DT00XTE270EN

The document is a participant's guide for the OmniAccess Stellar WLAN deployment training using OmniVista 2500, outlining objectives, agenda, and training methodology over three days. It emphasizes the importance of proprietary ownership of training materials and provides instructions for accessing eBooks and remote labs. The training covers installation, configuration, and advanced features of the OmniVista 2500 NMS and OmniAccess Stellar APs, along with various technical resources and support options.

Uploaded by

alberth.espinoza
Copyright
© © All Rights Reserved

OMNIACCESS STELLAR WLAN

DEPLOYMENT WITH OMNIVISTA 2500 -


EDITION 33
PARTICIPANT'S GUIDE

The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE.
Proprietary Ownership Declaration
I agree not to copy, produce, reproduce, transfer, distribute, decode and/or modify any
ALE material (including any and all documentation, manuals, software presentation,
student book and software files) made available and/or used as part of the ALE training.
I acknowledge that sharing of any kind of courseware and media used are strictly forbidden
without approval from ALE Training Services.
I represent and warrant that I will not use or not permit to use the courseware and\or
educational tools supplied by ALE to provide trainings in a private capacity or for my
employer or any third party.
I also acknowledge and agree that ALE owns and reserves all copyright in and all other
intellectual property rights relating to the ALE training material (including courseware and
all associated documentation) provided during the training.
I understand that any breach or threat of breach of the above shall entitle ALE to injunctive
and other appropriate equitable relief (without the necessity of proving actual damages),
in addition to whatever remedies ALE may have at law.
Furthermore, I acknowledge and agree that ALE will be entitled to cancel immediately any
and all of my Certifications in case of any breach of the above.

Maintenance – eBook
The eBook is available on the Knowledge Hub training platform. Internet access is required
to download the eBook.
Participants should be informed that they must bring their laptop for the classroom or
virtual session.
In case of an issue when downloading the eBook, the user can open a ticket with the ALE
Welcome Center for assistance.
ALE technical support will be provided on an "AS IS" and "AS AVAILABLE" basis without
warranty of any kind.
OmniVista 2500 NMS &
OmniAccess Stellar WLAN
DT00XTE270

Introduction
Summary
Training Objectives

Organization & Agenda

Training Methodology

Internet Resources

Training Objectives, Organization & Agenda

• OBJECTIVES
• Install & Configure the OmniVista 2500 NMS Server
• Deploy & Configure the OmniAccess Stellar APs in Enterprise Mode
• Create & Configure SSIDs for different types of Users, using different Authentication Methods
• Understand & Configure Advanced Features (Mobility & Roaming, WIPS…)

DURATION & METHODS


• Duration: 3 days

• Methods
- Live Sessions > Theoretical Presentations
- Asynchronous Sessions > Tutored labs, done from a Remote-Labs (R-Labs)

Agenda
DAY 1 Estimated Duration: 8h

Introduction Introduction 9:00 – 9:15

OmniVista 2500 > Solution Overview Live Session 9:15 – 9:45

ALE Remote-Labs > Connection & Reinitialization Lab 9:45 – 10:30

Coffee Break Break 10:30 – 10:45

OmniVista 2500 > Server Installation + AOS Disc. Live Session + Lab 10:45 – 12:45

Lunch Break Break 12:45 – 1:45

OmniAccess Stellar > Portfolio & On Boarding Live Session 1:45 – 2:30

OmniAccess Stellar > Discovery in the OV2500 Live Session + Lab 2:30 – 3:30

Coffee Break Break 3:30 – 3:45

SSID Creation > Employee SSID (UPAM) Live Session + Lab 3:45 – 4:45

SSID Creation > Employee SSID (AD) Live Session 4:45 – 5:15

Agenda
DAY 2 Estimated Duration: 8h

SSID Creation > Guest SSID Live Session + Lab 9:00 – 10:30

Coffee Break Break 10:30 – 10:45

Web Content Filtering Lab 10:45 – 12:00

Lunch Break Break 12:00 – 1:00

SSID Creation > BYOD SSID Live Session + Lab 1:00 – 2:15

Radio Frequency Settings Management Live Session + Lab 2:15 – 3:15

L2 & L3 Roaming Live Session 3:15 – 3:30

Wi-Fi Intrusion & Prevention System (WIPS) Live Session 3:30 – 4:00

Coffee Break Break 4:00 – 4:15

OmniVista Cirrus > Solution Overview Live Session 4:15 – 5:00

Agenda
DAY 3 Estimated Duration: 7h

OmniVista 2500 > Maintenance Live Session + Lab 9:00 – 11:30

Coffee Break Break <10:30 – 10:45>

OmniVista 2500 > Heat Map & Floor Plan Live Session + Lab 11:30 – 12:30

Lunch Break Break 12:30 – 1:30

Mesh Topology Live Session 1:30 – 1:50

Wi-Fi Survey Live Session 1:50 – 2:20

Remote Access Point (RAP) Live Session 2:20 – 2:50

Coffee Break Break 2:50 – 3:00

Internet of Things (IoT) Live Session 3:00 – 3:15

Spacewalkers Live Session 3:15 – 3:30

ProActive Lifecycle Management (PALM) Live Session 3:30 – 3:50

Conclusion & Wrap-Up Conclusion 3:50 – 4:00

Internet Resources

General ALE Websites

ALE Official Website Alcatel-Lucent Enterprise (ALE) Official Website

ALE Knowledge Hub Alcatel-Lucent Enterprise (ALE) Training Platform « Knowledge Hub »

Technical ALE Websites

MyPortal Alcatel-Lucent Enterprise Official Website dedicated to Business Partners

Spacewalkers Community ALE Community (Site & Technical Forum)

OmniSwitch Switches Datasheets Technical Datasheets for each ALE OmniSwitch switch

OmniAccess Stellar Datasheets Technical Datasheets for each ALE OmniAccess Stellar access point

NMS Solutions Datasheets Technical Datasheets for each ALE OmniVista solution

Other Useful Websites


RFC Website containing the official documentation regarding the protocols that will be set up during this training.
OmniAccess Stellar Wireless Lan – Training offer for newcomers

(Diagram: OmniAccess Stellar WLAN course and certification offer (ACFE, ACSE) for the small and medium market segments, full remote or classroom.)



OMNIVISTA 2500 NMS
SOLUTION OVERVIEW

OBJECTIVES
Upon completion of this module,
you will be able to:

• Describe the OmniVista 2500 Purpose


• List the OmniVista 2500 Main Features
INTRODUCTION

• OmniVista 2500
• Network Management System (NMS)
• Unified Management / Monitoring / Provisioning of LAN & WLAN devices:
• ALE OmniSwitch Switches
• ALE OmniAccess Stellar Access Points
• 3rd Party Devices

(Diagram: OMNIVISTA 2500 provisions, manages and maintains ALE OMNISWITCH, ALE STELLAR APS and 3RD PARTY DEVICES)



INSTALLATION & ADMINISTRATION

• Installation
- OmniVista 2500 = Virtual Appliance
- Hypervisors: VMware ESXi, VirtualBox, MS Hyper-V, KVM

• Administration
- Web Interface
HOME PAGE

• Applications
- Accessible via a drop down menu

• Dashboard
- Applications widgets
- OV 2500 Home Page
- Quick overview
- Customizable (add/remove…)
APPLICATIONS

NETWORK: DISCOVERY, TOPOLOGY, AP REGISTRATION, SAA, LOCATOR, NOTIFICATIONS, VM MANAGER, ANALYTICS, APPLICATION VISIBILITY, PROVISIONING, IOT

CONFIGURATION: VLANS, VXLANS, IP MULTICAST, CLI SCRIPTING, POLICYVIEW, SIP, CAPTIVE PORTAL, GROUPS, APP LAUNCH, REPORT, RESOURCE MANAGER

UNIFIED ACCESS: UNIFIED PROFILE, UNIFIED POLICY, MULTIMEDIA SERVICES, PAID ACCOUNT SERVICES

SECURITY: USERS AND USER GROUPS, AUTHENTICATION SERVERS, QUARANTINE MANAGER

ADMINISTRATION: CONTROL PANEL, PREFERENCES, AUDIT, LICENSE, OV SYSTEM HEALTH

UPAM: SUMMARY, AUTHENTICATION, GUEST ACCESS, BYOD ACCESS, SETTINGS

WLAN: SSIDS, WIRELESS INTRUSION PROTECTION SYSTEM (WIPS), RF MANAGEMENT, HEAT MAP, FLOOR PLAN, CLIENT
MAIN FEATURES

• Unified LAN & WLAN Management


• Essential configuration functions
• Simplified user interface

• Device Inventory / Software Update


• Network devices inventory
• Devices backup/restore/update

(Diagram labels: PROVISION, MANAGE, MAINTAIN; BACKUP, RESTORE, UPDATE)
MAIN FEATURES

ADMIN

• Notifications
• Display traps generated by the devices
• Perform an action when receiving urgent /
important traps
(send a mail, run an application, forward the trap…)

• Topology
• Topology view of all the discovered devices
• View information about a specific device
• Perform certain actions
(edit/telnet/reboot a device)
MAIN FEATURES

(Diagram labels: APPLICATION BANDWIDTH, ANALYTICS)

• Analytics
• View of network resources utilization (users, devices, applications)
• Reports generation (usage trends, predictive
analysis of future network utilization…)

• Application Visibility
• Identify and restrict usage of applications
that are used by users (ex. Facebook)
• Uses the DPI feature (Deep Packet Inspection)
MAIN FEATURES

HEAT MAP

FLOOR PLAN

• Floor Plan
• Determine optimal placement of access
points in a location
• Heat Map
• Create & Organize Wi-Fi coverage maps
(“Heat Maps”)
MAIN FEATURES

• Guest Access & BYOD (Bring Your Own Device)
• Secured guest access management
• BYOD: On boarding of employees' devices

• Captive Portal
• Integrated captive portal with credentials management (email, social login, Rainbow...)
• External captive portal redirection

(Diagram labels: CAPTIVE PORTAL; GUESTS; EMPLOYEE DEVICE (BYOD); GUESTS VLAN, RESTRICTED ACCESS; EMPLOYEES VLAN, FULL ACCESS)
MAIN FEATURES

• High Availability
• 1 OV2500 Master / 1 OV2500 Standby
• Avoid loss of service

• Internet of Things (IoT)
• Automatic discovery of all IoT devices across the network
• Virtual network segmentation
• Information on each IoT device connected (device type, vendor, network location…)
• Real-time and historical summary of IoT activity

(Diagram labels: MASTER, STANDBY; VLAN + RULES « CAMERAS »; VLAN + RULES « DOOR LOCKS »)
MAIN FEATURES

3RD PARTY APPLICATION


OMNIVISTA 2500

• Troubleshooting
• Embedded troubleshooting tools
• Rapid isolation of network issues

• APIs
• Northbound RESTful APIs
• Integration of network management functions
with 3rd party ecosystem application
THANK YOU

Stellar OmniAccess WLAN
Connection & Use of the Stellar Remote Lab

Objectives
✓ Learn how to connect to the Stellar Remote Lab (R-Lab)
✓ Discover the equipment available in the Stellar Remote Lab (R-Lab)

Contents
1 Connecting to the Remote Desktop
1.1. Connection Method
1.2. Rlab access URL:
2 Discovering the Remote Lab Environment
2.1. Topology of the Stellar Remote Lab Pod
2.2. Switch/Access Point Console
2.3. Wi-Fi Client


1 Connecting to the Remote Desktop


This document lists the accounts, per POD, to use to connect to the Rlab.

Warning
The POD ID or POD list assigned to you (or to your Training session) will be sent by email
(from: [email protected] )

You will need the information from the tables given below to set up the connection.

1.1. Connection Method

A web browser is required to connect to the Rlab

Notes
Recommended web browsers:
- Chrome
- Edge
Other web browsers may have issues with copy/paste from a lab guide to the remote
terminal session
Known workaround for Firefox: https://sudoedit.com/firefox-async-clipboard/

1.2. Rlab access URL:

https://rdp.al-mydemo.com/

- Username: Refer to the table below to get the corresponding “User Account” to the Rlab type you are using
- Password: unique per session – sent from our LMS to the Instructor

Use the following table to get the login name of your POD, as well as the corresponding value of the
variable X = [1-8] that you will use during the labs.

Value of the variable X POD names Login(a) to use


1 StelLAN - Pod 25 lanpod25a
2 StelLAN - Pod 26 lanpod26a
3 StelLAN - Pod 27 lanpod27a
4 StelLAN - Pod 28 lanpod28a
5 StelLAN - Pod 29 lanpod29a
6 StelLAN - Pod 30 lanpod30a
7 StelLAN - Pod 31 lanpod31a
8 StelLAN - Pod 32 lanpod32a

Ex: If you are connected to the StelLAN POD 25 and asked to configure the IP address 10.130.5.200+X, enter the
value 10.130.5.201 (X=1).

2 Discovering the Remote Lab Environment


In this part, you will find an explanation about the Remote Lab environment that you are going to use during this
training.

2.1. Topology of the Stellar Remote Lab Pod


Take a careful look at the topology displayed, as it shows all the equipment that you will use during this
training.

2.2. Switch/Access Point Console


On the R-Lab Windows Desktop, you will find multiple console shortcuts. Each one allows you to connect
to one of your Lab’s equipment (switch or access point).

- Open one of the switch Console terminals used during this training: SW7-OS-6860A,
SW5-OS-6360A, SW4-OS-2360
- Check that some messages are displayed

R-Lab Windows Desktop


Double-click on one shortcut
to open a switch console:
• SW7-OS-6860A
• SW5-OS-6360A
• SW4-OS-2360
You have now access to the
switch console.

Tips
If you get a message “Hunting Group Busy” when you open a TeraTerm console, it means that another
TeraTerm session has already been opened (from your account or another account). Check the console sessions
currently opened on your session or ask the instructor for help.

2.3. Wi-Fi Client


During this Lab, you will have to use a wireless client for test purposes. This client is a Raspberry Pi and
you can access its remote desktop via the shortcut RealVNC Viewer on the desktop.

- Check the connection to the “WifiClientX” on the Raspberry Pi.

R-Lab Windows Desktop


Double click on the shortcut
“WifiClientX”
Replace X by your POD
number, X=[1-8]

The authentication window of


the VNC Viewer application
opens.
Enter the credentials:
Username: user
Password: superuser

Click OK.

You are now connected to the


Raspberry Pi WifiClientX.

Tips
The language of the keyboard of the Raspberry Pi is set by the keyboard language of the remote desktop on
which you are connected.
Stellar OmniAccess WLAN
Reinitialization of the Stellar Remote Lab

Objective
✓ Reinitialize the R-Lab equipment to its default configuration

Contents
1 Reinitializing the Switches & Access Points
2 Reinitializing the OmniVista 2500
3 Reinitializing the PC Client


1 Reinitializing the Switches & Access Points


On the R-Lab Windows Desktop, a shortcut Reset PODX is available on the desktop to reinitialize all the
equipment (both switches and access points) to their default configuration.

In the diagram below, in red, you can see all the equipment that will be reinitialized by using this shortcut:
(Diagram: Stellar Pod topology)

Warning
THE SWITCHES DEFAULT CONFIGURATION IS NOT AN EMPTY CONFIGURATION!
WHEN CLICKING ON THE SHORTCUT:
- A SPECIFIC CONFIGURATION IS APPLIED TO THE SWITCHES
- ALL THE INTERFACES ARE PUT DOWN. DURING THE LABS, IT WILL BE ASKED TO ENABLE THE INTERFACES
THAT YOU WILL USE.
- THE OMNISWITCH 6860 IS PRE-CONFIGURED (VLAN, IP INTERFACE,…)

Reset all the R-Lab Pod’s equipment by using the Reset PodX script

R-Lab Windows Desktop


On the desktop, double click on the Reset PodX shortcut (X = Pod number)

Some Windows command terminals are displayed, wait for them to disappear.

@Switch > The reinitialization process takes around 5 minutes

@Access Point > The reinitialization takes around 1min30 – 2min

Notes
It is also possible to reset each equipment (switch/access point) separately. Check the dedicated addon parts
(Switch Reinitialization / Access Point Reinitialization) if you want to learn more.

2 Reinitializing the OmniVista 2500


In this part, we are going to reinitialize the OmniVista 2500 NMS.
In the diagram below:
- In red, the equipment that will be reinitialized during this part.
- In gray, the equipment that have been reinitialized in the previous part.
(Diagram: Stellar Pod topology)

Reinitialize the OmniVista 2500 to its initial configuration

The OmniVista 2500 is installed in a virtual machine. Therefore, to access and reinitialize it, we will have to
use the VMware vSphere Client.

R-Lab Windows Desktop


Double click on the vSphere Web Console shortcut

Enter the credentials
- Username: stellarpodX (X = R-Lab number)
- Password: alcatel

Click on Login

Click on the VMs and Templates (top left-hand corner)

Browse the tree structure to reach the virtual machines, then select the OV2500

means that the client is powered off

means that the client is powered on

Click on ACTIONS > Snapshots > Manage Snapshots

Select the snapshot DT00CTE270 - Initial State

Click on REVERT TO

Click on OK

Restart the VM > click on the button
We will continue to configure the OmniVista 2500 in a dedicated lab, later in this course.

Tips
All VMs are configured with an English US keyboard; your current keyboard layout is not taken into account.
Keep this in mind when you are typing a command.

Notes > What is a snapshot?


A snapshot preserves the state and data of a virtual machine at a specific point in time. We use it to easily
revert the OV 2500 back to its initial configuration, to wipe all the previous training configuration.

3 Reinitializing the PC Client


In this part, we are going to set up the PC Client. This Linux environment will be used throughout this course
to test and access the Wi-Fi networks and features that the Stellar products offer.
In the diagram below:
- In red, the equipment that will be set up during this part.
- In gray, the equipment that have been reinitialized in the previous parts.
(Diagram: Stellar Pod topology)

Set up the Wi-Fi Linux client: starting it and resetting the wireless networks
previously saved.

To access and set up the wireless client, we will have to use a shortcut on the desktop.

R-Lab Windows Desktop


Double click on the “WifiClientX” shortcut.

Type the following credentials:
- Username: user
- Password: superuser

Click on OK

You now have access to the Linux desktop.

On the desktop, double click on the shortcut “Clean Wireless Networks”

Select Execute in the new window.

This will delete all the known wireless networks on this client.
OMNIVISTA 2500 NMS
SERVER INSTALLATION

LESSON SUMMARY
Upon completion of this module,
you will be able to:

• Server Installation

• List the supported hypervisors

• Identify the hardware required

• Summarize the installation steps

• Memorize how to access the OmniVista 2500 NMS administration interface
HYPERVISORS

• OmniVista 2500 = Virtual Appliance
• No standalone installers

Hypervisors
• VMware ESXi
• VirtualBox
• MS Hyper-V
• KVM
HARDWARE REQUIREMENTS

The contents of this table vary depending on the OmniVista 2500 NMS version used. For more information, please consult the official installation
guide (1 installation guide for each version)
INSTALLATION STEPS
• Deployment on a Hypervisor
• Download the OmniVista 2500 Server virtual appliance from the Business Portal Website (BPWS)
• Deploy the virtual appliance on the chosen hypervisor
• Power on the virtual appliance

Prerequisite: Deploy the desired Hypervisor

Deploy the OmniVista 2500 NMS virtual appliance

Power on the OmniVista 2500 NMS virtual appliance


INSTALLATION STEPS

• From the Hypervisor Console


• Fill the Initial Settings
• Keyboard layout
• Technical support code
• Administrative password

OMNIVISTA 2500 VIRTUAL APPLIANCE > CONSOLE


INSTALLATION STEPS
• From the Hypervisor Console
• Fill the IP Settings
• OmniVista 2500 NMS IP & Ports
• Captive Portal IP & Ports (if used)
• Additional OV Web IP & Ports (optional)

(Diagram labels: OV WEB, ADDITIONAL OV WEB, CAPTIVE PORTAL)

OMNIVISTA 2500 VIRTUAL APPLIANCE > CONSOLE


INSTALLATION STEPS

• From the Hypervisor Console
• Select the Network Size
• Number of devices that the OmniVista 2500 NMS will manage

Network Size    Number of Devices
Low             Lower than 500
Medium          500 – 2000
High            2000 – 5000
Very High       5000 – 10000

OMNIVISTA 2500 VIRTUAL APPLIANCE > CONSOLE


INSTALLATION STEPS
• From the Hypervisor Console
• Configure the OV2500 Additional Options
• Hostname
• DNS Server
• Timezone
• Routes
• …

OMNIVISTA 2500 VIRTUAL APPLIANCE > CONSOLE


INSTALLATION STEPS

• From the Hypervisor Console


• Exit & Reboot
• Exit the Additional Options menu
• Virtual Appliance automatically reboots

OMNIVISTA 2500 VIRTUAL APPLIANCE > CONSOLE


1ST TIME CONNECTION TO WEB & LICENSE MGMT

• Web Interface & License


• OmniVista 2500 NMS = Administration via a Web Interface
• 1st time connection to the Web Interface = License window to insert the OV2500 license
URL <IP@ OV WEB>

« LICENSE NOT FOUND » PAGE HOME PAGE


THANK YOU

Stellar OmniAccess WLAN
OmniVista 2500 NMS Server Installation

Objective
✓ Install the OmniVista 2500 NMS Server

Contents
1 Briefing
2 Accessing the VMware ESXi
3 Configuring the OmniVista 2500 NMS Settings
3.1. Post Installation Wizard
3.2. First Login
4 Generating & Installing an Evaluation License
4.1. Generating the Evaluation License
4.2. Installing the Evaluation License
4.2.1. Inserting the License File
4.2.2. Inserting the License Keys
4.3. Deleting the License File
5 Debriefing


1 Briefing
The OmniVista 2500 NMS is distributed as a Virtual Appliance only. There are no other standalone installers
(e.g., Windows/Linux).
The OmniVista 2500 Virtual Appliance has already been downloaded from the Business Partner Website
(BPWS, official ALE website to download software and documentations) and deployed on a VMware ESXi
server.
In this lab, you will learn how to perform the post installation of the OmniVista 2500 NMS.

CURRENT
TOPOLOGY

END OF LAB
TOPOLOGY

2 Accessing the VMware ESXi


The OmniVista 2500 NMS virtual appliance has already been downloaded and deployed on a VMware ESXi
Server.

Access the VMware ESXi application

First, let’s access the VMware ESXi application:

R-Lab Windows Desktop

Select the OV2500 virtual machine

Click Launch Web Console, then Web Console

3 Configuring the OmniVista 2500 NMS Settings


In this part, we will configure all the OmniVista settings (IP address, password…).

Follow the installation wizard to continue with the OmniVista 2500 installation.

3.1. Post Installation Wizard

OmniVista 2500 Console


Select the keyboard layout (default: us)

Enter the code Alcatel.0
Press Enter
This code is used by the ALE Technical Support for troubleshooting purposes

Enter the password Alcatel.0
Keyboard is QWERTY
Press Enter

Enter the IP settings:
- IPv4: 10.130.5.5X (X=R-Lab Number)
- Subnet Mask: 255.255.255.0
- Select the NIC: eth0
Keep the default HTTP and HTTPS ports
- [y|n]: y
Press Enter

The Captive Portal has its own IP address.
Select:
- Option 1
- IPv4: 10.130.5.7X (X=R-Lab Number)
- Subnet mask: 255.255.255.0
- IPv6: n
Keep the default HTTP and HTTPS ports
- Confirm (y) then press Enter

Additional OV Web IP
- Option 2: Disable Additional OV Web IP
- Confirm (y) then press Enter

Check that the configuration has been applied

Select the network size
- Option 1: Low
- Would you like to set the number of devices? [y|n]: y
Press Enter

Select the default language
- Option 1: English
- Confirm (y) then press Enter

Configure the Default Gateway
- Choose Option: [4]
- Default gateway: 10.130.5.253
- [y|n]: y
Press Enter

Configure the Hostname
- Choose Option: [5]
- hostname: StellarPodX (X=R-Lab Number)
- [y|n]: y
Press Enter

- Choose Option: [6]
- [y|n]: y
- dns server 1: 10.130.5.130
- dns server 2 [y|n]: y
- dns server 2: 10.0.0.51
Press Enter

Select 0 to Exit this menu

SERVICES RESTART
AFTER EXITING THE MENU, IT TAKES A COUPLE OF MINUTES FOR THE OMNIVISTA 2500 TO RESTART ITS SERVICES. PLEASE WAIT BEFORE
GOING ON WITH THE NEXT PART.

Notes > What is the cliadmin account?


The password entered during the installation wizard is the cliadmin account password. This account is used for
the initial OV configuration and for advanced troubleshooting.

Notes > What is UPAM?


The Unified Policy Authentication Manager (UPAM) is a module embedded in the OmniVista 2500 NMS, which
provides advanced authentication functionalities, especially for authenticating Guest or BYOD devices.

3.2. First Login


From the Windows Desktop, login to the OmniVista 2500 Web Admin Interface:

R-Lab Windows Desktop


Open a web browser (ex. Mozilla Firefox or Google Chrome)

Enter the OV 2500 IP address in the URL bar: 10.130.5.5X (X = Pod number)

Username: admin
Password: switch

Depending on the type of web browser being used, a warning regarding the website’s
security certificate will be shown. Skip this warning and continue to the OmniVista
login page.

A prompt appears to add the license(s)

Go to the next part to learn how to generate an evaluation license

4 Generating & Installing an Evaluation License


An Evaluation License provides full OmniVista 2500 NMS feature functionality, but is valid only
for 90 Days (starting from the date the license is generated). There is one file that contains all of
the Device (AOS, Third-Party, Stellar APs) and Service Licenses (VM, Guest, BYOD).
In this part, you will learn how to generate and install an evaluation license

- Generate an Evaluation License


- Install it in your OmniVista 2500

Tips > Evaluation License


This part is dedicated to training. Don’t hesitate to use the same process if you need to generate an
evaluation license for testing purposes (lab…).

Warning
BEFORE THIS STEP, ENSURE THAT NO LICENSE GENERATED IN A PREVIOUS TRAINING IS AVAILABLE TO AVOID ANY
POSSIBLE CONFUSION.
D D ,D Y “-EVAL- …”

4.1. Generating the Evaluation License


From the Windows Desktop, open a new web browser tab/window:

R-Lab Windows Desktop


Copy & Paste the following URL in your RDP session: https://lds.al-enterprise.com/

Click on OmniVista 2500 NMS

Enter:
- Customer ID: 99999
- Order Number: evaluation

Leave the Customer Email field blank

Click on Submit

Select the License Type: EVAL-OV2500-ALL-TYPE_1

Enter the Passcode: omnivista

Click on Submit Entry

Enter Company Name: ALE (or something else)
Click on Generate License
Save the file locally
The sole purpose of entering your mail is to receive the license information by mail.

4.2. Installing the Evaluation License


2 possibilities:
- Inserting directly the license file obtained in the previous part
- Inserting the license keys

Don’t do both!

4.2.1. Inserting the License File


- Go back in the OmniVista 2500 NMS webpage:

> Go back to the OV 2500 Web Admin Interface


> Click on Add License
> License File: click on Browse
> Select the license file downloaded in the previous part
> Click on Open
> Click on Submit

Software and/or documentation End-User License Agreement “EULA”


> Check OK (don’t check Enable ProActive Lifecycle Management)

4.2.2. Inserting the License Keys


- Open the file with a text editor (Notepad, Notepad++…). The license keys are in clear text.
- Go back in the OmniVista 2500 NMS webpage:

> Open a Web Browser


> Type the following IP address in the URL bar: 10.130.5.5X
> Username/Password: admin/switch

> Go to ADMINISTRATION > LICENSE > Add or Import License


> In the License Key field, enter all the licenses keys that are in the license file generated in the
previous step (/!\ remove the license name before inserting them, look at the warning below /!\)
> Click on Submit

Warning
COPY AND PASTE ONLY THE LICENSE KEYS AND NOT THE ENTIRE LINES! (HIGHLIGHTED THE INFO THAT YOU HAVE
TO COPY AND PASTE):

EVAL-NM-EX-20-N, KEQWEXRH-VXDJBEUM-4EX$299Z-BBXS7G#4-JC!GW81R-$C8YWB1K-DBE#$LDX-AXVRMLM#
EVAL-VMM-100-N, WWITUJ#W-EWBU@BSM-@EX$299Z-BBXS7G#4-JC!GWL1R-$CFYWB1L-X5#PC4WT-5UDJU7B#
EVAL-AP-NM-20-N, G1CUNONJ-YFZ%JX2W-JEX$299Z-BB@S7G#4-JC!GW81R-$CHYWB1L-WAPB3U7!-GDFXMHV&
EVAL-GA-20-N, VTP@GOKN-E53P8#@E-NEX$299Z-BB@S7G#4-JC!GW81R-$C#YWB1L-CJD%PRTF-9GTXNX!1
EVAL-BYOD-20-N, JSQRU%HH-GFFCJUGB-ZEX$299Z-BB@S7G#4-JC!GW81R-$CRYWB1L-EBX5WUFB-8X7HF@5G

Disable Enable ProActive Lifecycle Management

Click on OK

4.3. Deleting the License File

Once the license file is correctly inserted, please delete the file “ …” from the
computer.

5 Debriefing
During this lab, we have learned how to install the OmniVista 2500 NMS. We have also learned how to
generate an evaluation license.
Remember that you can use the last part (Generating an Evaluation License) if you want to get a license for
your own lab! This is not reserved for training purposes.
OmniAccess Stellar WLAN
AOS OmniSwitches Discovery in the OmniVista 2500 NMS

Objective
✓ Learn how to discover the OmniSwitches in the OmniVista 2500 NMS

Contents
1 Briefing
2 Backbone VLAN
2.1. Backbone VLAN
2.2. Backbone VLAN IP Interfaces
3 SNMP v3
4 Discovering the OmniSwitches on the OmniVista 2500 NMS
5 Debriefing
6 Troubleshooting
6.1. Troubleshooting the Level 2
6.1.1. Checking the cables
6.1.2. Checking the VLAN(s)
6.2. L3 Troubleshooting
6.2.1. Checking the IP Interfaces
6.2.2. Checking the OmniVista 2500 IP Settings
6.2.3. Pinging the Equipment
6.3. Checking the SNMP Configuration
6.4. Discovering the OmniSwitch


1 Briefing
Before using all the features offered by the OmniVista 2500 NMS, the network devices must be discovered
first. In this lab, we are going to discover the 3 OmniSwitches in the OmniVista 2500 NMS. The discovery of
the 2 Access Points will be covered in another lab.

[Figures: current topology and end-of-lab topology]

2 Backbone VLAN
The Backbone VLAN is used to interconnect the network equipment together (OmniSwitches, OmniVista 2500,
DHCP Server). The SNMP traffic is carried over the Backbone VLAN.

The Backbone VLAN and IP Interfaces are pre-configured on each OmniSwitch.

2.1. Backbone VLAN


The backbone VLAN (VLAN 1305) is pre-configured and connects the following network devices:
- The 3 OmniSwitches;
- The OmniVista 2500 (10.130.5.5X);
- The DHCP Server (10.130.5.7).

Tips > Console Shortcuts

To access the OmniSwitch consoles, a shortcut is available for each switch on the Windows Desktop.
The shortcut will be used in the troubleshooting part.
Notes
The VLAN 1305 is already assigned to the OmniVista 2500 and the DHCP Server.

2.2. Backbone VLAN IP Interfaces


Each OmniSwitch requires an IP interface on the Backbone VLAN to be able to communicate with the
OmniVista and DHCP server. These IP interfaces are pre-configured on the OmniSwitches:

Check that the Access OmniSwitches can reach the core OmniSwitch 6860, and can reach
the servers:

OS-6360A
6360A -> ping 10.130.5.20X (OmniSwitch 6860)
6360A -> ping 10.130.5.7 (DHCP Server)
6360A -> ping 10.130.5.5X (OmniVista 2500 NMS)

OS-2360
2360 -> ping 10.130.5.20X (OmniSwitch 6860)
2360 -> ping 10.130.5.7 (DHCP Server)
2360 -> ping 10.130.5.5X (OmniVista 2500 NMS)

3 SNMP v3
The OmniVista 2500 uses the SNMP protocol to discover the network devices and communicate with them.
SNMP versions 1, 2 and 3 are supported.
In this part, we are going to configure an SNMP version 3 profile on each OmniSwitch.

Configure an SNMP v3 profile on all OmniSwitches.

To create the SNMP v3 profile on the OmniSwitches, use the following command:

OS6860, OS6360, OS2360:


-> user snmpuserv3 read-write all password "Superuser=1" sha+des
-> snmp station 10.130.5.5X 162 snmpuserv3 v3 enable
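
How a SHA+DES SNMPv3 user such as the one above is turned into keys, as an added example (not part of the training guide or of ALE software): the RFC 3414 password-to-key and key-localization steps in Python. The engine ID is a constructed placeholder and the function names are hypothetical.

```python
import hashlib

ONE_MEGABYTE = 1048576  # RFC 3414 A.2.2 hashes exactly this many octets

# Constructed placeholder: a real engine ID is read from the SNMP agent.
LAB_ENGINE_ID = bytes.fromhex("800000000300005e005301")


def password_to_key_sha1(password: bytes) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over the password repeated up to 1,048,576 octets."""
    if not password:
        raise ValueError("SNMPv3 password must not be empty")
    repeats = ONE_MEGABYTE // len(password) + 1
    return hashlib.sha1((password * repeats)[:ONE_MEGABYTE]).digest()


def localize_key_sha1(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: bind the user key Ku to one engine, H(Ku || engineID || Ku)."""
    return hashlib.sha1(ku + engine_id + ku).digest()


def effective_des_bits(des_key: bytes) -> int:
    """DES ignores the least significant bit of every key octet."""
    return 7 * len(des_key)


def usm_sha_des_keys(auth_password: str, priv_password: str, engine_id: bytes) -> dict:
    """Derive the localized keys used by a SHA (auth) + DES (priv) USM user."""
    auth_key = localize_key_sha1(password_to_key_sha1(auth_password.encode()), engine_id)
    # RFC 3414 8.1.1.1: the privacy secret is 16 octets; the first 8 are the
    # DES key and the last 8 are the pre-IV.
    priv_secret = localize_key_sha1(
        password_to_key_sha1(priv_password.encode()), engine_id)[:16]
    des_key = priv_secret[:8]
    return {
        "auth_key": auth_key,                # 20 octets, HMAC-SHA-96 key
        "des_key": des_key,                  # 8 octets
        "pre_iv": priv_secret[8:16],         # 8 octets
        "des_effective_bits": effective_des_bits(des_key),
        # True when both passwords are identical: privacy reuses auth key bytes.
        "priv_shares_auth_material": priv_secret == auth_key[:16],
    }


if __name__ == "__main__":
    # Same password for both fields, as in the SNMPv3 profile of this lab.
    keys = usm_sha_des_keys("Superuser=1", "Superuser=1", LAB_ENGINE_ID)
    for name, value in keys.items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

With one password used for both authentication and privacy, the privacy secret is the first 16 octets of the localized authentication key, and the DES key carries 56 effective bits.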

4 Discovering the OmniSwitches on the OmniVista 2500 NMS


In this part, we are going to configure an SNMP version 3 profile on the OmniVista 2500, then we will discover
the 3 OmniSwitches in the OmniVista 2500 (once discovered, OmniSwitches can be managed and supervised
from the OmniVista 2500 NMS).

Configure an SNMP v3 profile on the OmniVista 2500 NMS.

To create the SNMP v3 profile on the OmniVista 2500:

> Open a Web Browser


> Type the OV2500 IP address in the URL bar: 10.130.5.5X (X = R-Lab Number)
> Username/Password: admin/switch

> Select NETWORK > DISCOVERY > Managed Devices


> Click Discover New Devices
> Click on the + button (top right)
> Enter IP information (6860)
> Start IP: 10.130.5.20X
> End IP: 10.130.5.20X
> Subnet Mask: 255.255.255.0
> Choose Discovery Profiles: click on the button to create an SNMPv3 profile

> SNMPv3 Profile Parameters (leave other parameters blank)


> Name: SNMPv3
> SNMP Version: SNMPv3
> Timeout (msec): 5000
> Retry Count: 3
> User Name: snmpuserv3
> Auth & Priv Protocol: SHA+DES
> Auth Password: Superuser=1
> Priv Password: Superuser=1
> Click on Create

> Choose Discovery Profiles: select the SNMPv3 profile, click on + to move it to the right
> Click on Create

> Click on the + button to add a new range


> Enter IP information (6360)
> Start IP: 10.130.5.22X
> End IP: 10.130.5.22X
> Subnet Mask: 255.255.255.0
> Choose Discovery Profiles: select the SNMPv3 profile, click on + to move it to the right
> Click Create

> Click on the + button to add a new range


> Enter IP information (2360)
> Start IP: 10.130.5.24X
> End IP: 10.130.5.24X
> Subnet Mask: 255.255.255.0
> Choose Discovery Profiles: select the SNMPv3 profile, click on + to move it to the right
> Click Create

> Select the three ranges by clicking on the checkboxes on the left
> Click on Discover Now to launch the discovery process, then click on Finish.

At the end of this part, the 3 OmniSwitches are discovered and are now manageable from the OmniVista
2500 NMS:

5 Debriefing
The reset script from the previous lab created the “Backbone” VLAN. This is used to interconnect the
network equipment together (OmniSwitches, OmniVista 2500, DHCP Server). The SNMP settings were also
configured with the reset script. And finally, we have discovered the OmniSwitches in the OmniVista 2500
NMS. These OmniSwitches can now be managed from the OmniVista 2500 GUI.

6 Troubleshooting
In this part, we will cover the process to follow if an OmniSwitch is not discovered in the OmniVista 2500. We
will use the exact same infrastructure as in the lab:

6.1. Troubleshooting the Level 2

6.1.1. Checking the cables


First, make sure that the cables are correctly plugged and recognized:

OMNISWITCH
AOS -> show interfaces 1/1/11
Operational Status : up,
Last Time Link Changed : Thu Oct 17 06:13:56 2019,
Number of Status Change: 1,
Type : Ethernet,
SFP/XFP : N/A,
EPP : Disabled,
Link-Quality : N/A,
MAC address : 2c:fa:a2:1b:18:56,
BandWidth (Megabits) : 1000, Duplex : Full,
Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 9216,
Inter Frame Gap(Bytes) : 12,

6.1.2. Checking the VLAN(s)


Then, check that the VLAN(s) is/are correctly configured on each involved port (in this example, the
management VLAN is the VLAN 1305, and all the equipment is in this VLAN):

OMNISWITCH
AOS -> show vlan members port 1/1/11
vlan type status
--------+-----------+---------------
1305 default forwarding

6.2. L3 Troubleshooting

6.2.1. Checking the IP Interfaces


Check that the IP interface is correctly configured on the OmniSwitch, and that its status is UP:

OMNISWITCH
AOS -> show ip interface
Total 6 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags
--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
int_backbone 10.130.5.200 255.255.255.0 UP YES vlan 1305

6.2.2. Checking the OmniVista 2500 IP Settings


Open the OmniVista 2500 CLI (from the VMware vSphere Web Console), then:

OmniVista 2500 Console


Select the OV2500 virtual machine

Click Launch Web Console, then Web Console

Enter the credentials defined during the OmniVista 2500 installation:
- login: cliadmin
- password: Alcatel.0

A menu is displayed.

Choose option [2] Configure The Virtual Appliance

Choose option [2] Display Current Configuration to display all the IP configuration (IP@, Mask, Gateway,
DNS Server…)

Or display each information one by one, by using the options [2] to [8]

It is also possible to use the options [14] and [15] to check the Proxy and NTP configuration.

6.2.3. Pinging the Equipment


Once the equipment IP configuration is checked, make sure that the OmniVista 2500 can ping the
OmniSwitch:

OmniVista 2500 Console

Ping from the OmniVista 2500 to the OmniSwitch

From the Virtual Appliance Menu, select [10] Advanced Mode

From the CLI, launch a ping to the OmniSwitch IP interface address

Once the equipment IP configuration is checked, make sure that the OmniSwitch can ping the OmniVista
2500:

PING FROM THE OMNISWITCH 6860 TO OMNIVISTA 2500


AOS -> ping 10.130.5.5X
PING 10.130.5.50 (10.130.5.50) 56(84) bytes of data.
64 bytes from 10.130.5.50: icmp_seq=1 ttl=64 time=0.613 ms
64 bytes from 10.130.5.50: icmp_seq=2 ttl=64 time=0.571 ms
64 bytes from 10.130.5.50: icmp_seq=3 ttl=64 time=0.550 ms
64 bytes from 10.130.5.50: icmp_seq=4 ttl=64 time=0.617 ms

6.3. Checking the SNMP Configuration


Once the configuration is checked, let’s make sure that the parameters have been correctly
entered.
- On the OmniSwitch, check that SNMP is enabled:

OMNISWITCH
AOS -> show aaa authentication
[…]
Service type = Snmp
Authentication = Use Default,
1st authentication server = local
[…]

- On the OmniSwitch, check that the SNMP station and username have been correctly configured:

OMNISWITCH
AOS -> show snmp station
ipAddress/port status protocol user
---------------------------------------------------+---------+--------+-------
10.130.5.50/162 enable v3 snmpuserv3

- On the OmniSwitch, re-enter the SNMP password to make sure that this password and the auth&priv
protocol are the correct ones:

OMNISWITCH
AOS -> user snmpuserv3 read-write all password Superuser=1 sha+des

- In the OmniVista 2500, re-enter the SNMP settings:

> Open a Web Browser


> Type the OV2500 IP address in the URL bar: 10.130.5.5X (X = R-Lab Number)
> Username/Password: admin/switch

> Select NETWORK > DISCOVERY > Discovery Profiles


> Select the previously created SNMP Profile (ex. SNMPv3) or create a new one
> Name: SNMPv3
> SNMP Version: SNMPv3
> Timeout (msec): 5000
> Retry Count: 3
> User Name: snmpuserv3
> Auth & Priv Protocol: SHA+DES
> Auth Password: Superuser=1
> Priv Password: Superuser=1
> Click on Apply

6.4. Discovering the OmniSwitch


To launch a new discovery:

> Open a Web Browser


> Type the OV2500 IP address in the URL bar: 10.130.5.5X (X = R-Lab Number)
> Username/Password: admin/switch

> Select NETWORK > DISCOVERY > Managed Devices


> Click Discover New Devices
> Click on the + button (top right)
> Enter IP information
> Start IP: 10.130.5.20X (X = R-Lab Number)
> End IP: 10.130.5.20X (X = R-Lab Number)
> Subnet Mask: 255.255.255.0
> Choose Discovery Profiles: select the SNMPv3 profile created previously
> Click on Discover Now to launch the discovery process, then click on Finish.
OMNIACCESS STELLAR WLAN
SOLUTION OVERVIEW

OBJECTIVES
Upon completion of this module, you will be able to:

• Understand and choose the Stellar mode on the APs
• Understand the planes of operation and the traffic generated by the AP
• Understand the recommended network topology
• Identify the network limitations
STELLAR WLAN - MODES
NETWORK MANAGEMENT MODES - OVERVIEW
Move from Express to Enterprise/Cloud when/if needed

• Wi-Fi Express: Standalone mode
• Wi-Fi Enterprise: In Premise - Managed mode with OmniVista 2500 NMS
• Wi-Fi Cloud: Cloud based - Managed mode with OmniVista Cirrus NMS
STELLAR EXPRESS MODE
WIFI EXPRESS – STANDALONE CLUSTER DEPLOYMENT
✓ Self managed standalone cluster
✓ Integrated secure Web managed
✓ Wizard driven configuration
✓ Integrated Guest captive portal
✓ External Guest Captive Portal support
✓ Distributed intelligence control
✓ Self configured AP cluster, up to 255 APs
✓ Optimal RF management
WIFI EXPRESS – FEATURES LIST

Management
• Guest Operator Restricted Role GUI
• HTTP and Secure Access via HTTPS
• English, simplified Chinese, German, French, Spanish, Korean, Turkish Language Support
• OXO Connect R2.1 ZTP integration with HTTPS
• Remote Cluster Management

Security
• Authentication 802.1X, WPA, WPA2, WPA3
• Encryption WEP, TKIP, AES
• Built-in User Database
• External Radius Server Support
• ACLs per SSID
• Disconnect/ Blacklist Clients
• WIPS protection

System
• Syslog & Syslog over TLS support
• NTP Client
• Built-in DHCP/DNS/NAT
• MESH
• Certificate Management

Radio
• Dynamic Frequency Selection
• Transmit Power Control
• Extensive Country Code list
• Channel & Transmission power manual assignment
WIFI EXPRESS – ACCESS GROUP
• An AP-Group consists of several APs connected via the LAN in "overlay" mode and without infrastructure
modification
• In an AP group, one AP supports the role of centralized management. It is called PVM (Primary Virtual
Manager)
• Another AP is responsible for rescuing the Primary Virtual Manager (PVM). It is called Secondary Virtual
Manager (SVM)
• The group is identified by a "group ID" and all APs that have or will have the same ID are put under
management of the PVM.
• All other APs are under management of the PVM of the group. They are called Members
WIFI EXPRESS – ACCESS GROUP PVM ELECTION
• In the case of a VLAN with several APs started at the same time, an election process is performed to
select the PVM
• Election criteria shown on the slide: Highest Model Type, Highest MAC address
• AP with the second highest MAC is designated as the SVM
• All other APs become members of the group with up to 255 APs in a group.
• Once the PVM is designated, it sends an SSID for the configuration of the AP-group
[Figure: PVM (Primary Virtual Manager), SVM (Secondary Virtual Manager), mywifi-0102, Group ID]
Group ID
WIFI EXPRESS – CLUSTER SIZING

• PVM/SVM = AP1230/1301/1301H/1311/1320/1331/1351/1360/1411/1431/1451/1511/1521
• Cluster Max. Size: 255

WIFI EXPRESS – RESILIENCY

• Cluster size > 64
• Resiliency in the network design
• Recommendations
• Max Up to 32 APs per OmniSwitch
• Max Up to 64 APs per stack
[Figure: WAN, Distribution/Aggregation Switch, Access Stack Switch]
STELLAR ENTERPRISE MODE
WIFI ENTERPRISE – CENTRAL MANAGED DEPLOYMENT

• OmniVista 2500
• Unified wired-wireless
• Access Management (Guest/BYOD)
• Role based policy enforcement
• Smart Analytics
• Distributed intelligence control
• Up to 4000 APs
• Scale to support 100K clients per devices
• Advanced wireless features
• WLAN topology on a map and heat map
• Wireless security (wIDS/wIPS)
• Secure NAC with Unified Access AG 2.0
WIFI ENTERPRISE – FEATURES LIST Integration
• Automated deployment with ALE
• Controller-less Architecture OmniSwitch Integration
• OmniVista integrated Unified Policy • Smart Analytics Application Monitoring
Authentication Manager (UPAM) & Enforcement/ DPI
• Simplified Management of AP Groups • UPnP/ Bonjour Service Sharing
• No limit on AP Group Count • Stellar AP authentication with 802.1X
• Max 4000 APs spread across one or Management Security • MACSEC Support for AP Wireless
more AP Groups
• OmniVista High Availability • Unified Policy Authentication Manager
• Support of NaaS Stellar Access Point • Employee - Supplicant/ Non-supplicant
WiFi secure authentication
Enterprise • Guest Access - Self Registration/
• RF Management Employee sponsored/ Social Login
• wIDS/ wIPS - Rogue Containment/ • BYOD
Attack Detection
• Strategy based Policy Enforcement
• Floor Plan/ Heatmap - Planning & Radio System
• Extensive Captive Portal Customization
deployment tools to simplify
deployment while improving QoE • External Captive Portal support
• Reports - Uptime, Usage, etc. Reports • Syslog and syslog over TLS support
• MESH Topology
MODE SELECTION
• WiFi Express is the default mode
• AP requests and receives an IP address from the DHCP server.
• DHCP option 138 equals the IP address of the OmniVista 2500 Server

WiFi Express:

subnet 192.168.10.0 netmask 255.255.255.0
{
    dynamic-dhcp range 192.168.10.10 192.168.10.20
    {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.10.255;
        option routers 192.168.10.1;
        option dhcp-lease-time 6000;
        option domain-name-servers 192.168.10.1;
        option domain-name "vlan10.home";
    }
}

WiFi Enterprise:

subnet 192.168.10.0 netmask 255.255.255.0
{
    dynamic-dhcp range 192.168.10.10 192.168.10.20
    {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.10.255;
        option routers 192.168.10.1;
        option dhcp-lease-time 6000;
        option domain-name-servers 192.168.10.1;
        option domain-name "vlan10.home";
        option 138 192.168.0.61;
    }
}


CHANGING THE MODE
• Mode can be changed:
• Manually in Express mode with a "Convert to Enterprise" button
• Or requires a factory reset (push button) and reboot

• Migrate an existing Cluster (WiFi Express) to OV mode (WiFi Enterprise)
• Add option 138 in the DHCP server for the AP management scope (dhcpd.conf)
• Perform a factory reset/reboot or change the mode manually

No configuration migration, AP « cluster » configuration is lost

PLANES OF OPERATION
• Management Plane
• No controller
• WiFi Express: Centralized management on the Primary Virtual Manager (PVM)
• WiFi Enterprise: Centralized management on OmniVista
• Control and Data Plane per AP
[Figure: management plane on the PVM or on OmniVista; control plane and data plane on each AP]
MANAGEMENT PLANE
• Type of Traffic
• Configuration traffic (SSID creation,..)
• Monitoring and troubleshooting (client monitoring,…)
• AP management traffic is always untagged
[Figure: OmniVista, edge switches and APs; untagged “Management” VLAN for WiFi Express (PVM) and for
WiFi Enterprise]
MANAGEMENT PLANE – AP GROUP
• Management on AP Group only
• AP Group
• Multiple APs in the same AP Group, sharing the same configuration
• Mix of any AP type & total number of AP limited to 4000 (Enterprise) or 255 (Express)
[Figure: OmniVista holding AP Groups (Group 1, Group 2), the AP <-> AP Group mapping and AP registration
over LAN / L3; edge switches; WiFi-Express AP-Group with PVM; WiFi-Enterprise AP Group 1 and AP Group 2]
CONTROL PLANE
• Type of Traffic
• Manages network protocols, Forwarding Information Base (FIB)
• Manages authentication, packet inspection, load balancing

• Control plane traffic
• AP to AP protocol over the air, used for RF Management and Neighbor AP discovery
• AP to AP protocol over the LAN infrastructure, used for RF Management and Roaming client context sharing

Internal traffic, managed by the Stellar APs
[Figure: two OmniAccess WLAN Access Points with an over-the-air control plane and an over-the-LAN control
plane through the edge switches and the Layer 2/3 network infrastructure]


DATA PLANE

• Type of traffic
• Forward data user traffic
• Manages the QoS and ACLs

• Data Plane Traffic
• Wireless data converted to Ethernet in the AP and sent to the AP uplink
• Wireless traffic always tagged on the AP uplink
• No tunnel mode to OV or Virtual Controller

• Data Plane is only L2
• No routing for data user traffic
• Routing provided by LAN infrastructure
[Figure: Guest, Employee and Voice SSIDs on an OmniAccess WLAN Access Point; data traffic on tagged VLANs
to the edge switch, the Layer 2/3 network infrastructure and the data center]
NETWORK TOPOLOGY
[Figure: Internet, WAN Router, Core, Distribution, Access, Stellar Access Points; servers: OmniVista,
DHCP, DNS]

DHCP Scope for
•All AP Mgt VLANs (Require option 138 for OV IP address)
•All SSID VLANs

DNS Server (Optional) for
•All AP Mgt subnets
•All SSID subnets

L3 protocols / Routing

IP interfaces / Routers for
•All AP Mgt VLANs
•All SSID VLANs

LAN: All AP Management VLANS and SSID VLANs

Trunk Port with POE
•Untagged/Native vlan = AP Mgt VLAN
•Tagged VLANs = SSID VLANs
STELLAR CLOUD MODE
WI-FI CLOUD - OVERVIEW

• Central & Unified Management (OmniVista Cirrus)
• Up to 4000 APs
• Similar operation to OmniVista 2500NMS
[Figure: AP Group 1 and AP Group 2 managed by OmniVista Cirrus]
CENTRALIZED MANAGEMENT WITH OMNIVISTA CLOUD NMS

• Single LAN and WLAN management system


• Centralized Image Upgrade
• Configurations synchronization
• AP-Group Management Interface
• Notifications
• Integrated Captive Portal
• External Captive Portal support
• BYOD
• Unified access policy management
for user and IoT
• Unified network role
• Consistent QoS
• Embedded authentication server
• Corporate credentials for single sign-on
SUPPORTED DEVICES
IOT - ZIGBEE

• Zigbee
• IoT protocol commonly used for home and building automation
• Aim
• Manage the Zigbee endpoints from the OmniVista
• Advantages
• Improved guest experience (ex. digital key management)
• Improved security controls
• Automation in IT services
USE CASE : INTEGRATION WITH DOOR LOCKS (CENTRALIZED MANAGEMENT OF GUESTROOM DIGITAL DOOR LOCKS)
• Compatible Stellar APs
• AP1300 family (built-in zigbee radio)
[Figure: AP1321/22 and AP1361/D/62, each with BLE 5.1/ Zigbee]
BLE BEACONING
• BLE Beaconing ready for the AP1230, AP13XX series with a built-in BLE
• Stellar APs ready for Asset Tracking Solution
• Asset: people or equipment (wheel chair, medical devices, laptop,…)
• Reducing time to find assets: improves employees/customer satisfaction
• BLE Beacon is configured per AP Group
• Turned OFF by default
• Configurable parameters are
• Beaconing Mode : iBeacon per default
• Transmission Power
• Frequency/Emission Period
• UUID (Universal Unique Identifier) – ALE specific UUID for all ALE products
• Major and Minor values – used for greater accuracy than UUID alone
INTEGRATION WITH AEROSCOUT LOCATION ENGINE
• AeroScout RTLS (Real Time Location Services) provides location services.
• e.g.: Tracking of employees in the building at the plant
• AeroScout solution utilizes standard WiFi (802.11) technologies as a communication infrastructure
• Customers use the Stellar AP to communicate with AeroScout tags and deliver information to the
AeroScout Location Engine
• AeroScout LBS Architecture
• AeroScout Tags: Device generating 802.11 messages at a predefined interval
• Stellar APs: Deliver RSSI measurements of tags and WiFi clients to the AeroScout Engine
• AeroScout Engine Server (AES): Location Engine. Based on RSSI measurements (from the Stellar AP),
determines position of the clients
• AeroScout Engine Manager (AEM): Configuration of the AES. Displays clients on the map, heatmaps,
analytics, Geofencing alerts
EXAMPLE CONFIGURATION (ISC-DHCP-SERVER)
• Linux open source DHCP server

# Classify OmniAccess Stellar AP as STELLAR
class "STELLAR" {
    match if substring (option vendor-class-identifier, 0, 4) = "HAP.";
}

# Create custom option 138 as it is not known to isc-dhcp-server
option ovwma code 138 = ip-address;

# DHCP Pool
subnet 192.168.10.0 netmask 255.255.255.0 {
    …
    # Pool for OmniAccess Stellar AP
    pool {
        allow members of "STELLAR";
        range 192.168.10.10 192.168.10.20;
        option ovwma 192.168.0.61;
    }
}

• OmniSwitch used as DHCP server
• Dhcpd.conf file configuration:

subnet 192.168.10.0 netmask 255.255.255.0
{
    dynamic-dhcp range 192.168.10.10 192.168.10.20
    {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.10.255;
        option routers 192.168.10.1;
        option dhcp-lease-time 6000;
        option domain-name-servers 192.168.10.1;
        option domain-name "vlan10.home";
        option 138 192.168.0.61;
    }
}
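
The mode-selection rule from the MODE SELECTION slide and the option 138 scope from the configuration above, as an added example (not part of the training guide or of ALE software): a Python check that parses the options field of a DHCP offer, reports which mode a Stellar AP would end up in, and compares option 138 with the intended OmniVista address. The offers are constructed byte strings, the function names are hypothetical, and option 138 is assumed to carry one or more 4-octet IPv4 addresses.

```python
import ipaddress

PAD, END = 0, 255
OPT_OV_ADDRESS = 138       # OmniVista 2500 address, per the slides
STELLAR_PREFIX = b"HAP."   # vendor-class prefix matched by class "STELLAR"


def tlv(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value


def parse_options(raw: bytes) -> dict:
    """Decode a DHCP options field into {code: value}."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(raw):
            raise ValueError(f"option {code}: missing length octet")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        # A code that appears several times is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def ov_addresses(options: dict) -> list:
    """Return the IPv4 addresses carried in option 138, if present."""
    data = options.get(OPT_OV_ADDRESS)
    if data is None:
        return []
    if not data or len(data) % 4:
        raise ValueError("option 138: length is not a multiple of 4")
    return [ipaddress.IPv4Address(data[i:i + 4]) for i in range(0, len(data), 4)]


def select_mode(options: dict) -> str:
    """WiFi Express is the default; option 138 selects WiFi Enterprise."""
    return "WiFi Enterprise" if ov_addresses(options) else "WiFi Express"


def audit_offer(vendor_class: bytes, offer: bytes, expected_ov: str) -> list:
    """Compare one offer with the intended DHCP scope design."""
    findings = []
    addresses = ov_addresses(parse_options(offer))
    expected = ipaddress.IPv4Address(expected_ov)
    is_stellar = vendor_class.startswith(STELLAR_PREFIX)
    if is_stellar and not addresses:
        findings.append("no option 138: AP stays in WiFi Express")
    for address in addresses:
        if address != expected:
            findings.append(f"option 138 points to {address}, expected {expected}")
    if addresses and not is_stellar:
        findings.append("info: option 138 handed to a non-Stellar client")
    return findings


def ip(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


# Constructed offers, using the addresses of the configuration above.
COMMON = tlv(1, ip("255.255.255.0")) + tlv(3, ip("192.168.10.1")) + tlv(6, ip("192.168.10.1"))
OFFER_ENTERPRISE = COMMON + tlv(138, ip("192.168.0.61")) + bytes([END])
OFFER_EXPRESS = COMMON + bytes([END])
# Constructed offer whose option 138 differs from the intended server.
OFFER_OTHER_OV = bytes([PAD]) + COMMON + tlv(138, ip("192.168.0.99")) + bytes([END])

if __name__ == "__main__":
    for name, offer in [("enterprise", OFFER_ENTERPRISE), ("express", OFFER_EXPRESS),
                        ("other", OFFER_OTHER_OV)]:
        print(name, select_mode(parse_options(offer)),
              audit_offer(b"HAP.constructed", offer, "192.168.0.61"))
```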
IPV6 CLIENT SUPPORT – EXPRESS MODE
• IPv6 required for specific verticals
• Education (Research)
• Healthcare (IoT)
• Government (Security)

• IPv6 supported on Client side
• IPv6 Policies supported
• IPv6 QoS/ACL rules to filter client traffic

• IPv6 address on AP management interface
• AP get IPv6 address & gateway
• AP get other parameters (DNS) from DHCPv6 Server

• Wireless Client Forwarding
• Client IPv6 traffic forwarded between IPv6 clients and to IPv6 Gateway
IPV6 CLIENT SUPPORT – ENTERPRISE MODE
• AP Management through IPv6

• Client MAC/1X Authentication


• Client authentication request to AP through IPv6
• Radius communication between AP and UPAM
through IPv4

• Client Portal Authentication


• Client to portal server through IPv6
• Portal server to Radius Server through IPv4

• Wireless Client Forwarding


• Client IPv6 traffic forwarded between IPv6 clients
and to IPv6 Gateway
THANK YOU

OMNIACCESS STELLAR WLAN
HARDWARE OVERVIEW

OBJECTIVES
Upon completion of this module, you will be able to:

• Understand the OmniAccess Stellar WLAN Portfolio
• Understand the OmniAccess Stellar WLAN Accessories
OVERVIEW
[Figure: OmniAccess Stellar lineup – Wi-Fi 5: AP123x (MLE, indoor)]
[Figure: OmniAccess Stellar lineup – Wi-Fi 6: indoor models AP1301, AP1301H, AP1311, AP132x, AP1331 and
AP1351, rugged outdoor AP136x; segment labels SMB, Hosp., MLE]
[Figure: OmniAccess Stellar lineup – Wi-Fi 6E: indoor models AP1411, AP1431 and AP1451; segment labels
SMB, MLE]
[Figure: OmniAccess Stellar lineup – Wi-Fi 7: indoor models AP1511 and AP1521; segment labels SMB, MLE]
CHARACTERISTICS
OMNIACCESS STELLAR AP1230 SERIES

• OAW-AP1231/1232
• High-end AP
• Wi-Fi 5
• 802.11ac Wave 2 MU-MIMO
• 802.11ac 4x4:4SS VHT160 and Integrated BLE

• Tri radio
• First 5GHz radio: 1,733Mbps (with 4SS/VHT80 clients or 2SS/VHT160 clients)
• Second Multiband radio: 1,733Mbps (with 4SS/VHT80 clients or 2SS/VHT160 clients)
• Third 2.4GHz radio: 800Mbps 2.4GHz (4SS/VHT40)
• MU-MIMO
• Integrated BLE radio
• Up to 24 SSID (8 per radio)
• 768 client devices per AP
• 1xGbE + 1x2.5GbE network interfaces, RJ-45 console, USB port, reset button
• 802.3at POE (4pair - 60W) compliant/ 48V DC (function reduced when powered by 802.3at 2 pair source)
• Enterprise temperature range, plenum rated
• Operating Temp: 0°C to 45°C
• Built-in antenna (OAW-AP1231)
• External antenna connectors (OAW-AP1232)
OMNIACCESS STELLAR AP1301

• OAW-AP1301
• Wi-Fi 6 entry level Access Point
• 802.11ax (Wi-Fi 6) - Indoor AP

• Dual radio
• 2.4GHz radio: 573Mbps (2x2:2SS/HE40)
• 5GHz radio: 1.2Gbps (2x2:2SS/HE80)
• 1 full band (radio) dedicated to radio scanning
• Improving network security and Wi-Fi quality
• MU-MIMO
• Up to 16 SSID (8 per radio)
• 512 clients per AP
• 2 x 1GE, 1 x RS-232 console, USB2.0
• PoE 802.3af compliant
• Full function at 802.3af PoE source
• Enterprise temperature range, plenum rated
• Operating Temp: 0°C to 45°C
• Built-in OMNI directional antenna


OMNIACCESS STELLAR AP1301H

• OAW-AP1301H
• Indoor Hospitality Wi-Fi 6 Access Point

• Dual radio
• 2.4GHz radio: 573.5Mbps (2x2:2SS/HE40)
• 5GHz radio: 1.2Gbps (2x2:2SS/HE80)
• 1 full band (radio) dedicated to radio scanning
• Improving network security and Wi-Fi quality
• MU-MIMO
• Up to 32 SSID (16 per radio)
• 1024 clients per AP
• 1 x 1GE PoE (802.3at/af) uplink port
• 1 x 1GE PoE-PSE (802.3af) downlink port
• 3 x 1GE downlink port
• 1 x USB2.0, 1 x RJ45 console passthrough
• PoE 802.3at/af compliant
• Enterprise temperature range, plenum rated
• Operating Temp: 0°C to 45°C
• Built-in OMNI directional antenna
OMNIACCESS STELLAR AP1311

• OAW-AP1311
• Wi-Fi 6 entry level AP
• 802.11ax (Wi-Fi 6) - Indoor AP

• Dual radio
• 2.4GHz radio: 573Mbps (2x2:2SS/HE40)
• 5GHz radio: 1.2Gbps (2x2:2SS/HE80)
• 1 full band (radio) dedicated to radio scanning
• Improving network security and Wi-Fi quality
• Integrated BLE 5.1 / ZigBee radio
• MU-MIMO
• Up to 16 SSID (8 per radio)
• 512 clients per AP
• 2 x 1GE uplink, 1 x 1GE downlink, 1 x RS-232 console/Modbus IoT, USB2.0
• PoE 802.3af/at compliant
• Full function at 802.3at PoE source
• Disable private PSE and USB with 802.3af PoE source
• Enterprise temperature range, plenum rated
• Operating Temp: 0°C to 45°C
• Built-in OMNI directional antenna
OMNIACCESS STELLAR AP1320 SERIES

• OAW-AP1321/1322
• Mid-range AP
• 802.11ax (Wi-Fi 6)

• Dual radio
• 2.4GHz radio: 573.5Mbps (2x2:2SS/HE40)
• 5GHz radio: 2.402Gbps (4x4:4SS/HE80)
• 1 full band (radio) dedicated to radio scanning
• MU-MIMO
• Up to 32 SSID (16 per radio)
• 1024 clients per AP
• Integrated BLE 5.1 / ZigBee radio
• 1 x 2.5GE & 1 x 1GE uplink, RJ45 console, USB2.0
• Support 802.3at PoE (with PoE backup)
• Enterprise temperature range, plenum rated
• Operating Temp: 0°C to 45°C
• Built-in antenna (OAW-AP1321)
• External antenna connectors (OAW-AP1322)
OMNIACCESS STELLAR AP1331

• OAW-AP1331
• Mid-range AP
• 802.11ax (Wi-Fi 6)

• Dual radio
• 2.4GHz radio: 1.15Gbps (4x4:4SS/HE40)
• 5GHz radio: 2.4Gbps (4x4:4SS/HE80)
• 1 full band (radio) dedicated to radio scanning
• MU-MIMO
• Up to 32 SSID (16 per radio)
• 1024 clients per AP
• Integrated BLE 5.1 / ZigBee radio
• 2 x 5GE PoE (802.3bt/at)
• RJ45 console, 1 x USB3.0
• Support 802.3bt/at PoE
• Enterprise temperature range, plenum rated
• Operating Temp: 0°C to 45°C
• Built-in OMNI directional antenna
OMNIACCESS STELLAR AP1351

• OAW-AP1351
• High-end Wi-Fi 6 AP
• 802.11ax (Wi-Fi 6) - Indoor AP

• Tri radio
• 2.4GHz radio: 1.147 Gbps (4x4:4SS/HE40)
• 5GHz Low radio : 4.8 Gbps (4x4:4SS/HE160)
• 5GHz High radio: 4.8 Gbps (8x8:8SS/HE80)
• 1 full band (radio) dedicated to radio scanning
• Improving network security and Wi-Fi quality
• Integrated BLE 5.1 / ZigBee radio
• Up to 24 SSID (8 per radio)
• 1536 clients per AP
• 2 x 10GE uplink, 1 x RS-232 console, USB3.0
• PoE 802.3at/bt compliant
• Full function at 802.3bt PoE source
• Enterprise temperature range, plenum rated
• Operating Temp: 0°C to 45°C
• Built-in OMNI directional antenna
• No mount kit in box
OMNIACCESS STELLAR AP1360 SERIES

• OAW-AP1361/62/D
• Rugged outdoor AP
• 802.11ax (Wi-Fi 6)

• Dual radio
• 2.4GHz radio: 573.5Mbps (2x2:2SS/HE40)
• 5GHz radio: 2.402Gbps (4x4:4SS/HE80)
• 1 full band (radio) dedicated to radio scanning
• MU-MIMO
• Up to 32 SSID (16 per radio)
• 1024 clients per AP
• Integrated BLE 5.1 / ZigBee radio
• 1 x 2.5GE uplink, 802.3at PoE
• 1 x 1GE downlink, 802.3at PoE
• 1 x SFP
• 1x USB2.0, reset button
• Temperature range -40 to +65 degree C
• Built-in omni-antenna (OAW-AP1361)
• Built-in directional antenna (OAW-AP1361D)
• External antenna connectors (OAW-AP1362)
OMNIACCESS STELLAR AP1411

• OAW-AP1411
• Entry level Wi-Fi 6E AP
• 802.11ax (Wi-Fi 6E) – Indoor AP
• Dual radio
• 2.4GHz radio: 574Mbps (2x2:2SS/HE40)
• 5GHz radio: 1.2Gbps (2x2:2SS/HE80)
• OR (configurable)
• 6GHz radio: 2.4Gbps (2x2:2SS/HE160)
• Up to 16 SSID
• 512 clients per AP
• Integrated BLE5.1 / ZigBee radio
• 2 x 1/2.5GE uplink + 1 x 1GE uplink (IoT)
• 1 x RJ45 Console
• 1x USB3.0 Type A, reset button
• Temperature range 0 to +45 degree C
• Built-in omni-antenna
• Cert: Generic global cert, WFA 6E, EN60601-1-1, EN60601-1-2, UL2043
OMNIACCESS STELLAR AP1431

• OAW-AP1431
• Mid range Wi-Fi 6E AP
• 802.11ax (Wi-Fi 6E) – Indoor AP
• Tri radio
• 2.4GHz radio: 574Mbps (2x2:2SS/HE40)
• 5GHz radio: 1.2Gbps (2x2:2SS/HE80)
• 6GHz radio: 2.4Gbps (2x2:2SS/HE160)
• Up to 16 SSID
• 512 clients per AP
• Integrated BLE5.1 / ZigBee radio
• 2 x 2.5GE uplink (multi speed port: 1/2.5 gigabit)
• PoE IEEE 802.3bt Type 3 compliant
• 1 x RJ45 Console
• 1x USB3.0, reset button
• Temperature range 0 to +45 degree C
• Built-in omni-antenna
• Cert: Generic global cert, WFA 6E, EN60601-1-1, EN60601-1-2, UL2043
OMNIACCESS STELLAR AP1451

• OAW-AP1451
• High-end Wi-Fi 6E AP
• 802.11ax (Wi-Fi 6E) – Indoor AP
• Tri radio
• 2.4GHz radio: 1.147Gbps (4x4:4SS/HE40)
• 5GHz radio: 4.8Gbps (8x8:8SS/HE80)
• 6GHz radio: 4.8Gbps (4x4:4SS/HE160)
• 1 full band (radio) dedicated to radio scanning
• MU-MIMO
• Up to 48 SSID (16 BSSID per radio)
• 1536 clients per AP
• Integrated BLE5.1 / ZigBee radio
• 2 x 10GE uplink, PoE IEEE 802.3bt compliant
• 1 x RJ45 Console
• 1x USB3.0, reset button
• Temperature range 0 to +45 degree C
• Built-in omni-antenna
OMNIACCESS STELLAR AP1511

• OAW-AP1511
• Wi-Fi 7 Premium entry range AP
• 802.11be (Wi-Fi 7) – Indoor AP
• Tri radio
• 2.4GHz radio: 688Mbps (2x2:2SS/EHT40)
• 5GHz radio: 2.88Gbps (2x2:2SS/EHT160)
• 6GHz radio: 5.76Gbps (2x2:2SS/EHT320)
• Up to 32 SSID (16 BSSID per radio)
• 512 clients per AP
• Integrated BLE5.1 / ZigBee radio
• 1 x 1/2.5/5GE multi-gigabit uplink, PoE IEEE 802.3bt compliant
• 1 x USB type C Console
• 1x USB2.0, reset button
• 802.3at/bt POE (up to 35W) compliant
• Temperature range 0 to +50 degree C
• Built-in OMNI antenna
OMNIACCESS STELLAR AP1521

• OAW-AP1521
• Mid-range Wi-Fi 7 AP
• 802.11be (Wi-Fi 7) – Indoor AP
• Tri radio
• 2.4GHz radio: 688Mbps (2x2:2SS/EHT40)
• 5GHz radio: 2.88Gbps (4x4:4SS/EHT160)
• 6GHz radio: 5.76Gbps (2x2:2SS/EHT320)
• Up to 32 SSID (16 BSSID per radio)
• 512 clients per AP
• Integrated BLE5.1 / ZigBee radio
• 1 x 1/2.5/5/10GE multi-gigabit uplink, PoE IEEE 802.3bt compliant
• 1 x 1GE downlink
• 1 x USB type C Console
• 1x USB2.0, reset button
• 802.3bt POE (up to 60W) compliant
• 802.3at (up to 15W) in low power mode
• Temperature range 0 to +50 degree C
• Built-in OMNI antenna
ACCESSORIES
ACCESSORIES > POE INJECTORS & POWER ADAPTERS
• PoE Injector
• A PoE injector, also called midspan or PoE adapter, can be implemented to provide power to an OmniAccess Stellar Access Point, if it is connected to a non-PoE compatible network device.
[Figure: a NON-POE SWITCH sends DATA to the PoE injector, which is plugged into a POWER OUTLET and sends POWER + DATA to the AP]

• Power Adapter
• A power adapter is plugged into a power outlet and provides power to OmniAccess Stellar Access Points.
[Figure: AP powered from a POWER OUTLET through a power adapter]

• A list of PoE Injectors and Power Adapters models compatible with each OmniAccess
Stellar Access Point can be found in the Access Point’s datasheet:

EXAMPLE > OMNIACCESS STELLAR AP1331 DATASHEET


ACCESSORIES > MOUNTING KITS
• Mounting Kit
• A mounting kit is used to install an OmniAccess Stellar Access Point on a surface (ceiling, wall, desk…)
[Figure: CEILING MOUNT and WALL MOUNT]
• The Mounting Kit(s) compatible with each OmniAccess Stellar Access Point can be found in each Access Point’s datasheet:

EXAMPLE > OMNIACCESS STELLAR AP1331 DATASHEET

• Some OmniAccess Stellar Access Points are shipped with a mounting kit.
Please refer to the Product Line Matrix document to learn more

PRODUCT LINE MATRIX EXTRACT


ACCESSORIES > EXTERNAL ANTENNAS
• External Antennas
• Some OmniAccess Stellar Access Points can be equipped with external antennas to:
• Gain more control over the energy radiated
• Tailor the shape based on the coverage needed
• Access points compatible with external antennas have a reference ending in “2” (ex. AP1322, AP1362)
• The external antenna(s) compatible with each OmniAccess Stellar Access Point can be found in
each Access Point’s datasheet:

EXAMPLE > OMNIACCESS STELLAR AP1322 DATASHEET

• Note: All OmniAccess Stellar Access Points are equipped with an internal antenna
(omni-directional coverage pattern)
ACCESSORIES > EXTERNAL ANTENNAS
• The External Antennas models and details can also be found in the Product Line Matrix documentation (Antennas Matrix, p. 4).
WI-FI TECHNOLOGY
WI-FI 6 TECHNOLOGY
[Figure: Wi-Fi timeline, 24 years evolution]

• Wi-Fi 6 - Improvements
• Increased network throughput
• Increased efficiency in dense environments
• Increased robustness outdoors
• Reduced power consumption
• Enhanced Wi-Fi coexistence
• Reduced overhead (user/device contention)

• Wi-Fi 6 – Challenges
• Designed to address dense growing capacity and IoT efficiency needs for the next generation of Enterprise wireless network.
• Stellar WLAN brings integrated Bluetooth/Zigbee, dedicated Wi-Fi scanning radio technology providing a framework for expanded IoT, security and location analytic services.
WI-FI 7 TECHNOLOGY

[Figure: Wi-Fi 7 features across the 2.4GHz, 5GHz and 6GHz bands: Multi-Link Operation (MLO), MU-MIMO up to (16x16:16), Wider Channel Bandwidth (320 MHz), 4096-QAM, Automated Frequency Coordination (AFC), Multi Resource Unit (MRU), Preamble Puncturing. Benefits called out include better quality in dense areas, 46 Gbps vs. 9.6 in Wi-Fi 6E, +20% raw speed increase, effective use of the 6 GHz, and reduced latency. Caption: Increased Wireless Efficiency for Enhanced Speed & Seamless Connectivity]


WI-FI GENERATION PERFORMANCES

Wi-Fi Generations | Wi-Fi 4 | Wi-Fi 5 | Wi-Fi 6 | Wi-Fi 6E | Wi-Fi 7
Launch date | 2007 | 2013 | 2019 | 2021 | 2024
IEEE std. | 802.11n | 802.11ac | 802.11ax | 802.11ax | 802.11be
Latency/Resiliency | | | | | MLO
Max data rate | 1.2 Gbps | 3.5 Gbps | 9.6 Gbps | 9.6 Gbps | 46 Gbps
Bands | 2.4/5 GHz | 2.4/5 GHz | 2.4/5 GHz | 2.4/5/6 GHz | 2.4/5/6 GHz
Security | WPA 2 | WPA 2 | WPA 3 | WPA 3 | WPA 3
Channel width | 20,40 MHz | 20,40,80,80+80,160 MHz | 20,40,80,80+80,160 MHz | 20,40,80,80+80,160 MHz | Up to 320 MHz
Modulation | 64-QAM, OFDM | 256-QAM, OFDM | 1024-QAM, OFDMA | 1024-QAM, OFDMA | 4096-QAM, OFDMA
MIMO | 4x4 MIMO | 4x4 MIMO, DL MU-MIMO | 8x8 UL/DL MU-MIMO | 8x8 UL/DL MU-MIMO | 16x16 MU-MIMO
Power Saving | | | TWT | TWT | RTWT

• Higher Data Rates
• Higher Capacity
• Higher Efficiency
• Higher Performance
• Higher Power Efficiency
• Higher Spectrum Efficiency
• More Connected Devices
• Improved Reliability
• Interference Management
• Lower latency
OMNIACCESS STELLAR WIRELESS LAN
ACCESS POINTS ON BOARDING

LESSON SUMMARY
Upon completion of this module, you will be able to:

• Access Points On Boarding
• List 3 methods to onboard an OmniAccess Stellar Access Point in the OmniVista 2500:
• Manual Classification
• On Boarding with UNP (no 802.1x)
• On Boarding with UNP and 802.1x


METHOD 1
MANUAL CLASSIFICATION
METHOD 1 > MANUAL CLASSIFICATION

• Switch Configuration
• VLAN Configuration
• Create a VLAN that will serve as the management VLAN for the Stellar AP devices.
• This VLAN must then be manually configured as default/untagged VLAN on all ports where an AP is connected.

• Configuration
• Create a VLAN for AP Management.
• Configure this VLAN as default/untagged VLAN on
all ports where an AP is connected.
METHOD 1 > MANUAL CLASSIFICATION
• How does it work?
• DHCP & OV Exchanges

SWITCH CONFIGURATION
• AP Management VLAN (ex. VLAN 40).
• VLAN 40 configured as untagged VLAN on port 1/1/1.

[Figure: AP on SWITCH port 1/1/1 (VLAN 40), DHCP SERVER and OV2500 (10.130.5.50)]

1. The AP sends a DHCP request.
2. The DHCP Server sends back an IP address to the AP + the IP address of the OV2500 Server via the Option 138 (must be configured in the DHCP server).
3. The AP device connects to the OV2500 Server via the MQTT protocol.
4. Once the AP device is trusted, the OV sends management information to the AP via the MQTT protocol.
METHOD 1 > MANUAL CLASSIFICATION

• Limitations
• The AP Management VLAN must be manually configured on the port(s) where the AP devices are connected.
• If a new AP is connected on a port, the AP Management VLAN AND the VLAN mapped to SSIDs must be assigned to this port manually.

[Figure: AP on port 1/1/1 and NEW AP on port 1/1/2, each in VLAN 40 and broadcasting the EMPLOYEES SSID (VLAN 20), GUESTS SSID (VLAN 30) and LAB SSID (VLAN 50)]

ACTUAL SWITCH CONFIGURATION
• AP Management VLAN (ex. VLAN 40), untagged on port 1/1/1.
• Employees VLAN (ex. VLAN 20), tagged on port 1/1/1.
• Guests VLAN (ex. VLAN 30), tagged on port 1/1/1.
• Labs VLAN (ex. VLAN 50), tagged on port 1/1/1.

NEW SWITCH CONFIGURATION
• AP Management VLAN (ex. VLAN 40), untagged on port 1/1/2.
• Employees VLAN (ex. VLAN 20), tagged on port 1/1/2.
• Guests VLAN (ex. VLAN 30), tagged on port 1/1/2.
• Labs VLAN (ex. VLAN 50), tagged on port 1/1/2.
METHOD 2
ON BOARDING WITH UNP (NO 802.1X)
METHOD 2 > ON BOARDING WITH UNP (NO 802.1X)

• Switch Configuration
• Built-In/Default Configuration
• “defaultWLANProfile” UNP
• Designated for classifying AP devices.
• Automatically assigned to a built-in UNP LLDP classification rule that recognizes and classifies AP devices into the “defaultWLANProfile” UNP.
• VLAN Configuration
• Create a VLAN that will serve as the management VLAN for the Stellar AP devices.
• UNP Configuration (VLAN Assignment)
• Configure the port(s) where the AP devices are connected as UNP ports.
• Map the “AP Management” VLAN to the “defaultWLANProfile” UNP.

• Switch Built-In/Default Configuration
• defaultWLANProfile UNP created.
• UNP LLDP Classification rule created.

• Configuration
• Create a VLAN for AP Management.
• Configure the port(s) where the AP devices are connected as UNP ports.
• Map this VLAN to the defaultWLANProfile UNP.
METHOD 2 > ON BOARDING WITH UNP (NO 802.1X)
• How does it work?
• LLDP Exchange

SWITCH CONFIGURATION
• AP Management VLAN (ex. VLAN 40).
• “Dummy” VLAN > 999.
• Port 1/1/1 configured as UNP port.
• VLAN 40 mapped to the defaultWLANProfile UNP.
• UPAM (OV Module) is declared as 802.1x Server.

[Figure: AP connected to SWITCH UNP port 1/1/1, first in VLAN 999, then in VLAN 40 once classified in the DEFAULTWLANPROFILE UNP]

1. The AP sends a LLDP-MED TLV that identifies the device as an AP.
2. When the AP is detected on the UNP port, it is automatically classified in the UNP “defaultWLANProfile” via the UNP LLDP rule.
3. The switch sends to the AP device the LLDP Port VLAN ID (VLAN which is mapped to the defaultWLANProfile UNP) and AP Location (derived from the switch information i.e. system location, system name…) TLVs.

This step is performed only if the AP Mode feature is enabled (enabled by default).
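How the management VLAN can be read from the switch's LLDP Port VLAN ID TLV (step 3 of the LLDP exchange), as an added Python example that is not part of the training material: it parses an LLDPDU and extracts the IEEE 802.1 organizationally specific Port VLAN ID TLV (type 127, OUI 00-80-C2, subtype 1). The sample LLDPDU, its MAC address and system name are constructed; VLAN 40 and port 1/1/1 are taken from the slide.

```python
import struct

TLV_END = 0
TLV_ORG_SPECIFIC = 127
OUI_IEEE_8021 = bytes.fromhex("0080c2")  # IEEE 802.1 organizationally specific TLVs
SUBTYPE_PORT_VLAN_ID = 1


def encode_tlv(tlv_type, value):
    """Build one TLV: 16-bit header (7-bit type + 9-bit length), then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 0x1FF:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(lldpdu):
    """Yield (type, value) for each TLV up to the End Of LLDPDU TLV."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(lldpdu):
            raise ValueError("TLV type %d is truncated" % tlv_type)
        if tlv_type == TLV_END:
            return
        yield tlv_type, lldpdu[offset:offset + length]
        offset += length


def port_vlan_id(lldpdu):
    """Return the PVID advertised by the switch, or None if the TLV is absent."""
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type != TLV_ORG_SPECIFIC or len(value) < 4:
            continue
        if value[:3] == OUI_IEEE_8021 and value[3] == SUBTYPE_PORT_VLAN_ID:
            if len(value) != 6:
                raise ValueError("Port VLAN ID TLV must carry a 2-byte PVID")
            return struct.unpack("!H", value[4:6])[0]
    return None


def check_management_vlan(lldpdu, expected_vlan):
    """Compare the advertised PVID with the VLAN mapped to defaultWLANProfile."""
    pvid = port_vlan_id(lldpdu)
    if pvid is None:
        return "no Port VLAN ID TLV received"
    if pvid != expected_vlan:
        return "PVID %d does not match expected VLAN %d" % (pvid, expected_vlan)
    return "ok"


# Constructed LLDPDU as a switch could send it on UNP port 1/1/1.
SAMPLE_LLDPDU = b"".join([
    encode_tlv(1, b"\x04" + bytes.fromhex("02005e000001")),  # Chassis ID, subtype 4 = MAC
    encode_tlv(2, b"\x05" + b"1/1/1"),                        # Port ID, subtype 5 = interface name
    encode_tlv(3, struct.pack("!H", 120)),                    # Time To Live, seconds
    encode_tlv(5, b"constructed-switch"),                     # System Name
    encode_tlv(TLV_ORG_SPECIFIC,
               OUI_IEEE_8021 + bytes([SUBTYPE_PORT_VLAN_ID]) + struct.pack("!H", 40)),
    encode_tlv(TLV_END, b""),
])

if __name__ == "__main__":
    print("advertised PVID:", port_vlan_id(SAMPLE_LLDPDU))
    print("check against VLAN 40:", check_management_vlan(SAMPLE_LLDPDU, 40))
```

A missing Port VLAN ID TLV on a UNP port is worth checking against the AP Mode feature and the VLAN mapping of the defaultWLANProfile UNP.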
METHOD 2 > ON BOARDING WITH UNP (NO 802.1X)
• How does it work?
• DHCP & OV Exchanges

[Figure: AP on SWITCH port 1/1/1 (VLAN 40, UNP DEFAULTWLANPROFILE), DHCP SERVER and OV2500 (10.130.5.50)]

4. The AP sends a DHCP request.
5. The DHCP Server sends back an IP address to the AP + the IP address of the OV2500 Server via the Option 138 (must be configured in the DHCP server).
6. The AP device connects to the OV2500 Server via the MQTT protocol.
7. Once the AP device is trusted, the OV sends management information to the AP via the MQTT protocol.
METHOD 2 > ON BOARDING WITH UNP (NO 802.1X)

• Limitations
• The AP device is not 802.1x authenticated
• If 802.1x is enabled on the port where the AP device is connected, and the AP device fails 802.1x authentication, the VLAN-tagged client traffic is trusted and forwarded on the UNP port:

[Figure: ROGUE AP broadcasting the EMPLOYEES SSID to a CLIENT DEVICE, connected to SWITCH port 1/1/1, with an 802.1X SERVER behind the switch]

1. The switch sends an EAP “Identity Request” frame to authenticate the AP.
2. If the AP device does not respond to the EAP frame, the switch identifies the AP device as non-802.1x (or non-supplicant) BUT the VLAN-tagged client traffic is still forwarded.
3. The VLAN-tagged client traffic is still trusted and forwarded on the network.
METHOD 3
ON BOARDING WITH UNP & 802.1X
METHOD 3 > ON BOARDING WITH UNP & 802.1X
• Switch Configuration
• Built-In/Default Configuration
• “defaultWLANProfile” UNP
• Designated for classifying Stellar AP devices.
• Automatically assigned to a built-in UNP LLDP classification rule that recognizes and classifies AP devices into the “defaultWLANProfile” UNP.
• VLAN Configuration
• Create a VLAN that will serve as the management VLAN for the Stellar AP devices.
• UNP Configuration (VLAN Assignment)
• Configure the port(s) where the AP devices are connected as UNP ports.
• Map the “AP Management” VLAN to the “defaultWLANProfile” UNP.

• Security Configuration
• Enable the AP Mode Secure
• The AP will answer to 802.1x authentication requests (802.1x client)
• If the AP’s 802.1x authentication succeeds, the switch will trust the traffic coming from the AP device.
• Declare the 802.1x Server which will be used to authenticate AP devices.

• Switch Built-In/Default Configuration
• defaultWLANProfile UNP created.
• UNP LLDP Classification rule created.

• Configuration
• Enable the AP Mode Secure feature*.
• Create a VLAN for AP Management.
• Configure the port(s) where the AP devices are connected as UNP ports.
• Map this VLAN to the defaultWLANProfile UNP.
• Declare the 802.1x Server.

* Note: the OmniAccess Stellar AP1101 does not support the AP Mode Secure feature.
METHOD 3 > ON BOARDING WITH UNP & 802.1X
• How does it work?
• LLDP Exchange

SWITCH CONFIGURATION
• AP Management VLAN (ex. VLAN 40).
• “Dummy” VLAN > 999.
• AP Mode Secure feature enabled.
• Port 1/1/1 configured as UNP port.
• VLAN 40 mapped to the defaultWLANProfile UNP.
• 802.1x Server is declared (ex. UPAM).

[Figure: AP connected to SWITCH UNP port 1/1/1, first in VLAN 999, then in VLAN 40 once classified in the DEFAULTWLANPROFILE UNP]

1. The AP sends a LLDP-MED TLV that identifies the device as an AP.
2. When the AP is detected on the UNP port, it is automatically classified in the UNP “defaultWLANProfile” via the UNP LLDP rule.
3. The switch sends to the AP device the LLDP Port VLAN ID (VLAN which is mapped to the defaultWLANProfile UNP) and AP Location (derived from the switch information i.e. system location, system name…) TLVs.

This step is performed only if the AP Mode feature is enabled (enabled by default).
METHOD 3 > ON BOARDING WITH UNP & 802.1X
• How does it work?
• 802.1x Exchange

[Figure: AP (AP MAC@) on SWITCH port 1/1/1 (VLAN 40, UNP DEFAULTWLANPROFILE) and 802.1X SERVER]

4. The switch sends an EAP “Identity Request” frame to authenticate the AP device.
The AP responds to 802.1x authentication requests only if the AP Mode Secure feature is enabled (disabled by default).
5. The AP device responds with an EAP “Identity Response” frame.
6. The 802.1x server sends the authentication result (ex. Success).

5 (no response). If the AP device does not respond to the EAP frames, the switch identifies the AP device as non-802.1x (or non-supplicant) and will attempt to authenticate the AP with other methods (if configured).
METHOD 3 > ON BOARDING WITH UNP & 802.1X
• Additional Information
• AP Authentication

[Figure: CLIENT DEVICE on the EMPLOYEES SSID of an AP connected to SWITCH port 1/1/1, with an 802.1X SERVER behind the switch, shown for a successful and a failed AP authentication]

When the AP authentication succeeds:
1. EAP Identity Request & Response exchange.
2. The 802.1x server sends the authentication result (ex. Success).
3. The VLAN-tagged client traffic is trusted and forwarded on the network (trust-tag = enabled).

When the AP authentication fails:
2. The 802.1x authentication fails (AP device does not respond to EAP frames, or is not identified).
3. The AP is not recognized as an AP by the switch. As a result, the VLAN-tagged client traffic is not trusted and thus, not forwarded on the network (trust-tag = disabled).
METHOD 3 > ON BOARDING WITH UNP & 802.1X
• How does it work?
• DHCP & OV Exchanges

[Figure: AP on SWITCH port 1/1/1 (VLAN 40, UNP DEFAULTWLANPROFILE), DHCP SERVER and OV2500 (10.130.5.50)]

7. The AP sends a DHCP request.
8. The DHCP Server sends back an IP address to the AP + the IP address of the OV2500 Server via the Option 138 (must be configured in the DHCP server).
9. The AP device connects to the OV2500 Server via MQTT protocol.
10. Once the AP device is trusted, the OV sends management information to the AP via MQTT protocol.
OMNIACCESS STELLAR WLAN
AP REGISTRATION
OBJECTIVES
Upon completion of this module, you will be able to:

• Register an AP with the manual Trust method
• Register an AP with the white list method
• Use the Discovery and Topology application
AP DISCOVERY
[Figure: sequence diagram between the Access Point, the DHCP Server and the OmniVista 2500]

• AP is connected to the network and powered on
• AP sends a DHCP request
• AP selects the Management VLAN through LLDP
• AP determines IP of OV2500 if option "138" is returned by DHCP server
• AP is set in "Enterprise" mode
• AP contacts OV2500 for registration
• OV2500 assigns an AP Group to the AP
• OV2500 applies the configuration to the AP
AP REGISTRATION
• AP always connects to the AP Registration Component in OV
• Same address as OV (DHCP option)
• AP is managed when Registration succeeds
• AP is Trusted
• Manually or automatically
• AP is Licensed
• Enough AP Licenses on OV
• Country Code matches RF profile CC
• AP is unmanaged when Registration fails
• AP is not Trusted
• AP is not Licensed
• Country Code does not match the Country Code from the RF Profile
• Configuration not applied & All Radios are off

[Flowchart: AP > Trusted? (N: Un-Trusted) > Licensed? (N: Un-Licensed) > CC Match? (N: CC Mismatch) > Assign AP Group > Apply Configuration. Successful Registration: MANAGED. Failed Registration: UNMANAGED.]


AP REGISTRATION

• The Registered APs are located under the Managed AP tab in Network > AP registration >
Access Point

• In case of Network growth, new APs are seen under the Unmanaged AP tab

• Trust the APs in order to register them
• Manually, with the Trust button
• Dynamically, by pre-provisioning the MAC address of the APs with the Add button

• The Trusted APs are then displayed under the Managed AP tab.


TROUBLESHOOTING
AP IS NOT SEEN IN THE « UNREGISTERED AP » TAB

• Check the Managed tab
• The AP has been manually added and is automatically moved to the “Managed AP” tab

• The AP did not contact OmniVista
• Check option 138 on the DHCP Server:
• Option 138 is missing
• Wrong IP address in the option 138

• Check the network infrastructure
• Management VLAN is missing
• Missing route in a L3 network
• “ip dhcp-relay” (IP of the DHCP server) not configured on the OmniSwitch

• OmniVista 2500 is not ready
• Check that all the OmniVista services are started from the Watchdog
• Expect a Status “Running” for all services
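One way to run the option 138 check on a captured DHCP Offer, as an added Python example that is not part of the training material: it walks the DHCP options field and reports the two failure causes listed above. It assumes the server encodes option 138 as a list of 4-byte IPv4 addresses (the RFC 5417 layout); the sample offers are constructed, and only 10.130.5.50 (the OV2500 address) comes from the slides.

```python
import ipaddress

MAGIC_COOKIE = bytes.fromhex("63825363")  # precedes the options in a DHCP packet
OPT_PAD, OPT_END, OPT_138 = 0, 255, 138


def parse_options(field):
    """Return {code: value} from a DHCP options field (magic cookie optional)."""
    if field.startswith(MAGIC_COOKIE):
        field = field[len(MAGIC_COOKIE):]
    options = {}
    i = 0
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:            # single byte, no length
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(field):
            raise ValueError("option %d has no length byte" % code)
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        # An option split across several instances is concatenated.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def option_138_addresses(options):
    """Decode option 138 as IPv4 addresses; None when the option is absent."""
    raw = options.get(OPT_138)
    if raw is None:
        return None
    if not raw or len(raw) % 4:
        raise ValueError("option 138 length %d is not a multiple of 4" % len(raw))
    return [ipaddress.IPv4Address(raw[j:j + 4]) for j in range(0, len(raw), 4)]


def diagnose(field, expected_ov_ip):
    """Map a captured offer to the troubleshooting causes from the slide."""
    addresses = option_138_addresses(parse_options(field))
    if addresses is None:
        return "Option 138 is missing"
    if ipaddress.IPv4Address(expected_ov_ip) not in addresses:
        return "Wrong IP address in the option 138"
    return "OK"


def opt(code, value):
    """Encode one option (helper used to build the constructed samples)."""
    return bytes([code, len(value)]) + value


def ip(text):
    return ipaddress.IPv4Address(text).packed


# Constructed DHCP Offer options for an AP in the management VLAN.
COMMON = (
    opt(53, b"\x02")                       # message type: Offer
    + opt(1, ip("255.255.255.224"))        # subnet mask (/27)
    + opt(3, ip("10.7.1.126"))             # router, constructed value
    + opt(51, (86400).to_bytes(4, "big"))  # lease time
)
GOOD_OFFER = MAGIC_COOKIE + COMMON + opt(OPT_138, ip("10.130.5.50")) + bytes([OPT_END])
WRONG_OFFER = MAGIC_COOKIE + COMMON + opt(OPT_138, ip("10.130.5.7")) + bytes([OPT_END])
NO_138_OFFER = MAGIC_COOKIE + COMMON + bytes([OPT_END])

if __name__ == "__main__":
    for name, offer in [("good", GOOD_OFFER), ("wrong", WRONG_OFFER), ("none", NO_138_OFFER)]:
        print(name, "->", diagnose(offer, "10.130.5.50"))
```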
OmniAccess Stellar WLAN
Stellar Access Points Discovery in the OmniVista 2500 NMS

Objective
✓ Learn how to discover the Stellar Access Points in the OmniVista 2500 NMS

Contents
1 Briefing
2 Configuring the VLANs & IP Interface
2.1. Creating the VLANs
2.1.1. Creating the MANAGEMENT VLAN (VLAN 40)
2.1.2. Verifying the VLAN Creation
2.2. Management VLAN IP Interface
2.2.1. Verifying the IP interface Creation
3 OmniSwitch additional Features
3.1. About the IP DHCP Relay address
3.2. About the Interfaces
3.3. Configuring the Features
3.3.1. On the Core Switch OS6860
3.3.2. On the OS6360
3.3.3. On the OS2360
4 Discovering the Stellar Access Points
4.1. Registering the Stellar Access Points
4.2. Adding the Stellar Access Points into an AP Group
5 Debriefing
6 Troubleshooting
6.1. Troubleshooting the Level 2
6.1.1. Checking the PoE
6.1.2. Checking the cables
6.1.3. Checking the VLAN(s)
6.2. Troubleshooting the Stellar AP
6.2.1. Resetting the Stellar AP
6.2.2. Checking the Stellar AP Mode (OV/Cluster)
6.2.3. Checking the Stellar AP DHCP Mode (DHCP/Static)
6.2.4. Checking the Option 138/43 in the DHCP Server
6.2.5. Checking the Stellar AP IP Address
6.2.6. Checking the OV information on the Stellar AP
6.3. Troubleshooting the Level 3
6.3.1. Checking the IP Interface
6.3.2. Pinging the Equipment
6.4. Discovering the Stellar AP
7 Annex: Configuring the Option 138
7.1. On Windows Server

1 Briefing
The OmniSwitches are now discovered by the OmniVista 2500, and ready to be configured. During this lab, we
will first setup some basic settings (VLAN, IP Interface, PoE…) on the Access OmniSwitches, then we will
launch the discovery process for the Access Points to be discovered in the OmniVista 2500.
[Figure: CURRENT TOPOLOGY]

[Figure: END OF LAB TOPOLOGY]

2 Configuring the VLANs & IP Interface

2.1. Creating the VLANs


First, let’s create the VLAN:
- VLAN 40 > MANAGEMENT: dedicated VLAN for the Stellar Access Points management.

Notes
The VLAN 1305 (BACKBONE) has already been created in a previous lab. It contains all the management equipment (OV, DHCP Server…).

To create this VLAN on the OmniSwitches, we will use the OmniVista 2500 VLAN Manager feature.

Configure the VLAN on the Access OmniSwitches 6860, 6360 and 2360.

2.1.1. Creating the MANAGEMENT VLAN (VLAN 40)

> Select CONFIGURATION > VLANS > VLAN


> Click on Create VLAN by Devices button

1. Devices Selection
> VLAN Overwrite: ENABLED
> VLAN IDs: 40
> VLAN(s) Description: MANAGEMENT
> Click on the Add/Remove Devices
> Click on Add All
> Click on OK
> Click on Next

2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next

3. Default Port Assignment


> For the OS6360 and OS2360, click on Add Port

> Select the port 1/1/6


> Click on OK
> Click on Next

4. Q-Tagged Port Assignment


> For the OS6860, click on Add Port
> Select the ports 1/1/3 and 1/1/8
> Click on OK
> For the OS2360, click on Add Port
> Select the port 1/1/8
> Click on OK
> For the OS6360, click on Add Port
> Select the port 1/1/3
> Click on OK
> Click on Next

5. Review
> Review the information
> Click on Create

Tips
The VLANs can also be created on the OmniSwitches via command lines (CLI). However, the VLAN Manager feature is particularly useful when the infrastructure is composed of many OmniSwitches and the same VLANs must be created on some (or all) of them.

2.1.2. Verifying the VLAN Creation

> Select CONFIGURATION > VLANS > VLAN


> Next to the information “0 Devices”, click on ADD > Use Switch Picker
> Select 1 OmniSwitch (6360 or 2360)
> Click on Add
> Click on OK

> Check that the VLAN 40 appears in the list


> The VLAN 1305, created in the previous lab, should
also appear.

2.2. Management VLAN IP Interface


The reset script used earlier has already configured an IP interface for the Management VLAN on the core
switch OS6860. This will be the IP interface for the management VLAN.

OS6860 > name: int_management | IP@: 10.7.X.126/27 | VLAN: 40


Notes
No IP interface is configured on the OmniSwitch 6360 and 2360 for the VLAN 40 (they will act as a “level 2” switch and will redirect all the level 3 traffic to the OmniSwitch 6860).

2.2.1. Verifying the IP interface Creation

> Select CONFIGURATION > VLANS > IP Interface


> Click on Select a device
> Select the OmniSwitch 6860
> Click on OK

The following result should be displayed:



3 OmniSwitch additional Features


The Stellar Access Points that we are going to use during this training need to:
- Receive an IP Address from the DHCP Server > IP DHCP Relay;
- Forward the Wi-Fi clients traffic to a default route > Static route;
- Have the switch interface where they are connected enabled;
- Receive power from the OmniSwitches > The Power over Ethernet (PoE) feature must be enabled.

Enable the interfaces where the Stellar Access Points are connected;
Restart the PoE feature on the OmniSwitches 6360 and 2360 to force the Stellar Access
Points to reboot.

3.1. About the IP DHCP Relay address


Once powered on, the Stellar Access Points will send a DHCP request on the VLAN 40. This request will be relayed by the core switch 6860 to the DHCP Server on the VLAN 1305.
The DHCP Server will then send a DHCP Offer with the option 138 (IP address of the OmniVista 2500). Once this option is received, the Stellar Access Point will work in Enterprise mode.

Notes
The DHCP relay feature is not configured on the OmniSwitch 6360 and 2360. These access OmniSwitches will act as a “level 2” switch and will send the DHCP request to the OmniSwitch 6860, which will relay it to the DHCP Server.

Tips > Option 138


To learn how to configure the Option 138 on a Windows Server, see the Annex: Configuring the Option 138.

3.2. About the Interfaces


The Stellar Access Points are connected to the interface 1/1/6 of each OmniSwitch.

3.3. Configuring the Features

3.3.1. On the Core Switch OS6860

The OS6860 is pre-configured with the DHCP relay and static route.

Notes
For your information, the CLI commands used to configure these two features are the following:
> ip dhcp relay destination 10.130.5.7
> ip dhcp relay admin-state enable
> ip static-route 0.0.0.0/0 gateway 10.130.5.253

3.3.2. On the OS6360

> Select CONFIGURATION > CLI SCRIPTING > Terminal


> Click on Browse
> Select 10.130.5.22X (OS6360)
> Click on OK
> Enter the username/password: admin/switch
> Click on OK
You are now connected to the OS6360. Enter the following commands to enable the interface and the PoE (stop/start the PoE to force the AP to reboot):
> interfaces 1/1/6 admin-state enable
> lanpower slot 1/1 service stop
> lanpower slot 1/1 service start

3.3.3. On the OS2360


> Select CONFIGURATION > CLI SCRIPTING > Terminal
> Click on Browse
> Select 10.130.5.24X (OS2360)
> Click on OK
> Enter the username/password: admin/switch
> Click on OK
You are now connected to the OS2360. Enter the following commands to enable the interface and the PoE (stop/start the PoE to force the AP to reboot):
> interfaces 1/1/6 admin-state enable
> lanpower slot 1/1 service stop
> lanpower slot 1/1 service start

The Access OmniSwitches are now completely configured. In the next part, we will discover the Stellar Access
Points in the OmniVista 2500 NMS.

4 Discovering the Stellar Access Points


Discover the Stellar Access Points in the OmniVista 2500
Add the Stellar Access Points in a new AP Group “APGX” (X = R-Lab Number)

4.1. Registering the Stellar Access Points


Now, let’s discover the Stellar Access Points.

> Select NETWORK > AP REGISTRATION > Access Points


> Select Country/Region = FR-France (selecting your own country code here may lead to compatibility
problem with the Stellar APs used in this infrastructure! See the WARNING section below to learn why)
> Select your Timezone
> Click on OK

Warning
DO NOT CHOOSE THE COUNTRY CODE USA, JAPAN OR ISRAEL AS THE STELLAR ACCESS POINTS USED IN THE
REMOTE LAB ARE NOT COMPATIBLE WITH THESE COUNTRY CODES.

> Click on Managed AP


> Check that 2 APs are displayed (AP1301 & AP1321: 10.7.X… with X = R-Lab number)

IF THEY DON’T APPEAR IN THE MANAGED AP TAB

> Click on Unmanaged AP


> Check that 2 APs are displayed (AP1301 & AP1321: 10.7.X… with X = R-Lab number)
> Select both
> Click on Change to Trust Status
> Click on OK
> Check that the Operation Status = Successful, then click on OK

4.2. Adding the Stellar Access Points into an AP Group

OmniVista does not manage individual APs. You must first add APs to AP Groups. The attributes configured
for the AP Group (e.g., Management VLAN, RF Profile) are applied to all APs in the group.
Once the APs are assigned to a group, you configure the APs in OmniVista (e.g., Notification traps,
Resource Manager backups) by applying the configuration to the AP Group.
In OmniVista applications (e.g., Notifications, Resource Manager), rather than presenting the user with
individual APs when applying a configuration (as is done with AOS Devices), OmniVista presents the user
with the option of applying a configuration to AOS Devices and/or AP Groups.
Any configuration applied to an AP Group is applied to all APs in the group.

When an AP initially registers with OmniVista, the AP is placed into a pre-configured “Default” AP Group.
Let’s begin by creating the AP Group:

> Select NETWORK > AP REGISTRATION > AP Group


> Click on the + button
> Group name: APGX (X = R-Lab number)
> Skip all the other parameters and read the Tips section below
> Click on Create

Tips
As you can see, several settings can be managed in the AP Group properties. Take the time to learn more about
each of them by clicking on the Help button

WARNING
DO NOT ENABLE THE “ L GIN” SETTING

Now, let’s insert the APs in the AP Group:

> Select NETWORK > AP REGISTRATION > Access Points


> Select both APs

> Click on then Change Group


> Group name: APGX (X = R-Lab number)
> Click on Apply
> Check the status, then click on OK

5 Debriefing
During this lab, we have created the Management VLAN, which contains all the management data used by the
Access Points. We have also created a “trash” VLAN, which will contain all the “faulty” devices (not
authenticated, quarantined…). Then, we have enabled the PoE on the OmniSwitches to provide power to the
Access Points, and the IP Helper feature to redirect the APs DHCP requests to the DHCP Server. And finally,
we have discovered the Stellar Access Points in the OmniVista 2500 NMS. These Access Points can now be
managed from the OmniVista 2500 GUI.


6 Troubleshooting
In this part, we will cover the process to follow if the Stellar AP is not discovered in the OmniVista 2500. We
will use the exact same infrastructure as above:

[Figure: lab infrastructure diagram]

6.1. Troubleshooting the Level 2

6.1.1. Checking the PoE


Make sure that the PoE is enabled on the port where the Stellar AP is plugged:

OMNISWITCH
AOS -> show lanpower slot 1/1
Port Maximum(mW) Actual Used(mW) Status Priority On/Off Class Type
----+-----------+---------------+-----------+---------+--------+-------+----------
1 60000 0 Searching Low ON *
2 60000 0 Searching Low ON *
6 60000 6800 Powered On Low ON *

6.1.2. Checking the cables


Make sure that the cables are correctly plugged and recognized:

OMNISWITCH
AOS -> show interfaces 1/1/6
Chassis/Slot/Port 1/1/6 :
Operational Status : up,
Last Time Link Changed : Thu Oct 17 13:26:55 2019,
Number of Status Change: 23,
Type : Ethernet,
SFP/XFP : N/A,
EPP : Disabled,
Link-Quality : N/A,
MAC address : 2c:fa:a2:1b:18:58,

BandWidth (Megabits) : 1000, Duplex : Full,


Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 9216,

6.1.3. Checking the VLAN(s)


Then, check that the Management VLAN is set as default VLAN on the port where the Stellar AP is plugged
(in this example, the Management VLAN is the VLAN 40):

OMNISWITCH 6860
AOS -> show vlan members port 1/1/6
vlan type status
--------+-----------+---------------
40 default forwarding

6.2. Troubleshooting the Stellar AP


The Stellar console access is deactivated in Enterprise mode for the application Configuration > CLI
Scripting > Terminal.
To activate the SSH console connection on OV2500, go to Network > AP Registration > AP Group, edit the
AP Group and change the support and root passwords.

Use the APs' console connections on the desktop and do not change the passwords in the AP Group.

6.2.1. Resetting the Stellar AP


A good way to start the troubleshooting of a Stellar AP is to ensure that it has been reset to its factory
settings.
- If you can access the Stellar AP:
Stellar AP
> Plug the AP to a PoE port
> Press the Reset button at the rear of the AP for 6 seconds (until the LED blinks red)

- If you can’t access the Stellar AP, but have access to its Serial port:
PC
> Open a serial connection (using software such as PuTTY, Tera Term…)
> Baud rate: 115200
> Data bits: 8
> Parity: None
> Stop bits: 1

> login: support


> password: aos2016

Reset the Stellar AP to its factory settings


support@AP-0E:E0:~$ ssudo firstboot
This will erase all settings and remove any installed packages. Are you sure [N/y]? y
support@AP-0E:E0:~$ ssudo reboot

6.2.2. Checking the Stellar AP Mode (OV/Cluster)


To register to the OmniVista, the Stellar AP must run in OV mode:

Stellar Serial Console (logged as support)


support@AP-0E:E0:~$ getmode
OV

6.2.3. Checking the Stellar AP DHCP Mode (DHCP/Static)


The DHCP Server sends the OmniVista IP address to the Stellar AP via a specific option (138/43). To ensure
that the Stellar AP is in DHCP mode:

Stellar Serial Console (logged as support)


support@AP-0E:E0:~$ cat /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd66:ce37:fd0b::/48'

config interface 'wan'
    option ifname 'eth0'
    option type 'bridge'
    option proto 'dhcp'
    option force_link '1'

6.2.4. Checking the Option 138/43 in the DHCP Server


Make sure that the option 138/43 has been configured in the DHCP Server, and its value corresponds to
the OmniVista Server IP address:

Notes
If at the end of this step, the result of the “getovmode” command is not the IP address of the OmniVista Server
2500:
- Launch a tcpdump trace: cd /tmp, then tcpdump -i br-wan -s0 -w trace.pcap
- Transfer the trace via TFTP on a computer, to open it with Wireshark: tftp -pl trace.pcap 10.130.5.123
- Check that the option 138 or 43 is available in the DHCP Offer sent to the Stellar AP
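
The last check in the note above (is option 138 or 43 present in the DHCP Offer, and does it carry the OmniVista address?) can be scripted on the captured Offer. The Python below is an added example, not part of the original guide or of any ALE tool; it assumes option 138 holds one or more 4-byte IPv4 addresses (the annex defines it with data type "IP Address") and only reports option 43 as raw bytes, since the guide does not describe its encoding. The packets are constructed from the lab addresses used in this guide, and all function names are this example's own.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236  # BOOTP header (op .. file) that precedes the magic cookie


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from the UDP payload of a DHCP message."""
    if len(payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("payload too short for a BOOTP header")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != DHCP_MAGIC:
        raise ValueError("DHCP magic cookie not found")
    options, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 0:        # Pad option: single byte, no length
            i += 1
            continue
        if code == 255:      # End option
            break
        if i + 1 >= len(payload):
            raise ValueError(f"option {code}: length byte missing")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        # RFC 3396: an option split over several instances is concatenated
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def check_offer(payload: bytes, expected_ov_ip: str) -> dict:
    """Check a DHCP Offer for the OmniVista address in option 138 (or 43)."""
    opts = parse_dhcp_options(payload)
    expected = str(ipaddress.IPv4Address(expected_ov_ip))
    raw138, raw43 = opts.get(138), opts.get(43)
    result = {
        "is_offer": opts.get(53) == b"\x02",   # option 53 = message type, 2 = Offer
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "opt138": [],
        "opt43_hex": raw43.hex() if raw43 is not None else None,
    }
    if raw138 is not None:
        if not raw138 or len(raw138) % 4:
            result["verdict"] = "malformed-138"
            return result
        result["opt138"] = [str(ipaddress.IPv4Address(raw138[j:j + 4]))
                            for j in range(0, len(raw138), 4)]
    if not result["is_offer"]:
        result["verdict"] = "not-an-offer"
    elif expected in result["opt138"]:
        result["verdict"] = "ok"
    elif result["opt138"]:
        result["verdict"] = "mismatch"      # AP would register to another server
    elif raw43 is not None:
        result["verdict"] = "inspect-43"    # encoding not given in the guide: compare by hand
    else:
        result["verdict"] = "missing"
    return result


def build_offer(options) -> bytes:
    """Build a constructed DHCP Offer (lab addresses from this guide) for the demo."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                   # BOOTREPLY, Ethernet, MAC length, hops
        0x12345678, 0, 0,                             # xid, secs, flags
        bytes(4),                                     # ciaddr
        ipaddress.IPv4Address("10.7.0.101").packed,   # yiaddr: address offered to the AP
        bytes(4),                                     # siaddr
        ipaddress.IPv4Address("10.7.0.126").packed,   # giaddr: relay (IP Helper) interface
        bytes.fromhex("dc0856000ee0"),                # chaddr: AP MAC address
        b"", b"",                                     # sname, file
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + DHCP_MAGIC + body + b"\xff"


# Constructed sample packets
OV_IP = "10.130.5.50"
BASE = [(53, b"\x02"),
        (1, ipaddress.IPv4Address("255.255.255.224").packed),
        (3, ipaddress.IPv4Address("10.7.0.126").packed)]
GOOD_OFFER = build_offer(BASE + [(138, ipaddress.IPv4Address(OV_IP).packed)])
WRONG_OFFER = build_offer(BASE + [(138, ipaddress.IPv4Address("10.130.5.51").packed)])
BARE_OFFER = build_offer(BASE)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("wrong", WRONG_OFFER), ("bare", BARE_OFFER)):
        print(name, check_offer(pkt, OV_IP))
```

The input is the BOOTP/DHCP message itself (the UDP payload of the Offer), not the whole pcap file. A "mismatch" verdict means the AP would try to register with a server other than the expected OmniVista.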

6.2.5. Checking the Stellar AP IP Address


Stellar Serial Console (logged as support)
support@AP-0E:E0:~$ ssudo ifconfig br-wan
br-wan Link encap:Ethernet HWaddr DC:08:56:00:0E:E0
inet addr:10.7.0.101 Bcast:10.7.0.127 Mask:255.255.255.224
inet6 addr: fe80::de08:56ff:fe00:ee0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:344756 errors:0 dropped:0 overruns:0 frame:0
TX packets:163725 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24497756 (23.3 MiB) TX bytes:27208952 (25.9 MiB)

6.2.6. Checking the OV information on the Stellar AP


Once configured in DHCP mode, the Stellar AP should receive the OmniVista IP address information from
the DHCP server (via the option 138 or 43).
Make sure that the OmniVista IP address is the correct one on the Stellar AP:

Stellar Serial Console (logged as support)


support@AP-0E:E0:~$ getovinfo
10.130.5.50

6.3. Troubleshooting the Level 3

6.3.1. Checking the IP Interface


Check that the IP interface is correctly configured on the OmniSwitch, and that its status is UP:

OMNISWITCH 6860
AOS(R6/R8) -> show ip interface
Total 6 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
int_management 10.7.0.126 255.255.255.224 UP YES vlan 40

6.3.2. Pinging the Equipment


Once the equipment IP configuration has been checked, make sure that the devices can ping each other:
- Ping from the Stellar AP to the OmniVista 2500:

PING FROM THE STELLAR AP TO THE OMNIVISTA 2500


support@AP-0E:E0:~$ ssudo ping 10.7.0.126
PING 10.7.0.126 (10.7.0.126): 56 data bytes
64 bytes from 10.7.0.126: seq=0 ttl=64 time=1.055 ms
64 bytes from 10.7.0.126: seq=1 ttl=64 time=1.065 ms
64 bytes from 10.7.0.126: seq=2 ttl=64 time=1.121 ms
64 bytes from 10.7.0.126: seq=3 ttl=64 time=1.075 ms

- Ping from the OmniVista 2500 Server to the Stellar AP:

OmniVista 2500 Console


From the Virtual Appliance Menu, select [10] Advanced Mode

From the CLI, launch a ping to the Stellar AP IP address

6.4. Discovering the Stellar AP


To launch a new discovery:

> Open a Web Browser


> Type the OV2500 IP address in the URL bar: 10.130.5.5X (X = R-Lab Number)
> Username/Password: admin/switch

> Select NETWORK > AP REGISTRATION > Access Points


> Click on Managed AP
> Check that 2 APs are displayed (AP1301 & AP1321: 10.7.X… with X = R-Lab number)

IF THEY DON’T APPEAR IN THE MANAGED AP TAB

> Click on Unmanaged AP


> Check that 2 APs are displayed (AP1301 & AP1321: 10.7.X… with X = R-Lab number)
> Select both
> Click on Change to Trust Status
> Click on OK
> Check that the Operation Status = Successful, then click on OK

7 Annex: Configuring the Option 138

7.1. On Windows Server

> Go to Control Panel > Administrative Tools


> Double click on DHCP
> Right click on IPv4
> Select Set Predefined Options…

> Click on Add…


> Name: Stellar-AP
> Data type: IP Address
> Code: 138
> Click on OK

> Select <Server FQDN> > Scope > Scope Options


> Right click on the main area > Configure Options
> Select the option 138
> Enter the OmniVista 2500 IP Address
> Click on OK
OMNIACCESS STELLAR WIRELESS LAN
SSID CREATION

LESSON SUMMARY
Upon completion of this module, you will be able to:

• SSID Creation
- At the end of this presentation you will be able to:
Understand the SSID Usage profile
Create a new SSID
SSID CREATION

• How to create a new SSID?


• WLAN → « SSID » or « WLAN service (expert) »

• SSID
• Wizard driven tool.
• Pre-defined Usage (Guest, Employee, BYOD,…).
• All the configuration is performed from the wizard.
→ Recommended mode

• WLAN service (expert)


• Manual configuration.
• Profiles, policies, users configured independently and then assigned to the WLAN service.
→ Limited usage for specific SSIDs.
SSID
SSID WIZARD – STEP 1 « CREATE SSID »
• Name the « SSID Service »
• Unique name to identify a wireless service
• Multiple SSID services can share the same SSID name

• Name the SSID


• Unique SSID name broadcasted in the air

• Select the SSID Usage


• Each usage leads to a predefined template

• Depending on the usage selected, one of these options can be enabled:
• Enable BYOD Registration
• Use the Captive Portal
SSID USAGE TEMPLATES
[Figure: SSID usage templates. For each SSID security level (Open or MAC; 802.1X or MAC followed by 802.1X; Pre-Shared Key (PSK)), a "Captive Portal?" or "Captive Portal BYOD?" choice (Y/N) selects the usage template. Outcomes shown include Guest Captive Portal, 802.1X followed by Captive Portal BYOD, PSK followed by Captive Portal Guest and PSK followed by Captive Portal BYOD.]


SSID WIZARD – STEP 2 « CUSTOMIZE SSID »
• SSID Usage defines the parameters displayed.

• Minimal configuration contains:


• Basic Parameters
• Allowed Band: 2.4GHz, 5GHz, 6GHz
• Optional - Security Settings (Pre-Shared Key, Encryption type,…)

• Default VLAN/Network
• VLAN assigned to the SSID
• Optional - ACL/QoS rules applied to the SSID

• Authentication Strategy
• Select the Authentication source in «Advanced Configuration»
(Local Database, External Radius, LDAP/AD)
• Optional - Use the links «Manage Guest Accounts» to create new
users in the local database
• Optional – Select the RADIUS server used by the SSID
SSID WIZARD – STEP 2 « CUSTOMIZE SSID »
• VLAN options:

• Default VLAN
• Single VLAN assigned to the SSID

VLAN 20

• VLAN Pooling
• Pool of VLAN assigned to the SSID
• Avoid large broadcast domain with a single VLAN
VLAN 20

VLAN 30

VLAN 40
SSID WIZARD – STEP 2 - ACCESS ROLE PROFILE
[Figure: Access Role Profile. A new user « Employee » is matched to the Employee profile among Guest, Employee and BYOD.]
• VLAN ID : Employee (20)
• QoS :
• Policy List : Full-Access
• Bandwidth : 10Mbit/s max
SSID WIZARD – STEP 2 « CUSTOMIZE SSID »

• Based on the SSID Usage, optional strategies:

• Guest Access Strategy


• Configure access attributes for guest users:
• Link Customize Portal Page to change the appearance of the
Captive Portal
• Customize: Set the Login method (login & password, Access
code, Terms & Conditions), self registration.

• BYOD Access Strategy


• Configure access attributes for BYOD users:
• Link Manage Employee Account creates new users in the
local database
• Link Customize Portal Page to change the appearance of the
Captive Portal
• Customize: Set the Portal Page template, the Employee
Database used for the authentication, URL Redirection on
success
SSID WIZARD – STEP 3 « AP GROUP ASSIGNMENT & SCHEDULE »
• Apply the SSID to one or multiple AP Group(s)
• Schedule the SSID broadcast: when is the SSID broadcasted by the AP?
• Always available by default

AUTHENTICATION
AUTHENTICATION SECURITY LEVEL - REMINDER

[Figure: Level of Trust by Authentication Method]

• Open + Captive Portal
• Cons: No Security
• Pros: Followed by Captive Portal, any type of device can be authenticated
• MAC authentication
• Cons: MAC can be spoofed, no traffic encryption
• Pros: Available for basic wireless devices (printers, scanners,…)
• WPA/WPA2/WPA3 Personal = Pre-Shared Key (PSK)
• Pros: Easy set up, strong keys can be difficult to hack
• Cons: But all keys can be hacked or stolen (key shared by all users)
• WPA/WPA2/WPA3 Enterprise = 802.1X
• Pros: Strongest security, ease of Management, scalability
• Cons: More configuration during initial setup (server, users)
SECURITY – WPA3
◼ Wi-Fi Alliance new Security Standard
◼ Released in 2018, available on new end-user devices in 2019
◼ All Stellar APs are WPA3 compatible with software upgrade

WLAN PERSONAL
◼ WPA/WPA2-Personal PSK (Pre-Shared Key) replaced by WPA3-Personal SAE (Simultaneous Authentication of Equals)
⚫ Stronger Encryption Key (128 bits)
⚫ Offline dictionary attack resistance
⚫ No additional complexity to connect (user side)

WLAN ENTERPRISE
◼ WPA/WPA2-Enterprise replaced by WPA3-Enterprise
⚫ Optional 192-bit security mode (CNSA option)
□ CNSA enabled: Only wpa3 client authorized on the SSID
□ CNSA disabled: wpa2 or wpa3 clients authorized on the SSID
□ CNSA option not enabled on AP1101 only
WLAN SERVICE (EXPERT)
PROFILE AND SERVICE LIST
[Figure: profile and service list. Elements shown: WLAN Service, SSID, Access Policy, Access Role Profile, AAA Profile, Authentication Strategy, VLAN ID, AP Group, RF Profile and Specific RF Profile, linked by "Associate to", "Map to" and "Assign" relations.]

WLAN SERVICE (EXPERT)
• WLAN Service is used to create specific SSIDs not listed in the Simple SSID tools. It contains the following attributes:
• Basic
• Enable SSID
• Hide SSID
• Set the Allowed Bands (2.4G , 5G)
• Security Settings
• Level (Open, Enterprise, Personal)
• MAC Auth
• AAA Profile
• Classification Status
• MAC Pass Alt
• Default Access Role Profile
• Advanced
• QoS Settings
WLAN SERVICE SECURITY SETTINGS

• In the Security Settings Section you must choose a Security Level


• Open, Enterprise, Personal

• You must also set a Default Access Role Profile


• A default WLAN Profile already exists
• You can create additional Profiles as needed

• Optional Security Settings are


• MAC Auth
• AAA Profile
• Classification Status
• MAC Pass Alt
WLAN SERVICE SECURITY SETTINGS PARAMETERS

• The input fields for the Security Settings change depending on which Security Level you choose
• Enterprise
• Need to specify Encryption Type
• DYNAMIC_WEP, WPA_TKIP, WPA_AES, WPA2_TKIP, WPA2_AES, WPA3_AES
• 802.1x Bypass is an optional field
• MAC Allow EAP is optional
• AAA Profile is a mandatory field
• Personal
• Encryption type is mandatory
• WPA_PSK_TKIP, WPA_PSK_AES, WPA_PSK_AES_TKIP, WPA2_PSK_TKIP, WPA2_PSK_AES, WPA3_SAE_AES, WPA3_PSK_SAE_AES
• Passphrase is mandatory
• Key Format
• AAA Profile is mandatory
WLAN SERVICE AND ACCESS ROLE PROFILE

• The field Default Access Role Profile is mandatory in the WLAN Service
• An Access Role Profile contains the various UNP properties for the users assigned to this
profile
• QOS Policy List
• Captive Portal Authentication
• Bandwidth Controls
• The Default Access Role Profile is assigned to the VLAN ID of the SSID
• Ex: If Guest SSID uses the VLAN 10 → Assign the Access Role Profile to the VLAN 10
WLAN SERVICE AND AAA SERVER PROFILE

• An AAA Server Profile is mandatory when the security level is set to Enterprise or Personal
• The AAA Server Profile defines
• 802.1x Authentication Servers
• MAC Authentication Servers
• Captive Portal Authentication Servers
• Accounting Servers
• The Default UPAM Server can be chosen by default
EXTERNAL CAPTIVE PORTAL INTEGRATION

• Leading hotel groups, large retail chains, restaurant chains, and shopping malls reinforce
their brands by leveraging their existing Wi-Fi networks to provide better indoor mobile
experiences.

• Both Stellar Express and Enterprise support External Captive Portal with External Captive
Portal and MAC authentication enabled.
CONFIGURATION REQUIRED
Both External Captive Portal and MAC authentication enabled
⚫ If MAC authentication fails : Captive Portal Enforcement
⚫ If MAC authentication succeeds : No Captive Portal enforcement

• WLAN Service • Access Role Profile


OmniAccess Stellar WLAN
Creation of a Secured Employee SSID

Objective
✓ Learn how to create a secured Employee SSID

Contents
1 Briefing
2 Creating the Service VLAN & IP Interface
2.1. Creating the Service VLAN
2.2. Employee IP Interface
3 Creating the Employees SSID
3.1. Creating the EmployeesX SSID
3.2. Creating an Employee Account
3.3. Back to… Creating the EmployeesX SSID
3.4. Assigning the SSID to the AP Group
4 Testing the Employees SSID
4.1. Setting Up the Linux Client to Connect to the EmployeesX SSID
4.2. Verifying the connection
5 Monitoring the Connections
5.1. UPAM Monitoring
5.2. WLAN Menu
5.2.1. Wireless Client List
5.2.2. Client Session
6 Debriefing
7 Troubleshooting
7.1. Troubleshooting the Stellar AP
7.1.1. Checking the wireless configuration
7.1.2. Checking the Wi-Fi Channel
7.1.3. Checking the interface transmission power
7.1.4. Checking the interface bitrate
7.2. Client Information
7.2.1. Listing the client(s) associated with the AP
7.2.2. Checking the access logs of a specific client
7.2.3. Checking the 802.1x Authentication
8 Annex: WLAN Service (Expert)
8.1.1. Creation of a WLAN Service profile (SSID)
8.1.2. AAA Server Profile
8.1.3. Access Role Profile
8.1.4. Apply the Access Role Profile to the Stellar APs
8.1.5. Authentication Strategy
8.1.6. Access Policy configuration

1 Briefing
Now that all the devices have been discovered in the OmniVista 2500 NMS, let’s create multiple SSIDs
(employee, guest…). In this first lab, we will focus on how to create a secured Employee SSID.

[Figure: current topology]

[Figure: end-of-lab topology]

Creating an SSID can be broken down into several steps:

1. Create the VLAN 20. This VLAN will service the SSID “EmployeeX” (X = R-Lab Number). It will be
tagged from the Access Points to the Access OmniSwitches (2360 and 6360), and over the link to the
OmniSwitch 6860.
2. Create the SSID and configure its options.

2 Creating the Service VLAN & IP Interface


Before creating the Employee SSID, let’s create the VLAN and IP interface that will be associated to this SSID
EmployeeX (X= R-Lab number) and that will carry the employee traffic.

2.1. Creating the Service VLAN

Create the VLAN 20 on the OmniSwitches 6860, 6360 and 2360.

To create the VLAN 20 on both OmniSwitches, we will use the OmniVista 2500 VLAN Manager feature:

> Select CONFIGURATION > VLANS > VLAN


> Click on Create VLAN by Devices button

1. Devices Selection
> VLAN Overwrite: ENABLED
> VLAN IDs: 20
> VLAN(s) Description: EMPLOYEES
> Click on the Add/Remove Devices
> Click on Add All
> Click on OK
> Click on Next

2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next

3. Default Port Assignment


> Skip this step (click Next)

4. Q-Tagged Port Assignment


> For the OS6860, click on Add Port
> Select the ports 1/1/3 & 1/1/8
> Click on OK

> For the OS6360, click on Add Port


> Select the ports 1/1/3 & 1/1/6
> Click on OK
> For the OS2360, click on Add Port
> Select the ports 1/1/8 & 1/1/6
> Click on OK
> Click on Next

5. Review
> Review the information
> Click on Create

Tips
The VLANs can also be created on the OmniSwitches via the command line (CLI). The VLAN Manager feature
is most useful when the infrastructure is composed of several OmniSwitches and the same VLANs
must be created on some or all of them.

2.2. Employee IP Interface


The core OmniSwitch 6860 is pre-configured with an IP interface 10.7.X.62/27 for the VLAN Employee.
This IP interface is required to forward the DHCP requests from the clients to the DHCP server.

The IP interface “int_employee” is pre-configured on the OmniSwitch 6860.

3 Creating the Employees SSID


Now that we have the Employee VLAN and the associated IP interface, let’s create the Employee SSID:

3.1. Creating the EmployeesX SSID

Create the SSID EmployeesX (X = R-Lab Number)

> Select WLAN > SSIDs > SSIDs


> Click on the + button
> SSID Service Name: EmployeesX (X = R-Lab number)
> SSID: <filled automatically>
> Usage: Enterprise Network for Employees (802.1X)
> Click on Create & Customize

Notes > About the “Usage”

During the SSID creation, a “Usage” is asked. When you select a Usage, relevant related default configurations
(Access Policy, Authentication Strategy, …) are automatically created.
Of course, these configurations can be customized. Check the OV2500 dedicated Help for more information.

> Allowed Band: 2.4GHz and 5GHz


> Encryption Type: WPA3_AES

Tips > Help Menu


As you can see, several settings can be managed in the SSID Creation properties. Take the time to learn more
about each of them by clicking on the Help button

Notes > UPAMRadiusServer


In this lab, for all the types of authentication, we will use the UPAM platform (Unified Policy Authentication
Manager) embedded in the OmniVista 2500.
UPAM is a unified access management platform for both AOS Switch Series devices and Stellar AP Series
devices. UPAM supports both captive portal server and RADIUS server; and can be used to implement multiple
authentication methods, such as MAC authentication, 802.1X authentication, and captive portal authentication.

Authentication Strategy
> RADIUS Server: UPAMRadiusServer
> Click on Manage Employee Accounts

3.2. Creating an Employee Account

Create the Employee account

> Click on the + button


> Username: Employee
> Password: password
> Repeat Password: password
> Click on Create
> Click on Close

Tips > Importing Employee Accounts Information


You can automatically import a xls/csv/xlsx file containing Employee Account information
by clicking on the Import button at the top of the screen. You can also download a template by
clicking on the import button then clicking on the template Download button.

3.3. Back to… Creating the EmployeesX SSID


Default VLAN/Network
> VLAN ID: 20
> Click on Save and Apply to AP Group

3.4. Assigning the SSID to the AP Group

Assign the freshly created SSID EmployeesX to the AP Group APGX created in the
previous lab

Now that the SSID EmployeeX has been created, the last step consists in assigning it to one or several AP
Group(s):

AP Group Assignment and Schedule


> Click on Change Selection
> Remove default group from the SELECTED tab
> Move APGX (X = R-Lab Number) from AVAILABLE to SELECTED
> Click on OK
> Click on Apply
> Check the result on the page that is displayed

Tips > Setting a Schedule


By default, the availability schedule for AP Groups is set to "Always Available". However, you can schedule
availability for specific times/days of the week. You can set the same availability schedule for all selected AP
Groups, or set different schedules for each group.

Now that we have finished the configuration of the SSID, let’s test it!

4 Testing the Employees SSID

Test the EmployeesX SSID by connecting on it via the Employee account

4.1. Setting Up the Linux Client to Connect to the EmployeesX SSID


Connect to the SSID EmployeesX:

StellarClientX Raspberry Pi

Left-click on the icon (top right)

Select the SSID EmployeesX (X = R-Lab Number)
Check under “More Networks” if it is not displayed.

Configure the SSID parameters with:

Authentication: Protected EAP
Check No CA certificate
PEAP version: Automatic
Inner Auth: MSCHAPv2

Enter the credentials:

Username: Employee
Password: password

Click on Connect

A Notification informs you that the client is connected to the SSID
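
With the client settings above (PEAP, MSCHAPv2, "No CA certificate" checked), the client does not verify the certificate of the RADIUS server it authenticates to, which is acceptable in the remote lab but worth checking on any profile reused elsewhere. As an added example (not part of the original guide), the Python below audits a NetworkManager keyfile for that condition. It assumes the Raspberry Pi client stores the connection as a NetworkManager profile; the two profiles, the CA path and the server name are constructed for illustration.

```python
import configparser

# Constructed keyfile matching the lab's choices: PEAP, MSCHAPv2, no CA certificate.
LAB_PROFILE = """\
[connection]
id=Employees0
type=wifi

[wifi]
ssid=Employees0

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=Employee
phase2-auth=mschapv2
password=password
"""

# Constructed variant with server validation; CA path and server name are hypothetical.
VALIDATING_PROFILE = LAB_PROFILE.replace("password=password\n", "password-flags=1\n") + """\
ca-cert=/etc/ssl/certs/lab-radius-ca.pem
domain-suffix-match=radius.lab.example
"""

PASSWORD_INNER = {"mschapv2", "mschap", "chap", "pap", "gtc"}
SERVER_NAME_KEYS = ("domain-suffix-match", "domain-match", "altsubject-matches")


def audit_8021x(keyfile_text: str) -> list:
    """Return a list of findings for the [802-1x] section of a NetworkManager keyfile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return ["no-802-1x-section"]
    dot1x = cp["802-1x"]

    # 'eap' is a semicolon-separated list in keyfile syntax (e.g. "peap;")
    methods = {m.strip().lower() for m in dot1x.get("eap", "").split(";") if m.strip()}
    has_ca = (bool(dot1x.get("ca-cert", "").strip())
              or dot1x.get("system-ca-certs", "false").strip().lower() == "true")
    names_server = any(dot1x.get(key, "").strip() for key in SERVER_NAME_KEYS)
    inner = dot1x.get("phase2-auth", "").strip().lower()

    findings = []
    if not has_ca:
        # Equivalent of ticking "No CA certificate" in the connection dialog
        findings.append("server-certificate-not-validated")
    elif not names_server:
        # A CA is trusted, but any server certificate it issued would be accepted
        findings.append("any-certificate-from-trusted-ca-accepted")
    if methods & {"peap", "ttls"} and inner in PASSWORD_INNER and not has_ca:
        findings.append("credentials-offered-to-unverified-server")
    if dot1x.get("password", "") and dot1x.get("password-flags", "0").strip() == "0":
        # password-flags=0 means the secret is stored in the profile file itself
        findings.append("password-stored-in-profile")
    return findings


if __name__ == "__main__":
    print("lab profile:       ", audit_8021x(LAB_PROFILE))
    print("validating profile:", audit_8021x(VALIDATING_PROFILE))
```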

4.2. Verifying the connection


From the Stellar Wireless Client, check that the connection has been successfully established:
- The IP Address of the Wi-Fi network card should be in the 10.7.X.32/27 range
- Ping the DHCP Server (10.130.5.7) and the OmniVista 2500 (10.130.5.5X)

Open a terminal with the icon (top left corner).


Enter the commands:

5 Monitoring the Connections

Display the EmployeesX authentication record

5.1. UPAM Monitoring


The UPAM platform (Unified Policy Authentication Manager) is embedded in the OmniVista 2500 NMS. This
module is used to implement authentication (MAC authentication, 802.1x, Captive Portal…)

The Authentication Record Screen displays authentication information for all devices authenticated
through UPAM:

> Select UPAM > AUTHENTICATION > Authentication Record

In the Authentication Record List information, find the Stellar Access Point where your
Client Virtual machine (StellarClientX) is connected.

Notes > Client associated to a Stellar Access Point


The information asked in the question above can also be found in the WLAN > CLIENT > Client List
menu. Go check it out!

Tips > Employee Account Creation


Do you remember the Employee account that you have created? You have done it via a shortcut, during the
SSID creation process. This shortcut leads to the … UPAM > Authentication > Employee Account menu! Go and
have a look at this menu. You will find the Employee account that you have created previously. From there,
you can easily create a new Employee account.

Another interesting feature that the OmniVista 2500 NMS offers is the ability to locate the AP, Switch
and/or slot/port that is directly connected to a user-specified station: it is the Locator application.

5.2. WLAN Menu

5.2.1. Wireless Client List


The Wireless Client List Screen displays real time information for wireless clients associated with APs. By
default, the Distribution of Clients per AP chart at the top of the screen provides a graphical overview of
the number of clients associated with each AP:

> Select WLAN > Client > Client List

From the Client List page, find on which Stellar Access Point the account Employee is
connected

5.2.2. Client Session


The Wireless Client Session Screen displays information about current wireless clients associated with APs.
By default, all wireless client sessions are displayed in the list.

> Select WLAN > Client > Client Session



6 Debriefing
During this lab, you have learned how to create a secured Employee SSID, and an Employee account. You
have also used the OmniVista 2500 features to get more information about the accounts that are connected to
the Employee SSID.


7 Troubleshooting
In this part, we will cover the process to follow if there is an issue regarding the connection to an Employee
SSID (802.1x). We will use the exact same infrastructure as in the lab:
[Figure: lab infrastructure diagram]

Notes > Before Beginning


Before beginning this part, we assume that all the steps available in this lab have been followed correctly and
checked: SSID creation, employee account creation…

7.1. Troubleshooting the Stellar AP


The Stellar console access is deactivated in Enterprise mode for the application Configuration > CLI
Scripting > Terminal.
To activate the SSH console connection on OV2500, go to Network > AP Registration > AP Group, edit the
AP Group and change the support and root passwords.

Use the APs' console connections on the desktop and do not change the passwords in the AP Group.

7.1.1. Checking the wireless configuration


support@AP-0E:E0:~$ iwconfig
[…]
ath01 IEEE 802.11ng ESSID:"Employees0"
Mode:Master Frequency:2.437 GHz Access Point: DC:08:56:00:0E:E1
Bit Rate:192 Mb/s Tx-Power=17 dBm
RTS thr:off Fragment thr:off
Power Management:off
Link Quality=94/94 Signal level=-43 dBm Noise level=-95 dBm
Rx invalid nwid:68 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

eth1 no wireless extensions.

ath11 IEEE 802.11ac ESSID:"Employees0"
Mode:Master Frequency:5.22 GHz Access Point: DC:08:56:00:0E:E9
Bit Rate:800 Mb/s Tx-Power=19 dBm
RTS thr:off Fragment thr:off
Power Management:off
Link Quality=47/94 Signal level=-77 dBm Noise level=-95 dBm
Rx invalid nwid:101 Rx invalid crypt:8 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
[…]

7.1.2. Checking the Wi-Fi Channel


To check which channel is used (ex. ath01 interface):

support@AP-0E:E0:~$ iwlist ath01 channel


ath01 57 channels in total; available frequencies:
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.437 GHz (Channel 6)

7.1.3. Checking the interface transmission power


support@AP-0E:E0:~$ iwlist ath01 txpower
ath01 8 available transmit-powers :
0 dBm (1 mW)
5 dBm (3 mW)
7 dBm (5 mW)
9 dBm (7 mW)
11 dBm (12 mW)
13 dBm (19 mW)
15 dBm (31 mW)
17 dBm (50 mW)
Current Tx-Power=17 dBm (50 mW)

7.1.4. Checking the interface bitrate


support@AP-0E:E0:~$ iwlist ath01 bitrate
ath01 12 available bit-rates :
1 Gb/s
2 Gb/s
5.5 Gb/s
11 Gb/s
6 Gb/s
9 Gb/s
12 Gb/s
18 Gb/s
24 Gb/s
36 Gb/s
48 Gb/s
54 Gb/s
Current Bit Rate:192 Mb/s

7.2. Client Information

7.2.1. Listing the client(s) associated with the AP


It is possible to list:
- All the clients associated with the AP:
support@AP-0E:E0:~$ ssudo sta_list
SSID:Employees0
STA_MAC            IPv4       IPv6  OnlineTime  RX     TX
d4:6e:0e:18:60:38  10.7.0.37        89          14869  66489
FREQ    AUTH    Final_role    VLANID  TUNNELID  FARENDIP
2.4GHz  802.1X  __Employees0  20      0

- All the clients associated with a specific interface (ex. ath01 corresponding to the SSID Employees0 in
2.4 GHz):
support@AP-0E:E0:~$ wlanconfig ath01 list
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS XCAPS
d4:6e:0e:18:60:38 1 6 72M 72M 63 62 67 0 0 65535 EPSs cORI

ACAPS ERP STATE MAXRATE(DOT11) HTCAPS VHTCAPS ASSOCTIME IEs MODE PSMODE
0 f 0 P 0gR 00:03:20 RSN WME IEEE80211_MODE_11NG_HT20

RXNSS TXNSS
0 1 1

Minimum Tx Power : 5
Maximum Tx Power : 18
HT Capability : Yes
VHT Capability : No
MU capable : No
SNR : 63
Operating band : 2.4 GHz
Current Operating class : 0
Supported Rates : 2 4 11 12 18 22 24 36 48 72 96 108

- The parameters sent from the AP to the Wi-Fi Client(s):


support@AP-83:60:~$ ssudo wam_debug sta_list
{
  "status": "Success!!!",
  "wlanServiceData": [
    {
      "iface": "ath01",
      "ssid": "Employees0",                  <- SSID Name
      "freq": "2.4GHz",                      <- Frequency
      "security": "Enterprise(WPA3_AES)",    <- Security
      "wlanService": "Employees0",           <- Assoc. WLAN Service
      "staData": [
        {
          "staMAC": "d4:6e:0e:18:60:38",     <- Wi-Fi Client MAC@
          "staIP": "10.7.0.37",              <- Wi-Fi Client IP@
          "staGlobalIPv6": "::",
          "staLocalIPv6": "::",
          "associationTime": 473,            <- Assoc. Time (seconds)
          "mappingType": 0,
          "assignedVLAN": 20,                <- Wi-Fi Client Assigned VLAN
          "assignedAR": "__Employees0",      <- Wi-Fi Client Assigned ARP
          "assignedPL": "",
          "macAuthResult": "",
          "ARFromMACAuth": "",
          "PLFromMACAuth": "",
          "redirectURLFromMACAuth": "",
          "ARFrom8021xAuth": "",
          "PLFrom8021xAuth": "",
          "redirectURLFrom8021xAuth": "",
          "CPAuthResult": "FAILED",
          "ARFromCPAuth": "",
          "PLFromCPAuth": "",
          "ARFromRoaming": "",
          "PLFromRoaming": "",
          "redirectURLFromRoaming": "",
          "classificationMatched": "none"
        }
[…]
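
A way to read this output across many clients, as an added example that is not part of the original lab: the Python script below checks every station in the wam_debug sta_list JSON against the VLAN and Access Role Profile expected for its SSID. The sample JSON is constructed from the field names shown above; the two extra clients, the 30-second DHCP grace period and the treatment of 0.0.0.0 as "no address" are assumptions.

```python
import json

# Constructed sample in the shape of the "ssudo wam_debug sta_list" output.
# Field names come from the lab output; the 02:00:... clients are invented.
SAMPLE = """
{
  "status": "Success!!!",
  "wlanServiceData": [
    {
      "iface": "ath01",
      "ssid": "Employees0",
      "freq": "2.4GHz",
      "security": "Enterprise(WPA3_AES)",
      "wlanService": "Employees0",
      "staData": [
        {"staMAC": "d4:6e:0e:18:60:38", "staIP": "10.7.0.37",
         "associationTime": 473, "assignedVLAN": 20,
         "assignedAR": "__Employees0"},
        {"staMAC": "02:00:00:00:00:01", "staIP": "10.7.0.70",
         "associationTime": 12, "assignedVLAN": 30,
         "assignedAR": "__Employees0"},
        {"staMAC": "02:00:00:00:00:02", "staIP": "0.0.0.0",
         "associationTime": 95, "assignedVLAN": 20,
         "assignedAR": ""}
      ]
    }
  ]
}
"""

# Expected placement per SSID, using the lab values (VLAN 20, role __Employees0).
EXPECTED = {
    "Employees0": {"vlan": 20, "role": "__Employees0", "security": "Enterprise"},
}

NO_IP = {"", "0.0.0.0"}      # assumption: how a client without a lease appears
DHCP_GRACE_SECONDS = 30      # assumption: time allowed to obtain an address


def audit_sta_list(raw, expected=EXPECTED):
    """Return a list of (ssid, mac, issue) tuples; an empty list means no mismatch."""
    data = json.loads(raw)
    if not str(data.get("status", "")).startswith("Success"):
        return [("-", "-", "command status: %r" % data.get("status"))]
    findings = []
    for svc in data.get("wlanServiceData", []):
        ssid = svc.get("ssid", "?")
        want = expected.get(ssid)
        if want is None:
            # An SSID broadcast by the AP that nobody declared as expected.
            findings.append((ssid, "-", "SSID not in expected list"))
            continue
        if not svc.get("security", "").startswith(want["security"]):
            findings.append((ssid, "-", "security is %s" % svc.get("security")))
        for sta in svc.get("staData", []):
            mac = sta.get("staMAC", "?").lower()
            vlan = sta.get("assignedVLAN")
            role = sta.get("assignedAR")
            if vlan != want["vlan"]:
                findings.append((ssid, mac, "VLAN %s, expected %s" % (vlan, want["vlan"])))
            if role != want["role"]:
                findings.append((ssid, mac, "role %r, expected %r" % (role, want["role"])))
            no_ip = sta.get("staIP", "") in NO_IP
            if no_ip and sta.get("associationTime", 0) > DHCP_GRACE_SECONDS:
                findings.append(
                    (ssid, mac, "no IPv4 address after %ss" % sta.get("associationTime")))
    return findings


if __name__ == "__main__":
    for ssid, mac, issue in audit_sta_list(SAMPLE):
        print("%-12s %-18s %s" % (ssid, mac, issue))
```

A client in the wrong VLAN or with an empty role points at the Access Role Profile mapping or the Authentication Strategy, while a client with no address after the grace period points at the tagged VLAN path or DHCP.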

7.2.2. Checking the access logs of a specific client


Find the MAC address of the client (ex. d4:6e:0e:18:60:38), then:

support@AP-0E:E0:~$ cat /proc/kes_syslog | grep "d4:6e:0e:18:60:38"

7.2.3. Checking the 802.1x Authentication

Notes > Before Beginning


Before beginning this part, we assume that all the settings on the Client side (802.1x enabled, credentials
correct…) and OmniVista 2500 side (account created, UPAM settings checked…) have been verified (if not sure,
go back to the client settings instructions available in this lab).

- Check that the Radius configuration and AAA server profile have been correctly retrieved by the Stellar
AP:
support@AP-83:60:~$ cat /var/config/wlanservice.conf
{
"WLANService":[
{
"wlanDeviceConfigType":"SSIDs",
"upstreamBurst":0,
"maxClientsPerBand":64,
"downstreamBandwidth":0,
"multicastOptimization":"enable",
"macAuthPassProfileName":"",
"wepKeyIndex":null,
"broadcastKeyRotation":"disable",
"dscpMappingEnable":"enable",
"clientsNumber":6,
"minBasicDataRate5G":6000,
"dot1pUplinkBestEffort":0,
"bypassStatus":"disable",
"dot1pDownlinkVideo":[
4,
5
],
"minSupportedDataRate24GStatus":"disable",
"downstreamBurst":0,
"a_msdu":"enable",
"e0211gClientSupport":"enable",
"broadcastFilterAll":"disable",
"defaultARPName":"__Employees0",
"dot1pDownlinkBackground":[
1,
2
],
"essid":"Employees0",

[…]

"operationName":null,
"broadcastFilterARP":"disable",
"trustOriginalDSCP":"disable",
"dscpUplinkBackground":8,
"aaaProfile":"Employees0",
"dscpDownlinkBackground":[
8,
16

support@AP-83:60:~$ cat /var/config/AAA_profile.conf


{
"AAAProfile": [

[...]

"e02d1xAuthServer":{
"secondaryServer":null,
"primaryServer":"UPAMRadiusServer",
"thirdServer":null,
"fourthServer":null

support@AP-83:60:~$ cat /var/config/AAA_server.conf


{
"UnifiedAAAServer":[
{
"accountingPort":1813,
"hostName":null,
"retries":2,
"ipAddress":"10.130.5.50",
"name":"UPAMRadiusServer",
"secret":"a006a626d46117ba078e0ca9ffd5b859",
"type":"Radius",
"timeout":5,
"authenticationPort":1812,
"deviceId":{
"inc":-1501300046,
"timeSecond":1571817254,
"machine":-458191393,
"new":false,
"time":1571817254000,
"timestamp":1571817254,
"date":1571817254000
[…]

Notes > Still a Problem?


If the radius authentication still fails:
- Capture and analyze the data by using the following command: tcpdump -i br-wan -s 0 host radiusIP
- Check the Radius server configuration
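
What to look for in that capture, as an added example that is not part of the original lab: the Python code below parses RADIUS payloads (RFC 2865 header and attributes) and pairs each Access-Request with its reply by identifier. The packets are constructed samples with an all-zero authenticator, 192.0.2.10 is a made-up AP address, and feeding it UDP payloads already extracted from the capture is an assumption.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, REPLY_MESSAGE = 1, 18      # RFC 2865 attribute types


def parse_radius(payload):
    """Parse one RADIUS UDP payload into {'code', 'id', 'attrs'}."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad Length field %d" % length)
    attrs, pos = [], 20               # bytes 4..19 are the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, payload[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}


def build(code, ident, attrs=()):
    """Build a constructed sample packet (authenticator is zeros, not valid)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def first_text(pkt, attr_type, default=""):
    """Return the first attribute of the given type, decoded as text."""
    for t, v in pkt["attrs"]:
        if t == attr_type:
            return v.decode("utf-8", "replace")
    return default


def triage(capture, server_ip):
    """Return (nas_ip, id, user, times_sent, result) for every request seen."""
    rows, open_tx = [], {}
    for src, dst, payload in capture:
        try:
            pkt = parse_radius(payload)
        except ValueError:
            continue                  # not a well-formed RADIUS packet
        if pkt["code"] == 1 and dst == server_ip:
            key = (src, pkt["id"])
            row = open_tx.get(key)
            if row is None:           # new transaction, not a retransmission
                row = {"nas": src, "id": pkt["id"], "sent": 0,
                       "user": first_text(pkt, USER_NAME, "?"),
                       "result": "no response"}
                rows.append(row)
                open_tx[key] = row
            row["sent"] += 1
        elif src == server_ip:
            # A reply closes the transaction, so a reused id starts a new row.
            row = open_tx.pop((dst, pkt["id"]), None)
            if row is not None:
                name = CODES.get(pkt["code"], "code %d" % pkt["code"])
                msg = first_text(pkt, REPLY_MESSAGE)
                row["result"] = name + (": " + msg if msg else "")
    return [(r["nas"], r["id"], r["user"], r["sent"], r["result"]) for r in rows]


# Constructed capture: (source IP, destination IP, UDP payload).
AP, SRV = "192.0.2.10", "10.130.5.50"
CAPTURE = [
    (AP, SRV, build(1, 7, [(USER_NAME, b"Employee")])),
    (SRV, AP, build(11, 7)),                                   # EAP round continues
    (AP, SRV, build(1, 8, [(USER_NAME, b"Employee")])),
    (SRV, AP, build(3, 8, [(REPLY_MESSAGE, b"bad credentials")])),
    (AP, SRV, build(1, 9, [(USER_NAME, b"Employee")])),        # never answered
    (AP, SRV, build(1, 9, [(USER_NAME, b"Employee")])),        # retransmission
]

if __name__ == "__main__":
    for row in triage(CAPTURE, SRV):
        print(row)
```

An Access-Reject shows that the AP reaches the server and that the request was accepted for processing, so the account and policy are the next things to check. Repeated requests with no response usually point at reachability, the NAS client entry or the shared secret, because a server silently discards a request whose Message-Authenticator does not verify.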

-ANNEXES-

8 Annex: WLAN Service (Expert)


- The deployment of an SSID consists of several steps:
- Creation of a "WLAN Service" profile (SSID)
- Creation of an "AAA Server Profile" (if it does not exist)
- Creation of an "Access Role Profile" (if it does not exist)
- Creation of an Access Policy (if it does not exist)
- Definition of an Authentication Strategy (if it does not exist)
- Creation of a Radius local employee account (if it does not exist)
- Deployment of the profiles (templates) to AP-Group(s)

8.1.1. Creation of a WLAN Service profile (SSID)

OV2500 -> WLAN -> WLAN Service -> + (Create icon)

- Enter a Service Name and configure the profile as described below:


ESSID - EmployeeX
Hide SSID - Disable
Enable SSID - Enable
Allowed Band - 2.4GHz and 5GHz
Security Level - Enterprise
Encryption type - WPA2_AES
AAA Profile - AAA-Server-PODX
Default Access Role Profile - Access-role-employeeX

Notes: AAA server and Access role profiles can be created before setting up WLAN services, but for
this exercise you will create specific profiles through the WLAN Service configuration screen.

8.1.2. AAA Server Profile

Tips: UPAM supports both captive portal and RADIUS server and can be used to implement multiple
authentication methods: MAC, 802.1X and captive portal authentication. User Profiles can be
supported in the OmniVista database or on external servers.

AAA Server Profile


- In the Security section, click on the “AAA Profile” field, select “+ Add New” and create the following
AAA Server Profile “AAA-Server-PODX”:

Authentication Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer

Accounting Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer

Click on the Create icon.


You are then sent back to the WLAN Service page. In the Security section, select “AAA-Server-PODX” as the AAA
Profile.

Notes: In UPAM, there is a system-defined NAS Client Item (All Managed Devices). It cannot be
deleted and is used to indicate that all the devices managed by OmniVista are automatically added
into the NAS Client Database of UPAM and perform the AAA process.
The shared secret in the system-defined “All Managed Devices” NAS profile is “123456”.

8.1.3. Access Role Profile

Access Role Profile


Notes: In this exercise you will create a specific access role “Access-role-employeeX” profile even
if the use of the “defaultWLANprofile” should be enough for the test.

- In the Security section, click on the “Default Access Role Profile” field, select “+ Add New” and create
the Access Role Profile Access-role-employeeX.
- Keep the default values for all parameters.
- Click on the Create icon.

- Back to the WLAN Service page, in the Security section, select “Access-role-employeeX” as the Default
Access Role Profile.
- Click on the Create icon.

8.1.4. Apply the Access Role Profile to the Stellar APs

- Go to the submenu Access Role Profile on the left Panel.


- Select the checkbox next to the Access role profile “Access-role-employeeX” and click on the Apply to
Devices button to assign this profile to your APs.

- Do not change the Mapping method and enter the Vlan number “20” which is the EmployeeX VLAN.

- Click on Group “Add”.


- Select the AP Group APGX from the list on the left, add it to the section on the right and click on OK.

- Click on Apply.

- Check for success message.

- This is how the AP will map the Employee VLAN (20) to the EmployeeX SSID.

When the SSID uses Enterprise authentication, assign an AAA Server Profile and then create an Authentication
Strategy and Access Policy.
At this step, the AAA Server Profile is already assigned to the SSID. The Authentication Strategy and Access Policy
must be created.

8.1.5. Authentication Strategy

Notes: Authentication Strategy is used to set up a user profile source and login method (web page
or not) for authentication, as well as the network attributes applied after a successful
authentication.

OV2500 -> UPAM -> Authentication -> Authentication Strategy -> + (Create icon)

- Name the Strategy “User-PODX”, select the Authentication source as “local database”,
“Access-role-employeeX” as the default Access role profile and keep Web Authentication to none:

8.1.6. Access Policy configuration

Notes: Authentication Access Policies are used to define the mapping conditions for an
authentication strategy. Through Access Policy configuration, authentication strategy can be
applied to different user groups, which can be divided by SSID or other attributes.

OV2500 -> UPAM -> Authentication -> Access Policy -> + (Create icon)

- Create the access policy “User-PODX”, which applies the previous strategy to employees
authenticating on the SSID “EmployeeX”. The employeeX profile will use 802.1X with the UPAM
internal RADIUS server.

- In the Mapping Condition, select the SSID attribute and EmployeeX. Click on the + button.
- Keep “User-PODX” as the Authentication Strategy and click on Create.
Stellar OmniAccess WLAN
Microsoft Active Directory Authentication

Objective
✓ Learn how to configure Microsoft Active Directory Authentication

Contents
1 Briefing
2 Declaring the Active Directory Server
3 Modifying the Authentication Strategy
4 Testing the AD Authentication
4.1. Verifying the connection
5 Monitoring the Connections
5.1. UPAM Monitoring
6 Debriefing


1 Briefing
In the previous lab, we have learned how to create an Employee SSID, with the UPAM Server (embedded in
the OmniVista 2500) in charge of authenticating the clients.
In this lab, we will learn how to declare the Active Directory in the OmniVista 2500, and we will use it during
the authentication of clients on the SSID Employee.

[Figures: current topology and end-of-lab topology]

During this lab, we will:


- Reuse the Employee SSID
- Use an Active Directory already installed and configured to test this feature.

2 Declaring the Active Directory Server


First, let’s declare the Microsoft Active Directory Server in the OmniVista 2500:

Modify the Employee SSID’s authentication strategy to use the Active Directory as Authentication Server.

> Select UPAM > SETTINGS > LDAP/AD Configuration


> LDAP/AD Server: Enable
> Server Type: AD
> TLS/LDAPS: NS
> NETBIOS Domain Name: COMPANY
> DNS Domain Name: company.com
> FQDN/IP address of Domain Controller: 10.130.5.130
> Username: ov2500
> Password: Alcatel.0
> AD Port: 389

> Click on Test Connection to test the connection to the AD


> If OK (result on top of the screen), click on Apply

3 Modifying the Authentication Strategy


Now that the Active Directory server has been declared, go back to the Employee SSID settings and modify the
Authentication Strategy.

Modify the Employee SSID’s authentication strategy to use the Active Directory as Authentication Server.

> Select WLAN > SSIDs > SSIDs


> In the EmployeesX SSID column, click on the link Authentication Strategy Name: EmployeeX
> Click on Edit
> Select External LDAP/AD
> Click on Apply
> Click on Close

4 Testing the AD Authentication


To test that the Active Directory authentication is working correctly, let’s try to connect to the EmployeesX
SSID.
First, remove the SSID EmployeesX from the known networks:

On the desktop, double-click on the shortcut “Clean Wireless Networks”.

Select Execute in the new window.

This will delete all the known wireless networks on this client.

Then, log in with the account Employee, already created in the Active Directory database.

Left-click on the icon (top right).

Select the SSID EmployeesX (X = R-Lab Number). Check under “More Networks” if it is not displayed.

Configure the SSID parameters with:

Authentication: ProtectedEAP
Check No CA certificate
PEAP version: Automatic
Inner Auth: MSCHAPv2

Enter the credentials:

Username: Employee
Password: Alcatel.0

Click on Connect

A notification informs you that the client is connected to the SSID.

4.1. Verifying the connection


From the Stellar Client virtual machine, check that the connection has been successfully established:
- The IP Address of the Wi-Fi network card should be in the 10.7.X.32/27 range
- Ping the DHCP Server (10.130.5.7) and the OmniVista 2500 (10.130.5.5X)

Open a terminal with the icon (top left corner).


Enter the commands:

5 Monitoring the Connections

Display the Employee authentication record

5.1. UPAM Monitoring


The UPAM Authentication Record Screen displays authentication information for all devices authenticated
through UPAM:

> Select UPAM > AUTHENTICATION > Authentication Record

6 Debriefing
In this lab, we have learned how to declare the Active Directory in the OmniVista 2500. Then, we have
modified the Employee SSID settings in order to use the Active Directory to authenticate the clients which
connect to this SSID.
OMNIACCESS STELLAR WLAN
UNIFIED POLICY AUTHENTICATION MANAGEMENT (UPAM) - GUEST ACCESS

LESSON SUMMARY
Upon completion of this module,
you will be able to:

• Understand the UPAM application
• Configure a UPAM Guest access and the Guest operator
OVERVIEW
UNIFIED POLICY AUTHENTICATION MANAGER - UPAM

• UPAM applications
• Guest Access – Guest License required
• BYOD Access – BYOD License required

• UPAM consists of
• Guest Access
• BYOD Access
• A built-in RADIUS Server
• A built-in MAC Authentication Server
UPAM – GUEST AND BYOD ACCESS

BYOD
• Employee users access the corporate network with their personal devices
• Authentication via a « BYOD » Captive Portal
• Captive Portal and employee users managed in UPAM BYOD

GUEST ACCESS
• Guest users are granted limited access to the corporate network
• Authentication via « Guest » Captive Portal
• Captive Portal and guest users managed in UPAM Guest
UPAM - SERVICES

• Authentication Server
• Internal RADIUS server used to authenticate both Guest and BYOD users
• E-mail server configuration
• Guest sponsor approval
• External Log Server
• UPAM logs can be redirected to an external syslog server
• Guest Access Management
• Dedicated Captive Portal and database
• Guest Access License : per device license model (not per account)
• BYOD Access Management
• Dedicated Captive Portal and database
• BYOD Access License : per device license model (not per account)
UPAM – AUTHENTICATION STRATEGY

• Guests and Employees are authenticated by:


• Internal RADIUS Server (with Local Database)
• External LDAP/AD and RADIUS servers
• LDAP Role Mapping: Option to assign Access Role Profile & Policy List based on AD attributes
• In Authentication Strategy, specify the authentication server that will be used
UPAM – AUTHENTICATION STRATEGY

• Advanced Options
• Network Enforcement
• Default Role of the user if the Authentication server
doesn’t return a role
• Other attributes
• Session timeout, Accounting Interim Interval,
Upstream/Downstream bandwidth

• Web Redirection
• Web Authentication – which Captive Portal template is returned
• Guest Access Strategy
• How the guest is managed (login strategy, self-registration,…)
• Location Policy
GUEST ACCESS STRATEGY
UPAM – GUEST ACCESS STRATEGY

• Guest Access Strategy defines:


• Login Strategy
• How the Guest is authenticated:
credentials, access code, Terms & conditions.

• Post Portal Enforcement


• Provide a new Role to the guest after
the portal authentication.

• Self-registration strategy
• The sponsor can create its own username & password
• An Employee can validate the guest account
creation


UPAM GUEST - SSID CREATION
UPAM – GUEST ACCESS SSID

• How it works
  • Create a Guest SSID with the usage « Guest Network »
  • Activate the Captive portal option
  • Select the RADIUS server in the Authentication Strategy
  • Create a Guest account if the UPAM internal RADIUS server is used
  • In the Guest Access Strategy, define the login method (username and password) and Post
    portal enforcement to restrict Guest traffic
  • Assign a VLAN to the Guest SSID

• Workflow
  • Guest SSID: Usage « Guest Network »
  • Authentication Strategy: Web redirection « Guest » CP
  • Guest Access Strategy: Login Method, Post Portal enforcement, self-registration
  • Optional: Guest account creation in the local DB
GUEST TUNNELING
GUEST TUNNELING

• Overlay Guest network while preserving Enterprise security
• Control what traffic needs to be tunneled
• Tunnel per Access Role Profile from Access Point to a switch/router/controller.
• L2 GRE tunnel over L2/L3 networks
• OmniSwitch simplifies deployment with automatic tunnel creation to AP IP
• Supported switches: OS6860, OS6900.
• Supported controllers: OmniAccess WLAN, HPE.
• Supported routers: Nokia 7750

[Figure: two APs serving Guest 1 and Guest 2]
CONFIGURATION
UPAM - GUEST



UPAM - GUEST OPERATOR



UPAM - GUEST SELF REGISTRATION



UPAM - GUEST SPONSOR APPROVAL



UPAM - CAPTIVE PORTAL CUSTOMIZATION



AD ROLE MAPPING PROCEDURE
UPAM – ACTIVE DIRECTORY (AD/LDAP) AUTHENTICATION
WITH ROLE MAPPING
• Setup Process
• Create an AD/LDAP server and test connection.
• Create an Authentication Strategy with External LDAP/AD as the source.
• Set up AD attribute / value based policies for granular control of role-based access.
OMNIACCESS STELLAR
WIRELESS LAN
USER ROLE AND BANDWIDTH CONTROL

LESSON SUMMARY
Upon completion of this module,
you will be able to:

• User Role and Bandwidth Control
- Understand a user role
- Configure the bandwidth contracts and understand the precedence system
- Configure the Web Content Filtering
USER ROLE
USER ROLE - OVERVIEW
• User Role = Policy List
  • List of Policy Rules (QoS, ACLs)
  • Action can be
    • Accept/drop
    • Bandwidth control
    • Priority, 802.1p, DSCP marking
• Application Policy Rules (DPI)
  • In Application Visibility, application/application group Policy Rules can be set in a Policy List
  • Enforcement is bidirectional
• Policy List Assignment
  • From RADIUS
  • From Access Role Profile (Default Policy List)
• Built-in roles
  • Redirection (UPAM)
  • Unauthorized (Time and Location based policy)

[Figure: Access Role Profile with the Policy List "Policy-Guest"]
• Rule: "http-traffic" ✓ Action: Accept
• Rule: "Network-traffic" ✓ Action: Deny
• Rule: "Guest-speed" ✓ Action: 1Mb/s
• Rule: "Guest-priority" ✓ Action: 802.1p=3
USER ROLE - CONSIDERATIONS

• Policy List configuration


• From the application Unified Access – Unified Policy
• From the SSID wizard – in Default WLAN Support “ACL/QoS”

• AP support
• Full Application Visibility signature kit (~2000 applications)
• Creation of Policy List, based on the L7 Application (Google, Facebook, …)

• The Application Visibility feature is supported on:


• OS6860N & OS6860E switches
• All Stellar AP models (except AP1101 and AP1201H)
BANDWIDTH CONTROL
USER ROLE – BANDWIDTH CONTROL

• Bandwidth contract at SSID level
  • Configured in “Advanced WLAN Service Configuration”
  • Bandwidth shared by all users, per radio

• Bandwidth contract at Access Role Profile level
  • Configured in “Advanced Access Role Configuration”
  • Bandwidth assigned per user of the profile – Not shared

• Bandwidth contract at Role level
  • A Policy List (ACL/QoS) can restrict the Bandwidth as an action
  • Bandwidth limited by the ACL/QoS Rule
USER ROLE – USER BANDWIDTH CONTROL PRECEDENCE
User Context
• Role / Policy List
• Access Role Profile
• SSID

[Figure: precedence flowchart applied to user traffic]
1. Matches a DPI application in the Policy List? Y: application-specific BW enforcement as per DPI Rule. N: go to step 2.
2. Matches an ACL in the Policy List? Y: ACL-specific BW enforcement as per Policy List. N (other user traffic): go to step 3.
3. Access Role set with BW Control? Y: user BW enforcement as per Access Role Profile. N (other user traffic): go to step 4.
4. SSID set with BW Control? Y: shared BW enforced as per WLAN Service/SSID (all user traffic). N: no BW limitation.

• User Role / Policy List: per user & application BW control
• Access Role Profile: per user BW control
• WLAN Service / SSID: all users shared BW
WEB CONTENT FILTERING - WCF
WEB CONTENT FILTERING - WCF
[Figure: Web Content Filtering flow between the client, the Stellar AP, OmniVista and the BrightCloud SDK, for the FQDN www.facebook.com]
1 Stellar AP DNS Snooping (client DNS request; client assigned to Access Role Profile « Guest »)
2 Get Allow/Block status (FQDN filtered?)
3 Categorization of FQDN (FQDN category? « Social Network »)
4 Get status based on ARP/Category
5 Send Allow/Block status to Stellar AP (send action to AP)
6 ACL allow/block IP destination (create Block ACL rule to IP of the FQDN)

Web Content Filtering actions per ARP:
• ARP Guest: Social Network Reject, P2P Reject
• ARP Employee: Social Network Accept, P2P Reject
WEB CONTENT FILTERING - CONFIGURATION
• Configure DNS
  • No DNS -> WCF not in Service
  • In the OmniVista CLI, configure DNS
  • DNS -> WCF in Service

• Activate WCF
  • Per AP Group
    • All Stellar APs from the AP Group have WCF activated
    ❑ Edit the AP Group
  • Or per Access Point
    ❑ Select the Stellar AP, Edit > Web Content Filtering

Not supported:
• AP1101
• AP1201H
WEB CONTENT FILTERING - CONFIGURATION

• WCF Profile creation
  • UPAM > Web Content Filtering
  • Multiple categories
  • Action: Accept or Reject

• Assign WCF profile to Access Role Profile
  • Unified Access > Unified Profile > Template > Access Role Profile
  • Edit the Access Role Profile
    • Of the SSID
    • Or Enforced Post-authentication
  • Apply the Access Role Profile to the AP Group
  • One WCF profile per Access Role Profile
OmniAccess Stellar WLAN
Creation of a Guest SSID

Objective
✓ Learn how to create a Guests SSID

Contents
1 Briefing
2 Creating the Guest VLAN
2.1. Creating the Service VLAN
2.2. Guest IP Interface
3 Creating the Guests SSID
3.1. Creating the GuestsX SSID
3.2. Creating a Guest Account
3.3. Back to… Creating the GuestsX SSID
3.4. Assigning the SSID to the AP Group
4 Testing the Guests SSID
4.1. Connecting to the “WifiClient” Raspberry Pi
4.2. Setting Up the Wifi Client to Connect to the GuestXs SSID
4.3. Verifying the connection
5 Monitoring the Connections
5.1. Monitoring the UPAM
5.1.1. Viewing the Authentication Record
5.1.2. Checking the Captive Portal Access Record
5.2. WLAN Menu
5.2.1. Wireless Client List
5.2.2. Client Session
6 Kicking/Banning a Device
6.1. Kicking out a Device
6.2. Banning/Blacklisting a Device
7 Debriefing
8 Troubleshooting
8.1. Troubleshooting the OmniVista 2500
8.1.1. Checking the date and time
8.2. Troubleshooting the Stellar AP
8.2.1. Checking the date and time
8.2.2. Checking the DNS configuration
8.2.3. Checking the wireless configuration
8.2.4. Checking the Wi-Fi Channel
8.2.5. Checking the interface transmission power
8.2.6. Checking the interface bitrate
8.3. Client Information
8.3.1. Listing the client(s) associated with the AP
8.3.2. Checking the access logs of a specific client
8.4. Checking the Captive Portal settings
8.4.1. Checking the Captive Portal process
8.4.2. Listing the clients authenticated via the Captive Portal
8.4.3. Checking the Captive Portal logs
9 Annex: Restricting the Services
9.1. Creating Policies
9.1.1. Service Group
9.1.2. Create & Select the Services
9.1.3. Back to… Service Group
9.2. Back to… Create a new Policy
9.3. Creating a Policy List
9.4. Pushing the Policy List & Policies on the Network Devices
9.5. Applying the Policy List to a User
9.6. Testing the Configuration

1 Briefing
In the previous lab, we have learned how to create a secured Employee SSID, dedicated to the company’s
employees. Now, let’s see how to create a Guests SSID, dedicated to the guests.

[Figures: current topology and end-of-lab topology]

Creating an SSID can be decomposed into several steps, in the same way as in the previous lab “Creation of a Secured
Employee SSID”:
1. Create the VLAN 30. This VLAN will service the SSID “GuestsX” (X = R-Lab Number). It will be tagged
from the Access Points to the access OmniSwitches (OS2360 and OS6360), and over the link towards
the core OmniSwitch (OS6860).
2. Create the SSID and configure its options.

2 Creating the Guest VLAN


Before creating the Guests SSID, let’s create the VLAN that will be associated to this SSID GuestsX (X = R-Lab
number) and that will carry the guests’ traffic.

2.1. Creating the Service VLAN

Create the VLAN 30 on the OmniSwitches OS6860, OS6360 and OS2360.

To create the VLAN 30 on the OmniSwitches, we will use the OmniVista 2500 VLAN Manager feature:

> Select CONFIGURATION > VLANS > VLAN


> Click on Create VLAN by Devices button

1. Devices Selection
> VLAN Overwrite: ENABLED
> VLAN IDs: 30
> VLAN(s) Description: GUESTS
> Click on the Add/Remove Devices
> Click Add All
> Click on OK
> Click on Next

2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next

3. Default Port Assignment


> Skip this step (click Next)

4. Q-Tagged Port Assignment


> For the OmniSwitch OS6860, click on Add Port
> Select the ports 1/1/3 & 1/1/8
> Click on OK
> For the OmniSwitch OS6360, click on Add Port
> Select the ports 1/1/3 & 1/1/6
> Click on OK

> For the OmniSwitch OS2360, click on Add Port


> Select the ports 1/1/8 & 1/1/6
> Click on OK
> Click on Next

5. Review
> Review the information
> Click on Create

Tips
The VLANs can also be created on the OmniSwitches via the command line (CLI). The VLAN Manager feature
is nevertheless very useful when the infrastructure is composed of several OmniSwitches and the same VLANs
must be created on some or all of them.

2.2. Guest IP Interface


The core OmniSwitch 6860 is pre-configured with an IP interface 10.7.X.94/27 for the VLAN Guest.
This IP interface is required to forward the DHCP requests from the clients to the DHCP server.

The IP interface “int_guest” is pre-configured on the OmniSwitch 6860.

3 Creating the Guests SSID


Now that we have the Guest VLAN and associated IP interface managed, let’s create the GuestsX SSID:

3.1. Creating the GuestsX SSID

Create the SSID GuestsX (X = R-Lab Number)

> Select WLAN > SSIDs > SSIDs


> Click on the + button
> SSID Service Name: GuestsX (X = R-Lab number)
> SSID: <filled automatically>
> Usage: Guest Network (Open or Captive Portal)
> Do you want users to go through a Captive Portal? YES
> Captive Portal Type: OV-UPAM Captive Portal
> Click on Create & Customize

Notes > About the “Usage”


During the SSID creation, a “Usage” is asked. When you select a Usage, relevant related default configurations
(Access Policy, Authentication Strategy, …) are automatically created.
Guest Network creates a network for Guest Users. It is suitable for setting up an Open Network with or without
a Captive Portal. This is typically used for Guests.
Of course, these configurations can be customized. Check the OV2500 dedicated Help for more information.

> Allowed Band: 2.4GHz and 5GHz

Tips > Help Menu


As you can see, several settings can be managed in the SSID Creation properties. Take the time to learn more
about each of them by clicking on the Help button

Authentication Strategy
> RADIUS Server: UPAMRadiusServer
> Click on Manage Guest Accounts

Notes > UPAMRadiusServer


In this lab, for all the types of authentication, we will use the UPAM platform (Unified Policy Authentication
Manager) embedded in the OmniVista 2500.
UPAM is a unified access management platform for both AOS Switch Series devices and Stellar AP Series
devices. UPAM supports both captive portal server and RADIUS server; and can be used to implement multiple
authentication methods, such as MAC authentication, 802.1X authentication, and captive portal authentication.

3.2. Creating a Guest Account

Create the Guest account

> Click on the + button


> Guest name: Guest
> Password: password
> Repeat Password: password
> Data Quota: Disable
> Click on Create
> Click on Close

3.3. Back to… Creating the GuestsX SSID


Guest Access Strategy
> Portal Page: DefaultPortal
> Login by: Username & Password

Default VLAN/Network
> VLAN ID: 30
> Click on Save and Apply to AP Group

Tips > Customize Portal Page


The Captive Portal (the webpage where the guests are redirected when they try to connect to the network) is
customizable. By clicking on the Customize Portal Page option, you can choose between different templates
(=predefined Captive Portal styles). To fully customize the Captive Portal, go to UPAM > SETTINGS > Captive
Portal.
You can test it if you are ahead of schedule!

3.4. Assigning the SSID to the AP Group

Assign the freshly created SSID GuestsX to the AP Group APGX created in the previous
lab

Now that the SSID GuestsX has been created, assign it to the AP Group(s) APGX:

AP Group Assignment and Schedule


> Click on Change Selection
> Remove default group from the SELECTED tab
> Move APGX (X = R-Lab Number) from AVAILABLE to SELECTED
> Click on OK
> Click on Apply
> Check the result on the page that is displayed (notice the differences between EmployeesX and GuestsX
SSIDs)

Now that we have finished the configuration of the SSID, let’s test it!

4 Testing the Guests SSID

Test the GuestsX SSID by connecting to it with the Guest account

4.1. Connecting to the “WifiClient” Raspberry Pi

R-Lab Windows Desktop


Double click on the Real VNC
Viewer shortcut

4.2. Setting Up the Wifi Client to Connect to the GuestsX SSID

WifiClientX Raspberry Pi

Left-click on the icon


(top right)

Select the SSID GuestsX (X =


R-Lab Number)
Check under “More Networks”
if it is not displayed.

Open a Web Browser with the

icon in the top left


corner.
Enter any non-https URL (ex:
http://2.2.2.2) and you are
redirected to the Captive
Portal
Enter the credentials:
Username: Guest
Password: password
Check I accept the Terms of
Use
Click on Login

Notes > Web redirection


Depending on the Operating System you are using, a web browser can automatically be opened when you
connect to the Guest SSID.
With the Raspberry Pi (running on a Debian OS), it is not the case. This is why you have to open your web
browser manually and open any non-https URL to be redirected to the Captive Portal.

4.3. Verifying the connection


From the Stellar Client, check that the connection has been successfully established:
- The IP Address of the Wi-Fi network card should be in the 10.7.X.64/27 range
- Ping the DHCP Server (10.130.5.7), the OmniVista 2500 (10.130.5.5X) and the UPAM Server
(10.130.5.7X)

Open a terminal with the icon (top left corner).


Enter the commands:

5 Monitoring the Connections

Display the Guest authentication record

5.1. Monitoring the UPAM

5.1.1. Viewing the Authentication Record


The Authentication Record Screen displays authentication information for all devices authenticated
through UPAM:

> Select UPAM > AUTHENTICATION > Authentication Record

In the Authentication Record List information, find the Stellar Access Point where your
Client Virtual machine (StellarClientX) is connected.

Notes > Client associated to a Stellar Access Point


The information asked in the question above can also be found in the WLAN > CLIENT > Client List
menu. Go check it out!

Tips > Guest Account Creation


Do you remember the Guest account that you have created? You have done it via a shortcut, during the SSID
creation process. This shortcut leads to the … UPAM > Guest Account menu! Go and have a look at this menu.
You will find the Guest account that you have created previously. From there, you can easily create a new
Guest account.

5.1.2. Checking the Captive Portal Access Record


To monitor the Captive Portal access:

> Select UPAM > AUTHENTICATION > Captive Portal Access Record

Another interesting feature that the OmniVista 2500 NMS offers is the ability to locate the AP, Switch
and/or slot/port that is directly connected to a user-specified station: it is the Locator application.

5.2. WLAN Menu

5.2.1. Wireless Client List


The Wireless Client List Screen displays real time information for wireless clients associated with APs. By
default, the Distribution of Clients per AP chart at the top of the screen provides a graphical overview of
the number of clients associated with each AP:

> Select WLAN > Client > Client List


> Scroll down to the List of Clients on All APs section

From the Client List page, find on which Stellar Access Point the Guest account is
connected

5.2.2. Client Session


The Wireless Client Session Screen displays information about current wireless clients associated with APs.
By default, all wireless client sessions are displayed in the list.

> Select WLAN > Client > Client Session

6 Kicking/Banning a Device
Now that we are sure that the StellarClient virtual machine is correctly connected to the Guests SSID, let’s
see how to kick it off the network and how to blacklist it.

- Try to kick out the StellarClient. Check that you can reconnect to the Guest SSID
- Try to ban/blacklist the StellarClient. Check that it is not possible to reconnect to
the Guests SSID until the StellarClient is removed from the blacklist.

6.1. Kicking out a Device


Use the Kickoff option to de-authenticate a user from the SSID they are connected to:

> Select UPAM > GUEST ACCESS > Guest Device


> Select the Client
> Click on KickOff
> Click OK to confirm

6.2. Banning/Blacklisting a Device


If you have kicked out the StellarClient, reconnect it to the Guest SSID before testing the blacklist
feature.

To blacklist a device from the OmniVista 2500:

> Select WLAN > CLIENT > Client List > Wireless Client List
> Scroll down to the List of Clients on All APs section
> Select the Client
> Click on Add to Blocklist
> Click OK to confirm

To remove the client from the blacklist:

> Select WLAN > CLIENT > Client BlockList


> Select the Client
> Click on

7 Debriefing
During this lab, we have created a VLAN dedicated for the Guests data traffic. Then, we have created the
Guests SSID and configured it to force the Guests to authenticate via a Captive Portal. Finally, we have
monitored the Guest StellarClient virtual machine connection, and we’ve seen that it was possible to
kick/ban a device from the OmniVista 2500.

[Figure: lab topology]

8 Troubleshooting
In this part, we will cover the process to follow if there is an issue regarding the connection to a Guests SSID.
We will use the exact same infrastructure as in the lab:

[Figure: lab topology]

Notes > Before Beginning


Before beginning this part, we assume that all the steps available in this lab have been followed correctly and
checked: SSID creation, guest account creation…

8.1. Troubleshooting the OmniVista 2500

8.1.1. Checking the date and time


A guest account has an expiration date. It is important to check that the date and time are correctly set
up:

OmniVista 2500 Console


Select the OV2500 virtual
machine

Click Launch Web Console,


then Web Console

Enter the credentials defined


during the OmniVista 2500
installation:
- login: cliadmin
- password: Alcatel.0
A menu is displayed.

Choose option [10] Advanced


Mode

From the CLI, use the


command date

8.2. Troubleshooting the Stellar AP

The Stellar console access is deactivated in Enterprise mode for the application Configuration > CLI
Scripting > Terminal.
To activate the SSH console connection on OV2500, go to Network > AP Registration > AP Group, edit the
AP Group and change the support and root passwords.

Use the APs console connections on the desktop and do not change the passwords in the AP Group.

8.2.1. Checking the date and time


A guest account has an expiration date. It is important to check that the date and time are correctly set
up:

support@AP-0E:E0:~$ date
Thu Oct 24 09:25:08 2019

8.2.2. Checking the DNS configuration


A valid DNS configuration is mandatory to successfully redirect the client(s) to the Captive Portal
page:

support@AP-0E:E0:~$ cat /etc/resolv.conf


# Interface wan
nameserver 10.0.0.51
search ale-training.com

8.2.3. Checking the wireless configuration


support@AP-0E:E0:~$ iwconfig
[…]
ath02 IEEE 802.11ng ESSID:"Guests0"
Mode:Master Frequency:2.437 GHz Access Point: DC:08:56:00:0E:E2
Bit Rate:192 Mb/s Tx-Power=17 dBm
RTS thr:off Fragment thr:off
Power Management:off
Link Quality=94/94 Signal level=-42 dBm Noise level=-95 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

gretap0 no wireless extensions.

ath12 IEEE 802.11ac ESSID:"Guests0"


Mode:Master Frequency:5.22 GHz Access Point: DC:08:56:00:0E:EA
Bit Rate:800 Mb/s Tx-Power=19 dBm
RTS thr:off Fragment thr:off
Power Management:off
Link Quality=50/94 Signal level=-76 dBm Noise level=-95 dBm
Rx invalid nwid:4 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
[…]

8.2.4. Checking the Wi-Fi Channel


To check which channel is used (ex. ath12 interface):

support@AP-0E:E0:~$ iwlist ath12 channel


ath12 157 channels in total; available frequencies:
Channel 36 : 5.18 GHz
Channel 40 : 5.2 GHz
Channel 44 : 5.22 GHz
Channel 48 : 5.24 GHz
Channel 52 : 5.26 GHz
Channel 56 : 5.28 GHz
Channel 60 : 5.3 GHz
Channel 64 : 5.32 GHz
Channel 100 : 5.5 GHz
Channel 104 : 5.52 GHz
Channel 108 : 5.54 GHz
Channel 112 : 5.56 GHz
Channel 116 : 5.58 GHz
Channel 120 : 5.6 GHz
Channel 124 : 5.62 GHz
Channel 128 : 5.64 GHz
Channel 132 : 5.66 GHz
Channel 136 : 5.68 GHz
Channel 140 : 5.7 GHz
Current Frequency:5.22 GHz (Channel 44)

8.2.5. Checking the interface transmission power


support@AP-0E:E0:~$ iwlist ath12 txpower
ath12 8 available transmit-powers :
0 dBm (1 mW)
7 dBm (5 mW)
9 dBm (7 mW)
11 dBm (12 mW)
13 dBm (19 mW)
15 dBm (31 mW)
17 dBm (50 mW)
19 dBm (79 mW)
Current Tx-Power=19 dBm (79 mW)

8.2.6. Checking the interface bitrate


support@AP-0E:E0:~$ iwlist ath12 bitrate
ath12 8 available bit-rates :
6 Gb/s
9 Gb/s
12 Gb/s
18 Gb/s
24 Gb/s
36 Gb/s
48 Gb/s
54 Gb/s
Current Bit Rate:800 Mb/s

8.3. Client Information

8.3.1. Listing the client(s) associated with the AP


It is possible to list:
- All the clients associated with the AP:
support@AP-0E:E0:~$ ssudo sta_list
SSID:Employees0

STA_MAC IPv4 IPv6 OnlineTime RX TX


d4:6e:0e:18:60:38 10.7.0.69 326 280008 830034
FREQ AUTH Final_role VLANID TUNNELID FARENDIP
5GHz OPEN __Guests0 30 0

- All the clients associated with a specific interface (ex. ath12 corresponding to the SSID Guests0 in
5 GHz):
support@AP-0E:E0:~$ wlanconfig ath12 list
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS XCAPS
d4:6e:0e:18:60:38 1 44 6M 72M 64 63 67 0 0 65535 Es OI

ACAPS ERP STATE MAXRATE(DOT11) HTCAPS VHTCAPS ASSOCTIME IEs MODE PSMODE
0 b 0 WPS 2gGR 00:10:10 WME IEEE80211_MODE_11AC_VHT40 0
RXNSS TXNSS
1 1

Minimum Tx Power : 5
Maximum Tx Power : 18
HT Capability : Yes
VHT Capability : Yes
MU capable : No
SNR : 64
Operating band : 5GHz
Current Operating class : 0
Supported Rates : 12 18 24 36 48 72 96 108

- The parameters sent from the AP to the Wi-Fi Client(s):


support@AP-83:60:~$ ssudo wam_debug sta_list
{
"status": "Success!!!",
"wlanServiceData": [
{
"iface": "ath12",
"ssid": "Guests0", SSID Name
"freq": "5GHz", Frequency
"security": "Open", Security
"wlanService": "Guests0", Assoc. WLAN Service
"staData": [
{
"staMAC": "d4:6e:0e:18:60:38", Wi-Fi Client MAC@
"staIP": "10.7.0.69", Wi-Fi Client IP@
"staGlobalIPv6": "::",
"staLocalIPv6": "::",
"associationTime": 724, Assoc. Time (seconds)
"mappingType": 0,
"assignedVLAN": 30, Wi-Fi Client Assigned VLAN
"assignedAR": "__Guests0", Wi-Fi Client Assigned ARP
"assignedPL": "",
"macAuthResult": "SUCCESS",
"ARFromMACAuth": "",
"PLFromMACAuth": "",
"redirectURLFromMACAuth": "https:\/\/ov2500-upam-cportal.al-enterprise.com:443\/portal_UI\/27d977d4f77a4a0783d5a76a8d5ab077\/login.html?mac=D46E0E186038",
"ARFrom8021xAuth": "",
"PLFrom8021xAuth": "",
"redirectURLFrom8021xAuth": "",
"CPAuthResult": "SUCCESS",
"ARFromCPAuth": "__Guests0",
"PLFromCPAuth": "",
"ARFromRoaming": "",
"PLFromRoaming": "",
"redirectURLFromRoaming": "",
"classificationMatched": "none"
[…]
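
An added example (not part of the training guide): a Python check that parses the `wam_debug sta_list` JSON shown above and flags any station on the guest SSID whose VLAN, Access Role Profile, Captive Portal result or IP address does not match the guest design of this lab. The sample JSON is a constructed, trimmed copy of the output above; the function name `audit_guest_stations`, the second (mismatching) station and the use of X = 0 are assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample: trimmed from the `ssudo wam_debug sta_list` output shown
# in this lab, plus a second, invented station that violates the design.
# The real output must be captured in full (not truncated) to be valid JSON.
SAMPLE_OUTPUT = """
{
  "status": "Success!!!",
  "wlanServiceData": [
    {
      "iface": "ath12",
      "ssid": "Guests0",
      "freq": "5GHz",
      "security": "Open",
      "wlanService": "Guests0",
      "staData": [
        {
          "staMAC": "d4:6e:0e:18:60:38",
          "staIP": "10.7.0.69",
          "assignedVLAN": 30,
          "assignedAR": "__Guests0",
          "macAuthResult": "SUCCESS",
          "CPAuthResult": "SUCCESS"
        },
        {
          "staMAC": "02:00:00:00:00:01",
          "staIP": "10.7.0.12",
          "assignedVLAN": 20,
          "assignedAR": "__Guests0",
          "macAuthResult": "SUCCESS",
          "CPAuthResult": ""
        }
      ]
    }
  ]
}
"""


def audit_guest_stations(raw, ssid, vlan, role, subnet):
    """Return {mac: [findings]} for stations on `ssid` that break the guest design."""
    data = json.loads(raw)
    net = ipaddress.ip_network(subnet)
    findings = {}
    for service in data.get("wlanServiceData", []):
        if service.get("ssid") != ssid:
            continue  # only audit the guest SSID
        for sta in service.get("staData", []):
            issues = []
            if sta.get("assignedVLAN") != vlan:
                issues.append(f"VLAN {sta.get('assignedVLAN')} instead of {vlan}")
            if sta.get("assignedAR") != role:
                issues.append(f"role {sta.get('assignedAR')!r} instead of {role!r}")
            if sta.get("CPAuthResult") != "SUCCESS":
                issues.append("Captive Portal login not completed")
            ip = sta.get("staIP", "")
            try:
                if ipaddress.ip_address(ip) not in net:
                    issues.append(f"IP {ip} outside {net}")
            except ValueError:
                issues.append(f"no valid IP address ({ip!r})")
            if issues:
                findings[sta.get("staMAC", "?")] = issues
    return findings


if __name__ == "__main__":
    # X = 0 matches the sample outputs in this lab (SSID Guests0, 10.7.0.64/27).
    result = audit_guest_stations(
        SAMPLE_OUTPUT, "Guests0", 30, "__Guests0", "10.7.0.64/27")
    for mac, issues in result.items():
        print(mac, "->", "; ".join(issues))
```

A station that is listed with the guest role but an empty CPAuthResult has associated without finishing the portal login, which is the usual state to look for when a guest reports being connected but unable to browse.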

8.3.2. Checking the access logs of a specific client


Find the MAC address of the client (ex. d4:6e:0e:18:60:38), then:

support@AP-0E:E0:~$ cat /proc/kes_syslog | grep "d4:6e:0e:18:60:38"

8.4. Checking the Captive Portal settings

Notes > Before Beginning


Before beginning this part, we assume that all the settings on the Client side (Wi-Fi network card up and
running, firewall checked…) and OmniVista 2500 side (account created, Captive Portal settings…) have been
verified (if not sure, go back to the client settings instructions available in this lab).

8.4.1. Checking the Captive Portal process


support@AP-83:60:~$ ps |grep eag
4499 support 1300 S grep eag
4662 root 7860 S /usr/sbin/eag_app

8.4.2. Listing the clients authenticated via the Captive Portal

support@AP-83:60:~$ eag_cli show user all //or// eag_cli show user list
user num : 1
ID UserName UserIP UserMAC SessionTime
1 Guest 10.7.0.69 D4:6E:0E:18:60:38 0:16:18
OutputFlow InputFlow AuthType ESSID
3091809 659705 PORTAL Guests0

Notes > Kicking a Client


It is also possible to kick a client authenticated via the Captive Portal from the Stellar AP CLI (to use this
command, the user ID must be known: it is displayed by using the eag_cli command (see above)):

support@AP-83:60:~$ eag_cli kick user index 1


the command is successful!

8.4.3. Checking the Captive Portal logs


The Captive Portal logs can be displayed:

support@AP-83:60:~$ tail -f /tmp/log/eag.log


support@AP-83:60:~$ cat /proc/kes_syslog |grep eag
support@AP-83:60:~$ cat /var/log/eag.log

-ANNEXES-

9 Annex: Restricting the Services


To configure network access control, we need to:
• Create policies to define what will be authorized and what will not (telnet, SSH).
• Create a policy list which will contain the policies, and a precedence for each.
• Automatically apply the policy list to the guests.

9.1. Creating Policies

Create a policy which will regroup the forbidden services: telnet, SSH

Let’s begin with the creation of the Policy. In this Policy, we will deny the telnet and SSH protocols:

> Select UNIFIED ACCESS > UNIFIED POLICY


> Click on to add a new Policy

1. Config
> Name: DeniedServ
> Click on Next

2. Device Selection
> Click on both ADD buttons to apply the policy on the network device OS6860E and AP Group APGX.
Note: OS2360 and OS6360 are not supported.
> Click on Next

3. Set Condition
> Select L4 Services
> Select Group
> Service Group: click on

9.1.1. Service Group


Now, let’s create a group containing the denied services:

Service Group
> Group Name: DeniedSrv

9.1.2. Create & Select the Services

Services
> Click on
> Service Name: telnet
> Destination Port: select TELNET (23)
> Click on Create
> Click on Finish

Services
> Click on
> Service Name: SSH
> Protocol: TCP
> Destination Port: select
> Name: SSH
> Port Number: 22
> Click on Create
> Click on Finish

> Destination Port: SSH


> Click on Create
> Click on Finish

9.1.3. Back to… Service Group

Service Group
> Select Services: Click on to add all the services
> Click on Create

9.2. Back to… Create a new Policy

3. Set Condition
> Service Group: DeniedSrv
> Click on Next

4. Set Action
> Click on QOS
> Disposition: DROP
> Click on Next

5. Validity Period
> Validity Periods: AllTheTime
> Click on Next

6. Review
> Review the information, then click on Create
> Click on OK

At the end of this step, a Policy has been created. This Policy contains the services that will be denied to
the users once they are authenticated. Creating a list of authorized services is not necessary, as one
“AcceptAllPolicy” is created by default (we will use it in the next part).

9.3. Creating a Policy List


Now that we have created the policy containing the denied services, let’s create a policy list that will
regroup and order the policies (1 – Deny the services chosen in the previous part, 2 – Authorize the other
services)

> Select Unified Policy List in the left menu


> Click on to create a new Policy List

1. Config for Policy List


> Name: GuestsPolicy
> Add Unified Policy: select DeniedServ

> In the drop-down list at the bottom of the area (“Device-Default”), select OV-L3-AcceptAllPolicy
> Click on Next

2. Device Selection
> Click on ADD, then add the devices OS6860E and the AP Group APGX
> Click on Create, then OK

9.4. Pushing the Policy List & Policies on the Network Devices
Once the Policies and the Policy List are created, they must be pushed to the network devices:

> On the left menu, select:


> Unify Policies
> Click on Notify All (top right corner)
> Click on OK

> Unify Policy List


> Click on Notify All (top right corner)
> Click on OK

At the end of this step, we have:


- Created the Policy
- Created the Policy List

We have also pushed them on the network devices (OmniSwitch 6860E and Stellar APs contained in the
AP Group APGX).

9.5. Applying the Policy List to a User


Once all the settings are configured, we will set up the OmniVista 2500 to apply the Access Role Profile
to the authenticated users (WLAN or LAN):
- Once authenticated, an Access Role Profile is applied to the guest;
- We want, in this part, to apply the policies to the guest, once authenticated;
- Hence, we are going to insert the Policy List created previously in the Access Role Profile which is
automatically applied to the guests, once authenticated.

> Select UNIFIED ACCESS > UNIFIED PROFILE > Template


> Select Access Role Profile
> Select the Access Role Profile “__GuestsX” (X = R-Lab Number)
> Click on
> Select Policy List = GuestsPolicy
> Click on Apply
> Click on Apply to Devices (top right-hand corner)
> Insert VLAN Number = 30
> Select the OmniSwitch OS6860E and the AP Group APGX (X = R-Lab Number)
> Click on Apply

At the end of this step, we have:


- Created a Policy
- Created a Policy List
- The Policy List has been inserted in the Access Role Profile
which is applied to the employees once authenticated on the
SSID « EmployeeX » (X = R-Lab Number)

9.6. Testing the Configuration


Connect to GuestsX and try to perform a telnet and SSH connection to the gateway:

WIRELESS CLIENT VM
> Open PuTTY, under Start > Internet > PuTTY SSH Client
> Choose Telnet (port 23) > Host name (or IP) 10.7.X.62 (X = R-Lab Number)
> Choose SSH (port 22) > Host name (or IP) 10.7.X.62 (X = R-Lab Number)

Warning
BEFORE PERFORMING THE TEST, BE SURE TO DISCONNECT AND RECONNECT THE VIRTUAL MACHINE FROM THE
NETWORK TO FORCE THE RE-AUTHENTICATION, AS THE POLICY IS APPLIED ONCE THE CLIENT AUTHENTICATION IS
SUCCESSFUL.
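
An added example (not from the training guide) that automates the test above from the wireless client: it attempts TCP connections to the gateway and classifies each port as open, refused or filtered. Because the policy action is DROP, packets to Telnet and SSH get no reply at all, so a correctly applied policy shows up as a timeout ("filtered"), not as a refusal. The function names, the allowed control port 80 and the gateway address with X = 0 are assumptions.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'unreachable'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"            # handshake completed
    except ConnectionRefusedError:
        return "refused"         # RST received: packet reached the host
    except socket.timeout:
        return "filtered"        # no answer: packet silently dropped on the path
    except OSError:
        return "unreachable"     # no route, interface down, ICMP unreachable...
    finally:
        sock.close()


def check_policy(host, denied_ports, allowed_ports, timeout=3.0):
    """Return [(port, state, verdict)] comparing probe results to the Policy List."""
    report = []
    for port in denied_ports:
        state = probe_tcp(host, port, timeout)
        # A DROP disposition must produce a timeout; 'open' or 'refused'
        # both mean the packet still reached the gateway.
        report.append((port, state, "PASS" if state == "filtered" else "FAIL"))
    for port in allowed_ports:
        state = probe_tcp(host, port, timeout)
        # Allowed traffic only has to reach the host: an answer of any kind proves it.
        verdict = "PASS" if state in ("open", "refused") else "FAIL"
        report.append((port, state, verdict))
    return report


if __name__ == "__main__":
    # Assumption: X = 0, so the gateway from this lab (10.7.X.62) is 10.7.0.62.
    GATEWAY = "10.7.0.62"
    DENIED = [23, 22]    # telnet and SSH, the services in the denied Service Group
    ALLOWED = [80]       # assumption: any port outside the denied group
    for port, state, verdict in check_policy(GATEWAY, DENIED, ALLOWED):
        print(f"{GATEWAY}:{port:<5} {state:<12} {verdict}")
```

If the denied ports still report "open" or "refused" after the Policy List has been pushed, the client has most likely not re-authenticated since the Access Role Profile was changed.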
Stellar OmniAccess WLAN
Web Content Filtering

Objective
✓ Learn how to configure the Web Content Filtering

Contents
1 Briefing
2 Activate Web Content Filtering
3 Configure Web Content Filtering
3.1. WCF operational status
3.2. WCF Profile creation
3.3. Assign WCF Profile to Access Role Profile
4 Test and validation
4.1. Connect to the GuestsX SSID
4.2. Verifying the connection > On the WLAN Client
4.3. Verify the Web Content Filtering
5 Debriefing
6 Troubleshooting


1 Briefing
Now that the Stellar solution is broadcasting the EmployeesX and GuestsX SSID, the company wants to filter
the guest traffic from specific websites.
In this example, “Social Network” and “Gambling” traffic will be rejected, whereas all the other internet
traffic will be accepted on the GuestsX SSID.
The WCF feature will be implemented on the network and will be then tested.


2 Activate Web Content Filtering

Web Content Filtering can either be activated per AP Group or per Access Point.
It will be activated per AP Group in this lab but look at the tip to know how to activate
it per Access Point.

We will activate the WCF feature for the AP Group APGX – attached to all our Access Points.

> Select NETWORK > AP REGISTRATION > AP Group


> Select APGX – replace X by your pod n°.
> Click on
> In the category Web Content Filtering, activate WCF:

> Click on Commit


> Review the Success logs and click on OK

Alternate Method: WCF Activation per Access Point


> Select NETWORK > AP REGISTRATION > Access Point
> Select the Access Points where the WCF must be activated.
> Click on > Web Content Filtering
> Activate Use Private Config and Web Content Filtering:

> Click on Apply



3 Configure Web Content Filtering

As the WCF is now active for all the Access Points in our AP Group APGX, we will configure it. We will create
a profile, select the categories of web traffic to be rejected and assign this profile to our users.

3.1. WCF operational status

Check the status of the WCF feature.

> Select UPAM > Web Content Filtering > WCF Profile

3.2. WCF Profile creation

In this lab, we will create a profile that will reject all the traffic categorized as “Social Networking”
(Facebook, Twitter, LinkedIn,…) and “Gambling” (Unibet, bet 365,…).
All the traffic that does not belong to one of these categories will be accepted.

> Select UPAM > WEB CONTENT FILTERING > WCF Profile
> Click on
> Name: WCF-guests
> Category: Social Networking
> Action: Reject
> Click on to add this rule

> Category: Gambling


> Action: Reject
> Click on to add this rule

> Click on Create



By default, all the traffic is accepted. It means that only the traffic from these two
categories is rejected.

3.3. Assign WCF Profile to Access Role Profile

The WCF profile is assigned to one – or multiple – Access Role Profile. All the users
assigned to this Access Role Profile can have their web traffic filtered.

For our Guests SSID, the users are attached to the Access Role Profile “__GuestsX”. The WCF profile will
therefore be attached to this Access Role Profile.

> Select WLAN > SSIDs > SSID


> In the GuestsX column, click on the Access Role Profile “__GuestsX” – replace X by your POD n°.

> Select “__GuestsX” and click on


> Under the category Web Content Filtering (WCF), select WCF-Guests from the drop-down menu

> Click on Apply

As we have modified the Access Role Profile, we must apply it to the AP Group.
Otherwise, the modification is just changed locally on the OmniVista server and not pushed to the Access
Points.

> Select __GuestsX and click on the button Apply to Devices (in the Access Role Profile window)
> In the Mapping Method, select Map to VLAN
> In the VLAN(s), select “30” (the Guests VLAN)
> Click on ADD in front of “0 AP Groups”
> Move the AP Group APGX to the column on the right and click on OK
> Click on Apply
> Review the success logs, click on OK and then on Close

The WCF profile is assigned to the Access Role Profile __GuestsX, which is then applied
to the AP Groups. All the Guests authenticated are assigned to this Access Role Profile
and will have their Social Network and Gambling web traffic filtered.

4 Test and validation

We will use the StellarClient, connect to the GuestsX SSID and use our Guest credentials.
We will then generate web traffic for different websites (google, facebook, bet 365,…) and observe the
behavior of the traffic.

4.1. Connect to the GuestsX SSID

WifiClientX Raspberry Pi

Left-click on the icon


(top right)

Select the SSID GuestsX (X =


R-Lab Number)
Check under “More Networks”
if it is not displayed.

Click on Connect

Open a Web Browser with the

icon in the top left


corner.

Enter any non-https URL (ex:


http://2.2.2.2) and you are
redirected to the Captive
Portal

Enter the credentials:


Username: Guest
Password: password
Check I accept the Terms of
Use
Click on Login

4.2. Verifying the connection > On the WLAN Client


From the Stellar Client virtual machine, check that the connection has been successfully established:
- The IP Address of the Wi-Fi network card should be in the 10.7.X.94/27 range
- Ping the DHCP Server (10.130.5.7) and the OmniVista 2500 (10.130.5.5X)

Open a terminal with the icon (top left corner).


Enter the commands:

4.3. Verify the Web Content Filtering


On the StellarClient, open a new tab in your web browser for each of these URLs:
- www.google.com : OK, can be reached.
o Google.com is not part of the Social Network or Gambling category. As all the traffic (not
part of these categories) is accepted by default, the URL can be reached.
- www.facebook.com: KO, can’t be reached.

URL Facebook (Social Network category) is rejected

The ACL used to reject the traffic for this URL has been pushed to the Access Point. Any HTTP/HTTPS request
for this URL is rejected by the Access Point.
The Access Point will no longer forward the DNS requests of the client for this website. This is why you can
see this error message in your browser.
- www.twitter.com: KO, can’t be reached.
o The rule that rejects the guest’s traffic for this category has been applied and you can’t
reach the website.
- www.unibet.com: KO, can’t be reached.
o The ACL rule rejecting the traffic for the Gambling websites has been written, and all the
subsequent Gambling traffic is rejected by the Access Point.

5 Debriefing
At the end of this lab, the Guest’s web traffic for the Social Network and Gambling categories is rejected.
These rules, rejecting this traffic, are applied to all the users belonging to the Access Role Profile __GuestsX.


6 Troubleshooting

The Web Content Filtering feature requires the DNS configuration on the OmniVista server.
If the DNS configuration is missing in the OmniVista 2500, the status of the WCF feature will be “Not in
service” and the OmniVista won’t be able to join the Brightcloud API.

Check that the DNS servers are configured on the OmniVista server.

OmniVista 2500 Console


On the left panel of vSphere
Client, select the OmniVista
2500 VM.

To open the virtual machine,


click on the link Launch Web
Console in the summary page

Log in with the credentials


entered earlier:
• Login: cliadmin
• Password: Alcatel.0

Enter the option [2] to check


the configuration of the
server.

Enter the option [6] to check


the DNS configuration of the
server.

Would you like to use dns


server: y

Please input dns server 1:


- If 10.130.5.130 is
configured, press
Enter.
- If nothing is
configured, type
10.130.5.130 and
Enter.
Would you like to use dns
server 2: y

Please input dns server 2:


- If 10.0.0.51 is
configured, press
Enter.
- If nothing is
configured, type
10.0.0.51 and
Enter.

Would you like to configure: y


Press Enter to complete the
configuration.

As the service was already


running, it must now restart
to take effect.
Press y to validate.
OMNIACCESS STELLAR WIRELESS LAN
UNIFIED POLICY AUTHENTICATION MANAGER (UPAM) - BYOD

OBJECTIVES
Upon completion of this module, you will be able to:

Unified Policy Authentication Manager (UPAM) – BYOD

• Understand and configure a BYOD access for employee personal devices.
UPAM
BYOD ACCESS
UPAM – BYOD ACCESS
• Workflow
• How it works
  • Employee connects to the BYOD SSID and is redirected to the Captive Portal
  • BYOD SSID is open with network access restrictions
  • Employee provides its corporate credentials to register his personal device
  • Employee is now allowed to access the corporate network

Diagram:
  BYOD SSID: Usage « Employee BYOD Network »
  Authentication Strategy: Web redirection « Employee » CP
  BYOD Access Strategy: Authentication source (local DB, external LDAP/AD, Radius)
  Optional: Employee account creation in the local DB
UPAM – BYOD ACCESS AND COMPANY PROPERTY

• As an alternative to an Employee Account, the BYOD device (MAC address) can be created by the admin
  • Referred to as Company Property
  • Not counted in the BYOD License count

UPAM – BYOD ACCESS STRATEGY

• BYOD Access Strategy defines:
  • Authentication Source
  • Registration Strategy
    • BYOD user account attributes
  • Login Strategy
    • Redirection URL after successful authentication.
  • Post Portal Enforcement
    • New Role provided to the employee after portal authentication.
OmniAccess Stellar WLAN
Creation of an Employee SSID for BYOD

Objective
✓ Learn how to create an SSID dedicated for Employees with personal
devices (BYOD: Bring Your Own Device)

Contents
1 Briefing
2 Creating the BYOD SSID
2.1. Creating the BYODX SSID
2.2. Back to… Creating the BYODX SSID
2.3. Assigning the SSID to the AP Group
3 Testing the BYOD SSID
3.1. Setting Up the Linux Client to Connect to the BYODX SSID
3.2. Verifying the connection > After the Web Authentication
4 Monitoring the Connections
4.1. UPAM Monitoring
4.1.1. Authentication Record
4.1.2. Captive Portal Access Record
5 Debriefing
6 Troubleshooting
6.1. Troubleshooting the Stellar AP
6.1.1. Checking the DNS configuration
6.1.2. Checking the wireless configuration
6.1.3. Checking the Wi-Fi Channel
6.1.4. Checking the interface transmission power
6.1.5. Checking the interface bitrate
6.2. Client Information
6.2.1. Listing the client(s) associated with the AP
6.2.2. Checking the access logs of a specific client

1 Briefing
In the previous Labs, we have learned how to create a secured Employees SSID and a Guests SSID. Now, let’s
see how to create an Employees BYOD SSID, dedicated for the employees who want to bring and use their
personal device within the company network.

[Figure: CURRENT TOPOLOGY and END OF LAB TOPOLOGY]

Creating a BYOD SSID can be broken down into several steps:


1. For this SSID, no additional VLANs need to be created: we will reuse the VLAN 20 (Employee) and 30
(Guest). The BYOD employee device will be placed first in the Guest VLAN (pre-authentication). Once
authenticated via a Captive Portal, it will be moved to the Employee VLAN (post-authentication).

2. Create the SSID and configure its options.

2 Creating the BYOD SSID


Let’s create the BYODX SSID:

2.1. Creating the BYODX SSID

Create the SSID BYODX (X = R-Lab Number)

> Select WLAN > SSIDs > SSIDs


> Click on the + button
> SSID Service Name: BYODX (X = R-Lab number)
> SSID: <filled automatically>
> Usage: Employee BYOD Network
> Enable BYOD Registration: YES
> Click on Create & Customize

Notes > About the “Usage”


During the SSID creation, a “Usage” is asked. When you select a Usage, a relevant related default configuration
(Access Policy, Authentication Strategy, …) is automatically created.
Employee BYOD Network > create a network for employees connecting with their own devices. Suitable for
setting up an Open Network for Employee BYOD devices. Access to the network is granted after BYOD portal
authentication.

> Allowed Band: 2.4GHz and 5 GHz

Tips > Help Menu


As you can see, several settings can be managed in the SSID Creation properties. Take the time to learn more
about each of them by clicking on the Help button.

BYOD Access Strategy


> Click on Customize
> Scroll down to the Post Portal Authentication Enforcement section
> Select Fixed Access Role Profile: _EmployeesX (X = R-Lab Number)
> click Apply

Tips > Fixed Access Role Profile


Access Role Profile assigned to the BYOD device after it is authorized. After being authenticated, the client will
have the “employee rights”. It will be, for example, moved to the VLAN Employee (VLAN 20).

Tips > Employee Account


During this lab, we will not create a new employee account, as we already have created one “EmployeeX” in
the “secured Employee SSID” lab.

2.2. Back to… Creating the BYODX SSID


Default VLAN/Network
> VLAN ID: 30
> Click on Save and Apply to AP Group

Notes > VLAN ID


The VLAN ID to insert is the default VLAN: by default, the personal device will be put in the VLAN
30 (Guest VLAN). Then, after the authentication via the Captive Portal, the personal device will be
transferred to the VLAN 20 (Employee VLAN).

2.3. Assigning the SSID to the AP Group

Assign the freshly created SSID BYODX to the AP Group APGX created in the previous lab

Now that the SSID BYODX has been created, assign it to one or several AP Group(s):

AP Group Assignment and Schedule


> Click on Change Selection
> Remove default group from the SELECTED tab
> Move APGX (X = R-Lab Number) from AVAILABLE to SELECTED
> Click on OK
> Click on Apply
> Check the result on the page that is displayed

Now that we have finished the configuration of the SSID, let’s test it!

3 Testing the BYOD SSID

Test the BYODX SSID by connecting to it via the BYODX account

3.1. Setting Up the Linux Client to Connect to the BYODX SSID

StellarClientX Raspberry Pi

- Left-click on the icon (top right).
- Select the SSID BYODX (X = R-Lab Number). Check under “More Networks” if it is not displayed.
- Open a web browser with the icon in the top left corner.
- Enter any non-HTTPS URL (ex: http://2.2.2.2) and you are redirected to the captive portal.
- Enter the credentials:
  Username: Employee
  Password: password
  Check I accept the Terms of Use
  Click on OK
- The following message is then displayed

Notes > Add more personal devices


By clicking on this link, the employee can manually add additional devices in the
OmniVista 2500 database. After clicking this link:
- Log in with the employee credentials.

Once logged in, a page appears with 2 tabs:

- The Online Devices tab, which displays all authenticated devices currently connected with this
account
- The Remembered Devices tab, which displays all authenticated BYOD devices saved in UPAM. It is
also possible to manually add new Remembered devices by clicking on the button (useful for
headless devices, for example).

3.2. Verifying the connection > After the Web Authentication


From the OmniVista 2500, check that the StellarClientX virtual machine is now in the VLAN 20 (Employee):

> Select WLAN > CLIENT > Client List


> Browse to the List of Clients on All APs section
> Locate the Client StellarClientX, then find the VLAN information

4 Monitoring the Connections

Display the BYODX authentication record



4.1. UPAM Monitoring

4.1.1. Authentication Record


The UPAM platform (Unified Policy Authentication Manager) is embedded in the OmniVista 2500 NMS. This
module is used to implement authentication (MAC authentication, 802.1x, Captive Portal…).
The Authentication Record Screen displays authentication information for all devices authenticated
through UPAM:
> Select UPAM > AUTHENTICATION > Authentication Record

4.1.2. Captive Portal Access Record


To monitor the Captive Portal access:
> Select UPAM > AUTHENTICATION > Captive Portal Access Record

Another interesting feature that the OmniVista 2500 NMS offers is the ability to locate the AP, Switch
and/or slot/port that is directly connected to a user-specified station: it is the Locator application.

5 Debriefing
In this Lab, we have learned how to create an Employee SSID, dedicated for the employees who want to use
their personal device within the company network (BYOD, Bring Your Own Device).


6 Troubleshooting
In this part, we will cover the process to follow if there is an issue regarding the connection to a BYOD SSID.
We will use the exact same infrastructure as in the lab:

[Figure: lab topology]

Notes > Before Beginning


Before beginning this part, we assume that all the steps available in this lab have been followed correctly and
checked: SSID creation, employee account creation…

6.1. Troubleshooting the Stellar AP

The Stellar console access is deactivated in Enterprise mode.


To activate it, go to Network > AP Registration >AP Group, select APGX and click the Edit button.
Under the Category SSH, activate the SSH Login option and enter:

Use exactly the following passwords:


For Support Account:
Password: Superuser=1
For Root Account:
Password: Stellar

Click on Commit. Review the Success logs and click OK.

6.1.1. Checking the DNS configuration


A valid DNS configuration is mandatory in order to redirect successfully the client(s) to the Captive Portal
page. To check the DNS configuration:

support@AP-0E:E0:~$ cat /etc/resolv.conf


# Interface wan
nameserver 10.0.0.51
search ale-training.com

6.1.2. Checking the wireless configuration


support@AP-0E:E0:~$ iwconfig
[…]
ath03 IEEE 802.11ng ESSID:"BYOD0"
Mode:Master Frequency:2.437 GHz Access Point: DC:08:56:00:0E:E3
Bit Rate:192 Mb/s Tx-Power=17 dBm
RTS thr:off Fragment thr:off
Power Management:off
Link Quality=94/94 Signal level=-51 dBm Noise level=-95 dBm
Rx invalid nwid:6 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

ath01-30 no wireless extensions.

ath01-20 no wireless extensions.

ath13 IEEE 802.11ac ESSID:"BYOD0"


Mode:Master Frequency:5.22 GHz Access Point: DC:08:56:00:0E:EB
Bit Rate:800 Mb/s Tx-Power=19 dBm
RTS thr:off Fragment thr:off
Power Management:off
Link Quality=94/94 Signal level=-28 dBm Noise level=-95 dBm
Rx invalid nwid:9 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0 […]

6.1.3. Checking the Wi-Fi Channel


To check which channel is used (ex. ath03 interface):

support@AP-0E:E0:~$ iwlist ath03 channel


ath03 57 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.437 GHz (Channel 6)

6.1.4. Checking the interface transmission power


support@AP-0E:E0:~$ iwlist ath03 txpower
ath03 8 available transmit-powers :
0 dBm (1 mW)
5 dBm (3 mW)
7 dBm (5 mW)
9 dBm (7 mW)
11 dBm (12 mW)
13 dBm (19 mW)
15 dBm (31 mW)
17 dBm (50 mW)
Current Tx-Power=17 dBm (50 mW)

6.1.5. Checking the interface bitrate


support@AP-0E:E0:~$ iwlist ath03 bitrate
ath03 12 available bit-rates :
1 Gb/s
2 Gb/s
5.5 Gb/s
11 Gb/s
6 Gb/s
9 Gb/s
12 Gb/s
18 Gb/s
24 Gb/s
36 Gb/s
48 Gb/s
54 Gb/s
Current Bit Rate:192 Mb/s

6.2. Client Information

6.2.1. Listing the client(s) associated with the AP


It is possible to list:
- All the clients associated with the AP:
support@AP-0E:E0:~$ ssudo sta_list
SSID:Employees0

STA_MAC IPv4 IPv6 OnlineTime RX TX


d4:6e:0e:18:60:38 10.7.0.38 242 237758 2121880
FREQ AUTH Final_role VLANID TUNNELID FARENDIP
2.4GHz OPEN __Employees0 20 0

- All the clients associated with a specific interface (ex. ath03 corresponding to the SSID BYOD0 in 2.4 GHz):
support@AP-0E:E0:~$ wlanconfig ath03 list
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS XCAPS
d4:6e:0e:18:60:38 1 6 72M 86M 63 60 64 0 0 65535 ESs cORI

ACAPS ERP STATE MAXRATE(DOT11) HTCAPS VHTCAPS ASSOCTIME IEs MODE PSMODE
0 f 0 P 0gR 00:07:01 WME IEEE80211_MODE_11NG_HT20 0
RXNSS TXNSS
1 1

Minimum Tx Power : 5
Maximum Tx Power : 18
HT Capability : Yes
VHT Capability : No
MU capable : No
SNR : 63
Operating band : 2.4 GHz
Current Operating class : 0
Supported Rates : 2 4 11 12 18 22 24 36 48 72 96 108.

- The parameters sent from the AP to the Wi-Fi Client(s):


support@AP-83:60:~$ ssudo wam_debug sta_list
{
"status": "Success!!!",
"wlanServiceData": [
{
"iface": "ath03",
"ssid": "BYOD0", SSID Name
"freq": "2.4GHz", Frequency
"security": "Open", Security
"wlanService": "BYOD0", Assoc. WLAN Service
"staData": [
{
"staMAC": "d4:6e:0e:18:60:38", Wi-Fi Client MAC@
"staIP": "10.7.0.38", Wi-Fi Client IP@
"staGlobalIPv6": "::",
"staLocalIPv6": "::",
"associationTime": 539, Assoc. Time (seconds)
"mappingType": 0,
"assignedVLAN": 20, Wi-Fi Client Assigned VLAN
"assignedAR": "__Employees0", Wi-Fi Client Assigned ARP
"assignedPL": "",
"macAuthResult": "SUCCESS",
"ARFromMACAuth": "__Employees0",
"PLFromMACAuth": "",
"redirectURLFromMACAuth": "",
"ARFrom8021xAuth": "",
"PLFrom8021xAuth": "",
"redirectURLFrom8021xAuth": "",
"CPAuthResult": "FAILED",
"ARFromCPAuth": "",
"PLFromCPAuth": "",
"ARFromRoaming": "",
"PLFromRoaming": "",
"redirectURLFromRoaming": "",
"classificationMatched": "none"
[…]
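To review this output for more than one client, the following added example (not part of the original lab and not ALE tooling) parses the JSON and reports which authentication step supplied each station's role and whether the VLAN matches that role. It assumes the lab mapping `__Employees0` to VLAN 20, that `CPAuthResult` uses the same SUCCESS/FAILED values shown for the other results, and that the output was saved without the field annotations.

```python
import json

# Constructed sample, trimmed to the fields used below and modeled on the
# `ssudo wam_debug sta_list` output above. The first station is the one from
# the page; the two 02:00:00:... stations are invented to exercise the checks.
SAMPLE = """
{"status": "Success!!!", "wlanServiceData": [
 {"iface": "ath03", "ssid": "BYOD0", "security": "Open", "staData": [
  {"staMAC": "d4:6e:0e:18:60:38", "assignedVLAN": 20,
   "assignedAR": "__Employees0", "macAuthResult": "SUCCESS",
   "ARFromMACAuth": "__Employees0", "ARFrom8021xAuth": "",
   "CPAuthResult": "FAILED", "ARFromCPAuth": "", "ARFromRoaming": ""},
  {"staMAC": "02:00:00:00:00:01", "assignedVLAN": 30,
   "assignedAR": "__Employees0", "macAuthResult": "FAILED",
   "ARFromMACAuth": "", "ARFrom8021xAuth": "",
   "CPAuthResult": "SUCCESS", "ARFromCPAuth": "__Employees0",
   "ARFromRoaming": ""},
  {"staMAC": "02:00:00:00:00:02", "assignedVLAN": 20,
   "assignedAR": "__Employees0", "macAuthResult": "FAILED",
   "ARFromMACAuth": "", "ARFrom8021xAuth": "",
   "CPAuthResult": "FAILED", "ARFromCPAuth": "", "ARFromRoaming": ""}
 ]}
]}
"""

# Assumption (lab values): VLAN a station must be in once it holds the role.
EXPECTED_VLAN = {"__Employees0": 20}

# (label, field carrying the role, field carrying the result or None).
# 802.1X and roaming have no result field in the output shown on the page.
SOURCES = (
    ("captive-portal", "ARFromCPAuth", "CPAuthResult"),
    ("802.1X", "ARFrom8021xAuth", None),
    ("mac-auth", "ARFromMACAuth", "macAuthResult"),
    ("roaming", "ARFromRoaming", None),
)


def role_source(sta):
    """Name the authentication step whose role equals the assigned role."""
    assigned = sta.get("assignedAR", "")
    if not assigned:
        return "none"
    for label, role_key, result_key in SOURCES:
        if sta.get(role_key) != assigned:
            continue
        if result_key and sta.get(result_key) != "SUCCESS":
            continue  # role string matches but that step did not succeed
        return label
    return "unexplained"


def audit(raw):
    """Return one row per station with its role source and any issues."""
    data = json.loads(raw)
    if not str(data.get("status", "")).startswith("Success"):
        raise ValueError("sta_list did not report success: %r" % data.get("status"))
    rows = []
    for svc in data.get("wlanServiceData", []):
        for sta in svc.get("staData", []):
            role, vlan = sta.get("assignedAR", ""), sta.get("assignedVLAN")
            source = role_source(sta)
            issues = []
            want = EXPECTED_VLAN.get(role)
            if want is not None and vlan != want:
                issues.append("role %s expects VLAN %d, station is in VLAN %s"
                              % (role, want, vlan))
            if source == "unexplained":
                # Worth a manual look: no successful step accounts for the role.
                issues.append("role %s is not backed by a successful "
                              "authentication result" % role)
            rows.append({"mac": sta.get("staMAC"), "ssid": svc.get("ssid"),
                         "vlan": vlan, "role": role, "source": source,
                         "issues": issues})
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["mac"], row["ssid"], row["vlan"], row["role"],
              row["source"], "; ".join(row["issues"]) or "ok")
```

For the station shown in the lab output, the role comes from MAC authentication even though `CPAuthResult` is FAILED, which is what a device already registered through the BYOD portal looks like on a later connection.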

6.2.2. Checking the access logs of a specific client


Find the MAC address of the client (ex. d4:6e:0e:18:60:38), then:

support@AP-0E:E0:~$ cat /proc/kes_syslog | grep "d4:6e:0e:18:60:38"


OMNIACCESS STELLAR WIRELESS LAN
RF MANAGEMENT AND OPTIMIZATION

LESSON SUMMARY
Upon completion of this module, you will be able to:

Understand and configure the RF profile
RF MANAGEMENT
DISTRIBUTED RADIO MANAGEMENT - DRM
• Fully distributed control Plane
• Each AP communicates with its neighbor APs
  • Over the air protocol: neighbor AP discovery
  • Over the LAN protocol: RF management
• RF context sharing
  • Channel utilization & interference, number of clients per band, radio & AP, power…
• Each AP can take RF action (try, wait, retry mechanism)
  • Limited to neighbor APs
• Does not rely on AP Group or AP management vlan
• Concept of RF Profile
  • Use default or new RF Profile
  • RF Profile applied to AP Group or at AP level
  • Country Code set in the RF Profile

[Figure: two Stellar APs, each connected to an Edge Switch on the Layer 2/3 Network Infrastructure, with an Over the Air Control Plane and an Over the LAN Control Plane]
DISTRIBUTED RADIO MANAGEMENT - DRM
OmniVista
AP Group 1: AP 1,2,3,4,6 => RF Profile Profile1
AP Group 2: AP 5,7 => RF Profile Profile2
AP7 explicitly assigned to RF Profile Profile2

[Figure: OmniVista RF App on the LAN with MGT VLAN 1 and MGT VLAN 2; AP 1 to AP 7 in AP Group 1 and AP Group 2; Over the LAN RF management, Scope = Adjacent APs; Over the Air Discovery]


RF MANAGEMENT – OMNIVISTA

• RF Profile configuration
  • Name / Description & Country Code
  • Smart Load Balance
  • Scanning
  • Band, Channel & Power

RF MANAGEMENT – OMNIVISTA

• RF Profile
  • Dynamic Radio Management (DRM) channel list selection
  • Admin can specify a list of channels that will be used by the Auto Channel Selection (ACS)
  • For the 5GHz (including 5GHz Low and High) and 6GHz band
  • Select enough channels to avoid interferences between APs
SMART AIR SHARE
• In SSID, Advanced WLAN Service configuration
• Granular controls to improve the WiFi experience for 802.11a/n clients (High quality WiFi)
• 2.4G client minimum data rate control → Advanced control (recommended value 12)
• 5G client minimum data rate control → Advanced control (recommended value 24)
• 6G client minimum data rate control → Advanced control (recommended value 24)
• 2.4G MGMT beacon rate control
• 5G MGMT beacon rate control
• 6G MGMT beacon rate control
SMART LOAD BALANCE

• Band Steering
  • Steer client to 2.4GHz, 5GHz or 6GHz Radio/Band
  • Option: Force steering to 5 or 6 GHz
• Dynamic Load Balance
• Association RSSI Threshold
  • Deny connection to APs when wireless signal of client is too weak (RSSI)
  • Disconnect a client when the signal of this client becomes weak
  • Recommended value: 2.4G = 5 , 5G = 10

[Figure: one client with RSSI = 20 against Threshold = 10, and one client with RSSI = 6 against Threshold = 10]
SMART LOAD BALANCE – BAND STEERING

DUAL RADIO
Diff. = 5G Client Number – 2.4G Client Number (Threshold: 10)

AP
TRI RADIO
• Pri-Diff. = 5G High Client # – 2.4G Client # (Threshold: 10)
• Sec-Diff. = 5G Low Client # – 2.4G Client # (Threshold: 10)

Overloaded: A channel is considered overloaded when its average medium utilization over the span of a minute exceeds 70%.
SMART LOAD BALANCE – DYNAMIC LOAD BALANCE

• Every AP learns the neighboring
• When a new client appears, each AP will set up a timer based on its connecting clients
• When the timer ends, AP will respond to the new client
• The new client is guided to connect to the lightest loaded AP

[Figure: a New Client between AP1, AP2 and AP3. 1. Broadcast Join Request (to each AP); 2. Reply to Client; 3. New Client joins AP2]
SCANNING

• All AP13xx and AP14xx have a dedicated scanning Radio
  • No background scanning for these models
• Background scanning
  • Each radio periodically scans the air – one channel at a time
  • During scanning wireless clients are impacted – no 802.11 data
  • Scanning is required for WIPS
    • Interfering & Rogue AP detection, Wireless attack detection
  • Scanning Interval and duration
    • Default interval = 5 sec – Range = 5-10 sec
    • Default Duration = 20 ms – Range = 20-110 ms
• Dedicated AP scanning mode
  • AP only used to scan the air in order to the quality of the wireless environment
• Voice and Video Awareness
  • Bypass scanning when the AP has an active voice or video session from a client
  • SIP and H.323 traffic detected

[Figure: Stellar AP serving Employee (5GHz), Guest (2.4GHz, 5GHz) and BYOD (5GHz) while scanning 2.4GHz, 5GHz and 6GHz; background scanning for 20 ms every 5 sec, and Dedicated AP scanning mode]
BAND, CHANNEL AND POWER SETTINGS
• Per band configuration (2.4G, 5G (all), 5G High and 5G Low, 6G)
• Channel and Power settings mode
  • Auto mode
    • Channel number and power setting automatically set & adjusted
    • Optimal settings to minimize interferences and maximize wifi coverage
    • Decision based on the RF context shared between neighbor APs
    • Does not depend on background scanning configuration status
    • Channel width still needs to be set
  • Explicit mode
    • Channel number, channel width and power setting manually set
    • Channel number restriction per Country Code
    • Channel width for 2.4G: 20 MHz (default) or 40 MHz
    • Channel width for 5G, 5G Low, 5G High: 20 MHz, 40 MHz (default), 80 MHz or 160 MHz
    • Channel width for 6G: 20 MHz, 40 MHz, 80 MHz or 160 MHz
    • Power: Auto or value in 3-23 dBm
• Short Guard Interval
  • Used to improve the overall throughput of the AP
RF OPTIMIZATION AND RECOMMENDATION

Smart Load Balance
- Band Steering: Enable
- Signal Strength/Client SNR Threshold: Keep default threshold
  • Low value recommendation is 10: many weak clients can associate, overall throughput is low.
  • High value recommendation is 25: weak clients cannot associate, overall throughput is better.
- Dynamic Load Balance: Enabled

Scanning
- Background scanning: Enabled
  Only required for WIPS
- Scanning Interval: Keep default setting
- Scanning Duration: Keep default setting
  • Higher scanning interval or lower scanning duration means intrusions are less likely to be detected but
    client performance will be better.
  • Lower scanning interval or higher scanning duration means intrusions are more likely to be detected but
    client performance will be lower.
- Voice and Video Awareness: Enabled

Per Band Info
- Short Guard Interval: Enabled
  If the RF environment is not good and clients are crowded, then it should be disabled.
- Channel & Power: Auto Mode
  It is recommended to use auto channel & power instead of static setting.
  In R3.0, Heatmap will have a different view if the power is changed in RF Profile, but channel setting is
  not reflected in heat map.
- Channel Width: Keep Default settings
  Narrow width for dense AP deployment
  Large width for sparse AP deployment
RSSI
RECEIVED SIGNAL STRENGTH INDICATOR (RSSI)

• How well a device can hear a signal from an access point
• Indicates the quality of the signal received by the access point

CLI
-> wlanconfig ath01 list

[Screenshot: CLIENT LIST]

RSSI VALUES

Bad: Not recommended for Video or Audio applications
RSSI  dBm
10    -86
11    -85
12    -84
13    -83
14    -82
15    -81
16    -80
17    -79
18    -78
19    -77
20    -76

OK – not bad
RSSI  dBm
21    -75
22    -74
23    -73
24    -72
25    -71
26    -70
27    -69
28    -68

Desired and recommended
RSSI  dBm
29    -67
30    -66
31    -65
32    -64
33    -63
34    -62
35    -61
36    -60
37    -59
38    -58
39    -57
40    -56
41    -55
42    -54
43    -53
OmniAccess Stellar WLAN
Radio Frequency Settings Configuration

Objective
✓ Learn how to configure the RF (Radio Frequency) Settings
Contents
1 Briefing
2 Creating an RF Profile
2.1. General Settings
2.2. Smart Load Balance
2.2.1. Band Steering
2.2.2. Exclude MAC OUI
2.2.3. Force 5 GHz
2.2.4. Association RSSI Threshold
2.2.5. Roaming RSSI Threshold
2.3. Per Band Info
2.3.1. Default Setting
2.3.2. Band
2.3.3. Channel Setting
2.3.4. Client-aware
2.3.5. Channel DRM
2.3.6. Channel List
2.3.7. Channel Width
2.3.8. Power Setting
2.3.9. Minimum and Maximum TX Power
2.3.10. External Antenna Gain
2.3.11. Beacon interval
2.3.12. Short Guard Interval
2.3.13. MU-MIMO
2.3.14. High Efficiency
3 Assigning the RF Profile to an AP/AP Group
3.1. Assigning the RF Profile
3.2. Connect to an SSID
3.3. Revert the RF Profile configuration
4 Debriefing
5 Troubleshooting
5.1. Troubleshooting the Stellar AP
5.1.1. Checking the RF Profile configuration
5.1.2. Displaying the client(s) RSSI value:
5.1.3. Checking the ACS and APC logs

1 Briefing
In the OmniVista 2500, and for Stellar Access Points, the Radio Frequency settings management is done via
“RF Profiles”. An RF Profile contains all the radio frequency settings. Once created, it must be assigned to an
AP or AP Group.

2 Creating an RF Profile

2.1. General Settings

> Select WLAN > RF > RF Profile


> Click on the + button
> Name: My_RF_Profile
> Country/Region: <select your country/region>

2.2. Smart Load Balance


Smart Load Balance (SLB) is a feature that improves the user experience when accessing wireless
connectivity by guiding a user's client device to connect to a free wireless channel or AP and denying
access to APs with weak signal.

2.2.1. Band Steering


Band Steering controls the behavior of dual band clients and encourages them to use the 5 GHz band,
which is generally less congested and provides higher speed.

Warning > Why is Band Steering disabled by default?


To function properly, band steering generally assumes that the coverage areas on both the 2.4 GHz and 5
GHz bands are the same, or at least roughly equivalent. However, band steering will prove problematic if
coverage on 5 GHz is significantly weaker and has coverage holes, as compared to coverage for 2.4 GHz.

It can also cause problems. For example, a 5 GHz-capable device is automatically redirected to the 5 GHz band
by the band steering feature, even if the 5 GHz signal is low.

Solution:
- Design your networks for simultaneous 5 GHz and 2.4 GHz coverage.
- For existing deployments where this may not be feasible, and your coverage is quite different on both bands,
avoid using band steering or use the Exclude MAC OUI feature explained below.

2.2.2. Exclude MAC OUI


Excludes MAC OUI for band-steering (if Band Steering is enabled). The client will not utilize Band Steering
and will be allowed to connect to the wireless band. This setting may be preferable for certain legacy and
latency sensitive clients (e.g., scanners, MIPT Phones).

2.2.3. Force 5 GHz


With force 5 GHz, a dual-band client device will only be allowed to connect to the network on the 5 GHz
band, and any requests to connect on the 2.4 GHz band will be ignored. This mode works quite well when
the signal strength is good on the 5 GHz band but will prove problematic if there are weak coverage areas
on 5 GHz because the network will not allow the client device to “fall back” to the 2.4 GHz network.

2.2.4. Association RSSI Threshold


This feature is used to set thresholds to optimize connectivity when associating with an AP by forbidding
client access to networks with a weak wireless signal (RSSI, Received Signal Strength Indicator). Clients
with an RSSI value lower than the Association RSSI Threshold will not be allowed to connect to the AP.

- Find the RSSI value of your StellarClient virtual machine (we will consider in the lab
that this RSSI value is too low to connect to the SSIDs created previously)
- Modify the Association RSSI Threshold to make StellarClient RSSI too low to connect to
the SSIDs created previously

- Find the StellarClient signal strength Value

> Before doing this, be sure that the StellarClientX virtual machine is connected to one of the SSIDs
created in the previous labs!

> Select WLAN > CLIENT > Client List


> Click on the Client in List of Clients on All APs
> Check (and note) the RSSI value (ex. -18 dBm)

- Now, we are going to assume that the StellarClient signal strength (ex. -18 dBm) must be considered
too weak to connect to the AP. To do so, we will set the Association RSSI Threshold to a value greater
than the client RSSI value:
Notes > RSSI vs dBm
dBm and RSSI are different units of measurement that both represent the same thing: signal strength. The
difference is that RSSI is a relative index, while dBm is an absolute number representing power levels in mW
(milliwatts).

In the OmniVista 2500 NMS:


- The clients signal strength is given in dBm
- The Stellar AP’s RF settings are configured in RSSI

For this exercise, we need to translate the client signal strength from dBm to RSSI. To do so, please refer to
the following table (to convert the RSSI value to dBm you just need to subtract 96 from the RSSI value):

dBm -20 -19 -18 -17 -16 -15 … -10


RSSI 76 77 78 79 80 81 … 86

> Go back to WLAN > RF > RF Profile


> Select the profile My_RF_Profile
> Scroll down to the Smart Load Balance section
> Modify the Association RSSI Threshold for all the bands to a value much higher than the Client
value (ex. 90, which is higher than -18 dBm = 78) and click Apply

Notes
We will test this feature in the next section, as the RF Profile must be first applied to the desired AP or AP
Group.

2.2.5. Roaming RSSI Threshold


This feature is used to set thresholds to optimize connectivity when roaming by forbidding client access to
networks with a weak wireless signal (RSSI). Clients with an RSSI value lower than the Roaming RSSI
Threshold value will be guided to roam to another AP with a better transmission signal.

2.3. Per Band Info

Disable all the 5G Band (All, Low, High)

2.3.1. Default Setting


Disable it to set custom bandwidth settings. Enable it to reset bandwidth settings to default values.

2.3.2. Band
Configures the working radio for the AP.

2.3.3. Channel Setting


Configures the working channel of the radio (auto = dynamically assigned via ACS, Auto Channel Selection)

2.3.4. Client-aware
When enabled, the Auto Channel Selection does not change channels for Stellar APs with connected clients.
When disabled, the Stellar AP may change to a more optimal channel but may disrupt connected clients.

2.3.5. Channel DRM


Enables/Disables the channel scope specification definition that will be applicable for Auto-Channel
Selection.

2.3.6. Channel List


Specifies the channel list that will be applicable for Auto-Channel Selection.

2.3.7. Channel Width


Configures the channel width for 2.4 and 5G radio. Channel width is used to control how broad the signal
is for transferring data. By increasing the channel width, you can increase the speed and throughput of a
wireless broadcast. However, a larger channel width makes transmission less stable in crowded areas
with a lot of frequency noise and interference.

2.3.8. Power Setting


Configures the transmit power of the wireless radio.

2.3.9. Minimum and Maximum TX Power


Specify the minimum and maximum transmit power for auto power setting.

2.3.10. External Antenna Gain


Specify the gain value of the external AP antenna. Only the Stellar APs with external antennas (AP1222,
AP1332,…) will be configured with this attribute.

2.3.11. Beacon interval


Beacon period for the AP. Indicates how often the 802.11 beacon management frames are transmitted by
the AP.

2.3.12. Short Guard Interval


The Guard Interval is used to ensure that distinct transmissions occur between the successive data symbols
transmitted by a device. Using the Short Guard Interval provides approximately an 11% increase in data rates.
However, it results in higher packet error rates when the delay spread of the RF channel
exceeds the Short Guard Interval, or if timing synchronization between the transmitter and receiver is not
precise.

Validate the creation of the RF Profile:

> Click on Create

2.3.13. MU-MIMO
Enables/Disables the Multi-User, Multiple-Input, Multiple-Output feature. If enabled, the AP can communicate
with multiple users simultaneously. It decreases the time each device has to wait for a signal and speeds
up the network.

2.3.14. High Efficiency


Enables/Disables 802.11ax high efficiency wireless feature. If disabled, a High Efficiency mode capable AP
will downgrade to VHT (Very High Throughput) mode.

3 Assigning the RF Profile to an AP/AP Group

3.1. Assigning the RF Profile

> Select NETWORK > AP REGISTRATION > AP Group


> Select the AP Group APGX (X = R-Lab Number)
> Click on Edit
> In the General section:
> RF Profile: My_RF_Profile
> Click on Commit

Notes
Note that it is also possible to assign an RF Profile to a specific AP (instead of an AP Group). To do so, go to the
NETWORK > AP REGISTRATION > Access Points menu.

Tips
The RF Profile can also be created directly from the AP/AP Group, in the Edit mode, by clicking on Add New:

Now that the RF Profile My_RF_Profile is applied to the APGX Group, try to connect to
one SSID from the StellarClient virtual machine.

3.2. Connect to an SSID


As the StellarClient RSSI = 70 is less than the Association RSSI Threshold = 90, it is not possible for the
StellarClient (and other devices with an RSSI less than 90) to connect to any SSID broadcast by the APGX
Group.

Connect your Wi-Fi client to one of your SSIDs.


The client tries to associate to the SSID but is not able to. The Stellar AP will ignore all association requests
from the Wi-Fi client as the power of its signal is lower than the threshold.

3.3. Revert the RF Profile configuration


In the current state, no Wi-Fi clients can connect to any of your SSIDs.
Assign the default RF Profile back to the AP Group APGX:

> Select NETWORK > AP REGISTRATION > AP Group


> Select the AP Group APGX (X = R-Lab Number)
> Click on Edit
> In the General section:
> RF Profile: default profile
> Click on Commit

4 Debriefing
During this lab, we have learned that the OmniVista 2500 provides an easy way to manage the Stellar Access
Points radio frequency settings.
We have also learned that a lot of settings are available and can be enabled or disabled depending on the
infrastructure deployed.

5 Troubleshooting
In this part, we will cover the process to follow if there is an issue regarding the RF Profile and RF Profile
settings assignment. We will use the exact same infrastructure as in the lab:

[Figure: lab infrastructure diagram]

5.1. Troubleshooting the Stellar AP

The Stellar console access is deactivated in Enterprise mode.


To activate it, go to Network > AP Registration > AP Group, select APGX and click the Edit button.
Under the Category SSH, activate the SSH Login option and enter:

Use exactly the following passwords:


For Support Account:
Password: Superuser=1
For Root Account:
Password: Stellar

Click on Commit. Review the Success logs and click OK.

5.1.1. Checking the RF Profile configuration

support@AP-83:60:/tmp$ cat /tmp/config/rfprofile.conf
{
  "RFService":[
    {
      "bandSteering":"disable",
      "bandSteeringForce5g":"disable",
      "LoadBalance":"disable",
      "backgroundScanning":"enable",
      "scanningEnhance":"disable",
      "countryCode":"FR",
      "scanningInterval":20,
      "scanningDuration":50,
      "voiceVedioAwareness":"enable",
      "airtimeFairnessAt2G":"disable",
      "airtimeFairnessAt5G":"disable",
      "perBandInfo":{
        "2.4G":{
          "band":"enable",
          "channelSetting":"AUTO",
          "channelWidth":20,
          "autoChannelWidth":"enable",
          "powerSetting":"AUTO",
          "shortGuardInterval":"enable",
          "signalStrengthThreshold":90,
          "roamingSignalStrengthThreshold":0,
          "powerValMax":"0",
          "powerValMin":"0",
          "radioMode":"normal",
          "scanDuration":"normal",
          "Gain":"3",
          "clientAwareness":"disable"
        },
        "5G_high":{
          "band":"enable",
          "channelSetting":"AUTO",
          "channelWidth":20,
          "autoChannelWidth":"enable",
          "globalChannelWidth":20,
          "powerSetting":"AUTO",
          "shortGuardInterval":"enable",
          "signalStrengthThreshold":90,
          "roamingSignalStrengthThreshold":0,
          "powerValMax":"0",
          "powerValMin":"0",
          "radioMode":"normal",
          "scanDuration":"normal",
          "Gain":"4",
          "clientAwareness":"disable"
        },
        "5G_low":{
          "band":"enable",
          "channelSetting":"AUTO",
          "channelWidth":20,
          "autoChannelWidth":"enable",
          "globalChannelWidth":20,
          "powerSetting":"AUTO",
          "shortGuardInterval":"enable",
          "signalStrengthThreshold":90,
          "roamingSignalStrengthThreshold":0,
          "powerValMax":"0",
          "powerValMin":"0",
          "radioMode":"normal",
          "scanDuration":"normal",
          "Gain":"4",
          "clientAwareness":"disable"
        },
        "5G_all":{
          "band":"enable",
          "channelSetting":"AUTO",
          "channelWidth":40,
          "autoChannelWidth":"enable",
          "globalChannelWidth":20,
          "powerSetting":"AUTO",
          "shortGuardInterval":"enable",
          "signalStrengthThreshold":90,
          "roamingSignalStrengthThreshold":0,
          "powerValMax":"0",
          "powerValMin":"0",
          "radioMode":"normal",
          "scanDuration":"normal",
          "Gain":"4",
          "chainmask":15,
          "clientAwareness":"disable"
        }
      },
      "scanRadioInfo":{
        "radioMode":"normal",
        "scanDuration":"normal"
[…]

5.1.2. Displaying the client(s) RSSI value:


support@AP-0E:E0:~$ wlanconfig ath12 list
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS XCAPS
d4:6e:0e:18:60:38 1 44 6M 72M 64 63 67 0 0 65535 Es OI

ACAPS ERP STATE MAXRATE(DOT11) HTCAPS VHTCAPS ASSOCTIME IEs MODE PSMODE
0 b 0 WPS 2gGR 00:10:10 WME IEEE80211_MODE_11AC_VHT40 0
RXNSS TXNSS
1 1
[…]
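
The two troubleshooting outputs above can be cross-checked offline. The Python below is an added example, not part of the original guide or of any ALE tool: it reads the per-band thresholds from a copy of rfprofile.conf and the RSSI column of a wlanconfig listing, then reports which clients fall under the Association or Roaming RSSI Threshold. The sample inputs are constructed from the outputs on this page; the function names, the mapping of 5 GHz channels to the "5G_all" entry, and the reading of the wlanconfig RSSI column on the same scale as the thresholds are assumptions.

```python
import json
import re

RSSI_DBM_OFFSET = 96  # the page's conversion table: dBm = RSSI - 96


def rssi_to_dbm(rssi):
    return rssi - RSSI_DBM_OFFSET


def dbm_to_rssi(dbm):
    return dbm + RSSI_DBM_OFFSET


# Constructed sample: rfprofile.conf trimmed to the keys this check needs.
SAMPLE_CONF = """
{"RFService": [{"perBandInfo": {
  "2.4G":   {"band": "enable", "signalStrengthThreshold": 90,
             "roamingSignalStrengthThreshold": 0},
  "5G_all": {"band": "enable", "signalStrengthThreshold": 90,
             "roamingSignalStrengthThreshold": 0}
}}]}
"""

# Constructed sample: first row of the `wlanconfig ath12 list` output above.
SAMPLE_CLIENTS = """\
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS XCAPS
d4:6e:0e:18:60:38 1 44 6M 72M 64 63 67 0 0 65535 Es OI
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def load_thresholds(conf_text):
    """Return {band: {"assoc": int, "roam": int}} for every enabled band."""
    thresholds = {}
    for service in json.loads(conf_text).get("RFService", []):
        for band, cfg in service.get("perBandInfo", {}).items():
            if cfg.get("band") != "enable":
                continue
            thresholds[band] = {
                "assoc": int(cfg.get("signalStrengthThreshold", 0)),
                "roam": int(cfg.get("roamingSignalStrengthThreshold", 0)),
            }
    return thresholds


def parse_clients(listing):
    """Extract MAC, channel and RSSI from a wlanconfig client listing."""
    header, clients = None, []
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "ADDR" and {"CHAN", "RSSI"} <= set(tokens):
            header = tokens
        elif header and MAC_RE.match(tokens[0]):
            row = dict(zip(header, tokens))
            try:
                clients.append({"mac": row["ADDR"].lower(),
                                "chan": int(row["CHAN"]),
                                "rssi": int(row["RSSI"])})
            except (KeyError, ValueError):
                continue  # short or malformed row: skip rather than guess
    return clients


def band_for_channel(chan):
    # Assumption: 5 GHz clients are checked against the "5G_all" entry.
    return "2.4G" if 1 <= chan <= 14 else "5G_all"


def evaluate(clients, thresholds):
    """Compare each client's RSSI with the thresholds of its band."""
    report = []
    for client in clients:
        band = band_for_channel(client["chan"])
        limits = thresholds.get(band)
        if limits is None:
            verdict = "band-not-in-profile"
        elif client["rssi"] < limits["assoc"]:
            verdict = "below-association-threshold"
        elif client["rssi"] < limits["roam"]:
            verdict = "below-roaming-threshold"
        else:
            verdict = "ok"
        report.append(dict(client, band=band,
                           dbm=rssi_to_dbm(client["rssi"]), verdict=verdict))
    return report


if __name__ == "__main__":
    for entry in evaluate(parse_clients(SAMPLE_CLIENTS),
                          load_thresholds(SAMPLE_CONF)):
        print(entry)
```

With the lab threshold of 90 still applied, the sample client is flagged as below the association threshold, which matches the refused connection observed in section 3.2.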

5.1.3. Checking the ACS and APC logs

support@AP-83:60:/tmp$ cat /proc/kes_syslog | grep DRM


OMNIACCESS STELLAR WLAN
LAYER 2 MOBILITY AND ROAMING

OBJECTIVES
Upon completion of this module,
you will be able to:

• Understand the Layer 2 Roaming.


• Configure the Fast Roaming
OVERVIEW

• WiFi Enterprise only


• In WiFi Express, roaming is limited to L2 only within the same cluster

Fast Roaming
L2 Roaming L2 Roaming
L3 Roaming

• Roaming relies on client context sharing between over-the-air adjacent APs
• L2 or L3 Roaming selection based on the client VLAN between "home" and "foreign" AP
• L3 Roaming based on L2 GRE tunnel between "home" and "foreign" AP
CONFIGURATION

• L2 Roaming always enabled

• L3 Roaming disabled by default


• L3 Roaming configured in the Advanced WLAN Service
Configuration

• Fast Roaming disabled by default


• Fast Roaming feature configured per SSID
• OKC can be enabled with WPA2/WPA3 Enterprise only
• 802.11r (Fast Roaming) can be enabled with WPA2/WPA3
encryption only (Personal or Enterprise)
CLIENT CONTEXT SHARING

• AP Discovery Protocol
• Each AP learns about its “over-the-air” adjacent APs and their IP addresses
• No dependency on AP Groups and Management VLAN
• Limited to AP managed by the same OmniVista

• Client context shared with adjacent APs


• Over the LAN infrastructure
• IP based protocol
• Add/Del Message
• On Client Association, AP sends an Add message to all adjacent APs
• On Client Disassociation, AP sends a Del message to all adjacent APs

• Upon Roaming, client context removal mechanism


• Del Message triggered on the “old” AP upon Add Message from the “new” AP
CLIENT CONTEXT SHARING

[Figure labels: Network; OmniVista; Edge Switch; Access Point; Client; Over-the-LAN Client Context sharing; Over-the-air AP discovery; a Client Context held on each Access Point]
CLIENT CONTEXT

• Client Context Content

Client network Content:
• SSID & WLAN service
• MAC Address
• IP Address
• Currently assigned Unified Access
- VLAN ID
- Access Role Profile
- Policy List
- Redirect-URL
- Captive Portal status

AP Context:
• MAC Address
• IP Address
• OV IP Address

Fast Roaming:
• PMKSA cache
• FT PMK R0/R1 cache

• On Receiving AP, Add/Del Message discarded when


• AP is not managed by the same OV
• AP does not have the WLAN service
ROAMING CONDITIONS

Conditions checked:
(1) Client Context exists on the new AP?
(2) WLAN service and Access Role Profile exist in the Client Context on the new AP?
(3) Client Context VLAN ID = VLAN ID mapped to the Access Role Profile on the new AP?

(1)   (2)   (3)   Roaming Results
No    -     -     No Roaming, new client
Yes   No    -     No Roaming, new client
Yes   Yes   Yes   L2 Roaming
Yes   Yes   No    L3 Roaming

• Layer 2 and Layer 3 selection based on the management VLAN between the "home" and
"foreign" AP.
FAST ROAMING

• Improve handoff times during roaming


• Remove RADIUS authentication
• Optimize authentication handshake
• Require key caching

• Support OKC (802.11k) and 802.11r

• Configurable on the WLAN Service


• OKC can be enabled with WPA2/WPA3 Enterprise only
• 802.11r (Fast Roaming) can be enabled with WPA2/WPA3 encryption only (Personal or Enterprise)

• If Fast Roaming not enabled, standard Roaming


FAST ROAMING

• OKC / 802.11k
• PMK (Pairwise Master Key) caching
• Client can provide the PMKID in the association request (802.11k)
• If 802.11k not supported by client, AP uses the cached PMK
• Re-auth reduced to 4-way handshake to establish transient keys PTK/GTK (Pairwise/Group
Transient Key)
• PMK caching always stored in client context even when OKC disabled
• 802.11r / Fast BSS Transition (FT)
• Initial handshake for PTK/GTK with the new AP is done before the client roams to the target AP
• New capability in the 802.11 authentication request
• FT protocol modes
• Over-the-Air FT Roaming
• Over-the-DS (Distribution System) FT Roaming
• Eliminates much of the handshaking overhead while roaming, thus reducing the handoff times
• FT PMK R0/R1 only cached when 802.11r enabled
STICKY CLIENT AVOIDANCE
• Goal: Optimize client distribution among APs
• In case of user roaming, suggest the best new Access Point to the client,
based on availability and RSSI.

• Roaming RSSI: Guiding to roam threshold • 802.11v (BSS Transition Management):


• Located in the RF Profile Obtain Roaming target APs
• 802.11k: Guide client to roam to best connection AP
L2 ROAMING
L2 CLIENT ROAMING



GUIDELINES
IDENTIFY THE ROAMING MODE

• Check the roaming conditions


• Based on the VLAN ID between the "home" and "foreign" AP,
select either:
• Layer 2 Roaming (default)
• Layer 3 Roaming

• Check the security level of the SSID


(WPA/WPA2/WPA3, Enterprise/Personal)
• OKC can be enabled with WPA2/WPA3 Enterprise only
• 802.11r (Fast Roaming) can be enabled with WPA2/WPA3 encryption only (Personal or Enterprise)
CHECK THE RADIO COVERAGE

• Use the Heat Map application to check the radio coverage


• Select the 2.4, 5 and 6 GHz filters as they don't have exactly the same radio coverage

KO: No Radio overlap, no Roaming
OK: Radio overlap, Roaming available
NEIGHBOR AP

• In some cases, Stellar APs are geographical neighbors
but can’t see each other
(e.g. radio waves blocked by corridor with right angles,…).
• The client context can't be shared. No roaming.
[Figure label: No client context sharing]
• Solution:
• On both AP, add statically the neighbor Stellar AP
from the list of known AP.
• The client context can be shared through the LAN
and the client can roam.
• Select the AP in the AP Registration > Access Point view
and click on the hyperlink "Neighbor AP"
• Click on the Edit button and select the neighbor AP
from the list
• Repeat the process for the second AP
STICKY CLIENT AVOIDANCE

• The roaming decision is made by the client device.


• But some devices will stick to the AP they were previously associated to.

• Use the Roaming RSSI Threshold in the RF profile.


• Use in conjunction with 802.11k and 802.11v
• Value range is 0-100
• Recommended value for 2.4GHz : RSSI = 10
• Recommended value for 5GHz : RSSI = 15

• The Roaming RSSI Threshold controls the signal strength a client needs to see before
searching for another site.
• If the RSSI threshold is too low, the client remains on a low signal strength site, even with a
stronger site nearby.
• If the RSSI threshold is too high, the client roams too often, which could result in packet loss.
MISCELLANEOUS

• Background scanning
• When a user roams, his real time traffic can be interrupted if the new AP
on which he is connected is using the background scanning.
• No impact on the voice traffic.
• The AP is voice aware and will deactivate the background
scanning when a voice call is detected.
• Other real-time traffic can be impacted.

• Solution:
• Deactivate the Background scanning on the Stellar APs
• Install new Stellar APs in the network,
acting as dedicated scanning APs

• Please note that this solution requires additional Stellar APs in the network
OMNIACCESS STELLAR WIRELESS LAN
LAYER 3 ROAMING & FAST ROAMING

OBJECTIVES
Upon completion of this module,
you will be able to:

• Layer 3 Roaming & Fast Roaming

• Understand & Configure Layer 3 Roaming

• Understand & Configure Fast Roaming


L3 ROAMING
L3 CLIENT ROAMING



L3 ROAMING - HOME AP & LIMITATIONS

• L2 GRE tunnel established between Foreign AP and Home AP at early stage of roaming
• All network enforcement done in the Home AP
• Foreign AP transparently tunnels the client data to the Home AP
• Home AP terminates the tunnel and processes the client data locally
• Incoming traffic received & processed by the Home AP, then tunneled to the foreign AP
• One L2 GRE tunnel per SSID
• Any number of Roaming Clients can use the tunnel

                        Limit   Comment
Client Cache per AP     1K      -
L2 GRE tunnel per AP    16      -
Client Cache Removal    -       During Roaming
L2 GRE tunnel Removal   -       On last client disconnection
OMNIACCESS STELLAR WIRELESS LAN
WIPS

LESSON SUMMARY
Upon completion of this module,
you will be able to:

• Wireless Intrusion Prevention System

• Classify an AP as Interfering, Rogue or Friendly


• Configure the WIPS
WIPS OVERVIEW

• Stellar APs monitor the radio spectrum for the presence of unauthorized
• AP
• Users

• Automatically take countermeasures

• Global configuration applied to all APs managed by OV

• Require AP with scanning activated


WIPS – INTERFERING / ROGUE / FRIENDLY AP
• Interfering AP
• The “scanning” Stellar AP discovers any other AP over the air
• Such AP are marked as Interfering
• AP managed by the same OV are excluded
• Rogue AP
• An interfering AP is marked as Rogue based on the configuration of Rogue AP
Policy
• AP managed by the same OV are excluded
• Rogue AP Containment – enabled by default
• The scanning Stellar AP sends de-auth request to all clients associated to the rogue
AP
• Friendly AP
• Friendly AP is not reported as Interfering or Rogue
• An Interfering or Rogue AP can be set as Friendly AP manually
• Friendly AP OUI can be set – ALE OUI set by default
• Friendly AP can be added
WIPS – ROGUE AP POLICY

Policy: Description
Signal Strength Threshold: The detected AP signal in dBm is too strong and above the threshold. Default: -70 dBm; Range: -95 to -50 dBm
Detect Valid SSID: The detected AP is advertising an SSID that is configured in OmniVista and set in your WLAN network (an AP not managed by OV is advertising an SSID set in OV)
Detect Rogue SSID Keyword: The detected AP is advertising an SSID name that matches a string set in this policy (SSID blacklist)
Rogue OUI: The detected AP has an OUI that matches one of the OUIs set in this policy

• If an interfering AP matches one of these Policies, it is classified as Rogue.
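
The classification rules of the last two slides, written out as an added Python example (not ALE code and not how the Stellar AP implements WIPS). It applies the Managed, Friendly, Interfering and Rogue categories and the four Rogue AP policies to a constructed scan list. The class and function names, the case-insensitive substring match for SSID keywords, and all BSSIDs, OUIs and SSIDs are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class RoguePolicy:
    signal_threshold_dbm: int = -70  # page default; range -95 to -50 dBm
    valid_ssids: set = field(default_factory=set)          # SSIDs set in OV
    rogue_ssid_keywords: set = field(default_factory=set)  # SSID blacklist
    rogue_ouis: set = field(default_factory=set)           # "Rogue OUI"
    friendly_ouis: set = field(default_factory=set)        # "Friendly AP OUI"
    friendly_bssids: set = field(default_factory=set)      # set Friendly manually
    managed_bssids: set = field(default_factory=set)       # managed by the same OV


def _norm(values):
    """Lower-case a collection of strings for case-insensitive matching."""
    return {v.lower() for v in values}


def oui_of(bssid):
    """First three octets of a colon-separated MAC, lower case."""
    return bssid.lower()[:8]


def classify(ap, policy):
    """Return (category, matched_policies) for one AP seen by a scanning AP."""
    bssid, ssid = ap["bssid"].lower(), ap["ssid"]
    # APs managed by the same OV are excluded from Interfering and Rogue.
    if bssid in _norm(policy.managed_bssids):
        return "managed", []
    # A Friendly AP is not reported as Interfering or Rogue.
    if (bssid in _norm(policy.friendly_bssids)
            or oui_of(bssid) in _norm(policy.friendly_ouis)):
        return "friendly", []
    matched = []
    if ap["dbm"] > policy.signal_threshold_dbm:
        matched.append("signal-strength-threshold")
    if ssid in policy.valid_ssids:
        matched.append("valid-ssid")
    if any(k in ssid.lower() for k in _norm(policy.rogue_ssid_keywords)):
        matched.append("rogue-ssid-keyword")
    if oui_of(bssid) in _norm(policy.rogue_ouis):
        matched.append("rogue-oui")
    # Any other AP heard over the air is Interfering; one policy match
    # is enough to promote it to Rogue.
    return ("rogue" if matched else "interfering"), matched


def classify_scan(scan, policy):
    return {ap["bssid"].lower(): classify(ap, policy) for ap in scan}


# Constructed policy and scan results (all values are made up).
POLICY = RoguePolicy(
    valid_ssids={"Corp-WLAN"},
    rogue_ssid_keywords={"free"},
    rogue_ouis={"02:bb:bb"},
    friendly_ouis={"02:aa:aa"},
    managed_bssids={"02:aa:aa:00:00:01"},
)
SCAN = [
    {"bssid": "02:AA:AA:00:00:01", "ssid": "Corp-WLAN", "dbm": -40},
    {"bssid": "02:aa:aa:00:00:09", "ssid": "Lab", "dbm": -45},
    {"bssid": "02:cc:cc:00:00:01", "ssid": "Corp-WLAN", "dbm": -80},
    {"bssid": "02:cc:cc:00:00:02", "ssid": "Free_WiFi", "dbm": -60},
    {"bssid": "02:bb:bb:00:00:03", "ssid": "Printer", "dbm": -85},
    {"bssid": "02:cc:cc:00:00:04", "ssid": "Neighbour", "dbm": -88},
]

if __name__ == "__main__":
    for bssid, (category, reasons) in classify_scan(SCAN, POLICY).items():
        print(bssid, category, ",".join(reasons) or "-")
```

The third entry shows why Detect Valid SSID matters: an AP that is not managed by OV and advertises a configured SSID is classified as Rogue even though its signal is below the threshold.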


WIPS – WIRELESS ATTACK DETECTION

• Enabled by default
• AP attack Detection Policy
• The scanning Stellar AP is detecting a wireless attack that seems to be originated from an AP
• Client Attack Detection Policy
• The scanning Stellar AP is detecting a wireless attack that seems to be originated from a client

• Set the detection level to:


• Custom
• High
• Medium
• Low
WIPS – WIRELESS ATTACK CONTAINMENT

• Containment & Client Blacklist Policy


• Disabled by default
• Puts the attacker source MAC in the client blacklist
• This MAC is not allowed to associate anymore on any of the Stellar AP
• A blacklist duration is also configurable

• Limitations
• The attacker source MAC can be anything (an AP mac, a BSSID mac, a wireless NIC card mac..)
• Blacklisting the attacker source MAC is only relevant when the source MAC is an actual wireless client
WIPS MONITORING

• Rogue APs and Blocklist Clients


• Rogue Client Association provides an overview of detected Rogue APs and Clients.
• Blocklist Clients provides an overview of clients that have been automatically and manually added
to the Blocklist.

• Top N Attacks
• Displays a list of attacks from foreign APs and Clients
OMNIACCESS STELLAR WIRELESS LAN
OMNIVISTA CIRRUS

LESSON SUMMARY
Upon completion of this module,
you will be able to:

OmniVista Cirrus

• Understand the OmniVista Cirrus subscription and licensing model

• Register a network device on OmniVista Cirrus
OVERVIEW
OMNIVISTA CIRRUS?
• Cloud based OmniVista NMS
• Software as a Service (SaaS) mode
• Subscription based service
• Zero Deployment/Zero Footprint
• Full Network Control
• Unified LAN & WLAN management
• Central Management for Provisioning, Maintenance, Monitoring,…
• Limit per OmniVista instance:
• Up to 5000 devices
• Up to 4000 APs
[Figure labels: OmniVista® Cirrus instances in Cloud; Web Client; Secured Internet (HTTPs & VPN tunnels); OmniSwitch®; OmniAccess® Stellar]
SUBSCRIPTION MODEL
Freemium:
• Self Registration
• Free of charge
• No device capacity limitation
• No duration limitation
• No network Configuration
• On-time Network Device Upgrade
• Restricted OV Cirrus capabilities
• Can be upgraded to Premium

Premium:
• All OV Cirrus capabilities
• Based on OV Cirrus Subscription
• Flexible Device type, capacity and Duration
• Subscription done through ALE Business Store/CPQ or eBUY/OVCirrus
• Max amount of licenses: 5000 included Stellar APs and OmniSwitch
• Subscription Expansion, reduction or renewal
LICENSES

OV Cirrus license types:
• LAN Core (LC): OS6900
• LAN Essential (LE): OS2260, OS2360, OS6360, OS6465, OS6560
• LAN Advanced (LA): OS6860E, OS6860N, OS6865
• Stellar AP (SA): All AP models

• Duration of 1, 3 or 5 Years
• OV Cirrus Premium Subscription: Max 5000 Device licences, 4000 AP licences
• 1 license per Access Point
• 50xGuest and 50xBYOD licenses included per AP license
NETWORK DEPLOYMENT
DEVICE REGISTRATION STEPS

OV Cirrus Account Creation

Network device required OS upgrade


Customer Network
Freemium
Customer network minimum configuration

Adding devices to OV Catalog

Restarting Activation Process


OmniVista Cirrus

Assigning OV Cirrus Licenses to devices

Setting Pre-Provisioning parameters

Premium
Restarting Activation Process

Device Registration Completion


CUSTOMER NETWORK
OV Cirrus Account creation
• OmniVista Cirrus Subscription validated
• Freemium or Premium account created

OS version required on Network Device
• Minimal Software version

Device Software    Product
AOS 8.4.1.R03 +    OS6560, OS6860, OS6860E, OS6865, OS6900
AOS 6.7.2.R03 +    OS6350, OS6450
AOS 5.1R1 +        OS2260, OS2360
AWOS 3.0.2 +       All Stellar Access Point models
CUSTOMER NETWORK

Customer network minimum configuration

Factory default Factory default


(DHCP process) (DHCP process)
or
Manual Configuration
or Auto-config
(greenfield)
or
Pre-configured
(brownfield)
ADDING DEVICES TO OV CATALOG



RESTARTING ACTIVATION PROCESS
AP Powered on
After ~20s of the boot sequence, press the [f] key and hit [enter] to enter failsafe mode
# firstboot -y
# reboot

Waiting For First Contact
Device Re-activation

AOS Registered
Restart the Cloud Agent or Manually Reboot the Device
-> cloud-agent admin-state disable force
-> reload from working no rollback-timeout
ASSIGNING OV CIRRUS LICENSES TO DEVICES

SETTING PRE-PROVISIONING PARAMETERS


Stellar AP
REGISTRATION PROCESS

Restarting Activation Process Device Registration Completion

AOS Device Catalog

Managed devices

Waiting For First Contact

Registered
OMNIACCESS STELLAR WIRELESS LAN
OPERATION AND MAINTENANCE

LESSON SUMMARY
Upon completion of this module,
you will be able to:

Operation and Maintenance

• Monitor the clients, APs, guest and BYOD devices

• Maintain the AP and upgrade its firmware


MONITORING
MONITORING – CLIENTS

• Wireless Clients Monitoring


• List of clients connected to any AP Group
• Client details
• Radio
• Authentication status
• IP configuration
CLIENT SESSION

• Monitoring of wireless client sessions


• Provides more details about the session (association time, connection time, ...)
MONITORING – CLIENT BEHAVIOR TRACKING

• Administrator tool for effective monitoring & troubleshooting clients


• Parameters tracked
• View user ONLINE/OFFLINE status
• View TCP/UDP flow context
• View HTTP(S) domain flow context

ONLINE/OFFLINE LOG
MONITORING - APS

• APs Monitoring
• AP details
• Name, AP Group, MAC address
• Client count
• IP configuration
• Radio details
MONITORING – GUEST AND BYOD DEVICES

• Dedicated monitoring for either Guest or BYOD clients


• Basic
• Enforcement Policy
• Authentication
• Accounting
MONITORING – SUMMARY
AUTHENTICATION RECORD

• UPAM > Authentication Record


• Lists all authentication requests received by the UPAM server
• Session details, authentication result and reason for refusal, user details,
profiles used, ...
CAPTIVE PORTAL ACCESS RECORD

• UPAM > Captive Portal Access Record


• Lists all authentication requests received by the UPAM Captive Portal server
• Details of user sessions, authentication result, information on the user's
equipment, ...
GUEST SELF-REGISTRATION REQUEST

• UPAM > Self-Registration Request
• List approved / rejected / unverified registration requests from guests
• Approve / Reject buttons
• Session and user details, approver name, ...
LOGS

• ADMINISTRATION > AUDIT > UPAM


• Logs generated by the OV2500 server
• radius: result of the authentication of wired / wireless users
• upam: list of executed UPAM tasks
MAINTENANCE
MAINTENANCE – TOPOLOGY MAP

• In Network > Topology


• Edit Device
• AP name
• Group Name
• RF Profile

• Reboot
• Save to Running
• Backup Device
• View AP Logs
MAINTENANCE – RESOURCE MANAGER

• Backup / Restore
• Backup
• Full
• Config
• Image

• Restore
IMAGE UPGRADE

• Image/Firmware Upgrade of:


• AOS OmniSwitches
• OmniAccess Stellar APs
• Can be:
• Executed immediately
• Scheduled
[Figure labels: FIRMWARE; OMNIVISTA 2500; CLIENT PC]
MAINTENANCE – WEB INTERFACE

• Activate the AP Web option in the AP Group


• Connect to https://AP_IP_Address
• AP Maintenance
• Mesh configuration
MONITORING



MAINTENANCE



PACKET CAPTURE
PACKET CAPTURE ON STELLAR AP - TCPDUMP
• Step 1
• CLI connection on the AP with « support » account
• Enter in CLI:
ssudo tcpdump -i 3 -w test-capture.pcap udp port 53
• tcpdump: Use the TCPdump tool
• -i 3: Select the interface n°3 « br-wan ». You are listening to the interface br-wan – which is the wired interface - where all the traffic is going through.
• -w test-capture.pcap: Save the capture in the file « test-capture.pcap »
• udp port 53: Select the traffic. UDP port 53 = DNS
• Result: Capture the DNS traffic on the wired interface of the access point
• Step 2
• Transfer the capture file on your PC/laptop with an SFTP tool (WinSCP)
• Step 3
• Open and read the file with Wireshark
PACKET CAPTURE FROM STELLAR AP – AP WEB INTERFACE
• Stellar AP captures the surrounding wireless traffic on the selected channel

• Step 1 - OmniVista
• Activate “AP Web” in the AP Group and commit the change

• Step 2 – Stellar AP
• Log in on the Stellar AP
• In RF Environment, select the Radio to capture
• Click on Start Capture
• Select the Channel
• Enter the TFTP server where the capture will be sent
• Option: Filter the capture (MAC, Frame type)
• Start/Stop the capture

• Step 3 – PC/laptop
• Open the file on Wireshark
CLIENT BEHAVIOR TRACKING
PROCEDURE
MONITORING – CLIENT BEHAVIOR TRACKING HOW TO
• In Unified Access → Unified Profile → Template → Access Role Profile
• Enable/Disable "Client Session Logging" per Access Role Profile
• Choose "HTTP/HTTPS", AP will log client HTTP/HTTPS connections. Choose "ALL", AP will log all client TCP/UDP connections including HTTP/HTTPS connections

OR

• In Network → AP Registration → AP Group
• Control per AP Group → Client Behavior Tracking – Upload to
OmniAccess Stellar WLAN
Backup, Restore & Upgrade

Objective
✓ Backup & Restore and Upgrade the Network Devices

Contents
1 Briefing
2 Saving the Current Configuration
2.1. From the Notification Area
3 Backing Up the Devices Configuration
3.1.1. Backing Up AOS OmniSwitches
3.1.2. Backing Up Stellar APs Devices
4 Restoring the Devices Configuration
4.1. Restoring an AOS Device Configuration
4.1.1. Briefing
4.1.2. Modifying the OmniSwitches Configuration
4.1.3. Restoring the OmniSwitch 6860 Configuration
4.1.4. Checking the Result
4.2. Restoring a Stellar Device Configuration
5 Debriefing
6 Annex: Upgrading an Image (Resource Manager)
6.1. Importing the Upgrade Files
6.2. Installing the Upgrade Files
7 Annex: Upgrading an Image (Access Point Web Page)
7.1. Enabling the Web Management
7.2. Accessing to the Web Management Interface
7.3. Upgrading the Firmware

1 Briefing
At this stage of the training, we have a fully operational infrastructure with the devices deployed, SSIDs
broadcast, and QoS & ACLs set up. In this lab, we will learn how to back up and restore the device
configurations.

CURRENT
TOPOLOGY

END OF LAB
TOPOLOGY

2 Saving the Current Configuration

Save all the configuration changes made during this training to the Running configuration

2.1. From the Notification Area


Let’s begin by saving the current configuration as Running.

> Click on the bell icon in the top right-hand corner
> Click on the floppy icon Save All
> Click on OK to confirm

Check that the operation has been successfully completed. Then click on Finish.

Notes > Save to Running


It is also possible to save the configuration to the running directory from the Topology application. This feature
will be covered in the next lab.

3 Backing Up the Devices Configuration


A dedicated application is available in the OmniVista 2500 to perform the backup and restore operations of
AOS devices: the Resource Manager.

Back up the configuration files of all the devices

3.1.1. Backing Up AOS OmniSwitches

> Select CONFIGURATION > RESOURCE MANAGER > Backup/Restore


> Click on the BACKUP button

1. Backup Method
> Select Backup By Devices
> Click on Next

2. Device Selection
> Click on ADD > Use Switch Picker
> Click on Add All to add all the OmniSwitches
> Click on OK
> Click on Add FTP Authentication
> Username: admin
> Password: switch
> Check Apply FTP Authentication for all missed devices
> Click on Apply
> Click on Close
> Click on Next

3. Configuration
> Backup Type: Configuration Only
> Click on Next

4. Review
> Review the information, then click on Backup to launch the backup process

Check that 3 “SUCCESS” lines appear in the Result screen, then click on OK.

Tips > Summary View


The CONFIGURATION > RESOURCE MANAGER > Backup/Restore > Summary View displays the list of the backups
that have been performed on each device, and their result.

Notes > Backup Method


3 Backup Methods are available:
- Backup by Devices: select specific AOS Devices from a list of discovered devices.
- Backup by Maps: select a map(s) to backup all devices in the map(s). Note that if a map contains AOS
Devices and Stellar APs, the Stellar APs will not be backed up. Stellar APs can only be backed up by
AP Group.
- Backup by AP Group: backup Stellar AP Series Devices.

Notes > Backup Types


3 Backup Types are available:
- Full Back up: backs up both configuration files and image files.
- Configuration Only: backs up all configuration-related files in all directories (including user
credentials, banner, time zone, etc.).
- Images Only: backs up image files only. Image files will not be FTPed from a device. OmniVista will
only record file version(s).

Tips > Schedule Setting


During the Backup configuration (AOS or Stellar Devices), it is possible to enable the Schedule Setting option.
This option allows you to schedule a single or recurring backup. Several options are available:
- Start At to select the time when you want to begin the scheduled backup
- Recurrence Pattern (daily, weekly, monthly…)
- Range of Recurrence (start date of the recurring backup, end date of the recurring backup)

3.1.2. Backing Up Stellar APs Devices

> Select CONFIGURATION > RESOURCE MANAGER > Backup/Restore


> Click on the BACKUP button

1. Backup Method
> Select Backup By AP Groups
> Click on Next

2. AP Group Selection
> Click on ADD
> Select the APGX (X = R-Lab Number), then click on Add >
> Click on OK

3. Configuration
> Backup Type: Configuration Only
> Click on Next

4. Review
> Review the information, then click on Backup to launch the backup process

Check that 2 “SUCCESS” lines appear in the Result screen, then click on OK.

4 Restoring the Devices Configuration


To test the Restore operation, we will first modify the configuration of one OmniSwitch (e.g. the 6860),
then we will restore the backup created in the previous part.

- Modify the configuration of the OmniSwitch 6860 (create VLAN 70-80)


- Restore the backup created in the previous part

4.1. Restoring an AOS Device Configuration

4.1.1. Briefing
In this part, we are going to:
- Create VLANs 70 to 80 on the OmniSwitch OS6860
- Restore the backup
- Check that the VLANs 70 to 80 have been removed

4.1.2. Modifying the OmniSwitches Configuration

> Select CONFIGURATION > VLANS > VLAN


> Click on Create VLAN by Devices button

1. Devices Selection
> VLAN IDs: 70-80
> VLAN(s) Description: TEMP-VLANS
> Click on Add/Remove Devices
> Select and add the OS6860
> Click on OK
> Click on Next

2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next

4. Q-Tagged Port Assignment


> Click on Next (skip this part)

5. Review
> Review the information
> Click on Create

Tips
You can check that the VLANs have been created by connecting to the OS6860 CLI console, or via the CLI
Scripting application.

4.1.3. Restoring the OmniSwitch 6860 Configuration


Now that we have created VLANs, let’s restore the previous backup. After this step, the VLANs 70 to 80
should be removed:

> Select CONFIGURATION > RESOURCE MANAGER > Backup/Restore


> Select the OS6860 in the list
> Click on the RESTORE button

1. File Selection
> Click on OmniSwitch 6860

> Select only the 2 vcboot.cfg files


> Click on Restore

Check that the restore is successful in the Result page, then click OK

4.1.4. Checking the Result


Now that the backup has been restored to the WORKING and CERTIFIED directories, let’s check that the temporary
VLANs have been deleted:

> Select CONFIGURATION > VLANS > VLAN


> Click on ADD > Switch Picker
> Select the OS6860, then click on Add >
> Click on OK

And the VLANs 70 to 80 are … still here!

Why are the VLANs 70-80 still displayed?

As you may have guessed, the configuration files are transferred to the WORKING and CERTIFIED folders
but are NOT applied to the RUNNING configuration (applying them automatically could cause major problems
in real-world scenarios).

To force the configuration restored in the WORKING directory to be used by the OmniSwitch, launch the
following command (via the console, or the OV 2500 CLI SCRIPTING application):

CLI SCRIPTING application or CONSOLE


> reload from working no rollback-timeout
Confirm Activate (Y/N): y

Wait for the OmniSwitch to reboot (~3 min), then use the VLAN Manager application to check that the
VLANs 70-80 have been correctly removed:

> Select CONFIGURATION > VLANS > VLAN


> Click on ADD > Switch Picker
> Select the OS6860, then click on Add >
> Click on OK

And the VLANs 70 to 80 are … deleted!

Notes > VLANs are still here?


To force the VLAN Manager to update, you can click on the Poll option on the left menu. It will force the
OmniVista 2500 to poll the selected device(s) and retrieve the updated information.

4.2. Restoring a Stellar Device Configuration


It is not possible to perform a restore on a Stellar AP, as most of the configuration is pushed when the
Access Point is inserted in an AP Group. However, backup files of Stellar APs can be used to
analyze/troubleshoot problems with APs. See the Troubleshooting lab for more information.

5 Debriefing
During this lab, we have learned how to back up the configuration of each device (AOS or Stellar) available in
the network. We have also learned that it is possible to schedule the backup operation, and that the restore
operation can be done only on AOS Devices (not on Stellar APs).

-ANNEXES-

6 Annex: Upgrading an Image (Resource Manager)


From the Resource Manager, it is also possible to upgrade an OmniSwitch or an Access Point.

6.1. Importing the Upgrade Files


All upgrade files supplied by Alcatel-Lucent Enterprise Customer Service are packaged as WinZip
executables and have a *.zip file extension. Do not attempt to unzip the firmware files manually. When
you Import the WinZip executable, OmniVista automatically unzips the executable as part of the import
process.

> Go to RESOURCE MANAGER > Upgrade Image


> Click on Import
> Click on Browse and select the desired firmware file
> Once the upload finishes, click on OK

The list of uploaded firmware is displayed in the Upgrade Image main page:

6.2. Installing the Upgrade Files

> Go to RESOURCE MANAGER > Upgrade Image


> Select the firmware to install with the Import button
> Click on Install

1. Firmware File Selection


> Check that the Access Points models that you have are available in the list
> Click on Next

2. Devices Selection
> In case of AP upgrade
> To install a firmware only on specific AP(s): Click on ADD > Use Switch Picker
> To install a firmware on all the APs of an AP Group: Click on ADD
> In case of OmniSwitch upgrade
> Select one or several OmniSwitch(es)

3. Software Installation
> Review the information, then click on Install Software

7 Annex: Upgrading an Image (Access Point Web Page)


The upgrade of an Access Point can also be done via its webpage.

7.1. Enabling the Web Management


The Web Management must be enabled in order to be able to access the Access Point webpage:

> Go to NETWORK > AP REGISTRATION > AP Group


> Select the AP Group APGX (X=R-Lab Number)
> AP Web: ON
> Password: Alcatel.0

7.2. Accessing the Web Management Interface


Check the IP address of the Access Point:

> Go to NETWORK > AP REGISTRATION > Access Points


> Note the IP address of the desired AP

> Open a web browser


> URL: https://<IP address of the AP>
> Username: Administrator
> Password: Alcatel.0
> Click on Login

7.3. Upgrading the Firmware


Finally, upload the firmware to be installed:

> Go to System
> Select Image File (or Image File URL if the Image File/Firmware is located on a web server)
> Click on Browse, then select the firmware/image file
OmniAccess Stellar WLAN
Monitoring the Network Infrastructure

Objective
✓ Monitor the Network Devices from the OmniVista 2500

Contents
1 Briefing
2 Checking the Topology & Devices Status
2.1. Saving the Configuration
2.2. Monitoring the Devices & Links Status
2.2.1. Device Information
2.2.2. Device Status
2.2.3. Notification Status
2.2.4. Links Status
3 Being Notified in case of Critical Event
3.1. Using the Notification Application
3.1.1. Using the Filters
3.2. Using the Trap Responder
3.2.1. Setting Up the Trap Responder
3.2.2. Declaring the Mail Server
3.2.3. Testing the Mail Server Configuration
3.2.1. Testing the Notification
4 Debriefing

1 Briefing
Let’s see how to monitor all the network devices from one platform, the OmniVista 2500. Two applications will
be used:
- The Topology Application, which provides a view of all discovered devices in the network;
- The Notification Application, which displays the notifications generated by the network devices.

[Figures: current topology and end-of-lab topology]

2 Checking the Topology & Devices Status


The Topology application enables you to view the topology of all discovered devices in the network, view
information about a specific device and perform certain actions on those devices (e.g., edit a device, telnet
to a device, reboot a device).

> Select NETWORK > TOPOLOGY


> Click on Create Site (top right corner)
> Site Name: <your company name> (ex. ALE)
> Location: <your company address> (ex. Rue Antoine de St Exupéry, 29490 Guipavas, France)
> Devices: click on >> to add all the devices (5)
> Click on Create

A pointer indicates the location entered with the number of devices:

> Click on Go To Topology

The network topology containing all the previously discovered devices is displayed:

2.1. Saving the Configuration

Save all the configuration changes made during this training to the Running configuration

To save the configuration of all the devices at once:

> Click on the Select All button


> Select Action > Device
> Click on Save to Running

> A new tab is automatically opened


> Check that the task is completed successfully, then click on Finish

Notes
It is also possible to save the configuration of each device (one by one):

OMNISWITCH
> Click on the OmniSwitch
> Click on Actions > Device
> Click on Copy Working/Running to Certified
> Check that the save process has been completed successfully
> Click on Finish

STELLAR ACCESS POINT


> Click on the Stellar AP
> Click on Actions > Device
> Click on Save to Running
> Check that the save process has been completed successfully
> Click on Finish

Notes
If the links between the OmniSwitches and the Stellar Access Points don’t appear in the
diagram, manually poll the links:

> Select both Stellar Access Points by clicking on Multiple Selection


> Select Action > Device
> Select Poll Link

> A new tab is automatically opened


> Check that the task is completed successfully, then click on Finish

Result: the links should now appear:



2.2. Monitoring the Devices & Links Status


From the Topology application, it is also possible to check the Devices & Links Status.

2.2.1. Device Information

Display the MAC Address, version and device model of the OmniSwitch 6360.

To display detailed device information, click on the device. A Detail panel appears on the right. A list of
information is displayed. The information displayed may vary depending on the device:

2.2.2. Device Status

- Discover why the OmniSwitches are in Warning state, and solve the problem;
- Display the OmniSwitches & Access Points notifications;
- Check that the links are up, and that the correct ports are used.

Device status is displayed by the device status circle around the device:
• Green = Up (Device is up)
• Orange = Warning (indicates that traps have been received on the device. The highest level of
trap received by the device is displayed (Green, Orange, Red) in the Notifications Status).
• Red = Down (Device is down)

Notice that your OmniSwitches are in the Orange “Warning” state, meaning that a notification has been
generated on these devices. The Notification Status part (next part) shows how to acknowledge the(se)
notification(s).

2.2.3. Notification Status


Notification status is displayed in the small circle in the upper right corner of the device, indicating the
highest level of trap received by the device:
• No Circle = Alarm status is Normal.
• Orange = Alarm status is Warning.
• Purple = Alarm status is Minor.
• Yellow = Alarm status is Major.
• Red = Alarm status is Critical.

To clear/acknowledge the notifications and return the Device & Notification status to Green:

OMNISWITCH
> Click on the OmniSwitch (ex: 6360)
> Click on Actions > Notifications > View Traps
> Select the first checkbox to select all the lines
> Click on ACK (blue button) to acknowledge the notifications or CLEAR (red button) to delete the
notifications from the database
You may have to repeat the operation to acknowledge/clear all the notifications. A maximum of 1000
notifications can be acknowledged/cleared at the same time.

The OmniSwitch 6360 should now be displayed in Green:

In order to clear all the notifications, you could use the following procedure:
OMNISWITCH
> Click on the OmniSwitch
> Click on Actions > Notifications > View Traps
> On the top right corner, click the button Actions
> Click Ack All to acknowledge the notifications and click OK to validate.
You can then click Clear All to delete all the notifications from the database

2.2.4. Links Status


Links between devices are displayed as a single line, whether there is a single link or multiple links.
• Green - Link is up. If there are multiple links, Green indicates all the links are up.
• Orange - There are multiple links and at least one of the links is down.
• Red - Link is down. If there are multiple links, Red indicates all the links are down.
• Blue - Link status is unknown.

To display link information, move the mouse over the link until the pointer turns into a finger. Link
information will be displayed in table form as shown below:

You can also click on a link to display link information:

Tips
Several shortcuts to the other OmniVista 2500
applications are available when a device (OmniSwitch,
Access Point) is selected or by right clicking on a device.
We will discover these applications and learn
how to use them in the next labs.

3 Being Notified in case of Critical Event


During the last part, we saw that notifications are sent from the devices to the OmniVista 2500. These
notifications are displayed in the Topology application. In this part, we are going to learn how to perform an
action (send a mail, execute a script…) when a notification is received.

3.1. Using the Notification Application


Open the Notification Home menu:

> Go to NETWORK > NOTIFICATIONS > Notifications Home

The Notifications Home Screen displays all traps received from network devices and provides basic trap
information (e.g., severity level, date/time received). You can also use this screen to acknowledge,
renounce, and clear traps, as well as poll devices for traps.

3.1.1. Using the Filters

Filter the traps to display only traps:


- Coming from the AP Group APGX (X=Remote-Lab Number);
- With a severity = Critical

> Go to NETWORK > NOTIFICATIONS > Notifications Home


> Click on the Filters area (top)
> Filter By: AP Group
> Select APGX
> Select Severity: Critical
> Click on Apply to apply the filter

In the result, the reboot operations done during this training should be displayed.

3.2. Using the Trap Responder

3.2.1. Setting Up the Trap Responder


A Trap Responder enables you to specify a response (send a mail, execute a program, forward trap) that
you want OmniVista to take when specified traps are received by OmniVista. In this Lab, we will learn how
to automatically send a mail when a critical alarm is generated by a network device.

- Configure the OmniVista 2500 to send an e-mail if a critical alarm is generated by an AP
- Test your configuration

> Go to NETWORK > NOTIFICATIONS > Trap Responder


> Click on

1. Agent
> Agent Type: AP Group
> AP Group Selection: APGX (X=Remote-Lab Number)
> Click on Next

2. Trap Type
> Traps which match these severities: Critical
> Click on Next

3. Response
> Action: Send an e-mail
> E-mail To: [email protected] (X = R-Lab Number)
> Click on Next

> Click on Next to review the information, then click on Create

Notes > Trap Variables


Trap variables can be used to customize the E-mail Subject and E-mail Body fields.

For example, you can use the following fields and variables:
- E-mail Subject: Warning! Critical Trap Received on $TrapAgent$ ($TrapAgentName$)!

The $TrapAgent$ displays the IP address of the device.


The $TrapAgentName$ displays the name of the device.

3.2.2. Declaring the Mail Server


The next step consists in declaring the mail server in the OmniVista 2500:

> Go to ADMINISTRATION > PREFERENCES > System Settings


> Click on Email (left menu)
> SMTP Server: 10.130.5.6
> ‘From’ Address: [email protected]
> SMTP Authentication: OFF
> ‘To’ Address to Test: [email protected]
> Click on Apply

3.2.3. Testing the Mail Server Configuration


Now, let’s test the configuration. Let’s begin by testing the mail server configuration:

> Open a Web Browser (or a new tab/page)


> URL: mail.company.com
> Name: [email protected]
> Password: password

The “test” mail sent by the OmniVista 2500 should be in the Inbox:

3.2.1. Testing the Notification


First, let’s force the generation of a Critical notification by restarting one of the APs:

> Go to NETWORK > TOPOLOGY


> Select an AP
> In the Action panel (on the right), click on Device > Reboot…
> Are you sure? Yes

Notes > Trap Responder on OmniSwitches


The same steps can be followed in order to be notified by mail if an OmniSwitch generates a critical
notification (except 4.2.1: Agent Type: Device instead of AP).

Check that a notification has been generated by the AP and sent to the OmniVista 2500:

> In the Action panel (on the right), click on Actions > Notification > View Traps

Now, check that a mail has been sent to [email protected] (wait a few minutes if needed, as the
mail server doesn’t send mails in real time):

4 Debriefing
In this lab, we saw that the OmniVista 2500 provides powerful applications to monitor the network devices
(OmniSwitches/Access Points).

OMNIACCESS STELLAR WIRELESS LAN
HEAT MAP & FLOOR PLAN

LESSON SUMMARY
Upon completion of this module, you will be able to:

Heat Map & Floor Plan

• Create and visualize the Heat Map of the deployed AP
• Create a Floor Plan and visualize the automatic deployment of APs

HEAT MAP AND FLOOR PLAN

• Wireless Monitoring Applications

• Heat Map
• Visual Heat Map of Deployed AP
• Floor Plan
• Visual Heat Map of Estimated APs before Deployment
HEAT MAP – USE CASE

• Insufficient Radio coverage
• Identify network weaknesses and fix them (move/add APs)

[Figure labels: Add new AP1221; Radio coverage hole]
FLOOR PLAN – USE CASE

• AP Deployment (e.g. warehouse)
• Creation of custom obstacles (shelves with 18dBm signal decline – assume the worst case)
• Manual (or automatic) deployment on the plan

[Figure labels: Custom obstacle; Manual AP deployment]
OmniAccess Stellar WLAN
Configuring Heat Map & Floor Plan

Objective
✓ Learn how to create and configure a Heat Map and a Floor Plan

Contents
1 Configuring a Heat Map
1.1. Creating the Building Hierarchy
1.2. Configuring the Plan Map
1.2.1. Scaling the Plan
1.2.2. Laying Down the Obstacles
1.2.3. Placing the Access Points
1.2.4. Displaying the Result
2 Configuring a Floor Plan
2.1. Creating the Floor Plan
2.2. Configuring the Plan Map
2.2.1. Scaling the Plan
2.2.2. Laying Down the Obstacles
2.2.3. Launching the Auto Deployment
2.2.4. Displaying the Result

1 Configuring a Heat Map


The Heat Map function displays the current signal intensity distribution of the APs, using different
colors to show the signal coverage.
The Heat Map feature lets the administrator create a Campus, Building and Floor map, set up obstacles on
the map and place APs on the Floor to observe the wireless signal coverage.

In this lab, the Stellar APs will be placed on a custom map.

Create a Heat Map with the given office plan document.

1.1. Creating the Building Hierarchy


The Heat Map always respects the following structure:
Campus
> Building
> Floor Map

Let’s create each level:

> Select WLAN > HEAT MAP

Campus
> Click on the + button
> Campus Name: My_Campus
> Double click on the My_Campus that is now displayed

Building
> Click on the + button
> Building Name: My_Building
> Double click on the My_Building that is now displayed

Floor
> Click on the + button
> Floor Name: First_Floor
> Floor Number: 1
> File Name: click on Select File > Select the Office-Plan.jpg file in the C:\Resources folder
> Click on OK
> Double click on the First_Floor that is now displayed to access the Floor map

1.2. Configuring the Plan Map


From this point, 3 main actions are required to visualize the wireless signal:
- Scaling the plan;
- Laying down obstacles;
- Placing the APs.

1.2.1. Scaling the Plan

From the Floor Map Editor


> Click on Operation > Edit Floor Map
> Click on Scale the Map
> Trace a line on the map
> Enter a distance for this segment. In the example below, the red line is 5 meters long.

1.2.2. Laying Down the Obstacles


The next step is to lay down the obstacles on the map.

From the Floor Map Editor


> Click on Operation > Edit Floor Map
> Click on Draw:WallsHeavy
> Start drawing the obstacles on the map to obtain the result below:

Tips
Pre-defined obstacles can be selected by clicking on the button; each one has a different absorption
coefficient (dB).
It is also possible to create custom obstacles via the Operation > Obstacle Manage link.

1.2.3. Placing the Access Points


The last step is to place the Stellar APs on the Floor.

From the Floor Map Editor


> Click on Operation > Adding AP To The Floor
> Select both APs
> Click on OK
> Place the APs on the Map
> In Edit Floor Map, click on Stop to exit from the Edit Floor Map menu

> Do you want to save the modified heat map? Yes



1.2.4. Displaying the Result


Once the Layout has been saved, the Heat Map Application will display the signal power on the map based on the
actual signal power transmitted by the APs.

Observe the Heat Map as well as the absorption of the walls.

Notes
Go back to Edit Floor Map and place the APs in different places to cover the cold areas.
Moving the APs on the map will simulate the new Wi-Fi coverage based on the actual
band and transmit power of the APs.

- Go back to the Survey Toggle section
- Select the 2.4 GHz frequency only, then 5 GHz only. Notice the difference between
the two. Read the explanation below. It will be mentioned again in another lab (RF
Profile).

Important > Difference Between 2.4 GHz and 5 GHz


- The 2.4 GHz band is quite crowded, because it is used by more than just Wi-Fi (old cordless doors, baby
monitors…). The longer waves used by the 2.4 GHz band are better suited to longer ranges and transmission
through walls and solid objects.
- The 5 GHz band is much less congested, which means you will likely get more stable connections and higher
speeds. On the other hand, the shorter waves used by the 5 GHz band make it less able to penetrate walls and
solid objects.
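
The range gap between the two bands can be quantified with a free-space link budget. This is an added example, not part of the training material: the channel frequencies (2437 MHz and 5180 MHz), the -67 dBm threshold and the sample paths are assumptions, while the 14 dBm TX power and the 18 dB shelf obstacle reuse values that appear elsewhere in this guide. The same obstacle loss is applied to both bands as a simplification, and antenna gains are ignored.

```python
"""Added example: per-band link budget (free-space path loss plus obstacles)."""
import math

# Assumed channel centre frequencies in MHz (channel 6 and channel 36).
BANDS_MHZ = {"2.4 GHz": 2437.0, "5 GHz": 5180.0}


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB for a distance in metres and a frequency in MHz."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def rssi_dbm(tx_dbm, distance_m, freq_mhz, obstacles_db=()):
    """Estimated received level: TX power minus path loss minus every obstacle crossed."""
    return tx_dbm - fspl_db(distance_m, freq_mhz) - sum(obstacles_db)


def max_range_m(tx_dbm, freq_mhz, threshold_dbm, obstacles_db=()):
    """Largest distance at which the estimate still meets threshold_dbm."""
    budget_db = tx_dbm - threshold_dbm - sum(obstacles_db)
    return 10 ** ((budget_db + 27.55 - 20 * math.log10(freq_mhz)) / 20)


def survey(tx_dbm, threshold_dbm, paths):
    """Evaluate every (label, distance_m, obstacles_db) path on both bands.

    Returns a list of (label, band, rssi_rounded, meets_threshold) tuples.
    """
    rows = []
    for label, distance_m, obstacles_db in paths:
        for band, freq_mhz in BANDS_MHZ.items():
            level = rssi_dbm(tx_dbm, distance_m, freq_mhz, obstacles_db)
            rows.append((label, band, round(level, 1), level >= threshold_dbm))
    return rows


# Constructed sample input.
TX_DBM = 14            # TX Power value used in the Auto Deployment step
THRESHOLD_DBM = -67    # assumed minimum level for a usable cell edge
SHELF_DB = 18          # custom obstacle value from the floor plan use case
PATHS = [
    ("open space, 10 m", 10, ()),
    ("one shelf, 10 m", 10, (SHELF_DB,)),
    ("two shelves, 10 m", 10, (SHELF_DB, SHELF_DB)),
]

if __name__ == "__main__":
    for label, band, level, ok in survey(TX_DBM, THRESHOLD_DBM, PATHS):
        print(f"{label:18} {band:8} {level:7.1f} dBm  {'OK' if ok else 'below threshold'}")
    for band, freq_mhz in BANDS_MHZ.items():
        reach = max_range_m(TX_DBM, freq_mhz, THRESHOLD_DBM, (SHELF_DB,))
        print(f"{band}: range behind one shelf = {reach:.1f} m")
```

Behind a single shelf at 10 m, the 2.4 GHz estimate still clears the threshold while the 5 GHz estimate does not, which is the difference the Survey Toggle makes visible on the map.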

2 Configuring a Floor Plan


The main functions of the Floor Plan are to import the floor map and mark the relevant obstacles, then
calculate the placement of the APs with an algorithm and automatically generate the AP plan.

With Floor Plan, the admin can import a map into a floor plan, scale it and perform the AP Auto Deployment.

2.1. Creating the Floor Plan


> Select WLAN > FLOOR PLAN

> Click on the + button


> Floor Plan Name: My Floor Plan
> File Name: click on Select File > Select the Office-Plan.jpg file in the C:\Resources folder
> Click on Create

2.2. Configuring the Plan Map


From this point, 3 main actions are required to visualize the wireless signal:
- Scaling the plan;
- Laying down obstacles;
- Placing the APs.

2.2.1. Scaling the Plan

From the Floor Map Editor


> Click on Operation > Edit Floor Plan
> Click on Scale the Map
> Trace a line on the map
> Enter a distance for this segment. In the example below, the red line is 5 meters long.

2.2.2. Laying Down the Obstacles


The next step is to lay down the obstacles on the map.

From the Floor Map Editor


> Click on Operation > Edit Floor Plan
> Click on Draw:WallsHeavy
> Start drawing the obstacles on the map to obtain the result below:

Tips
Pre-defined obstacles can be selected by clicking on the button; each one has a different absorption
coefficient (dB).
It is also possible to create custom obstacles via the Operation > Obstacle Manage link.

2.2.3. Launching the Auto Deployment


Now, let’s auto deploy the Access Points on the map:

From the Floor Map Editor


> Click on Operation > Auto Deployment
> Quality: Excellent
> AP Model: OAW-AP1231
> TX Power: 14
> Click on OK

2.2.4. Displaying the Result


Once the Auto Deployment is done, the Access Points are automatically placed at different locations to
provide the optimal coverage:

Tips
The result will vary based on the following parameters:
- Scale of the map
- Number and type of obstacles placed
- AP Model
- Quality (General, Good, Excellent)

Change some of these parameters (AP Model, Quality…) and click on Save the Layout.

Notes
In Edit Floor Plan, APs can be added manually on the map to fill the cold areas. After clicking on
“Save The Layout”, the Floor Plan application will process and display the Wi-Fi coverage based on
all the APs located on the map.
OMNIACCESS STELLAR
WIRELESS LAN
WIFI SURVEY

LESSON SUMMARY
Upon completion of this module, you will be able to:

• Wifi Survey
- Understand the multiple types of site survey
- Understand and identify the causes of Wifi signal issues
- Troubleshoot based on the site survey result
- Perform and analyze a passive site survey with Ekahau mapper
WIFI SITE SURVEY
• Goal:
  • Analyze Radio Frequency (RF) environment
  • Identify Radio Frequency (RF) interferences
  • Find optimum locations for Access Points

• Non-existent Wifi network:
  • Is installing a Wifi network possible?
  • RF environment and interferences
  • Plan and design a wireless infrastructure
  • Best AP location?

• Existing Wifi network:
  • Assess wireless performance
  • Troubleshooting
  • Area coverage, weak signal strength, network interferences
TYPES OF SITE SURVEY

Predictive (no field measurements)
• Simulation tool
• Import site plan & RF characteristics of objects
• Model RF environment
• Deploy (automatically) AP on the map

Passive (on-site survey)
• Listen WLAN traffic
• No authentication and 802.11 association
• All frequencies are scanned
• Detects Access Points
• Measure signal strength
• Measure noise

Active (on-site survey)
• Associate survey tool to (multiple) access point
• Same measures as passive survey
• Measure packets loss
• Measure retransmission
• Measure physical rates
SITE SURVEY PROJECT

Deploying New Wireless Network / Replacing Wireless Network
Site Survey:
• Predictive: Pre-deployment, place new APs
• Passive: Post-deployment, RF analysis
• Active: Post-deployment, clients performance analysis

Troubleshooting Wireless Network
• Passive Site Survey: RF analysis
• Active Site Survey: Performance analysis
ENVIRONMENT AND CHALLENGES
• Offices: Walls, attenuation
• Open offices: High density of population
• Industry (Factory, Warehouse): Shelves, machine tools
• Healthcare (Hospital, Clinic): Walls, RF interferences
WIFI SIGNAL ISSUES - CAUSES

• Access Point placement: bad location (wall, pillar)

[Figure: Ekahau Site Survey on Windows. Left: placement of AP in front of obstructing object (concrete pillar, dead zone). Right: place an AP on both sides of the obstructing wall (add a new AP, concrete wall).]
WIFI SIGNAL ISSUES - CAUSES

• Physical obstruction: Environment (multiple walls, materials).
• Signal degrades when going through:
  - Concrete (walls)
  - Wood (doors)
  - Metal (cabinet, shelves,…)
  - Steel (building structure)
  - Glass & Mirrors
  - Brick (fireplace)
  - Water (liquid: fish tank; vapor: bathroom)

[Figure: Ekahau Site Survey on Windows]
• Distance = 4 meters
• 1 to 4 walls crossed
• RSSI = -70dBm
• Not enough for VoWLAN
WIFI SIGNAL ISSUES - CAUSES

• Access Point Antennas: directional or omnidirectional

[Figure: WiFi Analyzer on Android. Directional antenna and omnidirectional antenna at 20 meters. Labels: no area covered, small area covered, wrong type of antennas.]

Use the appropriate type of antenna based on the environment
WIFI SIGNAL ISSUES - CAUSES

• Access Point placement: RF interference
  - Packets loss
  - Corrupted data
  - Loss of throughput
• Co-channel Interference → Change AP channel
OR
• Adjacent channel Interference → Change AP channel

[Figure: Ekahau Site Survey on Windows]
ON-SITE SURVEY GUIDE
ON-SITE TROUBLESHOOTING
• Issue definition: “Wifi network is underperforming”
  - Where? When? Who? How?
  - Define the issue, scope and test locations

• Step 1 – Get the floor plans
  - Identify potential issues: obstacles, walls, ceiling height,…
  - Identify areas where Wifi is required: offices, labs, welcome desk,…
  - Locate Access Points

[Figure: floor plan showing high priority area, medium priority area, obstacles and Access Points]
ON-SITE TROUBLESHOOTING

• Step 2 – Site Survey observation


• Identify Access Point model : same as original design?
• Identify RF overlap between Access Points : Co/Adjacent channel interference?
• Identify areas with no radio coverage : Access Point down? No Access Point placed?
• Access Point transmission power: Default or customized value?
• Access Point location: Troublesome placement?

Ekahau Site Survey on Windows


ON-SITE TROUBLESHOOTING

• Step 2 – Site Survey observation (callouts on the survey map)
  1. Stellar AP1221: as originally planned
  2. No Adjacent / Co-channel Interference
  3. No coverage: AP missing
  4. Default transmit power (17dBm): increase for best coverage
  5. Obstructed areas: move AP to optimize RF coverage
ON-SITE TROUBLESHOOTING

• Step 3 – Corrective actions


• Change Access Point model : AP with better antenna, outdoor AP,…
• Rework RF wireless design : modify transmit powers, change radio channels,…
• Rework channel width : limit adjacent / co-channel interference
• Remove lower data rates : force devices to use closer APs with better signal strength
• Improve AP placement : improve RF signal delivery

• Use Case:
  - Modify transmit power of an AP
  - Add a new Stellar AP
  - Move a Stellar AP
OMNIACCESS STELLAR
WIRELESS LAN
WIFI BRIDGE & WIFI MESH

LESSON SUMMARY
Upon completion of this module, you will be able to:

• Define the purpose of a WiFi Bridge topology
• Define the purpose of a WiFi Mesh topology
• Discover the Auto Mesh feature
• Configure a WiFi Bridge or WiFi Mesh topology on OmniAccess Stellar Access Points
WIFI BRIDGE VS WIFI MESH

AIM (WiFi Bridge and WiFi Mesh)
• Replace physical cabling

WiFi Bridge
PROPERTIES
• VLANs can be used to separate & secure traffic over the bridge*
• Cannot provide service (WiFi) to WiFi clients
USE CASE
• Buildings separated by a street

WiFi Mesh
PROPERTIES
• VLANs can be used to separate & secure traffic coming from Wi-Fi clients connected on different SSIDs.
• Can provide service (WiFi) to WiFi clients
USE CASE
• Coverage of a campsite

[Figure labels: WIFI BRIDGE; LAN EXTENSION NOT POSSIBLE]

* AP1101, AP1201 & AP1201H are not compatible with VLAN tagging over a bridge.
WIFI BRIDGE - ATTRIBUTES
• SSID
  - WLAN used to set up the wireless bridge connection
  - Must be the same on both APs
• Band
  - Wireless bridge working frequency
  - Must be the same on both APs
• Is Root
  - Specify the root AP of the wireless bridge
  - 1 AP must be defined as Root
• Passphrase
  - Password of the WLAN
  - Must be the same on both APs

[Figure: WIFI BRIDGE between two APs]
Root AP: SSID: STELLAR-BRIDGE, BAND: 5 GHZ, IS ROOT: YES, PASSPHRASE: ALCATEL123!
Second AP: SSID: STELLAR-BRIDGE, BAND: 5 GHZ, IS ROOT: NO, PASSPHRASE: ALCATEL123!
WIFI MESH – BEST PRACTICE


• BAND: 5 GHZ (OR 6GHZ)
• CHANNEL > 100
WIFI MESH - ATTRIBUTES
• SSID
  - WLAN used to set up the wireless Mesh connection
  - Must be the same on both APs
• Band
  - Wireless Mesh working frequency
  - Must be the same on both APs
• Is Root
  - Specify the root node of the wireless Mesh
  - Multiple APs can be defined as root
• Passphrase
  - Password of the WLAN
  - Must be the same on both APs

[Figure: WiFi Mesh between two APs]
Root AP: SSID: STELLAR-MESH, BAND: 5 GHZ, IS ROOT: YES, PASSPHRASE: ALCATEL123!
Non-root AP: SSID: STELLAR-MESH, BAND: 5 GHZ, IS ROOT: NO, PASSPHRASE: ALCATEL123!
Client SSID on both APs: SSID: WIFI GUESTS, BAND: 2.4 GHZ & 5 GHZ, SECURITY: OPEN
WIFI MESH – LIMITATIONS
• UP TO 4 HOPS
• UP TO 5 APS IN A SINGLE HOP IN A PEER TO MULTI PEER CONNECTION
• UP TO 16 APS IN THE MESH NETWORK
• ALL APS CAN BROADCAST UP TO 5 SSIDS FOR CLIENTS
AUTO MESH
• Aim: quick & easy deployment of a Mesh topology

• If a Stellar AP is:
  - Connected to the LAN
  - Configured as MESH root
• It will:
  - Broadcast a hidden SSID « Stellar-MESH »
  - Band: 5 GHz

• If a Stellar AP is:
  - Not connected to the LAN
• It will:
  - Have MESH enabled as non-root
  - Broadcast a hidden SSID « Stellar-MESH »
  - Band: 5 GHz

[Figure: ROOT AP and non-root AP, each with DEFAULT SSID: STELLAR-MESH and DEFAULT BAND: 5 GHZ]
CONFIGURATION
EXPRESS MODE - MESH & BRIDGE CONFIGURATION VIDEOS

Bridge Configuration MESH Configuration Auto MESH Configuration


ENTERPRISE MODE - MESH & BRIDGE CONFIGURATION VIDEOS
OMNIACCESS STELLAR
WIRELESS LAN
REMOTE ACCESS POINT (RAP)

OBJECTIVES
Upon completion of this module, you will be able to:

• Identify the role and advantages of the RAP feature
• List the equipment required for the deployment of the RAP feature
• Summarize the steps to configure the RAP feature
INTRODUCTION

• RAP = Remote Access Point
• Goal:
  - Extend the corporate network to remote site(s)
• Use Cases
  - Shops > Access to the corporate network to check the inventory
  - Booth > Events (forum, exhibition…)

[Figure: BRANCH/HOME OFFICE (USER, CORPORATE SSID, STELLAR AP (RAP), ROUTER), INTERNET, COMPANY HQ (FIREWALL, CORPORATE NETWORK, CORPORATE SSID)]

EQUIPMENT
• OmniVista Cirrus > Premium Account
  - STELLAR AP (RAP)* in the BRANCH/HOME OFFICE
  - ALE VPN SERVER in the COMPANY HQ
  - OMNIVISTA CIRRUS (PREMIUM) in the CLOUD
• OmniVista Cirrus > Freemium Account
  ⚫ With OmniVista 2500
  - STELLAR AP (RAP)* in the BRANCH/HOME OFFICE
  - ALE VPN SERVER and OMNIVISTA 2500 in the COMPANY HQ
  - OMNIVISTA CIRRUS (FREEMIUM) in the CLOUD

* AP1101 not compatible with the RAP Feature

COMMISSIONING
> OMNIVISTA CIRRUS (PREMIUM ACCOUNT)
COMMISSIONING STEPS & TOPOLOGY
[PRE] – Settings to be Entered by the Administrator
1 – Stellar Access Point Startup & Registration
2 – Configuration Settings Retrieval
3 – VPN Tunnel (Client Traffic) Establishment
4 – Client Connection

[Figure: topology. STELLAR AP (RAP) in the BRANCH/HOME OFFICE, INTERNET, ALE VPN SERVER in the COMPANY HQ, OMNIVISTA CIRRUS (PREMIUM) in the CLOUD]
[PRE] – SETTINGS TO BE ENTERED BY THE ADMINISTRATOR

SETTINGS (OV CIRRUS)
• STELLAR AP MAC@
• VPN SERVER PUB. IP@
• VPN CLIENT IP@
• AP SETTINGS

SETTINGS (VPN SERVER)
• PUBLIC IP@
• PRIVATE IP@
• VPN SETTINGS (KEYS…)
1 – STELLAR ACCESS POINT STARTUP & REGISTRATION
• The Stellar AP starts up
• The Stellar AP automatically tries to reach the OmniVista Cirrus
• The OmniVista Cirrus identifies the Stellar AP by its MAC address.

SETTINGS (OV CIRRUS)
• STELLAR AP MAC@

[Figure label between STELLAR AP (RAP) and OMNIVISTA CIRRUS: MAC ADDRESS]
2 – CONFIGURATION SETTINGS RETRIEVAL
• The Stellar AP connects to the OmniVista Cirrus
• The OmniVista Cirrus sends to the Stellar AP:
  - VPN Server public IP Address
  - IP Address (VPN Client)
  - AP Settings (SSID(s) to broadcast, radio frequency settings…)

INFORMATION RECEIVED BY THE AP
• IP@ (CLIENT VPN)
• VPN SERVER PUBLIC IP@
• AP SETTINGS
3 - VPN TUNNEL (CLIENT TRAFFIC) ESTABLISHMENT
• The Access Point connects to the VPN Server
• A VPN is established between the RAP <> VPN Server

[Figure: VPN TUNNEL between STELLAR AP (RAP) in the BRANCH/HOME OFFICE and ALE VPN SERVER in the COMPANY HQ]
4 – CLIENT CONNECTION
• Client on remote site
  - Connection on the SSID reserved for employees
  - Access to the corporate network
  - Client’s data traffic > VPN tunnel

[Figure: EMPLOYEE on the CORPORATE SSID of the STELLAR AP (RAP) in the BRANCH/HOME OFFICE, VPN TUNNEL to the ALE VPN SERVER and CORPORATE NETWORK in the COMPANY HQ]
COMMISSIONING
> OMNIVISTA 2500
> OMNIVISTA CIRRUS (FREEMIUM ACCOUNT)
COMMISSIONING STEPS & TOPOLOGY
[PRE] – Settings to be Entered by the Administrator
1 – Stellar Access Point Startup & Registration
2 – VPN & OmniVista 2500 Settings Retrieval
3 – VPN Tunnel (Management Traffic) Establishment
4 – Configuration Settings Retrieval
5 – VPN Tunnel (Clients Traffic) & Client Connection

[Figure: topology. STELLAR AP (RAP) in the BRANCH/HOME OFFICE, INTERNET, ALE VPN SERVER and OMNIVISTA 2500 in the COMPANY HQ, OMNIVISTA CIRRUS (FREEMIUM) in the CLOUD]
[PRE] – SETTINGS TO BE ENTERED BY THE ADMINISTRATOR

SETTINGS (OV CIRRUS)
• STELLAR AP MAC@
• MODE > RAP
• VPN SERVER PUB. IP@
• OV 2500 SERVER IP@
• VPN CLIENT IP@

SETTINGS (VPN SERVER)
• PUBLIC IP@
• PRIVATE IP@
• VPN SETTINGS (KEYS…)

SETTINGS (OV 2500)
• AP SETTINGS
1 – STELLAR ACCESS POINT STARTUP & REGISTRATION
• The Stellar AP starts up
• The Stellar AP automatically tries to reach the OmniVista Cirrus
• The OmniVista Cirrus identifies the Stellar AP by its MAC address.

SETTINGS (OV CIRRUS)
• STELLAR AP MAC@

[Figure label between STELLAR AP (RAP) and OMNIVISTA CIRRUS: MAC ADDRESS]
2 – VPN & OMNIVISTA 2500 SETTINGS RETRIEVAL
• The Stellar AP connects to the OmniVista Cirrus
• The OmniVista Cirrus sends to the Stellar AP:
  - Mode (RAP)
  - IP Address (Client VPN)
  - VPN Server public IP Address
  - OmniVista 2500 NMS Server IP Address

INFORMATION RECEIVED BY THE AP
• MODE = RAP
• IP@ (VPN CLIENT)
• VPN SERVER PUB. IP@
• OV 2500 IP@
3 - VPN TUNNEL (MANAGEMENT TRAFFIC) ESTABLISHMENT
• The Remote Access Point (RAP) connects to the VPN Server
• A VPN is established between the RAP <> VPN Server

[Figure: VPN TUNNEL between STELLAR AP (RAP) in the BRANCH/HOME OFFICE and ALE VPN SERVER in the COMPANY HQ]
4 – CONFIGURATION SETTINGS RETRIEVAL
• RAP connects to the OmniVista 2500 server
• The OmniVista 2500 sends its configuration to the RAP:
  - SSID(s) to broadcast
  - Radio frequency settings
  - …

SETTINGS (OV 2500)
• AP SETTINGS

INFORMATION RECEIVED BY THE AP
• MODE = RAP
• IP@ (VPN CLIENT)
• VPN SERVER PUB. IP@
• OV 2500 IP@
• AP SETTINGS
5 – VPN TUNNEL (CLIENTS TRAFFIC) & CLIENT CONNECTION
• 2nd VPN tunnel is established (clients data traffic)
• Client on remote site
  - Connects to the Clients SSID
  - Access to the corporate network
  - Client data traffic > VPN Tunnel

[Figure: EMPLOYEE on the CORPORATE SSID of the STELLAR AP (RAP) in the BRANCH/HOME OFFICE, INTERNET, ALE VPN SERVER, OMNIVISTA 2500 and CORPORATE NETWORK in the COMPANY HQ]
USE CASE > RAP & REMOTE WORKING

[Figure: REMOTE WORKERS behind a RAP, VPN TUNNEL over the INTERNET to the ALE VPN SERVER and CORPORATE NETWORK in the COMPANY HQ. Labels: EMPLOYEES SSID, LAB SSID, VISITORS SSID, EMPLOYEES VLAN, LAB VLAN, VLAN tagging, Local Breakout]
CONFIGURATION STEPS
CONFIGURATION STEPS – OMNIVISTA CIRRUS (PREMIUM ACCOUNT)

1 – Configuring the OmniVista Cirrus
• Declaring the Remote AP (Serial Nb / MAC@)
• Configuring the VPN settings (VPN > clients traffic)
  - Public IP@ / Port
  - VPN Server IP@
  - IP@ / IP@ range of VPN clients
• Exporting the VPN settings (VPN > clients traffic)
• Configuring the AP settings
  - SSID(s) to broadcast
  - Radio frequency settings
  - …

2 – Deploying & Configuring the "VPN Server" VM
• Deploying the « VPN Server » VM (provided by ALE)
• Configuring the network interfaces
  - Interface 1 (ex. eth0) > public IP@
  - Interface 2 (ex. eth1) > VPN « clients traffic »
• Importing the VPN settings

> Connecting the Remote AP
CONFIGURATION STEPS – OMNIVISTA CIRRUS (FREEMIUM ACCOUNT) & OMNIVISTA 2500

1 – Configuring the OmniVista Cirrus
• Declaring the Remote AP (Serial Nb / MAC@)
• Configuring the VPN settings (management traffic)
  - Public IP@ / Port
  - VPN Server IP@
  - IP@ / IP@ range of VPN clients
• Exporting the VPN settings

2 – Deploying & Configuring the "VPN Server" VM
• Deploying the « VPN Server » VM (provided by ALE)
• Configuring the network interfaces
  - Interface 1 (ex. eth0) > public IP@
  - Interface 2 (ex. eth1) > private IP@
• Importing the VPN settings

3 – Configuring the OmniVista 2500
• Configuring the 2nd VPN (clients traffic) settings in the OV2500 and importing it in the VPN server (Interface 3, ex. eth2)
• Configuring the AP settings
  - SSID(s) to broadcast
  - Radio frequency settings
  - …

> Connecting the Remote AP

OmniVista 2500 NMS Release 4
Internet of Things

Objectives
Lesson Summary

In this module you will learn to:

• Describe the IoT Device Profiling feature
• Describe the IoT implementation in OmniVista
• Understand IoT Inventory and Category in OmniVista
• Create a new custom category
IoT Device Profiling
• OmniVista monitors network packets to track these devices and presents detailed information
on the devices connected to AOS Switches and Stellar APs.

[Figure: OmniSwitch® and OmniVista 2500/Cirrus. IoT Inventory shows: End Point MAC / IP, Status (Active / Offline), End Point Category, ...]
IoT Inventory Details
• Endpoint MAC / IP - The MAC / IP Address of the device
• Status - The operational status of the device on the network.
  - Active - The device is currently active on the network.
  - Offline - The device is not currently active on the network.
  - Error - There was an error in retrieving status information. Status is unknown.
• Category - The device category (e.g., Datacenter Appliance, Phone/Tablet/Wearable)
• Manufacturer - The device manufacturer.
• Switch/AP Name - The IP address of the switch/AP through which the device is connected to the network.
• Port/ESSID - The switch port or ESSID through which the device is connected to the network.
• Start / End Time - The time the device first accessed / disconnected from the network.
• Last Updated - The time the device information was last updated by OmniVista.
IoT Implementation in OmniVista
• To identify an IoT device, OmniVista uses the following:
  - MAC OUI: allows devices to be recognized by identifying their MAC addresses.
  - DHCP Fingerprinting: allows the devices on the network to be tracked
    - It also helps in analyzing future growth by accessing the trending information.

[Figure: IoT data flow between Endpoints, OmniSwitch / Stellar AP and OmniVista 2500/Cirrus.
IoT Phase 1 labels: DATA COLLECTION, PROFILING API, Device Profile Services, Local Cache, Endpoint Inventory, Device Category.
IoT Phase 2 labels: ENFORCEMENT, UNP, Enforcement Policy.
Profiling input: DHCP client request with DHCP option 55 (the parameter request list) and option 60 (the vendor identifier), or [Mac Vendors]; Local Cache.]
IoT Implementation in OmniVista

Collect from End Points
• Global Parameters Setting
• Devices & Access Points data collection
• Device Profile Services Consumption (requests etc.)

Profile & Inventory
• End Point inventory capture
  - End Point (MAC & IP address) -> Who?
  - Network Context (where the End Point is connected) -> Where?
  - End Point Nature (Profiling results) -> What?
• End Point Profiling
  - DP Services to OmniVista for Unknown device type
  - Local cache Profile available
  - Default Category from DP Services & Custom device category

Analytics Summary
• Analytics Summary from Inventory (Widgets summary)
• Historical & Cumulative View
• Uptime & Downtime
• Device Category Breakdown

Enforcement
• UNP Profile definition
• UNP assignment based on Device category / Profiling
• Manual UNP assignment

[Figure labels: IoT devices, End Points, OmniVista 2500 / OmniVista Cirrus, Configuration]
IoT Dashboard

New Apps that display IoT devices by:
• Category
• Endpoint Name
• SSID
• UNP
• Status
• AP/Switch that the device is connected to
Initial Configuration
• IoT is enabled for switches and APs in the Managed Devices List
• Select the devices on which you want to enable IoT and click on the Enable IoT button at the top of
the list.

Note: IoT is supported on IPv4 devices only.
IoT Inventory
• Provides detailed information on all endpoint devices that connect to the network
• New endpoint association or disassociation (Status) is updated in real-time
• Any changes to the endpoint (e.g., profile change, IP address change) are updated every 5 minutes
for devices connected to Stellar APs and every 15 minutes for devices connected to AOS Switches
• The user can export the IoT inventory contents to an .xls file
IoT Inventory
IoT can be configured to integrate with Google G Suite to collect device information and provide
network security for Chrome devices.

IoT can also be used to enable/disable and monitor Zigbee devices. OmniVista interfaces with a
Zigbee Server and Stellar APs to provide Zigbee device support.
IoT Category
• Displays information about device categories

• OmniVista monitors network packets to determine the types of devices connected to the
network and categorizes them based on the list of categories.
• Default categories cannot be modified, but custom categories can be added
IoT Enforcement
Configures category-based device authentication
• By associating a Category with an Access Role Profile
• You can also specify exceptions for specific devices by SSID, MAC address, AP Group, or IP address.
When a device matching one of these exceptions is categorized, it will not be subject to IoT
enforcement.
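
The profiling inputs and the category-based enforcement described in the IoT slides above, as an added Python example that is not OmniVista code: it reads the MAC address and DHCP options 55 and 60 from a client request, assigns a category, and returns an Access Role Profile unless an exception matches. The fingerprint table, OUI table, profile names, the DHCP-before-OUI lookup order and the sample packet are all constructed assumptions.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
OPTIONS_OFFSET = 240                # 236-byte BOOTP header + 4-byte cookie

# Constructed lookup data (hypothetical; not OmniVista's profiling database).
DHCP_FINGERPRINTS = [
    # (option 55 parameter request list, option 60 prefix, category)
    ((1, 3, 6, 15, 42), "constructed-cam", "IP Camera"),
    ((1, 3, 6, 12, 15, 28), "constructed-phone", "Phone/Tablet/Wearable"),
]
OUI_CATEGORIES = {"aa:bb:cc": "Printer"}  # first three MAC octets -> category

# Constructed enforcement policy: category -> Access Role Profile, plus the
# exception types named on the slide (SSID, MAC address, AP Group, IP address).
POLICY = {
    "category_to_profile": {"IP Camera": "arp-camera-restricted",
                            "Printer": "arp-printer"},
    "exceptions": {"ssids": {"LAB SSID"}, "macs": {"de:ad:be:ef:00:01"},
                   "ap_groups": set(), "ips": {"10.0.0.50"}},
}


def build_sample_discover(mac, prl, vendor_class):
    """Build a constructed DHCPDISCOVER so the example runs offline."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234,
                         0, 0, b"", b"", b"", b"", chaddr, b"", b"")
    vc = vendor_class.encode("ascii")
    options = (bytes([53, 1, 1]) + bytes([55, len(prl)]) + bytes(prl)
               + bytes([60, len(vc)]) + vc + b"\xff")
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Return MAC, option 55 and option 60 from a raw DHCP client request."""
    if len(packet) < OPTIONS_OFFSET or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = min(packet[2], 16)
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, i = {}, OPTIONS_OFFSET
    while i < len(packet):
        code = packet[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:  # malformed or cut-off packet: reject it
            raise ValueError(f"option {code} runs past end of packet")
        options[code] = options.get(code, b"") + value  # split options concatenate
        i += 2 + length
    return {"mac": mac, "prl": tuple(options.get(55, b"")),
            "vendor_class": options.get(60, b"").decode("ascii", "replace")}


def classify(endpoint):
    """DHCP fingerprint first, MAC OUI as fallback (order is an assumption)."""
    for prl, vc_prefix, category in DHCP_FINGERPRINTS:
        if endpoint["prl"] == prl and endpoint["vendor_class"].startswith(vc_prefix):
            return category, "dhcp"
    category = OUI_CATEGORIES.get(endpoint["mac"][:8])
    return (category, "oui") if category else ("Unknown", "none")


def enforce(endpoint, category, context, policy):
    """Return the Access Role Profile, or None if excepted or unmapped."""
    ex = policy["exceptions"]
    if (context["ssid"] in ex["ssids"] or endpoint["mac"] in ex["macs"]
            or context["ap_group"] in ex["ap_groups"] or context["ip"] in ex["ips"]):
        return None  # excepted devices are not subject to IoT enforcement
    return policy["category_to_profile"].get(category)


def profile_and_enforce(packet, context, policy=POLICY):
    endpoint = parse_dhcp(packet)
    category, source = classify(endpoint)
    return category, source, enforce(endpoint, category, context, policy)


if __name__ == "__main__":
    pkt = build_sample_discover("02:00:00:11:22:33", (1, 3, 6, 15, 42),
                                "constructed-cam 1.0")
    ctx = {"ssid": "EMPLOYEES SSID", "ap_group": "branch", "ip": "10.0.0.20"}
    print(profile_and_enforce(pkt, ctx))
```

A device that changes its vendor class or request list falls through to the OUI lookup and then to "Unknown", which is why the unmapped case returns no profile instead of a permissive default.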
OmniAccess Stellar
Wireless LAN
OmniVista 2500 NMS &
OmniAccess Stellar WLAN

Conclusion

Course Objectives Review
During this course, you have learned how to:
• Install & Configure the OmniVista 2500 NMS Server
• Deploy & Configure Stellar APs in Enterprise Mode
• Configure SSIDs for different type of Users, using
different Authentication Methods
• Understand & Configure Additional Features
(Mobility & Roaming, WIPS)

Agenda

DAY 1
• Introduction
• OmniVista 2500 > Overview + Installation
• OmniAccess Stellar > Portfolio & On Boarding
• SSID Creation > Employee SSID

DAY 2
• SSID Creation > Guest SSID
• Web Content Filtering
• SSID Creation > BYOD SSID
• RF Settings Management
• L2 & L3 Roaming
• WIPS
• OmniVista Cirrus > Overview

DAY 3
• OmniVista 2500 > Maintenance
• OmniVista 2500 > Heat Map & Floor Plan
• Mesh Topology
• Wi-Fi Survey
• Remote Access Point (RAP)
• Internet of Things (IoT)
• Spacewalkers
• ProActive Lifecycle Management (PALM)
• Conclusion & Wrap-Up


Internet Resources

General ALE Websites
• ALE Official Website: Alcatel-Lucent Enterprise (ALE) Official Website
• ALE Knowledge Hub: Alcatel-Lucent Enterprise (ALE) Training Platform « Knowledge Hub »

Technical ALE Websites
• MyPortal: Alcatel-Lucent Enterprise Official Website dedicated to Business Partners
• Spacewalkers Community: ALE Community (Site & Technical Forum)
• OmniSwitch Switches Datasheets: Technical Datasheets for each ALE OmniSwitch switch
• OmniAccess Stellar Datasheets: Technical Datasheets for each ALE OmniAccess Stellar access point
• NMS Solutions Datasheets: Technical Datasheets for each ALE OmniVista solution

Other Useful Websites
• RFC: Website containing the official documentation for the protocols that will be set up during this training.
Your opinion counts!

Evaluation links are available to you as of the last day of the session, so the evaluation can be filled in
at the end of the session before leaving the classroom or virtual class.
There are two ways to access the course evaluation, depending on the Knowledge Hub session status
(still “In progress”, or switched to “Completed”).

The status usually switches on the Monday after the session has ended.

Reach the session evaluation

Directly from the Home page / My Recent Learning activity:

• If the “Evaluate” option is visible, click on it.
• If “Evaluate” is not offered, click on “Open Curriculum” and then on “Evaluate”.

OmniSwitch LAN R8
OmniVista 2500 NMS R4
Administrative Users and Groups

How to
✓ Create user accounts and manage the read-write capabilities for certain
users.

Contents
1 The Users and Groups Application
2 Summary
3 Lab Check


Implementation

1 The Users and Groups Application

This lab provides the instructions to set up security using OmniVista. You will create Users and Groups to
determine access privileges within OmniVista.

- Make sure the LAN+WLAN menu is selected.


- Select Security -> Users & User Groups

- In the Users & User Groups Home screen select Group

- Click on the Create new Group icon.



- Provide the new group with the name Training and give it a description.
- Check on the Group Rights and choose Read to provide read-only access.
- Users could be added at this point, but we’ll create a new user.
- Click Create when done to save the new group.

- The new group is now part of the Group List.

- In the Users & User Groups Home screen, select User

- Click + to create a new user



- Enter the new user training_user with a password of training_user1 and make it part of the Training
group.

- As you are typing the password you can check the password strength button going from Risky – Weak –
Fair – OK. This provides an indication of the security of the password.

- Click Create when done.

- The new user is now part of the Existing Users list.



- Log out of OmniVista, log back in using the account you have just created, and try to perform
various tasks. Notice that you can only view information; you are not allowed to modify the
configuration.

- Log back in as an administrator to continue with the following labs.



2 Summary
OmniVista provides the capability to limit the rights of users logged into the OmniVista server. This
feature can be used to provide read-only access or even to prevent certain users from seeing all of the
discovered devices.

3 Lab Check

1. What are the default accounts and what privileges does each of them have?

2. OmniVista can be configured to allow users to only make modifications on edge devices. T/F

3. What was different about the OmniVista interface when you logged in with an account having
read-only privileges?
OmniSwitch LAN R8
OmniVista 2500 NMS R4
Control Panel

How to
✓ View services currently running on OmniVista
✓ View Asset Management History
✓ Shut down server processes on OmniVista

Contents
1 Control Panel
1.1. Watchdog Service
2 Summary

Implementation

1 Control Panel
This lab provides the steps required to view services and shut down the OmniVista server.

1.1. Watchdog Service


- Make sure LAN+WLAN menu is selected.
- Select Administrator -> Control Panel.
- The Watchdog Screen displays the status of all of the services used by OmniVista.
- Click on any service to view detailed information (e.g., description, status, dependencies). To Start/Stop
a service, click on the slider control next to the service (Running/Stopped).

- You can start/stop all services or shut down OmniVista using the buttons at the top of the screen:
(Do not modify or stop any process unless directed by your instructor!)

- Start All icon to start all stopped services.

- Start All icon to restart all services.


- Select Scheduler -> Scheduler History on the left menu.
- This screen displays a history of all Asset Management events.

2 Summary
The OmniVista Control Panel can be used to start and stop services and the OmniVista server.
OmniSwitch LAN R8
OmniVista 2500 NMS R4
Preference

How to
✓ Manage the default settings of OmniVista Web GUI

Contents
1 Preference
1.1. User Settings
1.2. System Settings
2 Summary
3 Lab Check

Implementation

1 Preference
This lab will provide the instructions for making OmniVista Web GUI modifications using Preferences.
- Make sure the LAN+WLAN menu is selected.
- Select Administration -> Preferences.

- Select User Settings

1.1. User Settings


Configure settings for each user

1.2. System Settings


Configure system-wide settings.

Continue exploring the various options that can be configured using Preferences.

2 Summary
Preferences allows an administrator to change the default behavior and the look and feel of the
OmniVista Web GUI.

3 Lab Check

1. What are the two different areas that can be modified using Preferences?
OmniVista 2500 NMS release 4

Analytics
Lesson Summary

At the end of this presentation, you will be able to

◼ Describe the following:


⚫ Analytics Application
▪ Reports
▪ Profiles
▪ Summary View
▪ Applications Management
▪ Anomalies
⚫ Report Application
▪ Configuration
▪ List
⚫ Application Visibility
▪ Configuration
▪ Report
▪ Enforcement
Analytics
Network Analytics

◼ Real-time information to enable real-time business decisions


• Historical and predictive views
• Insight of application usage and trends
• ‘Plain talking’ to drive improved business process decisions and IT cost control
• This application leverages sFlow information
• Essentially L1-L4 information
Network Analytics
Challenges

◼ Network needs are changing


⚫ In terms of design as well as real-time requirements

◼ Highly virtualized, dynamic networks

◼ BYOD Trend
⚫ User mobility and the need to have the same type of access on any device

◼ Application Visibility for common profiles and policies

◼ Troubleshooting becomes challenging

◼ Bottlenecks can affect the network and disappear before the source of the
problem is even identified
◼ Network Planning is required
⚫ From Real-time to Long-term needs
Analytics Application
Overview

◼ Accessed from Network -> Analytics

◼ Provides users with a comprehensive view of network resource utilization


⚫ Users, devices and applications.
⚫ Summary and detailed reports are available.

◼ Provides information on usage trends


⚫ Including predictive analysis of future utilization.
Analytics
Overview

• Reports.
Provides a comprehensive view of network resource utilization.
Two types of reports:
- "Visibility" Reports can be configured to show network utilization over
different time periods.
- "Availability" Reports provide a "real-time" view of all discovered
network switches.

• Profiles.
Used to create Analytics Profiles. To generate an Analytics Report for
any of the "Visibility" Reports, you must first create an Analytics Profile
that defines the switches/ports that you want to view and the type of
information that you want to view on those switches/ports.
Analytics
Overview

• Summary View
Displays basic information on all supported network devices,
including any Analytics Profiles defined for a device.

• Applications Management
When generating a Top N Applications Report, the Analytics
application uses port numbers to identify application traffic. This
screen is used to create port/application mappings to identify
application traffic.

• Anomalies
Displays any port utilization anomalies. An anomaly is a utilization
data point that falls outside of expected norms based on past usage.
Reports
Reports
Types

◼ Top N Applications
⚫ Displays information about the top applications being accessed on the network,
including which users are using an application, and which switches have the most
traffic for an application.

◼ Top N Applications – Advanced


⚫ Displays information about the top applications being accessed on the network based
on Signature Profiles configured in the Application Visibility Application

◼ Top N Clients
⚫ Displays information for the Top Network Users including the number of traffic flows
for each user.
Reports
Types

◼ Network Health
⚫ Displays information for the top devices on the network in terms of the device's
resource usage. Devices are ranked based on the device's CPU usage, memory usage,
and temperature.

◼ Top N Ports Utilization


⚫ Displays network ports by utilization over time. This report can also provide predictive
analytics to show expected future usage.

◼ Network Availability
⚫ Displays the current operational state of network devices (Up/Warning/Down).

◼ Alarms
⚫ Displays network alarms by severity level.
Reports
Measurements & Operations

Visibility (sFlow sampling, OV412.R02). Outcome: widgets and graphical reporting.

KPI                                      Mechanisms                                 Outcome
Top N Apps                               sFlow sampling                             Application name through TCP/UDP ports
Top N Users                              sFlow sampling                             Source IP address
Top N Switches / Resources Utilization   "Index" derived from CPU, Mem use, Temp    Value / gravity scale

Availability (part of OV411). Outcome: widgets.

KPI                        Mechanisms               Outcome
Top N Port Utilization     SNMP MIB polling         Display top ports with high network traffic
Network Availability       SNMP device poll         Display device status
Alarms                     SNMP trap/severity       Display total alarms in network
Reports
sFlow Sampling Overview

[Diagram: the AOS switch sends sFlow packets to the OV Analytics Service, which stores analytical data in Mongo DB; the OV WebServer presents the analytics in the OV WebUI.]

• OV profiles used to create sampling on switch ports
• Reports can be pre-defined or customized

sFlow Collection & Sampling used for:
• Top N app
• Top N users
Reports
Options

◼ Reports can be viewed in different formats.


⚫ By default, the Summary View is displayed for all reports as a pie chart or in a list.
⚫ In the Detail View, you can display a detailed subset of information in a bar chart
format.

◼ Reports can be customized by clicking on the Configuration icon.


⚫ Options vary depending on the report type

◼ By clicking on the Options icon, users can:


⚫ Download a report in PDF or PNG format or send the report to a printer
⚫ Schedule a report.
Top N Applications
Summary View
◼ Displays information about the top applications being accessed on the network.

◼ The Top N Applications are determined using sFlow.


⚫ OmniVista identifies the applications using the TCP/UDP port obtained from sFlow
packets.
⚫ Well known ports (e.g., 161 for SNMP, 80 for HTTP) are automatically identified and
labeled in the Top N Applications Report.
⚫ Other applications can be mapped using the Applications Management Screen.

Pie Chart List View


Top N Applications
Client and switch information
◼ When in the Pie Chart View of the Top N Applications Report you can identify:
⚫ Clients accessing an application (by source IP address).
⚫ Switches passing the application traffic.

◼ Right-click on a section of the Pie Chart and select the appropriate option.

A legend (not shown here) identifies the client or switch by color and text, or you can
hover over a section to view the client/switch IP address (along with detailed flow
information).

Clients    Switches
Top N Applications
Detail View
◼ Provides a detailed view of the specified time interval.
⚫ For example, if a report displays data for the last 24 hours, the Summary View will
display a summary of the data for the last 24 hours; and the Detail View will then
display data for each hour within those 24 hours.
Top N Applications
Trending information
◼ When in the Detail View, you can click on a bar in the chart to view usage
trends for each application for the selected time interval by "drilling down" on
a data set to see a subset of that data.
⚫ The trend for an hour would be displayed in 15-minute increments.
Top N Clients
Summary View
◼ Displays information for the top network clients including the number of traffic
flows for each client.
◼ OmniVista uses the source IP address in the sFlow packet to determine the
client.
⚫ Each client is displayed as a percentage of the total for the configured time interval
(e.g., last 24 hours).

List View
Pie Chart
Top N Clients
Detail View and Trending information
◼ Detail view provides a detailed view of the specified time interval
⚫ If a report displays data for the last 24 hours, the Detail View will display data for
each hour within those 24 hours.
◼ Information is displayed in a bar chart view
◼ In the Detail View, you can click on a bar in the chart to view usage trends for
each client for the selected time interval
⚫ Displayed in 15 minute increments.
◼ Click on a data point in the trending view for more detailed information.
Network Health
◼ Displays information for the top switches on the network in terms of the
switch's resource usage.
⚫ Based on switch's CPU usage, memory usage, and temperature.
Top N Ports
Summary View
◼ Displays the top network ports based on utilization.
⚫ Displayed as a percentage of the total utilization for all monitored ports.

◼ In this view, switches/ports are displayed in a list view from highest to lowest
utilization for the configured time period (e.g., day, week).
Top N Ports
Detail View
◼ Depending on the number of ports you configured for display (e.g., top 10
ports, top 15 ports), any monitored ports that qualify during the configured
time interval (e.g., last 24 hours) are displayed.
◼ Ports are simply stacked numerically in each bar by IP address and port number
(the order is not based on utilization).
Top N Ports
Trending View
◼ Used to view predicted future port utilization based on past utilization.
⚫ Predictions can provide valuable insight for capacity management.

◼ OmniVista samples past port utilization for a period of time (Prediction:
Training Timeout), and predicts future utilization within a configurable error
rate (Prediction: Training Error) using a machine learning algorithm.
◼ The predicted utilization will appear in the display to the right of the current
utilization.
⚫ The predicted usage area of the display will be slightly shaded to differentiate it from
current usage.

◼ The amount of predicted data displayed depends on the interval time
configured for the report

Configured Time Interval    Amount of Predicted Data
Last 24 Hours               12 Hours
Last 7 Days                 3 Days
Last 4 Weeks                2 Weeks
Top N Ports
Trending View

Current Predicted
Top N Reports
Customization

◼ Click on the Configuration icon in the upper right corner of the screen to
configure how information is displayed in the report.
⚫ Default Devices - By default, all top switches/ports are displayed. However, you can
click on the Select Devices button to display only information from specific switches.

⚫ Number of Top Applications/ Clients/ Switches/ Ports - Range = 1 – 20, Default = 10

⚫ Interval Type - The time interval for the information:
▪ Up Until Now - Displays all information in the selected time interval (e.g., last 24 Hours).
▪ Custom - Sets the start and end time for the information you want to display. You can display up
to 3 months of data. When data reaches the 3-month maximum, it is overwritten with new data.

⚫ Time Interval - Last 24 Hours, 7 Days, or 4 Weeks

⚫ Auto Refresh Timer - In minutes (Range = 15 - 60, Default = 15).


Reports
Network Availability
◼ Displays the current operational state of all discovered network devices
(Up/Warning/Down).
◼ Each category is displayed as a percentage of all monitored switches
⚫ Click on a category to display a list of switches in the category, with specific
information about each switch.
Reports
Alarms
◼ Displays network status/traps for all discovered switches.

◼ A graphical pie chart view or a list format can be displayed.

◼ The reported alarms in each severity level are displayed as a percentage of the
total alarms reported.
⚫ Click on a severity level in the pie chart to view the switch(es) from which the alarms
originated, and the number of those alarms received.
Profiles
◼ Displays currently configured Analytics Profiles.
⚫ Used to create, edit, and delete profiles.

◼ The first step in generating analytics information for any of the "Visibility"
Reports (Top N Applications, Top N Clients, Top N Switches, and Top N Ports
Utilization) is to create an Analytics Profile.
◼ A profile consists of the type of information you want to view (Profile Type)
and the switches/ports that you want to analyze.

Create Profile
Profiles
Configuration
◼ Configuration Screen
⚫ Profile Name - User-configured name for the profile.
⚫ Profile Type - Select a Profile Type from the drop-down menu:
▪ Top N Apps & Clients
▪ Top N Ports Utilization
⚫ Sampling Rate (Top N Apps & Clients Only) - Ratio of packets observed at the data
source to the samples generated. For example, a sampling rate of 100 specifies that,
on average, 1 sample will be generated for every 100 packets observed.
Profiles
Configuration
◼ Device/Port Selection Screen
⚫ Add/Remove Switches - From the list of switches, select those you want to analyze.
⚫ Add/Remove Ports - Select a switch and click on the Add/Remove Ports button. From
the list of ports, select the port(s) that you want to analyze.

◼ Note: A switch can only be in one profile of a particular Profile Type.


Summary View
◼ Displays basic information for all discovered network switches,
⚫ Including any Analytics Profiles to which a switch may belong.

Name - User-configured switch name.


Address - IP address of the switch.
Location - User-configured switch location (if no location was
configured by the user, the field will display "Unknown").
MAC Address - MAC address of the switch
Version - Switch AOS version.
Type - Switch type (e.g., OS10K, OS6900-X20).
Applications Management
◼ When generating a Top N Applications Report, the Analytics application uses
port numbers to identify application traffic.
⚫ Traffic on a specific port is identified as coming from a specific application.

◼ The Application Management Screen is used to create, edit, and delete
application/port mapping.
⚫ Well known ports (e.g., 161 for SNMP, 80 for HTTP) are automatically mapped.
Applications Management
Modes
◼ Mapping is done by choosing one of the two available modes:
⚫ Range-Based - This mode is used to set a range of ports that are monitored by the
Analytics application.
▪ Traffic on these ports is monitored and can be displayed in the Top N Applications Report.
▪ Information for all of these ports is available to be displayed.
▪ Only those ports that have been mapped will be labeled with the application.
▪ Other ports will be labeled as "Unknown".
⚫ Enumerated - This mode requires that you define specific ports to be monitored.
▪ Only those ports you define when you create a mapping will be monitored.
Applications Management
Configuration
◼ Click on the Create icon and complete the fields as described below:
⚫ Application Name - Enter the name of the application (e.g., SNMP).
⚫ Ports - Enter the port or port range to be associated with the application. If you are
entering a range of ports, separate the port numbers with a "-" (e.g., 20-21).

◼ An existing application ports mapping file (.json file) can be imported into
OmniVista 2500 NMS.
⚫ Note that this new mapping will override the existing mapping.
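
The following added example (not OmniVista code) models how port/application mappings turn sFlow samples into a Top N Applications and Top N Clients view, and how the two mapping modes differ in what stays visible. Classifying on the destination port, the monitored range, the sample records and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed application/port mappings, written the way the Ports field
# expects them: a single port or a "low-high" range.
MAPPINGS = {"FTP": "20-21", "SSH": "22", "HTTP": "80", "SNMP": "161"}

# Constructed sFlow samples: one record per sampled packet.
SAMPLES = [
    {"src_ip": "10.0.0.5", "dst_port": 80},
    {"src_ip": "10.0.0.5", "dst_port": 80},
    {"src_ip": "10.0.0.5", "dst_port": 161},
    {"src_ip": "10.0.0.7", "dst_port": 21},
    {"src_ip": "10.0.0.7", "dst_port": 4444},   # unmapped port
    {"src_ip": "10.0.0.9", "dst_port": 50000},  # outside the monitored range
]


def parse_ports(spec):
    """Turn '161' or '20-21' into an inclusive (low, high) tuple."""
    low, sep, high = spec.strip().partition("-")
    low = int(low)
    high = int(high) if sep else low
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port specification: {spec!r}")
    return low, high


def build_lookup(mappings):
    """Expand mappings to {port: application}; reject overlapping mappings."""
    lookup = {}
    for app, spec in mappings.items():
        low, high = parse_ports(spec)
        for port in range(low, high + 1):
            if lookup.get(port, app) != app:
                raise ValueError(f"port {port} is mapped to {lookup[port]} and {app}")
            lookup[port] = app
    return lookup


def label_port(port, lookup, mode, monitored=(1, 1024)):
    """Return the application label, 'Unknown', or None if the port is not monitored."""
    if mode == "enumerated":
        # Only explicitly mapped ports are monitored; everything else is invisible.
        return lookup.get(port)
    if mode == "range":
        low, high = monitored
        if low <= port <= high:
            return lookup.get(port, "Unknown")
        return None
    raise ValueError(f"unknown mode: {mode!r}")


def top_n_applications(samples, lookup, mode, sampling_rate, n=10, monitored=(1, 1024)):
    """Estimate packets per application: each sample stands for ~sampling_rate packets."""
    if not 1 <= n <= 20:
        raise ValueError("n must be in the range 1-20")
    estimated = Counter()
    for sample in samples:
        label = label_port(sample["dst_port"], lookup, mode, monitored)
        if label is not None:
            estimated[label] += sampling_rate
    return estimated.most_common(n)


def top_n_clients(samples, n=10):
    """Rank clients by source IP as a percentage of all samples."""
    per_client = Counter(sample["src_ip"] for sample in samples)
    total = sum(per_client.values())
    return [(ip, round(100 * count / total, 1)) for ip, count in per_client.most_common(n)]


if __name__ == "__main__":
    table = build_lookup(MAPPINGS)
    print("range     :", top_n_applications(SAMPLES, table, "range", 100, monitored=(1, 5000)))
    print("enumerated:", top_n_applications(SAMPLES, table, "enumerated", 100))
    print("clients   :", top_n_clients(SAMPLES))
```

In range mode the traffic to port 4444 still appears under "Unknown", while in enumerated mode it drops out of the report entirely, which matters when the report is used to spot unexpected services.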
Anomalies
◼ Displays any anomalies that are discovered in established port utilization
trends.
⚫ The information is displayed in a list that describes the anomaly and its origins (e.g.,
IP address, Port).

◼ Anomaly detection uses Z-Score to check for anomalies in the latest port
utilization data gathered from hourly polling over the past 30 days.
⚫ Z-Score is a statistical measurement of a score's relationship to the mean in a group of
scores.
⚫ It measures utilization for a port for a specific hour to determine its relationship with
utilization for the same hour over the sampling period (30 days).
⚫ A data point that deviates considerably from an established pattern is flagged as an
anomaly and displayed on the Anomalies Screen.
⚫ Z-Score parameters are configured on the Preferences - Analytics Screen.
Anomalies

◼ Note: A minimum of 11 days of data is required for anomaly calculation.


⚫ Seasonal variation for periods of more than 30 days cannot be adequately learned
using this method. For example, an annual usage pattern would be affected by lower
usage due to holidays/vacations.
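
The per-hour Z-Score check described above, as an added example that is not OmniVista's own implementation: it compares the latest hourly utilization of a port with the same hour on previous days, uses at most 30 days of history and skips ports with fewer than 11 days. The threshold of 3.0, the use of the population standard deviation, the data layout and the sample values are assumptions.

```python
import math
from statistics import mean, pstdev

WINDOW_DAYS = 30   # sampling period stated in the text
MIN_DAYS = 11      # minimum history stated in the text
THRESHOLD = 3.0    # assumed; the real value is set on the Preferences - Analytics screen


def z_score(value, history):
    """Distance of value from the mean of history, in standard deviations."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        # A perfectly flat baseline: any deviation at all is infinitely unusual.
        if value == mu:
            return 0.0
        return math.inf if value > mu else -math.inf
    return (value - mu) / sigma


def detect_anomalies(history, latest, threshold=THRESHOLD):
    """history: {(port, hour): [utilization per past day, oldest first]}
    latest:  {(port, hour): utilization from the most recent hourly poll}"""
    findings = []
    for (port, hour), value in sorted(latest.items()):
        past = history.get((port, hour), [])[-WINDOW_DAYS:]
        if len(past) < MIN_DAYS:
            continue  # not enough data to establish a pattern
        z = z_score(value, past)
        if abs(z) >= threshold:
            findings.append({
                "port": port,
                "hour": hour,
                "utilization": value,
                "baseline_mean": round(mean(past), 2),
                "z": round(z, 2),
            })
    return findings


# Constructed utilization history (percent) keyed by (switch IP + port, hour of day).
UPLINK = "10.1.1.1 1/1/5"
HISTORY = {
    (UPLINK, 3): [4, 6] * 7,            # 14 days, quiet at 03:00
    (UPLINK, 14): [40, 60] * 7,         # 14 days, busy at 14:00
    ("10.1.1.2 1/1/1", 3): [5] * 10,    # only 10 days of data
    ("10.1.1.3 1/1/2", 9): [0] * 12,    # port that has always been idle
}
LATEST = {
    (UPLINK, 3): 62,                    # same value as below, different hour
    (UPLINK, 14): 62,
    ("10.1.1.2 1/1/1", 3): 95,
    ("10.1.1.3 1/1/2", 9): 5,
}

if __name__ == "__main__":
    for finding in detect_anomalies(HISTORY, LATEST):
        print(finding)
```

The same 62% reading is flagged at 03:00 and ignored at 14:00, which is the reason the baseline is kept per hour of day rather than per port.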
REPORT
Report
Configuration
◼ This Application creates and schedules Analytics Reports that can be viewed
and stored as PDF documents.
◼ Includes:
⚫ Information from specific Analytics Reports (e.g., Top N Users, Top N Apps)
⚫ Specific views of that report (e.g., Summary View, Detailed View).

◼ A report is generated at specific times/intervals (e.g., Daily, Weekly).
⚫ When it is generated, it takes a current snapshot of the Analytics information you
specified.

Create Report
Report
Configuration
◼ A report is created in two steps:

1) In the Report Configuration screen, click on the Create icon and complete the
fields as described below:
⚫ Report Title
⚫ Schedule Settings
▪ Purging Policy – The report will be removed from the server at the selected interval. Select
"None" to never purge the report.
▪ Schedule – "Now" generates the report immediately.
"Periodically" creates the report at specific times/intervals.
- "Simple" schedules the report generation every "x" number of days, hours,
minutes, seconds (e.g., every 5 days, every 5 minutes).
- "Cron" schedules the report generation as a cron job (e.g., every minute,
every hour, every year).
⚫ Other Settings - Optional report parameters (e.g., page size, orientation).
Report
Configuration
2) In the Analytics Application, go to the report that you want to include (e.g.
Alarms). In the upper right corner of the screen, click on the Export icon and
select Add to Report.
▪ On the Add to Report Window, select the Report from the Report Configuration drop-
down list and click OK.

▪ You can open different views (e.g., Summary View, Detailed View) and repeat
the procedure to include those views in the report.
Report
List
◼ Displays all generated reports.

◼ To download/view a report in PDF format, select the report and click on the
Download button.
◼ To delete a report(s), select the report(s) and click on the Delete icon, then
click OK at the confirmation prompt.
Application Visibility
Application Visibility
Devices Management
◼ Displays all network switches that support Application Visibility.
⚫ Name, IP address, and operational status of each switch,
⚫ Indicates whether or not an Application Visibility Profile has been assigned to the
switch.
Application Visibility
Signature Files
Application Visibility
Signature Profile Creation
◼ Select one of the predefined groups, or configure a custom application group.
◼ Two different types of groups can be created:
⚫ Monitoring group: Used for the Analytics Reports
⚫ Enforcement group: Used for the QoS and Access Role applications
Application Visibility
Signature Profile Assignment
◼ After the profile is created, it has to be assigned to the switches and its ports.
Application Visibility
Displaying Application Reports
◼ In the Analytics screen, select Top N Applications – Advanced to display the
reports

◼ Click on any application to display the switch that is identifying the flows

Application Visibility
Policies
◼ These policies are treated like regular policies, only the policy condition is set
to the enforcement group that was configured during the Signature Profile
creation
Application Visibility
QoS Enforcement
◼ The Policy has to be included in a Policy List.

◼ Then, the Policy List is included as part of the Access Role Profile configuration
OMNIVISTA 2500
How-to Setup Application Visibility

Abstract
Quick configuration guide on how to enable Application Monitoring on the OmniSwitch 6860E
and configure Application Visibility and Reporting on OmniVista.
Table of Contents

1 INTRODUCTION

2 REFERENCES

3 APPLICATION MONITORING
3.1 OMNISWITCH
3.2 OMNIVISTA 2500
3.3 APPLICATION SIGNATURE DATA BASE

4 PREREQUISITES
4.1 OV 2500
4.2 SWITCH

5 TEST SETUP INFORMATION
5.1 HARDWARE
5.2 SOFTWARE

6 SWITCH CONFIGURATION

7 OV 2500 CONFIGURATION
7.1 IMPORT SIGNATURE FILES
7.2 CREATE SIGNATURE PROFILE AND ADD SWITCH/PORTS
7.3 APPLYING SIGNATURE PROFILE TO DEVICES
7.4 ADDING WIDGETS TO DASHBOARD
7.5 DISPLAY OUTPUT
7.5.1 FLOW DATA COUNT
7.5.2 FLOW DATA USAGE STATISTICS
7.6 VERIFY CONFIGURATION ON SWITCH
7.6.1 SHOW APP-MON CONFIG
7.6.2 SHOW APP-MON PORT
7.6.3 SHOW APP-MON STATS
7.6.4 SHOW APP-MON APP-RECORD
7.6.5 SHOW APP-MON FLOW TABLE

Alcatel-Lucent Enterprise – Quick Configuration Guide OmniVista 4.2.x OmniSwitch 6860E


1 Introduction
This document details the procedure needed to set up Application Visibility - Monitoring on OmniSwitch 6860E
switches and how to collect application flow data. This document does not cover per-flow enforcement (QOS-ACL).
It provides an overview of Application Monitoring; for a detailed explanation of the feature, please
refer to the documents listed under References.

2 References
1. OmniVista User Guide
2. AOS 8x Network Configuration Guide
3. AOS 8x CLI Reference Guide

3 Application Monitoring
The Application Monitoring (app-mon) feature is available on the OS6860E. Because app-mon looks deeper into
received packets, it can detect application flows (e.g., YouTube, Netflix, Facebook).
App-mon needs three components to work: a capable OmniSwitch, OmniVista 2500, and an application signature
database.

3.1 OmniSwitch
The OmniSwitch 6860E's ASIC has a Flow Tracker and a co-processor to accomplish app-mon. When a new flow is
received on the switch, a new entry is added to the flow tracker (the flow tracker is 8K in size). When a port is
enabled for app-mon, the first few packets of the flow are trapped and sent to the co-processor. The co-processor
runs a regex pattern-matching algorithm on the received packets to see whether any patterns match the application
signatures. When a packet's pattern matches the application signatures, it is logged if Monitoring is enabled. If
Enforcement is enabled, additional controls in the form of ACLs can be applied to control the traffic.

The pattern for applications is provided by COSMOS.

3.2 OmniVista 2500


The OV 2500 manages signature files (from COSMOS). The signature files are updated when COSMOS provides new
updates based on application changes. OV 2500 sends the files to the app-mon-enabled switches.
The OV 2500 also configures the switch ports for app-mon and enforcement. It also collects the data and displays
flow information in graphical format.

3.3 Application Signature data base


Signatures are provided by COSMOS. They are available as a ZIP file. There are about 2000 application signatures
available. They get updated by COSMOS. An auto update mechanism for the signatures is available in OV 2500.

Multiple signatures may be needed to detect a particular application. The signatures in OV 2500 are grouped into
individual applications (YouTube, Facebook, Twitter, etc.) and application groups (Audio/Video, Game, Peer to Peer,
ERP, etc.). OV 2500 allows groups to be created based on need. There are 3 constructs in AOS app-mon:

• App Pool – This is the set of all signatures (An application may need multiple signatures)
• App Group – Logical group of signatures
o AOS has pre-defined groups
o User can create groups according to need



• App List – This is a pre-defined list to which groups can be added/removed
o The app-list can be enabled for Monitoring or Enforcement

The signatures can be configured to do:

• Monitoring
• Enforcement

Monitoring counts the number of flows that are detected per application.

Enforcement has two levels of control.

• Enabling enforcement will start collecting statistics (traffic counters) for application traffic. For
each flow, the amount of bandwidth will be collected (e.g., 30MB for YouTube traffic, 5 MB of
Twitter traffic).

• Enforcement can also be used to apply QOS (ACL) on a per-flow basis.

4 Prerequisites



4.1 OV 2500
1. OV 2500 has to be configured
2. Time and date should be set correctly on the VM (Based on the Virtualized environment)
3. The switch(s) should be discovered by OV 2500
4. The Signature file has to be downloaded and imported into OV 2500

4.2 Switch
1. Time and Date should be set
2. SNMP should be configured for OV 2500 to discover it
3. Switch should be setup to be accessed through OV 2500
4. Advanced Licenses should be applied to the switch(s)

5 Test setup Information


This section provides the software and hardware used.

5.1 Hardware
OS6860E-24

5.2 Software
AOS Software Release: 8.2.1.304
OV 2500 Release: 4.2.1.R01 (Build 69)

6 Switch Configuration
Since most of the configuration is done using OV 2500, there is not much to be done on the switch with respect to
app-mon.

The IPv6 flow management has to be disabled. This has been fixed in future releases.

app-mon l3-mode ipv6 admin-state disable

7 OV 2500 Configuration
The DPI configurations from OV 2500 can be modified at any time based on customer need. Any number of
switches and ports can be added. The configuration applied during runtime will be applied immediately to the
switch (no need for a reboot of the switch). The data collection from OV 2500 relies on the hourly data collected
on the switch. The users might have to wait for an hour to see the display on the Dashboard.

Please follow the steps below to configure DPI.

7.1 Import Signature Files



The signature file can be obtained from our support site (https://support.esd.alcatel-lucent.com/).
Click the Application Visibility menu under Network from the OV 2500 main page.

Select Signature File from the left and click on Import.

Browse to the location of the file and import the file.

Hit OK and the file will be imported.



7.2 Create Signature Profile and Add Switch/Ports
The Signature profile will contain the following
1. Set of Application/Groups
2. Set of Switches and Ports on that switch where app-mon will be enabled

Go to Network->Application Visibility from the main page

Select Signature Profile on the left side and click on the “+” to create a new profile

Enter the Profile Name (any string) and the Description, then click on Next.

Select the Signature File.



Click on Groups and/or Apps to select groups or applications. You can also create a new group and select
applications. For the purposes of this document, we will select “Groups” and select all groups. This is done for
Monitoring.

Application groups can be searched and selected or “+” sign can be clicked to add the groups to the profile.
For the purposes of this document, we will select the entire list (all application groups).



With all groups selected, click OK.

Click Next to Select Enforcement Groups.



Follow the same procedure to select the Enforcement application groups. For the purposes of this document,
the UNP/QOS profiles are not created.

Choose all App Groups and Select OK.



After all the Enforcement groups are selected create the profile (No need to configure UNP/QOS for the purposes
of this document).

7.3 Applying Signature Profile to Devices


This setup is to apply the created signature profile to port(s) on switch(s).

Select the signature profile and click on “Apply to Devices”



Select the switch that needs to be configured for app-mon monitoring. Click OK.

Select the Ports in the Switch by clicking on Add Port and selecting the ports on that switch



Use the search bar and/or the “+” sign to select the ports, and click to add them to the selected ports.

Click OK to select the ports needed.



Click on “Apply” at the bottom. This will take a few minutes (since we have selected all ports and all groups). Wait
till all the signatures are pushed to the switch(s). Hit “OK” at the end. If there are errors they will be displayed.

SPB Service statistics have to be disabled for App Mon Statistics to work (since they use the same counters).

This completes the assignment of Signature profiles to switches and enabling of app-mon on port(s) on the
switch(s).



7.4 Adding Widgets to Dashboard
This section lists the steps needed to configure the widgets used for displaying the graphs on the dashboard

Click on the Widget Icon on the top right corner of the OV 2500 dashboard (main page)
Click on “Add Widget”

This will open a Widget screen.

Scroll down to Select the following

1. Application Discovery 6860
2. Application Count Summary View
3. Application Count Detailed View

The output of those screens is provided in the next section.



7.5 Display Output

7.5.1 Flow Data Count


This Widget shows the number of flows received by the switch(s) for each application. Moving the mouse over
provides information about each application.



Clicking on More provides detailed information on the applications.



7.5.2 Flow Data Usage Statistics

This Widget shows the total network bandwidth. This is collected using the hardware statistics (as one part of
enforcement).



Detailed View



7.6 Verify Configuration on Switch
This section lists the set of CLI commands on the switch used to verify what has been configured by OV 2500.
This section also covers how to look at the flows that are being received on the switch.

7.6.1 Show app-mon config


This command shows the overall configuration

6860E-24-APMON-> show app-mon config


Admin State : Disable,
Operational State : Disable,
L3-IPv4 : Enable,
L3-IPv6 : Disable, (IP V6 Disabled)
Enforcement Flow-Table Stats : Enable,
Enforcement Flow-Sync Interval : 60 seconds,
Monitor Logging Threshold : 20000,
Enforcement Logging Threshold : 20000,
App-Pool Applications : 2001, <<- Signatures configured
Monitor Applied Applications : 2001,
Enforcement Applied Applications : 2001,
Upgraded Signature File Type : Production,
AOS Compatible Signature Kit Version : 1,
Signature Kit version : 1.1.2

7.6.2 Show app-mon port


This command displays port configuration for app-mon

6860E-24-APMON-> show app-mon port


Port Admin-Status Oper-Status L4-mode
----------+-------------+------------------+---------------
1/1/1 Enable Up TCP-UDP
1/1/2 Enable Up TCP-UDP
1/1/3 Enable Up TCP-UDP
1/1/4 Enable Up TCP-UDP
1/1/5 Enable Up TCP-UDP
1/1/6 Enable Up TCP-UDP
1/1/7 Enable Up TCP-UDP
1/1/8 Enable Up TCP-UDP
1/1/9 Enable Up TCP-UDP
1/1/10 Enable Up TCP-UDP
1/1/11 Enable Up TCP-UDP
1/1/12 Enable Up TCP-UDP
1/1/13 Enable Up TCP-UDP
1/1/14 Enable Up TCP-UDP
1/1/15 Enable Up TCP-UDP
1/1/16 Enable Up TCP-UDP
1/1/17 Enable Up TCP-UDP
1/1/18 Enable Up TCP-UDP
1/1/19 Enable Up TCP-UDP
1/1/20 Enable Up TCP-UDP
1/1/21 Enable Up TCP-UDP
1/1/22 Enable Up TCP-UDP
1/1/23 Enable Up TCP-UDP
1/1/24 Enable Up TCP-UDP
1/1/25 Enable Up TCP-UDP
1/1/26 Enable Up TCP-UDP
1/1/27 Enable Up TCP-UDP
1/1/28 Enable Up TCP-UDP

7.6.3 Show app-mon stats

6860E-24-APMON-> show app-mon stats


Chassis/ Total Enforcement  Total       Total TCP       Total UDP
Slot     Matched Flows      Used Flows  Overflow Flows  Overflow Packets
--------+------------------+-----------+---------------+----------------
1/1      41                 35          0               0
Total    41                 35          0               0

7.6.4 Show app-mon app-record

This command shows app-records for the current hour, for each hour, and for a twenty-four-hour period. This is the
data that OV 2500 collects and displays.

6860E-24-APMON-> show app-mon app-record current-hour

Sampling Interval Every 5-minutes


Application         Application group       Total Detected Flows
----------------------------------------------------------------+--------------------------------+------------------------
2017-01-14 14:00:00 PST 0d 00h 38m 58s

google              Web                     2
twitter             Web                     1
google_analytics    Web                     1
gstatic             Web                     21
hulu                Audio/Video             1
instagram           Web                     4
--------------------------------
Number of Applications: 6

6860E-24-APMON-> show app-mon app-record hourly

Sampling Interval Every 5-minutes


Application         Application group       Total Detected Flows
----------------------------------------------------------------+--------------------------------+------------------------
2017-01-13 19:00:00 PST 0d 01h 00m 00s
dns                 Network Service         78
google              Web                     2889
google_maps         Web                     6
ntp                 Network Service         10
snmp                Network Management      26
ssh                 Encrypted               9
youtube             Web                     9317
facebook            Web                     2579
google_ads          Web                     1647
ocsp                Encrypted               3
twitter             Web                     9506
firefox_update      Web                     8
netflix             Audio/Video             21
google_analytics    Web                     780
gstatic             Web                     9163
mozilla             Web                     3
hulu                Audio/Video             13123
instagram           Web                     2889
amazon_aws          Web                     1
akamai              Web                     1551
cloudflare          Web                     1
google_accounts     Web                     48
snapchat            Web                     243
nielsen             Web                     247
appnexus            Web                     3
--------------------------------
--------------------------------
Number of Applications: 25
--------------------------------+---------------------------------------------------
2017-01-13 20:00:00 PST 0d 01h 00m 00s
dns                 Network Service         49
google              Web                     3930
google_maps         Web                     8
ntp                 Network Service         10
snmp                Network Management      34
ssh                 Encrypted               12
youtube             Web                     12537
facebook            Web                     3485
google_ads          Web                     2233
ocsp                Encrypted               1
twitter             Web                     12852
netflix             Audio/Video             29
google_analytics    Web                     1085
gstatic             Web                     12858
mozilla             Web                     1
google_play         Application Service     1
hulu                Audio/Video             19024
instagram           Web                     3904
amazon_aws          Web                     1
akamai              Web                     2210
cloudflare          Web                     1
google_accounts     Web                     105
snapchat            Web                     353
scorecardresearch   Web                     1
nielsen             Web                     355
appnexus            Web                     4
--------------------------------
--------------------------------
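
The hourly app-record listing lends itself to a simple baseline check. The following added example (not part of the original guide) parses captured "show app-mon app-record hourly" output and reports applications that are new or that grew sharply from one hour to the next. The sample capture is constructed from a few rows of the listing above, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of "show app-mon app-record hourly".
# The first hour keeps each flow count on its own line, as wrapped captures do;
# the second hour has one record per line. The parser accepts both.
SAMPLE = """\
Sampling Interval Every 5-minutes
Application Application group Total Detected Flows
--------------------------------+--------------------------------+------------
2017-01-13 19:00:00 PST 0d 01h 00m 00s
dns Network Service
78
ssh Encrypted
9
youtube Web
9317
hulu Audio/Video
13123
--------------------------------
Number of Applications: 4
2017-01-13 20:00:00 PST 0d 01h 00m 00s
dns Network Service 49
ssh Encrypted 12
youtube Web 12537
google_play Application Service 1
hulu Audio/Video 19024
--------------------------------
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ ")
ROW = re.compile(r"^(\S+)\s+(.+?)(?:\s+(\d+))?$")
SKIP = ("Sampling Interval", "Application ", "Total Detected Flows",
        "Number of Applications")


def parse_app_records(text):
    """Return {hour_start: {app: (group, flows)}} from app-record output."""
    hours, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, separator rules and header/footer lines.
        if not line or set(line) <= set("-+") or line.startswith(SKIP):
            continue
        m = TS.match(line)
        if m:                       # start of a new sampling period
            current = hours.setdefault(m.group(1), {})
            pending = None
            continue
        if current is None:
            continue
        if line.isdigit() and pending:   # wrapped flow count for previous row
            app, group = pending
            current[app] = (group, int(line))
            pending = None
            continue
        m = ROW.match(line)
        if m:
            app, group, flows = m.groups()
            if flows is None:
                pending = (app, group)   # count expected on the next line
            else:
                current[app] = (group, int(flows))
    return hours


def group_totals(records):
    """Sum detected flows per application group for one hour."""
    totals = defaultdict(int)
    for group, flows in records.values():
        totals[group] += flows
    return dict(totals)


def hour_over_hour(prev, cur, min_growth=1.3, min_flows=10):
    """Return (new_apps, grown_apps) comparing two consecutive hours."""
    new = sorted(a for a in cur if a not in prev)
    grown = sorted(
        a for a, (_, flows) in cur.items()
        if a in prev and flows >= min_flows and flows >= min_growth * prev[a][1]
    )
    return new, grown


if __name__ == "__main__":
    hours = parse_app_records(SAMPLE)
    keys = sorted(hours)
    for prev_key, cur_key in zip(keys, keys[1:]):
        new, grown = hour_over_hour(hours[prev_key], hours[cur_key])
        print(cur_key, "groups:", group_totals(hours[cur_key]))
        print("  new applications:", new)
        print("  grew >= 1.3x:", grown)
```
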

7.6.5 Show app-mon Flow Table

This command displays the flow table for monitoring or enforcement. For the purposes of this document, we only
use monitoring.

6860E-24-APMON-> show app-mon ipv4-flow-table monitor


SrcIP DestIP SrcPort DestPort Proto App Name App Group
---------------+---------------+-----------+-----------+---------+------------------+-----------------
10.255.10.80 10.255.135.177 8080 51392 TCP google Web
10.255.10.80 10.255.135.178 8080 31436 TCP google_analytics Web
10.255.10.80 10.255.135.178 8080 31437 TCP twitter Web
10.255.10.80 10.255.135.178 8080 31439 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31440 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31441 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31442 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31443 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31444 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31445 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31446 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31447 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31448 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31449 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31450 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31451 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31452 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31453 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31454 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31455 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31456 TCP google Web
10.255.10.80 10.255.135.178 8080 31457 TCP instagram Web
10.255.10.80 10.255.135.178 8080 31458 TCP instagram Web
10.255.10.80 10.255.135.178 8080 31459 TCP instagram Web
10.255.10.80 10.255.135.178 8080 31460 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31461 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31462 TCP instagram Web
10.255.10.80 10.255.135.178 8080 31463 TCP gstatic Web
10.255.10.80 10.255.135.178 8080 31464 TCP hulu Audio/Video
10.255.10.80 10.255.135.178 8080 31465 TCP gstatic Web
Number of Flows : 30

OmniVista 2500 NMS Release 4
Using Network, Configuration & Administration Groups

Objectives
Lesson Summary

Learn how to use:
• Discovery Application
• Topology Application
• Locator Application
• Notification Application
• Audit Application
• Resource Manager Application
• CLI Scripting Application
Discovery
Discovery
Discovery wizard enables you to discover:
• Alcatel devices in the network.
• Links between devices
• Additional link information
• VLAN information
• Third-party devices from Cisco, 3Com, and Extreme.
• Any additional third-party devices for which support has been added via the Third Party Device Support
Preferences window in the Preferences application.
Discovering Devices
• OmniVista performs a discovery based on a specified IP address range and a Discovery Profile
• You can "re-discover" previously-discovered devices to update information about a device(s).
Discovery Profile - General
Contains the parameters that are used by OmniVista when performing a discovery
General
• Name - Profile name.
• CLI/FTP User Name - Used to establish CLI and FTP sessions with the devices.
• CLI/FTP Password - Used to establish CLI and FTP sessions with the devices. Note that the user name and
password specified will be used to auto-login to the devices
Discovery Profile - SNMP
SNMP
• SNMP Version that OmniVista will use to communicate with the device.
• Timeout (msec) that OmniVista will wait for a switch to respond before assuming that the request has
timed out (Default = 5,000)
• User Name (v3 only) - The SNMP version 3 user name.
• Auth and Priv Protocol (v3 only) - Used for SNMP communications with the discovered switches
(None, MD5, SHA, ...).
• Auth Password (v3 only) - Used for MD5 or SHA authentication protocol (if applicable).
• Priv Password (v3 only) - Used as secret key (if applicable).
• Context Name (v3 only) - An SNMP context is a collection of management information accessible by an
SNMP entity, in this case OmniVista.
• Context ID (v3 only) - Each context must be identified by a unique context name and a unique context ID.
Discovery Profile - Advanced

Advanced Services
• Trap Station Name - The device user name that will be used when an AOS device is configured to send
traps to OmniVista.
• Discover Link - Specifies how OmniVista will discover the physical links associated with the discovered
devices.
• Shell Preference - Specifies the default command line interface to be used for discovered devices: Telnet
or SSH
• Use Get Bulk - When enabled, the "Get Bulk" operation is used for retrieving large amounts of data,
particularly from large tables
• Max Repetitions - The number of rows of table data that the "Get Bulk" operation will request in each
"Get Next" operation.
Discover New Devices – IP Ranges
Define address ranges to discover devices
Associate Address Ranges to SNMP Setups
Discovery – Start Discovering
After creating the IP Range, click on the Discover Now button
Discovery – Managed Devices
Displays a list of all network devices that are currently being managed by OmniVista.
There are two tabs.
• "ALL" displays all managed devices (LAN Devices and APs).
• "OAW" displays only managed APs.
Discovery – Hardware Inventory
Displays inventory information (e.g., CMM, Chassis, Power Supplies) for any discovered device
Discovery - Links
Displays existing links in the network
• Automatically discovered using AMAP or LLDP
• Links can also be added manually
Discovery – Manual Link
Manual links are persistent and are displayed in RED when the link goes down.
Configuring manual links for critical links is recommended, as it provides better monitoring capabilities.
Manual links are also useful for creating links between ALE devices and external devices.
Discovery - Ports
Displays information about ports on network devices
• Enables/Disables device ports
Discovery – SPB Ports
Displays information about SPB Services Ports on network devices.
• SPB Services are configured on edge devices, so only edge devices are displayed.
Discovery – Third-Party Devices Support
Discovery and support of third-party (non-AOS) devices.
Once third-party devices have been discovered, OV supports the following:
• Web Browser, Telnet or SSH
• Custom MIBs
• Custom Icons
• Traps
• Locator
Discovery – Adding Third-party Device Support

Create Mibset
• OID: Device’s Object ID
• Display Name: Name to be used for the device
• Mib Directory Name: If you want to use MIB-2 level support for third-party devices, enter mib-2. This
generic directory already exists in OV. If you are not using standard MIB-2, enter a directory name.
Discovery – Import MIBs
Imports new or updated MIB files to OmniVista.
All MIB files must have a file extension of .mib.
If you create a new MIB directory, you must import a complete set of MIBs into that directory.
Select the Mibset to be updated from the drop-down box and click on the Import button.
Discovery – Scheduled Upgrades
Allows multiple switches to be upgraded at the same time
• Upgrade can be done immediately or scheduled for a later time
Discovery – Scheduled Upgrades
User can set the same or different software version for each device
• Directory in which the new version will be installed can be defined as well
Discovery – Scheduled Upgrades
At the end of the software update, the user can go to the Managed Devices window to review the
result of the action
• Verify that the directory where the installation was made is correct and that the status of the update
is successful
Discovery – NaaS Device Licenses
• A device interacts with a designated License Activation Server to obtain a Device License:
• NaaS. The switch is a licensed device that participates in the NaaS subscription-based model.
• CAPEX. The switch does not participate in the NaaS subscription-based model.
• CAPEX Undecided. The switch has not yet obtained a license
Topology
Topology – Geo Map View
Google Maps for Topology
• Display of Google Maps for geolocating sites
• Zoom-In / Zoom-Out for displaying Countries / Cities / Sites
• Switch to Topology application for moving to floor plans

Sites / Devices on Google Maps
• Declare sites using address or coordinates
• Add custom notes on maps
• Link between sites showing health status
Topology – Physical Network View
Topology of discovered devices in the network
• All discovered devices (default)
• Highlight specific devices or links
• Re-arrange devices in a map
• Create custom maps
Topology - Maps
Create and Manage Maps
• Physical/Logical
• Location
• Background Images
• Custom Map
• Custom Color
Topology – Device Operations and Information
When clicking on a device in the map, you can:
• View detailed information
• Perform certain operations
[Figure: device actions in the map. Left mouse click (displays Detail panel on the right of the screen), Pointing at the device, Right mouse click]
Topology – SPB Network Mode
Displays link information for devices by BVLAN or SPT links between devices.
• You can also navigate to the SPB Services Screen to view detailed information about all SPB Services.
• To bring up an SPB Map, click on the Map Level Actions drop-down at the top of the screen and
select SPB Network
Topology – SPB Network Mode
Viewing Options
• BVLAN. Enter a BVLAN ID in the Search Bar to bring up a list of linked devices on the BVLAN.
Click on a link to highlight the link in the map.
• SPT Links - Click on the "Available" link to display a list of all available SPT links between the
devices by BVLAN.
Locator
Locator Application
Locates Switches and Devices
• IPv4 / v6 Address
• Mac Address
• Authorized User
Locator – Browse
Displays
• Search Criterion
• Search Results
• Map Location
Locator – Search Results
Locate on Map
If the device you are searching for is a switch:
• A notification will appear and you can click on the Locate on Map button to launch the Topology
application and display a regional map in the Physical Network that contains the selected device.
• The device is automatically selected and centered in the map display.
Ethernet OAM
SAA Ethernet OAM
• Displays information about all configured SAAs and is used to create, edit, and delete SAAs
between switch pairs.
Viewing SAA Statistics
• View statistics for configured SAA in terms of:
• Jitter, RTT, Packet Loss
• It can also be displayed from the Main Dashboard
[Figure: Bar Chart and Line Chart views]
Notifications
Notifications
Notifications
• Displays traps for switches.
- View by table
- View by device tree
• Click on the trap to view detailed information.
Configuring Alarm Sounds
Set audible alarm sounds for certain OmniVista actions:
• UI Inactivity timeout
• Notifications Traps
Audit
Audit
Monitors client and server activity
• Date and time when a user logged into OmniVista
• Device added to the discovery database
• Configuration file was saved, etc.
OmniVista organizes this information and stores it in the following categories
User Activity Report
Contains detailed information about actions in OV
• User / Client IP
• Action / Status ...
Resource Manager
Resource Manager
Resource Manager – Backup/Restore
Backup and Restore to OmniVista
• Firmware
• Configuration Files
Manage Files
• Compare config files
• Edit Backup files
• Save as new Backup
• Optimize Backup files
Resource Manager – Compare
Text file comparison (boot.cfg)
• Select files from list
• Same or different backup or switch
Determine changes
• GUI
• Color coded
Edit/Save/Restore
• Save as new
Resource Manager - Upgrade Image
Upgrade Image
• Import/Upgrade
• Image files
• Firmware files
• Scheduled
Resource Manager - Inventory
Inventory from known Switches
• Software / Hardware
• Condensed / Detailed Content
Resource Manager – Auto Configuration
Auto Configuration
• Remote Configuration
• Remote Upgrade
Resource Manager – Switch File Set
Switch File Set
• Background
• Banner
• Logo
• Captive Portal
- Welcome
- Welcome Fail
- Login Help
- Welcome Login
- Policy
- Welcome Status
Two-factor Authentication
Two-Factor Authentication
• Displays Two-Factor Authentication Status by User Role
• Used to enable/disable Two-Factor Authentication for user login based on User Role.
• It requires a user to enter an authentication code after entering their login/password to access
OmniVista.
Two-Factor Authentication Initial Setup
• Two-Factor Authentication uses the Google Authenticator App to generate a time-based, 6-digit code
that is used to log into OmniVista.
• The user must first download the Google Authenticator App to their phone.
• After entering your login/password on the OmniVista Login Screen, the following Two-Factor
Authentication Screen will appear.
Two-Factor Authentication Initial Setup
• Open the Google Authenticator App on your phone and use your phone to scan the QR Code on the
login screen into the App.

• Enter the code for your user account into the TOTP Code Field on the OmniVista Login Screen and
click Verify to log into OmniVista.
CLI Scripting
Create Telnet Scripts
Create Exit & Apply Scripts
• Preconfigured files
• Create scripts in OV or text editor
• Import Scripts
Send Scripts
• Select a Script
• Select Switches
• Schedule and send the script
View Log
View Script Log
• Success / Error
• Syntax errors
SSH/Telnet
SSH/Telnet to a New Device
New from 4.3R2 and later

SNMP users and community strings need to be configured on devices before they can be
managed by OmniVista.
You can now SSH/Telnet to a newly added device that is not yet reachable by SNMP to
configure the device for OmniVista management.
Switch User Account
Switch User Account
Creates switch user accounts through UPAM
• After creating a switch user, you create an AAA Profile for the user, setting UPAM as the server used
for switch access, and assign the AAA Profile to network switches
Switch Access Record
Displays information about user authentication access to network switches through UPAM.
OmniAccess Stellar WLAN
Remote Access Point (RAP) Deployment – OV Cirrus (Freemium) & OV 2500

Objective
✓ Learn how to set up the different equipment in order to deploy an
OmniAccess Stellar Access Point as a Remote Access Point (RAP)

Contents
1 Topology
2 Configuring the OmniVista Cirrus
2.1. Logging into the OmniVista Cirrus
2.2. Declaring the OmniAccess Stellar AP as Remote AP Point
2.2.1. Retrieving the Stellar AP Serial Number & MAC Address
2.2.2. Declaring the Stellar AP in the OmniVista Cirrus
2.3. Configuring the VPN Settings
3 Connecting the OmniAccess Stellar Access Point
4 Importing the VPN Configuration
5 Configuring the VPN Server Virtual Appliance
5.1. Configuring the VPN Server Virtual Appliance Basic Settings
5.2. Configuring the VPN Server Virtual Appliance Settings
5.2.1. Configuring the Network Interfaces
6 Checking the VPN Status
7 Configuring the OmniVista 2500 NMS
7.1. Adding a Default Route in the OmniVista 2500 NMS
7.2. Discovering the Remote Access Point in the OmniVista 2500 NMS
7.3. Filling the VPN Tunnel (client’s traffic) Settings
7.4. Exporting the VPN Tunnel (client’s traffic) settings
7.5. Assigning the VPN Tunnel (client’s traffic) to the Remote AP
7.6. Creating an Employee SSID
7.7. On the Remote site
8 Configuring the VPN Server Virtual Appliance
9 On the Remote Site
10 [Add-On] Creating an OmniVista Cirrus Account
10.1. Logging into the OmniVista Cirrus
10.2. Verify Your Account
11 [Add-On] Deploying the ALE VPN Server on VMware ESXi
11.1. Deploying the Virtual Appliance

1 Topology
During this lab, we will use the following topology:

[Figure: lab topology. Remote site: AP and router (192.168.1.76, 192.168.1.1). OmniVista Cirrus Freemium cloud. Main site: VPN Server and OmniVista 2500 (10.130.5.50).]

VPN Server
- Public IP@: x.x.x.x (hidden)
- Private IP@: 10.130.5.251
- VPN Server IP@ (vpn_mgmt): 192.168.0.1
- VPN Client IP@ (vpn_mgmt): 192.168.0.2-20
- VPN Server IP@ (vpn_data): 10.7.0.61
- VPN Client IP@ (vpn_data): 10.7.0.55-60

2 Configuring the OmniVista Cirrus


The OmniAccess Stellar Access Point to be deployed as a Remote Access Point (RAP) must first be declared in
the OmniVista Cirrus.

The OmniVista Cirrus is a cloud-based network management system. To log into this application, an account
is necessary. Two types of accounts are available:
- Freemium: free account that provides limited features for an unlimited number of registered devices.
- Paid: full OmniVista Cirrus functionalities for the subscribed number of devices and services for the length
of your contract.

In this lab, we will use a Freemium account. To learn how to create a Freemium account, please refer to the
dedicated part available in the add-on section of this lab.

2.1. Logging into the OmniVista Cirrus

Web Browser
Access the OmniVista Cirrus webpage: https://registration.ovcirrus.com/
Enter your credentials (Freemium account)

2.2. Declaring the OmniAccess Stellar AP as Remote AP Point

2.2.1. Retrieving the Stellar AP Serial Number & MAC Address


First, retrieve the Stellar AP serial number and MAC address information. You will need it in the next part.
This information can be found on the label at the rear of your Stellar Access Point:

2.2.2. Declaring the Stellar AP in the OmniVista Cirrus

Go to Network > Inventory > Device Catalog
Click on (upper right corner of the screen)
Enter the AP Serial Number
Select Device Filters = AP
See the Tips below to learn where to find the AP Serial Number
Desired Software Version: From this field, you can select a software version for the AP to be upgraded.
Enter the AP MAC Address
Select Is this a Remote AP ? YES

2.3. Configuring the VPN Settings


VPN settings and the OmniVista 2500 NMS IP address must be configured on the OmniVista Cirrus. The
OmniVista Cirrus will then send this information to the Remote Access Point so that it can reach
the OmniVista 2500 NMS through a VPN tunnel.

[Figure: VPN > MGMT TRAFFIC tunnel between the remote-site AP and the main-site VPN Server (PUBLIC IP@: 6550); OmniVista 2500 at 10.130.5.50]
VPN SETTINGS:
- CLIENT IP@ RANGE: 192.168.0.2 TO .20
- SERVER IP@: 192.168.0.1

Enter the VPN Settings
Then, click on Save VPN Setting & Create Device

VPN Settings Name: User-configured name for the VPN configuration.
Server's Public IP: The VPN Server's Public IP address (configured when you installed the VPN VM). This is the IP
address used by Remote APs to connect to the VPN Server. And this is the interface through
which traffic originating from inside the Enterprise Network flows to the Remote site.
Port: The VPN Server Port.
Server's VPN IP: The VPN Server's Private IP address (configured when you installed the VPN VM). This is the
interface through which traffic originating from the Remote AP flows to reach a destination
inside the Enterprise Network.
OmniVista Enterprise Server IP: The IP address of the OmniVista 2500 NMS that will manage the devices.
Client VPN IP Address Pool: The range of addresses available to assign to Remote APs. You can select IP range and insert
a range of IP addresses, or a shorthand mask.

3 Connecting the OmniAccess Stellar Access Point

[Figure: topology with the remote-site AP connected to the Internet through the router; remote-site addresses shown: 192.168.1.79, 192.168.1.1]

Connect the OmniAccess Stellar Access Point that must act as the Remote Access Point to the Internet. After a few
moments, the OmniAccess Stellar Access Point is seen as registered on the OmniVista Cirrus:

Check the AP’s Device status

4 Importing the VPN Configuration

[Figure: VPN SETTINGS (.CONF FILE) exported from the OmniVista Cirrus for the main-site VPN Server]

Now that the Remote Access Point has been registered in the OmniVista Cirrus, let’s export the VPN settings.
In the next part (5 - Configuring the VPN Server Virtual Appliance), we will import these VPN settings in order
to configure the VPN server.

OmniVista Cirrus Web Administration Interface
Click on Export VPN Settings
Select the line corresponding to the VPN Server configured previously (ex. VPN_Server)
Click on Export
A new window appears, asking you to download a <VPN Server name>.conf file
Download the file

Warning
KEEP THE CONF FILE IN A SAFE PLACE, AS WE WILL NEED TO IMPORT IT INTO THE VPN SERVER VIRTUAL APPLIANCE AT
THE END OF THE NEXT PART.

5 Configuring the VPN Server Virtual Appliance

[Figure: topology highlighting the main-site VPN Server, with its PUBLIC IP@ and the address 10.130.5.251]

Tips
To learn how to deploy the ALE “VPN Server” virtual appliance, please refer to the dedicated add-on part
available at the end of this lab.

5.1. Configuring the VPN Server Virtual Appliance Basic Settings

Web Browser
Click on to start the VM
Click on the icon to open a console window
Select the language (ex. English)
Enter y to confirm
If necessary, configure a new keyboard layout
Accept the end-user license agreement
Enter, then confirm, the password for the admin account (ex. Alcatel.0)

The virtual machine reboots to take the basic settings into account.

5.2. Configuring the VPN Server Virtual Appliance Settings

VPN Server Console
Log into the VPN Server VA
- login: admin
- password: <password set at previous step>
The Main Menu is displayed

5.2.1. Configuring the Network Interfaces


- Configure the Network Interface 1 (Public IP@):

VPN Server Console
Select Network Interfaces in the menu then press Enter
- Enter 1 to configure the NIC1 (eth0)
- Select OK and press Enter
Enter the VPN Public IP@ and its prefix length
Select Save, then press Enter
Press Enter to confirm

- Configure the Network Interface 2 (Private IP@):

VPN Server Console
Select Network Interfaces in the menu then press Enter
- Enter 2 to configure the NIC2
- Select OK and press Enter
Enter the VPN Private IP@ and its prefix length
Select Save, then press Enter
Press Enter to confirm

- Configure the gateway:

VPN Server Console
Go to Network Settings… > Configure a network setting…
Press Enter
Select Configure Default Gateway
Press Enter
Enter the Gateway IP@
Select Save, then press Enter
Press Enter to confirm

- Configure the DNS server(s):

VPN Server Console
Select Configure Default Gateway
Press Enter
Enter the DNS IP@
Select Save, then press Enter
Press Enter to confirm

- Enable the SSH feature:

VPN Server Console
From the main menu
Select Network Services… > Configure a network service
Press Enter
Select ssh
Press Enter
Select the option corresponding to your private IP@ (ex. 2)
Enter the port number (ex. 6550)
Select Save, then press Enter
Confirm, then press Enter
Press Enter to confirm

- Apply the configuration changes:

VPN Server Console
From the main menu
Select Apply Configuration Changes
Select OK, then press Enter

- Now that SSH/SFTP is enabled, upload the VPN server configuration (.conf file) to the VPN server
VM:

Windows
Open FileZilla Client
Connect to the VPN Server by entering the following information:
- Host: VPN Server Private IP@ (ex. 10.130.5.251)
- Username: admin
- Password: VPN Server password (ex. Alcatel.0)
- Port : 22
Click Quickconnect
Transfer the <VPN Server name>.conf file in the folder /opt/OmniVista_2500_NMS/data/vpn_conf/vpn_profile

- Configure the VPN service:

VPN Server Console
From the main menu
Select Network Services… > Configure a network service
Press Enter
Select vpn_
Press Enter
Enter the appended name (ex. vpn_mgmt)
Select the Public IP@
Enter the desired port


- Apply the VPN configuration transferred from the OmniVista Cirrus:

VPN Server Console
From the main menu
Select Network Endpoints…
Press Enter
Select Configure a VPN endpoint
Select the VPN server configuration (ex. vpn_mgmt)
Select the configuration file (ex. VPN_Server.conf)
Select the interface (ex. None (Layer 3 VPN))
Select Save, then press Enter
Press Enter to save the configuration
Press Enter to confirm

- Apply the configuration changes:

VPN Server Console
From the main menu
Select Apply Configuration Changes
Select OK, then press Enter
Press Enter to confirm

6 Checking the VPN Status

[Figure: VPN > MGMT TRAFFIC tunnel between the remote-site AP (IP@: 192.168.0.2) and the main-site VPN Server (IP@: 192.168.0.1)]

- Now that the VPN Server configuration is complete, reboot the OmniAccess Stellar Access Point to
reinitialize the VPN connection process.

- To check the VPN status:

VPN Server Console
From the main menu
Select Maintenance…
Press Enter
Select VPN Status
Press Enter
A “peer” section should appear with a public IP@, the latest handshake operation,
and transfer information.

7 Configuring the OmniVista 2500 NMS


Now that the OmniVista Cirrus and VPN Server are configured, and the VPN tunnel created between the VPN
Server and the remote OmniAccess Stellar Access Point, let’s configure the OmniVista 2500 NMS. In this
server, we will configure the settings that will be sent to the remote OmniAccess Stellar Access Point.

Notes
In this part, we consider that the OmniVista 2500 NMS Virtual Appliance has already been deployed and that the
initial configuration has already been done (IP address, gateway, password…)
If not done, please refer to the lab dedicated to the installation of the OmniVista 2500 NMS.


7.1. Adding a Default Route in the OmniVista 2500 NMS


To make it possible for the OmniVista 2500 NMS to reach the Remote Access Point, a default route must
be created:

Web Browser
Select the OV2500 VA, then click on the icon
Enter the login and password (ex. cliadmin/Alcatel.0)
Select [2] Configure the Virtual Appliance
Select [8] Configure Route
Select [3] Add Route v4
Enter your default route information
Ex:
- subnet: 192.168.0.0
- netmask: 255.255.255.0
- gateway: 10.130.5.251
Enter y to confirm
Press [0] Exit several times to go back to the main menu


7.2. Discovering the Remote Access Point in the OmniVista 2500 NMS

OmniVista 2500 NMS Web Admin Interface


Log into the OmniVista 2500 NMS (ex. 10.130.5.50)
Go to NETWORK > AP REGISTRATION > Access Points
Select your Country/Region and Timezone
The Remote AP should appear in the Managed AP tab

7.3. Filling the VPN Tunnel (client’s traffic) Settings


Let’s now create a L2GRE tunnel. The L2GRE tunnel will be created between the Remote AP and the VPN
Server. It will carry the remote employee’s data traffic.

[Figure: Router, AP, OmniVista 2500 and VPN Server across the remote site and the main site, with the VPN > MGMT TRAFFIC tunnel]

VPN settings (VPN > client data traffic):
- Client IP@ range: 10.7.0.55 to .60
- Server IP@: 10.7.0.61

OmniVista 2500 NMS Web Admin Interface


Go to NETWORK > AP REGISTRATION > Data VPN Servers
Click on the icon to create a new VPN Server
Enter the VPN Settings
Click Apply

Name: User-configured name for the VPN configuration.

Server's Public IP: The VPN Server's Public IP address (configured when you installed the VPN VM). This is the IP address used by Remote APs to connect to the VPN Server. It is also the interface through which traffic originating from inside the Enterprise Network flows to the Remote site.

Port: The VPN Server Port.

Server's VPN IP: The VPN Server's Private IP address (configured when you installed the VPN VM). This is the interface through which traffic originating from the Remote AP flows to reach a destination inside the Enterprise Network.

Client VPN IP Address Pool: The range of addresses available to assign to Remote APs. You can select IP range and enter a range of IP addresses, or a shorthand mask.

7.4. Exporting the VPN Tunnel (client’s traffic) settings

OmniVista 2500 Web Administration Interface


Click on Export VPN Settings
A new window appears, asking you to download a <VPN Server name>.conf file
Download the file

Warning
KEEP THE .CONF FILE IN A SAFE PLACE, AS WE WILL NEED TO IMPORT IT INTO THE VPN SERVER VIRTUAL APPLIANCE AT THE END OF THE NEXT PART.

7.5. Assigning the VPN Tunnel (client’s traffic) to the Remote AP

OmniVista 2500 Web Administration Interface


Go to NETWORK > AP REGISTRATION > AP Group
Select the Remote Access Point’s AP Group (ex. default group)
Click the icon (top right of the screen)
In the Data VPN Setting, select the Data VPN Server(s) previously created.
Click Commit

Tips
During this lab, the default AP Group is used. If desired, it is also possible to create an AP Group dedicated to Remote Access Points and put in it all the settings that will be sent to these Remote APs.

7.6. Creating an Employee SSID


For testing purposes, we will create an SSID dedicated to Employees that will be broadcast by the Remote Access Point.

Notes
This part is designed as a quick reminder, as the Employee SSID creation is covered in detail in a dedicated lab.

> Select WLAN > SSIDs > SSIDs
> Click on the + button
> SSID Service Name: EmployeesX (X = R-Lab number)
> SSID: <filled automatically>
> Usage: Enterprise Network for Employees (802.1X)
> Click on Create & Customize

> Allowed Band: 2.4GHz and 5GHz
> Encryption Type: WPA3_AES

Authentication Strategy
> RADIUS Server: UPAMRadiusServer
> Click on Manage Employee Accounts

// Employee account creation //
> Click on the + button
> Username: Employee
> Password: password
> Click on Create
> Click on Close

Default VLAN/Network
Select Use Tunnel
Enter the Tunnel ID (must be 0)
Double click in the field, then select the VPN Server configured in a previous step.

Select the desired AP Group (ex. default group)
Click on Save and Apply to AP Group

7.7. On the Remote site


The OmniVista 2500 then pushes its configuration to the Remote Access Point. The SSID created in the previous step should now be broadcast on the remote site:

8 Configuring the VPN Server Virtual Appliance

[Figure: VPN settings (.conf file) – Router, AP, OmniVista 2500, VPN Server – Remote site / Main site]

- As in one of the previous steps, upload the VPN server configuration (.conf file) to the VPN server VM:

Windows

Open FileZilla Client
Connect to the VPN Server by entering the following information:
- Host: VPN Server Private IP@ (ex. 10.130.5.251)
- Username: admin
- Password: VPN Server password (ex. Alcatel.0)
- Port: 22
Click Quickconnect
Transfer the <VPN Server name>.conf file in the folder /opt/OmniVista_2500_NMS/data/vpn_conf/vpn_profile

- Configure a new network service:

VPN Server Console

From the main menu
Select Network Services… > Configure a network service
Press Enter
Select vpn_
Press Enter
Enter the appended name (ex. vpn_data)
Select the Public IP@
Enter the desired port (ex. 6551)
Select Save, then press Enter
Save the configuration

In this lab, on the main site, we are using 2 different networks:

- One dedicated to the management equipment (ex. OV2500) > VLAN 1305, IP@ range: 10.130.5.x
- The other one dedicated to the clients/employees > VLAN 30, IP@ range: 10.7.0.x

[Figure: VPN Server interfaces ETH0, ETH1 and ETH2 – public interface (x.x.x.x, hidden), mgmt network (VLAN 1305, 10.130.5.x), clients network (VLAN 30, 10.7.0.x)]

MAIN SITE

VPN Server
- Public IP@: x.x.x.x (hidden)
- Private IP@: 10.130.5.251
- VPN Server IP@ (vpn_mgmt): 192.168.0.1
- VPN Client IP@ (vpn_mgmt): 192.168.0.2-20
- VPN Server IP@ (vpn_data): 10.7.0.61
- VPN Client IP@ (vpn_data): 10.7.0.55-60

OMNIVISTA 2500
- 10.130.5.50
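The addressing plan above only works if the route added in 7.1 covers every vpn_mgmt tunnel address and the vpn_data pool sits inside the clients network. The following check is an added example, not part of the training guide; the /24 masks for the two site networks and the dictionary layout are assumptions, the addresses are the lab's own example values.

```python
import ipaddress

# Lab example values from this guide. The /24 masks on the two site networks
# are an assumption (the guide only writes 10.130.5.x and 10.7.0.x).
PLAN = {
    "mgmt_net": "10.130.5.0/24",      # VLAN 1305
    "clients_net": "10.7.0.0/24",     # VLAN 30
    "ov2500": "10.130.5.50",
    "vpn_private": "10.130.5.251",
    "route": {"subnet": "192.168.0.0", "netmask": "255.255.255.0",
              "gateway": "10.130.5.251"},
    "vpn_mgmt": {"server": "192.168.0.1", "pool": ("192.168.0.2", "192.168.0.20")},
    "vpn_data": {"server": "10.7.0.61", "pool": ("10.7.0.55", "10.7.0.60")},
}


def pool(first, last):
    """Expand an inclusive first-last range into individual addresses."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError(f"pool {first}-{last} is reversed")
    return [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]


def check_plan(plan):
    """Return a list of problems found in the plan; an empty list means consistent."""
    problems = []
    mgmt = ipaddress.ip_network(plan["mgmt_net"])
    clients = ipaddress.ip_network(plan["clients_net"])
    route = plan["route"]
    try:
        # strict parsing rejects a subnet value that has host bits set
        route_net = ipaddress.ip_network(f'{route["subnet"]}/{route["netmask"]}')
    except ValueError as exc:
        return [f"route: {exc}"]

    gateway = ipaddress.ip_address(route["gateway"])
    ov2500 = ipaddress.ip_address(plan["ov2500"])
    # The next hop must be on the same subnet as the OV2500 ...
    if ov2500 not in mgmt or gateway not in mgmt:
        problems.append("route: gateway is not on the OV2500's own subnet")
    # ... and must be the VPN Server, which terminates the tunnels.
    if gateway != ipaddress.ip_address(plan["vpn_private"]):
        problems.append("route: gateway is not the VPN Server private IP")

    pools = {}
    # vpn_mgmt addresses must be covered by the route added on the OV2500;
    # vpn_data addresses must sit inside the clients network.
    for name, container in (("vpn_mgmt", route_net), ("vpn_data", clients)):
        server = ipaddress.ip_address(plan[name]["server"])
        addrs = pool(*plan[name]["pool"])
        pools[name] = set(addrs)
        outside = [a for a in [server, *addrs] if a not in container]
        if outside:
            problems.append(
                f"{name}: {outside[0]} (and {len(outside) - 1} more) "
                f"is not inside {container}")
        if server in pools[name]:
            problems.append(f"{name}: server IP {server} is also in the client pool")
    if pools["vpn_mgmt"] & pools["vpn_data"]:
        problems.append("vpn_mgmt and vpn_data client pools overlap")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```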

The VLANs are tagged on the virtual machine interfaces:



- Import the VPN Endpoints configuration:

VPN Server Console

From the main menu
Select Network Endpoints…
Press Enter
Select Configure a VPN endpoint
Select the VPN server configuration (ex. vpn_data)
Select the configuration file (ex. VPN_Server_Conf.conf)
Select the eth2 interface
Select Save, then press Enter
Press Enter to save the configuration
Press Enter to confirm

- Apply the configuration changes:



VPN Server Console

From the main menu
Select Apply Configuration Changes
Select OK, then press Enter
Press Enter to confirm

9 On the Remote Site


If a client connects to the SSID broadcast by the Remote Access Point, it is now able to connect to the company network.

Client (ex. Windows 10)

Click on the icon (bottom right)
Select the SSID EmployeesX (X = R-Lab Number)
Click on Connect
Enter the credentials
Username: Employee
Password: password
Click on OK
Click on Connect

In our example, the client has received an IP address in the range dedicated to the employees:

10 [Add-On] Creating an OmniVista Cirrus Account

10.1. Logging into the OmniVista Cirrus

Web Browser

Go to the OmniVista Cirrus webpage: https://registration.ovcirrus.com/
Click Create New Account
1 – Fill the personal information
Fill the information about your company
Check the 2 boxes
Click Create Account

10.2. Verify Your Account


An email is then automatically sent to the address entered during the account creation process.

Mail
Click the link GO TO VERIFY ACCOUNT

Your account is now ready for use.



11 [Add-On] Deploying the ALE VPN Server on VMware ESXi

11.1. Deploying the Virtual Appliance


The VPN Server Virtual Appliance can be downloaded from the ALE Business Partner Web Site (BPWS).
In this lab, we will deploy the VPN Server on a VMware infrastructure. This virtual appliance can also be deployed on a Hyper-V infrastructure.

VMware Web Console

Log into the VMware ESXi
Right click and select Deploy OVF Template… in the contextual menu
Select Local File
Click on Browse…
Select the .ovf and .vmdk files
Click Open, then click Next
Insert a name for the VPN Server VA, then a folder where this VA will be deployed.
Select a compute resource (depends on your infrastructure)
Click Next
Review the details
Click Next
Check the box “I accept all license agreements”
Click Next
Select a storage (depends on your infrastructure)
Click Next
Select the destination network for the network cards
Click Next
Click on Finish to launch the deployment
OMNIACCESS STELLAR WLAN
VOWLAN

PORTFOLIO FOR VOICE
ENTERPRISE HANDSET

• Handsets
• ALE NOE & SIP standard protocols handled
• Models: 8168s, 8158s, 8118, 8128, ASCOM
• 8168s for industrial use

• Key Features
• Seamless Roaming
• Power Save
• Real-time handset location (Ekahau RTLS for OT8168s and OT8128)

• Handset Management & Alarm Tool
• USB Configuration Cradle
• IMS3 Mass Deployment Server

• Handset Accessories
• Rack Charger, Battery Rack Charger, Desktop Charger, Battery
• Belt & Swivel Clips, Carrying Case

IOS & ANDROID MOBILE, LAPTOP WITH VOICE

• Voice applications:
• Rainbow UCaaS client
• Rainbow mobility with OXO/OXE integration
• OTC mobile application
• Non-ALE softphones applications (Facetime,…)

• Roaming assistance with 802.11r/k/v protocols


• iOS 8 and above
• Samsung Galaxy S7 minimum
• S9 minimum for 802.11v

Voice over WLAN quality may vary depending on the hardware/Operating System of the device on which the voice application is installed
STELLAR LINEUP FOR VOICE

• Support of Voice on all access points
• Update your APs to the latest available release

Model     Segment   Placement   Wi-Fi generation
AP1201    SMB       Indoor      Wi-Fi 5
AP123x    MLE       Indoor      Wi-Fi 5
AP1301    SMB       Indoor      Wi-Fi 6
AP1301H   Hosp.     Indoor      Wi-Fi 6
AP1311    SMB       Indoor      Wi-Fi 6
AP132x    MLE       Indoor      Wi-Fi 6
AP1351    MLE       Indoor      Wi-Fi 6
AP136x    Rugged    Outdoor     Wi-Fi 6
AP1411    SMB       Indoor      Wi-Fi 6E
AP1431    MLE       Indoor      Wi-Fi 6E
AP1451    MLE       Indoor      Wi-Fi 6E
AP1511    SMB       Indoor      Wi-Fi 7
AP1521    MLE       Indoor      Wi-Fi 7
VOICE WLAN DEPLOYMENT PROCESS
VOICE OVER WLAN DEPLOYMENT STEPS
These are the major steps for the deployment of VoWLAN in a WLAN Stellar environment.
In any case, please refer to the document « VoWLAN Deployment Guide » in the appendix.

Prepare: Identify the Voice usages: understand the challenges and requirements
Plan: Requirements: wireless infrastructure, Voice devices, environments, performance, security and management
Design: Choice of architecture
Implement: Deploy and manage Voice users as per design
Operate: Provide Voice service to users, maintain and extend the service
PREPARATION 1
Prepare

• Requirements
• What are the voice coverage requirements?
• What is the bandwidth required for the handsets and/or applications?
• What is the placement of the APs?

• Requirements for Voice
• 1 access point / 255 m²
• Number of users per AP – Average of 20-25 users

• Actions
• Site survey
• Analyze the RF environment
• Discover the source of interferences and their level
• Number of APs required (Fig. 1)
• AP placement calculation (Fig. 2)
• Identify areas that require multiple APs for High Availability (eg: reception desk)

[Figure 1: cells overlap, radius of cells, -70dBm, -60dBm]
[Figure 2: APs placement, 5 GHz Tx Power]
PLAN 2
Plan
• Define the Voice service
• Bandwidth required
• « Voice » WLAN configuration
• Level of Security
• Select the appropriate level of encryption and authentication

• Recommended configuration for « Voice »
• RF Management
• 5GHz preferred (robust, best performance)
• Capacity planning
• 20 to 25 clients per AP, providing 36 Mbps user throughput
• Roaming:
• Activate the roaming options supported by the devices.
• Plan dedicated SSIDs for devices sharing the same capabilities
• Generally a -62dBm RSSI (or better) is required to ensure correct roaming
• Reliable and redundant AP network
DESIGN 3
Design

• Antennas & Channels selection
• Channels selection is country dependent
• Non-overlapping channels on adjacent APs
• Channels aggregation in 802.11ac

• QoS
• Policies designed for Voice operations (VoIP real-time) (Fig.1)
• Policies designed for real-time conferencing (Collaborative apps) (Fig.1)
• Voice enforcement (optional) with Stellar DPI/app monitoring (Fig.2)

• Architecture
• 802.11ac data throughput requires Gigabit-capable user ports on the access switches
• Dedicated VLAN for voice with guaranteed bandwidth and QoS

[Figure 1: differentiated service for Voice, Collaborative apps (high priority traffic) and best effort traffic across Wireless LAN (WMM), Edge LAN and Core (tagged DSCP, 802.1p); WMM Queuing Management, QoS Aware RF Management, Voice Application Bandwidth Management]
[Figure 2: Deep Packet Inspection (AP12XXs), Voice Signatures Kits, Network Analytics and application visibility; tagged Voice application flows and bandwidth enforcement across Wireless LAN and Core; DPI reports, SCP; Management Plan; Voice LAN]
IMPLEMENTATION 4
Implement

• Planning of Deployment
• Cabling
• Install the Voice servers
• Configure Radius, DNS and DHCP servers
• Configure IMS3 server for Voice devices management
• Configure WLAN SSID for handsets
• Install, template and configure Voice handsets via IMS3

• OmniVista 2500/Cirrus configuration

OPERATION 5
Operate

• Monitoring
• Voice coverage (level of SNR, RF scan)
• VoIP audit
• System performance
• Updating the infrastructure
• Handsets, Hardware networking infrastructure, servers
• Surveying
• Ekahau site survey PRO or Airmagnet Survey PRO
• Support & Troubleshooting

• Professional services
• Professional Services cover the build and run phases of all projects, including plan & design, integrate & deploy, assess & migrate, and project management.
• Ekahau 3D site survey tool can be delivered as a service by PS to design WLAN deployments
OmniVista 2500 NMS Release 4
PolicyView

Objectives
Lesson Summary

Administrate and deploy a global Quality of Service policy over a network

OmniVista PolicyView
PolicyView QoS
• “OneTouch” QoS
• Used to configure network-wide QoS policies
• Policies stored in LDAP server configured as part of OmniVista installation
• Switches notified to retrieve new policies from this server

[Figure: OmniVista 2500 Infrastructure – OmniVista PolicyView, LDAP Directory, Web Based ELMs]
OmniVista PolicyView
OneTouch simplifies QoS configuration
• Reduces the amount of interfaces for configuring QoS for VoIP and time critical data operations
• Enables enhanced policy-based management across multiple devices
• Sets parameters once
• Distributed to devices at the same time

Operation modes
• OneTouch for Voice, Data & ACL
- QoS for one or more subnets of VoIP phones
- QoS priorities for selected data servers
- Accept/ Drop traffic for selected groups
• Expert Mode
- Advanced QoS controls for complex policies (including validation scheme)
PolicyView Home
QOS Rule configuration steps

Create a Policy Rule

Create a Policy Condition

Create a Policy Action

Apply the Policy


OmniVista PolicyView QoS
One Touch Voice mode

Set Voice Conditions for IP or MAC Policies

OmniVista PolicyView QoS
One Touch Data mode

Set Data Server IP address and Priority
QoS Priority:
- Platinum (7)
- Gold (5)
- Silver (3)
- Bronze (1)

OmniVista PolicyView QoS
One Touch ACL mode

Set IP Network Group and traffic accessibility (Accept/Drop)

OmniVista PolicyView QoS
Expert mode
Create Policy

Expert mode Wizard
Initial Configuration

Set Policy Rule name, Precedence and Advanced options
Advanced options:
- Default List. Adds the rule to the QoS Default Policy List
- Enabled. Enables the policy
- Save. Marks the policy rule so that it may be captured as part of the switch configuration.
- Log Matches. Logs messages about specific flows coming into the switch that match this policy rule.
- Send Trap. Enables traps for the Policy
- Reflexive. Reflexive policies allow specific return connections that would normally be denied
Expert Mode Wizard
Device Selection

Specify the devices to which the policy will be applied

Expert Mode Wizard
Set Condition
Conditions:
- L2 MACs. Source/Destination MAC Address / MAC Group. Source MAC Range
- L3 IPs. Fragment. Source/Destination IP Address / Network Group. Multicast IP Address
- L3 DSCP / TOS
- L4 Services. Protocol Only. Ports. Service. Service Group
- L7 Application. App Group. App Name

Expert Mode Wizard
Set Action
Actions:
- QoS.
  Disposition (Accept / Drop).
  QoS Parameters (Platinum / Gold / Silver / Bronze)
  Max. Output Rate (kbits/sec)
  Output Mapping
  802.1p Priority Level
- TCM.
  Committed Information Rate.
  Peak Information Rate
Expert Mode Wizard
Validity Period and Review

Policy and Policy Manager
Policy Flow
User creates a policy using OmniVista PolicyView
[Figure: policy flow over LDAP between Policy Administration, the LDAP Repository (Policy Directory Server) and the Policy Enabled Switches]
OMNIACCESS STELLAR
WIRELESS LAN
SSID CREATION – ADVANCED OPTIONS

LESSON SUMMARY
• SSID Creation – Advanced options
- At the end of this module, you will be able to understand and configure the advanced options of the SSID wizard.
DEFAULT VLAN/NETWORK

• Access Role Profile configuration


• Network:
• VLAN ID
• Tunnel ID and Tunnel Termination Switch (TTS) IP
• Walled Garden
• Wireless Client Social Login
• Wireless client authenticates through a social media vendor (Facebook WiFi or Google)
• Whitelist Domain
• Allow a wireless client to access the URLs of the whitelist without authentication
• Advanced Access Role Configuration
• Location/Period Policy
• Can a client access the network? Based on the time/date and location of the client
• Bandwidth Control Setting
• Bandwidth allocated per user
ADVANCED WLAN SERVICE CONFIGURATION

• Basic
• Hide SSID
• UAPSD
• Unscheduled Automatic Power Save Delivery is a QoS facility defined in IEEE 802.11e that extends the battery life of mobile clients

• Security
• Classification Status
• Role assignment if 802.1X/MAC authentication does not return a role

• Client Isolation
• Traffic between clients on the same AP (in the SSID) is blocked
ADVANCED WLAN SERVICE CONFIGURATION

• QoS Setting
• Bandwidth Contract
• Bandwidth limitation shared for all users, per radio

• Broadcast Optimization
• Broadcast Key rotation
- Only applicable for Enterprise
- A unicast key (PTK) and a group key (GTK) are used to encrypt traffic
- Rotate the keys periodically to avoid key cracking
- Default period: 15 min – Range 1 min – 24 hours
• Broadcast Optimization
- Broadcast Filter All: Drop all broadcast packets except DHCP & ARP.
- Broadcast Filter ARP: Convert broadcast ARP to unicast ARP
- Recommended if no specific multicast application is used
ADVANCED WLAN SERVICE CONFIGURATION

• Multicast Optimization
• Enabling Multicast Optimization = Convert multicast to unicast
• Unicast key PTK used
• Uses the highest data rate (unicast)

• Limited to IP Multicast and IGMP Snooping traffic

• Multicast Optimization automatically stops on high load


• Upper limit of multicast optimization:
- Channel Utilization (RF environment too poor to have optimization): default value 90%
- Number of Clients (CPU load too high to support optimization): default value 6 (maximum number of high-throughput clients)
ADVANCED WLAN SERVICE CONFIGURATION

• WMM QoS
• Four categories
• QoS treatment per category
• Uplink 802.1p/DSCP
• Downlink 802.1p/DSCP

Ex: DSCP Mapping
[Figure labels: DSCP=56, DSCP=56, DSCP=46]

DOWNLINK DSCP
DSCP = 8, 16    → BACKGROUND
DSCP = 0, 24    → BEST EFFORT
DSCP = 32, 40   → VIDEO
DSCP = 48, 56   → VOICE

UPLINK DSCP
BACKGROUND      → DSCP = 8
BEST EFFORT     → DSCP = 0
VIDEO           → DSCP = 32
VOICE           → DSCP = 46
WLAN SERVICE - WMM QOS RECOMMENDATION

• Recommended Settings

WMM           802.1p   DSCP
Best Effort   0        0
Background    2        18 – AF21
Voice         5        46 – EF
Video         4        34 – AF41

• Default OV Settings

WMM           802.1p   DSCP
Best Effort   0,3      0x00, 0x18 – 0, 24
Background    1,2      0x08, 0x10 – 8, 16
Voice         6,7      0x30, 0x38 – 48, 56
Video         4,5      0x20, 0x28 – 32, 40
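The two tables list different DSCP values per WMM category, so a marking that matches one profile may not be listed in the other. The following added example (not part of the training guide) reads the DSCP from constructed IPv4 headers and reports the category each table lists for it; the function names and sample headers are assumptions, and the guide does not say how a value missing from a table is treated, so it is reported as None.

```python
import struct

# DSCP values per WMM category, copied from the two tables above.
DEFAULT_OV = {
    "Best Effort": (0, 24),
    "Background": (8, 16),
    "Voice": (48, 56),
    "Video": (32, 40),
}
RECOMMENDED = {
    "Best Effort": (0,),
    "Background": (18,),   # AF21
    "Voice": (46,),        # EF
    "Video": (34,),        # AF41
}


def dscp_of(ipv4_header: bytes) -> int:
    """Return the 6-bit DSCP: the upper six bits of the second header byte."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1] >> 2   # the lower two bits are ECN


def category(dscp, table):
    """WMM category the table lists for this DSCP, or None if it is not listed."""
    for name, values in table.items():
        if dscp in values:
            return name
    return None


def make_header(tos: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header; only version and ToS matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([10, 7, 0, 55]), bytes([10, 7, 0, 61]))


def audit(headers):
    """Return (dscp, category under Default OV, category under Recommended)."""
    rows = []
    for header in headers:
        dscp = dscp_of(header)
        rows.append((dscp, category(dscp, DEFAULT_OV), category(dscp, RECOMMENDED)))
    return rows


def listed_in_one_table_only(rows):
    """DSCP values that exactly one of the two tables lists."""
    return sorted({d for d, default, rec in rows if (default is None) != (rec is None)})


# Constructed sample: ToS bytes for EF, CS6, AF41, CS4, AF21 and default.
SAMPLE = [make_header(tos) for tos in (0xB8, 0xC0, 0x88, 0x80, 0x48, 0x00)]

if __name__ == "__main__":
    for dscp, default, rec in audit(SAMPLE):
        print(f"DSCP {dscp:2d}  default OV: {default}  recommended: {rec}")
    print("listed in one table only:", listed_in_one_table_only(audit(SAMPLE)))
```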
HOTSPOT 2.0 & WIFI4EU

Hotspot 2.0 Network
[Figure: Hotspot 2.0 network – mobile device, Passpoint APs (ANQP and EAP), switch, NAT/DHCP/firewall, ANQP server, RADIUS to the home AAA server, MAP to the home HLR. Client device credentials verified against home operator’s HLR]

• Hotspot 2.0
• Insecure, overcrowded public WiFi
• Offload client traffic from 3G/4G to WiFi
• Deliver seamless and secure network (WPA2 or WPA3 Enterprise) for clients in public spaces
• Hotspot 2.0 is a WLAN Service option
• Stellar Access Point support
- 802.11u (GAS/ANQP)
- EAP-SIM / EAP-AKA

• WiFi4EU
• European Union Initiative, to provide free WiFi access services to citizens in public venues
• Networks with WiFi4EU SSID use an HTTPS Captive Portal
• Session timeout should be configurable up to 12 hours

HOTSPOT 2.0 & WIFI4EU - CONFIGURATION

• Hotspot 2.0
• WPA-2 Enterprise SSID -> Advanced WLAN configuration

• WIFI4EU
• Guest SSID -> Guest Access Strategy
February 25
It’s an Open Technical Community providing a great place to connect with other members or just participants who share the same passion on Alcatel-Lucent Enterprise Network Solutions.

To connect and…
• Read or post interesting information
• Provide mutual aids
• Learn from others into the community

[Screenshots of the Spacewalkers site: homepage (configurable home banner in slider mode, community activity stats, top active members), Forum (links per category, search for quick access, ask your question, top members), dedicated topics, News, Resources, Blog, Developer Center (APIs center), search bar]
Key Takeaways

SPACEWALKERS is YOUR place to exchange on the ALE Network Solutions!
Sharing your passion around ALE technologies with all members to answer any question, provide guidance, help or getting information
Creating fruitful connections
To create a community and discover a new land for your IT experience!

Check it out!

Get your spacesuit, come explore Spacewalkers and become a member of our community in few minutes!
As soon as you become a member, you will access resourceful content while interacting with the community…
Join us now!

Time for a little quiz

Now that you are a Spacewalkers’ member, here are a couple of questions to check your training before you start exploring on your own!
The answers might be simply within Spacewalkers!
Ready for take off?
Start now

Thank you!
CONTACT US

WEBSITE
www.al-enterprise.com

Follow us on:
END OF TRAINING EVALUATIONS
CLASSROOM SESSION OR VIRTUAL CLASS SESSION

YOUR FEEDBACK IS IMPORTANT!

Please complete the training evaluation online survey before leaving your session. This will take you 2 minutes!

You must complete the end of training evaluation to be able to download your training certificate of attendance.

LOGIN TO ALE KNOWLEDGE HUB

• Connect to ALE Knowledge Hub (https://enterprise-education.csod.com) with your usual credentials
ACCESS TO THE ONLINE EVALUATION SURVEY (1/2)
• Click on My Training on the home page

• Search for the training course by the reference provided by your instructor
ACCESS TO THE ONLINE EVALUATION SURVEY (2/2)
• From the session, select Evaluate in the dropdown menu and follow the instructions

OR
• From the curriculum, select Open Curriculum

• Then select Evaluate in the dropdown menu associated to the session and follow the
instructions
Find a Course
Browse our catalog available on https://enterprise-education.csod.com/ to find your training path and course details.

Feedback
In order to improve the quality of the documentation, please send any feedback to:

Alcatel-Lucent Enterprise
115-225 rue Antoine de Saint-Exupéry
ZAC Prat Pip – Guipavas
29806 BREST CEDEX 9 – France
FAX: (33) 2 98 28 50 03

or mail to: [email protected]
