The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE.
Proprietary Ownership Declaration
I agree not to copy, produce, reproduce, transfer, distribute, decode and/or modify any
ALE material (including any and all documentation, manuals, software presentation,
student book and software files) made available and/or used as part of the ALE training.
I acknowledge that sharing of any kind of courseware and media used are strictly forbidden
without approval from ALE Training Services.
I represent and warrant that I will not use or not permit to use the courseware and\or
educational tools supplied by ALE to provide trainings in a private capacity or for my
employer or any third party.
I also acknowledge and agree that ALE owns and reserves all copyright in and all other
intellectual property rights relating to the ALE training material (including courseware and
all associated documentation) provided during the training.
I understand that any breach or threat of breach of the above shall entitle ALE to injunctive
and other appropriate equitable relief (without the necessity of proving actual damages),
in addition to whatever remedies ALE may have at law.
Furthermore, I acknowledge and agree that ALE will be entitled to cancel immediately any
and all of my Certifications in case of any breach of the above.
Maintenance – eBook
The eBook is available on the Knowledge Hub training platform. Internet access is required
to download the eBook.
Participants should be informed that they must bring their laptop for the classroom or
virtual session.
In case of issue for downloading the eBook, the user can open a ticket with the ALE
Welcome Center for assistance.
ALE technical support will be provided on an "AS IS" and "AS AVAILABLE" basis without
warranty of any kind.
OmniAccess Stellar Wireless LAN
Troubleshooting Methodology
Lesson Summary
Troubleshooting methodology
At the end of this module you will be able to:
• Understand potential root causes of Wireless issues
• Understand and apply the process steps when
troubleshooting a case
Potential WLAN Troubleshooting Causes
[Figure: End User, LAN, Stellar AP, Switch, WAN, Router]
End User: Different skills, Knowledge, perception
Wi-Fi Device (Client): Device on/off, Drivers, Radio Capabilities, 802.1X Profile, Minimum requested Data Rates, Roaming algorithm, 802.11n
RF Medium
• Association (Beacon, probes request/response, 802.11k/v/r)
• Authentication (Open, Pre-Shared Key, 802.1X/RADIUS)
• Encryption (No encryption, TKIP, AES/CCMP)
• Upper Layers (DHCP, IP, DNS, VLAN, Gateway, Captive Portal)
RF Media (RSSI, SNR, Radio Coverage)
Stellar AP: Configuration, SSIDs, Minimum basic rates, Band steering, Radio capabilities, Roaming, QoS
Potential WLAN Troubleshooting Causes – Local Network
External DNS
Internet External Captive Portal
Issues independent from the network administrator
Troubleshooting process
Use Case
Troubleshooting Process Steps
• If you can’t recreate this issue, return to step one and ask more questions
• Identify OSI Layer, Specific devices, Specific locations, Driver versions
• Extensive testing to confirm and verify the solution did indeed solve the issue at hand
Use Case
Isolate Locate Identify
“Building_A”
Access switch
“Building_A”
Use Case
Re-create
[Figure: End User, Wi-Fi Device (Client), RF Medium, Stellar AP, Switch, LAN, WAN, Router; servers: DHCP, OmniVista, DNS, Radius, LDAP/AD; callouts 1, 2, 3]
Use Case
Verify Solve
Status
Issue has been identified as the wrong « Employee » VLAN configured on the access switch « Building_A ».
Reproduction of the customer’s setup didn’t show an alternate root cause of this issue.
Resolution
Reconfigure the VLAN « Employee » on the Access Switch « Building_A ».
[Figure labels: Access switch “Building_A”; “Employee” VLAN; VLAN 10; VLAN 10]
Verification
Test the solution in your environment.
Apply the correction in the customer environment.
Ask the client to test their day-to-day wireless applications (Rainbow,
voice, mail,…) and wireless devices to check the solution stability.
Use Case
Documentation
▪ Document the troubleshooting case:
▪ Issue description
▪ Topology
▪ Firmware versions
▪ Diagnostic
▪ Resolution
▪ Configuration fixes
▪ Firmware version to be used
▪ Hardware replacement
facebook.com/ALUEnterprise
linkedin.com/company/alcatellucententerprise
twitter.com/ALUEnterprise
youtube.com/user/enterpriseALU
Troubleshooting Process
Interview - Use Case
1 Interview
The following table contains the questions, the answers, the deductions from the answers and the analysis results.
Description of the issue from the customer: “Wifi client can not log into the SSID Employee”
2 Configuration analysis
As a second step, ask the customer for the AP log file from one of the impacted Stellar APs.
Also request the configuration file from the access switch “Building_A”.
Root cause:
Wrong VLAN configuration on the Access switch “Building_A”
Resolution:
Update the tagged VLAN with the ID = 20.
[Figure labels: Access switch “Building_A”; “Employee” VLAN; VLAN 10; VLAN 20]
OmniAccess Stellar Wireless Lan
Troubleshooting Tools
Lesson summary
Troubleshooting Tools
At the end of this module you will be able to:
• Understand and use the internal troubleshooting tools
• Understand and list the external tools used to analyze
the wireless network and issues
Integrated Diagnostic Tools
Before Troubleshooting
◼ NTP server configured in the network
NTP synchronization
[Figure: Wi-Fi Device (Client), AP, Access Switch, OmniVista, NTP server. Timestamps of “Error 10” entries in the AP logs, the access switch logs and the OmniVista logs, shown for the two cases “No NTP server” and “NTP server”.]
Console connection to the Stellar AP
◼ Check: Serial port connection
ssh_connect = 1 : SSH enabled
ssh_connect = 0 : SSH disabled
AP Log collection – Express mode
◼Login to the AP web UI: https://<AP_IP> or http://<AP_IP>:8080
AP Log collection – Enterprise mode
◼In OmniVista
AP Log collection
OmniVista Log collection
◼In OmniVista
⚫ Download all the logs from OmniVista
◼ Step 3 – PC/laptop
⚫ Open the file on Wireshark
Air Capture on Stellar AP – Enterprise mode
◼ Stellar AP captures the surrounding wireless traffic on the selected channel
◼ Step 1 – OmniVista
⚫ Activate “AP Web” in the AP Group
◼ Step 2 – Stellar AP
⚫ Log in
⚫ In RF Environment, select the Radio to capture
⚫ Click on Start Capture
⚫ Select the Channel
⚫ Enter the TFTP server where the capture will be sent
⚫ Option: Filter the capture (MAC, Frame type)
⚫ Start/Stop the capture
Warning: Capture file limited to 10MB or 5min of capture
◼ Step 3 – PC/laptop
⚫ Open the file on Wireshark
Stellar AP configuration Backup – Express mode
◼ Backup the configuration of one or multiple Stellar AP
⚫ Used to re-create the issue
⚫ Shared with the technical support
◼ Step 2 – Re-create the issue
⚫ In your own setup, “Restore All Configuration” using the .tar file.
InSSIDer on Windows
Wifi Analyzer on Android
◼ Wireless Air capture (>5 minutes)
⚫ Windows: Wifi card supporting monitor mode
⚫ MacBook: Native
OMNIACCESS STELLAR
WIRELESS LAN
BASIC TROUBLESHOOTING
LESSON SUMMARY
Upon completion of this module,
you will be able to:
Troubleshoot:
The hardware of the Stellar Access Points
The system of the Stellar Access Points
The Captive Portal solution
A cluster in Express mode
HARDWARE TROUBLESHOOTING
HARDWARE – LEDS – AP1201/1230 SERIES / 13XX / 14XX
• Single tri-color LED (Red, Blue, Green)
Solid Red
• System startup
Solid Blue
• System Running
• Dual band working
2.4G ON
• 2.4GHz SSID created and running
5G ON
• 5GHz SSID created and running
ENET0 ON
• Ethernet0 Link Up
ENET1 ON
• Ethernet1 Link Up
SFP ON
• SFP Link Up
PSE ON
• PSE Enabled
CLI TROUBLESHOOTING
• Uptime
support@AP-0E:E0:~$ uptime
21:10:20 up 11 days, 17:45, load average: 0.47, 0.37, 0.40
• Specific process
support@AP-0E:E0:~$ ps | grep cluster
3593 support 1304 S grep cluster
6173 root 7056 S /sbin/cluster_mgt -I 100 -p 0
6174 root 6372 S /sbin/cluster_cor -I 100 -p 0
• Check List:
• Is the client authenticated on the Captive Portal? → Entry in the list
• For how long is the client connected? → SessionTime
• Does the client send/receive data to the network? → OutputFlow and InputFlow
CAPTIVE PORTAL LOGS
• Captive Portal related logs
support@AP-83:60:~$ cat /var/log/eag.log

Client first connection to the Captive Portal. Client IP address unknown. Redirection URL can not be sent.
[2019-12-03 07:59:32]: eag_stamsg.c:1132:stamsg_recieive usermac D4:6E:0E:18:60:38,userip 0.0.0.0, OP: 0
…
[2019-12-03 07:59:32]: eag_stamsg.c:510:Receive USER_ADD msg status:NotAuthed, apmac: DC:08:56:09:83:60,usermac:D4:6E:0E:18:60:38,userip 0.0.0.0, wlan service name:guest0, ssid:guest0 ,vlanid:20, ARP name: __guest0, redirect URL: https://ov2500-upam-cportal.al-enterprise.com:443/portal_UI/c0212f425f33993753226f9ddeb55bd1/login.html?mac=D46E0E186038 redirect ipv6 URL:https://ov2500-upam-cportal.al-enterprise.com:443/portal_UI/c0212f425f33993753226f9ddeb55bd1/login.html?mac=D46E0E186038

Client information gathered. Client IP address retrieved.
[2019-12-03 07:59:33]: appconn.c:1103:eag_ipinfo_get before userip=10.7.0.39
[2019-12-03 07:59:33]: appconn.c:1112:eag_ipinfo_get after userip=10.7.0.39,usermac=D4:6E:0E:18:60:38,interface=br-vlan20
[2019-12-03 07:59:33]: appconn.c:1115:appconn_check_is_conflict eag_ipinfo_get userip 10.7.0.39, interface(br-vlan20), usermac(D4:6E:0E:18:60:38)
[2019-12-03 07:59:33]: eag_ipinfo.c:1457:[ip -6 neigh |grep d4:6e:0e:18:60:38|grep br-vlan20 |awk '{print $1}' |grep fe80::]:[addr:]
[2019-12-03 07:59:33]: appconn.c:355:user local llink address is null
[2019-12-03 07:59:33]: eag_redir.c:3011:user ip = 10.7.0.39
[2019-12-03 07:59:33]: eag_redir.c:3055:reget local link addr mac:d4:6e:0e:18:60:38 bridge:br-vlan20
[2019-12-03 07:59:33]: eag_ipinfo.c:1457:[ip -6 neigh |grep d4:6e:0e:18:60:38|grep br-vlan20 |awk '{print $1}' |grep fe80::]:[addr:]
[2019-12-03 07:59:33]: appconn.c:355:user local llink address is null
[2019-12-03 07:59:33]: eag_ins.c:7349:the custon file not exist

Stellar AP sends redirection URL to the client.
[2019-12-03 07:59:33]: eag_redir.c:1774:PortalRedirect___UserIP:10.7.0.39,UserMAC:D4-6E-0E-18-60-38,ApMAC:DC-08-56-09-83-60,SSID:guest0,NasIP:10.7.0.103,Interface:ath12,NasID:,redirURL:https://ov2500-upam-cportal.al-enterprise.com:443/portal_UI/c0212f425f33993753226f9ddeb55bd1/login.html?mac=D46E0E186038&url=http://www.msftconnecttest.com/connecttest.txt
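The stages annotated in the eag.log extract above can be followed per client with a small parser. This is an added example, not ALE code: the stage names, the function names and the sample lines (entries in the page's format rejoined onto single lines, with a placeholder portal host and a second, made-up client) are assumptions.

```python
import re

# Constructed sample in the eag.log format shown above. portal.example.test,
# HASH and the client AA:BB:CC:00:00:01 are placeholders, not page values.
SAMPLE_LOG = """\
[2019-12-03 07:59:32]: eag_stamsg.c:1132:stamsg_recieive usermac D4:6E:0E:18:60:38,userip 0.0.0.0, OP: 0
[2019-12-03 07:59:32]: eag_stamsg.c:510:Receive USER_ADD msg status:NotAuthed, apmac: DC:08:56:09:83:60,usermac:D4:6E:0E:18:60:38,userip 0.0.0.0, wlan service name:guest0, ssid:guest0 ,vlanid:20, ARP name: __guest0, redirect URL: https://portal.example.test:443/portal_UI/HASH/login.html?mac=D46E0E186038
[2019-12-03 07:59:33]: appconn.c:1112:eag_ipinfo_get after userip=10.7.0.39,usermac=D4:6E:0E:18:60:38,interface=br-vlan20
[2019-12-03 07:59:33]: eag_redir.c:1774:PortalRedirect___UserIP:10.7.0.39,UserMAC:D4-6E-0E-18-60-38,ApMAC:DC-08-56-09-83-60,SSID:guest0,NasIP:10.7.0.103,Interface:ath12,NasID:,redirURL:https://portal.example.test:443/portal_UI/HASH/login.html?mac=D46E0E186038
[2019-12-03 08:01:10]: eag_stamsg.c:510:Receive USER_ADD msg status:NotAuthed, apmac: DC:08:56:09:83:60,usermac:AA:BB:CC:00:00:01,userip 0.0.0.0, wlan service name:guest0, ssid:guest0 ,vlanid:20, ARP name: __guest0, redirect URL: https://portal.example.test:443/portal_UI/HASH/login.html?mac=AABBCC000001
"""

# "[timestamp]: source.c:line:message"
LINE_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]: ([\w.]+):(\d+):(.*)$")
# The client MAC is written "usermac X", "usermac:X", "usermac=X" or "UserMAC:X",
# with ':' or '-' separators; the AP MAC (apmac/ApMAC) must not be picked up.
MAC_RE = re.compile(r"user_?mac[\s:=(]*((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.I)
IP_RE = re.compile(r"userip[\s:=]*(\d{1,3}(?:\.\d{1,3}){3})", re.I)


def classify(message, ip):
    """Map one log message to a stage name (names chosen for this example)."""
    if "USER_ADD" in message:
        return "USER_ADD"            # first connection, client not authenticated
    if "PortalRedirect" in message:
        return "REDIRECT_SENT"       # AP sent the portal URL to the client
    if "eag_ipinfo_get after" in message and ip not in (None, "0.0.0.0"):
        return "IP_RETRIEVED"        # AP learned the client IP address
    return None


def portal_timeline(log_text):
    """Return {client MAC: [(timestamp, stage, ip), ...]} in log order."""
    timeline = {}
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line.strip())
        if not parsed:
            continue
        timestamp, _source, _lineno, message = parsed.groups()
        mac = MAC_RE.search(message)
        if not mac:
            continue
        ip_match = IP_RE.search(message)
        ip = ip_match.group(1) if ip_match else None
        stage = classify(message, ip)
        if stage:
            key = mac.group(1).lower().replace("-", ":")
            timeline.setdefault(key, []).append((timestamp, stage, ip))
    return timeline


def stuck_clients(timeline):
    """Clients seen by the portal that never reached the redirection stage."""
    return sorted(mac for mac, events in timeline.items()
                  if not any(stage == "REDIRECT_SENT" for _, stage, _ in events))


if __name__ == "__main__":
    result = portal_timeline(SAMPLE_LOG)
    for mac, events in result.items():
        print(mac, [stage for _, stage, _ in events])
    print("never redirected:", stuck_clients(result))
```

A client that stays at USER_ADD with userip 0.0.0.0 never obtained an address, which points to DHCP or the VLAN on the uplink rather than to the portal itself.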
CLUSTER TROUBLESHOOTING
EXPRESS MODE
CLUSTER CONFIGURATION - ROLE
• Check the AP role and status in the cluster
• Is the Stellar AP supposed to be the Primary Virtual Controller?
• Check the status of the PVC in the cluster
• Is a PVC found in the cluster? Is it supposed to be this PVC?
OmniAccess Stellar Wireless Lan
Wireless Troubleshooting
Lesson summary
Wireless Troubleshooting
At the end of this module you will be able to:
• Troubleshoot wireless issues
• Understand wireless troubleshooting through use cases
Wireless Configuration
◼ Check wireless configuration
◼ Check List
⚫ SSID broadcasted on the selected radio(s)?
⚫ Transmission Power as selected in the RF profile?
⚫ Encryption activated?
⚫ BSSID is present?
If there is no MAC address for « Access Point », the SSID is not broadcasted
support@AP-0E:E0:~$ iwconfig
gre0 no wireless extensions.
...
ath01 IEEE 802.11ng ESSID:"employee0"
Mode:Master Frequency:2.437 GHz Access Point: DC:08:56:09:83:61
Bit Rate:192 Mb/s Tx-Power=17 dBm
RTS thr:off Fragment thr:off
Encryption key:CE75-5424-2E7F-9C74-B8AD-83F4-14EC-03A
Power Management:off
Link Quality=94/94 Signal level=-48 dBm Noise level=-95 dBm
Rx invalid nwid:12078 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
ath11 IEEE 802.11ac ESSID:"employee0"
Mode:Master Frequency:5.5 GHz Access Point: DC:08:56:09:83:69
Bit Rate:1.7333 Gb/s Tx-Power=24 dBm
RTS thr:off Fragment thr:off
Encryption key:3F97-C66B-A3DC-2714-DE7C-1986-072E-5356 [2]
Power Management:off
Link Quality=94/94 Signal level=-97 dBm Noise level=-95 dBm
Rx invalid nwid:13766 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
athXY
X = 0 : 2.4GHz Radio
X = 1 : 5GHz Radio
Y = [1…16] : SSID ID
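The check list above can be run over saved iwconfig output. This is an added example, not ALE code: it decodes the athXY convention and reports a missing BSSID, a missing encryption key and a Tx-Power that differs from a caller-supplied value. The sample output is constructed (indented as iwconfig prints it, with a dummy key), and `expected_tx_dbm` is a hypothetical parameter holding the power configured in the RF profile.

```python
import re

# Constructed sample: real iwconfig layout, values modelled on the page.
# ath02 (no BSSID) and the all-zero key are made up for the example.
SAMPLE_IWCONFIG = """\
gre0      no wireless extensions.

ath01-20  no wireless extensions.

ath01     IEEE 802.11ng  ESSID:"employee0"
          Mode:Master  Frequency:2.437 GHz  Access Point: DC:08:56:09:83:61
          Bit Rate:192 Mb/s   Tx-Power=17 dBm
          Encryption key:0000-0000-0000-0000   Power Management:off

ath02     IEEE 802.11ng  ESSID:"guest0"
          Mode:Master  Frequency:2.437 GHz  Access Point: Not-Associated
          Bit Rate:192 Mb/s   Tx-Power=17 dBm

ath12     IEEE 802.11ac  ESSID:"guest0"
          Mode:Master  Frequency:5.3 GHz  Access Point: DC:08:56:00:0E:E2
          Bit Rate:1.7333 Gb/s   Tx-Power=3 dBm
"""

# athXY: X = radio (0: 2.4GHz, 1: 5GHz), Y = SSID ID (1 to 16).
IFACE_RE = re.compile(r"^ath([01])(\d{1,2})$")
BANDS = {"0": "2.4GHz", "1": "5GHz"}


def parse_iwconfig(text):
    """Group the output into {interface name: joined description}."""
    blocks, name = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # a new interface starts in column 0
            parts = line.split(None, 1)
            name = parts[0]
            blocks[name] = parts[1] if len(parts) > 1 else ""
        elif name and line.strip():              # indented continuation line
            blocks[name] += " " + line.strip()
    return blocks


def audit_ssids(text, expected_tx_dbm=None):
    """Apply the page's check list to every athXY interface."""
    expected_tx_dbm = expected_tx_dbm or {}
    report = []
    for name, body in sorted(parse_iwconfig(text).items()):
        match = IFACE_RE.match(name)
        if not match or "no wireless extensions" in body:
            continue                             # skips gre0, ath01-20, ...
        band, ssid_id = BANDS[match.group(1)], int(match.group(2))
        essid = re.search(r'ESSID:"([^"]*)"', body)
        bssid = re.search(r"Access Point: ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})", body)
        tx = re.search(r"Tx-Power[=:]\s*(-?\d+) dBm", body)
        key = re.search(r"Encryption key:(\S+)", body)
        findings = []
        if not bssid:
            findings.append("no BSSID: SSID not broadcast")
        if not key or key.group(1) == "off":
            findings.append("no encryption key: open SSID")
        want = expected_tx_dbm.get(band)
        if tx and want is not None and int(tx.group(1)) != want:
            findings.append(f"Tx-Power {tx.group(1)} dBm, RF profile expects {want} dBm")
        report.append({
            "iface": name, "band": band, "ssid_id": ssid_id,
            "essid": essid.group(1) if essid else None,
            "bssid": bssid.group(1) if bssid else None,
            "tx_power_dbm": int(tx.group(1)) if tx else None,
            "findings": findings,
        })
    return report


if __name__ == "__main__":
    for entry in audit_ssids(SAMPLE_IWCONFIG, {"2.4GHz": 17, "5GHz": 24}):
        print(entry["iface"], entry["band"], entry["essid"], entry["findings"])
```

An open SSID is expected for a captive-portal guest network, so that finding is only a problem on SSIDs that are meant to be encrypted.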
RF Profile Configuration
◼ Check the RF configuration applied on the AP
◼ Check List
⚫ Global parameters: same as configured?
Band Steering
Load Balance
Scanning
Country Code
Air Time Fairness
⚫ Per Radio parameters: same as configured?
Channel selection: auto or manual?
Channel Width?
Power selection: auto or manual?
support@AP-0E:E0:~$ cat /tmp/config/rfprofile.conf
{
"RFService":[
{
"bandSteering":"enable",
"bandSteeringForce5g":"disable",
"LoadBalance":"enable",
"backgroundScanning":"enable",
"scanningEnhance":"disable",
"countryCode":"FR",
"scanningInterval":20,
"scanningDuration":50,
"voiceVedioAwareness":"disable",
"airtimeFairnessAt2G":"disable",
"airtimeFairnessAt5G":"disable",
"perBandInfo":{
"2.4G":{
"band":"enable",
"channelSetting":"AUTO",
"channelWidth":20,
"autoChannelWidth":"enable",
"powerSetting":"AUTO",
"shortGuardInterval":"enable",
"signalStrengthThreshold":0,
"roamingSignalStrengthThreshold":0,
"radioMode":"normal",
"scanDuration":"normal",
"Gain":"3",
"clientAwareness":"disable"
},
Wireless Interface Configuration
◼ Use « iwconfig » to identify the wireless interface to monitor:
ath01 for the employee0 SSID in 2.4GHz
⚫ Check the channel used for the SSID in 2.4GHz
support@AP-0E:E0:~$ iwlist ath01 channel
ath01 57 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.437 GHz (Channel 6)
⚫ Check the power of transmission used for the SSID in 2.4GHz.
support@AP-0E:E0:~$ iwlist ath01 txpower
ath01 8 available transmit-powers :
0 dBm (1 mW)
5 dBm (3 mW)
7 dBm (5 mW)
9 dBm (7 mW)
11 dBm (12 mW)
13 dBm (19 mW)
15 dBm (31 mW)
17 dBm (50 mW)
Current Tx-Power=17 dBm (50 mW)
Wireless Troubleshooting
Use Case
AP can’t generate Heat Map (1/2)
◼ Reminder
⚫ AP needs a wireless interface to send/receive a wireless signal and so, generate a Heat Map.
◼ 1) There is no Heat Map generated on OmniVista. Check if the AP has a wireless interface:
support@AP-83:60:~$ iwconfig
gre0 no wireless extensions.
ath01-20 no wireless extensions.
ath11-untag no wireless extensions.
br-wan no wireless extensions.
wifi0 no wireless extensions.
eth0-20 no wireless extensions.
ath02-untag no wireless extensions.
sit0 no wireless extensions.
ath11-20 no wireless extensions.
Wireless interface exists for the 5GHz radio:
ath12 IEEE 802.11ac ESSID:"guest0"
Mode:Master Frequency:5.3 GHz Access Point: DC:08:56:00:0E:E2
Bit Rate:1.7333 Gb/s Tx-Power=3 dBm
RTS thr:off Fragment thr:off
Power Management:off
Link Quality=94/94 Signal level=-31 dBm Noise level=-95 dBm
Rx invalid nwid:536 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
AP can’t generate Heat Map (2/2)
◼ Reminder:
⚫ To create a Heat Map for a specific radio (ex:2.4GHz), a wireless interface must exist for this radio.
◼ 2) Heat Map can’t be created for the 2.4GHz radio. Check AP WLAN configuration:
⚫ Heat Map can’t be generated for the 2.4GHz radio. Select the 5GHz radio:
Bad signal
from neighbor
Roaming - Neighbor AP
◼ In some cases, Stellar APs are geographical neighbors but can’t see each other (e.g. radio waves blocked by a corridor with right angles,…).
⚫ The client context can't be shared. No roaming.
[Figure label: No client context sharing]
◼ Solution:
⚫ On both APs, statically add the neighbor Stellar AP from the list of known APs.
⚫ The client context can be shared through the LAN and the client can roam.
◼ Select the AP in the AP Registration > Access
Point view and click on the hyperlink
"Neighbor AP"
⚫ Click on the Edit button and select the neighbor
AP from the list
⚫ Repeat the process for the second AP
Check Roaming success
◼From AP Log collection, open wam.log
L3 roaming
OmniAccess Stellar Wireless Lan
Client Troubleshooting
Lesson summary
Client Troubleshooting
At the end of this module you will be able to:
• Troubleshoot client issues in a Stellar solution
• Understand client troubleshooting through use cases
Client List
◼ List all the clients associated to the AP
⚫ Check List:
Client in the correct VLAN? Client got an IP address in the correct subnet? → VLAN and IPv4
Stability of the client connection. What is the uptime value of the client? → OnlineTime
Client receives/transmits data with the Stellar AP? → RX and TX counters
Correct authentication method used by the client? → AUTH
Correct Access Role Profile assigned to the client? → Final_role
Client OS type
◼Check the OS type of the clients on the AP
⚫ Check List:
Is the client listed? No connectivity issue?
Identification of the client: IP address, Mac address, Hostname.
Verification of the operating system (ostype).
support@AP-83:60:~$ ssudo wam_debug sta_list
Stellar AP to Client Attributes
◼ List the detailed attributes that AP sends to the client
⚫ Check List:
Same parameters as the sta_list command → IP address, VLAN, Association Time, AccessRole Profile assigned,…
Depending on the authentication method used (802.1X, MAC, Captive Portal), does the client receive the correct parameters from the Stellar AP?
Correct Captive Portal URL?
Is the Authentication a success?
Correct Access Role Profile after authentication success?
{
"status": "Success!!!",
"wlanServiceData": [
{
"iface": "ath02",
"ssid": "guest0",
"freq": "2.4GHz",
"security": "Open",
"wlanService": "guest0",
"staData": [
{
"staMAC": "d4:6e:0e:18:60:38",
"staIP": "10.7.0.39",
"staGlobalIPv6": "::",
"staLocalIPv6": "::",
"associationTime": 53,
"mappingType": 0,
"assignedVLAN": 20,
"assignedAR": "__guest0",
"assignedPL": "",
"macAuthResult": "SUCCESS",
"ARFromMACAuth": "",
"PLFromMACAuth": "",
"redirectURLFromMACAuth": "https:\/\/ov2500-upam-cportal.al-enterprise.com:443…",
"ARFrom8021xAuth": "",
"PLFrom8021xAuth": "",
"redirectURLFrom8021xAuth": "",
"CPAuthResult": "SUCCESS",
"ARFromCPAuth": "__guest0",
"PLFromCPAuth": "",
"ARFromRoaming": "",
"PLFromRoaming": "",
"redirectURLFromRoaming": "",
"classificationMatched": "none"
}
]
},
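The check list above (authentication result, VLAN, Access Role Profile) can be applied to every client in JSON of the shape shown. This is an added example, not ALE code: `POLICY` is a hypothetical table of the values the design intends per SSID, only the first sample client repeats the page's values, and treating any non-empty result other than "SUCCESS" as a failure is an assumption (the value "FAILED" is made up).

```python
import json

# Constructed sample in the JSON shape shown above (fields trimmed).
SAMPLE_JSON = """
{"status": "Success!!!",
 "wlanServiceData": [
  {"iface": "ath02", "ssid": "guest0", "freq": "2.4GHz", "security": "Open",
   "wlanService": "guest0",
   "staData": [
    {"staMAC": "d4:6e:0e:18:60:38", "staIP": "10.7.0.39", "assignedVLAN": 20,
     "assignedAR": "__guest0", "macAuthResult": "SUCCESS",
     "CPAuthResult": "SUCCESS", "ARFromCPAuth": "__guest0"},
    {"staMAC": "aa:bb:cc:00:00:02", "staIP": "10.7.0.40", "assignedVLAN": 20,
     "assignedAR": "__guest0", "macAuthResult": "SUCCESS",
     "CPAuthResult": "FAILED", "ARFromCPAuth": ""},
    {"staMAC": "aa:bb:cc:00:00:03", "staIP": "10.7.1.12", "assignedVLAN": 10,
     "assignedAR": "__guest0", "macAuthResult": "SUCCESS",
     "CPAuthResult": "SUCCESS", "ARFromCPAuth": "__guest0"}
   ]}
 ]}
"""

# Hypothetical expected settings per SSID, taken from the intended design.
POLICY = {"guest0": {"vlan": 20, "role": "__guest0"}}


def audit_clients(data, policy):
    """Return [(client MAC, finding)] for clients that deviate from the policy."""
    findings = []
    for service in data.get("wlanServiceData", []):
        ssid = service.get("ssid")
        expected = policy.get(ssid)
        for sta in service.get("staData", []):
            mac = sta.get("staMAC", "?")
            # Is the authentication a success? Covers macAuthResult, CPAuthResult
            # and any other "...AuthResult" field present in the entry.
            for key, value in sorted(sta.items()):
                if key.endswith("AuthResult") and value not in ("", "SUCCESS"):
                    findings.append((mac, f"{key}={value}"))
            if expected is None:
                findings.append((mac, f"no policy for SSID {ssid}"))
                continue
            # Client in the correct VLAN?
            if sta.get("assignedVLAN") != expected["vlan"]:
                findings.append(
                    (mac, f"VLAN {sta.get('assignedVLAN')}, expected {expected['vlan']}"))
            # Correct Access Role Profile assigned?
            if sta.get("assignedAR") != expected["role"]:
                findings.append(
                    (mac, f"role {sta.get('assignedAR')!r}, expected {expected['role']!r}"))
    return findings


if __name__ == "__main__":
    for mac, finding in audit_clients(json.loads(SAMPLE_JSON), POLICY):
        print(mac, finding)
```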
List clients on a wireless interface
◼ A list of all clients on a specific wireless interface
Maximum Tx Power : 18
HT Capability : Yes
VHT Capability : Yes
MU capable : No
SNR : 57
Operating band : 5GHz
Current Operating class :0
Supported Rates : 12 18 24 36 48 72 96 108
⚫ Check List:
Does the signal received by the client have enough strength? → RSSI, MINRSSI, MAXRSSI
For VoWLAN deployment in 802.11ac: RSSI must be -67dBm (or better). Meaning RSSI ≥ 29
Is the signal-to-noise too high and degrades the data transmission? → SNR
For VoWLAN deployment in 802.11AC: SNR ≥ 25
RSSI values
RSSI  dBm  |  RSSI  dBm  |  RSSI  dBm
10    -86  |  21    -75  |  29    -67
11    -85  |  22    -74  |  30    -66
13    -83  |  24    -72  |  32    -64
14    -82  |  25    -71  |  33    -63
15    -81  |  26    -70  |  34    -62
16    -80  |  27    -69  |  35    -61
17    -79  |  28    -68  |  36    -60
18    -78  |             |  37    -59
19    -77  |             |  38    -58
20    -76  |             |  39    -57
           |             |  40    -56
           |             |  41    -55
           |             |  42    -54
           |             |  43    -53
Legend:
Bad - too many packets loss. KO: Voice or real-time applications. OK: Mail or Internet applications
OK - For most applications. Quality impact for voice and real-time applications
Perfect - Recommendation for voice and real-time application
Client Access Logs
◼ Check the access logs of a specific client
support@AP-83:60:~$ cat /proc/kes_syslog | grep <client-MAC>
⚫ Check List:
Check association / disassociation exchange between Stellar AP and client
Check the disassociation reason in case of an unexpected disconnection of the client.
Client Troubleshooting
Use Case
Client cannot see the SSID
◼ 1) Is the SSID broadcasted by the AP?
support@AP-83:60:~$ iwconfig
…
◼ 2) Which radio does the client support? Compatible with the SSID broadcasted?
Capture all traffic on the LAN interface:
support@AP-83:60:~$ tcpdump -i eth0 -s0 -w trace.pcap
802.1X
◼ 1) On Client side:
⚫ Check:
Username and password
Encryption type
Security type/key
Certificate on client (if any)
802.1X authentication not working (2/3)
◼ 2) On AP side:
⚫ Compare Radius configuration to Radius server
IP and ports
Shared Secret key
support@AP-83:60:~$ cat /var/config/AAA_server.conf
"UnifiedAAAServer":[
{
"accountingPort":1813,
"hostName":null,
"retries":2,
"ipAddress":"10.130.5.250",
"name":"radius",
"type":"Radius",
"timeout":5,
"authenticationPort":1812,
"secret":"a006a626d46117ba078e0ca9ffd5b859"
} ]
⚫ Correct Radius server attached to the SSID?
support@AP-83:60:~$ cat /var/config/wlanservice.conf
"WLANService":[
{
"name":"employee0",
"essid":"employee0",
…
"securityLevel":"Enterprise",
"encryptionType":"wpa2-aes",
…
"aaaProfile":"employee0",
support@AP-83:60:~$ cat /var/config/AAA_profile.conf
"name":"employee0",
"macOpts":{
…
"e02d1xAccServer":{
"secondaryServer":null,
"callingStationIdType":"MAC",
"syslogUpdPort":null,
"syslogIpAddress":null,
"primaryServer":"radius",
802.1X authentication not working (3/3)
◼ 3) On Radius server side:
⚫ Compare Radius configuration and database to client and AP configuration:
Username/password
Shared Secret
Radius client IP
Radius station IP (IP address of the Stellar AP)
Certificate
Authentication and accounting ports
⚫ Sample of FreeRadius server configuration:
OmniAccess Stellar Wireless Lan
Network Troubleshooting
Lesson summary
Network Troubleshooting
At the end of this module you will be able to:
• Troubleshoot network related issues in a Stellar solution
• Understand network troubleshooting through use cases
IP Configuration
◼IP configuration of the LAN interface of the AP
support@AP-83:60:~$ ifconfig br-wan
br-wan Link encap:Ethernet HWaddr DC:08:56:09:83:60
inet addr:10.7.0.103 Bcast:10.7.0.127 Mask:255.255.255.224
inet6 addr: fe80::de08:56ff:fe09:8360/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:688102 errors:0 dropped:0 overruns:0 frame:0
TX packets:391717 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:65241621 (62.2 MiB) TX bytes:77268512 (73.6 MiB)
⚫ What is the gateway of the default route? Is it the correct default route?
Network Troubleshooting Tools
◼Ping another network device from the AP
support@AP-83:60:~$ ssudo ping 10.130.5.50
PING 10.130.5.50 (10.130.5.50): 56 data bytes
64 bytes from 10.130.5.50: seq=0 ttl=62 time=0.818 ms
64 bytes from 10.130.5.50: seq=1 ttl=62 time=0.950 ms
64 bytes from 10.130.5.50: seq=2 ttl=62 time=0.587 ms
[Figure labels: AP managed by the same OV; 0: 2.4GHz; 1: 5GHz; Great signal. Close neighbor.]
⚫ Look for the Stellar APs managed by the same OV or in the same cluster
⚫ If a geographic neighbor:
Is not seen, move it closer or increase its transmission power.
Is seen with a weak power signal (RSSI), move it or increase its transmission power.
RSSI < 20 is considered bad signal
⚫ Roaming issue (client disconnection) if the Neighbor AP is not seen or the signal is too weak
Servers configuration
◼Check the DNS server information
support@AP-83:60:~$ cat /etc/resolv.conf
# Interface wan
nameserver 10.0.0.51
search ale-training.com
◼ 1) Stellar AP mode? OV or CLUSTER?
support@AP-83:60:~$ getmode
CLUSTER
Should be “OV” mode
⚫ If not, modify the option 138 in the DHCP server
OmniAccess Stellar Wireless Lan
Wifi Survey
Lesson summary
Wifi Survey
At the end of this module you will be able to:
• Understand the multiple types of site survey
• Understand and identify the causes of Wifi signal issues
• Troubleshoot based on the site survey result
• Learn how to perform and analyze a passive site survey
with Ekahau mapper
Wifi Site Survey
◼ Goal:
⚫ Analyze Radio Frequency (RF) environment
⚫ Identify Radio Frequency (RF) interferences
⚫ Find optimum locations for Access Points
Offices: Walls, attenuation
Open offices: High density of population
Industry (Factory, Warehouse): Shelves, machine tools
Healthcare (Hospital, Clinic): Walls, RF interferences
Wifi Signal issues - Causes
◼ Access Point placement: bad location (wall, pillar)
Ekahau Site Survey on Windows
[Figure labels: Concrete pillar; Dead zone; Add a new AP; Concrete wall]
Placement of AP in front of obstructing object
Place an AP on both side of the obstructing wall
Wifi Signal issues - Causes
◼ Physical obstruction: Environment (multiple walls, materials).
◼ Signal degrades when going through:
⚫ Concrete (walls)
⚫ Wood (doors)
⚫ Metal (cabinet, shelves,…)
⚫ Steel (building structure)
⚫ Glass & Mirrors
[Figure labels: Distance = 4 meters; 20 meters; Directional antenna; Omnidirectional antenna; Small Area covered; No Area covered]
◼ Access Point placement: RF interference
- Packets loss
- Corrupted data
- Loss of throughput
Adjacent channel Interference / Co-channel Interference
→ Change AP channel
OR
→ Change AP channel
[Figure labels: Obstacles; Access Points]
On-site troubleshooting
◼Step 2 – Site Survey observation
⚫ Identify Access Point model : same as original design?
⚫ Identify RF overlap between Access Points : Co/Adjacent channel interference?
⚫ Identify areas with no radio coverage : Access Point down? No Access Point placed?
⚫ Access Point transmission power: Default or customized value?
⚫ Access Point location: Troublesome placement?
[Figure callouts: Stellar AP1221; 1 As originally planned; Obstructed areas; No coverage; AP missing; 3 Default transmit power (17dBm); 4 Increase for best coverage; 5 Move AP to optimize RF coverage]
On-site troubleshooting
◼Step 3 – Corrective actions
⚫ Change Access Point model : AP with better antenna, outdoor AP,…
⚫ Rework RF wireless design : modify transmit powers, change radio channels,…
⚫ Rework channel width : limit adjacent / co-channel interference
⚫ Remove lower data rates : force devices to use closer APs with better signal strength
⚫ Improve AP placement : improve RF signal delivery
◼Use Case:
⚫ Modify transmit power of an AP
⚫ Add a new Stellar AP
⚫ Move a Stellar AP
OMNIACCESS STELLAR
WIRELESS LAN
TECHNICAL KNOWLEDGE CENTER
LESSON SUMMARY
Upon completion of this module,
you will be able to:
• https://myportal.al-enterprise.com/
TKC - TECHNICAL SUPPORT ACCESS
HOME PAGE
Search
Dates
Filters
HOME PAGE - DOCUMENTATION
Video
Article
SEARCH OPTIONS Article Types:
• Alert: Communication about known issue
• How To / General Information:
Configuration guide, procedure,
explanation
• Solve My Issue : Cases
• Technical Communications: Guidelines
Stellar Categories:
• Network > OmniAccess Stellar
• OmniVista 2500
• UPAM
Published Dates:
• All Dates
• Within last day
• Within last week
• Within last month
• Within last year
USE CASE STRUCTURE
Use Case name
Case Description:
• Topology
• Scenario
• Environment
• Diagnosis
• …
Version build : Stellar, OmniVista
Resolution:
• Configuration
• Hot Fix
• Firmware upgrade
RESEARCH A USE CASE IN TKC
• Issue description
• After replacing the legacy wifi network with a Wireless LAN Stellar solution, some clients
experience disconnections while roaming in the building.
& Search
• Warning: Do you have the access and rights on the equipment (Stellar AP and client)?
OmniAccess Stellar WLAN
Hardware Overview
OmniAccess Stellar Portfolio
Stellar
WLAN Agenda
LAN
Campus Stellar WLAN Portfolio
Mobile
Campus OmniAccess Stellar WLAN Portfolio
WLAN
OmniAccess Stellar Access Points - Overview
[Figure: access point portfolio. Wi-Fi 5: AP1201, AP1201H, AP123x. Wi-Fi 6: AP1301, AP1301H, AP1311, AP132x, AP1331, AP1351, AP136x. Wi-Fi 6E: AP1411, AP1431, AP1451. Category labels on the figure: SMB, MLE, Hosp., Indoor, Rugged Outdoor.]
OmniAccess Stellar AP1230 Series
◼ OAW-AP1231/1232
⚫ High-end AP
⚫ 802.11ac Wave 2 MU-MIMO
⚫ 802.11ac 4x4:4SS VHT160 and Integrated BLE
◼ Tri radio
⚫ First 5GHz radio: 1,733Mbps (with 4SS/VHT80 clients or 2SS/VHT160 clients)
⚫ Second Multiband radio: 1,733Mbps (with 4SS/VHT80 clients or 2SS/VHT160 clients)
⚫ Third 2.4GHz radio: 800Mbps 2.4GHz (4SS/VHT40)
⚫ MU-MIMO
⚫ Integrated BLE radio
⚫ 768 client devices per AP
⚫ 1xGbE + 1x2.5GbE network interfaces, RJ-45 console, USB port, reset button
⚫ 802.3at POE (4pair - 60W) compliant/ 48V DC (function reduced when powered by 802.3at 2 pair source)
⚫ Enterprise temperature range, plenum rated
Operating Temp: 0°C to 45°C
⚫ Built-in antenna (OAW-AP1231)
⚫ External antenna connectors (OAW-AP1232)
[Figure labels: OAW-AP1231; OAW-AP1232; Wi-Fi 5]
OmniAccess Stellar AP1251
◼ OAW-AP1251
⚫ Rugged Outdoor AP
⚫ 802.11ac Wave 2 MU-MIMO
⚫ 802.11ac 2x2:2S
◼ Dual radio
⚫ 5GHz radio: 867 Mbps (with 2SS/VHT160 clients)
⚫ 2.4GHz radio: 400Mbps 2.4GHz (2SS/VHT40)
⚫ MU-MIMO
⚫ 2xGbE network interfaces, micro-USB console, reset button
⚫ 1xGbE uplink
⚫ 1xGbE for connecting downstream device (IoT)
⚫ 802.3af POE compliant/ 48V DC
⚫ IP67/66
⚫ Temperature range -40 to +65 degree C
⚫ Built-in Omni Directional antenna
[Figure labels: OAW-AP1251; Wi-Fi 5]
OmniAccess Stellar AP1301
◼ OAW-AP1301
⚫ Wifi 6 entry level access point
⚫ 802.11ax (Wifi 6) - Indoor AP
◼ Dual radio
⚫ 2.4GHz radio: 573Mbps (2x2:2SS/HE40)
⚫ 5GHz radio: 1.2Gbps (2x2:2SS/HE80)
⚫ 1 full band (radio) dedicated to radio scanning
Improving network security and Wi-Fi quality
⚫ MU-MIMO
⚫ Up to 16 SSID (8 per radio)
⚫ 512 clients per AP
⚫ 2 x 1GE, 1 x RS-232 console, USB2.0
⚫ PoE 802.3af compliant
Full function at 802.3af PoE source
[Figure label: Wi-Fi 6]
Appendix
OmniAccess Stellar WLAN - Accessories
Appendix
Accessories > PoE Injectors & Power Adapters
◼ PoE Injector
◼ The Mounting Kit(s) compatible with each OmniAccess Stellar access point can be found in each
access point’s datasheet:
◼ Some OmniAccess Stellar access points are shipped with a mounting kit. Please refer to the Product Line Matrix
document to learn more
⚫ Access points compatible with external antennas have a reference ending with “2” (ex. AP1322, AP1362)
⚫ The external antenna(s) compatible with each OmniAccess Stellar access point can be found in
each access point’s datasheet:
Note: All OmniAccess Stellar access points are equipped with an internal antenna (omni-directional coverage pattern)
Appendix
Accessories > External Antennas
◼ The External Antennas models and details can also be found in the Product Line Matrix
documentation:
Appendix
Wi-Fi 6
Appendix
Wi-Fi 6 Technology
OMNIACCESS STELLAR WIRELESS LAN
FEATURES UPDATE
LESSON SUMMARY
Upon completion of this module, you will be able to:
OMNIACCESS STELLAR WLAN
SOLUTION
NETWORK MANAGEMENT MODES - OVERVIEW
Move from Express to Enterprise/Cloud when/if needed
WiFi Express
System
◼ Syslog & Syslog over TLS support
◼ NTP Client
◼ Built-in DHCP/DNS/NAT
Radio
◼ Dynamic Frequency Selection
◼ Transmit Power Control
◼ Extensive Country Code list
◼ Channel & Transmission power manual assignment
◼ MESH
◼ Certificate Management
WIFI EXPRESS – RESILIENCY
[Figure labels: Access Switch, Stack]
• Recommendations
• Max Up to 32 APs per OmniSwitch
• Max Up to 64 APs per stack
• Minimum 2xAP1201, AP123X, AP1251, AP13xx or 14xx in each Stack
STELLAR ENTERPRISE MODE
WIFI ENTERPRISE – CENTRAL MANAGED DEPLOYMENT
✓ OmniVista 2500/Cirrus
▪ Unified wired-wireless
▪ Access Management (Guest/BYOD)
▪ Role based policy enforcement
✓ Smart Analytics
✓ Distributed intelligence control
▪ Up to 4000 APs
▪ Scale to support 100K clients per
devices
✓ Advanced wireless features
▪ WLAN topology on a map and heat map
▪ Wireless security (wIDS/wIPS)
WIFI ENTERPRISE – FEATURES LIST
Feature categories: Management, Security, System, Radio
◼ Controller-less Architecture
◼ OmniVista integrated Unified Policy Authentication Manager (UPAM)
◼ Simplified Management of AP Groups
◼ No limit on AP Group Count
◼ Max 4000 APs spread across one or more AP Groups
◼ OmniVista High Availability
◼ Support of NaaS Stellar Access Point
◼ RF Management
◼ wIDS/ wIPS - Rogue Containment/ Attack Detection
◼ Floor Plan/ Heatmap - Planning & deployment tools to simplify deployment while improving QoE
◼ Reports - Uptime, Usage, etc. Reports
◼ MESH Topology
◼ Secure NAC with Unified Access AG 2.0 Integration
◼ Automated deployment with ALE OmniSwitch Integration
◼ Smart Analytics Application Monitoring & Enforcement/ DPI
◼ UPnP/ Bonjour Service Sharing
◼ Stellar AP authentication with 802.1X
◼ Unified Policy Authentication Manager
◼ Employee - Supplicant/ Non-supplicant secure authentication
◼ Guest Access - Self Registration/ Employee sponsored/ Social Login
◼ BYOD
◼ Strategy based Policy Enforcement
◼ Extensive Captive Portal Customization
◼ External Captive Portal support
◼ Syslog and syslog over TLS support
NETWORK FEATURE
IPV6 CLIENT SUPPORT – EXPRESS MODE
Authentication Strategy
• Select the RADIUS server in the Authentication Strategy
• Create a Guest account if the UPAM internal RADIUS server is used
• In the Guest Access Strategy, define the login method (username and password) and Post portal enforcement to restrict Guest traffic
Web redirection « Guest » CP
Guest Access Strategy: Login Method, Post Portal enforcement, self-registration
Optional: Guest account creation in the local DB
Optional: Employee account creation in the local DB
RSSI
RECEIVED SIGNAL STRENGTH INDICATOR (RSSI)
CLI
-> wlanconfig ath01 list
CLIENT LIST
RSSI VALUES
RSSI  dBm    RSSI  dBm    RSSI  dBm
10    -86    21    -75    29    -67
11    -85    22    -74    30    -66
12    -84    23    -73    31    -65
13    -83    24    -72    32    -64
14    -82    25    -71    33    -63
15    -81    26    -70    34    -62
16    -80    27    -69    35    -61
17    -79    28    -68    36    -60
18    -78                 37    -59
19    -77                 38    -58
20    -76                 39    -57
                          40    -56
                          41    -55
                          42    -54
                          43    -53
Legend: Bad; Not recommended for Video or Audio applications; OK – not bad; Desired and recommended
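The table above can be applied directly to the client list returned by the CLI. This is an added example, not part of the ALE material: it reads `wlanconfig ath01 list` style output and converts each client's RSSI to dBm with the offset the table implies (dBm = RSSI - 96, consistent for every row). The column names follow the sample output in the lab's troubleshooting section; the sample text, MAC addresses and the -70 dBm threshold are constructed assumptions.

```python
import re

# Offset derived from the RSSI table: RSSI 10 -> -86 dBm, RSSI 43 -> -53 dBm.
RSSI_OFFSET_DBM = -96
MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def rssi_to_dbm(rssi):
    """Convert the AP's RSSI value to dBm using the table's offset."""
    return rssi + RSSI_OFFSET_DBM


def parse_client_list(text):
    """Parse client rows from 'wlanconfig <if> list' output.

    Only rows that start with a MAC address and follow an 'ADDR ...' header
    are used; the shell prompt and the wrapped continuation rows of the
    output (ACAPS, RXNSS, ...) are ignored.
    """
    header, clients = None, []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "ADDR":
            header = tokens
            continue
        if header is None or not MAC_RE.match(tokens[0]):
            continue
        row = dict(zip(header, tokens))
        try:
            rssi = {k: int(row[k]) for k in ("RSSI", "MINRSSI", "MAXRSSI")}
        except (KeyError, ValueError):
            continue  # malformed row: skip rather than report a wrong value
        clients.append({
            "mac": row["ADDR"].lower(),
            "channel": row.get("CHAN"),
            "rssi": rssi["RSSI"],
            "dbm": rssi_to_dbm(rssi["RSSI"]),
            "min_dbm": rssi_to_dbm(rssi["MINRSSI"]),
            "max_dbm": rssi_to_dbm(rssi["MAXRSSI"]),
        })
    return clients


def below_threshold(clients, threshold_dbm):
    """Return the MACs whose current signal is weaker than threshold_dbm."""
    return [c["mac"] for c in clients if c["dbm"] < threshold_dbm]


# Constructed sample modelled on the lab output; MACs and values are made up.
SAMPLE = """\
support@AP-00:00:~$ wlanconfig ath01 list
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS XCAPS
02:00:00:00:00:01 1 6 72M 72M 63 62 67 0 0 65535 EPSs cORI
02:00:00:00:00:02 2 6 13M 6M 21 18 30 0 0 65535 EPSs cORI
RXNSS TXNSS
1 1
"""

if __name__ == "__main__":
    parsed = parse_client_list(SAMPLE)
    for c in parsed:
        print(f'{c["mac"]} ch{c["channel"]} {c["dbm"]} dBm '
              f'(min {c["min_dbm"]}, max {c["max_dbm"]})')
    # -70 dBm is a hypothetical operator-chosen threshold, not a value from the page.
    print("weak clients:", below_threshold(parsed, -70))
```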
ROAMING GUIDELINES
IDENTIFY THE ROAMING MODE
No overlap (KO): No Radio overlap, no Roaming
Overlap (OK): Radio overlap, Roaming available
NEIGHBOR AP
• Solution:
• On both APs, statically add the neighbor Stellar AP from the list of known APs.
• The client context can be shared through the LAN and the client can roam.
• The Roaming RSSI Threshold controls the signal strength a client needs to see before searching for another site.
• If the RSSI threshold is too low, the client remains on a low signal strength site, even with a stronger site nearby.
• If the RSSI threshold is too high, the client roams too often, which could result in packet loss.
MISCELLANEOUS
• Background scanning
• When a user roams, his real time traffic can be
interrupted if the new AP on which he is
connected is using the background scanning.
• No impact on the voice traffic.
• The AP is voice aware and will deactivate the
background scanning when a voice call is detected.
• Other real-time traffic can be impacted.
• Solution:
• Deactivate the Background scanning on the Stellar
APs
• Install new Stellar APs in the network, acting as
dedicated scanning APs
• Please note that this solution requires
additional Stellar APs in the network
APPENDIX - ADDITIONAL FEATURES
BLE BEACONING
BLE Beaconing ready for the AP1230, AP13XX series and AP1201 with a
built-in BLE
OAW-AP1201
• Stellar APs ready for Asset Tracking Solution
• Asset: people or equipment (wheel chair, medical devices, laptop,…)
OmniAccess Stellar WLAN
AOS OmniSwitches Discovery in the OmniVista 2500 NMS
Objective
✓ Learn how to discover the OmniSwitches in the OmniVista 2500 NMS
Contents
1 Briefing
2 Backbone VLAN
2.1. Backbone VLAN
2.2. Backbone VLAN IP Interfaces
3 SNMP v3
4 Discovering the OmniSwitches on the OmniVista 2500 NMS
5 Debriefing
6 Troubleshooting
6.1. Troubleshooting the Level 2
6.1.1. Checking the cables
6.1.2. Checking the VLAN(s)
6.2. L3 Troubleshooting
6.2.1. Checking the IP Interfaces
6.2.2. Checking the OmniVista 2500 IP Settings
6.2.3. Pinging the Equipment
6.3. Checking the SNMP Configuration
6.4. Discovering the OmniSwitch
1 Briefing
Before using all the features offered by the OmniVista 2500 NMS, the network devices must be discovered
first. In this lab, we are going to discover the 3 OmniSwitches in the OmniVista 2500 NMS. The discovery of
the 2 Access Points will be covered in another lab.
[Figures: current topology; end-of-lab topology]
2 Backbone VLAN
The Backbone VLAN is used to interconnect the network equipment together (OmniSwitches, OmniVista 2500,
DHCP Server). The SNMP traffic is carried over the Backbone VLAN.
Notes
The VLAN 1305 is already assigned to the OmniVista 2500 and the DHCP Server.
Check that the Access OmniSwitches can reach the core OmniSwitch 6860, and can reach
the servers:
OS-6360A
6360A -> ping 10.130.5.20X (OmniSwitch 6860)
6360A -> ping 10.130.5.7 (DHCP Server)
6360A -> ping 10.130.5.5X (OmniVista 2500 NMS)
OS-2360
2360 -> ping 10.130.5.22X (OmniSwitch 6860)
2360 -> ping 10.130.5.7 (DHCP Server)
2360 -> ping 10.130.5.5X (OmniVista 2500 NMS)
3 SNMP v3
The OmniVista 2500 uses the SNMP protocol to discover the network devices and communicate with them.
SNMP versions 1, 2 and 3 are supported.
In this part, we are going to configure an SNMP version 3 profile on each OmniSwitch.
To create the SNMP v3 profile on the OmniSwitches, use the following command:
> Choose Discovery Profiles: select the SNMPv3 profile, click on + to move it to the right
> Click on Create
> Select the three ranges by clicking on the checkboxes on the left
> Click on Discover Now to launch the discovery process, then click on Finish.
At the end of this part, the 3 OmniSwitches are discovered and are now manageable from the OmniVista
2500 NMS:
5 Debriefing
The reset script from the previous lab created the “Backbone” VLAN. This is used to interconnect the
network equipment together (OmniSwitches, OmniVista 2500, DHCP Server). The SNMP settings were also
configured with the reset script. And finally, we have discovered the OmniSwitches in the OmniVista 2500
NMS. These OmniSwitches can now be managed from the OmniVista 2500 GUI.
6 Troubleshooting
In this part, we will cover the process to follow if an OmniSwitch is not discovered in the OmniVista 2500. We
will use the exact same infrastructure as in the lab:
OMNISWITCH
AOS -> show interfaces 1/1/11
Operational Status : up,
Last Time Link Changed : Thu Oct 17 06:13:56 2019,
Number of Status Change: 1,
Type : Ethernet,
SFP/XFP : N/A,
EPP : Disabled,
Link-Quality : N/A,
MAC address : 2c:fa:a2:1b:18:56,
BandWidth (Megabits) : 1000, Duplex : Full,
Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 9216,
Inter Frame Gap(Bytes) : 12,
OMNISWITCH
AOS -> show vlan members port 1/1/11
vlan type status
--------+-----------+---------------
1305 default forwarding
6.2. L3 Troubleshooting
OMNISWITCH
AOS -> show ip interface
Total 6 interfaces
Flags (D=Directly-bound)
A menu is displayed.
Once the equipment IP configuration has been checked, make sure that the OmniSwitch can ping the OmniVista
2500:
OMNISWITCH
AOS -> show aaa authentication
[…]
Service type = Snmp
Authentication = Use Default,
1st authentication server = local
[…]
- On the OmniSwitch, check that the SNMP station and username have been correctly configured:
OMNISWITCH
AOS -> show snmp station
ipAddress/port status protocol user
---------------------------------------------------+---------+--------+-------
10.130.5.50/162 enable v3 snmpuserv3
- On the OmniSwitch, re-enter the SNMP password to make sure that this password and the auth&priv
protocol are the correct ones:
OMNISWITCH
AOS -> user snmpuserv3 read-write all password Superuser=1 sha+des
Objective
✓ Learn how to discover the Stellar Access Points in the OmniVista 2500 NMS
Contents
1 Briefing
2 Configuring the VLANs & IP Interface
2.1. Creating the VLANs
2.1.1. Creating the MANAGEMENT VLAN (VLAN 40)
2.1.2. Verifying the VLAN Creation
2.2. Management VLAN IP Interface
2.2.1. Verifying the IP interface Creation
Stellar Access Points Discovery in the OmniVista 2500 NMS
1 Briefing
The OmniSwitches are now discovered by the OmniVista 2500, and ready to be configured. During this lab, we
will first setup some basic settings (VLAN, IP Interface, PoE…) on the Access OmniSwitches, then we will
launch the discovery process for the Access Points to be discovered in the OmniVista 2500.
[Figures: current topology; end-of-lab topology]
Notes
The VLAN 1305 (BACKBONE) has already been created in a previous lab. It contains all the management
equipment (OV, DHCP Server…).
To create this VLAN on the OmniSwitches, we will use the OmniVista 2500 VLAN Manager feature.
Configure the VLAN on the Access OmniSwitches 6860, 6360 and 2360.
1. Devices Selection
> VLAN Overwrite: ENABLED
> VLAN IDs: 40
> VLAN(s) Description: MANAGEMENT
> Click on the Add/Remove Devices
> click on Add All
> Click on OK
> Click on Next
2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next
5. Review
> Review the information
> Click on Create
Tips
The VLANs can also be created on the OmniSwitches via command lines (CLI). Hence, the VLAN Manager feature
can be very interesting to use if the infrastructure is composed of a lot of OmniSwitches, and the same VLANs
must be created on some (or all) of them.
Notes
No IP interface is configured on the OmniSwitch 6360 and 2360 for the VLAN 40 (they will act as a “level 2”
switch and will redirect all the level 3 traffic to the OmniSwitch 6860).
Enable the interfaces where the Stellar Access Points are connected;
Restart the PoE feature on the OmniSwitches 6360 and 2360 to force the Stellar Access
Points to reboot.
Notes
The DHCP relay feature is not configured on the OmniSwitch 6360 and 2360. These access OmniSwitches will
act as a “level 2” switch and will send the DHCP request to the OmniSwitch 6860, which will relay it to the
DHCP Server.
The OS6860 is pre-configured with the DHCP relay and static route.
Notes
For your information, the CLI commands used to configure these two features are the following:
> ip dhcp relay destination 10.130.5.7
> ip dhcp relay admin-state enable
> ip static-route 0.0.0.0/0 gateway 10.130.5.253
The Access OmniSwitches are now completely configured. In the next part, we will discover the Stellar Access
Points in the OmniVista 2500 NMS.
Warning
DO NOT CHOOSE THE COUNTRY CODE USA, JAPAN OR ISRAEL AS THE STELLAR ACCESS POINTS USED IN THE
REMOTE LAB ARE NOT COMPATIBLE WITH THESE COUNTRY CODES.
OmniVista does not manage individual APs. You must first add APs to AP Groups. The attributes configured
for the AP Group (e.g., Management VLAN, RF Profile) are applied to all APs in the group.
Once the APs are assigned to a group, you configure the APs in OmniVista (e.g., Notification traps,
Resource Manager backups) by applying the configuration to the AP Group.
In OmniVista applications (e.g., Notifications, Resource Manager), rather than presenting the user with
individual APs when applying a configuration (as is done with AOS Devices), OmniVista presents the user
with the option of applying a configuration to AOS Devices and/or AP Groups.
Any configuration applied to an AP Group is applied to all APs in the group.
When an AP initially registers with OmniVista, the AP is placed into a pre-configured “Default” AP Group.
Let’s begin by creating the AP Group:
Tips
As you can see, several settings can be managed in the AP Group properties. Take the time to learn more about
each of them by clicking on the Help button
WARNING
DO NOT ENABLE THE “ L GIN” SETTING
5 Debriefing
During this lab, we have created the Management VLAN, which contains all the management data used by the
Access Points. We have also created a “trash” VLAN, which will contain all the “faulty” devices (not
authenticated, quarantined…). Then, we have enabled the PoE on the OmniSwitches to provide power to the
Access Points, and the IP Helper feature to redirect the APs DHCP requests to the DHCP Server. And finally,
we have discovered the Stellar Access Points in the OmniVista 2500 NMS. These Access Points can now be
managed from the OmniVista 2500 GUI.
6 Troubleshooting
In this part, we will cover the process to follow if the Stellar AP is not discovered in the OmniVista 2500. We
will use the exact same infrastructure as above:
OMNISWITCH
AOS -> show lanpower slot 1/1
Port Maximum(mW) Actual Used(mW) Status Priority On/Off Class Type
----+-----------+---------------+-----------+---------+--------+-------+----------
1 60000 0 Searching Low ON *
2 60000 0 Searching Low ON *
6 60000 6800 Powered On Low ON *
OMNISWITCH
AOS -> show interfaces 1/1/6
Chassis/Slot/Port 1/1/6 :
Operational Status : up,
Last Time Link Changed : Thu Oct 17 13:26:55 2019,
Number of Status Change: 23,
Type : Ethernet,
SFP/XFP : N/A,
EPP : Disabled,
Link-Quality : N/A,
MAC address : 2c:fa:a2:1b:18:58,
OMNISWITCH 6860
AOS -> show vlan members port 1/1/6
vlan type status
--------+-----------+---------------
40 default forwarding
Use the APs console connections on the desktop and do not change the passwords in the AP Group.
- If you can’t access the Stellar AP, but have access to its Serial port:
PC
> Open a serial connection (via software such as Putty, Teraterm…)
> Baud rate: 115200
> Data bits: 8
> Parity: None
> Stop bits: 1
Notes
If at the end of this step, the result of the “getovmode” command is not the IP address of the OmniVista Server
2500:
- Launch a tcpdump trace: cd /tmp, then tcpdump -i br-wan -s0 -w trace.pcap
- Transfer the trace via TFTP on a computer, to open it with Wireshark: tftp -pl trace.pcap 10.130.5.123
- Check that the option 138 or 43 is available in the DHCP Offer sent to the Stellar AP
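The last check in the list above can be scripted instead of read by eye in Wireshark. This is an added example, not part of the ALE lab material: it walks the options field of a DHCP Offer and reports whether option 138 or 43 is present. It assumes the input is the raw UDP payload of the Offer exported from the capture; option 138 is decoded as a list of IPv4 addresses (RFC 5417 layout), option 43 is left as opaque hex, and the sample packets and addresses are constructed.

```python
import socket
import struct

BOOTP_FIXED_LEN = 236                 # fixed BOOTP header preceding the options
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the start of the DHCP options field
OPT_PAD, OPT_END = 0, 255
OPT_VENDOR, OPT_MSG_TYPE, OPT_AC_LIST = 43, 53, 138
DHCPOFFER = 2


def parse_options(payload):
    """Return {option_code: value_bytes} for a BOOTP/DHCP UDP payload."""
    if len(payload) < BOOTP_FIXED_LEN + len(MAGIC_COOKIE):
        raise ValueError("payload too short for a DHCP message")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie not found")
    options = {}
    i = BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:           # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A code that appears more than once is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def check_offer(payload):
    """Summarise what a DHCP Offer gives the AP for management discovery."""
    opts = parse_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE)
    raw138 = opts.get(OPT_AC_LIST, b"")
    usable = len(raw138) - len(raw138) % 4      # ignore a trailing partial address
    return {
        "is_offer": bool(msg_type) and msg_type[0] == DHCPOFFER,
        "yiaddr": socket.inet_ntoa(payload[16:20]),   # address offered to the AP
        "option_138": [socket.inet_ntoa(raw138[n:n + 4]) for n in range(0, usable, 4)],
        "option_43": opts[OPT_VENDOR].hex() if OPT_VENDOR in opts else None,
        "discovery_info_present": OPT_AC_LIST in opts or OPT_VENDOR in opts,
    }


def build_offer(yiaddr, options):
    """Build a constructed DHCP Offer payload (sample input for this example)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                   # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x12345678, 0, 0,             # xid, secs, flags
        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
        bytes.fromhex("020000000001"), b"", b"",      # chaddr, sname, file
    )
    body = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    body += b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


MASK = socket.inet_aton("255.255.255.0")
# Constructed samples using documentation addresses (192.0.2.0/24).
GOOD_OFFER = build_offer("192.0.2.40", [(1, MASK), (138, socket.inet_aton("192.0.2.50"))])
BAD_OFFER = build_offer("192.0.2.41", [(1, MASK), (3, socket.inet_aton("192.0.2.1"))])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("bad", BAD_OFFER)):
        print(name, check_offer(pkt))
```

An Offer that reports `discovery_info_present` as false points at the DHCP server scope rather than at the AP or the switch path.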
OMNISWITCH 6860
AOS(R6/R8) -> show ip interface
Total 6 interfaces
Flags (D=Directly-bound)
◼ SSID
⚫ Wizard driven tool.
⚫ Pre-defined Usage (Guest, Employee, BYOD,…).
⚫ All the configuration is performed from the
wizard.
[Flowchart: Recommended mode. Usages: Guest Network, Enterprise Network for Employees, Protected Network for Employees (BYOD). Decision points (Y/N): Captive Portal?, BYOD?. Authentication outcomes shown: Open or MAC; 802.1X; Pre-Shared Key (PSK); Captive Portal Guest; Captive Portal BYOD; 802.1X followed by Captive Portal BYOD; PSK followed by Captive Portal Guest; PSK followed by Captive Portal BYOD]
⚫ Default VLAN/Network
VLAN assigned to the SSID
Optional - ACL/QoS rules applied to the SSID
⚫ Authentication Strategy
Select the Authentication source in « Advanced
Configuration » (Local Database, External Radius, LDAP/AD)
Optional - Use the links « Manage Guest Accounts » to create
new users in the local database
Optional – Select the RADIUS server used by the SSID
SSID Wizard – Step 2 « Customize SSID »
◼ VLAN options:
⚫ Default VLAN
Single VLAN assigned to the SSID
VLAN 20
⚫ VLAN Pooling
Pool of VLAN assigned to the SSID
Avoid large broadcast domain with a single VLAN
VLAN 20
VLAN 30
VLAN 40
SSID Wizard – Step 2 - Access Role Profile
[Diagram: new user « Employee » mapped to an Access Role Profile (Employee, BYOD) defining QoS, Policy List: Full-Access, Bandwidth: 10Mbit/s max]
SSID Wizard – Step 2 « Customize SSID »
◼ Based on the SSID Usage, optional strategies:
[Chart axes: Level of Trust, Authentication Method]
⚫ Cons: MAC can be spoofed, no traffic encryption
⚫ Pros: Available for basic wireless devices (printers, scanners,…)
◼ WPA/WPA2/WPA3 Personal = Pre-Shared Key (PSK)
⚫ Pros: Easy set up, strong keys can be difficult to hack
⚫ Cons: But all keys can be hacked or stolen (key shared by all users)
◼ WPA/WPA2/WPA3 Enterprise = 802.1X
⚫ Pros: Strongest security, ease of Management, scalability
⚫ Cons: More configuration during initial setup (server, users)
Security – WPA3
◼Wi-Fi Alliance new Security Standard
Appendix
WLAN Service (expert)
Profile and Service List
[Diagram labels: WLAN Service (SSID name; Authentication: Open, Personal, Enterprise); Access Policy; Access Role Profile; AAA Authentication Strategy; 802.1X or MAC; Associate to; Map to VLAN ID; Assign to AP Group; RF Profile; Specific RF Profile]
◼ Both Stellar Express and Enterprise support External Captive Portal with External Captive Portal
and MAC authentication enabled.
CONFIGURATION REQUIRED
Both External Captive Portal and MAC authentication enabled
⚫ If MAC authentication fails : Captive Portal Enforcement
⚫ If MAC authentication succeeds : No Captive Portal enforcement
◼Basic
⚫ Hide SSID
⚫ UAPSD
Unscheduled Automatic Power Save Delivery is a QoS facility
defined in IEEE 802.11e that extends the battery life of mobile
clients
◼Security
⚫ Classification Status
Role assignment if 802.1X/MAC authentication does not return
a role
⚫ Client Isolation
Traffic between clients on the same AP (in the SSID) is blocked
Advanced WLAN Service Configuration
◼ QoS Setting
⚫ Bandwidth Contract
Bandwidth limitation shared for all users, per radio
◼ Broadcast Optimization
⚫ Broadcast Key rotation
Only applicable for Enterprise
A unicast key (PTK) and a group key (GTK) are used to encrypt traffic
Rotate the keys periodically to avoid key cracking
Default period: 15 min – Range 1 min – 24 hours
⚫ Broadcast Optimization
Broadcast Filter All
Drop all broadcast packets except DHCP & ARP.
Broadcast Filter ARP
Convert broadcast ARP to unicast ARP
Recommended if no specific multicast application is used
Advanced WLAN Service Configuration
◼Multicast Optimization
⚫ Enabling Multicast Optimization = Convert
multicast to unicast
Unicast key PTK used
Uses the highest data rate (unicast)
⚫ Four categories
⚫ QOS treatment per category
Uplink 802.1p/DSCP
Downlink 802.1p/DSCP
[Figure labels: DSCP=56, DSCP=46]
◼ Default OV Settings
WMM          802.1p   DSCP (hex)    DSCP (decimal)
Best Effort  0,3      0x00, 0x18    0, 24
Background   1,2      0x08, 0x10    8, 16
Voice        6,7      0x30, 0x38    48, 56
Video        4,5      0x20, 0x28    32, 40
Hotspot 2.0 & WIFI4EU
[Figure: Hotspot 2.0 Network with NAT, DHCP and Firewall]
OmniAccess Stellar Wireless LAN
User Role and Bandwidth Control
Lesson summary
User Role and Bandwidth Control
At the end of this module, you will be able to:
• Understand a user role
• Configure the bandwidth contracts and understand the
precedence system
• Configure the Web Content Filtering
User Role
User Role - Overview
◼ User Role = Policy List
⚫ List of Policy Rules (QoS, ACLs)
⚫ Action can be
Accept/drop
Bandwidth control
Priority, 802.1p, DSCP marking
⚫ Application Policy Rules (DPI)
In Application Visibility, application/application group Policy Rules can be set in a Policy List
⚫ Enforcement is bidirectional
◼ Policy List Assignment
⚫ From RADIUS
⚫ From Access Role Profile (Default Policy List)
◼ Built-in roles
⚫ Redirection (UPAM)
⚫ Unauthorized (Time and Location based policy)
Example of a Policy List in an Access Role Profile:
Policy List: "Policy-Guest"
• Rule: "http-traffic"
✓ Action: Accept
• Rule: "Network-traffic"
✓ Action: Deny
• Rule: "Guest-speed"
✓ Action: 1Mb/s
• Rule: "Guest-priority"
✓ Action: 802.1p=3
User Role - Considerations
◼ Policy List configuration
⚫ From the application Unified Access – Unified Policy
⚫ From the SSID wizard – in Default WLAN Support “ACL/QoS”
◼ AP support
⚫ Full Application Visibility signature kit (~2000 applications)
Creation of Policy List, based on the L7 Application (Google, Facebook, …)
User Context
• Role / Policy List
• Access Role Profile
• SSID
User Traffic is evaluated in this order:
1. Matches a DPI application in the Policy List? Y: Application Specific BW Enforcement as per DPI Rule. N: Other User Traffic goes to the next check.
2. Matches an ACL in the Policy List? Y: ACL Specific BW Enforcement as per Policy List. N: Other User Traffic goes to the next check.
3. Access Role set with BW Control? Y: User BW Enforcement as per Access Role Profile. N: next check.
4. SSID set with BW Control? Y: Shared BW Enforced as per WLAN Service/SSID (All User Traffic). N: No BW Limitation.
Scope of each level:
• User Role / Policy List: Per User & Application BW Control
• Access Role Profile: Per User BW Control
• WLAN Service / SSID: All Users shared BW
Web Content Filtering - WCF
[Diagram labels (steps 3 and 4): FQDN; BRIGHTCLOUD SDK; category ? « Social Network »; Create Block ACL rule to IP of the FQDN]
⚫ DNS -> WCF in Service
Not supported:
• AP1101
• AP1201H
Web Content Filtering - Configuration
◼ WCF Profile creation
⚫ UPAM > Web Content Filtering
◼ Assign WCF profile to Access Role Profile
⚫ Unified Access > Unified Profile > Template > Access Role Profile
⚫ Edit the Access Role Profile
Of the SSID
Or Enforced Post-authentication
OmniAccess Stellar WLAN
Creation of a Secured Employee SSID
Objective
✓ Learn how to create a secured Employee SSID
Contents
1 Briefing
2 Creating the Service VLAN & IP Interface
2.1. Creating the Service VLAN
2.2. Employee IP Interface
3 Creating the Employees SSID
3.1. Creating the EmployeesX SSID
3.2. Creating an Employee Account
3.3. Back to… Creating the EmployeesX SSID
3.4. Assigning the SSID to the AP Group
4 Testing the Employees SSID
4.1. Setting Up the Linux Client to Connect to the EmployeesX SSID
4.2. Verifying the connection
5 Monitoring the Connections
5.1. UPAM Monitoring
5.2. WLAN Menu
5.2.1. Wireless Client List
5.2.2. Client Session
6 Debriefing
7 Troubleshooting
7.1. Troubleshooting the Stellar AP
7.1.1. Checking the wireless configuration
7.1.2. Checking the Wi-Fi Channel
7.1.3. Checking the interface transmission power
7.1.4. Checking the interface bitrate
7.2. Client Information
7.2.1. Listing the client(s) associated with the AP
7.2.2. Checking the access logs of a specific client
7.2.3. Checking the 802.1x Authentication
1 Briefing
Now that all the devices have been discovered in the OmniVista 2500 NMS, let’s create multiple SSIDs
(employee, guest…). In this first lab, we will focus on how to create a secured Employee SSID.
[Figure: current topology]
To create the VLAN 20 on both OmniSwitches, we will use the OmniVista 2500 VLAN Manager feature:
1. Devices Selection
> VLAN Overwrite: ENABLED
> VLAN IDs: 20
> VLAN(s) Description: EMPLOYEES
> Click on the Add/Remove Devices
> Click on Add All
> Click on OK
> Click on Next
2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next
5. Review
> Review the information
> Click on Create
Tips
The VLANs can also be created on the OmniSwitches via command lines (CLI). Hence, the VLAN Manager feature
can be very interesting to use if the infrastructure is composed of several OmniSwitches, and the same VLANs
must be created on some/all of them.
Authentication Strategy
> RADIUS Server: UPAMRadiusServer
> Click on Manage Employee Accounts
Assign the freshly created SSID EmployeesX to the AP Group APGX created in the
previous lab
Now that the SSID EmployeeX has been created, the last step consists in assigning it to one or several AP
Group(s):
Now that we have finished the configuration of the SSID, let’s test it!
StellarClientX Raspberry Pi
Authentication: ProtectedEAP
Check No CA certificate
PEAP version: Automatic
Inner Auth: MSCHAPv2
Click on Connect
The Authentication Record Screen displays authentication information for all devices authenticated
through UPAM:
In the Authentication Record List information, find the Stellar Access Point where your
Client Virtual machine (StellarClientX) is connected.
Another interesting feature that the OmniVista 2500 NMS offers is the ability to locate the AP, Switch
and/or slot/port that is directly connected to a user-specified station: it is the Locator application.
From the Client List page, find on which Stellar Access Point the account Employee is
connected
6 Debriefing
During this lab, you have learned how to create a secured Employee SSID, and an Employee account. You
have also used the OmniVista 2500 features to get more information about the account that are connected to
the Employee SSID.
7 Troubleshooting
In this part, we will cover the process to follow if there is an issue regarding the connection to an Employee
SSID (802.1x). We will use the exact same infrastructure as in the lab:
Use the APs console connections on the desktop and do not change the passwords in the AP Group.
5.5 Gb/s
11 Gb/s
6 Gb/s
9 Gb/s
12 Gb/s
18 Gb/s
24 Gb/s
36 Gb/s
48 Gb/s
54 Gb/s
Current Bit Rate:192 Mb/s
- All the clients associated with a specific interface (ex. ath01 corresponding to the SSID Employees0 in
2.4 Ghz):
support@AP-0E:E0:~$ wlanconfig ath01 list
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS XCAPS
d4:6e:0e:18:60:38 1 6 72M 72M 63 62 67 0 0 65535 EPSs cORI
ACAPS ERP STATE MAXRATE(DOT11) HTCAPS VHTCAPS ASSOCTIME IEs MODE PSMODE
0 f 0 P 0gR 00:03:20 RSN WME IEEE80211_MODE_11NG_HT20
RXNSS TXNSS
0 1 1
Minimum Tx Power : 5
Maximum Tx Power : 18
HT Capability : Yes
VHT Capability : No
MU capable : No
SNR : 63
Operating band : 2.4 GHz
Current Operating class : 0
Supported Rates : 2 4 11 12 18 22 24 36 48 72 96 108
"staGlobalIPv6": "::",
"staLocalIPv6": "::",
"associationTime": 473, Assoc. Time (seconds)
"mappingType": 0,
"assignedVLAN": 20, Wi-Fi Client Assigned VLAN
"assignedAR": "__Employees0", Wi-Fi Client Assigned ARP
"assignedPL": "",
"macAuthResult": "",
"ARFromMACAuth": "",
"PLFromMACAuth": "",
"redirectURLFromMACAuth": "",
"ARFrom8021xAuth": "",
"PLFrom8021xAuth": "",
"redirectURLFrom8021xAuth": "",
"CPAuthResult": "FAILED",
"ARFromCPAuth": "",
"PLFromCPAuth": "",
"ARFromRoaming": "",
"PLFromRoaming": "",
"redirectURLFromRoaming": "",
"classificationMatched": "none"
}
[…]
- Check that the RADIUS configuration and AAA server profile have been correctly retrieved by the Stellar
AP:
support@AP-83:60:~$ cat /var/config/wlanservice.conf
{
"WLANService":[
{
"wlanDeviceConfigType":"SSIDs",
"upstreamBurst":0,
"maxClientsPerBand":64,
"downstreamBandwidth":0,
"multicastOptimization":"enable",
"macAuthPassProfileName":"",
"wepKeyIndex":null,
"broadcastKeyRotation":"disable",
"dscpMappingEnable":"enable",
"clientsNumber":6,
"minBasicDataRate5G":6000,
"dot1pUplinkBestEffort":0,
"bypassStatus":"disable",
"dot1pDownlinkVideo":[
4,
5
],
"minSupportedDataRate24GStatus":"disable",
"downstreamBurst":0,
"a_msdu":"enable",
"e0211gClientSupport":"enable",
"broadcastFilterAll":"disable",
"defaultARPName":"__Employees0",
"dot1pDownlinkBackground":[
1,
2
],
"essid":"Employees0",
[…]
"operationName":null,
"broadcastFilterARP":"disable",
"trustOriginalDSCP":"disable",
"dscpUplinkBackground":8,
"aaaProfile":"Employees0",
"dscpDownlinkBackground":[
8,
16
[...]
"e02d1xAuthServer":{
"secondaryServer":null,
"primaryServer":"UPAMRadiusServer",
"thirdServer":null,
"fourthServer":null
-ANNEXES-
Notes: AAA server and Access Role profiles can be created before setting up WLAN services, but for
this exercise you will create specific profiles through the WLAN Service configuration screen.
Tips: UPAM supports both captive portal and RADIUS server and can be used to implement multiple
authentication methods: MAC, 802.1X and captive portal authentication. User Profiles can be
supported in the OmniVista database or on external servers.
Authentication Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer
Accounting Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer
Notes: In UPAM, there is a system-defined NAS Client Item (All Managed Devices). It cannot be
deleted and is used to indicate that all the devices managed by OmniVista are automatically added
into the NAS Client Database of UPAM and perform the AAA process.
The shared secret in the system-defined “All Managed Devices” NAS profile is “123456”.
- In the Security section, click on the “Default Access Role Profile” field, select “+ Add New” and create
the Access Role Profile Access-role-employeeX.
- Keep the default values for all parameters.
- Click on the Create icon.
- Back to the WLAN Service page, in the Security section, select “Access-role-employeeX” as the Default
Access Role Profile.
- Click on the Create icon.
- Do not change the Mapping method and enter the Vlan number “20” which is the EmployeeX VLAN.
- Click on Apply.
- This is how the AP will map the Employee VLAN (20) to the EmployeeX SSID.
When the SSID uses Enterprise authentication, assign a AAA Server Profile and then create an Authentication
Strategy and Access Policy.
At this step, the AAA Server Profile is already assigned to the SSID. The Authentication policy and Access Policy
must be created.
Notes: Authentication Strategy is used to set up a user profile source and login method (web page
or not) for authentication, as well as the network attributes applied after a successful
authentication.
OV2500 -> UPAM -> Authentication -> Authentication Strategy -> + (Create icon)
- Name the Strategy “User-PODX”, select the Authentication source as “local database”,
“Access-role-employeeX” as the default Access role profile and keep Web Authentication to none:
Notes: Authentication Access Policies are used to define the mapping conditions for an
authentication strategy. Through Access Policy configuration, authentication strategy can be
applied to different user groups, which can be divided by SSID or other attributes.
OV2500 -> UPAM -> Authentication -> Access Policy -> + (Create icon)
- Create the access policy “User-PODX” that will define the previous strategy to apply for employee
authentication connected to SSID “EmployeeX”. The employeeX profile will use 802.1X with the UPAM
internal RADIUS server.
- In the Mapping Condition, select the SSID attribute and EmployeeX. Click on the + button.
- Keep “User-PODX” as the Authentication Strategy and click on Create.
Stellar OmniAccess WLAN
Microsoft Active Directory Authentication
Objective
✓ Learn how to configure Microsoft Active Directory Authentication
Contents
1 Briefing
2 Declaring the Active Directory Server
3 Modifying the Authentication Strategy
4 Testing the AD Authentication
4.1. Verifying the connection
5 Monitoring the Connections
5.1. UPAM Monitoring
6 Debriefing
1 Briefing
In the previous lab, we have learned how to create an Employee SSID, with the UPAM Server (embedded in
the OmniVista 2500) in charge of authenticating the clients.
In this lab, we will learn how to declare the Active Directory in the OmniVista 2500, and we will use it during
the authentication of clients on the SSID Employee.
[Figures: current topology; end-of-lab topology]
Then, log in with the account Employee, already created in the Active Directory database.
Authentication: ProtectedEAP
Check No CA certificate
PEAP version: Automatic
Inner Auth: MSCHAPv2
Click on Connect
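With the client settings used in this lab and in the previous one (PEAP, “No CA certificate”, inner MSCHAPv2), the client does not verify the certificate of the RADIUS server it sends its credentials to. The following is an added example, not part of the ALE courseware: a Python check that audits a client connection profile for that condition. It assumes the Raspberry Pi client stores its Wi-Fi profile as a NetworkManager keyfile; the sample profiles, the CA path and the server name are constructed placeholders.

```python
import configparser

# Constructed sample: a NetworkManager keyfile matching the lab's client
# settings (PEAP, "No CA certificate", inner MSCHAPv2). Not lab output.
LAB_PROFILE = """\
[connection]
id=Employees0
type=wifi

[wifi]
ssid=Employees0

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=Employee
phase2-auth=mschapv2
"""

# Constructed sample: the same profile with server validation enabled.
# The CA path and server name are placeholders, not values from the lab.
HARDENED_PROFILE = LAB_PROFILE + """\
ca-cert=/etc/ssl/certs/PLACEHOLDER-radius-ca.pem
domain-suffix-match=radius.example.invalid
"""

# EAP methods in which the client is expected to authenticate the server
# through its TLS certificate.
SERVER_AUTH_METHODS = {"peap", "ttls", "tls"}
# 802-1x keys that pin the expected server identity.
NAME_CHECK_KEYS = ("domain-suffix-match", "domain-match",
                   "altsubject-matches", "subject-match")


def audit_8021x(keyfile_text):
    """Return (code, message) findings for one connection profile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return []  # not an 802.1X profile, nothing to check
    dot1x = cp["802-1x"]
    methods = {m.strip().lower()
               for m in dot1x.get("eap", "").split(";") if m.strip()}
    if not methods & SERVER_AUTH_METHODS:
        return []
    ssid = cp.get("wifi", "ssid", fallback="<unknown>")
    inner = dot1x.get("phase2-auth", "none")

    has_ca = (bool(dot1x.get("ca-cert", "").strip())
              or bool(dot1x.get("ca-path", "").strip())
              or dot1x.get("system-ca-certs", "false").strip().lower() == "true")
    has_name = any(dot1x.get(key, "").strip() for key in NAME_CHECK_KEYS)

    findings = []
    if not has_ca:
        findings.append((
            "no-ca",
            f"SSID {ssid}: no CA configured, so the RADIUS server certificate "
            f"is not validated before inner auth '{inner}' runs"))
    elif not has_name:
        findings.append((
            "no-server-name",
            f"SSID {ssid}: CA configured but no server name check, so any "
            f"certificate issued by that CA is accepted"))
    return findings


if __name__ == "__main__":
    for label, profile in (("lab", LAB_PROFILE), ("hardened", HARDENED_PROFILE)):
        results = audit_8021x(profile)
        print(label, "->", results if results else "OK")
```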
6 Debriefing
In this lab, we have learned how to declare the Active Directory in the OmniVista 2500. Then, we have
modified the Employee SSID settings in order to use the Active Directory to authenticate the clients which
connect to this SSID.
OmniAccess Stellar WLAN
Creation of a Guest SSID
Objective
✓ Learn how to create a Guests SSID
Contents
1 Briefing
2 Creating the Guest VLAN
2.1. Creating the Service VLAN
2.2. Guest IP Interface
3 Creating the Guests SSID
3.1. Creating the GuestsX SSID
3.2. Creating a Guest Account
3.1. Back to… Creating the GuestsX SSID
3.2. Assigning the SSID to the AP Group
4 Testing the Guests SSID
4.1. Connecting to the “WifiClient” Raspberry Pi
4.2. Setting Up the Wifi Client to Connect to the GuestsX SSID
4.3. Verifying the connection
5 Monitoring the Connections
5.1. Monitoring the UPAM
5.1.1. Viewing the Authentication Record
5.1.2. Checking the Captive Portal Access Record
5.2. WLAN Menu
5.2.1. Wireless Client List
5.2.2. Client Session
1 Briefing
In the previous lab, we learned how to create a secured Employee SSID, dedicated to the company’s
employees. Now, let’s see how to create a Guests SSID, dedicated to the guests.
[Figures: current topology and end-of-lab topology, Stellar POD X (X = POD number), OmniSwitches and APs discovered]
As in the previous lab, “Creation of a Secured Employee SSID”, creating an SSID can be broken down into
several steps:
1. Create the VLAN 30. This VLAN will service the SSID “GuestsX” (X = R-Lab Number). It will be tagged
from the Access Points to the access OmniSwitches (OS2360 and OS6360), and over the link towards
the core OmniSwitch (OS6860).
2. Create the SSID and configure its options.
To create the VLAN 30 on the OmniSwitches, we will use the OmniVista 2500 VLAN Manager feature:
1. Devices Selection
> VLAN Overwrite: ENABLED
> VLAN IDs: 30
> VLAN(s) Description: GUESTS
> Click on the Add/Remove Devices
> Click Add All
> Click on OK
> Click on Next
2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next
5. Review
> Review the information
> Click on Create
Tips
The VLANs can also be created on the OmniSwitches via the command line (CLI). The VLAN Manager feature
is especially useful when the infrastructure is composed of several OmniSwitches and the same VLANs
must be created on some or all of them.
Authentication Strategy
> RADIUS Server: UPAMRadiusServer
> Click on Manage Guest Accounts
Default VLAN/Network
> VLAN ID: 30
> Click on Save and Apply to AP Group
Assign the freshly created SSID GuestsX to the AP Group APGX created in the previous
lab
Now that the SSID GuestsX has been created, assign it to the AP Group(s) APGX:
Now that we have finished the configuration of the SSID, let’s test it!
WifiClientX Raspberry Pi
In the Authentication Record List information, find the Stellar Access Point where your
Client Virtual machine (StellarClientX) is connected.
> Select UPAM > AUTHENTICATION > Captive Portal Access Record
Another interesting feature that the OmniVista 2500 NMS offers is the ability to locate the AP, Switch
and/or slot/port that is directly connected to a user-specified station: it is the Locator application.
From the Client List page, find on which Stellar Access Point the Guest account is
connected
6 Kicking/Banning a Device
Now that we are sure that the StellarClient virtual machine is correctly connected to the Guests SSID, let’s
see how to kick it off the network and blacklist it.
- Try to kick out the StellarClient. Check that you can reconnect to the Guest SSID
- Try to ban/blacklist the StellarClient. Check that it is not possible to reconnect to
the Guests SSID until the StellarClient is removed from the blacklist.
> Select WLAN > CLIENT > Client List > Wireless Client List
> Scroll down to the List of Clients on All APs section
> Select the Client
> Click on Add to Blocklist
> Click OK to confirm
7 Debriefing
During this lab, we have created a VLAN dedicated to the Guests data traffic. Then, we have created the
Guests SSID and configured it to force the Guests to authenticate via a Captive Portal. Finally, we have
monitored the Guest (StellarClient virtual machine) connection, and we’ve seen that it is possible to
kick/ban a device from the OmniVista 2500.
[Figure: lab topology, Stellar POD X (X = POD number), OmniSwitches and APs discovered]
8 Troubleshooting
In this part, we will cover the process to follow if there is an issue regarding the connection to a Guests SSID.
We will use the exact same infrastructure as in the lab:
[Figure: lab topology, Stellar POD X (X = POD number), OmniSwitches and APs discovered]
The Stellar console access is deactivated in Enterprise mode for the application Configuration > CLI
Scripting > Terminal.
To activate the SSH console connection on OV2500, go to Network > AP Registration >AP Group, edit the
AP Group and change the support and root passwords.
Use the APs console connections on the desktop and do not change the passwords in the AP Group.
support@AP-0E:E0:~$ date
Thu Oct 24 09:25:08 2019
- All the clients associated with a specific interface (e.g. ath12, corresponding to the SSID Guests0 in
5 GHz):
support@AP-0E:E0:~$ wlanconfig ath12 list
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS XCAPS
d4:6e:0e:18:60:38 1 44 6M 72M 64 63 67 0 0 65535 Es OI
ACAPS ERP STATE MAXRATE(DOT11) HTCAPS VHTCAPS ASSOCTIME IEs MODE PSMODE
0 b 0 WPS 2gGR 00:10:10 WME IEEE80211_MODE_11AC_VHT40 0
RXNSS TXNSS
1 1
Minimum Tx Power : 5
Maximum Tx Power : 18
HT Capability : Yes
VHT Capability : Yes
MU capable : No
SNR : 64
Operating band : 5GHz
Current Operating class : 0
Supported Rates : 12 18 24 36 48 72 96 108
support@AP-83:60:~$ eag_cli show user all //or// eag_cli show user list
user num : 1
ID UserName UserIP UserMAC SessionTime
1 Guest 10.7.0.69 D4:6E:0E:18:60:38 0:16:18
OutputFlow InputFlow AuthType ESSID
3091809 659705 PORTAL Guests0
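The two outputs above can be cross-checked: a station that is associated to the guest interface but has no captive portal session has not authenticated yet (or is failing portal authentication). The following is an added example, not part of the ALE courseware: a Python script that reconciles the `wlanconfig <interface> list` output with the `eag_cli show user all` output. The sample outputs are constructed, and assume one line per station or user with the column order shown above; the second station is fictitious.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample of `wlanconfig ath12 list` (leading columns only).
WLANCONFIG_OUT = """\
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS
d4:6e:0e:18:60:38 1 44 6M 72M 64 63 67 0 0 65535 Es
02:00:00:aa:bb:01 2 44 24M 54M 41 38 45 12 0 65535 Es
"""

# Constructed sample of `eag_cli show user all`, one line per user.
EAG_OUT = """\
user num : 1
ID UserName UserIP UserMAC SessionTime OutputFlow InputFlow AuthType ESSID
1 Guest 10.7.0.69 D4:6E:0E:18:60:38 0:16:18 3091809 659705 PORTAL Guests0
"""


def parse_stations(wlanconfig_text):
    """Map station MAC -> {'chan', 'rssi'} from a wlanconfig station list."""
    stations, header = {}, None
    for line in wlanconfig_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "ADDR":
            header = tokens
            continue
        if header and len(tokens) >= 8 and MAC_RE.match(tokens[0]):
            # Only the leading columns are always populated; later ones
            # (CAPS, XCAPS, ...) can be empty, so stop at MAXRSSI.
            row = dict(zip(header[:8], tokens[:8]))
            stations[row["ADDR"].lower()] = {
                "chan": int(row["CHAN"]), "rssi": int(row["RSSI"])}
    return stations


def parse_portal_sessions(eag_text):
    """Map user MAC -> session details from the eag_cli user list."""
    sessions = {}
    for line in eag_text.splitlines():
        tokens = line.split()
        if len(tokens) < 9 or not tokens[0].isdigit():
            continue  # header, counter line or truncated row
        mac_idx = next((i for i, t in enumerate(tokens) if MAC_RE.match(t)), None)
        if mac_idx is None or mac_idx < 3 or len(tokens) - mac_idx < 6:
            continue
        sessions[tokens[mac_idx].lower()] = {
            "user": " ".join(tokens[1:mac_idx - 1]),
            "ip": tokens[mac_idx - 1],
            "auth_type": tokens[mac_idx + 4],
            "essid": " ".join(tokens[mac_idx + 5:]),
        }
    return sessions


def reconcile(wlanconfig_text, eag_text, essid):
    """Compare associated stations with portal-authenticated sessions."""
    stations = parse_stations(wlanconfig_text)
    sessions = {mac: s for mac, s in parse_portal_sessions(eag_text).items()
                if s["essid"] == essid and s["auth_type"] == "PORTAL"}
    return {
        # (MAC, RSSI, dBm); dBm = RSSI - 96, the conversion rule given
        # in the RF settings lab of this guide.
        "associated_no_session": sorted(
            (mac, st["rssi"], st["rssi"] - 96)
            for mac, st in stations.items() if mac not in sessions),
        # Sessions whose station is not associated to this interface.
        "session_not_associated": sorted(
            mac for mac in sessions if mac not in stations),
    }


if __name__ == "__main__":
    report = reconcile(WLANCONFIG_OUT, EAG_OUT, "Guests0")
    for mac, rssi, dbm in report["associated_no_session"]:
        print(f"{mac} associated (RSSI {rssi}, {dbm} dBm) without portal session")
    for mac in report["session_not_associated"]:
        print(f"{mac} has a portal session but is not associated here")
```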
-ANNEXES-
Create a policy which will regroup the forbidden services: telnet, SSH
Let’s begin with the creation of the Policy. In this Policy, we will deny the telnet and SSH protocols:
1. Config
> Name: DeniedServ
> Click on Next
2. Device Selection
> Click on both ADD buttons to apply the policy on the network device OS6860E and AP Group APGX.
Note: OS2360 and OS6360 are not supported.
> Click on Next
3. Set Condition
> Select L4 Services
> Select Group
> Service Group: click on
Service Group
> Group Name: DeniedSrv
Services
> Click on
> Service Name: telnet
> Destination Port: select TELNET (23)
> Click on Create
> Click on Finish
Services
> Click on
> Service Name: SSH
> Protocol: TCP
> Destination Port: select
> Name: SSH
> Port Number: 22
> Click on Create
> Click on Finish
Service Group
> Select Services: Click on to add all the services
> Click on Create
3. Set Condition
> Service Group: DeniedSrv
> Click on Next
4. Set Action
> Click on QOS
> Disposition: DROP
> Click on Next
5. Validity Period
> Validity Periods: AllTheTime
> Click on Next
6. Review
> Review the information, then click on Create
> Click on OK
At the end of this step, a Policy has been created. This Policy contains the services that will be denied to
the users once they are authenticated. Creating a list of authorized services is not necessary, as one
“AcceptAllPolicy” is created by default (we will use it in the next part).
> In the drop-down list at the bottom of the area (“Device-Default”), select OV-L3-AcceptAllPolicy
> Click on Next
2. Device Selection
> Click on ADD, then add the devices OS6860E and the AP Group APGX
> Click on Create, then OK
9.4. Pushing the Policy List & Policies on the Network Devices
Once the Policies and the Policy List have been created, they must be pushed to the network devices:
We have also pushed them on the network devices (OmniSwitch 6860E and Stellar APs contained in the
AP Group APGX).
WIRELESS CLIENT VM
> Use Teraterm or CMD
> Choose Telnet > 10.7.X.62 (X = R-Lab Number)
> Choose SSH > 10.7.X.62 (X = R-Lab Number)
Warning
BEFORE PERFORMING THE TEST, BE SURE TO DISCONNECT AND RECONNECT THE VIRTUAL MACHINE FROM THE
NETWORK TO FORCE THE RE AUTHENTICATION AS THE POLICY IS APPLIED ONCE THE CLIENT AUTHENTICATION IS
SUCCESSFUL.
Stellar OmniAccess WLAN
Web Content Filtering
Objective
✓ Learn how to configure the Web Content Filtering
Contents
1 Briefing
2 Activate Web Content Filtering
3 Configure Web Content Filtering
3.1. WCF operational status
3.2. WCF Profile creation
3.3. Assign WCF Profile to Access Role Profile
4 Test and validation
4.1. Connect to the GuestsX SSID
4.2. Verifying the connection > On the WLAN Client
4.3. Verify the Web Content Filtering
5 Debriefing
6 Troubleshooting
1 Briefing
Now that the Stellar solution is broadcasting the EmployeesX and GuestsX SSID, the company wants to filter
the guest traffic from specific websites.
In this example, “Social Network” and “Gambling” traffic will be rejected, whereas all the other internet
traffic will be accepted on the GuestsX SSID.
The WCF feature will be implemented on the network and will be then tested.
Web Content Filtering can either be activated per AP Group or per Access Point.
It will be activated per AP Group in this lab but look at the tip to know how to activate
it per Access Point.
We will activate the WCF feature for the AP Group APGX – attached to all our Access Points.
As the WCF is now active for all the Access Points in our AP Group APGX, we will configure it. We will create
a profile, select the categories of web traffic to be rejected and assign this profile to our users.
> Select UPAM > Web Content Filtering > WCF Profile
In this lab, we will create a profile that will reject all the traffic categorized as “Social Networking”
(Facebook, Twitter, LinkedIn, …) and “Gambling” (Unibet, bet365, …).
All the traffic that does not belong to one of these categories will be accepted.
> Select UPAM > WEB CONTENT FILTERING > WCF Profile
> Click on
> Name: WCF-guests
> Category: Social Networking
> Action: Reject
> Click on to add this rule
By default, all the traffic is accepted. It means that only the traffic from these two
categories is rejected.
The WCF profile is assigned to one – or multiple – Access Role Profile. All the users
assigned to this Access Role Profile can have their web traffic filtered.
For our Guests SSID, the users are attached to the Access Role Profile “__GuestsX”. The WCF profile will
therefore be attached to this Access Role Profile.
As we have modified the Access Role Profile, we must apply it to the AP Group.
Otherwise, the modification is just changed locally on the OmniVista server and not pushed to the Access
Points.
> Select __GuestsX and click on the button Apply to Devices (in the Access Role Profile window)
> In the Mapping Method, select Map to VLAN
> In the VLAN(s), select “30” (the Guests VLAN)
> Click on ADD in front of “0 AP Groups”
> Move the AP Group APGX to the column on the right and click on OK
> Click on Apply
> Review the success logs, click on OK and then on Close
The WCF profile is assigned to the Access Role Profile __GuestsX, which is then applied
to the AP Groups. All the Guests authenticated are assigned to this Access Role Profile
and will have their Social Network and Gambling web traffic filtered.
We will use the StellarClient, connect to the GuestsX SSID and use our Guest credentials.
We will then generate web traffic for different websites (Google, Facebook, bet365, …) and observe the
behavior of the traffic.
WifiClientX Raspberry Pi
Click on Connect
5 Debriefing
At the end of this lab, the Guest’s web traffic for the Social Network and Gambling categories is rejected.
These rules, rejecting this traffic, are applied to all the users belonging to the Access Role Profile __GuestsX.
6 Troubleshooting
The Web Content Filtering feature requires the DNS configuration on the OmniVista server.
If the DNS configuration is missing in the OmniVista 2500, the status of the WCF feature will be “Not in
service” and the OmniVista won’t be able to join the Brightcloud API.
Check that the DNS servers are configured on the OmniVista server.
Objective
✓ Learn how to create an SSID dedicated for Employees with personal
devices (BYOD: Bring Your Own Device)
Contents
1 Briefing
2 Creating the BYOD SSID
2.1. Creating the BYODX SSID
2.2. Back to… Creating the BYODX SSID
2.3. Assigning the SSID to the AP Group
3 Testing the BYOD SSID
3.1. Setting Up the Linux Client to Connect to the BYODX SSID
3.2. Verifying the connection > After the Web Authentication
4 Monitoring the Connections
4.1. UPAM Monitoring
4.1.1. Authentication Record
4.1.2. Captive Portal Access Record
5 Debriefing
6 Troubleshooting
6.1. Troubleshooting the Stellar AP
6.1.1. Checking the DNS configuration
6.1.2. Checking the wireless configuration
6.1.3. Checking the Wi-Fi Channel
Creation of an Employee SSID for BYOD
1 Briefing
In the previous Labs, we have learned how to create a secured Employees SSID and a Guests SSID. Now, let’s
see how to create an Employees BYOD SSID, dedicated for the employees who want to bring and use their
personal device within the company network.
[Figures: current topology and end-of-lab topology, Stellar POD X (X = POD number), OmniSwitches and APs discovered]
Assign the freshly created SSID BYODX to the AP Group APGX created in the previous lab
Now that the SSID BYODX has been created, assign it to one or several AP Group(s):
Now that we have finished the configuration of the SSID, let’s test it!
StellarClientX Raspberry Pi
Open a browser
Another interesting feature that the OmniVista 2500 NMS offers is the ability to locate the AP, Switch
and/or slot/port that is directly connected to a user-specified station: it is the Locator application.
5 Debriefing
In this Lab, we have learned how to create an Employee SSID, dedicated for the employees who want to use
their personal device within the company network (BYOD, Bring Your Own Device).
[Figure: lab topology, Stellar POD X (X = POD number), OmniSwitches and APs discovered]
6 Troubleshooting
In this part, we will cover the process to follow if there is an issue regarding the connection to a BYOD SSID.
We will use the exact same infrastructure as in the lab:
[Figure: lab topology, Stellar POD X (X = POD number), OmniSwitches and APs discovered]
- All the clients associated with a specific interface (e.g. ath03, corresponding to the SSID BYOD0 in
2.4 GHz):
support@AP-0E:E0:~$ wlanconfig ath03 list
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS XCAPS
d4:6e:0e:18:60:38 1 6 72M 86M 63 60 64 0 0 65535 ESs cORI
ACAPS ERP STATE MAXRATE(DOT11) HTCAPS VHTCAPS ASSOCTIME IEs MODE PSMODE
0 f 0 P 0gR 00:07:01 WME IEEE80211_MODE_11NG_HT20 0
RXNSS TXNSS
1 1
Minimum Tx Power : 5
Maximum Tx Power : 18
HT Capability : Yes
VHT Capability : No
MU capable : No
SNR : 63
Operating band : 2.4 GHz
Current Operating class : 0
Supported Rates : 2 4 11 12 18 22 24 36 48 72 96 108.
Objective
✓ Learn how to configure the RF (Radio Frequency) Settings
Contents
1 Briefing
2 Creating an RF Profile
2.1. General Settings
2.2. Smart Load Balance
2.2.1. Band Steering
2.2.2. Exclude MAC OUI
2.2.3. Force 5 GHz
2.2.4. Association RSSI Threshold
2.2.5. Roaming RSSI Threshold
2.3. Per Band Info
2.3.1. Default Setting
2.3.2. Band
2.3.3. Channel Setting
2.3.4. Client-aware
2.3.5. Channel DRM
2.3.6. Channel List
2.3.7. Channel Width
2.3.8. Power Setting
2.3.9. Minimum and Maximum TX Power
2.3.10. External Antenna Gain
2.3.11. Beacon interval
2.3.12. Short Guard Interval
2.3.13. MU-MIMO
2.3.14. High Efficiency
Radio Frequency Settings Configuration
1 Briefing
In the OmniVista 2500, and for Stellar Access Points, the Radio Frequency settings management is done via
“RF Profiles”. A RF Profile contains all the radio frequency settings. Once created, it must be assigned to an
AP or AP Group.
2 Creating an RF Profile
It can also cause problems. For example, a 5 GHz-capable device is automatically redirected to the 5 GHz band
by the band steering feature, even if the 5 GHz signal is low.
Solution:
- Design your networks for simultaneous 5 GHz and 2.4 GHz coverage.
- For existing deployments where this may not be feasible, and your coverage is quite different on both bands,
avoid using band steering or use the Exclude MAC OUI feature explained below.
- Find the RSSI value of your StellarClient virtual machine (we will consider in the lab
that this RSSI value is too low to connect to the SSIDs created previously)
- Modify the Association RSSI Threshold to make StellarClient RSSI too low to connect
the SSIDs created previously
> Before doing this, be sure that the StellarClientX virtual machine is connected to one of the SSIDs
created in the previous labs!
- Now, we are going to assume that the StellarClient signal strength (ex. -18 dBm) must be considered
too weak to connect to the AP. To do so, we will set the Association RSSI Threshold to a value greater
than the client RSSI value:
Notes > RSSI vs dBm
dBm and RSSI are different units of measurement that both represent the same thing: signal strength. The
difference is that RSSI is a relative index, while dBm is an absolute number representing power levels in mW
(milliwatts).
For this exercise, we need to translate the client signal strength from dBm to RSSI. To do so, please refer to
the following table (to convert the RSSI value to dBm you just need to subtract 96 from the RSSI value):
Notes
We will test this feature in the next section, as the RF Profile must be first applied to the desired AP or AP
Group.
2.3.2. Band
Configures the working radio for the AP.
2.3.4. Client-aware
When enabled, the Auto Channel Selection does not change channels for Stellar APs with connected client.
When disabled, the Stellar AP may change to a more optimal channel but may disrupt connected clients.
2.3.13. MU-MIMO
Enables/Disables the Multi-User, Multiple-Input, Multiple-Output feature. If enabled, the AP can communicate
with multiple users simultaneously. It decreases the time each device has to wait for a signal and speeds
up the network.
Notes
Note that it is also possible to assign an RF Profile to a specific AP (instead of an AP Group). To do so, go to the
NETWORK > AP REGISTRATION > Access Points menu.
Tips
The RF Profile can also be created directly from the AP/AP Group, in the Edit mode, by clicking on Add New:
Now that the RF Profile My_RF_Profile is applied to the APGX Group, try to connect to
one SSID from the StellarClient virtual machine.
4 Debriefing
During this lab, we have learned that the OmniVista 2500 provides an easy way to manage the Stellar Access
Points radio frequency settings.
We have also learned that a lot of settings are available and can be enabled or disabled depending on the
infrastructure deployed.
5 Troubleshooting
In this part, we will cover the process to follow if there is an issue regarding the RF Profile and RF Profile
settings assignment. We will use the exact same infrastructure as in the lab:
"bandSteering":"disable",
"bandSteeringForce5g":"disable",
"LoadBalance":"disable",
"backgroundScanning":"enable",
"scanningEnhance":"disable",
"countryCode":"FR",
"scanningInterval":20,
"scanningDuration":50,
"voiceVedioAwareness":"enable",
"airtimeFairnessAt2G":"disable",
"airtimeFairnessAt5G":"disable",
"perBandInfo":{
"2.4G":{
"band":"enable",
"channelSetting":"AUTO",
"channelWidth":20,
"autoChannelWidth":"enable",
"powerSetting":"AUTO",
"shortGuardInterval":"enable",
"signalStrengthThreshold":90,
"roamingSignalStrengthThreshold":0,
"powerValMax":"0",
"powerValMin":"0",
"radioMode":"normal",
"scanDuration":"normal",
"Gain":"3",
"clientAwareness":"disable"
},
"5G_high":{
"band":"enable",
"channelSetting":"AUTO",
"channelWidth":20,
"autoChannelWidth":"enable",
"globalChannelWidth":20,
"powerSetting":"AUTO",
"shortGuardInterval":"enable",
"signalStrengthThreshold":90,
"roamingSignalStrengthThreshold":0,
"powerValMax":"0",
"powerValMin":"0",
"radioMode":"normal",
"scanDuration":"normal",
"Gain":"4",
"clientAwareness":"disable"
},
"5G_low":{
"band":"enable",
"channelSetting":"AUTO",
"channelWidth":20,
"autoChannelWidth":"enable",
"globalChannelWidth":20,
"powerSetting":"AUTO",
"shortGuardInterval":"enable",
"signalStrengthThreshold":90,
"roamingSignalStrengthThreshold":0,
"powerValMax":"0",
"powerValMin":"0",
"radioMode":"normal",
"scanDuration":"normal",
"Gain":"4",
"clientAwareness":"disable"
},
"5G_all":{
"band":"enable",
"channelSetting":"AUTO",
"channelWidth":40,
"autoChannelWidth":"enable",
"globalChannelWidth":20,
"powerSetting":"AUTO",
"shortGuardInterval":"enable",
"signalStrengthThreshold":90,
"roamingSignalStrengthThreshold":0,
"powerValMax":"0",
"powerValMin":"0",
"radioMode":"normal",
"scanDuration":"normal",
"Gain":"4",
"chainmask":15,
"clientAwareness":"disable"
}
},
"scanRadioInfo":{
"radioMode":"normal",
"scanDuration":"normal"
[…]
ACAPS ERP STATE MAXRATE(DOT11) HTCAPS VHTCAPS ASSOCTIME IEs MODE PSMODE
0 b 0 WPS 2gGR 00:10:10 WME IEEE80211_MODE_11AC_VHT40 0
RXNSS TXNSS
1 1
[…]
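The check this troubleshooting part leads to, as an added example (not ALE code): it reads an AP configuration dump shaped like the one above, converts between dBm and RSSI with the 96 offset from the lab, and reports per band whether the expected Association RSSI Threshold is present and whether a given client would be admitted. The sample JSON is constructed, and reading signalStrengthThreshold as the Association RSSI Threshold (with admission when client RSSI >= threshold) is an assumption.

```python
import json

RSSI_OFFSET = 96  # lab note: dBm = RSSI - 96


def dbm_to_rssi(dbm):
    """Translate an absolute dBm reading into the relative RSSI index."""
    return dbm + RSSI_OFFSET


def rssi_to_dbm(rssi):
    """Translate an RSSI index back into dBm."""
    return rssi - RSSI_OFFSET


# Constructed sample: only the key names are taken from the dump in the lab.
# 5G_high is switched off, 5G_low still carries 0, 5G_all lacks the key.
SAMPLE_AP_CONFIG = """
{
  "countryCode": "FR",
  "perBandInfo": {
    "2.4G":    {"band": "enable",  "signalStrengthThreshold": 90,
                "roamingSignalStrengthThreshold": 0},
    "5G_high": {"band": "disable", "signalStrengthThreshold": 90,
                "roamingSignalStrengthThreshold": 0},
    "5G_low":  {"band": "enable",  "signalStrengthThreshold": 0,
                "roamingSignalStrengthThreshold": 0},
    "5G_all":  {"band": "enable",  "roamingSignalStrengthThreshold": 0}
  }
}
"""


def audit_association_threshold(config_text, expected_rssi, client_dbm):
    """Compare each enabled band against the threshold set in the RF Profile.

    Assumption: signalStrengthThreshold is the Association RSSI Threshold,
    expressed as an RSSI index, and a client is admitted when its RSSI is
    greater than or equal to it.
    """
    config = json.loads(config_text)
    client_rssi = dbm_to_rssi(client_dbm)
    report = {}
    for band, settings in config.get("perBandInfo", {}).items():
        if settings.get("band") != "enable":
            report[band] = {"status": "radio-disabled"}
            continue
        threshold = settings.get("signalStrengthThreshold")
        # Absent or non-integer values cannot be compared: flag them.
        if isinstance(threshold, bool) or not isinstance(threshold, int):
            report[band] = {"status": "threshold-missing"}
            continue
        status = "ok" if threshold == expected_rssi else "profile-mismatch"
        report[band] = {
            "status": status,
            "threshold_rssi": threshold,
            "threshold_dbm": rssi_to_dbm(threshold),
            "client_admitted": client_rssi >= threshold,
        }
    return report


def bands_needing_attention(report):
    """Bands where the RF Profile value did not arrive as expected."""
    bad = ("profile-mismatch", "threshold-missing")
    return sorted(b for b, row in report.items() if row["status"] in bad)


if __name__ == "__main__":
    # Lab values: threshold 90 in the RF Profile, client measured at -18 dBm.
    result = audit_association_threshold(SAMPLE_AP_CONFIG, 90, -18)
    for band, row in result.items():
        print(band, row)
    print("check RF Profile assignment for:", bands_needing_attention(result))
```

A band reported as profile-mismatch or threshold-missing is where to look first when a client that should be refused still connects.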
Objectives
Remote Access Point (RAP)
At the end of this presentation, you will be able
to:
• Identify the role and advantages of the RAP
feature
• List the equipment required for the
deployment of the RAP feature
• Summarize the steps to configure the RAP
feature
Introduction
◼ RAP = Remote Access Point
◼ Goal:
⚫ Extend the corporate network to remote site(s)
◼ Use Cases
⚫ Shops > Access to the corporate network to check the inventory
⚫ Booth > Events (forum, exhibition…)
[Diagram labels: CORPORATE SSID, STELLAR AP (RAP), USER ROUTER, INTERNET, FIREWALL, CORPORATE NETWORK]
[Diagrams: Premium cloud and Freemium cloud deployments. Labels: OMNIVISTA CIRRUS, CLOUD, INTERNET, ALE VPN SERVER, CORPORATE NETWORK, COMPANY HQ, VPN TUNNEL, STELLAR AP (RAP), BRANCH/HOME OFFICE, EMPLOYEE, CORPORATE SSID]
PREMIUM
[PRE] – Settings to be Entered by the Administrator
1 – Stellar Access Point Startup & Registration
2 – Configuration Settings Retrieval
3 – VPN Tunnel (Client Traffic) Establishment
4 – Client Connection
FREEMIUM
[PRE] – Settings to be Entered by the Administrator
1 – Stellar Access Point Startup & Registration
2 – VPN & OmniVista 2500 Settings Retrieval
3 – VPN Tunnel (Management Traffic) Establishment
4 – Configuration Settings Retrieval
5 – VPN Tunnel (Clients Traffic) & Client Connection
Use Case > RAP & Remote Working
[Diagram labels: EMPLOYEES SSID, CORPORATE NETWORK, INTERNET, EMPLOYEES VLAN, LAB VLAN]
VLAN tagging
Local Breakout
Configuration Steps
Configuration Steps – OmniVista Cirrus (Premium Account)
> Connecting the Remote AP
Configuration Steps – OmniVista Cirrus (Freemium Account) & OmniVista 2500
OMNIACCESS STELLAR
WIRELESS LAN
WIFI BRIDGE & WIFI MESH
LESSON SUMMARY
Upon completion of this module,
you will be able to:
WIFI BRIDGE - PROPERTIES
• VLANs can be used to separate & secure traffic over the bridge*
• Cannot provide service (WiFi) to WiFi clients
* AP1101, AP1201 & AP1201H are not compatible with VLAN tagging over a bridge.
WIFI MESH - PROPERTIES
• VLANs can be used to separate & secure traffic coming from Wi-Fi clients connected on different SSID.
• Can provide service (WiFi) to WiFi clients
WIFI BRIDGE - ATTRIBUTES
• SSID
• WLAN used to setup wireless bridge connection
• Must be the same on both APs
• Band
• Wireless bridge working frequency
• Must be the same on both APs
• Is Root
• Specify the root AP of the wireless bridge
• 1 AP must be defined as Root
• Passphrase
• Password of the WLAN
• Must be the same on both APs
[Diagram: WIFI BRIDGE between two APs]
AP 1 > SSID: STELLAR-BRIDGE, BAND: 5 GHZ, IS ROOT: YES, PASSPHRASE: ALCATEL123!
AP 2 > SSID: STELLAR-BRIDGE, BAND: 5 GHZ, IS ROOT: NO, PASSPHRASE: ALCATEL123!
• Band
• Wireless Mesh working frequency
• Must be the same on both APs
OMNIACCESS STELLAR
WIRELESS LAN
PROACTIVE LIFECYCLE MANAGEMENT
LESSON SUMMARY
Upon completion of this module,
you will be able to:
• Do you know what LAN switches/WLAN controllers, WLAN APs are running on networks?
• Do you know LAN/WLAN equipment partners have in stock?
• Is it time for a end-customer network refresh?
• Does it take you too long to know when support expires on each equipment?
• Does the vendor still support equipment (HW/SW support)?
• Can you afford, with technical experts, to manually complete an inventory of equipment?
KEY BENEFITS
• Ease of management
• Full inventory view of ALE Wi-Fi and LAN
products
PALM – FIRST STEPS
• Fill in the:
• Support model, type, duration
OmniAccess Stellar Wireless LAN
OmniVista Cirrus
Lesson Summary
OmniVista Cirrus
At the end of this module, you will be able to:
• Understand the OmniVista Cirrus subscription and
licensing model
• Register a network device on OmniVista Cirrus
Overview
OmniVista Cirrus?
◼ Cloud based OmniVista NMS
[Diagram labels: OmniVista® Cirrus instances in Cloud, OmniAccess® Stellar, LAN Core OS6900]
Subscription Model
Freemium / Premium
Premium
Restarting Activation Process
◼ Freemium or Premium account created
Device
Software | Product
AOS 8.4.1.R03 + | OS6560, OS6860, OS6860E, OS6865, OS6900
AOS 6.7.2.R03 + | OS6350, OS6450
AOS 5.1R1 + | OS2260, OS2360
OmniVista Cirrus > Stellar AP Device Registration
Restarting Activation Process & Device Registration Completion
Managed devices > Registered
OmniAccess Stellar WLAN
Backup, Restore & Upgrade
Objective
✓ Backup & Restore and Upgrade the Network Devices
Contents
1 Briefing
2 Saving the Current Configuration
2.1. From the Notification Area
3 Backing Up the Devices Configuration
3.1.1. Backing Up AOS OmniSwitches
3.1.2. Backing Up Stellar APs Devices
1 Briefing
At this stage of the training, we have a fully operational infrastructure with the devices deployed, SSID
broadcasted, and QoS & ACLs setup. In this lab, we will learn how to backup and restore the devices
configuration.
[Figures: current topology; end-of-lab topology]
Save all the management done during this training as Running configuration
> Click on the bell icon in the top right-hand corner
> Click on the floppy icon Save All
> Click on OK to confirm
Check that the operation has been successfully completed. Then click on Finish
1. Backup Method
> Select Backup By Devices
> Click on Next
2. Device Selection
> Click on ADD > Use Switch Picker
> Click on Add All to add all the OmniSwitches
> Click on OK
> Click on Add FTP Authentication
> Username: admin
> Password: switch
> Check Apply FTP Authentication for all missed devices
> Click on Apply
> Click on Close
> Click on Next
3. Configuration
> Backup Type: Configuration Only
> Click on Next
4. Review
> Review the information, then click on Backup to launch the backup process
Check that the 3 lines “SUCCESS” appear in the Result screen. Click on OK.
1. Backup Method
> Select Backup By AP Groups
> Click on Next
2. AP Group Selection
> Click on ADD
> Select the APGX (X = R-Lab Number), then click on Add >
> Click on OK
3. Configuration
> Backup Type: Configuration Only
> Click on Next
4. Review
> Review the information, then click on Backup to launch the backup process
Check that the 2 lines “SUCCESS” appear in the Result screen. Click on OK.
4.1.1. Briefing
In this part, we are going to:
- Create VLANs 70 to 80 on the OmniSwitch OS6860
- Restore the backup
- Check that the VLANs 70 to 80 have been removed
1. Devices Selection
> VLAN IDs: 70-80
> VLAN(s) Description: TEMP-VLANS
> Click on the Add/Remove Devices
> Select and add the OS6860
> Click on OK
> Click on Next
2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next
5. Review
> Review the information
> Click on Create
Tips
You can check that the VLANs have been created by connecting on the OS6860 CLI console, or via the CLI
Scripting.
1. File Selection
> Click on OmniSwitch 6860
Check that the restore is successful in the Result page, then click OK
As you may have guessed, the configuration files are transferred to the WORKING and CERTIFIED folders
but are NOT applied to the RUNNING configuration (applying them directly could cause major problems in
real-world scenarios).
To force the configuration restored in the WORKING directory to be used by the OmniSwitch, launch the
following command (via the console, or the OV 2500 CLI SCRIPTING application):
Wait for the OmniSwitch to reboot (~3 min), then use the VLAN Manager application to check that the
VLANs 70-80 have been correctly removed:
5 Debriefing
During this lab, we have learned how to backup the configuration of each device (AOS or Stellar) available in
the network. We have also learned that it is possible to schedule the backup operation, and that the restore
operation can be done only on AOS Devices (not on Stellar APs).
-ANNEXES-
The list of uploaded firmware is displayed in the Upgrade Image main page:
2. Devices Selection
> In case of AP upgrade
> To install a firmware only on specific AP(s): Click on ADD > Use Switch Picker
> To install a firmware on all the APs of an AP Group: Click on ADD
> In case of OmniSwitch upgrade
> Select one or several OmniSwitch(es)
3. Software Installation
> Review the information, then click on Install Software
> Go to System
> Select Image File (or Image File URL if the Image File/Firmware is located on a web server)
> Click on Browse, then select the firmware/image file
OmniAccess Stellar WLAN
Monitoring the Network Infrastructure
Objective
✓ Monitor the Network Devices from the OmniVista 2500
Contents
1 Briefing
2 Checking the Topology & Devices Status
2.1. Saving the Configuration
2.2. Monitoring the Devices & Links Status
2.2.1. Device Information
2.2.2. Device Status
2.2.3. Notification Status
2.2.4. Links Status
4 Debriefing
1 Briefing
Let’s see how to monitor all the network devices from one platform, the OmniVista 2500. 2 applications will
be used:
- The Topology Application which provides a view of all discovered devices in the network;
- The Notification Application which displays the notification generated by the network devices.
[Figures: current topology; end-of-lab topology]
The network topology containing all the previously discovered devices is displayed:
Save all the management done during this training as Running configuration
Notes
It is also possible to save the management of each device (one by one):
OMNISWITCH
> Click on the OmniSwitch
> Click on Actions > Device
> Click on Copy Working/Running to Certified
> Check that the save process has been completed successfully
> Click on Finish
Notes
If the links between the OmniSwitches and the Stellar Access Points don’t appear in the
diagram, manually poll the links:
Display the MAC Address, version and device model of the OmniSwitch 6360.
To display detailed device information, click on the device. A Detail panel appears on the right. A list of
information is displayed. The information displayed may vary depending on the device:
- Discover why the OmniSwitches are in Warning state, and solve the problem;
- Display the OmniSwitches & Access Points notifications;
- Check that the links are up, and that the correct ports are used;
Device status is displayed by the device status circle around the device:
• Green = Up (Device is up)
• Orange = Warning (indicates that traps have been received on the device. The highest level of
trap received by the device is displayed (Green, Orange, Red) in the Notifications Status).
• Red = Down (Device is down)
Notice that your OmniSwitches are in the Orange “Warning” state, meaning that a notification has been
generated on these devices. The Notification Status part (next part) shows how to acknowledge the(se)
notification(s).
To clear/acknowledge the notification and pass the Device & Notification status to Green status:
OMNISWITCH
> Click on the OmniSwitch (ex: 6360)
> Click on Actions > Notifications > View Traps
> Select the first checkbox to select all the lines
> Click on ACK (blue button) to acknowledge the notifications or CLEAR (red button) to delete the
notifications from the database
You may have to repeat the operation to acknowledge/clear all the notifications. A maximum of 1000
notifications can be acknowledged/cleared at the same time.
In order to clear all the notifications, you could use the following procedure:
OMNISWITCH
> Click on the OmniSwitch
> Click on Actions > Notifications > View Traps
> On the top right corner, click the button Actions
> Click Ack All to acknowledge the notifications and click OK to validate.
You can then click Clear All to delete all the notifications from the database
To display link information, move the mouse over the link until the pointer turns into a finger. Link
information will be displayed in table form as shown below:
Tips
Several shortcuts to the other OmniVista 2500
applications are available when a device (OmniSwitch,
Access Point) is selected or by right clicking on a device.
We will discover these applications and learn
how to use them in the next labs.
The Notifications Home Screen displays all traps received from network devices and provides basic trap
information (e.g., severity level, date/time received). You can also use this screen to acknowledge,
renounce, and clear traps, as well as poll devices for traps.
In the result, the reboot operations done during this training should be displayed.
1. Agent
> Agent Type: AP Group
> AP Group Selection: APGX (X=Remote-Lab Number)
> Click on Next
2. Trap Type
> Traps which match these severities: Critical
> Click on Next
3. Response
> Action: Send an e-mail
> E-mail To: adminX@company.com (X = R-Lab Number)
> Click on Next
For example, you can use the following fields and variables:
- E-mail Subject: Warning! Critical Trap Received on $TrapAgent$ ($TrapAgentName$)!
Check that a notification has been generated by the AP and sent to the OmniVista 2500:
> In the Action panel (on the right), click on Actions > Notification > View Traps
Now, check that a mail has been sent to adminX@company.com (wait a few minutes if needed, as the
mail server doesn’t send mails in real time):
4 Debriefing
In this lab, we saw that the OmniVista 2500 provides powerful applications to monitor the network devices
(OmniSwitches/Access Points).
OmniAccess Stellar WLAN
Configuring Heat Map & Floor Plan
Objective
✓ Learn how to create and configure a Heat Map and a Floor Plan
Contents
1 Configuring a Heat Map
1.1. Creating the Building Hierarchy
1.2. Configuring the Plan Map
1.2.1. Scaling the Plan
1.2.2. Laying Down the Obstacles
1.2.3. Placing the Access Points
1.2.4. Displaying the Result
Campus
> Click on the + button
> Campus Name: My_Campus
> Double click on the My_Campus that is now displayed
Building
> Click on the + button
> Building Name: My_Building
> Double click on the My_Building that is now displayed
Floor
> Click on the + button
> Floor Name: First_Floor
> Floor Number: 1
> File Name: click on Select File > Select the Office-Plan.jpg file in the C:\Resources folder
> Click on OK
> Double click on the First_Floor that is now displayed to access the Floor map
Tips
Pre-defined obstacles, each with a different absorption coefficient (dB), can be selected by clicking on
the button.
It is also possible to create custom obstacles via the Operation > Obstacle Manage link.
Notes
Go back to Edit Floor Map and place the APs in different places to cover the cold areas.
Changing the APs on the map will simulate the new Wi-Fi coverage based on the real
band and power of emission of the APs.
With Floor Plan, the admin can import a map into a floor plan, scale it and perform the AP auto Deployment.
Tips
Pre-defined obstacles, each with a different absorption coefficient (dB), can be selected by clicking on
the button.
It is also possible to create custom obstacles via the Operation > Obstacle Manage link.
Tips
The result will vary based on the following parameters:
- Scale of the map
- Number and type of obstacles placed
- AP Model
- Quality (General, Good, Excellent)
Change some of these parameters (AP Model, Quality…) and click on Save the Layout.
Notes
In Edit Floor Plan, APs can be added manually on the map to fill the cold areas. After clicking on
“Save The Layout”, the Floor Plan application will process and display the Wi-Fi coverage based on
all the APs located on the map.
OmniAccess Stellar WLAN
Remote Access Point (RAP) Deployment – OV Cirrus (Freemium) & OV 2500
Objective
✓ Learn how to setup the different equipment in order to deploy an
OmniAccess Stellar Access Point as Remote Access Point (RAP)
Contents
1 Topology
2 Configuring the OmniVista Cirrus
2.1. Logging into the OmniVista Cirrus
2.2. Declaring the OmniAccess Stellar AP as Remote AP Point
2.2.1. Retrieving the Stellar AP Serial Number & MAC Address
2.2.2. Declaring the Stellar AP in the OmniVista Cirrus
2.3. Configuring the VPN Settings
3 Connecting the OmniAccess Stellar Access Point
4 Importing the VPN Configuration
5 Configuring the VPN Server Virtual Appliance
5.1. Configuring the VPN Server Virtual Appliance Basic Settings
5.2. Configuring the VPN Server Virtual Appliance Settings
5.2.1. Configuring the Network Interfaces
1 Topology
During this lab, we will use the following topology:
[Topology diagram: OmniVista Cirrus (Freemium, cloud); remote site with router and AP; main site with OmniVista 2500 and VPN server. Addresses shown: 192.168.1.76, 192.168.1.1, 10.130.5.50]
VPN Server
- Public IP@: x.x.x.x (hidden)
- Private IP@: 10.130.5.251
- VPN Server IP@ (vpn_mgmt): 192.168.0.1
- VPN Client IP@ (vpn_mgmt): 192.168.0.2-20
- VPN Server IP@ (vpn_data): 10.7.0.61
- VPN Client IP@ (vpn_data): 10.7.0.55-60
The OmniAccess Stellar Access Point to be deployed as Remote Access Point (RAP) must be first declared in
the OmniVista Cirrus.
The OmniVista Cirrus is a cloud-based network management system. To log into this application, an account
is necessary. 2 types of accounts are available:
- Freemium: free account that provides limited features for an unlimited number of registered devices.
- Paid: full OmniVista Cirrus functionalities for the subscribed number of devices and services for the length
of your contract.
In this lab, we will use a Freemium account. To learn how to create a freemium account, please refer to the
dedicated part available in the add-on section of this lab.
Web Browser
Access the OmniVista Cirrus webpage: https://registration.ovcirrus.com/
Enter your credentials (Freemium account)
[Topology diagram: remote site (router, AP) and main site (OmniVista 2500, VPN server)]
VPN SETTINGS:
- CLIENT IP@ RANGE: 192.168.0.2 TO .20
- SERVER IP@: 192.168.0.1
[Topology diagram: OmniVista Cirrus (Freemium, cloud); remote site (router, AP); main site (OmniVista 2500, VPN server). Addresses shown: 192.168.1.79, 192.168.1.1]
Connect the OmniAccess Stellar Access Point that must act as Remote Access Point to the Internet. After a few
moments, the OmniAccess Stellar Access Point is seen as registered on the OmniVista Cirrus:
[Topology diagram: OmniVista Cirrus (Freemium, cloud), VPN settings (.conf file); remote site (router, AP); main site (OmniVista 2500, VPN server)]
Now that the Remote Access Point has been registered in the OmniVista Cirrus, let’s export the VPN settings.
In the next part (5 - Configuring the VPN Server Virtual Appliance), we will import these VPN settings in order
to configure the VPN server.
Click on Export
Warning
KEEP THE CONF FILE IN A SAFE PLACE, AS WE WILL NEED TO IMPORT IT IN THE VPN SERVER VIRTUAL APPLIANCE AT
THE END OF THE NEXT PART.
[Topology diagram: OmniVista Cirrus (Freemium, cloud); remote site (router, AP); main site (OmniVista 2500, VPN server). VPN server labels: 10.130.5.251, PUBLIC IP@]
Tips
To learn how to deploy the ALE “VPN Server” virtual appliance, please refer to the dedicated add-on part
available at the end of this lab.
Web Browser
Enter y to confirm
The virtual machine reboots to take the basic settings into account.
Press Enter
Press Enter
Press Enter
Press Enter
Select ssh
Press Enter
- Now that the SSH/SFTP is enabled, upload the VPN server configuration (.conf file) to the VPN server
VM:
Windows
Open FileZilla Client
Click Quickconnect
/opt/OmniVista_2500_NMS/data/vpn_conf/vpn_profile
Press Enter
Select vpn_
Press Enter
Press Enter
[Topology diagram: VPN > MGMT TRAFFIC between the AP at the remote site and the VPN server at the main site (OmniVista 2500). Addresses shown: 192.168.0.2, 192.168.0.1]
- Now that the VPN Server configuration is complete, reboot the OmniAccess Stellar Access Point to
reinitialize the VPN connection process.
Select Maintenance…
Press Enter
Press Enter
Notes
In this part, we consider that the OmniVista 2500 NMS Virtual Appliance has already been deployed and that the
initial configuration has already been done (IP address, gateway, password…)
If not done, please refer to the lab dedicated to the installation of the OmniVista 2500 NMS.
Web Browser
Select the OV2500 VA, then
Enter y to confirm
7.2. Discovering the Remote Access Point in the OmniVista 2500 NMS
Go to NETWORK > AP REGISTRATION > Access Points
[Topology diagram: remote site (router, AP) and main site (OmniVista 2500, VPN server)]
VPN SETTINGS (VPN > CLIENT DATA TRAFFIC):
- CLIENT IP@ RANGE: 10.7.0.55 TO .60
- SERVER IP@: 10.7.0.61
Click Apply
Warning
KEEP THE CONF FILE IN A SAFE PLACE, AS WE WILL NEED TO IMPORT IT IN THE VPN SERVER VIRTUAL APPLIANCE AT
THE END OF THE NEXT PART.
Click Commit
Tips
During this lab, the default AP Group is used. If desired, it is also possible to create an AP Group dedicated for
Remote Access Points and insert in it all the settings that will be sent to these Remote APs.
Notes
This part is designed as a quick reminder, as the Employee SSID creation is viewed in details in a dedicated lab.
Authentication Strategy
> RADIUS Server: UPAMRadiusServer
> Click on Manage Employee Accounts
Default VLAN/Network
[Topology diagram: VPN settings (.conf file); remote site (router, AP); main site (OmniVista 2500, VPN server)]
- As in one of the previous steps, upload the VPN server configuration (.conf file) to the VPN server VM:
Windows
Open FileZilla Client
- Username: admin
- Password: VPN Server password (ex. Alcatel.0)
- Port : 22
Click Quickconnect
Transfer the <VPN Server name>.conf file in the folder
/opt/OmniVista_2500_NMS/data/vpn_conf/vpn_profile
Press Enter
Select vpn_
Press Enter
[Diagram: VPN server network interfaces at the main site. Interfaces shown: ETH0, ETH1, ETH2. Other labels: OMNIVISTA 2500, 10.130.5.50]
CLIENTS NETWORK
> VLAN 30
> 10.7.0.X
PUBLIC INTERFACE
> X.X.X.X (HIDDEN)
MGMT NETWORK
> VLAN 1305
> 10.130.5.X
VPN Server
- Public IP@: x.x.x.x (hidden)
- Private IP@: 10.130.5.251
- VPN Server IP@ (vpn_mgmt): 192.168.0.1
- VPN Client IP@ (vpn_mgmt): 192.168.0.2-20
- VPN Server IP@ (vpn_data): 10.7.0.61
- VPN Client IP@ (vpn_data): 10.7.0.55-60
Press Enter
Click on Connect
Username: Employee
Password: password
Click on OK
Click on Connect
In our example, the client has received an IP address in the range dedicated to the employees:
Web Browser
Access the OmniVista Cirrus webpage: https://registration.ovcirrus.com/
Click Create New Account
Mail
Click the link GO TO VERIFY
ACCOUNT
Click on Browse…
Click Next
Review the details
Click Next
Check the box “I accept all
license agreements”
Click Next
Select a storage (depends on
your infrastructure)
Click Next
Select the destination
network for the network cards
Click Next
Feedback
In order to improve the quality of the documentation, please report any feedback and address to:
Alcatel-Lucent Enterprise
115-225 rue Antoine de Saint-Exupéry
ZAC Prat Pip – Guipavas
29806 BREST CEDEX 9 – France
FAX: (33) 2 98 28 50 03