
6/11/19

Cert0101: HPE6-A42
This guide is not meant to replace the “Implementing Aruba Wireless”
course. Students are advised to go through the IAW guide before using
this material.


Module 1
WLAN Fundamentals and RF Basics

2.4 GHz, interference


When an AP operates on channel 6, a wireless security camera operating on channel 8 will cause
interference.


2.4 GHz Minimum Spacing


Minimum spacing to prevent overlap: 5 channels

Compare 802.11a/b/g/n/ac Data Standards


Highest transmission rates in the 2.4 GHz band: 802.11n


Antenna Gain
A high-gain omni-directional antenna provides more horizontal coverage and less vertical
coverage compared to a typical omni-directional antenna.

MIMO
In a typical office environment with many surfaces where the signal can bounce, MIMO increases
wireless speeds.


MU-MIMO
Unique to 802.11ac Wave 2 APs

dBm and mW Relationships


A loss of 3 dBm equals a loss of 50%.


Module 2
Mobile First Architecture

IAP Convert to CAP


Convert the IAPs to Campus APs controlled by the new MCs.


Controllers Model
Determines the number of supported users and firewall throughput

7010 vs 7024
The 7024 supports more PoE devices directly connected to the MC.


Controller Portfolio
The 7030 supports 64 APs.

Controller Portfolio
Aruba controller deployment option new to ArubaOS 8: virtual appliances


IAP
IAPs operate in an autonomous or standalone mode

Master-Local Mode
The company already has a partially hierarchical deployment based on the 6.x code and
wants to keep the current architecture.


Mobility Master
It manages VLAN and routing configuration for multiple Mobility Controllers (MCs).

MM (8.x) vs Master (6.x)


The Master cannot push interface settings to the MC.


AP Failover
A cluster of Mobility Controllers provides high availability for APs.

RAP Split tunnel


It sends traffic destined for the corporate network in an IPsec tunnel to a central Mobility
Controller (MC), and it bridges other traffic locally.


License Pool
All licenses are installed on the MM.

Enable License
Enable feature in the Global Usage window


Calculating License Requirements

Licensing
Max number of APs supported (32)


License Redundancy
MC retains its current licenses for 30 days when MM is not reachable.

Controller Matrix
AP count, User count, Firewall throughput


Module 3
Mobility Master Mobility Controller Configuration

GUI Hierarchy


MM Sync config with MC


removes any commands that are not supported on that MC or have dependency errors

Module 4
Secure WLAN Configuration


AP Group
Place APs in different buildings in different AP Groups to have different config.

Profiles
AAA profile to assign an authentication server group


WLAN Creation
No Broadcast SSID: Hidden SSID


Forwarding Mode
Decrypt-tunnel: user traffic is decrypted at the AP

Default Forwarding Mode


Tunnel to Mobility Controller, in MM or Master-Local architecture.


Setup Preshared key (PSK)


Click Personal in the slide bar

Module 5
AP Provisioning


Radius Authentication
Mobility Controller exchanges RADIUS packets with the RADIUS server

AirMatch
With new AP run


Controller Discovery
Map the Mobility Controller (MC not MM) IP addresses to the aruba-master name on the
network DNS server.

Module 6
WLAN Security


WPA/WPA2 Negotiation
Keys are generated and distributed securely during each wireless user authentication
process.

MAC Authentication
Authorized MAC addresses are visible in plaintext in the air and can be easily spoofed


Two way authentication


issue: The user clients do not trust the RADIUS server certificate and are configured not to
prompt users to trust new certificates.

Authentication Methods
802.1X authentication occurs at Layer 2, while captive portal authentication occurs at Layer
3.


WPA2-Enterprise
Requires a RADIUS server

Radius Shared key


Authentication with EAP-TLS


The authenticator forwards the authentication requests to the RADIUS server.

Authentication with 802.1x/EAP


The RADIUS server determines the EAP type, not the controller.


EAP-TLS
unique digital certificates installed on user devices to authenticate wireless users

Machine Authentication
authenticate the Windows clients as well, based on the client Computer Names.


