Technology Solution Guide
Deploying Ascom i62 with Aruba Networks Secure Mobility Solution
Ascom i62 Handset and OEM derivatives
Software version 5.1.30
Aruba 600/3000/6000/7200 Mobility Controllers
AOS version 6.3.1.3
Aruba AP92/93/104/105/124/125/134/135
AP114/115/224/225
April 14th 2014

Deploying Ascom's i62 VoWiFi handset with Aruba Networks Secure Mobility Solution

WARRANTY DISCLAIMER
THE FOLLOWING DOCUMENT, AND THE INFORMATION CONTAINED HEREIN IS PROVIDED ON AN "AS IS" BASIS. ARUBA MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR GUARANTEES AS TO THE USEFULNESS, QUALITY, SUITABILITY, TRUTH, ACCURACY OR COMPLETENESS OF THIS DOCUMENT AND THE INFORMATION CONTAINED IN THIS DOCUMENT.
DISCLAIMER OF LIABILITY
Aruba Networks, Inc. disclaims liability for any personal injury, property or other damages of any nature whatsoever, whether special, indirect, consequential or compensatory, directly or indirectly resulting from the certification program or the acts or omissions of any company or technology that has been certified by Aruba Networks.
Certification does not mean that the company is a subcontractor or under the technical control or direction of Aruba Networks. In conducting the certification program Aruba Networks is not undertaking to render professional or other services for or on behalf of any person or entity.

Table of Contents
Introduction
Solution Components
  Aruba Campus WLAN Solution
  Ascom Solution
Aruba Edge Solution Qualification
  Qualification Objective
  Network Topology
  Test Methodology
  Summary Test Results
  Known Limitations
Conclusion
Appendix 1
  General settings (SSID, Radio and QoS)
  Encryption and Authentication Settings
  Ascom i62 Setting Summary
APPENDIX B
  Test Summary
  Aruba Test Configuration File

Introduction
This document describes the steps and guidelines necessary to configure Aruba's wireless LAN (AOS version 6.3.1.3) infrastructure to work interoperably with Ascom's i62 handsets.
The guide is intended to be used in conjunction with Aruba and Ascom configuration guides. Please contact the respective company's sales engineering or support groups should additional information be required.
Solution Verified: Ascom Phones
Aruba Product: Aruba Campus WLAN Solution OS version 6.3.x.x
Partner Solution Tested: Ascom i62 Handset; Software version 5.1.30

Solution Components
Aruba Campus WLAN Solution
Secure and reliable mobility is the responsibility of the enterprise network, which must support a wide range of converged clients over wireless, wired, and remote access networks. Laptops and smartphones are capable of simultaneously running voice, data, and now video applications, an operating model that breaks traditional dedicated VLAN and SSID architectures. Delivering the quality of service (QoS), bandwidth, and management tools necessary to accommodate these devices on a grand scale within a campus environment, to users on the road, and in branch offices requires a specially tailored system design.
Aruba's unique application and device fingerprinting enable the system to detect the types of traffic flows, and the devices from which they originate. The network can then be dynamically conditioned to deliver QoS on an application-by-application, device-by-device basis as needed to ensure highly reliable application delivery. Aruba's integrated policy enforcement firewall isolates applications from one another to essentially create multiple dedicated virtual networks, and then allocates the necessary bandwidth for each user and application.
To ensure reliable application delivery in changing RF environments, Aruba's Adaptive Radio Management (ARM) technology forces client devices to shift away from the noisy 2.4 GHz band to the quieter 5 GHz band, adjusts radio power levels to blanket coverage areas, load balances by shifting clients between access points, and even allocates airtime based on the capabilities of each client device. The result is a superb user experience without any user involvement.
These services are complemented by security systems that ensure the integrity of the network. Rogue detection, wireless intrusion and prevention, access control, remote site VPN, content security scanning, end-to-end data encryption, and other services protect the network and users at all times.
Aruba's extensive portfolio of campus, branch/teleworker, and mobile solutions simplify operations and secure access to unified communications applications and services regardless of the user's device, location, or network. This dramatically improves productivity, lowering capital and operational costs while providing a superior uninterrupted user experience.

Ascom Solution
The Ascom i62 offers a high-class telephony, messaging and alarm solution for enterprise business based on Wi-Fi technology. By offering Voice over Wi-Fi, only one network needs to be installed and maintained for all applications running, such as Internet access, e-mail, voice and other business-related applications.
The latest 802.11n standard provides the benefits of higher throughput and longer range possibilities, which will increase the ability to integrate with other systems and build efficient applications. With the new generation networks and handsets, the capacity and versatility outperform any other on-site wireless technology. The Ascom i62 offers a unique management tool with a central management concept enabling remote management and SW upgrades of the handsets over the air.

Certified Product Summary
Manufacturer: Ascom Wireless Solutions
Products Certified: Ascom i62 and OEM derivatives
Hardware Model Numbers: WH1xxxx
Software Version Numbers: 5.1.30

RF Features Tested
Radio Supported: 802.11a/b/g/n
QoS Features Supported/Tested: WMM
Power-save Features Tested: U-APSD
Encryption Supported: WEP 64/128, WPA-PSK, WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
Encryption Tested: WPA-PSK, WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
802.11h Supported: Yes
Key Caching Support for Optimized Roaming: OKC and PMK

Voice Specific Features
Protocols Supported: SIP UDP, SIP TCP, SIP TLS, H.323
Control Traffic Pattern: Handset to Server and vice versa
Voice Traffic Pattern: Peer-to-peer (between handsets)
# of Calls per AP Tested: 18 calls (not AP capacity limited)

Aruba Edge Solution Qualification
Qualification Objective
Validate the interoperability of the Ascom i62 with Aruba's wireless LAN infrastructure (version 6.3.1.3).
Network Topology
Settings on the Aruba WLAN
Enable SNMPv2 on the Aruba Mobility Controller, and configure the community string as follows:
The following Aruba Mobility Controller configuration settings are recommended for use with Ascom i62 handsets:
RF Recommended Settings for Ascom
o Beacon Interval: 100 ms
o DTIM Period: 5
o WMM/U-APSD Enabled
o 802.11d Regulatory Domain: Country specific
Encryption and Authentication
o The handset and the WLAN infrastructure support and were tested with WPA/WPA2 enterprise and PSK. Please refer to the Aruba configuration guide for additional information on how the SSIDs and encryption/authentication methods should be configured.
Adaptive Radio Management
o Enable ARM, voice-aware scanning, WMM/U-APSD, and band steering.
User Roles and Policies
o The Ascom phones support SIP and H.323, so enable the voice ACL or the SIP and H.323 ACLs.

Ascom Settings
The following Ascom i62 Handset configuration settings are recommended for use with Aruba Mobility Controllers.
Ascom i62 Configuration:
World Mode Regulatory Domain set to World mode.
IP DSCP for Voice: 0xC0 (46) Expedited Forwarding
IP DSCP for Signaling: 0x68 (26) Assured Forwarding 31
Transmit Gratuitous ARP: Enable
Refer to Appendix A for additional details.

