ProCloud Quick Deployment Guide

Version 3


     

      1. Introduction
      2. Implementation
        1. Locations and Location Groups
        2. Services and Destinations
        3. Roles
        4. Service Set Identifiers (SSIDs)
        5. AP Templates
      3. Useful Links

    Introduction

     

    This document covers quick deployment options for ProCloud installations. This guide will cover what ProCloud administrators should know in order to get their domains set up for WiFi access. The ProCloud service is built on top of ADTRAN's vWLAN software, and therefore many of the vWLAN deployment principles still apply to ProCloud. For this reason, administrators who need more complex features such as 802.1X, Captive Portal, etc. can still use the vWLAN General Deployment Guide.

     

    Each feature should be configured in the order shown in this document.

     

        1. Locations and Location Groups
        2. Services and Destinations
        3. Roles
        4. Service Set Identifiers (SSIDs)
        5. AP Templates

     

    This guide assumes that your ProCloud domain has been activated by your ProStart Project Engineer. During the activation, the Project Engineer will license your APs and assign some default settings. If you have not been provided with the login information for your domain or your APs are not licensed, please follow up with your Project Manager to get a status of your deployment.


    Implementation



    Locations and Location Groups

     

    A location in ProCloud is directly related to the network address, mask, and VLAN tag (when applicable) of a subnet that exists in the network infrastructure. For instance, if a corporate network and guest network are required, these would each have a location in vWLAN corresponding to their particular subnet in the infrastructure.

     

    Best practices suggest that Locations should be created in ProCloud prior to pointing the APs to the ProCloud server, and this includes the native VLANs. However, if the native VLAN is not configured, then each AP will automatically create a corresponding location named vLoc. For instance, when using a single network for wireless access, no locations would need to be manually created if the native VLAN will be used.

     

    Locations in ProCloud are found under Configuration > Role Based Access Control > Locations. To create a location, click Create Location, or click the location name if you need to edit an existing location.

     

    config_wireless_locations.png

     

    Input an appropriate Name for the location, assign the VLAN ID, and input the CIDR (in <ip address>/<bit mask> format, as shown below).

     

    create_location.png

     

    Locations will be INACTIVE until at least one AP discovers that location. You can use the Status > Locations screen to see which locations are ACTIVE and which of the BSAPs have discovered which locations. If a location is not ACTIVE or a BSAP does not appear in the Access Points list, then check the switch configurations to make sure ports have been properly configured to support 802.1Q. Also verify that a DHCP scope has been created for the subnet (see How does location discovery work on the vWLAN? for more details).

     

     

    Services and Destinations

     

     

    ProCloud can control client traffic at the edge of the network by utilizing a firewall process within each AP. In other words, client traffic is not tunneled back to the ProCloud server. Instead, the client traffic is processed locally at the AP. The firewall rules are determined by who a client is and what role they have been assigned. Roles will be discussed in the next section, but services (the protocol being specified) and destinations (IP address or network the traffic is destined for) are building blocks of the firewall rules. ProCloud comes with various default services and destinations. As a ProCloud administrator, you may want to create some additional services and destinations.

     

    Note: If you already have an external firewall configured for these subnets, you may not need to add any additional services and destinations.

     

    Services are protocols and ports. They are located under Configuration > Role Based Access Control > Services. To create a new one, click Create Service at the bottom. Input an appropriate Name for the service. The Protocol drop-down menu will list the supported protocols available. If the protocol selected requires a port number, then fill out the Port field. Add any Notes which might help describe the service, and click Create or Update service.

    create_service.png

     

     

    There are three (3) types of destinations (host, hostname, and network), all of which can be configured under Configuration > Role Based Access Control > Destinations. Click the name of an existing destination to edit it, or choose one of the Create links for the appropriate type.

    destination_examples.png

     

    A destination host is a single IP address, or host, but not a hostname. A destination host is the most basic type. You can configure a Name and Address for destination hosts. The address should be a single IP address.

    destination_host.png

     

    A destination hostname is generally used if configuring a captive portal. For more information, please see the vWLAN General Deployment Guide.

    destination_hostname.png

     

    A Destination Network requires a Name, network Address, and Netmask. The Address must be a valid network address, not a host address, for the Netmask being used. For example, 10.10.10.0 is a valid entry when using 255.255.255.0, but 10.10.10.128 is not. Even though 10.10.10.128 is a valid host address, it is not the network address given the Netmask of 255.255.255.0.

    destination_network.png

     

     

    Roles

     

     

    Roles determine which location a client will be assigned to as well as what access that client will have while using the wireless network. In the most basic configuration, a role will have a 1:1 relationship with an SSID. For instance, the corporate SSID might have a role called “Corporate” allowing full access, while a Guest SSID would have a role called “Guest” allowing access only to the internet or certain web pages.

     

    Note: If you already have an external firewall configured, you may not want to apply additional policies at the AP. In these cases the ProCloud administrator can set the role with a policy that allows any service both ways to any destination.


    To create a role, click Create Role on the Configuration > Role Based Access Control > Roles page.

     

    roles.png

     

    Start off by choosing an appropriate Name and Location for the role. In this example

     

    Roles-Name_Location snip.JPG

     

    Next, the Firewall Rules need to be defined. New firewall rules can be added by clicking Append Firewall Rule, and each row can be moved up or down by clicking and dragging the arrows to the left of each row. Each column is presented as a drop-down menu where defined values or previously configured items can be selected. There is an implicit deny rule at the bottom of the firewall rules, so it is not required to explicitly define a rule for this.

     

    roles02.png

     

    The firewall rules are processed in a top-down fashion, so it is important to keep track of what is being allowed or denied above any additional rules that are configured. For example, if the desire is to deny traffic to a single network, but allow all traffic to any other destination, this can be done by configuring a deny rule first followed by an allow any rule.

    roles03.png
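The top-down processing and implicit deny described above, together with the Destination Network address check from the previous section, as an added example that is not part of the original guide or ADTRAN's software. It is a simplified model: the rule dictionaries, function names, and sample addresses are assumptions made for illustration.

```python
import ipaddress

ANY = "any"

def destination_network(address, netmask):
    """Build a Destination Network; reject a host address such as 10.10.10.128."""
    # strict=True raises ValueError when host bits are set for the given netmask.
    return ipaddress.ip_network(f"{address}/{netmask}", strict=True)

def matches(rule, proto, port, dst_ip):
    """True when the traffic matches both the rule's service and its destination."""
    service, destination = rule["service"], rule["destination"]
    if service != ANY and service != (proto, port):
        return False
    return destination == ANY or ipaddress.ip_address(dst_ip) in destination

def evaluate(rules, proto, port, dst_ip):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for index, rule in enumerate(rules, start=1):
        if matches(rule, proto, port, dst_ip):
            return rule["action"], index
    return "deny", None  # implicit deny at the bottom of every role

def shadowed(rules):
    """1-based positions of rules placed below an any/any rule (never reached)."""
    for index, rule in enumerate(rules, start=1):
        if rule["service"] == ANY and rule["destination"] == ANY:
            return list(range(index + 1, len(rules) + 1))
    return []

# Constructed sample role: block one internal network, allow everything else.
INTERNAL = destination_network("10.10.10.0", "255.255.255.0")
DENY_INTERNAL = {"action": "deny", "service": ANY, "destination": INTERNAL}
ALLOW_ANY = {"action": "allow", "service": ANY, "destination": ANY}
GUEST_ROLE = [DENY_INTERNAL, ALLOW_ANY]   # the order the guide describes
MISORDERED = [ALLOW_ANY, DENY_INTERNAL]   # the deny rule can never match
HTTPS_ONLY = [{"action": "allow", "service": ("tcp", 443), "destination": ANY}]

if __name__ == "__main__":
    for name, role in (("guest", GUEST_ROLE), ("misordered", MISORDERED)):
        print(name, evaluate(role, "tcp", 443, "10.10.10.25"), shadowed(role))
    print("https-only", evaluate(HTTPS_ONLY, "udp", 53, "192.0.2.53"))
```

Running `shadowed` over a role before saving it is a quick way to catch a deny rule that was appended below an allow any rule.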

     

     

    Service Set Identifiers (SSIDs)

     

     

    SSIDs are located under Configuration > Wireless > SSIDs. The Name/ESSID is the most noticeable and familiar aspect of a wireless network. This is the name that will display in a client’s wireless network list. The Broadcast SSID option does not enable/disable the SSID, but rather it hides the SSID.

    ssid01.png

     

    Note: Even though an SSID can be configured such that it does not broadcast, the SSID can still be found through various means. Hiding an SSID does not provide any protection from intruders. It only makes the network hidden to casual users.

     

    Authentication controls access to the network. The Cipher determines how client traffic will be encrypted. For the purposes of this document, WPA2-PSK with AES-CCM is being configured.

    ssid02.png

     

    Note: The Wi-Fi Alliance, which provides certifications for interoperability of Wi-Fi products, maintains strict guidelines for Wi-Fi Protected Access authentication. Adtran strives to follow these guidelines, and therefore WPA or WPA+PSK is not allowed by itself. Also, WPA2 with TKIP only is not allowed. WPA version 1 is still supported so long as it operates in a mixed mode with WPA2.

     

    Note: TKIP only allows data transfer rates up to 54Mbps. The higher data rates provided by 802.11n and 802.11ac cannot be realized using TKIP.


    The Role defines which set of firewall rules is applied to an authenticated user, and it configures the AP to tag the traffic into the correct Location. By default, when a new SSID is created it is assigned to the Un-registered Role until the value is changed. The Un-registered role is a special role that is required for captive portal authentication.

    SSID-Role snip.JPG

     

    If you need more sophisticated authentication such as LDAP, 802.1X, or Captive Portal, please see the vWLAN General Deployment Guide.

     

     

    AP Templates

     

     

    The AP template is the actual BSAP configuration. AP templates can be edited or configured under Configuration > Wireless > AP Templates. For basic deployments, just use the default template as it will be automatically assigned to all APs. You will start by supplying a Name and SSH Password. The default SSH password may have been changed by your Project Engineer. If the default password, blue1socket, does not work, then you can update the password here. The Login Form here will act as a default for all SSIDs unless the SSID has been explicitly configured with a unique form. The DNS Server(s) For NAC Users refers to Un-registered users who must use Captive Portal authentication.

    ap_temp01.png

     

    The AP firmware will be maintained by ADTRAN, and firmware should already be applied to your default AP template. If you are creating a new template, then be sure to select the AP firmware in the AP template. If the firmware is not selected in the template, then the BSAPs or clients may experience degraded service until the BSAP is assigned the correct firmware version. If you do not see any available AP firmware in the drop-down list, then contact ProCloud Support to have them add the AP firmware to your domain.

    ap_temp02.png

     

    After selecting the firmware, confirm the Per Radio Setting fields. The Radio Mode should be set to “AP Mode” to allow client connections. The following settings are recommended.

     

    ap_template_settings.png

     

    Finally, add the SSIDs in the AP template by clicking the plus sign in the right pane of the SSID field and then save the template. Once this is done, you should see a “1” next to the section labeled “Domain Tasks” in the top right corner. Click this link and you will see a domain task asking to update the configuration on the APs. Click this and it will automatically update the APs and wireless service should be configured. Status of the APs, locations, etc. can be checked in the Status section of ProCloud.

     

     

    Useful Links