Cert0101: HPE6-A42 & HPE6-A70
This guide is not meant to replace the “Implementing Aruba Wireless”
course. Students are advised to go through the IAW guide before using
this material.
Module 1
WLAN Fundamentals and RF Basics
2.4 GHz, interference
An AP operates on channel 6; a wireless security camera operating on channel 8 will cause
interference
2.4 GHz Minimum Spacing
Minimum spacing to prevent overlap: 5 channels
Compare 802.11a/b/g/n/ac Data Standards
Highest transmission rates in the 2.4 GHz band: 802.11n
Antenna Gain
A high-gain omni-directional antenna provides more horizontal coverage and less vertical
coverage compared to a typical omni-directional antenna
MIMO
In a typical office environment with many surfaces where the signal can bounce, MIMO
increases wireless speeds
MU-MIMO
Unique to 802.11ac Wave 2 APs
dBm and mW Relationships
A loss of 3 dBm equals a loss of 50%
Module 2
Mobile First Architecture
IAP Convert to CAP
Convert the IAPs to Campus APs controlled by the new MCs.
Controllers Model
determine number of supported users and firewall throughput
7010 vs 7024
The 7024 supports more PoE devices directly connected to the MC
Controller Portfolio
The 7030 supports 64 APs
Controller Portfolio
Aruba controller deployment that is new to ArubaOS 8: virtual appliances
IAP
IAPs operate in an autonomous or standalone mode
Master-Local Mode
The company already has a partially hierarchical deployment based on the 6.x code and
wants to keep the current architecture.
Mobility Master
It manages VLAN and routing configuration for multiple Mobility Controllers (MCs).
MM (8.x) vs Master (6.x)
The Master cannot push interface settings to the MC.
AP Failover
A cluster of Mobility Controllers provides high availability for APs
RAP Split tunnel
It sends traffic destined for the corporate network in an IPsec tunnel to a central Mobility
Controller (MC), and it bridges other traffic locally.
License Pool
All licenses are installed on the MM.
Enable License
Enable the feature in the Global Usage window
Calculating License Requirements
Licensing
Maximum number of APs supported (32)
License Redundancy
The MC retains its current licenses for 30 days when the MM is not reachable.
Controller Matrix
AP count, User count, Firewall throughput
Module 3
Mobility Master Mobility Controller Configuration
GUI Hierarchy
MM Sync config with MC
removes any commands that are not supported on that MC or have dependency errors
Module 4
Secure WLAN Configuration
AP Group
Place APs in different buildings in different AP Groups to have different config.
Profiles
AAA profile to assign an authentication server group
WLAN Creation
No Broadcast SSID: Hidden SSID
Forwarding Mode
Decrypt-tunnel: user traffic is decrypted at the AP
Default Forwarding Mode
Tunnel to Mobility Controller, in MM or Master-Local architecture.
Setup Preshared key (PSK)
Click Personal in the slide bar
Module 5
AP Provisioning
Radius Authentication
Mobility Controller exchanges RADIUS packets with the RADIUS server
AirMatch
With new AP run
Controller Discovery
Map the Mobility Controller (MC not MM) IP addresses to the aruba-master name on the
network DNS server.
Module 6
WLAN Security
WPA/WPA2 Negotiation
Keys are generated and distributed securely during each wireless user authentication
process.
MAC Authentication
Authorized MAC addresses are visible in plaintext in the air and can be easily spoofed
Two way authentication
Issue: The user clients do not trust the RADIUS server certificate and are configured not to
prompt users to trust new certificates.
Authentication Methods
802.1X authentication occurs at Layer 2, while captive portal authentication occurs at Layer
3.
WPA2-Enterprise
Requires a RADIUS server
RADIUS shared key
Authentication with EAP-TLS
The authenticator forwards the authentication requests to the RADIUS server.
Authentication with 802.1x/EAP
The RADIUS server determines the EAP type, not the controller
EAP-TLS
Unique digital certificates installed on user devices to authenticate wireless users
Machine Authentication
Authenticate the Windows clients as well, based on the client computer names.