Test Methodology
Summary Test Results
The features and functions listed below were assessed during interoperability testing. The test results are presented in the rightmost column.

WLAN Controller Features
High Level Functionality                             Result
Association, Open with No Encryption                 OK
Association, Open with Static WEP 64/128             Not tested
Association, WPA-PSK, TKIP                           OK
Association, WPA2-PSK, TKIP/AES Encryption           OK
Association, PEAP-MSCHAPv2 Auth., TKIP Encryption    OK
Association, PEAP-MSCHAPv2 Auth., AES Encryption     OK
Association, EAP-TLS                                 OK
Association, Multiple ESSIDs                         OK
Beacon Interval and DTIM Period                      OK
Pre-authentication                                   N/A
PMKSA Caching                                        OK
WPA2-Opportunistic/Proactive Key Caching             OK
WMM Prioritization                                   OK
Active Mode (load test)                              OK
802.11 Power Save Mode                               OK
802.11e U-APSD                                       OK
802.11e U-APSD (load test)                           OK

Roaming
High Level Functionality                         Result
Roaming, Open with No Encryption                 OK (Avg roaming time 24 ms)*
Roaming, WPA-PSK, TKIP Encryption                OK (Avg roaming time 50 ms)*
Roaming, WPA2-PSK, AES Encryption                OK (Avg roaming time 56 ms)*
Roaming, PEAP-MSCHAPv2 Auth, AES Encryption      OK (Avg roaming time 60 ms)*/**
*) Stated roaming times were measured using 802.11bg(n) AP225. Refer to Appendix B for detailed test records.
**) Results observed with Opportunistic Key Caching enabled. Results average 400 ms without Opportunistic Key Caching.

Known Limitations
Minor voice disturbances due to incorrect handling of service period after retransmission. The voice disturbance occurs primarily when BAR (block ack requests) are resent multiple times. AP224/225 only.
Workaround/solution: Use 11bg or 11a (legacy) mode to prevent frame aggregation and BAR frames. Problem is addressed and solved and will be incorporated in the next i62 release.
Note: AP224/225 only. Refer to Ascom ticket 24687 for details.
Note that AP224/225 only supports DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

Conclusion
The verification, including association, authentication, roaming, and load test produced very good results overall. Roaming times were in general good with roaming times of around 40-60 ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).
Load testing showed that more than 16 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that the number of 18 was the maximum number of devices tested and not the capacity limit.

2011 Aruba Networks, Inc. Aruba Networks trademarks include, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, and Green Island. All rights reserved. All other trademarks are the property of their respective owners.
Specifications are subject to change without notice.

Appendix 1
This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to needs of the test cases.
The configuration file is found at the end of this appendix.
General settings (SSID, Radio and QoS)
Set DTIM Interval to 5 (for AP224/335 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.
Ascom recommends disabling the lowest rates and recommends that 11 Mbits is the lowest supported rate.
Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for Voice, 26 for video and 0 for best effort. It is also recommended that Max Transmit Attempts be set to 4.
Note: To further optimize performance it is recommended that 802.11b clients are disallowed from associating by setting the 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.
Set Maximum Transmit Failures to 25.
High throughput enable enables 802.11n capabilities that are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).
Ascom does support both usage of 40 MHz and Very High throughput enabled SSID including 80 MHz channels.
Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities.
General guidelines when deploying Ascom i62 handsets (SW version 2.5.7 or later) in 802.11a/n environments:
1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.
2. Using 40 MHz channels (or channel bonding) will reduce the number of non-DFS* channels to two in ETSI regions (Europe). In FCC regions (North America), 40 MHz is a more viable option because of the availability of additional non-DFS channels. The handset can coexist with 40 MHz stations in the same ESS.
3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to unpredictability introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWiFi deployments.
*) Dynamic Frequency Selection (radar detection)
Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities. For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n, use channels in accordance with Aruba's guidelines and in compliance with local regulations.

Encryption and Authentication Settings
WPA2-PSK. Set the security profile to WPA2-PSK, AES encryption.
Enterprise/.1X authentication.
Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.
Step 2: Create an 802.1X Authentication Profile.
Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.
Choose the configured AAA Profile and set WPA2/AES as the security mode.
See Appendix B for the controller configuration used for the certification process.

