wlan ssid-profile "default"wpa-passphrase 1234567890 ---tkip设置provision-ap copy-provisioning-params ip-addr 192.168.102.250 provision-ap no ipaddrprovision-ap a-ant-gain 2provision-ap g-ant-gain 2provision-ap a-antenna 1provision-ap g-antenna 1provision-ap external-antennaprovision-ap master 192.168.102.100provision-ap server-ip 192.168.102.100provision-ap ap-group "default"provision-ap ap-name "00:0b:86:cb:bd:62"provision-ap no syslocationprovision-ap fqln ""provision-ap reprovision ip-addr 192.168.102.250interface loopback ip address "192.168.30.200"apboot> helpboot - run bootcmd or boot AP image or elf file or from flashcd - cfg register displaycw - cfg register writedis - disassemble instructionsdhcp - invoke DHCP client to obtain IP/boot paramseloop - loopback received ethernet framesflash - FLASH sub-systemgo - start application at address 'addr'help - print online helpmc - memory copymd - memory displaymii - MII sub-systemmtest - simple RAM testnetstat - net statisticsmw - memory writeping - ping net hostprintenv - env displaypurgeenv - purge envregs - display various regsreset - reset processorrun - run commands in an environment variablesaveenv - save environment variables to persistent storagesetenv - set variable in env (ipaddr/netmask/gatewayip/master/serverip) setenv ipaddr x.x.x.xsetenv netmask x.x.x.xsetenv gatewayip x.x.x.xsetenv serverip x.x.x.xsetenv master x.x.x.xtcpdump - dump received packetstcpsend - send TCP packettftpboot - boot via tftptlb - dump TLBtrace - dump trace bufferversion - print monitor versionwdog - stop refreshing watchdog timerapboot>No spanning-tree 关闭spanning-treeAdp discover disable 关闭ADPAdp imgp-join disable 关闭im-j一、WEB页面认证1、wlan ssid-profile (staff-ssid-profile) ：定义ssid配置文件1.1 essid staff ：定义ssid下的essid—显示出来的ssid2、wlan virtual-ap (staff-vap-profile) ：定义virtual-ap的配置文件2.1 ssid-profile (staff-ssid-profile) :在virtual-ap下引用定义过SSID2.2 vlan ID aa，bb :把virtual-ap加入到要ssid所属VLAN3、aaa profile staff-aaa-profile ：定义AAA认证配置文件4、aaa server-group (staff-servergroup) ：定义server-group配置文件4.1 auth-server internal ：定义认证服务器为本地认证4.2 set role condition role value-of 设置角色set role condition <condition> set-value <role> position <number>5、aaa authentication captive-portal (staff-auth-profile) ：captive-portal配置5.1 server-group staff-servergroup ：在下面引用定义过的server-group6、user-role staff-logon ：定义用户登陆前权限的配文件6.1 access-list session logon-control position 1定义用户登陆前的权限--位置16.2 access-list session captiveportal position 2 定义用户登陆前的权限--26.3 Captive-Portal staff-auth-profile position 3定义过captive-portalRe-authentication interval 480 再次认证间隔480秒默认3600秒7、user-role vip-role ：定义用户成功登陆后的配置文件7.1session-acl allowall 赋予所有允许权限session-acl http-acl 只有http8、wlan virtual-ap staff-vap-profile ：进入定义过的virtual-ap配置文件8.1 aaa-profile staff-aaa-profile ：引用定义过的AAA配置文件9、ap-group default ：定义ap-group，最好用默认的9.1 virtual-ap staff-vap-profile ：引用定义过的Virtual-ap配置文件10、aaa profile staff-aaa-profile ：进入定义过的AAA配置文件10.1 initial-role staff-logon ：把initial-role改为定义过用户登陆前配置11、aaa authentication-server internal use-local-switch ：定义认证SERVER为本地交换机12、local-userdb add username staff password 123456 role vip-role :定义用户的登陆的用户名和密码及权限二、MAC 地址认证配置1、wlan ssid-profile (staff-ssid-profile) ：定义ssid配置文件1.1 essid staff ：定义ssid下的essid2、wlan virtual-ap (staff-vap-profile) ：定义virtual-ap的配置文件2.1 ssid-profile (staff-ssid-profile) :virtual-ap下引用定义过的SSID配置文件2.2 vlan ID :把virtual-ap加入到要ssid所属的VLAN3、aaa profile staff-aaa-mac-profile ：定义AAA认证配置文件4、aaa authentication mac staff-mac-profile :定义mac配置文件4.1 Delimiter dash ：定义mac地址的格式4.2 Case upper （upper/lower）：定义mac地址的大/小写备注：aaa authentication mac staff-mac-profileclone <profile>delimiter {colon|dash|none}max-authentication-failures 数字aaa authentication mac mac-blacklist MAC黑名单max-authentication-failures 5 最多认证失败次数5、aaa server-group (staff-macservergroup) ：定义server-group配置文件5.1 auth-server internal ：定义认证服务器为本地认证5.2 set role condition role value-of6、user-role staff-logon ：定义用户登陆前权限的配文件6.1 access-list session logon-control ：定义用户登陆前的权限6.2 access-list session captiveportal ：定义用户登陆前的权限7、user-role vip-role ：定义用户成功登陆后的配置文件7.1session-acl allowall ：赋予权限8、wlan virtual-ap staff-vap-profile ：进入定义过的virtual-ap配置文件8.1 aaa-profile staff-aaa-mac-profile ：引用定义过的AAA配置文件9、ap-group default ：定义ap-group，最好用默认的9.1 virtual-ap staff-vap-profile ：引用定义过的Virtual-ap配置文件10、aaa profile staff-aaa-mac-profile ：进入定义过的AAA配置文件10.1 initial-role staff-logon ：把initial-role改为定义过的用户登陆前的配置文件10.2 authentication-mac staff-mac-profile :把定义的authentication mac文件引用10.3 mac-server-group staff-macservergroup :把定义的servergroup加入11、aaa authentication-server internal use-local-switch ：定义认证SERVER为本地交换机12、local-userdb add username mac地址password mac地址 role vip-role :定义用户的登陆的用户名和密码及权限注意：如果是有线直接连在端口上的话要进行认证必须把连接口设为UNTRUSTED.同时在设定：进入aaa authentication wired 后设定：profile (staff-aaa-profile) 为你设定认证的AAA profileBlacklist：5次错误就拒绝访问show aaa authentication captive-portal default：Max authentication failures 改为5次show aaa authentication dot1x default：Max authentication failures 改为5次1、aaa bandwidth-contract "256" kbits "256"2、aaa bandwidth-contract "256" kbits 256ip access-list session "pass"any any any permit queue low!user-role "ap512"access-list "pass" position 1bw-contract "256" per-user upstreambw-contract "256" per-user downstreamaaa bandwidth-contract "2M-BW" mbits "2" 带宽2M控制aaa bandwidth-contract 128_up kbits 128 带宽128k控制aaa bandwidth-contract 512 kbits 512aaa bandwidth-contract 64 kbits 64aaa bandwidth-contract 256 kbits 256aaa bandwidth-contract 1 mbits 1 带宽1M控制aaa bandwidth-contract 128_up kbits 128user-role 128bw-contract 128_up per-user upstreamuser-role ap-rolesession-acl controlsession-acl ap-acl!user-role pre-employeesession-acl allowallMaster mobility controller configuration1Initial setup of Aruba-master2Core VLAN configuration and IP addressing3Core VLAN port assignment4Loopback IP address ----- interface loopback ip address 设置环回地址Deploy APs5配置AP VLAN6配置 AP VLAN DHCP Server7Connect Aruba APs8Provisioning Aruba APs(Aruba-master) (config-if)#write mSaving Configuration...ip dhcp pool "userpool" 定义pool的名字default-router 192.168.11.254 定义默认路由网关—loopback地址dns-server 192.168.11.254---202.106.0.20 定义DNS网关lease 8 0 0network 192.168.11.0 255.255.255.0service dhcp 启动dhcpinterface gigabitethernet 1/1no muxportswitchport mode trunkip default-gateway 192.168.0.254interface vlan 1no ip addressno ip igmpinterface gigabitethernet 1/1no switchport access vlaninterface loopback ip address "192.168.0.100"(Aruba800-4) (config) # show ip interface briefInterface IP Address / IP Netmask Admin Protocolvlan 1 172.16.0.254 / 255.255.255.0 up upvlan 10 192.168.0.1 / 255.255.255.0 up upvlan 30 192.168.30.200 / 255.255.255.0 up uploopback unassigned / unassigned up up(Aruba800-4) (config) # rf arm-profile default ----------关闭ARM后调整channel---ok (Aruba800-4) (Adaptive Radio Management (ARM) profile "default") #assignment disable (Aruba800-4) (Adaptive Radio Management (ARM) profile "default") #no scan(Aruba800-4) (Adaptive Radio Management (ARM) profile "default") #write memoryrf dot11g-radio-profile "default"tx-power 20 ------------------------发射功率调整rf dot11g-radio-profile "default"channel 11 ------------------------调整AP信道interface vlan 20ip address 192.168.0.1 255.255.255.0ip nat insideno ip igmp存配置：24 (Aruba2400) #configure t25(Aruba2400) (config) #copy tftp: 172.16.0.100 aruba2400-0904.cfg flash: 2400.bak 26(Aruba2400) (config) #copy flash: 2400.bak flash: 2400.cfg27(Aruba2400) # copy running-config tftp: 192.168.4.100 aruba2400-0904.cfgRadius配置：aaa authentication-server radius Radius1host <ipaddr>key <key>enableaaa server-group corpnetauth-server Radius1dot1x配置：aaa authentication dot1x corpnetaaa profile corpnetauthentication-dot1x corpnetdot1x-default-role