ClearPass
RADIUS Authentication Server
LDAP
Authenticate directly against an Active Directory (AD) domain controller without NPS or IAS
Access Points, Air Monitors, Spectrum Monitors
An AM detects threats such as rogue APs, while an SA analyzes RF conditions.
Access Points, Air Monitors, Spectrum Monitors
AMs help to detect rogue APs in the environment
Prevent client connections to rogue APs.
WIDS
Protects against attacks at Layer 2
Spectrum Monitor (SM)
Analyze RF signals to determine the cause of non-802.11 interference.
Testing Communication Between Mobility
Controller and RADIUS Server
Module 7
Firewall Roles and Policies
Aruba Firewall Role
Set bandwidth limit
Aruba Firewall Role
Create a policy with these rules, and then apply that policy to the roles
Aruba Role Derivation from Radius Server
The RADIUS server sends different roles for users in different departments. Apply role-based
firewall policies.
Firewall Rule
"user any any permit" rule: It permits traffic from wireless clients as long as the packet has a
source IP.
Application Rule
Prevent wireless users from accessing shopping web sites with a bad reputation.
Firewall Policy to allow DHCP
DHCP setting: source = any and destination = any
Global Rule
It immediately applies to the guest role and other roles, as part of the first policy applied to
the role.
WLAN Default Role
Users who successfully authenticate and are not assigned a different role by the RADIUS
server
AAA Profile, Default Role
If the RADIUS server is not correctly set up to send a user role, the default role will be used.
Module 8
Dynamic RF Management
AirMatch
The MM generates the channel and power plan for an AP
AirMatch Solution does not get deployed
The new plan did not offer significantly improved quality
AirMatch LSM Upgrade
Upgrade Client Match as part of a global software upgrade, and upgrade AirMatch separately as a
loadable service module (LSM).
AirMatch FAQ
Disabling the ARM profile does not affect AirMatch
Client Match
Balance wireless devices across APs on different channels
Module 9
Guest Access
Guest Network with NAT
Enable NAT on the VLAN assigned to the guest WLAN.
L3 Deployment
VLAN interfaces on the Mobility Controllers (MCs) as the default gateway for wireless users
Captive Portal Process
The firewall permits them to send any DHCP traffic and DNS and web traffic to the Internet. It
redirects web traffic destined to the private network to a login portal.
PEFNG with Captive Portal
Addition of custom rules to control access for authenticated guests
Captive Portal without authentication
Use of the internal captive portal with email registration
Internal Captive Portal
Administrators can modify the default internal captive portal pages or upload pages
developed externally.
Guest Provisioning Account
Create guest user accounts
Guest-logon role
Allows DHCP, DNS, and internal captive portal redirection for a guest WLAN
WebUI Certificate
Guest Access
Add ClearPass as the RADIUS server
ClearPass Guest
Option for guests to create their own accounts
Module 10
Network Monitoring and Troubleshooting
Top Banner
List of alerts about a variety of issues on the MM or managed devices
Client Dashboard
Displays the roles to which these users are actually assigned
Client Health
50% means the AP takes about twice as long to send data to the client as expected if all
transmissions succeeded.
Performance Dashboard
Monitor the health status of all APs and clients
Traffic Analysis
The solution must have active PEFNG licenses.
Filter View
To see the breakdown for only the roles, destinations, WLANs and devices that use this application
Security Analysis Dashboard
List of rogue APs and interfering APs
AirWave vs MM
AirWave collects and analyzes information about clients and APs over extended periods of time
AirWave Monitoring Devices
Click “Poll Controller Now” to get real-time info.
AirWave vs Mobility Master
MM Dashboard
To analyze short-term trends in network usage by client, AP, and application
MM: Potential Issues
Low SNR problem: below 30
Traffic Analysis Dashboard
Shows the types of applications in use in the wireless network
AirWave
Configuration Status: Error (Communication Issues)
Security of Data in the Air
WPA2 provides both data integrity and privacy with AES.
Difference between WPA and WPA2 encryption
WPA encryption uses TKIP by default, and WPA2 encryption uses AES by default.
AirWave: Monitor Clients
AirWave combines information from more sources, such as RADIUS authentication servers
and APs.
Aruba AP Mesh
Mesh portal
Aruba Multizone
Use case: multiple controllers with different administrative domains