Ascom i62 Setting Summary
Network settings for WPA2-PSK
Network settings for .1X authentication (PEAP-MSCHAPv2)
802.1X Authentication requires a root certificate to be uploaded to the phone by right-clicking > Edit certificates. EAP-TLS will require both a root and a client certificate.
Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed. Server certificate validation can be overridden in version 4.1.12 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B
Test Summary
Description              Runs
Tests passed             27
Tests Not Run            6
Tests fail               1 (AP224/225)
Test NA                  1
Total Number of Tests    35
ArubaTestConfigurationFileversion6.3enablesecret"7d3988e20126db68084797bcc038534bffc2ced01c24555806"hostname"Aruba3400"clocktimezonePST8location"Building1.floor1"controllerconfig714ipNATpooldynamicsrcnat0.0.0.00.0.0.0ipaccesslistethvaliduserethaclpermitany!netservicesvcpcoip2tcptcp4172netservicesvcsnmptrapudp162netservicesvcnetbiosdgmudp138netservicesvccitrixtcp2598netservicesvcsmbtcptcp445netservicesvcikeudp500netservicesvcl2tpudp1701netservicesvcsyslogudp514netservicesvcdhcpudp6768algdhcpnetservicesvchttpstcp443netservicesvcicatcp1494netservicesvcpptptcp1723netservicesvctelnettcp23netservicesvchttpaccltcp88netservicesvcsccptcp2000algsccpnetservicesvcsecpapiudp8209netservicesvctftpudp69algtftpnetservicesvckerberosudp88netservicesvcsiptcptcp5060netservicesvcnetbiosssntcp139netservicesvcpcoipudpudp50002netservicesvcpcoiptcptcp50002netservicesvcpop3tcp110netservicesvcadpudp8200netservicesvccfgmtcptcp8211netservicesvcnoeudp32512algnoenetservicesvchttpproxy3tcp8888netservicesvclpdtcptcp631netservicesvcmsrpctcptcp135139netservicesvcrtsptcp554algrtspnetservicesvcdnsudp53algdnsnetservicevnctcp59005905netservicesvcvoceraudp5002algvoceranetservicesvch323tcptcp1720netservicesvch323udpudp17181719netservicesvchttptcp80netservicesvcntermtcp10261028netservicesvcsipudpudp5060netservicesvchttpproxy2tcp8080netservicesvcnoeoxoudp5000algnoenetservicesvcpapiudp8211netservicesvcftptcp21algftpnetservicesvcnattudp4500netservicesvcsvp119algsvpnetservicesvcmicrosoftdstcp445netservicesvcgre47netservicesvcsmtptcp25netservicewebtcplist"80443"netservicesvcsmbudpudp445netservicesvcsipstcp5061algsipsnetservicesvcnetbiosnsudp137netservicesvcesp50
netservicesvccupstcp515netservicesvcpcoip2udpudp4172netservicesvcbootpudp6769netservicesvcsnmpudp161netservicesvcv6dhcpudp546547netservicesvcicmp1netservicesvcntpudp123netservicesvcmsrpcudpudp135139netservicesvcsshtcp22netservicesvchttpproxy1tcp3128netservicesvcv6icmp58netservicesvclpdudpudp631netservicesvcvmwarerdptcp3389netdestination6ipv6reservedrangeinvertnetwork2000::/3!netexthdrdefault!timerangenighthoursperiodicweekday18:01to23:59weekday00:00to07:59!timerangeweekendperiodicweekend00:00to23:59!timerangeworkinghoursperiodicweekday08:00to18:00!ipaccesslistsessionallowdiskservicesanyanysvcnetbiosdgmpermitanyanysvcnetbiosssnpermitanyanysvcmicrosoftdspermitanyanysvcnetbiosnspermit!ipaccesslistsessioncontrolanyanysvcpapipermitanyanysvcsecpapipermituseranyudp68denyanyanysvcicmppermitanyanysvcdnspermitanyanysvccfgmtcppermitanyanysvcadppermitanyanysvctftppermitanyanysvcdhcppermitanyanysvcnattpermit!ipaccesslistsessionv6icmpacl!ipaccesslistsessionvalidusernetwork169.254.0.0255.255.0.0anyanydenynetwork127.0.0.0255.0.0.0anyanydenynetwork224.0.0.0240.0.0.0anyanydenyhost255.255.255.255anyanydenynetwork240.0.0.0240.0.0.0anyanydenyanyanyanypermitipv6hostfe80::anyanydenyipv6networkfc00::/7anyanypermitipv6networkfe80::/64anyanypermitipv6aliasipv6reservedrangeanyanydenyipv6anyanyanypermit!ipaccesslistsessionvoceraaclanyanysvcvocerapermitqueuehigh!ipaccesslistsessionv6httpsacl
!ipaccesslistsessionvmwareaclanyanysvcvmwarerdppermittos46dot1ppriority6anyanysvcpcoiptcppermittos46dot1ppriority6anyanysvcpcoipudppermittos46dot1ppriority6anyanysvcpcoip2tcppermittos46dot1ppriority6anyanysvcpcoip2udppermittos46dot1ppriority6!ipaccesslistsessionv6controlipv6anyanysvcpapipermitipv6anyanysvcsecpapipermitipv6useranyudp547denyipv6anyanysvcv6icmppermitipv6anyanysvcdnspermitipv6anyanysvccfgmtcppermitipv6anyanysvcadppermitipv6anyanysvctftppermitipv6anyanysvcdhcppermitipv6anyanysvcnattpermit!ipaccesslistsessionicmpaclanyanysvcicmppermit!ipaccesslistsessioncaptiveportaluseraliascontrollersvchttpsdstnat8081useranysvchttpdstnat8080useranysvchttpsdstnat8081useranysvchttpproxy1dstnat8088useranysvchttpproxy2dstnat8088useranysvchttpproxy3dstnat8088!ipaccesslistsessionv6dhcpacl!ipaccesslistsessionallowallanyanyanypermit!ipaccesslistsessionv6dnsacl!ipaccesslistsessionlyncaclanyanysvcsipspermitqueuehigh!ipaccesslistsessiontest!ipaccesslistsessionsipaclanyanysvcsipudppermitqueuehighanyanysvcsiptcppermitqueuehigh!ipaccesslistsessionhttpsaclanyanysvchttpspermit!ipaccesslistsessioncitrixaclanyanysvccitrixpermittos46dot1ppriority6anyanysvcicapermittos46dot1ppriority6!ipaccesslistsessiondnsaclanyanysvcdnspermit!ipaccesslistsessionascomanyanyanypermit!ipaccesslistsessionraguardipv6useranyicmpv6rtradvdeny!ipaccesslistsessionallowprintservicesanyanysvccupspermitanyanysvclpdtcppermit
anyanysvclpdudppermit!ipaccesslistsessionlogoncontroluseranyudp68denyanyanysvcicmppermitanyanysvcdnspermitanyanysvcdhcppermitanyanysvcnattpermitanynetwork169.254.0.0255.255.0.0anydenyanynetwork240.0.0.0240.0.0.0anydeny!ipaccesslistsessionvpnlogonuseranysvcikepermituseranysvcesppermitanyanysvcl2tppermitanyanysvcpptppermitanyanysvcgrepermit!ipaccesslistsessionsrcnatuseranyanysrcnat!ipaccesslistsessionskinnyaclanyanysvcsccppermitqueuehigh!ipaccesslistsessiontftpaclanyanysvctftppermit!ipaccesslistsessionv6allowall!ipaccesslistsessioncplogoutuseraliascontrollersvchttpsdstnat8081!ipaccesslistsessiondhcpaclanyanysvcdhcppermit!ipaccesslistsessionhttpaclanyanysvchttppermit!ipaccesslistsessionv6httpacl!ipaccesslistsessioncaptiveportal6ipv6useraliascontroller6svchttpscaptiveipv6useranysvchttpcaptiveipv6useranysvchttpscaptiveipv6useranysvchttpproxy1captiveipv6useranysvchttpproxy2captiveipv6useranysvchttpproxy3captive!ipaccesslistsessionapuplinkaclanyanyudp68permitanyanysvcicmppermitanyhost224.0.0.251udp5353permit!ipaccesslistsessionapaclanyanysvcgrepermitanyanysvcsyslogpermitanyusersvcsnmppermituseranysvchttppermituseranysvchttpacclpermituseranysvcsmbtcppermituseranysvcmsrpctcppermituseranysvcsnmptrappermituseranysvcntppermituseraliascontrollersvcftppermit!ipaccesslistsessionsvpacl