employeedot1x-server-group corpnetvirtual AP:wlan ssid-profile corpnetessid Corpnetopmode wpa2-aeswlan virtual-ap corpnetvlan 1aaa-profile corpnetssid-profile corpnetap-group defaultvirtual-ap corpnet时间设定：time-range workhours periodic周期weekday 09:00 to 17:00ip access-list session restricted 受限制any any svc-http permit time-range workhoursany any svc-https permit time-range workhoursuser-role guestsession-acl restrictedmesh设置：ap mesh-radio-profile <profile-name>11a-portal-channel <11a-portal-channel>11g-portal-channel <11g-portal-channel>a-tx-rates [6|9|12|18|24|36|48|54]beacon-period <beacon-period>children <children>clone <source-profile-name>g-tx-rates [1|2|5|6|9|11|12|18|24|36|48|54]heartbeat-threshold <count>hop-count <hop-count>link-threshold <count>max-retries <max-retries>metric-algorithm {best-link-rssi|distributed-tree-rssimpv <vlan-id>rts-threshold <rts-threshold>tx-power <tx-power>ap mesh-radio-profile <profile-name>clone <source-profile-name>ap-group <group>mesh-radio-profile <profile-name>ap-name <name>mesh-radio-profile <profile-name>wlan ssid-profile <profile>essid <name>opmode <method> 方式wpa-passphrase <string> (if necessary)wlan virtual-ap <name>ssid-profile <profile>vlan <vlan>forward-mode bridgeaaa-profile <name>rap-operation {always|backup|persistent}ap-group <name>virtual-ap <name># ip access-list session "Employee-Policy"any any any permit queue lowRemote AP配置The firewall must be configured to pass NAT-T traffic (UDP port 4500) to the controller.)1、Configure a public IP address for the controller.2、Configure the VPN server on the controller. The remote AP will be a VPN client to the server.3、Configure the remote AP role.4、Configure the authentication server that will validate the username and password for the remote AP.5、Provision the AP with IPSec settings, including the username and passwordfor the AP, before you install it at the remote location.1、Cli：vlan <id>interface fastethernet <slot>/<port>switchport access vlan <id>interface vlan <id>ip address <ipaddr> <mask>2、Using the CLI to configure VPN server:vpdn group l2tpppp authentication PAPip local pool <pool> <start-ipaddr> <end-ipaddr>crypto isakmp key <key> address <ipaddr> netmask <mask>3、Using the CLI to configure the user role:(table1) (config) # user-role remote(table1) (config-role) #session-acl allowallip access-list session <policy>any any svc-papi permitany any svc-gre permitany any svc-l2tp permitany alias mswitch svc-tftp permitany alias mswitch svc-ftp permit4、Using the CLI to configure the VPN authentication profile:4.1 aaa server-group <group>auth-server <server>4.2 aaa authentication vp ndefault-role <role>server-group <group>5、Using the CLI to enable double encryption:ap system-profile <profile>double-encryptap-name <name> 需要插上远端AP后配置ap-system-profile <profile>Using the CLI to enable double encryption:ap system-profile <profile>double-encryptap-name <name>ap-system-profile <profile>Using the CLI to configure the AAA profile:aaa profile <name>initial-role <role>authentication-dot1x <dot1x-profile>dot1x-default-role <role>dot1x-server-group <group>Using the CLI to define the backup configuration in the virtual AP profile: wlan ssid-profile <profile>essid <name>opmode <method>wpa-passphrase <string> (if necessary)wlan virtual-ap <name>ssid-profile <profile>vlan <vlan>forward-mode bridgeaaa-profile <name>rap-operation {always|backup|persistent}ap-group <name>virtual-ap <name>orap-name <name>virtual-ap <name>Using the CLI to configure the DHCP server on the AP:ap system-profile <name>lms-ip <ipaddr>master-ip <ipaddr>rap-dhcp-server-vlan <vlan>wlan virtual-ap <name>ssid-profile <profile>vlan <vlan>forward-mode bridgeaaa-profile <name>rap-operation {always|backup|persistent}ap-group <name>ap-system-profile <name>virtual-ap <name>orap-name <name>ap-system-profile <name> virtual-ap <name>。