations
An L2 GRE tunnel is established between the Foreign AP and the Home AP at an early stage of roaming
All network enforcement is done in the Home AP
• The Foreign AP transparently tunnels the client data to the Home AP
• The Home AP terminates the tunnel and processes the client data locally
• Incoming traffic is received & processed by the Home AP, then tunneled to the Foreign AP
One L2 GRE tunnel per SSID
Any number of roaming clients can use the tunnel

                          Limit   Comment
Client Cache per AP       1K      -
L2 GRE tunnel per AP      16      -
Client Cache Removal      -       During Roaming
L2 GRE tunnel Removal     -       On last client disconnection
OmniAccess Stellar Wireless Lan
WIPS
Lesson Summary
• Classify an AP as Interfering, Rogue or Friendly
• Configure the WIPS
WIPS
WIPS Overview
Stellar APs monitor the radio spectrum for the presence of unauthorized
• APs
• Users
Automatically take countermeasures
Global configuration applied to all APs managed by OV
Requires APs with scanning activated
WIPS – Interfering / Rogue / Friendly AP
Interfering AP
• The "scanning" Stellar AP discovers any other AP over the air
• Such APs are marked as Interfering
• APs managed by the same OV are excluded
Rogue AP
• An Interfering AP is marked as Rogue based on the configured Rogue AP Policy
• APs managed by the same OV are excluded
• Rogue AP Containment – enabled by default
  - The scanning Stellar AP sends de-auth requests to all clients associated to the rogue AP
Friendly AP
• A Friendly AP is not reported as Interfering or Rogue
• An Interfering or Rogue AP can be set as Friendly AP manually
• Friendly AP OUIs can be set – the ALE OUI is set by default
• Friendly APs can be added
WIPS – Rogue AP Policy
• Signal Strength Threshold: the detected AP signal in dBm is too strong, above the threshold. Default: -70 dBm; range -95 to -50 dBm.
• Detect Valid SSID: the detected AP is advertising an SSID that is configured in OmniVista and set in your WLAN network (an AP not managed by OV is advertising an SSID set in OV).
• Detect Rogue SSID Keyword: the detected AP is advertising an SSID name that matches a string set in this policy (SSID blacklist).
• Rogue OUI: the detected AP has an OUI that matches one of the OUIs set in this policy.
If an Interfering AP matches one of these policies, it is classified as Rogue.
WIPS – Wireless Attack Detection
Enabled by default
AP Attack Detection Policy
• The scanning Stellar AP detects a wireless attack that seems to originate from an AP
Client Attack Detection Policy
• The scanning Stellar AP detects a wireless attack that seems to originate from a client
Set the detection level to:
• Custom
• High
• Medium
• Low
WIPS – Wireless Attack Containment
Containment & Client Blacklist Policy
• Disabled by default
• Puts the attacker source MAC in the client blacklist
• This MAC is not allowed to associate anymore on any of the Stellar APs
• A blacklist duration is also configurable
• Limitations
  - The attacker source MAC can be anything (an AP MAC, a BSSID MAC, a wireless NIC card MAC...)
  - Blacklisting the attacker source MAC is only relevant when the source MAC is an actual wireless client
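The Rogue AP Policy and the Containment & Client Blacklist Policy applied to a constructed set of scan records, as an added Python example (not Stellar or OmniVista code). The policy default (-70 dBm) is the one stated above; the scan records, the rogue OUI, the SSID keyword and the friendly OUI are constructed placeholders, the last one standing in for the ALE OUI that is set by default but not given on the page. APs managed by the same OmniVista are reported with the label "Managed (excluded)" here so that the exclusion is visible in the result.

```python
"""Rogue AP classification and client blacklist (added example, not Stellar code)."""
from dataclasses import dataclass, field


@dataclass
class DetectedAP:
    bssid: str
    ssid: str
    rssi_dbm: int
    managed_by_same_ov: bool = False


@dataclass
class RogueApPolicy:
    signal_threshold_dbm: int = -70                        # default on the page; range -95..-50
    valid_ssids: set = field(default_factory=set)          # SSIDs configured in OmniVista
    rogue_ssid_keywords: set = field(default_factory=set)  # SSID blacklist
    rogue_ouis: set = field(default_factory=set)


def oui(mac: str) -> str:
    """First three octets of a MAC, lower-case, e.g. '02:ee:ff'."""
    return mac.lower()[:8]


def rogue_reasons(ap: DetectedAP, policy: RogueApPolicy) -> list:
    """Names of the Rogue AP Policy rules the detected AP matches."""
    reasons = []
    if ap.rssi_dbm > policy.signal_threshold_dbm:
        reasons.append("Signal Strength Threshold")
    if ap.ssid in policy.valid_ssids:
        reasons.append("Detect Valid SSID")
    if any(k.lower() in ap.ssid.lower() for k in policy.rogue_ssid_keywords):
        reasons.append("Detect Rogue SSID Keyword")
    if oui(ap.bssid) in policy.rogue_ouis:
        reasons.append("Rogue OUI")
    return reasons


def classify(ap: DetectedAP, policy: RogueApPolicy,
             friendly_bssids: set, friendly_ouis: set) -> tuple:
    """Return (label, matched policies): Managed (excluded) / Friendly /
    Interfering / Rogue."""
    if ap.managed_by_same_ov:
        return "Managed (excluded)", []
    if ap.bssid.lower() in friendly_bssids or oui(ap.bssid) in friendly_ouis:
        return "Friendly", []
    reasons = rogue_reasons(ap, policy)
    return ("Rogue", reasons) if reasons else ("Interfering", [])


class ClientBlacklist:
    """Containment & Client Blacklist Policy: the attacker source MAC is
    refused on every Stellar AP until the configured duration expires."""

    def __init__(self, duration_s: int):
        self.duration_s = duration_s
        self.expiry = {}                       # MAC -> expiry time (seconds)

    def add(self, mac: str, now: int) -> None:
        self.expiry[mac.lower()] = now + self.duration_s

    def is_blocked(self, mac: str, now: int) -> bool:
        until = self.expiry.get(mac.lower())
        if until is None:
            return False
        if now >= until:
            del self.expiry[mac.lower()]       # entry aged out
            return False
        return True


def classify_scan() -> dict:
    """Constructed scan: BSSID -> (label, matched policies)."""
    policy = RogueApPolicy(valid_ssids={"Employee0"},
                           rogue_ssid_keywords={"free"},
                           rogue_ouis={"02:12:34"})              # constructed rogue OUI
    friendly_ouis = {"02:ee:ff"}                                 # placeholder for the default ALE OUI
    scan = [
        DetectedAP("02:aa:bb:00:00:01", "Employee0", -80, managed_by_same_ov=True),
        DetectedAP("02:aa:bb:00:00:02", "Employee0", -85),       # our SSID on a foreign AP
        DetectedAP("02:cc:dd:00:00:03", "CoffeeShop", -60),      # stronger than -70 dBm
        DetectedAP("02:cc:dd:00:00:04", "CoffeeShop", -82),
        DetectedAP("02:cc:dd:00:00:05", "Free-WiFi", -90),
        DetectedAP("02:ee:ff:00:00:06", "Printer", -88),
        DetectedAP("02:12:34:00:00:07", "Guest", -86),
    ]
    return {ap.bssid: classify(ap, policy, set(), friendly_ouis) for ap in scan}
```

The matched policy names are kept with the verdict because that is what an operator needs to review before marking an AP Friendly, and the blacklist returns the MAC to normal service on its own once the duration has elapsed.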
OmniAccess Stellar Wireless Lan
Heat Map & Floor Plan
Lesson Summary
Heat Map & Floor Plan
At the end of this module, you will be able to:
• Create and visualize the Heat Map of the deployed AP
• Create a Floor Plan and visualize the automatic
deployment of APs
Heat Map and Floor Plan
Wireless Monitoring Applications
Heat Map
• Visual heat map of the deployed APs
Floor Plan
• Visual heat map of the estimated APs before deployment
Heat Map – Use Case
Insufficient radio coverage
• Identify the network weaknesses and fix them (move/add APs)

[Figure: heat map with a radio coverage hole; add a new AP1221]

Floor Plan – Use case
AP deployment planning (e.g. warehouse)
• Creation of custom obstacles (shelves with 18 dBm signal decline – assume the worst case)
• Manual (or automatic) deployment on the plan

[Figure: floor plan with a custom obstacle and a manual AP deployment]
Stellar OmniAccess Wlan
Lab: Heat Map and Floor Plan

How to
✓ How to create a Heat Map and Floor Plan

Contents
1 Heat Map ....................................................................................... 2
1.1. Heat Map ................................................................................................ 2
1.2. Profile Creation ........................................................................................ 2
1.3. Plan Configuration ..................................................................................... 3
1.4. Heat Map Monitoring .................................................................................. 5
2 Floor Plan ...................................................................................... 6
2.1. Floor Plan ............................................................................................... 6
2.2. Profile Creation ........................................................................................ 6
2.3. Plan Configuration ..................................................................................... 6
2.4. Floor Plan Monitoring ................................................................................. 7
3 Test ............................................................................................. 8

1 Heat Map

1.1. Heat Map

The Heat Map function displays the current signal intensity distribution of the deployed APs, using different
colors to show the signal coverage.
The Heat Map feature lets the administrator create a Campus, a Building and a Floor map, set up obstacles
on the map and place APs on the Floor in order to observe the wireless signal coverage.

In this lab, the Stellar APs will be placed on a custom map.

1.2. Profile Creation

OV2500 -> WLAN -> HeatMap

The Heat Map always respects the following structure:

Campus
  Building
    Floor Map

Create first a Campus by clicking on Add “+” and give the campus name “MyCampus”.
Then double-click on the “MyCampus” icon in order to create a new building.

Create then a new Building by clicking on Add “+” and give the Building Name “Building A”.
Then double-click on the “Building A” icon in order to add a new floor.

Finally, create a Floor for this building by clicking on Add “+”, give the Floor Name “1st Floor” and the Floor
Number “1”.
A Floor Plan must also be assigned to the Floor. Click on “Select File” and select in C:/Resources the Floor Plan
“Office-plan”.

Click on OK to create the Floor and double-click then on the 1st Floor icon to access the plan.

1.3. Plan Configuration

From this point, three main actions are required to visualize the wireless signal: scaling the plan, laying down
obstacle and placing the APs.

In order to scale the plan, click on Edit Floor Map in the Operation section and then on Scale the Map.
Trace a line on the map and enter a distance for this segment. In the example below, the red line is 5 meters
long.

Notes: The scale is here increased because in reality, the APs are very close to each other and the
plan used does not match the actual one. By increasing the scale, the end result is much better. In
practice, use the actual scale.

The next step is to lay down the obstacles on the map. Click on the button “Draw:WallsHeavy” to start drawing
the obstacles on the map. Pre-defined obstacles can be selected by clicking on the button, each one
with a different absorption coefficient (dB). “WallsHeavy” – or concrete wall – will absorb more signal power
than a regular Glass obstacle.

Notes: New obstacles can be created with the Custom Obstacle link. Name, Signal decline (in dB),
Color and line width are configurable.

Select the obstacles and place them on the map.


Try to alternate the materials in order to have a realistic Floor plan.

The last step is to place the Stellar APs on the Floor. Click on the link “Adding AP to the Floor”, select the two
APs from the list and click on OK.

The two APs are now located on the top left corner of the map and are identified by their Management IP
address. Drag and Drop the APs and place them on the map.
As this is not the real deployment map, place the APs where they should be best located.
Click on “Stop” in the Edit Floor Map section and click on “Yes” when you are asked to Save the layout.

1.4. Heat Map Monitoring

Once the Layout has been saved, the Heat Map Application will display the signal power on the map based on the
actual signal power transmitted by the APs.
Observe the Heat Map as well as the absorption of the different materials.

Go back to Edit Floor Map and place the APs in different places in order to cover the cold areas.

Changing the APs on the map will simulate the new WiFi coverage based on the real band and power of emission
of the APs.

2 Floor Plan

2.1. Floor Plan

The main functions of the Floor Plan are to import the floor map, mark the relevant obstacles, compute the
placement of the APs with a placement algorithm and automatically generate the AP plan.
With Floor Plan, the admin can import a map into a floor plan, scale it and perform the AP Auto Deployment.

2.2. Profile Creation

OV2500 -> WLAN -> Floor Plan -> + (Create icon)

Give the name “My Floor Plan” for the Floor Plan Name, select the map “Office-plan.jpg” in C:/Resources and
click on Create.

2.3. Plan Configuration

From this point, three main actions are required to visualize the wireless signal: scaling the plan, laying down
obstacle and Auto Deploy the APs.

In order to scale the plan, Click on Edit Floor Plan in the Operation section and then on Scale the Map.

Notes: The scale is here increased because in reality, the APs are very close to each other and the
plan used does not match the actual one. By increasing the scale, the end result is much better. In
practice, use the actual scale.

The next step is to lay down the obstacles on the map. Click on the button “Draw:WallsHeavy” to start drawing
the obstacles on the map. Pre-defined obstacles can be selected by clicking on the button, each one
with a different absorption coefficient (dB). “WallsHeavy” – or concrete wall – will absorb more signal power
than a regular Glass obstacle.

Notes: New obstacles can be created with the Obstacle Manage link. Name, Signal decline (in dB),
Color and line width are configurable.

Select the obstacles and place them on the map.


Try to alternate the materials in order to have a realistic Floor plan.

The last step is to deploy automatically the Stellar APs on the plan. Click on Auto Deployment.
In the new window, the deployment quality can be chosen between General, Good and Excellent.
Select the Excellent quality as the Floor Plan application will deploy more APs to cover all the cold areas.
Select the AP Model OAW-AP1231, based on the environment (office). Keep the default Tx Power.

Click on OK.

2.4. Floor Plan Monitoring

The Floor Plan application calculates and places the APs required to cover the plan.

The result will vary based on the following parameters:


- Scale of the map
- Number and type of obstacles placed
- AP Model
- Quality (General, Good, Excellent)

Change some of these parameters and click on Save the Layout.

In this example, the scale has been reduced, the quality lowered to “General” and the AP model changed to
AP1101:

Notes: In Edit Floor Plan, APs can be added manually on the map to fill the cold areas. After clicking
on “Save The Layout”, the Floor Plan application will process and display the WiFi coverage based
on all the APs located on the map.

3 Test

1. Which application (Heat Map or Floor Plan) simulates the signal coverage?

2. In the Heat Map application, once an AP has been assigned to a Floor, can it be
used in another Floor?
OmniAccess Stellar Wireless Lan
Operation and Maintenance
Lesson Summary
Operation and Maintenance
At the end of this module, you will be able to:
• Monitor the clients, APs, guest and BYOD devices
• Maintain the AP and upgrade its firmware
Monitoring
Monitoring - Clients
Wireless Clients Monitoring
Monitoring – Client Behavior Tracking
Administrator tool for effective monitoring & troubleshooting of clients
Parameters tracked
• View user ONLINE/OFFLINE status
• View TCP/UDP flow context
• View HTTP(S) domain flow context
ONLINE/OFFLINE LOG
Monitoring – Client Behavior Tracking How To
• In Unified Access > Unified Profile > Template > Access Role Profile
  - Enable/Disable "Client Session Logging" per Access Role Profile
  - Choose "HTTP/HTTPS": the AP will log client HTTP/HTTPS connections. Choose "ALL": the AP will log all client TCP/UDP connections, including HTTP/HTTPS connections
OR
• In Network > AP Registration > AP Group
  - Control per AP Group > Client Behavior Tracking – Upload to Server
  - Configure the TFTP or SFTP server: IP & server port, optional Remote Path, "Username/Password"
  - Choose the Cycle time and Save, or Upload Now
Monitoring - APs
APs Monitoring
Monitoring – Guest and BYOD Devices
Monitoring – Summary
Maintenance
Maintenance – Topology Map
In Network > Topology
• Edit Device
  - AP name
  - Group Name
  - RF Profile
• Reboot
• Save to Running
• Backup Device
• View AP Logs
Maintenance – Resource Manager
Backup / Restore
• Backup
  - Full
  - Config
  - Image
• Restore
Maintenance – Resource Manager
In Configuration > Resource Manager > Upgrade Image
• Import AOS or Stellar AP Firmware (zip format)
• Install Firmware on OmniSwitch or Stellar AP
Maintenance – Web Interface
Activate the AP Web option in the AP Group
Connect to https://AP_IP_Address
• Light version
• AP Maintenance
• Mesh configuration
Stellar OmniAccess Wlan
Lab: Operation and Maintenance

How to
✓ How to Monitor the clients and APs and maintain the Stellar APs

Contents
1 Monitoring Tools ............................................................................... 2
1.1. Clients Monitoring ..................................................................................... 2
1.2. Authentication Record ................................................................................ 3
1.3. Captive Portal Access Record ........................................................................ 3
1.4. Summary Pages ......................................................................................... 4
1.5. AP Monitoring ........................................................................................... 5
1.6. Audit ..................................................................................................... 6
2 Maintenance Tools ............................................................................ 7
2.1. AP Maintenance ........................................................................................ 7
2.2. Backup and Restore Device .......................................................................... 7
2.3. Upgrade image ......................................................................................... 8
3 Reset the Pod .................................................................................. 9
4 Test ............................................................................................. 9

1 Monitoring Tools

1.1. Clients Monitoring

Make sure that the client is connected to one of the SSIDs broadcasted by the Stellar AP.
If not, connect the client to the SSID GuestX and use the guest account GuestX / password.

OV2500 -> WLAN -> Client-> Client List

In the List, select the client you have connected.

Answer the following questions:


Name of User : _________________
Client IP address: __________________
SSID: _____________________
Radio Channel: ______
Band: ______
Throughput: ___________
AP name: ___________

1.2. Authentication Record

The clients' authentication records are stored and contain all the related information such as account name,
authentication result, time and date, etc.

OV2500 -> UPAM -> Authentication-> Authentication Record

Select the latest entry from the list, which is the GuestX entry.
Answer the following questions:
Account Name : _________________
Authentication Type: __________________
Auth Resource: _____________________
Authentication Result: ______
Session Start: ______
Throughput: ___________
AP name: ___________

1.3. Captive Portal Access Record

BYOD and Guest Access use Captive Portal as authentication method. Records of these authentications are
stored in the following page

OV2500 -> UPAM -> Authentication-> Captive Portal Access Record

Select the latest Captive Portal Authentication from the list.

Answer the following questions:


Account Name : _________________
SSID: __________________
Auth Result: ______
Portal Type: ______
Portal Page: ___________
Browser Type: ___________
Device OS: ___________
Device Category: ___________
Note that the browser type, device OS and category information are logged and can be reviewed in the Summary
pages.

1.4. Summary Pages

The Summary pages are located in:

OV2500 -> UPAM -> Authentication / Guest Access / BYOD Access -> Summary

The Summary Pages compile relevant parameters from the different authentication methods and are displayed
to the administrator through statistics and graphs.

How many Guest accounts are active on your system?

Which web browser did you use to join the Captive Portal?

Compare these answers with the details from the Guest Summary page.

1.5. AP Monitoring

Stellar APs can be monitored in:

OV2500 -> Network -> AP Registration -> Access Point

Select one of the two APs from the list.

Answer the following questions:


AP Name :_________________
Group Name: __________________
Client Count: ______
IP Address: ______
Status: ___________
AP Model: ___________
Country Code: ___________
RF Profile: ___________

Parameters about the AP can be found here: AP Model, AP Version, Last Registration Time, Country Code,
as well as parameters set during the configuration: Group Name, RF Profile.

Find to which AP the Guest client is connected: the AP with “Client Count : 1”.
Click on the number of client, this will open a new page, similar to the Client List page.

Can you see new relevant parameters from this Client View?

1.6. Audit

The Audit application monitors client and server activity:

OV2500 -> Administrator -> Audit

Select the UPAM category and select the UPAM logs.


You can find details about the authentication packets received by the OmniVista server.

Log out the GuestX client and log in again, but with a wrong username and password.
Refresh the UPAM logs page and analyze the authentication packets received by the server.
The reason for the “Access-Reject” message from the OmniVista server is also explained.

2 Maintenance Tools

2.1. AP Maintenance

Stellar APs can be maintained from the Topology view:

OV2500 -> Network -> Topology

Select one of the two APs from the topology. The available operations are listed in the new window.

In the Device section, click on Edit Device, rename it “AP1” and Apply.
The modification is applied on the OmniVista server.

In the Notifications section, click on View Traps.


In the new window, all the traps generated by the AP are listed. Expand one of the traps by clicking on it and look at the trap details.

2.2. Backup and Restore Device

In the Operations panel, click on Backup Devices.


The same operation can be performed through another menu:

OV2500 -> Configuration-> Resource Manager -> Backup/Restore



Click on Backup.
Back up the APs by selecting Backup By AP Groups and clicking on Next.

Click on Add, select the AP Group “APGX” and click on OK.

In the “Configuration” step, select Configuration Only for the Backup type and press Backup to complete the process.
Review the Result page and click on OK.

The configuration of the Stellar AP is now saved on the OmniVista server and can be applied to the Stellar AP at any time.

Notes: A backup is restored on the same AP. Information about the IP address, device type, version and date is contained in the backup file, so the backup cannot be applied to any AP.

2.3. Upgrade image

A new firmware version can be installed on a Stellar AP from the Resource Manager application:
OV2500 -> Configuration-> Resource Manager -> Upgrade Image

The first step is to import the newest firmware version on the OmniVista server by clicking on Import.
Choose the file from the directory and click on OK.

Select the new Firmware and click on Install.

Select the device to upgrade and make sure that the appropriate binary file for that model is contained in the firmware,
e.g. OAW-AP1101_3.0.0.50.bin for an OAW AP1101.
Finally, click on Install Software.
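Checking that an image matches the target model before clicking Install Software is the step most easily skipped; the following added helper (not OmniVista or ALE code) parses an image name of the form shown in the lab, OAW-AP1101_3.0.0.50.bin, and compares it with the AP model and running version. The file-name pattern is assumed from that single example.

```python
# Added pre-upgrade check, not OmniVista code: parse a Stellar image name such
# as OAW-AP1101_3.0.0.50.bin and confirm it fits the target AP model/version.
import re
from typing import NamedTuple, Optional, Tuple

# Pattern assumed from the one file name shown in the lab; other naming
# schemes are not covered here.
IMAGE_RE = re.compile(r"^(?P<model>OAW-AP\d{4})_(?P<version>\d+(?:\.\d+)+)\.bin$")

class Image(NamedTuple):
    model: str
    version: Tuple[int, ...]

def parse_version(text: str) -> Tuple[int, ...]:
    """'3.0.0.50' -> (3, 0, 0, 50), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def parse_image_name(filename: str) -> Optional[Image]:
    """Split an image file name into model and version; None if it does not match."""
    m = IMAGE_RE.match(filename)
    return Image(m["model"], parse_version(m["version"])) if m else None

def normalise_model(ap_model: str) -> str:
    """Accept 'OAW AP1101', 'oaw-ap1101' or 'AP1101' as the same model string."""
    model = ap_model.strip().upper().replace(" ", "-")
    return model if model.startswith("OAW-") else "OAW-" + model

def check_upgrade(filename: str, ap_model: str, running_version: str) -> str:
    """Verdict for installing `filename` on an AP of `ap_model` running `running_version`."""
    image = parse_image_name(filename)
    if image is None:
        return "reject: unrecognised image file name"
    target = normalise_model(ap_model)
    if image.model != target:
        return f"reject: image built for {image.model}, device is {target}"
    current = parse_version(running_version)
    if image.version == current:
        return "skip: device already runs this version"
    if image.version < current:
        return "warn: downgrade"
    return "ok: upgrade"
```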

3 Reset the Pod

Once all the labs have been performed, reset the devices of the POD in this order:
1) Reset the APs: on the Desktop, launch the shortcuts “AP-1101” and “AP-1221” to establish a console connection.
AP1101 & AP1221
Login: support
Password: Alcatel.0

This password was set during the first lab, while activating the SSH connection.
Once logged in, enter the command “ssudo firstboot”, which resets the configuration to factory default:
AP1101 & AP1221
support@AP-<MAC@>:~$ ssudo firstboot
This will erase all settings and remove any installed packages. Are you sure [N/y] y

Notes: The command “ssudo reboot” can be used while logged in as support.
This command is not used here because, after the AP reboots, it is still connected to the switch and the DHCP server will again provide an IP address and option 138.

2) Reset the OmniSwitches: On the Desktop, launch the script “reset_PODX”.


3) Shut down the OmniVista 2500 Virtual Machine in vCenter.

4 Test

1. In the Client List View, can the authentication method be found as one of the parameters?

2. Does the Audit application gather logs sent by the Stellar APs?

3. Can the backup of an AP1231 be restored on an AP1101?


OmniAccess Stellar Wireless Lan
MESH
Lesson Summary
At the end of this module, you will be able to:
• Understand the difference between Mesh and Bridge topology
• Configure the Mesh and Bridge topology
Wireless MESH

(Figure: a Mesh link between two APs, radios labelled 2,4 GHz, 5 GHz high and 5 GHz low; caption: reaching areas where cabling is not available)

• Extend network with Wireless links
• Provide connectivity even when LAN cable cannot be extended
• Supported on all Stellar APs
• Self healing Mesh network
Wireless MESH – Design "Bridge – Point to point design"

 Connect two distant sites over wireless
 No client WLAN broadcast
 Pure site to site BRIDGE

Wireless MESH – Design "Bridge – Point to multipoint design"

 Connect multiple distant sites over wireless
 The LAN connected AP is the Root
 All APs also broadcast client WLAN services (max 5)
 If there are two roots configured in the setup, the downlink APs will connect to the root with the BEST RSSI
 If the Root fails, the downlink APs will search for the next best Root

(Figure labels: Root, Connector, Backhaul)

Limits
 MAX 16 APs in a single MESH to Root
 MAX 5 APs in a single hop P2MP connection
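The root-selection and failover behaviour described above, as an added illustrative model written for this guide (not Stellar firmware or ALE code): downlink APs attach to the live root with the best RSSI, respect the 5-AP single-hop limit, and re-home when their root fails. AP names and RSSI values are constructed; the 16-AP-per-mesh limit spans several hops and is not modelled.

```python
# Added illustrative model, not Stellar firmware: how downlink APs in a P2MP
# mesh pick a root by best RSSI and re-home when that root fails.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_APS_PER_HOP = 5  # slide: max 5 APs in a single-hop P2MP connection
# The 16-AP-per-mesh limit applies across hops and is not modelled here.

@dataclass
class Root:
    name: str
    alive: bool = True
    children: List[str] = field(default_factory=list)  # directly attached downlink APs

def best_root(roots: List[Root], rssi: Dict[str, int]) -> Optional[Root]:
    """Live root with the strongest RSSI (dBm, closer to 0 is stronger) that still
    has a free single-hop slot; None when no root qualifies."""
    usable = [r for r in roots
              if r.alive and r.name in rssi and len(r.children) < MAX_APS_PER_HOP]
    return max(usable, key=lambda r: rssi[r.name], default=None)

def join(ap: str, roots: List[Root], rssi: Dict[str, int]) -> Optional[str]:
    """Attach a downlink AP to its best root; return the root name or None."""
    root = best_root(roots, rssi)
    if root is None:
        return None
    root.children.append(ap)
    return root.name

def fail_root(name: str, roots: List[Root],
              rssi_table: Dict[str, Dict[str, int]]) -> Dict[str, Optional[str]]:
    """Mark a root dead; its downlink APs search for the next best root.
    Returns {ap: new_root_or_None} so an operator can see who lost service."""
    failed = next(r for r in roots if r.name == name)
    failed.alive = False
    orphans, failed.children = failed.children, []
    return {ap: join(ap, roots, rssi_table[ap]) for ap in orphans}

def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: two roots, two downlink APs, then RootA fails."""
    roots = [Root("RootA"), Root("RootB")]
    rssi_table = {"AP1": {"RootA": -55, "RootB": -70},   # AP1 hears RootA best
                  "AP2": {"RootA": -80, "RootB": -60}}   # AP2 hears RootB best
    for ap in rssi_table:
        join(ap, roots, rssi_table[ap])
    return fail_root("RootA", roots, rssi_table)       # AP1 re-homes to RootB
```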
Enterprise MESH (video)

Enterprise Bridge (video)

Follow us on…

Follow us on: www.al-enterprise.com

facebook.com/ALUEnterprise

linkedin.com/company/alcatellucententerprise

twitter.com/ALUEnterprise

youtube.com/user/enterpriseALU
Book your remote demo through the eDemo website!

• What’s in for you
 Demonstration booking forms
 User guides
 Requirement lists
 Videos on selected ALE Communications and Network solutions
 Access to the help desk (from 9am to 6pm CET – PST)
 And much more!
• FREE SERVICE to conduct remote demonstrations on your premises or the customer’s from our data center
• Specific demonstrations can be handled upon request
http://edemo.al-mydemo.com/