anyanysvcsvppermitqueuehighuserhost224.0.1.116anypermit!ipaccesslistsessionnoeaclanyanysvcnoepermitqueuehigh!ipaccesslistsessionv6apaclipv6anyanysvcgrepermitipv6anyanysvcsyslogpermitipv6anyusersvcsnmppermitipv6useranysvcsnmptrappermitipv6useranysvcntppermitipv6useraliascontroller6svcftppermit!ipaccesslistsessionh323aclanyanysvch323tcppermitqueuehighanyanysvch323udppermitqueuehigh!ipaccesslistsessionv6logoncontrolipv6anynetworkfc00::/7anypermitipv6anynetworkfe80::/64anypermitipv6anyaliasipv6reservedrangeanydeny!vpndialerdefaultdialerikeauthenticationPRESHARE085bc5a72755c71f779cfff49b5d892e33f7d65ebe691ad8!dot1xhighwatermark60dot1xlowwatermark57userroleaproleaccesslistsessionraguardaccesslistsessioncontrolaccesslistsessionapaclaccesslistsessionv6controlaccesslistsessionv6apacl!userroledenyall!userroledefaultvpnroleaccesslistsessionraguardaccesslistsessionallowallaccesslistsessionv6allowall!userrolecpbase!userrolevoiceaccesslistsessionraguardaccesslistsessionsipaclaccesslistsessionnoeaclaccesslistsessionsvpaclaccesslistsessionvoceraaclaccesslistsessionskinnyaclaccesslistsessionh323aclaccesslistsessiondhcpaclaccesslistsessiontftpaclaccesslistsessiondnsaclaccesslistsessionicmpacl!userroleascomaccesslistsessionascom!userroledefaultviaroleaccesslistsessionallowallaccesslistsessionv6allowall!userroleguestlogoncaptiveportal"default"
accesslistsessionraguardaccesslistsessionlogoncontrolaccesslistsessioncaptiveportalaccesslistsessionv6logoncontrolaccesslistsessioncaptiveportal6!userroleguestaccesslistsessionraguardaccesslistsessionhttpaclaccesslistsessionhttpsaclaccesslistsessiondhcpaclaccesslistsessionicmpaclaccesslistsessiondnsaclaccesslistsessionv6httpaclaccesslistsessionv6httpsaclaccesslistsessionv6dhcpaclaccesslistsessionv6icmpaclaccesslistsessionv6dnsacl!userrolestatefuldot1x!userroleauthenticatedaccesslistsessionraguardaccesslistsessionallowallaccesslistsessionv6allowall!userrolelogonaccesslistsessionraguardaccesslistsessionlogoncontrolaccesslistsessioncaptiveportalaccesslistsessionvpnlogonaccesslistsessionv6logoncontrolaccesslistsessioncaptiveportal6!!interfacemgmt
shutdown!dialergroupevdo_usinitstringATQ0V1E0dialstringATDT#777!dialergroupgsm_usinitstringAT+CGDCONT=1,"IP","ISP.CINGULAR"dialstringATD*99#!dialergroupgsm_asiainitstringAT+CGDCONT=1,"IP","internet"dialstringATD*99***1#!dialergroupvivo_brinitstringAT+CGDCONT=1,"IP","zap.vivo.com.br"dialstringATD*99#!nospanningtreeinterfacegigabitethernet1/0
description"GE1/0" trusted
trustedvlan14094!interfacegigabitethernet1/1 description"GE1/1"
trusted trustedvlan14094!interfacegigabitethernet1/2
description"GE1/2" trusted
trustedvlan14094!interfacegigabitethernet1/3 description"GE1/3"
trusted trustedvlan14094!interfacevlan1
ipaddress192.168.0.13255.255.255.0!ipdefaultgateway172.20.106.1ipdefaultgateway192.168.0.50uplinkdisableapmeshrecoveryprofileclusterRecovery3YY7svy9npuyoWT2wpahexkeyd25a708d7d02f5ec290fd3f63c7469a82956f320e49128942716f6e08bd3aeeb42497de39eef46f812270211997d9c92de5bf2af6fea707e475e6429147af7ab955f0b3a8ad44819aee39f97fd035ac9cryptoisakmppolicy20encryptionaes256!cryptoipsectransformsetdefaultbocbmtransformesp3desespshahmaccryptoipsectransformsetdefaultraptransformespaes256espshahmaccryptoipsectransformsetdefaultaesespaes256espshahmaccryptodynamicmapdefaultdynamicmap10000settransformset"defaulttransform""defaultaes"!cryptoisakmpeappassthrougheaptlscryptoisakmpeappassthrougheappeapcryptoisakmpeappassthrougheapmschapv2vpdngroupl2tp!!vpdngrouppptp!tunnelednodeaddress0.0.0.0adpdiscoveryenableadpigmpjoinenableadpigmpvlan0
voicertcpinactivitydisablevoicealgbasedcacenablevoicesipmidcallreqtimeoutdisableapapblacklisttime3600apflushr1onnewr0disablemgmtuseradminroot5436b5a101681372db26d314e974065944317cd3e1fe6a5534nodatabasesynchronizeipmobiledomaindefault!!!airgroup"enable"!airgrouplocationdiscovery"enable"!!airgroupactivewirelessdiscovery"disable"!airgroupservice"airplay"id"_airplay._tcp"id"_raop._tcp"id"_appletvv2._tcp"description"AirPlay"!airgroupservice"airprint"id"_ipp._tcp"id"_pdldatastream._tcp"id"_printer._tcp"id"_scanner._tcp"id"_universal._sub._ipp._tcp"id"_universal._sub._ipps._tcp"id"_printer._sub._http._tcp"id"_http._tcp"id"_httpalt._tcp"id"_ipptls._tcp"id"_faxipp._tcp"id"_riousbprint._tcp"id"_cups._sub._ipp._tcp"id"_cups._sub._faxipp._tcp"id"_icanetworking._tcp"id"_ptp._tcp"id"_canonbjnp1._tcp"id"_ipps._tcp"id"_icanetworking2._tcp"description"AirPrint"!airgroupservice"itunes"id"_homesharing._tcp"id"_applemobdev._tcp"id"_daap._tcp"id"_dacp._tcp"description"iTunes"!airgroupservice"remotemgmt"id"_ssh._tcp"id"_sftpssh._tcp"id"_ftp._tcp"id"_telnet._tcp"id"_rfb._tcp"id"_netassistant._tcp"
description"Remotemanagement"!airgroupservice"sharing"id"_odisk._tcp"id"_afpovertcp._tcp"id"_xgrid._tcp"description"Sharing"!airgroupservice"chat"id"_presence._tcp"description"Chat"!airgroupservice"allowall"description"RemainingServices"!airgroupservice"airplay"enable!airgroupservice"airprint"enable!airgroupservice"itunes"disable!airgroupservice"remotemgmt"disable!airgroupservice"sharing"disable!airgroupservice"chat"disable!airgroupservice"allowall"disable!ipigmp!ipv6mld!nofirewallattackratecp1024ipv6firewallexthdrparselen100!!firewallcp!ipdomainlookup!countryUSaaaauthenticationmac"default"!aaaauthenticationdot1x"ArubaIntopdot1x_prof"!aaaauthenticationdot1x"ascom"machineauthenticationenablemachineauthenticationmachinedefaultrole"ascom"machineauthenticationuserdefaultrole"authenticated"reauthenticationterminationenableterminationeaptypeeappeapterminationinnereaptypeeapmschapv2!aaaauthenticationdot1x"default"!aaaauthenticationdot1x"Freeradius"machineauthenticationenablemachineauthenticationmachinedefaultrole"ascom"machineauthenticationuserdefaultrole"authenticated"
