7.4.0

Aruba Sample Configuration

This section contains a sample running configuration for this wireless device and the attributes you should consider when configuring it to communicate with the FortiNAC appliance. You can configure the device through its UI or the CLI.

Note: This information is provided only for the purposes of illustration. There is no guarantee that this configuration will work in your environment.

This configuration applies to Alcatel Wireless devices as well.

Sample Configuration Using Firewall Rules

version 3.4
enable secret "d85e6b8d016f7aad463fe61d0140b832ee59fed7d1f6dbed18"
prompt ArubaMaster
loginsession timeout 60
hostname "ArubaMaster"
clock summer-time EDT recurring 2 sunday march 02:00 first sunday november 02:00 -4
clock timezone EST -5
location "IT Lab"
mms config 0
controller config 1201
crypto-local pki ServerCert arubacontroller2009 arubacontrollerkey2009a.pem
ip access-list eth validuser
permit any
!
netservice svc-snmp-trap udp 162
netservice "Accounting-4610 to 4625" tcp 4610 4625
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-pptp tcp 1723
netservice svc-Pharos-LPD tcp 515
netservice svc-telnet tcp 23
netservice svc-sccp tcp 2000 alg sccp
netservice Accounting-Dept-2000 tcp 2000 2001
netservice svc-tftp udp 69 alg tftp
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice Accounting-Dept tcp 1030 1031
netservice "LabAdmin 40000s" tcp 40000 40200
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-Pharos-Notify tcp 28201 28207
netservice svc-papi udp 8211
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-Pharos-SignUp tcp 2351 2355
netservice svc-svp 119 alg svp
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice LabAdmin tcp 1111
netservice "Dept - 4625" tcp 4625
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-esp 50
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice Accounting-Dept-4600 tcp 4600 4601
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58

netdestination cm-dns
host 192.20.130.100
host 192.20.190.100
!
netdestination PrivateNet
network 192.0.0.0 255.0.0.0
network 192.168.0.0 255.255.0.0
network 172.16.0.0 255.240.0.0
!
netdestination ProtectedServers
host 192.3.0.6
host 192.3.0.7
host 192.3.1.28
!
ip access-list session control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-cfgm-tcp permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session ChemLab
any any LabAdmin permit
any any "LabAdmin 40000s" permit
any any udp 1111 permit
!
ip access-list session validuser
any any any permit
!
ip access-list session vocera-acl
any any svc-vocera permit queue high
!
ip access-list session icmp-acl
any any svc-icmp permit
!
ip access-list session Secure
any alias ProtectedServers any deny log
any any any permit
!
ip access-list session captiveportal
user alias mswitch svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
!
ip access-list session allowall
any any any permit
!
ip access-list session SecureExecutive
any alias ProtectedServers any deny log
any any any permit
!
ip access-list session cm-dns-block
any alias cm-dns svc-dns deny
any any svc-dns permit
!
ip access-list session https-acl
any any svc-https permit
!
ip access-list session sip-acl
any any svc-sip-udp permit queue high
any any svc-sip-tcp permit queue high
!
ip access-list session cm-dns-allow
any alias cm-dns svc-dns permit
any any svc-dns deny
!
ip access-list session dns-acl
any any svc-dns permit
!
ip access-list session tftp-acl
any any svc-tftp permit
!
ip access-list session skinny-acl
any any svc-sccp permit queue high
!
ip access-list session srcnat
user any any src-nat
!
ip access-list session vpnlogon
user any svc-ike permit
user any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
!
ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session cplogout
user alias mswitch svc-https dst-nat 8081
!
ip access-list session guest
!
ip access-list session http-acl
any any svc-http permit
!
ip access-list session dhcp-acl
any any svc-dhcp permit
!
ip access-list session BlockRogueDHCP
user any udp 68 deny
!
ip access-list session noe-acl
any any svc-noe permit queue high
!
ip access-list session svp-acl
any any svc-svp permit queue high
user host 224.0.1.116 any permit
!
ip access-list session ap-acl
any any svc-gre permit
any any svc-syslog permit
any user svc-snmp permit
user any svc-snmp-trap permit
user any svc-ntp permit
!
ip access-list session TechAccounting
any any svc-telnet permit
any any Lirary-Dept permit
any any Accounting-Dept-2000 permit
any any svc-snmp-trap permit
any any "Accounting-4610 to 4625" permit
!
ip access-list session TechPrint
any host 192.3.1.192 svc-http permit
any any svc-Pharos-SignUp permit log
any any svc-Pharos-Notify permit log
any any svc-Pharos-LPD permit log
!
ip access-list session BASS
any host 192.3.1.11 svc-http-proxy2 permit
!
ip access-list session h323-acl
any any svc-h323-tcp permit queue high
any any svc-h323-udp permit queue high
!
ip access-list session TechGuest
any any svc-dns permit
any any svc-dhcp permit
any alias PrivateNet any deny log
any any any permit
!
ipv6 access-list session v6-icmp-acl
any any svc-v6-icmp permit
!
ipv6 access-list session v6-https-acl
any any svc-https permit
!
ipv6 access-list session v6-control
user any udp 68 deny
any any svc-v6-icmp permit
any any svc-v6-dhcp permit
any any svc-dns permit
any any svc-tftp permit
!
ipv6 access-list session v6-dhcp-acl
any any svc-v6-dhcp permit
!
ipv6 access-list session v6-dns-acl
any any svc-dns permit
!
ipv6 access-list session v6-allowall
any any any permit
!
ipv6 access-list session v6-http-acl
any any svc-http permit
!
ipv6 access-list session v6-tftp-acl
any any svc-tftp permit
!
ipv6 access-list session v6-logon-control
user any udp 68 deny
any any svc-v6-icmp permit
any any svc-v6-dhcp permit
any any svc-dns permit
!

vpn-dialer default-dialer
ike authentication PRE-SHARE 195cc8274528de580a34ac6b7686dcd474a13c386373fb99
!
user-role ap-role
session-acl control
session-acl ap-acl
!
user-role DeadEnd
session-acl BlockRogueDHCP
!
user-role Secure
session-acl BlockRogueDHCP
session-acl cm-dns-block
session-acl Secure
!
user-role Registration
session-acl BlockRogueDHCP
session-acl cm-dns-allow
session-acl allowall
!
user-role trusted-ap
session-acl allowall
!
user-role default-vpn-role
session-acl allowall
ipv6 session-acl v6-allowall
!
user-role Quarantine
session-acl BlockRogueDHCP
session-acl cm-dns-allow
session-acl allowall
!
user-role SecureExecutive
session-acl BlockRogueDHCP
session-acl cm-dns-block
session-acl SecureExecutive
!
user-role voice
session-acl sip-acl
session-acl noe-acl
session-acl svp-acl
session-acl vocera-acl
session-acl skinny-acl
session-acl h323-acl
session-acl dhcp-acl
session-acl tftp-acl
session-acl dns-acl
session-acl icmp-acl
!
user-role guest-logon
captive-portal "default"
session-acl logon-control
session-acl captiveportal
!
user-role guest
session-acl http-acl
session-acl https-acl
session-acl dhcp-acl
session-acl icmp-acl
session-acl dns-acl
ipv6 session-acl v6-http-acl
ipv6 session-acl v6-https-acl
ipv6 session-acl v6-dhcp-acl
ipv6 session-acl v6-icmp-acl
ipv6 session-acl v6-dns-acl
!
user-role stateful-dot1x
!
user-role authenticated
session-acl allowall
ipv6 session-acl v6-allowall
!
user-role stateful
session-acl control
!
user-role TechGuest_CM
session-acl BlockRogueDHCP
session-acl cm-dns-block
session-acl TechPrint
session-acl ChemLab
session-acl TechGuest
!
user-role SecureAdmin
session-acl BlockRogueDHCP
session-acl cm-dns-block
session-acl allowall
!
user-role logon
session-acl logon-control
session-acl captiveportal
session-acl vpnlogon
ipv6 session-acl v6-logon-control
!
user-role TechGuest
session-acl BlockRogueDHCP
session-acl cm-dns-block
session-acl TechPrint
session-acl ChemLab
session-acl TechGuest
!
ip radius source-interface loopback
!
aaa timers dead-time 2
no spanning-tree
interface mgmt
dhcp
!
interface loopback
ip address 192.70.192.13
!
dialer group evdo_us
init-string ATQ0V1E0
dial-string ATDT#777
!
dialer group gsm_us
init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
dial-string ATD*99#
!
dialer group vivo_br
init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
dial-string ATD*99#
!

vlan 192
vlan 221
vlan 222
vlan 223
vlan 224
vlan 225
vlan 226
vlan 227
vlan 228
vlan 231
vlan 232
vlan 233
vlan 234
vlan 235
vlan 236
vlan 237
vlan 238
vlan 333
vlan 444
vlan 911
vlan 999
vlan-name anslem pool
vlan anslem 221-228
interface gigabitethernet 0/0
description "GE0/0"
trusted
trusted vlan 1-4094
switchport mode trunk
no spanning-tree
!
interface gigabitethernet 0/1
description "GE0/1"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/2
description "GE0/2"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/3
description "GE0/3"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/4
description "GE0/4"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/5
description "GE0/5"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/6
description "GE0/6"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/7
description "GE0/7"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/8
description "GE0/8"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/9
description "GE0/9"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/10
trusted
trusted vlan 1-4094
!
interface gigabitethernet 0/11
trusted
trusted vlan 1-4094
!

interface vlan 1

!

interface vlan 192

ip address 192.70.192.12 255.255.252.0

!

interface vlan 221

ip address 192.20.221.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 222

ip address 192.20.222.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 223

ip address 192.20.223.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 224

ip address 192.20.224.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 225

ip address 192.20.225.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 226

ip address 192.20.226.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 227

ip address 192.20.227.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 228

ip address 192.20.228.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 231

ip address 192.20.231.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 232

ip address 192.20.232.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 233

ip address 192.20.233.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 234

ip address 192.20.234.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 235

ip address 192.20.235.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 236

ip address 192.20.236.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 237

ip address 192.20.237.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 238

ip address 192.20.238.2 255.255.255.0

ip helper-address 192.3.1.37

!

vrrp 165
priority 110
authentication aruba
ip address 192.70.192.16
description "MasterPrimary"
vlan 192
preempt
no shutdown
!
vrrp 166
authentication aruba
ip address 192.70.192.17
description "LocalPrimary"
vlan 192
preempt
!
ip default-gateway 192.70.192.1
ap mesh-recovery-profile
cluster Recovery-gV-3AZLbc-bbo+5
wpa-hexkey 07b466a81428afd382a1c22dc0fd6fdf8bae046f19f89d7ef511537c40820727a12e042962fcff6a348830b9618171d2ffb2bf5fa7f40813f687876a12ad07d5a52f83d5d4bfd8e9c83f0854e00d450d
wms
general poll-interval 60000
general poll-retries 3
general ap-ageout-interval 30
general sta-ageout-interval 30
general learn-ap disable
general persistent-known-interfering enable
general propagate-wired-macs enable
general stat-update enable
general collect-stats disable
!
crypto isakmp policy 20
encryption aes256
!
crypto isakmp key "aac98ba6f2bb9a92a0c8b4023e6d23065fcd47a8dc508a54" address 0.0.0.0 netmask 0.0.0.0
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
set transform-set default-transform default-aes
!
localip 0.0.0.0 ipsec f595067b48ac1e12ae7840bd5f2ba84c2a497571632b510d
localip 192.70.192.15 ipsec 577e1271980e8a1d0715645a16751fe85026eb0674619a83
ip local pool "RAP-pool" 192.90.1.3 192.90.1.254
vpdn group l2tp
!
ip dhcp default-pool private
!
syslocation "IT Lab"
snmp-server community Fortinet
vpdn group pptp
!
mux-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voip prioritization disable
voip rtcp-inactivity disable
voip sip-midcall-req-timeout disable
ssh mgmt-auth username/password
mgmt-user admin root 07ea2ecd010712fb4c1470a58dcbfdc5c4cf335b506ce875b6
ntp server 192.3.1.37
no database synchronize
database synchronize rf-plan-data
ip mobile domain default

!

ip igmp

!

no firewall attack-rate cp 1024

!

firewall cp

!

firewall cp

packet-capture-defaults tcp disable udp disable sysmsg disable other disable

!

ip domain lookup

!

country US

aaa authentication mac "CMmacAuth"

delimiter colon

!

aaa authentication mac "default"

!

aaa authentication dot1x "Tech_802.1x"
termination enable
termination eap-type eap-peap
termination inner-eap-type eap-mschapv2
server-cert "arubacontroller2009"
!
aaa authentication dot1x "default"
!
aaa authentication-server radius "Tech_IAS"
host 192.3.1.37
key f865d7ba8915205eb12773b41b502a7cd3798492ee759176
!
aaa authentication-server radius "CAMPUSMANAGER"
host 192.3.1.105
key 8dea4674f0e0ce9928fdda605609020d5d0104f9126c83ac
!
aaa server-group "Tech_Server_Group"
auth-server Tech_IAS
set role condition Filter-Id equals "ExecutiveDL" set-value Secure
set role condition Filter-Id equals "StaffDL" set-value Secure
set role condition Filter-Id equals "WirelessAdminDL" set-value SecureAdmin
!
aaa server-group "CMServerGroup"
auth-server CAMPUSMANAGER
!
aaa server-group "default"
auth-server Internal
set role condition role value-of
!
aaa profile "Tech_Guest_AAA"
initial-role "TechGuest"
mac-default-role "TechGuest"
!
aaa profile "Tech_Guest_CM_AAA"
initial-role "Quarantine"
authentication-mac "CMmacAuth"
mac-default-role "TechGuest_CM"
mac-server-group "CMServerGroup"
!
aaa profile "Tech_Secure_AAA"
authentication-dot1x "Tech_802.1x"
dot1x-default-role "SecureExecutive"
dot1x-server-group "Tech_Server_Group"

!

aaa profile "default"

!

aaa authentication captive-portal "default"

!

aaa authentication wispr "default"

!

aaa authentication vpn server-group "internal"

!

aaa authentication mgmt

!

aaa authentication stateful-ntlm "default"

!

aaa authentication stateful-dot1x

!

aaa authentication wired

!

web-server

switch-cert "arubacontroller2009"

!

papi-security

!

guest-access-email

!

aaa password-policy mgmt

!

ap system-profile "default"

!

ap system-profile "LocalFirst"
lms-ip 192.70.192.17
!
ap system-profile "MasterFirst"
lms-ip 192.70.192.16
!
ap system-profile "RemoteAP"
lms-ip 66.155.211.15
!
ap regulatory-domain-profile "default"
country-code US

valid-11g-channel 1

valid-11g-channel 6

valid-11g-channel 11

valid-11a-channel 36

valid-11a-channel 40

valid-11a-channel 44

valid-11a-channel 48

valid-11a-channel 149

valid-11a-channel 153

valid-11a-channel 157

valid-11a-channel 161

valid-11a-channel 165

valid-11g-40mhz-channel-pair 1+

valid-11g-40mhz-channel-pair 5-

valid-11g-40mhz-channel-pair 7+

valid-11g-40mhz-channel-pair 11-

valid-11a-40mhz-channel-pair 36+

valid-11a-40mhz-channel-pair 40-

valid-11a-40mhz-channel-pair 44+

valid-11a-40mhz-channel-pair 48-

valid-11a-40mhz-channel-pair 149+

valid-11a-40mhz-channel-pair 153-

valid-11a-40mhz-channel-pair 157+

valid-11a-40mhz-channel-pair 161-

!

ap wired-ap-profile "default"

!

ap enet-link-profile "default"

!

ap mesh-ht-ssid-profile "default"

!

ap mesh-cluster-profile "TechMeshCluster1"
cluster "TechCluster1"
opmode wpa2-psk-aes
wpa-passphrase cc4940f33598e1dded9ef2be7faaa0b3d01c7ba9c1852589
!
ap mesh-cluster-profile "TechMeshCluster2"
cluster "TechCluster2"
opmode wpa2-psk-aes
wpa-passphrase ca4f03111febbcd97ca5e2df49bed22147d26f6d0a6f32f3

!

ap mesh-cluster-profile "default"

!

ap mesh-radio-profile "TechMeshRadio"

!

ap mesh-radio-profile "AcctMeshRadio"

!

ap mesh-radio-profile "default"

!

ap mesh-radio-profile "HodginsMeshRadio"

!

ap mesh-radio-profile "GordonMeshRadio"

!

ids general-profile "default"

!

ids unauthorized-device-profile "default"

!

ids profile "default"

!

rf arm-profile "default"

!

rf arm-profile "no_arm_enable_MeSh"
assignment disable

!

rf optimization-profile "default"

!

rf event-thresholds-profile "default"

!

rf dot11a-radio-profile "TechMeshRadio_MeSh"
no radio-enable
channel 165
tx-power 127
arm-profile "no_arm_enable_MeSh"
!
rf dot11a-radio-profile "AcctMeshRadio_MeSh"
no radio-enable
channel 40
tx-power 127
arm-profile "no_arm_enable_MeSh"
!
rf dot11a-radio-profile "default"
!
rf dot11a-radio-profile "default_MeSh"
no radio-enable
tx-power 127
arm-profile "no_arm_enable_MeSh"
!
rf dot11a-radio-profile "HodginsMeshRadio_MeSh"
no radio-enable
channel 36
tx-power 127
arm-profile "no_arm_enable_MeSh"
!
rf dot11a-radio-profile "mode_am"
mode am-mode
!
rf dot11a-radio-profile "GordonMeshRadio_MeSh"
no radio-enable
channel 44
tx-power 127
arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "TechMeshRadio_MeSh"
no radio-enable
tx-power 127
arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "AcctMeshRadio_MeSh"
no radio-enable
tx-power 127
arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "default"
no high-throughput-enable
!
rf dot11g-radio-profile "default_MeSh"
no radio-enable
tx-power 127
arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "HodginsMeshRadio_MeSh"
no radio-enable
tx-power 127
arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "mode_am"
mode am-mode
!
rf dot11g-radio-profile "GordonMeshRadio_MeSh"
no radio-enable
tx-power 127
arm-profile "no_arm_enable_MeSh"

!

wlan dot11k-profile "default"

!

wlan voip-cac-profile "default"

!

wlan ht-ssid-profile "default"

!

wlan edca-parameters-profile station "default"

!

wlan edca-parameters-profile ap "default"

!

wlan ssid-profile "Tech_Guest_SSID"
essid "TechWZONE"
mcast-rate-opt
!
wlan ssid-profile "Tech_Secure_SSID"
essid "TechWZONESecure"
opmode wpa-tkip wpa2-aes
mcast-rate-opt
!
wlan ssid-profile "default"
!
wlan ssid-profile "TEST-SSID"
essid "TEST"
!
wlan virtual-ap "Tech_Guest_CM_VAP"
aaa-profile "Tech_Guest_CM_AAA"
ssid-profile "Tech_Guest_SSID"
vlan 221-228
multi-association
vlan-mobility
broadcast-filter arp
band-steering
!
wlan virtual-ap "Tech_Guest_VAP"
aaa-profile "Tech_Guest_AAA"
ssid-profile "Tech_Guest_SSID"
vlan 222-228
multi-association
vlan-mobility
broadcast-filter arp
band-steering
!
wlan virtual-ap "Tech_Guest_VAP_Mixed"
aaa-profile "Tech_Guest_AAA"
ssid-profile "Tech_Guest_SSID"
vlan 444
multi-association
vlan-mobility
broadcast-filter arp
band-steering
!
wlan virtual-ap "Tech_Secure_VAP"
aaa-profile "Tech_Secure_AAA"
ssid-profile "Tech_Secure_SSID"
vlan 231-238
multi-association
vlan-mobility
broadcast-filter arp
band-steering
!
wlan virtual-ap "default"
!
wlan traffic-management-profile "bandwidth_use"
shaping-policy fair-access

!

ap-group "Blue"
virtual-ap "Tech_Guest_CM_VAP"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Area51"
virtual-ap "Tech_Secure_VAP"
virtual-ap "Tech_Guest_CM_VAP"
mesh-cluster-profile "TechMeshCluster1" priority 1
mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Area_MeSh"
virtual-ap "Tech_Secure_VAP"
virtual-ap "Tech_Guest_CM_VAP"
dot11a-radio-profile "default_MeSh"
mesh-cluster-profile "TechMeshCluster1" priority 1
mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Jones"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Office-1st"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
!
ap-group "Kitchen"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Smith"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Acct"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Acct Mesh"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "MasterFirst"
mesh-radio-profile "AcctMeshRadio"
mesh-cluster-profile "TechMeshCluster1" priority 1
mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Acct Mesh_MeSh"
virtual-ap "Tech_Guest_CM_VAP"
dot11a-radio-profile "AcctMeshRadio_MeSh"
ap-system-profile "MasterFirst"
mesh-radio-profile "AcctMeshRadio"
mesh-cluster-profile "TechMeshCluster1" priority 1
mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Elkins"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "default"
virtual-ap "default"
dot11a-radio-profile "mode_am"
dot11g-radio-profile "mode_am"
ap-system-profile "MasterFirst"
!
ap-group "Butterfly"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "MasterFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Hodges"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "MasterFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Hodgins Mesh"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "MasterFirst"
mesh-radio-profile "HodginsMeshRadio"
mesh-cluster-profile "TechMeshCluster1" priority 1
mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Hodgins Mesh_MeSh"
virtual-ap "Tech_Guest_CM_VAP"
dot11a-radio-profile "HodginsMeshRadio_MeSh"
dot11g-radio-profile "mode_am"
ap-system-profile "MasterFirst"
mesh-radio-profile "HodginsMeshRadio"
mesh-cluster-profile "TechMeshCluster1" priority 1
mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Francois"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "MasterFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Accounting"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "MasterFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "NHTI"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Open > Local-1st"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
!
ap-group "Open > Master-1st"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "MasterFirst"
!
ap-group "Open+Secure>Local-1st"
virtual-ap "Tech_Guest_CM_VAP"
virtual-ap "Tech_Secure_VAP"
ap-system-profile "LocalFirst"
!
ap-group "Fish"
virtual-ap "Tech_Secure_VAP"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "RemoteAP"
virtual-ap "Tech_Guest_VAP"
virtual-ap "Tech_Secure_VAP"
ap-system-profile "RemoteAP"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "RemoteAPLocal"
virtual-ap "Tech_Guest_VAP"
virtual-ap "Tech_Secure_VAP"
ap-system-profile "LocalFirst"
!
ap-group "Engineering"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "LocalFirst"
!
ap-group "QA_Lab"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "MasterFirst"
!
ap-group "Gordon Mesh"
virtual-ap "Tech_Guest_CM_VAP"
ap-system-profile "MasterFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
mesh-radio-profile "GordonMeshRadio"
mesh-cluster-profile "TechMeshCluster1" priority 1
mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Gordon Mesh_MeSh"
virtual-ap "Tech_Guest_CM_VAP"
dot11a-radio-profile "GordonMeshRadio_MeSh"
ap-system-profile "MasterFirst"
dot11a-traffic-mgmt-profile "bandwidth_use"
dot11g-traffic-mgmt-profile "bandwidth_use"
mesh-radio-profile "GordonMeshRadio"
mesh-cluster-profile "TechMeshCluster1" priority 1
mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-name "Monitor"
dot11a-radio-profile "mode_am"
dot11g-radio-profile "mode_am"
!
logging level debugging network subcat all
logging level debugging network subcat dhcp
logging level debugging security
logging level debugging security subcat all
logging level debugging system subcat all
logging level debugging user subcat all
logging level debugging wireless subcat all
logging level debugging user-debug 00:19:d2:6d:26:15
snmp-server enable trap
snmp-server host 192.3.1.3 version 1 Fortinet udp-port 162
process monitor log

end
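The parts of this configuration that matter for FortiNAC are the user-roles and the session ACLs they list: the isolation roles (Registration, Quarantine) block client-sourced DHCP server traffic and pin DNS to the cm-dns hosts before the allowall ACL, while the Secure roles deny ProtectedServers before permitting everything else. Because a role's session ACLs are matched in the listed order and the first match wins, an ACL placed after allowall never takes effect. The following Python audit is an added example, not code from the Fortinet page or from Aruba; it parses session ACL and user-role blocks in the format above and flags undefined ACL references and ACLs shadowed by a catch-all permit. The excerpt it runs on is constructed from the page's ACL and role names, with a deliberately mis-ordered BadOrder role added to show what the check catches.

```python
"""Audit ArubaOS-style session ACLs and the user-roles that reference them."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the running-config format shown above. ACL and role
# names are the page's own; "BadOrder" is a deliberately mis-ordered role.
SAMPLE_CONFIG = """
ip access-list session allowall
any any any permit
!
ip access-list session BlockRogueDHCP
user any udp 68 deny
!
ip access-list session cm-dns-allow
any alias cm-dns svc-dns permit
any any svc-dns deny
!
ip access-list session Secure
any alias ProtectedServers any deny log
any any any permit
!
user-role Registration
session-acl BlockRogueDHCP
session-acl cm-dns-allow
session-acl allowall
!
user-role Secure
session-acl BlockRogueDHCP
session-acl cm-dns-block
session-acl Secure
!
user-role BadOrder
session-acl allowall
session-acl BlockRogueDHCP
!
"""

BLOCK_RE = re.compile(r"^(ip access-list session|user-role) (\S+)$")

def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return ({acl: [rules in order]}, {role: [session-acl names in order]})."""
    acls: Dict[str, List[str]] = {}
    roles: Dict[str, List[str]] = {}
    target, is_role = None, False  # list receiving lines of the current block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BLOCK_RE.match(line)
        if m:  # start of an ACL or role block
            is_role = m.group(1) == "user-role"
            target = (roles if is_role else acls).setdefault(m.group(2), [])
        elif line == "!":  # block terminator
            target = None
        elif target is None:
            continue  # other top-level commands are not needed here
        elif not is_role:
            target.append(line)
        elif line.startswith("session-acl "):  # other role settings are skipped
            target.append(line.split(None, 1)[1])
    return acls, roles

def is_catch_all_permit(rule: str) -> bool:
    """True for a rule like 'any any any permit' that matches all traffic."""
    tokens = rule.split()
    return tokens[:3] == ["any", "any", "any"] and "permit" in tokens

def permits_everything(acls: Dict[str, List[str]], name: str) -> bool:
    return any(is_catch_all_permit(r) for r in acls.get(name, []))

def audit(acls: Dict[str, List[str]], roles: Dict[str, List[str]]) -> List[str]:
    """Findings: dangling ACL references and ACLs shadowed by a catch-all permit.
    Session ACLs are evaluated in listed order, first match wins."""
    findings = []
    for name, rules in acls.items():
        for i, rule in enumerate(rules[:-1]):
            if is_catch_all_permit(rule):
                findings.append(f"acl {name}: '{rule}' shadows {len(rules) - i - 1} later rule(s)")
                break
    for role, refs in roles.items():
        findings += [f"role {role}: undefined session-acl {r}" for r in refs if r not in acls]
        for i, ref in enumerate(refs[:-1]):
            if permits_everything(acls, ref):
                findings.append(f"role {role}: {ref} permits everything, shadowing {refs[i + 1:]}")
                break
    return findings

def isolation_role_ok(acls: Dict[str, List[str]], roles: Dict[str, List[str]], role: str) -> bool:
    """Checks the pattern this page uses for the FortiNAC isolation roles
    (Registration, Quarantine): the rogue-DHCP block and the cm-dns restriction
    must both be listed before any ACL that carries a catch-all permit."""
    seen = set()
    for ref in roles.get(role, []):
        if permits_everything(acls, ref):
            break
        seen.add(ref)
    return {"BlockRogueDHCP", "cm-dns-allow"} <= seen

if __name__ == "__main__":
    parsed_acls, parsed_roles = parse_config(SAMPLE_CONFIG)
    for finding in audit(parsed_acls, parsed_roles):
        print(finding)
    print("Registration isolation ok:", isolation_role_ok(parsed_acls, parsed_roles, "Registration"))
```

Run it against the output of `show running-config` saved to a file to audit a live controller; the ipv6 session-acl lines and other role settings are ignored by this parser.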

any any svc-v6-icmp permit any any svc-v6-dhcp permit any any svc-dns permit

!

vpn-dialer default-dialer ike authentication PRE-SHARE

195cc8274528de580a34ac6b7686dcd474a13c386373fb99

!

user-role ap-role session-acl control session-acl ap-acl

!

user-role DeadEnd

session-acl BlockRogueDHCP

!

user-role Secure

session-acl BlockRogueDHCP session-acl cm-dns-block session-acl Secure

!

user-role Registration session-acl BlockRogueDHCP session-acl cm-dns-allow session-acl allowall

!

user-role trusted-ap session-acl allowall

!

user-role default-vpn-role session-acl allowall

ipv6 session-acl v6-allowall

!

user-role Quarantine session-acl BlockRogueDHCP session-acl cm-dns-allow session-acl allowall

!

user-role SecureExecutive session-acl BlockRogueDHCP session-acl cm-dns-block session-acl SecureExecutive

!

user-role voice session-acl sip-acl session-acl noe-acl session-acl svp-acl session-acl vocera-acl session-acl skinny-acl session-acl h323-acl

session-acl dhcp-acl session-acl tftp-acl session-acl dns-acl session-acl icmp-acl

!

user-role guest-logon captive-portal "default" session-acl logon-control session-acl captiveportal

!

user-role guest session-acl http-acl session-acl https-acl session-acl dhcp-acl session-acl icmp-acl session-acl dns-acl

ipv6 session-acl v6-http-acl ipv6 session-acl v6-https-acl ipv6 session-acl v6-dhcp-acl ipv6 session-acl v6-icmp-acl ipv6 session-acl v6-dns-acl

!

user-role stateful-dot1x

!

user-role authenticated session-acl allowall

ipv6 session-acl v6-allowall

!

user-role stateful session-acl control

!

user-role TechGuest_CM session-acl BlockRogueDHCP session-acl cm-dns-block session-acl TechPrint

session-acl ChemLab session-acl TechGuest

!

user-role SecureAdmin session-acl BlockRogueDHCP session-acl cm-dns-block session-acl allowall

!

user-role logon

session-acl logon-control session-acl captiveportal session-acl vpnlogon

ipv6 session-acl v6-logon-control

!

user-role TechGuest session-acl BlockRogueDHCP session-acl cm-dns-block session-acl TechPrint session-acl ChemLab session-acl TechGuest

!
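A user-role in this configuration is a chain of session ACLs: the controller walks the ACLs in the order the role lists them, evaluates each rule top-down, stops at the first match, and denies anything nothing matched. That ordering decides what a role such as Quarantine or Registration really allows, which is easy to misread when the chain ends in "allowall". The Python script below is an added example, not part of the Fortinet page or of any Aruba tool: it parses a constructed, one-command-per-line excerpt of the ACL and user-role blocks above, flattens each role into the rule order the controller would apply, lists roles whose chain reaches an unconditional "any any any permit", and reports session-acl references with no matching ACL. The excerpt, the evaluate() matcher (which compares fields textually and does not expand alias membership) and the packet tuples are assumptions made for illustration.

```python
"""Flatten ArubaOS user-roles into the firewall rule order the controller applies.

Added example, not part of the Fortinet sample page or of any Aruba tool.
"""
import re

# Constructed excerpt of the sample configuration (one command per line);
# the 'guest' role deliberately references an ACL the excerpt does not define.
CONFIG = """\
ip access-list session cm-dns-allow
  any alias cm-dns svc-dns permit
  any any svc-dns deny
!
ip access-list session cm-dns-block
  any alias cm-dns svc-dns deny
  any any svc-dns permit
!
ip access-list session allowall
  any any any permit
!
ip access-list session BlockRogueDHCP
  user any udp 68 deny
!
ip access-list session Secure
  any alias ProtectedServers any deny log
  any any any permit
!
user-role Quarantine
  session-acl BlockRogueDHCP
  session-acl cm-dns-allow
  session-acl allowall
!
user-role Secure
  session-acl BlockRogueDHCP
  session-acl cm-dns-block
  session-acl Secure
!
user-role guest
  session-acl http-acl
!
"""

# Rule grammar: <src> <dst> <service> <action> [options]; alias/host/network keep their keyword.
_EP = r"(any|user|alias \S+|host \S+|network \S+ \S+)"
_SVC = r"(any|tcp \d+(?: \d+)?|udp \d+(?: \d+)?|\"[^\"]*\"|\S+)"
RULE = re.compile(rf"{_EP} {_EP} {_SVC} (\S+)(?: (.*))?$")

def parse_rule(text):
    """Split one session-ACL rule into its fields."""
    m = RULE.match(text)
    if not m:
        raise ValueError("unparsable rule: " + text)
    src, dst, svc, action, opts = m.groups()
    return {"src": src, "dst": dst, "svc": svc, "action": action,
            "opts": opts or "", "text": text}

def parse_config(text):
    """Return ({acl: [rule text, ...]}, {role: [acl name, ...]}) in config order."""
    acls, roles, kind, target = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"ip access-list session (\S+)$", line):
            kind, target = "acl", acls.setdefault(m.group(1), [])
        elif m := re.match(r"user-role (\S+)$", line):
            kind, target = "role", roles.setdefault(m.group(1), [])
        elif not line or line == "!":
            target = None
        elif kind == "acl" and target is not None:
            target.append(line)
        elif kind == "role" and target is not None and line.startswith("session-acl "):
            target.append(line.split()[1])
    return acls, roles

def effective_rules(acls, roles, role):
    """Ordered (acl name, parsed rule) pairs; an undefined ACL contributes nothing."""
    return [(acl, parse_rule(r)) for acl in roles[role] for r in acls.get(acl, [])]

def evaluate(acls, roles, role, src, dst, svc):
    """First matching rule decides. Alias membership is not expanded, so give
    packet fields in rule notation ('alias cm-dns', 'host 10.0.0.5', 'udp 68')."""
    for acl, r in effective_rules(acls, roles, role):
        if all(r[k] in ("any", v) for k, v in (("src", src), ("dst", dst), ("svc", svc))):
            return r["action"], acl, r["text"]
    return "deny", None, "implicit deny"

def unrestricted_roles(acls, roles):
    """Roles whose chain reaches an unconditional 'any any any permit'."""
    wide = ("any", "any", "any", "permit")
    return [role for role in roles if any(
        (r["src"], r["dst"], r["svc"], r["action"]) == wide
        for _, r in effective_rules(acls, roles, role))]

def missing_acls(acls, roles):
    """{role: [referenced ACL names that are defined nowhere]}."""
    return {role: [a for a in refs if a not in acls]
            for role, refs in roles.items() if any(a not in acls for a in refs)}

if __name__ == "__main__":
    acls, roles = parse_config(CONFIG)
    print("roles ending in allow-all:", unrestricted_roles(acls, roles))
    print("undefined ACL references:", missing_acls(acls, roles))
    print("Quarantine, DNS to a non-cm-dns host:",
          evaluate(acls, roles, "Quarantine", "user", "host 192.3.1.5", "svc-dns")[:2])
```

Run against the excerpt, the script reports Quarantine and Secure as roles that end in an unconditional permit: Quarantine blocks only a client answering DHCP requests and DNS to anything other than the cm-dns alias, and everything else falls through to allowall, so its isolation rests on the DNS redirection rather than on the firewall. Feed it the full configuration above (in the one-command-per-line form) to get the same picture for every role, and extend the packet notation if you need alias expansion.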

ip radius source-interface loopback
!
aaa timers dead-time 2
no spanning-tree
interface mgmt
  dhcp
!
interface loopback
  ip address 192.70.192.13
!
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT#777
!
dialer group gsm_us
  init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
  dial-string ATD*99#
!
dialer group vivo_br
  init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
  dial-string ATD*99#
!

vlan 192
vlan 221
vlan 222
vlan 223
vlan 224
vlan 225
vlan 226
vlan 227
vlan 228
vlan 231
vlan 232
vlan 233
vlan 234
vlan 235
vlan 236
vlan 237
vlan 238
vlan 333
vlan 444
vlan 911
vlan 999
vlan-name anslem pool
vlan anslem 221-228

interface gigabitethernet 0/0
  description "GE0/0"
  trusted
  trusted vlan 1-4094
  switchport mode trunk
  no spanning-tree
!
interface gigabitethernet 0/1
  description "GE0/1"
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/2
  description "GE0/2"
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/3
  description "GE0/3"
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/4
  description "GE0/4"
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/5
  description "GE0/5"
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/6
  description "GE0/6"
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/7
  description "GE0/7"
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/8
  description "GE0/8"
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/9
  description "GE0/9"
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/10
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 0/11
  trusted
  trusted vlan 1-4094
!

interface vlan 1

!

interface vlan 192

ip address 192.70.192.12 255.255.252.0

!

interface vlan 221

ip address 192.20.221.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 222

ip address 192.20.222.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 223

ip address 192.20.223.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 224

ip address 192.20.224.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 225

ip address 192.20.225.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 226

ip address 192.20.226.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 227

ip address 192.20.227.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 228

ip address 192.20.228.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 231

ip address 192.20.231.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 232

ip address 192.20.232.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 233

ip address 192.20.233.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 234

ip address 192.20.234.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 235

ip address 192.20.235.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 236

ip address 192.20.236.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 237

ip address 192.20.237.2 255.255.255.0

ip helper-address 192.3.1.37

!

interface vlan 238

ip address 192.20.238.2 255.255.255.0

ip helper-address 192.3.1.37

!

vrrp 165
  priority 110
  authentication aruba
  ip address 192.70.192.16
  description "MasterPrimary"
  vlan 192
  preempt
  no shutdown
!
vrrp 166
  authentication aruba
  ip address 192.70.192.17
  description "LocalPrimary"
  vlan 192
  preempt
!
ip default-gateway 192.70.192.1
ap mesh-recovery-profile
  cluster Recovery-gV-3AZLbc-bbo+5
  wpa-hexkey 07b466a81428afd382a1c22dc0fd6fdf8bae046f19f89d7ef511537c40820727a12e042962fcff6a348830b9618171d2ffb2bf5fa7f40813f687876a12ad07d5a52f83d5d4bfd8e9c83f0854e00d450d
wms
  general poll-interval 60000
  general poll-retries 3
  general ap-ageout-interval 30
  general sta-ageout-interval 30
  general learn-ap disable
  general persistent-known-interfering enable
  general propagate-wired-macs enable
  general stat-update enable
  general collect-stats disable
!
crypto isakmp policy 20
  encryption aes256
!
crypto isakmp key "aac98ba6f2bb9a92a0c8b4023e6d23065fcd47a8dc508a54" address 0.0.0.0 netmask 0.0.0.0
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes
!
localip 0.0.0.0 ipsec f595067b48ac1e12ae7840bd5f2ba84c2a497571632b510d
localip 192.70.192.15 ipsec 577e1271980e8a1d0715645a16751fe85026eb0674619a83
ip local pool "RAP-pool" 192.90.1.3 192.90.1.254
vpdn group l2tp
!
ip dhcp default-pool private
!
syslocation "IT Lab"
snmp-server community Fortinet
vpdn group pptp
!
mux-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voip prioritization disable
voip rtcp-inactivity disable
voip sip-midcall-req-timeout disable
ssh mgmt-auth username/password
mgmt-user admin root 07ea2ecd010712fb4c1470a58dcbfdc5c4cf335b506ce875b6
ntp server 192.3.1.37
no database synchronize
database synchronize rf-plan-data
ip mobile domain default
!
ip igmp
!
no firewall attack-rate cp 1024
!
firewall cp
!
firewall cp
!
packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country US
aaa authentication mac "CMmacAuth"
  delimiter colon

!

aaa authentication mac "default"

!

aaa authentication dot1x "Tech_802.1x"
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
  server-cert "arubacontroller2009"

!

aaa authentication dot1x "default"

!

aaa authentication-server radius "Tech_IAS"
  host 192.3.1.37
  key f865d7ba8915205eb12773b41b502a7cd3798492ee759176
!
aaa authentication-server radius "CAMPUSMANAGER"
  host 192.3.1.105
  key 8dea4674f0e0ce9928fdda605609020d5d0104f9126c83ac

!

aaa server-group "Tech_Server_Group"
  auth-server Tech_IAS
  set role condition Filter-Id equals "ExecutiveDL" set-value Secure
  set role condition Filter-Id equals "StaffDL" set-value Secure
  set role condition Filter-Id equals "WirelessAdminDL" set-value SecureAdmin
!
aaa server-group "CMServerGroup"
  auth-server CAMPUSMANAGER
!
aaa server-group "default"
  auth-server Internal
  set role condition role value-of

!

aaa profile "Tech_Guest_AAA"
  initial-role "TechGuest"
  mac-default-role "TechGuest"
!
aaa profile "Tech_Guest_CM_AAA"
  initial-role "Quarantine"
  authentication-mac "CMmacAuth"
  mac-default-role "TechGuest_CM"
  mac-server-group "CMServerGroup"
!
aaa profile "Tech_Secure_AAA"
  authentication-dot1x "Tech_802.1x"
  dot1x-default-role "SecureExecutive"
  dot1x-server-group "Tech_Server_Group"

!

aaa profile "default"

!

aaa authentication captive-portal "default"

!

aaa authentication wispr "default"

!

aaa authentication vpn server-group "internal"

!

aaa authentication mgmt

!

aaa authentication stateful-ntlm "default"

!

aaa authentication stateful-dot1x

!

aaa authentication wired

!

web-server

switch-cert "arubacontroller2009"

!

papi-security

!

guest-access-email

!

aaa password-policy mgmt

!

ap system-profile "default"

!

ap system-profile "LocalFirst"
  lms-ip 192.70.192.17
!
ap system-profile "MasterFirst"
  lms-ip 192.70.192.16
!
ap system-profile "RemoteAP"
  lms-ip 66.155.211.15

!

ap regulatory-domain-profile "default"
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1+
  valid-11g-40mhz-channel-pair 5-
  valid-11g-40mhz-channel-pair 7+
  valid-11g-40mhz-channel-pair 11-
  valid-11a-40mhz-channel-pair 36+
  valid-11a-40mhz-channel-pair 40-
  valid-11a-40mhz-channel-pair 44+
  valid-11a-40mhz-channel-pair 48-
  valid-11a-40mhz-channel-pair 149+
  valid-11a-40mhz-channel-pair 153-
  valid-11a-40mhz-channel-pair 157+
  valid-11a-40mhz-channel-pair 161-

!

ap wired-ap-profile "default"

!

ap enet-link-profile "default"

!

ap mesh-ht-ssid-profile "default"

!

ap mesh-cluster-profile "TechMeshCluster1"
  cluster "TechCluster1"
  opmode wpa2-psk-aes
  wpa-passphrase cc4940f33598e1dded9ef2be7faaa0b3d01c7ba9c1852589
!
ap mesh-cluster-profile "TechMeshCluster2"
  cluster "TechCluster2"
  opmode wpa2-psk-aes
  wpa-passphrase ca4f03111febbcd97ca5e2df49bed22147d26f6d0a6f32f3

!

ap mesh-cluster-profile "default"

!

ap mesh-radio-profile "TechMeshRadio"

!

ap mesh-radio-profile "AcctMeshRadio"

!

ap mesh-radio-profile "default"

!

ap mesh-radio-profile "HodginsMeshRadio"

!

ap mesh-radio-profile "GordonMeshRadio"

!

ids general-profile "default"

!

ids unauthorized-device-profile "default"

!

ids profile "default"

!

rf arm-profile "default"

!

rf arm-profile "no_arm_enable_MeSh"
  assignment disable

!

rf optimization-profile "default"

!

rf event-thresholds-profile "default"

!

rf dot11a-radio-profile "TechMeshRadio_MeSh"
  no radio-enable
  channel 165
  tx-power 127
  arm-profile "no_arm_enable_MeSh"
!
rf dot11a-radio-profile "AcctMeshRadio_MeSh"
  no radio-enable
  channel 40
  tx-power 127
  arm-profile "no_arm_enable_MeSh"
!
rf dot11a-radio-profile "default"
!
rf dot11a-radio-profile "default_MeSh"
  no radio-enable
  tx-power 127
  arm-profile "no_arm_enable_MeSh"
!
rf dot11a-radio-profile "HodginsMeshRadio_MeSh"
  no radio-enable
  channel 36
  tx-power 127
  arm-profile "no_arm_enable_MeSh"
!
rf dot11a-radio-profile "mode_am"
  mode am-mode
!
rf dot11a-radio-profile "GordonMeshRadio_MeSh"
  no radio-enable
  channel 44
  tx-power 127
  arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "TechMeshRadio_MeSh"
  no radio-enable
  tx-power 127
  arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "AcctMeshRadio_MeSh"
  no radio-enable
  tx-power 127
  arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "default"
  no high-throughput-enable
!
rf dot11g-radio-profile "default_MeSh"
  no radio-enable
  tx-power 127
  arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "HodginsMeshRadio_MeSh"
  no radio-enable
  tx-power 127
  arm-profile "no_arm_enable_MeSh"
!
rf dot11g-radio-profile "mode_am"
  mode am-mode
!
rf dot11g-radio-profile "GordonMeshRadio_MeSh"
  no radio-enable
  tx-power 127
  arm-profile "no_arm_enable_MeSh"

!

wlan dot11k-profile "default"

!

wlan voip-cac-profile "default"

!

wlan ht-ssid-profile "default"

!

wlan edca-parameters-profile station "default"

!

wlan edca-parameters-profile ap "default"

!

wlan ssid-profile "Tech_Guest_SSID"
  essid "TechWZONE"
  mcast-rate-opt
!
wlan ssid-profile "Tech_Secure_SSID"
  essid "TechWZONESecure"
  opmode wpa-tkip wpa2-aes
  mcast-rate-opt

!

wlan ssid-profile "default"

!

wlan ssid-profile "TEST-SSID"

essid "TEST"

!

wlan virtual-ap "Tech_Guest_CM_VAP"
  aaa-profile "Tech_Guest_CM_AAA"
  ssid-profile "Tech_Guest_SSID"
  vlan 221-228
  multi-association
  vlan-mobility
  broadcast-filter arp
  band-steering
!
wlan virtual-ap "Tech_Guest_VAP"
  aaa-profile "Tech_Guest_AAA"
  ssid-profile "Tech_Guest_SSID"
  vlan 222-228
  multi-association
  vlan-mobility
  broadcast-filter arp
  band-steering
!
wlan virtual-ap "Tech_Guest_VAP_Mixed"
  aaa-profile "Tech_Guest_AAA"
  ssid-profile "Tech_Guest_SSID"
  vlan 444
  multi-association
  vlan-mobility
  broadcast-filter arp
  band-steering
!
wlan virtual-ap "Tech_Secure_VAP"
  aaa-profile "Tech_Secure_AAA"
  ssid-profile "Tech_Secure_SSID"
  vlan 231-238
  multi-association
  vlan-mobility
  broadcast-filter arp
  band-steering
!
wlan virtual-ap "default"
!
wlan traffic-management-profile "bandwidth_use"
  shaping-policy fair-access
!
ap-group "Blue"
  virtual-ap "Tech_Guest_CM_VAP"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Area51"
  virtual-ap "Tech_Secure_VAP"
  virtual-ap "Tech_Guest_CM_VAP"
  mesh-cluster-profile "TechMeshCluster1" priority 1
  mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Area_MeSh"
  virtual-ap "Tech_Secure_VAP"
  virtual-ap "Tech_Guest_CM_VAP"
  dot11a-radio-profile "default_MeSh"
  mesh-cluster-profile "TechMeshCluster1" priority 1
  mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Jones"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Office-1st"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
!
ap-group "Kitchen"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Smith"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Acct"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Acct Mesh"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "MasterFirst"
  mesh-radio-profile "AcctMeshRadio"
  mesh-cluster-profile "TechMeshCluster1" priority 1
  mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Acct Mesh_MeSh"
  virtual-ap "Tech_Guest_CM_VAP"
  dot11a-radio-profile "AcctMeshRadio_MeSh"
  ap-system-profile "MasterFirst"
  mesh-radio-profile "AcctMeshRadio"
  mesh-cluster-profile "TechMeshCluster1" priority 1
  mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Elkins"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "default"
  virtual-ap "default"
  dot11a-radio-profile "mode_am"
  dot11g-radio-profile "mode_am"
  ap-system-profile "MasterFirst"
!
ap-group "Butterfly"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "MasterFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Hodges"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "MasterFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Hodgins Mesh"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "MasterFirst"
  mesh-radio-profile "HodginsMeshRadio"
  mesh-cluster-profile "TechMeshCluster1" priority 1
  mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Hodgins Mesh_MeSh"
  virtual-ap "Tech_Guest_CM_VAP"
  dot11a-radio-profile "HodginsMeshRadio_MeSh"
  dot11g-radio-profile "mode_am"
  ap-system-profile "MasterFirst"
  mesh-radio-profile "HodginsMeshRadio"
  mesh-cluster-profile "TechMeshCluster1" priority 1
  mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Francois"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "MasterFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Accounting"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "MasterFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "NHTI"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "Open > Local-1st"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
!
ap-group "Open > Master-1st"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "MasterFirst"
!
ap-group "Open+Secure>Local-1st"
  virtual-ap "Tech_Guest_CM_VAP"
  virtual-ap "Tech_Secure_VAP"
  ap-system-profile "LocalFirst"
!
ap-group "Fish"
  virtual-ap "Tech_Secure_VAP"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "RemoteAP"
  virtual-ap "Tech_Guest_VAP"
  virtual-ap "Tech_Secure_VAP"
  ap-system-profile "RemoteAP"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
!
ap-group "RemoteAPLocal"
  virtual-ap "Tech_Guest_VAP"
  virtual-ap "Tech_Secure_VAP"
  ap-system-profile "LocalFirst"
!
ap-group "Engineering"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "LocalFirst"
!
ap-group "QA_Lab"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "MasterFirst"
!
ap-group "Gordon Mesh"
  virtual-ap "Tech_Guest_CM_VAP"
  ap-system-profile "MasterFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
  mesh-radio-profile "GordonMeshRadio"
  mesh-cluster-profile "TechMeshCluster1" priority 1
  mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-group "Gordon Mesh_MeSh"
  virtual-ap "Tech_Guest_CM_VAP"
  dot11a-radio-profile "GordonMeshRadio_MeSh"
  ap-system-profile "MasterFirst"
  dot11a-traffic-mgmt-profile "bandwidth_use"
  dot11g-traffic-mgmt-profile "bandwidth_use"
  mesh-radio-profile "GordonMeshRadio"
  mesh-cluster-profile "TechMeshCluster1" priority 1
  mesh-cluster-profile "TechMeshCluster2" priority 2
!
ap-name "Monitor"
  dot11a-radio-profile "mode_am"
  dot11g-radio-profile "mode_am"
!
logging level debugging network subcat all
logging level debugging network subcat dhcp
logging level debugging security
logging level debugging security subcat all
logging level debugging system subcat all
logging level debugging user subcat all
logging level debugging wireless subcat all
logging level debugging user-debug 00:19:d2:6d:26:15
snmp-server enable trap
snmp-server host 192.3.1.3 version 1 Fortinet udp-port 162
process monitor log
end