ClearPass
RADIUS Authentication Server

LDAP
Authenticate directly against an Active Directory (AD) domain controller without NPS or IAS


Access Points, Air Monitors, Spectrum Monitors


An AM detects threats such as rogue APs, while an SA analyzes RF conditions.

Access Points, Air Monitors, Spectrum Monitors


AMs help to detect rogue APs in the environment.
They prevent client connections to rogue APs.


WIDS
Protects against attacks at Layer 2

Spectrum Monitor (SM)


Analyze RF signals to determine the cause of non-802.11 interference.


Testing Communication Between Mobility Controller and RADIUS Server

Module 7
Firewall Roles and Policies


Aruba Firewall Role


Set bandwidth limit

Aruba Firewall Role


Create a policy with these rules, and then apply that policy to the roles


Aruba Role Derivation from Radius Server


The RADIUS server sends different roles for users in different departments. Apply role-based
firewall policies.

Firewall Rule
user any any permit rule: it permits traffic from wireless clients as long as the packet has a
source IP.


Application Rule
prevent wireless users from accessing shopping web sites with a bad reputation.

Firewall Policy to allow DHCP


DHCP setting: source = any and destination = any


Global Rule
It immediately applies to the guest role and other roles, as part of the first policy applied to
the role.

WLAN Default Role


users who successfully authenticate and are not assigned a different role by the RADIUS
server


AAA Profile, Default Role


When the RADIUS server is not correctly set up to send a user role, the default role will be used.

Module 8
Dynamic RF Management


AirMatch
MM generates the channel and power plan for an AP

AirMatch Solution does not get deployed


New Plan did not offer significantly improved quality


AirMatch LSM Upgrade


Upgrade Client Match as part of a global software upgrade, and upgrade AirMatch separately as a
loadable service module (LSM).


AirMatch FAQ
Disabling the ARM profile does not affect AirMatch.

Client Match
balance wireless devices across APs on different channels


Module 9
Guest Access

Guest Network with NAT


Enable NAT on the VLAN assigned to the guest WLAN.


L3 Deployment
VLAN interfaces on the Mobility Controllers (MCs) as the default gateway for wireless users

Captive Portal Process


FW permits them to send any DHCP traffic and DNS and web traffic to the Internet. It
redirects web traffic destined to the private network to a login portal.


PEFNG with Captive Portal


addition of custom rules to control access for authenticated guests

Captive Portal without authentication


use of internal captive portal with email registration


Internal Captive Portal


Administrators can modify the default internal captive portal pages or upload pages
developed externally.

Guest Provisioning Account


create guest user accounts


Guest-logon role
allows DHCP, DNS, and internal captive portal redirection for a guest WLAN

WebUI Certificate


Guest Access
Add ClearPass as Radius Server


ClearPass Guest
Option for Guest to create own account

Module 10
Network Monitoring and Troubleshooting


Top Banner
list of alerts about a variety of issues on the MM or managed devices

Client Dashboard
Display roles to which these users are actually assigned


Client Health
50% means the AP takes about twice as long to send data to the client as expected if all
transmissions succeeded.

Performance Dashboard
Monitor the health status of all APs and clients


Traffic Analysis
The solution must have active PEFNG licenses.

Filter View
To see the breakdown for only roles, destinations, WLANs and devices that use this application


Security Analysis Dashboard


List of rogue APs and interfering APs

AirWave vs MM
AirWave collects and analyzes information about clients and APs over extended periods of time.


AirWave Monitoring Devices


Click “Poll Controller Now” to get real time info.

AirWave vs Mobility Master


MM Dashboard
To analyze short-term trends in network usage by client, AP, and application

MM: Potential Issues


Low SNR problem of below 30


Traffic Analysis Dashboard


show types of applications in use in the wireless network

AirWave
Configuration Status: Error (Communication Issues)


Security of Data in the Air


WPA2 provides both data integrity and privacy with AES.

Difference between WPA and WPA2 encryption


WPA encryption uses TKIP by default, and WPA2 encryption uses AES by default.


AirWave: Monitor Clients


AirWave combines information from more sources, such as RADIUS authenticating servers
and APs.