!aaaauthenticationserverradius"Intop"host"192.168.0.2"keybbdf593b6398e54784c19d823672ab7d!aaaservergroup"ascom"authserverInternal!aaaservergroup"default"authserverInternalsetroleconditionrolevalueof!aaaservergroup"intop"authserverIntop!aaaprofile"ascom"initialrole"ascom"authenticationdot1x"ascom"dot1xdefaultrole"authenticated"dot1xservergroup"ascom"!aaaprofile"default"!aaaprofile"defaultdot1x"initialrole"ascom"authenticationdot1x"Freeradius"dot1xdefaultrole"authenticated"dot1xservergroup"intop"!aaaprofile"defaultdot1xpsk"initialrole"ascom"authenticationdot1x"defaultpsk"dot1xdefaultrole"authenticated"!aaaauthenticationcaptiveportal"default"!aaaauthenticationwispr"default"!aaaauthenticationvpn"default"!aaaauthenticationvpn"defaultrap"!aaaauthenticationmgmt!aaaauthenticationstatefulntlm"default"!aaaauthenticationstatefulkerberos"default"!aaaauthenticationstatefuldot1xservergroup"intop"!aaaauthenticationwired!webserver!guestaccessemail!voicelogging!voicedialplanprofile"default"!voicerealtimeconfig!voicesip!aaapasswordpolicymgmt
!controlplanesecuritynocpsecenable!idswmsgeneralprofilepollretries3!idswmslocalsystemprofile!validnetworkouiprofile!upgradeprofile!licenseprofile!activateservicewhitelist!ifmapcppm!apsystemprofile"default"!apregulatorydomainprofile"default"countrycodeUSvalid11gchannel1valid11gchannel6valid11gchannel11valid11achannel36valid11achannel40valid11achannel44valid11achannel48valid11achannel149valid11achannel153valid11achannel157valid11achannel161valid11achannel165valid11g40mhzchannelpair15valid11g40mhzchannelpair711valid11a40mhzchannelpair3640valid11a40mhzchannelpair4448valid11a40mhzchannelpair149153valid11a40mhzchannelpair157161!apwiredapprofile"default"!apenetlinkprofile"default"!apmeshhtssidprofile"default"!aplldpmednetworkpolicyprofile"default"!apmeshclusterprofile"default"!aplldpprofile"default"!apmeshradioprofile"default"!apwiredportprofile"default"!idsgeneralprofile"default"!idsunauthorizeddeviceprofile"default"!idsprofile"default"!rfarmprofile"default"assignmentdisable
!rfarmprofile"disable"assignmentdisablenoscanningnomultibandscan!rfoptimizationprofile"default"!rfeventthresholdsprofile"default"!rfamscanprofile"default"!rfdot11aradioprofile"ch36"channel36Etxpower12dot11harmprofile"disable"!rfdot11aradioprofile"ch40"channel40txpower50!rfdot11aradioprofile"ch149"channel149Etxpower13!rfdot11aradioprofile"ch44"channel44txpower16!rfdot11aradioprofile"default"armprofile"disable"!rfdot11gradioprofile"channel1"channel1txpower13dot11harmprofile"disable"!rfdot11gradioprofile"channel11"channel11txpower30dot11harmprofile"disable"!rfdot11gradioprofile"channel6"channel6txpower16dot11harmprofile"disable"!rfdot11gradioprofile"default"!wlanhandovertriggerprofile"default"!wlanrrmieprofile"default"!wlanbcnrptreqprofile"default"!wlandot11rprofile"default"!wlantsmreqprofile"default"!wlanvoipcacprofile"default"calladmissioncontrolbandwidthcapacity1200
callhandoffreservation30!wlanhtssidprofile"default"!wlanhotspotanqpvenuenameprofile"default"!wlanhotspotanqpnwkauthprofile"default"!wlanhotspotanqproamconsprofile"default"!wlanhotspotanqpnairealmprofile"default"!wlanhotspotanqp3gppnwkprofile"default"!wlanhotspoth2qpoperatorfriendlynameprofile"default"!wlanhotspoth2qpwanmetricsprofile"default"!wlanhotspoth2qpconncapabilityprofile"default"!wlanhotspoth2qpopclprofile"default"!wlanhotspotanqpipaddravailprofile"default"!wlanhotspotanqpdomainnameprofile"default"!wlanwmmtrafficmanagementprofile"Ascom"enableshaping!wlanedcaparametersprofilestation"default"voiceaifsn2ecwmin2ecwmax3txop47acm1!wlanedcaparametersprofileap"default"voiceaifsn1ecwmin2ecwmax3txop47acm1!wlandot11kprofile"default"!wlanssidprofile"NEW"essid"ArubaIntop2"wmmvodscp"56"wmmvidscp"40"wmmbedscp"24"wmmbkdscp"8"!wlanssidprofile"default"essid"ArubaIntop"opmodewpa2pskaesdtimperiod5gbasicrates6gtxrates121824364854maxretries4wmmwmmvodscp"46"wmmvidscp"40"wmmbedscp"26"wmmbkdscp"0"wepkey114ceffb539b44c2c4e50928edbe578b3efe117c19e0d93c5wpapassphrasee4069775e5237233abf77e826c95ba34cd6816b8b43f6d2cmaxtxfail25edcaparametersprofilestation"default"edcaparametersprofileap"default"!wlanssidprofile"test"opmodewpa2pskaeswmmvodscp"56"wmmvidscp"40"
-
DeployingAscomsi62VoWiFihandsetwithArubaNetworksSecureMobilitySolution
33
wmmbedscp"24"wmmbkdscp"8"wpapassphrase01f99aa9676847ef32e5781a52a9dccc5c33204e22e1a4b6!wlanhotspotadvertisementprofile"default"!wlanhotspoths2profile"default"!wlanvirtualap"default"aaaprofile"defaultdot1x"!approvisioningprofile"default"!rfarmrfdomainprofilearmrfdomainkey"49868e8b02680a8f03980ea4288197a4"!apgroup"default"virtualap"default"dot11aradioprofile"ch40"dot11gradioprofile"channel6"!apname"00:1a:1e:ca:2c:1a"dot11aradioprofile"ch36"dot11gradioprofile"channel11"!apname"00:1a:1e:ca:2c:76"dot11aradioprofile"ch36"dot11gradioprofile"channel1"!apname"00:24:6c:cb:f8:b1"!apname"00:24:6c:cb:f9:00"dot11aradioprofile"ch44"dot11gradioprofile"channel11"!apname"24:de:c6:ca:ca:bc"dot11aradioprofile"ch149"dot11gradioprofile"channel1"!apname"3400ap61a"dot11gradioprofile"channel6"!apname"3400ap61b"dot11gradioprofile"channel6"!apname"9c:1c:12:c0:c3:bc"dot11aradioprofile"ch36"dot11gradioprofile"channel6"!apname"d8:c7:c8:c0:a1:68"dot11aradioprofile"ch36"dot11gradioprofile"channel1"!airgroupcppmserveraaa!logginglevelwarningssecuritysubcatidslogginglevelwarningssecuritysubcatidsapsnmpserverenabletrapfirewallvisibilityprocessmonitorlogend
WLAN TR
WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.1.30
Test object - WLAN system: Aruba 3400, version 6.3.1.3; AP110, 225, 105, 135

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (Auto/WMM)
No Auto-tune
Single Voice VLAN

| Test case | Description | Verdict AP110 2.4GHz | Verdict AP110 5.0GHz | Verdict AP225 2.4GHz | Verdict AP225 5.0GHz | Verdict AP105 2.4GHz | Verdict AP105 5.0GHz | Verdict AP135 2.4GHz | Verdict AP135 5.0GHz | Comment |
|---|---|---|---|---|---|---|---|---|---|---|
| TEST AREA ASSOCIATION / AUTHENTICATION | | | | | | | | | | |
| #101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | |
| #104 | Association with WPA-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | |
| #105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| #106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| #107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | |
| #110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | FreeRadius FAIL |
| #115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | See Comment |
| #116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | FreeRadius |
| TEST AREA POWER-SAVE AND QOS | | | | | | | | | | PASS |
| #150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | FAIL |
| #151 | Beacon period and DTIM interval | PASS | PASS | See Comment | See Comment | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 available on AP225 NOT TESTED |
| #152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | See Comment |
| #202 | WMM prioritization | PASS | PASS | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA "PERFORMANCE" | | | | | | | | | | |
| #301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | 18 handsets in call on 1 AP |
| #303 | Active mode encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | 18 handsets in call on 1 AP |
| #308 | Power-save mode U-APSD WPA2-PSK | PASS | PASS | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | 18 handsets in call on 1 AP |
| #309 | Power-save mode U-APSD WPA2-PSK / AES, background load | PASS | PASS | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | 18 handsets in call on 1 AP |
| #310 | CAC - TSPEC | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | |
| TEST AREA ROAMING AND HANDOVER TIMES | | | | | | | | | | |
| #401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | 110: an:16ms bgn:25ms; 225: an:15ms bgn:24ms |
| #403 | Handover with WPA-PSK authentication and TKIP encryption | PASS | PASS | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | 110: an:42ms bgn:51ms; 225: an:50ms bgn:50ms |
| #404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | 110: an:51ms bgn:49ms; 225: an:52ms bgn:55ms; 105: an:55ms bgn:51; 135: an:51ms bgn:53 |
| #408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | 110: an:57ms bgn:48ms; 225: an:52ms bgn:60ms; 105: an:55ms bgn:68; 135: an:57ms bgn:62 |
| #410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | See #408, PMKSA always on |
| #411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | See #408, OKC always on |
| #412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA BATTERY LIFETIME | | | | | | | | | | |
| #501 | Battery lifetime in idle | PASS | PASS | See Comment | See Comment | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | AP115: 80-100h (DTIM 5), AP225: approx 60h idle (DTIM1 limitation) |
| #502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | 3-4h |
| #504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | 11-13h |
| TEST AREA STABILITY | | | | | | | | | | |
| #601 | Duration of call Active mode | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | 24h + call maintained |
| #602 | Duration of call U-APSD mode | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | 24h + call maintained |
| TEST AREA 802.11n | | | | | | | | | | |
| #801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| #802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| #804 | 40MHz channels | See Comment | PASS | See Comment | PASS | See Comment | PASS | See Comment | PASS | N/A for 2.4GHz band. 225: 80MHz ch verified. Otherwise 20/40MHz |
| #805 | 802.11n rates | PASS | PASS | FAIL | FAIL | PASS | PASS | PASS | PASS | Issues with BAR not being received. Refer to Ascom ticket 24687 |

version 6.3
enable secret "7d3988e20126db68084797bcc038534bffc2ced01c24555806"
hostname "Aruba3400"
clock timezone PST -8
location "Building1.floor1"
controller config 714
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
   permit any
!
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list "80 443"
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50
netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
   invert
   network 2000::/3
!
netexthdr default
!
time-range night-hours periodic
   weekday 18:01 to 23:59
   weekday 00:00 to 07:59
!
time-range weekend periodic
   weekend 00:00 to 23:59
!
time-range working-hours periodic
   weekday 08:00 to 18:00
!
ip access-list session allow-diskservices
   any any svc-netbios-dgm permit
   any any svc-netbios-ssn permit
   any any svc-microsoft-ds permit
   any any svc-netbios-ns permit
!
ip access-list session control
   any any svc-papi permit
   any any svc-sec-papi permit
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
!
ip access-list session v6-icmp-acl
!
ip access-list session validuser
   network 169.254.0.0 255.255.0.0 any any deny
   network 127.0.0.0 255.0.0.0 any any deny
   network 224.0.0.0 240.0.0.0 any any deny
   host 255.255.255.255 any any deny
   network 240.0.0.0 240.0.0.0 any any deny
   any any any permit
   ipv6 host fe80:: any any deny
   ipv6 network fc00::/7 any any permit
   ipv6 network fe80::/64 any any permit
   ipv6 alias ipv6-reserved-range any any deny
   ipv6 any any any permit
!
ip access-list session vocera-acl
   any any svc-vocera permit queue high
!
ip access-list session v6-https-acl
!
ip access-list session vmware-acl
   any any svc-vmware-rdp permit tos 46 dot1p-priority 6
   any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip-udp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
!
ip access-list session v6-control
   ipv6 any any svc-papi permit
   ipv6 any any svc-sec-papi permit
   ipv6 user any udp 547 deny
   ipv6 any any svc-v6-icmp permit
   ipv6 any any svc-dns permit
   ipv6 any any svc-cfgm-tcp permit
   ipv6 any any svc-adp permit
   ipv6 any any svc-tftp permit
   ipv6 any any svc-dhcp permit
   ipv6 any any svc-natt permit
!
ip access-list session icmp-acl
   any any svc-icmp permit
!
ip access-list session captiveportal
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
!
ip access-list session v6-dhcp-acl
!
ip access-list session allowall
   any any any permit
!
ip access-list session v6-dns-acl
!
ip access-list session lync-acl
   any any svc-sips permit queue high
!
ip access-list session test
!
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
!
ip access-list session https-acl
   any any svc-https permit
!
ip access-list session citrix-acl
   any any svc-citrix permit tos 46 dot1p-priority 6
   any any svc-ica permit tos 46 dot1p-priority 6
!
ip access-list session dns-acl
   any any svc-dns permit
!
ip access-list session ascom
   any any any permit
!
ip access-list session ra-guard
   ipv6 user any icmpv6 rtr-adv deny
!
ip access-list session allow-printservices
   any any svc-cups permit
   any any svc-lpd-tcp permit
   any any svc-lpd-udp permit
!
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
   any network 169.254.0.0 255.255.0.0 any deny
   any network 240.0.0.0 240.0.0.0 any deny
!
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
!
ip access-list session srcnat
   user any any src-nat
!
ip access-list session skinny-acl
   any any svc-sccp permit queue high
!
ip access-list session tftp-acl
   any any svc-tftp permit
!
ip access-list session v6-allowall
!
ip access-list session cplogout
   user alias controller svc-https dst-nat 8081
!
ip access-list session dhcp-acl
   any any svc-dhcp permit
!
ip access-list session http-acl
   any any svc-http permit
!
ip access-list session v6-http-acl
!
ip access-list session captiveportal6
   ipv6 user alias controller6 svc-https captive
   ipv6 user any svc-http captive
   ipv6 user any svc-https captive
   ipv6 user any svc-http-proxy1 captive
   ipv6 user any svc-http-proxy2 captive
   ipv6 user any svc-http-proxy3 captive
!
ip access-list session ap-uplink-acl
   any any udp 68 permit
   any any svc-icmp permit
   any host 224.0.0.251 udp 5353 permit
!
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-http permit
   user any svc-http-accl permit
   user any svc-smb-tcp permit
   user any svc-msrpc-tcp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
!
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 224.0.1.116 any permit
!
ip access-list session noe-acl
   any any svc-noe permit queue high
!
ip access-list session v6-ap-acl
   ipv6 any any svc-gre permit
   ipv6 any any svc-syslog permit
   ipv6 any user svc-snmp permit
   ipv6 user any svc-snmp-trap permit
   ipv6 user any svc-ntp permit
   ipv6 user alias controller6 svc-ftp permit
!
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
!
ip access-list session v6-logon-control
   ipv6 any network fc00::/7 any permit
   ipv6 any network fe80::/64 any permit
   ipv6 any alias ipv6-reserved-range any deny
!
vpn-dialer default-dialer
   ike authentication PRE-SHARE 085bc5a72755c71f779cfff49b5d892e33f7d65ebe691ad8
!
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
   access-list session ra-guard
   access-list session control
   access-list session ap-acl
   access-list session v6-control
   access-list session v6-ap-acl
!
user-role denyall
!
user-role default-vpn-role
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
!
user-role cpbase
!
user-role voice
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
!
user-role ascom
   access-list session ascom
!
user-role default-via-role
   access-list session allowall
   access-list session v6-allowall
!
user-role guest-logon
   captive-portal "default"
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
!
user-role guest
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
!
user-role stateful-dot1x
!
user-role authenticated
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
!
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control
   access-list session captiveportal6
!
!
interface mgmt
   shutdown
!
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT#777
!
dialer group gsm_us
   init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
   dial-string ATD*99#
!
dialer group gsm_asia
   init-string AT+CGDCONT=1,"IP","internet"
   dial-string ATD*99***1#
!
dialer group vivo_br
   init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
   dial-string ATD*99#
!
no spanning-tree
interface gigabitethernet 1/0
   description "GE1/0"
   trusted
   trusted vlan 1-4094
!
interface gigabitethernet 1/1
   description "GE1/1"
   trusted
   trusted vlan 1-4094
!
interface gigabitethernet 1/2
   description "GE1/2"
   trusted
   trusted vlan 1-4094
!
interface gigabitethernet 1/3
   description "GE1/3"
   trusted
   trusted vlan 1-4094
!
interface vlan 1
   ip address 192.168.0.13 255.255.255.0
!
ip default-gateway 172.20.106.1
ip default-gateway 192.168.0.50
uplink disable
ap mesh-recovery-profile cluster Recovery3YY7svy9npuyoWT2 wpa-hexkey d25a708d7d02f5ec290fd3f63c7469a82956f320e49128942716f6e08bd3aeeb42497de39eef46f812270211997d9c92de5bf2af6fea707e475e6429147af7ab955f0b3a8ad44819aee39f97fd035ac9
crypto isakmp policy 20
   encryption aes256
!
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
   set transform-set "default-transform" "default-aes"
!
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
!
!
vpdn group pptp
!
tunneled-node-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
!
!
!
airgroup "enable"
!
airgroup location-discovery "enable"
!
!
airgroup active-wireless-discovery "disable"
!
airgroupservice "airplay"
   id "_airplay._tcp"
   id "_raop._tcp"
   id "_appletv-v2._tcp"
   description "AirPlay"
!
airgroupservice "airprint"
   id "_ipp._tcp"
   id "_pdl-datastream._tcp"
   id "_printer._tcp"
   id "_scanner._tcp"
   id "_universal._sub._ipp._tcp"
   id "_universal._sub._ipps._tcp"
   id "_printer._sub._http._tcp"
   id "_http._tcp"
   id "_http-alt._tcp"
   id "_ipp-tls._tcp"
   id "_fax-ipp._tcp"
   id "_riousbprint._tcp"
   id "_cups._sub._ipp._tcp"
   id "_cups._sub._fax-ipp._tcp"
   id "_ica-networking._tcp"
   id "_ptp._tcp"
   id "_canon-bjnp1._tcp"
   id "_ipps._tcp"
   id "_ica-networking2._tcp"
   description "AirPrint"
!
airgroupservice "itunes"
   id "_home-sharing._tcp"
   id "_apple-mobdev._tcp"
   id "_daap._tcp"
   id "_dacp._tcp"
   description "iTunes"
!
airgroupservice "remotemgmt"
   id "_ssh._tcp"
   id "_sftp-ssh._tcp"
   id "_ftp._tcp"
   id "_telnet._tcp"
   id "_rfb._tcp"
   id "_net-assistant._tcp"
   description "Remote management"
!
airgroupservice "sharing"
   id "_odisk._tcp"
   id "_afpovertcp._tcp"
   id "_xgrid._tcp"
   description "Sharing"
!
airgroupservice "chat"
   id "_presence._tcp"
   description "Chat"
!
airgroupservice "allowall"
   description "Remaining-Services"
!
airgroup service "airplay" enable
!
airgroup service "airprint" enable
!
airgroup service "itunes" disable
!
airgroup service "remotemgmt" disable
!
airgroup service "sharing" disable
!
airgroup service "chat" disable
!
airgroup service "allowall" disable
!
ip igmp
!
ipv6 mld
!
no firewall attack-rate cp 1024
ipv6 firewall ext-hdr-parse-len 100
!
!
firewall cp
!
ip domain lookup
!
country US
aaa authentication mac "default"
!
aaa authentication dot1x "ArubaIntop-dot1x_prof"
!
aaa authentication dot1x "ascom"
   machine-authentication enable
   machine-authentication machine-default-role "ascom"
   machine-authentication user-default-role "authenticated"
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
!
aaa authentication dot1x "default"
!
aaa authentication dot1x "Freeradius"
   machine-authentication enable
   machine-authentication machine-default-role "ascom"
   machine-authentication user-default-role "authenticated"
!
aaa authentication-server radius "Intop"
   host "192.168.0.2"
   key bbdf593b6398e54784c19d823672ab7d
!
aaa server-group "ascom"
   auth-server Internal
!
aaa server-group "default"
   auth-server Internal
   set role condition role value-of
!
aaa server-group "intop"
   auth-server Intop
!
aaa profile "ascom"
   initial-role "ascom"
   authentication-dot1x "ascom"
   dot1x-default-role "authenticated"
   dot1x-server-group "ascom"
!
aaa profile "default"
!
aaa profile "default-dot1x"
   initial-role "ascom"
   authentication-dot1x "Freeradius"
   dot1x-default-role "authenticated"
   dot1x-server-group "intop"
!
aaa profile "default-dot1x-psk"
   initial-role "ascom"
   authentication-dot1x "default-psk"
   dot1x-default-role "authenticated"
!
aaa authentication captive-portal "default"
!
aaa authentication wispr "default"
!
aaa authentication vpn "default"
!
aaa authentication vpn "default-rap"
!
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
   server-group "intop"
!
aaa authentication wired
!
web-server
!
guest-access-email
!
voice logging
!
voice dialplan-profile "default"
!
voice real-time-config
!
voice sip
!
aaa password-policy mgmt
!
control-plane-security
   no cpsec-enable
!
ids wms-general-profile
   poll-retries 3
!
ids wms-local-system-profile
!
valid-network-oui-profile
!
upgrade-profile
!
license profile
!
activate-service-whitelist
!
ifmap cppm
!
ap system-profile "default"
!
ap regulatory-domain-profile "default"
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap mesh-ht-ssid-profile "default"
!
ap lldp med-network-policy-profile "default"
!
ap mesh-cluster-profile "default"
!
ap lldp profile "default"
!
ap mesh-radio-profile "default"
!
ap wired-port-profile "default"
!
ids general-profile "default"
!
ids unauthorized-device-profile "default"
!
ids profile "default"
!
rf arm-profile "default"
   assignment disable
!
rf arm-profile "disable"
   assignment disable
   no scanning
   no multi-band-scan
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf am-scan-profile "default"
!
rf dot11a-radio-profile "ch 36"
   channel 36E
   tx-power 12
   dot11h
   arm-profile "disable"
!
rf dot11a-radio-profile "ch 40"
   channel 40
   tx-power 50
!
rf dot11a-radio-profile "ch149"
   channel 149E
   tx-power 13
!
rf dot11a-radio-profile "ch44"
   channel 44
   tx-power 16
!
rf dot11a-radio-profile "default"
   arm-profile "disable"
!
rf dot11g-radio-profile "channel-1"
   channel 1
   tx-power 13
   dot11h
   arm-profile "disable"
!
rf dot11g-radio-profile "channel-11"
   channel 11
   tx-power 30
   dot11h
   arm-profile "disable"
!
rf dot11g-radio-profile "channel-6"
   channel 6
   tx-power 16
   dot11h
   arm-profile "disable"
!
rf dot11g-radio-profile "default"
!
wlan handover-trigger-profile "default"
!
wlan rrm-ie-profile "default"
!
wlan bcn-rpt-req-profile "default"
!
wlan dot11r-profile "default"
!
wlan tsm-req-profile "default"
!
wlan voip-cac-profile "default"
   call-admission-control
   bandwidth-capacity 1200
   call-handoff-reservation 30
!
wlan ht-ssid-profile "default"
!
wlan hotspot anqp-venue-name-profile "default"
!
wlan hotspot anqp-nwk-auth-profile "default"
!
wlan hotspot anqp-roam-cons-profile "default"
!
wlan hotspot anqp-nai-realm-profile "default"
!
wlan hotspot anqp-3gpp-nwk-profile "default"
!
wlan hotspot h2qp-operator-friendly-name-profile "default"
!
wlan hotspot h2qp-wan-metrics-profile "default"
!
wlan hotspot h2qp-conn-capability-profile "default"
!
wlan hotspot h2qp-op-cl-profile "default"
!
wlan hotspot anqp-ip-addr-avail-profile "default"
!
wlan hotspot anqp-domain-name-profile "default"
!
wlan wmm-traffic-management-profile "Ascom"
   enable-shaping
!
wlan edca-parameters-profile station "default"
   voice aifsn 2 ecw-min 2 ecw-max 3 txop 47 acm 1
!
wlan edca-parameters-profile ap "default"
   voice aifsn 1 ecw-min 2 ecw-max 3 txop 47 acm 1
!
wlan dot11k-profile "default"
!
wlan ssid-profile "--NEW--"
   essid "ArubaIntop2"
   wmm-vo-dscp "56"
   wmm-vi-dscp "40"
   wmm-be-dscp "24"
   wmm-bk-dscp "8"
!
wlan ssid-profile "default"
   essid "ArubaIntop"
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp "46"
   wmm-vi-dscp "40"
   wmm-be-dscp "26"
   wmm-bk-dscp "0"
   wepkey1 14ceffb539b44c2c4e50928edbe578b3efe117c19e0d93c5
   wpa-passphrase e4069775e5237233abf77e826c95ba34cd6816b8b43f6d2c
   max-tx-fail 25
   edca-parameters-profile station "default"
   edca-parameters-profile ap "default"
!
wlan ssid-profile "test"
   opmode wpa2-psk-aes
   wmm-vo-dscp "56"
   wmm-vi-dscp "40"
   wmm-be-dscp "24"
   wmm-bk-dscp "8"
   wpa-passphrase 01f99aa9676847ef32e5781a52a9dccc5c33204e22e1a4b6
!
wlan hotspot advertisement-profile "default"
!
wlan hotspot hs2-profile "default"
!
wlan virtual-ap "default"
   aaa-profile "default-dot1x"
!
ap provisioning-profile "default"
!
rf arm-rf-domain-profile
   arm-rf-domain-key "49868e8b02680a8f03980ea4288197a4"
!
ap-group "default"
   virtual-ap "default"
   dot11a-radio-profile "ch 40"
   dot11g-radio-profile "channel-6"
!
ap-name "00:1a:1e:ca:2c:1a"
   dot11a-radio-profile "ch 36"
   dot11g-radio-profile "channel-11"
!
ap-name "00:1a:1e:ca:2c:76"
   dot11a-radio-profile "ch 36"
   dot11g-radio-profile "channel-1"
!
ap-name "00:24:6c:cb:f8:b1"
!
ap-name "00:24:6c:cb:f9:00"
   dot11a-radio-profile "ch44"
   dot11g-radio-profile "channel-11"
!
ap-name "24:de:c6:ca:ca:bc"
   dot11a-radio-profile "ch149"
   dot11g-radio-profile "channel-1"
!
ap-name "3400-ap-61-a"
   dot11g-radio-profile "channel-6"
!
ap-name "3400-ap-61-b"
   dot11g-radio-profile "channel-6"
!
ap-name "9c:1c:12:c0:c3:bc"
   dot11a-radio-profile "ch 36"
   dot11g-radio-profile "channel-6"
!
ap-name "d8:c7:c8:c0:a1:68"
   dot11a-radio-profile "ch 36"
   dot11g-radio-profile "channel-1"
!
airgroup cppm-server aaa
!
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
firewall-visibility
process monitor log
end